dependabot-common 0.212.0 → 0.213.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5242196cd22b0092cbdaaf08f6d5ce3f4249d1eeccedada949822b0b14657e9c
-  data.tar.gz: f47437aa525423bdbb507dfa5b0978863e41f3010682ed1c6f321d2ac67efea9
+  metadata.gz: 23fa5c7ea872ca0849f22018af9b0811ad9044f03a4e7d59aa023b3dd80bd4e6
+  data.tar.gz: cea778ebef75ccec5afcd3e5932af78d9711c51c4c864ea02d65930fce8ca4dc
 SHA512:
-  metadata.gz: cad3f4c8848f45b07d7769bdf4a1b351e3cca4f921bb449cee629ddffc3c579df3b1dfc9343ecfdabd1192d1f1e207e82f8af0c8ee0f142af5856e5bee769d0e
-  data.tar.gz: c564e966eba317b8b5e61bf4d82df255248ee4932711d85854e38e843ce0f26d0dc22a649cb7e2f475e01f2b0fd61dce160a46a5ecdc0cbe61d560fd5b004587
+  metadata.gz: b14ad55cbabd2a49bd35c7f8012f95972515eead80a71363353a8978286e9d756fd97da5442cb3013acdebfb1a77c7f8f7c450bac553a2d6f52b12687fcf2d43
+  data.tar.gz: 86cbba3afb724d1ee0b6c1fd0bb357a33c288263b3032e0ef029e099b5d7f7d8d5104526a8890d6233fdb8850b56ecd05cb0746bd8e6fe8fd84338db8caa28dd

data/lib/dependabot/clients/bitbucket.rb

@@ -144,7 +144,14 @@ module Dependabot
       end
       # rubocop:enable Metrics/ParameterLists
 
+      def current_user
+        base_url = "https://api.bitbucket.org/2.0/user?fields=uuid"
+        response = get(base_url)
+        JSON.parse(response.body).fetch("uuid")
+      end
+
       def default_reviewers(repo)
+        current_uuid = current_user
         path = "#{repo}/default-reviewers?pagelen=100&fields=values.uuid,next"
         reviewers_url = base_url + path
 
@@ -153,7 +160,7 @@ module Dependabot
         reviewer_data = []
 
         default_reviewers.each do |reviewer|
-          reviewer_data.append({ uuid: reviewer.fetch("uuid") })
+          reviewer_data.append({ uuid: reviewer.fetch("uuid") }) unless current_uuid == reviewer.fetch("uuid")
         end
 
         reviewer_data

data/lib/dependabot/config/file.rb

@@ -71,7 +71,7 @@ module Dependabot
         commit_message = cfg&.dig(:"commit-message") || {}
         Dependabot::Config::UpdateConfig::CommitMessageOptions.new(
           prefix: commit_message[:prefix],
-          prefix_development: commit_message[:"prefix-development"],
+          prefix_development: commit_message[:"prefix-development"] || commit_message[:prefix],
           include: commit_message[:include]
         )
       end

data/lib/dependabot/dependency.rb

@@ -37,11 +37,11 @@ module Dependabot
 
     attr_reader :name, :version, :requirements, :package_manager,
                 :previous_version, :previous_requirements,
-                :subdependency_metadata
+                :subdependency_metadata, :metadata
 
     def initialize(name:, requirements:, package_manager:, version: nil,
                    previous_version: nil, previous_requirements: nil,
-                   subdependency_metadata: [], removed: false)
+                   subdependency_metadata: [], removed: false, metadata: {})
       @name = name
       @version = version
       @requirements = requirements.map { |req| symbolize_keys(req) }
@@ -54,6 +54,7 @@ module Dependabot
                                   map { |h| symbolize_keys(h) }
       end
       @removed = removed
+      @metadata = symbolize_keys(metadata || {})
 
       check_values
     end
@@ -105,6 +106,22 @@ module Dependabot
       display_name_builder.call(name)
     end
 
+    # Returns all detected versions of the dependency. Only ecosystems that
+    # support this feature will return more than the current version.
+    def all_versions
+      all_versions = metadata[:all_versions]
+      return [version].compact unless all_versions
+
+      all_versions.filter_map(&:version)
+    end
+
+    # This dependency is being indirectly updated by an update to another
+    # dependency. We don't need to try and update it ourselves but want to
+    # surface it to the user in the PR.
+    def informational_only?
+      metadata[:information_only]
+    end
+
     def ==(other)
       other.instance_of?(self.class) && to_h == other.to_h
     end

data/lib/dependabot/errors.rb

@@ -4,9 +4,9 @@ require "dependabot/utils"
 
 module Dependabot
   class DependabotError < StandardError
-    BASIC_AUTH_REGEX = %r{://(?<auth>[^:]*:[^@%\s]+(@|%40))}.freeze
+    BASIC_AUTH_REGEX = %r{://(?<auth>[^:]*:[^@%\s]+(@|%40))}
     # Remove any path segment from fury.io sources
-    FURY_IO_PATH_REGEX = %r{fury\.io/(?<path>.+)}.freeze
+    FURY_IO_PATH_REGEX = %r{fury\.io/(?<path>.+)}
 
     def initialize(message = nil)
       super(sanitize_message(message))
@@ -18,7 +18,7 @@ module Dependabot
       return message unless message.is_a?(String)
 
       path_regex =
-        Regexp.escape(Utils::BUMP_TMP_DIR_PATH) + "\/" +
+        Regexp.escape(Utils::BUMP_TMP_DIR_PATH) + "\\/" +
         Regexp.escape(Utils::BUMP_TMP_FILE_PREFIX) + "[a-zA-Z0-9-]*"
 
       message = message.gsub(/#{path_regex}/, "dependabot_tmp_dir").strip

data/lib/dependabot/experiments.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module Experiments
+    @experiments = {}
+
+    def self.reset!
+      @experiments = {}
+    end
+
+    def self.register(name, value)
+      @experiments[name.to_sym] = value
+    end
+
+    def self.enabled?(name)
+      !!@experiments[name.to_sym]
+    end
+  end
+end

data/lib/dependabot/file_fetchers/base.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "stringio"
 require "dependabot/config"
 require "dependabot/dependency_file"
 require "dependabot/source"
@@ -69,6 +70,7 @@ module Dependabot
       end
 
       def commit
+        return cloned_commit if cloned_commit
         return source.commit if source.commit
 
         branch = target_branch || default_branch_for_repo
@@ -84,7 +86,11 @@ module Dependabot
       def clone_repo_contents
         @clone_repo_contents ||=
           _clone_repo_contents(target_directory: repo_contents_path)
-      rescue Dependabot::SharedHelpers::HelperSubprocessFailed
+      rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
+        if e.message.include?("fatal: Remote branch #{target_branch} not found in upstream origin")
+          raise Dependabot::BranchNotFound, target_branch
+        end
+
         raise Dependabot::RepoNotFound, source
       end
 
@@ -168,6 +174,97 @@ module Dependabot
                                 end
       end
 
+      def cloned_commit
+        return if repo_contents_path.nil? || !File.directory?(File.join(repo_contents_path, ".git"))
+
+        SharedHelpers.with_git_configured(credentials: credentials) do
+          Dir.chdir(repo_contents_path) do
+            return SharedHelpers.run_shell_command("git rev-parse HEAD")&.strip
+          end
+        end
+      end
+
+      def default_branch_for_repo
+        @default_branch_for_repo ||= client_for_provider.
+                                     fetch_default_branch(repo)
+      rescue *CLIENT_NOT_FOUND_ERRORS
+        raise Dependabot::RepoNotFound, source
+      end
+
+      def update_linked_paths(repo, path, commit, github_response)
+        case github_response.type
+        when "submodule"
+          sub_source = Source.from_url(github_response.submodule_git_url)
+          return unless sub_source
+
+          @linked_paths[path] = {
+            repo: sub_source.repo,
+            provider: sub_source.provider,
+            commit: github_response.sha,
+            path: "/"
+          }
+        when "symlink"
+          updated_path = File.join(File.dirname(path), github_response.target)
+          @linked_paths[path] = {
+            repo: repo,
+            provider: "github",
+            commit: commit,
+            path: Pathname.new(updated_path).cleanpath.to_path
+          }
+        end
+      end
+
+      def recurse_submodules_when_cloning?
+        false
+      end
+
+      def client_for_provider
+        case source.provider
+        when "github" then github_client
+        when "gitlab" then gitlab_client
+        when "azure" then azure_client
+        when "bitbucket" then bitbucket_client
+        when "codecommit" then codecommit_client
+        else raise "Unsupported provider '#{source.provider}'."
+        end
+      end
+
+      def github_client
+        @github_client ||=
+          Dependabot::Clients::GithubWithRetries.for_source(
+            source: source,
+            credentials: credentials
+          )
+      end
+
+      def gitlab_client
+        @gitlab_client ||=
+          Dependabot::Clients::GitlabWithRetries.for_source(
+            source: source,
+            credentials: credentials
+          )
+      end
+
+      def azure_client
+        @azure_client ||=
+          Dependabot::Clients::Azure.
+          for_source(source: source, credentials: credentials)
+      end
+
+      def bitbucket_client
+        # TODO: When self-hosted Bitbucket is supported this should use
+        # `Bitbucket.for_source`
+        @bitbucket_client ||=
+          Dependabot::Clients::BitbucketWithRetries.
+          for_bitbucket_dot_org(credentials: credentials)
+      end
+
+      def codecommit_client
+        @codecommit_client ||=
+          Dependabot::Clients::CodeCommit.
+          for_source(source: source, credentials: credentials)
+      end
+
       #################################################
       # INTERNAL METHODS (not for use by sub-classes) #
       #################################################
@@ -254,29 +351,6 @@ module Dependabot
         end
       end
 
-      def update_linked_paths(repo, path, commit, github_response)
-        case github_response.type
-        when "submodule"
-          sub_source = Source.from_url(github_response.submodule_git_url)
-          return unless sub_source
-
-          @linked_paths[path] = {
-            repo: sub_source.repo,
-            provider: sub_source.provider,
-            commit: github_response.sha,
-            path: "/"
-          }
-        when "symlink"
-          updated_path = File.join(File.dirname(path), github_response.target)
-          @linked_paths[path] = {
-            repo: repo,
-            provider: "github",
-            commit: commit,
-            path: Pathname.new(updated_path).cleanpath.to_path
-          }
-        end
-      end
-
       def _build_github_file_struct(file)
         OpenStruct.new(
           name: file.name,
@@ -473,13 +547,6 @@ module Dependabot
       end
       # rubocop:enable Metrics/AbcSize
 
-      def default_branch_for_repo
-        @default_branch_for_repo ||= client_for_provider.
-                                     fetch_default_branch(repo)
-      rescue *CLIENT_NOT_FOUND_ERRORS
-        raise Dependabot::RepoNotFound, source
-      end
-
       # Update the @linked_paths hash by exploiting a side-effect of
       # recursively calling `repo_contents` for each directory up the tree
       # until a submodule or symlink is found
@@ -504,6 +571,10 @@ module Dependabot
           max_by(&:length)
       end
 
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/BlockLength
       def _clone_repo_contents(target_directory:)
         SharedHelpers.with_git_configured(credentials: credentials) do
           path = target_directory || File.join("tmp", source.repo)
@@ -512,62 +583,54 @@ module Dependabot
           return path if Dir.exist?(File.join(path, ".git"))
 
           FileUtils.mkdir_p(path)
-          br_opt = " --branch #{source.branch} --single-branch" if source.branch
+
+          clone_options = StringIO.new
+          clone_options << "--no-tags --depth 1"
+          clone_options << if recurse_submodules_when_cloning?
+                             " --recurse-submodules --shallow-submodules"
+                           else
+                             " --no-recurse-submodules"
+                           end
+          clone_options << " --branch #{source.branch} --single-branch" if source.branch
           SharedHelpers.run_shell_command(
             <<~CMD
-              git clone --no-tags --no-recurse-submodules --depth 1#{br_opt} #{source.url} #{path}
+              git clone #{clone_options.string} #{source.url} #{path}
             CMD
           )
-          path
-        end
-      end
 
-      def client_for_provider
-        case source.provider
-        when "github" then github_client
-        when "gitlab" then gitlab_client
-        when "azure" then azure_client
-        when "bitbucket" then bitbucket_client
-        when "codecommit" then codecommit_client
-        else raise "Unsupported provider '#{source.provider}'."
-        end
-      end
-
-      def github_client
-        @github_client ||=
-          Dependabot::Clients::GithubWithRetries.for_source(
-            source: source,
-            credentials: credentials
-          )
-      end
-
-      def gitlab_client
-        @gitlab_client ||=
-          Dependabot::Clients::GitlabWithRetries.for_source(
-            source: source,
-            credentials: credentials
-          )
-      end
-
-      def azure_client
-        @azure_client ||=
-          Dependabot::Clients::Azure.
-          for_source(source: source, credentials: credentials)
-      end
-
-      def bitbucket_client
-        # TODO: When self-hosted Bitbucket is supported this should use
-        # `Bitbucket.for_source`
-        @bitbucket_client ||=
-          Dependabot::Clients::BitbucketWithRetries.
-          for_bitbucket_dot_org(credentials: credentials)
-      end
+          if source.commit
+            # This code will only be called for testing. Production will never pass a commit
+            # since Dependabot always wants to use the latest commit on a branch.
+            Dir.chdir(path) do
+              fetch_options = StringIO.new
+              fetch_options << "--depth 1"
+              fetch_options << if recurse_submodules_when_cloning?
+                                 " --recurse-submodules=on-demand"
+                               else
+                                 " --no-recurse-submodules"
+                               end
+              # Need to fetch the commit due to the --depth 1 above.
+              SharedHelpers.run_shell_command("git fetch #{fetch_options.string} origin #{source.commit}")
+
+              reset_options = StringIO.new
+              reset_options << "--hard"
+              reset_options << if recurse_submodules_when_cloning?
+                                 " --recurse-submodules"
+                               else
+                                 " --no-recurse-submodules"
+                               end
+              # Set HEAD to this commit so later calls so git reset HEAD will work.
+              SharedHelpers.run_shell_command("git reset #{reset_options.string} #{source.commit}")
+            end
+          end
 
-      def codecommit_client
-        @codecommit_client ||=
-          Dependabot::Clients::CodeCommit.
-          for_source(source: source, credentials: credentials)
+          path
+        end
       end
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/BlockLength
     end
   end
 end

data/lib/dependabot/file_parsers/base/dependency_set.rb

@@ -14,34 +14,42 @@ module Dependabot
             raise ArgumentError, "must be an array of Dependency objects"
           end
 
-          @dependencies = dependencies
           @case_sensitive = case_sensitive
+          @dependencies = Hash.new { |hsh, key| hsh[key] = DependencySlot.new }
+          dependencies.each { |dep| self << dep }
         end
 
-        attr_reader :dependencies
+        def dependencies
+          @dependencies.values.filter_map(&:combined)
+        end
 
         def <<(dep)
           raise ArgumentError, "must be a Dependency object" unless dep.is_a?(Dependency)
 
-          existing_dependency = dependency_for_name(dep.name)
+          @dependencies[key_for_dependency(dep)] << dep
+          self
+        end
 
-          return self if existing_dependency&.to_h == dep.to_h
+        def +(other)
+          raise ArgumentError, "must be a DependencySet" unless other.is_a?(DependencySet)
 
-          if existing_dependency
-            dependencies[dependencies.index(existing_dependency)] =
-              combined_dependency(existing_dependency, dep)
-          else
-            dependencies << dep
+          other_names = other.dependencies.map(&:name)
+          other_names.each do |name|
+            all_versions = other.all_versions_for_name(name)
+            all_versions.each { |dep| self << dep }
           end
 
           self
         end
 
-        def +(other)
-          raise ArgumentError, "must be a DependencySet" unless other.is_a?(DependencySet)
+        def all_versions_for_name(name)
+          key = key_for_name(name)
+          @dependencies.key?(key) ? @dependencies[key].all_versions : []
+        end
 
-          other.dependencies.each { |dep| self << dep }
-          self
+        def dependency_for_name(name)
+          key = key_for_name(name)
+          @dependencies.key?(key) ? @dependencies[key].combined : nil
         end
 
         private
@@ -50,41 +58,98 @@ module Dependabot
           @case_sensitive
         end
 
-        def dependency_for_name(name)
-          return dependencies.find { |d| d.name == name } if case_sensitive?
+        def key_for_name(name)
+          case_sensitive? ? name : name.downcase
+        end
 
-          dependencies.find { |d| d.name&.downcase == name&.downcase }
+        def key_for_dependency(dep)
+          key_for_name(dep.name)
         end
 
-        def combined_dependency(old_dep, new_dep)
-          package_manager = old_dep.package_manager
-          v_cls = Utils.version_class_for_package_manager(package_manager)
-
-          # If we already have a requirement use the existing version
-          # (if present). Otherwise, use whatever the lowest version is
-          new_version =
-            if old_dep.requirements.any? then old_dep.version || new_dep.version
-            elsif !v_cls.correct?(new_dep.version) then old_dep.version
-            elsif !v_cls.correct?(old_dep.version) then new_dep.version
-            elsif v_cls.new(new_dep.version) > v_cls.new(old_dep.version)
-              old_dep.version
+        # There can only be one entry per dependency name in a `DependencySet`. Each entry
+        # is assigned a `DependencySlot`.
+        #
+        # In some ecosystems (like `npm_and_yarn`), however, multiple versions of a
+        # dependency may be encountered and added to the set. The `DependencySlot` retains
+        # all added versions and presents a single unified dependency for the entry
+        # that combines the attributes of these versions.
+        #
+        # The combined dependency is accessible via `DependencySet#dependencies` or
+        # `DependencySet#dependency_for_name`. The list of individual versions of the
+        # dependency is accessible via `DependencySet#all_versions_for_name`.
+        class DependencySlot
+          attr_reader :all_versions, :combined
+
+          def initialize
+            @all_versions = []
+            @combined = nil
+          end
+
+          def <<(dep)
+            return self if @all_versions.include?(dep)
+
+            @combined = if @combined
+                          combined_dependency(@combined, dep)
+                        else
+                          Dependency.new(
+                            name: dep.name,
+                            version: dep.version,
+                            requirements: dep.requirements,
+                            package_manager: dep.package_manager,
+                            subdependency_metadata: dep.subdependency_metadata
+                          )
+                        end
+
+            index_of_same_version =
+              @all_versions.find_index { |other| other.version == dep.version }
+
+            if index_of_same_version.nil?
+              @all_versions << dep
             else
-              new_dep.version
+              same_version = @all_versions[index_of_same_version]
+              @all_versions[index_of_same_version] = combined_dependency(same_version, dep)
             end
 
-          subdependency_metadata = (
-            (old_dep.subdependency_metadata || []) +
-            (new_dep.subdependency_metadata || [])
-          ).uniq
-
-          Dependency.new(
-            name: old_dep.name,
-            version: new_version,
-            requirements: (old_dep.requirements + new_dep.requirements).uniq,
-            package_manager: package_manager,
-            subdependency_metadata: subdependency_metadata
-          )
+            self
+          end
+
+          private
+
+          # Produces a new dependency by merging the attributes of `old_dep` with those of
+          # `new_dep`. Requirements and subdependency metadata will be combined and deduped.
+          # The version of the combined dependency is determined by the logic below.
+          def combined_dependency(old_dep, new_dep)
+            version = if old_dep.top_level? # Prefer a direct dependency over a transitive one
+                        old_dep.version || new_dep.version
+                      elsif !version_class.correct?(new_dep.version)
+                        old_dep.version
+                      elsif !version_class.correct?(old_dep.version)
+                        new_dep.version
+                      elsif version_class.new(new_dep.version) > version_class.new(old_dep.version)
+                        old_dep.version
+                      else
+                        new_dep.version
+                      end
+            requirements = (old_dep.requirements + new_dep.requirements).uniq
+            subdependency_metadata = (
+              (old_dep.subdependency_metadata || []) +
+              (new_dep.subdependency_metadata || [])
+            ).uniq
+
+            Dependency.new(
+              name: old_dep.name,
+              version: version,
+              requirements: requirements,
+              package_manager: old_dep.package_manager,
+              subdependency_metadata: subdependency_metadata
+            )
+          end
+
+          def version_class
+            @version_class ||= Utils.version_class_for_package_manager(@combined.package_manager)
+          end
         end
+        private_constant :DependencySlot
       end
     end
   end

data/lib/dependabot/git_commit_checker.rb

@@ -19,7 +19,7 @@ module Dependabot
         |
         [0-9]+\.[0-9]+(?:\.[a-z0-9\-]+)*
       )$
-    /ix.freeze
+    /ix
 
     def initialize(dependency:, credentials:,
                    ignored_versions: [], raise_on_ignored: false,
@@ -49,8 +49,14 @@ module Dependabot
       return true if branch
       return true if dependency.version&.start_with?(ref)
 
-      # Check the specified `ref` isn't actually a branch
-      !local_upload_pack.match?(%r{ refs/heads/#{ref}$})
+      # If the specified `ref` is actually a tag, we're pinned
+      return true if local_upload_pack.match?(%r{ refs/tags/#{ref}$})
+
+      # If the specified `ref` is actually a branch, we're NOT pinned
+      return false if local_upload_pack.match?(%r{ refs/heads/#{ref}$})
+
+      # Otherwise, assume we're pinned
+      true
     end
 
     def pinned_ref_looks_like_version?
@@ -61,6 +67,10 @@ module Dependabot
 
     def pinned_ref_looks_like_commit_sha?
       ref = dependency_source_details.fetch(:ref)
+      ref_looks_like_commit_sha?(ref)
+    end
+
+    def ref_looks_like_commit_sha?(ref)
       return false unless ref&.match?(/^[0-9a-f]{6,40}$/)
 
       return false unless pinned?
@@ -365,17 +375,19 @@ module Dependabot
     def listing_tags
       return [] unless listing_source_url
 
-      tags = listing_repo_git_metadata_fetcher.tags
+      @listing_tags ||= begin
+        tags = listing_repo_git_metadata_fetcher.tags
 
-      if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
-        tags = tags.map do |tag|
-          tag.dup.tap { |t| t.name = "tags/#{tag.name}" }
+        if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
+          tags = tags.map do |tag|
+            tag.dup.tap { |t| t.name = "tags/#{tag.name}" }
+          end
         end
-      end
 
-      tags
-    rescue GitDependenciesNotReachable
-      []
+        tags
+      rescue GitDependenciesNotReachable
+        []
+      end
     end
 
     def listing_upload_pack

data/lib/dependabot/git_metadata_fetcher.rb

@@ -6,7 +6,7 @@ require "dependabot/errors"
 
 module Dependabot
   class GitMetadataFetcher
-    KNOWN_HOSTS = /github\.com|bitbucket\.org|gitlab.com/i.freeze
+    KNOWN_HOSTS = /github\.com|bitbucket\.org|gitlab.com/i
 
     def initialize(url:, credentials:)
       @url = url