dependabot-bundler 0.235.0 → 0.236.0

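--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 38176c3434d5010be520cb43bc4c56a9932269422551b38ccd6e37dabd23e3d6
- data.tar.gz: bfd86e1e458314109a1694c60c663d0f487696400d8b7f69b8cd14e873b8ab78
+ metadata.gz: 4fd34dd5e86ac6b391a703c276d062a73f797c3f936658aebc25680ee886edc6
+ data.tar.gz: f06e52b4ddfaba21629b65ccc739eede69faccc75eb542cb2da726f3a1611cba
  SHA512:
- metadata.gz: 1d347d3d714957801878e9953f21dfe1607bf870cb4dca6954e18f5a10bbcd115784ba2a3544b5007917ac02c212b50a1aea94426066826116e2c7673e015a4e
- data.tar.gz: 1d6fbeb3dbd3adf3fa5731aa49bd3efdf24dee0c6c985bb07646ff0b55a15b5d4de8bf8aa5be5d6be9979ce7a7f3b077e9f330308686bac2b312980fbbb85c75
+ metadata.gz: 6e6ec483cbd9483321846361ade36c24bf9fca1c355e43bbffcfc7a3d25c7c8ec08f3e88137913d3538928fdde6b00bb3f82edb912fccff856ade082a5b00ba6
+ data.tar.gz: 1581d435a66c7753929a5adece2b9b9387477fad411de498afb85f9972ba99a1f6df9482597acbab5bacaf0b8cbda2a6f42e6de080b41572da9ac2255e3a9694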
@@ -4,6 +4,7 @@
4
4
  module Functions
5
5
  class ForceUpdater
6
6
  class TransitiveDependencyError < StandardError; end
7
+ class TopLevelDependencyDowngradedError < StandardError; end
7
8
 
8
9
  def initialize(dependency_name:, target_version:, gemfile_name:,
9
10
  lockfile_name:, update_multiple_dependencies:)
@@ -21,13 +22,21 @@ module Functions
21
22
  definition = build_definition(dependencies_to_unlock: dependencies_to_unlock)
22
23
  definition.resolve_remotely!
23
24
  specs = definition.resolve
24
- updates = ([dependency_name, *dependencies_to_unlock] - subdependencies).uniq.map { |name| { name: name } }
25
+ updates = ([dependency_name, *dependencies_to_unlock] - subdependencies + extra_top_level_deps(specs)).uniq
26
+
27
+ updates = updates.map do |name|
28
+ {
29
+ name: name
30
+ }
31
+ end
32
+
25
33
  specs = specs.map do |dep|
26
34
  {
27
35
  name: dep.name,
28
36
  version: dep.version
29
37
  }
30
38
  end
39
+
31
40
  [updates, specs]
32
41
  rescue Bundler::SolveFailure => e
33
42
  raise unless update_multiple_dependencies?
@@ -53,6 +62,24 @@ module Functions
53
62
  :update_multiple_dependencies
54
63
  alias update_multiple_dependencies? update_multiple_dependencies
55
64
 
65
+ def extra_top_level_deps(specs)
66
+ top_level_dep_names.reject do |name|
67
+ original_version = original_specs.find { |s| s.name == name }&.version
68
+ new_version = specs[name].first&.version
69
+
70
+ if original_version == new_version
71
+ true
72
+ else
73
+ original_version = Gem::Version.new(original_version)
74
+ new_version = Gem::Version.new(new_version)
75
+
76
+ raise TopLevelDependencyDowngradedError if new_version < original_version
77
+
78
+ false
79
+ end
80
+ end
81
+ end
82
+
56
83
  def new_dependencies_to_unlock_from(error:, already_unlocked:)
57
84
  names = [*already_unlocked, dependency_name]
58
85
  extra_names_to_unlock = []
@@ -118,13 +145,15 @@ module Functions
118
145
  # subdependencies
119
146
  return [] unless lockfile
120
147
 
121
- all_deps = Bundler::LockfileParser.new(lockfile)
122
- .specs.map(&:name)
123
- top_level = Bundler::Definition
124
- .build(gemfile_name, lockfile_name, {})
125
- .dependencies.map(&:name)
148
+ original_specs.map(&:name) - top_level_dep_names
149
+ end
150
+
151
+ def top_level_dep_names
152
+ @top_level_dep_names ||= Bundler::Definition.build(gemfile_name, lockfile_name, {}).dependencies.map(&:name)
153
+ end
126
154
 
127
- all_deps - top_level
155
+ def original_specs
156
+ @original_specs ||= Bundler::LockfileParser.new(lockfile).specs
128
157
  end
129
158
 
130
159
  def unlock_gem(definition:, gem_name:)
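Review bot: `original_specs` memoizes `Bundler::LockfileParser.new(lockfile).specs` with no nil check, yet the only other caller still keeps `return [] unless lockfile` before using it, and the new `extra_top_level_deps` calls it unconditionally from the resolution path; if `lockfile` can be nil here, the parser call fails before any result is produced, so an early `return [] unless lockfile` at the top of `extra_top_level_deps` keeps the two paths consistent. In the same method a top-level name that is absent from the lockfile (`original_version`) or from the new resolution (`specs[name].first`) reaches `Gem::Version.new(nil)`, which RubyGems flags as discouraged and warns about, so the outcome for a missing version (in particular a gem that dropped out of the resolution being raised as a downgrade) is not a deliberate decision; handle nil explicitly before the comparison, e.g. `next false if original_version.nil?` and `next true if new_version.nil?`, with a one-line comment on each stating the intended outcome, whichever the author decides it should be. As a point of style, the five-line `updates.map do |name| { name: name } end` block reads the same as the previous one-liner, `updates.map { |name| { name: name } }`. The enclosing `ForceUpdater` class continues outside these hunks.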
@@ -78,15 +78,6 @@ module Dependabot
78
78
  ).parse
79
79
  end
80
80
 
81
- def top_level_dependencies
82
- @top_level_dependencies ||=
83
- FileParser.new(
84
- dependency_files: dependency_files.reject { |file| file.name == lockfile.name },
85
- credentials: credentials,
86
- source: nil
87
- ).parse
88
- end
89
-
90
81
  def dependencies_from(updated_deps, specs)
91
82
  # You might think we'd want to remove dependencies whose version
92
83
  # hadn't changed from this array. We don't. We still need to unlock
@@ -95,17 +86,14 @@ module Dependabot
95
86
  #
96
87
  # This is kind of a bug in Bundler, and we should try to fix it,
97
88
  # but resolving it won't necessarily be easy.
89
+ updated_deps.filter_map do |dep|
90
+ original_dep =
91
+ original_dependencies.find { |d| d.name == dep.fetch("name") }
92
+ spec = specs.find { |d| d.fetch("name") == dep.fetch("name") }
98
93
 
99
- # put the lead dependency first
100
- index = specs.index { |dep| dep["name"] == updated_deps.first["name"] }
101
- specs.unshift(specs.delete_at(index))
102
- specs.filter_map do |dep|
103
- next unless top_level_dependencies.find { |d| d.name == dep.fetch("name") }
104
-
105
- original_dep = original_dependencies.find { |d| d.name == dep.fetch("name") }
106
- next if dep.fetch("version") == original_dep.version
94
+ next if spec.fetch("version") == original_dep.version
107
95
 
108
- build_dependency(original_dep, dep)
96
+ build_dependency(original_dep, spec)
109
97
  end
110
98
  end
111
99
 
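Review bot: `spec = specs.find { |d| d.fetch("name") == dep.fetch("name") }` can be nil when an entry of `updated_deps` has no matching spec, and the next line's `spec.fetch("version")` would then raise NoMethodError; the old loop iterated `specs` directly, so that case could not arise. The same applies to `original_dep` now that the `next unless top_level_dependencies.find ...` filter is gone: `original_dep.version` is only safe if every name the native helper returns is also in `original_dependencies`, which this method no longer checks for itself. A guard such as `next unless original_dep && spec` before the version comparison makes that contract explicit, and a short comment stating that `updated_deps` is expected to hold only top-level names as produced by the helper would document why the filter was dropped. The signature and leading comment of `dependencies_from` sit in the previous hunk, outside this one.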
@@ -1,4 +1,4 @@
1
- # typed: true
1
+ # typed: strong
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "dependabot/version"
@@ -1,4 +1,4 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  # These all need to be required so the various classes can be registered in a
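--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: dependabot-bundler
  version: !ruby/object:Gem::Version
- version: 0.235.0
+ version: 0.236.0
  platform: ruby
  authors:
  - Dependabot
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2023-10-19 00:00:00.000000000 Z
+ date: 2023-10-26 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.235.0
+ version: 0.236.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.235.0
+ version: 0.236.0
  - !ruby/object:Gem::Dependency
  name: debug
  requirement: !ruby/object:Gem::Requirement
@@ -282,7 +282,7 @@ licenses:
  - Nonstandard
  metadata:
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.235.0
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.236.0
  post_install_message:
  rdoc_options: []
  require_paths: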