dependabot-bundler 0.301.1 → 0.312.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/bundler/file_updater/ruby_requirement_setter.rb +1 -1
- data/lib/dependabot/bundler/package/package_details_fetcher.rb +228 -0
- data/lib/dependabot/bundler/update_checker/file_preparer.rb +5 -5
- data/lib/dependabot/bundler/update_checker/latest_version_finder/dependency_source.rb +5 -4
- data/lib/dependabot/bundler/update_checker/latest_version_finder.rb +102 -81
- data/lib/dependabot/bundler/update_checker/requirements_updater.rb +5 -3
- data/lib/dependabot/bundler/update_checker/version_resolver.rb +4 -2
- data/lib/dependabot/bundler/update_checker.rb +6 -4
- metadata +29 -31
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 549146f0c01d6f1805e3f7b2df0224005cfaea8fd95f57d369196d472293209b
|
|
4
|
+
data.tar.gz: db901d1622be4c70afe115d2e89764dcab968ca27b1d024c1c5b04c2a318519b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3b7f9f31ac2932af8a31ab6b04282500d99381f77daeb55169a59742d69b10ad2b2bea49137073ba02a49be9f60a757950b39963f9b161cbcd51873a10342a2e
|
|
7
|
+
data.tar.gz: f6acae736ca5bc9449bed970b5da4861909873198ad434c30d5d6b6db96a3778df54ef1f1e75a123afe1d9c10b45581a98a77d1df04f03f51fe6e78e33fa479b
|
|
@@ -0,0 +1,228 @@
|
|
|
1
|
+
# typed: strict
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require "json"
|
|
5
|
+
require "time"
|
|
6
|
+
require "cgi"
|
|
7
|
+
require "excon"
|
|
8
|
+
require "nokogiri"
|
|
9
|
+
require "sorbet-runtime"
|
|
10
|
+
require "dependabot/registry_client"
|
|
11
|
+
require "dependabot/bundler"
|
|
12
|
+
require "dependabot/package/package_release"
|
|
13
|
+
require "dependabot/package/package_details"
|
|
14
|
+
|
|
15
|
+
module Dependabot
|
|
16
|
+
module Bundler
|
|
17
|
+
module Package
|
|
18
|
+
class PackageDetailsFetcher
|
|
19
|
+
extend T::Sig
|
|
20
|
+
|
|
21
|
+
require_relative "../update_checker/shared_bundler_helpers"
|
|
22
|
+
include Dependabot::Bundler::UpdateChecker::SharedBundlerHelpers
|
|
23
|
+
|
|
24
|
+
RELEASES_URL = "https://rubygems.org/api/v1/versions/%s.json"
|
|
25
|
+
GEM_URL = "https://rubygems.org/gems/%s.gem"
|
|
26
|
+
PACKAGE_TYPE = "gem"
|
|
27
|
+
PACKAGE_LANGUAGE = "ruby"
|
|
28
|
+
APPLICATION_JSON = "application/json"
|
|
29
|
+
|
|
30
|
+
RUBYGEMS = "rubygems"
|
|
31
|
+
PRIVATE_REGISTRY = "private"
|
|
32
|
+
GIT = "git"
|
|
33
|
+
OTHER = "other"
|
|
34
|
+
|
|
35
|
+
sig do
|
|
36
|
+
params(
|
|
37
|
+
dependency: Dependabot::Dependency,
|
|
38
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
39
|
+
credentials: T::Array[Dependabot::Credential]
|
|
40
|
+
).void
|
|
41
|
+
end
|
|
42
|
+
def initialize(dependency:, dependency_files:, credentials:)
|
|
43
|
+
@dependency = dependency
|
|
44
|
+
@dependency_files = dependency_files
|
|
45
|
+
@credentials = credentials
|
|
46
|
+
|
|
47
|
+
@source_type = T.let(nil, T.nilable(String))
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
sig { returns(Dependabot::Dependency) }
|
|
51
|
+
attr_reader :dependency
|
|
52
|
+
|
|
53
|
+
sig { returns(T::Array[T.untyped]) }
|
|
54
|
+
attr_reader :dependency_files
|
|
55
|
+
|
|
56
|
+
sig { returns(T::Array[T.untyped]) }
|
|
57
|
+
attr_reader :credentials
|
|
58
|
+
|
|
59
|
+
sig { returns(Dependabot::Package::PackageDetails) }
|
|
60
|
+
def fetch
|
|
61
|
+
return rubygems_versions if dependency.name == "bundler"
|
|
62
|
+
return rubygems_versions unless gemfile
|
|
63
|
+
|
|
64
|
+
case source_type
|
|
65
|
+
when OTHER, GIT, PRIVATE_REGISTRY
|
|
66
|
+
package_details([])
|
|
67
|
+
else
|
|
68
|
+
rubygems_versions
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
private
|
|
73
|
+
|
|
74
|
+
# Example JSON Response Format:
|
|
75
|
+
# eg https://rubygems.org/api/v1/versions/dependabot-common.json
|
|
76
|
+
# response:
|
|
77
|
+
# [
|
|
78
|
+
# {
|
|
79
|
+
# authors: "Dependabot",
|
|
80
|
+
# built_at: "2025-03-20T00:00:00.000Z",
|
|
81
|
+
# created_at: "2025-03-20T14:48:33.295Z",
|
|
82
|
+
# description: "Dependabot-Common provides the shared code used across Dependabot. If you want support for
|
|
83
|
+
# multiple package managers, you probably want the meta-gem dependabot-omnibus.",
|
|
84
|
+
# downloads_count: 382,
|
|
85
|
+
# metadata: {
|
|
86
|
+
# changelog_uri: "https://github.com/dependabot/dependabot-core/releases/tag/v0.302.0",
|
|
87
|
+
# bug_tracker_uri: "https://github.com/dependabot/dependabot-core/issues"
|
|
88
|
+
# },
|
|
89
|
+
# number: "0.302.0",
|
|
90
|
+
# summary: "Shared code used across Dependabot Core",
|
|
91
|
+
# platform: "ruby",
|
|
92
|
+
# rubygems_version: ">= 3.3.7",
|
|
93
|
+
# ruby_version: ">= 3.1.0",
|
|
94
|
+
# prerelease: false,
|
|
95
|
+
# licenses: [
|
|
96
|
+
# "MIT"
|
|
97
|
+
# ],
|
|
98
|
+
# requirements: [ ],
|
|
99
|
+
# sha: "e8ef286a91add81534c297425f2f2efc0c5671f3307307f7fad62c059ed8fca2",
|
|
100
|
+
# spec_sha: "cd0ac8f3462449bf19e7356dbc2ec83eec378b41702e03221ededc49875b1e1c"
|
|
101
|
+
# },
|
|
102
|
+
# {
|
|
103
|
+
# authors: "Dependabot",
|
|
104
|
+
# built_at: "2025-03-14T00:00:00.000Z",
|
|
105
|
+
# created_at: "2025-03-14T18:46:18.547Z",
|
|
106
|
+
# description: "Dependabot-Common provides the shared code used across Dependabot. If you want support for
|
|
107
|
+
# multiple package managers, you probably want the meta-gem dependabot-omnibus.",
|
|
108
|
+
# downloads_count: 324,
|
|
109
|
+
# metadata: {
|
|
110
|
+
# changelog_uri: "https://github.com/dependabot/dependabot-core/releases/tag/v0.301.1",
|
|
111
|
+
# bug_tracker_uri: "https://github.com/dependabot/dependabot-core/issues"
|
|
112
|
+
# },
|
|
113
|
+
# number: "0.301.1",
|
|
114
|
+
# summary: "Shared code used across Dependabot Core",
|
|
115
|
+
# platform: "ruby",
|
|
116
|
+
# rubygems_version: ">= 3.3.7",
|
|
117
|
+
# ruby_version: ">= 3.1.0",
|
|
118
|
+
# prerelease: false,
|
|
119
|
+
# licenses: [
|
|
120
|
+
# "MIT"
|
|
121
|
+
# ],
|
|
122
|
+
# requirements: [ ],
|
|
123
|
+
# sha: "47e5948069571271d72c12f8c03106b415a00550857b6c5fb22aeb780cfe1da7",
|
|
124
|
+
# spec_sha: "7191388ac6fa0ea72ed7588f848b2b244a0dc5a4ec3e6b7c9d395296b0fa93d9"
|
|
125
|
+
# },
|
|
126
|
+
# ...
|
|
127
|
+
# ]
|
|
128
|
+
sig { returns(Dependabot::Package::PackageDetails) }
|
|
129
|
+
def rubygems_versions
|
|
130
|
+
response = registry_json_response_for_dependency
|
|
131
|
+
raise unless response.status == 200
|
|
132
|
+
|
|
133
|
+
package_releases = JSON.parse(response.body).map do |release|
|
|
134
|
+
package_release(
|
|
135
|
+
version: release["number"],
|
|
136
|
+
released_at: Time.parse(release["created_at"]),
|
|
137
|
+
downloads: release["downloads_count"],
|
|
138
|
+
url: GEM_URL % "#{@dependency.name}-#{release['number']}",
|
|
139
|
+
ruby_version: release["ruby_version"]
|
|
140
|
+
)
|
|
141
|
+
end
|
|
142
|
+
|
|
143
|
+
package_details(package_releases)
|
|
144
|
+
end
|
|
145
|
+
|
|
146
|
+
sig { returns(Excon::Response) }
|
|
147
|
+
def registry_json_response_for_dependency
|
|
148
|
+
url = RELEASES_URL % dependency.name
|
|
149
|
+
Dependabot::RegistryClient.get(
|
|
150
|
+
url: url,
|
|
151
|
+
headers: { "Accept" => APPLICATION_JSON }
|
|
152
|
+
)
|
|
153
|
+
end
|
|
154
|
+
|
|
155
|
+
sig { params(req_string: String).returns(Requirement) }
|
|
156
|
+
def language_requirement(req_string)
|
|
157
|
+
Requirement.new(req_string)
|
|
158
|
+
end
|
|
159
|
+
|
|
160
|
+
sig { returns(String) }
|
|
161
|
+
def source_type
|
|
162
|
+
@source_type ||= begin
|
|
163
|
+
return @source_type = RUBYGEMS unless gemfile
|
|
164
|
+
|
|
165
|
+
@source_type = in_a_native_bundler_context do |tmp_dir|
|
|
166
|
+
NativeHelpers.run_bundler_subprocess(
|
|
167
|
+
bundler_version: bundler_version,
|
|
168
|
+
function: "dependency_source_type",
|
|
169
|
+
options: {}, # options,
|
|
170
|
+
args: {
|
|
171
|
+
dir: tmp_dir,
|
|
172
|
+
gemfile_name: gemfile.name,
|
|
173
|
+
dependency_name: dependency.name,
|
|
174
|
+
credentials: credentials
|
|
175
|
+
}
|
|
176
|
+
)
|
|
177
|
+
end
|
|
178
|
+
end
|
|
179
|
+
end
|
|
180
|
+
|
|
181
|
+
sig { override.returns(String) }
|
|
182
|
+
def bundler_version
|
|
183
|
+
@bundler_version ||= T.let(Helpers.bundler_version(lockfile), T.nilable(String))
|
|
184
|
+
end
|
|
185
|
+
|
|
186
|
+
sig do
|
|
187
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
188
|
+
.returns(Dependabot::Package::PackageDetails)
|
|
189
|
+
end
|
|
190
|
+
def package_details(releases)
|
|
191
|
+
@package_details ||= T.let(
|
|
192
|
+
Dependabot::Package::PackageDetails.new(
|
|
193
|
+
dependency: dependency,
|
|
194
|
+
releases: releases.reverse.uniq(&:version)
|
|
195
|
+
), T.nilable(Dependabot::Package::PackageDetails)
|
|
196
|
+
)
|
|
197
|
+
end
|
|
198
|
+
|
|
199
|
+
sig do
|
|
200
|
+
params(
|
|
201
|
+
version: String,
|
|
202
|
+
released_at: Time,
|
|
203
|
+
downloads: Integer,
|
|
204
|
+
url: String,
|
|
205
|
+
ruby_version: T.nilable(String),
|
|
206
|
+
yanked: T::Boolean
|
|
207
|
+
).returns(Dependabot::Package::PackageRelease)
|
|
208
|
+
end
|
|
209
|
+
def package_release(version:, released_at:, downloads:, url:, ruby_version:, yanked: false)
|
|
210
|
+
Dependabot::Package::PackageRelease.new(
|
|
211
|
+
version: Dependabot::Bundler::Version.new(version),
|
|
212
|
+
released_at: released_at,
|
|
213
|
+
yanked: yanked,
|
|
214
|
+
yanked_reason: nil,
|
|
215
|
+
downloads: downloads,
|
|
216
|
+
url: url,
|
|
217
|
+
package_type: PACKAGE_TYPE,
|
|
218
|
+
language: Dependabot::Package::PackageLanguage.new(
|
|
219
|
+
name: PACKAGE_LANGUAGE,
|
|
220
|
+
version: nil,
|
|
221
|
+
requirement: ruby_version ? language_requirement(ruby_version) : nil
|
|
222
|
+
)
|
|
223
|
+
)
|
|
224
|
+
end
|
|
225
|
+
end
|
|
226
|
+
end
|
|
227
|
+
end
|
|
228
|
+
end
|
|
@@ -215,13 +215,13 @@ module Dependabot
|
|
|
215
215
|
lower_bound_req = updated_version_req_lower_bound(filename)
|
|
216
216
|
|
|
217
217
|
return lower_bound_req if latest_allowable_version.nil?
|
|
218
|
-
return lower_bound_req unless
|
|
218
|
+
return lower_bound_req unless Bundler::Version.correct?(latest_allowable_version)
|
|
219
219
|
|
|
220
220
|
lower_bound_req + ", <= #{latest_allowable_version}"
|
|
221
221
|
end
|
|
222
222
|
|
|
223
223
|
# rubocop:disable Metrics/PerceivedComplexity
|
|
224
|
-
def updated_version_req_lower_bound(filename)
|
|
224
|
+
def updated_version_req_lower_bound(filename) # rubocop:disable Metrics/CyclomaticComplexity
|
|
225
225
|
original_req = dependency.requirements
|
|
226
226
|
.find { |r| r.fetch(:file) == filename }
|
|
227
227
|
&.fetch(:requirement)
|
|
@@ -234,9 +234,9 @@ module Dependabot
|
|
|
234
234
|
dependency.requirements.map { |r| r[:requirement] }
|
|
235
235
|
.reject { |req_string| req_string.start_with?("<") }
|
|
236
236
|
.select { |req_string| req_string.match?(VERSION_REGEX) }
|
|
237
|
-
.map { |req_string| req_string.match(VERSION_REGEX) }
|
|
238
|
-
.select { |version|
|
|
239
|
-
.max_by { |version|
|
|
237
|
+
.map { |req_string| req_string.match(VERSION_REGEX)&.to_s }
|
|
238
|
+
.select { |version| Bundler::Version.correct?(version) }
|
|
239
|
+
.max_by { |version| Bundler::Version.new(version) }
|
|
240
240
|
|
|
241
241
|
">= #{version_for_requirement || 0}"
|
|
242
242
|
end
|
|
@@ -4,12 +4,13 @@
|
|
|
4
4
|
require "dependabot/registry_client"
|
|
5
5
|
require "dependabot/bundler/native_helpers"
|
|
6
6
|
require "dependabot/bundler/helpers"
|
|
7
|
+
require "dependabot/bundler/update_checker/latest_version_finder"
|
|
7
8
|
require "sorbet-runtime"
|
|
8
9
|
|
|
9
10
|
module Dependabot
|
|
10
11
|
module Bundler
|
|
11
12
|
class UpdateChecker
|
|
12
|
-
class LatestVersionFinder
|
|
13
|
+
class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
|
|
13
14
|
class DependencySource
|
|
14
15
|
extend T::Sig
|
|
15
16
|
|
|
@@ -39,7 +40,7 @@ module Dependabot
|
|
|
39
40
|
|
|
40
41
|
# The latest version details for the dependency from a registry
|
|
41
42
|
#
|
|
42
|
-
sig { returns(T::Array[
|
|
43
|
+
sig { returns(T::Array[Dependabot::Bundler::Version]) }
|
|
43
44
|
def versions
|
|
44
45
|
return rubygems_versions if dependency.name == "bundler"
|
|
45
46
|
return rubygems_versions unless gemfile
|
|
@@ -98,7 +99,7 @@ module Dependabot
|
|
|
98
99
|
)
|
|
99
100
|
|
|
100
101
|
JSON.parse(response.body)
|
|
101
|
-
.map { |d|
|
|
102
|
+
.map { |d| Dependabot::Bundler::Version.new(d["number"]) }
|
|
102
103
|
end
|
|
103
104
|
rescue JSON::ParserError, Excon::Error::Timeout
|
|
104
105
|
@rubygems_versions = []
|
|
@@ -122,7 +123,7 @@ module Dependabot
|
|
|
122
123
|
credentials: credentials
|
|
123
124
|
}
|
|
124
125
|
).map do |version_string|
|
|
125
|
-
|
|
126
|
+
Dependabot::Bundler::Version.new(version_string)
|
|
126
127
|
end
|
|
127
128
|
end
|
|
128
129
|
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "excon"
|
|
@@ -8,105 +8,135 @@ require "dependabot/update_checkers/version_filters"
|
|
|
8
8
|
require "dependabot/bundler/requirement"
|
|
9
9
|
require "dependabot/shared_helpers"
|
|
10
10
|
require "dependabot/errors"
|
|
11
|
+
require "dependabot/package/package_latest_version_finder"
|
|
11
12
|
require "dependabot/bundler/update_checker/latest_version_finder/" \
|
|
12
13
|
"dependency_source"
|
|
14
|
+
require "dependabot/bundler/package/package_details_fetcher"
|
|
13
15
|
require "sorbet-runtime"
|
|
14
16
|
|
|
15
17
|
module Dependabot
|
|
16
18
|
module Bundler
|
|
17
19
|
class UpdateChecker
|
|
18
|
-
class LatestVersionFinder
|
|
20
|
+
class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
|
|
19
21
|
extend T::Sig
|
|
20
22
|
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
23
|
+
sig do
|
|
24
|
+
params(
|
|
25
|
+
dependency: Dependabot::Dependency,
|
|
26
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
27
|
+
credentials: T::Array[Dependabot::Credential],
|
|
28
|
+
ignored_versions: T::Array[String],
|
|
29
|
+
security_advisories: T::Array[Dependabot::SecurityAdvisory],
|
|
30
|
+
cooldown_options: T.nilable(Dependabot::Package::ReleaseCooldownOptions),
|
|
31
|
+
raise_on_ignored: T::Boolean,
|
|
32
|
+
options: T::Hash[Symbol, T.untyped]
|
|
33
|
+
).void
|
|
34
|
+
end
|
|
35
|
+
def initialize(
|
|
36
|
+
dependency:,
|
|
37
|
+
dependency_files:,
|
|
38
|
+
credentials:,
|
|
39
|
+
ignored_versions:,
|
|
40
|
+
security_advisories:,
|
|
41
|
+
cooldown_options: nil,
|
|
42
|
+
raise_on_ignored: false,
|
|
43
|
+
options: {}
|
|
44
|
+
)
|
|
45
|
+
@package_details = T.let(nil, T.nilable(Dependabot::Package::PackageDetails))
|
|
46
|
+
@latest_version_details = T.let(nil, T.nilable(T::Hash[Symbol, T.untyped]))
|
|
47
|
+
@releases_from_dependency_source = T.let(nil, T.nilable(T::Array[Dependabot::Package::PackageRelease]))
|
|
48
|
+
super
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
sig { override.returns(T.nilable(Dependabot::Package::PackageDetails)) }
|
|
52
|
+
def package_details
|
|
53
|
+
@package_details ||= Package::PackageDetailsFetcher.new(
|
|
54
|
+
dependency: dependency,
|
|
55
|
+
dependency_files: dependency_files,
|
|
56
|
+
credentials: credentials
|
|
57
|
+
).fetch
|
|
32
58
|
end
|
|
33
59
|
|
|
60
|
+
sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
|
|
34
61
|
def latest_version_details
|
|
35
|
-
@latest_version_details ||=
|
|
62
|
+
@latest_version_details ||= if cooldown_enabled?
|
|
63
|
+
latest_version = fetch_latest_version(language_version: nil)
|
|
64
|
+
latest_version ? { version: latest_version } : nil
|
|
65
|
+
else
|
|
66
|
+
fetch_latest_version_details
|
|
67
|
+
end
|
|
36
68
|
end
|
|
37
69
|
|
|
38
|
-
|
|
39
|
-
|
|
70
|
+
sig { override.returns(T::Boolean) }
|
|
71
|
+
def cooldown_enabled?
|
|
72
|
+
Dependabot::Experiments.enabled?(:enable_cooldown_for_bundler)
|
|
40
73
|
end
|
|
41
74
|
|
|
42
|
-
|
|
75
|
+
sig { override.returns(T.nilable(T::Array[Dependabot::Package::PackageRelease])) }
|
|
76
|
+
def available_versions
|
|
77
|
+
return nil if package_details&.releases.nil?
|
|
78
|
+
|
|
79
|
+
source_versions = releases_from_dependency_source
|
|
80
|
+
return [] if source_versions.empty?
|
|
81
|
+
|
|
82
|
+
T.must(package_details).releases.select do |release|
|
|
83
|
+
source_versions.any? { |v| v.to_s == release.version.to_s }
|
|
84
|
+
end
|
|
85
|
+
end
|
|
43
86
|
|
|
44
|
-
|
|
45
|
-
attr_reader :dependency_files
|
|
46
|
-
attr_reader :repo_contents_path
|
|
47
|
-
attr_reader :credentials
|
|
48
|
-
attr_reader :ignored_versions
|
|
49
|
-
attr_reader :security_advisories
|
|
50
|
-
attr_reader :options
|
|
87
|
+
private
|
|
51
88
|
|
|
89
|
+
sig { returns(T.nilable(T::Hash[Symbol, Dependabot::Version])) }
|
|
52
90
|
def fetch_latest_version_details
|
|
53
91
|
return dependency_source.latest_git_version_details if dependency_source.git?
|
|
54
92
|
|
|
55
|
-
relevant_versions =
|
|
93
|
+
relevant_versions = releases_from_dependency_source
|
|
56
94
|
relevant_versions = filter_prerelease_versions(relevant_versions)
|
|
57
95
|
relevant_versions = filter_ignored_versions(relevant_versions)
|
|
58
96
|
|
|
59
|
-
relevant_versions.empty?
|
|
97
|
+
return if relevant_versions.empty?
|
|
98
|
+
|
|
99
|
+
release = relevant_versions.max_by(&:version)
|
|
100
|
+
|
|
101
|
+
{ version: release&.version }
|
|
60
102
|
end
|
|
61
103
|
|
|
62
|
-
|
|
104
|
+
sig do
|
|
105
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
106
|
+
.returns(T.nilable(Dependabot::Version))
|
|
107
|
+
end
|
|
108
|
+
def fetch_lowest_security_fix_version(language_version: nil) # rubocop:disable Lint/UnusedMethodArgument
|
|
63
109
|
return if dependency_source.git?
|
|
64
110
|
|
|
65
|
-
relevant_versions =
|
|
111
|
+
relevant_versions = releases_from_dependency_source
|
|
66
112
|
relevant_versions = filter_prerelease_versions(relevant_versions)
|
|
67
|
-
relevant_versions = Dependabot::UpdateCheckers::VersionFilters
|
|
68
|
-
|
|
113
|
+
relevant_versions = Dependabot::UpdateCheckers::VersionFilters
|
|
114
|
+
.filter_vulnerable_versions(
|
|
115
|
+
relevant_versions,
|
|
116
|
+
security_advisories
|
|
117
|
+
)
|
|
69
118
|
relevant_versions = filter_ignored_versions(relevant_versions)
|
|
70
119
|
relevant_versions = filter_lower_versions(relevant_versions)
|
|
71
120
|
|
|
72
|
-
relevant_versions.
|
|
121
|
+
relevant_versions.min_by(&:version)&.version
|
|
73
122
|
end
|
|
74
123
|
|
|
75
|
-
sig {
|
|
76
|
-
def
|
|
77
|
-
return
|
|
124
|
+
sig { returns(T::Array[Dependabot::Package::PackageRelease]) }
|
|
125
|
+
def releases_from_dependency_source
|
|
126
|
+
return @releases_from_dependency_source if @releases_from_dependency_source
|
|
78
127
|
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
sig { params(versions_array: T::Array[Gem::Version]).returns(T::Array[Gem::Version]) }
|
|
87
|
-
def filter_ignored_versions(versions_array)
|
|
88
|
-
filtered = versions_array
|
|
89
|
-
.reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
|
|
90
|
-
if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(versions_array).any?
|
|
91
|
-
raise AllVersionsIgnored
|
|
92
|
-
end
|
|
93
|
-
|
|
94
|
-
if versions_array.count > filtered.count
|
|
95
|
-
Dependabot.logger.info("Filtered out #{versions_array.count - filtered.count} ignored versions")
|
|
96
|
-
end
|
|
97
|
-
|
|
98
|
-
filtered
|
|
99
|
-
end
|
|
100
|
-
|
|
101
|
-
def filter_lower_versions(versions_array)
|
|
102
|
-
return versions_array unless dependency.numeric_version
|
|
103
|
-
|
|
104
|
-
versions_array
|
|
105
|
-
.select { |version| version > dependency.numeric_version }
|
|
128
|
+
@releases_from_dependency_source =
|
|
129
|
+
dependency_source.versions.map do |version|
|
|
130
|
+
Dependabot::Package::PackageRelease.new(
|
|
131
|
+
version: version
|
|
132
|
+
)
|
|
133
|
+
end
|
|
134
|
+
@releases_from_dependency_source
|
|
106
135
|
end
|
|
107
136
|
|
|
137
|
+
sig { returns(T::Boolean) }
|
|
108
138
|
def wants_prerelease?
|
|
109
|
-
@wants_prerelease ||=
|
|
139
|
+
@wants_prerelease ||= T.let(
|
|
110
140
|
begin
|
|
111
141
|
current_version = dependency.numeric_version
|
|
112
142
|
if current_version&.prerelease?
|
|
@@ -116,30 +146,21 @@ module Dependabot
|
|
|
116
146
|
req[:requirement].match?(/[a-z]/i)
|
|
117
147
|
end
|
|
118
148
|
end
|
|
119
|
-
end
|
|
149
|
+
end, T.nilable(T::Boolean)
|
|
150
|
+
)
|
|
120
151
|
end
|
|
121
152
|
|
|
153
|
+
sig { returns(DependencySource) }
|
|
122
154
|
def dependency_source
|
|
123
|
-
@dependency_source ||=
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
155
|
+
@dependency_source ||= T.let(
|
|
156
|
+
DependencySource.new(
|
|
157
|
+
dependency: dependency,
|
|
158
|
+
dependency_files: dependency_files,
|
|
159
|
+
credentials: credentials,
|
|
160
|
+
options: options
|
|
161
|
+
), T.nilable(DependencySource)
|
|
128
162
|
)
|
|
129
163
|
end
|
|
130
|
-
|
|
131
|
-
def ignore_requirements
|
|
132
|
-
ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
|
|
133
|
-
end
|
|
134
|
-
|
|
135
|
-
def requirement_class
|
|
136
|
-
dependency.requirement_class
|
|
137
|
-
end
|
|
138
|
-
|
|
139
|
-
def gemfile
|
|
140
|
-
dependency_files.find { |f| f.name == "Gemfile" } ||
|
|
141
|
-
dependency_files.find { |f| f.name == "gems.rb" }
|
|
142
|
-
end
|
|
143
164
|
end
|
|
144
165
|
end
|
|
145
166
|
end
|
|
@@ -26,7 +26,7 @@ module Dependabot
|
|
|
26
26
|
def initialize(requirements:, update_strategy:, updated_source:,
|
|
27
27
|
latest_version:, latest_resolvable_version:)
|
|
28
28
|
@requirements = requirements
|
|
29
|
-
@latest_version =
|
|
29
|
+
@latest_version = Dependabot::Bundler::Version.new(latest_version) if latest_version
|
|
30
30
|
@updated_source = updated_source
|
|
31
31
|
@update_strategy = update_strategy
|
|
32
32
|
|
|
@@ -35,7 +35,7 @@ module Dependabot
|
|
|
35
35
|
return unless latest_resolvable_version
|
|
36
36
|
|
|
37
37
|
@latest_resolvable_version =
|
|
38
|
-
|
|
38
|
+
Dependabot::Bundler::Version.new(latest_resolvable_version)
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
def updated_requirements
|
|
@@ -267,7 +267,9 @@ module Dependabot
|
|
|
267
267
|
# Updates the version in a "<" or "<=" constraint to allow the given
|
|
268
268
|
# version
|
|
269
269
|
def update_greatest_version(requirement, version_to_be_permitted)
|
|
270
|
-
|
|
270
|
+
if version_to_be_permitted.is_a?(String)
|
|
271
|
+
version_to_be_permitted = Dependabot::Bundler::Version.new(version_to_be_permitted)
|
|
272
|
+
end
|
|
271
273
|
op, version = requirement.requirements.first
|
|
272
274
|
version = version.release if version.prerelease?
|
|
273
275
|
|
|
@@ -26,6 +26,7 @@ module Dependabot
|
|
|
26
26
|
replacement_git_pin: nil, remove_git_source: false,
|
|
27
27
|
unlock_requirement: true,
|
|
28
28
|
latest_allowable_version: nil,
|
|
29
|
+
cooldown_options: nil,
|
|
29
30
|
options:)
|
|
30
31
|
@dependency = dependency
|
|
31
32
|
@unprepared_dependency_files = unprepared_dependency_files
|
|
@@ -37,6 +38,7 @@ module Dependabot
|
|
|
37
38
|
@remove_git_source = remove_git_source
|
|
38
39
|
@unlock_requirement = unlock_requirement
|
|
39
40
|
@latest_allowable_version = latest_allowable_version
|
|
41
|
+
@cooldown_options = cooldown_options
|
|
40
42
|
@options = options
|
|
41
43
|
|
|
42
44
|
@latest_allowable_version_incompatible_with_ruby = false
|
|
@@ -116,7 +118,7 @@ module Dependabot
|
|
|
116
118
|
# mismatch
|
|
117
119
|
return nil if ruby_version_incompatible?(details)
|
|
118
120
|
|
|
119
|
-
details[:version] =
|
|
121
|
+
details[:version] = Dependabot::Bundler::Version.new(details[:version])
|
|
120
122
|
end
|
|
121
123
|
details
|
|
122
124
|
end
|
|
@@ -183,11 +185,11 @@ module Dependabot
|
|
|
183
185
|
LatestVersionFinder.new(
|
|
184
186
|
dependency: dependency,
|
|
185
187
|
dependency_files: dependency_files,
|
|
186
|
-
repo_contents_path: repo_contents_path,
|
|
187
188
|
credentials: credentials,
|
|
188
189
|
ignored_versions: ignored_versions,
|
|
189
190
|
raise_on_ignored: @raise_on_ignored,
|
|
190
191
|
security_advisories: [],
|
|
192
|
+
cooldown_options: @cooldown_options,
|
|
191
193
|
options: options
|
|
192
194
|
).latest_version_details
|
|
193
195
|
end
|
|
@@ -130,10 +130,10 @@ module Dependabot
|
|
|
130
130
|
|
|
131
131
|
updated_dependencies.none? do |dep|
|
|
132
132
|
old_version = dep.previous_version
|
|
133
|
-
next unless
|
|
134
|
-
next if
|
|
133
|
+
next unless Dependabot::Bundler::Version.correct?(old_version)
|
|
134
|
+
next if Dependabot::Bundler::Version.new(old_version).prerelease?
|
|
135
135
|
|
|
136
|
-
|
|
136
|
+
Dependabot::Bundler::Version.new(dep.version).prerelease?
|
|
137
137
|
end
|
|
138
138
|
rescue Dependabot::DependencyFileNotResolvable
|
|
139
139
|
false
|
|
@@ -189,6 +189,7 @@ module Dependabot
|
|
|
189
189
|
ignored_versions: ignored_versions,
|
|
190
190
|
raise_on_ignored: raise_on_ignored,
|
|
191
191
|
replacement_git_pin: tag,
|
|
192
|
+
cooldown_options: update_cooldown,
|
|
192
193
|
options: options
|
|
193
194
|
).latest_resolvable_version_details
|
|
194
195
|
true
|
|
@@ -351,6 +352,7 @@ module Dependabot
|
|
|
351
352
|
remove_git_source: remove_git_source,
|
|
352
353
|
unlock_requirement: unlock_requirement,
|
|
353
354
|
latest_allowable_version: latest_version,
|
|
355
|
+
cooldown_options: update_cooldown,
|
|
354
356
|
options: options
|
|
355
357
|
)
|
|
356
358
|
end
|
|
@@ -367,11 +369,11 @@ module Dependabot
|
|
|
367
369
|
LatestVersionFinder.new(
|
|
368
370
|
dependency: dependency,
|
|
369
371
|
dependency_files: prepared_dependency_files,
|
|
370
|
-
repo_contents_path: repo_contents_path,
|
|
371
372
|
credentials: credentials,
|
|
372
373
|
ignored_versions: ignored_versions,
|
|
373
374
|
raise_on_ignored: raise_on_ignored,
|
|
374
375
|
security_advisories: security_advisories,
|
|
376
|
+
cooldown_options: update_cooldown,
|
|
375
377
|
options: options
|
|
376
378
|
)
|
|
377
379
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-bundler
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.312.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
|
-
autorequire:
|
|
9
8
|
bindir: bin
|
|
10
9
|
cert_chain: []
|
|
11
|
-
date: 2025-
|
|
10
|
+
date: 2025-05-09 00:00:00.000000000 Z
|
|
12
11
|
dependencies:
|
|
13
12
|
- !ruby/object:Gem::Dependency
|
|
14
13
|
name: dependabot-common
|
|
@@ -16,14 +15,14 @@ dependencies:
|
|
|
16
15
|
requirements:
|
|
17
16
|
- - '='
|
|
18
17
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
18
|
+
version: 0.312.0
|
|
20
19
|
type: :runtime
|
|
21
20
|
prerelease: false
|
|
22
21
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
22
|
requirements:
|
|
24
23
|
- - '='
|
|
25
24
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
25
|
+
version: 0.312.0
|
|
27
26
|
- !ruby/object:Gem::Dependency
|
|
28
27
|
name: parallel
|
|
29
28
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -44,14 +43,14 @@ dependencies:
|
|
|
44
43
|
requirements:
|
|
45
44
|
- - "~>"
|
|
46
45
|
- !ruby/object:Gem::Version
|
|
47
|
-
version: 1.9
|
|
46
|
+
version: '1.9'
|
|
48
47
|
type: :development
|
|
49
48
|
prerelease: false
|
|
50
49
|
version_requirements: !ruby/object:Gem::Requirement
|
|
51
50
|
requirements:
|
|
52
51
|
- - "~>"
|
|
53
52
|
- !ruby/object:Gem::Version
|
|
54
|
-
version: 1.9
|
|
53
|
+
version: '1.9'
|
|
55
54
|
- !ruby/object:Gem::Dependency
|
|
56
55
|
name: gpgme
|
|
57
56
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -72,14 +71,14 @@ dependencies:
|
|
|
72
71
|
requirements:
|
|
73
72
|
- - "~>"
|
|
74
73
|
- !ruby/object:Gem::Version
|
|
75
|
-
version: '13'
|
|
74
|
+
version: '13.2'
|
|
76
75
|
type: :development
|
|
77
76
|
prerelease: false
|
|
78
77
|
version_requirements: !ruby/object:Gem::Requirement
|
|
79
78
|
requirements:
|
|
80
79
|
- - "~>"
|
|
81
80
|
- !ruby/object:Gem::Version
|
|
82
|
-
version: '13'
|
|
81
|
+
version: '13.2'
|
|
83
82
|
- !ruby/object:Gem::Dependency
|
|
84
83
|
name: rspec
|
|
85
84
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -114,98 +113,98 @@ dependencies:
|
|
|
114
113
|
requirements:
|
|
115
114
|
- - "~>"
|
|
116
115
|
- !ruby/object:Gem::Version
|
|
117
|
-
version: 1.9
|
|
116
|
+
version: '1.9'
|
|
118
117
|
type: :development
|
|
119
118
|
prerelease: false
|
|
120
119
|
version_requirements: !ruby/object:Gem::Requirement
|
|
121
120
|
requirements:
|
|
122
121
|
- - "~>"
|
|
123
122
|
- !ruby/object:Gem::Version
|
|
124
|
-
version: 1.9
|
|
123
|
+
version: '1.9'
|
|
125
124
|
- !ruby/object:Gem::Dependency
|
|
126
125
|
name: rubocop
|
|
127
126
|
requirement: !ruby/object:Gem::Requirement
|
|
128
127
|
requirements:
|
|
129
128
|
- - "~>"
|
|
130
129
|
- !ruby/object:Gem::Version
|
|
131
|
-
version: 1.67
|
|
130
|
+
version: '1.67'
|
|
132
131
|
type: :development
|
|
133
132
|
prerelease: false
|
|
134
133
|
version_requirements: !ruby/object:Gem::Requirement
|
|
135
134
|
requirements:
|
|
136
135
|
- - "~>"
|
|
137
136
|
- !ruby/object:Gem::Version
|
|
138
|
-
version: 1.67
|
|
137
|
+
version: '1.67'
|
|
139
138
|
- !ruby/object:Gem::Dependency
|
|
140
139
|
name: rubocop-performance
|
|
141
140
|
requirement: !ruby/object:Gem::Requirement
|
|
142
141
|
requirements:
|
|
143
142
|
- - "~>"
|
|
144
143
|
- !ruby/object:Gem::Version
|
|
145
|
-
version: 1.22
|
|
144
|
+
version: '1.22'
|
|
146
145
|
type: :development
|
|
147
146
|
prerelease: false
|
|
148
147
|
version_requirements: !ruby/object:Gem::Requirement
|
|
149
148
|
requirements:
|
|
150
149
|
- - "~>"
|
|
151
150
|
- !ruby/object:Gem::Version
|
|
152
|
-
version: 1.22
|
|
151
|
+
version: '1.22'
|
|
153
152
|
- !ruby/object:Gem::Dependency
|
|
154
153
|
name: rubocop-rspec
|
|
155
154
|
requirement: !ruby/object:Gem::Requirement
|
|
156
155
|
requirements:
|
|
157
156
|
- - "~>"
|
|
158
157
|
- !ruby/object:Gem::Version
|
|
159
|
-
version: 2.29
|
|
158
|
+
version: '2.29'
|
|
160
159
|
type: :development
|
|
161
160
|
prerelease: false
|
|
162
161
|
version_requirements: !ruby/object:Gem::Requirement
|
|
163
162
|
requirements:
|
|
164
163
|
- - "~>"
|
|
165
164
|
- !ruby/object:Gem::Version
|
|
166
|
-
version: 2.29
|
|
165
|
+
version: '2.29'
|
|
167
166
|
- !ruby/object:Gem::Dependency
|
|
168
167
|
name: rubocop-sorbet
|
|
169
168
|
requirement: !ruby/object:Gem::Requirement
|
|
170
169
|
requirements:
|
|
171
170
|
- - "~>"
|
|
172
171
|
- !ruby/object:Gem::Version
|
|
173
|
-
version: 0.8
|
|
172
|
+
version: '0.8'
|
|
174
173
|
type: :development
|
|
175
174
|
prerelease: false
|
|
176
175
|
version_requirements: !ruby/object:Gem::Requirement
|
|
177
176
|
requirements:
|
|
178
177
|
- - "~>"
|
|
179
178
|
- !ruby/object:Gem::Version
|
|
180
|
-
version: 0.8
|
|
179
|
+
version: '0.8'
|
|
181
180
|
- !ruby/object:Gem::Dependency
|
|
182
181
|
name: simplecov
|
|
183
182
|
requirement: !ruby/object:Gem::Requirement
|
|
184
183
|
requirements:
|
|
185
184
|
- - "~>"
|
|
186
185
|
- !ruby/object:Gem::Version
|
|
187
|
-
version: 0.22
|
|
186
|
+
version: '0.22'
|
|
188
187
|
type: :development
|
|
189
188
|
prerelease: false
|
|
190
189
|
version_requirements: !ruby/object:Gem::Requirement
|
|
191
190
|
requirements:
|
|
192
191
|
- - "~>"
|
|
193
192
|
- !ruby/object:Gem::Version
|
|
194
|
-
version: 0.22
|
|
193
|
+
version: '0.22'
|
|
195
194
|
- !ruby/object:Gem::Dependency
|
|
196
195
|
name: turbo_tests
|
|
197
196
|
requirement: !ruby/object:Gem::Requirement
|
|
198
197
|
requirements:
|
|
199
198
|
- - "~>"
|
|
200
199
|
- !ruby/object:Gem::Version
|
|
201
|
-
version: 2.2
|
|
200
|
+
version: '2.2'
|
|
202
201
|
type: :development
|
|
203
202
|
prerelease: false
|
|
204
203
|
version_requirements: !ruby/object:Gem::Requirement
|
|
205
204
|
requirements:
|
|
206
205
|
- - "~>"
|
|
207
206
|
- !ruby/object:Gem::Version
|
|
208
|
-
version: 2.2
|
|
207
|
+
version: '2.2'
|
|
209
208
|
- !ruby/object:Gem::Dependency
|
|
210
209
|
name: vcr
|
|
211
210
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -238,16 +237,16 @@ dependencies:
|
|
|
238
237
|
name: webrick
|
|
239
238
|
requirement: !ruby/object:Gem::Requirement
|
|
240
239
|
requirements:
|
|
241
|
-
- - "
|
|
240
|
+
- - "~>"
|
|
242
241
|
- !ruby/object:Gem::Version
|
|
243
|
-
version: '1.
|
|
242
|
+
version: '1.9'
|
|
244
243
|
type: :development
|
|
245
244
|
prerelease: false
|
|
246
245
|
version_requirements: !ruby/object:Gem::Requirement
|
|
247
246
|
requirements:
|
|
248
|
-
- - "
|
|
247
|
+
- - "~>"
|
|
249
248
|
- !ruby/object:Gem::Version
|
|
250
|
-
version: '1.
|
|
249
|
+
version: '1.9'
|
|
251
250
|
description: Dependabot-Bundler provides support for bumping Ruby (bundler) gems via
|
|
252
251
|
Dependabot. If you want support for multiple package managers, you probably want
|
|
253
252
|
the meta-gem dependabot-omnibus.
|
|
@@ -305,6 +304,7 @@ files:
|
|
|
305
304
|
- lib/dependabot/bundler/language.rb
|
|
306
305
|
- lib/dependabot/bundler/metadata_finder.rb
|
|
307
306
|
- lib/dependabot/bundler/native_helpers.rb
|
|
307
|
+
- lib/dependabot/bundler/package/package_details_fetcher.rb
|
|
308
308
|
- lib/dependabot/bundler/package_manager.rb
|
|
309
309
|
- lib/dependabot/bundler/requirement.rb
|
|
310
310
|
- lib/dependabot/bundler/update_checker.rb
|
|
@@ -322,8 +322,7 @@ licenses:
|
|
|
322
322
|
- MIT
|
|
323
323
|
metadata:
|
|
324
324
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
325
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
326
|
-
post_install_message:
|
|
325
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.312.0
|
|
327
326
|
rdoc_options: []
|
|
328
327
|
require_paths:
|
|
329
328
|
- lib
|
|
@@ -338,8 +337,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
338
337
|
- !ruby/object:Gem::Version
|
|
339
338
|
version: 3.1.0
|
|
340
339
|
requirements: []
|
|
341
|
-
rubygems_version: 3.
|
|
342
|
-
signing_key:
|
|
340
|
+
rubygems_version: 3.6.3
|
|
343
341
|
specification_version: 4
|
|
344
342
|
summary: Provides Dependabot support for Ruby (bundler)
|
|
345
343
|
test_files: []
|