dependabot-bundler 0.138.3 → 0.138.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6fe43d8a687e3405df9f2704529fe54f9e79cdb75b6246d43a32e32e5a7b1928
-  data.tar.gz: 67b1b3afd35f559613e57f6ef2a26ef9ee0c50910072b40c5d9ac412b830ed91
+  metadata.gz: c508c2f2ed7c44b477686d7385a08b08f9cc3b22821d4fd1a96f6228d7f7b7ae
+  data.tar.gz: 89ef7a905d30d6b46191760a893c119b8e45814e8fdd4a6fd6150327ecccf7f2
 SHA512:
-  metadata.gz: 55bd706fffed2c9caa866237eea57fde3f91a83f465014865dacf2252094ad31e9098d0894c9b85da77f08e5ae0941f8a74ca1f1cfecec447775aa20541bcfae
-  data.tar.gz: 563832a40283d4c9f29175b0cddc850ac88e461e65905e255f94234aee9c913690525016a2d12cbfdedb17f4d5c0873214863b324207277bbfc80bccee7c7f8f
+  metadata.gz: e91dae1d2fbed29ba408ab4bcc854662b3e36634d425732216e98bc92c881170b475325c0bca09e50803bdc9835cf28456aaf9c59d0620c6ba2c96920a9d3032
+  data.tar.gz: 28cba5afca8459dfc9c2e7e9ec64065ed1da409d0391c40847cf9c5353ea21f56da8b3228b0462209789abf08022b40e547e1677df694874d3c708f4bcf33c6c

data/helpers/v1/run.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "bundler"
 require "json"
 

data/helpers/v2/build

@@ -11,6 +11,7 @@ fi
 helpers_dir="$(dirname "${BASH_SOURCE[0]}")"
 cp -r \
   "$helpers_dir/lib" \
+  "$helpers_dir/monkey_patches" \
   "$helpers_dir/run.rb" \
   "$helpers_dir/Gemfile" \
   "$install_dir"

data/helpers/v2/lib/functions.rb

@@ -1,59 +1,107 @@
-require "functions/file_parser"
+# frozen_string_literal: true
+
 require "functions/conflicting_dependency_resolver"
+require "functions/dependency_source"
+require "functions/file_parser"
+require "functions/force_updater"
+require "functions/lockfile_updater"
+require "functions/version_resolver"
 
 module Functions
   class NotImplementedError < StandardError; end
 
   def self.parsed_gemfile(lockfile_name:, gemfile_name:, dir:)
     set_bundler_flags_and_credentials(dir: dir, credentials: [],
-      using_bundler2: false)
+                                      using_bundler2: false)
     FileParser.new(lockfile_name: lockfile_name).
       parsed_gemfile(gemfile_name: gemfile_name)
   end
 
   def self.parsed_gemspec(lockfile_name:, gemspec_name:, dir:)
     set_bundler_flags_and_credentials(dir: dir, credentials: [],
-      using_bundler2: false)
+                                      using_bundler2: false)
     FileParser.new(lockfile_name: lockfile_name).
       parsed_gemspec(gemspec_name: gemspec_name)
   end
 
   def self.vendor_cache_dir(dir:)
-    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+    set_bundler_flags_and_credentials(dir: dir, credentials: [],
+                                      using_bundler2: false)
+    Bundler.app_cache
   end
 
   def self.update_lockfile(dir:, gemfile_name:, lockfile_name:, using_bundler2:,
                            credentials:, dependencies:)
-    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: using_bundler2)
+    LockfileUpdater.new(
+      gemfile_name: gemfile_name,
+      lockfile_name: lockfile_name,
+      dependencies: dependencies
+    ).run
   end
 
   def self.force_update(dir:, dependency_name:, target_version:, gemfile_name:,
                         lockfile_name:, using_bundler2:, credentials:,
                         update_multiple_dependencies:)
-    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: using_bundler2)
+    ForceUpdater.new(
+      dependency_name: dependency_name,
+      target_version: target_version,
+      gemfile_name: gemfile_name,
+      lockfile_name: lockfile_name,
+      update_multiple_dependencies: update_multiple_dependencies
+    ).run
   end
 
   def self.dependency_source_type(gemfile_name:, dependency_name:, dir:,
                                   credentials:)
-    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: false)
+
+    DependencySource.new(
+      gemfile_name: gemfile_name,
+      dependency_name: dependency_name
+    ).type
   end
 
   def self.depencency_source_latest_git_version(gemfile_name:, dependency_name:,
                                                 dir:, credentials:,
                                                 dependency_source_url:,
                                                 dependency_source_branch:)
-    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: false)
+    DependencySource.new(
+      gemfile_name: gemfile_name,
+      dependency_name: dependency_name
+    ).latest_git_version(
+      dependency_source_url: dependency_source_url,
+      dependency_source_branch: dependency_source_branch
+    )
   end
 
   def self.private_registry_versions(gemfile_name:, dependency_name:, dir:,
                                      credentials:)
-    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: false)
+
+    DependencySource.new(
+      gemfile_name: gemfile_name,
+      dependency_name: dependency_name
+    ).private_registry_versions
   end
 
   def self.resolve_version(dependency_name:, dependency_requirements:,
                            gemfile_name:, lockfile_name:, using_bundler2:,
                            dir:, credentials:)
-    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials, using_bundler2: using_bundler2)
+    VersionResolver.new(
+      dependency_name: dependency_name,
+      dependency_requirements: dependency_requirements,
+      gemfile_name: gemfile_name,
+      lockfile_name: lockfile_name
+    ).version_details
   end
 
   def self.jfrog_source(dir:, gemfile_name:, credentials:, using_bundler2:)
@@ -61,7 +109,26 @@ module Functions
   end
 
   def self.git_specs(dir:, gemfile_name:, credentials:, using_bundler2:)
-    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials,
+                                      using_bundler2: using_bundler2)
+
+    git_specs = Bundler::Definition.build(gemfile_name, nil, {}).dependencies.
+                select do |spec|
+      spec.source.is_a?(Bundler::Source::Git)
+    end
+    git_specs.map do |spec|
+      # Piggy-back off some private Bundler methods to configure the
+      # URI with auth details in the same way Bundler does.
+      git_proxy = spec.source.send(:git_proxy)
+      auth_uri = spec.source.uri.gsub("git://", "https://")
+      auth_uri = git_proxy.send(:configured_uri_for, auth_uri)
+      auth_uri += ".git" unless auth_uri.end_with?(".git")
+      auth_uri += "/info/refs?service=git-upload-pack"
+      {
+        uri: spec.source.uri,
+        auth_uri: auth_uri
+      }
+    end
   end
 
   def self.set_bundler_flags_and_credentials(dir:, credentials:,

data/helpers/v2/lib/functions/dependency_source.rb

@@ -0,0 +1,86 @@
+module Functions
+  class DependencySource
+    attr_reader :gemfile_name, :dependency_name
+
+    RUBYGEMS = "rubygems"
+    PRIVATE_REGISTRY = "private"
+    GIT = "git"
+    OTHER = "other"
+
+    def initialize(gemfile_name:, dependency_name:)
+      @gemfile_name = gemfile_name
+      @dependency_name = dependency_name
+    end
+
+    def type
+      bundler_source = specified_source || default_source
+      type_of(bundler_source)
+    end
+
+    def latest_git_version(dependency_source_url:, dependency_source_branch:)
+      source = Bundler::Source::Git.new(
+        "uri" => dependency_source_url,
+        "branch" => dependency_source_branch,
+        "name" => dependency_name,
+        "submodules" => true
+      )
+
+      # Tell Bundler we're fine with fetching the source remotely
+      source.instance_variable_set(:@allow_remote, true)
+
+      spec = source.specs.first
+      { version: spec.version, commit_sha: spec.source.revision }
+    end
+
+    def private_registry_versions
+      bundler_source = specified_source || default_source
+
+      bundler_source.
+        fetchers.flat_map do |fetcher|
+          fetcher.
+            specs_with_retry([dependency_name], bundler_source).
+            search_all(dependency_name)
+        end.
+        map(&:version)
+    end
+
+    private
+
+    def type_of(bundler_source)
+      case bundler_source
+      when Bundler::Source::Rubygems
+        remote = bundler_source.remotes.first
+        if remote.nil? || remote.to_s == "https://rubygems.org/"
+          RUBYGEMS
+        else
+          PRIVATE_REGISTRY
+        end
+      when Bundler::Source::Git
+        GIT
+      else
+        OTHER
+      end
+    end
+
+    def specified_source
+      return @specified_source if defined? @specified_source
+
+      @specified_source = definition.dependencies.
+        find { |dep| dep.name == dependency_name }&.source
+    end
+
+    def default_source
+      definition.send(:sources).default_source
+    end
+
+    def definition
+      @definition ||= Bundler::Definition.build(gemfile_name, nil, {})
+    end
+
+    def serialize_bundler_source(source)
+      {
+        type: source.class.to_s
+      }
+    end
+  end
+end

data/helpers/v2/lib/functions/force_updater.rb

@@ -0,0 +1,167 @@
+module Functions
+  class ForceUpdater
+    class TransitiveDependencyError < StandardError; end
+
+    def initialize(dependency_name:, target_version:, gemfile_name:,
+                   lockfile_name:, update_multiple_dependencies:)
+      @dependency_name = dependency_name
+      @target_version = target_version
+      @gemfile_name = gemfile_name
+      @lockfile_name = lockfile_name
+      @update_multiple_dependencies = update_multiple_dependencies
+    end
+
+    def run
+      # Only allow upgrades. Otherwise it's unlikely that this
+      # resolution will be found by the FileUpdater
+      Bundler.settings.set_command_option(
+        "only_update_to_newer_versions",
+        true
+      )
+
+      dependencies_to_unlock = []
+
+      begin
+        definition = build_definition(dependencies_to_unlock: dependencies_to_unlock)
+        definition.resolve_remotely!
+        specs = definition.resolve
+        updates = [{ name: dependency_name }] +
+                  dependencies_to_unlock.map { |dep| { name: dep.name } }
+        specs = specs.map do |dep|
+          {
+            name: dep.name,
+            version: dep.version
+          }
+        end
+        [updates, specs]
+      rescue Bundler::VersionConflict => e
+        raise unless update_multiple_dependencies?
+
+        # TODO: Not sure this won't unlock way too many things...
+        new_dependencies_to_unlock =
+          new_dependencies_to_unlock_from(
+            error: e,
+            already_unlocked: dependencies_to_unlock
+          )
+
+        raise if new_dependencies_to_unlock.none?
+
+        dependencies_to_unlock += new_dependencies_to_unlock
+        retry
+      end
+    end
+
+    private
+
+    attr_reader :dependency_name, :target_version, :gemfile_name,
+                :lockfile_name, :credentials,
+                :update_multiple_dependencies
+    alias update_multiple_dependencies? update_multiple_dependencies
+
+    def new_dependencies_to_unlock_from(error:, already_unlocked:)
+      potentials_deps =
+        relevant_conflicts(error, already_unlocked).
+        flat_map(&:requirement_trees).
+        reject do |tree|
+          # If the final requirement wasn't specific, it can't be binding
+          next true if tree.last.requirement == Gem::Requirement.new(">= 0")
+
+          # If the conflict wasn't for the dependency we're updating then
+          # we don't have enough info to reject it
+          next false unless tree.last.name == dependency_name
+
+          # If the final requirement *was* for the dependency we're updating
+          # then we can ignore the tree if it permits the target version
+          tree.last.requirement.satisfied_by?(
+            Gem::Version.new(target_version)
+          )
+        end.map(&:first)
+
+      potentials_deps.
+        reject { |dep| already_unlocked.map(&:name).include?(dep.name) }.
+        reject { |dep| [dependency_name, "ruby\0"].include?(dep.name) }.
+        uniq
+    end
+
+    def relevant_conflicts(error, dependencies_being_unlocked)
+      names = [*dependencies_being_unlocked.map(&:name), dependency_name]
+
+      # For a conflict to be relevant to the updates we're making it must be
+      # 1) caused by a new requirement introduced by our unlocking, or
+      # 2) caused by an old requirement that prohibits the update.
+      # Hence, we look at the beginning and end of the requirement trees
+      error.cause.conflicts.values.
+        select do |conflict|
+          conflict.requirement_trees.any? do |t|
+            names.include?(t.last.name) || names.include?(t.first.name)
+          end
+        end
+    end
+
+    def build_definition(dependencies_to_unlock:)
+      gems_to_unlock = dependencies_to_unlock.map(&:name) + [dependency_name]
+      definition = Bundler::Definition.build(
+        gemfile_name,
+        lockfile_name,
+        gems: gems_to_unlock + subdependencies,
+        lock_shared_dependencies: true
+      )
+
+      # Remove the Gemfile / gemspec requirements on the gems we're
+      # unlocking (i.e., completely unlock them)
+      gems_to_unlock.each do |gem_name|
+        unlock_gem(definition: definition, gem_name: gem_name)
+      end
+
+      dep = definition.dependencies.
+            find { |d| d.name == dependency_name }
+
+      # If the dependency is not found in the Gemfile it means this is a
+      # transitive dependency that we can't force update.
+      raise TransitiveDependencyError unless dep
+
+      # Set the requirement for the gem we're forcing an update of
+      new_req = Gem::Requirement.create("= #{target_version}")
+      dep.instance_variable_set(:@requirement, new_req)
+      dep.source = nil if dep.source.is_a?(Bundler::Source::Git)
+
+      definition
+    end
+
+    def lockfile
+      return @lockfile if defined?(@lockfile)
+
+      @lockfile =
+        begin
+          return unless lockfile_name && File.exist?(lockfile_name)
+
+          File.read(lockfile_name)
+        end
+    end
+
+    def subdependencies
+      # If there's no lockfile we don't need to worry about
+      # subdependencies
+      return [] unless lockfile
+
+      all_deps =  Bundler::LockfileParser.new(lockfile).
+                  specs.map(&:name).map(&:to_s)
+      top_level = Bundler::Definition.
+                  build(gemfile_name, lockfile_name, {}).
+                  dependencies.map(&:name).map(&:to_s)
+
+      all_deps - top_level
+    end
+
+    def unlock_gem(definition:, gem_name:)
+      dep = definition.dependencies.find { |d| d.name == gem_name }
+      version = definition.locked_gems.specs.
+                find { |d| d.name == gem_name }.version
+
+      dep&.instance_variable_set(
+        :@requirement,
+        Gem::Requirement.create(">= #{version}")
+      )
+    end
+  end
+end

data/helpers/v2/lib/functions/lockfile_updater.rb

@@ -0,0 +1,224 @@
+# frozen_string_literal: true
+
+module Functions
+  class LockfileUpdater
+    RETRYABLE_ERRORS = [Bundler::HTTPError].freeze
+    GEM_NOT_FOUND_ERROR_REGEX =
+      /
+        locked\sto\s(?<name>[^\s]+)\s\(|
+        not\sfind\s(?<name>[^\s]+)-\d|
+        has\s(?<name>[^\s]+)\slocked\sat
+      /x.freeze
+
+    def initialize(gemfile_name:, lockfile_name:, dependencies:)
+      @gemfile_name = gemfile_name
+      @lockfile_name = lockfile_name
+      @dependencies = dependencies
+    end
+
+    def run
+      generate_lockfile
+    end
+
+    private
+
+    attr_reader :gemfile_name, :lockfile_name, :dependencies
+
+    def generate_lockfile
+      dependencies_to_unlock = dependencies.map { |d| d.fetch("name") }
+
+      begin
+        definition = build_definition(dependencies_to_unlock)
+
+        old_reqs = lock_deps_being_updated_to_exact_versions(definition)
+
+        definition.resolve_remotely!
+
+        old_reqs.each do |dep_name, old_req|
+          d_dep = definition.dependencies.find { |d| d.name == dep_name }
+          if old_req == :none then definition.dependencies.delete(d_dep)
+          else
+            d_dep.instance_variable_set(:@requirement, old_req)
+          end
+        end
+
+        cache_vendored_gems(definition) if Bundler.app_cache.exist?
+
+        definition.to_lock
+      rescue Bundler::GemNotFound => e
+        unlock_yanked_gem(dependencies_to_unlock, e) && retry
+      rescue Bundler::VersionConflict => e
+        unlock_blocking_subdeps(dependencies_to_unlock, e) && retry
+      rescue *RETRYABLE_ERRORS
+        raise if @retrying
+
+        @retrying = true
+        sleep(rand(1.0..5.0))
+        retry
+      end
+    end
+
+    def cache_vendored_gems(definition)
+      # Dependencies that have been unlocked for the update (including
+      # sub-dependencies)
+      unlocked_gems = definition.instance_variable_get(:@unlock).
+                      fetch(:gems).reject { |gem| __keep_on_prune?(gem) }
+      bundler_opts = {
+        cache_all: true,
+        cache_all_platforms: true,
+        no_prune: true
+      }
+
+      Bundler.settings.temporary(**bundler_opts) do
+        # Fetch and cache gems on all platforms without pruning
+        Bundler::Runtime.new(nil, definition).cache
+
+        # Only prune unlocked gems (the original implementation is in
+        # Bundler::Runtime)
+        cache_path = Bundler.app_cache
+        resolve = definition.resolve
+        prune_gem_cache(resolve, cache_path, unlocked_gems)
+        prune_git_and_path_cache(resolve, cache_path)
+      end
+    end
+
+    # This is not officially supported and may be removed without notice.
+    def __keep_on_prune?(spec_name)
+      unless (specs = Bundler.settings[:persistent_gems_after_clean])
+        return false
+      end
+
+      specs.include?(spec_name)
+    end
+
+    # Copied from Bundler::Runtime: Modified to only prune gems that have
+    # been unlocked
+    def prune_gem_cache(resolve, cache_path, unlocked_gems)
+      cached_gems = Dir["#{cache_path}/*.gem"]
+
+      outdated_gems = cached_gems.reject do |path|
+        spec = Bundler.rubygems.spec_from_gem path
+
+        !unlocked_gems.include?(spec.name) || resolve.any? do |s|
+          s.name == spec.name && s.version == spec.version &&
+            !s.source.is_a?(Bundler::Source::Git)
+        end
+      end
+
+      return unless outdated_gems.any?
+
+      outdated_gems.each do |path|
+        File.delete(path)
+      end
+    end
+
+    # Copied from Bundler::Runtime
+    def prune_git_and_path_cache(resolve, cache_path)
+      cached_git_and_path = Dir["#{cache_path}/*/.bundlecache"]
+
+      outdated_git_and_path = cached_git_and_path.reject do |path|
+        name = File.basename(File.dirname(path))
+
+        resolve.any? do |s|
+          s.source.respond_to?(:app_cache_dirname) &&
+            s.source.app_cache_dirname == name
+        end
+      end
+
+      return unless outdated_git_and_path.any?
+
+      outdated_git_and_path.each do |path|
+        path = File.dirname(path)
+        FileUtils.rm_rf(path)
+      end
+    end
+
+    def unlock_yanked_gem(dependencies_to_unlock, error)
+      raise unless error.message.match?(GEM_NOT_FOUND_ERROR_REGEX)
+
+      gem_name = error.message.match(GEM_NOT_FOUND_ERROR_REGEX).
+                 named_captures["name"]
+      raise if dependencies_to_unlock.include?(gem_name)
+
+      dependencies_to_unlock << gem_name
+    end
+
+    # rubocop:disable Metrics/PerceivedComplexity
+    def unlock_blocking_subdeps(dependencies_to_unlock, error)
+      all_deps =  Bundler::LockfileParser.new(lockfile).
+                  specs.map(&:name).map(&:to_s)
+      top_level = build_definition([]).dependencies.
+                  map(&:name).map(&:to_s)
+      allowed_new_unlocks = all_deps - top_level - dependencies_to_unlock
+
+      raise if allowed_new_unlocks.none?
+
+      # Unlock any sub-dependencies that Bundler reports caused the
+      # conflict
+      potentials_deps =
+        error.cause.conflicts.values.
+        flat_map(&:requirement_trees).
+        map do |tree|
+          tree.find { |req| allowed_new_unlocks.include?(req.name) }
+        end.compact.map(&:name)
+
+      # If there are specific dependencies we can unlock, unlock them
+      return dependencies_to_unlock.append(*potentials_deps) if potentials_deps.any?
+
+      # Fall back to unlocking *all* sub-dependencies. This is required
+      # because Bundler's VersionConflict objects don't include enough
+      # information to chart the full path through all conflicts unwound
+      dependencies_to_unlock.append(*allowed_new_unlocks)
+    end
+    # rubocop:enable Metrics/PerceivedComplexity
+
+    def build_definition(dependencies_to_unlock)
+      defn = Bundler::Definition.build(
+        gemfile_name,
+        lockfile_name,
+        gems: dependencies_to_unlock
+      )
+
+      # Bundler unlocks the sub-dependencies of gems it is passed even
+      # if those sub-deps are top-level dependencies. We only want true
+      # subdeps unlocked, like they were in the UpdateChecker, so we
+      # mutate the unlocked gems array.
+      unlocked = defn.instance_variable_get(:@unlock).fetch(:gems)
+      must_not_unlock = defn.dependencies.map(&:name).map(&:to_s) -
+                        dependencies_to_unlock
+      unlocked.reject! { |n| must_not_unlock.include?(n) }
+
+      defn
+    end
+
+    def lock_deps_being_updated_to_exact_versions(definition)
+      dependencies.each_with_object({}) do |dep, old_reqs|
+        defn_dep = definition.dependencies.find do |d|
+          d.name == dep.fetch("name")
+        end
+
+        if defn_dep.nil?
+          definition.dependencies <<
+            Bundler::Dependency.new(dep.fetch("name"), dep.fetch("version"))
+          old_reqs[dep.fetch("name")] = :none
+        elsif git_dependency?(dep) &&
+              defn_dep.source.is_a?(Bundler::Source::Git)
+          defn_dep.source.unlock!
+        elsif Gem::Version.correct?(dep.fetch("version"))
+          new_req = Gem::Requirement.create("= #{dep.fetch('version')}")
+          old_reqs[dep.fetch("name")] = defn_dep.requirement
+          defn_dep.instance_variable_set(:@requirement, new_req)
+        end
+      end
+    end
+
+    def git_dependency?(dep)
+      sources = dep.fetch("requirements").map { |r| r.fetch("source") }
+      sources.all? { |s| s&.fetch("type", nil) == "git" }
+    end
+
+    def lockfile
+      @lockfile ||= File.read(lockfile_name)
+    end
+  end
+end

data/helpers/v2/lib/functions/version_resolver.rb

@@ -0,0 +1,140 @@
+module Functions
+  class VersionResolver
+    GEM_NOT_FOUND_ERROR_REGEX = /locked to (?<name>[^\s]+) \(/.freeze
+
+    attr_reader :dependency_name, :dependency_requirements,
+                :gemfile_name, :lockfile_name
+
+    def initialize(dependency_name:, dependency_requirements:,
+                   gemfile_name:, lockfile_name:)
+      @dependency_name = dependency_name
+      @dependency_requirements = dependency_requirements
+      @gemfile_name = gemfile_name
+      @lockfile_name = lockfile_name
+    end
+
+    def version_details
+      dep = dependency_from_definition
+
+      # If the dependency wasn't found in the definition, but *is*
+      # included in a gemspec, it's because the Gemfile didn't import
+      # the gemspec. This is unusual, but the correct behaviour if/when
+      # it happens is to behave as if the repo was gemspec-only.
+      if dep.nil? && dependency_requirements.any?
+        return "latest"
+      end
+
+      # Otherwise, if the dependency wasn't found it's because it is a
+      # subdependency that was removed when attempting to update it.
+      return nil if dep.nil?
+
+      # If the dependency is Bundler itself then we can't trust the
+      # version that has been returned (it's the version Dependabot is
+      # running on, rather than the true latest resolvable version).
+      return nil if dep.name == "bundler"
+
+      details = {
+        version: dep.version,
+        ruby_version: ruby_version,
+        fetcher: fetcher_class(dep)
+      }
+      if dep.source.instance_of?(::Bundler::Source::Git)
+        details[:commit_sha] = dep.source.revision
+      end
+      details
+    end
+
+    private
+
+    # rubocop:disable Metrics/PerceivedComplexity
+    def dependency_from_definition(unlock_subdependencies: true)
+      dependencies_to_unlock = [dependency_name]
+      dependencies_to_unlock += subdependencies if unlock_subdependencies
+      begin
+        definition = build_definition(dependencies_to_unlock)
+        definition.resolve_remotely!
+      rescue ::Bundler::GemNotFound => e
+        unlock_yanked_gem(dependencies_to_unlock, e) && retry
+      rescue ::Bundler::HTTPError => e
+        # Retry network errors
+        # Note: in_a_native_bundler_context will also retry `Bundler::HTTPError` errors
+        # up to three times meaning we'll end up retrying this error up to six times
+        # TODO: Could we get rid of this retry logic and only rely on
+        # SharedBundlerHelpers.in_a_native_bundler_context
+        attempt ||= 1
+        attempt += 1
+        raise if attempt > 3 || !e.message.include?("Network error")
+
+        retry
+      end
+
+      dep = definition.resolve.find { |d| d.name == dependency_name }
+      return dep if dep
+      return if dependency_requirements.any? || !unlock_subdependencies
+
+      # If no definition was found and we're updating a sub-dependency,
+      # try again but without unlocking any other sub-dependencies
+      dependency_from_definition(unlock_subdependencies: false)
+    end
+    # rubocop:enable Metrics/PerceivedComplexity
+
+    def subdependencies
+      # If there's no lockfile we don't need to worry about
+      # subdependencies
+      return [] unless lockfile
+
+      all_deps =  ::Bundler::LockfileParser.new(lockfile).
+                  specs.map(&:name).map(&:to_s).uniq
+      top_level = build_definition([]).dependencies.
+                  map(&:name).map(&:to_s)
+
+      all_deps - top_level
+    end
+
+    def build_definition(dependencies_to_unlock)
+      # Note: we lock shared dependencies to avoid any top-level
+      # dependencies getting unlocked (which would happen if they were
+      # also subdependencies of the dependency being unlocked)
+      ::Bundler::Definition.build(
+        gemfile_name,
+        lockfile_name,
+        gems: dependencies_to_unlock,
+        lock_shared_dependencies: true
+      )
+    end
+
+    def unlock_yanked_gem(dependencies_to_unlock, error)
+      raise unless error.message.match?(GEM_NOT_FOUND_ERROR_REGEX)
+
+      gem_name = error.message.match(GEM_NOT_FOUND_ERROR_REGEX).
+                 named_captures["name"]
+      raise if dependencies_to_unlock.include?(gem_name)
+
+      dependencies_to_unlock << gem_name
+    end
+
+    def lockfile
+      return @lockfile if defined?(@lockfile)
+
+      @lockfile =
+        begin
+          return unless lockfile_name
+          return unless File.exist?(lockfile_name)
+
+          File.read(lockfile_name)
+        end
+    end
+
+    def fetcher_class(dep)
+      return unless dep.source.is_a?(::Bundler::Source::Rubygems)
+
+      dep.source.fetchers.first.fetchers.first.class.to_s
+    end
+
+    def ruby_version
+      return nil unless gemfile_name
+
+      @ruby_version ||= build_definition([]).ruby_version&.gem_version
+    end
+  end
+end

data/helpers/v2/monkey_patches/definition_ruby_version_patch.rb

@@ -8,11 +8,11 @@ module BundlerDefinitionRubyVersionPatch
       if ruby_version
         requested_version = ruby_version.to_gem_version_with_patchlevel
         sources.metadata_source.specs <<
-          Gem::Specification.new("ruby\0", requested_version)
+          Gem::Specification.new("Ruby\0", requested_version)
       end
 
       sources.metadata_source.specs <<
-        Gem::Specification.new("ruby\0", "2.5.3p105")
+        Gem::Specification.new("Ruby\0", "2.5.3p105")
     end
   end
 end

data/helpers/v2/run.rb

@@ -2,7 +2,7 @@ require "bundler"
 require "json"
 
 $LOAD_PATH.unshift(File.expand_path("./lib", __dir__))
-$LOAD_PATH.unshift(File.expand_path("../v1/monkey_patches", __dir__))
+$LOAD_PATH.unshift(File.expand_path("./monkey_patches", __dir__))
 
 # Bundler monkey patches
 require "definition_ruby_version_patch"

data/helpers/v2/spec/functions/dependency_source_spec.rb

@@ -0,0 +1,185 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::DependencySource do
+  include_context "in a temporary bundler directory"
+
+  let(:dependency_source) do
+    described_class.new(
+      gemfile_name: "Gemfile",
+      dependency_name: dependency_name
+    )
+  end
+
+  let(:dependency_name) { "business" }
+
+  let(:project_name) { "specified_source_no_lockfile" }
+  let(:registry_url) { "https://repo.fury.io/greysteil/" }
+  let(:gemfury_business_url) do
+    "https://repo.fury.io/greysteil/api/v1/dependencies?gems=business"
+  end
+
+  before do
+    stub_request(:get, registry_url + "versions").
+      with(basic_auth: ["SECRET_CODES", ""]).
+      to_return(status: 404)
+    stub_request(:get, registry_url + "api/v1/dependencies").
+      with(basic_auth: ["SECRET_CODES", ""]).
+      to_return(status: 200)
+    stub_request(:get, gemfury_business_url).
+      with(basic_auth: ["SECRET_CODES", ""]).
+      to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+  end
+
+  describe "#private_registry_versions" do
+    subject(:private_registry_versions) do
+      in_tmp_folder { dependency_source.private_registry_versions }
+    end
+
+    it "returns all versions from the private source" do
+      is_expected.to eq([
+                          Gem::Version.new("1.5.0"),
+                          Gem::Version.new("1.9.0"),
+                          Gem::Version.new("1.10.0.beta")
+                        ])
+    end
+
+    context "specified as the default source" do
+      let(:project_name) { "specified_default_source_no_lockfile" }
+
+      it "returns all versions from the private source" do
+        is_expected.to eq([
+                            Gem::Version.new("1.5.0"),
+                            Gem::Version.new("1.9.0"),
+                            Gem::Version.new("1.10.0.beta")
+                          ])
+      end
+    end
+
+    context "that we don't have authentication details for" do
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 401)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 401)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 401)
+      end
+
+      it "blows up with a useful error" do
+        error_class = Bundler::Fetcher::BadAuthenticationError
+        expect { private_registry_versions }.
+          to raise_error do |error|
+            expect(error).to be_a(error_class)
+            expect(error.message).to include("Bad username or password for")
+          end
+      end
+    end
+
+    context "that we have bad authentication details for" do
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 403)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 403)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 403)
+      end
+
+      it "blows up with a useful error" do
+        error_class = Bundler::Fetcher::BadAuthenticationError
+        expect { private_registry_versions }.
+          to raise_error do |error|
+            expect(error).to be_a(error_class)
+            expect(error.message).to include("Bad username or password for")
+          end
+      end
+    end
+
+    context "that bad-requested, but was a private repo" do
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 400)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 400)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 400)
+      end
+
+      it "blows up with a useful error" do
+        expect { private_registry_versions }.
+          to raise_error do |error|
+            expect(error).to be_a(Bundler::HTTPError)
+            expect(error.message).
+              to include("Could not fetch specs from")
+          end
+      end
+    end
+
+    context "that doesn't have details of the gem" do
+      before do
+        stub_request(:get, gemfury_business_url).
+          with(basic_auth: ["SECRET_CODES", ""]).
+          to_return(status: 404)
+
+        # Stub indexes to return details of other gems (but not this one)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_response")
+          )
+        stub_request(:get, registry_url + "prerelease_specs.4.8.gz").
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_prerelease_response")
+          )
+      end
+
+      it { is_expected.to be_empty }
+    end
+
+    context "that only implements the old Bundler index format..." do
+      let(:project_name) { "sidekiq_pro" }
+      let(:dependency_name) { "sidekiq-pro" }
+      let(:registry_url) { "https://gems.contribsys.com/" }
+
+      before do
+        stub_request(:get, registry_url + "versions").
+          with(basic_auth: %w(username password)).
+          to_return(status: 404)
+        stub_request(:get, registry_url + "api/v1/dependencies").
+          with(basic_auth: %w(username password)).
+          to_return(status: 404)
+        stub_request(:get, registry_url + "specs.4.8.gz").
+          with(basic_auth: %w(username password)).
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_response")
+          )
+        stub_request(:get, registry_url + "prerelease_specs.4.8.gz").
+          with(basic_auth: %w(username password)).
+          to_return(
+            status: 200,
+            body: fixture("ruby", "contribsys_old_index_prerelease_response")
+          )
+      end
+
+      it "returns all versions from the private source" do
+        expect(private_registry_versions.length).to eql(70)
+        expect(private_registry_versions.min).to eql(Gem::Version.new("1.0.0"))
+        expect(private_registry_versions.max).to eql(Gem::Version.new("3.5.2"))
+      end
+    end
+  end
+end

data/helpers/v2/spec/functions/version_resolver_spec.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::VersionResolver do
+  include_context "in a temporary bundler directory"
+  include_context "stub rubygems compact index"
+
+  let(:version_resolver) do
+    described_class.new(
+      dependency_name: dependency_name,
+      dependency_requirements: dependency_requirements,
+      gemfile_name: "Gemfile",
+      lockfile_name: "Gemfile.lock"
+    )
+  end
+
+  let(:dependency_name) { "business" }
+  let(:dependency_requirements) do
+    [{
+      file: "Gemfile",
+      requirement: requirement_string,
+      groups: [],
+      source: source
+    }]
+  end
+  let(:source) { nil }
+
+  let(:rubygems_url) { "https://index.rubygems.org/api/v1/" }
+  let(:old_index_url) { rubygems_url + "dependencies" }
+
+  describe "#version_details" do
+    subject do
+      in_tmp_folder { version_resolver.version_details }
+    end
+
+    let(:project_name) { "gemfile" }
+    let(:requirement_string) { " >= 0" }
+
+    its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) }
+    its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::CompactIndex") }
+
+    context "with a private gemserver source" do
+      include_context "stub rubygems compact index"
+
+      let(:project_name) { "specified_source" }
+      let(:requirement_string) { ">= 0" }
+
+      before do
+        gemfury_url = "https://repo.fury.io/greysteil/"
+        gemfury_deps_url = gemfury_url + "api/v1/dependencies"
+
+        stub_request(:get, gemfury_url + "versions").
+          to_return(status: 200, body: fixture("ruby", "gemfury-index"))
+        stub_request(:get, gemfury_url + "info/business").to_return(status: 404)
+        stub_request(:get, gemfury_deps_url).to_return(status: 200)
+        stub_request(:get, gemfury_deps_url + "?gems=business,statesman").
+          to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+        stub_request(:get, gemfury_deps_url + "?gems=business").
+          to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+        stub_request(:get, gemfury_deps_url + "?gems=statesman").
+          to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+      end
+
+      its([:version]) { is_expected.to eq(Gem::Version.new("1.9.0")) }
+      its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::Dependency") }
+    end
+
+    context "with a git source" do
+      let(:project_name) { "git_source" }
+
+      its([:version]) { is_expected.to eq(Gem::Version.new("1.6.0")) }
+      its([:fetcher]) { is_expected.to be_nil }
+    end
+
+    context "when Bundler's compact index is down" do
+      before do
+        stub_request(:get, "https://index.rubygems.org/versions").
+          to_return(status: 500, body: "We'll be back soon")
+        stub_request(:get, "https://index.rubygems.org/info/public_suffix").
+          to_return(status: 500, body: "We'll be back soon")
+        stub_request(:get, old_index_url).to_return(status: 200)
+        stub_request(:get, old_index_url + "?gems=business,statesman").
+          to_return(
+            status: 200,
+            body: fixture("ruby",
+                          "rubygems_responses",
+                          "dependencies-default-gemfile")
+          )
+      end
+
+      its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) }
+      its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::Dependency") }
+    end
+  end
+end

data/helpers/v2/spec/functions_spec.rb

@@ -5,18 +5,7 @@ require "native_spec_helper"
 RSpec.describe Functions do
   # Verify v1 method signatures are exist, but raise as NYI
   {
-    vendor_cache_dir: [ :dir ],
-    update_lockfile: [ :dir, :gemfile_name, :lockfile_name, :using_bundler2, :credentials, :dependencies ],
-    force_update: [ :dir, :dependency_name, :target_version, :gemfile_name, :lockfile_name, :using_bundler2,
-                    :credentials, :update_multiple_dependencies ],
-    dependency_source_type: [ :gemfile_name, :dependency_name, :dir, :credentials ],
-    depencency_source_latest_git_version: [ :gemfile_name, :dependency_name, :dir, :credentials, :dependency_source_url,
-                                            :dependency_source_branch  ],
-    private_registry_versions: [:gemfile_name, :dependency_name, :dir, :credentials ],
-    resolve_version: [:dependency_name, :dependency_requirements, :gemfile_name, :lockfile_name, :using_bundler2,
-                      :dir, :credentials],
-    jfrog_source: [:dir, :gemfile_name, :credentials, :using_bundler2],
-    git_specs: [:dir, :gemfile_name, :credentials, :using_bundler2],
+    jfrog_source: %i(dir gemfile_name credentials using_bundler2)
   }.each do |function, kwargs|
     describe "::#{function}" do
       let(:args) do

data/lib/dependabot/bundler/file_updater/requirement_replacer.rb

@@ -167,6 +167,8 @@ module Dependabot
             req_string.include?(" ")
           end
 
+          EQUALITY_OPERATOR = /(?<![<>!])=/.freeze
+
           def use_equality_operator?(requirement_nodes)
             return true if requirement_nodes.none?
 
@@ -178,7 +180,7 @@ module Dependabot
                 requirement_nodes.first.children.first.loc.expression.source
               end
 
-            req_string.match?(/(?<![<>])=/)
+            req_string.match?(EQUALITY_OPERATOR)
           end
 
           def new_requirement_string(quote_characters:,
@@ -203,7 +205,7 @@ module Dependabot
             # Gem::Requirement serializes exact matches as a string starting
             # with `=`. We may need to remove that equality operator if it
             # wasn't used originally.
-            tmp_req = tmp_req.gsub(/(?<![<>])=/, "") unless use_equality_operator
+            tmp_req = tmp_req.gsub(EQUALITY_OPERATOR, "") unless use_equality_operator
 
             tmp_req.strip
           end

data/lib/dependabot/bundler/update_checker/requirements_updater.rb

@@ -188,7 +188,7 @@ module Dependabot
               req
             end
           when "<", "<=" then [update_greatest_version(req, latest_version)]
-          when "~>" then convert_twidle_to_range(req, latest_version)
+          when "~>" then convert_twiddle_to_range(req, latest_version)
           when "!=" then []
           when ">", ">=" then raise UnfixableRequirement
           else raise "Unexpected operation for requirement: #{op}"
@@ -214,7 +214,7 @@ module Dependabot
           end
         end
 
-        def convert_twidle_to_range(requirement, version_to_be_permitted)
+        def convert_twiddle_to_range(requirement, version_to_be_permitted)
           version = requirement.requirements.first.last
           version = version.release if version.prerelease?
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bundler
 version: !ruby/object:Gem::Version
-  version: 0.138.3
+  version: 0.138.4
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-24 00:00:00.000000000 Z
+date: 2021-03-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.138.3
+        version: 0.138.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.138.3
+        version: 0.138.4
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -211,13 +211,19 @@ files:
 - helpers/v2/build
 - helpers/v2/lib/functions.rb
 - helpers/v2/lib/functions/conflicting_dependency_resolver.rb
+- helpers/v2/lib/functions/dependency_source.rb
 - helpers/v2/lib/functions/file_parser.rb
+- helpers/v2/lib/functions/force_updater.rb
+- helpers/v2/lib/functions/lockfile_updater.rb
+- helpers/v2/lib/functions/version_resolver.rb
 - helpers/v2/monkey_patches/definition_bundler_version_patch.rb
 - helpers/v2/monkey_patches/definition_ruby_version_patch.rb
 - helpers/v2/monkey_patches/git_source_patch.rb
 - helpers/v2/run.rb
 - helpers/v2/spec/functions/conflicting_dependency_resolver_spec.rb
+- helpers/v2/spec/functions/dependency_source_spec.rb
 - helpers/v2/spec/functions/file_parser_spec.rb
+- helpers/v2/spec/functions/version_resolver_spec.rb
 - helpers/v2/spec/functions_spec.rb
 - helpers/v2/spec/native_spec_helper.rb
 - helpers/v2/spec/shared_contexts.rb