dependabot-bundler 0.332.0 → 0.334.0

data/lib/dependabot/bundler/update_checker/file_preparer.rb

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/dependency_file"
 require "dependabot/bundler/update_checker"
 require "dependabot/bundler/cached_lockfile_parser"
@@ -26,10 +28,13 @@ module Dependabot
       #   version allowed by the gemspec, if the gemspec has a required ruby
       #   version range
       class FilePreparer
+        extend T::Sig
+
         VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/
 
         # Can't be a constant because some of these don't exist in bundler
         # 1.15, which Heroku uses, which causes an exception on boot.
+        sig { returns(T::Array[T.class_of(::Bundler::Source::Path)]) }
         def gemspec_sources
           [
             ::Bundler::Source::Path,
@@ -37,31 +42,47 @@ module Dependabot
           ]
         end
 
+        sig do
+          params(
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            dependency: Dependabot::Dependency,
+            remove_git_source: T::Boolean,
+            unlock_requirement: T::Boolean,
+            replacement_git_pin: T.nilable(String),
+            latest_allowable_version: T.nilable(T.any(String, Dependabot::Version)),
+            lock_ruby_version: T::Boolean
+          ).void
+        end
         def initialize(dependency_files:, dependency:,
                        remove_git_source: false,
                        unlock_requirement: true,
                        replacement_git_pin: nil,
                        latest_allowable_version: nil,
                        lock_ruby_version: true)
-          @dependency_files         = dependency_files
-          @dependency               = dependency
-          @remove_git_source        = remove_git_source
-          @unlock_requirement       = unlock_requirement
-          @replacement_git_pin      = replacement_git_pin
-          @latest_allowable_version = latest_allowable_version
-          @lock_ruby_version        = lock_ruby_version
+          @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
+          @dependency = T.let(dependency, Dependabot::Dependency)
+          @remove_git_source = T.let(remove_git_source, T::Boolean)
+          @unlock_requirement = T.let(unlock_requirement, T::Boolean)
+          @replacement_git_pin = T.let(replacement_git_pin, T.nilable(String))
+          @latest_allowable_version = T.let(
+            latest_allowable_version&.to_s,
+            T.nilable(String)
+          )
+          @lock_ruby_version = T.let(lock_ruby_version, T::Boolean)
         end
 
         # rubocop:disable Metrics/AbcSize
         # rubocop:disable Metrics/MethodLength
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def prepared_dependency_files
           files = []
 
-          if gemfile
+          gemfile_file = gemfile
+          if gemfile_file
             files << DependencyFile.new(
-              name: gemfile.name,
-              content: gemfile_content_for_update_check(gemfile),
-              directory: gemfile.directory
+              name: gemfile_file.name,
+              content: gemfile_content_for_update_check(gemfile_file),
+              directory: gemfile_file.directory
             )
           end
 
@@ -76,7 +97,7 @@ module Dependabot
           path_gemspecs.each do |file|
             files << DependencyFile.new(
               name: file.name,
-              content: sanitize_gemspec_content(file.content),
+              content: sanitize_gemspec_content(T.must(file.content)),
               directory: file.directory,
               support_file: file.support_file?
             )
@@ -104,28 +125,37 @@ module Dependabot
 
         private
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+        sig { returns(Dependabot::Dependency) }
         attr_reader :dependency
+        sig { returns(T.nilable(String)) }
         attr_reader :replacement_git_pin
+        sig { returns(T.nilable(String)) }
         attr_reader :latest_allowable_version
 
+        sig { returns(T::Boolean) }
         def remove_git_source?
           @remove_git_source
         end
 
+        sig { returns(T::Boolean) }
         def unlock_requirement?
           @unlock_requirement
         end
 
+        sig { returns(T::Boolean) }
         def replace_git_pin?
           !replacement_git_pin.nil?
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def gemfile
           dependency_files.find { |f| f.name == "Gemfile" } ||
             dependency_files.find { |f| f.name == "gems.rb" }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def evaled_gemfiles
           dependency_files
             .reject { |f| f.name.end_with?(".gemspec") }
@@ -137,41 +167,49 @@ module Dependabot
             .reject(&:support_file?)
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def lockfile
           dependency_files.find { |f| f.name == "Gemfile.lock" } ||
             dependency_files.find { |f| f.name == "gems.locked" }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def specification_files
           dependency_files.select { |f| f.name.end_with?(".specification") }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def top_level_gemspecs
           dependency_files
             .select { |f| f.name.end_with?(".gemspec") }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def ruby_version_file
           dependency_files.find { |f| f.name == ".ruby-version" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def tool_versions_file
           dependency_files.find { |f| f.name == ".tool-versions" }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def path_gemspecs
           all = dependency_files.select { |f| f.name.end_with?(".gemspec") }
           all - top_level_gemspecs
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def imported_ruby_files
           dependency_files
             .select { |f| f.name.end_with?(".rb") }
             .reject { |f| f.name == "gems.rb" }
         end
 
+        sig { params(file: Dependabot::DependencyFile).returns(String) }
         def gemfile_content_for_update_check(file)
-          content = file.content
+          content = T.must(file.content)
           content = replace_gemfile_constraint(content, file.name)
           content = remove_git_source(content) if remove_git_source?
           content = replace_git_pin(content) if replace_git_pin?
@@ -179,12 +217,14 @@ module Dependabot
           content
         end
 
+        sig { params(gemspec: Dependabot::DependencyFile).returns(String) }
         def gemspec_content_for_update_check(gemspec)
-          content = gemspec.content
+          content = T.must(gemspec.content)
           content = replace_gemspec_constraint(content, gemspec.name)
           sanitize_gemspec_content(content)
         end
 
+        sig { params(content: String, filename: String).returns(String) }
         def replace_gemfile_constraint(content, filename)
           FileUpdater::RequirementReplacer.new(
             dependency: dependency,
@@ -194,6 +234,7 @@ module Dependabot
           ).rewrite(content)
         end
 
+        sig { params(content: String, filename: String).returns(String) }
         def replace_gemspec_constraint(content, filename)
           FileUpdater::RequirementReplacer.new(
             dependency: dependency,
@@ -203,6 +244,7 @@ module Dependabot
           ).rewrite(content)
         end
 
+        sig { params(gemspec_content: String).returns(String) }
         def sanitize_gemspec_content(gemspec_content)
           new_version = replacement_version_for_gemspec(gemspec_content)
 
@@ -211,6 +253,7 @@ module Dependabot
             .rewrite(gemspec_content)
         end
 
+        sig { params(filename: String).returns(String) }
         def updated_version_requirement_string(filename)
           lower_bound_req = updated_version_req_lower_bound(filename)
 
@@ -221,6 +264,7 @@ module Dependabot
         end
 
         # rubocop:disable Metrics/PerceivedComplexity
+        sig { params(filename: String).returns(String) }
         def updated_version_req_lower_bound(filename) # rubocop:disable Metrics/CyclomaticComplexity
           original_req = dependency.requirements
                                    .find { |r| r.fetch(:file) == filename }
@@ -243,19 +287,22 @@ module Dependabot
         end
         # rubocop:enable Metrics/PerceivedComplexity
 
+        sig { params(content: String).returns(String) }
         def remove_git_source(content)
           FileUpdater::GitSourceRemover.new(
             dependency: dependency
           ).rewrite(content)
         end
 
+        sig { params(content: String).returns(String) }
         def replace_git_pin(content)
           FileUpdater::GitPinReplacer.new(
             dependency: dependency,
-            new_pin: replacement_git_pin
+            new_pin: T.must(replacement_git_pin)
           ).rewrite(content)
         end
 
+        sig { params(gemfile_content: String).returns(String) }
         def lock_ruby_version(gemfile_content)
           top_level_gemspecs.each do |gs|
             gemfile_content = FileUpdater::RubyRequirementSetter
@@ -265,11 +312,13 @@ module Dependabot
           gemfile_content
         end
 
+        sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
         def lock_ruby_version?(file)
           @lock_ruby_version && file == gemfile
         end
 
         # rubocop:disable Metrics/PerceivedComplexity
+        sig { params(gemspec_content: String).returns(String) }
         def replacement_version_for_gemspec(gemspec_content)
           return "0.0.1" unless lockfile
 
@@ -282,17 +331,18 @@ module Dependabot
             .new(gemspec_content: gemspec_content)
             .dependency_name
 
-          return gemspec_specs.first&.version || "0.0.1" unless gem_name
+          return gemspec_specs.first&.version&.to_s || "0.0.1" unless gem_name
 
           spec = gemspec_specs.find { |s| s.name == gem_name }
-          spec&.version || gemspec_specs.first&.version || "0.0.1"
+          spec&.version&.to_s || gemspec_specs.first&.version&.to_s || "0.0.1"
         end
         # rubocop:enable Metrics/PerceivedComplexity
 
         # TODO: Stop sanitizing the lockfile once we have bundler 2 installed
+        sig { returns(String) }
         def sanitized_lockfile_content
           re = FileUpdater::LockfileUpdater::LOCKFILE_ENDING
-          lockfile.content.gsub(re, "")
+          T.must(T.must(lockfile).content).gsub(re, "")
         end
       end
     end

data/lib/dependabot/bundler/update_checker/force_updater.rb

@@ -186,7 +186,7 @@ module Dependabot
           )
         end
 
-        sig { params(dependency: Dependabot::Dependency).returns(T.nilable(T::Hash[String, T.untyped])) }
+        sig { params(dependency: Dependabot::Dependency).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
         def source_for(dependency)
           dependency.requirements
                     .find { |r| r.fetch(:source) }

data/lib/dependabot/bundler/update_checker/latest_version_finder/dependency_source.rb

@@ -1,11 +1,12 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/registry_client"
 require "dependabot/bundler/native_helpers"
 require "dependabot/bundler/helpers"
 require "dependabot/bundler/update_checker/latest_version_finder"
-require "sorbet-runtime"
 
 module Dependabot
   module Bundler
@@ -22,20 +23,39 @@ module Dependabot
           GIT = "git"
           OTHER = "other"
 
+          sig { returns(Dependabot::Dependency) }
           attr_reader :dependency
+
+          sig { override.returns(T::Array[Dependabot::DependencyFile]) }
           attr_reader :dependency_files
+
+          sig { override.returns(T.nilable(String)) }
           attr_reader :repo_contents_path
+
+          sig { override.returns(T::Array[Dependabot::Credential]) }
           attr_reader :credentials
+
+          sig { override.returns(T::Hash[Symbol, T.untyped]) }
           attr_reader :options
 
+          sig do
+            params(
+              dependency: Dependabot::Dependency,
+              dependency_files: T::Array[Dependabot::DependencyFile],
+              credentials: T::Array[Dependabot::Credential],
+              options: T::Hash[Symbol, T.untyped]
+            ).void
+          end
           def initialize(dependency:,
                          dependency_files:,
                          credentials:,
                          options:)
             @dependency          = dependency
             @dependency_files    = dependency_files
+            @repo_contents_path  = T.let(nil, T.nilable(String))
             @credentials         = credentials
             @options             = options
+            @source_type         = T.let(nil, T.nilable(String))
           end
 
           # The latest version details for the dependency from a registry
@@ -58,6 +78,7 @@ module Dependabot
           # The latest version details for the dependency from a git repo
           #
           # @return [Hash{Symbol => String}, nil]
+          sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
           def latest_git_version_details
             return unless git?
 
@@ -73,7 +94,7 @@ module Dependabot
                   options: options,
                   args: {
                     dir: tmp_dir,
-                    gemfile_name: gemfile.name,
+                    gemfile_name: T.must(gemfile).name,
                     dependency_name: dependency.name,
                     credentials: credentials,
                     dependency_source_url: source_details[:url],
@@ -84,14 +105,16 @@ module Dependabot
             end.transform_keys(&:to_sym)
           end
 
+          sig { returns(T::Boolean) }
           def git?
             source_type == GIT
           end
 
           private
 
+          sig { returns(T::Array[Dependabot::Bundler::Version]) }
           def rubygems_versions
-            @rubygems_versions ||=
+            @rubygems_versions ||= T.let(
               begin
                 response = Dependabot::RegistryClient.get(
                   url: dependency_rubygems_uri,
@@ -100,17 +123,21 @@ module Dependabot
 
                 JSON.parse(response.body)
                     .map { |d| Dependabot::Bundler::Version.new(d["number"]) }
-              end
+              end,
+              T.nilable(T::Array[Dependabot::Bundler::Version])
+            )
           rescue JSON::ParserError, Excon::Error::Timeout
             @rubygems_versions = []
           end
 
+          sig { returns(String) }
           def dependency_rubygems_uri
             "https://rubygems.org/api/v1/versions/#{dependency.name}.json"
           end
 
+          sig { returns(T::Array[Dependabot::Bundler::Version]) }
           def private_registry_versions
-            @private_registry_versions ||=
+            @private_registry_versions ||= T.let(
               in_a_native_bundler_context do |tmp_dir|
                 NativeHelpers.run_bundler_subprocess(
                   bundler_version: bundler_version,
@@ -118,18 +145,21 @@ module Dependabot
                   options: options,
                   args: {
                     dir: tmp_dir,
-                    gemfile_name: gemfile.name,
+                    gemfile_name: T.must(gemfile).name,
                     dependency_name: dependency.name,
                     credentials: credentials
                   }
                 ).map do |version_string|
                   Dependabot::Bundler::Version.new(version_string)
                 end
-              end
+              end,
+              T.nilable(T::Array[Dependabot::Bundler::Version])
+            )
           end
 
+          sig { returns(String) }
           def source_type
-            return @source_type if defined? @source_type
+            return @source_type if @source_type
             return @source_type = RUBYGEMS unless gemfile
 
             @source_type = in_a_native_bundler_context do |tmp_dir|
@@ -139,7 +169,7 @@ module Dependabot
                 options: options,
                 args: {
                   dir: tmp_dir,
-                  gemfile_name: gemfile.name,
+                  gemfile_name: T.must(gemfile).name,
                   dependency_name: dependency.name,
                   credentials: credentials
                 }
@@ -147,18 +177,24 @@ module Dependabot
             end
           end
 
+          sig { returns(T.nilable(Dependabot::DependencyFile)) }
           def gemfile
             dependency_files.find { |f| f.name == "Gemfile" } ||
               dependency_files.find { |f| f.name == "gems.rb" }
           end
 
+          sig { returns(T.nilable(Dependabot::DependencyFile)) }
           def lockfile
             dependency_files.find { |f| f.name == "Gemfile.lock" } ||
               dependency_files.find { |f| f.name == "gems.locked" }
           end
 
+          sig { override.returns(String) }
           def bundler_version
-            @bundler_version ||= Helpers.bundler_version(lockfile)
+            @bundler_version ||= T.let(
+              Helpers.bundler_version(lockfile),
+              T.nilable(String)
+            )
           end
         end
       end

data/lib/dependabot/bundler/update_checker/latest_version_finder.rb

@@ -122,12 +122,8 @@ module Dependabot
           @wants_prerelease ||= T.let(
             begin
               current_version = dependency.numeric_version
-              if current_version&.prerelease?
-                true
-              else
-                dependency.requirements.any? do |req|
-                  req[:requirement].match?(/[a-z]/i)
-                end
+              current_version&.prerelease? || dependency.requirements.any? do |req|
+                req[:requirement].match?(/[a-z]/i)
               end
             end, T.nilable(T::Boolean)
           )