RubyGems - dependabot-bundler - Versions diffs - 0.94.0 - Mend

dependabot-bundler 0.94.0

Files changed (33) hide show

checksums.yaml +7 -0
data/helpers/Makefile +9 -0
data/helpers/build +26 -0
data/lib/dependabot/bundler.rb +27 -0
data/lib/dependabot/bundler/file_fetcher.rb +216 -0
data/lib/dependabot/bundler/file_fetcher/child_gemfile_finder.rb +68 -0
data/lib/dependabot/bundler/file_fetcher/gemspec_finder.rb +96 -0
data/lib/dependabot/bundler/file_fetcher/path_gemspec_finder.rb +112 -0
data/lib/dependabot/bundler/file_fetcher/require_relative_finder.rb +65 -0
data/lib/dependabot/bundler/file_parser.rb +297 -0
data/lib/dependabot/bundler/file_parser/file_preparer.rb +84 -0
data/lib/dependabot/bundler/file_parser/gemfile_checker.rb +46 -0
data/lib/dependabot/bundler/file_updater.rb +125 -0
data/lib/dependabot/bundler/file_updater/gemfile_updater.rb +114 -0
data/lib/dependabot/bundler/file_updater/gemspec_dependency_name_finder.rb +50 -0
data/lib/dependabot/bundler/file_updater/gemspec_sanitizer.rb +296 -0
data/lib/dependabot/bundler/file_updater/gemspec_updater.rb +62 -0
data/lib/dependabot/bundler/file_updater/git_pin_replacer.rb +78 -0
data/lib/dependabot/bundler/file_updater/git_source_remover.rb +100 -0
data/lib/dependabot/bundler/file_updater/lockfile_updater.rb +387 -0
data/lib/dependabot/bundler/file_updater/requirement_replacer.rb +221 -0
data/lib/dependabot/bundler/metadata_finder.rb +204 -0
data/lib/dependabot/bundler/requirement.rb +29 -0
data/lib/dependabot/bundler/update_checker.rb +334 -0
data/lib/dependabot/bundler/update_checker/file_preparer.rb +279 -0
data/lib/dependabot/bundler/update_checker/force_updater.rb +259 -0
data/lib/dependabot/bundler/update_checker/latest_version_finder.rb +165 -0
data/lib/dependabot/bundler/update_checker/requirements_updater.rb +281 -0
data/lib/dependabot/bundler/update_checker/ruby_requirement_setter.rb +113 -0
data/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb +244 -0
data/lib/dependabot/bundler/update_checker/version_resolver.rb +272 -0
data/lib/dependabot/bundler/version.rb +13 -0
metadata +200 -0

data/lib/dependabot/bundler/update_checker.rb ADDED Viewed

@@ -0,0 +1,334 @@
+# frozen_string_literal: true
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/bundler/file_updater/requirement_replacer"
+require "dependabot/bundler/version"
+require "dependabot/git_commit_checker"
+module Dependabot
+  module Bundler
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      require_relative "update_checker/force_updater"
+      require_relative "update_checker/file_preparer"
+      require_relative "update_checker/requirements_updater"
+      require_relative "update_checker/version_resolver"
+      require_relative "update_checker/latest_version_finder"
+      def latest_version
+        return latest_version_for_git_dependency if git_dependency?
+        latest_version_details&.fetch(:version)
+      end
+      def latest_resolvable_version
+        return latest_resolvable_version_for_git_dependency if git_dependency?
+        latest_resolvable_version_details&.fetch(:version)
+      end
+      def latest_resolvable_version_with_no_unlock
+        current_ver = dependency.version
+        return current_ver if git_dependency? && git_commit_checker.pinned?
+        @latest_resolvable_version_detail_with_no_unlock ||=
+          version_resolver(
+            remove_git_source: false,
+            unlock_requirement: false
+          ).latest_resolvable_version_details
+        if git_dependency?
+          @latest_resolvable_version_detail_with_no_unlock&.fetch(:commit_sha)
+        else
+          @latest_resolvable_version_detail_with_no_unlock&.fetch(:version)
+        end
+      end
+      def updated_requirements
+        RequirementsUpdater.new(
+          requirements: dependency.requirements,
+          update_strategy: requirements_update_strategy,
+          updated_source: updated_source,
+          latest_version: latest_version_details&.fetch(:version)&.to_s,
+          latest_resolvable_version:
+            latest_resolvable_version_details&.fetch(:version)&.to_s
+        ).updated_requirements
+      end
+      def requirements_unlocked_or_can_be?
+        dependency.requirements.
+          reject { |r| r[:requirement].nil? }.
+          all? do |req|
+            requirement = requirement_class.new(req[:requirement])
+            next true if requirement.satisfied_by?(Gem::Version.new("100000"))
+            file = dependency_files.find { |f| f.name == req.fetch(:file) }
+            updated = FileUpdater::RequirementReplacer.new(
+              dependency: dependency,
+              file_type: file.name.end_with?("gemspec") ? :gemspec : :gemfile,
+              updated_requirement: "whatever"
+            ).rewrite(file.content)
+            updated != file.content
+          end
+      end
+      def requirements_update_strategy
+        # If passed in as an option (in the base class) honour that option
+        if @requirements_update_strategy
+          return @requirements_update_strategy.to_sym
+        end
+        # Otherwise, widen ranges for libraries and bump versions for apps
+        dependency.version.nil? ? :bump_versions_if_necessary : :bump_versions
+      end
+      private
+      def latest_version_resolvable_with_full_unlock?
+        return false unless latest_version
+        updated_dependencies = force_updater.updated_dependencies
+        updated_dependencies.none? do |dep|
+          old_version = dep.previous_version
+          next unless Gem::Version.correct?(old_version)
+          next if Gem::Version.new(old_version).prerelease?
+          Gem::Version.new(dep.version).prerelease?
+        end
+      rescue Dependabot::DependencyFileNotResolvable
+        false
+      end
+      def updated_dependencies_after_full_unlock
+        force_updater.updated_dependencies
+      end
+      def git_dependency?
+        git_commit_checker.git_dependency?
+      end
+      def latest_version_details(remove_git_source: false)
+        @latest_version_details ||= {}
+        @latest_version_details[remove_git_source] ||=
+          latest_version_finder(remove_git_source: remove_git_source).
+          latest_version_details
+      end
+      def latest_resolvable_version_details(remove_git_source: false)
+        @latest_resolvable_version_details ||= {}
+        @latest_resolvable_version_details[remove_git_source] ||=
+          version_resolver(remove_git_source: remove_git_source).
+          latest_resolvable_version_details
+      end
+      def latest_version_for_git_dependency
+        latest_release =
+          latest_version_details(remove_git_source: true)&.
+          fetch(:version)
+        # If there's been a release that includes the current pinned ref or
+        # that the current branch is behind, we switch to that release.
+        return latest_release if git_branch_or_ref_in_release?(latest_release)
+        # Otherwise, if the gem isn't pinned, the latest version is just the
+        # latest commit for the specified branch.
+        unless git_commit_checker.pinned?
+          return git_commit_checker.head_commit_for_current_branch
+        end
+        # If the dependency is pinned to a tag that looks like a version then
+        # we want to update that tag. The latest version will then be the SHA
+        # of the latest tag that looks like a version.
+        if git_commit_checker.pinned_ref_looks_like_version?
+          latest_tag = git_commit_checker.local_tag_for_latest_version
+          return latest_tag&.fetch(:tag_sha) || dependency.version
+        end
+        # If the dependency is pinned to a tag that doesn't look like a
+        # version then there's nothing we can do.
+        dependency.version
+      end
+      def latest_resolvable_version_for_git_dependency
+        latest_release = latest_resolvable_version_without_git_source
+        # If there's a resolvable release that includes the current pinned
+        # ref or that the current branch is behind, we switch to that release.
+        return latest_release if git_branch_or_ref_in_release?(latest_release)
+        # Otherwise, if the gem isn't pinned, the latest version is just the
+        # latest commit for the specified branch.
+        unless git_commit_checker.pinned?
+          return latest_resolvable_commit_with_unchanged_git_source
+        end
+        # If the dependency is pinned to a tag that looks like a version then
+        # we want to update that tag. The latest version will then be the SHA
+        # of the latest tag that looks like a version.
+        if git_commit_checker.pinned_ref_looks_like_version? &&
+           latest_git_tag_is_resolvable?
+          new_tag = git_commit_checker.local_tag_for_latest_version
+          return new_tag.fetch(:tag_sha)
+        end
+        # If the dependency is pinned to a tag that doesn't look like a
+        # version then there's nothing we can do.
+        dependency.version
+      end
+      def latest_resolvable_version_without_git_source
+        return nil unless latest_version.is_a?(Gem::Version)
+        latest_resolvable_version_details(remove_git_source: true)&.
+        fetch(:version)
+      rescue Dependabot::DependencyFileNotResolvable
+        nil
+      end
+      def latest_resolvable_commit_with_unchanged_git_source
+        details = latest_resolvable_version_details(remove_git_source: false)
+        # If this dependency has a git version in the Gemfile.lock but not in
+        # the Gemfile (i.e., because they're out-of-sync) we might not get a
+        # commit_sha back from Bundler. In that case, return `nil`.
+        return unless details.key?(:commit_sha)
+        details.fetch(:commit_sha)
+      rescue Dependabot::DependencyFileNotResolvable
+        nil
+      end
+      def latest_git_tag_is_resolvable?
+        return @git_tag_resolvable if @latest_git_tag_is_resolvable_checked
+        @latest_git_tag_is_resolvable_checked = true
+        return false if git_commit_checker.local_tag_for_latest_version.nil?
+        replacement_tag = git_commit_checker.local_tag_for_latest_version
+        VersionResolver.new(
+          dependency: dependency,
+          unprepared_dependency_files: dependency_files,
+          credentials: credentials,
+          ignored_versions: ignored_versions,
+          replacement_git_pin: replacement_tag.fetch(:tag)
+        ).latest_resolvable_version_details
+        @git_tag_resolvable = true
+      rescue Dependabot::DependencyFileNotResolvable
+        @git_tag_resolvable = false
+      end
+      def git_branch_or_ref_in_release?(release)
+        return false unless release
+        git_commit_checker.branch_or_ref_in_release?(release)
+      end
+      def updated_source
+        # Never need to update source, unless a git_dependency
+        return dependency_source_details unless git_dependency?
+        # Source becomes `nil` if switching to default rubygems
+        return nil if should_switch_source_from_git_to_rubygems?
+        # Update the git tag if updating a pinned version
+        if git_commit_checker.pinned_ref_looks_like_version? &&
+           latest_git_tag_is_resolvable?
+          new_tag = git_commit_checker.local_tag_for_latest_version
+          return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+        end
+        # Otherwise return the original source
+        dependency_source_details
+      end
+      def dependency_source_details
+        sources =
+          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+        sources.first
+      end
+      def should_switch_source_from_git_to_rubygems?
+        return false unless git_dependency?
+        return false if latest_resolvable_version_for_git_dependency.nil?
+        Gem::Version.correct?(latest_resolvable_version_for_git_dependency)
+      end
+      def force_updater
+        @force_updater ||=
+          ForceUpdater.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            target_version: latest_version,
+            requirements_update_strategy: requirements_update_strategy
+          )
+      end
+      def git_commit_checker
+        @git_commit_checker ||=
+          GitCommitChecker.new(
+            dependency: dependency,
+            credentials: credentials
+          )
+      end
+      def version_resolver(remove_git_source:, unlock_requirement: true)
+        @version_resolver ||= {}
+        @version_resolver[remove_git_source] ||= {}
+        @version_resolver[remove_git_source][unlock_requirement] ||=
+          begin
+            VersionResolver.new(
+              dependency: dependency,
+              unprepared_dependency_files: dependency_files,
+              credentials: credentials,
+              ignored_versions: ignored_versions,
+              remove_git_source: remove_git_source,
+              unlock_requirement: unlock_requirement,
+              latest_allowable_version: latest_version
+            )
+          end
+      end
+      def latest_version_finder(remove_git_source:)
+        @latest_version_finder ||= {}
+        @latest_version_finder[remove_git_source] ||=
+          begin
+            prepared_dependency_files = prepared_dependency_files(
+              remove_git_source: remove_git_source,
+              unlock_requirement: true
+            )
+            LatestVersionFinder.new(
+              dependency: dependency,
+              dependency_files: prepared_dependency_files,
+              credentials: credentials,
+              ignored_versions: ignored_versions
+            )
+          end
+      end
+      def prepared_dependency_files(remove_git_source:, unlock_requirement:,
+                                    latest_allowable_version: nil)
+        FilePreparer.new(
+          dependency: dependency,
+          dependency_files: dependency_files,
+          remove_git_source: remove_git_source,
+          unlock_requirement: unlock_requirement,
+          latest_allowable_version: latest_allowable_version
+        ).prepared_dependency_files
+      end
+    end
+  end
+end
+Dependabot::UpdateCheckers.
+  register("bundler", Dependabot::Bundler::UpdateChecker)

data/lib/dependabot/bundler/update_checker/file_preparer.rb ADDED Viewed

@@ -0,0 +1,279 @@
+# frozen_string_literal: true
+require "dependabot/dependency_file"
+require "dependabot/bundler/update_checker"
+require "dependabot/bundler/file_updater/gemspec_sanitizer"
+require "dependabot/bundler/file_updater/git_pin_replacer"
+require "dependabot/bundler/file_updater/git_source_remover"
+require "dependabot/bundler/file_updater/requirement_replacer"
+require "dependabot/bundler/file_updater/gemspec_dependency_name_finder"
+require "dependabot/bundler/file_updater/lockfile_updater"
+require "dependabot/bundler/update_checker/ruby_requirement_setter"
+module Dependabot
+  module Bundler
+    class UpdateChecker
+      # This class takes a set of dependency files and sanitizes them for use
+      # in UpdateCheckers::Ruby::Bundler. In particular, it:
+      # - Removes any version requirement on the dependency being updated
+      #   (in the Gemfile)
+      # - Sanitizes any provided gemspecs to remove file imports etc. (since
+      #   Dependabot doesn't pull down the entire repo). This process is
+      #   imperfect - an alternative would be to clone the repo
+      # - Sets the ruby version in the Gemfile to be the lowest possible
+      #   version allowed by the gemspec, if the gemspec has a required ruby
+      #   version range
+      class FilePreparer
+        VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/.freeze
+        # Can't be a constant because some of these don't exist in bundler
+        # 1.15, which Heroku uses, which causes an exception on boot.
+        def gemspec_sources
+          [
+            ::Bundler::Source::Path,
+            ::Bundler::Source::Gemspec
+          ]
+        end
+        def initialize(dependency_files:, dependency:,
+                       remove_git_source: false,
+                       unlock_requirement: true,
+                       replacement_git_pin: nil,
+                       latest_allowable_version: nil,
+                       lock_ruby_version: true)
+          @dependency_files         = dependency_files
+          @dependency               = dependency
+          @remove_git_source        = remove_git_source
+          @unlock_requirement       = unlock_requirement
+          @replacement_git_pin      = replacement_git_pin
+          @latest_allowable_version = latest_allowable_version
+          @lock_ruby_version        = lock_ruby_version
+        end
+        # rubocop:disable Metrics/AbcSize
+        # rubocop:disable Metrics/MethodLength
+        def prepared_dependency_files
+          files = []
+          if gemfile
+            files << DependencyFile.new(
+              name: gemfile.name,
+              content: gemfile_content_for_update_check(gemfile),
+              directory: gemfile.directory
+            )
+          end
+          top_level_gemspecs.each do |gemspec|
+            files << DependencyFile.new(
+              name: gemspec.name,
+              content: gemspec_content_for_update_check(gemspec),
+              directory: gemspec.directory
+            )
+          end
+          path_gemspecs.each do |file|
+            files << DependencyFile.new(
+              name: file.name,
+              content: sanitize_gemspec_content(file.content),
+              directory: file.directory,
+              support_file: file.support_file?
+            )
+          end
+          evaled_gemfiles.each do |file|
+            files << DependencyFile.new(
+              name: file.name,
+              content: gemfile_content_for_update_check(file),
+              directory: file.directory
+            )
+          end
+          # No editing required for lockfile or Ruby version file
+          files += [lockfile, ruby_version_file, *imported_ruby_files].compact
+        end
+        # rubocop:enable Metrics/AbcSize
+        # rubocop:enable Metrics/MethodLength
+        private
+        attr_reader :dependency_files, :dependency, :replacement_git_pin,
+                    :latest_allowable_version
+        def remove_git_source?
+          @remove_git_source
+        end
+        def unlock_requirement?
+          @unlock_requirement
+        end
+        def replace_git_pin?
+          !replacement_git_pin.nil?
+        end
+        def gemfile
+          dependency_files.find { |f| f.name == "Gemfile" } ||
+            dependency_files.find { |f| f.name == "gems.rb" }
+        end
+        def evaled_gemfiles
+          dependency_files.
+            reject { |f| f.name.end_with?(".gemspec") }.
+            reject { |f| f.name.end_with?(".lock") }.
+            reject { |f| f.name.end_with?(".ruby-version") }.
+            reject { |f| f.name == "Gemfile" }.
+            reject { |f| f.name == "gems.rb" }.
+            reject { |f| f.name == "gems.locked" }
+        end
+        def lockfile
+          dependency_files.find { |f| f.name == "Gemfile.lock" } ||
+            dependency_files.find { |f| f.name == "gems.locked" }
+        end
+        def top_level_gemspecs
+          dependency_files.
+            select { |f| f.name.end_with?(".gemspec") }.
+            reject(&:support_file?)
+        end
+        def ruby_version_file
+          dependency_files.find { |f| f.name == ".ruby-version" }
+        end
+        def path_gemspecs
+          all = dependency_files.select { |f| f.name.end_with?(".gemspec") }
+          all - top_level_gemspecs
+        end
+        def imported_ruby_files
+          dependency_files.
+            select { |f| f.name.end_with?(".rb") }.
+            reject { |f| f.name == "gems.rb" }
+        end
+        def gemfile_content_for_update_check(file)
+          content = file.content
+          content = replace_gemfile_constraint(content, file.name)
+          content = remove_git_source(content) if remove_git_source?
+          content = replace_git_pin(content) if replace_git_pin?
+          content = lock_ruby_version(content) if lock_ruby_version?(file)
+          content
+        end
+        def gemspec_content_for_update_check(gemspec)
+          content = gemspec.content
+          content = replace_gemspec_constraint(content, gemspec.name)
+          sanitize_gemspec_content(content)
+        end
+        def replace_gemfile_constraint(content, filename)
+          FileUpdater::RequirementReplacer.new(
+            dependency: dependency,
+            file_type: :gemfile,
+            updated_requirement: updated_version_requirement_string(filename),
+            insert_if_bare: true
+          ).rewrite(content)
+        end
+        def replace_gemspec_constraint(content, filename)
+          FileUpdater::RequirementReplacer.new(
+            dependency: dependency,
+            file_type: :gemspec,
+            updated_requirement: updated_version_requirement_string(filename),
+            insert_if_bare: true
+          ).rewrite(content)
+        end
+        def sanitize_gemspec_content(gemspec_content)
+          new_version = replacement_version_for_gemspec(gemspec_content)
+          FileUpdater::GemspecSanitizer.
+            new(replacement_version: new_version).
+            rewrite(gemspec_content)
+        end
+        def updated_version_requirement_string(filename)
+          lower_bound_req = updated_version_req_lower_bound(filename)
+          return lower_bound_req if latest_allowable_version.nil?
+          unless Gem::Version.correct?(latest_allowable_version)
+            return lower_bound_req
+          end
+          lower_bound_req + ", <= #{latest_allowable_version}"
+        end
+        def updated_version_req_lower_bound(filename)
+          original_req = dependency.requirements.
+                         find { |r| r.fetch(:file) == filename }&.
+                         fetch(:requirement)
+          if original_req && !unlock_requirement? then original_req
+          elsif dependency.version&.match?(/^[0-9a-f]{40}$/) then ">= 0"
+          elsif dependency.version then ">= #{dependency.version}"
+          else
+            version_for_requirement =
+              dependency.requirements.map { |r| r[:requirement] }.
+              reject { |req_string| req_string.start_with?("<") }.
+              select { |req_string| req_string.match?(VERSION_REGEX) }.
+              map { |req_string| req_string.match(VERSION_REGEX) }.
+              select { |version| Gem::Version.correct?(version) }.
+              max_by { |version| Gem::Version.new(version) }
+            ">= #{version_for_requirement || 0}"
+          end
+        end
+        def remove_git_source(content)
+          FileUpdater::GitSourceRemover.new(
+            dependency: dependency
+          ).rewrite(content)
+        end
+        def replace_git_pin(content)
+          FileUpdater::GitPinReplacer.new(
+            dependency: dependency,
+            new_pin: replacement_git_pin
+          ).rewrite(content)
+        end
+        def lock_ruby_version(gemfile_content)
+          top_level_gemspecs.each do |gs|
+            gemfile_content =
+              RubyRequirementSetter.new(gemspec: gs).rewrite(gemfile_content)
+          end
+          gemfile_content
+        end
+        def lock_ruby_version?(file)
+          @lock_ruby_version && file == gemfile
+        end
+        def replacement_version_for_gemspec(gemspec_content)
+          return "0.0.1" unless lockfile
+          gemspec_specs =
+            ::Bundler::LockfileParser.new(sanitized_lockfile_content).specs.
+            select { |s| gemspec_sources.include?(s.source.class) }
+          gem_name =
+            FileUpdater::GemspecDependencyNameFinder.
+            new(gemspec_content: gemspec_content).
+            dependency_name
+          return gemspec_specs.first&.version || "0.0.1" unless gem_name
+          spec = gemspec_specs.find { |s| s.name == gem_name }
+          spec&.version || gemspec_specs.first&.version || "0.0.1"
+        end
+        def sanitized_lockfile_content
+          re = FileUpdater::LockfileUpdater::LOCKFILE_ENDING
+          lockfile.content.gsub(re, "")
+        end
+      end
+    end
+  end
+end