dependabot-bundler 0.302.0 → 0.304.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6d3c8c83c273d821557584676f42488234689de03421a45e2c49f8e2ab6a26a8
-  data.tar.gz: eeab730ddbd286dec2eb0b273ee3958a41ddd2d605f52e2575f8043dbc03d3fa
+  metadata.gz: afac5aac6bfb6ee45bfa6a928dcd47663352670e32334a78859f6062cdf5e38e
+  data.tar.gz: 9a5c98bda93d938912881fdc6d4407304d485795e6e170c2256b462f8a967546
 SHA512:
-  metadata.gz: 7695d38798ab69af473e091bbf9697875c9216fc6c9272a76fa6ad678bb406274a0e0d96b7a84b78f2924c9065015352294506bce74e0c09f53d03c67ab7af43
-  data.tar.gz: a586a5c50a26304af971e5947398efc1017017c52f9850f840ff083e1e447ade3516db99124c8d1e14cdfff25d7d624ea5019d82e6a5fa4353e664b693816e4d
+  metadata.gz: 19e479a5ea88a9a770c780172b9a1e07cd8a694a3b22825adb348257126871490fe044d56da48a81ca02973cbd0835e5d681a752e4405c3fe0cda3f7c2cda57e
+  data.tar.gz: 45aa64aef52bfca8cb704e1eab1af719ac4a59d3f806e5a4cd412f7ebf234a336fcab74f8e0b56ee749f1ceb92a0b578e0aecf715886a4f1d1960249c7badf11

data/lib/dependabot/bundler/package/package_details_fetcher.rb

@@ -0,0 +1,228 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "json"
+require "time"
+require "cgi"
+require "excon"
+require "nokogiri"
+require "sorbet-runtime"
+require "dependabot/registry_client"
+require "dependabot/bundler"
+require "dependabot/package/package_release"
+require "dependabot/package/package_details"
+
+module Dependabot
+  module Bundler
+    module Package
+      class PackageDetailsFetcher
+        extend T::Sig
+
+        require_relative "../update_checker/shared_bundler_helpers"
+        include Dependabot::Bundler::UpdateChecker::SharedBundlerHelpers
+
+        RELEASES_URL = "https://rubygems.org/api/v1/versions/%s.json"
+        GEM_URL = "https://rubygems.org/gems/%s.gem"
+        PACKAGE_TYPE = "gem"
+        PACKAGE_LANGUAGE = "ruby"
+        APPLICATION_JSON = "application/json"
+
+        RUBYGEMS = "rubygems"
+        PRIVATE_REGISTRY = "private"
+        GIT = "git"
+        OTHER = "other"
+
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
+        def initialize(dependency:, dependency_files:, credentials:)
+          @dependency = dependency
+          @dependency_files = dependency_files
+          @credentials = credentials
+
+          @source_type = T.let(nil, T.nilable(String))
+        end
+
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+
+        sig { returns(T::Array[T.untyped]) }
+        attr_reader :dependency_files
+
+        sig { returns(T::Array[T.untyped]) }
+        attr_reader :credentials
+
+        sig { returns(Dependabot::Package::PackageDetails) }
+        def fetch
+          return rubygems_versions if dependency.name == "bundler"
+          return rubygems_versions unless gemfile
+
+          case source_type
+          when OTHER, GIT, PRIVATE_REGISTRY
+            package_details([])
+          else
+            rubygems_versions
+          end
+        end
+
+        private
+
+        # Example JSON Response Format:
+        # eg https://rubygems.org/api/v1/versions/dependabot-common.json
+        # response:
+        # [
+        # {
+        #   authors: "Dependabot",
+        #   built_at: "2025-03-20T00:00:00.000Z",
+        #   created_at: "2025-03-20T14:48:33.295Z",
+        #   description: "Dependabot-Common provides the shared code used across Dependabot. If you want support for
+        #                 multiple package managers, you probably want the meta-gem dependabot-omnibus.",
+        #   downloads_count: 382,
+        #   metadata: {
+        #   changelog_uri: "https://github.com/dependabot/dependabot-core/releases/tag/v0.302.0",
+        #   bug_tracker_uri: "https://github.com/dependabot/dependabot-core/issues"
+        #   },
+        #   number: "0.302.0",
+        #   summary: "Shared code used across Dependabot Core",
+        #   platform: "ruby",
+        #   rubygems_version: ">= 3.3.7",
+        #   ruby_version: ">= 3.1.0",
+        #   prerelease: false,
+        #   licenses: [
+        #   "MIT"
+        #   ],
+        #   requirements: [ ],
+        #   sha: "e8ef286a91add81534c297425f2f2efc0c5671f3307307f7fad62c059ed8fca2",
+        #   spec_sha: "cd0ac8f3462449bf19e7356dbc2ec83eec378b41702e03221ededc49875b1e1c"
+        #   },
+        #   {
+        #   authors: "Dependabot",
+        #   built_at: "2025-03-14T00:00:00.000Z",
+        #   created_at: "2025-03-14T18:46:18.547Z",
+        #   description: "Dependabot-Common provides the shared code used across Dependabot. If you want support for
+        #                 multiple package managers, you probably want the meta-gem dependabot-omnibus.",
+        #   downloads_count: 324,
+        #   metadata: {
+        #   changelog_uri: "https://github.com/dependabot/dependabot-core/releases/tag/v0.301.1",
+        #   bug_tracker_uri: "https://github.com/dependabot/dependabot-core/issues"
+        #   },
+        #   number: "0.301.1",
+        #   summary: "Shared code used across Dependabot Core",
+        #   platform: "ruby",
+        #   rubygems_version: ">= 3.3.7",
+        #   ruby_version: ">= 3.1.0",
+        #   prerelease: false,
+        #   licenses: [
+        #   "MIT"
+        #   ],
+        #   requirements: [ ],
+        #   sha: "47e5948069571271d72c12f8c03106b415a00550857b6c5fb22aeb780cfe1da7",
+        #   spec_sha: "7191388ac6fa0ea72ed7588f848b2b244a0dc5a4ec3e6b7c9d395296b0fa93d9"
+        #   },
+        # ...
+        # ]
+        sig { returns(Dependabot::Package::PackageDetails) }
+        def rubygems_versions
+          response = registry_json_response_for_dependency
+          raise unless response.status == 200
+
+          package_releases = JSON.parse(response.body).map do |release|
+            package_release(
+              version: release["number"],
+              released_at: Time.parse(release["created_at"]),
+              downloads: release["downloads_count"],
+              url: GEM_URL % "#{@dependency.name}-#{release['number']}",
+              ruby_version: release["ruby_version"]
+            )
+          end
+
+          package_details(package_releases)
+        end
+
+        sig { returns(Excon::Response) }
+        def registry_json_response_for_dependency
+          url = RELEASES_URL % dependency.name
+          Dependabot::RegistryClient.get(
+            url: url,
+            headers: { "Accept" => APPLICATION_JSON }
+          )
+        end
+
+        sig { params(req_string: String).returns(Requirement) }
+        def language_requirement(req_string)
+          Requirement.new(req_string)
+        end
+
+        sig { returns(String) }
+        def source_type
+          @source_type ||= begin
+            return @source_type = RUBYGEMS unless gemfile
+
+            @source_type = in_a_native_bundler_context do |tmp_dir|
+              NativeHelpers.run_bundler_subprocess(
+                bundler_version: bundler_version,
+                function: "dependency_source_type",
+                options: {}, # options,
+                args: {
+                  dir: tmp_dir,
+                  gemfile_name: gemfile.name,
+                  dependency_name: dependency.name,
+                  credentials: credentials
+                }
+              )
+            end
+          end
+        end
+
+        sig { override.returns(String) }
+        def bundler_version
+          @bundler_version ||= T.let(Helpers.bundler_version(lockfile), T.nilable(String))
+        end
+
+        sig do
+          params(releases: T::Array[Dependabot::Package::PackageRelease])
+            .returns(Dependabot::Package::PackageDetails)
+        end
+        def package_details(releases)
+          @package_details ||= T.let(
+            Dependabot::Package::PackageDetails.new(
+              dependency: dependency,
+              releases: releases.reverse.uniq(&:version)
+            ), T.nilable(Dependabot::Package::PackageDetails)
+          )
+        end
+
+        sig do
+          params(
+            version: String,
+            released_at: Time,
+            downloads: Integer,
+            url: String,
+            ruby_version: String,
+            yanked: T::Boolean
+          ).returns(Dependabot::Package::PackageRelease)
+        end
+        def package_release(version:, released_at:, downloads:, url:, ruby_version:, yanked: false)
+          Dependabot::Package::PackageRelease.new(
+            version: Dependabot::Bundler::Version.new(version),
+            released_at: released_at,
+            yanked: yanked,
+            yanked_reason: nil,
+            downloads: downloads,
+            url: url,
+            package_type: PACKAGE_TYPE,
+            language: Dependabot::Package::PackageLanguage.new(
+              name: PACKAGE_LANGUAGE,
+              version: nil,
+              requirement: language_requirement(ruby_version)
+            )
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/update_checker/latest_version_finder/dependency_source.rb

@@ -4,12 +4,13 @@
 require "dependabot/registry_client"
 require "dependabot/bundler/native_helpers"
 require "dependabot/bundler/helpers"
+require "dependabot/bundler/update_checker/latest_version_finder"
 require "sorbet-runtime"
 
 module Dependabot
   module Bundler
     class UpdateChecker
-      class LatestVersionFinder
+      class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
         class DependencySource
           extend T::Sig
 

data/lib/dependabot/bundler/update_checker/latest_version_finder.rb

@@ -8,46 +8,54 @@ require "dependabot/update_checkers/version_filters"
 require "dependabot/bundler/requirement"
 require "dependabot/shared_helpers"
 require "dependabot/errors"
+require "dependabot/package/package_latest_version_finder"
 require "dependabot/bundler/update_checker/latest_version_finder/" \
         "dependency_source"
+require "dependabot/bundler/package/package_details_fetcher"
 require "sorbet-runtime"
 
 module Dependabot
   module Bundler
     class UpdateChecker
-      class LatestVersionFinder
+      class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
         extend T::Sig
 
-        def initialize(dependency:, dependency_files:, repo_contents_path: nil,
-                       credentials:, ignored_versions:, raise_on_ignored: false,
-                       security_advisories:, options:)
-          @dependency          = dependency
-          @dependency_files    = dependency_files
-          @repo_contents_path  = repo_contents_path
-          @credentials         = credentials
-          @ignored_versions    = ignored_versions
-          @raise_on_ignored    = raise_on_ignored
-          @security_advisories = security_advisories
-          @options             = options
+        sig { override.returns(T.nilable(Dependabot::Package::PackageDetails)) }
+        def package_details
+          @package_details ||= Package::PackageDetailsFetcher.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials
+          ).fetch
         end
 
         def latest_version_details
-          @latest_version_details ||= fetch_latest_version_details
+          @latest_version_details ||= if cooldown_enabled?
+                                        latest_version = fetch_latest_version(language_version: nil)
+                                        latest_version ? { version: latest_version } : nil
+                                      else
+                                        fetch_latest_version_details
+                                      end
         end
 
-        def lowest_security_fix_version
-          @lowest_security_fix_version ||= fetch_lowest_security_fix_version
+        sig { override.returns(T::Boolean) }
+        def cooldown_enabled?
+          Dependabot::Experiments.enabled?(:enable_cooldown_for_bundler)
         end
 
-        private
+        sig { override.returns(T.nilable(T::Array[Dependabot::Package::PackageRelease])) }
+        def available_versions
+          return nil if package_details&.releases.nil?
+
+          source_versions = dependency_source.versions
+          return [] if source_versions.empty?
 
-        attr_reader :dependency
-        attr_reader :dependency_files
-        attr_reader :repo_contents_path
-        attr_reader :credentials
-        attr_reader :ignored_versions
-        attr_reader :security_advisories
-        attr_reader :options
+          T.must(package_details).releases.select do |release|
+            source_versions.any? { |v| v.to_s == release.version.to_s }
+          end
+        end
+
+        private
 
         def fetch_latest_version_details
           return dependency_source.latest_git_version_details if dependency_source.git?
@@ -59,7 +67,7 @@ module Dependabot
           relevant_versions.empty? ? nil : { version: relevant_versions.max }
         end
 
-        def fetch_lowest_security_fix_version
+        def fetch_lowest_security_fix_version(*)
           return if dependency_source.git?
 
           relevant_versions = dependency_source.versions
@@ -72,41 +80,9 @@ module Dependabot
           relevant_versions.min
         end
 
-        sig { params(versions_array: T::Array[Gem::Version]).returns(T::Array[Gem::Version]) }
-        def filter_prerelease_versions(versions_array)
-          return versions_array if wants_prerelease?
-
-          filtered = versions_array.reject(&:prerelease?)
-          if versions_array.count > filtered.count
-            Dependabot.logger.info("Filtered out #{versions_array.count - filtered.count} pre-release versions")
-          end
-          filtered
-        end
-
-        sig { params(versions_array: T::Array[Gem::Version]).returns(T::Array[Gem::Version]) }
-        def filter_ignored_versions(versions_array)
-          filtered = versions_array
-                     .reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
-          if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(versions_array).any?
-            raise AllVersionsIgnored
-          end
-
-          if versions_array.count > filtered.count
-            Dependabot.logger.info("Filtered out #{versions_array.count - filtered.count} ignored versions")
-          end
-
-          filtered
-        end
-
-        def filter_lower_versions(versions_array)
-          return versions_array unless dependency.numeric_version
-
-          versions_array
-            .select { |version| version > dependency.numeric_version }
-        end
-
+        sig { returns(T::Boolean) }
         def wants_prerelease?
-          @wants_prerelease ||=
+          @wants_prerelease ||= T.let(
             begin
               current_version = dependency.numeric_version
               if current_version&.prerelease?
@@ -116,30 +92,21 @@ module Dependabot
                   req[:requirement].match?(/[a-z]/i)
                 end
               end
-            end
+            end, T.nilable(T::Boolean)
+          )
         end
 
+        # sig { returns(DependencySource) }
         def dependency_source
-          @dependency_source ||= DependencySource.new(
-            dependency: dependency,
-            dependency_files: dependency_files,
-            credentials: credentials,
-            options: options
+          @dependency_source ||= T.let(
+            DependencySource.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials,
+              options: options
+            ), T.nilable(DependencySource)
           )
         end
-
-        def ignore_requirements
-          ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
-        end
-
-        def requirement_class
-          dependency.requirement_class
-        end
-
-        def gemfile
-          dependency_files.find { |f| f.name == "Gemfile" } ||
-            dependency_files.find { |f| f.name == "gems.rb" }
-        end
       end
     end
   end

data/lib/dependabot/bundler/update_checker/version_resolver.rb

@@ -26,6 +26,7 @@ module Dependabot
                        replacement_git_pin: nil, remove_git_source: false,
                        unlock_requirement: true,
                        latest_allowable_version: nil,
+                       cooldown_options: {},
                        options:)
           @dependency                  = dependency
           @unprepared_dependency_files = unprepared_dependency_files
@@ -37,6 +38,7 @@ module Dependabot
           @remove_git_source           = remove_git_source
           @unlock_requirement          = unlock_requirement
           @latest_allowable_version    = latest_allowable_version
+          @cooldown_options            = cooldown_options
           @options                     = options
 
           @latest_allowable_version_incompatible_with_ruby = false
@@ -183,7 +185,6 @@ module Dependabot
             LatestVersionFinder.new(
               dependency: dependency,
               dependency_files: dependency_files,
-              repo_contents_path: repo_contents_path,
               credentials: credentials,
               ignored_versions: ignored_versions,
               raise_on_ignored: @raise_on_ignored,

data/lib/dependabot/bundler/update_checker.rb

@@ -367,7 +367,6 @@ module Dependabot
             LatestVersionFinder.new(
               dependency: dependency,
               dependency_files: prepared_dependency_files,
-              repo_contents_path: repo_contents_path,
               credentials: credentials,
               ignored_versions: ignored_versions,
               raise_on_ignored: raise_on_ignored,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bundler
 version: !ruby/object:Gem::Version
-  version: 0.302.0
+  version: 0.304.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-20 00:00:00.000000000 Z
+date: 2025-04-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.302.0
+        version: 0.304.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.302.0
+        version: 0.304.0
 - !ruby/object:Gem::Dependency
   name: parallel
   requirement: !ruby/object:Gem::Requirement
@@ -170,14 +170,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.5
+        version: 0.8.7
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.5
+        version: 0.8.7
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -305,6 +305,7 @@ files:
 - lib/dependabot/bundler/language.rb
 - lib/dependabot/bundler/metadata_finder.rb
 - lib/dependabot/bundler/native_helpers.rb
+- lib/dependabot/bundler/package/package_details_fetcher.rb
 - lib/dependabot/bundler/package_manager.rb
 - lib/dependabot/bundler/requirement.rb
 - lib/dependabot/bundler/update_checker.rb
@@ -322,7 +323,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.302.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.304.0
 post_install_message:
 rdoc_options: []
 require_paths: