dependabot-common 0.122.0 → 0.124.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of dependabot-common might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/lib/dependabot/file_updaters/vendor_updater.rb +6 -32
- data/lib/dependabot/pull_request_creator.rb +1 -7
- data/lib/dependabot/pull_request_creator/branch_namer.rb +5 -5
- data/lib/dependabot/pull_request_creator/message_builder.rb +9 -1
- data/lib/dependabot/shared_helpers.rb +18 -27
- data/lib/dependabot/update_checkers/base.rb +6 -0
- data/lib/dependabot/version.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bd5f760de88f18b1b02d000700ee31816399598f649fb1c0dc517d9e4ee64f53
|
|
4
|
+
data.tar.gz: 66afb451c31cbcf860a06b605ccfc7303aea932ec52092f0c11206ae5f3d68e8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9d83ee81a113febfbc73a802696a0cc2dbe0e09a3f55f86f7e601fe1f8e7692ff8c0bf21ddfa9c4e9d54b65327364a5cda53b3e1ee0c35483aaefa7239fc8f2c
|
|
7
|
+
data.tar.gz: 4dccba4c87d90ac14a87d8a2ef659da8c00746730c258b36b68b55bf76f15dce8914e61bce5a30c7b2de286093908c7b2e91bb59013b7cf86caa424921b78a9e
|
|
@@ -5,35 +5,6 @@ require "dependabot/dependency_file"
|
|
|
5
5
|
module Dependabot
|
|
6
6
|
module FileUpdaters
|
|
7
7
|
class VendorUpdater
|
|
8
|
-
# notable filenames without a reliable extension:
|
|
9
|
-
TEXT_FILE_NAMES = [
|
|
10
|
-
"README",
|
|
11
|
-
"LICENSE",
|
|
12
|
-
"Gemfile",
|
|
13
|
-
"Gemfile.lock",
|
|
14
|
-
".bundlecache",
|
|
15
|
-
".gitignore"
|
|
16
|
-
].freeze
|
|
17
|
-
|
|
18
|
-
TEXT_FILE_EXTS = [
|
|
19
|
-
# code
|
|
20
|
-
".rb",
|
|
21
|
-
".erb",
|
|
22
|
-
".gemspec",
|
|
23
|
-
".js",
|
|
24
|
-
".html",
|
|
25
|
-
# config
|
|
26
|
-
".json",
|
|
27
|
-
".xml",
|
|
28
|
-
".toml",
|
|
29
|
-
".yaml",
|
|
30
|
-
".yml",
|
|
31
|
-
# docs
|
|
32
|
-
".md",
|
|
33
|
-
".txt",
|
|
34
|
-
".go"
|
|
35
|
-
].freeze
|
|
36
|
-
|
|
37
8
|
def initialize(repo_contents_path:, vendor_dir:)
|
|
38
9
|
@repo_contents_path = repo_contents_path
|
|
39
10
|
@vendor_dir = vendor_dir
|
|
@@ -73,13 +44,16 @@ module Dependabot
|
|
|
73
44
|
|
|
74
45
|
private
|
|
75
46
|
|
|
47
|
+
BINARY_ENCODINGS = %w(application/x-tarbinary binary).freeze
|
|
48
|
+
|
|
76
49
|
attr_reader :repo_contents_path, :vendor_dir
|
|
77
50
|
|
|
78
51
|
def binary_file?(path)
|
|
79
|
-
return false
|
|
80
|
-
|
|
52
|
+
return false unless File.exist?(path)
|
|
53
|
+
|
|
54
|
+
encoding = `file -b --mime-encoding #{path}`.strip
|
|
81
55
|
|
|
82
|
-
|
|
56
|
+
BINARY_ENCODINGS.include?(encoding)
|
|
83
57
|
end
|
|
84
58
|
end
|
|
85
59
|
end
|
|
@@ -73,7 +73,7 @@ module Dependabot
|
|
|
73
73
|
end
|
|
74
74
|
|
|
75
75
|
def check_dependencies_have_previous_version
|
|
76
|
-
return if
|
|
76
|
+
return if dependencies.all? { |d| requirements_changed?(d) }
|
|
77
77
|
return if dependencies.all?(&:previous_version)
|
|
78
78
|
|
|
79
79
|
raise "Dependencies must have a previous version or changed " \
|
|
@@ -214,12 +214,6 @@ module Dependabot
|
|
|
214
214
|
)
|
|
215
215
|
end
|
|
216
216
|
|
|
217
|
-
def library?
|
|
218
|
-
return true if files.any? { |file| file.name.end_with?(".gemspec") }
|
|
219
|
-
|
|
220
|
-
dependencies.any? { |d| !d.appears_in_lockfile? }
|
|
221
|
-
end
|
|
222
|
-
|
|
223
217
|
def includes_security_fixes?
|
|
224
218
|
vulnerabilities_fixed.values.flatten.any?
|
|
225
219
|
end
|
|
@@ -165,12 +165,12 @@ module Dependabot
|
|
|
165
165
|
updated_reqs.first[:requirement]
|
|
166
166
|
end
|
|
167
167
|
|
|
168
|
-
# TODO:
|
|
169
|
-
#
|
|
170
|
-
#
|
|
168
|
+
# TODO: Bring this in line with existing library checks that we do in the
|
|
169
|
+
# update checkers, which are also overriden by passing an explicit
|
|
170
|
+
# `requirements_update_strategy`.
|
|
171
|
+
#
|
|
172
|
+
# TODO re-use in MessageBuilder
|
|
171
173
|
def library?
|
|
172
|
-
return true if files.map(&:name).any? { |nm| nm.end_with?(".gemspec") }
|
|
173
|
-
|
|
174
174
|
dependencies.any? { |d| !d.appears_in_lockfile? }
|
|
175
175
|
end
|
|
176
176
|
|
|
@@ -459,8 +459,16 @@ module Dependabot
|
|
|
459
459
|
previous_ref(dependency) != new_ref(dependency)
|
|
460
460
|
end
|
|
461
461
|
|
|
462
|
+
# TODO: Bring this in line with existing library checks that we do in the
|
|
463
|
+
# update checkers, which are also overriden by passing an explicit
|
|
464
|
+
# `requirements_update_strategy`.
|
|
465
|
+
#
|
|
466
|
+
# TODO re-use in BranchNamer
|
|
462
467
|
def library?
|
|
463
|
-
|
|
468
|
+
# Reject any nested child gemspecs/vendored git dependencies
|
|
469
|
+
root_files = files.map(&:name).
|
|
470
|
+
select { |p| Pathname.new(p).dirname.to_s == "." }
|
|
471
|
+
return true if root_files.select { |nm| nm.end_with?(".gemspec") }.any?
|
|
464
472
|
|
|
465
473
|
dependencies.any? { |d| previous_version(d).nil? }
|
|
466
474
|
end
|
|
@@ -57,34 +57,12 @@ module Dependabot
|
|
|
57
57
|
end
|
|
58
58
|
end
|
|
59
59
|
|
|
60
|
-
def self.in_a_forked_process
|
|
61
|
-
read, write = IO.pipe
|
|
62
|
-
|
|
63
|
-
pid = fork do
|
|
64
|
-
read.close
|
|
65
|
-
result = yield
|
|
66
|
-
rescue Exception => e # rubocop:disable Lint/RescueException
|
|
67
|
-
result = { _error_details: { error_class: e.class.to_s,
|
|
68
|
-
error_message: e.message,
|
|
69
|
-
error_backtrace: e.backtrace } }
|
|
70
|
-
ensure
|
|
71
|
-
Marshal.dump(result, write)
|
|
72
|
-
exit!(0)
|
|
73
|
-
end
|
|
74
|
-
|
|
75
|
-
write.close
|
|
76
|
-
result = read.read
|
|
77
|
-
Process.wait(pid)
|
|
78
|
-
result = Marshal.load(result) # rubocop:disable Security/MarshalLoad
|
|
79
|
-
|
|
80
|
-
return result unless result.is_a?(Hash) && result[:_error_details]
|
|
81
|
-
|
|
82
|
-
raise ChildProcessFailed, result[:_error_details]
|
|
83
|
-
end
|
|
84
|
-
|
|
85
60
|
class HelperSubprocessFailed < StandardError
|
|
86
|
-
|
|
61
|
+
attr_reader :error_class, :error_context
|
|
62
|
+
|
|
63
|
+
def initialize(message:, error_context:, error_class: nil)
|
|
87
64
|
super(message)
|
|
65
|
+
@error_class = error_class || ""
|
|
88
66
|
@error_context = error_context
|
|
89
67
|
@command = error_context[:command]
|
|
90
68
|
end
|
|
@@ -110,6 +88,11 @@ module Dependabot
|
|
|
110
88
|
stdout, stderr, process = Open3.capture3(*env_cmd, stdin_data: stdin_data)
|
|
111
89
|
time_taken = Time.now - start
|
|
112
90
|
|
|
91
|
+
if ENV["DEBUG_HELPERS"] == "true"
|
|
92
|
+
puts stdout
|
|
93
|
+
puts stderr
|
|
94
|
+
end
|
|
95
|
+
|
|
113
96
|
# Some package managers output useful stuff to stderr instead of stdout so
|
|
114
97
|
# we want to parse this, most package manager will output garbage here so
|
|
115
98
|
# would mess up json response from stdout
|
|
@@ -129,11 +112,13 @@ module Dependabot
|
|
|
129
112
|
|
|
130
113
|
raise HelperSubprocessFailed.new(
|
|
131
114
|
message: response["error"],
|
|
115
|
+
error_class: response["error_class"],
|
|
132
116
|
error_context: error_context
|
|
133
117
|
)
|
|
134
118
|
rescue JSON::ParserError
|
|
135
119
|
raise HelperSubprocessFailed.new(
|
|
136
120
|
message: stdout || "No output from command",
|
|
121
|
+
error_class: "JSON::ParserError",
|
|
137
122
|
error_context: error_context
|
|
138
123
|
)
|
|
139
124
|
end
|
|
@@ -173,6 +158,9 @@ module Dependabot
|
|
|
173
158
|
end
|
|
174
159
|
|
|
175
160
|
def self.configure_git_to_use_https_with_credentials(credentials)
|
|
161
|
+
File.open(GIT_CONFIG_GLOBAL_PATH, "w") do |file|
|
|
162
|
+
file << "# Generated by dependabot/dependabot-core"
|
|
163
|
+
end
|
|
176
164
|
configure_git_to_use_https
|
|
177
165
|
configure_git_credentials(credentials)
|
|
178
166
|
end
|
|
@@ -258,7 +246,10 @@ module Dependabot
|
|
|
258
246
|
end
|
|
259
247
|
|
|
260
248
|
def self.reset_global_git_config(backup_path)
|
|
261
|
-
|
|
249
|
+
if backup_path.nil?
|
|
250
|
+
FileUtils.rm(GIT_CONFIG_GLOBAL_PATH)
|
|
251
|
+
return
|
|
252
|
+
end
|
|
262
253
|
return unless File.exist?(backup_path)
|
|
263
254
|
|
|
264
255
|
FileUtils.mv(backup_path, GIT_CONFIG_GLOBAL_PATH)
|
|
@@ -79,6 +79,12 @@ module Dependabot
|
|
|
79
79
|
raise NotImplementedError
|
|
80
80
|
end
|
|
81
81
|
|
|
82
|
+
# Lowest available security fix version not checking resolvability
|
|
83
|
+
# @return [Dependabot::<package manager>::Version, #to_s] version class
|
|
84
|
+
def lowest_security_fix_version
|
|
85
|
+
raise NotImplementedError
|
|
86
|
+
end
|
|
87
|
+
|
|
82
88
|
def lowest_resolvable_security_fix_version
|
|
83
89
|
raise NotImplementedError
|
|
84
90
|
end
|
data/lib/dependabot/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-common
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.124.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-10-
|
|
11
|
+
date: 2020-10-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-codecommit
|
|
@@ -292,14 +292,14 @@ dependencies:
|
|
|
292
292
|
requirements:
|
|
293
293
|
- - "~>"
|
|
294
294
|
- !ruby/object:Gem::Version
|
|
295
|
-
version: 0.
|
|
295
|
+
version: 0.93.0
|
|
296
296
|
type: :development
|
|
297
297
|
prerelease: false
|
|
298
298
|
version_requirements: !ruby/object:Gem::Requirement
|
|
299
299
|
requirements:
|
|
300
300
|
- - "~>"
|
|
301
301
|
- !ruby/object:Gem::Version
|
|
302
|
-
version: 0.
|
|
302
|
+
version: 0.93.0
|
|
303
303
|
- !ruby/object:Gem::Dependency
|
|
304
304
|
name: simplecov
|
|
305
305
|
requirement: !ruby/object:Gem::Requirement
|