dependabot-common 0.142.1 → 0.143.4
- checksums.yaml +4 -4
- data/lib/dependabot/config.rb +7 -0
- data/lib/dependabot/config/file.rb +79 -0
- data/lib/dependabot/config/file_fetcher.rb +50 -0
- data/lib/dependabot/config/ignore_condition.rb +100 -0
- data/lib/dependabot/config/update_config.rb +67 -0
- data/lib/dependabot/file_fetchers/base.rb +1 -0
- data/lib/dependabot/git_commit_checker.rb +5 -5
- data/lib/dependabot/pull_request_creator/branch_namer.rb +13 -12
- data/lib/dependabot/update_checkers/base.rb +5 -5
- data/lib/dependabot/version.rb +1 -1
- metadata +9 -4
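--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b77a9d2b68d327cac78394acd6c7452e0f802512434ee5fe38b62cde2e2e8393
+data.tar.gz: 4b532ba4ddd784f4adb93977bd34c28bdfd54ae1f8f5500ad9b3179febd1db17
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 922b4ae93a6beeffa8e1d11e5b6a5cb329fc7b833ae54e102a6a9dc944681df11ed32a3bdfe04e12b03e2ce96e6d0a5cf40476ba01958112206c93495a2fcd0e
+data.tar.gz: 504b7550c05fcd284c4b41107dd92dbb362666c3258dae96cc42477c50ae6eef12adaaa8e2c68cb9bf6f8cc6f274fdad8a0f28131777f29d069c715d52e24e32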
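--- a/data/lib/dependabot/config/file.rb
+++ b/data/lib/dependabot/config/file.rb
@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require "dependabot/config/update_config"
+
+module Dependabot
+module Config
+# Configuration for the repository, a parsed dependabot.yaml.
+class File
+attr_reader :updates, :registries
+
+def initialize(updates:, registries: nil)
+@updates = updates || []
+@registries = registries || []
+end
+
+def update_config(package_manager, directory: nil, target_branch: nil)
+dir = directory || "/"
+package_ecosystem = PACKAGE_MANAGER_LOOKUP.invert.fetch(package_manager)
+cfg = updates.find do |u|
+u[:"package-ecosystem"] == package_ecosystem && u[:directory] == dir &&
+(target_branch.nil? || u[:"target-branch"] == target_branch)
+end
+Dependabot::Config::UpdateConfig.new(
+ignore_conditions: ignore_conditions(cfg),
+commit_message_options: commit_message_options(cfg)
+)
+end
+
+# Parse the YAML config file
+def self.parse(config)
+parsed = YAML.safe_load(config, symbolize_names: true)
+version = parsed[:version]
+raise InvalidConfigError, "invalid version #{version}" if version && version != 2
+
+File.new(updates: parsed[:updates], registries: parsed[:registries])
+end
+
+private
+
+PACKAGE_MANAGER_LOOKUP = {
+"bundler" => "bundler",
+"cargo" => "cargo",
+"composer" => "composer",
+"docker" => "docker",
+"elm" => "elm",
+"github-actions" => "github_actions",
+"gitsubmodule" => "submodules",
+"gomod" => "go_modules",
+"gradle" => "gradle",
+"maven" => "maven",
+"mix" => "hex",
+"nuget" => "nuget",
+"npm" => "npm_and_yarn",
+"pip" => "pip",
+"terraform" => "terraform"
+}.freeze
+
+def ignore_conditions(cfg)
+ignores = cfg&.dig(:ignore) || []
+ignores.map do |ic|
+Dependabot::Config::IgnoreCondition.new(
+dependency_name: ic[:"dependency-name"],
+versions: ic[:versions],
+update_types: ic[:"update-types"]
+)
+end
+end
+
+def commit_message_options(cfg)
+commit_message = cfg&.dig(:"commit-message") || {}
+Dependabot::Config::UpdateConfig::CommitMessageOptions.new(
+prefix: commit_message[:prefix],
+prefix_development: commit_message[:"prefix-development"],
+include: commit_message[:include]
+)
+end
+end
+end
+end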
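Review bot: `File.parse` (new-side lines 30–36) indexes the result of `YAML.safe_load` without checking that it is a Hash, so an empty dependabot.yml, or one whose top level is a list or a scalar, fails with a NoMethodError/TypeError instead of `InvalidConfigError`; add `raise InvalidConfigError, "config must be a mapping" unless parsed.is_a?(Hash)` directly after the safe_load line. `safe_load` is the right call for repository-supplied YAML, but a `Psych::SyntaxError` from malformed input also escapes unwrapped, and the same Hash assumption is made for each `updates` entry on lines 20–21. `private` on line 38 only affects the methods below it, not the constant that follows, so `PACKAGE_MANAGER_LOOKUP` stays public (`private_constant :PACKAGE_MANAGER_LOOKUP` if hiding it was the intent), and `invert.fetch` on line 18 raises `KeyError` for any package manager absent from the table, which callers of `update_config` may not expect. Naming the class `File` also shadows `::File` for constant lookups elsewhere inside `Dependabot::Config`.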
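--- a/data/lib/dependabot/config/file_fetcher.rb
+++ b/data/lib/dependabot/config/file_fetcher.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers/base"
+require "dependabot/config/file"
+
+module Dependabot
+module Config
+class FileFetcher < Dependabot::FileFetchers::Base
+CONFIG_FILE_PATHS = %w(.github/dependabot.yml .github/dependabot.yaml).freeze
+
+def self.required_files_in?(filenames)
+CONFIG_FILE_PATHS.any? { |file| filenames.include?(file) }
+end
+
+def self.required_files_message
+"Repo must contain either a #{CONFIG_FILE_PATHS.join(' or a ')} file"
+end
+
+def config_file
+@config_file ||= files.first
+end
+
+private
+
+def fetch_files
+fetched_files = []
+
+CONFIG_FILE_PATHS.each do |file|
+fn = Pathname.new("/#{file}").relative_path_from(directory)
+
+begin
+config_file = fetch_file_from_host(fn)
+if config_file
+fetched_files << config_file
+break
+end
+rescue Dependabot::DependencyFileNotFound
+next
+end
+end
+
+unless self.class.required_files_in?(fetched_files.map(&:name))
+raise Dependabot::DependencyFileNotFound, self.class.required_files_message
+end
+
+fetched_files
+end
+end
+end
+end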
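Review bot: In `fetch_files` (new-side lines 25–47) the path given to `fetch_file_from_host` is made relative to `directory` on line 29, but the guard on line 42 compares the fetched files' names against the repository-rooted `CONFIG_FILE_PATHS`; if `DependencyFile#name` keeps that relative form (the base class is not visible here), the check rejects a file that was just fetched whenever `directory` is anything other than `/`. Recording which `CONFIG_FILE_PATHS` entry succeeded and passing that to `required_files_in?`, rather than `fetched_files.map(&:name)`, would make the guard independent of `directory`. The block-local `config_file` on line 32 also shadows the public `config_file` method on line 19; `fetched = fetch_file_from_host(fn)` reads more clearly. `Pathname` is used without a `require "pathname"` in this file, which is fine only if the base class loads it.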
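--- a/data/lib/dependabot/config/ignore_condition.rb
+++ b/data/lib/dependabot/config/ignore_condition.rb
@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+module Dependabot
+module Config
+# Filters versions that should not be considered for dependency updates
+class IgnoreCondition
+PATCH_VERSION_TYPE = "version-update:semver-patch"
+MINOR_VERSION_TYPE = "version-update:semver-minor"
+MAJOR_VERSION_TYPE = "version-update:semver-major"
+
+ALL_VERSIONS = ">= 0"
+
+attr_reader :dependency_name, :versions, :update_types
+
+def initialize(dependency_name:, versions: nil, update_types: nil)
+@dependency_name = dependency_name
+@versions = versions || []
+@update_types = update_types || []
+end
+
+def ignored_versions(dependency, security_updates_only)
+return versions if security_updates_only
+return [ALL_VERSIONS] if versions.empty? && transformed_update_types.empty?
+
+versions_by_type(dependency) + versions
+end
+
+private
+
+def transformed_update_types
+update_types.map(&:downcase).map(&:strip).compact
+end
+
+def versions_by_type(dependency)
+transformed_update_types.flat_map do |t|
+case t
+when PATCH_VERSION_TYPE
+ignore_patch(dependency.version)
+when MINOR_VERSION_TYPE
+ignore_minor(dependency.version)
+when MAJOR_VERSION_TYPE
+ignore_major(dependency.version)
+else
+[]
+end
+end.compact
+end
+
+def ignore_patch(version)
+parts = version.split(".")
+return [] unless parts.size > 2
+
+lower_parts = parts.first(2) + ["a"]
+upper_parts = parts.first(2)
+upper_parts[1] = upper_parts[1].to_i + 1
+lower_bound = ">= #{lower_parts.join('.')}"
+upper_bound = "< #{upper_parts.join('.')}"
+["#{lower_bound}, #{upper_bound}"]
+end
+
+def ignore_minor(version)
+parts = version.split(".")
+return [] if parts.size < 2
+
+if Gem::Version.correct?(version)
+lower_parts = parts.first(2) + ["a"]
+upper_parts = parts.first(1)
+lower_parts[1] = lower_parts[1].to_i + 1
+upper_parts[0] = upper_parts[0].to_i + 1
+else
+lower_parts = parts.first(1) + ["a"]
+upper_parts = parts.first(1)
+begin
+upper_parts[0] = Integer(upper_parts[0]) + 1
+rescue ArgumentError
+upper_parts.push(999_999)
+end
+end
+
+lower_bound = ">= #{lower_parts.join('.')}"
+upper_bound = "< #{upper_parts.join('.')}"
+["#{lower_bound}, #{upper_bound}"]
+end
+
+def ignore_major(version)
+parts = version.split(".")
+return [] unless parts.size > 1
+
+lower_parts = parts.first(1) + ["a"]
+upper_parts = parts.first(1)
+lower_parts[0] = lower_parts[0].to_i + 1
+upper_parts[0] = upper_parts[0].to_i + 2
+lower_bound = ">= #{lower_parts.join('.')}"
+upper_bound = "< #{upper_parts.join('.')}"
+
+["#{lower_bound}, #{upper_bound}"]
+end
+end
+end
+end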
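Review bot: `versions_by_type` (new-side lines 34–47) passes `dependency.version` straight into `ignore_patch`/`ignore_minor`/`ignore_major`, each of which starts with `version.split(".")`, so a dependency with no resolved version (the `if dependency.version` branch in `UpdateCheckers::Base#can_update?` elsewhere in this commit shows that case exists) raises NoMethodError as soon as an `update-types` ignore matches it; add `return [] unless dependency.version` as the first line of `versions_by_type`. `ignore_major` bounds its range at `< major+2` (line 92), so with `semver-major` ignored a jump of two or more majors is still offered — confirm that is intended. The `.compact` on line 31 is a no-op because `downcase` would already have raised on a nil entry, and the one on line 46 is too since every `case` branch returns an array; `transformed_update_types` is also recomputed on every call and could be memoised.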
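--- a/data/lib/dependabot/config/update_config.rb
+++ b/data/lib/dependabot/config/update_config.rb
@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require "dependabot/config/ignore_condition"
+
+module Dependabot
+module Config
+# Configuration for a single ecosystem
+class UpdateConfig
+attr_reader :commit_message_options, :ignore_conditions
+def initialize(ignore_conditions: nil, commit_message_options: nil)
+@ignore_conditions = ignore_conditions || []
+@commit_message_options = commit_message_options
+end
+
+def ignored_versions_for(dependency, security_updates_only: false)
+normalizer = name_normaliser_for(dependency)
+dep_name = name_normaliser_for(dependency).call(dependency.name)
+
+@ignore_conditions.
+select { |ic| self.class.wildcard_match?(normalizer.call(ic.dependency_name), dep_name) }.
+map { |ic| ic.ignored_versions(dependency, security_updates_only) }.
+flatten.
+compact.
+uniq
+end
+
+def self.wildcard_match?(wildcard_string, candidate_string)
+return false unless wildcard_string && candidate_string
+
+regex_string = "a#{wildcard_string.downcase}a".split("*").
+map { |p| Regexp.quote(p) }.
+join(".*").gsub(/^a|a$/, "")
+regex = /^#{regex_string}$/
+regex.match?(candidate_string.downcase)
+end
+
+private
+
+def name_normaliser_for(dep)
+name_normaliser ||= {}
+name_normaliser[dep] ||= Dependency.name_normaliser_for_package_manager(dep.package_manager)
+end
+
+class CommitMessageOptions
+attr_reader :prefix, :prefix_development, :include
+
+def initialize(prefix:, prefix_development:, include:)
+@prefix = prefix
+@prefix_development = prefix_development
+@include = include
+end
+
+def include_scope?
+@include == "scope"
+end
+
+def to_h
+{
+prefix: @prefix,
+prefix_development: @prefix_development,
+include_scope: include_scope?
+}
+end
+end
+end
+end
+end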
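Review bot: `name_normaliser_for` (new-side lines 39–42) assigns to a local variable (`name_normaliser ||= {}`), so the hash is rebuilt on every call and the `||=` memoisation on line 41 never takes effect; `ignored_versions_for` also calls it twice (lines 16–17) although `normalizer` already holds the result. Use `@name_normaliser ||= {}` on line 40 and `dep_name = normalizer.call(dependency.name)` on line 17. In `wildcard_match?` (lines 27–35) the pattern is assembled from `Regexp.quote`d pieces, so a config-supplied `dependency-name` cannot inject regex syntax, but `/^#{regex_string}$/` on line 33 anchors per line rather than to the whole string; `/\A#{regex_string}\z/` is the full-string match the method's name implies.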
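--- a/data/lib/dependabot/git_commit_checker.rb
+++ b/data/lib/dependabot/git_commit_checker.rb
@@ -92,7 +92,7 @@ module Dependabot
 local_tags.
 select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
 filtered = tags.
-reject { |t|
+reject { |t| tag_included_in_ignore_requirements?(t) }
 raise Dependabot::AllVersionsIgnored if @raise_on_ignored && tags.any? && filtered.empty?
 
 tag = filtered.
@@ -317,8 +317,8 @@ module Dependabot
 listing_repo_git_metadata_fetcher.upload_pack
 end
 
-def
-ignored_versions.
+def ignore_requirements
+ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
 end
 
 def wants_prerelease?
@@ -330,9 +330,9 @@ module Dependabot
 version_class.new(version).prerelease?
 end
 
-def
+def tag_included_in_ignore_requirements?(tag)
 version = tag.name.match(VERSION_REGEX).named_captures.fetch("version")
-
+ignore_requirements.any? { |r| r.satisfied_by?(version_class.new(version)) }
 end
 
 def tag_is_prerelease?(tag)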
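Review bot: `ignore_requirements` (new-side lines 320–321) re-parses every entry of `ignored_versions` on each call, and `tag_included_in_ignore_requirements?` (line 335) calls it once per tag from the `reject` on line 95, so the parse is repeated for every candidate tag; memoising with `@ignore_requirements ||= ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }` leaves only the `satisfied_by?` check per tag. Line 334 dereferences `tag.name.match(VERSION_REGEX)` with no nil check; the `select` on line 93 filters by `version_tag?` first, so it presumably cannot be nil on that path, but the predicate is callable from anywhere. The methods around lines 92–98 start and end outside the hunk. The same `ignore_requirements` body is added to `UpdateCheckers::Base` in this commit; a shared helper would avoid the duplication.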
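--- a/data/lib/dependabot/pull_request_creator/branch_namer.rb
+++ b/data/lib/dependabot/pull_request_creator/branch_namer.rb
@@ -17,7 +17,6 @@ module Dependabot
 @prefix = prefix
 end
 
-# rubocop:disable Metrics/PerceivedComplexity
 def new_branch_name
 @name ||=
 begin
@@ -34,23 +33,13 @@ module Dependabot
 tr("@", "")
 end
 
-
-
-if library? && ref_changed?(dep) && new_ref(dep)
-"#{dependency_name_part}-#{new_ref(dep)}"
-elsif library?
-"#{dependency_name_part}-#{sanitized_requirement(dep)}"
-else
-"#{dependency_name_part}-#{new_version(dep)}"
-end
+"#{dependency_name_part}-#{branch_version_suffix}"
 end
 
 # Some users need branch names without slashes
 sanitize_ref(File.join(prefixes, @name).gsub("/", separator))
 end
 
-# rubocop:enable Metrics/PerceivedComplexity
-
 private
 
 def prefixes
@@ -98,6 +87,18 @@ module Dependabot
 @dependency_set
 end
 
+def branch_version_suffix
+dep = dependencies.first
+
+if library? && ref_changed?(dep) && new_ref(dep)
+new_ref(dep)
+elsif library?
+sanitized_requirement(dep)
+else
+new_version(dep)
+end
+end
+
 def sanitized_requirement(dependency)
 new_library_requirement(dependency).
 delete(" ").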
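Review bot: `branch_version_suffix` (new-side lines 90–100) is a new private method with no comment, and it evaluates `new_ref(dep)` twice when the first branch is taken (lines 93–94); assigning `ref = new_ref(dep)` before the `if` and testing and returning `ref` removes the repeated call. A one-line comment such as `# Suffix for a single-dependency branch: the new git ref, the new library requirement, or the new version` would also say why it only looks at `dependencies.first`. `new_branch_name` (new-side line 20) continues outside the hunk.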
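--- a/data/lib/dependabot/update_checkers/base.rb
+++ b/data/lib/dependabot/update_checkers/base.rb
@@ -38,7 +38,7 @@ module Dependabot
 
 def can_update?(requirements_to_unlock:)
 # Can't update if all versions are being ignored
-return false if
+return false if ignore_requirements.include?(requirement_class.new(">= 0"))
 
 if dependency.version
 version_can_update?(requirements_to_unlock: requirements_to_unlock)
@@ -141,6 +141,10 @@ module Dependabot
 security_advisories.any? { |a| a.vulnerable?(version) }
 end
 
+def ignore_requirements
+ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
+end
+
 private
 
 def latest_version_resolvable_with_full_unlock?
@@ -296,10 +300,6 @@ module Dependabot
 
 changed_requirements.none? { |r| r[:requirement] == :unfixable }
 end
-
-def ignore_reqs
-ignored_versions.map { |req| requirement_class.new(req.split(",")) }
-end
 end
 end
 end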
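Review bot: `ignore_requirements` (new-side lines 144–146) is added above `private`, so it becomes part of the public UpdateChecker interface while the `ignore_reqs` it replaces (old lines 300–302) was private; if that is intended it deserves a doc comment, e.g. `# Requirement objects parsed from ignored_versions; a ">= 0" entry means every version is ignored`. It re-parses every ignored version on each call, and the all-versions-ignored test in `can_update?` (line 41) compares against `requirement_class.new(">= 0")` by equality, so it depends on the ecosystem's `Requirement#==` treating equivalent spellings of that range as equal — worth a spec per ecosystem. The method also relies on `requirement_class.requirements_array` existing on every ecosystem's requirement class, which cannot be confirmed from this diff.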
data/lib/dependabot/version.rb
CHANGED
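--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.143.4
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-
+date: 2021-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -298,14 +298,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.13.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.13.0
 - !ruby/object:Gem::Dependency
 name: simplecov
 requirement: !ruby/object:Gem::Requirement
@@ -391,6 +391,11 @@ files:
 - lib/dependabot/clients/codecommit.rb
 - lib/dependabot/clients/github_with_retries.rb
 - lib/dependabot/clients/gitlab_with_retries.rb
+- lib/dependabot/config.rb
+- lib/dependabot/config/file.rb
+- lib/dependabot/config/file_fetcher.rb
+- lib/dependabot/config/ignore_condition.rb
+- lib/dependabot/config/update_config.rb
 - lib/dependabot/dependency.rb
 - lib/dependabot/dependency_file.rb
 - lib/dependabot/errors.rb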