dependabot-common 0.124.5 → 0.125.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ae9fb3f0b4e57a5bc62613e0317f515a95cec8dbdbdb829e33705d61cb3885d
-  data.tar.gz: 36d33ee3b0efb66fc37fb7e82d136363546c8c31563413348af8d9214e748adb
+  metadata.gz: 5cea5014538128815ea1ee0d391d71280e703663a69dad5ee6a9f8c30059b33d
+  data.tar.gz: d12e2a67cc6b8aea8b95be0ac1908941464ae5fb77b15ee94fff757a80bf6675
 SHA512:
-  metadata.gz: 1eac76f2204fd69a6b3bfa060b347b2104a86f6dccea367f2cd93fa395c3a041378ea9d5b584fdf2ef4d4498b772edf00acf9da1fae654900f5d76eceafb094d
-  data.tar.gz: 5e2234c10a99e762058d931036ec67d89b55eaa845de460a565dd758fa022e227ce55c41d9397452ca1fd580a6bb31bf26e5e274a23fb9a0c438e83d27e3c161
+  metadata.gz: 766afa6f3226f4ebbf46a3a9e6b14eb3c2b9d28da0a24e1b5a0ad4f3c6e6e7e01047c1902d070cbbbf007ba0b963c282ec17baf98618634befe3e2ffdde5f67d
+  data.tar.gz: 01a5c62d6ee5ee5a5462625af55f4df60d480f3f9a642668aa16173be7a1af013e85b11ba13443ce6614cc76a60d2f18b34b5edc3c1415e9a22e39a927e980e7

data/lib/dependabot/clients/azure.rb

@@ -95,9 +95,7 @@ module Dependabot
                       "/_apis/git/repositories/" + source.unscoped_repo +
                       "/commits"
 
-        unless branch_name.to_s.empty?
-          commits_url += "?searchCriteria.itemVersion.version=" + branch_name
-        end
+        commits_url += "?searchCriteria.itemVersion.version=" + branch_name unless branch_name.to_s.empty?
 
         response = get(commits_url)
 

data/lib/dependabot/file_fetchers/base.rb

@@ -113,9 +113,7 @@ module Dependabot
       def load_cloned_file_if_present(filename)
         path = Pathname.new(File.join(directory, filename)).cleanpath.to_path
         repo_path = File.join(clone_repo_contents, path)
-        unless File.exist?(repo_path)
-          raise Dependabot::DependencyFileNotFound, path
-        end
+        raise Dependabot::DependencyFileNotFound, path unless File.exist?(repo_path)
 
         content = File.read(repo_path)
         type = if File.symlink?(repo_path)
@@ -135,9 +133,7 @@ module Dependabot
       end
 
       def fetch_file_from_host(filename, type: "file", fetch_submodules: false)
-        unless repo_contents_path.nil?
-          return load_cloned_file_if_present(filename)
-        end
+        return load_cloned_file_if_present(filename) unless repo_contents_path.nil?
 
         path = Pathname.new(File.join(directory, filename)).cleanpath.to_path
         content = _fetch_file_content(path, fetch_submodules: fetch_submodules)
@@ -480,10 +476,10 @@ module Dependabot
           return path if Dir.exist?(File.join(path, ".git"))
 
           FileUtils.mkdir_p(path)
-          br_opt = " --branch=#{source.branch} --single-branch" if source.branch
+          br_opt = " --branch #{source.branch} --single-branch" if source.branch
           SharedHelpers.run_shell_command(
             <<~CMD
-              git clone --no-tags --no-recurse-submodules --depth=1#{br_opt} #{source.url} #{path}
+              git clone --no-tags --no-recurse-submodules --depth 1#{br_opt} #{source.url} #{path}
             CMD
           )
           path

data/lib/dependabot/file_parsers/base/dependency_set.rb

@@ -21,9 +21,7 @@ module Dependabot
         attr_reader :dependencies
 
         def <<(dep)
-          unless dep.is_a?(Dependency)
-            raise ArgumentError, "must be a Dependency object"
-          end
+          raise ArgumentError, "must be a Dependency object" unless dep.is_a?(Dependency)
 
           existing_dependency = dependency_for_name(dep.name)
 
@@ -40,9 +38,7 @@ module Dependabot
         end
 
         def +(other)
-          unless other.is_a?(DependencySet)
-            raise ArgumentError, "must be a DependencySet"
-          end
+          raise ArgumentError, "must be a DependencySet" unless other.is_a?(DependencySet)
 
           other.dependencies.each { |dep| self << dep }
           self

data/lib/dependabot/file_updaters/vendor_updater.rb

@@ -23,7 +23,7 @@ module Dependabot
           )
 
           status = SharedHelpers.run_shell_command(
-            "git status --untracked-files=all --porcelain=v1 #{relative_dir}"
+            "git status --untracked-files all --porcelain v1 #{relative_dir}"
           )
           changed_paths = status.split("\n").map { |l| l.split(" ") }
           changed_paths.map do |type, path|

data/lib/dependabot/git_commit_checker.rb

@@ -93,9 +93,7 @@ module Dependabot
         select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
       filtered = tags.
                  reject { |t| tag_included_in_ignore_reqs?(t) }
-      if @raise_on_ignored && tags.any? && filtered.empty?
-        raise Dependabot::AllVersionsIgnored
-      end
+      raise Dependabot::AllVersionsIgnored if @raise_on_ignored && tags.any? && filtered.empty?
 
       tag = filtered.
             reject { |t| tag_is_prerelease?(t) && !wants_prerelease? }.

data/lib/dependabot/git_metadata_fetcher.rb

@@ -52,13 +52,9 @@ module Dependabot
       response = fetch_raw_upload_pack_for(uri)
       return response.body if response.status == 200
 
-      unless uri.match?(KNOWN_HOSTS)
-        raise Dependabot::GitDependenciesNotReachable, [uri]
-      end
+      raise Dependabot::GitDependenciesNotReachable, [uri] unless uri.match?(KNOWN_HOSTS)
 
-      if response.status < 400
-        raise "Unexpected response: #{response.status} - #{response.body}"
-      end
+      raise "Unexpected response: #{response.status} - #{response.body}" if response.status < 400
 
       if uri.match?(/github\.com/i)
         response = response.data

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -100,9 +100,7 @@ module Dependabot
         # rubocop:enable Metrics/PerceivedComplexity
 
         def changelog_from_suggested_url
-          if defined?(@changelog_from_suggested_url)
-            return @changelog_from_suggested_url
-          end
+          return @changelog_from_suggested_url if defined?(@changelog_from_suggested_url)
           return unless suggested_changelog_url
 
           # TODO: Support other providers

data/lib/dependabot/metadata_finders/base/commits_finder.rb

@@ -51,9 +51,7 @@ module Dependabot
         def new_tag
           new_version = dependency.version
 
-          if git_source?(dependency.requirements) && git_sha?(new_version)
-            return new_version
-          end
+          return new_version if git_source?(dependency.requirements) && git_sha?(new_version)
 
           return new_ref if new_ref && ref_changed?
 
@@ -98,9 +96,7 @@ module Dependabot
         end
 
         def version_from_tag(tag)
-          if version_class.correct?(tag.gsub(/^v/, ""))
-            version_class.new(tag.gsub(/^v/, ""))
-          end
+          version_class.new(tag.gsub(/^v/, "")) if version_class.correct?(tag.gsub(/^v/, ""))
 
           return unless tag.gsub(/^[^\d]*/, "").length > 1
           return unless version_class.correct?(tag.gsub(/^[^\d]*/, ""))
@@ -156,9 +152,7 @@ module Dependabot
         def tag_matches_version?(tag, version)
           return false unless version
 
-          unless version_class.correct?(version)
-            return tag.match?(/(?:[^0-9\.]|\A)#{Regexp.escape(version)}\z/)
-          end
+          return tag.match?(/(?:[^0-9\.]|\A)#{Regexp.escape(version)}\z/) unless version_class.correct?(version)
 
           version_regex = GitCommitChecker::VERSION_REGEX
           return false unless tag.match?(version_regex)

data/lib/dependabot/pull_request_creator/branch_namer.rb

@@ -120,9 +120,7 @@ module Dependabot
         # Version looks like a git SHA and we could be updating to a specific
         # ref in which case we return that otherwise we return a shorthand sha
         if dependency.version.match?(/^[0-9a-f]{40}$/)
-          if ref_changed?(dependency) && new_ref(dependency)
-            return new_ref(dependency)
-          end
+          return new_ref(dependency) if ref_changed?(dependency) && new_ref(dependency)
 
           dependency.version[0..6]
         elsif dependency.version == dependency.previous_version &&

data/lib/dependabot/pull_request_creator/github.rb

@@ -443,9 +443,7 @@ module Dependabot
 
           raise_custom_error err, RepoNotFound, err.message
         when Octokit::UnprocessableEntity
-          if err.message.include?("no history in common")
-            raise_custom_error err, NoHistoryInCommon, err.message
-          end
+          raise_custom_error err, NoHistoryInCommon, err.message if err.message.include?("no history in common")
 
           raise err
         else

data/lib/dependabot/pull_request_creator/gitlab.rb

@@ -92,9 +92,7 @@ module Dependabot
       end
 
       def create_commit
-        if files.count == 1 && files.first.type == "submodule"
-          return create_submodule_update_commit
-        end
+        return create_submodule_update_commit if files.count == 1 && files.first.type == "submodule"
 
         actions = files.map do |file|
           if file.type == "symlink"

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -169,13 +169,9 @@ module Dependabot
 
       # rubocop:disable Metrics/PerceivedComplexity
       def version_commit_message_intro
-        if dependencies.count > 1 && updating_a_property?
-          return multidependency_property_intro
-        end
+        return multidependency_property_intro if dependencies.count > 1 && updating_a_property?
 
-        if dependencies.count > 1 && updating_a_dependency_set?
-          return dependency_set_intro
-        end
+        return dependency_set_intro if dependencies.count > 1 && updating_a_dependency_set?
 
         return multidependency_intro if dependencies.count > 1
 
@@ -184,9 +180,7 @@ module Dependabot
               "#{from_version_msg(previous_version(dependency))}"\
               "to #{new_version(dependency)}."
 
-        if switching_from_ref_to_release?(dependency)
-          msg += " This release includes the previously tagged commit."
-        end
+        msg += " This release includes the previously tagged commit." if switching_from_ref_to_release?(dependency)
 
         if vulnerabilities_fixed[dependency.name]&.one?
           msg += " **This update includes a security fix.**"
@@ -272,9 +266,7 @@ module Dependabot
       end
 
       def metadata_links
-        if dependencies.count == 1
-          return metadata_links_for_dep(dependencies.first)
-        end
+        return metadata_links_for_dep(dependencies.first) if dependencies.count == 1
 
         dependencies.map do |dep|
           "\n\nUpdates `#{dep.display_name}` "\
@@ -294,9 +286,7 @@ module Dependabot
       end
 
       def metadata_cascades
-        if dependencies.one?
-          return metadata_cascades_for_dep(dependencies.first)
-        end
+        return metadata_cascades_for_dep(dependencies.first) if dependencies.one?
 
         dependencies.map do |dep|
           msg = "\nUpdates `#{dep.display_name}` "\
@@ -375,9 +365,7 @@ module Dependabot
         end
 
         if dependency.previous_version.match?(/^[0-9a-f]{40}$/)
-          if ref_changed?(dependency) && previous_ref(dependency)
-            return previous_ref(dependency)
-          end
+          return previous_ref(dependency) if ref_changed?(dependency) && previous_ref(dependency)
 
           "`#{dependency.previous_version[0..6]}`"
         elsif dependency.version == dependency.previous_version &&
@@ -391,9 +379,7 @@ module Dependabot
 
       def new_version(dependency)
         if dependency.version.match?(/^[0-9a-f]{40}$/)
-          if ref_changed?(dependency) && new_ref(dependency)
-            return new_ref(dependency)
-          end
+          return new_ref(dependency) if ref_changed?(dependency) && new_ref(dependency)
 
           "`#{dependency.version[0..6]}`"
         elsif dependency.version == dependency.previous_version &&
@@ -448,9 +434,7 @@ module Dependabot
 
         req = updated_reqs.first.fetch(:requirement)
         return req if req
-        if ref_changed?(dependency) && new_ref(dependency)
-          return new_ref(dependency)
-        end
+        return new_ref(dependency) if ref_changed?(dependency) && new_ref(dependency)
 
         raise "No new requirement!"
       end

data/lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb

@@ -159,9 +159,7 @@ module Dependabot
         def serialized_vulnerability_details(details)
           msg = vulnerability_source_line(details)
 
-          if details["title"]
-            msg += "> **#{details['title'].lines.map(&:strip).join(' ')}**\n"
-          end
+          msg += "> **#{details['title'].lines.map(&:strip).join(' ')}**\n" if details["title"]
 
           if (description = details["description"])
             description.strip.lines.first(20).each { |line| msg += "> #{line}" }

data/lib/dependabot/pull_request_creator/pr_name_prefixer.rb

@@ -42,13 +42,9 @@ module Dependabot
       end
 
       def capitalize_first_word?
-        if commit_message_options.key?(:prefix)
-          return !commit_message_options[:prefix]&.strip&.match?(/\A[a-z]/)
-        end
+        return !commit_message_options[:prefix]&.strip&.match?(/\A[a-z]/) if commit_message_options.key?(:prefix)
 
-        if last_dependabot_commit_style
-          return capitalise_first_word_from_last_dependabot_commit_style
-        end
+        return capitalise_first_word_from_last_dependabot_commit_style if last_dependabot_commit_style
 
         capitalise_first_word_from_previous_commits
       end
@@ -63,15 +59,11 @@ module Dependabot
 
       def commit_prefix
         # If a preferred prefix has been explicitly provided, use it
-        if commit_message_options.key?(:prefix)
-          return prefix_from_explicitly_provided_details
-        end
+        return prefix_from_explicitly_provided_details if commit_message_options.key?(:prefix)
 
         # Otherwise, if there is a previous Dependabot commit and it used a
         # known style, use that as our model for subsequent commits
-        if last_dependabot_commit_style
-          return prefix_for_last_dependabot_commit_style
-        end
+        return prefix_for_last_dependabot_commit_style if last_dependabot_commit_style
 
         # Otherwise we need to detect the user's preferred style from the
         # existing commits on their repo
@@ -89,9 +81,7 @@ module Dependabot
       end
 
       def explicitly_provided_prefix_string
-        unless commit_message_options.key?(:prefix)
-          raise "No explicitly provided prefix!"
-        end
+        raise "No explicitly provided prefix!" unless commit_message_options.key?(:prefix)
 
         if dependencies.any?(&:production?)
           commit_message_options[:prefix].to_s
@@ -181,9 +171,7 @@ module Dependabot
         end
 
         # Definitely not using Angular commits if < 30% match angular commits
-        if angular_messages.count.to_f / recent_commit_messages.count < 0.3
-          return false
-        end
+        return false if angular_messages.count.to_f / recent_commit_messages.count < 0.3
 
         eslint_only_pres = ESLINT_PREFIXES.map(&:downcase) - ANGULAR_PREFIXES
         angular_only_pres = ANGULAR_PREFIXES - ESLINT_PREFIXES.map(&:downcase)
@@ -244,9 +232,7 @@ module Dependabot
             "build"
           end
 
-        if capitalize_angular_commit_prefix?
-          commit_prefix = commit_prefix.capitalize
-        end
+        commit_prefix = commit_prefix.capitalize if capitalize_angular_commit_prefix?
 
         commit_prefix
       end
@@ -256,9 +242,7 @@ module Dependabot
           ANGULAR_PREFIXES.any? { |pre| message.match?(/#{pre}[:(]/i) }
         end
 
-        if semantic_messages.none?
-          return last_dependabot_commit_message&.start_with?(/[A-Z]/)
-        end
+        return last_dependabot_commit_message&.start_with?(/[A-Z]/) if semantic_messages.none?
 
         capitalized_msgs = semantic_messages.
                            select { |m| m.start_with?(/[A-Z]/) }

data/lib/dependabot/shared_helpers.rb

@@ -19,6 +19,7 @@ module Dependabot
                  "#{Excon::USER_AGENT} ruby/#{RUBY_VERSION} "\
                  "(#{RUBY_PLATFORM}) "\
                  "(+https://github.com/dependabot/dependabot-core)"
+    SIGKILL = 9
 
     class ChildProcessFailed < StandardError
       attr_reader :error_class, :error_message, :error_backtrace
@@ -84,10 +85,10 @@ module Dependabot
 
     def self.run_helper_subprocess(command:, function:, args:, env: nil,
                                    stderr_to_stdout: false,
-                                   escape_command_str: true)
+                                   allow_unsafe_shell_command: false)
       start = Time.now
       stdin_data = JSON.dump(function: function, args: args)
-      cmd = escape_command_str ? escape_command(command) : command
+      cmd = allow_unsafe_shell_command ? command : escape_command(command)
       env_cmd = [env, cmd].compact
       stdout, stderr, process = Open3.capture3(*env_cmd, stdin_data: stdin_data)
       time_taken = Time.now - start
@@ -108,7 +109,8 @@ module Dependabot
         args: args,
         time_taken: time_taken,
         stderr_output: stderr ? stderr[0..50_000] : "", # Truncate to ~100kb
-        process_exit_value: process.to_s
+        process_exit_value: process.to_s,
+        process_termsig: process.termsig
       }
 
       response = JSON.parse(stdout)
@@ -174,15 +176,23 @@ module Dependabot
       # Note: we use --global here (rather than --system) so that Dependabot
       # can be run without privileged access
       run_shell_command(
-        'git config --global --replace-all url."https://github.com/".'\
-        "insteadOf ssh://git@github.com/ && "\
-        'git config --global --add url."https://github.com/".'\
-        "insteadOf ssh://git@github.com: && "\
-        'git config --global --add url."https://github.com/".'\
-        "insteadOf git@github.com: && "\
-        'git config --global --add url."https://github.com/".'\
-        "insteadOf git@github.com/ && "\
-        'git config --global --add url."https://github.com/".'\
+        "git config --global --replace-all url.https://github.com/."\
+        "insteadOf ssh://git@github.com/"
+      )
+      run_shell_command(
+        "git config --global --add url.https://github.com/."\
+        "insteadOf ssh://git@github.com:"
+      )
+      run_shell_command(
+        "git config --global --add url.https://github.com/."\
+        "insteadOf git@github.com:"
+      )
+      run_shell_command(
+        "git config --global --add url.https://github.com/."\
+        "insteadOf git@github.com/"
+      )
+      run_shell_command(
+        "git config --global --add url.https://github.com/."\
         "insteadOf git://github.com/"
       )
     end
@@ -197,7 +207,8 @@ module Dependabot
         File.join(__dir__, "../../bin/git-credential-store-immutable")
       run_shell_command(
         "git config --global credential.helper "\
-        "'!#{credential_helper_path} --file=#{Dir.pwd}/git.store'"
+        "'!#{credential_helper_path} --file #{Dir.pwd}/git.store'",
+        allow_unsafe_shell_command: true
       )
 
       github_credentials = credentials.
@@ -235,7 +246,8 @@ module Dependabot
 
     def self.reset_git_repo(path)
       Dir.chdir(path) do
-        run_shell_command("git reset HEAD --hard && git clean -fx")
+        run_shell_command("git reset HEAD --hard")
+        run_shell_command("git clean -fx")
       end
     end
 
@@ -260,9 +272,10 @@ module Dependabot
       FileUtils.mv(backup_path, GIT_CONFIG_GLOBAL_PATH)
     end
 
-    def self.run_shell_command(command)
+    def self.run_shell_command(command, allow_unsafe_shell_command: false)
       start = Time.now
-      stdout, process = Open3.capture2e(command)
+      cmd = allow_unsafe_shell_command ? command : escape_command(command)
+      stdout, process = Open3.capture2e(cmd)
       time_taken = Time.now - start
 
       # Raise an error with the output from the shell session if the
@@ -270,7 +283,7 @@ module Dependabot
       return stdout if process.success?
 
       error_context = {
-        command: command,
+        command: cmd,
         time_taken: time_taken,
         process_exit_value: process.to_s
       }

data/lib/dependabot/update_checkers/base.rb

@@ -48,9 +48,7 @@ module Dependabot
       end
 
       def updated_dependencies(requirements_to_unlock:)
-        unless can_update?(requirements_to_unlock: requirements_to_unlock)
-          return []
-        end
+        return [] unless can_update?(requirements_to_unlock: requirements_to_unlock)
 
         case requirements_to_unlock&.to_sym
         when :none then [updated_dependency_without_unlock]
@@ -93,6 +91,16 @@ module Dependabot
         raise NotImplementedError
       end
 
+      # Finds any dependencies in the lockfile that have a subdependency on the
+      # given dependency that do not satisfy the target_version.
+      # @return [Array<Hash{String => String}]
+      #   name [String] the blocking dependencies name
+      #   version [String] the version of the blocking dependency
+      #   requirement [String] the requirement on the target_dependency
+      def conflicting_dependencies
+        [] # return an empty array for ecosystems that don't support this yet
+      end
+
       def latest_resolvable_previous_version(_updated_version)
         dependency.version
       end

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.124.5"
+  VERSION = "0.125.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.124.5
+  version: 0.125.1
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-30 00:00:00.000000000 Z
+date: 2020-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit