dependabot-common 0.209.0 → 0.212.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/dependabot/clients/azure.rb +1 -1
- data/lib/dependabot/clients/bitbucket.rb +2 -2
- data/lib/dependabot/config/ignore_condition.rb +1 -1
- data/lib/dependabot/dependency.rb +16 -12
- data/lib/dependabot/errors.rb +7 -7
- data/lib/dependabot/file_fetchers/base.rb +4 -4
- data/lib/dependabot/file_parsers/base/dependency_set.rb +1 -1
- data/lib/dependabot/file_updaters/vendor_updater.rb +3 -3
- data/lib/dependabot/git_commit_checker.rb +6 -2
- data/lib/dependabot/git_metadata_fetcher.rb +2 -2
- data/lib/dependabot/metadata_finders/base/changelog_finder.rb +5 -5
- data/lib/dependabot/metadata_finders/base/changelog_pruner.rb +4 -4
- data/lib/dependabot/metadata_finders/base/commits_finder.rb +4 -4
- data/lib/dependabot/metadata_finders/base/release_finder.rb +4 -4
- data/lib/dependabot/pull_request_creator/branch_namer.rb +10 -12
- data/lib/dependabot/pull_request_creator/github.rb +5 -5
- data/lib/dependabot/pull_request_creator/labeler.rb +2 -0
- data/lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb +1 -1
- data/lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb +10 -10
- data/lib/dependabot/pull_request_creator/message_builder.rb +49 -39
- data/lib/dependabot/pull_request_creator/pr_name_prefixer.rb +5 -10
- data/lib/dependabot/pull_request_updater/azure.rb +7 -3
- data/lib/dependabot/pull_request_updater/github.rb +1 -1
- data/lib/dependabot/security_advisory.rb +6 -3
- data/lib/dependabot/shared_helpers.rb +12 -12
- data/lib/dependabot/source.rb +2 -2
- data/lib/dependabot/update_checkers/base.rb +1 -1
- data/lib/dependabot/version.rb +1 -1
- metadata +38 -10
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5242196cd22b0092cbdaaf08f6d5ce3f4249d1eeccedada949822b0b14657e9c
|
|
4
|
+
data.tar.gz: f47437aa525423bdbb507dfa5b0978863e41f3010682ed1c6f321d2ac67efea9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cad3f4c8848f45b07d7769bdf4a1b351e3cca4f921bb449cee629ddffc3c579df3b1dfc9343ecfdabd1192d1f1e207e82f8af0c8ee0f142af5856e5bee769d0e
|
|
7
|
+
data.tar.gz: c564e966eba317b8b5e61bf4d82df255248ee4932711d85854e38e843ce0f26d0dc22a649cb7e2f475e01f2b0fd61dce160a46a5ecdc0cbe61d560fd5b004587
|
|
@@ -310,7 +310,7 @@ module Dependabot
|
|
|
310
310
|
# https://developercommunity.visualstudio.com/content/problem/608770/remove-4000-character-limit-on-pull-request-descri.html
|
|
311
311
|
pr_description = pr_description.dup.force_encoding(Encoding::UTF_16)
|
|
312
312
|
if pr_description.length > MAX_PR_DESCRIPTION_LENGTH
|
|
313
|
-
truncated_msg = "...\n\n_Description has been truncated_".
|
|
313
|
+
truncated_msg = (+"...\n\n_Description has been truncated_").force_encoding(Encoding::UTF_16)
|
|
314
314
|
truncate_length = MAX_PR_DESCRIPTION_LENGTH - truncated_msg.length
|
|
315
315
|
pr_description = (pr_description[0..truncate_length] + truncated_msg)
|
|
316
316
|
end
|
|
@@ -189,8 +189,8 @@ module Dependabot
|
|
|
189
189
|
raise NotFound if response.status == 404
|
|
190
190
|
|
|
191
191
|
if response.status >= 400
|
|
192
|
-
raise "Unhandled Bitbucket error!\n"\
|
|
193
|
-
"Status: #{response.status}\n"\
|
|
192
|
+
raise "Unhandled Bitbucket error!\n" \
|
|
193
|
+
"Status: #{response.status}\n" \
|
|
194
194
|
"Body: #{response.body}"
|
|
195
195
|
end
|
|
196
196
|
|
|
@@ -41,7 +41,7 @@ module Dependabot
|
|
|
41
41
|
|
|
42
42
|
def initialize(name:, requirements:, package_manager:, version: nil,
|
|
43
43
|
previous_version: nil, previous_requirements: nil,
|
|
44
|
-
subdependency_metadata: [])
|
|
44
|
+
subdependency_metadata: [], removed: false)
|
|
45
45
|
@name = name
|
|
46
46
|
@version = version
|
|
47
47
|
@requirements = requirements.map { |req| symbolize_keys(req) }
|
|
@@ -53,6 +53,7 @@ module Dependabot
|
|
|
53
53
|
@subdependency_metadata = subdependency_metadata&.
|
|
54
54
|
map { |h| symbolize_keys(h) }
|
|
55
55
|
end
|
|
56
|
+
@removed = removed
|
|
56
57
|
|
|
57
58
|
check_values
|
|
58
59
|
end
|
|
@@ -61,6 +62,10 @@ module Dependabot
|
|
|
61
62
|
requirements.any?
|
|
62
63
|
end
|
|
63
64
|
|
|
65
|
+
def removed?
|
|
66
|
+
@removed
|
|
67
|
+
end
|
|
68
|
+
|
|
64
69
|
def to_h
|
|
65
70
|
{
|
|
66
71
|
"name" => name,
|
|
@@ -69,7 +74,8 @@ module Dependabot
|
|
|
69
74
|
"previous_version" => previous_version,
|
|
70
75
|
"previous_requirements" => previous_requirements,
|
|
71
76
|
"package_manager" => package_manager,
|
|
72
|
-
"subdependency_metadata" => subdependency_metadata
|
|
77
|
+
"subdependency_metadata" => subdependency_metadata,
|
|
78
|
+
"removed" => removed? ? true : nil
|
|
73
79
|
}.compact
|
|
74
80
|
end
|
|
75
81
|
|
|
@@ -114,9 +120,7 @@ module Dependabot
|
|
|
114
120
|
private
|
|
115
121
|
|
|
116
122
|
def check_values
|
|
117
|
-
if [version, previous_version].any?
|
|
118
|
-
raise ArgumentError, "blank strings must not be provided as versions"
|
|
119
|
-
end
|
|
123
|
+
raise ArgumentError, "blank strings must not be provided as versions" if [version, previous_version].any?("")
|
|
120
124
|
|
|
121
125
|
check_requirement_fields
|
|
122
126
|
check_subdependency_metadata
|
|
@@ -124,8 +128,8 @@ module Dependabot
|
|
|
124
128
|
|
|
125
129
|
def check_requirement_fields
|
|
126
130
|
requirement_fields = [requirements, previous_requirements].compact
|
|
127
|
-
unless requirement_fields.all?
|
|
128
|
-
requirement_fields.flatten.all?
|
|
131
|
+
unless requirement_fields.all?(Array) &&
|
|
132
|
+
requirement_fields.flatten.all?(Hash)
|
|
129
133
|
raise ArgumentError, "requirements must be an array of hashes"
|
|
130
134
|
end
|
|
131
135
|
|
|
@@ -133,9 +137,9 @@ module Dependabot
|
|
|
133
137
|
optional_keys = %i(metadata)
|
|
134
138
|
unless requirement_fields.flatten.
|
|
135
139
|
all? { |r| required_keys.sort == (r.keys - optional_keys).sort }
|
|
136
|
-
raise ArgumentError, "each requirement must have the following "\
|
|
137
|
-
"required keys: #{required_keys.join(', ')}."\
|
|
138
|
-
"Optionally, it may have the following keys: "\
|
|
140
|
+
raise ArgumentError, "each requirement must have the following " \
|
|
141
|
+
"required keys: #{required_keys.join(', ')}." \
|
|
142
|
+
"Optionally, it may have the following keys: " \
|
|
139
143
|
"#{optional_keys.join(', ')}."
|
|
140
144
|
end
|
|
141
145
|
|
|
@@ -148,13 +152,13 @@ module Dependabot
|
|
|
148
152
|
return unless subdependency_metadata
|
|
149
153
|
|
|
150
154
|
unless subdependency_metadata.is_a?(Array) &&
|
|
151
|
-
subdependency_metadata.all?
|
|
155
|
+
subdependency_metadata.all?(Hash)
|
|
152
156
|
raise ArgumentError, "subdependency_metadata must be an array of hashes"
|
|
153
157
|
end
|
|
154
158
|
end
|
|
155
159
|
|
|
156
160
|
def symbolize_keys(hash)
|
|
157
|
-
hash.keys.
|
|
161
|
+
hash.keys.to_h { |k| [k.to_sym, hash[k]] }
|
|
158
162
|
end
|
|
159
163
|
end
|
|
160
164
|
end
|
data/lib/dependabot/errors.rb
CHANGED
|
@@ -124,8 +124,8 @@ module Dependabot
|
|
|
124
124
|
|
|
125
125
|
def initialize(source)
|
|
126
126
|
@source = sanitize_source(source)
|
|
127
|
-
msg = "The following source could not be reached as it requires "\
|
|
128
|
-
"authentication (and any provided details were invalid or lacked "\
|
|
127
|
+
msg = "The following source could not be reached as it requires " \
|
|
128
|
+
"authentication (and any provided details were invalid or lacked " \
|
|
129
129
|
"the required permissions): #{@source}"
|
|
130
130
|
super(msg)
|
|
131
131
|
end
|
|
@@ -173,7 +173,7 @@ module Dependabot
|
|
|
173
173
|
@dependency_urls =
|
|
174
174
|
dependency_urls.flatten.map { |uri| filter_sensitive_data(uri) }
|
|
175
175
|
|
|
176
|
-
msg = "The following git URLs could not be retrieved: "\
|
|
176
|
+
msg = "The following git URLs could not be retrieved: " \
|
|
177
177
|
"#{@dependency_urls.join(', ')}"
|
|
178
178
|
super(msg)
|
|
179
179
|
end
|
|
@@ -185,7 +185,7 @@ module Dependabot
|
|
|
185
185
|
def initialize(dependency)
|
|
186
186
|
@dependency = dependency
|
|
187
187
|
|
|
188
|
-
msg = "The branch or reference specified for #{@dependency} could not "\
|
|
188
|
+
msg = "The branch or reference specified for #{@dependency} could not " \
|
|
189
189
|
"be retrieved"
|
|
190
190
|
super(msg)
|
|
191
191
|
end
|
|
@@ -196,7 +196,7 @@ module Dependabot
|
|
|
196
196
|
|
|
197
197
|
def initialize(*dependencies)
|
|
198
198
|
@dependencies = dependencies.flatten
|
|
199
|
-
msg = "The following path based dependencies could not be retrieved: "\
|
|
199
|
+
msg = "The following path based dependencies could not be retrieved: " \
|
|
200
200
|
"#{@dependencies.join(', ')}"
|
|
201
201
|
super(msg)
|
|
202
202
|
end
|
|
@@ -210,8 +210,8 @@ module Dependabot
|
|
|
210
210
|
@declared_path = declared_path
|
|
211
211
|
@discovered_path = discovered_path
|
|
212
212
|
|
|
213
|
-
msg = "The module path '#{@declared_path}' found in #{@go_mod} doesn't "\
|
|
214
|
-
"match the actual path '#{@discovered_path}' in the dependency's "\
|
|
213
|
+
msg = "The module path '#{@declared_path}' found in #{@go_mod} doesn't " \
|
|
214
|
+
"match the actual path '#{@discovered_path}' in the dependency's " \
|
|
215
215
|
"go.mod"
|
|
216
216
|
super(msg)
|
|
217
217
|
end
|
|
@@ -141,7 +141,7 @@ module Dependabot
|
|
|
141
141
|
|
|
142
142
|
path = Pathname.new(File.join(directory, filename)).cleanpath.to_path
|
|
143
143
|
content = _fetch_file_content(path, fetch_submodules: fetch_submodules)
|
|
144
|
-
type = @linked_paths.key?(path.gsub(%r{^/}, ""))
|
|
144
|
+
type = "symlink" if @linked_paths.key?(path.gsub(%r{^/}, ""))
|
|
145
145
|
|
|
146
146
|
DependencyFile.new(
|
|
147
147
|
name: Pathname.new(filename).cleanpath.to_path,
|
|
@@ -233,8 +233,8 @@ module Dependabot
|
|
|
233
233
|
repo_path = File.join(clone_repo_contents, relative_path)
|
|
234
234
|
return [] unless Dir.exist?(repo_path)
|
|
235
235
|
|
|
236
|
-
Dir.entries(repo_path).
|
|
237
|
-
next if
|
|
236
|
+
Dir.entries(repo_path).filter_map do |name|
|
|
237
|
+
next if name == "." || name == ".."
|
|
238
238
|
|
|
239
239
|
absolute_path = File.join(repo_path, name)
|
|
240
240
|
type = if File.symlink?(absolute_path)
|
|
@@ -251,7 +251,7 @@ module Dependabot
|
|
|
251
251
|
type: type,
|
|
252
252
|
size: 0 # NOTE: added for parity with github contents API
|
|
253
253
|
)
|
|
254
|
-
end
|
|
254
|
+
end
|
|
255
255
|
end
|
|
256
256
|
|
|
257
257
|
def update_linked_paths(repo, path, commit, github_response)
|
|
@@ -10,7 +10,7 @@ module Dependabot
|
|
|
10
10
|
class DependencySet
|
|
11
11
|
def initialize(dependencies = [], case_sensitive: false)
|
|
12
12
|
unless dependencies.is_a?(Array) &&
|
|
13
|
-
dependencies.all?
|
|
13
|
+
dependencies.all?(Dependency)
|
|
14
14
|
raise ArgumentError, "must be an array of Dependency objects"
|
|
15
15
|
end
|
|
16
16
|
|
|
@@ -18,9 +18,9 @@ module Dependabot
|
|
|
18
18
|
return [] unless repo_contents_path && vendor_dir
|
|
19
19
|
|
|
20
20
|
Dir.chdir(repo_contents_path) do
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
21
|
+
# rubocop:disable Performance/DeletePrefix
|
|
22
|
+
relative_dir = Pathname.new(base_directory).sub(%r{\A/}, "").join(vendor_dir)
|
|
23
|
+
# rubocop:enable Performance/DeletePrefix
|
|
24
24
|
|
|
25
25
|
status = SharedHelpers.run_shell_command(
|
|
26
26
|
"git status --untracked-files all --porcelain v1 #{relative_dir}"
|
|
@@ -86,6 +86,10 @@ module Dependabot
|
|
|
86
86
|
raise Dependabot::GitDependencyReferenceNotFound, dependency.name
|
|
87
87
|
end
|
|
88
88
|
|
|
89
|
+
def head_commit_for_local_branch(name)
|
|
90
|
+
local_repo_git_metadata_fetcher.head_commit_for_ref(name)
|
|
91
|
+
end
|
|
92
|
+
|
|
89
93
|
def local_tags_for_latest_version_commit_sha
|
|
90
94
|
tags = allowed_version_tags
|
|
91
95
|
max_tag = max_version_tag(tags)
|
|
@@ -274,8 +278,8 @@ module Dependabot
|
|
|
274
278
|
end
|
|
275
279
|
|
|
276
280
|
def bitbucket_commit_comparison_status(ref1, ref2)
|
|
277
|
-
url = "https://api.bitbucket.org/2.0/repositories/"\
|
|
278
|
-
"#{listing_source_repo}/commits/?"\
|
|
281
|
+
url = "https://api.bitbucket.org/2.0/repositories/" \
|
|
282
|
+
"#{listing_source_repo}/commits/?" \
|
|
279
283
|
"include=#{ref2}&exclude=#{ref1}"
|
|
280
284
|
|
|
281
285
|
client = Clients::BitbucketWithRetries.
|
|
@@ -88,7 +88,7 @@ module Dependabot
|
|
|
88
88
|
service_pack_uri = uri
|
|
89
89
|
service_pack_uri += ".git" unless service_pack_uri.end_with?(".git")
|
|
90
90
|
|
|
91
|
-
env = { "PATH" => ENV
|
|
91
|
+
env = { "PATH" => ENV.fetch("PATH", nil) }
|
|
92
92
|
command = "git ls-remote #{service_pack_uri}"
|
|
93
93
|
command = SharedHelpers.escape_command(command)
|
|
94
94
|
|
|
@@ -125,7 +125,7 @@ module Dependabot
|
|
|
125
125
|
full_ref_name = line.split.last
|
|
126
126
|
next unless full_ref_name.start_with?("refs/tags", "refs/heads")
|
|
127
127
|
|
|
128
|
-
peeled_lines << line && next if line.strip.end_with?("^{}")
|
|
128
|
+
(peeled_lines << line) && next if line.strip.end_with?("^{}")
|
|
129
129
|
|
|
130
130
|
ref_name = full_ref_name.sub(%r{^refs/(tags|heads)/}, "").strip
|
|
131
131
|
sha = sha_for_update_pack_line(line)
|
|
@@ -239,7 +239,7 @@ module Dependabot
|
|
|
239
239
|
files += github_client.contents(source.repo, opts)
|
|
240
240
|
|
|
241
241
|
files.uniq.each do |f|
|
|
242
|
-
next unless
|
|
242
|
+
next unless f.type == "dir" && f.name.match?(/docs?/o)
|
|
243
243
|
|
|
244
244
|
opts = { path: f.path, ref: ref }.compact
|
|
245
245
|
files += github_client.contents(source.repo, opts)
|
|
@@ -300,16 +300,16 @@ module Dependabot
|
|
|
300
300
|
end
|
|
301
301
|
|
|
302
302
|
def previous_ref
|
|
303
|
-
previous_refs = dependency.previous_requirements.
|
|
303
|
+
previous_refs = dependency.previous_requirements.filter_map do |r|
|
|
304
304
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
|
305
|
-
end.
|
|
305
|
+
end.uniq
|
|
306
306
|
return previous_refs.first if previous_refs.count == 1
|
|
307
307
|
end
|
|
308
308
|
|
|
309
309
|
def new_ref
|
|
310
|
-
new_refs = dependency.requirements.
|
|
310
|
+
new_refs = dependency.requirements.filter_map do |r|
|
|
311
311
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
|
312
|
-
end.
|
|
312
|
+
end.uniq
|
|
313
313
|
return new_refs.first if new_refs.count == 1
|
|
314
314
|
end
|
|
315
315
|
|
|
@@ -137,16 +137,16 @@ module Dependabot
|
|
|
137
137
|
end
|
|
138
138
|
|
|
139
139
|
def previous_ref
|
|
140
|
-
previous_refs = dependency.previous_requirements.
|
|
140
|
+
previous_refs = dependency.previous_requirements.filter_map do |r|
|
|
141
141
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
|
142
|
-
end.
|
|
142
|
+
end.uniq
|
|
143
143
|
return previous_refs.first if previous_refs.count == 1
|
|
144
144
|
end
|
|
145
145
|
|
|
146
146
|
def new_ref
|
|
147
|
-
new_refs = dependency.requirements.
|
|
147
|
+
new_refs = dependency.requirements.filter_map do |r|
|
|
148
148
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
|
149
|
-
end.
|
|
149
|
+
end.uniq
|
|
150
150
|
return new_refs.first if new_refs.count == 1
|
|
151
151
|
end
|
|
152
152
|
|
|
@@ -136,18 +136,18 @@ module Dependabot
|
|
|
136
136
|
def previous_ref
|
|
137
137
|
return unless git_source?(dependency.previous_requirements)
|
|
138
138
|
|
|
139
|
-
previous_refs = dependency.previous_requirements.
|
|
139
|
+
previous_refs = dependency.previous_requirements.filter_map do |r|
|
|
140
140
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
|
141
|
-
end.
|
|
141
|
+
end.uniq
|
|
142
142
|
return previous_refs.first if previous_refs.count == 1
|
|
143
143
|
end
|
|
144
144
|
|
|
145
145
|
def new_ref
|
|
146
146
|
return unless git_source?(dependency.previous_requirements)
|
|
147
147
|
|
|
148
|
-
new_refs = dependency.requirements.
|
|
148
|
+
new_refs = dependency.requirements.filter_map do |r|
|
|
149
149
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
|
150
|
-
end.
|
|
150
|
+
end.uniq
|
|
151
151
|
return new_refs.first if new_refs.count == 1
|
|
152
152
|
end
|
|
153
153
|
|
|
@@ -275,16 +275,16 @@ module Dependabot
|
|
|
275
275
|
end
|
|
276
276
|
|
|
277
277
|
def previous_ref
|
|
278
|
-
previous_refs = dependency.previous_requirements.
|
|
278
|
+
previous_refs = dependency.previous_requirements.filter_map do |r|
|
|
279
279
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
|
280
|
-
end.
|
|
280
|
+
end.uniq
|
|
281
281
|
return previous_refs.first if previous_refs.count == 1
|
|
282
282
|
end
|
|
283
283
|
|
|
284
284
|
def new_ref
|
|
285
|
-
new_refs = dependency.requirements.
|
|
285
|
+
new_refs = dependency.requirements.filter_map do |r|
|
|
286
286
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
|
287
|
-
end.
|
|
287
|
+
end.uniq
|
|
288
288
|
return new_refs.first if new_refs.count == 1
|
|
289
289
|
end
|
|
290
290
|
|
|
@@ -90,7 +90,9 @@ module Dependabot
|
|
|
90
90
|
def branch_version_suffix
|
|
91
91
|
dep = dependencies.first
|
|
92
92
|
|
|
93
|
-
if
|
|
93
|
+
if dep.removed?
|
|
94
|
+
"-removed"
|
|
95
|
+
elsif library? && ref_changed?(dep) && new_ref(dep)
|
|
94
96
|
new_ref(dep)
|
|
95
97
|
elsif library?
|
|
96
98
|
sanitized_requirement(dep)
|
|
@@ -127,24 +129,24 @@ module Dependabot
|
|
|
127
129
|
elsif dependency.version == dependency.previous_version &&
|
|
128
130
|
package_manager == "docker"
|
|
129
131
|
dependency.requirements.
|
|
130
|
-
|
|
131
|
-
|
|
132
|
+
filter_map { |r| r.dig(:source, "digest") || r.dig(:source, :digest) }.
|
|
133
|
+
first.split(":").last[0..6]
|
|
132
134
|
else
|
|
133
135
|
dependency.version
|
|
134
136
|
end
|
|
135
137
|
end
|
|
136
138
|
|
|
137
139
|
def previous_ref(dependency)
|
|
138
|
-
previous_refs = dependency.previous_requirements.
|
|
140
|
+
previous_refs = dependency.previous_requirements.filter_map do |r|
|
|
139
141
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
|
140
|
-
end.
|
|
142
|
+
end.uniq
|
|
141
143
|
return previous_refs.first if previous_refs.count == 1
|
|
142
144
|
end
|
|
143
145
|
|
|
144
146
|
def new_ref(dependency)
|
|
145
|
-
new_refs = dependency.requirements.
|
|
147
|
+
new_refs = dependency.requirements.filter_map do |r|
|
|
146
148
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
|
147
|
-
end.
|
|
149
|
+
end.uniq
|
|
148
150
|
return new_refs.first if new_refs.count == 1
|
|
149
151
|
end
|
|
150
152
|
|
|
@@ -185,11 +187,7 @@ module Dependabot
|
|
|
185
187
|
# Remove forbidden characters (those not already replaced elsewhere)
|
|
186
188
|
gsub(%r{[^A-Za-z0-9/\-_.(){}]}, "").
|
|
187
189
|
# Slashes can't be followed by periods
|
|
188
|
-
gsub(%r{/\.}, "/dot-").
|
|
189
|
-
# Two or more sequential periods are forbidden
|
|
190
|
-
gsub(/\.+/, ".").
|
|
191
|
-
# Two or more sequential slashes are forbidden
|
|
192
|
-
gsub(%r{/+}, "/").
|
|
190
|
+
gsub(%r{/\.}, "/dot-").squeeze(".").squeeze("/").
|
|
193
191
|
# Trailing periods are forbidden
|
|
194
192
|
sub(/\.$/, "")
|
|
195
193
|
end
|
|
@@ -219,7 +219,7 @@ module Dependabot
|
|
|
219
219
|
retry_count ||= 0
|
|
220
220
|
retry_count += 1
|
|
221
221
|
if retry_count > 10
|
|
222
|
-
raise "Repeatedly failed to create or update branch #{branch_name} "\
|
|
222
|
+
raise "Repeatedly failed to create or update branch #{branch_name} " \
|
|
223
223
|
"with commit #{commit.sha}."
|
|
224
224
|
end
|
|
225
225
|
|
|
@@ -269,7 +269,7 @@ module Dependabot
|
|
|
269
269
|
|
|
270
270
|
def add_reviewers_to_pull_request(pull_request)
|
|
271
271
|
reviewers_hash =
|
|
272
|
-
reviewers.keys.
|
|
272
|
+
reviewers.keys.to_h { |k| [k.to_sym, reviewers[k]] }
|
|
273
273
|
|
|
274
274
|
github_client_for_source.request_pull_request_review(
|
|
275
275
|
source.repo,
|
|
@@ -299,7 +299,7 @@ module Dependabot
|
|
|
299
299
|
|
|
300
300
|
def comment_with_invalid_reviewer(pull_request, message)
|
|
301
301
|
reviewers_hash =
|
|
302
|
-
reviewers.keys.
|
|
302
|
+
reviewers.keys.to_h { |k| [k.to_sym, reviewers[k]] }
|
|
303
303
|
reviewers = []
|
|
304
304
|
reviewers += reviewers_hash[:reviewers] || []
|
|
305
305
|
reviewers += (reviewers_hash[:team_reviewers] || []).
|
|
@@ -315,9 +315,9 @@ module Dependabot
|
|
|
315
315
|
|
|
316
316
|
msg = "Dependabot tried to add #{reviewers_string} as "
|
|
317
317
|
msg += reviewers.count > 1 ? "reviewers" : "a reviewer"
|
|
318
|
-
msg += " to this PR, but received the following error from GitHub:\n\n"\
|
|
318
|
+
msg += " to this PR, but received the following error from GitHub:\n\n" \
|
|
319
319
|
"```\n" \
|
|
320
|
-
"#{message}\n"\
|
|
320
|
+
"#{message}\n" \
|
|
321
321
|
"```"
|
|
322
322
|
|
|
323
323
|
github_client_for_source.add_comment(
|
|
@@ -105,7 +105,9 @@ module Dependabot
|
|
|
105
105
|
new_version_parts = version(dep).split(/[.+]/)
|
|
106
106
|
old_version_parts = previous_version(dep)&.split(/[.+]/) || []
|
|
107
107
|
all_parts = new_version_parts.first(3) + old_version_parts.first(3)
|
|
108
|
+
# rubocop:disable Performance/RedundantEqualityComparisonBlock
|
|
108
109
|
next 0 unless all_parts.all? { |part| part.to_i.to_s == part }
|
|
110
|
+
# rubocop:enable Performance/RedundantEqualityComparisonBlock
|
|
109
111
|
next 1 if new_version_parts[0] != old_version_parts[0]
|
|
110
112
|
next 2 if new_version_parts[1] != old_version_parts[1]
|
|
111
113
|
|
|
@@ -63,7 +63,7 @@ module Dependabot
|
|
|
63
63
|
def release_cascade
|
|
64
64
|
return "" unless releases_text && releases_url
|
|
65
65
|
|
|
66
|
-
msg = "*Sourced from [#{dependency.display_name}'s releases]"\
|
|
66
|
+
msg = "*Sourced from [#{dependency.display_name}'s releases]" \
|
|
67
67
|
"(#{releases_url}).*\n\n"
|
|
68
68
|
msg += quote_and_truncate(releases_text)
|
|
69
69
|
msg = link_issues(text: msg)
|
|
@@ -80,8 +80,8 @@ module Dependabot
|
|
|
80
80
|
def changelog_cascade
|
|
81
81
|
return "" unless changelog_url && changelog_text
|
|
82
82
|
|
|
83
|
-
msg = "*Sourced from "\
|
|
84
|
-
"[#{dependency.display_name}'s changelog]"\
|
|
83
|
+
msg = "*Sourced from " \
|
|
84
|
+
"[#{dependency.display_name}'s changelog]" \
|
|
85
85
|
"(#{changelog_url}).*\n\n"
|
|
86
86
|
msg += quote_and_truncate(changelog_text)
|
|
87
87
|
msg = link_issues(text: msg)
|
|
@@ -95,8 +95,8 @@ module Dependabot
|
|
|
95
95
|
def upgrade_guide_cascade
|
|
96
96
|
return "" unless upgrade_guide_url && upgrade_guide_text
|
|
97
97
|
|
|
98
|
-
msg = "*Sourced from "\
|
|
99
|
-
"[#{dependency.display_name}'s upgrade guide]"\
|
|
98
|
+
msg = "*Sourced from " \
|
|
99
|
+
"[#{dependency.display_name}'s upgrade guide]" \
|
|
100
100
|
"(#{upgrade_guide_url}).*\n\n"
|
|
101
101
|
msg += quote_and_truncate(upgrade_guide_text)
|
|
102
102
|
msg = link_issues(text: msg)
|
|
@@ -112,7 +112,7 @@ module Dependabot
|
|
|
112
112
|
|
|
113
113
|
msg = ""
|
|
114
114
|
|
|
115
|
-
commits.
|
|
115
|
+
commits.last(10).reverse_each do |commit|
|
|
116
116
|
title = commit[:message].strip.split("\n").first
|
|
117
117
|
title = title.slice(0..76) + "..." if title && title.length > 80
|
|
118
118
|
title = title&.gsub(/(?<=[^\w.-])([_*`~])/, '\\1')
|
|
@@ -124,8 +124,8 @@ module Dependabot
|
|
|
124
124
|
|
|
125
125
|
msg +=
|
|
126
126
|
if commits.count > 10
|
|
127
|
-
"- Additional commits viewable in "\
|
|
128
|
-
|
|
127
|
+
"- Additional commits viewable in " \
|
|
128
|
+
"[compare view](#{commits_url})\n"
|
|
129
129
|
else
|
|
130
130
|
"- See full diff in [compare view](#{commits_url})\n"
|
|
131
131
|
end
|
|
@@ -175,8 +175,8 @@ module Dependabot
|
|
|
175
175
|
|
|
176
176
|
def vulnerability_source_line(details)
|
|
177
177
|
if details["source_url"] && details["source_name"]
|
|
178
|
-
"*Sourced from [#{details['source_name']}]"\
|
|
179
|
-
|
|
178
|
+
"*Sourced from [#{details['source_name']}]" \
|
|
179
|
+
"(#{details['source_url']}).*\n\n"
|
|
180
180
|
elsif details["source_name"]
|
|
181
181
|
"*Sourced from #{details['source_name']}.*\n\n"
|
|
182
182
|
else
|
|
@@ -74,9 +74,9 @@ module Dependabot
|
|
|
74
74
|
|
|
75
75
|
pr_name +
|
|
76
76
|
if dependencies.count == 1
|
|
77
|
-
"#{dependencies.first.display_name} requirement "\
|
|
78
|
-
|
|
79
|
-
|
|
77
|
+
"#{dependencies.first.display_name} requirement " \
|
|
78
|
+
"#{from_version_msg(old_library_requirement(dependencies.first))}" \
|
|
79
|
+
"to #{new_library_requirement(dependencies.first)}"
|
|
80
80
|
else
|
|
81
81
|
names = dependencies.map(&:name)
|
|
82
82
|
"requirements for #{names[0..-2].join(', ')} and #{names[-1]}"
|
|
@@ -90,19 +90,19 @@ module Dependabot
|
|
|
90
90
|
pr_name +
|
|
91
91
|
if dependencies.count == 1
|
|
92
92
|
dependency = dependencies.first
|
|
93
|
-
"#{dependency.display_name} "\
|
|
94
|
-
|
|
95
|
-
|
|
93
|
+
"#{dependency.display_name} " \
|
|
94
|
+
"#{from_version_msg(previous_version(dependency))}" \
|
|
95
|
+
"to #{new_version(dependency)}"
|
|
96
96
|
elsif updating_a_property?
|
|
97
97
|
dependency = dependencies.first
|
|
98
|
-
"#{property_name} "\
|
|
99
|
-
|
|
100
|
-
|
|
98
|
+
"#{property_name} " \
|
|
99
|
+
"#{from_version_msg(previous_version(dependency))}" \
|
|
100
|
+
"to #{new_version(dependency)}"
|
|
101
101
|
elsif updating_a_dependency_set?
|
|
102
102
|
dependency = dependencies.first
|
|
103
|
-
"#{dependency_set.fetch(:group)} dependency set "\
|
|
104
|
-
|
|
105
|
-
|
|
103
|
+
"#{dependency_set.fetch(:group)} dependency set " \
|
|
104
|
+
"#{from_version_msg(previous_version(dependency))}" \
|
|
105
|
+
"to #{new_version(dependency)}"
|
|
106
106
|
else
|
|
107
107
|
names = dependencies.map(&:name)
|
|
108
108
|
"#{names[0..-2].join(', ')} and #{names[-1]}"
|
|
@@ -174,8 +174,8 @@ module Dependabot
|
|
|
174
174
|
return unless signoff_details.is_a?(Hash)
|
|
175
175
|
return unless signoff_details[:org_name] && signoff_details[:org_email]
|
|
176
176
|
|
|
177
|
-
"On-behalf-of: @#{signoff_details[:org_name]} "\
|
|
178
|
-
|
|
177
|
+
"On-behalf-of: @#{signoff_details[:org_name]} " \
|
|
178
|
+
"<#{signoff_details[:org_email]}>"
|
|
179
179
|
end
|
|
180
180
|
|
|
181
181
|
def requirement_commit_message_intro
|
|
@@ -200,8 +200,8 @@ module Dependabot
|
|
|
200
200
|
return multidependency_intro if dependencies.count > 1
|
|
201
201
|
|
|
202
202
|
dependency = dependencies.first
|
|
203
|
-
msg = "Bumps #{dependency_links.first} "\
|
|
204
|
-
"#{from_version_msg(previous_version(dependency))}"\
|
|
203
|
+
msg = "Bumps #{dependency_links.first} " \
|
|
204
|
+
"#{from_version_msg(previous_version(dependency))}" \
|
|
205
205
|
"to #{new_version(dependency)}."
|
|
206
206
|
|
|
207
207
|
msg += " This release includes the previously tagged commit." if switching_from_ref_to_release?(dependency)
|
|
@@ -220,23 +220,23 @@ module Dependabot
|
|
|
220
220
|
def multidependency_property_intro
|
|
221
221
|
dependency = dependencies.first
|
|
222
222
|
|
|
223
|
-
"Bumps `#{property_name}` "\
|
|
224
|
-
|
|
225
|
-
|
|
223
|
+
"Bumps `#{property_name}` " \
|
|
224
|
+
"#{from_version_msg(previous_version(dependency))}" \
|
|
225
|
+
"to #{new_version(dependency)}."
|
|
226
226
|
end
|
|
227
227
|
|
|
228
228
|
def dependency_set_intro
|
|
229
229
|
dependency = dependencies.first
|
|
230
230
|
|
|
231
|
-
"Bumps `#{dependency_set.fetch(:group)}` "\
|
|
232
|
-
|
|
233
|
-
|
|
231
|
+
"Bumps `#{dependency_set.fetch(:group)}` " \
|
|
232
|
+
"dependency set #{from_version_msg(previous_version(dependency))}" \
|
|
233
|
+
"to #{new_version(dependency)}."
|
|
234
234
|
end
|
|
235
235
|
|
|
236
236
|
def multidependency_intro
|
|
237
|
-
"Bumps #{dependency_links[0..-2].join(', ')} "\
|
|
238
|
-
|
|
239
|
-
|
|
237
|
+
"Bumps #{dependency_links[0..-2].join(', ')} " \
|
|
238
|
+
"and #{dependency_links[-1]}. These " \
|
|
239
|
+
"dependencies needed to be updated together."
|
|
240
240
|
end
|
|
241
241
|
|
|
242
242
|
def from_version_msg(previous_version)
|
|
@@ -293,10 +293,14 @@ module Dependabot
|
|
|
293
293
|
return metadata_links_for_dep(dependencies.first) if dependencies.count == 1
|
|
294
294
|
|
|
295
295
|
dependencies.map do |dep|
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
296
|
+
if dep.removed?
|
|
297
|
+
"\n\nRemoves `#{dep.display_name}`"
|
|
298
|
+
else
|
|
299
|
+
"\n\nUpdates `#{dep.display_name}` " \
|
|
300
|
+
"#{from_version_msg(previous_version(dep))}to " \
|
|
301
|
+
"#{new_version(dep)}" \
|
|
302
|
+
"#{metadata_links_for_dep(dep)}"
|
|
303
|
+
end
|
|
300
304
|
end.join
|
|
301
305
|
end
|
|
302
306
|
|
|
@@ -313,9 +317,13 @@ module Dependabot
|
|
|
313
317
|
return metadata_cascades_for_dep(dependencies.first) if dependencies.one?
|
|
314
318
|
|
|
315
319
|
dependencies.map do |dep|
|
|
316
|
-
msg =
|
|
317
|
-
|
|
318
|
-
|
|
320
|
+
msg = if dep.removed?
|
|
321
|
+
"\nRemoves `#{dep.display_name}`"
|
|
322
|
+
else
|
|
323
|
+
"\nUpdates `#{dep.display_name}` " \
|
|
324
|
+
"#{from_version_msg(previous_version(dep))}" \
|
|
325
|
+
"to #{new_version(dep)}"
|
|
326
|
+
end
|
|
319
327
|
|
|
320
328
|
if vulnerabilities_fixed[dep.name]&.one?
|
|
321
329
|
msg += " **This update includes a security fix.**"
|
|
@@ -328,6 +336,8 @@ module Dependabot
|
|
|
328
336
|
end
|
|
329
337
|
|
|
330
338
|
def metadata_cascades_for_dep(dependency)
|
|
339
|
+
return "" if dependency.removed?
|
|
340
|
+
|
|
331
341
|
MetadataPresenter.new(
|
|
332
342
|
dependency: dependency,
|
|
333
343
|
source: source,
|
|
@@ -417,21 +427,21 @@ module Dependabot
|
|
|
417
427
|
|
|
418
428
|
def docker_digest_from_reqs(requirements)
|
|
419
429
|
requirements.
|
|
420
|
-
|
|
421
|
-
|
|
430
|
+
filter_map { |r| r.dig(:source, "digest") || r.dig(:source, :digest) }.
|
|
431
|
+
first
|
|
422
432
|
end
|
|
423
433
|
|
|
424
434
|
def previous_ref(dependency)
|
|
425
|
-
previous_refs = dependency.previous_requirements.
|
|
435
|
+
previous_refs = dependency.previous_requirements.filter_map do |r|
|
|
426
436
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
|
427
|
-
end.
|
|
437
|
+
end.uniq
|
|
428
438
|
return previous_refs.first if previous_refs.count == 1
|
|
429
439
|
end
|
|
430
440
|
|
|
431
441
|
def new_ref(dependency)
|
|
432
|
-
new_refs = dependency.requirements.
|
|
442
|
+
new_refs = dependency.requirements.filter_map do |r|
|
|
433
443
|
r.dig(:source, "ref") || r.dig(:source, :ref)
|
|
434
|
-
end.
|
|
444
|
+
end.uniq
|
|
435
445
|
return new_refs.first if new_refs.count == 1
|
|
436
446
|
end
|
|
437
447
|
|
|
@@ -483,7 +493,7 @@ module Dependabot
|
|
|
483
493
|
|
|
484
494
|
def switching_from_ref_to_release?(dependency)
|
|
485
495
|
unless dependency.previous_version&.match?(/^[0-9a-f]{40}$/) ||
|
|
486
|
-
dependency.previous_version.nil? && previous_ref(dependency)
|
|
496
|
+
(dependency.previous_version.nil? && previous_ref(dependency))
|
|
487
497
|
return false
|
|
488
498
|
end
|
|
489
499
|
|
|
@@ -280,8 +280,7 @@ module Dependabot
|
|
|
280
280
|
reject { |c| c.author&.type == "Bot" }.
|
|
281
281
|
reject { |c| c.commit&.message&.start_with?("Merge") }.
|
|
282
282
|
map(&:commit).
|
|
283
|
-
|
|
284
|
-
compact.
|
|
283
|
+
filter_map(&:message).
|
|
285
284
|
map(&:strip)
|
|
286
285
|
end
|
|
287
286
|
|
|
@@ -292,8 +291,7 @@ module Dependabot
|
|
|
292
291
|
@recent_gitlab_commit_messages.
|
|
293
292
|
reject { |c| c.author_email == dependabot_email }.
|
|
294
293
|
reject { |c| c.message&.start_with?("merge !") }.
|
|
295
|
-
|
|
296
|
-
compact.
|
|
294
|
+
filter_map(&:message).
|
|
297
295
|
map(&:strip)
|
|
298
296
|
end
|
|
299
297
|
|
|
@@ -304,8 +302,7 @@ module Dependabot
|
|
|
304
302
|
@recent_azure_commit_messages.
|
|
305
303
|
reject { |c| azure_commit_author_email(c) == dependabot_email }.
|
|
306
304
|
reject { |c| c.fetch("comment")&.start_with?("Merge") }.
|
|
307
|
-
|
|
308
|
-
compact.
|
|
305
|
+
filter_map { |c| c.fetch("comment") }.
|
|
309
306
|
map(&:strip)
|
|
310
307
|
end
|
|
311
308
|
|
|
@@ -315,8 +312,7 @@ module Dependabot
|
|
|
315
312
|
|
|
316
313
|
@recent_bitbucket_commit_messages.
|
|
317
314
|
reject { |c| bitbucket_commit_author_email(c) == dependabot_email }.
|
|
318
|
-
|
|
319
|
-
compact.
|
|
315
|
+
filter_map { |c| c.fetch("message", nil) }.
|
|
320
316
|
reject { |m| m.start_with?("Merge") }.
|
|
321
317
|
map(&:strip)
|
|
322
318
|
end
|
|
@@ -327,8 +323,7 @@ module Dependabot
|
|
|
327
323
|
@recent_codecommit_commit_messages.commits.
|
|
328
324
|
reject { |c| c.author.email == dependabot_email }.
|
|
329
325
|
reject { |c| c.message&.start_with?("Merge") }.
|
|
330
|
-
|
|
331
|
-
compact.
|
|
326
|
+
filter_map(&:message).
|
|
332
327
|
map(&:strip)
|
|
333
328
|
end
|
|
334
329
|
|
|
@@ -11,16 +11,17 @@ module Dependabot
|
|
|
11
11
|
OBJECT_ID_FOR_BRANCH_DELETE = "0000000000000000000000000000000000000000"
|
|
12
12
|
|
|
13
13
|
attr_reader :source, :files, :base_commit, :old_commit, :credentials,
|
|
14
|
-
:pull_request_number
|
|
14
|
+
:pull_request_number, :author_details
|
|
15
15
|
|
|
16
16
|
def initialize(source:, files:, base_commit:, old_commit:,
|
|
17
|
-
credentials:, pull_request_number:)
|
|
17
|
+
credentials:, pull_request_number:, author_details: nil)
|
|
18
18
|
@source = source
|
|
19
19
|
@files = files
|
|
20
20
|
@base_commit = base_commit
|
|
21
21
|
@old_commit = old_commit
|
|
22
22
|
@credentials = credentials
|
|
23
23
|
@pull_request_number = pull_request_number
|
|
24
|
+
@author_details = author_details
|
|
24
25
|
end
|
|
25
26
|
|
|
26
27
|
def update
|
|
@@ -74,12 +75,15 @@ module Dependabot
|
|
|
74
75
|
end
|
|
75
76
|
|
|
76
77
|
def create_temp_branch
|
|
78
|
+
author = author_details&.slice(:name, :email, :date)
|
|
79
|
+
author = nil unless author&.any?
|
|
80
|
+
|
|
77
81
|
response = azure_client_for_source.create_commit(
|
|
78
82
|
temp_branch_name,
|
|
79
83
|
base_commit,
|
|
80
84
|
commit_message,
|
|
81
85
|
files,
|
|
82
|
-
|
|
86
|
+
author
|
|
83
87
|
)
|
|
84
88
|
|
|
85
89
|
JSON.parse(response.body).fetch("refUpdates").first.fetch("newObjectId")
|
|
@@ -173,7 +173,7 @@ module Dependabot
|
|
|
173
173
|
|
|
174
174
|
if e.message.match?(/protected branch/i) ||
|
|
175
175
|
e.message.match?(/not authorized to push/i) ||
|
|
176
|
-
e.message.
|
|
176
|
+
e.message.include?("must not contain merge commits") ||
|
|
177
177
|
e.message.match?(/required status check/i)
|
|
178
178
|
raise BranchProtected
|
|
179
179
|
end
|
|
@@ -51,7 +51,7 @@ module Dependabot
|
|
|
51
51
|
# @return [Boolean]
|
|
52
52
|
def fixed_by?(dependency)
|
|
53
53
|
# Handle case mismatch between the security advisory and parsed name
|
|
54
|
-
return false unless dependency_name.
|
|
54
|
+
return false unless dependency_name.casecmp(dependency.name).zero?
|
|
55
55
|
return false unless package_manager == dependency.package_manager
|
|
56
56
|
# TODO: Support no previous version to the same level as dependency graph
|
|
57
57
|
# and security alerts. We currently ignore dependency updates without a
|
|
@@ -62,6 +62,9 @@ module Dependabot
|
|
|
62
62
|
# Ignore deps that weren't previously vulnerable
|
|
63
63
|
return false unless affects_version?(dependency.previous_version)
|
|
64
64
|
|
|
65
|
+
# Removing a dependency is a way to fix the vulnerability
|
|
66
|
+
return true if dependency.removed?
|
|
67
|
+
|
|
65
68
|
# Select deps that are now fixed
|
|
66
69
|
!affects_version?(dependency.version)
|
|
67
70
|
end
|
|
@@ -109,13 +112,13 @@ module Dependabot
|
|
|
109
112
|
def check_version_requirements
|
|
110
113
|
unless vulnerable_versions.is_a?(Array) &&
|
|
111
114
|
vulnerable_versions.all? { |i| requirement_class <= i.class }
|
|
112
|
-
raise ArgumentError, "vulnerable_versions must be an array "\
|
|
115
|
+
raise ArgumentError, "vulnerable_versions must be an array " \
|
|
113
116
|
"of #{requirement_class} instances"
|
|
114
117
|
end
|
|
115
118
|
|
|
116
119
|
unless safe_versions.is_a?(Array) &&
|
|
117
120
|
safe_versions.all? { |i| requirement_class <= i.class }
|
|
118
|
-
raise ArgumentError, "safe_versions must be an array "\
|
|
121
|
+
raise ArgumentError, "safe_versions must be an array " \
|
|
119
122
|
"of #{requirement_class} instances"
|
|
120
123
|
end
|
|
121
124
|
end
|
|
@@ -17,9 +17,9 @@ require "dependabot/version"
|
|
|
17
17
|
module Dependabot
|
|
18
18
|
module SharedHelpers
|
|
19
19
|
GIT_CONFIG_GLOBAL_PATH = File.expand_path("~/.gitconfig")
|
|
20
|
-
USER_AGENT = "dependabot-core/#{Dependabot::VERSION} "\
|
|
21
|
-
"#{Excon::USER_AGENT} ruby/#{RUBY_VERSION} "\
|
|
22
|
-
"(#{RUBY_PLATFORM}) "\
|
|
20
|
+
USER_AGENT = "dependabot-core/#{Dependabot::VERSION} " \
|
|
21
|
+
"#{Excon::USER_AGENT} ruby/#{RUBY_VERSION} " \
|
|
22
|
+
"(#{RUBY_PLATFORM}) " \
|
|
23
23
|
"(+https://github.com/dependabot/dependabot-core)"
|
|
24
24
|
SIGKILL = 9
|
|
25
25
|
|
|
@@ -32,7 +32,7 @@ module Dependabot
|
|
|
32
32
|
reset_git_repo(repo_contents_path)
|
|
33
33
|
# Handle missing directories by creating an empty one and relying on the
|
|
34
34
|
# file fetcher to raise a DependencyFileNotFound error
|
|
35
|
-
FileUtils.mkdir_p(path)
|
|
35
|
+
FileUtils.mkdir_p(path)
|
|
36
36
|
Dir.chdir(path) { yield(path) }
|
|
37
37
|
else
|
|
38
38
|
in_a_temporary_directory(directory, &block)
|
|
@@ -40,7 +40,7 @@ module Dependabot
|
|
|
40
40
|
end
|
|
41
41
|
|
|
42
42
|
def self.in_a_temporary_directory(directory = "/")
|
|
43
|
-
|
|
43
|
+
FileUtils.mkdir_p(Utils::BUMP_TMP_DIR_PATH)
|
|
44
44
|
tmp_dir = Dir.mktmpdir(Utils::BUMP_TMP_FILE_PREFIX, Utils::BUMP_TMP_DIR_PATH)
|
|
45
45
|
|
|
46
46
|
begin
|
|
@@ -188,7 +188,7 @@ module Dependabot
|
|
|
188
188
|
# a wrapper binary that only allows non-mutating commands. Without this,
|
|
189
189
|
# whenever the credentials are deemed to be invalid, they're erased.
|
|
190
190
|
run_shell_command(
|
|
191
|
-
"git config --global credential.helper "\
|
|
191
|
+
"git config --global credential.helper " \
|
|
192
192
|
"'!#{credential_helper_path} --file #{Dir.pwd}/git.store'",
|
|
193
193
|
allow_unsafe_shell_command: true
|
|
194
194
|
)
|
|
@@ -224,7 +224,7 @@ module Dependabot
|
|
|
224
224
|
next unless cred["username"] && cred["password"]
|
|
225
225
|
|
|
226
226
|
authenticated_url =
|
|
227
|
-
"https://#{cred.fetch('username')}:#{cred.fetch('password')}"\
|
|
227
|
+
"https://#{cred.fetch('username')}:#{cred.fetch('password')}" \
|
|
228
228
|
"@#{cred.fetch('host')}"
|
|
229
229
|
|
|
230
230
|
git_store_content += authenticated_url + "\n"
|
|
@@ -241,23 +241,23 @@ module Dependabot
|
|
|
241
241
|
# NOTE: we use --global here (rather than --system) so that Dependabot
|
|
242
242
|
# can be run without privileged access
|
|
243
243
|
run_shell_command(
|
|
244
|
-
"git config --global --replace-all url.https://#{host}/."\
|
|
244
|
+
"git config --global --replace-all url.https://#{host}/." \
|
|
245
245
|
"insteadOf ssh://git@#{host}/"
|
|
246
246
|
)
|
|
247
247
|
run_shell_command(
|
|
248
|
-
"git config --global --add url.https://#{host}/."\
|
|
248
|
+
"git config --global --add url.https://#{host}/." \
|
|
249
249
|
"insteadOf ssh://git@#{host}:"
|
|
250
250
|
)
|
|
251
251
|
run_shell_command(
|
|
252
|
-
"git config --global --add url.https://#{host}/."\
|
|
252
|
+
"git config --global --add url.https://#{host}/." \
|
|
253
253
|
"insteadOf git@#{host}:"
|
|
254
254
|
)
|
|
255
255
|
run_shell_command(
|
|
256
|
-
"git config --global --add url.https://#{host}/."\
|
|
256
|
+
"git config --global --add url.https://#{host}/." \
|
|
257
257
|
"insteadOf git@#{host}/"
|
|
258
258
|
)
|
|
259
259
|
run_shell_command(
|
|
260
|
-
"git config --global --add url.https://#{host}/."\
|
|
260
|
+
"git config --global --add url.https://#{host}/." \
|
|
261
261
|
"insteadOf git://#{host}/"
|
|
262
262
|
)
|
|
263
263
|
end
|
data/lib/dependabot/source.rb
CHANGED
|
@@ -109,8 +109,8 @@ module Dependabot
|
|
|
109
109
|
def initialize(provider:, repo:, directory: nil, branch: nil, commit: nil,
|
|
110
110
|
hostname: nil, api_endpoint: nil)
|
|
111
111
|
if (hostname.nil? ^ api_endpoint.nil?) && (provider != "codecommit")
|
|
112
|
-
msg = "Both hostname and api_endpoint must be specified if either "\
|
|
113
|
-
"are. Alternatively, both may be left blank to use the "\
|
|
112
|
+
msg = "Both hostname and api_endpoint must be specified if either " \
|
|
113
|
+
"are. Alternatively, both may be left blank to use the " \
|
|
114
114
|
"provider's defaults."
|
|
115
115
|
raise msg
|
|
116
116
|
end
|
|
@@ -287,7 +287,7 @@ module Dependabot
|
|
|
287
287
|
|
|
288
288
|
def version_from_requirements
|
|
289
289
|
@version_from_requirements ||=
|
|
290
|
-
dependency.requirements.
|
|
290
|
+
dependency.requirements.filter_map { |r| r.fetch(:requirement) }.
|
|
291
291
|
flat_map { |req_str| requirement_class.requirements_array(req_str) }.
|
|
292
292
|
flat_map(&:requirements).
|
|
293
293
|
reject { |req_array| req_array.first.start_with?("<") }.
|
data/lib/dependabot/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-common
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.212.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-09-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: activesupport
|
|
@@ -98,20 +98,20 @@ dependencies:
|
|
|
98
98
|
requirements:
|
|
99
99
|
- - "~>"
|
|
100
100
|
- !ruby/object:Gem::Version
|
|
101
|
-
version: '1.
|
|
101
|
+
version: '1.11'
|
|
102
102
|
- - ">="
|
|
103
103
|
- !ruby/object:Gem::Version
|
|
104
|
-
version: 1.
|
|
104
|
+
version: 1.11.0
|
|
105
105
|
type: :runtime
|
|
106
106
|
prerelease: false
|
|
107
107
|
version_requirements: !ruby/object:Gem::Requirement
|
|
108
108
|
requirements:
|
|
109
109
|
- - "~>"
|
|
110
110
|
- !ruby/object:Gem::Version
|
|
111
|
-
version: '1.
|
|
111
|
+
version: '1.11'
|
|
112
112
|
- - ">="
|
|
113
113
|
- !ruby/object:Gem::Version
|
|
114
|
-
version: 1.
|
|
114
|
+
version: 1.11.0
|
|
115
115
|
- !ruby/object:Gem::Dependency
|
|
116
116
|
name: excon
|
|
117
117
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -132,14 +132,14 @@ dependencies:
|
|
|
132
132
|
requirements:
|
|
133
133
|
- - '='
|
|
134
134
|
- !ruby/object:Gem::Version
|
|
135
|
-
version: 2.
|
|
135
|
+
version: 2.5.2
|
|
136
136
|
type: :runtime
|
|
137
137
|
prerelease: false
|
|
138
138
|
version_requirements: !ruby/object:Gem::Requirement
|
|
139
139
|
requirements:
|
|
140
140
|
- - '='
|
|
141
141
|
- !ruby/object:Gem::Version
|
|
142
|
-
version: 2.
|
|
142
|
+
version: 2.5.2
|
|
143
143
|
- !ruby/object:Gem::Dependency
|
|
144
144
|
name: gitlab
|
|
145
145
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -284,6 +284,20 @@ dependencies:
|
|
|
284
284
|
- - "~>"
|
|
285
285
|
- !ruby/object:Gem::Version
|
|
286
286
|
version: '2.0'
|
|
287
|
+
- !ruby/object:Gem::Dependency
|
|
288
|
+
name: parallel_tests
|
|
289
|
+
requirement: !ruby/object:Gem::Requirement
|
|
290
|
+
requirements:
|
|
291
|
+
- - "~>"
|
|
292
|
+
- !ruby/object:Gem::Version
|
|
293
|
+
version: 3.12.0
|
|
294
|
+
type: :development
|
|
295
|
+
prerelease: false
|
|
296
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
297
|
+
requirements:
|
|
298
|
+
- - "~>"
|
|
299
|
+
- !ruby/object:Gem::Version
|
|
300
|
+
version: 3.12.0
|
|
287
301
|
- !ruby/object:Gem::Dependency
|
|
288
302
|
name: rake
|
|
289
303
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -332,14 +346,28 @@ dependencies:
|
|
|
332
346
|
requirements:
|
|
333
347
|
- - "~>"
|
|
334
348
|
- !ruby/object:Gem::Version
|
|
335
|
-
version: 1.
|
|
349
|
+
version: 1.36.0
|
|
350
|
+
type: :development
|
|
351
|
+
prerelease: false
|
|
352
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
353
|
+
requirements:
|
|
354
|
+
- - "~>"
|
|
355
|
+
- !ruby/object:Gem::Version
|
|
356
|
+
version: 1.36.0
|
|
357
|
+
- !ruby/object:Gem::Dependency
|
|
358
|
+
name: rubocop-performance
|
|
359
|
+
requirement: !ruby/object:Gem::Requirement
|
|
360
|
+
requirements:
|
|
361
|
+
- - "~>"
|
|
362
|
+
- !ruby/object:Gem::Version
|
|
363
|
+
version: 1.14.2
|
|
336
364
|
type: :development
|
|
337
365
|
prerelease: false
|
|
338
366
|
version_requirements: !ruby/object:Gem::Requirement
|
|
339
367
|
requirements:
|
|
340
368
|
- - "~>"
|
|
341
369
|
- !ruby/object:Gem::Version
|
|
342
|
-
version: 1.
|
|
370
|
+
version: 1.14.2
|
|
343
371
|
- !ruby/object:Gem::Dependency
|
|
344
372
|
name: ruby-debug-ide
|
|
345
373
|
requirement: !ruby/object:Gem::Requirement
|