dependabot-bundler 0.262.0 → 0.263.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f3110295d89e7d09947a48ccb7a3c623684e62392a2467e5708dc83ca1d1c698
-  data.tar.gz: d675d23e1adab94cad313a607d02cc1712491f90d3fcd9649d6bd6874de223f9
+  metadata.gz: 50457240c048f6430b4894d8f032b2eab8bbda90c88566bbbee21e6d4d29fcbe
+  data.tar.gz: c907811fc0c0ea30a9b9bb62f59c53182515b1cc94bf6e94d65899d588afa1cc
 SHA512:
-  metadata.gz: 7c3680e4726f1b5999721dee5a0d2df0587f6ed4391a59a5ff3af16116c965088dd2cb582147e1ad7eb73c10b67bf05a9ac100d71a4229daf2ea63680c6a9f1e
-  data.tar.gz: 3a2e33646daacd25c82ae4be8a664f21ce41b185dba0d24ae2adee045e5c70c3be1e4baf3adfcd2f9cc65f53ba3ebb812041158564dd59e28dfe767f43ce2d9b
+  metadata.gz: f230c5e09b5cd4c5a6d92012a6a7590d6edeb22f0663a1f2bdc26911202360c4edbcb02304f2f128b4ce9e44ec763d19d2fac00bde79a0a5dc507addc768b8ff
+  data.tar.gz: eca4288984f2fe056f60c3147a20347f599e49294b8c9e66aae53069577ea8300c89a0085fbfc59528dbf53be28ee32289435f2f75f27038065c931f73cf576a

data/lib/dependabot/bundler/file_fetcher/path_gemspec_finder.rb

@@ -1,10 +1,11 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "pathname"
 require "parser/current"
 require "dependabot/bundler/file_fetcher"
 require "dependabot/errors"
+require "sorbet-runtime"
 
 module Dependabot
   module Bundler
@@ -12,36 +13,42 @@ module Dependabot
       # Finds the paths of any gemspecs declared using `path: ` in the
       # passed Gemfile.
       class PathGemspecFinder
+        extend T::Sig
+
+        sig { params(gemfile: Dependabot::DependencyFile).void }
         def initialize(gemfile:)
           @gemfile = gemfile
         end
 
+        sig { returns(T::Array[String]) }
         def path_gemspec_paths
-          ast = Parser::CurrentRuby.parse(gemfile.content)
+          ast = Parser::CurrentRuby.parse(gemfile&.content)
           find_path_gemspec_paths(ast)
         rescue Parser::SyntaxError
-          raise Dependabot::DependencyFileNotParseable, gemfile.path
+          raise Dependabot::DependencyFileNotParseable, T.must(gemfile).path
         end
 
         private
 
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :gemfile
 
+        sig { params(node: T.untyped).returns(T::Array[T.untyped]) }
         def find_path_gemspec_paths(node)
           return [] unless node.is_a?(Parser::AST::Node)
 
           if declares_path_dependency?(node)
             path_node = path_node_for_gem_declaration(node)
 
-            unless path_node.type == :str
-              path = gemfile.path
+            unless path_node&.type == :str
+              path = gemfile&.path
               msg = "Dependabot only supports uninterpolated string arguments " \
                     "for path dependencies. Got " \
-                    "`#{path_node.loc.expression.source}`"
-              raise Dependabot::DependencyFileNotParseable.new(path, msg)
+                    "`#{path_node&.loc&.expression&.source}`"
+              raise Dependabot::DependencyFileNotParseable.new(T.must(path), msg)
             end
 
-            path = path_node.loc.expression.source.gsub(/['"]/, "")
+            path = T.must(path_node).loc.expression.source.gsub(/['"]/, "")
             return [clean_path(path)]
           end
 
@@ -50,12 +57,14 @@ module Dependabot
           end
         end
 
+        sig { returns(T.nilable(String)) }
         def current_dir
-          @current_dir ||= gemfile.name.rpartition("/").first
+          @current_dir ||= T.let(gemfile&.name&.rpartition("/")&.first, T.nilable(String))
           @current_dir = nil if @current_dir == ""
           @current_dir
         end
 
+        sig { params(node: Parser::AST::Node).returns(T::Boolean) }
         def declares_path_dependency?(node)
           return false unless node.is_a?(Parser::AST::Node)
           return false unless node.children[1] == :gem
@@ -63,6 +72,7 @@ module Dependabot
           !path_node_for_gem_declaration(node).nil?
         end
 
+        sig { params(path: String).returns(Pathname) }
         def clean_path(path)
           if Pathname.new(path).absolute?
             base_path = Pathname.new(File.expand_path(Dir.pwd))
@@ -72,6 +82,7 @@ module Dependabot
           Pathname.new(path).cleanpath
         end
 
+        sig { params(node: Parser::AST::Node).returns(T.nilable(Parser::AST::Node)) }
         def path_node_for_gem_declaration(node)
           return unless node.children.last.type == :hash
 
@@ -86,6 +97,7 @@ module Dependabot
           path_hash_pair.children.last
         end
 
+        sig { params(node: Parser::AST::Node).returns(Symbol) }
         def key_from_hash_pair(node)
           node.children.first.children.first.to_sym
         end

data/lib/dependabot/bundler/file_updater/ruby_requirement_setter.rb

@@ -12,7 +12,7 @@ module Dependabot
         class RubyVersionNotFound < StandardError; end
 
         RUBY_VERSIONS = %w(
-          1.8.7 1.9.3 2.0.0 2.1.10 2.2.10 2.3.8 2.4.10 2.5.9 2.6.9 2.7.6 3.0.6 3.1.4 3.2.2 3.3.1
+          1.8.7 1.9.3 2.0.0 2.1.10 2.2.10 2.3.8 2.4.10 2.5.9 2.6.9 2.7.6 3.0.6 3.1.4 3.2.2 3.3.3
         ).freeze
 
         attr_reader :gemspec

data/lib/dependabot/bundler/requirement.rb

@@ -11,6 +11,11 @@ module Dependabot
     class Requirement < Dependabot::Requirement
       extend T::Sig
 
+      sig { params(req: T::Hash[Symbol, String], version: Gem::Version).returns(T::Boolean) }
+      def self.satisfied_by?(req, version)
+        new(req[:requirement]).satisfied_by?(version)
+      end
+
       # For consistency with other languages, we define a requirements array.
       # Ruby doesn't have an `OR` separator for requirements, so it always
       # contains a single element.

data/lib/dependabot/bundler/update_checker/force_updater.rb

@@ -51,6 +51,13 @@ module Dependabot
         end
 
         def force_update
+          requirement = dependency.requirements.find { |req| req[:file] == gemfile.name }
+          manifest_requirement_not_satisfied = requirement && !Requirement.satisfied_by?(requirement, target_version)
+
+          if manifest_requirement_not_satisfied && requirements_update_strategy.lockfile_only?
+            raise Dependabot::DependencyFileNotResolvable
+          end
+
           in_a_native_bundler_context(error_handling: false) do |tmp_dir|
             updated_deps, specs = NativeHelpers.run_bundler_subprocess(
               bundler_version: bundler_version,
@@ -67,10 +74,10 @@ module Dependabot
               }
             )
             dependencies_from(updated_deps, specs)
+          rescue SharedHelpers::HelperSubprocessFailed => e
+            msg = e.error_class + " with message: " + e.message
+            raise Dependabot::DependencyFileNotResolvable, msg
           end
-        rescue SharedHelpers::HelperSubprocessFailed => e
-          msg = e.error_class + " with message: " + e.message
-          raise Dependabot::DependencyFileNotResolvable, msg
         end
 
         def original_dependencies

data/lib/dependabot/bundler/update_checker/requirements_updater.rb

@@ -39,7 +39,7 @@ module Dependabot
         end
 
         def updated_requirements
-          return requirements if update_strategy == RequirementsUpdateStrategy::LockfileOnly
+          return requirements if update_strategy.lockfile_only?
 
           requirements.map do |req|
             if req[:file].include?(".gemspec")
@@ -102,8 +102,7 @@ module Dependabot
         end
 
         def new_version_satisfies?(req)
-          original_req = Gem::Requirement.new(req[:requirement].split(","))
-          original_req.satisfied_by?(latest_resolvable_version)
+          Requirement.satisfied_by?(req, latest_resolvable_version)
         end
 
         def update_gemfile_range(requirements)

data/lib/dependabot/bundler/update_checker.rb

@@ -42,9 +42,9 @@ module Dependabot
         lowest_fix =
           latest_version_finder(remove_git_source: false)
           .lowest_security_fix_version
-        return unless lowest_fix
+        return unless lowest_fix && resolvable?(lowest_fix)
 
-        resolvable?(lowest_fix) ? lowest_fix : latest_resolvable_version
+        lowest_fix
       end
 
       def latest_resolvable_version_with_no_unlock
@@ -77,7 +77,7 @@ module Dependabot
 
       def requirements_unlocked_or_can_be?
         return true if requirements_unlocked?
-        return false if requirements_update_strategy == RequirementsUpdateStrategy::LockfileOnly
+        return false if requirements_update_strategy.lockfile_only?
 
         dependency.specific_requirements
                   .all? do |req|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bundler
 version: !ruby/object:Gem::Version
-  version: 0.262.0
+  version: 0.263.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-06-20 00:00:00.000000000 Z
+date: 2024-06-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.262.0
+        version: 0.263.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.262.0
+        version: 0.263.0
 - !ruby/object:Gem::Dependency
   name: parallel
   requirement: !ruby/object:Gem::Requirement
@@ -345,7 +345,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.262.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.263.0
 post_install_message: 
 rdoc_options: []
 require_paths: