dependabot-common 0.182.4 → 0.185.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 957437470dd6e13a459853d0561b8f00e490410386768082cf8c325219607d8d
4
- data.tar.gz: 175b54ada2e28ce6ec3f0674885e2573d5cf2d384e596c736691bb67cf772e13
3
+ metadata.gz: b56ea9f42fa8def1dc34297a9f854e901efaa0539b5a09fbe90dc35ae7d8108d
4
+ data.tar.gz: 356fd5d7415556bcc0dae58d9a66b1c2d51425044ec200150633e02c955c3174
5
5
  SHA512:
6
- metadata.gz: cbb3505238e8ca4e46e2c8c9d29811d5c35ded7cb225b2b7af16486cfd9e992ebfa55b61c3ea2234ded603784240e214afad5674de8f69234bae94f708b437fe
7
- data.tar.gz: 95bf9cbab7116998aa9840af9fca96f29be5a1d3b7a72ae63d0dbf27f0aace507693677f752f40d136b1a7a4cbc20bda38cc39ecea5a2cc455b51e9e21a14605
6
+ metadata.gz: 3b64c813f3396cd8cfebc2fb5f9cb60228edd68333da9e5411af81540e55bbc14a5eea0a1a734ee2c780cbae6bdb7d985c45aa16adc934d1e2b2f05025dd9ae7
7
+ data.tar.gz: 1a6fff1224aeeed66c120ffea9c54707e204ecab08a6e97ec8a7c4e95cf4507ed672689284bfdf1feb074eed3dc7d1ca2e2e0da6dd4182d4343b949e796291c9
@@ -160,7 +160,8 @@ module Dependabot
160
160
  url,
161
161
  user: credentials&.fetch("username", nil),
162
162
  password: credentials&.fetch("password", nil),
163
- idempotent: true,
163
+ # Setting to false to prevent Excon retries, use BitbucketWithRetries for retries.
164
+ idempotent: false,
164
165
  **Dependabot::SharedHelpers.excon_defaults(
165
166
  headers: auth_header
166
167
  )
@@ -446,7 +446,13 @@ module Dependabot
446
446
  )
447
447
  end
448
448
 
449
- Base64.decode64(tmp.content).force_encoding("UTF-8").encode
449
+ if tmp.content == ""
450
+ # The file may have exceeded the 1MB limit
451
+ # see https://github.blog/changelog/2022-05-03-increased-file-size-limit-when-retrieving-file-contents-via-rest-api/
452
+ github_client.contents(repo, path: path, ref: commit, accept: "application/vnd.github.v3.raw")
453
+ else
454
+ Base64.decode64(tmp.content).force_encoding("UTF-8").encode
455
+ end
450
456
  rescue Octokit::Forbidden => e
451
457
  raise unless e.message.include?("too_large")
452
458
 
@@ -48,7 +48,6 @@ module Dependabot
48
48
 
49
49
  attr_reader :url, :credentials
50
50
 
51
- # rubocop:disable Metrics/PerceivedComplexity
52
51
  def fetch_upload_pack_for(uri)
53
52
  response = fetch_raw_upload_pack_for(uri)
54
53
  return response.body if response.status == 200
@@ -70,15 +69,10 @@ module Dependabot
70
69
 
71
70
  raise Dependabot::GitDependenciesNotReachable, [uri]
72
71
  rescue Excon::Error::Socket, Excon::Error::Timeout
73
- retry_count ||= 0
74
- retry_count += 1
75
-
76
- sleep(rand(0.9)) && retry if retry_count <= 2 && uri.match?(KNOWN_HOSTS)
77
72
  raise if uri.match?(KNOWN_HOSTS)
78
73
 
79
74
  raise Dependabot::GitDependenciesNotReachable, [uri]
80
75
  end
81
- # rubocop:enable Metrics/PerceivedComplexity
82
76
 
83
77
  def fetch_raw_upload_pack_for(uri)
84
78
  url = service_pack_uri(uri)
@@ -160,8 +160,8 @@ module Dependabot
160
160
  end
161
161
 
162
162
  def self.with_git_configured(credentials:)
163
- backup_git_config_path = stash_global_git_config
164
- configure_git_to_use_https_with_credentials(credentials)
163
+ backup_git_config_path, safe_directories = stash_global_git_config
164
+ configure_git_to_use_https_with_credentials(credentials, safe_directories)
165
165
  yield
166
166
  rescue Errno::ENOSPC => e
167
167
  raise Dependabot::OutOfDisk, e.message
@@ -175,7 +175,7 @@ module Dependabot
175
175
 
176
176
  # rubocop:disable Metrics/AbcSize
177
177
  # rubocop:disable Metrics/PerceivedComplexity
178
- def self.configure_git_to_use_https_with_credentials(credentials)
178
+ def self.configure_git_to_use_https_with_credentials(credentials, safe_directories)
179
179
  File.open(GIT_CONFIG_GLOBAL_PATH, "w") do |file|
180
180
  file << "# Generated by dependabot/dependabot-core"
181
181
  end
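Review bot: The new `safe_directories` parameter on `configure_git_to_use_https_with_credentials` is a required positional argument, yet further down the method (outside this hunk) it is defaulted with `safe_directories ||= []`, which signals that nil is an accepted input; a keyword with a default, `def self.configure_git_to_use_https_with_credentials(credentials, safe_directories: [])`, states that intent, makes the call site in `with_git_configured` self-describing, and keeps any other caller that passes only credentials working. The method body runs past the end of this hunk.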
@@ -190,6 +190,12 @@ module Dependabot
190
190
  allow_unsafe_shell_command: true
191
191
  )
192
192
 
193
+ # see https://github.blog/2022-04-12-git-security-vulnerability-announced/
194
+ safe_directories ||= []
195
+ safe_directories.each do |path|
196
+ run_shell_command("git config --global --add safe.directory #{path}")
197
+ end
198
+
193
199
  github_credentials = credentials.
194
200
  select { |c| c["type"] == "git_source" }.
195
201
  select { |c| c["host"] == "github.com" }.
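Review bot: `run_shell_command("git config --global --add safe.directory #{path}")` interpolates each preserved path into the shell string unquoted, so a directory containing a space or a shell metacharacter is split or interpreted by the shell instead of being registered verbatim. The values come from the user's own global .gitconfig, so this is primarily a correctness concern, but `run_shell_command("git config --global --add safe.directory #{Shellwords.escape(path)}")` closes both the breakage and the metacharacter case (`Shellwords` is stdlib; add `require "shellwords"` if the file does not already load it). The enclosing method starts before this hunk.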
@@ -267,8 +273,13 @@ module Dependabot
267
273
  digest = Digest::SHA2.hexdigest(contents)[0...10]
268
274
  backup_path = GIT_CONFIG_GLOBAL_PATH + ".backup-#{digest}"
269
275
 
276
+ # to preserve safe directories from global .gitconfig
277
+ output, process = Open3.capture2("git config --global --get-all safe.directory")
278
+ safe_directories = []
279
+ safe_directories = output.split("\n").compact if process.success?
280
+
270
281
  FileUtils.mv(GIT_CONFIG_GLOBAL_PATH, backup_path)
271
- backup_path
282
+ [backup_path, safe_directories]
272
283
  end
273
284
 
274
285
  def self.reset_global_git_config(backup_path)
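Review bot: `output.split("\n").compact` — `compact` is a no-op here because `String#split` never yields nil, and the preceding `safe_directories = []` is immediately overwritten on the success path; `safe_directories = process.success? ? output.lines(chomp: true) : []` says the same thing in one line. The `process.success?` guard is the right shape since `git config --get-all` exits non-zero when the key is absent, which yields an empty list rather than an error. Because the method now returns a pair instead of a single path, a `# @return [Array(String, Array<String>)] backup path and the preserved safe.directory entries` on `stash_global_git_config` (its signature is outside this hunk) would spare the next reader from tracing the destructuring in `with_git_configured`.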
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Dependabot
4
- VERSION = "0.182.4"
4
+ VERSION = "0.185.0"
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-common
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.182.4
4
+ version: 0.185.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-04-26 00:00:00.000000000 Z
11
+ date: 2022-05-09 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
@@ -226,16 +226,30 @@ dependencies:
226
226
  name: debase
227
227
  requirement: !ruby/object:Gem::Requirement
228
228
  requirements:
229
- - - "~>"
229
+ - - '='
230
230
  - !ruby/object:Gem::Version
231
- version: 0.2.4.1
231
+ version: 0.2.3
232
232
  type: :development
233
233
  prerelease: false
234
234
  version_requirements: !ruby/object:Gem::Requirement
235
235
  requirements:
236
- - - "~>"
236
+ - - '='
237
+ - !ruby/object:Gem::Version
238
+ version: 0.2.3
239
+ - !ruby/object:Gem::Dependency
240
+ name: debase-ruby_core_source
241
+ requirement: !ruby/object:Gem::Requirement
242
+ requirements:
243
+ - - '='
244
+ - !ruby/object:Gem::Version
245
+ version: 0.10.14
246
+ type: :development
247
+ prerelease: false
248
+ version_requirements: !ruby/object:Gem::Requirement
249
+ requirements:
250
+ - - '='
237
251
  - !ruby/object:Gem::Version
238
- version: 0.2.4.1
252
+ version: 0.10.14
239
253
  - !ruby/object:Gem::Dependency
240
254
  name: debug
241
255
  requirement: !ruby/object:Gem::Requirement
@@ -312,14 +326,14 @@ dependencies:
312
326
  requirements:
313
327
  - - "~>"
314
328
  - !ruby/object:Gem::Version
315
- version: 1.27.0
329
+ version: 1.28.2
316
330
  type: :development
317
331
  prerelease: false
318
332
  version_requirements: !ruby/object:Gem::Requirement
319
333
  requirements:
320
334
  - - "~>"
321
335
  - !ruby/object:Gem::Version
322
- version: 1.27.0
336
+ version: 1.28.2
323
337
  - !ruby/object:Gem::Dependency
324
338
  name: ruby-debug-ide
325
339
  requirement: !ruby/object:Gem::Requirement
@@ -497,7 +511,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
497
511
  - !ruby/object:Gem::Version
498
512
  version: 2.7.3
499
513
  requirements: []
500
- rubygems_version: 3.2.32
514
+ rubygems_version: 3.3.7
501
515
  signing_key:
502
516
  specification_version: 4
503
517
  summary: Shared code used between Dependabot package managers