dependabot-bundler 0.103.3 → 0.104.0
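--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b3955c8a3cb5756607028ee4f13ca8ffd2f8578f9b4c5b247fc56ccc7f4865d2
+data.tar.gz: 5b18aa92559e79eab68c4f70e39213ed32aee3e6324ce0f7acf38693d7f0c4b3
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dadadec7982214f33fadacc7708b0a238b62ef1fc64d07cf2de1600194c0a28fc179d45909f98ae96e37012f26f5a5d151f310560e2b20bccb36b0a60e634c07
+data.tar.gz: d8ad86d4c6899e16442f021fe69d9aaf4bfc15703ae5bc8609c4e032603cb243e35af7518e4d48d0cd21236ef23a42fc9adb80d9ff55d721fe87d1d29e983b3f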
@@ -6,6 +6,7 @@ require "dependabot/bundler/file_updater/requirement_replacer"
|
|
6
6
|
require "dependabot/bundler/version"
|
7
7
|
require "dependabot/git_commit_checker"
|
8
8
|
|
9
|
+
# rubocop:disable Metrics/ClassLength
|
9
10
|
module Dependabot
|
10
11
|
module Bundler
|
11
12
|
class UpdateChecker < Dependabot::UpdateCheckers::Base
|
@@ -27,6 +28,18 @@ module Dependabot
|
|
27
28
|
latest_resolvable_version_details&.fetch(:version)
|
28
29
|
end
|
29
30
|
|
31
|
+
def lowest_resolvable_security_fix_version
|
32
|
+
raise "Dependency not vulnerable!" unless vulnerable?
|
33
|
+
return latest_resolvable_version if git_dependency?
|
34
|
+
|
35
|
+
lowest_fix =
|
36
|
+
latest_version_finder(remove_git_source: false).
|
37
|
+
lowest_security_fix_version
|
38
|
+
return unless lowest_fix
|
39
|
+
|
40
|
+
resolvable?(lowest_fix) ? lowest_fix : latest_resolvable_version
|
41
|
+
end
|
42
|
+
|
30
43
|
def latest_resolvable_version_with_no_unlock
|
31
44
|
current_ver = dependency.version
|
32
45
|
return current_ver if git_dependency? && git_commit_checker.pinned?
|
@@ -63,18 +76,15 @@ module Dependabot
|
|
63
76
|
updated_source: updated_source,
|
64
77
|
latest_version: latest_version_details&.fetch(:version)&.to_s,
|
65
78
|
latest_resolvable_version:
|
66
|
-
|
79
|
+
preferred_resolvable_version_details&.fetch(:version)&.to_s
|
67
80
|
).updated_requirements
|
68
81
|
end
|
69
82
|
end
|
70
83
|
|
71
84
|
def requirements_unlocked_or_can_be?
|
72
85
|
dependency.requirements.
|
73
|
-
|
86
|
+
select { |r| requirement_class.new(r[:requirement]).specific? }.
|
74
87
|
all? do |req|
|
75
|
-
requirement = requirement_class.new(req[:requirement])
|
76
|
-
next true if requirement.satisfied_by?(Gem::Version.new("100000"))
|
77
|
-
|
78
88
|
file = dependency_files.find { |f| f.name == req.fetch(:file) }
|
79
89
|
updated = FileUpdater::RequirementReplacer.new(
|
80
90
|
dependency: dependency,
|
@@ -118,10 +128,36 @@ module Dependabot
|
|
118
128
|
force_updater.updated_dependencies
|
119
129
|
end
|
120
130
|
|
131
|
+
def preferred_resolvable_version_details
|
132
|
+
if vulnerable?
|
133
|
+
return { version: lowest_resolvable_security_fix_version }
|
134
|
+
end
|
135
|
+
|
136
|
+
latest_resolvable_version_details
|
137
|
+
end
|
138
|
+
|
121
139
|
def git_dependency?
|
122
140
|
git_commit_checker.git_dependency?
|
123
141
|
end
|
124
142
|
|
143
|
+
def resolvable?(version)
|
144
|
+
@resolvable ||= {}
|
145
|
+
@resolvable[version] ||=
|
146
|
+
begin
|
147
|
+
ForceUpdater.new(
|
148
|
+
dependency: dependency,
|
149
|
+
dependency_files: dependency_files,
|
150
|
+
credentials: credentials,
|
151
|
+
target_version: version,
|
152
|
+
requirements_update_strategy: requirements_update_strategy,
|
153
|
+
update_multiple_dependencies: false
|
154
|
+
).updated_dependencies
|
155
|
+
true
|
156
|
+
rescue Dependabot::DependencyFileNotResolvable
|
157
|
+
false
|
158
|
+
end
|
159
|
+
end
|
160
|
+
|
125
161
|
def latest_version_details(remove_git_source: false)
|
126
162
|
@latest_version_details ||= {}
|
127
163
|
@latest_version_details[remove_git_source] ||=
|
@@ -331,7 +367,8 @@ module Dependabot
|
|
331
367
|
dependency: dependency,
|
332
368
|
dependency_files: prepared_dependency_files,
|
333
369
|
credentials: credentials,
|
334
|
-
ignored_versions: ignored_versions
|
370
|
+
ignored_versions: ignored_versions,
|
371
|
+
security_advisories: security_advisories
|
335
372
|
)
|
336
373
|
end
|
337
374
|
end
|
@@ -349,6 +386,7 @@ module Dependabot
|
|
349
386
|
end
|
350
387
|
end
|
351
388
|
end
|
389
|
+
# rubocop:enable Metrics/ClassLength
|
352
390
|
|
353
391
|
Dependabot::UpdateCheckers.
|
354
392
|
register("bundler", Dependabot::Bundler::UpdateChecker)
|
@@ -16,12 +16,14 @@ module Dependabot
|
|
16
16
|
class UpdateChecker
|
17
17
|
class ForceUpdater
|
18
18
|
def initialize(dependency:, dependency_files:, credentials:,
|
19
|
-
target_version:, requirements_update_strategy
|
19
|
+
target_version:, requirements_update_strategy:,
|
20
|
+
update_multiple_dependencies: true)
|
20
21
|
@dependency = dependency
|
21
22
|
@dependency_files = dependency_files
|
22
23
|
@credentials = credentials
|
23
24
|
@target_version = target_version
|
24
25
|
@requirements_update_strategy = requirements_update_strategy
|
26
|
+
@update_multiple_dependencies = update_multiple_dependencies
|
25
27
|
end
|
26
28
|
|
27
29
|
def updated_dependencies
|
@@ -33,6 +35,10 @@ module Dependabot
|
|
33
35
|
attr_reader :dependency, :dependency_files, :credentials,
|
34
36
|
:target_version, :requirements_update_strategy
|
35
37
|
|
38
|
+
def update_multiple_dependencies?
|
39
|
+
@update_multiple_dependencies
|
40
|
+
end
|
41
|
+
|
36
42
|
def force_update
|
37
43
|
in_a_temporary_bundler_context do
|
38
44
|
other_updates = []
|
@@ -43,6 +49,8 @@ module Dependabot
|
|
43
49
|
specs = definition.resolve
|
44
50
|
dependencies_from([dependency] + other_updates, specs)
|
45
51
|
rescue ::Bundler::VersionConflict => e
|
52
|
+
raise unless update_multiple_dependencies?
|
53
|
+
|
46
54
|
# TODO: Not sure this won't unlock way too many things...
|
47
55
|
new_dependencies_to_unlock =
|
48
56
|
new_dependencies_to_unlock_from(
|
@@ -19,82 +19,116 @@ module Dependabot
|
|
19
19
|
include SharedBundlerHelpers
|
20
20
|
|
21
21
|
def initialize(dependency:, dependency_files:, credentials:,
|
22
|
-
ignored_versions:)
|
23
|
-
@dependency
|
24
|
-
@dependency_files
|
25
|
-
@credentials
|
26
|
-
@ignored_versions
|
22
|
+
ignored_versions:, security_advisories:)
|
23
|
+
@dependency = dependency
|
24
|
+
@dependency_files = dependency_files
|
25
|
+
@credentials = credentials
|
26
|
+
@ignored_versions = ignored_versions
|
27
|
+
@security_advisories = security_advisories
|
27
28
|
end
|
28
29
|
|
29
30
|
def latest_version_details
|
30
31
|
@latest_version_details ||= fetch_latest_version_details
|
31
32
|
end
|
32
33
|
|
34
|
+
def lowest_security_fix_version
|
35
|
+
@lowest_security_fix_version ||= fetch_lowest_security_fix_version
|
36
|
+
end
|
37
|
+
|
33
38
|
private
|
34
39
|
|
35
40
|
attr_reader :dependency, :dependency_files, :credentials,
|
36
|
-
:ignored_versions
|
41
|
+
:ignored_versions, :security_advisories
|
37
42
|
|
38
43
|
def fetch_latest_version_details
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
when NilClass then latest_rubygems_version_details
|
43
|
-
when ::Bundler::Source::Rubygems
|
44
|
-
if dependency_source.remotes.none? ||
|
45
|
-
dependency_source.remotes.first.to_s == "https://rubygems.org/"
|
46
|
-
latest_rubygems_version_details
|
47
|
-
else
|
48
|
-
latest_private_version_details
|
49
|
-
end
|
50
|
-
when ::Bundler::Source::Git then latest_git_version_details
|
44
|
+
if dependency_source.is_a?(::Bundler::Source::Git) &&
|
45
|
+
dependency.name != "bundler"
|
46
|
+
return latest_git_version_details
|
51
47
|
end
|
48
|
+
|
49
|
+
relevant_versions = registry_versions
|
50
|
+
relevant_versions = filter_prerelease_versions(relevant_versions)
|
51
|
+
relevant_versions = filter_ignored_versions(relevant_versions)
|
52
|
+
|
53
|
+
relevant_versions.empty? ? nil : { version: relevant_versions.max }
|
52
54
|
end
|
53
55
|
|
54
|
-
def
|
55
|
-
|
56
|
-
"https://rubygems.org/api/v1/versions/#{dependency.name}.json",
|
57
|
-
idempotent: true,
|
58
|
-
**SharedHelpers.excon_defaults
|
59
|
-
)
|
56
|
+
def fetch_lowest_security_fix_version
|
57
|
+
return if dependency_source.is_a?(::Bundler::Source::Git)
|
60
58
|
|
61
|
-
relevant_versions =
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
66
|
-
next true if ignore_reqs.any? { |r| r.satisfied_by?(version) }
|
59
|
+
relevant_versions = registry_versions
|
60
|
+
relevant_versions = filter_prerelease_versions(relevant_versions)
|
61
|
+
relevant_versions = filter_ignored_versions(relevant_versions)
|
62
|
+
relevant_versions = filter_vulnerable_versions(relevant_versions)
|
63
|
+
relevant_versions = filter_lower_versions(relevant_versions)
|
67
64
|
|
68
|
-
|
69
|
-
|
65
|
+
relevant_versions.min
|
66
|
+
end
|
70
67
|
|
71
|
-
|
72
|
-
|
68
|
+
def filter_prerelease_versions(versions_array)
|
69
|
+
versions_array.
|
70
|
+
reject { |v| v.prerelease? && !wants_prerelease? }
|
71
|
+
end
|
72
|
+
|
73
|
+
def filter_ignored_versions(versions_array)
|
74
|
+
versions_array.
|
75
|
+
reject { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
|
76
|
+
end
|
77
|
+
|
78
|
+
def filter_vulnerable_versions(versions_array)
|
79
|
+
arr = versions_array
|
80
|
+
|
81
|
+
security_advisories.each do |advisory|
|
82
|
+
arr = arr.reject { |v| advisory.vulnerable?(v) }
|
83
|
+
end
|
84
|
+
|
85
|
+
arr
|
86
|
+
end
|
73
87
|
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
88
|
+
def filter_lower_versions(versions_array)
|
89
|
+
versions_array.
|
90
|
+
select { |version| version > Gem::Version.new(dependency.version) }
|
91
|
+
end
|
92
|
+
|
93
|
+
def registry_versions
|
94
|
+
return rubygems_versions if dependency.name == "bundler"
|
95
|
+
return rubygems_versions unless dependency_source
|
96
|
+
return [] unless dependency_source.is_a?(::Bundler::Source::Rubygems)
|
97
|
+
|
98
|
+
remote = dependency_source.remotes.first
|
99
|
+
return rubygems_versions if remote.nil?
|
100
|
+
return rubygems_versions if remote.to_s == "https://rubygems.org/"
|
101
|
+
|
102
|
+
private_registry_versions
|
103
|
+
end
|
104
|
+
|
105
|
+
def rubygems_versions
|
106
|
+
@rubygems_versions ||=
|
107
|
+
begin
|
108
|
+
response = Excon.get(
|
109
|
+
"https://rubygems.org/api/v1/versions/#{dependency.name}.json",
|
110
|
+
idempotent: true,
|
111
|
+
**SharedHelpers.excon_defaults
|
112
|
+
)
|
113
|
+
|
114
|
+
JSON.parse(response.body).
|
115
|
+
map { |d| Gem::Version.new(d["number"]) }
|
116
|
+
end
|
78
117
|
rescue JSON::ParserError, Excon::Error::Timeout
|
79
|
-
|
118
|
+
@rubygems_versions = []
|
80
119
|
end
|
81
120
|
|
82
|
-
def
|
83
|
-
|
84
|
-
|
121
|
+
def private_registry_versions
|
122
|
+
@private_registry_versions ||=
|
123
|
+
in_a_temporary_bundler_context do
|
85
124
|
dependency_source.
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
end
|
94
|
-
end.
|
95
|
-
max_by(&:version)
|
96
|
-
spec.nil? ? nil : { version: spec.version }
|
97
|
-
end
|
125
|
+
fetchers.flat_map do |fetcher|
|
126
|
+
fetcher.
|
127
|
+
specs_with_retry([dependency.name], dependency_source).
|
128
|
+
search_all(dependency.name)
|
129
|
+
end.
|
130
|
+
map(&:version)
|
131
|
+
end
|
98
132
|
end
|
99
133
|
|
100
134
|
def latest_git_version_details
|
@@ -270,7 +270,8 @@ module Dependabot
|
|
270
270
|
dependency: dependency,
|
271
271
|
dependency_files: dependency_files,
|
272
272
|
credentials: credentials,
|
273
|
-
ignored_versions: ignored_versions
|
273
|
+
ignored_versions: ignored_versions,
|
274
|
+
security_advisories: []
|
274
275
|
).latest_version_details
|
275
276
|
end
|
276
277
|
|
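Review bot: `filter_lower_versions` (hunk @@ -19,82 +19,116) constructs `Gem::Version.new(dependency.version)` inside the `select` block, once per candidate, and `dependency.version` may be nil for a dependency with no locked version, which `Gem::Version` appears to tolerate only with a deprecation warning. Hoist the comparison value and make the nil case explicit: `current_version = Gem::Version.new(dependency.version)` before `versions_array.select { |version| version > current_version }`, preceded by `return versions_array if dependency.version.nil?` if an unlocked dependency is a supported input here. `filter_vulnerable_versions` can also be a single pass, `versions_array.reject { |v| security_advisories.any? { |a| a.vulnerable?(v) } }`, which states the intent (drop any version covered by any advisory) more directly than the reassigning loop. Note that `fetch_lowest_security_fix_version` yields nil via `relevant_versions.min` when every candidate is filtered out, so callers must treat nil as "no fix available", which `UpdateChecker#lowest_resolvable_security_fix_version` does with `return unless lowest_fix`.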
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-bundler
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.104.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-04-
|
11
|
+
date: 2019-04-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.104.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.104.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: byebug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|