dependabot-bundler 0.333.0 → 0.335.0

data/lib/dependabot/bundler/file_updater/lockfile_updater.rb

@@ -1,7 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "bundler"
+require "sorbet-runtime"
 
 require "dependabot/shared_helpers"
 require "dependabot/errors"
@@ -14,6 +15,8 @@ module Dependabot
   module Bundler
     class FileUpdater
       class LockfileUpdater
+        extend T::Sig
+
         require_relative "gemfile_updater"
         require_relative "gemspec_updater"
         require_relative "gemspec_sanitizer"
@@ -24,8 +27,37 @@ module Dependabot
         GIT_DEPENDENCIES_SECTION = /GIT\n.*?\n\n(?!GIT)/m
         GIT_DEPENDENCY_DETAILS = /GIT\n.*?\n\n/m
 
+        sig do
+          params(
+            dependencies: T::Array[Dependabot::Dependency],
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            options: T::Hash[Symbol, T.untyped],
+            repo_contents_path: T.nilable(String)
+          ).void
+        end
+        def initialize(
+          dependencies:,
+          dependency_files:,
+          credentials:,
+          options:,
+          repo_contents_path: nil
+        )
+          @dependencies = T.let(dependencies, T::Array[Dependabot::Dependency])
+          @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
+          @repo_contents_path = T.let(repo_contents_path, T.nilable(String))
+          @credentials = T.let(credentials, T::Array[Dependabot::Credential])
+          @options = T.let(options, T::Hash[Symbol, T.untyped])
+          @updated_lockfile_content = T.let(nil, T.nilable(String))
+          @gemfile = T.let(nil, T.nilable(Dependabot::DependencyFile))
+          @lockfile = T.let(nil, T.nilable(Dependabot::DependencyFile))
+          @evaled_gemfiles = T.let(nil, T.nilable(T::Array[Dependabot::DependencyFile]))
+          @bundler_version = T.let(nil, T.nilable(String))
+        end
+
         # Can't be a constant because some of these don't exist in bundler
         # 1.15, which Heroku uses, which causes an exception on boot.
+        sig { returns(T::Array[T.class_of(::Bundler::Source::Path)]) }
         def gemspec_sources
           [
             ::Bundler::Source::Path,
@@ -33,21 +65,13 @@ module Dependabot
           ]
         end
 
-        def initialize(dependencies:, dependency_files:,
-                       repo_contents_path: nil, credentials:, options:)
-          @dependencies = dependencies
-          @dependency_files = dependency_files
-          @repo_contents_path = repo_contents_path
-          @credentials = credentials
-          @options = options
-        end
-
+        sig { returns(String) }
         def updated_lockfile_content
           @updated_lockfile_content ||=
             begin
               updated_content = build_updated_lockfile
 
-              raise "Expected content to change!" if lockfile.content == updated_content
+              raise "Expected content to change!" if T.must(lockfile).content == updated_content
 
               updated_content
             end
@@ -55,14 +79,24 @@ module Dependabot
 
         private
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+
+        sig { returns(T.nilable(String)) }
         attr_reader :repo_contents_path
+
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+
+        sig { returns(T::Hash[Symbol, T.untyped]) }
         attr_reader :options
 
+        sig { returns(String) }
         def build_updated_lockfile
-          base_dir = dependency_files.first.directory
+          base_dir = T.must(dependency_files.first).directory
           lockfile_body =
             SharedHelpers.in_a_temporary_repo_directory(
               base_dir,
@@ -75,8 +109,8 @@ module Dependabot
                 function: "update_lockfile",
                 options: options,
                 args: {
-                  gemfile_name: gemfile.name,
-                  lockfile_name: lockfile.name,
+                  gemfile_name: T.must(gemfile).name,
+                  lockfile_name: T.must(lockfile).name,
                   dir: tmp_dir,
                   credentials: credentials,
                   dependencies: dependencies.map(&:to_h)
@@ -90,9 +124,10 @@ module Dependabot
           raise
         end
 
+        sig { void }
         def write_temporary_dependency_files
-          File.write(gemfile.name, prepared_gemfile_content(gemfile))
-          File.write(lockfile.name, sanitized_lockfile_body)
+          File.write(T.must(gemfile).name, prepared_gemfile_content(T.must(gemfile)))
+          File.write(T.must(lockfile).name, sanitized_lockfile_body)
 
           write_gemspecs(top_level_gemspecs)
           write_ruby_version_file
@@ -108,22 +143,25 @@ module Dependabot
           end
         end
 
+        sig { void }
         def write_ruby_version_file
           return unless ruby_version_file
 
-          path = ruby_version_file.name
+          path = T.must(ruby_version_file).name
           FileUtils.mkdir_p(Pathname.new(path).dirname)
-          File.write(path, ruby_version_file.content)
+          File.write(path, T.must(ruby_version_file).content)
         end
 
+        sig { void }
         def write_tool_versions_file
           return unless tool_versions_file
 
-          path = tool_versions_file.name
+          path = T.must(tool_versions_file).name
           FileUtils.mkdir_p(Pathname.new(path).dirname)
-          File.write(path, tool_versions_file.content)
+          File.write(path, T.must(tool_versions_file).content)
         end
 
+        sig { params(files: T::Array[Dependabot::DependencyFile]).void }
         def write_gemspecs(files)
           files.each do |file|
             path = file.name
@@ -133,6 +171,7 @@ module Dependabot
           end
         end
 
+        sig { void }
         def write_specification_files
           specification_files.each do |file|
             path = file.name
@@ -141,6 +180,7 @@ module Dependabot
           end
         end
 
+        sig { void }
         def write_imported_ruby_files
           imported_ruby_files.each do |file|
             path = file.name
@@ -149,38 +189,46 @@ module Dependabot
           end
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def path_gemspecs
           all = dependency_files.select { |f| f.name.end_with?(".gemspec") }
           all - top_level_gemspecs
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def imported_ruby_files
           dependency_files
             .select { |f| f.name.end_with?(".rb") }
             .reject { |f| f.name == "gems.rb" }
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def top_level_gemspecs
           dependency_files
             .select { |file| file.name.end_with?(".gemspec") && Pathname.new(file.name).dirname.to_s == "." }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def ruby_version_file
           dependency_files.find { |f| f.name == ".ruby-version" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def tool_versions_file
           dependency_files.find { |f| f.name == ".tool-versions" }
         end
 
+        sig { params(lockfile_body: String).returns(String) }
         def post_process_lockfile(lockfile_body)
           lockfile_body = reorder_git_dependencies(lockfile_body)
           replace_lockfile_ending(lockfile_body)
         end
 
+        sig { params(lockfile_body: String).returns(String) }
         def reorder_git_dependencies(lockfile_body)
           new_section = lockfile_body.match(GIT_DEPENDENCIES_SECTION)&.to_s
-          old_section = lockfile.content.match(GIT_DEPENDENCIES_SECTION)&.to_s
+          lockfile_content = T.must(lockfile).content
+          old_section = lockfile_content&.match(GIT_DEPENDENCIES_SECTION)&.to_s
 
           return lockfile_body unless new_section && old_section
 
@@ -190,8 +238,10 @@ module Dependabot
           return lockfile_body unless new_deps.count == old_deps.count
 
           reordered_new_section = new_deps.sort_by do |new_dep_details|
-            remote = new_dep_details.match(/remote: (?<remote>.*\n)/)[:remote]
-            i = old_deps.index { |details| details.include?(remote) }
+            dep_string = T.cast(new_dep_details, String)
+            match_result = dep_string.match(/remote: (?<remote>.*\n)/)
+            remote = match_result ? match_result[:remote] : ""
+            i = old_deps.index { |details| details.include?(T.must(remote)) }
 
             # If this dependency isn't in the old lockfile then we can't rely
             # on that (presumably outdated) lockfile to do reordering.
@@ -205,15 +255,18 @@ module Dependabot
           lockfile_body.gsub(new_section, reordered_new_section)
         end
 
+        sig { params(lockfile_body: String).returns(String) }
         def replace_lockfile_ending(lockfile_body)
           # Re-add the old `BUNDLED WITH` version (and remove the RUBY VERSION
           # if it wasn't previously present in the lockfile)
+          lockfile_content = T.must(lockfile).content
           lockfile_body.gsub(
             LOCKFILE_ENDING,
-            lockfile.content.match(LOCKFILE_ENDING)&.[](:ending) || "\n"
+            lockfile_content&.match(LOCKFILE_ENDING)&.[](:ending) || "\n"
           )
         end
 
+        sig { params(path: String, gemspec_content: String).returns(String) }
         def sanitized_gemspec_content(path, gemspec_content)
           new_version = replacement_version_for_gemspec(path, gemspec_content)
 
@@ -222,6 +275,7 @@ module Dependabot
             .rewrite(gemspec_content)
         end
 
+        sig { params(path: String, gemspec_content: String).returns(String) }
         def replacement_version_for_gemspec(path, gemspec_content)
           return "0.0.1" unless lockfile
 
@@ -233,9 +287,10 @@ module Dependabot
             CachedLockfileParser.parse(sanitized_lockfile_body).specs
                                 .select { |s| s.name == gem_name && gemspec_sources.include?(s.source.class) }
 
-          gemspec_specs.first&.version || "0.0.1"
+          gemspec_specs.first&.version&.to_s || "0.0.1"
         end
 
+        sig { params(file: Dependabot::DependencyFile).returns(String) }
         def prepared_gemfile_content(file)
           content = updated_gemfile_content(file)
 
@@ -246,6 +301,7 @@ module Dependabot
           content
         end
 
+        sig { params(file: Dependabot::DependencyFile).returns(String) }
         def updated_gemfile_content(file)
           GemfileUpdater.new(
             dependencies: dependencies,
@@ -253,6 +309,7 @@ module Dependabot
           ).updated_gemfile_content
         end
 
+        sig { params(gemspec: Dependabot::DependencyFile).returns(String) }
         def updated_gemspec_content(gemspec)
           GemspecUpdater.new(
             dependencies: dependencies,
@@ -260,11 +317,13 @@ module Dependabot
           ).updated_gemspec_content
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def gemfile
           @gemfile ||= dependency_files.find { |f| f.name == "Gemfile" } ||
                        dependency_files.find { |f| f.name == "gems.rb" }
         end
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def lockfile
           @lockfile ||=
             dependency_files.find { |f| f.name == "Gemfile.lock" } ||
@@ -272,10 +331,13 @@ module Dependabot
         end
 
         # TODO: Stop sanitizing the lockfile once we have bundler 2 installed
+        sig { returns(String) }
         def sanitized_lockfile_body
-          lockfile.content.gsub(LOCKFILE_ENDING, "")
+          content = T.must(lockfile).content
+          T.must(content).gsub(LOCKFILE_ENDING, "")
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def evaled_gemfiles
           @evaled_gemfiles ||=
             dependency_files
@@ -288,10 +350,12 @@ module Dependabot
             .reject(&:support_file?)
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def specification_files
           dependency_files.select { |f| f.name.end_with?(".specification") }
         end
 
+        sig { returns(String) }
         def bundler_version
           @bundler_version ||= Helpers.bundler_version(lockfile)
         end

data/lib/dependabot/bundler/file_updater/requirement_replacer.rb

@@ -1,20 +1,45 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "parser/current"
+require "sorbet-runtime"
+
 require "dependabot/bundler/file_updater"
 
 module Dependabot
   module Bundler
     class FileUpdater
       class RequirementReplacer
+        extend T::Sig
+
+        sig { returns(Dependabot::Dependency) }
         attr_reader :dependency
+
+        sig { returns(Symbol) }
         attr_reader :file_type
+
+        sig { returns(String) }
         attr_reader :updated_requirement
+
+        sig { returns(T.nilable(String)) }
         attr_reader :previous_requirement
 
-        def initialize(dependency:, file_type:, updated_requirement:,
-                       previous_requirement: nil, insert_if_bare: false)
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            file_type: Symbol,
+            updated_requirement: String,
+            previous_requirement: T.nilable(String),
+            insert_if_bare: T::Boolean
+          ).void
+        end
+        def initialize(
+          dependency:,
+          file_type:,
+          updated_requirement:,
+          previous_requirement: nil,
+          insert_if_bare: false
+        )
           @dependency           = dependency
           @file_type            = file_type
           @updated_requirement  = updated_requirement
@@ -22,7 +47,10 @@ module Dependabot
           @insert_if_bare       = insert_if_bare
         end
 
+        sig { params(content: T.nilable(String)).returns(String) }
         def rewrite(content)
+          return "" unless content
+
           buffer = Parser::Source::Buffer.new("(gemfile_content)")
           buffer.source = content
           ast = Parser::CurrentRuby.new.parse(buffer)
@@ -39,10 +67,12 @@ module Dependabot
 
         private
 
+        sig { returns(T::Boolean) }
         def insert_if_bare?
           @insert_if_bare
         end
 
+        sig { params(content: String, updated_content: String).returns(String) }
         def update_comment_spacing_if_required(content, updated_content)
           return updated_content unless previous_requirement
 
@@ -53,43 +83,66 @@ module Dependabot
           updated_line_index =
             updated_lines.length
                          .times.find { |i| content.lines[i] != updated_content.lines[i] }
-          updated_line = updated_lines[updated_line_index]
+          return updated_content unless updated_line_index
+
+          updated_line = T.must(updated_lines[updated_line_index])
 
           updated_line =
             if length_change.positive?
               updated_line.sub(/(?<=\s)\s{#{length_change}}#/, "#")
             elsif length_change.negative?
               updated_line.sub(/(?<=\s{2})#/, (" " * length_change.abs) + "#")
+            else
+              updated_line
             end
 
           updated_lines[updated_line_index] = updated_line
           updated_lines.join
         end
 
+        sig { returns(Integer) }
         def length_change
-          return updated_requirement.length - previous_requirement.length unless previous_requirement.start_with?("=")
+          return 0 unless previous_requirement
+
+          prev_req = T.must(previous_requirement)
+          return updated_requirement.length - prev_req.length unless prev_req.start_with?("=")
 
           updated_requirement.length -
-            previous_requirement.gsub(/^=/, "").strip.length
+            prev_req.gsub(/^=/, "").strip.length
         end
 
         class Rewriter < Parser::TreeRewriter
+          extend T::Sig
+
           # TODO: Ideally we wouldn't have to ignore all of these, but
           # implementing each one will be tricky.
-          SKIPPED_TYPES = %i(send lvar dstr begin if case splat const or).freeze
-
-          def initialize(dependency:, file_type:, updated_requirement:,
-                         insert_if_bare:)
-            @dependency          = dependency
-            @file_type           = file_type
-            @updated_requirement = updated_requirement
-            @insert_if_bare      = insert_if_bare
+          SKIPPED_TYPES = T.let(%i(send lvar dstr begin if case splat const or).freeze, T::Array[Symbol])
+
+          sig do
+            params(
+              dependency: Dependabot::Dependency,
+              file_type: Symbol,
+              updated_requirement: String,
+              insert_if_bare: T::Boolean
+            ).void
+          end
+          def initialize(
+            dependency:,
+            file_type:,
+            updated_requirement:,
+            insert_if_bare:
+          )
+            @dependency = T.let(dependency, Dependabot::Dependency)
+            @file_type = T.let(file_type, Symbol)
+            @updated_requirement = T.let(updated_requirement, String)
+            @insert_if_bare = T.let(insert_if_bare, T::Boolean)
 
             return if %i(gemfile gemspec).include?(file_type)
 
             raise "File type must be :gemfile or :gemspec. Got #{file_type}."
           end
 
+          sig { params(node: T.untyped).void }
           def on_send(node)
             return unless declares_targeted_gem?(node)
 
@@ -117,14 +170,21 @@ module Dependabot
 
           private
 
+          sig { returns(Dependabot::Dependency) }
           attr_reader :dependency
+
+          sig { returns(Symbol) }
           attr_reader :file_type
+
+          sig { returns(String) }
           attr_reader :updated_requirement
 
+          sig { returns(T::Boolean) }
           def insert_if_bare?
             @insert_if_bare
           end
 
+          sig { returns(T::Array[Symbol]) }
           def declaration_methods
             return %i(gem) if file_type == :gemfile
 
@@ -132,12 +192,14 @@ module Dependabot
                add_development_dependency)
           end
 
+          sig { params(node: T.untyped).returns(T::Boolean) }
           def declares_targeted_gem?(node)
             return false unless declaration_methods.include?(node.children[1])
 
             node.children[2].children.first == dependency.name
           end
 
+          sig { params(requirement_nodes: T::Array[T.untyped]).returns([String, String]) }
           def extract_quote_characters_from(requirement_nodes)
             return ['"', '"'] if requirement_nodes.none?
 
@@ -155,6 +217,7 @@ module Dependabot
             end
           end
 
+          sig { params(requirement_nodes: T::Array[T.untyped]).returns(T::Boolean) }
           def space_after_specifier?(requirement_nodes)
             return true if requirement_nodes.none?
 
@@ -174,6 +237,7 @@ module Dependabot
 
           EQUALITY_OPERATOR = /(?<![<>!])=/
 
+          sig { params(requirement_nodes: T::Array[T.untyped]).returns(T::Boolean) }
           def use_equality_operator?(requirement_nodes)
             return true if requirement_nodes.none?
 
@@ -188,9 +252,18 @@ module Dependabot
             req_string.match?(EQUALITY_OPERATOR)
           end
 
-          def new_requirement_string(quote_characters:,
-                                     space_after_specifier:,
-                                     use_equality_operator:)
+          sig do
+            params(
+              quote_characters: [String, String],
+              space_after_specifier: T::Boolean,
+              use_equality_operator: T::Boolean
+            ).returns(String)
+          end
+          def new_requirement_string(
+            quote_characters:,
+            space_after_specifier:,
+            use_equality_operator:
+          )
             open_quote, close_quote = quote_characters
             new_requirement_string =
               updated_requirement.split(",")
@@ -204,6 +277,7 @@ module Dependabot
             new_requirement_string
           end
 
+          sig { params(req: String, use_equality_operator: T::Boolean).returns(String) }
           def serialized_req(req, use_equality_operator)
             tmp_req = req
 
@@ -215,6 +289,7 @@ module Dependabot
             tmp_req.strip
           end
 
+          sig { params(nodes: T::Array[T.untyped]).returns(T.untyped) }
           def range_for(nodes)
             nodes.first.loc.begin.begin.join(nodes.last.loc.expression)
           end