dependabot-common 0.118.3 → 0.118.8

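--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: d722e5df4607da96bfecc6e9f8fee39ff7ece6b069aaa25652c37fe1899e862b
-data.tar.gz: '002249968a3815f8ece501ee39825d7b98630d44a2015c3e198346452646cb33'
+metadata.gz: 3aa2fa4ee99aae2148aba335da32c724f150b7b444ce0da890b348951a92833c
+data.tar.gz: 0f51c1cf161b807edab14e3b0d025aa554122e103a206c39e6e1ecaf6f99b6d4
 SHA512:
-metadata.gz: 255df4e43643c130fd8e947a49e8c951234e6e66da0fef3c165f4521d176b478c70bff9dd2fa223a26641c4124280681100d8cd3c17ec3839cebf99465a3b7a8
-data.tar.gz: 5beed00fd52d9f8ed67e50580f9eb509dab6071c8ade88f22002e70d4007cefc88b4a592360b887356cd74d4a76e58db575a970822bbe8db90a132ab577f9b73
+metadata.gz: e6da87803c67049bdca51fd5594a92eee652942c3fd51f868ca583856a78770b908285bc04008d6c23ff944b8565213727ff73e53c09a0931c98d28f93bdb021
+data.tar.gz: 9e155ad29f7c812a38e4fdb5925bf449e3bc4014d320344cab90466e2bd3e31936e02db7adb79838427d0116362d7e14f4b82e456783da92b4491372d877988f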
@@ -47,7 +47,6 @@ module Dependabot
47
47
 
48
48
  attr_reader :url, :credentials
49
49
 
50
- # rubocop:disable Metrics/CyclomaticComplexity
51
50
  # rubocop:disable Metrics/PerceivedComplexity
52
51
  def fetch_upload_pack_for(uri)
53
52
  response = fetch_raw_upload_pack_for(uri)
@@ -79,7 +78,6 @@ module Dependabot
79
78
 
80
79
  raise Dependabot::GitDependenciesNotReachable, [uri]
81
80
  end
82
- # rubocop:enable Metrics/CyclomaticComplexity
83
81
  # rubocop:enable Metrics/PerceivedComplexity
84
82
 
85
83
  def fetch_raw_upload_pack_for(uri)
@@ -76,7 +76,6 @@ module Dependabot
76
76
 
77
77
  private
78
78
 
79
- # rubocop:disable Metrics/CyclomaticComplexity
80
79
  # rubocop:disable Metrics/PerceivedComplexity
81
80
  def changelog
82
81
  return unless changelog_from_suggested_url || source
@@ -98,7 +97,6 @@ module Dependabot
98
97
  # Fall back to the changelog (or nil) from the default branch
99
98
  default_branch_changelog
100
99
  end
101
- # rubocop:enable Metrics/CyclomaticComplexity
102
100
  # rubocop:enable Metrics/PerceivedComplexity
103
101
 
104
102
  def changelog_from_suggested_url
@@ -89,21 +89,9 @@ module Dependabot
89
89
  @automerge_candidate
90
90
  end
91
91
 
92
- # rubocop:disable Metrics/PerceivedComplexity
93
92
  def update_type
94
93
  return unless dependencies.any?(&:previous_version)
95
94
 
96
- precision = dependencies.map do |dep|
97
- new_version_parts = version(dep).split(".")
98
- old_version_parts = previous_version(dep)&.split(".") || []
99
- all_parts = new_version_parts.first(3) + old_version_parts.first(3)
100
- next 0 unless all_parts.all? { |part| part.to_i.to_s == part }
101
- next 1 if new_version_parts[0] != old_version_parts[0]
102
- next 2 if new_version_parts[1] != old_version_parts[1]
103
-
104
- 3
105
- end.min
106
-
107
95
  case precision
108
96
  when 0 then "non-semver"
109
97
  when 1 then "major"
@@ -112,7 +100,18 @@ module Dependabot
112
100
  end
113
101
  end
114
102
 
115
- # rubocop:enable Metrics/PerceivedComplexity
103
+ def precision
104
+ dependencies.map do |dep|
105
+ new_version_parts = version(dep).split(/[.+]/)
106
+ old_version_parts = previous_version(dep)&.split(/[.+]/) || []
107
+ all_parts = new_version_parts.first(3) + old_version_parts.first(3)
108
+ next 0 unless all_parts.all? { |part| part.to_i.to_s == part }
109
+ next 1 if new_version_parts[0] != old_version_parts[0]
110
+ next 2 if new_version_parts[1] != old_version_parts[1]
111
+
112
+ 3
113
+ end.min
114
+ end
116
115
 
117
116
  def version(dep)
118
117
  return dep.version if version_class.correct?(dep.version)
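Review bot: The extracted `precision` method (new-side line 103) carries no comment, and its 0/1/2/3 return values only make sense through the `case` in `update_type`, so a header such as `# Smallest semver component that changed across all dependencies: 0 = non-semver, 1 = major, 2 = minor, 3 = patch` would help. Splitting on `/[.+]/` instead of `"."` is a behaviour change: a build-metadata suffix such as `1.2.3+build.4` (constructed example) is now read as numeric parts instead of being classed "non-semver", which looks intended, but it also means a version like `1.2+7` would treat `7` as the patch component — worth a comment if that is acceptable. Whether `precision` ends up public or private depends on a visibility marker outside the hunk; it is only used by `update_type`, so `private` seems appropriate. The enclosing class starts and ends outside the hunk.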
@@ -192,8 +191,10 @@ module Dependabot
192
191
  !security_label.nil?
193
192
  end
194
193
 
194
+ # Find the exact match first and then fallback to * security* label
195
195
  def security_label
196
- labels.find { |l| l.match?(/security/i) }
196
+ labels.find { |l| l == DEFAULT_SECURITY_LABEL } ||
197
+ labels.find { |l| l.match?(/security/i) }
197
198
  end
198
199
 
199
200
  def label_update_type?
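Review bot: The new comment `# Find the exact match first and then fallback to * security* label` is hard to read because of the stray asterisks; `# Prefer an exact DEFAULT_SECURITY_LABEL match, then fall back to any label containing "security" (case-insensitive)` states the same precedence plainly. The first `find` can only ever return `DEFAULT_SECURITY_LABEL` itself, so `labels.include?(DEFAULT_SECURITY_LABEL)` would express the intent more directly, though the current form is correct. `DEFAULT_SECURITY_LABEL` is defined outside the hunk.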
@@ -323,7 +323,7 @@ module Dependabot
323
323
  msg += commits_cascade(dep)
324
324
  msg += maintainer_changes_cascade(dep)
325
325
  msg += break_tag unless msg == ""
326
- "\n" + sanitize_links_and_mentions(msg)
326
+ "\n" + sanitize_links_and_mentions(msg, unsafe: true)
327
327
  end
328
328
 
329
329
  def vulnerabilities_cascade(dep)
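Review bot: Passing `unsafe: true` on the assembled `msg` (new-side line 326) keeps every raw HTML fragment in the message verbatim, so escaping now depends on each untrusted piece having been run through `sanitize_links_and_mentions` on its own before concatenation. The hunk at line 440 does that for `maintainer_changes(dep)`, but whether `vulnerabilities_cascade`, `commits_cascade` and the other cascades are escaped individually is not visible here and should be confirmed. A comment at the call site would make the contract explicit: `# unsafe: keeps the markup this builder emits itself (e.g. break_tag); every upstream fragment must already be sanitized`. The enclosing method starts outside the hunk.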
@@ -437,7 +437,7 @@ module Dependabot
437
437
 
438
438
  build_details_tag(
439
439
  summary: "Maintainer changes",
440
- body: maintainer_changes(dep) + "\n"
440
+ body: sanitize_links_and_mentions(maintainer_changes(dep)) + "\n"
441
441
  )
442
442
  end
443
443
 
@@ -680,12 +680,12 @@ module Dependabot
680
680
  end
681
681
  end
682
682
 
683
- def sanitize_links_and_mentions(text)
683
+ def sanitize_links_and_mentions(text, unsafe: false)
684
684
  return text unless source.provider == "github"
685
685
 
686
686
  LinkAndMentionSanitizer.
687
687
  new(github_redirection_service: github_redirection_service).
688
- sanitize_links_and_mentions(text: text)
688
+ sanitize_links_and_mentions(text: text, unsafe: unsafe)
689
689
  end
690
690
 
691
691
  def sanitize_template_tags(text)
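Review bot: The new `unsafe:` keyword on `sanitize_links_and_mentions` (new-side line 683) is undocumented, and the early `return text unless source.provider == "github"` means `unsafe: false` does not imply any HTML handling for other providers — a caller reading only the signature could assume otherwise. Suggest a comment above the method: `# unsafe: false (default) suppresses raw HTML found in text; unsafe: true passes CommonMarker's :UNSAFE and keeps it. GitHub sources only; other providers get text back untouched.` The rest of the method is unchanged by this commit.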
@@ -17,9 +17,8 @@ module Dependabot
17
17
  MENTION_REGEX = %r{(?<![A-Za-z0-9`~])@#{GITHUB_USERNAME}/?}.freeze
18
18
  # End of string
19
19
  EOS_REGEX = /\z/.freeze
20
- # We rely on GitHub to do the HTML sanitization
21
20
  COMMONMARKER_OPTIONS = %i(
22
- UNSAFE GITHUB_PRE_LANG FULL_INFO_STRING
21
+ GITHUB_PRE_LANG FULL_INFO_STRING
23
22
  ).freeze
24
23
  COMMONMARKER_EXTENSIONS = %i(
25
24
  table tasklist strikethrough autolink tagfilter
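Review bot: Dropping `UNSAFE` from `COMMONMARKER_OPTIONS` also removes the only comment describing the HTML-sanitization stance (`# We rely on GitHub to do the HTML sanitization`), leaving the new default unexplained. Suggest replacing it with `# Raw HTML in the input is not emitted unless the caller opts in via unsafe: true on sanitize_links_and_mentions`. As far as I recall, cmark without the UNSAFE flag replaces raw HTML blocks and inline tags with an HTML comment rather than escaping them, so markup authored in upstream release notes or changelogs will disappear from the rendered message; worth stating in the comment if that is intended. The enclosing class starts outside the hunk.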
@@ -31,14 +30,15 @@ module Dependabot
31
30
  @github_redirection_service = github_redirection_service
32
31
  end
33
32
 
34
- def sanitize_links_and_mentions(text:)
33
+ def sanitize_links_and_mentions(text:, unsafe: false)
35
34
  doc = CommonMarker.render_doc(
36
35
  text, :LIBERAL_HTML_TAG, COMMONMARKER_EXTENSIONS
37
36
  )
38
37
 
39
38
  sanitize_mentions(doc)
40
39
  sanitize_links(doc)
41
- doc.to_html(COMMONMARKER_OPTIONS, COMMONMARKER_EXTENSIONS)
40
+ mode = unsafe ? :UNSAFE : :DEFAULT
41
+ doc.to_html(([mode] + COMMONMARKER_OPTIONS), COMMONMARKER_EXTENSIONS)
42
42
  end
43
43
 
44
44
  private
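Review bot: `doc.to_html(([mode] + COMMONMARKER_OPTIONS), COMMONMARKER_EXTENSIONS)` (new-side line 41) wraps its first argument in redundant parentheses and builds a new array on every call, and `:DEFAULT` is, as far as I know, CommonMarker's zero flag, so it adds nothing. `options = unsafe ? [:UNSAFE, *COMMONMARKER_OPTIONS] : COMMONMARKER_OPTIONS` followed by `doc.to_html(options, COMMONMARKER_EXTENSIONS)` reads more directly and keeps the safe path allocation-free; alternatively define a frozen `UNSAFE_COMMONMARKER_OPTIONS` constant next to the existing one. Note that `render_doc` still parses with `:LIBERAL_HTML_TAG`, so raw HTML is recognised at parse time and only suppressed at render time. The enclosing class starts and ends outside the hunk.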
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Dependabot
4
- VERSION = "0.118.3"
4
+ VERSION = "0.118.8"
5
5
  end
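--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-version: 0.118.3
+version: 0.118.8
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-06-18 00:00:00.000000000 Z
+date: 2020-07-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk-codecommit
@@ -104,28 +104,28 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '0.66'
+version: '0.75'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '0.66'
+version: '0.75'
 - !ruby/object:Gem::Dependency
 name: gitlab
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 4.15.0
+version: 4.16.1
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 4.15.0
+version: 4.16.1
 - !ruby/object:Gem::Dependency
 name: nokogiri
 requirement: !ruby/object:Gem::Requirement
@@ -306,14 +306,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 0.85.0
+version: 0.88.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 0.85.0
+version: 0.88.0
 - !ruby/object:Gem::Dependency
 name: vcr
 requirement: !ruby/object:Gem::Requirement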