dependabot-bundler 0.263.0 → 0.264.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 50457240c048f6430b4894d8f032b2eab8bbda90c88566bbbee21e6d4d29fcbe
-  data.tar.gz: c907811fc0c0ea30a9b9bb62f59c53182515b1cc94bf6e94d65899d588afa1cc
+  metadata.gz: dcc0bc531e33ee50374a4f53b0e72e3522ad9b2b9c0b5470b047f6a72933446f
+  data.tar.gz: 91ec4898f9462acc61fa9204e1ae198f454cd9d2a325026d53d451d4d903cbf5
 SHA512:
-  metadata.gz: f230c5e09b5cd4c5a6d92012a6a7590d6edeb22f0663a1f2bdc26911202360c4edbcb02304f2f128b4ce9e44ec763d19d2fac00bde79a0a5dc507addc768b8ff
-  data.tar.gz: eca4288984f2fe056f60c3147a20347f599e49294b8c9e66aae53069577ea8300c89a0085fbfc59528dbf53be28ee32289435f2f75f27038065c931f73cf576a
+  metadata.gz: 80c13a67225b597da16fa1925a71eb2a0dd8b423205c68261ec52b93b17bf600b0c3b7a1a958b18fb01ba82dc83d66ecc850545a597aeb0b62d9d7653af468ac
+  data.tar.gz: 5a636844b3dbc57420f47ac32b6922634c92a139de00e204c5df7ecb48c3d577a233c4e1a33c09e42ef5a46e45ff9c45e3aeecb74c2983429548c6d64466ffb2

data/helpers/v2/spec/ruby_version_spec.rb

@@ -9,13 +9,13 @@ RSpec.describe BundlerDefinitionRubyVersionPatch do
   include_context "when stubbing rubygems compact index"
 
   let(:project_name) { "ruby_version_implied" }
+  let(:ui) { Bundler.ui }
 
   before do
-    @ui = Bundler.ui
     Bundler.ui = Bundler::UI::Silent.new
   end
 
-  after { Bundler.ui = @ui }
+  after { Bundler.ui = ui }
 
   it "updates to the most recent version" do
     in_tmp_folder do

data/lib/dependabot/bundler/file_fetcher/included_path_finder.rb

@@ -0,0 +1,133 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "pathname"
+require "parser/current"
+require "dependabot/bundler/file_fetcher"
+require "dependabot/errors"
+require "sorbet-runtime"
+
+module Dependabot
+  module Bundler
+    class FileFetcher
+      # Finds the paths of any files included using `require_relative` and `eval` in the
+      # passed file.
+      class IncludedPathFinder
+        extend T::Sig
+
+        sig { params(file: Dependabot::DependencyFile).void }
+        def initialize(file:)
+          @file = file
+        end
+
+        sig { returns(T::Array[String]) }
+        def find_included_paths
+          ast = Parser::CurrentRuby.parse(file.content)
+          find_require_relative_paths(ast) + find_eval_paths(ast)
+        rescue Parser::SyntaxError
+          raise Dependabot::DependencyFileNotParseable, file.path
+        end
+
+        private
+
+        sig { returns(Dependabot::DependencyFile) }
+        attr_reader :file
+
+        sig { params(node: T.untyped).returns(T::Array[String]) }
+        def find_require_relative_paths(node)
+          return [] unless node.is_a?(Parser::AST::Node)
+
+          if declares_require_relative?(node)
+            return [] unless node.children[2].type == :str
+
+            path = node.children[2].loc.expression.source.gsub(/['"]/, "")
+            path = File.join(current_dir, path) unless current_dir.nil?
+            path += ".rb" unless path.end_with?(".rb")
+            return [Pathname.new(path).cleanpath.to_path]
+          end
+
+          node.children.flat_map do |child_node|
+            find_require_relative_paths(child_node)
+          end
+        end
+
+        sig { params(node: T.untyped).returns(T::Array[String]) }
+        def find_eval_paths(node)
+          return [] unless node.is_a?(Parser::AST::Node)
+
+          if declares_eval?(node)
+            eval_arg = node.children[2]
+            if eval_arg.is_a?(Parser::AST::Node)
+              file_read_node = find_file_read_node(eval_arg)
+              path = extract_path_from_file_read(file_read_node) if file_read_node
+              return [path] if path
+            end
+          end
+
+          node.children.flat_map do |child_node|
+            find_eval_paths(child_node)
+          end
+        end
+
+        sig { params(node: Parser::AST::Node).returns(T.nilable(Parser::AST::Node)) }
+        def find_file_read_node(node)
+          return nil unless node.is_a?(Parser::AST::Node)
+
+          # Check if the node represents a method call (:send)
+          # and if the method name is :read
+          method_name = node.children[1]
+          receiver_node = node.children[0]
+
+          if node.type == :send && method_name == :read && receiver_node.is_a?(Parser::AST::Node)
+            # Check if the receiver of the :read method call is :File
+            receiver_const = receiver_node.children[1]
+            return node if receiver_const == :File
+          end
+
+          # Recursively search for a file read node in the children
+          node.children.each do |child|
+            next unless child.is_a?(Parser::AST::Node)
+
+            result = find_file_read_node(child)
+            return result if result
+          end
+
+          nil
+        end
+
+        sig { params(node: Parser::AST::Node).returns(T.nilable(String)) }
+        def extract_path_from_file_read(node)
+          return nil unless node.is_a?(Parser::AST::Node)
+
+          expand_path_node = node.children[2]
+          if expand_path_node.type == :send && expand_path_node.children[1] == :expand_path
+            path_node = expand_path_node.children[2]
+            return path_node.loc.expression.source.gsub(/['"]/, "") if path_node.type == :str
+          end
+          nil
+        end
+
+        sig { returns(T.nilable(String)) }
+        def current_dir
+          @current_dir ||= T.let(file.name.rpartition("/").first, T.nilable(String))
+          @current_dir = nil if @current_dir == ""
+          @current_dir
+        end
+
+        sig { params(node: Parser::AST::Node).returns(T::Boolean) }
+        def declares_require_relative?(node)
+          return false unless node.is_a?(Parser::AST::Node)
+
+          node.children[1] == :require_relative
+        end
+
+        sig { params(node: Parser::AST::Node).returns(T::Boolean) }
+        def declares_eval?(node)
+          return false unless node.is_a?(Parser::AST::Node)
+
+          node.children[1] == :eval
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_fetcher.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "sorbet-runtime"
@@ -17,18 +17,21 @@ module Dependabot
       require "dependabot/bundler/file_fetcher/gemspec_finder"
       require "dependabot/bundler/file_fetcher/path_gemspec_finder"
       require "dependabot/bundler/file_fetcher/child_gemfile_finder"
-      require "dependabot/bundler/file_fetcher/require_relative_finder"
+      require "dependabot/bundler/file_fetcher/included_path_finder"
 
+      sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
       def self.required_files_in?(filenames)
         return true if filenames.any? { |name| name.match?(%r{^[^/]*\.gemspec$}) }
 
         filenames.include?("Gemfile") || filenames.include?("gems.rb")
       end
 
+      sig { override.returns(String) }
       def self.required_files_message
         "Repo must contain either a Gemfile, a gemspec, or a gems.rb."
       end
 
+      sig { override.returns(T.nilable(T::Hash[Symbol, T.nilable(String)])) }
       def ecosystem_versions
         {
           package_managers: {
@@ -39,41 +42,47 @@ module Dependabot
 
       sig { override.returns(T::Array[DependencyFile]) }
       def fetch_files
-        fetched_files = []
-        fetched_files << gemfile if gemfile
-        fetched_files << lockfile if gemfile && lockfile
+        fetched_files = T.let([], T::Array[DependencyFile])
+        fetched_files << T.must(gemfile) if gemfile
+        fetched_files << T.must(lockfile) if gemfile && lockfile
         fetched_files += child_gemfiles
         fetched_files += gemspecs
-        fetched_files << ruby_version_file if ruby_version_file
-        fetched_files << tool_versions_file if tool_versions_file
+        fetched_files << T.must(ruby_version_file) if ruby_version_file
+        fetched_files << T.must(tool_versions_file) if tool_versions_file
         fetched_files += path_gemspecs
-        fetched_files += require_relative_files(fetched_files)
+        fetched_files += find_included_files(fetched_files)
 
         uniq_files(fetched_files)
       end
 
       private
 
+      sig { params(fetched_files: T::Array[DependencyFile]).returns(T::Array[DependencyFile]) }
       def uniq_files(fetched_files)
         uniq_files = fetched_files.reject(&:support_file?).uniq
         uniq_files += fetched_files
                       .reject { |f| uniq_files.map(&:name).include?(f.name) }
       end
 
+      sig { returns(T.nilable(DependencyFile)) }
       def gemfile
         return @gemfile if defined?(@gemfile)
 
-        @gemfile = fetch_file_if_present("gems.rb") || fetch_file_if_present("Gemfile")
+        @gemfile = T.let(fetch_file_if_present("gems.rb") || fetch_file_if_present("Gemfile"),
+                         T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(DependencyFile)) }
       def lockfile
         return @lockfile if defined?(@lockfile)
 
-        @lockfile = fetch_file_if_present("gems.locked") || fetch_file_if_present("Gemfile.lock")
+        @lockfile = T.let(fetch_file_if_present("gems.locked") || fetch_file_if_present("Gemfile.lock"),
+                          T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def gemspecs
-        return @gemspecs if defined?(@gemspecs)
+        return T.must(@gemspecs) if defined?(@gemspecs)
 
         gemspecs_paths =
           gemspec_directories
@@ -83,11 +92,17 @@ module Dependabot
               .map { |f| File.join(d, f.name) }
           end
 
-        @gemspecs = gemspecs_paths.map { |n| fetch_file_from_host(n) }
+        @gemspecs ||= T.let(
+          gemspecs_paths.map do |n|
+            fetch_file_from_host(n)
+          end,
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
       rescue Octokit::NotFound
         []
       end
 
+      sig { returns(T::Array[String]) }
       def gemspec_directories
         gemfiles = ([gemfile] + child_gemfiles).compact
         directories =
@@ -98,18 +113,21 @@ module Dependabot
         directories.empty? ? ["."] : directories
       end
 
+      sig { returns(T.nilable(DependencyFile)) }
       def ruby_version_file
         return unless gemfile
 
-        @ruby_version_file ||= fetch_support_file(".ruby-version")
+        @ruby_version_file ||= T.let(fetch_support_file(".ruby-version"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(DependencyFile)) }
       def tool_versions_file
         return unless gemfile
 
-        @tool_versions_file ||= fetch_support_file(".tool-versions")
+        @tool_versions_file ||= T.let(fetch_support_file(".tool-versions"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T::Array[DependencyFile]) }
       def path_gemspecs
         gemspec_files = T.let([], T::Array[Dependabot::DependencyFile])
         unfetchable_gems = []
@@ -141,21 +159,25 @@ module Dependabot
         gemspec_files
       end
 
+      sig { returns(T::Array[Pathname]) }
       def path_gemspec_paths
         fetch_path_gemspec_paths.map { |path| Pathname.new(path) }
       end
 
-      def require_relative_files(files)
+      sig { params(files: T::Array[DependencyFile]).returns(T::Array[DependencyFile]) }
+      def find_included_files(files)
         ruby_files =
           files.select { |f| f.name.end_with?(".rb", "Gemfile", ".gemspec") }
 
         paths = ruby_files.flat_map do |file|
-          RequireRelativeFinder.new(file: file).require_relative_paths
+          IncludedPathFinder.new(file: file).find_included_paths
         end
 
-        @require_relative_files ||=
+        @find_included_files ||= T.let(
           paths.map { |path| fetch_file_from_host(path) }
-               .tap { |req_files| req_files.each { |f| f.support_file = true } }
+               .tap { |req_files| req_files.each { |f| f.support_file = true } },
+          T.nilable(T::Array[DependencyFile])
+        )
       end
 
       sig { params(dir_path: T.any(String, Pathname)).returns(T::Array[DependencyFile]) }
@@ -166,9 +188,10 @@ module Dependabot
           .map { |fp| fetch_file_from_host(fp, fetch_submodules: true) }
       end
 
+      sig { returns(T::Array[String]) }
       def fetch_path_gemspec_paths
         if lockfile
-          parsed_lockfile = CachedLockfileParser.parse(sanitized_lockfile_content)
+          parsed_lockfile = CachedLockfileParser.parse(T.must(sanitized_lockfile_content))
           parsed_lockfile.specs
                          .select { |s| s.source.instance_of?(::Bundler::Source::Path) }
                          .map { |s| s.source.path }.uniq
@@ -179,26 +202,35 @@ module Dependabot
           end.uniq
         end
       rescue ::Bundler::LockfileError
-        raise Dependabot::DependencyFileNotParseable, lockfile.path
+        raise Dependabot::DependencyFileNotParseable, T.must(lockfile).path
       rescue ::Bundler::Plugin::UnknownSourceError
         # Quietly ignore plugin errors - we'll raise a better error during
         # parsing
         []
       end
 
+      sig { returns(T::Array[DependencyFile]) }
       def child_gemfiles
         return [] unless gemfile
 
-        @child_gemfiles ||=
-          fetch_child_gemfiles(file: gemfile, previously_fetched_files: [])
+        @child_gemfiles ||= T.let(
+          fetch_child_gemfiles(file: T.must(gemfile), previously_fetched_files: []),
+          T.nilable(T::Array[DependencyFile])
+        )
       end
 
       # TODO: Stop sanitizing the lockfile once we have bundler 2 installed
+
+      sig { returns T.nilable(String) }
       def sanitized_lockfile_content
         regex = FileUpdater::LockfileUpdater::LOCKFILE_ENDING
-        lockfile.content.gsub(regex, "")
+        lockfile&.content&.gsub(regex, "")
       end
 
+      sig do
+        params(file: DependencyFile,
+               previously_fetched_files: T::Array[DependencyFile]).returns(T::Array[DependencyFile])
+      end
       def fetch_child_gemfiles(file:, previously_fetched_files:)
         paths = ChildGemfileFinder.new(gemfile: file).child_gemfile_paths
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bundler
 version: !ruby/object:Gem::Version
-  version: 0.263.0
+  version: 0.264.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-06-27 00:00:00.000000000 Z
+date: 2024-07-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.263.0
+        version: 0.264.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.263.0
+        version: 0.264.0
 - !ruby/object:Gem::Dependency
   name: parallel
   requirement: !ruby/object:Gem::Requirement
@@ -310,8 +310,8 @@ files:
 - lib/dependabot/bundler/file_fetcher.rb
 - lib/dependabot/bundler/file_fetcher/child_gemfile_finder.rb
 - lib/dependabot/bundler/file_fetcher/gemspec_finder.rb
+- lib/dependabot/bundler/file_fetcher/included_path_finder.rb
 - lib/dependabot/bundler/file_fetcher/path_gemspec_finder.rb
-- lib/dependabot/bundler/file_fetcher/require_relative_finder.rb
 - lib/dependabot/bundler/file_parser.rb
 - lib/dependabot/bundler/file_parser/file_preparer.rb
 - lib/dependabot/bundler/file_parser/gemfile_declaration_finder.rb
@@ -345,7 +345,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.263.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.264.0
 post_install_message: 
 rdoc_options: []
 require_paths:

data/lib/dependabot/bundler/file_fetcher/require_relative_finder.rb

@@ -1,70 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-require "pathname"
-require "parser/current"
-require "dependabot/bundler/file_fetcher"
-require "dependabot/errors"
-require "sorbet-runtime"
-
-module Dependabot
-  module Bundler
-    class FileFetcher
-      # Finds the paths of any files included using `require_relative` in the
-      # passed file.
-      class RequireRelativeFinder
-        extend T::Sig
-
-        sig { params(file: Dependabot::DependencyFile).void }
-        def initialize(file:)
-          @file = file
-        end
-
-        sig { returns(T::Array[String]) }
-        def require_relative_paths
-          ast = Parser::CurrentRuby.parse(file.content)
-          find_require_relative_paths(ast)
-        rescue Parser::SyntaxError
-          raise Dependabot::DependencyFileNotParseable, file.path
-        end
-
-        private
-
-        sig { returns(Dependabot::DependencyFile) }
-        attr_reader :file
-
-        sig { params(node: T.untyped).returns(T::Array[T.untyped]) }
-        def find_require_relative_paths(node)
-          return [] unless node.is_a?(Parser::AST::Node)
-
-          if declares_require_relative?(node)
-            return [] unless node.children[2].type == :str
-
-            path = node.children[2].loc.expression.source.gsub(/['"]/, "")
-            path = File.join(current_dir, path) unless current_dir.nil?
-            path += ".rb" unless path.end_with?(".rb")
-            return [Pathname.new(path).cleanpath.to_path]
-          end
-
-          node.children.flat_map do |child_node|
-            find_require_relative_paths(child_node)
-          end
-        end
-
-        sig { returns(T.nilable(String)) }
-        def current_dir
-          @current_dir ||= T.let(file.name.rpartition("/").first, T.nilable(String))
-          @current_dir = nil if @current_dir == ""
-          @current_dir
-        end
-
-        sig { params(node: Parser::AST::Node).returns(T::Boolean) }
-        def declares_require_relative?(node)
-          return false unless node.is_a?(Parser::AST::Node)
-
-          node.children[1] == :require_relative
-        end
-      end
-    end
-  end
-end