dependabot-common 0.211.0 → 0.213.0

data/lib/dependabot/file_parsers/base/dependency_set.rb

@@ -10,38 +10,46 @@ module Dependabot
       class DependencySet
         def initialize(dependencies = [], case_sensitive: false)
           unless dependencies.is_a?(Array) &&
-                 dependencies.all? { |dep| dep.is_a?(Dependency) }
+                 dependencies.all?(Dependency)
             raise ArgumentError, "must be an array of Dependency objects"
           end
 
-          @dependencies = dependencies
           @case_sensitive = case_sensitive
+          @dependencies = Hash.new { |hsh, key| hsh[key] = DependencySlot.new }
+          dependencies.each { |dep| self << dep }
         end
 
-        attr_reader :dependencies
+        def dependencies
+          @dependencies.values.filter_map(&:combined)
+        end
 
         def <<(dep)
           raise ArgumentError, "must be a Dependency object" unless dep.is_a?(Dependency)
 
-          existing_dependency = dependency_for_name(dep.name)
+          @dependencies[key_for_dependency(dep)] << dep
+          self
+        end
 
-          return self if existing_dependency&.to_h == dep.to_h
+        def +(other)
+          raise ArgumentError, "must be a DependencySet" unless other.is_a?(DependencySet)
 
-          if existing_dependency
-            dependencies[dependencies.index(existing_dependency)] =
-              combined_dependency(existing_dependency, dep)
-          else
-            dependencies << dep
+          other_names = other.dependencies.map(&:name)
+          other_names.each do |name|
+            all_versions = other.all_versions_for_name(name)
+            all_versions.each { |dep| self << dep }
           end
 
           self
         end
 
-        def +(other)
-          raise ArgumentError, "must be a DependencySet" unless other.is_a?(DependencySet)
+        def all_versions_for_name(name)
+          key = key_for_name(name)
+          @dependencies.key?(key) ? @dependencies[key].all_versions : []
+        end
 
-          other.dependencies.each { |dep| self << dep }
-          self
+        def dependency_for_name(name)
+          key = key_for_name(name)
+          @dependencies.key?(key) ? @dependencies[key].combined : nil
         end
 
         private
@@ -50,41 +58,98 @@ module Dependabot
           @case_sensitive
         end
 
-        def dependency_for_name(name)
-          return dependencies.find { |d| d.name == name } if case_sensitive?
+        def key_for_name(name)
+          case_sensitive? ? name : name.downcase
+        end
 
-          dependencies.find { |d| d.name&.downcase == name&.downcase }
+        def key_for_dependency(dep)
+          key_for_name(dep.name)
         end
 
-        def combined_dependency(old_dep, new_dep)
-          package_manager = old_dep.package_manager
-          v_cls = Utils.version_class_for_package_manager(package_manager)
-
-          # If we already have a requirement use the existing version
-          # (if present). Otherwise, use whatever the lowest version is
-          new_version =
-            if old_dep.requirements.any? then old_dep.version || new_dep.version
-            elsif !v_cls.correct?(new_dep.version) then old_dep.version
-            elsif !v_cls.correct?(old_dep.version) then new_dep.version
-            elsif v_cls.new(new_dep.version) > v_cls.new(old_dep.version)
-              old_dep.version
+        # There can only be one entry per dependency name in a `DependencySet`. Each entry
+        # is assigned a `DependencySlot`.
+        #
+        # In some ecosystems (like `npm_and_yarn`), however, multiple versions of a
+        # dependency may be encountered and added to the set. The `DependencySlot` retains
+        # all added versions and presents a single unified dependency for the entry
+        # that combines the attributes of these versions.
+        #
+        # The combined dependency is accessible via `DependencySet#dependencies` or
+        # `DependencySet#dependency_for_name`. The list of individual versions of the
+        # dependency is accessible via `DependencySet#all_versions_for_name`.
+        class DependencySlot
+          attr_reader :all_versions, :combined
+
+          def initialize
+            @all_versions = []
+            @combined = nil
+          end
+
+          def <<(dep)
+            return self if @all_versions.include?(dep)
+
+            @combined = if @combined
+                          combined_dependency(@combined, dep)
+                        else
+                          Dependency.new(
+                            name: dep.name,
+                            version: dep.version,
+                            requirements: dep.requirements,
+                            package_manager: dep.package_manager,
+                            subdependency_metadata: dep.subdependency_metadata
+                          )
+                        end
+
+            index_of_same_version =
+              @all_versions.find_index { |other| other.version == dep.version }
+
+            if index_of_same_version.nil?
+              @all_versions << dep
             else
-              new_dep.version
+              same_version = @all_versions[index_of_same_version]
+              @all_versions[index_of_same_version] = combined_dependency(same_version, dep)
             end
 
-          subdependency_metadata = (
-            (old_dep.subdependency_metadata || []) +
-            (new_dep.subdependency_metadata || [])
-          ).uniq
-
-          Dependency.new(
-            name: old_dep.name,
-            version: new_version,
-            requirements: (old_dep.requirements + new_dep.requirements).uniq,
-            package_manager: package_manager,
-            subdependency_metadata: subdependency_metadata
-          )
+            self
+          end
+
+          private
+
+          # Produces a new dependency by merging the attributes of `old_dep` with those of
+          # `new_dep`. Requirements and subdependency metadata will be combined and deduped.
+          # The version of the combined dependency is determined by the logic below.
+          def combined_dependency(old_dep, new_dep)
+            version = if old_dep.top_level? # Prefer a direct dependency over a transitive one
+                        old_dep.version || new_dep.version
+                      elsif !version_class.correct?(new_dep.version)
+                        old_dep.version
+                      elsif !version_class.correct?(old_dep.version)
+                        new_dep.version
+                      elsif version_class.new(new_dep.version) > version_class.new(old_dep.version)
+                        old_dep.version
+                      else
+                        new_dep.version
+                      end
+            requirements = (old_dep.requirements + new_dep.requirements).uniq
+            subdependency_metadata = (
+              (old_dep.subdependency_metadata || []) +
+              (new_dep.subdependency_metadata || [])
+            ).uniq
+
+            Dependency.new(
+              name: old_dep.name,
+              version: version,
+              requirements: requirements,
+              package_manager: old_dep.package_manager,
+              subdependency_metadata: subdependency_metadata
+            )
+          end
+
+          def version_class
+            @version_class ||= Utils.version_class_for_package_manager(@combined.package_manager)
+          end
         end
+        private_constant :DependencySlot
       end
     end
   end

data/lib/dependabot/file_updaters/vendor_updater.rb

@@ -18,7 +18,9 @@ module Dependabot
         return [] unless repo_contents_path && vendor_dir
 
         Dir.chdir(repo_contents_path) do
+          # rubocop:disable Performance/DeletePrefix
           relative_dir = Pathname.new(base_directory).sub(%r{\A/}, "").join(vendor_dir)
+          # rubocop:enable Performance/DeletePrefix
 
           status = SharedHelpers.run_shell_command(
             "git status --untracked-files all --porcelain v1 #{relative_dir}"

data/lib/dependabot/git_commit_checker.rb

@@ -19,7 +19,7 @@ module Dependabot
         |
         [0-9]+\.[0-9]+(?:\.[a-z0-9\-]+)*
       )$
-    /ix.freeze
+    /ix
 
     def initialize(dependency:, credentials:,
                    ignored_versions: [], raise_on_ignored: false,
@@ -49,8 +49,14 @@ module Dependabot
       return true if branch
       return true if dependency.version&.start_with?(ref)
 
-      # Check the specified `ref` isn't actually a branch
-      !local_upload_pack.match?(%r{ refs/heads/#{ref}$})
+      # If the specified `ref` is actually a tag, we're pinned
+      return true if local_upload_pack.match?(%r{ refs/tags/#{ref}$})
+
+      # If the specified `ref` is actually a branch, we're NOT pinned
+      return false if local_upload_pack.match?(%r{ refs/heads/#{ref}$})
+
+      # Otherwise, assume we're pinned
+      true
     end
 
     def pinned_ref_looks_like_version?
@@ -61,6 +67,10 @@ module Dependabot
 
     def pinned_ref_looks_like_commit_sha?
       ref = dependency_source_details.fetch(:ref)
+      ref_looks_like_commit_sha?(ref)
+    end
+
+    def ref_looks_like_commit_sha?(ref)
       return false unless ref&.match?(/^[0-9a-f]{6,40}$/)
 
       return false unless pinned?
@@ -86,6 +96,10 @@ module Dependabot
       raise Dependabot::GitDependencyReferenceNotFound, dependency.name
     end
 
+    def head_commit_for_local_branch(name)
+      local_repo_git_metadata_fetcher.head_commit_for_ref(name)
+    end
+
     def local_tags_for_latest_version_commit_sha
       tags = allowed_version_tags
       max_tag = max_version_tag(tags)
@@ -274,8 +288,8 @@ module Dependabot
     end
 
     def bitbucket_commit_comparison_status(ref1, ref2)
-      url = "https://api.bitbucket.org/2.0/repositories/"\
-            "#{listing_source_repo}/commits/?"\
+      url = "https://api.bitbucket.org/2.0/repositories/" \
+            "#{listing_source_repo}/commits/?" \
             "include=#{ref2}&exclude=#{ref1}"
 
       client = Clients::BitbucketWithRetries.
@@ -361,17 +375,19 @@ module Dependabot
     def listing_tags
       return [] unless listing_source_url
 
-      tags = listing_repo_git_metadata_fetcher.tags
+      @listing_tags ||= begin
+        tags = listing_repo_git_metadata_fetcher.tags
 
-      if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
-        tags = tags.map do |tag|
-          tag.dup.tap { |t| t.name = "tags/#{tag.name}" }
+        if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
+          tags = tags.map do |tag|
+            tag.dup.tap { |t| t.name = "tags/#{tag.name}" }
+          end
         end
-      end
 
-      tags
-    rescue GitDependenciesNotReachable
-      []
+        tags
+      rescue GitDependenciesNotReachable
+        []
+      end
     end
 
     def listing_upload_pack

data/lib/dependabot/git_metadata_fetcher.rb

@@ -6,7 +6,7 @@ require "dependabot/errors"
 
 module Dependabot
   class GitMetadataFetcher
-    KNOWN_HOSTS = /github\.com|bitbucket\.org|gitlab.com/i.freeze
+    KNOWN_HOSTS = /github\.com|bitbucket\.org|gitlab.com/i
 
     def initialize(url:, credentials:)
       @url = url
@@ -88,7 +88,7 @@ module Dependabot
       service_pack_uri = uri
       service_pack_uri += ".git" unless service_pack_uri.end_with?(".git")
 
-      env = { "PATH" => ENV["PATH"] }
+      env = { "PATH" => ENV.fetch("PATH", nil) }
       command = "git ls-remote #{service_pack_uri}"
       command = SharedHelpers.escape_command(command)
 
@@ -125,7 +125,7 @@ module Dependabot
         full_ref_name = line.split.last
         next unless full_ref_name.start_with?("refs/tags", "refs/heads")
 
-        peeled_lines << line && next if line.strip.end_with?("^{}")
+        (peeled_lines << line) && next if line.strip.end_with?("^{}")
 
         ref_name = full_ref_name.sub(%r{^refs/(tags|heads)/}, "").strip
         sha = sha_for_update_pack_line(line)

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -239,7 +239,7 @@ module Dependabot
           files += github_client.contents(source.repo, opts)
 
           files.uniq.each do |f|
-            next unless %w(doc docs).include?(f.name) && f.type == "dir"
+            next unless f.type == "dir" && f.name.match?(/docs?/o)
 
             opts = { path: f.path, ref: ref }.compact
             files += github_client.contents(source.repo, opts)
@@ -300,16 +300,16 @@ module Dependabot
         end
 
         def previous_ref
-          previous_refs = dependency.previous_requirements.map do |r|
+          previous_refs = dependency.previous_requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.uniq
+          end.uniq
           return previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
-          new_refs = dependency.requirements.map do |r|
+          new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.uniq
+          end.uniq
           return new_refs.first if new_refs.count == 1
         end
 

data/lib/dependabot/metadata_finders/base/changelog_pruner.rb

@@ -137,16 +137,16 @@ module Dependabot
         end
 
         def previous_ref
-          previous_refs = dependency.previous_requirements.map do |r|
+          previous_refs = dependency.previous_requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.uniq
+          end.uniq
           return previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
-          new_refs = dependency.requirements.map do |r|
+          new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.uniq
+          end.uniq
           return new_refs.first if new_refs.count == 1
         end
 

data/lib/dependabot/metadata_finders/base/commits_finder.rb

@@ -136,18 +136,18 @@ module Dependabot
         def previous_ref
           return unless git_source?(dependency.previous_requirements)
 
-          previous_refs = dependency.previous_requirements.map do |r|
+          previous_refs = dependency.previous_requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.uniq
+          end.uniq
           return previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
           return unless git_source?(dependency.previous_requirements)
 
-          new_refs = dependency.requirements.map do |r|
+          new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.uniq
+          end.uniq
           return new_refs.first if new_refs.count == 1
         end
 

data/lib/dependabot/metadata_finders/base/release_finder.rb

@@ -275,16 +275,16 @@ module Dependabot
         end
 
         def previous_ref
-          previous_refs = dependency.previous_requirements.map do |r|
+          previous_refs = dependency.previous_requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.uniq
+          end.uniq
           return previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
-          new_refs = dependency.requirements.map do |r|
+          new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
-          end.compact.uniq
+          end.uniq
           return new_refs.first if new_refs.count == 1
         end
 

data/lib/dependabot/pull_request_creator/branch_namer.rb

@@ -1,20 +1,23 @@
 # frozen_string_literal: true
 
+require "digest"
+
 require "dependabot/metadata_finders"
 require "dependabot/pull_request_creator"
 
 module Dependabot
   class PullRequestCreator
     class BranchNamer
-      attr_reader :dependencies, :files, :target_branch, :separator, :prefix
+      attr_reader :dependencies, :files, :target_branch, :separator, :prefix, :max_length
 
       def initialize(dependencies:, files:, target_branch:, separator: "/",
-                     prefix: "dependabot")
+                     prefix: "dependabot", max_length: nil)
         @dependencies  = dependencies
         @files         = files
         @target_branch = target_branch
         @separator     = separator
         @prefix        = prefix
+        @max_length    = max_length
       end
 
       def new_branch_name
@@ -37,7 +40,15 @@ module Dependabot
           end
 
         # Some users need branch names without slashes
-        sanitize_ref(File.join(prefixes, @name).gsub("/", separator))
+        sanitized_name = sanitize_ref(File.join(prefixes, @name).gsub("/", separator))
+
+        # Shorten the ref in case users refs have length limits
+        if @max_length && (sanitized_name.length > @max_length)
+          sha = Digest::SHA1.hexdigest(sanitized_name)[0, @max_length]
+          sanitized_name[[@max_length - sha.size, 0].max..] = sha
+        end
+
+        sanitized_name
       end
 
       private
@@ -90,7 +101,9 @@ module Dependabot
       def branch_version_suffix
         dep = dependencies.first
 
-        if library? && ref_changed?(dep) && new_ref(dep)
+        if dep.removed?
+          "-removed"
+        elsif library? && ref_changed?(dep) && new_ref(dep)
           new_ref(dep)
         elsif library?
           sanitized_requirement(dep)
@@ -127,24 +140,24 @@ module Dependabot
         elsif dependency.version == dependency.previous_version &&
               package_manager == "docker"
           dependency.requirements.
-            map { |r| r.dig(:source, "digest") || r.dig(:source, :digest) }.
-            compact.first.split(":").last[0..6]
+            filter_map { |r| r.dig(:source, "digest") || r.dig(:source, :digest) }.
+            first.split(":").last[0..6]
         else
           dependency.version
         end
       end
 
       def previous_ref(dependency)
-        previous_refs = dependency.previous_requirements.map do |r|
+        previous_refs = dependency.previous_requirements.filter_map do |r|
           r.dig(:source, "ref") || r.dig(:source, :ref)
-        end.compact.uniq
+        end.uniq
         return previous_refs.first if previous_refs.count == 1
       end
 
       def new_ref(dependency)
-        new_refs = dependency.requirements.map do |r|
+        new_refs = dependency.requirements.filter_map do |r|
           r.dig(:source, "ref") || r.dig(:source, :ref)
-        end.compact.uniq
+        end.uniq
         return new_refs.first if new_refs.count == 1
       end
 
@@ -179,17 +192,13 @@ module Dependabot
 
       def sanitize_ref(ref)
         # This isn't a complete implementation of git's ref validation, but it
-        # covers most cases that crop up. Its list of allowed charactersr is a
+        # covers most cases that crop up. Its list of allowed characters is a
         # bit stricter than git's, but that's for cosmetic reasons.
         ref.
           # Remove forbidden characters (those not already replaced elsewhere)
           gsub(%r{[^A-Za-z0-9/\-_.(){}]}, "").
           # Slashes can't be followed by periods
-          gsub(%r{/\.}, "/dot-").
-          # Two or more sequential periods are forbidden
-          gsub(/\.+/, ".").
-          # Two or more sequential slashes are forbidden
-          gsub(%r{/+}, "/").
+          gsub(%r{/\.}, "/dot-").squeeze(".").squeeze("/").
           # Trailing periods are forbidden
           sub(/\.$/, "")
       end

data/lib/dependabot/pull_request_creator/github.rb

@@ -219,7 +219,7 @@ module Dependabot
         retry_count ||= 0
         retry_count += 1
         if retry_count > 10
-          raise "Repeatedly failed to create or update branch #{branch_name} "\
+          raise "Repeatedly failed to create or update branch #{branch_name} " \
                 "with commit #{commit.sha}."
         end
 
@@ -269,7 +269,7 @@ module Dependabot
 
       def add_reviewers_to_pull_request(pull_request)
         reviewers_hash =
-          reviewers.keys.map { |k| [k.to_sym, reviewers[k]] }.to_h
+          reviewers.keys.to_h { |k| [k.to_sym, reviewers[k]] }
 
         github_client_for_source.request_pull_request_review(
           source.repo,
@@ -299,7 +299,7 @@ module Dependabot
 
       def comment_with_invalid_reviewer(pull_request, message)
         reviewers_hash =
-          reviewers.keys.map { |k| [k.to_sym, reviewers[k]] }.to_h
+          reviewers.keys.to_h { |k| [k.to_sym, reviewers[k]] }
         reviewers = []
         reviewers += reviewers_hash[:reviewers] || []
         reviewers += (reviewers_hash[:team_reviewers] || []).
@@ -315,9 +315,9 @@ module Dependabot
 
         msg = "Dependabot tried to add #{reviewers_string} as "
         msg += reviewers.count > 1 ? "reviewers" : "a reviewer"
-        msg += " to this PR, but received the following error from GitHub:\n\n"\
+        msg += " to this PR, but received the following error from GitHub:\n\n" \
                "```\n" \
-               "#{message}\n"\
+               "#{message}\n" \
                "```"
 
         github_client_for_source.add_comment(

data/lib/dependabot/pull_request_creator/labeler.rb

@@ -5,7 +5,7 @@ require "dependabot/pull_request_creator"
 module Dependabot
   class PullRequestCreator
     class Labeler
-      DEPENDENCIES_LABEL_REGEX = %r{^[^/]*dependenc[^/]+$}i.freeze
+      DEPENDENCIES_LABEL_REGEX = %r{^[^/]*dependenc[^/]+$}i
       DEFAULT_DEPENDENCIES_LABEL = "dependencies"
       DEFAULT_SECURITY_LABEL = "security"
 
@@ -105,7 +105,9 @@ module Dependabot
           new_version_parts = version(dep).split(/[.+]/)
           old_version_parts = previous_version(dep)&.split(/[.+]/) || []
           all_parts = new_version_parts.first(3) + old_version_parts.first(3)
+          # rubocop:disable Performance/RedundantEqualityComparisonBlock
           next 0 unless all_parts.all? { |part| part.to_i.to_s == part }
+          # rubocop:enable Performance/RedundantEqualityComparisonBlock
           next 1 if new_version_parts[0] != old_version_parts[0]
           next 2 if new_version_parts[1] != old_version_parts[1]
 
@@ -269,7 +271,7 @@ module Dependabot
       end
 
       def fetch_azure_labels
-        langauge_name =
+        language_name =
           self.class.label_details_for_package_manager(package_manager).
           fetch(:name)
 
@@ -277,7 +279,7 @@ module Dependabot
           *@labels,
           DEFAULT_DEPENDENCIES_LABEL,
           DEFAULT_SECURITY_LABEL,
-          langauge_name
+          language_name
         ].uniq
       end
 
@@ -372,16 +374,16 @@ module Dependabot
       end
 
       def create_gitlab_language_label
-        langauge_name =
+        language_name =
           self.class.label_details_for_package_manager(package_manager).
           fetch(:name)
         gitlab_client_for_source.create_label(
           source.repo,
-          langauge_name,
+          language_name,
           "#" + self.class.label_details_for_package_manager(package_manager).
                 fetch(:colour)
         )
-        @labels = [*@labels, langauge_name].uniq
+        @labels = [*@labels, language_name].uniq
       end
 
       def github_client_for_source

data/lib/dependabot/pull_request_creator/message_builder/issue_linker.rb

@@ -6,15 +6,15 @@ module Dependabot
   class PullRequestCreator
     class MessageBuilder
       class IssueLinker
-        REPO_REGEX = %r{(?<repo>[\w.-]+/(?:(?!\.git|\.\s)[\w.-])+)}.freeze
-        TAG_REGEX = /(?<tag>(?:\#|GH-)\d+)/i.freeze
+        REPO_REGEX = %r{(?<repo>[\w.-]+/(?:(?!\.git|\.\s)[\w.-])+)}
+        TAG_REGEX = /(?<tag>(?:\#|GH-)\d+)/i
         ISSUE_LINK_REGEXS = [
           /
             (?:(?<=[^A-Za-z0-9\[\\]|^)\\*#{TAG_REGEX}(?=[^A-Za-z0-9\-]|$))|
             (?:(?<=\s|^)#{REPO_REGEX}#{TAG_REGEX}(?=[^A-Za-z0-9\-]|$))
-          /x.freeze,
-          /\[#{TAG_REGEX}\](?=[^A-Za-z0-9\-\(])/.freeze,
-          /\[(?<tag>(?:\#|GH-)?\d+)\]\(\)/i.freeze
+          /x,
+          /\[#{TAG_REGEX}\](?=[^A-Za-z0-9\-\(])/,
+          /\[(?<tag>(?:\#|GH-)?\d+)\]\(\)/i
         ].freeze
 
         attr_reader :source_url