dependabot-common 0.212.0 → 0.213.0

data/lib/dependabot/pull_request_creator/branch_namer.rb

@@ -1,20 +1,23 @@
 # frozen_string_literal: true
 
+require "digest"
+
 require "dependabot/metadata_finders"
 require "dependabot/pull_request_creator"
 
 module Dependabot
   class PullRequestCreator
     class BranchNamer
-      attr_reader :dependencies, :files, :target_branch, :separator, :prefix
+      attr_reader :dependencies, :files, :target_branch, :separator, :prefix, :max_length
 
       def initialize(dependencies:, files:, target_branch:, separator: "/",
-                     prefix: "dependabot")
+                     prefix: "dependabot", max_length: nil)
         @dependencies  = dependencies
         @files         = files
         @target_branch = target_branch
         @separator     = separator
         @prefix        = prefix
+        @max_length    = max_length
       end
 
       def new_branch_name
@@ -37,7 +40,15 @@ module Dependabot
           end
 
         # Some users need branch names without slashes
-        sanitize_ref(File.join(prefixes, @name).gsub("/", separator))
+        sanitized_name = sanitize_ref(File.join(prefixes, @name).gsub("/", separator))
+
+        # Shorten the ref in case users refs have length limits
+        if @max_length && (sanitized_name.length > @max_length)
+          sha = Digest::SHA1.hexdigest(sanitized_name)[0, @max_length]
+          sanitized_name[[@max_length - sha.size, 0].max..] = sha
+        end
+
+        sanitized_name
       end
 
       private
@@ -181,7 +192,7 @@ module Dependabot
 
       def sanitize_ref(ref)
         # This isn't a complete implementation of git's ref validation, but it
-        # covers most cases that crop up. Its list of allowed charactersr is a
+        # covers most cases that crop up. Its list of allowed characters is a
         # bit stricter than git's, but that's for cosmetic reasons.
         ref.
           # Remove forbidden characters (those not already replaced elsewhere)

data/lib/dependabot/pull_request_creator/labeler.rb

@@ -5,7 +5,7 @@ require "dependabot/pull_request_creator"
 module Dependabot
   class PullRequestCreator
     class Labeler
-      DEPENDENCIES_LABEL_REGEX = %r{^[^/]*dependenc[^/]+$}i.freeze
+      DEPENDENCIES_LABEL_REGEX = %r{^[^/]*dependenc[^/]+$}i
       DEFAULT_DEPENDENCIES_LABEL = "dependencies"
       DEFAULT_SECURITY_LABEL = "security"
 
@@ -271,7 +271,7 @@ module Dependabot
       end
 
       def fetch_azure_labels
-        langauge_name =
+        language_name =
           self.class.label_details_for_package_manager(package_manager).
           fetch(:name)
 
@@ -279,7 +279,7 @@ module Dependabot
           *@labels,
           DEFAULT_DEPENDENCIES_LABEL,
           DEFAULT_SECURITY_LABEL,
-          langauge_name
+          language_name
         ].uniq
       end
 
@@ -374,16 +374,16 @@ module Dependabot
       end
 
       def create_gitlab_language_label
-        langauge_name =
+        language_name =
           self.class.label_details_for_package_manager(package_manager).
           fetch(:name)
         gitlab_client_for_source.create_label(
           source.repo,
-          langauge_name,
+          language_name,
           "#" + self.class.label_details_for_package_manager(package_manager).
                 fetch(:colour)
         )
-        @labels = [*@labels, langauge_name].uniq
+        @labels = [*@labels, language_name].uniq
       end
 
       def github_client_for_source

data/lib/dependabot/pull_request_creator/message_builder/issue_linker.rb

@@ -6,15 +6,15 @@ module Dependabot
   class PullRequestCreator
     class MessageBuilder
       class IssueLinker
-        REPO_REGEX = %r{(?<repo>[\w.-]+/(?:(?!\.git|\.\s)[\w.-])+)}.freeze
-        TAG_REGEX = /(?<tag>(?:\#|GH-)\d+)/i.freeze
+        REPO_REGEX = %r{(?<repo>[\w.-]+/(?:(?!\.git|\.\s)[\w.-])+)}
+        TAG_REGEX = /(?<tag>(?:\#|GH-)\d+)/i
         ISSUE_LINK_REGEXS = [
           /
             (?:(?<=[^A-Za-z0-9\[\\]|^)\\*#{TAG_REGEX}(?=[^A-Za-z0-9\-]|$))|
             (?:(?<=\s|^)#{REPO_REGEX}#{TAG_REGEX}(?=[^A-Za-z0-9\-]|$))
-          /x.freeze,
-          /\[#{TAG_REGEX}\](?=[^A-Za-z0-9\-\(])/.freeze,
-          /\[(?<tag>(?:\#|GH-)?\d+)\]\(\)/i.freeze
+          /x,
+          /\[#{TAG_REGEX}\](?=[^A-Za-z0-9\-\(])/,
+          /\[(?<tag>(?:\#|GH-)?\d+)\]\(\)/i
         ].freeze
 
         attr_reader :source_url

data/lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb

@@ -8,17 +8,19 @@ module Dependabot
   class PullRequestCreator
     class MessageBuilder
       class LinkAndMentionSanitizer
-        GITHUB_USERNAME = /[a-z0-9]+(-[a-z0-9]+)*/i.freeze
+        GITHUB_USERNAME = /[a-z0-9]+(-[a-z0-9]+)*/i
         GITHUB_REF_REGEX = %r{
           (?:https?://)?
           github\.com/(?<repo>#{GITHUB_USERNAME}/[^/\s]+)/
           (?:issue|pull)s?/(?<number>\d+)
-        }x.freeze
-        MENTION_REGEX = %r{(?<![A-Za-z0-9`~])@#{GITHUB_USERNAME}/?}.freeze
+        }x
+        # [^/\s#]+ means one or more characters not matching (^) the class /, whitespace (\s), or #
+        GITHUB_NWO_REGEX = %r{(?<repo>#{GITHUB_USERNAME}/[^/\s#]+)#(?<number>\d+)}
+        MENTION_REGEX = %r{(?<![A-Za-z0-9`~])@#{GITHUB_USERNAME}/?}
         # regex to match a team mention on github
-        TEAM_MENTION_REGEX = %r{(?<![A-Za-z0-9`~])@(?<org>#{GITHUB_USERNAME})/(?<team>#{GITHUB_USERNAME})/?}.freeze
+        TEAM_MENTION_REGEX = %r{(?<![A-Za-z0-9`~])@(?<org>#{GITHUB_USERNAME})/(?<team>#{GITHUB_USERNAME})/?}
         # End of string
-        EOS_REGEX = /\z/.freeze
+        EOS_REGEX = /\z/
         COMMONMARKER_OPTIONS = %i(
           GITHUB_PRE_LANG FULL_INFO_STRING
         ).freeze
@@ -40,6 +42,7 @@ module Dependabot
           sanitize_team_mentions(doc)
           sanitize_mentions(doc)
           sanitize_links(doc)
+          sanitize_nwo_text(doc)
 
           mode = unsafe ? :UNSAFE : :DEFAULT
           doc.to_html(([mode] + COMMONMARKER_OPTIONS), COMMONMARKER_EXTENSIONS)
@@ -109,6 +112,25 @@ module Dependabot
           end
         end
 
+        def sanitize_nwo_text(doc)
+          doc.walk do |node|
+            if node.type == :text &&
+               node.string_content.match?(GITHUB_NWO_REGEX) &&
+               !parent_node_link?(node)
+              replace_nwo_node(node)
+            end
+          end
+        end
+
+        def replace_nwo_node(node)
+          match = node.string_content.match(GITHUB_NWO_REGEX)
+          repo = match.named_captures.fetch("repo")
+          number = match.named_captures.fetch("number")
+          new_node = build_nwo_text_node("#{repo}##{number}")
+          node.insert_before(new_node)
+          node.delete
+        end
+
         def replace_github_host(text)
           text.gsub(
             /(www\.)?github.com/, github_redirection_service || "github.com"
@@ -171,6 +193,12 @@ module Dependabot
           [code_node]
         end
 
+        def build_nwo_text_node(text)
+          code_node = CommonMarker::Node.new(:code)
+          code_node.string_content = text
+          code_node
+        end
+
         def create_link_node(url, text)
           link_node = CommonMarker::Node.new(:link)
           code_node = CommonMarker::Node.new(:code)

data/lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb

@@ -153,7 +153,7 @@ module Dependabot
             msg += body
             msg + "</details>\n"
           else
-            "\n\##{summary}\n\n#{body}"
+            "\n##{summary}\n\n#{body}"
           end
         end
 
@@ -245,8 +245,6 @@ module Dependabot
         end
 
         def sanitize_links_and_mentions(text, unsafe: false)
-          return text unless source.provider == "github"
-
           LinkAndMentionSanitizer.
             new(github_redirection_service: github_redirection_service).
             sanitize_links_and_mentions(text: text, unsafe: unsafe)

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -3,6 +3,7 @@
 require "pathname"
 require "dependabot/clients/github_with_retries"
 require "dependabot/clients/gitlab_with_retries"
+require "dependabot/logger"
 require "dependabot/metadata_finders"
 require "dependabot/pull_request_creator"
 require "dependabot/pull_request_creator/message"
@@ -38,7 +39,12 @@ module Dependabot
       end
 
       def pr_name
-        pr_name = pr_name_prefixer.pr_name_prefix
+        begin
+          pr_name = pr_name_prefixer.pr_name_prefix
+        rescue StandardError => e
+          Dependabot.logger.error("Error while generating PR name: #{e.message}")
+          pr_name = ""
+        end
         pr_name += library? ? library_pr_name : application_pr_name
         return pr_name if files.first.directory == "/"
 
@@ -48,6 +54,9 @@ module Dependabot
       def pr_message
         suffixed_pr_message_header + commit_message_intro + \
           metadata_cascades + prefixed_pr_message_footer
+      rescue StandardError => e
+        Dependabot.logger.error("Error while generating PR message: #{e.message}")
+        suffixed_pr_message_header + prefixed_pr_message_footer
       end
 
       def commit_message
@@ -56,6 +65,11 @@ module Dependabot
         message += metadata_links
         message += "\n\n" + message_trailers if message_trailers
         message
+      rescue StandardError => e
+        Dependabot.logger.error("Error while generating commit message: #{e.message}")
+        message = commit_subject
+        message += "\n\n" + message_trailers if message_trailers
+        message
       end
 
       def message
@@ -78,11 +92,16 @@ module Dependabot
               "#{from_version_msg(old_library_requirement(dependencies.first))}" \
               "to #{new_library_requirement(dependencies.first)}"
           else
-            names = dependencies.map(&:name)
-            "requirements for #{names[0..-2].join(', ')} and #{names[-1]}"
+            names = dependencies.map(&:name).uniq
+            if names.count == 1
+              "requirements for #{names.first}"
+            else
+              "requirements for #{names[0..-2].join(', ')} and #{names[-1]}"
+            end
           end
       end
 
+      # rubocop:disable Metrics/AbcSize
       def application_pr_name
         pr_name = "bump "
         pr_name = pr_name.capitalize if pr_name_prefixer.capitalize_first_word?
@@ -104,10 +123,15 @@ module Dependabot
               "#{from_version_msg(previous_version(dependency))}" \
               "to #{new_version(dependency)}"
           else
-            names = dependencies.map(&:name)
-            "#{names[0..-2].join(', ')} and #{names[-1]}"
+            names = dependencies.map(&:name).uniq
+            if names.count == 1
+              names.first
+            else
+              "#{names[0..-2].join(', ')} and #{names[-1]}"
+            end
           end
       end
+      # rubocop:enable Metrics/AbcSize
 
       def pr_name_prefix
         pr_name_prefixer.pr_name_prefix
@@ -192,11 +216,17 @@ module Dependabot
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/AbcSize
       def version_commit_message_intro
         return multidependency_property_intro if dependencies.count > 1 && updating_a_property?
 
         return dependency_set_intro if dependencies.count > 1 && updating_a_dependency_set?
 
+        return transitive_removed_dependency_intro if dependencies.count > 1 && removing_a_transitive_dependency?
+
+        return transitive_multidependency_intro if dependencies.count > 1 &&
+                                                   updating_top_level_and_transitive_dependencies?
+
         return multidependency_intro if dependencies.count > 1
 
         dependency = dependencies.first
@@ -216,6 +246,7 @@ module Dependabot
       end
 
       # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/AbcSize
 
       def multidependency_property_intro
         dependency = dependencies.first
@@ -239,6 +270,38 @@ module Dependabot
           "dependencies needed to be updated together."
       end
 
+      def transitive_multidependency_intro
+        dependency = dependencies.first
+
+        msg = "Bumps #{dependency_links[0]} to #{new_version(dependency)}"
+
+        msg += if dependencies.count > 2
+                 " and updates ancestor dependencies #{dependency_links[0..-2].join(', ')} " \
+                   "and #{dependency_links[-1]}. "
+               else
+                 " and updates ancestor dependency #{dependency_links[1]}. "
+               end
+
+        msg += "These dependencies need to be updated together.\n"
+
+        msg
+      end
+
+      def transitive_removed_dependency_intro
+        msg = "Removes #{dependency_links[0]}. It's no longer used after updating"
+
+        msg += if dependencies.count > 2
+                 " ancestor dependencies #{dependency_links[0..-2].join(', ')} " \
+                   "and #{dependency_links[-1]}. "
+               else
+                 " ancestor dependency #{dependency_links[1]}. "
+               end
+
+        msg += "These dependencies need to be updated together.\n"
+
+        msg
+      end
+
       def from_version_msg(previous_version)
         return "" unless previous_version
 
@@ -257,6 +320,15 @@ module Dependabot
           any? { |r| r.dig(:metadata, :dependency_set) }
       end
 
+      def removing_a_transitive_dependency?
+        dependencies.any?(&:removed?)
+      end
+
+      def updating_top_level_and_transitive_dependencies?
+        dependencies.any?(&:top_level?) &&
+          dependencies.any? { |dep| !dep.top_level? }
+      end
+
       def property_name
         @property_name ||= dependencies.first.requirements.
                            find { |r| r.dig(:metadata, :property_name) }&.
@@ -318,7 +390,7 @@ module Dependabot
 
         dependencies.map do |dep|
           msg = if dep.removed?
-                  "\nRemoves `#{dep.display_name}`"
+                  "\nRemoves `#{dep.display_name}`\n"
                 else
                   "\nUpdates `#{dep.display_name}` " \
                     "#{from_version_msg(previous_version(dep))}" \

data/lib/dependabot/pull_request_creator/pr_name_prefixer.rb

@@ -43,11 +43,12 @@ module Dependabot
       end
 
       def capitalize_first_word?
-        return !commit_message_options[:prefix]&.strip&.match?(/\A[a-z]/) if commit_message_options.key?(:prefix)
-
         return capitalise_first_word_from_last_dependabot_commit_style if last_dependabot_commit_style
 
         capitalise_first_word_from_previous_commits
+      rescue StandardError
+        # ignoring failure due to network call to find out if the PR should be capitalized
+        false
       end
 
       private

data/lib/dependabot/pull_request_creator.rb

@@ -48,7 +48,7 @@ module Dependabot
                 :custom_labels, :author_details, :signature_key,
                 :commit_message_options, :vulnerabilities_fixed,
                 :reviewers, :assignees, :milestone, :branch_name_separator,
-                :branch_name_prefix, :github_redirection_service,
+                :branch_name_prefix, :branch_name_max_length, :github_redirection_service,
                 :custom_headers, :provider_metadata
 
     def initialize(source:, base_commit:, dependencies:, files:, credentials:,
@@ -57,7 +57,8 @@ module Dependabot
                    commit_message_options: {}, vulnerabilities_fixed: {},
                    reviewers: nil, assignees: nil, milestone: nil,
                    branch_name_separator: "/", branch_name_prefix: "dependabot",
-                   label_language: false, automerge_candidate: false,
+                   branch_name_max_length: nil, label_language: false,
+                   automerge_candidate: false,
                    github_redirection_service: DEFAULT_GITHUB_REDIRECTION_SERVICE,
                    custom_headers: nil, require_up_to_date_base: false,
                    provider_metadata: {}, message: nil)
@@ -78,6 +79,7 @@ module Dependabot
       @vulnerabilities_fixed      = vulnerabilities_fixed
       @branch_name_separator      = branch_name_separator
       @branch_name_prefix         = branch_name_prefix
+      @branch_name_max_length     = branch_name_max_length
       @label_language             = label_language
       @automerge_candidate        = automerge_candidate
       @github_redirection_service = github_redirection_service
@@ -232,7 +234,8 @@ module Dependabot
           files: files,
           target_branch: source.branch,
           separator: branch_name_separator,
-          prefix: branch_name_prefix
+          prefix: branch_name_prefix,
+          max_length: branch_name_max_length
         )
     end
 

data/lib/dependabot/pull_request_updater/azure.rb

@@ -53,7 +53,7 @@ module Dependabot
       end
 
       # Currently the PR diff in ADO shows difference in commits instead of actual diff in files.
-      # This workaround is done to get the target branch commit history on the source branch alongwith file changes
+      # This workaround puts the target branch commit history on the source branch along with the file changes.
       def update_source_branch
         # 1) Push the file changes to a newly created temporary branch (from base commit)
         new_commit = create_temp_branch

data/lib/dependabot/pull_request_updater/github.rb

@@ -182,28 +182,31 @@ module Dependabot
       end
 
       def commit_message
-        # Take the commit message from the old commit
-        commit_being_updated.message
+        fallback_message =
+          "#{pull_request.title}" \
+          "\n\n" \
+          "Dependabot couldn't find the original pull request head commit, " \
+          "#{old_commit}."
+
+        # Take the commit message from the old commit. If the old commit can't
+        # be found, use the PR title as the commit message.
+        commit_being_updated&.message || fallback_message
       end
 
       def commit_being_updated
-        @commit_being_updated ||=
+        return @commit_being_updated if defined?(@commit_being_updated)
+
+        @commit_being_updated =
           if pull_request.commits == 1
             github_client_for_source.
               git_commit(source.repo, pull_request.head.sha)
           else
-            author_name = author_details&.fetch(:name, nil) || "dependabot"
             commits =
               github_client_for_source.
-              pull_request_commits(source.repo, pull_request_number).
-              reverse
-
-            commit =
-              commits.find { |c| c.sha == old_commit } ||
-              commits.find { |c| c.commit.author.name.include?(author_name) } ||
-              commits.first
+              pull_request_commits(source.repo, pull_request_number)
 
-            commit.commit
+            commit = commits.find { |c| c.sha == old_commit }
+            commit&.commit
           end
       end
 

data/lib/dependabot/pull_request_updater.rb

@@ -69,7 +69,8 @@ module Dependabot
         old_commit: old_commit,
         files: files,
         credentials: credentials,
-        pull_request_number: pull_request_number
+        pull_request_number: pull_request_number,
+        author_details: author_details
       )
     end
   end

data/lib/dependabot/source.rb

@@ -7,7 +7,7 @@ module Dependabot
       (?:\.com)[/:]
       (?<repo>[\w.-]+/(?:(?!\.git|\.\s)[\w.-])+)
       (?:(?:/tree|/blob)/(?<branch>[^/]+)/(?<directory>.*)[\#|/])?
-    }x.freeze
+    }x
 
     GITHUB_ENTERPRISE_SOURCE = %r{
       (?<protocol>(http://|https://|git://|ssh://))*
@@ -16,27 +16,27 @@ module Dependabot
       [/:]
       (?<repo>[\w.-]+/(?:(?!\.git|\.\s)[\w.-])+)
       (?:(?:/tree|/blob)/(?<branch>[^/]+)/(?<directory>.*)[\#|/])?
-    }x.freeze
+    }x
 
     GITLAB_SOURCE = %r{
       (?<provider>gitlab)
       (?:\.com)[/:]
-      (?<repo>(?!\.git|/tree|/blob)[\w./-]+?)(?:\.git)?
-      (?:(?:/tree|/blob)/(?<branch>[^/]+)/(?<directory>.*)[\#|/].*)?$
-    }x.freeze
+      (?<repo>[^/]+/(?:(?!\.git)[^/])+((?!/tree|/blob/|/-)/[^/]+)?)
+      (?:(?:/tree|/blob)/(?<branch>[^/]+)/(?<directory>.*)[\#|/].*)?
+    }x
 
     BITBUCKET_SOURCE = %r{
       (?<provider>bitbucket)
       (?:\.org)[/:]
       (?<repo>[\w.-]+/(?:(?!\.git|\.\s)[\w.-])+)
       (?:(?:/src)/(?<branch>[^/]+)/(?<directory>.*)[\#|/])?
-    }x.freeze
+    }x
 
     AZURE_SOURCE = %r{
       (?<provider>azure)
       (?:\.com)[/:]
       (?<repo>[\w.-]+/([\w.-]+/)?(?:_git/)(?:(?!\.git|\.\s)[\w.-])+)
-    }x.freeze
+    }x
 
     CODECOMMIT_SOURCE = %r{
       (?<protocol>(http://|https://|git://|ssh://))
@@ -48,7 +48,7 @@ module Dependabot
       (?:/)?(?<directory>[^?]*)?
       [?]?
       (?<ref>.*)?
-    }x.freeze
+    }x
 
     SOURCE_REGEX = /
       (?:#{GITHUB_SOURCE})|
@@ -56,7 +56,7 @@ module Dependabot
       (?:#{BITBUCKET_SOURCE})|
       (?:#{AZURE_SOURCE})|
       (?:#{CODECOMMIT_SOURCE})
-    /x.freeze
+    /x
 
     IGNORED_PROVIDER_HOSTS = %w(gitbox.apache.org svn.apache.org fuchsia.googlesource.com).freeze
 

data/lib/dependabot/update_checkers/base.rb

@@ -120,7 +120,7 @@ module Dependabot
         Utils.requirement_class_for_package_manager(dependency.package_manager)
       end
 
-      # For some langauges, the manifest file may be constructed such that
+      # For some languages, the manifest file may be constructed such that
       # Dependabot has no way to update it (e.g., if it fetches its versions
       # from a web API). This method is overridden in those cases.
       def requirements_unlocked_or_can_be?

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.212.0"
+  VERSION = "0.213.0"
 end