dependabot-common 0.142.0 → 0.143.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f833b9f5da589fa423f0926391c8f184c7251b28bf02c9adab60efbb1c67a6c7
-  data.tar.gz: f771557404e3a72bd0f8a8a1ff8e1b68dcc77f333e2b4e2500d396937457755f
+  metadata.gz: cb8de338ea7c3bb3273bd23ccc824a13d3658cc694f182776b889d3f67414c68
+  data.tar.gz: 63d9ca895ad038b2ce5d80c3a35bdcb175f8b023e1b09edd85a55d7c387c0609
 SHA512:
-  metadata.gz: 0cde2d2466ec8add1b242087d720de1fe14c7c90df7a13411489272a7bf1112827d4127e34a92ec33d3540bd65f71e45c8533b0ec0f008a39543c9ae675ba1d1
-  data.tar.gz: 8f5cca6b9e06eaa591c731fea3ee4a6017cf400d8175b039aa018bc39b50d2bd735a7cdf7a4af5faf6d5287906eed73c0fd7c9310479ec65891cd8c45191ce65
+  metadata.gz: 7850b7c2b9b02b76453f40347a79e5afca046d295a2ae160c27ec11dd05efc9359d34414ed4e28be46b7678aa8d47abbd8ecb24643cb3cc86573c88d979e7334
+  data.tar.gz: 34110bdb90cb8fef78980ccb724f98c21753f2bce36be8bca3b5896671daa19e756b4430ff24864fbb35ac2caaa57fdaa67a0f84ba0d1cbb54e0baf8b880160e

data/lib/dependabot/clients/azure.rb

@@ -201,9 +201,11 @@ module Dependabot
           }
         ]
 
-        post(source.api_endpoint + source.organization + "/" + source.project +
-          "/_apis/git/repositories/" + source.unscoped_repo +
-          "/refs?api-version=5.0", content.to_json)
+        response = post(source.api_endpoint + source.organization + "/" + source.project +
+                        "/_apis/git/repositories/" + source.unscoped_repo +
+                        "/refs?api-version=5.0", content.to_json)
+
+        JSON.parse(response.body).fetch("value").first
       end
       # rubocop:enable Metrics/ParameterLists
 

data/lib/dependabot/config.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module Config
+    class InvalidConfigError < StandardError; end
+  end
+end

data/lib/dependabot/config/file.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require "dependabot/config/update_config"
+
+module Dependabot
+  module Config
+    # Configuration for the repository, a parsed dependabot.yaml.
+    class File
+      attr_reader :updates, :registries
+
+      def initialize(updates:, registries: nil)
+        @updates = updates || []
+        @registries = registries || []
+      end
+
+      def update_config(package_manager, directory: nil, target_branch: nil)
+        dir = directory || "/"
+        package_ecosystem = PACKAGE_MANAGER_LOOKUP.invert.fetch(package_manager)
+        cfg = updates.find do |u|
+          u[:"package-ecosystem"] == package_ecosystem && u[:directory] == dir &&
+            (target_branch.nil? || u[:"target-branch"] == target_branch)
+        end
+        Dependabot::Config::UpdateConfig.new(
+          ignore_conditions: ignore_conditions(cfg),
+          commit_message_options: commit_message_options(cfg)
+        )
+      end
+
+      # Parse the YAML config file
+      def self.parse(config)
+        parsed = YAML.safe_load(config, symbolize_names: true)
+        version = parsed[:version]
+        raise InvalidConfigError, "invalid version #{version}" if version && version != 2
+
+        File.new(updates: parsed[:updates], registries: parsed[:registries])
+      end
+
+      private
+
+      PACKAGE_MANAGER_LOOKUP = {
+        "bundler" => "bundler",
+        "cargo" => "cargo",
+        "composer" => "composer",
+        "docker" => "docker",
+        "elm" => "elm",
+        "github-actions" => "github_actions",
+        "gitsubmodule" => "submodules",
+        "gomod" => "go_modules",
+        "gradle" => "gradle",
+        "maven" => "maven",
+        "mix" => "hex",
+        "nuget" => "nuget",
+        "npm" => "npm_and_yarn",
+        "pip" => "pip",
+        "terraform" => "terraform"
+      }.freeze
+
+      def ignore_conditions(cfg)
+        ignores = cfg&.dig(:ignore) || []
+        ignores.map do |ic|
+          Dependabot::Config::IgnoreCondition.new(
+            dependency_name: ic[:"dependency-name"],
+            versions: ic[:versions],
+            update_types: ic[:"update-types"]
+          )
+        end
+      end
+
+      def commit_message_options(cfg)
+        commit_message = cfg&.dig(:"commit-message") || {}
+        Dependabot::Config::UpdateConfig::CommitMessageOptions.new(
+          prefix: commit_message[:prefix],
+          prefix_development: commit_message[:"prefix-development"],
+          include: commit_message[:include]
+        )
+      end
+    end
+  end
+end

data/lib/dependabot/config/file_fetcher.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers/base"
+require "dependabot/config/file"
+
+module Dependabot
+  module Config
+    class FileFetcher < Dependabot::FileFetchers::Base
+      CONFIG_FILE_PATHS = %w(.github/dependabot.yml .github/dependabot.yaml).freeze
+
+      def self.required_files_in?(filenames)
+        CONFIG_FILE_PATHS.any? { |file| filenames.include?(file) }
+      end
+
+      def self.required_files_message
+        "Repo must contain either a #{CONFIG_FILE_PATHS.join(' or a ')} file"
+      end
+
+      def config_file
+        @config_file ||= files.first
+      end
+
+      private
+
+      def fetch_files
+        fetched_files = []
+
+        CONFIG_FILE_PATHS.each do |file|
+          fn = Pathname.new("/#{file}").relative_path_from(directory)
+
+          begin
+            config_file = fetch_file_from_host(fn)
+            if config_file
+              fetched_files << config_file
+              break
+            end
+          rescue Dependabot::DependencyFileNotFound
+            next
+          end
+        end
+
+        unless self.class.required_files_in?(fetched_files.map(&:name))
+          raise Dependabot::DependencyFileNotFound, self.class.required_files_message
+        end
+
+        fetched_files
+      end
+    end
+  end
+end

data/lib/dependabot/config/ignore_condition.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module Config
+    # Filters versions that should not be considered for dependency updates
+    class IgnoreCondition
+      PATCH_VERSION_TYPE = "version-update:semver-patch"
+      MINOR_VERSION_TYPE = "version-update:semver-minor"
+      MAJOR_VERSION_TYPE = "version-update:semver-major"
+
+      ALL_VERSIONS = ">= 0"
+
+      attr_reader :dependency_name, :versions, :update_types
+
+      def initialize(dependency_name:, versions: nil, update_types: nil)
+        @dependency_name = dependency_name
+        @versions = versions || []
+        @update_types = update_types || []
+      end
+
+      def ignored_versions(dependency)
+        return [ALL_VERSIONS] if versions.empty? && transformed_update_types.empty?
+
+        versions_by_type(dependency) + versions
+      end
+
+      private
+
+      def transformed_update_types
+        update_types.map(&:downcase).map(&:strip).compact
+      end
+
+      def versions_by_type(dependency)
+        transformed_update_types.flat_map do |t|
+          case t
+          when PATCH_VERSION_TYPE
+            ignore_patch(dependency.version)
+          when MINOR_VERSION_TYPE
+            ignore_minor(dependency.version)
+          when MAJOR_VERSION_TYPE
+            ignore_major(dependency.version)
+          else
+            []
+          end
+        end.compact
+      end
+
+      def ignore_patch(version)
+        parts = version.split(".")
+        return [] unless parts.size > 2
+
+        lower_parts = parts.first(2) + ["a"]
+        upper_parts = parts.first(2)
+        upper_parts[1] = upper_parts[1].to_i + 1
+        lower_bound = ">= #{lower_parts.join('.')}"
+        upper_bound = "< #{upper_parts.join('.')}"
+        ["#{lower_bound}, #{upper_bound}"]
+      end
+
+      def ignore_minor(version)
+        parts = version.split(".")
+        return [] if parts.size < 2
+
+        if Gem::Version.correct?(version)
+          lower_parts = parts.first(2) + ["a"]
+          upper_parts = parts.first(1)
+          lower_parts[1] = lower_parts[1].to_i + 1
+          upper_parts[0] = upper_parts[0].to_i + 1
+        else
+          lower_parts = parts.first(1) + ["a"]
+          upper_parts = parts.first(1)
+          begin
+            upper_parts[0] = Integer(upper_parts[0]) + 1
+          rescue ArgumentError
+            upper_parts.push(999_999)
+          end
+        end
+
+        lower_bound = ">= #{lower_parts.join('.')}"
+        upper_bound = "< #{upper_parts.join('.')}"
+        ["#{lower_bound}, #{upper_bound}"]
+      end
+
+      def ignore_major(version)
+        parts = version.split(".")
+        return [] unless parts.size > 1
+
+        lower_parts = parts.first(1) + ["a"]
+        upper_parts = parts.first(1)
+        lower_parts[0] = lower_parts[0].to_i + 1
+        upper_parts[0] = upper_parts[0].to_i + 2
+        lower_bound = ">= #{lower_parts.join('.')}"
+        upper_bound = "< #{upper_parts.join('.')}"
+
+        ["#{lower_bound}, #{upper_bound}"]
+      end
+    end
+  end
+end

data/lib/dependabot/config/update_config.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require "dependabot/config/ignore_condition"
+
+module Dependabot
+  module Config
+    # Configuration for a single ecosystem
+    class UpdateConfig
+      attr_reader :commit_message_options, :ignore_conditions
+      def initialize(ignore_conditions: nil, commit_message_options: nil)
+        @ignore_conditions = ignore_conditions || []
+        @commit_message_options = commit_message_options
+      end
+
+      def ignored_versions_for(dependency)
+        normalizer = name_normaliser_for(dependency)
+        dep_name = name_normaliser_for(dependency).call(dependency.name)
+        @ignore_conditions.
+          select { |ic| self.class.wildcard_match?(normalizer.call(ic.dependency_name), dep_name) }.
+          map { |ic| ic.ignored_versions(dependency) }.
+          flatten.
+          compact.
+          uniq
+      end
+
+      def self.wildcard_match?(wildcard_string, candidate_string)
+        return false unless wildcard_string && candidate_string
+
+        regex_string = "a#{wildcard_string.downcase}a".split("*").
+                       map { |p| Regexp.quote(p) }.
+                       join(".*").gsub(/^a|a$/, "")
+        regex = /^#{regex_string}$/
+        regex.match?(candidate_string.downcase)
+      end
+
+      private
+
+      def name_normaliser_for(dep)
+        name_normaliser ||= {}
+        name_normaliser[dep] ||= Dependency.name_normaliser_for_package_manager(dep.package_manager)
+      end
+
+      class CommitMessageOptions
+        attr_reader :prefix, :prefix_development, :include
+
+        def initialize(prefix:, prefix_development:, include:)
+          @prefix = prefix
+          @prefix_development = prefix_development
+          @include = include
+        end
+
+        def include_scope?
+          @include == "scope"
+        end
+
+        def to_h
+          {
+            prefix: @prefix,
+            prefix_development: @prefix_development,
+            include_scope: include_scope?
+          }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_fetchers/base.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "dependabot/config"
 require "dependabot/dependency_file"
 require "dependabot/source"
 require "dependabot/errors"

data/lib/dependabot/git_commit_checker.rb

@@ -92,7 +92,7 @@ module Dependabot
         local_tags.
         select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
       filtered = tags.
-                 reject { |t| tag_included_in_ignore_reqs?(t) }
+                 reject { |t| tag_included_in_ignore_requirements?(t) }
       raise Dependabot::AllVersionsIgnored if @raise_on_ignored && tags.any? && filtered.empty?
 
       tag = filtered.
@@ -317,8 +317,8 @@ module Dependabot
       listing_repo_git_metadata_fetcher.upload_pack
     end
 
-    def ignore_reqs
-      ignored_versions.map { |req| requirement_class.new(req.split(",")) }
+    def ignore_requirements
+      ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
     end
 
     def wants_prerelease?
@@ -330,9 +330,9 @@ module Dependabot
       version_class.new(version).prerelease?
     end
 
-    def tag_included_in_ignore_reqs?(tag)
+    def tag_included_in_ignore_requirements?(tag)
       version = tag.name.match(VERSION_REGEX).named_captures.fetch("version")
-      ignore_reqs.any? { |r| r.satisfied_by?(version_class.new(version)) }
+      ignore_requirements.any? { |r| r.satisfied_by?(version_class.new(version)) }
     end
 
     def tag_is_prerelease?(tag)

data/lib/dependabot/pull_request_creator/branch_namer.rb

@@ -17,7 +17,6 @@ module Dependabot
         @prefix        = prefix
       end
 
-      # rubocop:disable Metrics/PerceivedComplexity
       def new_branch_name
         @name ||=
           begin
@@ -34,23 +33,13 @@ module Dependabot
                   tr("@", "")
               end
 
-            dep = dependencies.first
-
-            if library? && ref_changed?(dep) && new_ref(dep)
-              "#{dependency_name_part}-#{new_ref(dep)}"
-            elsif library?
-              "#{dependency_name_part}-#{sanitized_requirement(dep)}"
-            else
-              "#{dependency_name_part}-#{new_version(dep)}"
-            end
+            "#{dependency_name_part}-#{branch_version_suffix}"
           end
 
         # Some users need branch names without slashes
         sanitize_ref(File.join(prefixes, @name).gsub("/", separator))
       end
 
-      # rubocop:enable Metrics/PerceivedComplexity
-
       private
 
       def prefixes
@@ -98,6 +87,18 @@ module Dependabot
         @dependency_set
       end
 
+      def branch_version_suffix
+        dep = dependencies.first
+
+        if library? && ref_changed?(dep) && new_ref(dep)
+          new_ref(dep)
+        elsif library?
+          sanitized_requirement(dep)
+        else
+          new_version(dep)
+        end
+      end
+
       def sanitized_requirement(dependency)
         new_library_requirement(dependency).
           delete(" ").

data/lib/dependabot/pull_request_updater/azure.rb

@@ -6,6 +6,8 @@ require "securerandom"
 module Dependabot
   class PullRequestUpdater
     class Azure
+      class PullRequestUpdateFailed < Dependabot::DependabotError; end
+
       OBJECT_ID_FOR_BRANCH_DELETE = "0000000000000000000000000000000000000000"
 
       attr_reader :source, :files, :base_commit, :old_commit, :credentials,
@@ -55,9 +57,11 @@ module Dependabot
         # 1) Push the file changes to a newly created temporary branch (from base commit)
         new_commit = create_temp_branch
         # 2) Update PR source branch to point to the temp branch head commit.
-        update_branch(source_branch_name, old_source_branch_commit, new_commit)
+        response = update_branch(source_branch_name, old_source_branch_commit, new_commit)
         # 3) Delete temp branch
         update_branch(temp_branch_name, new_commit, OBJECT_ID_FOR_BRANCH_DELETE)
+
+        raise PullRequestUpdateFailed, response.fetch("customMessage", nil) unless response.fetch("success", false)
       end
 
       def pull_request

data/lib/dependabot/update_checkers/base.rb

@@ -38,7 +38,7 @@ module Dependabot
 
       def can_update?(requirements_to_unlock:)
         # Can't update if all versions are being ignored
-        return false if ignore_reqs.include?(requirement_class.new(">= 0"))
+        return false if ignore_requirements.include?(requirement_class.new(">= 0"))
 
         if dependency.version
           version_can_update?(requirements_to_unlock: requirements_to_unlock)
@@ -141,6 +141,10 @@ module Dependabot
         security_advisories.any? { |a| a.vulnerable?(version) }
       end
 
+      def ignore_requirements
+        ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
+      end
+
       private
 
       def latest_version_resolvable_with_full_unlock?
@@ -296,10 +300,6 @@ module Dependabot
 
         changed_requirements.none? { |r| r[:requirement] == :unfixable }
       end
-
-      def ignore_reqs
-        ignored_versions.map { |req| requirement_class.new(req.split(",")) }
-      end
     end
   end
 end

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.142.0"
+  VERSION = "0.143.3"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.142.0
+  version: 0.143.3
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-15 00:00:00.000000000 Z
+date: 2021-04-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -298,14 +298,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.12.0
+        version: 1.13.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.12.0
+        version: 1.13.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -391,6 +391,11 @@ files:
 - lib/dependabot/clients/codecommit.rb
 - lib/dependabot/clients/github_with_retries.rb
 - lib/dependabot/clients/gitlab_with_retries.rb
+- lib/dependabot/config.rb
+- lib/dependabot/config/file.rb
+- lib/dependabot/config/file_fetcher.rb
+- lib/dependabot/config/ignore_condition.rb
+- lib/dependabot/config/update_config.rb
 - lib/dependabot/dependency.rb
 - lib/dependabot/dependency_file.rb
 - lib/dependabot/errors.rb