dependabot-common 0.119.4 → 0.120.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c084a2dd6045074bdde8be081749cf0bb32dc4fcaa99b07bf6eea049cd798dd6
-  data.tar.gz: 3201d221483932d06cadd03304dcb8b65561bc1778d3aefca45416fc260e94cf
+  metadata.gz: 83263fa7e5a3d1dbd38624d9476cab98b226ef442af42cd6e9324dcb61226476
+  data.tar.gz: a47175b2fb55cb804e95a1f438f21de893f73b3921b319bcb296e3ff7f0397da
 SHA512:
-  metadata.gz: 68a073b8397b7128e2f63076267e1f3efb4b7c3501674e7e657ac4ee3a6cd8e5d8f55e7cb368758045dddbb179289ec7a6a45f1eeca2d8376c9b9758d8ca8577
-  data.tar.gz: bc1cddb30b8d543019e3434963b224f3feb58cf50abe19b9a360606db3ba4340fcb8d007716302b29a9e25a79e305590b060285e19aa139a6c186203b81ca534
+  metadata.gz: c04da188b4d2914b86db40c0640074d45010ce6f0834117b3b6b9faf6371893af47bafd643b4d905a5db2f853c21e3c6cc8c40df38659b93281299820fb6b812
+  data.tar.gz: f6e8639ddfc7ffdd50926c3f32e1087076f3e66ad915eb074663669537b37b993df346dda6fc35144e0fd02aedba423b609e5d6eb596d35ecc67cace0c2c12f7

data/lib/dependabot/clients/azure.rb

@@ -153,8 +153,9 @@ module Dependabot
           "/pushes?api-version=5.0", content.to_json)
       end
 
+      # rubocop:disable Metrics/ParameterLists
       def create_pull_request(pr_name, source_branch, target_branch,
-                              pr_description, labels)
+                              pr_description, labels, work_item = nil)
         # Azure DevOps only support descriptions up to 4000 characters
         # https://developercommunity.visualstudio.com/content/problem/608770/remove-4000-character-limit-on-pull-request-descri.html
         azure_max_length = 3999
@@ -163,13 +164,15 @@ module Dependabot
           truncate_length = azure_max_length - truncated_msg.length
           pr_description = pr_description[0..truncate_length] + truncated_msg
         end
+        # rubocop:enable Metrics/ParameterLists
 
         content = {
           sourceRefName: "refs/heads/" + source_branch,
           targetRefName: "refs/heads/" + target_branch,
           title: pr_name,
           description: pr_description,
-          labels: labels.map { |label| { name: label } }
+          labels: labels.map { |label| { name: label } },
+          workItemRefs: [{ id: work_item }]
         }
 
         post(source.api_endpoint +
@@ -181,11 +184,12 @@ module Dependabot
       def get(url)
         response = Excon.get(
           url,
-          headers: auth_header,
           user: credentials&.fetch("username", nil),
           password: credentials&.fetch("password", nil),
           idempotent: true,
-          **SharedHelpers.excon_defaults
+          **SharedHelpers.excon_defaults(
+            headers: auth_header
+          )
         )
         raise NotFound if response.status == 404
 
@@ -195,16 +199,17 @@ module Dependabot
       def post(url, json)
         response = Excon.post(
           url,
-          headers: auth_header.merge(
-            {
-              "Content-Type" => "application/json"
-            }
-          ),
           body: json,
           user: credentials&.fetch("username", nil),
           password: credentials&.fetch("password", nil),
           idempotent: true,
-          **SharedHelpers.excon_defaults
+          **SharedHelpers.excon_defaults(
+            headers: auth_header.merge(
+              {
+                "Content-Type" => "application/json"
+              }
+            )
+          )
         )
         raise NotFound if response.status == 404
 

data/lib/dependabot/git_metadata_fetcher.rb

@@ -183,7 +183,7 @@ module Dependabot
 
     def excon_defaults
       # Some git hosts are slow when returning a large number of tags
-      SharedHelpers.excon_defaults.merge(read_timeout: 20)
+      SharedHelpers.excon_defaults(read_timeout: 20)
     end
   end
 end

data/lib/dependabot/pull_request_creator.rb

@@ -17,13 +17,23 @@ module Dependabot
     class RepoDisabled < StandardError; end
     class NoHistoryInCommon < StandardError; end
 
+    # AnnotationError is raised if a PR was created, but failed annotation
+    class AnnotationError < StandardError
+      attr_reader :cause, :pull_request
+      def initialize(cause, pull_request)
+        super(cause.message)
+        @cause = cause
+        @pull_request = pull_request
+      end
+    end
+
     attr_reader :source, :dependencies, :files, :base_commit,
                 :credentials, :pr_message_header, :pr_message_footer,
                 :custom_labels, :author_details, :signature_key,
                 :commit_message_options, :vulnerabilities_fixed,
                 :reviewers, :assignees, :milestone, :branch_name_separator,
                 :branch_name_prefix, :github_redirection_service,
-                :custom_headers
+                :custom_headers, :provider_metadata
 
     def initialize(source:, base_commit:, dependencies:, files:, credentials:,
                    pr_message_header: nil, pr_message_footer: nil,
@@ -33,7 +43,8 @@ module Dependabot
                    branch_name_separator: "/", branch_name_prefix: "dependabot",
                    label_language: false, automerge_candidate: false,
                    github_redirection_service: "github-redirect.dependabot.com",
-                   custom_headers: nil, require_up_to_date_base: false)
+                   custom_headers: nil, require_up_to_date_base: false,
+                   provider_metadata: {})
       @dependencies               = dependencies
       @source                     = source
       @base_commit                = base_commit
@@ -56,6 +67,7 @@ module Dependabot
       @github_redirection_service = github_redirection_service
       @custom_headers             = custom_headers
       @require_up_to_date_base    = require_up_to_date_base
+      @provider_metadata          = provider_metadata
 
       check_dependencies_have_previous_version
     end
@@ -142,7 +154,8 @@ module Dependabot
         pr_description: message_builder.pr_message,
         pr_name: message_builder.pr_name,
         author_details: author_details,
-        labeler: labeler
+        labeler: labeler,
+        work_item: provider_metadata&.fetch(:work_item, nil)
       )
     end
 

data/lib/dependabot/pull_request_creator/azure.rb

@@ -8,11 +8,11 @@ module Dependabot
     class Azure
       attr_reader :source, :branch_name, :base_commit, :credentials,
                   :files, :commit_message, :pr_description, :pr_name,
-                  :author_details, :labeler
+                  :author_details, :labeler, :work_item
 
       def initialize(source:, branch_name:, base_commit:, credentials:,
                      files:, commit_message:, pr_description:, pr_name:,
-                     author_details:, labeler:)
+                     author_details:, labeler:, work_item: nil)
         @source         = source
         @branch_name    = branch_name
         @base_commit    = base_commit
@@ -23,6 +23,7 @@ module Dependabot
         @pr_name        = pr_name
         @author_details = author_details
         @labeler        = labeler
+        @work_item      = work_item
       end
 
       def create
@@ -46,9 +47,7 @@ module Dependabot
       end
 
       def branch_exists?
-        @branch_ref ||= azure_client_for_source.branch(branch_name)
-
-        @branch_ref
+        azure_client_for_source.branch(branch_name)
       rescue ::Azure::Error::NotFound
         false
       end
@@ -79,7 +78,8 @@ module Dependabot
           branch_name,
           source.branch || default_branch,
           pr_description,
-          labeler.labels_for_pr
+          labeler.labels_for_pr,
+          work_item
         )
       end
 

data/lib/dependabot/pull_request_creator/github.rb

@@ -7,6 +7,7 @@ require "dependabot/pull_request_creator"
 require "dependabot/pull_request_creator/commit_signer"
 module Dependabot
   class PullRequestCreator
+    # rubocop:disable Metrics/ClassLength
     class Github
       attr_reader :source, :branch_name, :base_commit, :credentials,
                   :files, :pr_description, :pr_name, :commit_message,
@@ -41,7 +42,7 @@ module Dependabot
         return if require_up_to_date_base? && !base_commit_is_up_to_date?
 
         create_annotated_pull_request
-      rescue Octokit::Error => e
+      rescue AnnotationError, Octokit::Error => e
         handle_error(e)
       end
 
@@ -111,7 +112,11 @@ module Dependabot
         pull_request = create_pull_request
         return unless pull_request
 
-        annotate_pull_request(pull_request)
+        begin
+          annotate_pull_request(pull_request)
+        rescue StandardError => e
+          raise AnnotationError.new(e, pull_request)
+        end
 
         pull_request
       end
@@ -417,24 +422,49 @@ module Dependabot
       end
 
       def handle_error(err)
-        case err
+        cause = case err
+                when AnnotationError
+                  err.cause
+                else
+                  err
+                end
+
+        case cause
         when Octokit::Forbidden
-          raise RepoDisabled, err.message if err.message.include?("disabled")
-          raise RepoArchived, err.message if err.message.include?("archived")
+          if err.message.include?("disabled")
+            raise_custom_error err, RepoDisabled, err.message
+          elsif err.message.include?("archived")
+            raise_custom_error err, RepoArchived, err.message
+          end
 
           raise err
         when Octokit::NotFound
           raise err if repo_exists?
 
-          raise RepoNotFound, err.message
+          raise_custom_error err, RepoNotFound, err.message
         when Octokit::UnprocessableEntity
-          raise err unless err.message.include?("no history in common")
+          if err.message.include?("no history in common")
+            raise_custom_error err, NoHistoryInCommon, err.message
+          end
 
-          raise NoHistoryInCommon, err.message
+          raise err
         else
           raise err
         end
       end
+
+      def raise_custom_error(base_err, type, message)
+        case base_err
+        when AnnotationError
+          raise AnnotationError.new(
+            type.new(message),
+            base_err.pull_request
+          )
+        else
+          raise type, message
+        end
+      end
     end
+    # rubocop:enable Metrics/ClassLength
   end
 end

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -10,6 +10,7 @@ require "dependabot/pull_request_creator"
 module Dependabot
   class PullRequestCreator
     class MessageBuilder
+      require_relative "message_builder/metadata_presenter"
       require_relative "message_builder/issue_linker"
       require_relative "message_builder/link_and_mention_sanitizer"
       require_relative "pr_name_prefixer"
@@ -312,240 +313,38 @@ module Dependabot
         end.join
       end
 
-      def metadata_cascades_for_dep(dep)
-        break_tag = source_provider_supports_html? ? "\n<br />" : "\n\n"
-
-        msg = ""
-        msg += vulnerabilities_cascade(dep)
-        msg += release_cascade(dep)
-        msg += changelog_cascade(dep)
-        msg += upgrade_guide_cascade(dep)
-        msg += commits_cascade(dep)
-        msg += maintainer_changes_cascade(dep)
-        msg += break_tag unless msg == ""
-        "\n" + sanitize_links_and_mentions(msg, unsafe: true)
-      end
-
-      def vulnerabilities_cascade(dep)
-        fixed_vulns = vulnerabilities_fixed[dep.name]
-        return "" unless fixed_vulns&.any?
-
-        msg = ""
-        fixed_vulns.each { |v| msg += serialized_vulnerability_details(v) }
-        msg = sanitize_template_tags(msg)
-        msg = sanitize_links_and_mentions(msg)
-
-        build_details_tag(summary: "Vulnerabilities fixed", body: msg)
-      end
-
-      def release_cascade(dep)
-        return "" unless releases_text(dep) && releases_url(dep)
-
-        msg = "*Sourced from [#{dep.display_name}'s releases]"\
-              "(#{releases_url(dep)}).*\n\n"
-        msg +=
-          begin
-            release_note_lines = releases_text(dep).split("\n").first(50)
-            release_note_lines = release_note_lines.map { |line| "> #{line}\n" }
-            if release_note_lines.count == 50
-              release_note_lines << truncated_line
-            end
-            release_note_lines.join
-          end
-        msg = link_issues(text: msg, dependency: dep)
-        msg = fix_relative_links(
-          text: msg,
-          base_url: source_url(dep) + "/blob/HEAD/"
-        )
-        msg = sanitize_template_tags(msg)
-        msg = sanitize_links_and_mentions(msg)
-
-        build_details_tag(summary: "Release notes", body: msg)
-      end
-
-      def changelog_cascade(dep)
-        return "" unless changelog_url(dep) && changelog_text(dep)
-
-        msg = "*Sourced from "\
-              "[#{dep.display_name}'s changelog](#{changelog_url(dep)}).*\n\n"
-        msg +=
-          begin
-            changelog_lines = changelog_text(dep).split("\n").first(50)
-            changelog_lines = changelog_lines.map { |line| "> #{line}\n" }
-            changelog_lines << truncated_line if changelog_lines.count == 50
-            changelog_lines.join
-          end
-        msg = link_issues(text: msg, dependency: dep)
-        msg = fix_relative_links(text: msg, base_url: changelog_url(dep))
-        msg = sanitize_template_tags(msg)
-        msg = sanitize_links_and_mentions(msg)
-
-        build_details_tag(summary: "Changelog", body: msg)
-      end
-
-      def upgrade_guide_cascade(dep)
-        return "" unless upgrade_url(dep) && upgrade_text(dep)
-
-        msg = "*Sourced from "\
-              "[#{dep.display_name}'s upgrade guide]"\
-              "(#{upgrade_url(dep)}).*\n\n"
-        msg +=
-          begin
-            upgrade_lines = upgrade_text(dep).split("\n").first(50)
-            upgrade_lines = upgrade_lines.map { |line| "> #{line}\n" }
-            upgrade_lines << truncated_line if upgrade_lines.count == 50
-            upgrade_lines.join
-          end
-        msg = link_issues(text: msg, dependency: dep)
-        msg = fix_relative_links(text: msg, base_url: upgrade_url(dep))
-        msg = sanitize_template_tags(msg)
-        msg = sanitize_links_and_mentions(msg)
-
-        build_details_tag(summary: "Upgrade guide", body: msg)
-      end
-
-      def commits_cascade(dep)
-        return "" unless commits_url(dep) && commits(dep)
-
-        msg = ""
-
-        commits(dep).reverse.first(10).each do |commit|
-          title = commit[:message].strip.split("\n").first
-          title = title.slice(0..76) + "..." if title && title.length > 80
-          title = title&.gsub(/(?<=[^\w.-])([_*`~])/, '\\1')
-          sha = commit[:sha][0, 7]
-          msg += "- [`#{sha}`](#{commit[:html_url]}) #{title}\n"
-        end
-
-        msg = msg.gsub(/\<.*?\>/) { |tag| "\\#{tag}" }
-
-        msg +=
-          if commits(dep).count > 10
-            "- Additional commits viewable in "\
-            "[compare view](#{commits_url(dep)})\n"
-          else
-            "- See full diff in [compare view](#{commits_url(dep)})\n"
-          end
-        msg = link_issues(text: msg, dependency: dep)
-        msg = sanitize_links_and_mentions(msg)
-
-        build_details_tag(summary: "Commits", body: msg)
-      end
-
-      def maintainer_changes_cascade(dep)
-        return "" unless maintainer_changes(dep)
-
-        build_details_tag(
-          summary: "Maintainer changes",
-          body: sanitize_links_and_mentions(maintainer_changes(dep)) + "\n"
-        )
-      end
-
-      def build_details_tag(summary:, body:)
-        # Azure DevOps does not support <details> tag (https://developercommunity.visualstudio.com/content/problem/608769/add-support-for-in-markdown.html)
-        # CodeCommit does not support the <details> tag (no url available)
-        if source_provider_supports_html?
-          msg = "<details>\n<summary>#{summary}</summary>\n\n"
-          msg += body
-          msg + "</details>\n"
-        else
-          "\n\##{summary}\n\n#{body}"
-        end
-      end
-
-      def source_provider_supports_html?
-        !%w(azure codecommit).include?(source.provider)
-      end
-
-      def serialized_vulnerability_details(details)
-        msg = vulnerability_source_line(details)
-
-        if details["title"]
-          msg += "> **#{details['title'].lines.map(&:strip).join(' ')}**\n"
-        end
-
-        if (description = details["description"])
-          description.strip.lines.first(20).each { |line| msg += "> #{line}" }
-          msg += truncated_line if description.strip.lines.count > 20
-        end
-
-        msg += "\n" unless msg.end_with?("\n")
-        msg += "> \n"
-        msg += vulnerability_version_range_lines(details)
-        msg + "\n"
-      end
-
-      def vulnerability_source_line(details)
-        if details["source_url"] && details["source_name"]
-          "*Sourced from [#{details['source_name']}]"\
-          "(#{details['source_url']}).*\n\n"
-        elsif details["source_name"]
-          "*Sourced from #{details['source_name']}.*\n\n"
-        else
-          ""
-        end
-      end
-
-      def vulnerability_version_range_lines(details)
-        msg = ""
-        %w(patched_versions unaffected_versions affected_versions).each do |tp|
-          type = tp.split("_").first.capitalize
-          next unless details[tp]
-
-          versions_string = details[tp].any? ? details[tp].join("; ") : "none"
-          versions_string = versions_string.gsub(/(?<!\\)~/, '\~')
-          msg += "> #{type} versions: #{versions_string}\n"
-        end
-        msg
-      end
-
-      def truncated_line
-        # Tables can spill out of truncated details, so we close them
-        "></tr></table> ... (truncated)\n"
-      end
-
-      def releases_url(dependency)
-        metadata_finder(dependency).releases_url
-      end
-
-      def releases_text(dependency)
-        metadata_finder(dependency).releases_text
+      def metadata_cascades_for_dep(dependency)
+        MetadataPresenter.new(
+          dependency: dependency,
+          source: source,
+          metadata_finder: metadata_finder(dependency),
+          vulnerabilities_fixed: vulnerabilities_fixed[dependency.name],
+          github_redirection_service: github_redirection_service
+        ).to_s
       end
 
       def changelog_url(dependency)
         metadata_finder(dependency).changelog_url
       end
 
-      def changelog_text(dependency)
-        metadata_finder(dependency).changelog_text
-      end
-
-      def upgrade_url(dependency)
-        metadata_finder(dependency).upgrade_guide_url
-      end
-
-      def upgrade_text(dependency)
-        metadata_finder(dependency).upgrade_guide_text
-      end
-
       def commits_url(dependency)
         metadata_finder(dependency).commits_url
       end
 
-      def commits(dependency)
-        metadata_finder(dependency).commits
+      def homepage_url(dependency)
+        metadata_finder(dependency).homepage_url
       end
 
-      def maintainer_changes(dependency)
-        metadata_finder(dependency).maintainer_changes
+      def releases_url(dependency)
+        metadata_finder(dependency).releases_url
       end
 
       def source_url(dependency)
         metadata_finder(dependency).source_url
       end
 
-      def homepage_url(dependency)
-        metadata_finder(dependency).homepage_url
+      def upgrade_url(dependency)
+        metadata_finder(dependency).upgrade_guide_url
       end
 
       def metadata_finder(dependency)
@@ -656,48 +455,6 @@ module Dependabot
         raise "No new requirement!"
       end
 
-      def link_issues(text:, dependency:)
-        IssueLinker.
-          new(source_url: source_url(dependency)).
-          link_issues(text: text)
-      end
-
-      def fix_relative_links(text:, base_url:)
-        text.gsub(/\[.*?\]\([^)]+\)/) do |link|
-          next link if link.include?("://")
-
-          relative_path = link.match(/\((.*?)\)/).captures.last
-          base = base_url.split("://").last.gsub(%r{[^/]*$}, "")
-          path = File.join(base, relative_path)
-          absolute_path =
-            base_url.sub(
-              %r{(?<=://).*$},
-              Pathname.new(path).cleanpath.to_s
-            )
-          link.gsub(relative_path, absolute_path)
-        end
-      end
-
-      def sanitize_links_and_mentions(text, unsafe: false)
-        return text unless source.provider == "github"
-
-        LinkAndMentionSanitizer.
-          new(github_redirection_service: github_redirection_service).
-          sanitize_links_and_mentions(text: text, unsafe: unsafe)
-      end
-
-      def sanitize_template_tags(text)
-        text.gsub(/\<.*?\>/) do |tag|
-          tag_contents = tag.match(/\<(.*?)\>/).captures.first.strip
-
-          # Unclosed calls to template overflow out of the blockquote block,
-          # wrecking the rest of our PRs. Other tags don't share this problem.
-          next "\\#{tag}" if tag_contents.start_with?("template")
-
-          tag
-        end
-      end
-
       def ref_changed?(dependency)
         previous_ref(dependency) != new_ref(dependency)
       end

data/lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb

@@ -0,0 +1,270 @@
+# frozen_string_literal: true
+
+require "dependabot/pull_request_creator/message_builder"
+
+module Dependabot
+  class PullRequestCreator
+    class MessageBuilder
+      class MetadataPresenter
+        extend Forwardable
+
+        attr_reader :dependency, :source, :metadata_finder,
+                    :vulnerabilities_fixed, :github_redirection_service
+
+        def_delegators :metadata_finder,
+                       :changelog_url,
+                       :changelog_text,
+                       :commits_url,
+                       :commits,
+                       :maintainer_changes,
+                       :releases_url,
+                       :releases_text,
+                       :source_url,
+                       :upgrade_guide_url,
+                       :upgrade_guide_text
+
+        def initialize(dependency:, source:, metadata_finder:,
+                       vulnerabilities_fixed:, github_redirection_service:)
+          @dependency = dependency
+          @source = source
+          @metadata_finder = metadata_finder
+          @vulnerabilities_fixed = vulnerabilities_fixed
+          @github_redirection_service = github_redirection_service
+        end
+
+        def to_s
+          msg = ""
+          msg += vulnerabilities_cascade
+          msg += release_cascade
+          msg += changelog_cascade
+          msg += upgrade_guide_cascade
+          msg += commits_cascade
+          msg += maintainer_changes_cascade
+          msg += break_tag unless msg == ""
+          "\n" + sanitize_links_and_mentions(msg, unsafe: true)
+        end
+
+        private
+
+        def vulnerabilities_cascade
+          return "" unless vulnerabilities_fixed&.any?
+
+          msg = ""
+          vulnerabilities_fixed.each do |v|
+            msg += serialized_vulnerability_details(v)
+          end
+
+          msg = sanitize_template_tags(msg)
+          msg = sanitize_links_and_mentions(msg)
+
+          build_details_tag(summary: "Vulnerabilities fixed", body: msg)
+        end
+
+        def release_cascade
+          return "" unless releases_text && releases_url
+
+          msg = "*Sourced from [#{dependency.display_name}'s releases]"\
+                "(#{releases_url}).*\n\n"
+          msg += quote_and_truncate(releases_text)
+          msg = link_issues(text: msg)
+          msg = fix_relative_links(
+            text: msg,
+            base_url: source_url + "/blob/HEAD/"
+          )
+          msg = sanitize_template_tags(msg)
+          msg = sanitize_links_and_mentions(msg)
+
+          build_details_tag(summary: "Release notes", body: msg)
+        end
+
+        def changelog_cascade
+          return "" unless changelog_url && changelog_text
+
+          msg = "*Sourced from "\
+                "[#{dependency.display_name}'s changelog]"\
+                "(#{changelog_url}).*\n\n"
+          msg += quote_and_truncate(changelog_text)
+          msg = link_issues(text: msg)
+          msg = fix_relative_links(text: msg, base_url: changelog_url)
+          msg = sanitize_template_tags(msg)
+          msg = sanitize_links_and_mentions(msg)
+
+          build_details_tag(summary: "Changelog", body: msg)
+        end
+
+        def upgrade_guide_cascade
+          return "" unless upgrade_guide_url && upgrade_guide_text
+
+          msg = "*Sourced from "\
+                "[#{dependency.display_name}'s upgrade guide]"\
+                "(#{upgrade_guide_url}).*\n\n"
+          msg += quote_and_truncate(upgrade_guide_text)
+          msg = link_issues(text: msg)
+          msg = fix_relative_links(text: msg, base_url: upgrade_guide_url)
+          msg = sanitize_template_tags(msg)
+          msg = sanitize_links_and_mentions(msg)
+
+          build_details_tag(summary: "Upgrade guide", body: msg)
+        end
+
+        def commits_cascade
+          return "" unless commits_url && commits
+
+          msg = ""
+
+          commits.reverse.first(10).each do |commit|
+            title = commit[:message].strip.split("\n").first
+            title = title.slice(0..76) + "..." if title && title.length > 80
+            title = title&.gsub(/(?<=[^\w.-])([_*`~])/, '\\1')
+            sha = commit[:sha][0, 7]
+            msg += "- [`#{sha}`](#{commit[:html_url]}) #{title}\n"
+          end
+
+          msg = msg.gsub(/\<.*?\>/) { |tag| "\\#{tag}" }
+
+          msg +=
+            if commits.count > 10
+              "- Additional commits viewable in "\
+              "[compare view](#{commits_url})\n"
+            else
+              "- See full diff in [compare view](#{commits_url})\n"
+            end
+          msg = link_issues(text: msg)
+          msg = sanitize_links_and_mentions(msg)
+
+          build_details_tag(summary: "Commits", body: msg)
+        end
+
+        def maintainer_changes_cascade
+          return "" unless maintainer_changes
+
+          build_details_tag(
+            summary: "Maintainer changes",
+            body: sanitize_links_and_mentions(maintainer_changes) + "\n"
+          )
+        end
+
+        def build_details_tag(summary:, body:)
+          # Azure DevOps does not support <details> tag (https://developercommunity.visualstudio.com/content/problem/608769/add-support-for-in-markdown.html)
+          # CodeCommit does not support the <details> tag (no url available)
+          if source_provider_supports_html?
+            msg = "<details>\n<summary>#{summary}</summary>\n\n"
+            msg += body
+            msg + "</details>\n"
+          else
+            "\n\##{summary}\n\n#{body}"
+          end
+        end
+
+        def serialized_vulnerability_details(details)
+          msg = vulnerability_source_line(details)
+
+          if details["title"]
+            msg += "> **#{details['title'].lines.map(&:strip).join(' ')}**\n"
+          end
+
+          if (description = details["description"])
+            description.strip.lines.first(20).each { |line| msg += "> #{line}" }
+            msg += truncated_line if description.strip.lines.count > 20
+          end
+
+          msg += "\n" unless msg.end_with?("\n")
+          msg += "> \n"
+          msg += vulnerability_version_range_lines(details)
+          msg + "\n"
+        end
+
+        def vulnerability_source_line(details)
+          if details["source_url"] && details["source_name"]
+            "*Sourced from [#{details['source_name']}]"\
+            "(#{details['source_url']}).*\n\n"
+          elsif details["source_name"]
+            "*Sourced from #{details['source_name']}.*\n\n"
+          else
+            ""
+          end
+        end
+
+        def vulnerability_version_range_lines(details)
+          msg = ""
+          %w(
+            patched_versions
+            unaffected_versions
+            affected_versions
+          ).each do |tp|
+            type = tp.split("_").first.capitalize
+            next unless details[tp]
+
+            versions_string = details[tp].any? ? details[tp].join("; ") : "none"
+            versions_string = versions_string.gsub(/(?<!\\)~/, '\~')
+            msg += "> #{type} versions: #{versions_string}\n"
+          end
+          msg
+        end
+
+        def link_issues(text:)
+          IssueLinker.
+            new(source_url: source_url).
+            link_issues(text: text)
+        end
+
+        def fix_relative_links(text:, base_url:)
+          text.gsub(/\[.*?\]\([^)]+\)/) do |link|
+            next link if link.include?("://")
+
+            relative_path = link.match(/\((.*?)\)/).captures.last
+            base = base_url.split("://").last.gsub(%r{[^/]*$}, "")
+            path = File.join(base, relative_path)
+            absolute_path =
+              base_url.sub(
+                %r{(?<=://).*$},
+                Pathname.new(path).cleanpath.to_s
+              )
+            link.gsub(relative_path, absolute_path)
+          end
+        end
+
+        def quote_and_truncate(text, limit: 50)
+          lines = text.split("\n")
+          lines.first(limit).tap do |limited_lines|
+            limited_lines.map! { |line| "> #{line}\n" }
+            limited_lines << truncated_line if lines.count > limit
+          end.join
+        end
+
+        def truncated_line
+          # Tables can spill out of truncated details, so we close them
+          "></tr></table> \n ... (truncated)\n"
+        end
+
+        def break_tag
+          source_provider_supports_html? ? "\n<br />" : "\n\n"
+        end
+
+        def source_provider_supports_html?
+          !%w(azure codecommit).include?(source.provider)
+        end
+
+        def sanitize_links_and_mentions(text, unsafe: false)
+          return text unless source.provider == "github"
+
+          LinkAndMentionSanitizer.
+            new(github_redirection_service: github_redirection_service).
+            sanitize_links_and_mentions(text: text, unsafe: unsafe)
+        end
+
+        def sanitize_template_tags(text)
+          text.gsub(/\<.*?\>/) do |tag|
+            tag_contents = tag.match(/\<(.*?)\>/).captures.first.strip
+
+            # Unclosed calls to template overflow out of the blockquote block,
+            # wrecking the rest of our PRs. Other tags don't share this problem.
+            next "\\#{tag}" if tag_contents.start_with?("template")
+
+            tag
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/shared_helpers.rb

@@ -13,6 +13,10 @@ module Dependabot
     BUMP_TMP_FILE_PREFIX = "dependabot_"
     BUMP_TMP_DIR_PATH = "tmp"
     GIT_CONFIG_GLOBAL_PATH = File.expand_path("~/.gitconfig")
+    USER_AGENT = "dependabot-core/#{Dependabot::VERSION} "\
+                 "#{Excon::USER_AGENT} ruby/#{RUBY_VERSION} "\
+                 "(#{RUBY_PLATFORM}) "\
+                 "(+https://github.com/dependabot/dependabot-core)"
 
     class ChildProcessFailed < StandardError
       attr_reader :error_class, :error_message, :error_backtrace
@@ -138,14 +142,23 @@ module Dependabot
         [Excon::Middleware::RedirectFollower]
     end
 
-    def self.excon_defaults
+    def self.excon_headers(headers = nil)
+      headers ||= {}
+      {
+        "User-Agent" => USER_AGENT
+      }.merge(headers)
+    end
+
+    def self.excon_defaults(options = nil)
+      options ||= {}
       {
         connect_timeout: 5,
         write_timeout: 5,
         read_timeout: 20,
         omit_default_port: true,
-        middlewares: excon_middleware
-      }
+        middlewares: excon_middleware,
+        headers: excon_headers(options[:headers])
+      }.merge(options)
     end
 
     def self.with_git_configured(credentials:)

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.119.4"
+  VERSION = "0.120.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.119.4
+  version: 0.120.2
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-09-15 00:00:00.000000000 Z
+date: 2020-09-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -292,14 +292,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.90.0
+        version: 0.91.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.90.0
+        version: 0.91.0
 - !ruby/object:Gem::Dependency
   name: vcr
   requirement: !ruby/object:Gem::Requirement
@@ -376,6 +376,7 @@ files:
 - lib/dependabot/pull_request_creator/message_builder.rb
 - lib/dependabot/pull_request_creator/message_builder/issue_linker.rb
 - lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb
+- lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb
 - lib/dependabot/pull_request_creator/pr_name_prefixer.rb
 - lib/dependabot/pull_request_updater.rb
 - lib/dependabot/pull_request_updater/github.rb