dependabot-common 0.224.0 → 0.226.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 967a29e273078457f5010415215784a3bf9bd8b9cd78e101ab8d7dc97ab42fba
-  data.tar.gz: c840404ceecf85c06defa6748f5075c1e336e3878f0f18c3d1c6282b986d86b4
+  metadata.gz: 47e3c8b72c7026283675f4969109de44931af6b655978be6762eb1c846f92dc9
+  data.tar.gz: 4d1b71853adbe711c8ad038c27df1fabc2612de1226705ac3a55de8f70ccfa0c
 SHA512:
-  metadata.gz: 1bdead2177caa4c1c9cd90371bf07cb8def978492718809f3a67ee995f24c4da02424989d25f87298ad2ac04b371c63108a9520d58e33d0b6f925446dfc0d5be
-  data.tar.gz: 2e5f484acea22c05982c2840317f7f559171ca239b846da310ac2ae40b7006fe10df16d1e26f204d3ccee0e163e8c51af5e283635f929edb1fbeaa5d6986c2ad
+  metadata.gz: e8edba97936c9846ec37066eb5ff03dfce9f24aa8e7fe688665b17939ce6e785f2e00a3bda2baf666422e7044daef0dbfbb84d770c02ef12ccbd9b12aeb8fca6
+  data.tar.gz: aacddd041d120483380bc7d3e6b6e757cc4f80c304d6bd8df7a911174b53f361e1a1d3926dd193c3cd1e7451d8c6b29370406dfcfee52dcb3264304319417c46

data/lib/dependabot/dependency_file.rb

@@ -44,7 +44,7 @@ module Dependabot
       @type = type
 
       begin
-        @mode = File.stat((symlink_target || path).sub(%r{^/}, "")).mode.to_s(8)
+        @mode = File.stat(realpath).mode.to_s(8)
       rescue StandardError
         @mode = mode
       end
@@ -76,6 +76,10 @@ module Dependabot
       Pathname.new(File.join(directory, name)).cleanpath.to_path
     end
 
+    def realpath
+      (symlink_target || path).sub(%r{^/}, "")
+    end
+
     def ==(other)
       return false unless other.instance_of?(self.class)
 

data/lib/dependabot/dependency_group.rb

@@ -1,5 +1,9 @@
 # frozen_string_literal: true
 
+require "dependabot/experiments"
+require "dependabot/config/ignore_condition"
+require "dependabot/logger"
+
 require "wildcard_matcher"
 require "yaml"
 
@@ -54,5 +58,9 @@ module Dependabot
                                     "development"
                                   end
     end
+
+    def experimental_rules_enabled?
+      Dependabot::Experiments.enabled?(:grouped_updates_experimental_rules)
+    end
   end
 end

data/lib/dependabot/file_fetchers/base.rb

@@ -108,6 +108,10 @@ module Dependabot
 
       private
 
+      def fetch_support_file(name)
+        fetch_file_if_present(name)&.tap { |f| f.support_file = true }
+      end
+
       def fetch_file_if_present(filename, fetch_submodules: false)
         unless repo_contents_path.nil?
           begin
@@ -128,8 +132,7 @@ module Dependabot
 
         fetch_file_from_host(filename, fetch_submodules: fetch_submodules)
       rescue *CLIENT_NOT_FOUND_ERRORS
-        path = Pathname.new(File.join(directory, filename)).cleanpath.to_path
-        raise Dependabot::DependencyFileNotFound, path
+        nil
       end
 
       def load_cloned_file_if_present(filename)
@@ -159,19 +162,34 @@ module Dependabot
 
         path = Pathname.new(File.join(directory, filename)).cleanpath.to_path
         content = _fetch_file_content(path, fetch_submodules: fetch_submodules)
-        type = "symlink" if @linked_paths.key?(path.gsub(%r{^/}, ""))
+        clean_path = path.gsub(%r{^/}, "")
+
+        linked_path = symlinked_subpath(clean_path)
+        type = "symlink" if linked_path
+        symlink_target = clean_path.sub(linked_path, @linked_paths.dig(linked_path, :path)) if type == "symlink"
 
         DependencyFile.new(
           name: Pathname.new(filename).cleanpath.to_path,
           directory: directory,
           type: type,
           content: content,
-          symlink_target: @linked_paths.dig(path.gsub(%r{^/}, ""), :path)
+          symlink_target: symlink_target
         )
       rescue *CLIENT_NOT_FOUND_ERRORS
         raise Dependabot::DependencyFileNotFound, path
       end
 
+      # Finds the first subpath in path that is a symlink
+      def symlinked_subpath(path)
+        subpaths(path).find { |subpath| @linked_paths.key?(subpath) }
+      end
+
+      # Given a "foo/bar/baz" path, returns ["foo", "foo/bar", "foo/bar/baz"]
+      def subpaths(path)
+        components = path.split("/")
+        components.map { |component| components[0..components.index(component)].join("/") }
+      end
+
       def repo_contents(dir: ".", ignore_base_directory: false,
                         raise_errors: true, fetch_submodules: false)
         dir = File.join(directory, dir) unless ignore_base_directory
@@ -375,7 +393,7 @@ module Dependabot
 
       def _gitlab_repo_contents(repo, path, commit)
         gitlab_client.
-          repo_tree(repo, path: path, ref_name: commit, per_page: 100).
+          repo_tree(repo, path: path, ref: commit, per_page: 100).
           map do |file|
             # GitLab API essentially returns the output from `git ls-tree`
             type = case file.type

data/lib/dependabot/file_parsers/base/dependency_set.rb

@@ -126,6 +126,7 @@ module Dependabot
               version: version,
               requirements: requirements,
               package_manager: old_dep.package_manager,
+              metadata: old_dep.metadata,
               subdependency_metadata: subdependency_metadata
             )
           end

data/lib/dependabot/git_commit_checker.rb

@@ -40,7 +40,6 @@ module Dependabot
     def pinned?
       raise "Not a git dependency!" unless git_dependency?
 
-      ref = dependency_source_details.fetch(:ref)
       branch = dependency_source_details.fetch(:branch)
 
       return false if ref.nil?
@@ -61,16 +60,14 @@ module Dependabot
     def pinned_ref_looks_like_version?
       return false unless pinned?
 
-      version_tag?(dependency_source_details.fetch(:ref))
+      version_tag?(ref)
     end
 
     def pinned_ref_looks_like_commit_sha?
-      ref = dependency_source_details.fetch(:ref)
       ref_looks_like_commit_sha?(ref)
     end
 
     def head_commit_for_pinned_ref
-      ref = dependency_source_details.fetch(:ref)
       local_repo_git_metadata_fetcher.head_commit_for_ref_sha(ref)
     end
 
@@ -144,15 +141,14 @@ module Dependabot
     end
 
     def most_specific_tag_equivalent_to_pinned_ref
-      commit_sha = head_commit_for_local_branch(dependency_source_details.fetch(:ref))
+      commit_sha = head_commit_for_local_branch(ref)
       most_specific_version_tag_for_sha(commit_sha)
     end
 
     def local_tag_for_pinned_sha
-      return unless pinned_ref_looks_like_commit_sha?
+      return @local_tag_for_pinned_sha if defined?(@local_tag_for_pinned_sha)
 
-      commit_sha = dependency_source_details.fetch(:ref)
-      most_specific_version_tag_for_sha(commit_sha)
+      @local_tag_for_pinned_sha = most_specific_version_tag_for_sha(ref) if pinned_ref_looks_like_commit_sha?
     end
 
     def git_repo_reachable?
@@ -223,7 +219,7 @@ module Dependabot
       return false unless tag
 
       commit_included_in_tag?(
-        commit: dependency_source_details.fetch(:ref),
+        commit: ref,
         tag: tag,
         allow_identical: true
       )
@@ -327,8 +323,11 @@ module Dependabot
     end
 
     def ref_or_branch
-      dependency_source_details.fetch(:ref) ||
-        dependency_source_details.fetch(:branch)
+      ref || dependency_source_details.fetch(:branch)
+    end
+
+    def ref
+      dependency_source_details.fetch(:ref)
     end
 
     def version_tag?(tag)
@@ -336,10 +335,18 @@ module Dependabot
     end
 
     def matches_existing_prefix?(tag)
-      return true unless ref_or_branch&.match?(VERSION_REGEX)
+      return true unless ref_or_branch
+
+      if version_tag?(ref_or_branch)
+        same_prefix?(ref_or_branch, tag)
+      else
+        local_tag_for_pinned_sha.nil? || same_prefix?(local_tag_for_pinned_sha, tag)
+      end
+    end
 
-      ref_or_branch.gsub(VERSION_REGEX, "").gsub(/v$/i, "") ==
-        tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "")
+    def same_prefix?(tag, other_tag)
+      tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "") ==
+        other_tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "")
     end
 
     def to_local_tag(tag)
@@ -417,7 +424,7 @@ module Dependabot
       return false unless dependency_source_details&.fetch(:ref, nil)
       return false unless pinned_ref_looks_like_version?
 
-      version = version_from_ref(dependency_source_details.fetch(:ref))
+      version = version_from_ref(ref)
       version.prerelease?
     end
 

data/lib/dependabot/git_metadata_fetcher.rb

@@ -47,8 +47,10 @@ module Dependabot
       if ref == "HEAD"
         # Remove the opening clause of the upload pack as this isn't always
         # followed by a line break. When it isn't (e.g., with Bitbucket) it
-        # causes problems for our `sha_for_update_pack_line` logic
-        line = upload_pack.gsub(/.*git-upload-pack/, "").
+        # causes problems for our `sha_for_update_pack_line` logic. The format
+        # of this opening clause is documented at
+        # https://git-scm.com/docs/http-protocol#_smart_server_response
+        line = upload_pack.gsub(/^[0-9a-f]{4}# service=git-upload-pack/, "").
                lines.find { |l| l.include?(" HEAD") }
         return sha_for_update_pack_line(line) if line
       end
@@ -177,7 +179,7 @@ module Dependabot
       # (GitHub, GitLab, BitBucket) work with or without the suffix.
       # That change has other ramifications, so it'd be better if Azure started supporting ".git"
       # like all the other providers.
-      uri = "https://#{uri.split('git@').last.sub(%r{:/?}, '/')}" if uri.start_with?("git@")
+      uri = SharedHelpers.scp_to_standard(uri)
       uri = URI(uri)
       hostname = uri.hostname.to_s
       hostname == "dev.azure.com" || hostname.end_with?(".visualstudio.com")
@@ -186,8 +188,7 @@ module Dependabot
     # Add in username and password if present in credentials.
     # Credentials are never present for production Dependabot.
     def uri_with_auth(uri)
-      # Handle SCP-style git URIs
-      uri = "https://#{uri.split('git@').last.sub(%r{:/?}, '/')}" if uri.start_with?("git@")
+      uri = SharedHelpers.scp_to_standard(uri)
       uri = URI(uri)
       cred = credentials.select { |c| c["type"] == "git_source" }.
              find { |c| uri.host == c["host"] }

data/lib/dependabot/metadata_finders/base.rb

@@ -117,9 +117,8 @@ module Dependabot
       end
 
       def source
-        return @source if @source_lookup_attempted
+        return @source if defined?(@source)
 
-        @source_lookup_attempted = true
         @source = look_up_source
       end
 

data/lib/dependabot/pull_request_creator/bitbucket.rb

@@ -10,6 +10,9 @@ module Dependabot
                   :files, :commit_message, :pr_description, :pr_name,
                   :author_details, :labeler, :work_item
 
+      # BitBucket Cloud accepts > 1MB characters, but they display poorly in the UI, so limiting to 4x 65,536
+      PR_DESCRIPTION_MAX_LENGTH = 262_143 # 0 based count
+
       def initialize(source:, branch_name:, base_commit:, credentials:,
                      files:, commit_message:, pr_description:, pr_name:,
                      author_details:, labeler: nil, work_item: nil)

data/lib/dependabot/pull_request_creator/github.rb

@@ -193,8 +193,7 @@ module Dependabot
                       end
 
             {
-              path: (file.symlink_target ||
-                     file.path).sub(%r{^/}, ""),
+              path: file.realpath,
               mode: (file.mode || "100644"),
               type: "blob"
             }.merge(content)

data/lib/dependabot/pull_request_creator/gitlab.rb

@@ -108,7 +108,8 @@ module Dependabot
           {
             action: file_action(file),
             file_path: file.type == "symlink" ? file.symlink_target : file.path,
-            content: file.content
+            content: file.content,
+            encoding: file.content_encoding
           }
         end
       end

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -23,7 +23,7 @@ module Dependabot
                   :pr_message_header, :pr_message_footer,
                   :commit_message_options, :vulnerabilities_fixed,
                   :github_redirection_service, :dependency_group, :pr_message_max_length,
-                  :pr_message_encoding
+                  :pr_message_encoding, :ignore_conditions
 
       TRUNCATED_MSG = "...\n\n_Description has been truncated_"
 
@@ -31,7 +31,7 @@ module Dependabot
                      pr_message_header: nil, pr_message_footer: nil,
                      commit_message_options: {}, vulnerabilities_fixed: {},
                      github_redirection_service: DEFAULT_GITHUB_REDIRECTION_SERVICE,
-                     dependency_group: nil, pr_message_max_length: nil, pr_message_encoding: nil)
+                     dependency_group: nil, pr_message_max_length: nil, pr_message_encoding: nil, ignore_conditions: [])
         @dependencies               = dependencies
         @files                      = files
         @source                     = source
@@ -44,6 +44,7 @@ module Dependabot
         @dependency_group           = dependency_group
         @pr_message_max_length      = pr_message_max_length
         @pr_message_encoding        = pr_message_encoding
+        @ignore_conditions          = ignore_conditions
       end
 
       attr_writer :pr_message_max_length
@@ -57,13 +58,31 @@ module Dependabot
       end
 
       def pr_message
-        msg = "#{suffixed_pr_message_header}#{commit_message_intro}#{metadata_cascades}#{prefixed_pr_message_footer}"
+        # TODO: Remove unignore_commands? feature flag once we are confident
+        # that it is working as expected
+        msg = if unignore_commands?
+                "#{suffixed_pr_message_header}" \
+                  "#{commit_message_intro}" \
+                  "#{metadata_cascades}" \
+                  "#{ignore_conditions_table}" \
+                  "#{prefixed_pr_message_footer}"
+              else
+                "#{suffixed_pr_message_header}" \
+                  "#{commit_message_intro}" \
+                  "#{metadata_cascades}" \
+                  "#{prefixed_pr_message_footer}"
+              end
+
         truncate_pr_message(msg)
       rescue StandardError => e
         Dependabot.logger.error("Error while generating PR message: #{e.message}")
         suffixed_pr_message_header + prefixed_pr_message_footer
       end
 
+      def unignore_commands?
+        Experiments.enabled?(:unignore_commands)
+      end
+
       # Truncate PR message as determined by the pr_message_max_length and pr_message_encoding instance variables
       # The encoding is used when calculating length, all messages are returned as ruby UTF_8 encoded string
       def truncate_pr_message(msg)
@@ -504,6 +523,46 @@ module Dependabot
         ).to_s
       end
 
+      def ignore_conditions_table
+        # Return an empty string if ignore_conditions is empty
+        return "" if @ignore_conditions.empty?
+
+        # Filter out the conditions where from_config_file is false and dependency is in @dependencies
+        valid_ignore_conditions = @ignore_conditions.select do |ic|
+          ic["source"] =~ /\A@dependabot ignore/ && dependencies.any? { |dep| dep.name == ic["dependency-name"] }
+        end
+
+        # Return an empty string if no valid ignore conditions after filtering
+        return "" if valid_ignore_conditions.empty?
+
+        # Sort them by updated_at (or created_at if updated_at is nil), taking the latest 20
+        sorted_ignore_conditions = valid_ignore_conditions.sort_by { |ic| ic["updated-at"] }.last(20)
+
+        # Map each condition to a row string
+        table_rows = sorted_ignore_conditions.map do |ic|
+          "| #{ic['dependency-name']} | [#{ic['version-requirement']}] |"
+        end
+
+        summary = "Most Recent Ignore Conditions Applied to This Pull Request"
+        build_table(summary, table_rows)
+      end
+
+      def build_table(summary, rows)
+        table_header = "| Dependency Name | Ignore Conditions |"
+        table_divider = "| --- | --- |"
+        table_body = rows.join("\n")
+        body = "\n#{[table_header, table_divider, table_body].join("\n")}\n"
+
+        if %w(azure bitbucket codecommit).include?(source.provider)
+          "\n##{summary}\n\n#{body}"
+        else
+          # Build the collapsible section
+          msg = "<details>\n<summary>#{summary}</summary>\n\n" \
+                "#{[table_header, table_divider, table_body].join("\n")}\n</details>"
+          "\n#{msg}\n"
+        end
+      end
+
       def changelog_url(dependency)
         metadata_finder(dependency).changelog_url
       end

data/lib/dependabot/pull_request_creator.rb

@@ -230,6 +230,8 @@ module Dependabot
         @pr_message_encoding = Azure::PR_DESCRIPTION_ENCODING if @pr_message_encoding.nil?
       when "codecommit"
         @pr_message_max_length = Codecommit::PR_DESCRIPTION_MAX_LENGTH if @pr_message_max_length.nil?
+      when "bitbucket"
+        @pr_message_max_length = Bitbucket::PR_DESCRIPTION_MAX_LENGTH if @pr_message_max_length.nil?
       end
 
       @message = MessageBuilder.new(

data/lib/dependabot/pull_request_updater/github.rb

@@ -144,8 +144,7 @@ module Dependabot
                       end
 
             {
-              path: (file.symlink_target ||
-                     file.path).sub(%r{^/}, ""),
+              path: file.realpath,
               mode: "100644",
               type: "blob"
             }.merge(content)

data/lib/dependabot/pull_request_updater/gitlab.rb

@@ -79,7 +79,8 @@ module Dependabot
           {
             action: file_action(file),
             file_path: file.type == "symlink" ? file.symlink_target : file.path,
-            content: file.content
+            content: file.content,
+            encoding: file.content_encoding
           }
         end
       end

data/lib/dependabot/shared_helpers.rb

@@ -191,6 +191,13 @@ module Dependabot
       reset_global_git_config(backup_git_config_path)
     end
 
+    # Handle SCP-style git URIs
+    def self.scp_to_standard(uri)
+      return uri unless uri.start_with?("git@")
+
+      "https://#{uri.split('git@').last.sub(%r{:/?}, '/')}"
+    end
+
     def self.credential_helper_path
       File.join(__dir__, "../../bin/git-credential-store-immutable")
     end

data/lib/dependabot/update_checkers/base.rb

@@ -166,6 +166,7 @@ module Dependabot
           previous_version: previous_version,
           previous_requirements: dependency.requirements,
           package_manager: dependency.package_manager,
+          metadata: dependency.metadata,
           subdependency_metadata: dependency.subdependency_metadata
         )
       end
@@ -181,6 +182,7 @@ module Dependabot
           previous_version: previous_version,
           previous_requirements: dependency.requirements,
           package_manager: dependency.package_manager,
+          metadata: dependency.metadata,
           subdependency_metadata: dependency.subdependency_metadata
         )
       end

data/lib/dependabot.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.224.0"
+  VERSION = "0.226.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.224.0
+  version: 0.226.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-07-27 00:00:00.000000000 Z
+date: 2023-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -84,14 +84,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.14.0
+        version: 1.18.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.14.0
+        version: 1.18.0
 - !ruby/object:Gem::Dependency
   name: excon
   requirement: !ruby/object:Gem::Requirement
@@ -101,7 +101,7 @@ dependencies:
         version: '0.96'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.100'
+        version: '0.101'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -111,35 +111,35 @@ dependencies:
         version: '0.96'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.100'
+        version: '0.101'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.7.4
+        version: 2.7.10
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.7.4
+        version: 2.7.10
 - !ruby/object:Gem::Dependency
   name: faraday-retry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: 2.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: 2.2.0
 - !ruby/object:Gem::Dependency
   name: gitlab
   requirement: !ruby/object:Gem::Requirement
@@ -346,14 +346,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.17.1
+        version: 1.18.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.17.1
+        version: 1.18.0
 - !ruby/object:Gem::Dependency
   name: stackprof
   requirement: !ruby/object:Gem::Requirement
@@ -486,7 +486,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.224.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.226.0
 post_install_message: 
 rdoc_options: []
 require_paths: