dependabot-common 0.182.3 → 0.184.0

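--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 5a267ab86dd573b42a5e59a3c774c6eebff8408c6e4971aae9094c2187c28a4d
- data.tar.gz: a78c5e2c3faa1a6e348a7d7d85bb302a54db7985fc3f4bb4a9cad1bc7ad8cacb
+ metadata.gz: 1f44df2ce3890d903dec3b0d80f09e001663aa8f4f8d312b2a58725234e7c0f2
+ data.tar.gz: 8ba71628492c1dcc6f16b0c1250439b591f21839116a20f0e50e59c80a6a728b
  SHA512:
- metadata.gz: 51ce9e29e664405eb9ebfa7f820c3fbe8955870812149ad944573b5299c8f372a7990397fcbd4dec70aeffd649e738add07d8992d592d6fade9c757de0ea09c3
- data.tar.gz: 011547f88cfc9308b013ddc9511f8a25826dc0d0eb322bbaa5ba386facf8562bea6beb8ecca23bdba1d44d3e0b3937595d6e627c0245a80d565ce5af829258e3
+ metadata.gz: 504bcbf1da5aa92ab8bc47dee907e45a0faa9e04cb095cba0391765e66e6c99978063ae807674e05d24301b2cb640e08da80efb456151649994d23280721f3a9
+ data.tar.gz: 5a62bdb0538b6eabfcb6b7ee7b5b17892a8766e45093139bba29701d2a3a59dc297a969407a4b47b46a3fd2ae86df847e88d2b14f033a1f72cff1079e0ba6e1e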
@@ -160,7 +160,8 @@ module Dependabot
160
160
  url,
161
161
  user: credentials&.fetch("username", nil),
162
162
  password: credentials&.fetch("password", nil),
163
- idempotent: true,
163
+ # Setting to false to prevent Excon retries, use BitbucketWithRetries for retries.
164
+ idempotent: false,
164
165
  **Dependabot::SharedHelpers.excon_defaults(
165
166
  headers: auth_header
166
167
  )
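Review bot: The new comment on the `idempotent: false` line names `BitbucketWithRetries` but not what changes for callers: with Excon's built-in retry disabled, an `Excon::Error::Socket` or `Excon::Error::Timeout` now propagates from this call on the first failure, so any caller that does not go through the retry wrapper loses the transient-error tolerance it had before. I would make that explicit, e.g. `# idempotent: false disables Excon's own retry; socket/timeout errors surface here and are retried only by BitbucketWithRetries.` Whether every caller of this client is routed through that wrapper is not visible in the hunk. The enclosing method begins before the first line shown.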
@@ -48,7 +48,6 @@ module Dependabot
48
48
 
49
49
  attr_reader :url, :credentials
50
50
 
51
- # rubocop:disable Metrics/PerceivedComplexity
52
51
  def fetch_upload_pack_for(uri)
53
52
  response = fetch_raw_upload_pack_for(uri)
54
53
  return response.body if response.status == 200
@@ -70,15 +69,10 @@ module Dependabot
70
69
 
71
70
  raise Dependabot::GitDependenciesNotReachable, [uri]
72
71
  rescue Excon::Error::Socket, Excon::Error::Timeout
73
- retry_count ||= 0
74
- retry_count += 1
75
-
76
- sleep(rand(0.9)) && retry if retry_count <= 2 && uri.match?(KNOWN_HOSTS)
77
72
  raise if uri.match?(KNOWN_HOSTS)
78
73
 
79
74
  raise Dependabot::GitDependenciesNotReachable, [uri]
80
75
  end
81
- # rubocop:enable Metrics/PerceivedComplexity
82
76
 
83
77
  def fetch_raw_upload_pack_for(uri)
84
78
  url = service_pack_uri(uri)
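Review bot: With the bounded retry removed, the rescue clause near the top of the hunk now re-raises the raw `Excon::Error::Socket`/`Timeout` for hosts matching `KNOWN_HOSTS` and maps every other host to `Dependabot::GitDependenciesNotReachable`, and nothing explains why the two cases are treated differently once no retry happens here. A one-line comment above `raise if uri.match?(KNOWN_HOSTS)` would help, e.g. `# Known hosts: let the transport error propagate so an outer retry layer can handle it; other hosts are reported as unreachable.` This assumes the retry moved to a wrapper, as the BitbucketWithRetries comment elsewhere in this diff suggests, which I cannot confirm from this hunk. `fetch_upload_pack_for` starts in the preceding hunk, and `fetch_raw_upload_pack_for` continues past the last line shown.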
@@ -160,8 +160,8 @@ module Dependabot
160
160
  end
161
161
 
162
162
  def self.with_git_configured(credentials:)
163
- backup_git_config_path = stash_global_git_config
164
- configure_git_to_use_https_with_credentials(credentials)
163
+ backup_git_config_path, safe_directories = stash_global_git_config
164
+ configure_git_to_use_https_with_credentials(credentials, safe_directories)
165
165
  yield
166
166
  rescue Errno::ENOSPC => e
167
167
  raise Dependabot::OutOfDisk, e.message
@@ -175,7 +175,7 @@ module Dependabot
175
175
 
176
176
  # rubocop:disable Metrics/AbcSize
177
177
  # rubocop:disable Metrics/PerceivedComplexity
178
- def self.configure_git_to_use_https_with_credentials(credentials)
178
+ def self.configure_git_to_use_https_with_credentials(credentials, safe_directories)
179
179
  File.open(GIT_CONFIG_GLOBAL_PATH, "w") do |file|
180
180
  file << "# Generated by dependabot/dependabot-core"
181
181
  end
@@ -190,6 +190,12 @@ module Dependabot
190
190
  allow_unsafe_shell_command: true
191
191
  )
192
192
 
193
+ # see https://github.blog/2022-04-12-git-security-vulnerability-announced/
194
+ safe_directories ||= []
195
+ safe_directories.each do |path|
196
+ run_shell_command("git config --global --add safe.directory #{path}")
197
+ end
198
+
193
199
  github_credentials = credentials.
194
200
  select { |c| c["type"] == "git_source" }.
195
201
  select { |c| c["host"] == "github.com" }.
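Review bot: `path` is interpolated unescaped into the shell string on the `run_shell_command("git config --global --add safe.directory #{path}")` line; the values come from the user's stashed global gitconfig, and a safe.directory entry containing whitespace or shell metacharacters (both legal there) would be split into extra arguments or interpreted by the shell instead of being restored verbatim. The `allow_unsafe_shell_command:` flag on the preceding call suggests `run_shell_command` applies some escaping by default, but how it treats embedded whitespace is not visible here, so I would escape the value explicitly: `run_shell_command("git config --global --add safe.directory #{Shellwords.escape(path)}")`, which also keeps the `*` wildcard value intact. That needs `require "shellwords"` if the file does not already load it. `configure_git_to_use_https_with_credentials` begins in the previous hunk and continues beyond this one.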
@@ -267,8 +273,13 @@ module Dependabot
267
273
  digest = Digest::SHA2.hexdigest(contents)[0...10]
268
274
  backup_path = GIT_CONFIG_GLOBAL_PATH + ".backup-#{digest}"
269
275
 
276
+ # to preserve safe directories from global .gitconfig
277
+ output, process = Open3.capture2("git config --global --get-all safe.directory")
278
+ safe_directories = []
279
+ safe_directories = output.split("\n").compact if process.success?
280
+
270
281
  FileUtils.mv(GIT_CONFIG_GLOBAL_PATH, backup_path)
271
- backup_path
282
+ [backup_path, safe_directories]
272
283
  end
273
284
 
274
285
  def self.reset_global_git_config(backup_path)
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Dependabot
4
- VERSION = "0.182.3"
4
+ VERSION = "0.184.0"
5
5
  end
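--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: dependabot-common
  version: !ruby/object:Gem::Version
- version: 0.182.3
+ version: 0.184.0
  platform: ruby
  authors:
  - Dependabot
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-04-25 00:00:00.000000000 Z
+ date: 2022-05-04 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: activesupport
@@ -222,20 +222,6 @@ dependencies:
  - - "<"
  - !ruby/object:Gem::Version
  version: '3.0'
- - !ruby/object:Gem::Dependency
- name: debase
- requirement: !ruby/object:Gem::Requirement
- requirements:
- - - "~>"
- - !ruby/object:Gem::Version
- version: 0.2.4.1
- type: :development
- prerelease: false
- version_requirements: !ruby/object:Gem::Requirement
- requirements:
- - - "~>"
- - !ruby/object:Gem::Version
- version: 0.2.4.1
  - !ruby/object:Gem::Dependency
  name: debug
  requirement: !ruby/object:Gem::Requirement
@@ -312,28 +298,14 @@ dependencies:
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 1.27.0
- type: :development
- prerelease: false
- version_requirements: !ruby/object:Gem::Requirement
- requirements:
- - - "~>"
- - !ruby/object:Gem::Version
- version: 1.27.0
- - !ruby/object:Gem::Dependency
- name: ruby-debug-ide
- requirement: !ruby/object:Gem::Requirement
- requirements:
- - - "~>"
- - !ruby/object:Gem::Version
- version: 0.7.3
+ version: 1.28.2
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 0.7.3
+ version: 1.28.2
  - !ruby/object:Gem::Dependency
  name: simplecov
  requirement: !ruby/object:Gem::Requirement
@@ -497,7 +469,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: 2.7.3
  requirements: []
- rubygems_version: 3.2.32
+ rubygems_version: 3.3.7
  signing_key:
  specification_version: 4
  summary: Shared code used between Dependabot package managers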