dependabot-bundler 0.385.0 → 0.386.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/helpers/v2/monkey_patches/endpoint_specification_metadata_patch.rb +33 -0
- data/helpers/v2/run.rb +1 -0
- data/helpers/v2/spec/bundler_endpoint_specification_metadata_patch_spec.rb +49 -0
- data/helpers/v2/spec/native_spec_helper.rb +1 -0
- data/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb +19 -2
- metadata +6 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0f0e20b61f6f25f9cab555ba872e5f1e087435c8262e077340dbd54ffc4d06b6
|
|
4
|
+
data.tar.gz: f25535c60a1fbb733644a2e0429cc9cac5a63150b757ac0b4f14788884f62f31
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0c80cce29ae7d8641213f9f6189627f3ef2e4d005b5039286638e7b7de35693744161b9c8668983ce46bc814c912c6264665060649f33c2ee43ad951f2faf399
|
|
7
|
+
data.tar.gz: 32a6267dd3b4e3682a726dafdcfc043e0259b3fee6881f8fbee7b35ab85ad9393a3d21a54ea39024f8ca70796a725d85fe05e76e479a9925e391e8ee0d049198
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
# typed: false
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require "bundler/endpoint_specification"
|
|
5
|
+
|
|
6
|
+
# Bundler parses the metadata a registry's compact index (`/info/<gem>`)
|
|
7
|
+
# returns per gem version. Its guard is `next unless v`, but an empty array
|
|
8
|
+
# `[]` is truthy, so for an empty `checksum` it calls `Checksum.from_api(nil)`
|
|
9
|
+
# -> `nil.match?(...)` and raises `Bundler::GemspecError` ("There was an error
|
|
10
|
+
# parsing the metadata for the gem ..."), aborting the whole resolution.
|
|
11
|
+
#
|
|
12
|
+
# GitHub Packages serves this empty-checksum shape for some old gems (e.g.
|
|
13
|
+
# failbot 2.0.1), so one such gem blocks every update for the repo. Compact-
|
|
14
|
+
# index checksum verification landed in Bundler 2.5, so both the Bundler 2 and
|
|
15
|
+
# Bundler 4 helpers parse checksums and need this patch (the Bundler 2 helper
|
|
16
|
+
# activates ">= 2.4, < 3", i.e. a checksum-parsing 2.5+).
|
|
17
|
+
#
|
|
18
|
+
# Drop nil/empty metadata values before Bundler parses them. An empty checksum
|
|
19
|
+
# carries nothing to verify, so skipping it is safe; well-formed values (and
|
|
20
|
+
# genuinely malformed ones, which still raise) are untouched.
|
|
21
|
+
module BundlerEndpointSpecificationMetadataPatch
|
|
22
|
+
def parse_metadata(data)
|
|
23
|
+
if data.respond_to?(:reject)
|
|
24
|
+
data = data.reject do |_key, value|
|
|
25
|
+
value.nil? || (value.respond_to?(:empty?) && value.empty?)
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
super
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
Bundler::EndpointSpecification.prepend(BundlerEndpointSpecificationMetadataPatch)
|
data/helpers/v2/run.rb
CHANGED
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
# typed: false
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require "native_spec_helper"
|
|
5
|
+
|
|
6
|
+
RSpec.describe BundlerEndpointSpecificationMetadataPatch do
|
|
7
|
+
let(:spec_fetcher) { instance_double(Bundler::Fetcher, uri: URI("https://example.com")) }
|
|
8
|
+
|
|
9
|
+
def build_spec(metadata)
|
|
10
|
+
Bundler::EndpointSpecification.new("failbot", "2.0.1", "ruby", spec_fetcher, [], metadata)
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
it "does not raise when the registry serves an empty checksum array" do
|
|
14
|
+
expect { build_spec([["checksum", []]]) }.not_to raise_error
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
it "leaves the checksum unset for an empty checksum array" do
|
|
18
|
+
spec = build_spec([["checksum", []]])
|
|
19
|
+
expect(spec.checksum).to be_nil
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
# The compact-index parser can emit a value-less entry (`["checksum"]`) rather
|
|
23
|
+
# than an empty array, depending on the RubyGems GemParser version. Both shapes
|
|
24
|
+
# reach this code, so both must be tolerated.
|
|
25
|
+
it "does not raise when the checksum entry has no value at all" do
|
|
26
|
+
expect { build_spec([["checksum"]]) }.not_to raise_error
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
it "ignores nil and blank metadata values" do
|
|
30
|
+
expect { build_spec([["checksum", nil], ["ruby", []]]) }.not_to raise_error
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
it "still parses a well-formed checksum" do
|
|
34
|
+
digest = "f" * 64
|
|
35
|
+
spec = build_spec([["checksum", [digest]]])
|
|
36
|
+
expect(spec.checksum).not_to be_nil
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
it "still parses ruby and rubygems requirements" do
|
|
40
|
+
spec = build_spec([["ruby", [">= 3.1"]], ["rubygems", [">= 3.0"]], ["checksum", []]])
|
|
41
|
+
expect(spec.required_ruby_version.to_s).to eq(">= 3.1")
|
|
42
|
+
expect(spec.required_rubygems_version.to_s).to eq(">= 3.0")
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
it "still raises on a genuinely malformed (non-empty) checksum" do
|
|
46
|
+
expect { build_spec([["checksum", ["not-a-valid-digest"]]]) }
|
|
47
|
+
.to raise_error(Bundler::GemspecError)
|
|
48
|
+
end
|
|
49
|
+
end
|
|
@@ -21,6 +21,7 @@ $LOAD_PATH.unshift(File.expand_path("../../spec_helpers", __dir__))
|
|
|
21
21
|
require "definition_ruby_version_patch"
|
|
22
22
|
require "definition_bundler_version_patch"
|
|
23
23
|
require "git_source_patch"
|
|
24
|
+
require "endpoint_specification_metadata_patch"
|
|
24
25
|
|
|
25
26
|
require "functions"
|
|
26
27
|
|
|
@@ -8,6 +8,7 @@ require "uri"
|
|
|
8
8
|
require "dependabot/bundler/update_checker"
|
|
9
9
|
require "dependabot/bundler/native_helpers"
|
|
10
10
|
require "dependabot/bundler/helpers"
|
|
11
|
+
require "dependabot/logger"
|
|
11
12
|
require "dependabot/registry_client"
|
|
12
13
|
require "dependabot/shared_helpers"
|
|
13
14
|
require "dependabot/errors"
|
|
@@ -41,9 +42,11 @@ module Dependabot
|
|
|
41
42
|
# Raised by Bundler when a registry's compact index (`/info/<gem>`) returns
|
|
42
43
|
# gem metadata it can't parse (e.g. an illformed `ruby:`/`rubygems:`
|
|
43
44
|
# requirement). This means the *registry* served bad data, not that the
|
|
44
|
-
# user's dependency files are broken.
|
|
45
|
+
# user's dependency files are broken. The trailing `detail` capture keeps
|
|
46
|
+
# Bundler's own explanation (e.g. `Illformed requirement [...]`) so the
|
|
47
|
+
# exact parse failure is preserved rather than discarded.
|
|
45
48
|
REGISTRY_METADATA_ERROR_REGEX =
|
|
46
|
-
/error parsing the metadata for the gem (?<gem>\S+) \((?<version>[^)]+)\)/
|
|
49
|
+
/error parsing the metadata for the gem (?<gem>\S+) \((?<version>[^)]+)\):?\s*(?<detail>.*)/m
|
|
47
50
|
|
|
48
51
|
module BundlerErrorPatterns
|
|
49
52
|
MISSING_AUTH_REGEX = /bundle config set --global (?<source>.*) username:password/
|
|
@@ -217,8 +220,22 @@ module Dependabot
|
|
|
217
220
|
source = private_registry_source
|
|
218
221
|
return nil unless source
|
|
219
222
|
|
|
223
|
+
# Bundler's original message identifies which gem/version the registry
|
|
224
|
+
# served unparseable metadata for, and why (e.g. the illformed
|
|
225
|
+
# requirement string). The structured job error only records the source
|
|
226
|
+
# host, so log the full message here to keep the offending gem
|
|
227
|
+
# diagnosable from the updater logs.
|
|
228
|
+
Dependabot.logger.error(
|
|
229
|
+
"Registry #{source} returned unparseable compact-index metadata for " \
|
|
230
|
+
"#{match[:gem]} (#{match[:version]}); raising PrivateSourceBadResponse. " \
|
|
231
|
+
"Original Bundler error: #{error.message.strip}"
|
|
232
|
+
)
|
|
233
|
+
|
|
234
|
+
parse_detail = match[:detail].to_s.strip.gsub(/\s*\n\s*/, "; ")
|
|
220
235
|
detail = "Invalid gem metadata returned for #{match[:gem]} (#{match[:version]}) " \
|
|
221
236
|
"by the source: #{source}"
|
|
237
|
+
detail += " (#{parse_detail})" unless parse_detail.empty?
|
|
238
|
+
|
|
222
239
|
Dependabot::PrivateSourceBadResponse.new(source, detail)
|
|
223
240
|
end
|
|
224
241
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-bundler
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.386.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -15,14 +15,14 @@ dependencies:
|
|
|
15
15
|
requirements:
|
|
16
16
|
- - '='
|
|
17
17
|
- !ruby/object:Gem::Version
|
|
18
|
-
version: 0.
|
|
18
|
+
version: 0.386.0
|
|
19
19
|
type: :runtime
|
|
20
20
|
prerelease: false
|
|
21
21
|
version_requirements: !ruby/object:Gem::Requirement
|
|
22
22
|
requirements:
|
|
23
23
|
- - '='
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
|
-
version: 0.
|
|
25
|
+
version: 0.386.0
|
|
26
26
|
- !ruby/object:Gem::Dependency
|
|
27
27
|
name: parallel
|
|
28
28
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -269,8 +269,10 @@ files:
|
|
|
269
269
|
- helpers/v2/lib/functions/version_resolver.rb
|
|
270
270
|
- helpers/v2/monkey_patches/definition_bundler_version_patch.rb
|
|
271
271
|
- helpers/v2/monkey_patches/definition_ruby_version_patch.rb
|
|
272
|
+
- helpers/v2/monkey_patches/endpoint_specification_metadata_patch.rb
|
|
272
273
|
- helpers/v2/monkey_patches/git_source_patch.rb
|
|
273
274
|
- helpers/v2/run.rb
|
|
275
|
+
- helpers/v2/spec/bundler_endpoint_specification_metadata_patch_spec.rb
|
|
274
276
|
- helpers/v2/spec/bundler_version_constraint_spec.rb
|
|
275
277
|
- helpers/v2/spec/functions/conflicting_dependency_resolver_spec.rb
|
|
276
278
|
- helpers/v2/spec/functions/dependency_source_spec.rb
|
|
@@ -351,7 +353,7 @@ licenses:
|
|
|
351
353
|
- MIT
|
|
352
354
|
metadata:
|
|
353
355
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
354
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
356
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.386.0
|
|
355
357
|
rdoc_options: []
|
|
356
358
|
require_paths:
|
|
357
359
|
- lib
|