dependabot-common 0.117.9 → 0.118.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f710414291a0cefb5182b4f60f8da211abcf76b2b42564cc22e03c497a2c9f6
-  data.tar.gz: c7e6f540ecca5e370eec9a7c6632d7a1d3408bbf999a99e222da931160da6de2
+  metadata.gz: ab9d87af6e9cb01ca5e5bbfdd395d72520672ccd491db473cb3813029702d1c8
+  data.tar.gz: 0a595869a5c00de445e98e0151e441e3a9b05d0c0e790cb6eec4e6c8c2682bff
 SHA512:
-  metadata.gz: c9840fd6d06b5f0fe8812b18ab2d0a713dea432affb9de3868ad6629730a83cbecfc9ae1c760d6c812a71fca5216e59d9a2a414a40eecfd3997a9d1cbb74a49f
-  data.tar.gz: d954e4e5ca6ba0463ec284afdc200b4e71e35df24801488965e814b68df4b106453e26434175ff0c573f0d7d15d49ea4157a2116688a6faae00f9fd1da71edde
+  metadata.gz: 122b32a211a3dadfb2aa6325a57fd08cfa9923e37052ec840426915238ab46718cd8223195c0799e294dc9c4c4997dd5655d7386cf0c7b7845d36cbd07c6d42e
+  data.tar.gz: 199eb9dbb22dd28f2bd4b80f255eb27bf7e69cdf5d4f34b13d937ed6f60d81baf63c7a153a355e84019c760495bad94bb8d67b4e4087f5f87cb148561baf4941

data/lib/dependabot/errors.rb

@@ -25,7 +25,7 @@ module Dependabot
   class OutOfMemory < DependabotError; end
 
   #####################
-  # Repo leval errors #
+  # Repo level errors #
   #####################
 
   class BranchNotFound < DependabotError
@@ -191,4 +191,7 @@ module Dependabot
       super(msg)
     end
   end
+
+  # Raised by UpdateChecker if all candidate updates are ignored
+  class AllVersionsIgnored < DependabotError; end
 end

data/lib/dependabot/git_commit_checker.rb

@@ -21,11 +21,13 @@ module Dependabot
       )$
     /ix.freeze
 
-    def initialize(dependency:, credentials:, ignored_versions: [],
+    def initialize(dependency:, credentials:,
+                   ignored_versions: [], raise_on_ignored: false,
                    requirement_class: nil, version_class: nil)
       @dependency = dependency
       @credentials = credentials
       @ignored_versions = ignored_versions
+      @raise_on_ignored = raise_on_ignored
       @requirement_class = requirement_class
       @version_class = version_class
     end
@@ -85,15 +87,22 @@ module Dependabot
     end
 
     def local_tag_for_latest_version
-      tag =
+      tags =
         local_tags.
-        select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }.
-        reject { |t| tag_included_in_ignore_reqs?(t) }.
-        reject { |t| tag_is_prerelease?(t) && !wants_prerelease? }.
-        max_by do |t|
-          version = t.name.match(VERSION_REGEX).named_captures.fetch("version")
-          version_class.new(version)
-        end
+        select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
+      filtered = tags.
+                 reject { |t| tag_included_in_ignore_reqs?(t) }
+      if @raise_on_ignored && tags.any? && filtered.empty?
+        raise Dependabot::AllVersionsIgnored
+      end
+
+      tag = filtered.
+            reject { |t| tag_is_prerelease?(t) && !wants_prerelease? }.
+            max_by do |t|
+              version = t.name.match(VERSION_REGEX).named_captures.
+                        fetch("version")
+              version_class.new(version)
+            end
 
       return unless tag
 

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -314,24 +314,29 @@ module Dependabot
         end
 
         def new_version
-          @new_version ||= git_source? ? new_ref : dependency.version
-          @new_version&.gsub(/^v/, "")
+          return @new_version if defined?(@new_version)
+
+          new_version = git_source? && new_ref ? new_ref : dependency.version
+          @new_version = new_version&.gsub(/^v/, "")
         end
 
         def previous_ref
-          dependency.previous_requirements.map do |r|
+          previous_refs = dependency.previous_requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
-          dependency.requirements.map do |r|
+          new_refs = dependency.requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return new_refs.first if new_refs.count == 1
         end
 
         def ref_changed?
-          previous_ref && new_ref && previous_ref != new_ref
+          # We could go from multiple previous refs (nil) to a single new ref
+          previous_ref != new_ref
         end
 
         # TODO: Refactor me so that Composer doesn't need to be special cased
@@ -343,10 +348,8 @@ module Dependabot
           requirements = dependency.requirements
           sources = requirements.map { |r| r.fetch(:source) }.uniq.compact
           return false if sources.empty?
-          raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
 
-          source_type = sources.first[:type] || sources.first.fetch("type")
-          source_type == "git"
+          sources.all? { |s| s[:type] == "git" || s["type"] == "git" }
         end
 
         def major_version_upgrade?

data/lib/dependabot/metadata_finders/base/changelog_pruner.rb

@@ -139,19 +139,17 @@ module Dependabot
         end
 
         def previous_ref
-          dependency.previous_requirements.map do |r|
+          previous_refs = dependency.previous_requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
-          dependency.requirements.map do |r|
+          new_refs = dependency.requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
-        end
-
-        def ref_changed?
-          previous_ref && new_ref && previous_ref != new_ref
+          end.compact.uniq
+          return new_refs.first if new_refs.count == 1
         end
 
         # TODO: Refactor me so that Composer doesn't need to be special cased
@@ -163,10 +161,8 @@ module Dependabot
           requirements = dependency.requirements
           sources = requirements.map { |r| r.fetch(:source) }.uniq.compact
           return false if sources.empty?
-          raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
 
-          source_type = sources.first[:type] || sources.first.fetch("type")
-          source_type == "git"
+          sources.all? { |s| s[:type] == "git" || s["type"] == "git" }
         end
 
         def version_class

data/lib/dependabot/metadata_finders/base/commits_finder.rb

@@ -55,7 +55,7 @@ module Dependabot
             return new_version
           end
 
-          return new_ref if git_source?(dependency.requirements) && ref_changed?
+          return new_ref if new_ref && ref_changed?
 
           tags = dependency_tags.
                  select { |tag| tag_matches_version?(tag, new_version) }.
@@ -73,7 +73,7 @@ module Dependabot
           if git_source?(dependency.previous_requirements) &&
              git_sha?(previous_version)
             previous_version
-          elsif git_source?(dependency.previous_requirements) && ref_changed?
+          elsif previous_ref && ref_changed?
             previous_ref
           elsif previous_version
             tags = dependency_tags.
@@ -126,32 +126,31 @@ module Dependabot
 
           sources = requirements.map { |r| r.fetch(:source) }.uniq.compact
           return false if sources.empty?
-          raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
 
-          source_type = sources.first[:type] || sources.first.fetch("type")
-          source_type == "git"
+          sources.all? { |s| s[:type] == "git" || s["type"] == "git" }
         end
 
         def ref_changed?
-          return false unless previous_ref && new_ref
-
+          # We could go from multiple previous refs (nil) to a single new ref
           previous_ref != new_ref
         end
 
         def previous_ref
           return unless git_source?(dependency.previous_requirements)
 
-          dependency.previous_requirements.map do |r|
+          previous_refs = dependency.previous_requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
           return unless git_source?(dependency.previous_requirements)
 
-          dependency.requirements.map do |r|
+          new_refs = dependency.requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return new_refs.first if new_refs.count == 1
         end
 
         def tag_matches_version?(tag, version)

data/lib/dependabot/metadata_finders/base/release_finder.rb

@@ -251,8 +251,11 @@ module Dependabot
             return ref_changed? ? previous_ref : nil
           end
 
+          # Previous version looks like a git SHA and there's a previous ref, we
+          # could be changing to a nil previous ref in which case we want to
+          # fall back to tge sha version
           if dependency.previous_version.match?(/^[0-9a-f]{40}$/) &&
-             ref_changed?
+             ref_changed? && previous_ref
             previous_ref
           else
             dependency.previous_version
@@ -260,7 +263,11 @@ module Dependabot
         end
 
         def new_version
-          if dependency.version.match?(/^[0-9a-f]{40}$/) && ref_changed?
+          # New version looks like a git SHA and there's a new ref, guarding
+          # against changes to a nil new_ref (not certain this can actually
+          # happen atm)
+          if dependency.version.match?(/^[0-9a-f]{40}$/) && ref_changed? &&
+             new_ref
             return new_ref
           end
 
@@ -268,20 +275,21 @@ module Dependabot
         end
 
         def previous_ref
-          dependency.previous_requirements.map do |r|
+          previous_refs = dependency.previous_requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
-          dependency.requirements.map do |r|
+          new_refs = dependency.requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return new_refs.first if new_refs.count == 1
         end
 
         def ref_changed?
-          return false unless previous_ref
-
+          # We could go from multiple previous refs (nil) to a single new ref
           previous_ref != new_ref
         end
 

data/lib/dependabot/pull_request_creator/branch_namer.rb

@@ -36,7 +36,7 @@ module Dependabot
 
             dep = dependencies.first
 
-            if library? && ref_changed?(dependencies.first)
+            if library? && ref_changed?(dep) && new_ref(dep)
               "#{dependency_name_part}-#{new_ref(dep)}"
             elsif library?
               "#{dependency_name_part}-#{sanitized_requirement(dep)}"
@@ -116,9 +116,14 @@ module Dependabot
           gsub(",", "-and-")
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
       def new_version(dependency)
+        # Version looks like a git SHA and we could be updating to a specific
+        # ref in which case we return that otherwise we return a shorthand sha
         if dependency.version.match?(/^[0-9a-f]{40}$/)
-          return new_ref(dependency) if ref_changed?(dependency)
+          if ref_changed?(dependency) && new_ref(dependency)
+            return new_ref(dependency)
+          end
 
           dependency.version[0..6]
         elsif dependency.version == dependency.previous_version &&
@@ -130,22 +135,25 @@ module Dependabot
           dependency.version
         end
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
       def previous_ref(dependency)
-        dependency.previous_requirements.map do |r|
+        previous_refs = dependency.previous_requirements.map do |r|
           r.dig(:source, "ref") || r.dig(:source, :ref)
-        end.compact.first
+        end.compact.uniq
+        return previous_refs.first if previous_refs.count == 1
       end
 
       def new_ref(dependency)
-        dependency.requirements.map do |r|
+        new_refs = dependency.requirements.map do |r|
           r.dig(:source, "ref") || r.dig(:source, :ref)
-        end.compact.first
+        end.compact.uniq
+        return new_refs.first if new_refs.count == 1
       end
 
       def ref_changed?(dependency)
-        previous_ref(dependency) && new_ref(dependency) &&
-          previous_ref(dependency) != new_ref(dependency)
+        # We could go from multiple previous refs (nil) to a single new ref
+        previous_ref(dependency) != new_ref(dependency)
       end
 
       def new_library_requirement(dependency)
@@ -159,6 +167,9 @@ module Dependabot
         updated_reqs.first[:requirement]
       end
 
+      # TODO: Look into bringing this in line with existing library checks that
+      # we do in the update checkers, which are also overriden by passing an
+      # explicit `requirements_update_strategy`.
       def library?
         return true if files.map(&:name).any? { |nm| nm.end_with?(".gemspec") }
 

data/lib/dependabot/pull_request_creator/labeler.rb

@@ -6,6 +6,8 @@ module Dependabot
   class PullRequestCreator
     class Labeler
       DEPENDENCIES_LABEL_REGEX = %r{^[^/]*dependenc[^/]+$}i.freeze
+      DEFAULT_DEPENDENCIES_LABEL = "dependencies"
+      DEFAULT_SECURITY_LABEL = "security"
 
       @package_manager_labels = {}
 
@@ -170,12 +172,18 @@ module Dependabot
         if custom_labels then custom_labels & labels
         else
           [
-            labels.find { |l| l.match?(DEPENDENCIES_LABEL_REGEX) },
+            default_dependencies_label,
             label_language? ? language_label : nil
           ].compact
         end
       end
 
+      # Find the exact match first and then fallback to *dependenc* label
+      def default_dependencies_label
+        labels.find { |l| l == DEFAULT_DEPENDENCIES_LABEL } ||
+          labels.find { |l| l.match?(DEPENDENCIES_LABEL_REGEX) }
+      end
+
       def dependencies_label_exists?
         labels.any? { |l| l.match?(DEPENDENCIES_LABEL_REGEX) }
       end
@@ -260,7 +268,12 @@ module Dependabot
           self.class.label_details_for_package_manager(package_manager).
           fetch(:name)
 
-        @labels = [*@labels, "dependencies", "security", langauge_name].uniq
+        @labels = [
+          *@labels,
+          DEFAULT_DEPENDENCIES_LABEL,
+          DEFAULT_SECURITY_LABEL,
+          langauge_name
+        ].uniq
       end
 
       def create_dependencies_label
@@ -292,44 +305,44 @@ module Dependabot
 
       def create_github_dependencies_label
         github_client_for_source.add_label(
-          source.repo, "dependencies", "0366d6",
+          source.repo, DEFAULT_DEPENDENCIES_LABEL, "0366d6",
           description: "Pull requests that update a dependency file",
           accept: "application/vnd.github.symmetra-preview+json"
         )
-        @labels = [*@labels, "dependencies"].uniq
+        @labels = [*@labels, DEFAULT_DEPENDENCIES_LABEL].uniq
       rescue Octokit::UnprocessableEntity => e
         raise unless e.errors.first.fetch(:code) == "already_exists"
 
-        @labels = [*@labels, "dependencies"].uniq
+        @labels = [*@labels, DEFAULT_DEPENDENCIES_LABEL].uniq
       end
 
       def create_gitlab_dependencies_label
         gitlab_client_for_source.create_label(
-          source.repo, "dependencies", "#0366d6",
+          source.repo, DEFAULT_DEPENDENCIES_LABEL, "#0366d6",
           description: "Pull requests that update a dependency file"
         )
-        @labels = [*@labels, "dependencies"].uniq
+        @labels = [*@labels, DEFAULT_DEPENDENCIES_LABEL].uniq
       end
 
       def create_github_security_label
         github_client_for_source.add_label(
-          source.repo, "security", "ee0701",
+          source.repo, DEFAULT_SECURITY_LABEL, "ee0701",
           description: "Pull requests that address a security vulnerability",
           accept: "application/vnd.github.symmetra-preview+json"
         )
-        @labels = [*@labels, "security"].uniq
+        @labels = [*@labels, DEFAULT_SECURITY_LABEL].uniq
       rescue Octokit::UnprocessableEntity => e
         raise unless e.errors.first.fetch(:code) == "already_exists"
 
-        @labels = [*@labels, "security"].uniq
+        @labels = [*@labels, DEFAULT_SECURITY_LABEL].uniq
       end
 
       def create_gitlab_security_label
         gitlab_client_for_source.create_label(
-          source.repo, "security", "#ee0701",
+          source.repo, DEFAULT_SECURITY_LABEL, "#ee0701",
           description: "Pull requests that address a security vulnerability"
         )
-        @labels = [*@labels, "security"].uniq
+        @labels = [*@labels, DEFAULT_SECURITY_LABEL].uniq
       end
 
       def create_github_language_label

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -64,7 +64,7 @@ module Dependabot
         pr_name +
           if dependencies.count == 1
             "#{dependencies.first.display_name} requirement "\
-            "from #{old_library_requirement(dependencies.first)} "\
+            "#{from_version_msg(old_library_requirement(dependencies.first))}"\
             "to #{new_library_requirement(dependencies.first)}"
           else
             names = dependencies.map(&:name)
@@ -79,16 +79,18 @@ module Dependabot
         pr_name +
           if dependencies.count == 1
             dependency = dependencies.first
-            "#{dependency.display_name} from #{previous_version(dependency)} "\
+            "#{dependency.display_name} "\
+            "#{from_version_msg(previous_version(dependency))}"\
             "to #{new_version(dependency)}"
           elsif updating_a_property?
             dependency = dependencies.first
-            "#{property_name} from #{previous_version(dependency)} "\
+            "#{property_name} "\
+            "#{from_version_msg(previous_version(dependency))}"\
             "to #{new_version(dependency)}"
           elsif updating_a_dependency_set?
             dependency = dependencies.first
             "#{dependency_set.fetch(:group)} dependency set "\
-            "from #{previous_version(dependency)} "\
+            "#{from_version_msg(previous_version(dependency))}"\
             "to #{new_version(dependency)}"
           else
             names = dependencies.map(&:name)
@@ -178,7 +180,7 @@ module Dependabot
 
         dependency = dependencies.first
         msg = "Bumps #{dependency_links.first} "\
-              "from #{previous_version(dependency)} "\
+              "#{from_version_msg(previous_version(dependency))}"\
               "to #{new_version(dependency)}."
 
         if switching_from_ref_to_release?(dependency)
@@ -200,7 +202,7 @@ module Dependabot
         dependency = dependencies.first
 
         "Bumps `#{property_name}` "\
-        "from #{previous_version(dependency)} "\
+        "#{from_version_msg(previous_version(dependency))}"\
         "to #{new_version(dependency)}."
       end
 
@@ -208,7 +210,7 @@ module Dependabot
         dependency = dependencies.first
 
         "Bumps `#{dependency_set.fetch(:group)}` "\
-        "dependency set from #{previous_version(dependency)} "\
+        "dependency set #{from_version_msg(previous_version(dependency))}"\
         "to #{new_version(dependency)}."
       end
 
@@ -218,6 +220,12 @@ module Dependabot
         "dependencies needed to be updated together."
       end
 
+      def from_version_msg(previous_version)
+        return "" unless previous_version
+
+        "from #{previous_version} "
+      end
+
       def updating_a_property?
         dependencies.first.
           requirements.
@@ -268,7 +276,8 @@ module Dependabot
         end
 
         dependencies.map do |dep|
-          "\n\nUpdates `#{dep.display_name}` from #{previous_version(dep)} to "\
+          "\n\nUpdates `#{dep.display_name}` "\
+          "#{from_version_msg(previous_version(dep))}to "\
           "#{new_version(dep)}"\
           "#{metadata_links_for_dep(dep)}"
         end.join
@@ -289,8 +298,9 @@ module Dependabot
         end
 
         dependencies.map do |dep|
-          msg = "\nUpdates `#{dep.display_name}` from "\
-                "#{previous_version(dep)} to #{new_version(dep)}"
+          msg = "\nUpdates `#{dep.display_name}` "\
+                "#{from_version_msg(previous_version(dep))}"\
+                "to #{new_version(dep)}"
 
           if vulnerabilities_fixed[dep.name]&.one?
             msg += " **This update includes a security fix.**"
@@ -567,7 +577,9 @@ module Dependabot
         end
 
         if dependency.previous_version.match?(/^[0-9a-f]{40}$/)
-          return previous_ref(dependency) if ref_changed?(dependency)
+          if ref_changed?(dependency) && previous_ref(dependency)
+            return previous_ref(dependency)
+          end
 
           "`#{dependency.previous_version[0..6]}`"
         elsif dependency.version == dependency.previous_version &&
@@ -582,7 +594,9 @@ module Dependabot
 
       def new_version(dependency)
         if dependency.version.match?(/^[0-9a-f]{40}$/)
-          return new_ref(dependency) if ref_changed?(dependency)
+          if ref_changed?(dependency) && new_ref(dependency)
+            return new_ref(dependency)
+          end
 
           "`#{dependency.version[0..6]}`"
         elsif dependency.version == dependency.previous_version &&
@@ -601,15 +615,17 @@ module Dependabot
       end
 
       def previous_ref(dependency)
-        dependency.previous_requirements.map do |r|
+        previous_refs = dependency.previous_requirements.map do |r|
           r.dig(:source, "ref") || r.dig(:source, :ref)
-        end.compact.first
+        end.compact.uniq
+        return previous_refs.first if previous_refs.count == 1
       end
 
       def new_ref(dependency)
-        dependency.requirements.map do |r|
+        new_refs = dependency.requirements.map do |r|
           r.dig(:source, "ref") || r.dig(:source, :ref)
-        end.compact.first
+        end.compact.uniq
+        return new_refs.first if new_refs.count == 1
       end
 
       def old_library_requirement(dependency)
@@ -623,8 +639,6 @@ module Dependabot
         req = old_reqs.first.fetch(:requirement)
         return req if req
         return previous_ref(dependency) if ref_changed?(dependency)
-
-        raise "No previous requirement!"
       end
 
       def new_library_requirement(dependency)
@@ -637,7 +651,9 @@ module Dependabot
 
         req = updated_reqs.first.fetch(:requirement)
         return req if req
-        return new_ref(dependency) if ref_changed?(dependency)
+        if ref_changed?(dependency) && new_ref(dependency)
+          return new_ref(dependency)
+        end
 
         raise "No new requirement!"
       end
@@ -685,8 +701,6 @@ module Dependabot
       end
 
       def ref_changed?(dependency)
-        return false unless previous_ref(dependency)
-
         previous_ref(dependency) != new_ref(dependency)
       end
 

data/lib/dependabot/pull_request_creator/pr_name_prefixer.rb

@@ -314,7 +314,7 @@ module Dependabot
           azure_client_for_source.commits
 
         @recent_azure_commit_messages.
-          reject { |c| c.fetch("author").fetch("email") == dependabot_email }.
+          reject { |c| azure_commit_author_email(c) == dependabot_email }.
           reject { |c| c.fetch("comment")&.start_with?("Merge") }.
           map { |c| c.fetch("comment") }.
           compact.
@@ -355,7 +355,7 @@ module Dependabot
       def recent_github_commits
         @recent_github_commits ||=
           github_client_for_source.commits(source.repo, per_page: 100)
-      rescue Octokit::Conflict
+      rescue Octokit::Conflict, Octokit::NotFound
         @recent_github_commits ||= []
       end
 
@@ -374,7 +374,7 @@ module Dependabot
           azure_client_for_source.commits
 
         @recent_azure_commit_messages.
-          find { |c| c.fetch("author").fetch("email") == dependabot_email }&.
+          find { |c| azure_commit_author_email(c) == dependabot_email }&.
           message&.
           strip
       end
@@ -389,6 +389,10 @@ module Dependabot
           strip
       end
 
+      def azure_commit_author_email(commit)
+        commit.fetch("author").fetch("email", "")
+      end
+
       def github_client_for_source
         @github_client_for_source ||=
           Dependabot::Clients::GithubWithRetries.for_source(

data/lib/dependabot/pull_request_updater.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "dependabot/pull_request_updater/github"
+require "dependabot/pull_request_updater/gitlab"
 
 module Dependabot
   class PullRequestUpdater
@@ -25,6 +26,7 @@ module Dependabot
     def update
       case source.provider
       when "github" then github_updater.update
+      when "gitlab" then gitlab_updater.update
       else raise "Unsupported provider #{source.provider}"
       end
     end
@@ -43,5 +45,16 @@ module Dependabot
         signature_key: signature_key
       )
     end
+
+    def gitlab_updater
+      Gitlab.new(
+        source: source,
+        base_commit: base_commit,
+        old_commit: old_commit,
+        files: files,
+        credentials: credentials,
+        pull_request_number: pull_request_number
+      )
+    end
   end
 end

data/lib/dependabot/pull_request_updater/github.rb

@@ -162,7 +162,7 @@ module Dependabot
         return nil if e.message.match?(/Reference does not exist/i)
         return nil if e.message.match?(/Reference cannot be updated/i)
 
-        if e.message.match?(/force\-push to a protected/i) ||
+        if e.message.match?(/protected branch/i) ||
            e.message.match?(/not authorized to push/i) ||
            e.message.match?(/must not contain merge commits/)
           raise BranchProtected

data/lib/dependabot/pull_request_updater/gitlab.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require "dependabot/clients/gitlab_with_retries"
+require "dependabot/pull_request_creator"
+require "gitlab"
+
+module Dependabot
+  class PullRequestUpdater
+    class Gitlab
+      attr_reader :source, :files, :base_commit, :old_commit, :credentials,
+                  :pull_request_number
+
+      def initialize(source:, base_commit:, old_commit:, files:,
+                     credentials:, pull_request_number:)
+        @source              = source
+        @base_commit         = base_commit
+        @old_commit          = old_commit
+        @files               = files
+        @credentials         = credentials
+        @pull_request_number = pull_request_number
+      end
+
+      def update
+        return unless merge_request_exists?
+        return unless branch_exists?(merge_request.source_branch)
+
+        create_commit
+        merge_request.source_branch
+      end
+
+      private
+
+      def merge_request_exists?
+        merge_request
+        true
+      rescue ::Gitlab::Error::NotFound
+        false
+      end
+
+      def merge_request
+        @merge_request ||= gitlab_client_for_source.merge_request(
+          source.repo,
+          pull_request_number
+        )
+      end
+
+      def gitlab_client_for_source
+        @gitlab_client_for_source ||=
+          Dependabot::Clients::GitlabWithRetries.for_source(
+            source: source,
+            credentials: credentials
+          )
+      end
+
+      def branch_exists?(name)
+        gitlab_client_for_source.branch(source.repo, name)
+      rescue ::Gitlab::Error::NotFound
+        false
+      end
+
+      def commit_being_updated
+        gitlab_client_for_source.commit(source.repo, old_commit)
+      end
+
+      def create_commit
+        actions = files.map do |file|
+          {
+            action: "update",
+            file_path: file.type == "symlink" ? file.symlink_target : file.path,
+            content: file.content
+          }
+        end
+
+        gitlab_client_for_source.create_commit(
+          source.repo,
+          merge_request.source_branch,
+          commit_being_updated.title,
+          actions,
+          force: true,
+          start_branch: merge_request.target_branch
+        )
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/base.rb

@@ -8,17 +8,19 @@ module Dependabot
   module UpdateCheckers
     class Base
       attr_reader :dependency, :dependency_files, :credentials,
-                  :ignored_versions, :security_advisories,
-                  :requirements_update_strategy
+                  :ignored_versions, :raise_on_ignored,
+                  :security_advisories, :requirements_update_strategy
 
       def initialize(dependency:, dependency_files:, credentials:,
-                     ignored_versions: [], security_advisories: [],
+                     ignored_versions: [], raise_on_ignored: false,
+                     security_advisories: [],
                      requirements_update_strategy: nil)
         @dependency = dependency
         @dependency_files = dependency_files
         @credentials = credentials
         @requirements_update_strategy = requirements_update_strategy
         @ignored_versions = ignored_versions
+        @raise_on_ignored = raise_on_ignored
         @security_advisories = security_advisories
       end
 

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.117.9"
+  VERSION = "0.118.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.117.9
+  version: 0.118.2
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-19 00:00:00.000000000 Z
+date: 2020-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -118,14 +118,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.14.1
+        version: 4.15.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.14.1
+        version: 4.15.0
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -306,28 +306,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.83.0
+        version: 0.85.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.83.0
+        version: 0.85.0
 - !ruby/object:Gem::Dependency
   name: vcr
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: 6.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: 6.0.0
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -393,6 +393,7 @@ files:
 - lib/dependabot/pull_request_creator/pr_name_prefixer.rb
 - lib/dependabot/pull_request_updater.rb
 - lib/dependabot/pull_request_updater/github.rb
+- lib/dependabot/pull_request_updater/gitlab.rb
 - lib/dependabot/security_advisory.rb
 - lib/dependabot/shared_helpers.rb
 - lib/dependabot/source.rb