dependabot-common 0.223.0 → 0.225.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 18ecca84ce32ec9c88e10c027588144887dcbec20f59878d30d8d3c26d0d41f4
-  data.tar.gz: 4a13a9d395adf5c8567523e6afb21ab4dc2d265b98d30f2c99bee1b19d8c5119
+  metadata.gz: eff50d0047fd94f2b62e76e55d42561e17780c26da251ba55cd04f493bce0cb5
+  data.tar.gz: 34d2e201f6198e4478a2b13d8e2c12162ae1a2e74b6c66ebfd45e12518379155
 SHA512:
-  metadata.gz: 9ce88a617e9e8d0952c76630f8f8c76956a38f66cedc06e2da6f360ceaf9b28a52fef49be84102213a4262d96abf56c7ec55c6d75fc53e6e6b6653d3c8f363b1
-  data.tar.gz: 4b58cd7780d8c2c4f8d18a0622a7a16d2f0ace2204098d5376b4077fef02a1b6629cea77c4b280f745b4e4946568d9be2014e6e38f31ac088696eb981d69019a
+  metadata.gz: 97d3947770789948f293026af11c4a8f065831ebf4c5ee5f06c3e2fe147766b5d4615b2497fbd7dfbfb4589a07df52a91de9c7041fe49cd74795fd3fb6be6437
+  data.tar.gz: 640a7855071b6c94d1a8e91972bf4e34792e6ffcf02ac38d1bb6a42e985fdfc3479b994c645fdb24d77fe450f84e39aef0e6bef2ab41c0394989f9c63f792f19

data/lib/dependabot/clients/azure.rb

@@ -22,8 +22,6 @@ module Dependabot
 
       RETRYABLE_ERRORS = [InternalServerError, BadGateway, ServiceNotAvailable].freeze
 
-      MAX_PR_DESCRIPTION_LENGTH = 3999
-
       #######################
       # Constructor methods #
       #######################
@@ -174,7 +172,6 @@ module Dependabot
       def create_pull_request(pr_name, source_branch, target_branch,
                               pr_description, labels,
                               reviewers = nil, assignees = nil, work_item = nil)
-        pr_description = truncate_pr_description(pr_description)
 
         content = {
           sourceRefName: "refs/heads/" + source_branch,
@@ -375,19 +372,6 @@ module Dependabot
         end
       end
 
-      def truncate_pr_description(pr_description)
-        # Azure DevOps only support descriptions up to 4000 characters in UTF-16
-        # encoding.
-        # https://developercommunity.visualstudio.com/content/problem/608770/remove-4000-character-limit-on-pull-request-descri.html
-        pr_description = pr_description.dup.force_encoding(Encoding::UTF_16)
-        if pr_description.length > MAX_PR_DESCRIPTION_LENGTH
-          truncated_msg = (+"...\n\n_Description has been truncated_").force_encoding(Encoding::UTF_16)
-          truncate_length = MAX_PR_DESCRIPTION_LENGTH - truncated_msg.length
-          pr_description = (pr_description[0..truncate_length] + truncated_msg)
-        end
-        pr_description.force_encoding(Encoding::UTF_8)
-      end
-
       def tags_creation_forbidden?(response)
         return if response.body.empty?
 

data/lib/dependabot/dependency_group.rb

@@ -1,16 +1,42 @@
 # frozen_string_literal: true
 
+require "dependabot/experiments"
+require "dependabot/config/ignore_condition"
+require "dependabot/logger"
+
 require "wildcard_matcher"
 require "yaml"
 
 module Dependabot
   class DependencyGroup
+    ANY_DEPENDENCY_NAME = "*"
+    SECURITY_UPDATES_ONLY = false
+
+    DEFAULT_UPDATE_TYPES = [
+      SEMVER_MAJOR = "major",
+      SEMVER_MINOR = "minor",
+      SEMVER_PATCH = "patch"
+    ].freeze
+
+    IGNORE_CONDITION_TYPES = {
+      SEMVER_MAJOR => Dependabot::Config::IgnoreCondition::MAJOR_VERSION_TYPE,
+      SEMVER_MINOR => Dependabot::Config::IgnoreCondition::MINOR_VERSION_TYPE,
+      SEMVER_PATCH => Dependabot::Config::IgnoreCondition::PATCH_VERSION_TYPE
+    }.freeze
+
+    class NullIgnoreCondition
+      def ignored_versions(_dependency, _security_updates_only)
+        []
+      end
+    end
+
     attr_reader :name, :rules, :dependencies
 
     def initialize(name:, rules:)
       @name = name
       @rules = rules
       @dependencies = []
+      @ignore_condition = generate_ignore_condition!
     end
 
     def contains?(dependency)
@@ -20,6 +46,18 @@ module Dependabot
       matches_pattern?(dependency.name) && matches_dependency_type?(dependency)
     end
 
+    # This method generates ignored versions for the given Dependency based on
+    # the any update-types we have defined.
+    def ignored_versions_for(dependency)
+      @ignore_condition.ignored_versions(dependency, SECURITY_UPDATES_ONLY)
+    end
+
+    def targets_highest_versions_possible?
+      return true unless experimental_rules_enabled?
+
+      update_types.include?(SEMVER_MAJOR)
+    end
+
     def to_h
       { "name" => name }
     end
@@ -54,5 +92,49 @@ module Dependabot
                                     "development"
                                   end
     end
+
+    def pattern_rules?
+      rules.key?("patterns") && rules["patterns"]&.any?
+    end
+
+    def update_types
+      rules.fetch("update-types", DEFAULT_UPDATE_TYPES)
+    end
+
+    def generate_ignore_condition!
+      return NullIgnoreCondition.new unless experimental_rules_enabled?
+
+      ignored_update_types = ignored_update_types_for_rules
+
+      return NullIgnoreCondition.new unless ignored_update_types.any?
+
+      Dependabot.logger.debug("The #{name} group has set ignores for update-type(s): #{ignored_update_types}")
+
+      Dependabot::Config::IgnoreCondition.new(
+        dependency_name: ANY_DEPENDENCY_NAME,
+        update_types: ignored_update_types
+      )
+    end
+
+    def ignored_update_types_for_rules
+      unless update_types.is_a?(Array)
+        raise ArgumentError,
+              "The #{name} group has an unexpected value for update-types: '#{update_types}'"
+      end
+
+      unless update_types.any?
+        raise ArgumentError,
+              "The #{name} group has specified an empty array for update-types."
+      end
+
+      ignored_update_types = DEFAULT_UPDATE_TYPES - update_types
+      return [] if ignored_update_types.empty?
+
+      IGNORE_CONDITION_TYPES.fetch_values(*ignored_update_types)
+    end
+
+    def experimental_rules_enabled?
+      Dependabot::Experiments.enabled?(:grouped_updates_experimental_rules)
+    end
   end
 end

data/lib/dependabot/file_parsers/base/dependency_set.rb

@@ -126,6 +126,7 @@ module Dependabot
               version: version,
               requirements: requirements,
               package_manager: old_dep.package_manager,
+              metadata: old_dep.metadata,
               subdependency_metadata: subdependency_metadata
             )
           end

data/lib/dependabot/git_metadata_fetcher.rb

@@ -112,13 +112,17 @@ module Dependabot
       command = "git ls-remote #{service_pack_uri}"
       command = SharedHelpers.escape_command(command)
 
-      stdout, stderr, process = Open3.capture3(env, command)
-      # package the command response like a HTTP response so error handling
-      # remains unchanged
-      if process.success?
-        OpenStruct.new(body: stdout, status: 200)
+      begin
+        stdout, stderr, process = Open3.capture3(env, command)
+        # package the command response like a HTTP response so error handling remains unchanged
+      rescue Errno::ENOENT => e # thrown when `git` isn't installed...
+        OpenStruct.new(body: e.message, status: 500)
       else
-        OpenStruct.new(body: stderr, status: 500)
+        if process.success?
+          OpenStruct.new(body: stdout, status: 200)
+        else
+          OpenStruct.new(body: stderr, status: 500)
+        end
       end
     end
 

data/lib/dependabot/pull_request_creator/azure.rb

@@ -10,6 +10,11 @@ module Dependabot
                   :files, :commit_message, :pr_description, :pr_name,
                   :author_details, :labeler, :reviewers, :assignees, :work_item
 
+      # Azure DevOps limits PR descriptions to a max of 4,000 characters in UTF-16 encoding:
+      # https://developercommunity.visualstudio.com/content/problem/608770/remove-4000-character-limit-on-pull-request-descri.html
+      PR_DESCRIPTION_MAX_LENGTH = 3_999 # 0 based count
+      PR_DESCRIPTION_ENCODING = Encoding::UTF_16
+
       def initialize(source:, branch_name:, base_commit:, credentials:,
                      files:, commit_message:, pr_description:, pr_name:,
                      author_details:, labeler:, reviewers: nil, assignees: nil, work_item: nil)

data/lib/dependabot/pull_request_creator/codecommit.rb

@@ -10,6 +10,10 @@ module Dependabot
                   :files, :commit_message, :pr_description, :pr_name,
                   :author_details, :labeler
 
+      # CodeCommit limits PR descriptions to a max length of 10,240 characters:
+      # https://docs.aws.amazon.com/codecommit/latest/APIReference/API_PullRequest.html
+      PR_DESCRIPTION_MAX_LENGTH = 10_239 # 0 based count
+
       def initialize(source:, branch_name:, base_commit:, credentials:,
                      files:, commit_message:, pr_description:, pr_name:,
                      author_details:, labeler:, require_up_to_date_base:)

data/lib/dependabot/pull_request_creator/github.rb

@@ -9,7 +9,9 @@ module Dependabot
   class PullRequestCreator
     # rubocop:disable Metrics/ClassLength
     class Github
-      MAX_PR_DESCRIPTION_LENGTH = 65_536 # characters (see #create_pull_request)
+      # GitHub limits PR descriptions to a max of 65,536 characters:
+      # https://github.com/orgs/community/discussions/27190#discussioncomment-3726017
+      PR_DESCRIPTION_MAX_LENGTH = 65_535 # 0 based count
 
       attr_reader :source, :branch_name, :base_commit, :credentials,
                   :files, :pr_description, :pr_name, :commit_message,
@@ -349,18 +351,6 @@ module Dependabot
       end
 
       def create_pull_request
-        # Limit PR description to MAX_PR_DESCRIPTION_LENGTH (65,536) characters
-        # and truncate with message if over. The API limit is 262,144 bytes
-        # (https://github.community/t/maximum-length-for-the-comment-body-in-issues-and-pr/148867/2).
-        # As Ruby strings are UTF-8 encoded, this is a pessimistic limit: it
-        # presumes the case where all characters are 4 bytes.
-        pr_description = @pr_description.dup
-        if pr_description && pr_description.length > MAX_PR_DESCRIPTION_LENGTH
-          truncated_msg = "...\n\n_Description has been truncated_"
-          truncate_length = MAX_PR_DESCRIPTION_LENGTH - truncated_msg.length
-          pr_description = (pr_description[0, truncate_length] + truncated_msg)
-        end
-
         github_client_for_source.create_pull_request(
           source.repo,
           target_branch,

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -22,13 +22,16 @@ module Dependabot
       attr_reader :source, :dependencies, :files, :credentials,
                   :pr_message_header, :pr_message_footer,
                   :commit_message_options, :vulnerabilities_fixed,
-                  :github_redirection_service, :dependency_group
+                  :github_redirection_service, :dependency_group, :pr_message_max_length,
+                  :pr_message_encoding, :ignore_conditions
+
+      TRUNCATED_MSG = "...\n\n_Description has been truncated_"
 
       def initialize(source:, dependencies:, files:, credentials:,
                      pr_message_header: nil, pr_message_footer: nil,
                      commit_message_options: {}, vulnerabilities_fixed: {},
                      github_redirection_service: DEFAULT_GITHUB_REDIRECTION_SERVICE,
-                     dependency_group: nil)
+                     dependency_group: nil, pr_message_max_length: nil, pr_message_encoding: nil, ignore_conditions: [])
         @dependencies               = dependencies
         @files                      = files
         @source                     = source
@@ -39,8 +42,15 @@ module Dependabot
         @vulnerabilities_fixed      = vulnerabilities_fixed
         @github_redirection_service = github_redirection_service
         @dependency_group           = dependency_group
+        @pr_message_max_length      = pr_message_max_length
+        @pr_message_encoding        = pr_message_encoding
+        @ignore_conditions          = ignore_conditions
       end
 
+      attr_writer :pr_message_max_length
+
+      attr_writer :pr_message_encoding
+
       def pr_name
         name = dependency_group ? group_pr_name : solo_pr_name
         name[0] = name[0].capitalize if pr_name_prefixer.capitalize_first_word?
@@ -48,13 +58,49 @@ module Dependabot
       end
 
       def pr_message
-        suffixed_pr_message_header + commit_message_intro +
-          metadata_cascades + prefixed_pr_message_footer
+        # TODO: Remove unignore_commands? feature flag once we are confident
+        # that it is working as expected
+        msg = if unignore_commands?
+                "#{suffixed_pr_message_header}" \
+                  "#{commit_message_intro}" \
+                  "#{metadata_cascades}" \
+                  "#{ignore_conditions_table}" \
+                  "#{prefixed_pr_message_footer}"
+              else
+                "#{suffixed_pr_message_header}" \
+                  "#{commit_message_intro}" \
+                  "#{metadata_cascades}" \
+                  "#{prefixed_pr_message_footer}"
+              end
+
+        truncate_pr_message(msg)
       rescue StandardError => e
         Dependabot.logger.error("Error while generating PR message: #{e.message}")
         suffixed_pr_message_header + prefixed_pr_message_footer
       end
 
+      def unignore_commands?
+        Experiments.enabled?(:unignore_commands)
+      end
+
+      # Truncate PR message as determined by the pr_message_max_length and pr_message_encoding instance variables
+      # The encoding is used when calculating length, all messages are returned as ruby UTF_8 encoded string
+      def truncate_pr_message(msg)
+        return msg if pr_message_max_length.nil?
+
+        msg = msg.dup
+        msg = msg.force_encoding(pr_message_encoding) unless pr_message_encoding.nil?
+
+        if msg.length > pr_message_max_length
+          tr_msg = pr_message_encoding.nil? ? TRUNCATED_MSG : (+TRUNCATED_MSG).dup.force_encoding(pr_message_encoding)
+          trunc_length = pr_message_max_length - tr_msg.length
+          msg = (msg[0..trunc_length] + tr_msg)
+        end
+        # if we used a custom encoding for calculating length, then we need to force back to UTF-8
+        msg.force_encoding(Encoding::UTF_8) unless pr_message_encoding.nil?
+        msg
+      end
+
       def commit_message
         message = commit_subject + "\n\n"
         message += commit_message_intro
@@ -477,6 +523,46 @@ module Dependabot
         ).to_s
       end
 
+      def ignore_conditions_table
+        # Return an empty string if ignore_conditions is empty
+        return "" if @ignore_conditions.empty?
+
+        # Filter out the conditions where from_config_file is false and dependency is in @dependencies
+        valid_ignore_conditions = @ignore_conditions.select do |ic|
+          !ic[:from_config_file] && dependencies.any? { |dep| dep.name == ic[:dependency_name] }
+        end
+
+        # Return an empty string if no valid ignore conditions after filtering
+        return "" if valid_ignore_conditions.empty?
+
+        # Sort them by updated_at (or created_at if updated_at is nil), taking the latest 20
+        sorted_ignore_conditions = valid_ignore_conditions.sort_by { |ic| ic[:updated_at] || ic[:created_at] }.last(20)
+
+        # Map each condition to a row string
+        table_rows = sorted_ignore_conditions.map do |ic|
+          "| #{ic[:dependency_name]} | [#{ic[:version_requirement]}] |"
+        end
+
+        summary = "Most Recent Ignore Conditions Applied to This Pull Request"
+        build_table(summary, table_rows)
+      end
+
+      def build_table(summary, rows)
+        table_header = "| Dependency Name | Ignore Conditions |"
+        table_divider = "| --- | --- |"
+        table_body = rows.join("\n")
+        body = "\n#{[table_header, table_divider, table_body].join("\n")}\n"
+
+        if %w(azure bitbucket codecommit).include?(source.provider)
+          "\n##{summary}\n\n#{body}"
+        else
+          # Build the collapsible section
+          msg = "<details>\n<summary>#{summary}</summary>\n\n" \
+                "#{[table_header, table_divider, table_body].join("\n")}\n</details>"
+          "\n#{msg}\n"
+        end
+      end
+
       def changelog_url(dependency)
         metadata_finder(dependency).changelog_url
       end

data/lib/dependabot/pull_request_creator.rb

@@ -49,7 +49,8 @@ module Dependabot
                 :commit_message_options, :vulnerabilities_fixed,
                 :reviewers, :assignees, :milestone, :branch_name_separator,
                 :branch_name_prefix, :branch_name_max_length, :github_redirection_service,
-                :custom_headers, :provider_metadata, :dependency_group
+                :custom_headers, :provider_metadata, :dependency_group, :pr_message_max_length,
+                :pr_message_encoding
 
     def initialize(source:, base_commit:, dependencies:, files:, credentials:,
                    pr_message_header: nil, pr_message_footer: nil,
@@ -61,7 +62,8 @@ module Dependabot
                    automerge_candidate: false,
                    github_redirection_service: DEFAULT_GITHUB_REDIRECTION_SERVICE,
                    custom_headers: nil, require_up_to_date_base: false,
-                   provider_metadata: {}, message: nil, dependency_group: nil)
+                   provider_metadata: {}, message: nil, dependency_group: nil, pr_message_max_length: nil,
+                   pr_message_encoding: nil)
       @dependencies               = dependencies
       @source                     = source
       @base_commit                = base_commit
@@ -88,6 +90,8 @@ module Dependabot
       @provider_metadata          = provider_metadata
       @message                    = message
       @dependency_group           = dependency_group
+      @pr_message_max_length      = pr_message_max_length
+      @pr_message_encoding        = pr_message_encoding
 
       check_dependencies_have_previous_version
     end
@@ -216,19 +220,32 @@ module Dependabot
     end
 
     def message
-      @message ||=
-        MessageBuilder.new(
-          source: source,
-          dependencies: dependencies,
-          files: files,
-          credentials: credentials,
-          commit_message_options: commit_message_options,
-          pr_message_header: pr_message_header,
-          pr_message_footer: pr_message_footer,
-          vulnerabilities_fixed: vulnerabilities_fixed,
-          github_redirection_service: github_redirection_service,
-          dependency_group: dependency_group
-        )
+      return @message unless @message.nil?
+
+      case source.provider
+      when "github"
+        @pr_message_max_length = Github::PR_DESCRIPTION_MAX_LENGTH if @pr_message_max_length.nil?
+      when "azure"
+        @pr_message_max_length = Azure::PR_DESCRIPTION_MAX_LENGTH if @pr_message_max_length.nil?
+        @pr_message_encoding = Azure::PR_DESCRIPTION_ENCODING if @pr_message_encoding.nil?
+      when "codecommit"
+        @pr_message_max_length = Codecommit::PR_DESCRIPTION_MAX_LENGTH if @pr_message_max_length.nil?
+      end
+
+      @message = MessageBuilder.new(
+        source: source,
+        dependencies: dependencies,
+        files: files,
+        credentials: credentials,
+        commit_message_options: commit_message_options,
+        pr_message_header: pr_message_header,
+        pr_message_footer: pr_message_footer,
+        vulnerabilities_fixed: vulnerabilities_fixed,
+        github_redirection_service: github_redirection_service,
+        dependency_group: dependency_group,
+        pr_message_max_length: pr_message_max_length,
+        pr_message_encoding: pr_message_encoding
+      )
     end
 
     def branch_namer

data/lib/dependabot/update_checkers/base.rb

@@ -166,6 +166,7 @@ module Dependabot
           previous_version: previous_version,
           previous_requirements: dependency.requirements,
           package_manager: dependency.package_manager,
+          metadata: dependency.metadata,
           subdependency_metadata: dependency.subdependency_metadata
         )
       end
@@ -181,6 +182,7 @@ module Dependabot
           previous_version: previous_version,
           previous_requirements: dependency.requirements,
           package_manager: dependency.package_manager,
+          metadata: dependency.metadata,
           subdependency_metadata: dependency.subdependency_metadata
         )
       end

data/lib/dependabot.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.223.0"
+  VERSION = "0.225.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.223.0
+  version: 0.225.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-07-25 00:00:00.000000000 Z
+date: 2023-07-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -486,7 +486,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.223.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.225.0
 post_install_message: 
 rdoc_options: []
 require_paths: