dependabot-common 0.153.0 → 0.154.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b925e841b375add05925858919a097192f19103ecb0c8dad020e9715421cccfc
-  data.tar.gz: cac534a9f4284d6b32a9821974be5004a7b8eaa8074e35de672334cce0e1d2fd
+  metadata.gz: db112d90ccd776ed7e343b38e963fa9612bf4e5b814e6a9c4a5867aea1a3c32b
+  data.tar.gz: 414df7ccf9cca26acf0d9eb2d95341657b27b0b635662ce001b059fd19cbbb09
 SHA512:
-  metadata.gz: edcfde9f70df1bccbb99069846d8edfdfac6d8cbf30c9560a4bceb9f20548dec39c6cfdca6cb38bdeb332825bd23ed5b9e272be2bd646b3b0daf0cc1dbe15eb3
-  data.tar.gz: a7d41315db7c663d2ec22aa91a61d80ca39f4e0ad4b59eb1ca75733289a85b234a350f72701368acebbcdb29411c96b1a793f2811b8e029e775e01426e051801
+  metadata.gz: 613c7b103e9184a4b53f20abf6b9ddb8089642d5beb5036908d8429bfc68e6215115d575ac6162172be2910063d432004d25e10841457119ba65e7e3060870e3
+  data.tar.gz: ddb0f753e6b5039f4103378c45abc9981e9607ca33b2da31274c5b22a934cd1e19fc8bae4a7f47e682ccff54f1f6fa8e64fe55d5e6e7b2d8aa32fde6b1ad1d9d

data/lib/dependabot/clients/bitbucket_with_retries.rb

@@ -29,7 +29,7 @@ module Dependabot
 
       def initialize(max_retries: 3, **args)
         @max_retries = max_retries || 3
-        @client = Bitbucket.new(args)
+        @client = Bitbucket.new(**args)
       end
 
       def method_missing(method_name, *args, &block)

data/lib/dependabot/dependency.rb

@@ -154,7 +154,7 @@ module Dependabot
     end
 
     def symbolize_keys(hash)
-      Hash[hash.keys.map { |k| [k.to_sym, hash[k]] }]
+      hash.keys.map { |k| [k.to_sym, hash[k]] }.to_h
     end
   end
 end

data/lib/dependabot/file_fetchers/base.rb

@@ -330,8 +330,8 @@ module Dependabot
 
         response.files.map do |file|
           OpenStruct.new(
-            name: file.absolute_path,
-            path: file.absolute_path,
+            name: File.basename(file.relative_path),
+            path: file.relative_path,
             type: "file",
             size: 0 # file size would require new api call per file..
           )

data/lib/dependabot/file_updaters/vendor_updater.rb

@@ -25,7 +25,7 @@ module Dependabot
           status = SharedHelpers.run_shell_command(
             "git status --untracked-files all --porcelain v1 #{relative_dir}"
           )
-          changed_paths = status.split("\n").map { |l| l.split(" ") }
+          changed_paths = status.split("\n").map(&:split)
           changed_paths.map do |type, path|
             # The following types are possible to be returned:
             # M = Modified = Default for DependencyFile

data/lib/dependabot/git_metadata_fetcher.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "excon"
+require "open3"
 require "dependabot/errors"
 
 module Dependabot
@@ -52,6 +53,9 @@ module Dependabot
       response = fetch_raw_upload_pack_for(uri)
       return response.body if response.status == 200
 
+      response_with_git = fetch_raw_upload_pack_with_git_for(uri)
+      return response_with_git.body if response_with_git.status == 200
+
       raise Dependabot::GitDependenciesNotReachable, [uri] unless uri.match?(KNOWN_HOSTS)
 
       raise "Unexpected response: #{response.status} - #{response.body}" if response.status < 400
@@ -86,6 +90,23 @@ module Dependabot
       )
     end
 
+    def fetch_raw_upload_pack_with_git_for(uri)
+      service_pack_uri = uri
+      service_pack_uri += ".git" unless service_pack_uri.end_with?(".git")
+
+      command = "git ls-remote #{service_pack_uri}"
+      env = { "PATH" => ENV["PATH"] }
+
+      stdout, stderr, process = Open3.capture3(env, command)
+      # package the command response like a HTTP response so error handling
+      # remains unchanged
+      if process.success?
+        OpenStruct.new(body: stdout, status: 200)
+      else
+        OpenStruct.new(body: stderr, status: 500)
+      end
+    end
+
     def tags_for_upload_pack
       refs_for_upload_pack.
         select { |ref| ref.ref_type == :tag }.
@@ -106,7 +127,7 @@ module Dependabot
       peeled_lines = []
 
       result = upload_pack.lines.each_with_object({}) do |line, res|
-        full_ref_name = line.split(" ").last
+        full_ref_name = line.split.last
         next unless full_ref_name.start_with?("refs/tags", "refs/heads")
 
         peeled_lines << line && next if line.strip.end_with?("^{}")
@@ -174,7 +195,7 @@ module Dependabot
     end
 
     def sha_for_update_pack_line(line)
-      line.split(" ").first.chars.last(40).join
+      line.split.first.chars.last(40).join
     end
 
     def excon_defaults

data/lib/dependabot/metadata_finders/base/release_finder.rb

@@ -167,7 +167,7 @@ module Dependabot
 
         def serialize_release(release)
           rel = release
-          title = "## #{rel.name.to_s != '' ? rel.name : rel.tag_name}\n"
+          title = "## #{rel.name.to_s == '' ? rel.tag_name : rel.name}\n"
           body = if rel.body.to_s.gsub(/\n*\z/m, "") == ""
                    "No release notes provided."
                  else
@@ -178,7 +178,7 @@ module Dependabot
         end
 
         def release_body_includes_title?(release)
-          title = release.name.to_s != "" ? release.name : release.tag_name
+          title = release.name.to_s == "" ? release.tag_name : release.name
           release.body.to_s.match?(/\A\s*\#*\s*#{Regexp.quote(title)}/m)
         end
 

data/lib/dependabot/pull_request_creator/github.rb

@@ -267,7 +267,7 @@ module Dependabot
 
       def add_reviewers_to_pull_request(pull_request)
         reviewers_hash =
-          Hash[reviewers.keys.map { |k| [k.to_sym, reviewers[k]] }]
+          reviewers.keys.map { |k| [k.to_sym, reviewers[k]] }.to_h
 
         github_client_for_source.request_pull_request_review(
           source.repo,
@@ -297,7 +297,7 @@ module Dependabot
 
       def comment_with_invalid_reviewer(pull_request, message)
         reviewers_hash =
-          Hash[reviewers.keys.map { |k| [k.to_sym, reviewers[k]] }]
+          reviewers.keys.map { |k| [k.to_sym, reviewers[k]] }.to_h
         reviewers = []
         reviewers += reviewers_hash[:reviewers] || []
         reviewers += (reviewers_hash[:team_reviewers] || []).

data/lib/dependabot/pull_request_creator/gitlab.rb

@@ -153,7 +153,7 @@ module Dependabot
 
       def add_approvers_to_merge_request(merge_request)
         approvers_hash =
-          Hash[approvers.keys.map { |k| [k.to_sym, approvers[k]] }]
+          approvers.keys.map { |k| [k.to_sym, approvers[k]] }.to_h
 
         gitlab_client_for_source.edit_merge_request_approvers(
           source.repo,

data/lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb

@@ -51,10 +51,10 @@ module Dependabot
           doc.walk do |node|
             if node.type == :text &&
                node.string_content.match?(MENTION_REGEX)
-              nodes = if !parent_node_link?(node)
-                        build_mention_nodes(node.string_content)
-                      else
+              nodes = if parent_node_link?(node)
                         build_mention_link_text_nodes(node.string_content)
+                      else
+                        build_mention_nodes(node.string_content)
                       end
 
               nodes.each do |n|

data/lib/dependabot/shared_helpers.rb

@@ -1,12 +1,13 @@
 # frozen_string_literal: true
 
-require "json"
-require "tmpdir"
-require "excon"
-require "English"
 require "digest"
+require "English"
+require "excon"
+require "fileutils"
+require "json"
 require "open3"
 require "shellwords"
+require "tmpdir"
 
 require "dependabot/utils"
 require "dependabot/errors"
@@ -64,7 +65,7 @@ module Dependabot
 
     # Escapes all special characters, e.g. = & | <>
     def self.escape_command(command)
-      command_parts = command.split(" ").map(&:strip).reject(&:empty?)
+      command_parts = command.split.map(&:strip).reject(&:empty?)
       Shellwords.join(command_parts)
     end
 

data/lib/dependabot/update_checkers/version_filters.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module UpdateCheckers
+    module VersionFilters
+      def self.filter_vulnerable_versions(versions_array, security_advisories)
+        versions_array.reject do |v|
+          security_advisories.any? do |a|
+            if v.is_a?(Gem::Version)
+              a.vulnerable?(v)
+            else
+              a.vulnerable?(v.fetch(:version))
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.153.0"
+  VERSION = "0.154.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.153.0
+  version: 0.154.4
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-14 00:00:00.000000000 Z
+date: 2021-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -81,7 +81,7 @@ dependencies:
         version: 0.20.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: 0.22.0
+        version: 0.23.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -91,7 +91,7 @@ dependencies:
         version: 0.20.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: 0.22.0
+        version: 0.23.0
 - !ruby/object:Gem::Dependency
   name: docker_registry2
   requirement: !ruby/object:Gem::Requirement
@@ -446,6 +446,7 @@ files:
 - lib/dependabot/update_checkers.rb
 - lib/dependabot/update_checkers/README.md
 - lib/dependabot/update_checkers/base.rb
+- lib/dependabot/update_checkers/version_filters.rb
 - lib/dependabot/utils.rb
 - lib/dependabot/version.rb
 - lib/rubygems_version_patch.rb