dependabot-cargo 0.105.8 → 0.106.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d72eac954e3572f22dd32ea1755573f8120b42fd323a10d07a3feb275df0c313
-  data.tar.gz: 102f03acd039888f2855dc60af2ac78a3e495dcd8b533afcb45b356e9b2d0380
+  metadata.gz: 9ad6b10c46549f96f58f8a85203c1aed3ad784931288b5453d14cb1a245f4b41
+  data.tar.gz: fe9f8e9f82dff4018c10e750592e1b0907694ddc404fbdcadb86ddd579061f24
 SHA512:
-  metadata.gz: f5ef535fb480add4efd25975f20909f69ec8351ee31ee96259125270d29ca46167c69318cae3881a4f98c27b6c8787a9ffdc657adeab638efd72e16013a4711d
-  data.tar.gz: 181690b5db7ed56f5bde830b5c9707008e7d4c37776a109443f5e72166e102ace2145ea64d2ef41be184898dd953e4abbe0ede122da589bb3d8582731147aba2
+  metadata.gz: 772fa72f987966c4883553fa07795bbe3a20221d47e19b9c1d88720e36d1ec3b692f63d5a3f379962a8e66ccf22d9bdf52e425967fab8779eddd0da9a84f2833
+  data.tar.gz: 7ab49f001d3b4e5b9a333e847e166c5445b71995a40b0c31a82e40655182a0fed36faf4dbc05c74c3567b6b217e543609916abd77ddb870533cb65439990b396

data/lib/dependabot/cargo/update_checker.rb

@@ -42,6 +42,17 @@ module Dependabot
           end
       end
 
+      def lowest_resolvable_security_fix_version
+        raise "Dependency not vulnerable!" unless vulnerable?
+
+        if defined?(@lowest_resolvable_security_fix_version)
+          return @lowest_resolvable_security_fix_version
+        end
+
+        @lowest_resolvable_security_fix_version =
+          fetch_lowest_resolvable_security_fix_version
+      end
+
       def latest_resolvable_version_with_no_unlock
         return if path_dependency?
 
@@ -57,9 +68,7 @@ module Dependabot
         RequirementsUpdater.new(
           requirements: dependency.requirements,
           updated_source: updated_source,
-          latest_resolvable_version: latest_resolvable_version&.to_s,
-          latest_version: latest_version&.to_s,
-          library: library?,
+          target_version: target_version,
           update_strategy: requirement_update_strategy
         ).updated_requirements
       end
@@ -75,6 +84,10 @@ module Dependabot
         raise NotImplementedError
       end
 
+      def target_version
+        library? ? latest_version&.to_s : preferred_resolvable_version&.to_s
+      end
+
       def library?
         # If it has a lockfile, treat it as an application. Otherwise treat it
         # as a library.
@@ -194,6 +207,33 @@ module Dependabot
         ).latest_resolvable_version
       end
 
+      def fetch_lowest_resolvable_security_fix_version
+        fix_version = latest_version_finder.lowest_security_fix_version
+        return latest_resolvable_version if fix_version.nil?
+
+        if path_dependency? || git_dependency? || git_subdependency?
+          return latest_resolvable_version
+        end
+
+        prepared_files = FilePreparer.new(
+          dependency_files: dependency_files,
+          dependency: dependency,
+          unlock_requirement: true,
+          latest_allowable_version: fix_version
+        ).prepared_dependency_files
+
+        resolved_fix_version = VersionResolver.new(
+          dependency: dependency,
+          prepared_dependency_files: prepared_files,
+          original_dependency_files: dependency_files,
+          credentials: credentials
+        ).latest_resolvable_version
+
+        return fix_version if fix_version == resolved_fix_version
+
+        latest_resolvable_version
+      end
+
       def updated_source
         # Never need to update source, unless a git_dependency
         return dependency_source_details unless git_dependency?

data/lib/dependabot/cargo/update_checker/requirements_updater.rb

@@ -21,25 +21,16 @@ module Dependabot
           %i(bump_versions bump_versions_if_necessary).freeze
 
         def initialize(requirements:, updated_source:, update_strategy:,
-                       library:, latest_version:, latest_resolvable_version:)
+                       target_version:)
           @requirements = requirements
           @updated_source = updated_source
           @update_strategy = update_strategy
-          @library = library
 
           check_update_strategy
 
-          if latest_version && version_class.correct?(latest_version)
-            @latest_version = version_class.new(latest_version)
-          end
-
-          if latest_resolvable_version &&
-             version_class.correct?(latest_resolvable_version)
-            @latest_resolvable_version =
-              version_class.new(latest_resolvable_version)
-          end
+          return unless target_version && version_class.correct?(target_version)
 
-          @latest_version ||= @latest_resolvable_version
+          @target_version = version_class.new(target_version)
         end
 
         def updated_requirements
@@ -62,15 +53,8 @@ module Dependabot
 
         private
 
-        attr_reader :requirements, :updated_source, :update_strategy
-
-        def library?
-          @library
-        end
-
-        def target_version
-          library? ? @latest_version : @latest_resolvable_version
-        end
+        attr_reader :requirements, :updated_source, :update_strategy,
+                    :target_version
 
         def check_update_strategy
           return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-cargo
 version: !ruby/object:Gem::Version
-  version: 0.105.8
+  version: 0.106.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-19 00:00:00.000000000 Z
+date: 2019-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.105.8
+        version: 0.106.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.105.8
+        version: 0.106.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement