dependabot-bundler 0.382.0 → 0.383.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1b1389dea9ddec262718e238d70112ad3495b989bd2b857124974cba40a856c7
-  data.tar.gz: 911a2a11704ad3334c805895940ae7411292e7188dd103f9a5c20c22ab27c668
+  metadata.gz: d1ba21c738892e21622391ab82718a15bc4fbd0ba49080dde90ed4fa917cfe61
+  data.tar.gz: 809f4495fbc61b082895ec1e411be55abe73f57655dcbfdaca818e5d83e36594
 SHA512:
-  metadata.gz: bd55fd7d99cde9d0893c48ffd9690540c792737e5a0bb036aa1deda38f5b2cbf49230648cf1a2469cec65389c130fe9ade5b20f71d4854946923501a3057e240
-  data.tar.gz: 746587193b68ef9037656d766226eac76f2a35cdb568b87f87ae02ec7fad95a9ace33c78f8ba3c0e97629b750af737bb3da2acbf9921c33eff6fbcd6a01f442b
+  metadata.gz: 30e9d815ca521d360711378caf668148ad4d75e62ccb42e851e9200fc309e08bf57c4cb2e841143c086e1087a061f90bfb19778c7d9e2e30ce1229eaf5335ee0
+  data.tar.gz: 3f13429240d46f3f0a942db18625b095bdceb4df72a0ea71b7e26779ed58ec1259927e604881d8420a756a493fe93d97671aef547091ca3d7161b3b5f2a7ea80

data/helpers/v4/monkey_patches/endpoint_specification_metadata_patch.rb

@@ -0,0 +1,32 @@
+# typed: false
+# frozen_string_literal: true
+
+require "bundler/endpoint_specification"
+
+# Bundler 4 parses the metadata a registry's compact index (`/info/<gem>`)
+# returns per gem version. Its guard is `next unless v`, but an empty array
+# `[]` is truthy, so for an empty `checksum` it calls `Checksum.from_api(nil)`
+# -> `nil.match?(...)` and raises `Bundler::GemspecError` ("There was an error
+# parsing the metadata for the gem ..."), aborting the whole resolution.
+#
+# GitHub Packages serves this empty-checksum shape for some old gems (e.g.
+# failbot 2.0.1), so one such gem blocks every update for the repo. Bundler 2
+# didn't parse compact-index checksums, so this only surfaced once the updater
+# moved to the Bundler 4 helper.
+#
+# Drop nil/empty metadata values before Bundler parses them. An empty checksum
+# carries nothing to verify, so skipping it is safe; well-formed values (and
+# genuinely malformed ones, which still raise) are untouched.
+module BundlerEndpointSpecificationMetadataPatch
+  def parse_metadata(data)
+    if data.respond_to?(:reject)
+      data = data.reject do |_key, value|
+        value.nil? || (value.respond_to?(:empty?) && value.empty?)
+      end
+    end
+
+    super
+  end
+end
+
+Bundler::EndpointSpecification.prepend(BundlerEndpointSpecificationMetadataPatch)

data/helpers/v4/run.rb

@@ -24,6 +24,7 @@ end
 require "definition_ruby_version_patch"
 require "definition_bundler_version_patch"
 require "git_source_patch"
+require "endpoint_specification_metadata_patch"
 
 require "functions"
 

data/helpers/v4/spec/bundler_endpoint_specification_metadata_patch_spec.rb

@@ -0,0 +1,49 @@
+# typed: false
+# frozen_string_literal: true
+
+require "native_spec_helper"
+
+RSpec.describe BundlerEndpointSpecificationMetadataPatch do
+  let(:spec_fetcher) { instance_double(Bundler::Fetcher, uri: URI("https://example.com")) }
+
+  def build_spec(metadata)
+    Bundler::EndpointSpecification.new("failbot", "2.0.1", "ruby", spec_fetcher, [], metadata)
+  end
+
+  it "does not raise when the registry serves an empty checksum array" do
+    expect { build_spec([["checksum", []]]) }.not_to raise_error
+  end
+
+  it "leaves the checksum unset for an empty checksum array" do
+    spec = build_spec([["checksum", []]])
+    expect(spec.checksum).to be_nil
+  end
+
+  # The compact-index parser can emit a value-less entry (`["checksum"]`) rather
+  # than an empty array, depending on the RubyGems GemParser version. Both shapes
+  # reach this code, so both must be tolerated.
+  it "does not raise when the checksum entry has no value at all" do
+    expect { build_spec([["checksum"]]) }.not_to raise_error
+  end
+
+  it "ignores nil and blank metadata values" do
+    expect { build_spec([["checksum", nil], ["ruby", []]]) }.not_to raise_error
+  end
+
+  it "still parses a well-formed checksum" do
+    digest = "f" * 64
+    spec = build_spec([["checksum", [digest]]])
+    expect(spec.checksum).not_to be_nil
+  end
+
+  it "still parses ruby and rubygems requirements" do
+    spec = build_spec([["ruby", [">= 3.1"]], ["rubygems", [">= 3.0"]], ["checksum", []]])
+    expect(spec.required_ruby_version.to_s).to eq(">= 3.1")
+    expect(spec.required_rubygems_version.to_s).to eq(">= 3.0")
+  end
+
+  it "still raises on a genuinely malformed (non-empty) checksum" do
+    expect { build_spec([["checksum", ["not-a-valid-digest"]]]) }
+      .to raise_error(Bundler::GemspecError)
+  end
+end

data/helpers/v4/spec/native_spec_helper.rb

@@ -21,6 +21,7 @@ $LOAD_PATH.unshift(File.expand_path("../../spec_helpers", __dir__))
 require "definition_ruby_version_patch"
 require "definition_bundler_version_patch"
 require "git_source_patch"
+require "endpoint_specification_metadata_patch"
 
 require "functions"
 

data/lib/dependabot/bundler/file_updater/lockfile_updater.rb

@@ -26,7 +26,9 @@ module Dependabot
         LOCKFILE_ENDING = /(?<ending>\s*(?:RUBY VERSION|BUNDLED WITH).*)/m
         GIT_DEPENDENCIES_SECTION = /GIT\n.*?\n\n(?!GIT)/m
         GIT_DEPENDENCY_DETAILS = /GIT\n.*?\n\n/m
-        CHECKSUMS_SECTION = /(^CHECKSUMS\n)(?<entries>(?:^  .*\n)+)/m
+        # No `/m`: it would let the greedy `.*` in `entries` match newlines and
+        # swallow the trailing `BUNDLED WITH` section. `^` is line-anchored anyway.
+        CHECKSUMS_SECTION = /(^CHECKSUMS\n)(?<entries>(?:^  .*\n)+)/
         BUNDLED_WITH_VERSION_REGEX = /BUNDLED WITH\s+(?<version>\d+\.\d+\.\d+)/m
         BUNDLER_CHECKSUM_ENTRY_REGEX = /^  bundler \([^)]+\).*\n?$/
         MIN_BUNDLER_CHECKSUM_VERSION = Gem::Version.new("4.0.11")
@@ -226,6 +228,7 @@ module Dependabot
         def post_process_lockfile(lockfile_body)
           lockfile_body = reorder_git_dependencies(lockfile_body)
           lockfile_body = strip_new_bundler_checksum(lockfile_body)
+          lockfile_body = restore_bundler_checksum(lockfile_body)
           replace_lockfile_ending(lockfile_body)
         end
 
@@ -246,7 +249,9 @@ module Dependabot
         def should_strip_bundler_checksum?
           lockfile_content = T.must(lockfile).content
           return false unless lockfile_content&.include?("CHECKSUMS\n")
-          return false if lockfile_content.match?(BUNDLER_CHECKSUM_ENTRY_REGEX)
+
+          checksums_section = lockfile_content.match(CHECKSUMS_SECTION)
+          return false if checksums_section && T.must(checksums_section[:entries]).match?(BUNDLER_CHECKSUM_ENTRY_REGEX)
 
           bundled_with = lockfile_content.match(BUNDLED_WITH_VERSION_REGEX)&.[](:version)
           return false unless bundled_with
@@ -255,6 +260,37 @@ module Dependabot
           bundled_with_version >= Gem::Version.new("4.0.0") && bundled_with_version < MIN_BUNDLER_CHECKSUM_VERSION
         end
 
+        sig { params(lockfile_body: String).returns(String) }
+        def restore_bundler_checksum(lockfile_body)
+          original_entry = original_bundler_checksum_entry
+          return lockfile_body unless original_entry
+
+          checksums_section = lockfile_body.match(CHECKSUMS_SECTION)
+          return lockfile_body unless checksums_section
+
+          entries = T.must(checksums_section[:entries])
+          return lockfile_body unless entries.match?(BUNDLER_CHECKSUM_ENTRY_REGEX)
+
+          restored_entries = entries.lines.map do |line|
+            line.match?(BUNDLER_CHECKSUM_ENTRY_REGEX) ? original_entry : line
+          end.join
+
+          lockfile_body.sub(CHECKSUMS_SECTION) { "CHECKSUMS\n#{restored_entries}" }
+        end
+
+        sig { returns(T.nilable(String)) }
+        def original_bundler_checksum_entry
+          checksums_section = T.must(lockfile).content&.match(CHECKSUMS_SECTION)
+          return nil unless checksums_section
+
+          entry = T.must(checksums_section[:entries]).lines.find do |line|
+            line.match?(BUNDLER_CHECKSUM_ENTRY_REGEX)
+          end
+          return nil unless entry
+
+          "#{entry.chomp}\n"
+        end
+
         sig { params(lockfile_body: String).returns(String) }
         def reorder_git_dependencies(lockfile_body)
           new_section = lockfile_body.match(GIT_DEPENDENCIES_SECTION)&.to_s

data/lib/dependabot/bundler/update_checker/requirements_updater.rb

@@ -4,6 +4,7 @@
 require "sorbet-runtime"
 
 require "dependabot/bundler/update_checker"
+require "dependabot/dependency_requirement"
 require "dependabot/requirements_update_strategy"
 
 module Dependabot
@@ -25,7 +26,7 @@ module Dependabot
 
         sig do
           params(
-            requirements: T::Array[T::Hash[Symbol, T.untyped]],
+            requirements: T::Array[Dependabot::DependencyRequirement],
             update_strategy: Dependabot::RequirementsUpdateStrategy,
             updated_source: T.nilable(T::Hash[Symbol, T.untyped]),
             latest_version: T.nilable(String),
@@ -39,7 +40,10 @@ module Dependabot
           latest_version:,
           latest_resolvable_version:
         )
-          @requirements = requirements
+          @requirements = T.let(
+            requirements.map { |req| Dependabot::DependencyRequirement.create(req) },
+            T::Array[Dependabot::DependencyRequirement]
+          )
           @latest_version = T.let(
             (T.cast(Dependabot::Bundler::Version.new(latest_version), Dependabot::Bundler::Version) if latest_version),
             T.nilable(Dependabot::Bundler::Version)
@@ -57,7 +61,7 @@ module Dependabot
           )
         end
 
-        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        sig { returns(T::Array[Dependabot::DependencyRequirement]) }
         def updated_requirements
           return requirements if update_strategy.lockfile_only?
 
@@ -74,7 +78,7 @@ module Dependabot
 
         private
 
-        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        sig { returns(T::Array[Dependabot::DependencyRequirement]) }
         attr_reader :requirements
 
         sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
@@ -96,9 +100,9 @@ module Dependabot
           raise "Unknown update strategy: #{update_strategy}"
         end
 
-        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
+        sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
         def update_gemfile_requirement(req)
-          req = req.merge(source: updated_source)
+          req = Dependabot::DependencyRequirement.create(req.merge(source: updated_source))
           return req unless latest_resolvable_version
 
           case update_strategy
@@ -110,14 +114,14 @@ module Dependabot
           end
         end
 
-        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
+        sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
         def update_version_requirement_if_needed(req)
           return req if new_version_satisfies?(req)
 
           update_version_requirement(req)
         end
 
-        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
+        sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
         def update_version_requirement(req)
           requirements =
             req[:requirement].split(",").map { |r| Gem::Requirement.new(r) }
@@ -131,10 +135,10 @@ module Dependabot
               update_gemfile_range(requirements).join(", ")
             end
 
-          req.merge(requirement: new_requirement)
+          Dependabot::DependencyRequirement.create(req.merge(requirement: new_requirement))
         end
 
-        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Boolean) }
+        sig { params(req: Dependabot::DependencyRequirement).returns(T::Boolean) }
         def new_version_satisfies?(req)
           return false unless latest_resolvable_version
 
@@ -179,9 +183,9 @@ module Dependabot
         end
 
         # rubocop:disable Metrics/PerceivedComplexity
-        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
+        sig { params(req: Dependabot::DependencyRequirement).returns(Dependabot::DependencyRequirement) }
         def update_gemspec_requirement(req)
-          req = req.merge(source: updated_source) if req.fetch(:source)
+          req = Dependabot::DependencyRequirement.create(req.merge(source: updated_source)) if req.fetch(:source)
           return req unless latest_version && latest_resolvable_version
 
           requirements =
@@ -202,9 +206,9 @@ module Dependabot
             end
 
           updated_requirements = binding_requirements(updated_requirements)
-          req.merge(requirement: updated_requirements.join(", "))
+          Dependabot::DependencyRequirement.create(req.merge(requirement: updated_requirements.join(", ")))
         rescue UnfixableRequirement
-          req.merge(requirement: :unfixable)
+          Dependabot::DependencyRequirement.create(req.merge(requirement: :unfixable))
         end
         # rubocop:enable Metrics/PerceivedComplexity
 

data/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb

@@ -38,6 +38,12 @@ module Dependabot
         GIT_REGEX = /reset --hard [^\s]*` in directory (?<path>[^\s]*)/
         GIT_REF_REGEX = /not exist in the repository (?<path>[^\s]*)\./
         PATH_REGEX = /The path `(?<path>.*)` does not exist/
+        # Raised by Bundler when a registry's compact index (`/info/<gem>`) returns
+        # gem metadata it can't parse (e.g. an illformed `ruby:`/`rubygems:`
+        # requirement). This means the *registry* served bad data, not that the
+        # user's dependency files are broken.
+        REGISTRY_METADATA_ERROR_REGEX =
+          /error parsing the metadata for the gem (?<gem>\S+) \((?<version>[^)]+)\)/
 
         module BundlerErrorPatterns
           MISSING_AUTH_REGEX = /bundle config set --global (?<source>.*) username:password/
@@ -118,7 +124,7 @@ module Dependabot
           case error.error_class
           when "Bundler::Dsl::DSLError", "Bundler::GemspecError"
             # We couldn't evaluate the Gemfile, let alone resolve it
-            raise Dependabot::DependencyFileNotEvaluatable, msg
+            raise registry_metadata_error(error) || Dependabot::DependencyFileNotEvaluatable.new(msg)
           when "Bundler::Source::Git::MissingGitRevisionError"
             match_data = error.message.match(GIT_REF_REGEX)
             gem_name = T.must(T.must(match_data).named_captures["path"])
@@ -196,6 +202,31 @@ module Dependabot
         # rubocop:enable Metrics/AbcSize
         # rubocop:enable Metrics/MethodLength
 
+        # When Bundler fails to parse gem metadata served by a registry's compact
+        # index, surface it as a private source error (the registry returned bad
+        # data) rather than blaming the user's dependency files. Returns nil when
+        # the error isn't a registry metadata error so the caller can fall back.
+        sig do
+          params(error: Dependabot::SharedHelpers::HelperSubprocessFailed)
+            .returns(T.nilable(Dependabot::PrivateSourceBadResponse))
+        end
+        def registry_metadata_error(error)
+          match = error.message.match(REGISTRY_METADATA_ERROR_REGEX)
+          return nil unless match
+
+          source = private_registry_source
+          return nil unless source
+
+          detail = "Invalid gem metadata returned for #{match[:gem]} (#{match[:version]}) " \
+                   "by the source: #{source}"
+          Dependabot::PrivateSourceBadResponse.new(source, detail)
+        end
+
+        sig { returns(T.nilable(String)) }
+        def private_registry_source
+          private_registry_credentials.filter_map { |cred| cred["host"] }.first
+        end
+
         sig { returns(T::Array[T::Hash[String, T.untyped]]) }
         def inaccessible_git_dependencies
           in_a_native_bundler_context(error_handling: false) do |tmp_dir|

data/lib/dependabot/bundler/update_checker.rb

@@ -80,15 +80,13 @@ module Dependabot
         latest_version_for_req_updater = latest_version_details&.fetch(:version)&.to_s
         latest_resolvable_version_for_req_updater = preferred_resolvable_version_details&.fetch(:version)&.to_s
 
-        wrap_requirements(
-          RequirementsUpdater.new(
-            requirements: dependency.requirements,
-            update_strategy: T.must(requirements_update_strategy),
-            updated_source: updated_source,
-            latest_version: latest_version_for_req_updater,
-            latest_resolvable_version: latest_resolvable_version_for_req_updater
-          ).updated_requirements
-        )
+        RequirementsUpdater.new(
+          requirements: dependency.requirements,
+          update_strategy: T.must(requirements_update_strategy),
+          updated_source: updated_source,
+          latest_version: latest_version_for_req_updater,
+          latest_resolvable_version: latest_resolvable_version_for_req_updater
+        ).updated_requirements
       end
 
       sig { returns(T::Boolean) }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bundler
 version: !ruby/object:Gem::Version
-  version: 0.382.0
+  version: 0.383.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.382.0
+        version: 0.383.0
 - !ruby/object:Gem::Dependency
   name: parallel
   requirement: !ruby/object:Gem::Requirement
@@ -294,8 +294,10 @@ files:
 - helpers/v4/lib/functions/version_resolver.rb
 - helpers/v4/monkey_patches/definition_bundler_version_patch.rb
 - helpers/v4/monkey_patches/definition_ruby_version_patch.rb
+- helpers/v4/monkey_patches/endpoint_specification_metadata_patch.rb
 - helpers/v4/monkey_patches/git_source_patch.rb
 - helpers/v4/run.rb
+- helpers/v4/spec/bundler_endpoint_specification_metadata_patch_spec.rb
 - helpers/v4/spec/bundler_version_constraint_spec.rb
 - helpers/v4/spec/functions/conflicting_dependency_resolver_spec.rb
 - helpers/v4/spec/functions/dependency_source_spec.rb
@@ -349,7 +351,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.382.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.383.0
 rdoc_options: []
 require_paths:
 - lib