dependabot-bundler 0.308.0 → 0.309.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/bundler/file_updater/ruby_requirement_setter.rb +1 -1
- data/lib/dependabot/bundler/update_checker/file_preparer.rb +5 -5
- data/lib/dependabot/bundler/update_checker/latest_version_finder/dependency_source.rb +3 -3
- data/lib/dependabot/bundler/update_checker/latest_version_finder.rb +64 -10
- data/lib/dependabot/bundler/update_checker/requirements_updater.rb +5 -3
- data/lib/dependabot/bundler/update_checker/version_resolver.rb +1 -1
- data/lib/dependabot/bundler/update_checker.rb +3 -3
- metadata +5 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 98adda346a76e929779863234b449bde7f6a82d20fd06b276985733aba5a1b32
|
|
4
|
+
data.tar.gz: 72fa485c071bb1afaa4e28745cd61a869208a305efd87e0031f8f4d6c644a718
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 661373820c2f8824b479631641081b88dcea64b877ae6e98961419ce5ddfd75e8f8154eee095745c854c124aab1dc6bae539633474763b4f3077127659ea2d2a
|
|
7
|
+
data.tar.gz: af152a6768a8675641f02b3bd98019163e047c9fd5fc75928eefb427e1d9b7fade6a1727a652cc43d0a83f0bc6914181e76787aea8a0d753943465ef52af116f
|
|
@@ -215,13 +215,13 @@ module Dependabot
|
|
|
215
215
|
lower_bound_req = updated_version_req_lower_bound(filename)
|
|
216
216
|
|
|
217
217
|
return lower_bound_req if latest_allowable_version.nil?
|
|
218
|
-
return lower_bound_req unless
|
|
218
|
+
return lower_bound_req unless Bundler::Version.correct?(latest_allowable_version)
|
|
219
219
|
|
|
220
220
|
lower_bound_req + ", <= #{latest_allowable_version}"
|
|
221
221
|
end
|
|
222
222
|
|
|
223
223
|
# rubocop:disable Metrics/PerceivedComplexity
|
|
224
|
-
def updated_version_req_lower_bound(filename)
|
|
224
|
+
def updated_version_req_lower_bound(filename) # rubocop:disable Metrics/CyclomaticComplexity
|
|
225
225
|
original_req = dependency.requirements
|
|
226
226
|
.find { |r| r.fetch(:file) == filename }
|
|
227
227
|
&.fetch(:requirement)
|
|
@@ -234,9 +234,9 @@ module Dependabot
|
|
|
234
234
|
dependency.requirements.map { |r| r[:requirement] }
|
|
235
235
|
.reject { |req_string| req_string.start_with?("<") }
|
|
236
236
|
.select { |req_string| req_string.match?(VERSION_REGEX) }
|
|
237
|
-
.map { |req_string| req_string.match(VERSION_REGEX) }
|
|
238
|
-
.select { |version|
|
|
239
|
-
.max_by { |version|
|
|
237
|
+
.map { |req_string| req_string.match(VERSION_REGEX)&.to_s }
|
|
238
|
+
.select { |version| Bundler::Version.correct?(version) }
|
|
239
|
+
.max_by { |version| Bundler::Version.new(version) }
|
|
240
240
|
|
|
241
241
|
">= #{version_for_requirement || 0}"
|
|
242
242
|
end
|
|
@@ -40,7 +40,7 @@ module Dependabot
|
|
|
40
40
|
|
|
41
41
|
# The latest version details for the dependency from a registry
|
|
42
42
|
#
|
|
43
|
-
sig { returns(T::Array[
|
|
43
|
+
sig { returns(T::Array[Dependabot::Bundler::Version]) }
|
|
44
44
|
def versions
|
|
45
45
|
return rubygems_versions if dependency.name == "bundler"
|
|
46
46
|
return rubygems_versions unless gemfile
|
|
@@ -99,7 +99,7 @@ module Dependabot
|
|
|
99
99
|
)
|
|
100
100
|
|
|
101
101
|
JSON.parse(response.body)
|
|
102
|
-
.map { |d|
|
|
102
|
+
.map { |d| Dependabot::Bundler::Version.new(d["number"]) }
|
|
103
103
|
end
|
|
104
104
|
rescue JSON::ParserError, Excon::Error::Timeout
|
|
105
105
|
@rubygems_versions = []
|
|
@@ -123,7 +123,7 @@ module Dependabot
|
|
|
123
123
|
credentials: credentials
|
|
124
124
|
}
|
|
125
125
|
).map do |version_string|
|
|
126
|
-
|
|
126
|
+
Dependabot::Bundler::Version.new(version_string)
|
|
127
127
|
end
|
|
128
128
|
end
|
|
129
129
|
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "excon"
|
|
@@ -20,6 +20,34 @@ module Dependabot
|
|
|
20
20
|
class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
|
|
21
21
|
extend T::Sig
|
|
22
22
|
|
|
23
|
+
sig do
|
|
24
|
+
params(
|
|
25
|
+
dependency: Dependabot::Dependency,
|
|
26
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
27
|
+
credentials: T::Array[Dependabot::Credential],
|
|
28
|
+
ignored_versions: T::Array[String],
|
|
29
|
+
security_advisories: T::Array[Dependabot::SecurityAdvisory],
|
|
30
|
+
cooldown_options: T.nilable(Dependabot::Package::ReleaseCooldownOptions),
|
|
31
|
+
raise_on_ignored: T::Boolean,
|
|
32
|
+
options: T::Hash[Symbol, T.untyped]
|
|
33
|
+
).void
|
|
34
|
+
end
|
|
35
|
+
def initialize(
|
|
36
|
+
dependency:,
|
|
37
|
+
dependency_files:,
|
|
38
|
+
credentials:,
|
|
39
|
+
ignored_versions:,
|
|
40
|
+
security_advisories:,
|
|
41
|
+
cooldown_options: nil,
|
|
42
|
+
raise_on_ignored: false,
|
|
43
|
+
options: {}
|
|
44
|
+
)
|
|
45
|
+
@package_details = T.let(nil, T.nilable(Dependabot::Package::PackageDetails))
|
|
46
|
+
@latest_version_details = T.let(nil, T.nilable(T::Hash[Symbol, T.untyped]))
|
|
47
|
+
@releases_from_dependency_source = T.let(nil, T.nilable(T::Array[Dependabot::Package::PackageRelease]))
|
|
48
|
+
super
|
|
49
|
+
end
|
|
50
|
+
|
|
23
51
|
sig { override.returns(T.nilable(Dependabot::Package::PackageDetails)) }
|
|
24
52
|
def package_details
|
|
25
53
|
@package_details ||= Package::PackageDetailsFetcher.new(
|
|
@@ -29,6 +57,7 @@ module Dependabot
|
|
|
29
57
|
).fetch
|
|
30
58
|
end
|
|
31
59
|
|
|
60
|
+
sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
|
|
32
61
|
def latest_version_details
|
|
33
62
|
@latest_version_details ||= if cooldown_enabled?
|
|
34
63
|
latest_version = fetch_latest_version(language_version: nil)
|
|
@@ -47,7 +76,7 @@ module Dependabot
|
|
|
47
76
|
def available_versions
|
|
48
77
|
return nil if package_details&.releases.nil?
|
|
49
78
|
|
|
50
|
-
source_versions =
|
|
79
|
+
source_versions = releases_from_dependency_source
|
|
51
80
|
return [] if source_versions.empty?
|
|
52
81
|
|
|
53
82
|
T.must(package_details).releases.select do |release|
|
|
@@ -57,27 +86,52 @@ module Dependabot
|
|
|
57
86
|
|
|
58
87
|
private
|
|
59
88
|
|
|
89
|
+
sig { returns(T.nilable(T::Hash[Symbol, Dependabot::Version])) }
|
|
60
90
|
def fetch_latest_version_details
|
|
61
91
|
return dependency_source.latest_git_version_details if dependency_source.git?
|
|
62
92
|
|
|
63
|
-
relevant_versions =
|
|
93
|
+
relevant_versions = releases_from_dependency_source
|
|
64
94
|
relevant_versions = filter_prerelease_versions(relevant_versions)
|
|
65
95
|
relevant_versions = filter_ignored_versions(relevant_versions)
|
|
66
96
|
|
|
67
|
-
relevant_versions.empty?
|
|
97
|
+
return if relevant_versions.empty?
|
|
98
|
+
|
|
99
|
+
release = relevant_versions.max_by(&:version)
|
|
100
|
+
|
|
101
|
+
{ version: release&.version }
|
|
68
102
|
end
|
|
69
103
|
|
|
70
|
-
|
|
104
|
+
sig do
|
|
105
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
106
|
+
.returns(T.nilable(Dependabot::Version))
|
|
107
|
+
end
|
|
108
|
+
def fetch_lowest_security_fix_version(language_version: nil) # rubocop:disable Lint/UnusedMethodArgument
|
|
71
109
|
return if dependency_source.git?
|
|
72
110
|
|
|
73
|
-
relevant_versions =
|
|
111
|
+
relevant_versions = releases_from_dependency_source
|
|
74
112
|
relevant_versions = filter_prerelease_versions(relevant_versions)
|
|
75
|
-
relevant_versions = Dependabot::UpdateCheckers::VersionFilters
|
|
76
|
-
|
|
113
|
+
relevant_versions = Dependabot::UpdateCheckers::VersionFilters
|
|
114
|
+
.filter_vulnerable_versions(
|
|
115
|
+
relevant_versions,
|
|
116
|
+
security_advisories
|
|
117
|
+
)
|
|
77
118
|
relevant_versions = filter_ignored_versions(relevant_versions)
|
|
78
119
|
relevant_versions = filter_lower_versions(relevant_versions)
|
|
79
120
|
|
|
80
|
-
relevant_versions.
|
|
121
|
+
relevant_versions.min_by(&:version)&.version
|
|
122
|
+
end
|
|
123
|
+
|
|
124
|
+
sig { returns(T::Array[Dependabot::Package::PackageRelease]) }
|
|
125
|
+
def releases_from_dependency_source
|
|
126
|
+
return @releases_from_dependency_source if @releases_from_dependency_source
|
|
127
|
+
|
|
128
|
+
@releases_from_dependency_source =
|
|
129
|
+
dependency_source.versions.map do |version|
|
|
130
|
+
Dependabot::Package::PackageRelease.new(
|
|
131
|
+
version: version
|
|
132
|
+
)
|
|
133
|
+
end
|
|
134
|
+
@releases_from_dependency_source
|
|
81
135
|
end
|
|
82
136
|
|
|
83
137
|
sig { returns(T::Boolean) }
|
|
@@ -96,7 +150,7 @@ module Dependabot
|
|
|
96
150
|
)
|
|
97
151
|
end
|
|
98
152
|
|
|
99
|
-
|
|
153
|
+
sig { returns(DependencySource) }
|
|
100
154
|
def dependency_source
|
|
101
155
|
@dependency_source ||= T.let(
|
|
102
156
|
DependencySource.new(
|
|
@@ -26,7 +26,7 @@ module Dependabot
|
|
|
26
26
|
def initialize(requirements:, update_strategy:, updated_source:,
|
|
27
27
|
latest_version:, latest_resolvable_version:)
|
|
28
28
|
@requirements = requirements
|
|
29
|
-
@latest_version =
|
|
29
|
+
@latest_version = Dependabot::Bundler::Version.new(latest_version) if latest_version
|
|
30
30
|
@updated_source = updated_source
|
|
31
31
|
@update_strategy = update_strategy
|
|
32
32
|
|
|
@@ -35,7 +35,7 @@ module Dependabot
|
|
|
35
35
|
return unless latest_resolvable_version
|
|
36
36
|
|
|
37
37
|
@latest_resolvable_version =
|
|
38
|
-
|
|
38
|
+
Dependabot::Bundler::Version.new(latest_resolvable_version)
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
def updated_requirements
|
|
@@ -267,7 +267,9 @@ module Dependabot
|
|
|
267
267
|
# Updates the version in a "<" or "<=" constraint to allow the given
|
|
268
268
|
# version
|
|
269
269
|
def update_greatest_version(requirement, version_to_be_permitted)
|
|
270
|
-
|
|
270
|
+
if version_to_be_permitted.is_a?(String)
|
|
271
|
+
version_to_be_permitted = Dependabot::Bundler::Version.new(version_to_be_permitted)
|
|
272
|
+
end
|
|
271
273
|
op, version = requirement.requirements.first
|
|
272
274
|
version = version.release if version.prerelease?
|
|
273
275
|
|
|
@@ -118,7 +118,7 @@ module Dependabot
|
|
|
118
118
|
# mismatch
|
|
119
119
|
return nil if ruby_version_incompatible?(details)
|
|
120
120
|
|
|
121
|
-
details[:version] =
|
|
121
|
+
details[:version] = Dependabot::Bundler::Version.new(details[:version])
|
|
122
122
|
end
|
|
123
123
|
details
|
|
124
124
|
end
|
|
@@ -130,10 +130,10 @@ module Dependabot
|
|
|
130
130
|
|
|
131
131
|
updated_dependencies.none? do |dep|
|
|
132
132
|
old_version = dep.previous_version
|
|
133
|
-
next unless
|
|
134
|
-
next if
|
|
133
|
+
next unless Dependabot::Bundler::Version.correct?(old_version)
|
|
134
|
+
next if Dependabot::Bundler::Version.new(old_version).prerelease?
|
|
135
135
|
|
|
136
|
-
|
|
136
|
+
Dependabot::Bundler::Version.new(dep.version).prerelease?
|
|
137
137
|
end
|
|
138
138
|
rescue Dependabot::DependencyFileNotResolvable
|
|
139
139
|
false
|
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-bundler
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.309.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
bindir: bin
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2025-04-
|
|
10
|
+
date: 2025-04-17 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: dependabot-common
|
|
@@ -15,14 +15,14 @@ dependencies:
|
|
|
15
15
|
requirements:
|
|
16
16
|
- - '='
|
|
17
17
|
- !ruby/object:Gem::Version
|
|
18
|
-
version: 0.
|
|
18
|
+
version: 0.309.0
|
|
19
19
|
type: :runtime
|
|
20
20
|
prerelease: false
|
|
21
21
|
version_requirements: !ruby/object:Gem::Requirement
|
|
22
22
|
requirements:
|
|
23
23
|
- - '='
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
|
-
version: 0.
|
|
25
|
+
version: 0.309.0
|
|
26
26
|
- !ruby/object:Gem::Dependency
|
|
27
27
|
name: parallel
|
|
28
28
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -322,7 +322,7 @@ licenses:
|
|
|
322
322
|
- MIT
|
|
323
323
|
metadata:
|
|
324
324
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
325
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
325
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.309.0
|
|
326
326
|
rdoc_options: []
|
|
327
327
|
require_paths:
|
|
328
328
|
- lib
|