dependabot-common 0.225.0 → 0.226.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eff50d0047fd94f2b62e76e55d42561e17780c26da251ba55cd04f493bce0cb5
-  data.tar.gz: 34d2e201f6198e4478a2b13d8e2c12162ae1a2e74b6c66ebfd45e12518379155
+  metadata.gz: 47e3c8b72c7026283675f4969109de44931af6b655978be6762eb1c846f92dc9
+  data.tar.gz: 4d1b71853adbe711c8ad038c27df1fabc2612de1226705ac3a55de8f70ccfa0c
 SHA512:
-  metadata.gz: 97d3947770789948f293026af11c4a8f065831ebf4c5ee5f06c3e2fe147766b5d4615b2497fbd7dfbfb4589a07df52a91de9c7041fe49cd74795fd3fb6be6437
-  data.tar.gz: 640a7855071b6c94d1a8e91972bf4e34792e6ffcf02ac38d1bb6a42e985fdfc3479b994c645fdb24d77fe450f84e39aef0e6bef2ab41c0394989f9c63f792f19
+  metadata.gz: e8edba97936c9846ec37066eb5ff03dfce9f24aa8e7fe688665b17939ce6e785f2e00a3bda2baf666422e7044daef0dbfbb84d770c02ef12ccbd9b12aeb8fca6
+  data.tar.gz: aacddd041d120483380bc7d3e6b6e757cc4f80c304d6bd8df7a911174b53f361e1a1d3926dd193c3cd1e7451d8c6b29370406dfcfee52dcb3264304319417c46

data/lib/dependabot/dependency_file.rb

@@ -44,7 +44,7 @@ module Dependabot
       @type = type
 
       begin
-        @mode = File.stat((symlink_target || path).sub(%r{^/}, "")).mode.to_s(8)
+        @mode = File.stat(realpath).mode.to_s(8)
       rescue StandardError
         @mode = mode
       end
@@ -76,6 +76,10 @@ module Dependabot
       Pathname.new(File.join(directory, name)).cleanpath.to_path
     end
 
+    def realpath
+      (symlink_target || path).sub(%r{^/}, "")
+    end
+
     def ==(other)
       return false unless other.instance_of?(self.class)
 

data/lib/dependabot/dependency_group.rb

@@ -9,34 +9,12 @@ require "yaml"
 
 module Dependabot
   class DependencyGroup
-    ANY_DEPENDENCY_NAME = "*"
-    SECURITY_UPDATES_ONLY = false
-
-    DEFAULT_UPDATE_TYPES = [
-      SEMVER_MAJOR = "major",
-      SEMVER_MINOR = "minor",
-      SEMVER_PATCH = "patch"
-    ].freeze
-
-    IGNORE_CONDITION_TYPES = {
-      SEMVER_MAJOR => Dependabot::Config::IgnoreCondition::MAJOR_VERSION_TYPE,
-      SEMVER_MINOR => Dependabot::Config::IgnoreCondition::MINOR_VERSION_TYPE,
-      SEMVER_PATCH => Dependabot::Config::IgnoreCondition::PATCH_VERSION_TYPE
-    }.freeze
-
-    class NullIgnoreCondition
-      def ignored_versions(_dependency, _security_updates_only)
-        []
-      end
-    end
-
     attr_reader :name, :rules, :dependencies
 
     def initialize(name:, rules:)
       @name = name
       @rules = rules
       @dependencies = []
-      @ignore_condition = generate_ignore_condition!
     end
 
     def contains?(dependency)
@@ -46,18 +24,6 @@ module Dependabot
       matches_pattern?(dependency.name) && matches_dependency_type?(dependency)
     end
 
-    # This method generates ignored versions for the given Dependency based on
-    # the any update-types we have defined.
-    def ignored_versions_for(dependency)
-      @ignore_condition.ignored_versions(dependency, SECURITY_UPDATES_ONLY)
-    end
-
-    def targets_highest_versions_possible?
-      return true unless experimental_rules_enabled?
-
-      update_types.include?(SEMVER_MAJOR)
-    end
-
     def to_h
       { "name" => name }
     end
@@ -93,46 +59,6 @@ module Dependabot
                                   end
     end
 
-    def pattern_rules?
-      rules.key?("patterns") && rules["patterns"]&.any?
-    end
-
-    def update_types
-      rules.fetch("update-types", DEFAULT_UPDATE_TYPES)
-    end
-
-    def generate_ignore_condition!
-      return NullIgnoreCondition.new unless experimental_rules_enabled?
-
-      ignored_update_types = ignored_update_types_for_rules
-
-      return NullIgnoreCondition.new unless ignored_update_types.any?
-
-      Dependabot.logger.debug("The #{name} group has set ignores for update-type(s): #{ignored_update_types}")
-
-      Dependabot::Config::IgnoreCondition.new(
-        dependency_name: ANY_DEPENDENCY_NAME,
-        update_types: ignored_update_types
-      )
-    end
-
-    def ignored_update_types_for_rules
-      unless update_types.is_a?(Array)
-        raise ArgumentError,
-              "The #{name} group has an unexpected value for update-types: '#{update_types}'"
-      end
-
-      unless update_types.any?
-        raise ArgumentError,
-              "The #{name} group has specified an empty array for update-types."
-      end
-
-      ignored_update_types = DEFAULT_UPDATE_TYPES - update_types
-      return [] if ignored_update_types.empty?
-
-      IGNORE_CONDITION_TYPES.fetch_values(*ignored_update_types)
-    end
-
     def experimental_rules_enabled?
       Dependabot::Experiments.enabled?(:grouped_updates_experimental_rules)
     end

data/lib/dependabot/file_fetchers/base.rb

@@ -108,6 +108,10 @@ module Dependabot
 
       private
 
+      def fetch_support_file(name)
+        fetch_file_if_present(name)&.tap { |f| f.support_file = true }
+      end
+
       def fetch_file_if_present(filename, fetch_submodules: false)
         unless repo_contents_path.nil?
           begin
@@ -128,8 +132,7 @@ module Dependabot
 
         fetch_file_from_host(filename, fetch_submodules: fetch_submodules)
       rescue *CLIENT_NOT_FOUND_ERRORS
-        path = Pathname.new(File.join(directory, filename)).cleanpath.to_path
-        raise Dependabot::DependencyFileNotFound, path
+        nil
       end
 
       def load_cloned_file_if_present(filename)
@@ -159,19 +162,34 @@ module Dependabot
 
         path = Pathname.new(File.join(directory, filename)).cleanpath.to_path
         content = _fetch_file_content(path, fetch_submodules: fetch_submodules)
-        type = "symlink" if @linked_paths.key?(path.gsub(%r{^/}, ""))
+        clean_path = path.gsub(%r{^/}, "")
+
+        linked_path = symlinked_subpath(clean_path)
+        type = "symlink" if linked_path
+        symlink_target = clean_path.sub(linked_path, @linked_paths.dig(linked_path, :path)) if type == "symlink"
 
         DependencyFile.new(
           name: Pathname.new(filename).cleanpath.to_path,
           directory: directory,
           type: type,
           content: content,
-          symlink_target: @linked_paths.dig(path.gsub(%r{^/}, ""), :path)
+          symlink_target: symlink_target
         )
       rescue *CLIENT_NOT_FOUND_ERRORS
         raise Dependabot::DependencyFileNotFound, path
       end
 
+      # Finds the first subpath in path that is a symlink
+      def symlinked_subpath(path)
+        subpaths(path).find { |subpath| @linked_paths.key?(subpath) }
+      end
+
+      # Given a "foo/bar/baz" path, returns ["foo", "foo/bar", "foo/bar/baz"]
+      def subpaths(path)
+        components = path.split("/")
+        components.map { |component| components[0..components.index(component)].join("/") }
+      end
+
       def repo_contents(dir: ".", ignore_base_directory: false,
                         raise_errors: true, fetch_submodules: false)
         dir = File.join(directory, dir) unless ignore_base_directory
@@ -375,7 +393,7 @@ module Dependabot
 
       def _gitlab_repo_contents(repo, path, commit)
         gitlab_client.
-          repo_tree(repo, path: path, ref_name: commit, per_page: 100).
+          repo_tree(repo, path: path, ref: commit, per_page: 100).
           map do |file|
             # GitLab API essentially returns the output from `git ls-tree`
             type = case file.type

data/lib/dependabot/git_commit_checker.rb

@@ -40,7 +40,6 @@ module Dependabot
     def pinned?
       raise "Not a git dependency!" unless git_dependency?
 
-      ref = dependency_source_details.fetch(:ref)
       branch = dependency_source_details.fetch(:branch)
 
       return false if ref.nil?
@@ -61,16 +60,14 @@ module Dependabot
     def pinned_ref_looks_like_version?
       return false unless pinned?
 
-      version_tag?(dependency_source_details.fetch(:ref))
+      version_tag?(ref)
     end
 
     def pinned_ref_looks_like_commit_sha?
-      ref = dependency_source_details.fetch(:ref)
       ref_looks_like_commit_sha?(ref)
     end
 
     def head_commit_for_pinned_ref
-      ref = dependency_source_details.fetch(:ref)
       local_repo_git_metadata_fetcher.head_commit_for_ref_sha(ref)
     end
 
@@ -144,15 +141,14 @@ module Dependabot
     end
 
     def most_specific_tag_equivalent_to_pinned_ref
-      commit_sha = head_commit_for_local_branch(dependency_source_details.fetch(:ref))
+      commit_sha = head_commit_for_local_branch(ref)
       most_specific_version_tag_for_sha(commit_sha)
     end
 
     def local_tag_for_pinned_sha
-      return unless pinned_ref_looks_like_commit_sha?
+      return @local_tag_for_pinned_sha if defined?(@local_tag_for_pinned_sha)
 
-      commit_sha = dependency_source_details.fetch(:ref)
-      most_specific_version_tag_for_sha(commit_sha)
+      @local_tag_for_pinned_sha = most_specific_version_tag_for_sha(ref) if pinned_ref_looks_like_commit_sha?
     end
 
     def git_repo_reachable?
@@ -223,7 +219,7 @@ module Dependabot
       return false unless tag
 
       commit_included_in_tag?(
-        commit: dependency_source_details.fetch(:ref),
+        commit: ref,
         tag: tag,
         allow_identical: true
       )
@@ -327,8 +323,11 @@ module Dependabot
     end
 
     def ref_or_branch
-      dependency_source_details.fetch(:ref) ||
-        dependency_source_details.fetch(:branch)
+      ref || dependency_source_details.fetch(:branch)
+    end
+
+    def ref
+      dependency_source_details.fetch(:ref)
     end
 
     def version_tag?(tag)
@@ -336,10 +335,18 @@ module Dependabot
     end
 
     def matches_existing_prefix?(tag)
-      return true unless ref_or_branch&.match?(VERSION_REGEX)
+      return true unless ref_or_branch
+
+      if version_tag?(ref_or_branch)
+        same_prefix?(ref_or_branch, tag)
+      else
+        local_tag_for_pinned_sha.nil? || same_prefix?(local_tag_for_pinned_sha, tag)
+      end
+    end
 
-      ref_or_branch.gsub(VERSION_REGEX, "").gsub(/v$/i, "") ==
-        tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "")
+    def same_prefix?(tag, other_tag)
+      tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "") ==
+        other_tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "")
     end
 
     def to_local_tag(tag)
@@ -417,7 +424,7 @@ module Dependabot
       return false unless dependency_source_details&.fetch(:ref, nil)
       return false unless pinned_ref_looks_like_version?
 
-      version = version_from_ref(dependency_source_details.fetch(:ref))
+      version = version_from_ref(ref)
       version.prerelease?
     end
 

data/lib/dependabot/git_metadata_fetcher.rb

@@ -47,8 +47,10 @@ module Dependabot
       if ref == "HEAD"
         # Remove the opening clause of the upload pack as this isn't always
         # followed by a line break. When it isn't (e.g., with Bitbucket) it
-        # causes problems for our `sha_for_update_pack_line` logic
-        line = upload_pack.gsub(/.*git-upload-pack/, "").
+        # causes problems for our `sha_for_update_pack_line` logic. The format
+        # of this opening clause is documented at
+        # https://git-scm.com/docs/http-protocol#_smart_server_response
+        line = upload_pack.gsub(/^[0-9a-f]{4}# service=git-upload-pack/, "").
                lines.find { |l| l.include?(" HEAD") }
         return sha_for_update_pack_line(line) if line
       end
@@ -177,7 +179,7 @@ module Dependabot
       # (GitHub, GitLab, BitBucket) work with or without the suffix.
       # That change has other ramifications, so it'd be better if Azure started supporting ".git"
       # like all the other providers.
-      uri = "https://#{uri.split('git@').last.sub(%r{:/?}, '/')}" if uri.start_with?("git@")
+      uri = SharedHelpers.scp_to_standard(uri)
       uri = URI(uri)
       hostname = uri.hostname.to_s
       hostname == "dev.azure.com" || hostname.end_with?(".visualstudio.com")
@@ -186,8 +188,7 @@ module Dependabot
     # Add in username and password if present in credentials.
     # Credentials are never present for production Dependabot.
     def uri_with_auth(uri)
-      # Handle SCP-style git URIs
-      uri = "https://#{uri.split('git@').last.sub(%r{:/?}, '/')}" if uri.start_with?("git@")
+      uri = SharedHelpers.scp_to_standard(uri)
       uri = URI(uri)
       cred = credentials.select { |c| c["type"] == "git_source" }.
              find { |c| uri.host == c["host"] }

data/lib/dependabot/metadata_finders/base.rb

@@ -117,9 +117,8 @@ module Dependabot
       end
 
       def source
-        return @source if @source_lookup_attempted
+        return @source if defined?(@source)
 
-        @source_lookup_attempted = true
         @source = look_up_source
       end
 

data/lib/dependabot/pull_request_creator/bitbucket.rb

@@ -10,6 +10,9 @@ module Dependabot
                   :files, :commit_message, :pr_description, :pr_name,
                   :author_details, :labeler, :work_item
 
+      # BitBucket Cloud accepts > 1MB characters, but they display poorly in the UI, so limiting to 4x 65,536
+      PR_DESCRIPTION_MAX_LENGTH = 262_143 # 0 based count
+
       def initialize(source:, branch_name:, base_commit:, credentials:,
                      files:, commit_message:, pr_description:, pr_name:,
                      author_details:, labeler: nil, work_item: nil)

data/lib/dependabot/pull_request_creator/github.rb

@@ -193,8 +193,7 @@ module Dependabot
                       end
 
             {
-              path: (file.symlink_target ||
-                     file.path).sub(%r{^/}, ""),
+              path: file.realpath,
               mode: (file.mode || "100644"),
               type: "blob"
             }.merge(content)

data/lib/dependabot/pull_request_creator/gitlab.rb

@@ -108,7 +108,8 @@ module Dependabot
           {
             action: file_action(file),
             file_path: file.type == "symlink" ? file.symlink_target : file.path,
-            content: file.content
+            content: file.content,
+            encoding: file.content_encoding
           }
         end
       end

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -529,18 +529,18 @@ module Dependabot
 
         # Filter out the conditions where from_config_file is false and dependency is in @dependencies
         valid_ignore_conditions = @ignore_conditions.select do |ic|
-          !ic[:from_config_file] && dependencies.any? { |dep| dep.name == ic[:dependency_name] }
+          ic["source"] =~ /\A@dependabot ignore/ && dependencies.any? { |dep| dep.name == ic["dependency-name"] }
         end
 
         # Return an empty string if no valid ignore conditions after filtering
         return "" if valid_ignore_conditions.empty?
 
         # Sort them by updated_at (or created_at if updated_at is nil), taking the latest 20
-        sorted_ignore_conditions = valid_ignore_conditions.sort_by { |ic| ic[:updated_at] || ic[:created_at] }.last(20)
+        sorted_ignore_conditions = valid_ignore_conditions.sort_by { |ic| ic["updated-at"] }.last(20)
 
         # Map each condition to a row string
         table_rows = sorted_ignore_conditions.map do |ic|
-          "| #{ic[:dependency_name]} | [#{ic[:version_requirement]}] |"
+          "| #{ic['dependency-name']} | [#{ic['version-requirement']}] |"
         end
 
         summary = "Most Recent Ignore Conditions Applied to This Pull Request"

data/lib/dependabot/pull_request_creator.rb

@@ -230,6 +230,8 @@ module Dependabot
         @pr_message_encoding = Azure::PR_DESCRIPTION_ENCODING if @pr_message_encoding.nil?
       when "codecommit"
         @pr_message_max_length = Codecommit::PR_DESCRIPTION_MAX_LENGTH if @pr_message_max_length.nil?
+      when "bitbucket"
+        @pr_message_max_length = Bitbucket::PR_DESCRIPTION_MAX_LENGTH if @pr_message_max_length.nil?
       end
 
       @message = MessageBuilder.new(

data/lib/dependabot/pull_request_updater/github.rb

@@ -144,8 +144,7 @@ module Dependabot
                       end
 
             {
-              path: (file.symlink_target ||
-                     file.path).sub(%r{^/}, ""),
+              path: file.realpath,
               mode: "100644",
               type: "blob"
             }.merge(content)

data/lib/dependabot/pull_request_updater/gitlab.rb

@@ -79,7 +79,8 @@ module Dependabot
           {
             action: file_action(file),
             file_path: file.type == "symlink" ? file.symlink_target : file.path,
-            content: file.content
+            content: file.content,
+            encoding: file.content_encoding
           }
         end
       end

data/lib/dependabot/shared_helpers.rb

@@ -191,6 +191,13 @@ module Dependabot
       reset_global_git_config(backup_git_config_path)
     end
 
+    # Handle SCP-style git URIs
+    def self.scp_to_standard(uri)
+      return uri unless uri.start_with?("git@")
+
+      "https://#{uri.split('git@').last.sub(%r{:/?}, '/')}"
+    end
+
     def self.credential_helper_path
       File.join(__dir__, "../../bin/git-credential-store-immutable")
     end

data/lib/dependabot.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.225.0"
+  VERSION = "0.226.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.225.0
+  version: 0.226.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-07-31 00:00:00.000000000 Z
+date: 2023-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -84,14 +84,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.14.0
+        version: 1.18.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.14.0
+        version: 1.18.0
 - !ruby/object:Gem::Dependency
   name: excon
   requirement: !ruby/object:Gem::Requirement
@@ -101,7 +101,7 @@ dependencies:
         version: '0.96'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.100'
+        version: '0.101'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -111,35 +111,35 @@ dependencies:
         version: '0.96'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.100'
+        version: '0.101'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.7.4
+        version: 2.7.10
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.7.4
+        version: 2.7.10
 - !ruby/object:Gem::Dependency
   name: faraday-retry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: 2.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: 2.2.0
 - !ruby/object:Gem::Dependency
   name: gitlab
   requirement: !ruby/object:Gem::Requirement
@@ -346,14 +346,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.17.1
+        version: 1.18.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.17.1
+        version: 1.18.0
 - !ruby/object:Gem::Dependency
   name: stackprof
   requirement: !ruby/object:Gem::Requirement
@@ -486,7 +486,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.225.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.226.0
 post_install_message: 
 rdoc_options: []
 require_paths: