dependabot-common 0.117.9 → 0.118.2
- checksums.yaml +4 -4
- data/lib/dependabot/errors.rb +4 -1
- data/lib/dependabot/git_commit_checker.rb +18 -9
- data/lib/dependabot/metadata_finders/base/changelog_finder.rb +13 -10
- data/lib/dependabot/metadata_finders/base/changelog_pruner.rb +7 -11
- data/lib/dependabot/metadata_finders/base/commits_finder.rb +10 -11
- data/lib/dependabot/metadata_finders/base/release_finder.rb +16 -8
- data/lib/dependabot/pull_request_creator/branch_namer.rb +19 -8
- data/lib/dependabot/pull_request_creator/labeler.rb +25 -12
- data/lib/dependabot/pull_request_creator/message_builder.rb +35 -21
- data/lib/dependabot/pull_request_creator/pr_name_prefixer.rb +7 -3
- data/lib/dependabot/pull_request_updater.rb +13 -0
- data/lib/dependabot/pull_request_updater/github.rb +1 -1
- data/lib/dependabot/pull_request_updater/gitlab.rb +85 -0
- data/lib/dependabot/update_checkers/base.rb +5 -3
- data/lib/dependabot/version.rb +1 -1
- metadata +9 -8
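--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ab9d87af6e9cb01ca5e5bbfdd395d72520672ccd491db473cb3813029702d1c8
+data.tar.gz: 0a595869a5c00de445e98e0151e441e3a9b05d0c0e790cb6eec4e6c8c2682bff
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 122b32a211a3dadfb2aa6325a57fd08cfa9923e37052ec840426915238ab46718cd8223195c0799e294dc9c4c4997dd5655d7386cf0c7b7845d36cbd07c6d42e
+data.tar.gz: 199eb9dbb22dd28f2bd4b80f255eb27bf7e69cdf5d4f34b13d937ed6f60d81baf63c7a153a355e84019c760495bad94bb8d67b4e4087f5f87cb148561baf4941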
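--- a/data/lib/dependabot/errors.rb
+++ b/data/lib/dependabot/errors.rb
@@ -25,7 +25,7 @@ module Dependabot
 class OutOfMemory < DependabotError; end
 
 #####################
-# Repo
+# Repo level errors #
 #####################
 
 class BranchNotFound < DependabotError
@@ -191,4 +191,7 @@ module Dependabot
 super(msg)
 end
 end
+
+# Raised by UpdateChecker if all candidate updates are ignored
+class AllVersionsIgnored < DependabotError; end
 end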
@@ -21,11 +21,13 @@ module Dependabot
|
|
21
21
|
)$
|
22
22
|
/ix.freeze
|
23
23
|
|
24
|
-
def initialize(dependency:, credentials:,
|
24
|
+
def initialize(dependency:, credentials:,
|
25
|
+
ignored_versions: [], raise_on_ignored: false,
|
25
26
|
requirement_class: nil, version_class: nil)
|
26
27
|
@dependency = dependency
|
27
28
|
@credentials = credentials
|
28
29
|
@ignored_versions = ignored_versions
|
30
|
+
@raise_on_ignored = raise_on_ignored
|
29
31
|
@requirement_class = requirement_class
|
30
32
|
@version_class = version_class
|
31
33
|
end
|
@@ -85,15 +87,22 @@ module Dependabot
|
|
85
87
|
end
|
86
88
|
|
87
89
|
def local_tag_for_latest_version
|
88
|
-
|
90
|
+
tags =
|
89
91
|
local_tags.
|
90
|
-
select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
92
|
+
select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
|
93
|
+
filtered = tags.
|
94
|
+
reject { |t| tag_included_in_ignore_reqs?(t) }
|
95
|
+
if @raise_on_ignored && tags.any? && filtered.empty?
|
96
|
+
raise Dependabot::AllVersionsIgnored
|
97
|
+
end
|
98
|
+
|
99
|
+
tag = filtered.
|
100
|
+
reject { |t| tag_is_prerelease?(t) && !wants_prerelease? }.
|
101
|
+
max_by do |t|
|
102
|
+
version = t.name.match(VERSION_REGEX).named_captures.
|
103
|
+
fetch("version")
|
104
|
+
version_class.new(version)
|
105
|
+
end
|
97
106
|
|
98
107
|
return unless tag
|
99
108
|
|
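Review bot: The `AllVersionsIgnored` check in `local_tag_for_latest_version` runs before the prerelease filter, so with `raise_on_ignored` set a repository whose only non-ignored tags are prereleases still returns nil silently instead of raising; that is probably the intended meaning of "ignored", but nothing in the method says so. Suggest a header comment: `# Raises Dependabot::AllVersionsIgnored when raise_on_ignored is set and every version tag was excluded by an ignore requirement; the later prerelease filter never raises.` The two-line `filtered = tags.` / `reject { ... }` chain fits on one line and reads more naturally as `filtered = tags.reject { |t| tag_included_in_ignore_reqs?(t) }`. The method's body continues past the end of the hunk (`return unless tag` onwards).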
@@ -314,24 +314,29 @@ module Dependabot
|
|
314
314
|
end
|
315
315
|
|
316
316
|
def new_version
|
317
|
-
@new_version
|
318
|
-
|
317
|
+
return @new_version if defined?(@new_version)
|
318
|
+
|
319
|
+
new_version = git_source? && new_ref ? new_ref : dependency.version
|
320
|
+
@new_version = new_version&.gsub(/^v/, "")
|
319
321
|
end
|
320
322
|
|
321
323
|
def previous_ref
|
322
|
-
dependency.previous_requirements.map do |r|
|
324
|
+
previous_refs = dependency.previous_requirements.map do |r|
|
323
325
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
324
|
-
end.compact.
|
326
|
+
end.compact.uniq
|
327
|
+
return previous_refs.first if previous_refs.count == 1
|
325
328
|
end
|
326
329
|
|
327
330
|
def new_ref
|
328
|
-
dependency.requirements.map do |r|
|
331
|
+
new_refs = dependency.requirements.map do |r|
|
329
332
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
330
|
-
end.compact.
|
333
|
+
end.compact.uniq
|
334
|
+
return new_refs.first if new_refs.count == 1
|
331
335
|
end
|
332
336
|
|
333
337
|
def ref_changed?
|
334
|
-
|
338
|
+
# We could go from multiple previous refs (nil) to a single new ref
|
339
|
+
previous_ref != new_ref
|
335
340
|
end
|
336
341
|
|
337
342
|
# TODO: Refactor me so that Composer doesn't need to be special cased
|
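Review bot: `@new_version = new_version&.gsub(/^v/, "")` anchors with `^`, which in Ruby matches at every line start rather than the start of the string; `new_version&.sub(/\Av/, "")` says what is meant (strip one leading v) and cannot touch anything after a newline. The local `new_version` also shadows the method of the same name, which makes the memoised `defined?(@new_version)` guard harder to follow; `version = ...` would do. `previous_ref`/`new_ref` are now the same lines here and in the hunks below that appear to be changelog_pruner, commits_finder, release_finder, branch_namer and message_builder, each ending in `return refs.first if refs.count == 1` with an implicit nil fall-through; a shared helper with an explicit trailing `nil` would stop the six copies drifting and make the "ambiguous refs mean nil" contract visible.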
@@ -343,10 +348,8 @@ module Dependabot
|
|
343
348
|
requirements = dependency.requirements
|
344
349
|
sources = requirements.map { |r| r.fetch(:source) }.uniq.compact
|
345
350
|
return false if sources.empty?
|
346
|
-
raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
|
347
351
|
|
348
|
-
|
349
|
-
source_type == "git"
|
352
|
+
sources.all? { |s| s[:type] == "git" || s["type"] == "git" }
|
350
353
|
end
|
351
354
|
|
352
355
|
def major_version_upgrade?
|
@@ -139,19 +139,17 @@ module Dependabot
|
|
139
139
|
end
|
140
140
|
|
141
141
|
def previous_ref
|
142
|
-
dependency.previous_requirements.map do |r|
|
142
|
+
previous_refs = dependency.previous_requirements.map do |r|
|
143
143
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
144
|
-
end.compact.
|
144
|
+
end.compact.uniq
|
145
|
+
return previous_refs.first if previous_refs.count == 1
|
145
146
|
end
|
146
147
|
|
147
148
|
def new_ref
|
148
|
-
dependency.requirements.map do |r|
|
149
|
+
new_refs = dependency.requirements.map do |r|
|
149
150
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
150
|
-
end.compact.
|
151
|
-
|
152
|
-
|
153
|
-
def ref_changed?
|
154
|
-
previous_ref && new_ref && previous_ref != new_ref
|
151
|
+
end.compact.uniq
|
152
|
+
return new_refs.first if new_refs.count == 1
|
155
153
|
end
|
156
154
|
|
157
155
|
# TODO: Refactor me so that Composer doesn't need to be special cased
|
@@ -163,10 +161,8 @@ module Dependabot
|
|
163
161
|
requirements = dependency.requirements
|
164
162
|
sources = requirements.map { |r| r.fetch(:source) }.uniq.compact
|
165
163
|
return false if sources.empty?
|
166
|
-
raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
|
167
164
|
|
168
|
-
|
169
|
-
source_type == "git"
|
165
|
+
sources.all? { |s| s[:type] == "git" || s["type"] == "git" }
|
170
166
|
end
|
171
167
|
|
172
168
|
def version_class
|
@@ -55,7 +55,7 @@ module Dependabot
|
|
55
55
|
return new_version
|
56
56
|
end
|
57
57
|
|
58
|
-
return new_ref if
|
58
|
+
return new_ref if new_ref && ref_changed?
|
59
59
|
|
60
60
|
tags = dependency_tags.
|
61
61
|
select { |tag| tag_matches_version?(tag, new_version) }.
|
@@ -73,7 +73,7 @@ module Dependabot
|
|
73
73
|
if git_source?(dependency.previous_requirements) &&
|
74
74
|
git_sha?(previous_version)
|
75
75
|
previous_version
|
76
|
-
elsif
|
76
|
+
elsif previous_ref && ref_changed?
|
77
77
|
previous_ref
|
78
78
|
elsif previous_version
|
79
79
|
tags = dependency_tags.
|
@@ -126,32 +126,31 @@ module Dependabot
|
|
126
126
|
|
127
127
|
sources = requirements.map { |r| r.fetch(:source) }.uniq.compact
|
128
128
|
return false if sources.empty?
|
129
|
-
raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
|
130
129
|
|
131
|
-
|
132
|
-
source_type == "git"
|
130
|
+
sources.all? { |s| s[:type] == "git" || s["type"] == "git" }
|
133
131
|
end
|
134
132
|
|
135
133
|
def ref_changed?
|
136
|
-
|
137
|
-
|
134
|
+
# We could go from multiple previous refs (nil) to a single new ref
|
138
135
|
previous_ref != new_ref
|
139
136
|
end
|
140
137
|
|
141
138
|
def previous_ref
|
142
139
|
return unless git_source?(dependency.previous_requirements)
|
143
140
|
|
144
|
-
dependency.previous_requirements.map do |r|
|
141
|
+
previous_refs = dependency.previous_requirements.map do |r|
|
145
142
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
146
|
-
end.compact.
|
143
|
+
end.compact.uniq
|
144
|
+
return previous_refs.first if previous_refs.count == 1
|
147
145
|
end
|
148
146
|
|
149
147
|
def new_ref
|
150
148
|
return unless git_source?(dependency.previous_requirements)
|
151
149
|
|
152
|
-
dependency.requirements.map do |r|
|
150
|
+
new_refs = dependency.requirements.map do |r|
|
153
151
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
154
|
-
end.compact.
|
152
|
+
end.compact.uniq
|
153
|
+
return new_refs.first if new_refs.count == 1
|
155
154
|
end
|
156
155
|
|
157
156
|
def tag_matches_version?(tag, version)
|
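Review bot: `new_ref` keeps the guard `return unless git_source?(dependency.previous_requirements)` while reading `dependency.requirements`, and with `ref_changed?` now reduced to `previous_ref != new_ref` a dependency whose source only becomes git in this update gets `new_ref` nil and `ref_changed?` false. If that is deliberate (refs only matter when the previous source was git) a one-line comment above the guard would save the next reader the same question; if not, the guard should read `return unless git_source?(dependency.requirements)`. The guard line itself predates this commit, so this may be pre-existing behaviour rather than a regression.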
@@ -251,8 +251,11 @@ module Dependabot
|
|
251
251
|
return ref_changed? ? previous_ref : nil
|
252
252
|
end
|
253
253
|
|
254
|
+
# Previous version looks like a git SHA and there's a previous ref, we
|
255
|
+
# could be changing to a nil previous ref in which case we want to
|
256
|
+
# fall back to tge sha version
|
254
257
|
if dependency.previous_version.match?(/^[0-9a-f]{40}$/) &&
|
255
|
-
ref_changed?
|
258
|
+
ref_changed? && previous_ref
|
256
259
|
previous_ref
|
257
260
|
else
|
258
261
|
dependency.previous_version
|
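Review bot: The new comment has a typo (`tge sha version`) and the sentence runs on; suggest `# The previous version is a git SHA and there is a previous ref; the ref may be going away (nil), in which case fall back to the SHA.` The enclosing method starts outside the hunk.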
@@ -260,7 +263,11 @@ module Dependabot
|
|
260
263
|
end
|
261
264
|
|
262
265
|
def new_version
|
263
|
-
|
266
|
+
# New version looks like a git SHA and there's a new ref, guarding
|
267
|
+
# against changes to a nil new_ref (not certain this can actually
|
268
|
+
# happen atm)
|
269
|
+
if dependency.version.match?(/^[0-9a-f]{40}$/) && ref_changed? &&
|
270
|
+
new_ref
|
264
271
|
return new_ref
|
265
272
|
end
|
266
273
|
|
@@ -268,20 +275,21 @@ module Dependabot
|
|
268
275
|
end
|
269
276
|
|
270
277
|
def previous_ref
|
271
|
-
dependency.previous_requirements.map do |r|
|
278
|
+
previous_refs = dependency.previous_requirements.map do |r|
|
272
279
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
273
|
-
end.compact.
|
280
|
+
end.compact.uniq
|
281
|
+
return previous_refs.first if previous_refs.count == 1
|
274
282
|
end
|
275
283
|
|
276
284
|
def new_ref
|
277
|
-
dependency.requirements.map do |r|
|
285
|
+
new_refs = dependency.requirements.map do |r|
|
278
286
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
279
|
-
end.compact.
|
287
|
+
end.compact.uniq
|
288
|
+
return new_refs.first if new_refs.count == 1
|
280
289
|
end
|
281
290
|
|
282
291
|
def ref_changed?
|
283
|
-
|
284
|
-
|
292
|
+
# We could go from multiple previous refs (nil) to a single new ref
|
285
293
|
previous_ref != new_ref
|
286
294
|
end
|
287
295
|
|
@@ -36,7 +36,7 @@ module Dependabot
|
|
36
36
|
|
37
37
|
dep = dependencies.first
|
38
38
|
|
39
|
-
if library? && ref_changed?(
|
39
|
+
if library? && ref_changed?(dep) && new_ref(dep)
|
40
40
|
"#{dependency_name_part}-#{new_ref(dep)}"
|
41
41
|
elsif library?
|
42
42
|
"#{dependency_name_part}-#{sanitized_requirement(dep)}"
|
@@ -116,9 +116,14 @@ module Dependabot
|
|
116
116
|
gsub(",", "-and-")
|
117
117
|
end
|
118
118
|
|
119
|
+
# rubocop:disable Metrics/PerceivedComplexity
|
119
120
|
def new_version(dependency)
|
121
|
+
# Version looks like a git SHA and we could be updating to a specific
|
122
|
+
# ref in which case we return that otherwise we return a shorthand sha
|
120
123
|
if dependency.version.match?(/^[0-9a-f]{40}$/)
|
121
|
-
|
124
|
+
if ref_changed?(dependency) && new_ref(dependency)
|
125
|
+
return new_ref(dependency)
|
126
|
+
end
|
122
127
|
|
123
128
|
dependency.version[0..6]
|
124
129
|
elsif dependency.version == dependency.previous_version &&
|
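Review bot: The added `if ref_changed?(dependency) && new_ref(dependency)` / `return new_ref(dependency)` / `end` is the nesting that prompted the `Metrics/PerceivedComplexity` disable around `new_version`; the modifier form `return new_ref(dependency) if ref_changed?(dependency) && new_ref(dependency)` is one line, equivalent, and may let the disable go. The same three-line shape is added in message_builder's `previous_version`, `new_version` and `new_library_requirement` hunks further down. `new_version`'s remaining branches continue past the hunk.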
@@ -130,22 +135,25 @@ module Dependabot
|
|
130
135
|
dependency.version
|
131
136
|
end
|
132
137
|
end
|
138
|
+
# rubocop:enable Metrics/PerceivedComplexity
|
133
139
|
|
134
140
|
def previous_ref(dependency)
|
135
|
-
dependency.previous_requirements.map do |r|
|
141
|
+
previous_refs = dependency.previous_requirements.map do |r|
|
136
142
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
137
|
-
end.compact.
|
143
|
+
end.compact.uniq
|
144
|
+
return previous_refs.first if previous_refs.count == 1
|
138
145
|
end
|
139
146
|
|
140
147
|
def new_ref(dependency)
|
141
|
-
dependency.requirements.map do |r|
|
148
|
+
new_refs = dependency.requirements.map do |r|
|
142
149
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
143
|
-
end.compact.
|
150
|
+
end.compact.uniq
|
151
|
+
return new_refs.first if new_refs.count == 1
|
144
152
|
end
|
145
153
|
|
146
154
|
def ref_changed?(dependency)
|
147
|
-
|
148
|
-
|
155
|
+
# We could go from multiple previous refs (nil) to a single new ref
|
156
|
+
previous_ref(dependency) != new_ref(dependency)
|
149
157
|
end
|
150
158
|
|
151
159
|
def new_library_requirement(dependency)
|
@@ -159,6 +167,9 @@ module Dependabot
|
|
159
167
|
updated_reqs.first[:requirement]
|
160
168
|
end
|
161
169
|
|
170
|
+
# TODO: Look into bringing this in line with existing library checks that
|
171
|
+
# we do in the update checkers, which are also overriden by passing an
|
172
|
+
# explicit `requirements_update_strategy`.
|
162
173
|
def library?
|
163
174
|
return true if files.map(&:name).any? { |nm| nm.end_with?(".gemspec") }
|
164
175
|
|
@@ -6,6 +6,8 @@ module Dependabot
|
|
6
6
|
class PullRequestCreator
|
7
7
|
class Labeler
|
8
8
|
DEPENDENCIES_LABEL_REGEX = %r{^[^/]*dependenc[^/]+$}i.freeze
|
9
|
+
DEFAULT_DEPENDENCIES_LABEL = "dependencies"
|
10
|
+
DEFAULT_SECURITY_LABEL = "security"
|
9
11
|
|
10
12
|
@package_manager_labels = {}
|
11
13
|
|
@@ -170,12 +172,18 @@ module Dependabot
|
|
170
172
|
if custom_labels then custom_labels & labels
|
171
173
|
else
|
172
174
|
[
|
173
|
-
|
175
|
+
default_dependencies_label,
|
174
176
|
label_language? ? language_label : nil
|
175
177
|
].compact
|
176
178
|
end
|
177
179
|
end
|
178
180
|
|
181
|
+
# Find the exact match first and then fallback to *dependenc* label
|
182
|
+
def default_dependencies_label
|
183
|
+
labels.find { |l| l == DEFAULT_DEPENDENCIES_LABEL } ||
|
184
|
+
labels.find { |l| l.match?(DEPENDENCIES_LABEL_REGEX) }
|
185
|
+
end
|
186
|
+
|
179
187
|
def dependencies_label_exists?
|
180
188
|
labels.any? { |l| l.match?(DEPENDENCIES_LABEL_REGEX) }
|
181
189
|
end
|
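Review bot: `labels.find { |l| l == DEFAULT_DEPENDENCIES_LABEL }` is a membership test written as a search; `return DEFAULT_DEPENDENCIES_LABEL if labels.include?(DEFAULT_DEPENDENCIES_LABEL)` followed by `labels.find { |l| l.match?(DEPENDENCIES_LABEL_REGEX) }` states the exact-then-fuzzy order the comment describes. Worth noting in that comment that `DEPENDENCIES_LABEL_REGEX` is case-insensitive, so a repo label "Dependencies" is matched by the fallback but not by the exact check.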
@@ -260,7 +268,12 @@ module Dependabot
|
|
260
268
|
self.class.label_details_for_package_manager(package_manager).
|
261
269
|
fetch(:name)
|
262
270
|
|
263
|
-
@labels = [
|
271
|
+
@labels = [
|
272
|
+
*@labels,
|
273
|
+
DEFAULT_DEPENDENCIES_LABEL,
|
274
|
+
DEFAULT_SECURITY_LABEL,
|
275
|
+
langauge_name
|
276
|
+
].uniq
|
264
277
|
end
|
265
278
|
|
266
279
|
def create_dependencies_label
|
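Review bot: The new `@labels = [*@labels, ..., langauge_name].uniq` spells the helper `langauge_name`; if the method really is defined under that name the call works but the misspelling gains another caller, and if the definition is `language_name` this raises NoMethodError the first time the label-creation path runs. Either way, renaming the definition and every caller to `language_name` in one change would settle it; the definition is outside this hunk, as is the start of the enclosing method.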
@@ -292,44 +305,44 @@ module Dependabot
|
|
292
305
|
|
293
306
|
def create_github_dependencies_label
|
294
307
|
github_client_for_source.add_label(
|
295
|
-
source.repo,
|
308
|
+
source.repo, DEFAULT_DEPENDENCIES_LABEL, "0366d6",
|
296
309
|
description: "Pull requests that update a dependency file",
|
297
310
|
accept: "application/vnd.github.symmetra-preview+json"
|
298
311
|
)
|
299
|
-
@labels = [*@labels,
|
312
|
+
@labels = [*@labels, DEFAULT_DEPENDENCIES_LABEL].uniq
|
300
313
|
rescue Octokit::UnprocessableEntity => e
|
301
314
|
raise unless e.errors.first.fetch(:code) == "already_exists"
|
302
315
|
|
303
|
-
@labels = [*@labels,
|
316
|
+
@labels = [*@labels, DEFAULT_DEPENDENCIES_LABEL].uniq
|
304
317
|
end
|
305
318
|
|
306
319
|
def create_gitlab_dependencies_label
|
307
320
|
gitlab_client_for_source.create_label(
|
308
|
-
source.repo,
|
321
|
+
source.repo, DEFAULT_DEPENDENCIES_LABEL, "#0366d6",
|
309
322
|
description: "Pull requests that update a dependency file"
|
310
323
|
)
|
311
|
-
@labels = [*@labels,
|
324
|
+
@labels = [*@labels, DEFAULT_DEPENDENCIES_LABEL].uniq
|
312
325
|
end
|
313
326
|
|
314
327
|
def create_github_security_label
|
315
328
|
github_client_for_source.add_label(
|
316
|
-
source.repo,
|
329
|
+
source.repo, DEFAULT_SECURITY_LABEL, "ee0701",
|
317
330
|
description: "Pull requests that address a security vulnerability",
|
318
331
|
accept: "application/vnd.github.symmetra-preview+json"
|
319
332
|
)
|
320
|
-
@labels = [*@labels,
|
333
|
+
@labels = [*@labels, DEFAULT_SECURITY_LABEL].uniq
|
321
334
|
rescue Octokit::UnprocessableEntity => e
|
322
335
|
raise unless e.errors.first.fetch(:code) == "already_exists"
|
323
336
|
|
324
|
-
@labels = [*@labels,
|
337
|
+
@labels = [*@labels, DEFAULT_SECURITY_LABEL].uniq
|
325
338
|
end
|
326
339
|
|
327
340
|
def create_gitlab_security_label
|
328
341
|
gitlab_client_for_source.create_label(
|
329
|
-
source.repo,
|
342
|
+
source.repo, DEFAULT_SECURITY_LABEL, "#ee0701",
|
330
343
|
description: "Pull requests that address a security vulnerability"
|
331
344
|
)
|
332
|
-
@labels = [*@labels,
|
345
|
+
@labels = [*@labels, DEFAULT_SECURITY_LABEL].uniq
|
333
346
|
end
|
334
347
|
|
335
348
|
def create_github_language_label
|
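Review bot: The hunk introduces `DEFAULT_DEPENDENCIES_LABEL`/`DEFAULT_SECURITY_LABEL` but leaves the matching colours (`"0366d6"` vs `"#0366d6"`, `"ee0701"` vs `"#ee0701"`) and descriptions as literals repeated across the four create_* methods, so a colour change has to be made in two places per label and the GitHub/GitLab `#` difference is easy to get backwards. Constants next to the label names, e.g. `DEPENDENCIES_LABEL_COLOUR = "0366d6"` used as `"##{DEPENDENCIES_LABEL_COLOUR}"` on the GitLab side, would keep them in one place. The `rescue Octokit::UnprocessableEntity` branches are unchanged context, but `e.errors.first.fetch(:code)` raises NoMethodError when `errors` is empty, so a `&.` there is worth adding when this area is next touched.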
@@ -64,7 +64,7 @@ module Dependabot
|
|
64
64
|
pr_name +
|
65
65
|
if dependencies.count == 1
|
66
66
|
"#{dependencies.first.display_name} requirement "\
|
67
|
-
"
|
67
|
+
"#{from_version_msg(old_library_requirement(dependencies.first))}"\
|
68
68
|
"to #{new_library_requirement(dependencies.first)}"
|
69
69
|
else
|
70
70
|
names = dependencies.map(&:name)
|
@@ -79,16 +79,18 @@ module Dependabot
|
|
79
79
|
pr_name +
|
80
80
|
if dependencies.count == 1
|
81
81
|
dependency = dependencies.first
|
82
|
-
"#{dependency.display_name}
|
82
|
+
"#{dependency.display_name} "\
|
83
|
+
"#{from_version_msg(previous_version(dependency))}"\
|
83
84
|
"to #{new_version(dependency)}"
|
84
85
|
elsif updating_a_property?
|
85
86
|
dependency = dependencies.first
|
86
|
-
"#{property_name}
|
87
|
+
"#{property_name} "\
|
88
|
+
"#{from_version_msg(previous_version(dependency))}"\
|
87
89
|
"to #{new_version(dependency)}"
|
88
90
|
elsif updating_a_dependency_set?
|
89
91
|
dependency = dependencies.first
|
90
92
|
"#{dependency_set.fetch(:group)} dependency set "\
|
91
|
-
"
|
93
|
+
"#{from_version_msg(previous_version(dependency))}"\
|
92
94
|
"to #{new_version(dependency)}"
|
93
95
|
else
|
94
96
|
names = dependencies.map(&:name)
|
@@ -178,7 +180,7 @@ module Dependabot
|
|
178
180
|
|
179
181
|
dependency = dependencies.first
|
180
182
|
msg = "Bumps #{dependency_links.first} "\
|
181
|
-
"
|
183
|
+
"#{from_version_msg(previous_version(dependency))}"\
|
182
184
|
"to #{new_version(dependency)}."
|
183
185
|
|
184
186
|
if switching_from_ref_to_release?(dependency)
|
@@ -200,7 +202,7 @@ module Dependabot
|
|
200
202
|
dependency = dependencies.first
|
201
203
|
|
202
204
|
"Bumps `#{property_name}` "\
|
203
|
-
"
|
205
|
+
"#{from_version_msg(previous_version(dependency))}"\
|
204
206
|
"to #{new_version(dependency)}."
|
205
207
|
end
|
206
208
|
|
@@ -208,7 +210,7 @@ module Dependabot
|
|
208
210
|
dependency = dependencies.first
|
209
211
|
|
210
212
|
"Bumps `#{dependency_set.fetch(:group)}` "\
|
211
|
-
"dependency set
|
213
|
+
"dependency set #{from_version_msg(previous_version(dependency))}"\
|
212
214
|
"to #{new_version(dependency)}."
|
213
215
|
end
|
214
216
|
|
@@ -218,6 +220,12 @@ module Dependabot
|
|
218
220
|
"dependencies needed to be updated together."
|
219
221
|
end
|
220
222
|
|
223
|
+
def from_version_msg(previous_version)
|
224
|
+
return "" unless previous_version
|
225
|
+
|
226
|
+
"from #{previous_version} "
|
227
|
+
end
|
228
|
+
|
221
229
|
def updating_a_property?
|
222
230
|
dependencies.first.
|
223
231
|
requirements.
|
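Review bot: `from_version_msg` returns `"from X "` with a trailing space or `""`, and every caller relies on that to glue `"to ..."` directly after it (see `"#{from_version_msg(previous_version(dep))}to "` in a later hunk); that contract is invisible at the definition. Suggest `# Returns "from <previous_version> " (trailing space included) or "" when there is no previous version, so callers can append "to ..." directly.`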
@@ -268,7 +276,8 @@ module Dependabot
|
|
268
276
|
end
|
269
277
|
|
270
278
|
dependencies.map do |dep|
|
271
|
-
"\n\nUpdates `#{dep.display_name}`
|
279
|
+
"\n\nUpdates `#{dep.display_name}` "\
|
280
|
+
"#{from_version_msg(previous_version(dep))}to "\
|
272
281
|
"#{new_version(dep)}"\
|
273
282
|
"#{metadata_links_for_dep(dep)}"
|
274
283
|
end.join
|
@@ -289,8 +298,9 @@ module Dependabot
|
|
289
298
|
end
|
290
299
|
|
291
300
|
dependencies.map do |dep|
|
292
|
-
msg = "\nUpdates `#{dep.display_name}`
|
293
|
-
"#{previous_version(dep)
|
301
|
+
msg = "\nUpdates `#{dep.display_name}` "\
|
302
|
+
"#{from_version_msg(previous_version(dep))}"\
|
303
|
+
"to #{new_version(dep)}"
|
294
304
|
|
295
305
|
if vulnerabilities_fixed[dep.name]&.one?
|
296
306
|
msg += " **This update includes a security fix.**"
|
@@ -567,7 +577,9 @@ module Dependabot
|
|
567
577
|
end
|
568
578
|
|
569
579
|
if dependency.previous_version.match?(/^[0-9a-f]{40}$/)
|
570
|
-
|
580
|
+
if ref_changed?(dependency) && previous_ref(dependency)
|
581
|
+
return previous_ref(dependency)
|
582
|
+
end
|
571
583
|
|
572
584
|
"`#{dependency.previous_version[0..6]}`"
|
573
585
|
elsif dependency.version == dependency.previous_version &&
|
@@ -582,7 +594,9 @@ module Dependabot
|
|
582
594
|
|
583
595
|
def new_version(dependency)
|
584
596
|
if dependency.version.match?(/^[0-9a-f]{40}$/)
|
585
|
-
|
597
|
+
if ref_changed?(dependency) && new_ref(dependency)
|
598
|
+
return new_ref(dependency)
|
599
|
+
end
|
586
600
|
|
587
601
|
"`#{dependency.version[0..6]}`"
|
588
602
|
elsif dependency.version == dependency.previous_version &&
|
@@ -601,15 +615,17 @@ module Dependabot
|
|
601
615
|
end
|
602
616
|
|
603
617
|
def previous_ref(dependency)
|
604
|
-
dependency.previous_requirements.map do |r|
|
618
|
+
previous_refs = dependency.previous_requirements.map do |r|
|
605
619
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
606
|
-
end.compact.
|
620
|
+
end.compact.uniq
|
621
|
+
return previous_refs.first if previous_refs.count == 1
|
607
622
|
end
|
608
623
|
|
609
624
|
def new_ref(dependency)
|
610
|
-
dependency.requirements.map do |r|
|
625
|
+
new_refs = dependency.requirements.map do |r|
|
611
626
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
612
|
-
end.compact.
|
627
|
+
end.compact.uniq
|
628
|
+
return new_refs.first if new_refs.count == 1
|
613
629
|
end
|
614
630
|
|
615
631
|
def old_library_requirement(dependency)
|
@@ -623,8 +639,6 @@ module Dependabot
|
|
623
639
|
req = old_reqs.first.fetch(:requirement)
|
624
640
|
return req if req
|
625
641
|
return previous_ref(dependency) if ref_changed?(dependency)
|
626
|
-
|
627
|
-
raise "No previous requirement!"
|
628
642
|
end
|
629
643
|
|
630
644
|
def new_library_requirement(dependency)
|
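Review bot: With `raise "No previous requirement!"` gone, `old_library_requirement` now returns nil by falling off a modifier `return ... if`, which reads like an oversight next to `new_library_requirement`, which still raises. Since `from_version_msg` (added in this commit) handles nil by emitting nothing, the fall-through looks intended; an explicit `nil` line with `# nil means "no previous requirement"; from_version_msg then omits the "from" clause` makes that deliberate. The method's first lines are outside the hunk.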
@@ -637,7 +651,9 @@ module Dependabot
|
|
637
651
|
|
638
652
|
req = updated_reqs.first.fetch(:requirement)
|
639
653
|
return req if req
|
640
|
-
|
654
|
+
if ref_changed?(dependency) && new_ref(dependency)
|
655
|
+
return new_ref(dependency)
|
656
|
+
end
|
641
657
|
|
642
658
|
raise "No new requirement!"
|
643
659
|
end
|
@@ -685,8 +701,6 @@ module Dependabot
|
|
685
701
|
end
|
686
702
|
|
687
703
|
def ref_changed?(dependency)
|
688
|
-
return false unless previous_ref(dependency)
|
689
|
-
|
690
704
|
previous_ref(dependency) != new_ref(dependency)
|
691
705
|
end
|
692
706
|
|
@@ -314,7 +314,7 @@ module Dependabot
|
|
314
314
|
azure_client_for_source.commits
|
315
315
|
|
316
316
|
@recent_azure_commit_messages.
|
317
|
-
reject { |c| c
|
317
|
+
reject { |c| azure_commit_author_email(c) == dependabot_email }.
|
318
318
|
reject { |c| c.fetch("comment")&.start_with?("Merge") }.
|
319
319
|
map { |c| c.fetch("comment") }.
|
320
320
|
compact.
|
@@ -355,7 +355,7 @@ module Dependabot
|
|
355
355
|
def recent_github_commits
|
356
356
|
@recent_github_commits ||=
|
357
357
|
github_client_for_source.commits(source.repo, per_page: 100)
|
358
|
-
rescue Octokit::Conflict
|
358
|
+
rescue Octokit::Conflict, Octokit::NotFound
|
359
359
|
@recent_github_commits ||= []
|
360
360
|
end
|
361
361
|
|
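Review bot: `rescue Octokit::Conflict, Octokit::NotFound` now maps a 404 to `@recent_github_commits ||= []`, so a repository the token cannot read becomes indistinguishable from an empty history and prefix detection silently falls back to defaults. That is a reasonable best-effort choice, but the reason belongs in the code: `# A 404 (no access, or repo moved) is treated like an empty history so prefix detection degrades instead of failing the run` — presumably the motivation, confirm against the originating issue.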
@@ -374,7 +374,7 @@ module Dependabot
|
|
374
374
|
azure_client_for_source.commits
|
375
375
|
|
376
376
|
@recent_azure_commit_messages.
|
377
|
-
find { |c| c
|
377
|
+
find { |c| azure_commit_author_email(c) == dependabot_email }&.
|
378
378
|
message&.
|
379
379
|
strip
|
380
380
|
end
|
@@ -389,6 +389,10 @@ module Dependabot
|
|
389
389
|
strip
|
390
390
|
end
|
391
391
|
|
392
|
+
def azure_commit_author_email(commit)
|
393
|
+
commit.fetch("author").fetch("email", "")
|
394
|
+
end
|
395
|
+
|
392
396
|
def github_client_for_source
|
393
397
|
@github_client_for_source ||=
|
394
398
|
Dependabot::Clients::GithubWithRetries.for_source(
|
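Review bot: `azure_commit_author_email` tolerates a missing `email` (`fetch("email", "")`) but not a missing `author` (`fetch("author")` raises KeyError), so the two callers earlier in this file (`reject { |c| azure_commit_author_email(c) == dependabot_email }` and the `find` variant) crash on any Azure commit without an author block while surviving one without an email. `commit.dig("author", "email") || ""` degrades the same way for both; the commit hash shape is not visible here, so confirm against the Azure client response before relying on it.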
@@ -1,6 +1,7 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require "dependabot/pull_request_updater/github"
|
4
|
+
require "dependabot/pull_request_updater/gitlab"
|
4
5
|
|
5
6
|
module Dependabot
|
6
7
|
class PullRequestUpdater
|
@@ -25,6 +26,7 @@ module Dependabot
|
|
25
26
|
def update
|
26
27
|
case source.provider
|
27
28
|
when "github" then github_updater.update
|
29
|
+
when "gitlab" then gitlab_updater.update
|
28
30
|
else raise "Unsupported provider #{source.provider}"
|
29
31
|
end
|
30
32
|
end
|
@@ -43,5 +45,16 @@ module Dependabot
|
|
43
45
|
signature_key: signature_key
|
44
46
|
)
|
45
47
|
end
|
48
|
+
|
49
|
+
def gitlab_updater
|
50
|
+
Gitlab.new(
|
51
|
+
source: source,
|
52
|
+
base_commit: base_commit,
|
53
|
+
old_commit: old_commit,
|
54
|
+
files: files,
|
55
|
+
credentials: credentials,
|
56
|
+
pull_request_number: pull_request_number
|
57
|
+
)
|
58
|
+
end
|
46
59
|
end
|
47
60
|
end
|
@@ -162,7 +162,7 @@ module Dependabot
|
|
162
162
|
return nil if e.message.match?(/Reference does not exist/i)
|
163
163
|
return nil if e.message.match?(/Reference cannot be updated/i)
|
164
164
|
|
165
|
-
if e.message.match?(/
|
165
|
+
if e.message.match?(/protected branch/i) ||
|
166
166
|
e.message.match?(/not authorized to push/i) ||
|
167
167
|
e.message.match?(/must not contain merge commits/)
|
168
168
|
raise BranchProtected
|
@@ -0,0 +1,85 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require "dependabot/clients/gitlab_with_retries"
|
4
|
+
require "dependabot/pull_request_creator"
|
5
|
+
require "gitlab"
|
6
|
+
|
7
|
+
module Dependabot
|
8
|
+
class PullRequestUpdater
|
9
|
+
class Gitlab
|
10
|
+
attr_reader :source, :files, :base_commit, :old_commit, :credentials,
|
11
|
+
:pull_request_number
|
12
|
+
|
13
|
+
def initialize(source:, base_commit:, old_commit:, files:,
|
14
|
+
credentials:, pull_request_number:)
|
15
|
+
@source = source
|
16
|
+
@base_commit = base_commit
|
17
|
+
@old_commit = old_commit
|
18
|
+
@files = files
|
19
|
+
@credentials = credentials
|
20
|
+
@pull_request_number = pull_request_number
|
21
|
+
end
|
22
|
+
|
23
|
+
def update
|
24
|
+
return unless merge_request_exists?
|
25
|
+
return unless branch_exists?(merge_request.source_branch)
|
26
|
+
|
27
|
+
create_commit
|
28
|
+
merge_request.source_branch
|
29
|
+
end
|
30
|
+
|
31
|
+
private
|
32
|
+
|
33
|
+
def merge_request_exists?
|
34
|
+
merge_request
|
35
|
+
true
|
36
|
+
rescue ::Gitlab::Error::NotFound
|
37
|
+
false
|
38
|
+
end
|
39
|
+
|
40
|
+
def merge_request
|
41
|
+
@merge_request ||= gitlab_client_for_source.merge_request(
|
42
|
+
source.repo,
|
43
|
+
pull_request_number
|
44
|
+
)
|
45
|
+
end
|
46
|
+
|
47
|
+
def gitlab_client_for_source
|
48
|
+
@gitlab_client_for_source ||=
|
49
|
+
Dependabot::Clients::GitlabWithRetries.for_source(
|
50
|
+
source: source,
|
51
|
+
credentials: credentials
|
52
|
+
)
|
53
|
+
end
|
54
|
+
|
55
|
+
def branch_exists?(name)
|
56
|
+
gitlab_client_for_source.branch(source.repo, name)
|
57
|
+
rescue ::Gitlab::Error::NotFound
|
58
|
+
false
|
59
|
+
end
|
60
|
+
|
61
|
+
def commit_being_updated
|
62
|
+
gitlab_client_for_source.commit(source.repo, old_commit)
|
63
|
+
end
|
64
|
+
|
65
|
+
def create_commit
|
66
|
+
actions = files.map do |file|
|
67
|
+
{
|
68
|
+
action: "update",
|
69
|
+
file_path: file.type == "symlink" ? file.symlink_target : file.path,
|
70
|
+
content: file.content
|
71
|
+
}
|
72
|
+
end
|
73
|
+
|
74
|
+
gitlab_client_for_source.create_commit(
|
75
|
+
source.repo,
|
76
|
+
merge_request.source_branch,
|
77
|
+
commit_being_updated.title,
|
78
|
+
actions,
|
79
|
+
force: true,
|
80
|
+
start_branch: merge_request.target_branch
|
81
|
+
)
|
82
|
+
end
|
83
|
+
end
|
84
|
+
end
|
85
|
+
end
|
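Review bot: `create_commit` passes `force: true` with `start_branch: merge_request.target_branch`, which rebuilds the MR source branch from the target and overwrites whatever is on it, yet `old_commit` — the commit this updater is replacing — is only read for its title; if anyone has pushed to the MR branch since, their commits are discarded with no check. `branch_exists?` already fetches the branch, so compare its head with `old_commit` and return before `create_commit` when they differ, the GitLab counterpart of the "reference cannot be updated" outcomes the GitHub updater handles. `branch_exists?` also returns the branch object rather than a boolean, which the rewrite below relies on. A class-level comment stating that `update` returns the source branch name, or nil when the MR or its branch is gone, would round this out.
```ruby
def update
  return unless merge_request_exists?

  branch = branch_exists?(merge_request.source_branch)
  return unless branch
  # Someone pushed to the MR branch since old_commit; force-creating the
  # commit below would discard their work, so leave the branch alone.
  return unless branch.commit.id == old_commit # ObjectifiedHash field name – confirm

  create_commit
  merge_request.source_branch
end
```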
@@ -8,17 +8,19 @@ module Dependabot
|
|
8
8
|
module UpdateCheckers
|
9
9
|
class Base
|
10
10
|
attr_reader :dependency, :dependency_files, :credentials,
|
11
|
-
:ignored_versions, :
|
12
|
-
:requirements_update_strategy
|
11
|
+
:ignored_versions, :raise_on_ignored,
|
12
|
+
:security_advisories, :requirements_update_strategy
|
13
13
|
|
14
14
|
def initialize(dependency:, dependency_files:, credentials:,
|
15
|
-
ignored_versions: [],
|
15
|
+
ignored_versions: [], raise_on_ignored: false,
|
16
|
+
security_advisories: [],
|
16
17
|
requirements_update_strategy: nil)
|
17
18
|
@dependency = dependency
|
18
19
|
@dependency_files = dependency_files
|
19
20
|
@credentials = credentials
|
20
21
|
@requirements_update_strategy = requirements_update_strategy
|
21
22
|
@ignored_versions = ignored_versions
|
23
|
+
@raise_on_ignored = raise_on_ignored
|
22
24
|
@security_advisories = security_advisories
|
23
25
|
end
|
24
26
|
|
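Review bot: `raise_on_ignored` is stored and exposed here, but nothing in this gem's diff forwards it: `GitCommitChecker` gained the same keyword in this release and only acts on it in `local_tag_for_latest_version`, so the flag is inert for git-sourced dependencies unless each ecosystem's checker passes `raise_on_ignored: raise_on_ignored` when it builds its GitCommitChecker — those checkers live outside this gem, so I cannot see whether they do. A short comment on the new attribute, e.g. `# When true, checkers raise Dependabot::AllVersionsIgnored instead of returning nil when ignore conditions exclude every candidate; subclasses must forward this to GitCommitChecker.`, would make the obligation explicit.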
data/lib/dependabot/version.rb
CHANGED
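--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.118.2
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-
+date: 2020-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk-codecommit
@@ -118,14 +118,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 4.
+version: 4.15.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 4.
+version: 4.15.0
 - !ruby/object:Gem::Dependency
 name: nokogiri
 requirement: !ruby/object:Gem::Requirement
@@ -306,28 +306,28 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.85.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.85.0
 - !ruby/object:Gem::Dependency
 name: vcr
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version:
+version: 6.0.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version:
+version: 6.0.0
 - !ruby/object:Gem::Dependency
 name: webmock
 requirement: !ruby/object:Gem::Requirement
@@ -393,6 +393,7 @@ files:
 - lib/dependabot/pull_request_creator/pr_name_prefixer.rb
 - lib/dependabot/pull_request_updater.rb
 - lib/dependabot/pull_request_updater/github.rb
+- lib/dependabot/pull_request_updater/gitlab.rb
 - lib/dependabot/security_advisory.rb
 - lib/dependabot/shared_helpers.rb
 - lib/dependabot/source.rb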