dependabot-common 0.215.0 → 0.216.0
- checksums.yaml +4 -4
- data/lib/dependabot/clients/azure.rb +69 -0
- data/lib/dependabot/clients/bitbucket.rb +3 -1
- data/lib/dependabot/clients/github_with_retries.rb +6 -0
- data/lib/dependabot/config/file_fetcher.rb +1 -1
- data/lib/dependabot/config/ignore_condition.rb +20 -13
- data/lib/dependabot/dependency.rb +63 -2
- data/lib/dependabot/dependency_file.rb +1 -1
- data/lib/dependabot/errors.rb +1 -1
- data/lib/dependabot/file_fetchers/base.rb +15 -4
- data/lib/dependabot/file_parsers/base/dependency_set.rb +19 -12
- data/lib/dependabot/file_parsers/base.rb +0 -2
- data/lib/dependabot/git_metadata_fetcher.rb +30 -25
- data/lib/dependabot/group_rule.rb +11 -0
- data/lib/dependabot/metadata_finders/README.md +1 -1
- data/lib/dependabot/metadata_finders/base/changelog_finder.rb +53 -11
- data/lib/dependabot/metadata_finders/base/commits_finder.rb +40 -3
- data/lib/dependabot/metadata_finders/base/release_finder.rb +1 -1
- data/lib/dependabot/pull_request_creator/branch_namer/group_rule_strategy.rb +28 -0
- data/lib/dependabot/pull_request_creator/branch_namer/solo_strategy.rb +208 -0
- data/lib/dependabot/pull_request_creator/branch_namer.rb +28 -179
- data/lib/dependabot/pull_request_creator/labeler.rb +5 -1
- data/lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb +3 -1
- data/lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb +1 -1
- data/lib/dependabot/pull_request_creator/message_builder.rb +22 -81
- data/lib/dependabot/pull_request_creator.rb +1 -0
- data/lib/dependabot/security_advisory.rb +1 -1
- data/lib/dependabot/shared_helpers.rb +16 -3
- data/lib/dependabot/simple_instrumentor.rb +19 -0
- data/lib/dependabot/source.rb +7 -7
- data/lib/dependabot/version.rb +18 -1
- data/lib/dependabot.rb +1 -0
- metadata +46 -62
- data/lib/dependabot/notifications.rb +0 -18
- data/lib/rubygems_version_patch.rb +0 -14
@@ -26,7 +26,7 @@ module Dependabot
|
|
26
26
|
def initialize(source:, dependencies:, files:, credentials:,
|
27
27
|
pr_message_header: nil, pr_message_footer: nil,
|
28
28
|
commit_message_options: {}, vulnerabilities_fixed: {},
|
29
|
-
github_redirection_service:)
|
29
|
+
github_redirection_service: DEFAULT_GITHUB_REDIRECTION_SERVICE)
|
30
30
|
@dependencies = dependencies
|
31
31
|
@files = files
|
32
32
|
@source = source
|
@@ -110,18 +110,18 @@ module Dependabot
|
|
110
110
|
if dependencies.count == 1
|
111
111
|
dependency = dependencies.first
|
112
112
|
"#{dependency.display_name} " \
|
113
|
-
"#{from_version_msg(
|
114
|
-
"to #{
|
113
|
+
"#{from_version_msg(dependency.humanized_previous_version)}" \
|
114
|
+
"to #{dependency.humanized_version}"
|
115
115
|
elsif updating_a_property?
|
116
116
|
dependency = dependencies.first
|
117
117
|
"#{property_name} " \
|
118
|
-
"#{from_version_msg(
|
119
|
-
"to #{
|
118
|
+
"#{from_version_msg(dependency.humanized_previous_version)}" \
|
119
|
+
"to #{dependency.humanized_version}"
|
120
120
|
elsif updating_a_dependency_set?
|
121
121
|
dependency = dependencies.first
|
122
122
|
"#{dependency_set.fetch(:group)} dependency set " \
|
123
|
-
"#{from_version_msg(
|
124
|
-
"to #{
|
123
|
+
"#{from_version_msg(dependency.humanized_previous_version)}" \
|
124
|
+
"to #{dependency.humanized_version}"
|
125
125
|
else
|
126
126
|
names = dependencies.map(&:name).uniq
|
127
127
|
if names.count == 1
|
@@ -231,8 +231,8 @@ module Dependabot
|
|
231
231
|
|
232
232
|
dependency = dependencies.first
|
233
233
|
msg = "Bumps #{dependency_links.first} " \
|
234
|
-
"#{from_version_msg(
|
235
|
-
"to #{
|
234
|
+
"#{from_version_msg(dependency.humanized_previous_version)}" \
|
235
|
+
"to #{dependency.humanized_version}."
|
236
236
|
|
237
237
|
msg += " This release includes the previously tagged commit." if switching_from_ref_to_release?(dependency)
|
238
238
|
|
@@ -252,16 +252,16 @@ module Dependabot
|
|
252
252
|
dependency = dependencies.first
|
253
253
|
|
254
254
|
"Bumps `#{property_name}` " \
|
255
|
-
"#{from_version_msg(
|
256
|
-
"to #{
|
255
|
+
"#{from_version_msg(dependency.humanized_previous_version)}" \
|
256
|
+
"to #{dependency.humanized_version}."
|
257
257
|
end
|
258
258
|
|
259
259
|
def dependency_set_intro
|
260
260
|
dependency = dependencies.first
|
261
261
|
|
262
262
|
"Bumps `#{dependency_set.fetch(:group)}` " \
|
263
|
-
"dependency set #{from_version_msg(
|
264
|
-
"to #{
|
263
|
+
"dependency set #{from_version_msg(dependency.humanized_previous_version)}" \
|
264
|
+
"to #{dependency.humanized_version}."
|
265
265
|
end
|
266
266
|
|
267
267
|
def multidependency_intro
|
@@ -273,7 +273,7 @@ module Dependabot
|
|
273
273
|
def transitive_multidependency_intro
|
274
274
|
dependency = dependencies.first
|
275
275
|
|
276
|
-
msg = "Bumps #{dependency_links[0]} to #{
|
276
|
+
msg = "Bumps #{dependency_links[0]} to #{dependency.humanized_version}"
|
277
277
|
|
278
278
|
msg += if dependencies.count > 2
|
279
279
|
" and updates ancestor dependencies #{dependency_links[0..-2].join(', ')} " \
|
@@ -369,8 +369,8 @@ module Dependabot
|
|
369
369
|
"\n\nRemoves `#{dep.display_name}`"
|
370
370
|
else
|
371
371
|
"\n\nUpdates `#{dep.display_name}` " \
|
372
|
-
"#{from_version_msg(
|
373
|
-
"#{
|
372
|
+
"#{from_version_msg(dep.humanized_previous_version)}to " \
|
373
|
+
"#{dep.humanized_version}" \
|
374
374
|
"#{metadata_links_for_dep(dep)}"
|
375
375
|
end
|
376
376
|
end.join
|
@@ -393,8 +393,8 @@ module Dependabot
|
|
393
393
|
"\nRemoves `#{dep.display_name}`\n"
|
394
394
|
else
|
395
395
|
"\nUpdates `#{dep.display_name}` " \
|
396
|
-
"#{from_version_msg(
|
397
|
-
"to #{
|
396
|
+
"#{from_version_msg(dep.humanized_previous_version)}" \
|
397
|
+
"to #{dep.humanized_version}"
|
398
398
|
end
|
399
399
|
|
400
400
|
if vulnerabilities_fixed[dep.name]&.one?
|
@@ -462,61 +462,6 @@ module Dependabot
|
|
462
462
|
)
|
463
463
|
end
|
464
464
|
|
465
|
-
def previous_version(dependency)
|
466
|
-
# If we don't have a previous version, we *may* still be able to figure
|
467
|
-
# one out if a ref was provided and has been changed (in which case the
|
468
|
-
# previous ref was essentially the version).
|
469
|
-
if dependency.previous_version.nil?
|
470
|
-
return ref_changed?(dependency) ? previous_ref(dependency) : nil
|
471
|
-
end
|
472
|
-
|
473
|
-
if dependency.previous_version.match?(/^[0-9a-f]{40}$/)
|
474
|
-
return previous_ref(dependency) if ref_changed?(dependency) && previous_ref(dependency)
|
475
|
-
|
476
|
-
"`#{dependency.previous_version[0..6]}`"
|
477
|
-
elsif dependency.version == dependency.previous_version &&
|
478
|
-
package_manager == "docker"
|
479
|
-
digest = docker_digest_from_reqs(dependency.previous_requirements)
|
480
|
-
"`#{digest.split(':').last[0..6]}`"
|
481
|
-
else
|
482
|
-
dependency.previous_version
|
483
|
-
end
|
484
|
-
end
|
485
|
-
|
486
|
-
def new_version(dependency)
|
487
|
-
if dependency.version.match?(/^[0-9a-f]{40}$/)
|
488
|
-
return new_ref(dependency) if ref_changed?(dependency) && new_ref(dependency)
|
489
|
-
|
490
|
-
"`#{dependency.version[0..6]}`"
|
491
|
-
elsif dependency.version == dependency.previous_version &&
|
492
|
-
package_manager == "docker"
|
493
|
-
digest = docker_digest_from_reqs(dependency.requirements)
|
494
|
-
"`#{digest.split(':').last[0..6]}`"
|
495
|
-
else
|
496
|
-
dependency.version
|
497
|
-
end
|
498
|
-
end
|
499
|
-
|
500
|
-
def docker_digest_from_reqs(requirements)
|
501
|
-
requirements.
|
502
|
-
filter_map { |r| r.dig(:source, "digest") || r.dig(:source, :digest) }.
|
503
|
-
first
|
504
|
-
end
|
505
|
-
|
506
|
-
def previous_ref(dependency)
|
507
|
-
previous_refs = dependency.previous_requirements.filter_map do |r|
|
508
|
-
r.dig(:source, "ref") || r.dig(:source, :ref)
|
509
|
-
end.uniq
|
510
|
-
return previous_refs.first if previous_refs.count == 1
|
511
|
-
end
|
512
|
-
|
513
|
-
def new_ref(dependency)
|
514
|
-
new_refs = dependency.requirements.filter_map do |r|
|
515
|
-
r.dig(:source, "ref") || r.dig(:source, :ref)
|
516
|
-
end.uniq
|
517
|
-
return new_refs.first if new_refs.count == 1
|
518
|
-
end
|
519
|
-
|
520
465
|
def old_library_requirement(dependency)
|
521
466
|
old_reqs =
|
522
467
|
dependency.previous_requirements - dependency.requirements
|
@@ -527,7 +472,7 @@ module Dependabot
|
|
527
472
|
|
528
473
|
req = old_reqs.first.fetch(:requirement)
|
529
474
|
return req if req
|
530
|
-
return previous_ref
|
475
|
+
return dependency.previous_ref if dependency.ref_changed?
|
531
476
|
end
|
532
477
|
|
533
478
|
def new_library_requirement(dependency)
|
@@ -540,15 +485,11 @@ module Dependabot
|
|
540
485
|
|
541
486
|
req = updated_reqs.first.fetch(:requirement)
|
542
487
|
return req if req
|
543
|
-
return new_ref
|
488
|
+
return dependency.new_ref if dependency.ref_changed? && dependency.new_ref
|
544
489
|
|
545
490
|
raise "No new requirement!"
|
546
491
|
end
|
547
492
|
|
548
|
-
def ref_changed?(dependency)
|
549
|
-
previous_ref(dependency) != new_ref(dependency)
|
550
|
-
end
|
551
|
-
|
552
493
|
# TODO: Bring this in line with existing library checks that we do in the
|
553
494
|
# update checkers, which are also overriden by passing an explicit
|
554
495
|
# `requirements_update_strategy`.
|
@@ -560,12 +501,12 @@ module Dependabot
|
|
560
501
|
select { |p| Pathname.new(p).dirname.to_s == "." }
|
561
502
|
return true if root_files.select { |nm| nm.end_with?(".gemspec") }.any?
|
562
503
|
|
563
|
-
dependencies.any? { |d|
|
504
|
+
dependencies.any? { |d| d.humanized_previous_version.nil? }
|
564
505
|
end
|
565
506
|
|
566
507
|
def switching_from_ref_to_release?(dependency)
|
567
508
|
unless dependency.previous_version&.match?(/^[0-9a-f]{40}$/) ||
|
568
|
-
(dependency.previous_version.nil? && previous_ref
|
509
|
+
(dependency.previous_version.nil? && dependency.previous_ref)
|
569
510
|
return false
|
570
511
|
end
|
571
512
|
|
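Review bot: `switching_from_ref_to_release?` still classifies `previous_version` with `/^[0-9a-f]{40}$/`, and in Ruby `^`/`$` anchor at line boundaries, so any value that merely contains a 40-hex line matches rather than only a bare SHA; `\A[0-9a-f]{40}\z` is the whole-string form. That regex sits on an unchanged context line, and the same pattern presumably moved into the new `Dependency#humanized_version`/`#humanized_previous_version` helpers this hunk now calls (dependency.rb gains 63 lines in the diffstat), so both places would want the stricter anchors, since version strings come from parsed manifests and lockfiles the updater does not control. Separately, `old_library_requirement` now returns `dependency.previous_ref if dependency.ref_changed?` while `new_library_requirement` additionally guards `&& dependency.new_ref`; if `previous_ref` can be nil when several requirements disagree, the old-side branch silently yields nil where the new-side one falls through to the raise. `switching_from_ref_to_release?` continues past the end of this hunk.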
@@ -1,6 +1,5 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
require "active_support/notifications"
|
4
3
|
require "digest"
|
5
4
|
require "English"
|
6
5
|
require "excon"
|
@@ -10,9 +9,10 @@ require "open3"
|
|
10
9
|
require "shellwords"
|
11
10
|
require "tmpdir"
|
12
11
|
|
12
|
+
require "dependabot/simple_instrumentor"
|
13
13
|
require "dependabot/utils"
|
14
14
|
require "dependabot/errors"
|
15
|
-
require "dependabot
|
15
|
+
require "dependabot"
|
16
16
|
|
17
17
|
module Dependabot
|
18
18
|
module SharedHelpers
|
@@ -97,6 +97,7 @@ module Dependabot
|
|
97
97
|
|
98
98
|
if ENV["DEBUG_HELPERS"] == "true"
|
99
99
|
puts env_cmd
|
100
|
+
puts function
|
100
101
|
puts stdout
|
101
102
|
puts stderr
|
102
103
|
end
|
@@ -116,6 +117,8 @@ module Dependabot
|
|
116
117
|
process_termsig: process.termsig
|
117
118
|
}
|
118
119
|
|
120
|
+
check_out_of_memory_error(stderr, error_context)
|
121
|
+
|
119
122
|
response = JSON.parse(stdout)
|
120
123
|
return response["result"] if process.success?
|
121
124
|
|
@@ -134,6 +137,16 @@ module Dependabot
|
|
134
137
|
end
|
135
138
|
# rubocop:enable Metrics/MethodLength
|
136
139
|
|
140
|
+
def self.check_out_of_memory_error(stderr, error_context)
|
141
|
+
return unless stderr&.include?("JavaScript heap out of memory")
|
142
|
+
|
143
|
+
raise HelperSubprocessFailed.new(
|
144
|
+
message: "JavaScript heap out of memory",
|
145
|
+
error_class: "Dependabot::OutOfMemoryError",
|
146
|
+
error_context: error_context
|
147
|
+
)
|
148
|
+
end
|
149
|
+
|
137
150
|
def self.excon_middleware
|
138
151
|
Excon.defaults[:middlewares] +
|
139
152
|
[Excon::Middleware::Decompress] +
|
@@ -151,7 +164,7 @@ module Dependabot
|
|
151
164
|
options ||= {}
|
152
165
|
headers = options.delete(:headers)
|
153
166
|
{
|
154
|
-
instrumentor:
|
167
|
+
instrumentor: Dependabot::SimpleInstrumentor,
|
155
168
|
connect_timeout: 5,
|
156
169
|
write_timeout: 5,
|
157
170
|
read_timeout: 20,
|
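Review bot: `check_out_of_memory_error` spells the literal `"JavaScript heap out of memory"` twice, once in the `include?` test and once as the raised message, so the two can drift apart; a single frozen constant such as `OOM_MESSAGE = "JavaScript heap out of memory"` used in both places documents what the check is looking for and keeps them in sync. The method is also a public `self.` method although it is only an internal step of the subprocess runner; `private_class_method :check_out_of_memory_error` would keep it off the module's API. A one-line comment above it, `# Node prints a V8 heap OOM to stderr rather than a JSON error; surface it as Dependabot::OutOfMemoryError before the stdout JSON is parsed.`, would explain why the call is placed ahead of `JSON.parse(stdout)`. The enclosing method whose body this hunk touches starts and ends outside the hunk.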
@@ -0,0 +1,19 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Dependabot
|
4
|
+
module SimpleInstrumentor
|
5
|
+
class << self
|
6
|
+
attr_accessor :events, :subscribers
|
7
|
+
|
8
|
+
def subscribe(&block)
|
9
|
+
@subscribers ||= []
|
10
|
+
@subscribers << block
|
11
|
+
end
|
12
|
+
|
13
|
+
def instrument(name, params = {}, &block)
|
14
|
+
@subscribers&.each { |s| s.call(name, params) }
|
15
|
+
yield if block
|
16
|
+
end
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
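--- a/data/lib/dependabot/source.rb
+++ b/data/lib/dependabot/source.rb
@@ -5,7 +5,7 @@ module Dependabot
 GITHUB_SOURCE = %r{
 (?<provider>github)
 (?:\.com)[/:]
-(?<repo>[\w.-]+/(?:
+(?<repo>[\w.-]+/(?:[\w.-])+)
 (?:(?:/tree|/blob)/(?<branch>[^/]+)/(?<directory>.*)[\#|/])?
 }x
 
@@ -14,28 +14,28 @@ module Dependabot
 (?<username>[^@]+@)*
 (?<host>[^/]+)
 [/:]
-(?<repo>[\w.-]+/(?:
+(?<repo>[\w.-]+/(?:[\w.-])+)
 (?:(?:/tree|/blob)/(?<branch>[^/]+)/(?<directory>.*)[\#|/])?
 }x
 
 GITLAB_SOURCE = %r{
 (?<provider>gitlab)
 (?:\.com)[/:]
-(?<repo>[^/]+/(?:
+(?<repo>[^/]+/(?:[^/])+((?!/tree|/blob/|/-)/[^/]+)?)
 (?:(?:/tree|/blob)/(?<branch>[^/]+)/(?<directory>.*)[\#|/].*)?
 }x
 
 BITBUCKET_SOURCE = %r{
 (?<provider>bitbucket)
 (?:\.org)[/:]
-(?<repo>[\w.-]+/(?:
+(?<repo>[\w.-]+/(?:[\w.-])+)
 (?:(?:/src)/(?<branch>[^/]+)/(?<directory>.*)[\#|/])?
 }x
 
 AZURE_SOURCE = %r{
 (?<provider>azure)
 (?:\.com)[/:]
-(?<repo>[\w.-]+/([\w.-]+/)?(?:_git/)(?:
+(?<repo>[\w.-]+/([\w.-]+/)?(?:_git/)(?:[\w.-])+)
 }x
 
 CODECOMMIT_SOURCE = %r{
@@ -70,7 +70,7 @@ module Dependabot
 
 new(
 provider: captures.fetch("provider"),
-repo: captures.fetch("repo"),
+repo: captures.fetch("repo").delete_suffix(".git").delete_suffix("."),
 directory: captures.fetch("directory"),
 branch: captures.fetch("branch")
 )
@@ -87,7 +87,7 @@ module Dependabot
 
 new(
 provider: "github",
-repo: captures.fetch("repo"),
+repo: captures.fetch("repo").delete_suffix(".git").delete_suffix("."),
 directory: captures.fetch("directory"),
 branch: captures.fetch("branch"),
 hostname: captures.fetch("host"),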
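Review bot: the new GitLab subgroup lookahead `(?!/tree|/blob/|/-)` is asymmetric: `/tree` has no trailing slash and therefore also rejects a third path segment that merely begins with `tree` (e.g. `group/proj/treeline`), whereas `/blob/` requires the slash; `(?!/tree/|/blob/|/-)` treats both keywords alike. The `delete_suffix(".git").delete_suffix(".")` normalisation added on both `from_url` paths strips at most one occurrence each, so `repo.git.` becomes `repo.git` and `repo..` keeps a trailing dot, which may be acceptable but deserves a short comment on the intent. Note also that the `repo` character classes `[\w.-]+` and `[^/]+` still admit `.` and `..` as whole segments, so a crafted URL can yield a repo such as `../x`; code that splices `repo` into API paths should validate it rather than rely on these regexes. The `from_url` methods containing the last two hunks start outside the hunks.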
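--- a/data/lib/dependabot/version.rb
+++ b/data/lib/dependabot/version.rb
@@ -1,5 +1,22 @@
 # frozen_string_literal: true
 
 module Dependabot
-
+class Version < Gem::Version
+def initialize(version)
+@original_version = version
+
+super
+end
+
+# Opt-in to Rubygems 4 behavior
+def self.correct?(version)
+return false if version.nil?
+
+version.to_s.match?(ANCHORED_VERSION_PATTERN)
+end
+
+def to_semver
+@original_version
+end
+end
 end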
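Review bot: `to_semver` returns `@original_version` exactly as it was passed to `new`, so `Dependabot::Version.new(1).to_semver` is the Integer `1` and `Dependabot::Version.new(Gem::Version.new("1.0")).to_semver` is a `Gem::Version`, while the method name suggests a String; `@original_version = version.to_s` in `initialize` would pin the type unless some caller relies on the raw object. The overridden `self.correct?` now returns `false` for `nil`, which the one-line `# Opt-in to Rubygems 4 behavior` comment does not spell out; expanding it to `# Opt-in to Rubygems 4 behavior: nil is not a version (older Gem::Version.correct? treated it as valid) and the whole string must match ANCHORED_VERSION_PATTERN.` would tell readers what actually changed, given that the diffstat also drops `rubygems_version_patch.rb`. A class-level comment such as `# Gem::Version subclass that remembers the caller's original input (to_semver) and applies the stricter correct? check.` would document the intent.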