dependabot-common 0.182.4 → 0.185.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 957437470dd6e13a459853d0561b8f00e490410386768082cf8c325219607d8d
-  data.tar.gz: 175b54ada2e28ce6ec3f0674885e2573d5cf2d384e596c736691bb67cf772e13
+  metadata.gz: b56ea9f42fa8def1dc34297a9f854e901efaa0539b5a09fbe90dc35ae7d8108d
+  data.tar.gz: 356fd5d7415556bcc0dae58d9a66b1c2d51425044ec200150633e02c955c3174
 SHA512:
-  metadata.gz: cbb3505238e8ca4e46e2c8c9d29811d5c35ded7cb225b2b7af16486cfd9e992ebfa55b61c3ea2234ded603784240e214afad5674de8f69234bae94f708b437fe
-  data.tar.gz: 95bf9cbab7116998aa9840af9fca96f29be5a1d3b7a72ae63d0dbf27f0aace507693677f752f40d136b1a7a4cbc20bda38cc39ecea5a2cc455b51e9e21a14605
+  metadata.gz: 3b64c813f3396cd8cfebc2fb5f9cb60228edd68333da9e5411af81540e55bbc14a5eea0a1a734ee2c780cbae6bdb7d985c45aa16adc934d1e2b2f05025dd9ae7
+  data.tar.gz: 1a6fff1224aeeed66c120ffea9c54707e204ecab08a6e97ec8a7c4e95cf4507ed672689284bfdf1feb074eed3dc7d1ca2e2e0da6dd4182d4343b949e796291c9

data/lib/dependabot/clients/bitbucket.rb

@@ -160,7 +160,8 @@ module Dependabot
           url,
           user: credentials&.fetch("username", nil),
           password: credentials&.fetch("password", nil),
-          idempotent: true,
+          # Setting to false to prevent Excon retries, use BitbucketWithRetries for retries.
+          idempotent: false,
           **Dependabot::SharedHelpers.excon_defaults(
             headers: auth_header
           )

data/lib/dependabot/file_fetchers/base.rb

@@ -446,7 +446,13 @@ module Dependabot
           )
         end
 
-        Base64.decode64(tmp.content).force_encoding("UTF-8").encode
+        if tmp.content == ""
+          # The file may have exceeded the 1MB limit
+          # see https://github.blog/changelog/2022-05-03-increased-file-size-limit-when-retrieving-file-contents-via-rest-api/
+          github_client.contents(repo, path: path, ref: commit, accept: "application/vnd.github.v3.raw")
+        else
+          Base64.decode64(tmp.content).force_encoding("UTF-8").encode
+        end
       rescue Octokit::Forbidden => e
         raise unless e.message.include?("too_large")
 

data/lib/dependabot/git_metadata_fetcher.rb

@@ -48,7 +48,6 @@ module Dependabot
 
     attr_reader :url, :credentials
 
-    # rubocop:disable Metrics/PerceivedComplexity
     def fetch_upload_pack_for(uri)
       response = fetch_raw_upload_pack_for(uri)
       return response.body if response.status == 200
@@ -70,15 +69,10 @@ module Dependabot
 
       raise Dependabot::GitDependenciesNotReachable, [uri]
     rescue Excon::Error::Socket, Excon::Error::Timeout
-      retry_count ||= 0
-      retry_count += 1
-
-      sleep(rand(0.9)) && retry if retry_count <= 2 && uri.match?(KNOWN_HOSTS)
       raise if uri.match?(KNOWN_HOSTS)
 
       raise Dependabot::GitDependenciesNotReachable, [uri]
     end
-    # rubocop:enable Metrics/PerceivedComplexity
 
     def fetch_raw_upload_pack_for(uri)
       url = service_pack_uri(uri)

data/lib/dependabot/shared_helpers.rb

@@ -160,8 +160,8 @@ module Dependabot
     end
 
     def self.with_git_configured(credentials:)
-      backup_git_config_path = stash_global_git_config
-      configure_git_to_use_https_with_credentials(credentials)
+      backup_git_config_path, safe_directories = stash_global_git_config
+      configure_git_to_use_https_with_credentials(credentials, safe_directories)
       yield
     rescue Errno::ENOSPC => e
       raise Dependabot::OutOfDisk, e.message
@@ -175,7 +175,7 @@ module Dependabot
 
     # rubocop:disable Metrics/AbcSize
     # rubocop:disable Metrics/PerceivedComplexity
-    def self.configure_git_to_use_https_with_credentials(credentials)
+    def self.configure_git_to_use_https_with_credentials(credentials, safe_directories)
       File.open(GIT_CONFIG_GLOBAL_PATH, "w") do |file|
         file << "# Generated by dependabot/dependabot-core"
       end
@@ -190,6 +190,12 @@ module Dependabot
         allow_unsafe_shell_command: true
       )
 
+      # see https://github.blog/2022-04-12-git-security-vulnerability-announced/
+      safe_directories ||= []
+      safe_directories.each do |path|
+        run_shell_command("git config --global --add safe.directory #{path}")
+      end
+
       github_credentials = credentials.
                            select { |c| c["type"] == "git_source" }.
                            select { |c| c["host"] == "github.com" }.
@@ -267,8 +273,13 @@ module Dependabot
       digest = Digest::SHA2.hexdigest(contents)[0...10]
       backup_path = GIT_CONFIG_GLOBAL_PATH + ".backup-#{digest}"
 
+      # to preserve safe directories from global .gitconfig
+      output, process = Open3.capture2("git config --global --get-all safe.directory")
+      safe_directories = []
+      safe_directories = output.split("\n").compact if process.success?
+
       FileUtils.mv(GIT_CONFIG_GLOBAL_PATH, backup_path)
-      backup_path
+      [backup_path, safe_directories]
     end
 
     def self.reset_global_git_config(backup_path)

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.182.4"
+  VERSION = "0.185.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.182.4
+  version: 0.185.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-04-26 00:00:00.000000000 Z
+date: 2022-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -226,16 +226,30 @@ dependencies:
   name: debase
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: 0.2.4.1
+        version: 0.2.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.2.3
+- !ruby/object:Gem::Dependency
+  name: debase-ruby_core_source
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.10.14
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
       - !ruby/object:Gem::Version
-        version: 0.2.4.1
+        version: 0.10.14
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -312,14 +326,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.27.0
+        version: 1.28.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.27.0
+        version: 1.28.2
 - !ruby/object:Gem::Dependency
   name: ruby-debug-ide
   requirement: !ruby/object:Gem::Requirement
@@ -497,7 +511,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 2.7.3
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.3.7
 signing_key: 
 specification_version: 4
 summary: Shared code used between Dependabot package managers