dependabot-bundler 0.333.0 → 0.334.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (14) hide show
  1. checksums.yaml +4 -4
  2. data/lib/dependabot/bundler/file_updater/git_pin_replacer.rb +27 -6
  3. data/lib/dependabot/bundler/file_updater/git_source_remover.rb +14 -2
  4. data/lib/dependabot/bundler/file_updater/lockfile_updater.rb +85 -26
  5. data/lib/dependabot/bundler/file_updater/requirement_replacer.rb +74 -10
  6. data/lib/dependabot/bundler/file_updater.rb +48 -19
  7. data/lib/dependabot/bundler/metadata_finder.rb +50 -22
  8. data/lib/dependabot/bundler/requirement.rb +3 -2
  9. data/lib/dependabot/bundler/update_checker/file_preparer.rb +69 -19
  10. data/lib/dependabot/bundler/update_checker/force_updater.rb +1 -1
  11. data/lib/dependabot/bundler/update_checker/latest_version_finder/dependency_source.rb +47 -11
  12. data/lib/dependabot/bundler/update_checker/requirements_updater.rb +77 -29
  13. data/lib/dependabot/bundler/update_checker.rb +1 -1
  14. metadata +4 -4
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ed2db4c89c832c17cf73a1183c1ca6645f8f8c141a357526eb997691227dade6
4
- data.tar.gz: 41f43a96a647a712ba845860aaecd0bcca8a5aa316c93e578c271f5f7aabd50d
3
+ metadata.gz: 37ba3de8a1d1b67ae172bb66d32d9b3fb93780d98441e41fced9bea77d40027a
4
+ data.tar.gz: 48b422ee5ebcb1e925f0cb0b84fab0aa164fd85efb94ab54e5b9152d6304c82e
5
5
  SHA512:
6
- metadata.gz: 8e1ed157de7a72eb7d78ca0cafce120e2517e1142a1f38a2fb676edd787db470da46f782f091123028c9a45c647d77f15740e4ee12fa189be9dbd1176f77aae8
7
- data.tar.gz: 99d4ccb5ccb39ed52adca7aaaeb84e34356b7efa263541fbdd7a00cbca100b818d52311c3145f2abc73da100fb8e318b05c2fa9fbc5d501c5a7a0d06ff936bad
6
+ metadata.gz: 2a702a441d11d257536810283d217a25149aaaab772c6eab11fd7caf958660af245b8b5836c2b92062b1384ac6ca0fadd7f5801c954b5b24e4eec971d41a5d1a
7
+ data.tar.gz: e2929aa03f76bb71700970e4b2cfea6f90f374a00e4f2ddcbf61ccdd2f1a7fd6fff84c0173f531a294b77552775316dba3965671036f91d78412068d8c194072
data/lib/dependabot/bundler/file_updater/git_pin_replacer.rb CHANGED
@@ -1,6 +1,7 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
4
5
  require "parser/current"
5
6
  require "dependabot/bundler/file_updater"
6
7
 
@@ -8,14 +9,21 @@ module Dependabot
8
9
  module Bundler
9
10
  class FileUpdater
10
11
  class GitPinReplacer
12
+ extend T::Sig
13
+
14
+ sig { returns(Dependabot::Dependency) }
11
15
  attr_reader :dependency
16
+
17
+ sig { returns(String) }
12
18
  attr_reader :new_pin
13
19
 
20
+ sig { params(dependency: Dependabot::Dependency, new_pin: String).void }
14
21
  def initialize(dependency:, new_pin:)
15
- @dependency = dependency
16
- @new_pin = new_pin
22
+ @dependency = T.let(dependency, Dependabot::Dependency)
23
+ @new_pin = T.let(new_pin, String)
17
24
  end
18
25
 
26
+ sig { params(content: String).returns(String) }
19
27
  def rewrite(content)
20
28
  buffer = Parser::Source::Buffer.new("(gemfile_content)")
21
29
  buffer.source = content
@@ -27,15 +35,24 @@ module Dependabot
27
35
  end
28
36
 
29
37
  class Rewriter < Parser::TreeRewriter
30
- PIN_KEYS = %i(ref tag).freeze
38
+ extend T::Sig
39
+
40
+ PIN_KEYS = T.let(%i(ref tag).freeze, T::Array[Symbol])
41
+
42
+ sig { returns(Dependabot::Dependency) }
31
43
  attr_reader :dependency
44
+
45
+ sig { returns(String) }
32
46
  attr_reader :new_pin
33
47
 
48
+ sig { params(dependency: Dependabot::Dependency, new_pin: String).void }
34
49
  def initialize(dependency:, new_pin:)
35
- @dependency = dependency
36
- @new_pin = new_pin
50
+ super()
51
+ @dependency = T.let(dependency, Dependabot::Dependency)
52
+ @new_pin = T.let(new_pin, String)
37
53
  end
38
54
 
55
+ sig { params(node: Parser::AST::Node).returns(T.untyped) }
39
56
  def on_send(node)
40
57
  return unless declares_targeted_gem?(node)
41
58
  return unless node.children.last.type == :hash
@@ -50,16 +67,19 @@ module Dependabot
50
67
 
51
68
  private
52
69
 
70
+ sig { params(node: Parser::AST::Node).returns(T::Boolean) }
53
71
  def declares_targeted_gem?(node)
54
72
  return false unless node.children[1] == :gem
55
73
 
56
74
  node.children[2].children.first == dependency.name
57
75
  end
58
76
 
77
+ sig { params(node: Parser::AST::Node).returns(Symbol) }
59
78
  def key_from_hash_pair(node)
60
79
  node.children.first.children.first.to_sym
61
80
  end
62
81
 
82
+ sig { params(hash_pair: Parser::AST::Node).void }
63
83
  def update_value(hash_pair)
64
84
  value_node = hash_pair.children.last
65
85
  open_quote_character, close_quote_character =
@@ -71,6 +91,7 @@ module Dependabot
71
91
  )
72
92
  end
73
93
 
94
+ sig { params(value_node: Parser::AST::Node).returns([String, String]) }
74
95
  def extract_quote_characters_from(value_node)
75
96
  [value_node.loc.begin.source, value_node.loc.end.source]
76
97
  end
data/lib/dependabot/bundler/file_updater/git_source_remover.rb CHANGED
@@ -1,4 +1,4 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "parser/current"
@@ -12,12 +12,15 @@ module Dependabot
12
12
  class GitSourceRemover
13
13
  extend T::Sig
14
14
 
15
+ sig { returns(Dependabot::Dependency) }
15
16
  attr_reader :dependency
16
17
 
18
+ sig { params(dependency: Dependabot::Dependency).void }
17
19
  def initialize(dependency:)
18
20
  @dependency = dependency
19
21
  end
20
22
 
23
+ sig { params(content: String).returns(String) }
21
24
  def rewrite(content)
22
25
  buffer = Parser::Source::Buffer.new("(gemfile_content)")
23
26
  buffer.source = content
@@ -27,18 +30,23 @@ module Dependabot
27
30
  end
28
31
 
29
32
  class Rewriter < Parser::TreeRewriter
33
+ extend T::Sig
34
+
30
35
  # TODO: Hack until Bundler 1.16.0 is available on Heroku
31
36
  GOOD_KEYS = %i(
32
37
  group groups path glob name require platform platforms type
33
38
  source install_if
34
39
  ).freeze
35
40
 
41
+ sig { returns(Dependabot::Dependency) }
36
42
  attr_reader :dependency
37
43
 
44
+ sig { params(dependency: Dependabot::Dependency).void }
38
45
  def initialize(dependency:)
39
- @dependency = dependency
46
+ @dependency = T.let(dependency, Dependabot::Dependency)
40
47
  end
41
48
 
49
+ sig { params(node: Parser::AST::Node).void }
42
50
  def on_send(node)
43
51
  return unless declares_targeted_gem?(node)
44
52
  return unless node.children.last.type == :hash
@@ -57,16 +65,19 @@ module Dependabot
57
65
 
58
66
  private
59
67
 
68
+ sig { params(node: Parser::AST::Node).returns(T::Boolean) }
60
69
  def declares_targeted_gem?(node)
61
70
  return false unless node.children[1] == :gem
62
71
 
63
72
  node.children[2].children.first == dependency.name
64
73
  end
65
74
 
75
+ sig { params(node: Parser::AST::Node).returns(Symbol) }
66
76
  def key_from_hash_pair(node)
67
77
  node.children.first.children.first.to_sym
68
78
  end
69
79
 
80
+ sig { params(node: Parser::AST::Node).void }
70
81
  def remove_all_kwargs(node)
71
82
  kwargs_node = node.children.last
72
83
 
@@ -76,6 +87,7 @@ module Dependabot
76
87
  remove(range_to_remove)
77
88
  end
78
89
 
90
+ sig { params(kwargs_node: Parser::AST::Node).void }
79
91
  def remove_git_related_kwargs(kwargs_node)
80
92
  good_key_index = T.let(nil, T.nilable(Integer))
81
93
  hash_pairs = kwargs_node.children
data/lib/dependabot/bundler/file_updater/lockfile_updater.rb CHANGED
@@ -1,7 +1,8 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "bundler"
5
+ require "sorbet-runtime"
5
6
 
6
7
  require "dependabot/shared_helpers"
7
8
  require "dependabot/errors"
@@ -14,6 +15,8 @@ module Dependabot
14
15
  module Bundler
15
16
  class FileUpdater
16
17
  class LockfileUpdater
18
+ extend T::Sig
19
+
17
20
  require_relative "gemfile_updater"
18
21
  require_relative "gemspec_updater"
19
22
  require_relative "gemspec_sanitizer"
@@ -24,8 +27,32 @@ module Dependabot
24
27
  GIT_DEPENDENCIES_SECTION = /GIT\n.*?\n\n(?!GIT)/m
25
28
  GIT_DEPENDENCY_DETAILS = /GIT\n.*?\n\n/m
26
29
 
30
+ sig do
31
+ params(
32
+ dependencies: T::Array[Dependabot::Dependency],
33
+ dependency_files: T::Array[Dependabot::DependencyFile],
34
+ credentials: T::Array[Dependabot::Credential],
35
+ options: T::Hash[Symbol, T.untyped],
36
+ repo_contents_path: T.nilable(String)
37
+ ).void
38
+ end
39
+ def initialize(dependencies:, dependency_files:, credentials:, options:,
40
+ repo_contents_path: nil)
41
+ @dependencies = T.let(dependencies, T::Array[Dependabot::Dependency])
42
+ @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
43
+ @repo_contents_path = T.let(repo_contents_path, T.nilable(String))
44
+ @credentials = T.let(credentials, T::Array[Dependabot::Credential])
45
+ @options = T.let(options, T::Hash[Symbol, T.untyped])
46
+ @updated_lockfile_content = T.let(nil, T.nilable(String))
47
+ @gemfile = T.let(nil, T.nilable(Dependabot::DependencyFile))
48
+ @lockfile = T.let(nil, T.nilable(Dependabot::DependencyFile))
49
+ @evaled_gemfiles = T.let(nil, T.nilable(T::Array[Dependabot::DependencyFile]))
50
+ @bundler_version = T.let(nil, T.nilable(String))
51
+ end
52
+
27
53
  # Can't be a constant because some of these don't exist in bundler
28
54
  # 1.15, which Heroku uses, which causes an exception on boot.
55
+ sig { returns(T::Array[T.class_of(::Bundler::Source::Path)]) }
29
56
  def gemspec_sources
30
57
  [
31
58
  ::Bundler::Source::Path,
@@ -33,21 +60,13 @@ module Dependabot
33
60
  ]
34
61
  end
35
62
 
36
- def initialize(dependencies:, dependency_files:,
37
- repo_contents_path: nil, credentials:, options:)
38
- @dependencies = dependencies
39
- @dependency_files = dependency_files
40
- @repo_contents_path = repo_contents_path
41
- @credentials = credentials
42
- @options = options
43
- end
44
-
63
+ sig { returns(String) }
45
64
  def updated_lockfile_content
46
65
  @updated_lockfile_content ||=
47
66
  begin
48
67
  updated_content = build_updated_lockfile
49
68
 
50
- raise "Expected content to change!" if lockfile.content == updated_content
69
+ raise "Expected content to change!" if T.must(lockfile).content == updated_content
51
70
 
52
71
  updated_content
53
72
  end
@@ -55,14 +74,24 @@ module Dependabot
55
74
 
56
75
  private
57
76
 
77
+ sig { returns(T::Array[Dependabot::Dependency]) }
58
78
  attr_reader :dependencies
79
+
80
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
59
81
  attr_reader :dependency_files
82
+
83
+ sig { returns(T.nilable(String)) }
60
84
  attr_reader :repo_contents_path
85
+
86
+ sig { returns(T::Array[Dependabot::Credential]) }
61
87
  attr_reader :credentials
88
+
89
+ sig { returns(T::Hash[Symbol, T.untyped]) }
62
90
  attr_reader :options
63
91
 
92
+ sig { returns(String) }
64
93
  def build_updated_lockfile
65
- base_dir = dependency_files.first.directory
94
+ base_dir = T.must(dependency_files.first).directory
66
95
  lockfile_body =
67
96
  SharedHelpers.in_a_temporary_repo_directory(
68
97
  base_dir,
@@ -75,8 +104,8 @@ module Dependabot
75
104
  function: "update_lockfile",
76
105
  options: options,
77
106
  args: {
78
- gemfile_name: gemfile.name,
79
- lockfile_name: lockfile.name,
107
+ gemfile_name: T.must(gemfile).name,
108
+ lockfile_name: T.must(lockfile).name,
80
109
  dir: tmp_dir,
81
110
  credentials: credentials,
82
111
  dependencies: dependencies.map(&:to_h)
@@ -90,9 +119,10 @@ module Dependabot
90
119
  raise
91
120
  end
92
121
 
122
+ sig { void }
93
123
  def write_temporary_dependency_files
94
- File.write(gemfile.name, prepared_gemfile_content(gemfile))
95
- File.write(lockfile.name, sanitized_lockfile_body)
124
+ File.write(T.must(gemfile).name, prepared_gemfile_content(T.must(gemfile)))
125
+ File.write(T.must(lockfile).name, sanitized_lockfile_body)
96
126
 
97
127
  write_gemspecs(top_level_gemspecs)
98
128
  write_ruby_version_file
@@ -108,22 +138,25 @@ module Dependabot
108
138
  end
109
139
  end
110
140
 
141
+ sig { void }
111
142
  def write_ruby_version_file
112
143
  return unless ruby_version_file
113
144
 
114
- path = ruby_version_file.name
145
+ path = T.must(ruby_version_file).name
115
146
  FileUtils.mkdir_p(Pathname.new(path).dirname)
116
- File.write(path, ruby_version_file.content)
147
+ File.write(path, T.must(ruby_version_file).content)
117
148
  end
118
149
 
150
+ sig { void }
119
151
  def write_tool_versions_file
120
152
  return unless tool_versions_file
121
153
 
122
- path = tool_versions_file.name
154
+ path = T.must(tool_versions_file).name
123
155
  FileUtils.mkdir_p(Pathname.new(path).dirname)
124
- File.write(path, tool_versions_file.content)
156
+ File.write(path, T.must(tool_versions_file).content)
125
157
  end
126
158
 
159
+ sig { params(files: T::Array[Dependabot::DependencyFile]).void }
127
160
  def write_gemspecs(files)
128
161
  files.each do |file|
129
162
  path = file.name
@@ -133,6 +166,7 @@ module Dependabot
133
166
  end
134
167
  end
135
168
 
169
+ sig { void }
136
170
  def write_specification_files
137
171
  specification_files.each do |file|
138
172
  path = file.name
@@ -141,6 +175,7 @@ module Dependabot
141
175
  end
142
176
  end
143
177
 
178
+ sig { void }
144
179
  def write_imported_ruby_files
145
180
  imported_ruby_files.each do |file|
146
181
  path = file.name
@@ -149,38 +184,46 @@ module Dependabot
149
184
  end
150
185
  end
151
186
 
187
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
152
188
  def path_gemspecs
153
189
  all = dependency_files.select { |f| f.name.end_with?(".gemspec") }
154
190
  all - top_level_gemspecs
155
191
  end
156
192
 
193
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
157
194
  def imported_ruby_files
158
195
  dependency_files
159
196
  .select { |f| f.name.end_with?(".rb") }
160
197
  .reject { |f| f.name == "gems.rb" }
161
198
  end
162
199
 
200
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
163
201
  def top_level_gemspecs
164
202
  dependency_files
165
203
  .select { |file| file.name.end_with?(".gemspec") && Pathname.new(file.name).dirname.to_s == "." }
166
204
  end
167
205
 
206
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
168
207
  def ruby_version_file
169
208
  dependency_files.find { |f| f.name == ".ruby-version" }
170
209
  end
171
210
 
211
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
172
212
  def tool_versions_file
173
213
  dependency_files.find { |f| f.name == ".tool-versions" }
174
214
  end
175
215
 
216
+ sig { params(lockfile_body: String).returns(String) }
176
217
  def post_process_lockfile(lockfile_body)
177
218
  lockfile_body = reorder_git_dependencies(lockfile_body)
178
219
  replace_lockfile_ending(lockfile_body)
179
220
  end
180
221
 
222
+ sig { params(lockfile_body: String).returns(String) }
181
223
  def reorder_git_dependencies(lockfile_body)
182
224
  new_section = lockfile_body.match(GIT_DEPENDENCIES_SECTION)&.to_s
183
- old_section = lockfile.content.match(GIT_DEPENDENCIES_SECTION)&.to_s
225
+ lockfile_content = T.must(lockfile).content
226
+ old_section = lockfile_content&.match(GIT_DEPENDENCIES_SECTION)&.to_s
184
227
 
185
228
  return lockfile_body unless new_section && old_section
186
229
 
@@ -190,8 +233,10 @@ module Dependabot
190
233
  return lockfile_body unless new_deps.count == old_deps.count
191
234
 
192
235
  reordered_new_section = new_deps.sort_by do |new_dep_details|
193
- remote = new_dep_details.match(/remote: (?<remote>.*\n)/)[:remote]
194
- i = old_deps.index { |details| details.include?(remote) }
236
+ dep_string = T.cast(new_dep_details, String)
237
+ match_result = dep_string.match(/remote: (?<remote>.*\n)/)
238
+ remote = match_result ? match_result[:remote] : ""
239
+ i = old_deps.index { |details| details.include?(T.must(remote)) }
195
240
 
196
241
  # If this dependency isn't in the old lockfile then we can't rely
197
242
  # on that (presumably outdated) lockfile to do reordering.
@@ -205,15 +250,18 @@ module Dependabot
205
250
  lockfile_body.gsub(new_section, reordered_new_section)
206
251
  end
207
252
 
253
+ sig { params(lockfile_body: String).returns(String) }
208
254
  def replace_lockfile_ending(lockfile_body)
209
255
  # Re-add the old `BUNDLED WITH` version (and remove the RUBY VERSION
210
256
  # if it wasn't previously present in the lockfile)
257
+ lockfile_content = T.must(lockfile).content
211
258
  lockfile_body.gsub(
212
259
  LOCKFILE_ENDING,
213
- lockfile.content.match(LOCKFILE_ENDING)&.[](:ending) || "\n"
260
+ lockfile_content&.match(LOCKFILE_ENDING)&.[](:ending) || "\n"
214
261
  )
215
262
  end
216
263
 
264
+ sig { params(path: String, gemspec_content: String).returns(String) }
217
265
  def sanitized_gemspec_content(path, gemspec_content)
218
266
  new_version = replacement_version_for_gemspec(path, gemspec_content)
219
267
 
@@ -222,6 +270,7 @@ module Dependabot
222
270
  .rewrite(gemspec_content)
223
271
  end
224
272
 
273
+ sig { params(path: String, gemspec_content: String).returns(String) }
225
274
  def replacement_version_for_gemspec(path, gemspec_content)
226
275
  return "0.0.1" unless lockfile
227
276
 
@@ -233,9 +282,10 @@ module Dependabot
233
282
  CachedLockfileParser.parse(sanitized_lockfile_body).specs
234
283
  .select { |s| s.name == gem_name && gemspec_sources.include?(s.source.class) }
235
284
 
236
- gemspec_specs.first&.version || "0.0.1"
285
+ gemspec_specs.first&.version&.to_s || "0.0.1"
237
286
  end
238
287
 
288
+ sig { params(file: Dependabot::DependencyFile).returns(String) }
239
289
  def prepared_gemfile_content(file)
240
290
  content = updated_gemfile_content(file)
241
291
 
@@ -246,6 +296,7 @@ module Dependabot
246
296
  content
247
297
  end
248
298
 
299
+ sig { params(file: Dependabot::DependencyFile).returns(String) }
249
300
  def updated_gemfile_content(file)
250
301
  GemfileUpdater.new(
251
302
  dependencies: dependencies,
@@ -253,6 +304,7 @@ module Dependabot
253
304
  ).updated_gemfile_content
254
305
  end
255
306
 
307
+ sig { params(gemspec: Dependabot::DependencyFile).returns(String) }
256
308
  def updated_gemspec_content(gemspec)
257
309
  GemspecUpdater.new(
258
310
  dependencies: dependencies,
@@ -260,11 +312,13 @@ module Dependabot
260
312
  ).updated_gemspec_content
261
313
  end
262
314
 
315
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
263
316
  def gemfile
264
317
  @gemfile ||= dependency_files.find { |f| f.name == "Gemfile" } ||
265
318
  dependency_files.find { |f| f.name == "gems.rb" }
266
319
  end
267
320
 
321
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
268
322
  def lockfile
269
323
  @lockfile ||=
270
324
  dependency_files.find { |f| f.name == "Gemfile.lock" } ||
@@ -272,10 +326,13 @@ module Dependabot
272
326
  end
273
327
 
274
328
  # TODO: Stop sanitizing the lockfile once we have bundler 2 installed
329
+ sig { returns(String) }
275
330
  def sanitized_lockfile_body
276
- lockfile.content.gsub(LOCKFILE_ENDING, "")
331
+ content = T.must(lockfile).content
332
+ T.must(content).gsub(LOCKFILE_ENDING, "")
277
333
  end
278
334
 
335
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
279
336
  def evaled_gemfiles
280
337
  @evaled_gemfiles ||=
281
338
  dependency_files
@@ -288,10 +345,12 @@ module Dependabot
288
345
  .reject(&:support_file?)
289
346
  end
290
347
 
348
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
291
349
  def specification_files
292
350
  dependency_files.select { |f| f.name.end_with?(".specification") }
293
351
  end
294
352
 
353
+ sig { returns(String) }
295
354
  def bundler_version
296
355
  @bundler_version ||= Helpers.bundler_version(lockfile)
297
356
  end