dependabot-common 0.227.0 → 0.229.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e7821b483eacc96c321f9dba2b95892317ba3c73f530820c5490677488c3399
-  data.tar.gz: bc801665fabf999aac3d5065b1e2689fc98df6b98baa082e64da043fc1ef7995
+  metadata.gz: 5e851f5d32a6d2f1add4781ed00d14b25638fe48034eb33def72ee00e9a2bcf3
+  data.tar.gz: 74ea5d577f55d6a8a304bc52a91296130f619548c9c40813baeae1c47ee25640
 SHA512:
-  metadata.gz: 2e1fb470523d4ea14fbe43f15155f089489fec19354aeb391d5bfa860944ea3286ed40db48630b7861dbcf6cdb2534a637d8f76e3ce322b14a9d0a8365c885a9
-  data.tar.gz: f486b2b36383f38064575b3022929ce110cab12ef863762dbae31a8d36691e0a8af59e2252a31b960a3b53d31f1ab8758f10411a8a53a3e12a50ff007a96f410
+  metadata.gz: ee6e2b243a1fb81ab46f2a02f136227c5cd147a38922f00db9fc44c89115e27f8ddb7c0445085cd16439fe35c0b1bc8609d693e108d63672cff7f88cbe13c40d
+  data.tar.gz: e059c7e5da28f0e4c45ad0171cf955ae25b113a7bbb779458a3b3fbe0e52ef39cbb6d78c180a257b9b963fcb85632cbcc80d20c2021996e070240509b5019ada

data/lib/dependabot/clients/azure.rb

@@ -373,7 +373,7 @@ module Dependabot
       end
 
       def tags_creation_forbidden?(response)
-        return if response.body.empty?
+        return false if response.body.empty?
 
         message = JSON.parse(response.body).fetch("message", nil)
         message&.include?("TF401289")

data/lib/dependabot/clients/gitlab_with_retries.rb

@@ -7,6 +7,11 @@ module Dependabot
     class GitlabWithRetries
       RETRYABLE_ERRORS = [Gitlab::Error::BadGateway].freeze
 
+      class ContentEncoding
+        BASE64 = "base64"
+        TEXT = "text"
+      end
+
       #######################
       # Constructor methods #
       #######################
@@ -60,6 +65,24 @@ module Dependabot
         @client = ::Gitlab::Client.new(args)
       end
 
+      # Create commit in gitlab repo with correctly mapped file actions
+      #
+      # @param [String] repo
+      # @param [String] branch_name
+      # @param [String] commit_message
+      # @param [Array<Dependabot::DependencyFile>] files
+      # @param [Hash] options
+      # @return [Gitlab::ObjectifiedHash]
+      def create_commit(repo, branch_name, commit_message, files, **options)
+        @client.create_commit(
+          repo,
+          branch_name,
+          commit_message,
+          file_actions(files),
+          **options
+        )
+      end
+
       def method_missing(method_name, *args, &block)
         retry_connection_failures do
           if @client.respond_to?(method_name)
@@ -85,6 +108,47 @@ module Dependabot
           retry_attempt <= @max_retries ? retry : raise
         end
       end
+
+      private
+
+      # Array of file actions for a commit
+      #
+      # @param [Array<Dependabot::DependencyFile>] files
+      # @return [Array<Hash>]
+      def file_actions(files)
+        files.map do |file|
+          {
+            action: file_action(file),
+            encoding: file_encoding(file),
+            file_path: file.type == "symlink" ? file.symlink_target : file.path,
+            content: file.content
+          }
+        end
+      end
+
+      # Single file action
+      #
+      # @param [Dependabot::DependencyFile] file
+      # @return [String]
+      def file_action(file)
+        if file.operation == Dependabot::DependencyFile::Operation::DELETE
+          "delete"
+        elsif file.operation == Dependabot::DependencyFile::Operation::CREATE
+          "create"
+        else
+          "update"
+        end
+      end
+
+      # Encoding option for gitlab commit operation
+      #
+      # @param [Dependabot::DependencyFile] file
+      # @return [String]
+      def file_encoding(file)
+        return ContentEncoding::BASE64 if file.content_encoding == Dependabot::DependencyFile::ContentEncoding::BASE64
+
+        ContentEncoding::TEXT
+      end
     end
   end
 end

data/lib/dependabot/dependency.rb

@@ -157,14 +157,14 @@ module Dependabot
       previous_refs = previous_requirements.filter_map do |r|
         r.dig(:source, "ref") || r.dig(:source, :ref)
       end.uniq
-      return previous_refs.first if previous_refs.count == 1
+      previous_refs.first if previous_refs.count == 1
     end
 
     def new_ref
       new_refs = requirements.filter_map do |r|
         r.dig(:source, "ref") || r.dig(:source, :ref)
       end.uniq
-      return new_refs.first if new_refs.count == 1
+      new_refs.first if new_refs.count == 1
     end
 
     def ref_changed?

data/lib/dependabot/dependency_group.rb

@@ -9,12 +9,21 @@ require "yaml"
 
 module Dependabot
   class DependencyGroup
-    attr_reader :name, :rules, :dependencies
+    attr_reader :name, :rules, :dependencies, :handled_dependencies
 
     def initialize(name:, rules:)
       @name = name
       @rules = rules
       @dependencies = []
+      @handled_dependencies = Set.new
+    end
+
+    def add_to_handled(*dependencies)
+      @handled_dependencies += dependencies.map(&:name)
+    end
+
+    def add_all_to_handled
+      @handled_dependencies += dependencies.map(&:name)
     end
 
     def contains?(dependency)

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -333,14 +333,14 @@ module Dependabot
           previous_refs = dependency.previous_requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          return previous_refs.first if previous_refs.count == 1
+          previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
           new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          return new_refs.first if new_refs.count == 1
+          new_refs.first if new_refs.count == 1
         end
 
         def ref_changed?

data/lib/dependabot/metadata_finders/base/changelog_pruner.rb

@@ -140,14 +140,14 @@ module Dependabot
           previous_refs = dependency.previous_requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          return previous_refs.first if previous_refs.count == 1
+          previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
           new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          return new_refs.first if new_refs.count == 1
+          new_refs.first if new_refs.count == 1
         end
 
         # TODO: Refactor me so that Composer doesn't need to be special cased

data/lib/dependabot/metadata_finders/base/commits_finder.rb

@@ -139,7 +139,7 @@ module Dependabot
           previous_refs = dependency.previous_requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          return previous_refs.first if previous_refs.count == 1
+          previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
@@ -148,7 +148,7 @@ module Dependabot
           new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          return new_refs.first if new_refs.count == 1
+          new_refs.first if new_refs.count == 1
         end
 
         def tag_matches_version?(tag, version)

data/lib/dependabot/metadata_finders/base/release_finder.rb

@@ -189,7 +189,7 @@ module Dependabot
         end
 
         def version_regex(version)
-          /(?:[^0-9\.]|\A)#{Regexp.escape(version || "unknown")}\z/
+          /(?:[^0-9\.]|\A)#{Regexp.escape(version || 'unknown')}\z/
         end
 
         def version_class
@@ -285,14 +285,14 @@ module Dependabot
           previous_refs = dependency.previous_requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          return previous_refs.first if previous_refs.count == 1
+          previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref
           new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          return new_refs.first if new_refs.count == 1
+          new_refs.first if new_refs.count == 1
         end
 
         def ref_changed?

data/lib/dependabot/pull_request_creator/branch_namer/solo_strategy.rb

@@ -131,14 +131,14 @@ module Dependabot
           previous_refs = dependency.previous_requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          return previous_refs.first if previous_refs.count == 1
+          previous_refs.first if previous_refs.count == 1
         end
 
         def new_ref(dependency)
           new_refs = dependency.requirements.filter_map do |r|
             r.dig(:source, "ref") || r.dig(:source, :ref)
           end.uniq
-          return new_refs.first if new_refs.count == 1
+          new_refs.first if new_refs.count == 1
         end
 
         def ref_changed?(dependency)

data/lib/dependabot/pull_request_creator/gitlab.rb

@@ -99,32 +99,10 @@ module Dependabot
           source.repo,
           branch_name,
           commit_message,
-          file_actions
+          files
         )
       end
 
-      def file_actions
-        files.map do |file|
-          {
-            action: file_action(file),
-            file_path: file.type == "symlink" ? file.symlink_target : file.path,
-            content: file.content,
-            encoding: file.content_encoding
-          }
-        end
-      end
-
-      # @param [DependencyFile] file
-      def file_action(file)
-        if file.operation == Dependabot::DependencyFile::Operation::DELETE
-          "delete"
-        elsif file.operation == Dependabot::DependencyFile::Operation::CREATE
-          "create"
-        else
-          "update"
-        end
-      end
-
       def create_submodule_update_commit
         file = files.first
 

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -622,7 +622,8 @@ module Dependabot
 
         req = old_reqs.first.fetch(:requirement)
         return req if req
-        return dependency.previous_ref if dependency.ref_changed?
+
+        dependency.previous_ref if dependency.ref_changed?
       end
 
       def new_library_requirement(dependency)
@@ -649,7 +650,7 @@ module Dependabot
         # Reject any nested child gemspecs/vendored git dependencies
         root_files = files.map(&:name).
                      select { |p| Pathname.new(p).dirname.to_s == "." }
-        return true if root_files.select { |nm| nm.end_with?(".gemspec") }.any?
+        return true if root_files.any? { |nm| nm.end_with?(".gemspec") }
 
         dependencies.any? { |d| d.humanized_previous_version.nil? }
       end

data/lib/dependabot/pull_request_updater/gitlab.rb

@@ -68,33 +68,11 @@ module Dependabot
           source.repo,
           merge_request.source_branch,
           commit_being_updated.title,
-          file_actions,
+          files,
           force: true,
           start_branch: merge_request.target_branch
         )
       end
-
-      def file_actions
-        files.map do |file|
-          {
-            action: file_action(file),
-            file_path: file.type == "symlink" ? file.symlink_target : file.path,
-            content: file.content,
-            encoding: file.content_encoding
-          }
-        end
-      end
-
-      # @param [DependencyFile] file
-      def file_action(file)
-        if file.operation == Dependabot::DependencyFile::Operation::DELETE
-          "delete"
-        elsif file.operation == Dependabot::DependencyFile::Operation::CREATE
-          "create"
-        else
-          "update"
-        end
-      end
     end
   end
 end

data/lib/dependabot/shared_helpers.rb

@@ -17,7 +17,7 @@ require "dependabot"
 
 module Dependabot
   module SharedHelpers
-    GIT_CONFIG_GLOBAL_PATH = File.expand_path("~/.gitconfig")
+    GIT_CONFIG_GLOBAL_PATH = File.expand_path(".gitconfig", Utils::BUMP_TMP_DIR_PATH)
     USER_AGENT = "dependabot-core/#{Dependabot::VERSION} " \
                  "#{Excon::USER_AGENT} ruby/#{RUBY_VERSION} " \
                  "(#{RUBY_PLATFORM}) " \
@@ -182,13 +182,23 @@ module Dependabot
     end
 
     def self.with_git_configured(credentials:)
-      backup_git_config_path, safe_directories = stash_global_git_config
-      configure_git_to_use_https_with_credentials(credentials, safe_directories)
-      yield
+      safe_directories = find_safe_directories
+
+      FileUtils.mkdir_p(Utils::BUMP_TMP_DIR_PATH)
+
+      previous_config = ENV.fetch("GIT_CONFIG_GLOBAL", nil)
+
+      begin
+        ENV["GIT_CONFIG_GLOBAL"] = GIT_CONFIG_GLOBAL_PATH
+        configure_git_to_use_https_with_credentials(credentials, safe_directories)
+        yield
+      ensure
+        ENV["GIT_CONFIG_GLOBAL"] = previous_config
+      end
     rescue Errno::ENOSPC => e
       raise Dependabot::OutOfDisk, e.message
     ensure
-      reset_global_git_config(backup_git_config_path)
+      FileUtils.rm_f(GIT_CONFIG_GLOBAL_PATH)
     end
 
     # Handle SCP-style git URIs
@@ -221,7 +231,6 @@ module Dependabot
       )
 
       # see https://github.blog/2022-04-12-git-security-vulnerability-announced/
-      safe_directories ||= []
       safe_directories.each do |path|
         run_shell_command("git config --global --add safe.directory #{path}")
       end
@@ -296,30 +305,12 @@ module Dependabot
       end
     end
 
-    def self.stash_global_git_config
-      return unless File.exist?(GIT_CONFIG_GLOBAL_PATH)
-
-      contents = File.read(GIT_CONFIG_GLOBAL_PATH)
-      digest = Digest::SHA2.hexdigest(contents)[0...10]
-      backup_path = GIT_CONFIG_GLOBAL_PATH + ".backup-#{digest}"
-
+    def self.find_safe_directories
       # to preserve safe directories from global .gitconfig
       output, process = Open3.capture2("git config --global --get-all safe.directory")
       safe_directories = []
       safe_directories = output.split("\n").compact if process.success?
-
-      FileUtils.mv(GIT_CONFIG_GLOBAL_PATH, backup_path)
-      [backup_path, safe_directories]
-    end
-
-    def self.reset_global_git_config(backup_path)
-      if backup_path.nil?
-        FileUtils.rm(GIT_CONFIG_GLOBAL_PATH)
-        return
-      end
-      return unless File.exist?(backup_path)
-
-      FileUtils.mv(backup_path, GIT_CONFIG_GLOBAL_PATH)
+      safe_directories
     end
 
     def self.run_shell_command(command,

data/lib/dependabot/utils.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "tmpdir"
 require "set"
 
 # TODO: in due course, these "registries" should live in a wrapper gem, not
@@ -7,7 +8,7 @@ require "set"
 module Dependabot
   module Utils
     BUMP_TMP_FILE_PREFIX = "dependabot_"
-    BUMP_TMP_DIR_PATH = "tmp"
+    BUMP_TMP_DIR_PATH = File.expand_path(Dir::Tmpname.create("", "tmp") { nil })
 
     @version_classes = {}
 

data/lib/dependabot.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.227.0"
+  VERSION = "0.229.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.227.0
+  version: 0.229.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-08-18 00:00:00.000000000 Z
+date: 2023-08-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -332,14 +332,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.50.0
+        version: 1.56.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.50.0
+        version: 1.56.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -486,7 +486,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.227.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.229.0
 post_install_message: 
 rdoc_options: []
 require_paths: