dependabot-common 0.118.1 → 0.118.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e5508a2fb0bd77cff97062f9dc172973b650958b6f0b2f2ae9e35f2b11185eb6
-  data.tar.gz: 873df8dae15041c881b82ae1b7ca6e25c4044563acd2b883a2a7b04093ffc392
+  metadata.gz: ab9d87af6e9cb01ca5e5bbfdd395d72520672ccd491db473cb3813029702d1c8
+  data.tar.gz: 0a595869a5c00de445e98e0151e441e3a9b05d0c0e790cb6eec4e6c8c2682bff
 SHA512:
-  metadata.gz: 922fda6863fefe18f76385e2f56b60609fad004ceff52fbc47056a6908b83a1fab69139741312980ed62e4fd5b4ea172766ba458f9e8216867990dcc10d81a33
-  data.tar.gz: 70afe1040d4fa6f4787e2eb339f4b380b10142e184706342d05ad2b140c1f79673c5b00be353fb58eee640d48cabc4866df524fe4fbbf3810757366405707537
+  metadata.gz: 122b32a211a3dadfb2aa6325a57fd08cfa9923e37052ec840426915238ab46718cd8223195c0799e294dc9c4c4997dd5655d7386cf0c7b7845d36cbd07c6d42e
+  data.tar.gz: 199eb9dbb22dd28f2bd4b80f255eb27bf7e69cdf5d4f34b13d937ed6f60d81baf63c7a153a355e84019c760495bad94bb8d67b4e4087f5f87cb148561baf4941

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -314,24 +314,29 @@ module Dependabot
         end
 
         def new_version
-          @new_version ||= git_source? ? new_ref : dependency.version
-          @new_version&.gsub(/^v/, "")
+          return @new_version if defined?(@new_version)
+
+          new_version = git_source? && new_ref ? new_ref : dependency.version
+          @new_version = new_version&.gsub(/^v/, "")
         end
 
         def previous_ref
-          dependency.previous_requirements.map do |r|
+          previous_refs = dependency.previous_requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
-          dependency.requirements.map do |r|
+          new_refs = dependency.requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return new_refs.first if new_refs.count == 1
         end
 
         def ref_changed?
-          previous_ref && new_ref && previous_ref != new_ref
+          # We could go from multiple previous refs (nil) to a single new ref
+          previous_ref != new_ref
         end
 
         # TODO: Refactor me so that Composer doesn't need to be special cased
@@ -343,10 +348,8 @@ module Dependabot
           requirements = dependency.requirements
           sources = requirements.map { |r| r.fetch(:source) }.uniq.compact
           return false if sources.empty?
-          raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
 
-          source_type = sources.first[:type] || sources.first.fetch("type")
-          source_type == "git"
+          sources.all? { |s| s[:type] == "git" || s["type"] == "git" }
         end
 
         def major_version_upgrade?

data/lib/dependabot/metadata_finders/base/changelog_pruner.rb

@@ -139,19 +139,17 @@ module Dependabot
         end
 
         def previous_ref
-          dependency.previous_requirements.map do |r|
+          previous_refs = dependency.previous_requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
-          dependency.requirements.map do |r|
+          new_refs = dependency.requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
-        end
-
-        def ref_changed?
-          previous_ref && new_ref && previous_ref != new_ref
+          end.compact.uniq
+          return new_refs.first if new_refs.count == 1
         end
 
         # TODO: Refactor me so that Composer doesn't need to be special cased
@@ -163,10 +161,8 @@ module Dependabot
           requirements = dependency.requirements
           sources = requirements.map { |r| r.fetch(:source) }.uniq.compact
           return false if sources.empty?
-          raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
 
-          source_type = sources.first[:type] || sources.first.fetch("type")
-          source_type == "git"
+          sources.all? { |s| s[:type] == "git" || s["type"] == "git" }
         end
 
         def version_class

data/lib/dependabot/metadata_finders/base/commits_finder.rb

@@ -55,7 +55,7 @@ module Dependabot
             return new_version
           end
 
-          return new_ref if git_source?(dependency.requirements) && ref_changed?
+          return new_ref if new_ref && ref_changed?
 
           tags = dependency_tags.
                  select { |tag| tag_matches_version?(tag, new_version) }.
@@ -73,7 +73,7 @@ module Dependabot
           if git_source?(dependency.previous_requirements) &&
              git_sha?(previous_version)
             previous_version
-          elsif git_source?(dependency.previous_requirements) && ref_changed?
+          elsif previous_ref && ref_changed?
             previous_ref
           elsif previous_version
             tags = dependency_tags.
@@ -126,32 +126,31 @@ module Dependabot
 
           sources = requirements.map { |r| r.fetch(:source) }.uniq.compact
           return false if sources.empty?
-          raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
 
-          source_type = sources.first[:type] || sources.first.fetch("type")
-          source_type == "git"
+          sources.all? { |s| s[:type] == "git" || s["type"] == "git" }
         end
 
         def ref_changed?
-          return false unless previous_ref && new_ref
-
+          # We could go from multiple previous refs (nil) to a single new ref
           previous_ref != new_ref
         end
 
         def previous_ref
           return unless git_source?(dependency.previous_requirements)
 
-          dependency.previous_requirements.map do |r|
+          previous_refs = dependency.previous_requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
           return unless git_source?(dependency.previous_requirements)
 
-          dependency.requirements.map do |r|
+          new_refs = dependency.requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return new_refs.first if new_refs.count == 1
         end
 
         def tag_matches_version?(tag, version)

data/lib/dependabot/metadata_finders/base/release_finder.rb

@@ -251,8 +251,11 @@ module Dependabot
             return ref_changed? ? previous_ref : nil
           end
 
+          # Previous version looks like a git SHA and there's a previous ref, we
+          # could be changing to a nil previous ref in which case we want to
+          # fall back to tge sha version
           if dependency.previous_version.match?(/^[0-9a-f]{40}$/) &&
-             ref_changed?
+             ref_changed? && previous_ref
             previous_ref
           else
             dependency.previous_version
@@ -260,7 +263,11 @@ module Dependabot
         end
 
         def new_version
-          if dependency.version.match?(/^[0-9a-f]{40}$/) && ref_changed?
+          # New version looks like a git SHA and there's a new ref, guarding
+          # against changes to a nil new_ref (not certain this can actually
+          # happen atm)
+          if dependency.version.match?(/^[0-9a-f]{40}$/) && ref_changed? &&
+             new_ref
             return new_ref
           end
 
@@ -268,20 +275,21 @@ module Dependabot
         end
 
         def previous_ref
-          dependency.previous_requirements.map do |r|
+          previous_refs = dependency.previous_requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
-          dependency.requirements.map do |r|
+          new_refs = dependency.requirements.map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.first
+          end.compact.uniq
+          return new_refs.first if new_refs.count == 1
         end
 
         def ref_changed?
-          return false unless previous_ref
-
+          # We could go from multiple previous refs (nil) to a single new ref
           previous_ref != new_ref
         end
 

data/lib/dependabot/pull_request_creator/branch_namer.rb

@@ -36,7 +36,7 @@ module Dependabot
 
             dep = dependencies.first
 
-            if library? && ref_changed?(dependencies.first)
+            if library? && ref_changed?(dep) && new_ref(dep)
               "#{dependency_name_part}-#{new_ref(dep)}"
             elsif library?
               "#{dependency_name_part}-#{sanitized_requirement(dep)}"
@@ -116,9 +116,14 @@ module Dependabot
           gsub(",", "-and-")
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
       def new_version(dependency)
+        # Version looks like a git SHA and we could be updating to a specific
+        # ref in which case we return that otherwise we return a shorthand sha
         if dependency.version.match?(/^[0-9a-f]{40}$/)
-          return new_ref(dependency) if ref_changed?(dependency)
+          if ref_changed?(dependency) && new_ref(dependency)
+            return new_ref(dependency)
+          end
 
           dependency.version[0..6]
         elsif dependency.version == dependency.previous_version &&
@@ -130,22 +135,25 @@ module Dependabot
           dependency.version
         end
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
       def previous_ref(dependency)
-        dependency.previous_requirements.map do |r|
+        previous_refs = dependency.previous_requirements.map do |r|
           r.dig(:source, "ref") || r.dig(:source, :ref)
-        end.compact.first
+        end.compact.uniq
+        return previous_refs.first if previous_refs.count == 1
       end
 
       def new_ref(dependency)
-        dependency.requirements.map do |r|
+        new_refs = dependency.requirements.map do |r|
           r.dig(:source, "ref") || r.dig(:source, :ref)
-        end.compact.first
+        end.compact.uniq
+        return new_refs.first if new_refs.count == 1
       end
 
       def ref_changed?(dependency)
-        previous_ref(dependency) && new_ref(dependency) &&
-          previous_ref(dependency) != new_ref(dependency)
+        # We could go from multiple previous refs (nil) to a single new ref
+        previous_ref(dependency) != new_ref(dependency)
       end
 
       def new_library_requirement(dependency)
@@ -159,6 +167,9 @@ module Dependabot
         updated_reqs.first[:requirement]
       end
 
+      # TODO: Look into bringing this in line with existing library checks that
+      # we do in the update checkers, which are also overriden by passing an
+      # explicit `requirements_update_strategy`.
       def library?
         return true if files.map(&:name).any? { |nm| nm.end_with?(".gemspec") }
 

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -64,7 +64,7 @@ module Dependabot
         pr_name +
           if dependencies.count == 1
             "#{dependencies.first.display_name} requirement "\
-            "from #{old_library_requirement(dependencies.first)} "\
+            "#{from_version_msg(old_library_requirement(dependencies.first))}"\
             "to #{new_library_requirement(dependencies.first)}"
           else
             names = dependencies.map(&:name)
@@ -79,16 +79,18 @@ module Dependabot
         pr_name +
           if dependencies.count == 1
             dependency = dependencies.first
-            "#{dependency.display_name} from #{previous_version(dependency)} "\
+            "#{dependency.display_name} "\
+            "#{from_version_msg(previous_version(dependency))}"\
             "to #{new_version(dependency)}"
           elsif updating_a_property?
             dependency = dependencies.first
-            "#{property_name} from #{previous_version(dependency)} "\
+            "#{property_name} "\
+            "#{from_version_msg(previous_version(dependency))}"\
             "to #{new_version(dependency)}"
           elsif updating_a_dependency_set?
             dependency = dependencies.first
             "#{dependency_set.fetch(:group)} dependency set "\
-            "from #{previous_version(dependency)} "\
+            "#{from_version_msg(previous_version(dependency))}"\
             "to #{new_version(dependency)}"
           else
             names = dependencies.map(&:name)
@@ -178,7 +180,7 @@ module Dependabot
 
         dependency = dependencies.first
         msg = "Bumps #{dependency_links.first} "\
-              "from #{previous_version(dependency)} "\
+              "#{from_version_msg(previous_version(dependency))}"\
               "to #{new_version(dependency)}."
 
         if switching_from_ref_to_release?(dependency)
@@ -200,7 +202,7 @@ module Dependabot
         dependency = dependencies.first
 
         "Bumps `#{property_name}` "\
-        "from #{previous_version(dependency)} "\
+        "#{from_version_msg(previous_version(dependency))}"\
         "to #{new_version(dependency)}."
       end
 
@@ -208,7 +210,7 @@ module Dependabot
         dependency = dependencies.first
 
         "Bumps `#{dependency_set.fetch(:group)}` "\
-        "dependency set from #{previous_version(dependency)} "\
+        "dependency set #{from_version_msg(previous_version(dependency))}"\
         "to #{new_version(dependency)}."
       end
 
@@ -218,6 +220,12 @@ module Dependabot
         "dependencies needed to be updated together."
       end
 
+      def from_version_msg(previous_version)
+        return "" unless previous_version
+
+        "from #{previous_version} "
+      end
+
       def updating_a_property?
         dependencies.first.
           requirements.
@@ -268,7 +276,8 @@ module Dependabot
         end
 
         dependencies.map do |dep|
-          "\n\nUpdates `#{dep.display_name}` from #{previous_version(dep)} to "\
+          "\n\nUpdates `#{dep.display_name}` "\
+          "#{from_version_msg(previous_version(dep))}to "\
           "#{new_version(dep)}"\
           "#{metadata_links_for_dep(dep)}"
         end.join
@@ -289,8 +298,9 @@ module Dependabot
         end
 
         dependencies.map do |dep|
-          msg = "\nUpdates `#{dep.display_name}` from "\
-                "#{previous_version(dep)} to #{new_version(dep)}"
+          msg = "\nUpdates `#{dep.display_name}` "\
+                "#{from_version_msg(previous_version(dep))}"\
+                "to #{new_version(dep)}"
 
           if vulnerabilities_fixed[dep.name]&.one?
             msg += " **This update includes a security fix.**"
@@ -567,7 +577,9 @@ module Dependabot
         end
 
         if dependency.previous_version.match?(/^[0-9a-f]{40}$/)
-          return previous_ref(dependency) if ref_changed?(dependency)
+          if ref_changed?(dependency) && previous_ref(dependency)
+            return previous_ref(dependency)
+          end
 
           "`#{dependency.previous_version[0..6]}`"
         elsif dependency.version == dependency.previous_version &&
@@ -582,7 +594,9 @@ module Dependabot
 
       def new_version(dependency)
         if dependency.version.match?(/^[0-9a-f]{40}$/)
-          return new_ref(dependency) if ref_changed?(dependency)
+          if ref_changed?(dependency) && new_ref(dependency)
+            return new_ref(dependency)
+          end
 
           "`#{dependency.version[0..6]}`"
         elsif dependency.version == dependency.previous_version &&
@@ -601,15 +615,17 @@ module Dependabot
       end
 
       def previous_ref(dependency)
-        dependency.previous_requirements.map do |r|
+        previous_refs = dependency.previous_requirements.map do |r|
           r.dig(:source, "ref") || r.dig(:source, :ref)
-        end.compact.first
+        end.compact.uniq
+        return previous_refs.first if previous_refs.count == 1
       end
 
       def new_ref(dependency)
-        dependency.requirements.map do |r|
+        new_refs = dependency.requirements.map do |r|
           r.dig(:source, "ref") || r.dig(:source, :ref)
-        end.compact.first
+        end.compact.uniq
+        return new_refs.first if new_refs.count == 1
       end
 
       def old_library_requirement(dependency)
@@ -623,8 +639,6 @@ module Dependabot
         req = old_reqs.first.fetch(:requirement)
         return req if req
         return previous_ref(dependency) if ref_changed?(dependency)
-
-        raise "No previous requirement!"
       end
 
       def new_library_requirement(dependency)
@@ -637,7 +651,9 @@ module Dependabot
 
         req = updated_reqs.first.fetch(:requirement)
         return req if req
-        return new_ref(dependency) if ref_changed?(dependency)
+        if ref_changed?(dependency) && new_ref(dependency)
+          return new_ref(dependency)
+        end
 
         raise "No new requirement!"
       end
@@ -685,8 +701,6 @@ module Dependabot
       end
 
       def ref_changed?(dependency)
-        return false unless previous_ref(dependency)
-
         previous_ref(dependency) != new_ref(dependency)
       end
 

data/lib/dependabot/pull_request_creator/pr_name_prefixer.rb

@@ -355,7 +355,7 @@ module Dependabot
       def recent_github_commits
         @recent_github_commits ||=
           github_client_for_source.commits(source.repo, per_page: 100)
-      rescue Octokit::Conflict
+      rescue Octokit::Conflict, Octokit::NotFound
         @recent_github_commits ||= []
       end
 

data/lib/dependabot/pull_request_updater.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "dependabot/pull_request_updater/github"
+require "dependabot/pull_request_updater/gitlab"
 
 module Dependabot
   class PullRequestUpdater
@@ -25,6 +26,7 @@ module Dependabot
     def update
       case source.provider
       when "github" then github_updater.update
+      when "gitlab" then gitlab_updater.update
       else raise "Unsupported provider #{source.provider}"
       end
     end
@@ -43,5 +45,16 @@ module Dependabot
         signature_key: signature_key
       )
     end
+
+    def gitlab_updater
+      Gitlab.new(
+        source: source,
+        base_commit: base_commit,
+        old_commit: old_commit,
+        files: files,
+        credentials: credentials,
+        pull_request_number: pull_request_number
+      )
+    end
   end
 end

data/lib/dependabot/pull_request_updater/github.rb

@@ -162,7 +162,7 @@ module Dependabot
         return nil if e.message.match?(/Reference does not exist/i)
         return nil if e.message.match?(/Reference cannot be updated/i)
 
-        if e.message.match?(/force\-push to a protected/i) ||
+        if e.message.match?(/protected branch/i) ||
            e.message.match?(/not authorized to push/i) ||
            e.message.match?(/must not contain merge commits/)
           raise BranchProtected

data/lib/dependabot/pull_request_updater/gitlab.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require "dependabot/clients/gitlab_with_retries"
+require "dependabot/pull_request_creator"
+require "gitlab"
+
+module Dependabot
+  class PullRequestUpdater
+    class Gitlab
+      attr_reader :source, :files, :base_commit, :old_commit, :credentials,
+                  :pull_request_number
+
+      def initialize(source:, base_commit:, old_commit:, files:,
+                     credentials:, pull_request_number:)
+        @source              = source
+        @base_commit         = base_commit
+        @old_commit          = old_commit
+        @files               = files
+        @credentials         = credentials
+        @pull_request_number = pull_request_number
+      end
+
+      def update
+        return unless merge_request_exists?
+        return unless branch_exists?(merge_request.source_branch)
+
+        create_commit
+        merge_request.source_branch
+      end
+
+      private
+
+      def merge_request_exists?
+        merge_request
+        true
+      rescue ::Gitlab::Error::NotFound
+        false
+      end
+
+      def merge_request
+        @merge_request ||= gitlab_client_for_source.merge_request(
+          source.repo,
+          pull_request_number
+        )
+      end
+
+      def gitlab_client_for_source
+        @gitlab_client_for_source ||=
+          Dependabot::Clients::GitlabWithRetries.for_source(
+            source: source,
+            credentials: credentials
+          )
+      end
+
+      def branch_exists?(name)
+        gitlab_client_for_source.branch(source.repo, name)
+      rescue ::Gitlab::Error::NotFound
+        false
+      end
+
+      def commit_being_updated
+        gitlab_client_for_source.commit(source.repo, old_commit)
+      end
+
+      def create_commit
+        actions = files.map do |file|
+          {
+            action: "update",
+            file_path: file.type == "symlink" ? file.symlink_target : file.path,
+            content: file.content
+          }
+        end
+
+        gitlab_client_for_source.create_commit(
+          source.repo,
+          merge_request.source_branch,
+          commit_being_updated.title,
+          actions,
+          force: true,
+          start_branch: merge_request.target_branch
+        )
+      end
+    end
+  end
+end

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.118.1"
+  VERSION = "0.118.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.118.1
+  version: 0.118.2
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-04 00:00:00.000000000 Z
+date: 2020-06-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -118,14 +118,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.14.1
+        version: 4.15.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.14.1
+        version: 4.15.0
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -306,28 +306,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.83.0
+        version: 0.85.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.83.0
+        version: 0.85.0
 - !ruby/object:Gem::Dependency
   name: vcr
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: 6.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: 6.0.0
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -393,6 +393,7 @@ files:
 - lib/dependabot/pull_request_creator/pr_name_prefixer.rb
 - lib/dependabot/pull_request_updater.rb
 - lib/dependabot/pull_request_updater/github.rb
+- lib/dependabot/pull_request_updater/gitlab.rb
 - lib/dependabot/security_advisory.rb
 - lib/dependabot/shared_helpers.rb
 - lib/dependabot/source.rb