dependabot-common 0.154.0 → 0.154.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: af277195b0ae65a3c391db6e6acd0102be4a47bd135950789353db2487fda651
-  data.tar.gz: 8d03fd259755386024fd8c65352e092047692dc85b2da443843434db9fd33ac1
+  metadata.gz: 02a4303ddbc0c6b4c33dcc3fd0b8eec8e25ce611dce9f3ff04d124345ce07af7
+  data.tar.gz: 05f7e8cbaa781fa68f65255b9ba85d0e72e208c7f186c512174b27a575270ea8
 SHA512:
-  metadata.gz: 63321eba26689fa32d13618518f77aad5f132bcd6b632adc5b3d3c334069dc4c80428e662dd2feaa2778c67e718878f8b17217e3e79f6de3e47a18d146ea260c
-  data.tar.gz: 45a8f791bb0b0a141777ebc4f7892e198b7bd928448aba15c7222c47b97daf4b8967c7831a676b9620d15b4fca8ea029d73b90ca8ce2b8dee92e771613672a04
+  metadata.gz: 405f5276e0cbd1ec5fd0be0ec5e0a8041f736a4273a8299057e52bcc7e87d923aa610194a03b69abc8e010e7ad74697fe064fa0027343f8b7026a49f8eeb9fa8
+  data.tar.gz: 1234936367fc1adc7222965976a0b5329e93fc0fb1ff662587b44c07c2b8f78618f427dce72023409077b3ef1275471ebb0a590c1d736384481d0b785dad1d14

data/lib/dependabot/clients/bitbucket_with_retries.rb

@@ -29,7 +29,7 @@ module Dependabot
 
       def initialize(max_retries: 3, **args)
         @max_retries = max_retries || 3
-        @client = Bitbucket.new(args)
+        @client = Bitbucket.new(**args)
       end
 
       def method_missing(method_name, *args, &block)

data/lib/dependabot/dependency.rb

@@ -154,7 +154,7 @@ module Dependabot
     end
 
     def symbolize_keys(hash)
-      Hash[hash.keys.map { |k| [k.to_sym, hash[k]] }]
+      hash.keys.map { |k| [k.to_sym, hash[k]] }.to_h
     end
   end
 end

data/lib/dependabot/file_fetchers/base.rb

@@ -330,8 +330,8 @@ module Dependabot
 
         response.files.map do |file|
           OpenStruct.new(
-            name: file.absolute_path,
-            path: file.absolute_path,
+            name: File.basename(file.relative_path),
+            path: file.relative_path,
             type: "file",
             size: 0 # file size would require new api call per file..
           )

data/lib/dependabot/file_updaters/vendor_updater.rb

@@ -25,7 +25,7 @@ module Dependabot
           status = SharedHelpers.run_shell_command(
             "git status --untracked-files all --porcelain v1 #{relative_dir}"
           )
-          changed_paths = status.split("\n").map { |l| l.split(" ") }
+          changed_paths = status.split("\n").map(&:split)
           changed_paths.map do |type, path|
             # The following types are possible to be returned:
             # M = Modified = Default for DependencyFile

data/lib/dependabot/git_metadata_fetcher.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "excon"
+require "open3"
 require "dependabot/errors"
 
 module Dependabot
@@ -52,6 +53,9 @@ module Dependabot
       response = fetch_raw_upload_pack_for(uri)
       return response.body if response.status == 200
 
+      response_with_git = fetch_raw_upload_pack_with_git_for(uri)
+      return response_with_git.body if response_with_git.status == 200
+
       raise Dependabot::GitDependenciesNotReachable, [uri] unless uri.match?(KNOWN_HOSTS)
 
       raise "Unexpected response: #{response.status} - #{response.body}" if response.status < 400
@@ -86,6 +90,23 @@ module Dependabot
       )
     end
 
+    def fetch_raw_upload_pack_with_git_for(uri)
+      service_pack_uri = uri
+      service_pack_uri += ".git" unless service_pack_uri.end_with?(".git")
+
+      command = "git ls-remote #{service_pack_uri}"
+      env = { "PATH" => ENV["PATH"] }
+
+      stdout, stderr, process = Open3.capture3(env, command)
+      # package the command response like a HTTP response so error handling
+      # remains unchanged
+      if process.success?
+        OpenStruct.new(body: stdout, status: 200)
+      else
+        OpenStruct.new(body: stderr, status: 500)
+      end
+    end
+
     def tags_for_upload_pack
       refs_for_upload_pack.
         select { |ref| ref.ref_type == :tag }.
@@ -106,7 +127,7 @@ module Dependabot
       peeled_lines = []
 
       result = upload_pack.lines.each_with_object({}) do |line, res|
-        full_ref_name = line.split(" ").last
+        full_ref_name = line.split.last
         next unless full_ref_name.start_with?("refs/tags", "refs/heads")
 
         peeled_lines << line && next if line.strip.end_with?("^{}")
@@ -174,7 +195,7 @@ module Dependabot
     end
 
     def sha_for_update_pack_line(line)
-      line.split(" ").first.chars.last(40).join
+      line.split.first.chars.last(40).join
     end
 
     def excon_defaults

data/lib/dependabot/metadata_finders/base/release_finder.rb

@@ -167,7 +167,7 @@ module Dependabot
 
         def serialize_release(release)
           rel = release
-          title = "## #{rel.name.to_s != '' ? rel.name : rel.tag_name}\n"
+          title = "## #{rel.name.to_s == '' ? rel.tag_name : rel.name}\n"
           body = if rel.body.to_s.gsub(/\n*\z/m, "") == ""
                    "No release notes provided."
                  else
@@ -178,7 +178,7 @@ module Dependabot
         end
 
         def release_body_includes_title?(release)
-          title = release.name.to_s != "" ? release.name : release.tag_name
+          title = release.name.to_s == "" ? release.tag_name : release.name
           release.body.to_s.match?(/\A\s*\#*\s*#{Regexp.quote(title)}/m)
         end
 

data/lib/dependabot/pull_request_creator/github.rb

@@ -267,7 +267,7 @@ module Dependabot
 
       def add_reviewers_to_pull_request(pull_request)
         reviewers_hash =
-          Hash[reviewers.keys.map { |k| [k.to_sym, reviewers[k]] }]
+          reviewers.keys.map { |k| [k.to_sym, reviewers[k]] }.to_h
 
         github_client_for_source.request_pull_request_review(
           source.repo,
@@ -297,7 +297,7 @@ module Dependabot
 
       def comment_with_invalid_reviewer(pull_request, message)
         reviewers_hash =
-          Hash[reviewers.keys.map { |k| [k.to_sym, reviewers[k]] }]
+          reviewers.keys.map { |k| [k.to_sym, reviewers[k]] }.to_h
         reviewers = []
         reviewers += reviewers_hash[:reviewers] || []
         reviewers += (reviewers_hash[:team_reviewers] || []).

data/lib/dependabot/pull_request_creator/gitlab.rb

@@ -153,7 +153,7 @@ module Dependabot
 
       def add_approvers_to_merge_request(merge_request)
         approvers_hash =
-          Hash[approvers.keys.map { |k| [k.to_sym, approvers[k]] }]
+          approvers.keys.map { |k| [k.to_sym, approvers[k]] }.to_h
 
         gitlab_client_for_source.edit_merge_request_approvers(
           source.repo,

data/lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb

@@ -51,10 +51,10 @@ module Dependabot
           doc.walk do |node|
             if node.type == :text &&
                node.string_content.match?(MENTION_REGEX)
-              nodes = if !parent_node_link?(node)
-                        build_mention_nodes(node.string_content)
-                      else
+              nodes = if parent_node_link?(node)
                         build_mention_link_text_nodes(node.string_content)
+                      else
+                        build_mention_nodes(node.string_content)
                       end
 
               nodes.each do |n|

data/lib/dependabot/shared_helpers.rb

@@ -1,12 +1,13 @@
 # frozen_string_literal: true
 
-require "json"
-require "tmpdir"
-require "excon"
-require "English"
 require "digest"
+require "English"
+require "excon"
+require "fileutils"
+require "json"
 require "open3"
 require "shellwords"
+require "tmpdir"
 
 require "dependabot/utils"
 require "dependabot/errors"
@@ -64,7 +65,7 @@ module Dependabot
 
     # Escapes all special characters, e.g. = & | <>
     def self.escape_command(command)
-      command_parts = command.split(" ").map(&:strip).reject(&:empty?)
+      command_parts = command.split.map(&:strip).reject(&:empty?)
       Shellwords.join(command_parts)
     end
 

data/lib/dependabot/update_checkers/version_filters.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module UpdateCheckers
+    module VersionFilters
+      def self.filter_vulnerable_versions(versions_array, security_advisories)
+        versions_array.reject do |v|
+          security_advisories.any? do |a|
+            if v.is_a?(Gem::Version)
+              a.vulnerable?(v)
+            else
+              a.vulnerable?(v.fetch(:version))
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.154.0"
+  VERSION = "0.154.5"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.154.0
+  version: 0.154.5
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-15 00:00:00.000000000 Z
+date: 2021-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -81,7 +81,7 @@ dependencies:
         version: 0.20.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: 0.22.0
+        version: 0.23.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -91,7 +91,7 @@ dependencies:
         version: 0.20.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: 0.22.0
+        version: 0.23.0
 - !ruby/object:Gem::Dependency
   name: docker_registry2
   requirement: !ruby/object:Gem::Requirement
@@ -446,6 +446,7 @@ files:
 - lib/dependabot/update_checkers.rb
 - lib/dependabot/update_checkers/README.md
 - lib/dependabot/update_checkers/base.rb
+- lib/dependabot/update_checkers/version_filters.rb
 - lib/dependabot/utils.rb
 - lib/dependabot/version.rb
 - lib/rubygems_version_patch.rb