dependabot-common 0.123.0 → 0.124.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of dependabot-common might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/lib/dependabot/pull_request_creator.rb +1 -7
- data/lib/dependabot/pull_request_creator/branch_namer.rb +5 -5
- data/lib/dependabot/pull_request_creator/message_builder.rb +9 -1
- data/lib/dependabot/security_advisory.rb +45 -0
- data/lib/dependabot/update_checkers/base.rb +6 -0
- data/lib/dependabot/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 45ddffe6ea8f049656daee7b94bb0ff2c5c73cfb67746789c35a0557367c0ce3
|
|
4
|
+
data.tar.gz: 245e1180b6bcb30dd120e9d94162ded2d9cdc9cace6cb8fffdb8119ea411c851
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7d02322fb6f5a3a140e793deab8c048790750c15244c1b285a03b3df5753e85c799bfbf8c72d3f7686c9d3dd995da554d1e4f787773d15ccd43e1fccf2d63d8d
|
|
7
|
+
data.tar.gz: 982fbcc7a24947726bd39cddf7814c69fefd6086499f8d4137db1734e750e9649ab256b2faf67acc68b671060656507ab290e0c8de1147aa94a7c32fb98948b9
|
|
@@ -73,7 +73,7 @@ module Dependabot
|
|
|
73
73
|
end
|
|
74
74
|
|
|
75
75
|
def check_dependencies_have_previous_version
|
|
76
|
-
return if
|
|
76
|
+
return if dependencies.all? { |d| requirements_changed?(d) }
|
|
77
77
|
return if dependencies.all?(&:previous_version)
|
|
78
78
|
|
|
79
79
|
raise "Dependencies must have a previous version or changed " \
|
|
@@ -214,12 +214,6 @@ module Dependabot
|
|
|
214
214
|
)
|
|
215
215
|
end
|
|
216
216
|
|
|
217
|
-
def library?
|
|
218
|
-
return true if files.any? { |file| file.name.end_with?(".gemspec") }
|
|
219
|
-
|
|
220
|
-
dependencies.any? { |d| !d.appears_in_lockfile? }
|
|
221
|
-
end
|
|
222
|
-
|
|
223
217
|
def includes_security_fixes?
|
|
224
218
|
vulnerabilities_fixed.values.flatten.any?
|
|
225
219
|
end
|
|
@@ -165,12 +165,12 @@ module Dependabot
|
|
|
165
165
|
updated_reqs.first[:requirement]
|
|
166
166
|
end
|
|
167
167
|
|
|
168
|
-
# TODO:
|
|
169
|
-
#
|
|
170
|
-
#
|
|
168
|
+
# TODO: Bring this in line with existing library checks that we do in the
|
|
169
|
+
# update checkers, which are also overriden by passing an explicit
|
|
170
|
+
# `requirements_update_strategy`.
|
|
171
|
+
#
|
|
172
|
+
# TODO re-use in MessageBuilder
|
|
171
173
|
def library?
|
|
172
|
-
return true if files.map(&:name).any? { |nm| nm.end_with?(".gemspec") }
|
|
173
|
-
|
|
174
174
|
dependencies.any? { |d| !d.appears_in_lockfile? }
|
|
175
175
|
end
|
|
176
176
|
|
|
@@ -459,8 +459,16 @@ module Dependabot
|
|
|
459
459
|
previous_ref(dependency) != new_ref(dependency)
|
|
460
460
|
end
|
|
461
461
|
|
|
462
|
+
# TODO: Bring this in line with existing library checks that we do in the
|
|
463
|
+
# update checkers, which are also overriden by passing an explicit
|
|
464
|
+
# `requirements_update_strategy`.
|
|
465
|
+
#
|
|
466
|
+
# TODO re-use in BranchNamer
|
|
462
467
|
def library?
|
|
463
|
-
|
|
468
|
+
# Reject any nested child gemspecs/vendored git dependencies
|
|
469
|
+
root_files = files.map(&:name).
|
|
470
|
+
select { |p| Pathname.new(p).dirname.to_s == "." }
|
|
471
|
+
return true if root_files.select { |nm| nm.end_with?(".gemspec") }.any?
|
|
464
472
|
|
|
465
473
|
dependencies.any? { |d| previous_version(d).nil? }
|
|
466
474
|
end
|
|
@@ -43,6 +43,51 @@ module Dependabot
|
|
|
43
43
|
safe_versions.any?
|
|
44
44
|
end
|
|
45
45
|
|
|
46
|
+
# Check if the advisory is fixed by the updated dependency
|
|
47
|
+
#
|
|
48
|
+
# @param dependency [Dependabot::Dependency] Updated dependency
|
|
49
|
+
# @return [Boolean]
|
|
50
|
+
def fixed_by?(dependency)
|
|
51
|
+
# Handle case mismatch between the security advisory and parsed name
|
|
52
|
+
return false unless dependency_name.downcase == dependency.name.downcase
|
|
53
|
+
return false unless package_manager == dependency.package_manager
|
|
54
|
+
# TODO: Support no previous version to the same level as dependency graph
|
|
55
|
+
# and security alerts. We currently ignore dependency updates without a
|
|
56
|
+
# previous version because we don't know if the dependency was vulerable.
|
|
57
|
+
return false unless dependency.previous_version
|
|
58
|
+
return false unless version_class.correct?(dependency.previous_version)
|
|
59
|
+
|
|
60
|
+
# Ignore deps that weren't previously vulnerable
|
|
61
|
+
return false unless affects_version?(dependency.previous_version)
|
|
62
|
+
|
|
63
|
+
# Select deps that are now fixed
|
|
64
|
+
!affects_version?(dependency.version)
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
# Check if the version is affected by the advisory
|
|
68
|
+
#
|
|
69
|
+
# @param version [Dependabot::<Package Manager>::Version] version class
|
|
70
|
+
# @return [Boolean]
|
|
71
|
+
def affects_version?(version)
|
|
72
|
+
return false unless version_class.correct?(version)
|
|
73
|
+
return false unless [*safe_versions, *vulnerable_versions].any?
|
|
74
|
+
|
|
75
|
+
version = version_class.new(version)
|
|
76
|
+
|
|
77
|
+
# If version is known safe for this advisory, it's not vulnerable
|
|
78
|
+
return false if safe_versions.any? { |r| r.satisfied_by?(version) }
|
|
79
|
+
|
|
80
|
+
# If in the vulnerable range and not known safe, it's vulnerable
|
|
81
|
+
return true if vulnerable_versions.any? { |r| r.satisfied_by?(version) }
|
|
82
|
+
|
|
83
|
+
# If a vulnerable range present but not met, it's not vulnerable
|
|
84
|
+
return false if vulnerable_versions.any?
|
|
85
|
+
|
|
86
|
+
# Finally, if no vulnerable range provided, but a safe range provided,
|
|
87
|
+
# and this versions isn't included (checked earler), it's vulnerable
|
|
88
|
+
safe_versions.any?
|
|
89
|
+
end
|
|
90
|
+
|
|
46
91
|
private
|
|
47
92
|
|
|
48
93
|
def convert_string_version_requirements
|
|
@@ -79,6 +79,12 @@ module Dependabot
|
|
|
79
79
|
raise NotImplementedError
|
|
80
80
|
end
|
|
81
81
|
|
|
82
|
+
# Lowest available security fix version not checking resolvability
|
|
83
|
+
# @return [Dependabot::<package manager>::Version, #to_s] version class
|
|
84
|
+
def lowest_security_fix_version
|
|
85
|
+
raise NotImplementedError
|
|
86
|
+
end
|
|
87
|
+
|
|
82
88
|
def lowest_resolvable_security_fix_version
|
|
83
89
|
raise NotImplementedError
|
|
84
90
|
end
|
data/lib/dependabot/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-common
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.124.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-10-
|
|
11
|
+
date: 2020-10-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-codecommit
|