dependabot-bundler 0.380.0 → 0.381.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7c28d7f789c7e18806f0c0141599adc1c277f932587d2331f77bf54200333df9
-  data.tar.gz: bb053e4ca2a32b6cd63abd04443327f74a12df2fd6dc472a6646cde5a57e2411
+  metadata.gz: d6dace53b7c6c93f276ae838f5c2c44f941388b5e129380ba19350ebb7f13eff
+  data.tar.gz: ce2a77ec63b75dadeb2eda06b97c443b92130d968b70f907de766b7749351901
 SHA512:
-  metadata.gz: c4d4fd80b03f35f2110e390984ec3b6d7111860e996f005f05abb5fdf90a6c3c4e4babc0891e15a8bda3a1b1bc563483c6389df6ca82f6eb9e9f83941a31e6c0
-  data.tar.gz: 833760e2485382ce9e0ebda893341d098bdced4c4de9c682637063c225564b528f7afb3e91688528f30ceace54fa8f6caa71ea0d9ca6364b84aa62e954c5509c
+  metadata.gz: fa101fe9112a94de4a65f83570bbd57343e0a90ca0f2a66e178752c9b05ec604d352f4a11712e3832afb5d2ab699147c100894bfb971da9bed6a397f7c4417cb
+  data.tar.gz: f0ee43f8880fc22c0b8521c5290dfd46575c663c133bedde28b41e51f5ebb7ad81b519e96a28ce621b88395822df6a57ccf465cd73cd7b726205f612f1b31ed3

data/helpers/v2/build

@@ -19,8 +19,8 @@ fi
 
 cd "$install_dir"
 
-# Default to Bundler 4, with an override for controlled testing/rollouts.
-bundler_constraint="${DEPENDABOT_BUNDLER_VERSION_CONSTRAINT:-${BUNDLER_VERSION_CONSTRAINT:-~> 4.0}}"
+# Default to Bundler 2, with an override for controlled testing/rollouts.
+bundler_constraint="${DEPENDABOT_BUNDLER_VERSION_CONSTRAINT:-${BUNDLER_VERSION_CONSTRAINT:-~> 2}}"
 
 export GEM_HOME=$install_dir/.bundle
 

data/helpers/v2/lib/bundler_version_constraint.rb

@@ -8,7 +8,7 @@
 # Used by both `run.rb` (for activation via `gem`) and the helper specs so
 # the rollback/staged-rollout behavior is exercised by real code.
 module BundlerVersionConstraint
-  DEFAULT_ACTIVATION_CONSTRAINT = ">= 2.4, < 5"
+  DEFAULT_ACTIVATION_CONSTRAINT = ">= 2.4, < 3"
 
   def self.resolve(env: ENV, default: DEFAULT_ACTIVATION_CONSTRAINT)
     env.fetch(

data/helpers/v2/monkey_patches/definition_ruby_version_patch.rb

@@ -26,7 +26,7 @@ module BundlerDefinitionRubyVersionPatch
         Gem::Specification.new("Ruby\0", requested_version)
     end
 
-    %w(2.5.3 2.6.10 2.7.8 3.0.7 3.1.6 3.2.8 3.3.8).each do |version|
+    %w(2.5.3 2.6.10 2.7.8 3.0.7 3.1.6 3.2.8 3.3.8 3.4.8).each do |version|
       sources.metadata_source.specs << Gem::Specification.new("Ruby\0", version)
     end
 

data/helpers/v2/run.rb

@@ -3,10 +3,11 @@
 
 require_relative "lib/bundler_version_constraint"
 
-# Allow Bundler 4 by default with an upper bound to prevent unintended future
-# major versions. Honor DEPENDABOT_BUNDLER_VERSION_CONSTRAINT (or its
-# BUNDLER_VERSION_CONSTRAINT fallback) so staged rollouts and emergency
-# rollbacks performed by the build script are respected at activation time.
+# Activate Bundler 2 by default with an upper bound to prevent unintended
+# future major versions (Bundler 4 lives in the v4 helper tree). Honor
+# DEPENDABOT_BUNDLER_VERSION_CONSTRAINT (or its BUNDLER_VERSION_CONSTRAINT
+# fallback) so staged rollouts and emergency rollbacks performed by the build
+# script are respected at activation time.
 bundler_constraint = BundlerVersionConstraint.resolve
 gem "bundler", *BundlerVersionConstraint.activation_clauses(bundler_constraint)
 require "bundler"

data/helpers/v2/spec/bundler_version_constraint_spec.rb

@@ -6,12 +6,10 @@ require_relative "../lib/bundler_version_constraint"
 
 RSpec.describe BundlerVersionConstraint do
   describe "helper runtime activation" do
-    it "is running a supported Bundler major version" do
-      # Bundler 3 was intentionally skipped upstream (Bundler jumped from 2.7
-      # straight to 4.0 to align with RubyGems) so the supported window is
-      # 2.x or 4.x.
+    it "is running Bundler 2" do
+      # The v2 helper tree pins Bundler 2.x; Bundler 4 lives in the v4 tree.
       bundler_major = Bundler::VERSION.split(".").first.to_i
-      expect(bundler_major).to be_between(2, 4)
+      expect(bundler_major).to eq(2)
     end
   end
 
@@ -35,7 +33,7 @@ RSpec.describe BundlerVersionConstraint do
     end
 
     it "uses the default activation constraint when no env var is set" do
-      expect(described_class.resolve(env: {})).to eq(">= 2.4, < 5")
+      expect(described_class.resolve(env: {})).to eq(">= 2.4, < 3")
     end
 
     it "honours an explicit default override" do
@@ -45,11 +43,11 @@ RSpec.describe BundlerVersionConstraint do
 
   describe ".activation_clauses" do
     it "splits comma-separated requirement strings into trimmed clauses" do
-      expect(described_class.activation_clauses(">= 2.4, < 5")).to eq([">= 2.4", "< 5"])
+      expect(described_class.activation_clauses(">= 2.4, < 3")).to eq([">= 2.4", "< 3"])
     end
 
     it "returns a single clause for a single requirement" do
-      expect(described_class.activation_clauses("~> 4.0")).to eq(["~> 4.0"])
+      expect(described_class.activation_clauses("~> 2")).to eq(["~> 2"])
     end
   end
 

data/helpers/v4/.gitignore

@@ -0,0 +1,8 @@
+/.bundle
+/.env
+/tmp
+/dependabot-*.gem
+Gemfile.lock
+spec/fixtures/projects/*/.bundle/
+!spec/fixtures/projects/**/Gemfile.lock
+!spec/fixtures/projects/**/vendor

data/helpers/v4/Gemfile

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gem "dependabot-common", path: "../../../common"
+
+gemspec path: "../.."

data/helpers/v4/build

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+
+set -e
+
+helpers_dir=$(cd -P "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+
+if [ -z "$DEPENDABOT_NATIVE_HELPERS_PATH" ]; then
+  install_dir="$helpers_dir"
+else
+  install_dir="$DEPENDABOT_NATIVE_HELPERS_PATH/bundler/v4"
+  mkdir -p "$install_dir"
+
+  cp -r \
+    "$helpers_dir/lib" \
+    "$helpers_dir/monkey_patches" \
+    "$helpers_dir/run.rb" \
+    "$install_dir"
+fi
+
+cd "$install_dir"
+
+# Default to Bundler 4, with an override for controlled testing/rollouts.
+bundler_constraint="${DEPENDABOT_BUNDLER_VERSION_CONSTRAINT:-${BUNDLER_VERSION_CONSTRAINT:-~> 4.0}}"
+
+export GEM_HOME=$install_dir/.bundle
+
+gem install bundler -v "$bundler_constraint" --no-document
+
+# Resolve the Bundler version that was actually installed in GEM_HOME to ensure
+# consistency with what was requested and to avoid picking up system gems.
+default_version=$(ruby -e '
+  gemspecs = Dir.glob("#{ENV["GEM_HOME"]}/specifications/bundler-*.gemspec")
+  latest = gemspecs.max_by { |f| Gem::Version.new(File.basename(f).match(/bundler-(.*)\.gemspec/)[1]) }
+  abort("No bundler gemspec found in #{ENV["GEM_HOME"]}/specifications") unless latest
+  print File.basename(latest).match(/bundler-(.*)\.gemspec/)[1]
+')
+
+if [ -z "$default_version" ]; then
+  echo "error: failed to resolve installed Bundler version in $GEM_HOME" >&2
+  exit 1
+fi
+
+if [ -z "$DEPENDABOT_NATIVE_HELPERS_PATH" ]; then
+  bundle _"$default_version"_ install
+fi

data/helpers/v4/lib/bundler_version_constraint.rb

@@ -0,0 +1,25 @@
+# typed: true
+# frozen_string_literal: true
+
+# Resolves the Bundler version constraint that the native helper should use
+# at activation time. Honors DEPENDABOT_BUNDLER_VERSION_CONSTRAINT, falling
+# back to BUNDLER_VERSION_CONSTRAINT, and finally to the supplied default.
+#
+# Used by both `run.rb` (for activation via `gem`) and the helper specs so
+# the rollback/staged-rollout behavior is exercised by real code.
+module BundlerVersionConstraint
+  DEFAULT_ACTIVATION_CONSTRAINT = ">= 4, < 5"
+
+  def self.resolve(env: ENV, default: DEFAULT_ACTIVATION_CONSTRAINT)
+    env.fetch(
+      "DEPENDABOT_BUNDLER_VERSION_CONSTRAINT",
+      env.fetch("BUNDLER_VERSION_CONSTRAINT", default)
+    )
+  end
+
+  # Splits a comma-separated requirement string into the individual clauses
+  # accepted by Kernel#gem (e.g. ">= 2.4, < 5" -> [">= 2.4", "< 5"]).
+  def self.activation_clauses(constraint)
+    constraint.split(",").map(&:strip)
+  end
+end

data/helpers/v4/lib/functions/conflicting_dependency_resolver.rb

@@ -0,0 +1,87 @@
+# typed: true
+# frozen_string_literal: true
+
+module Functions
+  class ConflictingDependencyResolver
+    def initialize(dependency_name:, target_version:, lockfile_name:)
+      @dependency_name = dependency_name
+      @target_version = target_version
+      @lockfile_name = lockfile_name
+    end
+
+    # Finds any dependencies in the lockfile that have a subdependency on the
+    # given dependency that does not satisfly the target_version.
+    # @return [Array<Hash{String => String}]
+    #   * explanation [String] a sentence explaining the conflict
+    #   * name [String] the blocking dependencies name
+    #   * version [String] the version of the blocking dependency
+    #   * requirement [String] the requirement on the target_dependency
+    def conflicting_dependencies
+      parent_specs.flat_map do |parent_spec|
+        top_level_specs_for(parent_spec).map do |top_level|
+          dependency = parent_spec.dependencies.find { |bd| bd.name == dependency_name }
+          {
+            "explanation" => explanation(parent_spec, dependency, top_level),
+            "name" => parent_spec.name,
+            "version" => parent_spec.version.to_s,
+            "requirement" => dependency.requirement.to_s
+          }
+        end
+      end
+    end
+
+    private
+
+    attr_reader :dependency_name
+    attr_reader :target_version
+    attr_reader :lockfile_name
+
+    def parent_specs
+      version = Gem::Version.new(target_version)
+      parsed_lockfile.specs.filter do |spec|
+        spec.dependencies.any? do |dep|
+          dep.name == dependency_name &&
+            !dep.requirement.satisfied_by?(version)
+        end
+      end
+    end
+
+    def top_level_specs_for(parent_spec)
+      return [parent_spec] if top_level?(parent_spec)
+
+      parsed_lockfile.specs.filter do |spec|
+        spec.dependencies.any? do |dep|
+          dep.name == parent_spec.name && top_level?(spec)
+        end
+      end
+    end
+
+    def top_level?(spec)
+      parsed_lockfile.dependencies.key?(spec.name)
+    end
+
+    def explanation(spec, dependency, top_level)
+      if spec.name == top_level.name
+        "#{spec.name} (#{spec.version}) requires #{dependency_name} (#{dependency.requirement})"
+      else
+        "#{top_level.name} (#{top_level.version}) requires #{dependency_name} " \
+          "(#{dependency.requirement}) via #{spec.name} (#{spec.version})"
+      end
+    end
+
+    def parsed_lockfile
+      @parsed_lockfile ||= Bundler::LockfileParser.new(lockfile)
+    end
+
+    def lockfile
+      return @lockfile if defined?(@lockfile)
+
+      @lockfile =
+        begin
+          return unless lockfile_name && File.exist?(lockfile_name)
+
+          File.read(lockfile_name)
+        end
+    end
+  end
+end

data/helpers/v4/lib/functions/dependency_source.rb

@@ -0,0 +1,90 @@
+# typed: true
+# frozen_string_literal: true
+
+module Functions
+  class DependencySource
+    attr_reader :gemfile_name
+    attr_reader :dependency_name
+
+    RUBYGEMS = "rubygems"
+    PRIVATE_REGISTRY = "private"
+    GIT = "git"
+    OTHER = "other"
+
+    def initialize(gemfile_name:, dependency_name:)
+      @gemfile_name = gemfile_name
+      @dependency_name = dependency_name
+    end
+
+    def type
+      bundler_source = specified_source || default_source
+      type_of(bundler_source)
+    end
+
+    def latest_git_version(dependency_source_url:, dependency_source_branch:)
+      source = Bundler::Source::Git.new(
+        "uri" => dependency_source_url,
+        "branch" => dependency_source_branch,
+        "name" => dependency_name,
+        "submodules" => true
+      )
+
+      # Tell Bundler we're fine with fetching the source remotely
+      source.instance_variable_set(:@allow_remote, true)
+
+      spec = source.specs.first
+      { version: spec.version, commit_sha: spec.source.revision }
+    end
+
+    def private_registry_versions
+      bundler_source = specified_source || default_source
+
+      bundler_source
+        .fetchers.flat_map do |fetcher|
+          index = fetcher.specs([dependency_name], bundler_source)
+          # Bundler 4 removed Index#search_all; use #search which returns all matches
+          specs = index.respond_to?(:search_all) ? index.search_all(dependency_name) : index.search(dependency_name)
+          specs.map(&:version)
+        end
+    end
+
+    private
+
+    def type_of(bundler_source)
+      case bundler_source
+      when Bundler::Source::Rubygems
+        remote = bundler_source.remotes.first
+        if remote.nil? || remote.to_s == "https://rubygems.org/"
+          RUBYGEMS
+        else
+          PRIVATE_REGISTRY
+        end
+      when Bundler::Source::Git
+        GIT
+      else
+        OTHER
+      end
+    end
+
+    def specified_source
+      return @specified_source if defined? @specified_source
+
+      @specified_source = definition.dependencies
+                                    .find { |dep| dep.name == dependency_name }&.source
+    end
+
+    def default_source
+      definition.send(:sources).default_source
+    end
+
+    def definition
+      @definition ||= Bundler::Definition.build(gemfile_name, nil, {})
+    end
+
+    def serialize_bundler_source(source)
+      {
+        type: source.class.to_s
+      }
+    end
+  end
+end

data/helpers/v4/lib/functions/file_parser.rb

@@ -0,0 +1,119 @@
+# typed: true
+# frozen_string_literal: true
+
+require "uri"
+
+module Functions
+  class FileParser
+    def initialize(lockfile_name:)
+      @lockfile_name = lockfile_name
+    end
+
+    attr_reader :lockfile_name
+
+    def parsed_gemfile(gemfile_name:)
+      Bundler::Definition.build(gemfile_name, nil, {})
+                         .dependencies.select(&:current_platform?)
+                         .reject { |dep| local_sources.include?(dep.source.class) }
+                         .map { |dep| serialize_bundler_dependency(dep) }
+    end
+
+    def parsed_gemspec(gemspec_name:)
+      Bundler.load_gemspec_uncached(gemspec_name)
+             .dependencies
+             .map { |dep| serialize_bundler_dependency(dep) }
+    end
+
+    private
+
+    def lockfile
+      return @lockfile if defined?(@lockfile)
+
+      @lockfile =
+        begin
+          return unless lockfile_name && File.exist?(lockfile_name)
+
+          File.read(lockfile_name)
+        end
+    end
+
+    def parsed_lockfile
+      return unless lockfile
+
+      @parsed_lockfile ||= Bundler::LockfileParser.new(lockfile)
+    end
+
+    def source_from_lockfile(dependency_name)
+      parsed_lockfile&.specs&.find { |s| s.name == dependency_name }&.source
+    end
+
+    def source_for(dependency)
+      source = dependency.source
+      if lockfile && default_rubygems?(source)
+        # If there's a lockfile and the Gemfile doesn't have anything
+        # interesting to say about the source, check that.
+        source = source_from_lockfile(dependency.name)
+      end
+      raise "Bad source: #{source}" unless sources.include?(source.class)
+
+      return nil if default_rubygems?(source)
+
+      details = { type: source.class.name.split("::").last.downcase }
+      details.merge!(git_source_details(source)) if source.is_a?(Bundler::Source::Git)
+      details[:url] = source.remotes.first.to_s if source.is_a?(Bundler::Source::Rubygems)
+      details
+    end
+
+    def git_source_details(source)
+      {
+        url: source.uri,
+        branch: source.branch,
+        ref: source.ref
+      }
+    end
+
+    RUBYGEMS_HOSTS = [
+      "rubygems.org",
+      "www.rubygems.org"
+    ].freeze
+
+    def default_rubygems?(source)
+      return true if source.nil?
+      return false unless source.is_a?(Bundler::Source::Rubygems)
+
+      source.remotes.any? do |r|
+        RUBYGEMS_HOSTS.include?(URI(r.to_s).host)
+      end
+    end
+
+    def serialize_bundler_dependency(dependency)
+      {
+        name: dependency.name,
+        requirement: dependency.requirement,
+        groups: dependency.groups,
+        source: source_for(dependency),
+        type: dependency.type
+      }
+    end
+
+    # Can't be a constant because some of these don't exist in bundler
+    # 1.15, which used to cause issues on Heroku (causing exception on boot).
+    # TODO: Check if this will be an issue with multiple bundler versions
+    def sources
+      [
+        NilClass,
+        Bundler::Source::Rubygems,
+        Bundler::Source::Git,
+        *local_sources,
+        Bundler::Source::Metadata
+      ]
+    end
+
+    def local_sources
+      [
+        Bundler::Source::Path,
+        Bundler::Source::Gemspec
+      ]
+    end
+  end
+end

data/helpers/v4/lib/functions/force_updater.rb

@@ -0,0 +1,189 @@
+# typed: true
+# frozen_string_literal: true
+
+module Functions
+  class ForceUpdater
+    class TopLevelDependencyDowngradedError < StandardError; end
+
+    def initialize(
+      dependency_name:,
+      target_version:,
+      gemfile_name:,
+      lockfile_name:,
+      update_multiple_dependencies:
+    )
+      @dependency_name = dependency_name
+      @target_version = target_version
+      @gemfile_name = gemfile_name
+      @lockfile_name = lockfile_name
+      @update_multiple_dependencies = update_multiple_dependencies
+    end
+
+    def run
+      dependencies_to_unlock = []
+
+      begin
+        definition = build_definition(dependencies_to_unlock: dependencies_to_unlock)
+        definition.resolve_remotely!
+        specs = definition.resolve
+        updates = ([dependency_name, *dependencies_to_unlock] - subdependencies + extra_top_level_deps(specs)).uniq
+
+        updates = updates.map do |name|
+          {
+            name: name
+          }
+        end
+
+        specs = specs.map do |dep|
+          {
+            name: dep.name,
+            version: dep.version
+          }
+        end
+
+        [updates, specs]
+      rescue Bundler::SolveFailure => e
+        raise unless update_multiple_dependencies?
+
+        # TODO: Not sure this won't unlock way too many things...
+        new_dependencies_to_unlock =
+          new_dependencies_to_unlock_from(
+            error: e,
+            already_unlocked: dependencies_to_unlock
+          )
+
+        raise if new_dependencies_to_unlock.none?
+
+        dependencies_to_unlock |= new_dependencies_to_unlock
+        retry
+      end
+    end
+
+    private
+
+    attr_reader :dependency_name
+    attr_reader :target_version
+    attr_reader :gemfile_name
+    attr_reader :lockfile_name
+    attr_reader :credentials
+    attr_reader :update_multiple_dependencies
+    alias update_multiple_dependencies? update_multiple_dependencies
+
+    def extra_top_level_deps(specs)
+      top_level_dep_names.reject do |name|
+        original_version = original_specs.find { |s| s.name == name }&.version
+        new_version = specs[name].first&.version
+
+        if original_version == new_version
+          true
+        else
+          original_version = Gem::Version.new(original_version)
+          new_version = Gem::Version.new(new_version)
+
+          raise TopLevelDependencyDowngradedError if new_version < original_version
+
+          false
+        end
+      end
+    end
+
+    def new_dependencies_to_unlock_from(error:, already_unlocked:)
+      names = [*already_unlocked, dependency_name]
+      extra_names_to_unlock = []
+
+      incompatibility = error.cause.incompatibility
+
+      while incompatibility.conflict?
+        cause = incompatibility.cause
+        incompatibility = cause.incompatibility
+
+        incompatibility.terms.each do |term|
+          name = term.package.name
+          extra_names_to_unlock << name unless names.include?(name)
+        end
+      end
+
+      extra_names_to_unlock
+    end
+
+    def build_definition(dependencies_to_unlock:)
+      gems_to_unlock = dependencies_to_unlock + [dependency_name]
+      definition = Bundler::Definition.build(
+        gemfile_name,
+        lockfile_name,
+        gems: gems_to_unlock + subdependencies,
+        conservative: true
+      )
+
+      # Remove the Gemfile / gemspec requirements on the gems we're
+      # unlocking (i.e., completely unlock them)
+      gems_to_unlock.each do |gem_name|
+        unlock_gem(definition: definition, gem_name: gem_name)
+      end
+
+      dep = definition.dependencies
+                      .find { |d| d.name == dependency_name }
+
+      if dep
+        # Set the requirement for the gem we're forcing an update of
+        new_req = Gem::Requirement.create("= #{target_version}")
+        dep.instance_variable_set(:@requirement, new_req)
+        dep.source = nil if dep.source.is_a?(Bundler::Source::Git)
+
+        definition
+      else
+        # If the dependency is not found in the Gemfile it means this is a
+        # transitive dependency. To force update it, we recreate a definition
+        # from the Gemfile, but add an extra dependency to it that pins the
+        # dependency we want to update.
+        gemfile = Pathname.new(gemfile_name).expand_path
+        builder = Bundler::Dsl.new
+        builder.eval_gemfile(gemfile)
+        builder.gem dependency_name, "= #{target_version}"
+        builder.to_definition(
+          lockfile_name,
+          gems: gems_to_unlock + subdependencies,
+          conservative: true
+        )
+      end
+    end
+
+    def lockfile
+      return @lockfile if defined?(@lockfile)
+
+      @lockfile =
+        begin
+          return unless lockfile_name && File.exist?(lockfile_name)
+
+          File.read(lockfile_name)
+        end
+    end
+
+    def subdependencies
+      # If there's no lockfile we don't need to worry about
+      # subdependencies
+      return [] unless lockfile
+
+      original_specs.map(&:name) - top_level_dep_names
+    end
+
+    def top_level_dep_names
+      @top_level_dep_names ||= Bundler::Definition.build(gemfile_name, lockfile_name, {}).dependencies.map(&:name)
+    end
+
+    def original_specs
+      @original_specs ||= Bundler::LockfileParser.new(lockfile).specs
+    end
+
+    def unlock_gem(definition:, gem_name:)
+      dep = definition.dependencies.find { |d| d.name == gem_name }
+      version = definition.locked_gems.specs
+                          .find { |d| d.name == gem_name }.version
+
+      dep&.instance_variable_set(
+        :@requirement,
+        Gem::Requirement.create(">= #{version}")
+      )
+    end
+  end
+end