dependabot-bundler 0.333.0 → 0.334.0

data/lib/dependabot/bundler/file_updater/requirement_replacer.rb

@@ -1,18 +1,38 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "parser/current"
+require "sorbet-runtime"
+
 require "dependabot/bundler/file_updater"
 
 module Dependabot
   module Bundler
     class FileUpdater
       class RequirementReplacer
+        extend T::Sig
+
+        sig { returns(Dependabot::Dependency) }
         attr_reader :dependency
+
+        sig { returns(Symbol) }
         attr_reader :file_type
+
+        sig { returns(String) }
         attr_reader :updated_requirement
+
+        sig { returns(T.nilable(String)) }
         attr_reader :previous_requirement
 
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            file_type: Symbol,
+            updated_requirement: String,
+            previous_requirement: T.nilable(String),
+            insert_if_bare: T::Boolean
+          ).void
+        end
         def initialize(dependency:, file_type:, updated_requirement:,
                        previous_requirement: nil, insert_if_bare: false)
           @dependency           = dependency
@@ -22,7 +42,10 @@ module Dependabot
           @insert_if_bare       = insert_if_bare
         end
 
+        sig { params(content: T.nilable(String)).returns(String) }
         def rewrite(content)
+          return "" unless content
+
           buffer = Parser::Source::Buffer.new("(gemfile_content)")
           buffer.source = content
           ast = Parser::CurrentRuby.new.parse(buffer)
@@ -39,10 +62,12 @@ module Dependabot
 
         private
 
+        sig { returns(T::Boolean) }
         def insert_if_bare?
           @insert_if_bare
         end
 
+        sig { params(content: String, updated_content: String).returns(String) }
         def update_comment_spacing_if_required(content, updated_content)
           return updated_content unless previous_requirement
 
@@ -53,43 +78,62 @@ module Dependabot
           updated_line_index =
             updated_lines.length
                          .times.find { |i| content.lines[i] != updated_content.lines[i] }
-          updated_line = updated_lines[updated_line_index]
+          return updated_content unless updated_line_index
+
+          updated_line = T.must(updated_lines[updated_line_index])
 
           updated_line =
             if length_change.positive?
               updated_line.sub(/(?<=\s)\s{#{length_change}}#/, "#")
             elsif length_change.negative?
               updated_line.sub(/(?<=\s{2})#/, (" " * length_change.abs) + "#")
+            else
+              updated_line
             end
 
           updated_lines[updated_line_index] = updated_line
           updated_lines.join
         end
 
+        sig { returns(Integer) }
         def length_change
-          return updated_requirement.length - previous_requirement.length unless previous_requirement.start_with?("=")
+          return 0 unless previous_requirement
+
+          prev_req = T.must(previous_requirement)
+          return updated_requirement.length - prev_req.length unless prev_req.start_with?("=")
 
           updated_requirement.length -
-            previous_requirement.gsub(/^=/, "").strip.length
+            prev_req.gsub(/^=/, "").strip.length
         end
 
         class Rewriter < Parser::TreeRewriter
+          extend T::Sig
+
           # TODO: Ideally we wouldn't have to ignore all of these, but
           # implementing each one will be tricky.
-          SKIPPED_TYPES = %i(send lvar dstr begin if case splat const or).freeze
-
+          SKIPPED_TYPES = T.let(%i(send lvar dstr begin if case splat const or).freeze, T::Array[Symbol])
+
+          sig do
+            params(
+              dependency: Dependabot::Dependency,
+              file_type: Symbol,
+              updated_requirement: String,
+              insert_if_bare: T::Boolean
+            ).void
+          end
           def initialize(dependency:, file_type:, updated_requirement:,
                          insert_if_bare:)
-            @dependency          = dependency
-            @file_type           = file_type
-            @updated_requirement = updated_requirement
-            @insert_if_bare      = insert_if_bare
+            @dependency = T.let(dependency, Dependabot::Dependency)
+            @file_type = T.let(file_type, Symbol)
+            @updated_requirement = T.let(updated_requirement, String)
+            @insert_if_bare = T.let(insert_if_bare, T::Boolean)
 
             return if %i(gemfile gemspec).include?(file_type)
 
             raise "File type must be :gemfile or :gemspec. Got #{file_type}."
           end
 
+          sig { params(node: T.untyped).void }
           def on_send(node)
             return unless declares_targeted_gem?(node)
 
@@ -117,14 +161,21 @@ module Dependabot
 
           private
 
+          sig { returns(Dependabot::Dependency) }
           attr_reader :dependency
+
+          sig { returns(Symbol) }
           attr_reader :file_type
+
+          sig { returns(String) }
           attr_reader :updated_requirement
 
+          sig { returns(T::Boolean) }
           def insert_if_bare?
             @insert_if_bare
           end
 
+          sig { returns(T::Array[Symbol]) }
           def declaration_methods
             return %i(gem) if file_type == :gemfile
 
@@ -132,12 +183,14 @@ module Dependabot
                add_development_dependency)
           end
 
+          sig { params(node: T.untyped).returns(T::Boolean) }
           def declares_targeted_gem?(node)
             return false unless declaration_methods.include?(node.children[1])
 
             node.children[2].children.first == dependency.name
           end
 
+          sig { params(requirement_nodes: T::Array[T.untyped]).returns([String, String]) }
           def extract_quote_characters_from(requirement_nodes)
             return ['"', '"'] if requirement_nodes.none?
 
@@ -155,6 +208,7 @@ module Dependabot
             end
           end
 
+          sig { params(requirement_nodes: T::Array[T.untyped]).returns(T::Boolean) }
           def space_after_specifier?(requirement_nodes)
             return true if requirement_nodes.none?
 
@@ -174,6 +228,7 @@ module Dependabot
 
           EQUALITY_OPERATOR = /(?<![<>!])=/
 
+          sig { params(requirement_nodes: T::Array[T.untyped]).returns(T::Boolean) }
           def use_equality_operator?(requirement_nodes)
             return true if requirement_nodes.none?
 
@@ -188,6 +243,13 @@ module Dependabot
             req_string.match?(EQUALITY_OPERATOR)
           end
 
+          sig do
+            params(
+              quote_characters: [String, String],
+              space_after_specifier: T::Boolean,
+              use_equality_operator: T::Boolean
+            ).returns(String)
+          end
           def new_requirement_string(quote_characters:,
                                      space_after_specifier:,
                                      use_equality_operator:)
@@ -204,6 +266,7 @@ module Dependabot
             new_requirement_string
           end
 
+          sig { params(req: String, use_equality_operator: T::Boolean).returns(String) }
           def serialized_req(req, use_equality_operator)
             tmp_req = req
 
@@ -215,6 +278,7 @@ module Dependabot
             tmp_req.strip
           end
 
+          sig { params(nodes: T::Array[T.untyped]).returns(T.untyped) }
           def range_for(nodes)
             nodes.first.loc.begin.begin.join(nodes.last.loc.expression)
           end

data/lib/dependabot/bundler/file_updater.rb

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/bundler/native_helpers"
@@ -10,10 +12,13 @@ require "dependabot/file_updaters/vendor_updater"
 module Dependabot
   module Bundler
     class FileUpdater < Dependabot::FileUpdaters::Base
+      extend T::Sig
+
       require_relative "file_updater/gemfile_updater"
       require_relative "file_updater/gemspec_updater"
       require_relative "file_updater/lockfile_updater"
 
+      sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
         [
           # Matches Gemfile, Gemfile.lock, gems.rb, gems.locked, .gemspec files, and anything in vendor directory
@@ -25,20 +30,21 @@ module Dependabot
 
       # rubocop:disable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/AbcSize
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def updated_dependency_files
         updated_files = T.let([], T::Array[Dependabot::DependencyFile])
 
-        if gemfile && file_changed?(gemfile)
+        if gemfile && file_changed?(T.must(gemfile))
           updated_files <<
             updated_file(
-              file: gemfile,
-              content: updated_gemfile_content(gemfile)
+              file: T.must(gemfile),
+              content: updated_gemfile_content(T.must(gemfile))
             )
         end
 
         if lockfile && dependencies.any?(&:appears_in_lockfile?)
           updated_files <<
-            updated_file(file: lockfile, content: updated_lockfile_content)
+            updated_file(file: T.must(lockfile), content: updated_lockfile_content)
         end
 
         top_level_gemspecs.each do |file|
@@ -59,7 +65,7 @@ module Dependabot
 
         base_dir = T.must(updated_files.first).directory
         vendor_updater
-          .updated_vendor_cache_files(base_directory: base_dir)
+          .updated_files(base_directory: base_dir)
           .each do |file|
           updated_files << file
         end
@@ -72,10 +78,9 @@ module Dependabot
       private
 
       # Dynamically fetch the vendor cache folder from bundler
+      sig { returns(T.nilable(String)) }
       def vendor_cache_dir
-        return @vendor_cache_dir if defined?(@vendor_cache_dir)
-
-        @vendor_cache_dir =
+        @vendor_cache_dir = T.let(
           NativeHelpers.run_bundler_subprocess(
             bundler_version: bundler_version,
             function: "vendor_cache_dir",
@@ -83,9 +88,12 @@ module Dependabot
             args: {
               dir: repo_contents_path
             }
-          )
+          ),
+          T.nilable(String)
+        )
       end
 
+      sig { returns(Dependabot::FileUpdaters::VendorUpdater) }
       def vendor_updater
         Dependabot::FileUpdaters::VendorUpdater.new(
           repo_contents_path: repo_contents_path,
@@ -93,6 +101,7 @@ module Dependabot
         )
       end
 
+      sig { override.void }
       def check_required_files
         file_names = dependency_files.map(&:name)
 
@@ -104,24 +113,32 @@ module Dependabot
         raise "A gemspec or Gemfile must be provided!"
       end
 
+      sig { params(updated_files: T::Array[Dependabot::DependencyFile]).void }
       def check_updated_files(updated_files)
         return if updated_files.reject { |f| dependency_files.include?(f) }.any?
 
         raise "No files have changed!"
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def gemfile
-        @gemfile ||= get_original_file("Gemfile") ||
-                     get_original_file("gems.rb")
+        @gemfile ||= T.let(
+          get_original_file("Gemfile") || get_original_file("gems.rb"),
+          T.nilable(Dependabot::DependencyFile)
+        )
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def lockfile
-        @lockfile ||= get_original_file("Gemfile.lock") ||
-                      get_original_file("gems.locked")
+        @lockfile ||= T.let(
+          get_original_file("Gemfile.lock") || get_original_file("gems.locked"),
+          T.nilable(Dependabot::DependencyFile)
+        )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def evaled_gemfiles
-        @evaled_gemfiles ||=
+        @evaled_gemfiles ||= T.let(
           dependency_files
           .reject { |f| f.name.end_with?(".gemspec") }
           .reject { |f| f.name.end_with?(".specification") }
@@ -129,9 +146,12 @@ module Dependabot
           .reject { |f| f.name == "Gemfile" }
           .reject { |f| f.name == "gems.rb" }
           .reject { |f| f.name == "gems.locked" }
-          .reject(&:support_file?)
+          .reject(&:support_file?),
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
       end
 
+      sig { params(file: Dependabot::DependencyFile).returns(String) }
       def updated_gemfile_content(file)
         GemfileUpdater.new(
           dependencies: dependencies,
@@ -139,6 +159,7 @@ module Dependabot
         ).updated_gemfile_content
       end
 
+      sig { params(gemspec: Dependabot::DependencyFile).returns(String) }
       def updated_gemspec_content(gemspec)
         GemspecUpdater.new(
           dependencies: dependencies,
@@ -146,24 +167,32 @@ module Dependabot
         ).updated_gemspec_content
       end
 
+      sig { returns(String) }
       def updated_lockfile_content
-        @updated_lockfile_content ||=
+        @updated_lockfile_content ||= T.let(
           LockfileUpdater.new(
             dependencies: dependencies,
             dependency_files: dependency_files,
             repo_contents_path: repo_contents_path,
             credentials: credentials,
             options: options
-          ).updated_lockfile_content
+          ).updated_lockfile_content,
+          T.nilable(String)
+        )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def top_level_gemspecs
         dependency_files
           .select { |file| file.name.end_with?(".gemspec") }
       end
 
+      sig { returns(String) }
       def bundler_version
-        @bundler_version ||= Helpers.bundler_version(lockfile)
+        @bundler_version ||= T.let(
+          Helpers.bundler_version(lockfile),
+          T.nilable(String)
+        )
       end
     end
   end

data/lib/dependabot/bundler/metadata_finder.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "excon"
@@ -9,7 +9,9 @@ require "dependabot/registry_client"
 module Dependabot
   module Bundler
     class MetadataFinder < Dependabot::MetadataFinders::Base
-      SOURCE_KEYS = %w(
+      extend T::Sig
+
+      SOURCE_KEYS = T.let(%w(
         source_code_uri
         homepage_uri
         wiki_uri
@@ -18,8 +20,22 @@ module Dependabot
         changelog_uri
         mailing_list_uri
         download_uri
-      ).freeze
+      ).freeze, T::Array[String])
+
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          credentials: T::Array[Dependabot::Credential]
+        ).void
+      end
+      def initialize(dependency:, credentials:)
+        super
+        @rubygems_marshalled_gemspec_response = T.let(nil, T.nilable(String))
+        @rubygems_api_response = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
+        @base_url = T.let(nil, T.nilable(String))
+      end
 
+      sig { override.returns(T.nilable(String)) }
       def homepage_url
         return super unless %w(default rubygems).include?(new_source_type)
         return super unless rubygems_api_response["homepage_uri"]
@@ -29,6 +45,7 @@ module Dependabot
 
       private
 
+      sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
         case new_source_type
         when "git" then find_source_from_git_url
@@ -37,6 +54,7 @@ module Dependabot
         end
       end
 
+      sig { override.returns(T.nilable(String)) }
       def suggested_changelog_url
         case new_source_type
         when "default"
@@ -50,10 +68,12 @@ module Dependabot
         end
       end
 
+      sig { returns(String) }
       def new_source_type
-        dependency.source_type
+        T.must(dependency.source_type)
       end
 
+      sig { returns(T.nilable(Dependabot::Source)) }
       def find_source_from_rubygems
         api_source = find_source_from_rubygems_api_response
         return api_source if api_source || new_source_type == "default"
@@ -61,15 +81,16 @@ module Dependabot
         find_source_from_gemspec_download
       end
 
+      sig { returns(T.nilable(Dependabot::Source)) }
       def find_source_from_rubygems_api_response
-        source_url = rubygems_api_response
-                     .values_at(*SOURCE_KEYS)
-                     .compact
-                     .find { |url| Source.from_url(url) }
+        api_response = rubygems_api_response
+        source_url = SOURCE_KEYS.filter_map { |key| api_response[key] }
+                                .find { |url| Source.from_url(url) }
 
         Source.from_url(source_url)
       end
 
+      sig { returns(T.nilable(Dependabot::Source)) }
       def find_source_from_git_url
         info = dependency.requirements.filter_map { |r| r[:source] }.first
 
@@ -77,12 +98,13 @@ module Dependabot
         Source.from_url(url)
       end
 
+      sig { returns(T.nilable(Dependabot::Source)) }
       def find_source_from_gemspec_download
         github_urls = []
         return unless rubygems_marshalled_gemspec_response
 
-        rubygems_marshalled_gemspec_response.gsub("\x06;", "\n")
-                                            .scan(Source::SOURCE_REGEX) do
+        T.must(rubygems_marshalled_gemspec_response).gsub("\x06;", "\n")
+         .scan(Source::SOURCE_REGEX) do
           github_urls << Regexp.last_match.to_s
         end
 
@@ -95,12 +117,13 @@ module Dependabot
         Source.from_url(source_url)
       end
 
+      sig { returns(T.nilable(String)) }
       def changelog_url_from_gemspec_download
         github_urls = []
         return unless rubygems_marshalled_gemspec_response
 
-        rubygems_marshalled_gemspec_response.gsub("\x06;", "\n")
-                                            .scan(Dependabot::Source::SOURCE_REGEX) do
+        T.must(rubygems_marshalled_gemspec_response).gsub("\x06;", "\n")
+         .scan(Dependabot::Source::SOURCE_REGEX) do
           github_urls << (Regexp.last_match.to_s +
                          T.must(T.must(Regexp.last_match).post_match.split("\n").first))
         end
@@ -115,8 +138,9 @@ module Dependabot
 
       # NOTE: This response MUST NOT be unmarshalled
       # (as calling Marshal.load is unsafe)
+      sig { returns(T.nilable(String)) }
       def rubygems_marshalled_gemspec_response
-        return @rubygems_marshalled_gemspec_response if defined?(@rubygems_marshalled_gemspec_response)
+        return @rubygems_marshalled_gemspec_response if @rubygems_marshalled_gemspec_response
 
         gemspec_uri =
           "#{registry_url}quick/Marshal.4.8/" \
@@ -136,8 +160,9 @@ module Dependabot
         @rubygems_marshalled_gemspec_response = nil
       end
 
+      sig { returns(T::Hash[String, T.untyped]) }
       def rubygems_api_response
-        return @rubygems_api_response if defined?(@rubygems_api_response)
+        return @rubygems_api_response if @rubygems_api_response
 
         response =
           Dependabot::RegistryClient.get(
@@ -155,16 +180,18 @@ module Dependabot
         @rubygems_api_response = {}
       end
 
+      sig { params(listing: T::Hash[String, T.untyped]).returns(T::Hash[String, T.untyped]) }
       def append_slash_to_source_code_uri(listing)
         # We have to do this so that `Source.from_url(...)` doesn't prune the
         # last line off of the directory.
-        return listing unless listing&.fetch("source_code_uri", nil)
-        return listing if listing.fetch("source_code_uri").end_with?("/")
+        return listing unless listing.fetch("source_code_uri", nil)
+        return listing if T.cast(listing.fetch("source_code_uri"), String).end_with?("/")
 
-        listing["source_code_uri"] = listing["source_code_uri"] + "/"
+        listing["source_code_uri"] = T.cast(listing["source_code_uri"], String) + "/"
         listing
       end
 
+      sig { params(response_body: String).returns(String) }
       def augment_private_response_if_appropriate(response_body)
         return response_body if new_source_type == "default"
 
@@ -173,10 +200,8 @@ module Dependabot
 
         digest = parsed_body.values_at("version", "authors", "info").hash
 
-        source_url = parsed_body
-                     .values_at(*SOURCE_KEYS)
-                     .compact
-                     .find { |url| Source.from_url(url) }
+        source_url = SOURCE_KEYS.filter_map { |key| parsed_body[key] }
+                                .find { |url| Source.from_url(url) }
         return response_body if source_url
 
         rubygems_response =
@@ -190,6 +215,7 @@ module Dependabot
         response_body
       end
 
+      sig { returns(String) }
       def registry_url
         return base_url if new_source_type == "default"
 
@@ -197,8 +223,9 @@ module Dependabot
         info[:url] || info.fetch("url")
       end
 
+      sig { returns(String) }
       def base_url
-        return @base_url if defined?(@base_url)
+        return @base_url if @base_url
 
         credential = credentials.find do |cred|
           cred["type"] == "rubygems_server" && cred.replaces_base?
@@ -207,6 +234,7 @@ module Dependabot
         @base_url = "https://#{host}#{'/' unless host&.end_with?('/')}"
       end
 
+      sig { returns(T::Hash[String, String]) }
       def registry_auth_headers
         return {} unless new_source_type == "rubygems"
 

data/lib/dependabot/bundler/requirement.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "sorbet-runtime"
@@ -26,9 +26,10 @@ module Dependabot
 
       # Patches Gem::Requirement to make it accept requirement strings like
       # "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
+      sig { params(requirements: T.nilable(T.any(String, T::Array[String]))).void }
       def initialize(*requirements)
         requirements = requirements.flatten.flat_map do |req_string|
-          req_string.split(",").map(&:strip)
+          T.must(req_string).split(",").map(&:strip)
         end
 
         super(requirements)