dependabot-bundler 0.94.0

data/lib/dependabot/bundler/file_updater/gemspec_updater.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "dependabot/bundler/file_updater"
+
+module Dependabot
+  module Bundler
+    class FileUpdater
+      class GemspecUpdater
+        require_relative "requirement_replacer"
+
+        def initialize(dependencies:, gemspec:)
+          @dependencies = dependencies
+          @gemspec = gemspec
+        end
+
+        def updated_gemspec_content
+          content = gemspec.content
+
+          dependencies.each do |dependency|
+            content = replace_gemspec_version_requirement(
+              gemspec, dependency, content
+            )
+          end
+
+          content
+        end
+
+        private
+
+        attr_reader :dependencies, :gemspec
+
+        def replace_gemspec_version_requirement(gemspec, dependency, content)
+          return content unless requirement_changed?(gemspec, dependency)
+
+          updated_requirement =
+            dependency.requirements.
+            find { |r| r[:file] == gemspec.name }.
+            fetch(:requirement)
+
+          previous_requirement =
+            dependency.previous_requirements.
+            find { |r| r[:file] == gemspec.name }.
+            fetch(:requirement)
+
+          RequirementReplacer.new(
+            dependency: dependency,
+            file_type: :gemspec,
+            updated_requirement: updated_requirement,
+            previous_requirement: previous_requirement
+          ).rewrite(content)
+        end
+
+        def requirement_changed?(file, dependency)
+          changed_requirements =
+            dependency.requirements - dependency.previous_requirements
+
+          changed_requirements.any? { |f| f[:file] == file.name }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_updater/git_pin_replacer.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "parser/current"
+require "dependabot/bundler/file_updater"
+
+module Dependabot
+  module Bundler
+    class FileUpdater
+      class GitPinReplacer
+        attr_reader :dependency, :new_pin
+
+        def initialize(dependency:, new_pin:)
+          @dependency = dependency
+          @new_pin = new_pin
+        end
+
+        def rewrite(content)
+          buffer = Parser::Source::Buffer.new("(gemfile_content)")
+          buffer.source = content
+          ast = Parser::CurrentRuby.new.parse(buffer)
+
+          Rewriter.
+            new(dependency: dependency, new_pin: new_pin).
+            rewrite(buffer, ast)
+        end
+
+        class Rewriter < Parser::TreeRewriter
+          PIN_KEYS = %i(ref tag).freeze
+          attr_reader :dependency, :new_pin
+
+          def initialize(dependency:, new_pin:)
+            @dependency = dependency
+            @new_pin = new_pin
+          end
+
+          def on_send(node)
+            return unless declares_targeted_gem?(node)
+            return unless node.children.last.type == :hash
+
+            kwargs_node = node.children.last
+            kwargs_node.children.each do |hash_pair|
+              next unless PIN_KEYS.include?(key_from_hash_pair(hash_pair))
+
+              update_value(hash_pair)
+            end
+          end
+
+          private
+
+          def declares_targeted_gem?(node)
+            return false unless node.children[1] == :gem
+
+            node.children[2].children.first == dependency.name
+          end
+
+          def key_from_hash_pair(node)
+            node.children.first.children.first.to_sym
+          end
+
+          def update_value(hash_pair)
+            value_node = hash_pair.children.last
+            open_quote_character, close_quote_character =
+              extract_quote_characters_from(value_node)
+
+            replace(
+              value_node.loc.expression,
+              %(#{open_quote_character}#{new_pin}#{close_quote_character})
+            )
+          end
+
+          def extract_quote_characters_from(value_node)
+            [value_node.loc.begin.source, value_node.loc.end.source]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_updater/git_source_remover.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require "parser/current"
+require "dependabot/bundler/file_updater"
+
+module Dependabot
+  module Bundler
+    class FileUpdater
+      class GitSourceRemover
+        attr_reader :dependency
+
+        def initialize(dependency:)
+          @dependency = dependency
+        end
+
+        def rewrite(content)
+          buffer = Parser::Source::Buffer.new("(gemfile_content)")
+          buffer.source = content
+          ast = Parser::CurrentRuby.new.parse(buffer)
+
+          Rewriter.new(dependency: dependency).rewrite(buffer, ast)
+        end
+
+        class Rewriter < Parser::TreeRewriter
+          # TODO: Hack until Bundler 1.16.0 is available on Heroku
+          GOOD_KEYS = %i(
+            group groups path glob name require platform platforms type
+            source install_if
+          ).freeze
+
+          attr_reader :dependency
+
+          def initialize(dependency:)
+            @dependency = dependency
+          end
+
+          def on_send(node)
+            return unless declares_targeted_gem?(node)
+            return unless node.children.last.type == :hash
+
+            kwargs_node = node.children.last
+            keys = kwargs_node.children.map do |hash_pair|
+              key_from_hash_pair(hash_pair)
+            end
+
+            if keys.none? { |key| GOOD_KEYS.include?(key) }
+              remove_all_kwargs(node)
+            else
+              remove_git_related_kwargs(kwargs_node)
+            end
+          end
+
+          private
+
+          def declares_targeted_gem?(node)
+            return false unless node.children[1] == :gem
+
+            node.children[2].children.first == dependency.name
+          end
+
+          def key_from_hash_pair(node)
+            node.children.first.children.first.to_sym
+          end
+
+          def remove_all_kwargs(node)
+            kwargs_node = node.children.last
+
+            range_to_remove =
+              kwargs_node.loc.expression.join(node.children[-2].loc.end.end)
+
+            remove(range_to_remove)
+          end
+
+          def remove_git_related_kwargs(kwargs_node)
+            good_key_index = nil
+            hash_pairs = kwargs_node.children
+
+            hash_pairs.each_with_index do |hash_pair, index|
+              if GOOD_KEYS.include?(key_from_hash_pair(hash_pair))
+                good_key_index = index
+                next
+              end
+
+              range_to_remove =
+                if good_key_index.nil?
+                  next_arg_start = hash_pairs[index + 1].loc.expression.begin
+                  hash_pair.loc.expression.join(next_arg_start)
+                else
+                  last_arg_end = hash_pairs[good_key_index].loc.expression.end
+                  hash_pair.loc.expression.join(last_arg_end)
+                end
+
+              remove(range_to_remove)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_updater/lockfile_updater.rb

@@ -0,0 +1,387 @@
+# frozen_string_literal: true
+
+require "bundler"
+
+require "bundler_definition_ruby_version_patch"
+require "bundler_definition_bundler_version_patch"
+require "bundler_git_source_patch"
+
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+require "dependabot/bundler/file_updater"
+require "dependabot/git_commit_checker"
+
+# rubocop:disable Metrics/ClassLength
+module Dependabot
+  module Bundler
+    class FileUpdater
+      class LockfileUpdater
+        require_relative "gemfile_updater"
+        require_relative "gemspec_updater"
+        require_relative "gemspec_sanitizer"
+        require_relative "gemspec_dependency_name_finder"
+
+        LOCKFILE_ENDING =
+          /(?<ending>\s*(?:RUBY VERSION|BUNDLED WITH).*)/m.freeze
+        GIT_DEPENDENCIES_SECTION = /GIT\n.*?\n\n(?!GIT)/m.freeze
+        GIT_DEPENDENCY_DETAILS = /GIT\n.*?\n\n/m.freeze
+        GEM_NOT_FOUND_ERROR_REGEX =
+          /locked to (?<name>[^\s]+) \(|not find (?<name>[^\s]+)-\d/.freeze
+        RETRYABLE_ERRORS = [::Bundler::HTTPError].freeze
+
+        # Can't be a constant because some of these don't exist in bundler
+        # 1.15, which Heroku uses, which causes an exception on boot.
+        def gemspec_sources
+          [
+            ::Bundler::Source::Path,
+            ::Bundler::Source::Gemspec
+          ]
+        end
+
+        def initialize(dependencies:, dependency_files:, credentials:)
+          @dependencies = dependencies
+          @dependency_files = dependency_files
+          @credentials = credentials
+        end
+
+        def updated_lockfile_content
+          @updated_lockfile_content ||=
+            begin
+              updated_content = build_updated_lockfile
+
+              if lockfile.content == updated_content
+                raise "Expected content to change!"
+              end
+
+              updated_content
+            end
+        end
+
+        private
+
+        attr_reader :dependencies, :dependency_files, :credentials
+
+        def build_updated_lockfile
+          base_dir = dependency_files.first.directory
+          lockfile_body =
+            SharedHelpers.in_a_temporary_directory(base_dir) do |tmp_dir|
+              write_temporary_dependency_files
+
+              SharedHelpers.in_a_forked_process do
+                # Set the path for path gemspec correctly
+                ::Bundler.instance_variable_set(:@root, tmp_dir)
+
+                # Remove installed gems from the default Rubygems index
+                ::Gem::Specification.all = []
+
+                # Set auth details
+                relevant_credentials.each do |cred|
+                  token = cred["token"] ||
+                          "#{cred['username']}:#{cred['password']}"
+
+                  ::Bundler.settings.set_command_option(
+                    cred.fetch("host"),
+                    token.gsub("@", "%40F").gsub("?", "%3F")
+                  )
+                end
+
+                generate_lockfile
+              end
+            end
+          post_process_lockfile(lockfile_body)
+        end
+
+        def write_temporary_dependency_files
+          File.write(gemfile.name, updated_gemfile_content(gemfile))
+          File.write(lockfile.name, sanitized_lockfile_body)
+
+          top_level_gemspecs.each do |gemspec|
+            path = gemspec.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            updated_content = updated_gemspec_content(gemspec)
+            File.write(path, sanitized_gemspec_content(updated_content))
+          end
+
+          write_ruby_version_file
+          write_path_gemspecs
+          write_imported_ruby_files
+
+          evaled_gemfiles.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, updated_gemfile_content(file))
+          end
+        end
+
+        def generate_lockfile
+          dependencies_to_unlock = dependencies.map(&:name)
+
+          begin
+            definition = build_definition(dependencies_to_unlock)
+
+            old_reqs = lock_deps_being_updated_to_exact_versions(definition)
+
+            definition.resolve_remotely!
+
+            old_reqs.each do |dep_name, old_req|
+              d_dep = definition.dependencies.find { |d| d.name == dep_name }
+              if old_req == :none then definition.dependencies.delete(d_dep)
+              else d_dep.instance_variable_set(:@requirement, old_req)
+              end
+            end
+
+            definition.to_lock
+          rescue ::Bundler::GemNotFound => error
+            unlock_yanked_gem(dependencies_to_unlock, error) && retry
+          rescue ::Bundler::VersionConflict => error
+            unlock_blocking_subdeps(dependencies_to_unlock, error) && retry
+          rescue *RETRYABLE_ERRORS
+            raise if @retrying
+
+            @retrying = true
+            sleep(rand(1.0..5.0))
+            retry
+          end
+        end
+
+        def unlock_yanked_gem(dependencies_to_unlock, error)
+          raise unless error.message.match?(GEM_NOT_FOUND_ERROR_REGEX)
+
+          gem_name = error.message.match(GEM_NOT_FOUND_ERROR_REGEX).
+                     named_captures["name"]
+          raise if dependencies_to_unlock.include?(gem_name)
+
+          dependencies_to_unlock << gem_name
+        end
+
+        def unlock_blocking_subdeps(dependencies_to_unlock, error)
+          all_deps =  ::Bundler::LockfileParser.new(sanitized_lockfile_body).
+                      specs.map(&:name).map(&:to_s)
+          top_level = build_definition([]).dependencies.
+                      map(&:name).map(&:to_s)
+          allowed_new_unlocks = all_deps - top_level - dependencies_to_unlock
+
+          # Unlock any sub-dependencies that Bundler reports caused the
+          # conflict
+          potentials_deps =
+            error.cause.conflicts.values.
+            flat_map(&:requirement_trees).
+            map do |tree|
+              tree.find { |req| allowed_new_unlocks.include?(req.name) }
+            end.compact.map(&:name)
+
+          # If there's nothing more we can unlock, give up
+          raise if potentials_deps.none?
+
+          dependencies_to_unlock.append(*potentials_deps)
+        end
+
+        def build_definition(dependencies_to_unlock)
+          defn = ::Bundler::Definition.build(
+            gemfile.name,
+            lockfile.name,
+            gems: dependencies_to_unlock
+          )
+
+          # Bundler unlocks the sub-dependencies of gems it is passed even
+          # if those sub-deps are top-level dependencies. We only want true
+          # subdeps unlocked, like they were in the UpdateChecker, so we
+          # mutate the unlocked gems array.
+          unlocked = defn.instance_variable_get(:@unlock).fetch(:gems)
+          must_not_unlock = defn.dependencies.map(&:name).map(&:to_s) -
+                            dependencies_to_unlock
+          unlocked.reject! { |n| must_not_unlock.include?(n) }
+
+          defn
+        end
+
+        def lock_deps_being_updated_to_exact_versions(definition)
+          dependencies.each_with_object({}) do |dep, old_reqs|
+            defn_dep = definition.dependencies.find { |d| d.name == dep.name }
+
+            if defn_dep.nil?
+              definition.dependencies <<
+                ::Bundler::Dependency.new(dep.name, dep.version)
+              old_reqs[dep.name] = :none
+            elsif git_dependency?(dep) &&
+                  defn_dep.source.is_a?(::Bundler::Source::Git)
+              defn_dep.source.unlock!
+            elsif Gem::Version.correct?(dep.version)
+              new_req = Gem::Requirement.create("= #{dep.version}")
+              old_reqs[dep.name] = defn_dep.requirement
+              defn_dep.instance_variable_set(:@requirement, new_req)
+            end
+          end
+        end
+
+        def write_ruby_version_file
+          return unless ruby_version_file
+
+          path = ruby_version_file.name
+          FileUtils.mkdir_p(Pathname.new(path).dirname)
+          File.write(path, ruby_version_file.content)
+        end
+
+        def write_path_gemspecs
+          path_gemspecs.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, sanitized_gemspec_content(file.content))
+          end
+        end
+
+        def write_imported_ruby_files
+          imported_ruby_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, file.content)
+          end
+        end
+
+        def path_gemspecs
+          all = dependency_files.select { |f| f.name.end_with?(".gemspec") }
+          all - top_level_gemspecs
+        end
+
+        def imported_ruby_files
+          dependency_files.
+            select { |f| f.name.end_with?(".rb") }.
+            reject { |f| f.name == "gems.rb" }
+        end
+
+        def top_level_gemspecs
+          dependency_files.
+            select { |file| file.name.end_with?(".gemspec") }.
+            reject(&:support_file?)
+        end
+
+        def ruby_version_file
+          dependency_files.find { |f| f.name == ".ruby-version" }
+        end
+
+        def post_process_lockfile(lockfile_body)
+          lockfile_body = reorder_git_dependencies(lockfile_body)
+          replace_lockfile_ending(lockfile_body)
+        end
+
+        def reorder_git_dependencies(lockfile_body)
+          new_section = lockfile_body.match(GIT_DEPENDENCIES_SECTION)&.to_s
+          old_section = lockfile.content.match(GIT_DEPENDENCIES_SECTION)&.to_s
+
+          return lockfile_body unless new_section && old_section
+
+          new_deps = new_section.scan(GIT_DEPENDENCY_DETAILS)
+          old_deps = old_section.scan(GIT_DEPENDENCY_DETAILS)
+
+          return lockfile_body unless new_deps.count == old_deps.count
+
+          reordered_new_section = new_deps.sort_by do |new_dep_details|
+            remote = new_dep_details.match(/remote: (?<remote>.*\n)/)[:remote]
+            i = old_deps.index { |details| details.include?(remote) }
+
+            # If this dependency isn't in the old lockfile then we can't rely
+            # on that (presumably outdated) lockfile to do reordering.
+            # Instead, we just return the default-ordered content just
+            # generated.
+            return lockfile_body unless i
+
+            i
+          end.join
+
+          lockfile_body.gsub(new_section, reordered_new_section)
+        end
+
+        def replace_lockfile_ending(lockfile_body)
+          # Re-add the old `BUNDLED WITH` version (and remove the RUBY VERSION
+          # if it wasn't previously present in the lockfile)
+          lockfile_body.gsub(
+            LOCKFILE_ENDING,
+            lockfile.content.match(LOCKFILE_ENDING)&.[](:ending) || "\n"
+          )
+        end
+
+        def sanitized_gemspec_content(gemspec_content)
+          new_version = replacement_version_for_gemspec(gemspec_content)
+
+          GemspecSanitizer.
+            new(replacement_version: new_version).
+            rewrite(gemspec_content)
+        end
+
+        def replacement_version_for_gemspec(gemspec_content)
+          return "0.0.1" unless lockfile
+
+          gemspec_specs =
+            ::Bundler::LockfileParser.new(sanitized_lockfile_body).specs.
+            select { |s| gemspec_sources.include?(s.source.class) }
+
+          gem_name =
+            GemspecDependencyNameFinder.new(gemspec_content: gemspec_content).
+            dependency_name
+
+          return gemspec_specs.first&.version || "0.0.1" unless gem_name
+
+          spec = gemspec_specs.find { |s| s.name == gem_name }
+          spec&.version || gemspec_specs.first&.version || "0.0.1"
+        end
+
+        def relevant_credentials
+          credentials.select do |cred|
+            next true if cred["type"] == "git_source"
+            next true if cred["type"] == "rubygems_server"
+
+            false
+          end
+        end
+
+        def updated_gemfile_content(file)
+          GemfileUpdater.new(
+            dependencies: dependencies,
+            gemfile: file
+          ).updated_gemfile_content
+        end
+
+        def updated_gemspec_content(gemspec)
+          GemspecUpdater.new(
+            dependencies: dependencies,
+            gemspec: gemspec
+          ).updated_gemspec_content
+        end
+
+        def gemfile
+          @gemfile ||= dependency_files.find { |f| f.name == "Gemfile" } ||
+                       dependency_files.find { |f| f.name == "gems.rb" }
+        end
+
+        def lockfile
+          @lockfile ||=
+            dependency_files.find { |f| f.name == "Gemfile.lock" } ||
+            dependency_files.find { |f| f.name == "gems.locked" }
+        end
+
+        def sanitized_lockfile_body
+          lockfile.content.gsub(LOCKFILE_ENDING, "")
+        end
+
+        def evaled_gemfiles
+          @evaled_gemfiles ||=
+            dependency_files.
+            reject { |f| f.name.end_with?(".gemspec") }.
+            reject { |f| f.name.end_with?(".lock") }.
+            reject { |f| f.name.end_with?(".ruby-version") }.
+            reject { |f| f.name == "Gemfile" }.
+            reject { |f| f.name == "gems.rb" }.
+            reject { |f| f.name == "gems.locked" }
+        end
+
+        def git_dependency?(dep)
+          GitCommitChecker.new(
+            dependency: dep,
+            credentials: credentials
+          ).git_dependency?
+        end
+      end
+    end
+  end
+end
+# rubocop:enable Metrics/ClassLength