dependabot-bundler 0.333.0 → 0.335.0

data/lib/dependabot/bundler/file_updater.rb

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/bundler/native_helpers"
@@ -10,10 +12,13 @@ require "dependabot/file_updaters/vendor_updater"
 module Dependabot
   module Bundler
     class FileUpdater < Dependabot::FileUpdaters::Base
+      extend T::Sig
+
       require_relative "file_updater/gemfile_updater"
       require_relative "file_updater/gemspec_updater"
       require_relative "file_updater/lockfile_updater"
 
+      sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
         [
           # Matches Gemfile, Gemfile.lock, gems.rb, gems.locked, .gemspec files, and anything in vendor directory
@@ -25,20 +30,21 @@ module Dependabot
 
       # rubocop:disable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/AbcSize
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def updated_dependency_files
         updated_files = T.let([], T::Array[Dependabot::DependencyFile])
 
-        if gemfile && file_changed?(gemfile)
+        if gemfile && file_changed?(T.must(gemfile))
           updated_files <<
             updated_file(
-              file: gemfile,
-              content: updated_gemfile_content(gemfile)
+              file: T.must(gemfile),
+              content: updated_gemfile_content(T.must(gemfile))
             )
         end
 
         if lockfile && dependencies.any?(&:appears_in_lockfile?)
           updated_files <<
-            updated_file(file: lockfile, content: updated_lockfile_content)
+            updated_file(file: T.must(lockfile), content: updated_lockfile_content)
         end
 
         top_level_gemspecs.each do |file|
@@ -59,7 +65,7 @@ module Dependabot
 
         base_dir = T.must(updated_files.first).directory
         vendor_updater
-          .updated_vendor_cache_files(base_directory: base_dir)
+          .updated_files(base_directory: base_dir)
           .each do |file|
           updated_files << file
         end
@@ -72,10 +78,9 @@ module Dependabot
       private
 
       # Dynamically fetch the vendor cache folder from bundler
+      sig { returns(T.nilable(String)) }
       def vendor_cache_dir
-        return @vendor_cache_dir if defined?(@vendor_cache_dir)
-
-        @vendor_cache_dir =
+        @vendor_cache_dir = T.let(
           NativeHelpers.run_bundler_subprocess(
             bundler_version: bundler_version,
             function: "vendor_cache_dir",
@@ -83,9 +88,12 @@ module Dependabot
             args: {
               dir: repo_contents_path
             }
-          )
+          ),
+          T.nilable(String)
+        )
       end
 
+      sig { returns(Dependabot::FileUpdaters::VendorUpdater) }
       def vendor_updater
         Dependabot::FileUpdaters::VendorUpdater.new(
           repo_contents_path: repo_contents_path,
@@ -93,6 +101,7 @@ module Dependabot
         )
       end
 
+      sig { override.void }
       def check_required_files
         file_names = dependency_files.map(&:name)
 
@@ -104,24 +113,32 @@ module Dependabot
         raise "A gemspec or Gemfile must be provided!"
       end
 
+      sig { params(updated_files: T::Array[Dependabot::DependencyFile]).void }
       def check_updated_files(updated_files)
         return if updated_files.reject { |f| dependency_files.include?(f) }.any?
 
         raise "No files have changed!"
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def gemfile
-        @gemfile ||= get_original_file("Gemfile") ||
-                     get_original_file("gems.rb")
+        @gemfile ||= T.let(
+          get_original_file("Gemfile") || get_original_file("gems.rb"),
+          T.nilable(Dependabot::DependencyFile)
+        )
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def lockfile
-        @lockfile ||= get_original_file("Gemfile.lock") ||
-                      get_original_file("gems.locked")
+        @lockfile ||= T.let(
+          get_original_file("Gemfile.lock") || get_original_file("gems.locked"),
+          T.nilable(Dependabot::DependencyFile)
+        )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def evaled_gemfiles
-        @evaled_gemfiles ||=
+        @evaled_gemfiles ||= T.let(
           dependency_files
           .reject { |f| f.name.end_with?(".gemspec") }
           .reject { |f| f.name.end_with?(".specification") }
@@ -129,9 +146,12 @@ module Dependabot
           .reject { |f| f.name == "Gemfile" }
           .reject { |f| f.name == "gems.rb" }
           .reject { |f| f.name == "gems.locked" }
-          .reject(&:support_file?)
+          .reject(&:support_file?),
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
       end
 
+      sig { params(file: Dependabot::DependencyFile).returns(String) }
       def updated_gemfile_content(file)
         GemfileUpdater.new(
           dependencies: dependencies,
@@ -139,6 +159,7 @@ module Dependabot
         ).updated_gemfile_content
       end
 
+      sig { params(gemspec: Dependabot::DependencyFile).returns(String) }
       def updated_gemspec_content(gemspec)
         GemspecUpdater.new(
           dependencies: dependencies,
@@ -146,24 +167,32 @@ module Dependabot
         ).updated_gemspec_content
       end
 
+      sig { returns(String) }
       def updated_lockfile_content
-        @updated_lockfile_content ||=
+        @updated_lockfile_content ||= T.let(
           LockfileUpdater.new(
             dependencies: dependencies,
             dependency_files: dependency_files,
             repo_contents_path: repo_contents_path,
             credentials: credentials,
             options: options
-          ).updated_lockfile_content
+          ).updated_lockfile_content,
+          T.nilable(String)
+        )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def top_level_gemspecs
         dependency_files
           .select { |file| file.name.end_with?(".gemspec") }
       end
 
+      sig { returns(String) }
       def bundler_version
-        @bundler_version ||= Helpers.bundler_version(lockfile)
+        @bundler_version ||= T.let(
+          Helpers.bundler_version(lockfile),
+          T.nilable(String)
+        )
       end
     end
   end

data/lib/dependabot/bundler/metadata_finder.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "excon"
@@ -9,17 +9,36 @@ require "dependabot/registry_client"
 module Dependabot
   module Bundler
     class MetadataFinder < Dependabot::MetadataFinders::Base
-      SOURCE_KEYS = %w(
-        source_code_uri
-        homepage_uri
-        wiki_uri
-        bug_tracker_uri
-        documentation_uri
-        changelog_uri
-        mailing_list_uri
-        download_uri
-      ).freeze
+      extend T::Sig
+
+      SOURCE_KEYS = T.let(
+        %w(
+          source_code_uri
+          homepage_uri
+          wiki_uri
+          bug_tracker_uri
+          documentation_uri
+          changelog_uri
+          mailing_list_uri
+          download_uri
+        ).freeze,
+        T::Array[String]
+      )
+
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          credentials: T::Array[Dependabot::Credential]
+        ).void
+      end
+      def initialize(dependency:, credentials:)
+        super
+        @rubygems_marshalled_gemspec_response = T.let(nil, T.nilable(String))
+        @rubygems_api_response = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
+        @base_url = T.let(nil, T.nilable(String))
+      end
 
+      sig { override.returns(T.nilable(String)) }
       def homepage_url
         return super unless %w(default rubygems).include?(new_source_type)
         return super unless rubygems_api_response["homepage_uri"]
@@ -29,6 +48,7 @@ module Dependabot
 
       private
 
+      sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
         case new_source_type
         when "git" then find_source_from_git_url
@@ -37,6 +57,7 @@ module Dependabot
         end
       end
 
+      sig { override.returns(T.nilable(String)) }
       def suggested_changelog_url
         case new_source_type
         when "default"
@@ -50,10 +71,12 @@ module Dependabot
         end
       end
 
+      sig { returns(String) }
       def new_source_type
-        dependency.source_type
+        T.must(dependency.source_type)
       end
 
+      sig { returns(T.nilable(Dependabot::Source)) }
       def find_source_from_rubygems
         api_source = find_source_from_rubygems_api_response
         return api_source if api_source || new_source_type == "default"
@@ -61,15 +84,16 @@ module Dependabot
         find_source_from_gemspec_download
       end
 
+      sig { returns(T.nilable(Dependabot::Source)) }
       def find_source_from_rubygems_api_response
-        source_url = rubygems_api_response
-                     .values_at(*SOURCE_KEYS)
-                     .compact
-                     .find { |url| Source.from_url(url) }
+        api_response = rubygems_api_response
+        source_url = SOURCE_KEYS.filter_map { |key| api_response[key] }
+                                .find { |url| Source.from_url(url) }
 
         Source.from_url(source_url)
       end
 
+      sig { returns(T.nilable(Dependabot::Source)) }
       def find_source_from_git_url
         info = dependency.requirements.filter_map { |r| r[:source] }.first
 
@@ -77,12 +101,13 @@ module Dependabot
         Source.from_url(url)
       end
 
+      sig { returns(T.nilable(Dependabot::Source)) }
       def find_source_from_gemspec_download
         github_urls = []
         return unless rubygems_marshalled_gemspec_response
 
-        rubygems_marshalled_gemspec_response.gsub("\x06;", "\n")
-                                            .scan(Source::SOURCE_REGEX) do
+        T.must(rubygems_marshalled_gemspec_response).gsub("\x06;", "\n")
+         .scan(Source::SOURCE_REGEX) do
           github_urls << Regexp.last_match.to_s
         end
 
@@ -95,12 +120,13 @@ module Dependabot
         Source.from_url(source_url)
       end
 
+      sig { returns(T.nilable(String)) }
       def changelog_url_from_gemspec_download
         github_urls = []
         return unless rubygems_marshalled_gemspec_response
 
-        rubygems_marshalled_gemspec_response.gsub("\x06;", "\n")
-                                            .scan(Dependabot::Source::SOURCE_REGEX) do
+        T.must(rubygems_marshalled_gemspec_response).gsub("\x06;", "\n")
+         .scan(Dependabot::Source::SOURCE_REGEX) do
           github_urls << (Regexp.last_match.to_s +
                          T.must(T.must(Regexp.last_match).post_match.split("\n").first))
         end
@@ -115,8 +141,9 @@ module Dependabot
 
       # NOTE: This response MUST NOT be unmarshalled
       # (as calling Marshal.load is unsafe)
+      sig { returns(T.nilable(String)) }
       def rubygems_marshalled_gemspec_response
-        return @rubygems_marshalled_gemspec_response if defined?(@rubygems_marshalled_gemspec_response)
+        return @rubygems_marshalled_gemspec_response if @rubygems_marshalled_gemspec_response
 
         gemspec_uri =
           "#{registry_url}quick/Marshal.4.8/" \
@@ -136,8 +163,9 @@ module Dependabot
         @rubygems_marshalled_gemspec_response = nil
       end
 
+      sig { returns(T::Hash[String, T.untyped]) }
       def rubygems_api_response
-        return @rubygems_api_response if defined?(@rubygems_api_response)
+        return @rubygems_api_response if @rubygems_api_response
 
         response =
           Dependabot::RegistryClient.get(
@@ -155,16 +183,18 @@ module Dependabot
         @rubygems_api_response = {}
       end
 
+      sig { params(listing: T::Hash[String, T.untyped]).returns(T::Hash[String, T.untyped]) }
       def append_slash_to_source_code_uri(listing)
         # We have to do this so that `Source.from_url(...)` doesn't prune the
         # last line off of the directory.
-        return listing unless listing&.fetch("source_code_uri", nil)
-        return listing if listing.fetch("source_code_uri").end_with?("/")
+        return listing unless listing.fetch("source_code_uri", nil)
+        return listing if T.cast(listing.fetch("source_code_uri"), String).end_with?("/")
 
-        listing["source_code_uri"] = listing["source_code_uri"] + "/"
+        listing["source_code_uri"] = T.cast(listing["source_code_uri"], String) + "/"
         listing
       end
 
+      sig { params(response_body: String).returns(String) }
       def augment_private_response_if_appropriate(response_body)
         return response_body if new_source_type == "default"
 
@@ -173,10 +203,8 @@ module Dependabot
 
         digest = parsed_body.values_at("version", "authors", "info").hash
 
-        source_url = parsed_body
-                     .values_at(*SOURCE_KEYS)
-                     .compact
-                     .find { |url| Source.from_url(url) }
+        source_url = SOURCE_KEYS.filter_map { |key| parsed_body[key] }
+                                .find { |url| Source.from_url(url) }
         return response_body if source_url
 
         rubygems_response =
@@ -190,6 +218,7 @@ module Dependabot
         response_body
       end
 
+      sig { returns(String) }
       def registry_url
         return base_url if new_source_type == "default"
 
@@ -197,8 +226,9 @@ module Dependabot
         info[:url] || info.fetch("url")
       end
 
+      sig { returns(String) }
       def base_url
-        return @base_url if defined?(@base_url)
+        return @base_url if @base_url
 
         credential = credentials.find do |cred|
           cred["type"] == "rubygems_server" && cred.replaces_base?
@@ -207,6 +237,7 @@ module Dependabot
         @base_url = "https://#{host}#{'/' unless host&.end_with?('/')}"
       end
 
+      sig { returns(T::Hash[String, String]) }
       def registry_auth_headers
         return {} unless new_source_type == "rubygems"
 

data/lib/dependabot/bundler/package/package_details_fetcher.rb

@@ -143,7 +143,9 @@ module Dependabot
           rescue URI::InvalidURIError
             raise "Invalid registry URL: #{registry_url}"
           end
-          return package_details([]) if parsed_url.host == "rubygems.pkg.github.com"
+
+          # Handle GitHub Package Registry
+          return github_packages_versions(registry_url) if parsed_url.host == "rubygems.pkg.github.com"
 
           response = registry_json_response_for_dependency(registry_url)
 
@@ -193,6 +195,61 @@ module Dependabot
           )
         end
 
+        sig { params(registry_url: String).returns(Dependabot::Package::PackageDetails) }
+        def github_packages_versions(registry_url)
+          # Extract org name from URL like "https://rubygems.pkg.github.com/dsp-testing/"
+          org_name = registry_url.split("/").last
+
+          # GitHub Packages API endpoint for RubyGems packages
+          api_url = "https://api.github.com/orgs/#{org_name}/packages/rubygems/#{dependency.name}/versions"
+
+          response = Dependabot::RegistryClient.get(
+            url: api_url,
+            headers: {
+              "Accept" => "application/vnd.github.v3+json",
+              "Authorization" => "Bearer #{github_token}"
+            }
+          )
+
+          unless response.status == 200
+            error_details = "Status: #{response.status}"
+            error_details += " (Package not found in GitHub Registry)" if response.status == 404
+            error_message = "Failed to fetch versions for '#{dependency.name}' from GitHub Packages. #{error_details}"
+            Dependabot.logger.info(error_message)
+            return package_details([])
+          end
+
+          begin
+            versions_data = JSON.parse(response.body)
+            package_releases = versions_data.map do |version_info|
+              # GitHub Packages API returns different structure than RubyGems
+              version_number = version_info["name"] # GitHub uses "name" for version
+              created_at = version_info["created_at"]
+
+              package_release(
+                version: version_number,
+                released_at: Time.parse(created_at),
+                downloads: 0, # GitHub Packages doesn't provide download counts
+                url: "#{registry_url}/gems/#{dependency.name}-#{version_number}.gem",
+                ruby_version: nil # GitHub Packages API doesn't provide ruby version requirements
+              )
+            end
+
+            package_details(package_releases)
+          rescue JSON::ParserError => e
+            Dependabot.logger.info("Failed to parse GitHub Packages response: #{e.message}")
+            package_details([])
+          end
+        end
+
+        sig { returns(T.nilable(String)) }
+        def github_token
+          github_credential = credentials.find do |cred|
+            cred["type"] == "rubygems_server" && cred["host"] == "rubygems.pkg.github.com"
+          end
+          github_credential&.fetch("token", nil)
+        end
+
         sig { params(req_string: String).returns(Requirement) }
         def language_requirement(req_string)
           Requirement.new(req_string)
@@ -222,7 +279,8 @@ module Dependabot
             Dependabot::Package::PackageDetails.new(
               dependency: dependency,
               releases: releases.reverse.uniq(&:version)
-            ), T.nilable(Dependabot::Package::PackageDetails)
+            ),
+            T.nilable(Dependabot::Package::PackageDetails)
           )
         end
 

data/lib/dependabot/bundler/requirement.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "sorbet-runtime"
@@ -26,9 +26,10 @@ module Dependabot
 
       # Patches Gem::Requirement to make it accept requirement strings like
       # "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
+      sig { params(requirements: T.nilable(T.any(String, T::Array[String]))).void }
       def initialize(*requirements)
         requirements = requirements.flatten.flat_map do |req_string|
-          req_string.split(",").map(&:strip)
+          T.must(req_string).split(",").map(&:strip)
         end
 
         super(requirements)