RubyGems - dependabot-bundler - Versions diffs - 0.95.5 → 0.95.6 - Mend

dependabot-bundler 0.95.5 → 0.95.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

data/lib/dependabot/bundler/update_checker/ruby_requirement_setter.rb DELETED Viewed

@@ -1,113 +0,0 @@
-# frozen_string_literal: true
-require "parser/current"
-require "dependabot/bundler/update_checker"
-module Dependabot
-  module Bundler
-    class UpdateChecker
-      class RubyRequirementSetter
-        RUBY_VERSIONS =
-          %w(1.8.7 1.9.3 2.0.0 2.1.10 2.2.10 2.3.8 2.4.5 2.5.3 2.6.0).freeze
-        attr_reader :gemspec
-        def initialize(gemspec:)
-          @gemspec = gemspec
-        end
-        def rewrite(content)
-          return content unless gemspec_declares_ruby_requirement?
-          buffer = Parser::Source::Buffer.new("(gemfile_content)")
-          buffer.source = content
-          ast = Parser::CurrentRuby.new.parse(buffer)
-          if declares_ruby_version?(ast)
-            GemfileRewriter.new(
-              ruby_version: ruby_version
-            ).rewrite(buffer, ast)
-          else
-            "ruby '#{ruby_version}'\n" + content
-          end
-        end
-        private
-        def gemspec_declares_ruby_requirement?
-          !ruby_requirement.nil?
-        end
-        def declares_ruby_version?(node)
-          return false unless node.is_a?(Parser::AST::Node)
-          return true if node.type == :send && node.children[1] == :ruby
-          node.children.any? { |cn| declares_ruby_version?(cn) }
-        end
-        def ruby_version
-          requirement = Gem::Requirement.new(ruby_requirement)
-          ruby_version =
-            RUBY_VERSIONS.
-            map { |v| Gem::Version.new(v) }.sort.
-            find { |v| requirement.satisfied_by?(v) }
-          raise "Couldn't find Ruby version!" unless ruby_version
-          ruby_version
-        end
-        # rubocop:disable Security/Eval
-        def ruby_requirement
-          ast = Parser::CurrentRuby.parse(gemspec.content)
-          requirement_node = find_ruby_requirement_node(ast)
-          return unless requirement_node
-          eval(requirement_node.children[2].loc.expression.source)
-        end
-        # rubocop:enable Security/Eval
-        def find_ruby_requirement_node(node)
-          return unless node.is_a?(Parser::AST::Node)
-          return node if declares_ruby_requirement?(node)
-          node.children.find do |cn|
-            requirement_node = find_ruby_requirement_node(cn)
-            break requirement_node if requirement_node
-          end
-        end
-        def declares_ruby_requirement?(node)
-          return false unless node.is_a?(Parser::AST::Node)
-          node.children[1] == :required_ruby_version=
-        end
-        class GemfileRewriter < Parser::TreeRewriter
-          def initialize(ruby_version:)
-            @ruby_version = ruby_version
-          end
-          def on_send(node)
-            return unless declares_ruby_version?(node)
-            assigned_version_node = node.children[2]
-            replace(assigned_version_node.loc.expression, "'#{ruby_version}'")
-          end
-          private
-          attr_reader :ruby_version
-          def declares_ruby_version?(node)
-            return false unless node.is_a?(Parser::AST::Node)
-            return false unless node.type == :send
-            node.children[1] == :ruby
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb DELETED Viewed

@@ -1,244 +0,0 @@
-# frozen_string_literal: true
-require "dependabot/monkey_patches/bundler/definition_ruby_version_patch"
-require "dependabot/monkey_patches/bundler/definition_bundler_version_patch"
-require "dependabot/monkey_patches/bundler/git_source_patch"
-require "excon"
-require "dependabot/bundler/update_checker"
-require "dependabot/shared_helpers"
-require "dependabot/errors"
-module Dependabot
-  module Bundler
-    class UpdateChecker
-      module SharedBundlerHelpers
-        GIT_REGEX = /reset --hard [^\s]*` in directory (?<path>[^\s]*)/.freeze
-        GIT_REF_REGEX = /not exist in the repository (?<path>[^\s]*)\./.freeze
-        PATH_REGEX = /The path `(?<path>.*)` does not exist/.freeze
-        RETRYABLE_ERRORS = %w(
-          Bundler::HTTPError
-          Bundler::Fetcher::FallbackError
-        ).freeze
-        RETRYABLE_PRIVATE_REGISTRY_ERRORS = %w(
-          Bundler::GemNotFound
-          Gem::InvalidSpecificationException
-          Bundler::VersionConflict
-          Bundler::HTTPError
-          Bundler::Fetcher::FallbackError
-        ).freeze
-        attr_reader :dependency_files, :credentials
-        #########################
-        # Bundler context setup #
-        #########################
-        def in_a_temporary_bundler_context(error_handling: true)
-          base_directory = dependency_files.first.directory
-          SharedHelpers.in_a_temporary_directory(base_directory) do |tmp_dir|
-            write_temporary_dependency_files
-            SharedHelpers.in_a_forked_process do
-              # Set the path for path gemspec correctly
-              ::Bundler.instance_variable_set(:@root, tmp_dir)
-              # Remove installed gems from the default Rubygems index
-              ::Gem::Specification.all = []
-              # Set auth details
-              relevant_credentials.each do |cred|
-                token = cred["token"] ||
-                        "#{cred['username']}:#{cred['password']}"
-                ::Bundler.settings.set_command_option(
-                  cred.fetch("host"),
-                  token.gsub("@", "%40F").gsub("?", "%3F")
-                )
-              end
-              yield
-            end
-          end
-        rescue SharedHelpers::ChildProcessFailed => error
-          retry_count ||= 0
-          retry_count += 1
-          if retryable_error?(error) && retry_count <= 2
-            sleep(rand(1.0..5.0)) && retry
-          end
-          raise unless error_handling
-          # Raise more descriptive errors
-          handle_bundler_errors(error)
-        end
-        def retryable_error?(error)
-          return true if RETRYABLE_ERRORS.include?(error.error_class)
-          unless RETRYABLE_PRIVATE_REGISTRY_ERRORS.include?(error.error_class)
-            return false
-          end
-          private_registry_credentials.any?
-        end
-        # rubocop:disable Metrics/CyclomaticComplexity
-        # rubocop:disable Metrics/PerceivedComplexity
-        # rubocop:disable Metrics/AbcSize
-        # rubocop:disable Metrics/MethodLength
-        def handle_bundler_errors(error)
-          msg = error.error_class + " with message: " + error.error_message
-          case error.error_class
-          when "Bundler::Dsl::DSLError", "Bundler::GemspecError"
-            # We couldn't evaluate the Gemfile, let alone resolve it
-            raise Dependabot::DependencyFileNotEvaluatable, msg
-          when "Bundler::Source::Git::MissingGitRevisionError"
-            gem_name =
-              error.error_message.match(GIT_REF_REGEX).
-              named_captures["path"].
-              split("/").last
-            raise GitDependencyReferenceNotFound, gem_name
-          when "Bundler::PathError"
-            gem_name =
-              error.error_message.match(PATH_REGEX).
-              named_captures["path"].
-              split("/").last.split("-")[0..-2].join
-            raise Dependabot::PathDependenciesNotReachable, [gem_name]
-          when "Bundler::Source::Git::GitCommandError"
-            if error.error_message.match?(GIT_REGEX)
-              # We couldn't find the specified branch / commit (or the two
-              # weren't compatible).
-              gem_name =
-                error.error_message.match(GIT_REGEX).
-                named_captures["path"].
-                split("/").last.split("-")[0..-2].join
-              raise GitDependencyReferenceNotFound, gem_name
-            end
-            bad_uris = inaccessible_git_dependencies.map { |s| s.source.uri }
-            raise unless bad_uris.any?
-            # We don't have access to one of repos required
-            raise Dependabot::GitDependenciesNotReachable, bad_uris
-          when "Bundler::GemNotFound", "Gem::InvalidSpecificationException",
-               "Bundler::VersionConflict"
-            # Bundler threw an error during resolution. Any of:
-            # - the gem doesn't exist in any of the specified sources
-            # - the gem wasn't specified properly
-            # - the gem was specified at an incompatible version
-            raise Dependabot::DependencyFileNotResolvable, msg
-          when "Bundler::Fetcher::AuthenticationRequiredError"
-            regex = /bundle config (?<source>.*) username:password/
-            source = error.error_message.match(regex)[:source]
-            raise Dependabot::PrivateSourceAuthenticationFailure, source
-          when "Bundler::Fetcher::BadAuthenticationError"
-            regex = /Bad username or password for (?<source>.*)\.$/
-            source = error.error_message.match(regex)[:source]
-            raise Dependabot::PrivateSourceAuthenticationFailure, source
-          when "Bundler::Fetcher::CertificateFailureError"
-            regex = /verify the SSL certificate for (?<source>.*)\.$/
-            source = error.error_message.match(regex)[:source]
-            raise Dependabot::PrivateSourceCertificateFailure, source
-          when "Bundler::HTTPError"
-            regex = /Could not fetch specs from (?<source>.*)$/
-            if error.error_message.match?(regex)
-              source = error.error_message.match(regex)[:source]
-              raise if source.include?("rubygems.org")
-              raise Dependabot::PrivateSourceTimedOut, source
-            end
-            # JFrog can serve a 403 if the credentials provided are good but
-            # don't have access to a particular gem.
-            raise unless error.error_message.include?("permitted to deploy")
-            raise unless jfrog_source
-            raise Dependabot::PrivateSourceAuthenticationFailure, jfrog_source
-          else raise
-          end
-        end
-        # rubocop:enable Metrics/CyclomaticComplexity
-        # rubocop:enable Metrics/PerceivedComplexity
-        # rubocop:enable Metrics/AbcSize
-        # rubocop:enable Metrics/MethodLength
-        def inaccessible_git_dependencies
-          in_a_temporary_bundler_context(error_handling: false) do
-            ::Bundler::Definition.build(gemfile.name, nil, {}).dependencies.
-              reject do |spec|
-                next true unless spec.source.is_a?(::Bundler::Source::Git)
-                # Piggy-back off some private Bundler methods to configure the
-                # URI with auth details in the same way Bundler does.
-                git_proxy = spec.source.send(:git_proxy)
-                uri = spec.source.uri.gsub("git://", "https://")
-                uri = git_proxy.send(:configured_uri_for, uri)
-                uri += ".git" unless uri.end_with?(".git")
-                uri += "/info/refs?service=git-upload-pack"
-                begin
-                  Excon.get(
-                    uri,
-                    idempotent: true,
-                    **SharedHelpers.excon_defaults
-                  ).status == 200
-                rescue Excon::Error::Socket, Excon::Error::Timeout
-                  false
-                end
-              end
-          end
-        end
-        def jfrog_source
-          in_a_temporary_bundler_context(error_handling: false) do
-            ::Bundler::Definition.build(gemfile.name, nil, {}).
-              send(:sources).
-              rubygems_remotes.
-              find { |uri| uri.host.include?("jfrog") }&.
-              host
-          end
-        end
-        def write_temporary_dependency_files
-          dependency_files.each do |file|
-            path = file.name
-            FileUtils.mkdir_p(Pathname.new(path).dirname)
-            File.write(path, file.content)
-          end
-          File.write(lockfile.name, sanitized_lockfile_body) if lockfile
-        end
-        def relevant_credentials
-          private_registry_credentials + git_source_credentials
-        end
-        def private_registry_credentials
-          credentials.select { |cred| cred["type"] == "rubygems_server" }
-        end
-        def git_source_credentials
-          credentials.select { |cred| cred["type"] == "git_source" }
-        end
-        def gemfile
-          dependency_files.find { |f| f.name == "Gemfile" } ||
-            dependency_files.find { |f| f.name == "gems.rb" }
-        end
-        def lockfile
-          dependency_files.find { |f| f.name == "Gemfile.lock" } ||
-            dependency_files.find { |f| f.name == "gems.locked" }
-        end
-        def sanitized_lockfile_body
-          re = FileUpdater::LockfileUpdater::LOCKFILE_ENDING
-          lockfile.content.gsub(re, "")
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/bundler/update_checker/version_resolver.rb DELETED Viewed

@@ -1,272 +0,0 @@
-# frozen_string_literal: true
-require "dependabot/monkey_patches/bundler/definition_ruby_version_patch"
-require "dependabot/monkey_patches/bundler/definition_bundler_version_patch"
-require "dependabot/monkey_patches/bundler/git_source_patch"
-require "excon"
-require "dependabot/bundler/update_checker"
-require "dependabot/bundler/file_updater/lockfile_updater"
-require "dependabot/bundler/requirement"
-require "dependabot/shared_helpers"
-require "dependabot/errors"
-module Dependabot
-  module Bundler
-    class UpdateChecker
-      class VersionResolver
-        require_relative "file_preparer"
-        require_relative "latest_version_finder"
-        require_relative "shared_bundler_helpers"
-        include SharedBundlerHelpers
-        GEM_NOT_FOUND_ERROR_REGEX = /locked to (?<name>[^\s]+) \(/.freeze
-        def initialize(dependency:, unprepared_dependency_files:,
-                       credentials:, ignored_versions:,
-                       replacement_git_pin: nil, remove_git_source: false,
-                       unlock_requirement: true,
-                       latest_allowable_version: nil)
-          @dependency                  = dependency
-          @unprepared_dependency_files = unprepared_dependency_files
-          @credentials                 = credentials
-          @ignored_versions            = ignored_versions
-          @replacement_git_pin         = replacement_git_pin
-          @remove_git_source           = remove_git_source
-          @unlock_requirement          = unlock_requirement
-          @latest_allowable_version    = latest_allowable_version
-        end
-        def latest_resolvable_version_details
-          @latest_resolvable_version_details ||=
-            fetch_latest_resolvable_version_details
-        end
-        private
-        attr_reader :dependency, :unprepared_dependency_files, :credentials,
-                    :ignored_versions, :replacement_git_pin,
-                    :latest_allowable_version
-        def remove_git_source?
-          @remove_git_source
-        end
-        def unlock_requirement?
-          @unlock_requirement
-        end
-        def dependency_files
-          @dependency_files ||=
-            FilePreparer.new(
-              dependency: dependency,
-              dependency_files: unprepared_dependency_files,
-              replacement_git_pin: replacement_git_pin,
-              remove_git_source: remove_git_source?,
-              unlock_requirement: unlock_requirement?,
-              latest_allowable_version: latest_allowable_version
-            ).prepared_dependency_files
-        end
-        # rubocop:disable Metrics/CyclomaticComplexity
-        # rubocop:disable Metrics/PerceivedComplexity
-        def fetch_latest_resolvable_version_details
-          return latest_version_details unless gemfile
-          SharedHelpers.with_git_configured(credentials: credentials) do
-            in_a_temporary_bundler_context do
-              dep = dependency_from_definition
-              # If the dependency wasn't found in the definition, but *is*
-              # included in a gemspec, it's because the Gemfile didn't import
-              # the gemspec. This is unusual, but the correct behaviour if/when
-              # it happens is to behave as if the repo was gemspec-only.
-              if dep.nil? && dependency.requirements.any?
-                next latest_version_details
-              end
-              # Otherwise, if the dependency wasn't found it's because it is a
-              # subdependency that was removed when attempting to update it.
-              next nil if dep.nil?
-              # If the old Gemfile index was used then it won't have checked
-              # Ruby compatibility. Fix that by doing the check manually (and
-              # saying no update is possible if the Ruby version is a mismatch)
-              next nil if ruby_version_incompatible?(dep)
-              details = { version: dep.version }
-              if dep.source.instance_of?(::Bundler::Source::Git)
-                details[:commit_sha] = dep.source.revision
-              end
-              details
-            end
-          end
-        rescue Dependabot::DependencyFileNotResolvable => error
-          return if ignored_versions.any? && !dependency.appears_in_lockfile?
-          raise unless ruby_lock_error?(error)
-          @gemspec_ruby_unlocked = true
-          regenerate_dependency_files_without_ruby_lock && retry
-        end
-        # rubocop:enable Metrics/CyclomaticComplexity
-        # rubocop:enable Metrics/PerceivedComplexity
-        def ruby_lock_error?(error)
-          return false unless error.message.include?(" for gem \"ruby\0\"")
-          return false if @gemspec_ruby_unlocked
-          dependency_files.any? { |f| f.name.end_with?(".gemspec") }
-        end
-        def regenerate_dependency_files_without_ruby_lock
-          @dependency_files =
-            FilePreparer.new(
-              dependency: dependency,
-              dependency_files: unprepared_dependency_files,
-              replacement_git_pin: replacement_git_pin,
-              remove_git_source: remove_git_source?,
-              unlock_requirement: unlock_requirement?,
-              latest_allowable_version: latest_allowable_version,
-              lock_ruby_version: false
-            ).prepared_dependency_files
-        end
-        # rubocop:disable Metrics/CyclomaticComplexity
-        # rubocop:disable Metrics/PerceivedComplexity
-        def dependency_from_definition(unlock_subdependencies: true)
-          dependencies_to_unlock = [dependency.name]
-          dependencies_to_unlock += subdependencies if unlock_subdependencies
-          begin
-            definition = build_definition(dependencies_to_unlock)
-            definition.resolve_remotely!
-          rescue ::Bundler::GemNotFound => error
-            unlock_yanked_gem(dependencies_to_unlock, error) && retry
-          rescue ::Bundler::HTTPError => error
-            # Retry network errors
-            attempt ||= 1
-            attempt += 1
-            raise if attempt > 3 || !error.message.include?("Network error")
-            retry
-          end
-          dep = definition.resolve.find { |d| d.name == dependency.name }
-          return dep if dep
-          return if dependency.requirements.any? || !unlock_subdependencies
-          # If no definition was found and we're updating a sub-dependency,
-          # try again but without unlocking any other sub-dependencies
-          dependency_from_definition(unlock_subdependencies: false)
-        end
-        # rubocop:enable Metrics/CyclomaticComplexity
-        # rubocop:enable Metrics/PerceivedComplexity
-        def unlock_yanked_gem(dependencies_to_unlock, error)
-          raise unless error.message.match?(GEM_NOT_FOUND_ERROR_REGEX)
-          gem_name = error.message.match(GEM_NOT_FOUND_ERROR_REGEX).
-                     named_captures["name"]
-          raise if dependencies_to_unlock.include?(gem_name)
-          dependencies_to_unlock << gem_name
-        end
-        def subdependencies
-          # If there's no lockfile we don't need to worry about
-          # subdependencies
-          return [] unless lockfile
-          all_deps =  ::Bundler::LockfileParser.new(sanitized_lockfile_body).
-                      specs.map(&:name).map(&:to_s)
-          top_level = build_definition([]).dependencies.
-                      map(&:name).map(&:to_s)
-          all_deps - top_level
-        end
-        def ruby_version_incompatible?(dep)
-          return false unless dep.source.is_a?(::Bundler::Source::Rubygems)
-          fetcher = dep.source.fetchers.first.fetchers.first
-          # It's only the old index we have a problem with
-          return false unless fetcher.is_a?(::Bundler::Fetcher::Dependency)
-          # If no Ruby version is specified, we don't have a problem
-          return false unless ruby_version
-          versions = Excon.get(
-            "#{fetcher.fetch_uri}api/v1/versions/#{dependency.name}.json",
-            idempotent: true,
-            **SharedHelpers.excon_defaults
-          )
-          # Give the benefit of the doubt if something goes wrong fetching
-          # version details (could be that it's a private index, etc.)
-          return false unless versions.status == 200
-          ruby_requirement =
-            JSON.parse(versions.body).
-            find { |details| details["number"] == dep.version.to_s }&.
-            fetch("ruby_version", nil)
-          # Give the benefit of the doubt if we can't find the version's
-          # required Ruby version.
-          return false unless ruby_requirement
-          ruby_requirement = Requirement.new(ruby_requirement)
-          !ruby_requirement.satisfied_by?(ruby_version)
-        rescue JSON::ParserError, Excon::Error::Socket, Excon::Error::Timeout
-          # Give the benefit of the doubt if something goes wrong fetching
-          # version details (could be that it's a private index, etc.)
-          false
-        end
-        def build_definition(dependencies_to_unlock)
-          # Note: we lock shared dependencies to avoid any top-level
-          # dependencies getting unlocked (which would happen if they were
-          # also subdependencies of the dependency being unlocked)
-          ::Bundler::Definition.build(
-            gemfile.name,
-            lockfile&.name,
-            gems: dependencies_to_unlock,
-            lock_shared_dependencies: true
-          )
-        end
-        def ruby_version
-          return nil unless gemfile
-          @ruby_version ||= build_definition([]).ruby_version&.gem_version
-        end
-        def latest_version_details
-          @latest_version_details ||=
-            LatestVersionFinder.new(
-              dependency: dependency,
-              dependency_files: dependency_files,
-              credentials: credentials,
-              ignored_versions: ignored_versions
-            ).latest_version_details
-        end
-        def gemfile
-          dependency_files.find { |f| f.name == "Gemfile" } ||
-            dependency_files.find { |f| f.name == "gems.rb" }
-        end
-        def lockfile
-          dependency_files.find { |f| f.name == "Gemfile.lock" } ||
-            dependency_files.find { |f| f.name == "gems.locked" }
-        end
-        def sanitized_lockfile_body
-          re = FileUpdater::LockfileUpdater::LOCKFILE_ENDING
-          lockfile.content.gsub(re, "")
-        end
-      end
-    end
-  end
-end