dependabot-common 0.124.2 → 0.124.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of dependabot-common might be problematic. Click here for more details.

Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/lib/dependabot/file_updaters/vendor_updater.rb +11 -2
  3. data/lib/dependabot/security_advisory.rb +11 -2
  4. data/lib/dependabot/shared_helpers.rb +11 -4
  5. data/lib/dependabot/version.rb +1 -1
  6. metadata +3 -3
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f8c1c6ce7dbce6606fe13ea021cddbdf6cc73561227f1e944024b0cd59c066f8
4
- data.tar.gz: 43be3e7cd0d8c583d2286a909d5c616b126eda8d1800db931ebf9ed66ee013bd
3
+ metadata.gz: e0a5d3aa4b677c2fd4c3fc1b8671021edb5f4ebe9149740b207b38bf4d727348
4
+ data.tar.gz: 22c454cef095aad5114f08a26949df26f0339575c98e6a490c5effec9c3dc7ab
5
5
  SHA512:
6
- metadata.gz: d8a3a6a7ca1e6910132f9c102c13547310eb38e1ac899df526a7fe6bf0cb8ebc264962b3f5ff9376a77f85e5cc5f385de81d58a1ccbfd165c295a9c9c5270d96
7
- data.tar.gz: 90c3aa1296c25e4616de3f29b83d5fb49c6dea2e05ccc12fa1c1f69d37342442cfc41acad10a9258d88352c21ff988a3417ae768fb559365873e317413194c23
6
+ metadata.gz: f5846d2d3684f2d8427486b8328168f35509d3da7228c2d9e263e7c4cd4e7bc45fbc30a16b873eedf0ef0c8e0b1218908164f92579e18cd57874a310eb3eec01
7
+ data.tar.gz: 9c433bd6f40e0969c02bb92168e1e46c34d4a597aeeb2be8b06faf1db4502b686fc9cf55101426816fd9c2b6b2e515c1bbea96169f1a13009d04109ee66103f9
data/lib/dependabot/file_updaters/vendor_updater.rb CHANGED
@@ -18,7 +18,10 @@ module Dependabot
18
18
  return [] unless repo_contents_path && vendor_dir
19
19
 
20
20
  Dir.chdir(repo_contents_path) do
21
- relative_dir = vendor_dir.sub("#{repo_contents_path}/", "")
21
+ relative_dir = Pathname.new(vendor_dir).relative_path_from(
22
+ repo_contents_path
23
+ )
24
+
22
25
  status = SharedHelpers.run_shell_command(
23
26
  "git status --untracked-files=all --porcelain=v1 #{relative_dir}"
24
27
  )
@@ -31,8 +34,14 @@ module Dependabot
31
34
  encoding = Dependabot::DependencyFile::ContentEncoding::BASE64
32
35
  encoded_content = Base64.encode64(encoded_content) unless deleted
33
36
  end
37
+
38
+ project_root =
39
+ Pathname.new(File.expand_path(File.join(Dir.pwd, base_directory)))
40
+ file_path =
41
+ Pathname.new(path).expand_path.relative_path_from(project_root)
42
+
34
43
  Dependabot::DependencyFile.new(
35
- name: path,
44
+ name: file_path.to_s,
36
45
  content: encoded_content,
37
46
  directory: base_directory,
38
47
  deleted: deleted,
data/lib/dependabot/security_advisory.rb CHANGED
@@ -43,8 +43,13 @@ module Dependabot
43
43
  safe_versions.any?
44
44
  end
45
45
 
46
- def fixes_advisory?(dependency)
47
- return false unless dependency_name == dependency.name
46
+ # Check if the advisory is fixed by the updated dependency
47
+ #
48
+ # @param dependency [Dependabot::Dependency] Updated dependency
49
+ # @return [Boolean]
50
+ def fixed_by?(dependency)
51
+ # Handle case mismatch between the security advisory and parsed name
52
+ return false unless dependency_name.downcase == dependency.name.downcase
48
53
  return false unless package_manager == dependency.package_manager
49
54
  # TODO: Support no previous version to the same level as dependency graph
50
55
  # and security alerts. We currently ignore dependency updates without a
@@ -59,6 +64,10 @@ module Dependabot
59
64
  !affects_version?(dependency.version)
60
65
  end
61
66
 
67
+ # Check if the version is affected by the advisory
68
+ #
69
+ # @param version [Dependabot::<Package Manager>::Version] version class
70
+ # @return [Boolean]
62
71
  def affects_version?(version)
63
72
  return false unless version_class.correct?(version)
64
73
  return false unless [*safe_versions, *vulnerable_versions].any?
data/lib/dependabot/shared_helpers.rb CHANGED
@@ -19,6 +19,7 @@ module Dependabot
19
19
  "#{Excon::USER_AGENT} ruby/#{RUBY_VERSION} "\
20
20
  "(#{RUBY_PLATFORM}) "\
21
21
  "(+https://github.com/dependabot/dependabot-core)"
22
+ SIGKILL = 9
22
23
 
23
24
  class ChildProcessFailed < StandardError
24
25
  attr_reader :error_class, :error_message, :error_backtrace
@@ -42,6 +43,9 @@ module Dependabot
42
43
  path = Pathname.new(File.join(repo_contents_path, directory)).
43
44
  expand_path
44
45
  reset_git_repo(repo_contents_path)
46
+ # Handle missing directories by creating an empty one and relying on the
47
+ # file fetcher to raise a DependencyFileNotFound error
48
+ FileUtils.mkdir_p(path) unless Dir.exist?(path)
45
49
  Dir.chdir(path) { yield(path) }
46
50
  else
47
51
  in_a_temporary_directory(directory, &block)
@@ -58,13 +62,14 @@ module Dependabot
58
62
  end
59
63
 
60
64
  class HelperSubprocessFailed < StandardError
61
- attr_reader :error_class, :error_context
65
+ attr_reader :error_class, :error_context, :trace
62
66
 
63
- def initialize(message:, error_context:, error_class: nil)
67
+ def initialize(message:, error_context:, error_class: nil, trace: nil)
64
68
  super(message)
65
69
  @error_class = error_class || ""
66
70
  @error_context = error_context
67
71
  @command = error_context[:command]
72
+ @trace = trace
68
73
  end
69
74
 
70
75
  def raven_context
@@ -104,7 +109,8 @@ module Dependabot
104
109
  args: args,
105
110
  time_taken: time_taken,
106
111
  stderr_output: stderr ? stderr[0..50_000] : "", # Truncate to ~100kb
107
- process_exit_value: process.to_s
112
+ process_exit_value: process.to_s,
113
+ process_termsig: process.termsig
108
114
  }
109
115
 
110
116
  response = JSON.parse(stdout)
@@ -113,7 +119,8 @@ module Dependabot
113
119
  raise HelperSubprocessFailed.new(
114
120
  message: response["error"],
115
121
  error_class: response["error_class"],
116
- error_context: error_context
122
+ error_context: error_context,
123
+ trace: response["trace"]
117
124
  )
118
125
  rescue JSON::ParserError
119
126
  raise HelperSubprocessFailed.new(
data/lib/dependabot/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Dependabot
4
- VERSION = "0.124.2"
4
+ VERSION = "0.124.7"
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-common
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.124.2
4
+ version: 0.124.7
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-10-26 00:00:00.000000000 Z
11
+ date: 2020-11-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: aws-sdk-codecommit
@@ -438,7 +438,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
438
438
  - !ruby/object:Gem::Version
439
439
  version: 2.7.3
440
440
  requirements: []
441
- rubygems_version: 3.1.2
441
+ rubygems_version: 3.1.4
442
442
  signing_key:
443
443
  specification_version: 4
444
444
  summary: Shared code used between Dependabot package managers