dependabot-common 0.211.0 → 0.213.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6e1b0e492dee111c834810de7850faa8a0bb5150e281d5eb32e8b44802f2be1f
-  data.tar.gz: 2c9c14aeb59e0d6c33b1630c5425529dff45624f9b1657390ae644dd8d0abbbf
+  metadata.gz: 23fa5c7ea872ca0849f22018af9b0811ad9044f03a4e7d59aa023b3dd80bd4e6
+  data.tar.gz: cea778ebef75ccec5afcd3e5932af78d9711c51c4c864ea02d65930fce8ca4dc
 SHA512:
-  metadata.gz: 821283e91686501710d6146944b8b10f559cd7ed9e0084edfc5176027083c24b26918a273c823f5fd829f575d5e1a29ead356db403307ba0e36147de30e9e3de
-  data.tar.gz: 768791aeb20b739bd36d4b788164f5d9e11f096879b7ac517cc4fbaa81462f58e1e1cb1d03a8fce5183b0af4da2ac5458a482dc31ee36cc6d5bf09697300c5ef
+  metadata.gz: b14ad55cbabd2a49bd35c7f8012f95972515eead80a71363353a8978286e9d756fd97da5442cb3013acdebfb1a77c7f8f7c450bac553a2d6f52b12687fcf2d43
+  data.tar.gz: 86cbba3afb724d1ee0b6c1fd0bb357a33c288263b3032e0ef029e099b5d7f7d8d5104526a8890d6233fdb8850b56ecd05cb0746bd8e6fe8fd84338db8caa28dd

data/lib/dependabot/clients/azure.rb

@@ -310,7 +310,7 @@ module Dependabot
         # https://developercommunity.visualstudio.com/content/problem/608770/remove-4000-character-limit-on-pull-request-descri.html
         pr_description = pr_description.dup.force_encoding(Encoding::UTF_16)
         if pr_description.length > MAX_PR_DESCRIPTION_LENGTH
-          truncated_msg = "...\n\n_Description has been truncated_".dup.force_encoding(Encoding::UTF_16)
+          truncated_msg = (+"...\n\n_Description has been truncated_").force_encoding(Encoding::UTF_16)
           truncate_length = MAX_PR_DESCRIPTION_LENGTH - truncated_msg.length
           pr_description = (pr_description[0..truncate_length] + truncated_msg)
         end

data/lib/dependabot/clients/bitbucket.rb

@@ -144,7 +144,14 @@ module Dependabot
       end
       # rubocop:enable Metrics/ParameterLists
 
+      def current_user
+        base_url = "https://api.bitbucket.org/2.0/user?fields=uuid"
+        response = get(base_url)
+        JSON.parse(response.body).fetch("uuid")
+      end
+
       def default_reviewers(repo)
+        current_uuid = current_user
         path = "#{repo}/default-reviewers?pagelen=100&fields=values.uuid,next"
         reviewers_url = base_url + path
 
@@ -153,7 +160,7 @@ module Dependabot
         reviewer_data = []
 
         default_reviewers.each do |reviewer|
-          reviewer_data.append({ uuid: reviewer.fetch("uuid") })
+          reviewer_data.append({ uuid: reviewer.fetch("uuid") }) unless current_uuid == reviewer.fetch("uuid")
         end
 
         reviewer_data
@@ -189,8 +196,8 @@ module Dependabot
         raise NotFound if response.status == 404
 
         if response.status >= 400
-          raise "Unhandled Bitbucket error!\n"\
-                "Status: #{response.status}\n"\
+          raise "Unhandled Bitbucket error!\n" \
+                "Status: #{response.status}\n" \
                 "Body: #{response.body}"
         end
 

data/lib/dependabot/config/file.rb

@@ -71,7 +71,7 @@ module Dependabot
         commit_message = cfg&.dig(:"commit-message") || {}
         Dependabot::Config::UpdateConfig::CommitMessageOptions.new(
           prefix: commit_message[:prefix],
-          prefix_development: commit_message[:"prefix-development"],
+          prefix_development: commit_message[:"prefix-development"] || commit_message[:prefix],
           include: commit_message[:include]
         )
       end

data/lib/dependabot/config/ignore_condition.rb

@@ -28,7 +28,7 @@ module Dependabot
       private
 
       def transformed_update_types
-        update_types.map(&:downcase).map(&:strip).compact
+        update_types.map(&:downcase).filter_map(&:strip)
       end
 
       def versions_by_type(dependency)

data/lib/dependabot/dependency.rb

@@ -37,11 +37,11 @@ module Dependabot
 
     attr_reader :name, :version, :requirements, :package_manager,
                 :previous_version, :previous_requirements,
-                :subdependency_metadata
+                :subdependency_metadata, :metadata
 
     def initialize(name:, requirements:, package_manager:, version: nil,
                    previous_version: nil, previous_requirements: nil,
-                   subdependency_metadata: [], removed: false)
+                   subdependency_metadata: [], removed: false, metadata: {})
       @name = name
       @version = version
       @requirements = requirements.map { |req| symbolize_keys(req) }
@@ -54,6 +54,7 @@ module Dependabot
                                   map { |h| symbolize_keys(h) }
       end
       @removed = removed
+      @metadata = symbolize_keys(metadata || {})
 
       check_values
     end
@@ -105,6 +106,22 @@ module Dependabot
       display_name_builder.call(name)
     end
 
+    # Returns all detected versions of the dependency. Only ecosystems that
+    # support this feature will return more than the current version.
+    def all_versions
+      all_versions = metadata[:all_versions]
+      return [version].compact unless all_versions
+
+      all_versions.filter_map(&:version)
+    end
+
+    # This dependency is being indirectly updated by an update to another
+    # dependency. We don't need to try and update it ourselves but want to
+    # surface it to the user in the PR.
+    def informational_only?
+      metadata[:information_only]
+    end
+
     def ==(other)
       other.instance_of?(self.class) && to_h == other.to_h
     end
@@ -120,9 +137,7 @@ module Dependabot
     private
 
     def check_values
-      if [version, previous_version].any? { |v| v == "" }
-        raise ArgumentError, "blank strings must not be provided as versions"
-      end
+      raise ArgumentError, "blank strings must not be provided as versions" if [version, previous_version].any?("")
 
       check_requirement_fields
       check_subdependency_metadata
@@ -130,8 +145,8 @@ module Dependabot
 
     def check_requirement_fields
       requirement_fields = [requirements, previous_requirements].compact
-      unless requirement_fields.all? { |r| r.is_a?(Array) } &&
-             requirement_fields.flatten.all? { |r| r.is_a?(Hash) }
+      unless requirement_fields.all?(Array) &&
+             requirement_fields.flatten.all?(Hash)
         raise ArgumentError, "requirements must be an array of hashes"
       end
 
@@ -139,9 +154,9 @@ module Dependabot
       optional_keys = %i(metadata)
       unless requirement_fields.flatten.
              all? { |r| required_keys.sort == (r.keys - optional_keys).sort }
-        raise ArgumentError, "each requirement must have the following "\
-                             "required keys: #{required_keys.join(', ')}."\
-                             "Optionally, it may have the following keys: "\
+        raise ArgumentError, "each requirement must have the following " \
+                             "required keys: #{required_keys.join(', ')}." \
+                             "Optionally, it may have the following keys: " \
                              "#{optional_keys.join(', ')}."
       end
 
@@ -154,13 +169,13 @@ module Dependabot
       return unless subdependency_metadata
 
       unless subdependency_metadata.is_a?(Array) &&
-             subdependency_metadata.all? { |r| r.is_a?(Hash) }
+             subdependency_metadata.all?(Hash)
         raise ArgumentError, "subdependency_metadata must be an array of hashes"
       end
     end
 
     def symbolize_keys(hash)
-      hash.keys.map { |k| [k.to_sym, hash[k]] }.to_h
+      hash.keys.to_h { |k| [k.to_sym, hash[k]] }
     end
   end
 end

data/lib/dependabot/errors.rb

@@ -4,9 +4,9 @@ require "dependabot/utils"
 
 module Dependabot
   class DependabotError < StandardError
-    BASIC_AUTH_REGEX = %r{://(?<auth>[^:]*:[^@%\s]+(@|%40))}.freeze
+    BASIC_AUTH_REGEX = %r{://(?<auth>[^:]*:[^@%\s]+(@|%40))}
     # Remove any path segment from fury.io sources
-    FURY_IO_PATH_REGEX = %r{fury\.io/(?<path>.+)}.freeze
+    FURY_IO_PATH_REGEX = %r{fury\.io/(?<path>.+)}
 
     def initialize(message = nil)
       super(sanitize_message(message))
@@ -18,7 +18,7 @@ module Dependabot
       return message unless message.is_a?(String)
 
       path_regex =
-        Regexp.escape(Utils::BUMP_TMP_DIR_PATH) + "\/" +
+        Regexp.escape(Utils::BUMP_TMP_DIR_PATH) + "\\/" +
         Regexp.escape(Utils::BUMP_TMP_FILE_PREFIX) + "[a-zA-Z0-9-]*"
 
       message = message.gsub(/#{path_regex}/, "dependabot_tmp_dir").strip
@@ -124,8 +124,8 @@ module Dependabot
 
     def initialize(source)
       @source = sanitize_source(source)
-      msg = "The following source could not be reached as it requires "\
-            "authentication (and any provided details were invalid or lacked "\
+      msg = "The following source could not be reached as it requires " \
+            "authentication (and any provided details were invalid or lacked " \
             "the required permissions): #{@source}"
       super(msg)
     end
@@ -173,7 +173,7 @@ module Dependabot
       @dependency_urls =
         dependency_urls.flatten.map { |uri| filter_sensitive_data(uri) }
 
-      msg = "The following git URLs could not be retrieved: "\
+      msg = "The following git URLs could not be retrieved: " \
             "#{@dependency_urls.join(', ')}"
       super(msg)
     end
@@ -185,7 +185,7 @@ module Dependabot
     def initialize(dependency)
       @dependency = dependency
 
-      msg = "The branch or reference specified for #{@dependency} could not "\
+      msg = "The branch or reference specified for #{@dependency} could not " \
             "be retrieved"
       super(msg)
     end
@@ -196,7 +196,7 @@ module Dependabot
 
     def initialize(*dependencies)
       @dependencies = dependencies.flatten
-      msg = "The following path based dependencies could not be retrieved: "\
+      msg = "The following path based dependencies could not be retrieved: " \
             "#{@dependencies.join(', ')}"
       super(msg)
     end
@@ -210,8 +210,8 @@ module Dependabot
       @declared_path = declared_path
       @discovered_path = discovered_path
 
-      msg = "The module path '#{@declared_path}' found in #{@go_mod} doesn't "\
-            "match the actual path '#{@discovered_path}' in the dependency's "\
+      msg = "The module path '#{@declared_path}' found in #{@go_mod} doesn't " \
+            "match the actual path '#{@discovered_path}' in the dependency's " \
             "go.mod"
       super(msg)
     end

data/lib/dependabot/experiments.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module Experiments
+    @experiments = {}
+
+    def self.reset!
+      @experiments = {}
+    end
+
+    def self.register(name, value)
+      @experiments[name.to_sym] = value
+    end
+
+    def self.enabled?(name)
+      !!@experiments[name.to_sym]
+    end
+  end
+end

data/lib/dependabot/file_fetchers/base.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "stringio"
 require "dependabot/config"
 require "dependabot/dependency_file"
 require "dependabot/source"
@@ -69,6 +70,7 @@ module Dependabot
       end
 
       def commit
+        return cloned_commit if cloned_commit
         return source.commit if source.commit
 
         branch = target_branch || default_branch_for_repo
@@ -84,7 +86,11 @@ module Dependabot
       def clone_repo_contents
         @clone_repo_contents ||=
           _clone_repo_contents(target_directory: repo_contents_path)
-      rescue Dependabot::SharedHelpers::HelperSubprocessFailed
+      rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
+        if e.message.include?("fatal: Remote branch #{target_branch} not found in upstream origin")
+          raise Dependabot::BranchNotFound, target_branch
+        end
+
         raise Dependabot::RepoNotFound, source
       end
 
@@ -141,7 +147,7 @@ module Dependabot
 
         path = Pathname.new(File.join(directory, filename)).cleanpath.to_path
         content = _fetch_file_content(path, fetch_submodules: fetch_submodules)
-        type = @linked_paths.key?(path.gsub(%r{^/}, "")) ? "symlink" : type
+        type = "symlink" if @linked_paths.key?(path.gsub(%r{^/}, ""))
 
         DependencyFile.new(
           name: Pathname.new(filename).cleanpath.to_path,
@@ -168,6 +174,97 @@ module Dependabot
                                 end
       end
 
+      def cloned_commit
+        return if repo_contents_path.nil? || !File.directory?(File.join(repo_contents_path, ".git"))
+
+        SharedHelpers.with_git_configured(credentials: credentials) do
+          Dir.chdir(repo_contents_path) do
+            return SharedHelpers.run_shell_command("git rev-parse HEAD")&.strip
+          end
+        end
+      end
+
+      def default_branch_for_repo
+        @default_branch_for_repo ||= client_for_provider.
+                                     fetch_default_branch(repo)
+      rescue *CLIENT_NOT_FOUND_ERRORS
+        raise Dependabot::RepoNotFound, source
+      end
+
+      def update_linked_paths(repo, path, commit, github_response)
+        case github_response.type
+        when "submodule"
+          sub_source = Source.from_url(github_response.submodule_git_url)
+          return unless sub_source
+
+          @linked_paths[path] = {
+            repo: sub_source.repo,
+            provider: sub_source.provider,
+            commit: github_response.sha,
+            path: "/"
+          }
+        when "symlink"
+          updated_path = File.join(File.dirname(path), github_response.target)
+          @linked_paths[path] = {
+            repo: repo,
+            provider: "github",
+            commit: commit,
+            path: Pathname.new(updated_path).cleanpath.to_path
+          }
+        end
+      end
+
+      def recurse_submodules_when_cloning?
+        false
+      end
+
+      def client_for_provider
+        case source.provider
+        when "github" then github_client
+        when "gitlab" then gitlab_client
+        when "azure" then azure_client
+        when "bitbucket" then bitbucket_client
+        when "codecommit" then codecommit_client
+        else raise "Unsupported provider '#{source.provider}'."
+        end
+      end
+
+      def github_client
+        @github_client ||=
+          Dependabot::Clients::GithubWithRetries.for_source(
+            source: source,
+            credentials: credentials
+          )
+      end
+
+      def gitlab_client
+        @gitlab_client ||=
+          Dependabot::Clients::GitlabWithRetries.for_source(
+            source: source,
+            credentials: credentials
+          )
+      end
+
+      def azure_client
+        @azure_client ||=
+          Dependabot::Clients::Azure.
+          for_source(source: source, credentials: credentials)
+      end
+
+      def bitbucket_client
+        # TODO: When self-hosted Bitbucket is supported this should use
+        # `Bitbucket.for_source`
+        @bitbucket_client ||=
+          Dependabot::Clients::BitbucketWithRetries.
+          for_bitbucket_dot_org(credentials: credentials)
+      end
+
+      def codecommit_client
+        @codecommit_client ||=
+          Dependabot::Clients::CodeCommit.
+          for_source(source: source, credentials: credentials)
+      end
+
       #################################################
       # INTERNAL METHODS (not for use by sub-classes) #
       #################################################
@@ -233,8 +330,8 @@ module Dependabot
         repo_path = File.join(clone_repo_contents, relative_path)
         return [] unless Dir.exist?(repo_path)
 
-        Dir.entries(repo_path).map do |name|
-          next if [".", ".."].include?(name)
+        Dir.entries(repo_path).filter_map do |name|
+          next if name == "." || name == ".."
 
           absolute_path = File.join(repo_path, name)
           type = if File.symlink?(absolute_path)
@@ -251,29 +348,6 @@ module Dependabot
             type: type,
             size: 0 # NOTE: added for parity with github contents API
           )
-        end.compact
-      end
-
-      def update_linked_paths(repo, path, commit, github_response)
-        case github_response.type
-        when "submodule"
-          sub_source = Source.from_url(github_response.submodule_git_url)
-          return unless sub_source
-
-          @linked_paths[path] = {
-            repo: sub_source.repo,
-            provider: sub_source.provider,
-            commit: github_response.sha,
-            path: "/"
-          }
-        when "symlink"
-          updated_path = File.join(File.dirname(path), github_response.target)
-          @linked_paths[path] = {
-            repo: repo,
-            provider: "github",
-            commit: commit,
-            path: Pathname.new(updated_path).cleanpath.to_path
-          }
         end
       end
 
@@ -473,13 +547,6 @@ module Dependabot
       end
       # rubocop:enable Metrics/AbcSize
 
-      def default_branch_for_repo
-        @default_branch_for_repo ||= client_for_provider.
-                                     fetch_default_branch(repo)
-      rescue *CLIENT_NOT_FOUND_ERRORS
-        raise Dependabot::RepoNotFound, source
-      end
-
       # Update the @linked_paths hash by exploiting a side-effect of
       # recursively calling `repo_contents` for each directory up the tree
       # until a submodule or symlink is found
@@ -504,6 +571,10 @@ module Dependabot
           max_by(&:length)
       end
 
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/BlockLength
       def _clone_repo_contents(target_directory:)
         SharedHelpers.with_git_configured(credentials: credentials) do
           path = target_directory || File.join("tmp", source.repo)
@@ -512,62 +583,54 @@ module Dependabot
           return path if Dir.exist?(File.join(path, ".git"))
 
           FileUtils.mkdir_p(path)
-          br_opt = " --branch #{source.branch} --single-branch" if source.branch
+
+          clone_options = StringIO.new
+          clone_options << "--no-tags --depth 1"
+          clone_options << if recurse_submodules_when_cloning?
+                             " --recurse-submodules --shallow-submodules"
+                           else
+                             " --no-recurse-submodules"
+                           end
+          clone_options << " --branch #{source.branch} --single-branch" if source.branch
           SharedHelpers.run_shell_command(
             <<~CMD
-              git clone --no-tags --no-recurse-submodules --depth 1#{br_opt} #{source.url} #{path}
+              git clone #{clone_options.string} #{source.url} #{path}
             CMD
           )
-          path
-        end
-      end
-
-      def client_for_provider
-        case source.provider
-        when "github" then github_client
-        when "gitlab" then gitlab_client
-        when "azure" then azure_client
-        when "bitbucket" then bitbucket_client
-        when "codecommit" then codecommit_client
-        else raise "Unsupported provider '#{source.provider}'."
-        end
-      end
-
-      def github_client
-        @github_client ||=
-          Dependabot::Clients::GithubWithRetries.for_source(
-            source: source,
-            credentials: credentials
-          )
-      end
-
-      def gitlab_client
-        @gitlab_client ||=
-          Dependabot::Clients::GitlabWithRetries.for_source(
-            source: source,
-            credentials: credentials
-          )
-      end
 
-      def azure_client
-        @azure_client ||=
-          Dependabot::Clients::Azure.
-          for_source(source: source, credentials: credentials)
-      end
-
-      def bitbucket_client
-        # TODO: When self-hosted Bitbucket is supported this should use
-        # `Bitbucket.for_source`
-        @bitbucket_client ||=
-          Dependabot::Clients::BitbucketWithRetries.
-          for_bitbucket_dot_org(credentials: credentials)
-      end
+          if source.commit
+            # This code will only be called for testing. Production will never pass a commit
+            # since Dependabot always wants to use the latest commit on a branch.
+            Dir.chdir(path) do
+              fetch_options = StringIO.new
+              fetch_options << "--depth 1"
+              fetch_options << if recurse_submodules_when_cloning?
+                                 " --recurse-submodules=on-demand"
+                               else
+                                 " --no-recurse-submodules"
+                               end
+              # Need to fetch the commit due to the --depth 1 above.
+              SharedHelpers.run_shell_command("git fetch #{fetch_options.string} origin #{source.commit}")
+
+              reset_options = StringIO.new
+              reset_options << "--hard"
+              reset_options << if recurse_submodules_when_cloning?
+                                 " --recurse-submodules"
+                               else
+                                 " --no-recurse-submodules"
+                               end
+              # Set HEAD to this commit so later calls so git reset HEAD will work.
+              SharedHelpers.run_shell_command("git reset #{reset_options.string} #{source.commit}")
+            end
+          end
 
-      def codecommit_client
-        @codecommit_client ||=
-          Dependabot::Clients::CodeCommit.
-          for_source(source: source, credentials: credentials)
+          path
+        end
       end
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/BlockLength
     end
   end
 end