dependabot-common 0.234.0 → 0.236.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 621688a92a0526cbe086c2fe30d824e0827ba4d98f7a7f4218560f80311579a2
-  data.tar.gz: 9643f1ea4eb456787c3b6db3962e0c5fe67cb793fff44415be1b4c6d1f6d79c0
+  metadata.gz: 945c135096f005a7d416b56d1e8f9e6b91e1a02b0590758887eba5a110fb5b19
+  data.tar.gz: 0cc101754418b3b1aa682c273e5c6ed2fa72b796d72a9b4d30b3c0f0aa41c39b
 SHA512:
-  metadata.gz: a3461d4923d3826280c52e4ddbb936e55ec13e2f1d448b8a99b66a2f0d6996a5db592f06810084b8f8a9795c1d4d7070d40f24bbe3e444b1563ac61cc58cd35f
-  data.tar.gz: 9903829aa7321ee5c3f7840a62bc32baa9c6be48d3b4ad682c939b65a78d965d7ff0c6eefbe683a868b4af945aeb204d12c8c4a908fe9f597346a4ff08a4d6ce
+  metadata.gz: 76e41c5707a11e8a5b17df8fa71fc81a4ebbf1a3fd71469931d84cebe1573588afa6605751af2a65c849884bcdf0dd79b5bc4a1d63b9ac69d39466cf8a4b952e
+  data.tar.gz: 53204ad41f102502301e483b3175280673849b0ab0d530b8458aa77289251dfaf287f9ee051e90bd5b39722a7b25a2993e8a49aa15c03982e82990df475fd9dd

data/lib/dependabot/config/file.rb

@@ -2,11 +2,14 @@
 # frozen_string_literal: true
 
 require "dependabot/config/update_config"
+require "sorbet-runtime"
 
 module Dependabot
   module Config
     # Configuration for the repository, a parsed dependabot.yaml.
     class File
+      extend T::Sig
+
       attr_reader :updates, :registries
 
       def initialize(updates:, registries: nil)
@@ -14,6 +17,10 @@ module Dependabot
         @registries = registries || []
       end
 
+      sig do
+        params(package_manager: String, directory: T.nilable(String), target_branch: T.nilable(String))
+          .returns(UpdateConfig)
+      end
       def update_config(package_manager, directory: nil, target_branch: nil)
         dir = directory || "/"
         package_ecosystem = PACKAGE_MANAGER_LOOKUP.invert.fetch(package_manager)
@@ -21,13 +28,14 @@ module Dependabot
           u[:"package-ecosystem"] == package_ecosystem && u[:directory] == dir &&
             (target_branch.nil? || u[:"target-branch"] == target_branch)
         end
-        Dependabot::Config::UpdateConfig.new(
+        UpdateConfig.new(
           ignore_conditions: ignore_conditions(cfg),
           commit_message_options: commit_message_options(cfg)
         )
       end
 
       # Parse the YAML config file
+      sig { params(config: String).returns(File) }
       def self.parse(config)
         parsed = YAML.safe_load(config, symbolize_names: true)
         version = parsed[:version]
@@ -58,10 +66,11 @@ module Dependabot
         "terraform" => "terraform"
       }.freeze
 
+      sig { params(cfg: T.nilable(T::Hash[Symbol, T.untyped])).returns(T::Array[IgnoreCondition]) }
       def ignore_conditions(cfg)
         ignores = cfg&.dig(:ignore) || []
         ignores.map do |ic|
-          Dependabot::Config::IgnoreCondition.new(
+          IgnoreCondition.new(
             dependency_name: ic[:"dependency-name"],
             versions: ic[:versions],
             update_types: ic[:"update-types"]
@@ -69,9 +78,12 @@ module Dependabot
         end
       end
 
+      sig do
+        params(cfg: T.nilable(T::Hash[Symbol, T.untyped])).returns(UpdateConfig::CommitMessageOptions)
+      end
       def commit_message_options(cfg)
         commit_message = cfg&.dig(:"commit-message") || {}
-        Dependabot::Config::UpdateConfig::CommitMessageOptions.new(
+        UpdateConfig::CommitMessageOptions.new(
           prefix: commit_message[:prefix],
           prefix_development: commit_message[:"prefix-development"] || commit_message[:prefix],
           include: commit_message[:include]

data/lib/dependabot/config/file_fetcher.rb

@@ -6,7 +6,7 @@ require "dependabot/config/file"
 
 module Dependabot
   module Config
-    class FileFetcher < Dependabot::FileFetchers::Base
+    class FileFetcher < FileFetchers::Base
       CONFIG_FILE_PATHS = %w(.github/dependabot.yml .github/dependabot.yaml).freeze
 
       def self.required_files_in?(filenames)
@@ -35,13 +35,13 @@ module Dependabot
               fetched_files << config_file
               break
             end
-          rescue Dependabot::DependencyFileNotFound
+          rescue DependencyFileNotFound
             next
           end
         end
 
         unless self.class.required_files_in?(fetched_files.map(&:name))
-          raise Dependabot::DependencyFileNotFound.new(nil, self.class.required_files_message)
+          raise DependencyFileNotFound.new(nil, self.class.required_files_message)
         end
 
         fetched_files

data/lib/dependabot/config/ignore_condition.rb

@@ -1,24 +1,43 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module Config
     # Filters versions that should not be considered for dependency updates
     class IgnoreCondition
+      extend T::Sig
+
       PATCH_VERSION_TYPE = "version-update:semver-patch"
       MINOR_VERSION_TYPE = "version-update:semver-minor"
       MAJOR_VERSION_TYPE = "version-update:semver-major"
 
       ALL_VERSIONS = ">= 0"
 
-      attr_reader :dependency_name, :versions, :update_types
+      sig { returns(String) }
+      attr_reader :dependency_name
+
+      sig { returns(T::Array[String]) }
+      attr_reader :versions
 
+      sig { returns(T::Array[String]) }
+      attr_reader :update_types
+
+      sig do
+        params(
+          dependency_name: String,
+          versions: T.any(NilClass, T::Array[String]),
+          update_types: T.any(NilClass, T::Array[String])
+        ).void
+      end
       def initialize(dependency_name:, versions: nil, update_types: nil)
-        @dependency_name = dependency_name
-        @versions = versions || []
-        @update_types = update_types || []
+        @dependency_name = T.let(dependency_name, String)
+        @versions = T.let(versions || [], T::Array[String])
+        @update_types = T.let(update_types || [], T::Array[String])
       end
 
+      sig { params(dependency: Dependency, security_updates_only: T::Boolean).returns(T::Array[String]) }
       def ignored_versions(dependency, security_updates_only)
         return versions if security_updates_only
         return [ALL_VERSIONS] if versions.empty? && transformed_update_types.empty?
@@ -28,10 +47,12 @@ module Dependabot
 
       private
 
+      sig { returns(T::Array[String]) }
       def transformed_update_types
         update_types.map(&:downcase).filter_map(&:strip)
       end
 
+      sig { params(dependency: Dependency).returns(T::Array[T.untyped]) }
       def versions_by_type(dependency)
         version = correct_version_for(dependency)
         return [] unless version
@@ -52,9 +73,10 @@ module Dependabot
         end.compact
       end
 
+      sig { params(version: String).returns(T::Array[String]) }
       def ignore_patch(version)
         parts = version.split(".")
-        version_parts = parts.fill(0, parts.length...2)
+        version_parts = parts.fill("0", parts.length...2)
         upper_parts = version_parts.first(1) + [version_parts[1].to_i + 1]
         lower_bound = "> #{version}"
         upper_bound = "< #{upper_parts.join('.')}"
@@ -62,9 +84,10 @@ module Dependabot
         ["#{lower_bound}, #{upper_bound}"]
       end
 
+      sig { params(version: String).returns(T::Array[String]) }
       def ignore_minor(version)
         parts = version.split(".")
-        version_parts = parts.fill(0, parts.length...2)
+        version_parts = parts.fill("0", parts.length...2)
         lower_parts = version_parts.first(1) + [version_parts[1].to_i + 1] + ["a"]
         upper_parts = version_parts.first(0) + [version_parts[0].to_i + 1]
         lower_bound = ">= #{lower_parts.join('.')}"
@@ -73,6 +96,7 @@ module Dependabot
         ["#{lower_bound}, #{upper_bound}"]
       end
 
+      sig { params(version: String).returns(T::Array[String]) }
       def ignore_major(version)
         version_parts = version.split(".")
         lower_parts = [version_parts[0].to_i + 1] + ["a"]
@@ -81,6 +105,7 @@ module Dependabot
         [lower_bound]
       end
 
+      sig { params(dependency: Dependency).returns(T.nilable(Version)) }
       def correct_version_for(dependency)
         version = dependency.version
         return if version.nil? || version.empty?
@@ -91,10 +116,11 @@ module Dependabot
         version_class.new(version)
       end
 
+      sig { params(package_manager: String).returns(T.class_of(Version)) }
       def version_class_for(package_manager)
         Utils.version_class_for_package_manager(package_manager)
       rescue StandardError
-        Dependabot::Version
+        Version
       end
     end
   end

data/lib/dependabot/config/update_config.rb

@@ -2,17 +2,32 @@
 # frozen_string_literal: true
 
 require "dependabot/config/ignore_condition"
+require "sorbet-runtime"
 
 module Dependabot
   module Config
     # Configuration for a single ecosystem
     class UpdateConfig
-      attr_reader :commit_message_options, :ignore_conditions
+      extend T::Sig
+
+      sig { returns(T.nilable(CommitMessageOptions)) }
+      attr_reader :commit_message_options
+
+      sig { returns(T::Array[IgnoreCondition]) }
+      attr_reader :ignore_conditions
+
+      sig do
+        params(
+          ignore_conditions: T.nilable(T::Array[IgnoreCondition]),
+          commit_message_options: T.nilable(CommitMessageOptions)
+        ).void
+      end
       def initialize(ignore_conditions: nil, commit_message_options: nil)
         @ignore_conditions = ignore_conditions || []
         @commit_message_options = commit_message_options
       end
 
+      sig { params(dependency: Dependency, security_updates_only: T::Boolean).returns(T::Array[String]) }
       def ignored_versions_for(dependency, security_updates_only: false)
         normalizer = name_normaliser_for(dependency)
         dep_name = normalizer.call(dependency.name)
@@ -25,6 +40,7 @@ module Dependabot
           .uniq
       end
 
+      sig { params(wildcard_string: T.nilable(String), candidate_string: T.nilable(String)).returns(T::Boolean) }
       def self.wildcard_match?(wildcard_string, candidate_string)
         return false unless wildcard_string && candidate_string
 
@@ -43,6 +59,8 @@ module Dependabot
       end
 
       class CommitMessageOptions
+        extend T::Sig
+
         attr_reader :prefix, :prefix_development, :include
 
         def initialize(prefix:, prefix_development:, include:)

data/lib/dependabot/config.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
 module Dependabot

data/lib/dependabot/dependency_file.rb

@@ -20,6 +20,11 @@ module Dependabot
       DELETE = "delete"
     end
 
+    class Mode
+      FILE = "100644"
+      SUBMODULE = "160000"
+    end
+
     def initialize(name:, content:, directory: "/", type: "file",
                    support_file: false, vendored_file: false, symlink_target: nil,
                    content_encoding: ContentEncoding::UTF_8, deleted: false,

data/lib/dependabot/errors.rb

@@ -5,7 +5,7 @@ require "dependabot/utils"
 
 module Dependabot
   class DependabotError < StandardError
-    BASIC_AUTH_REGEX = %r{://(?<auth>[^:]*:[^@%\s]+(@|%40))}
+    BASIC_AUTH_REGEX = %r{://(?<auth>[^:@]*:[^@%\s/]+(@|%40))}
     # Remove any path segment from fury.io sources
     FURY_IO_PATH_REGEX = %r{fury\.io/(?<path>.+)}
 
@@ -54,6 +54,15 @@ module Dependabot
   # Repo level errors #
   #####################
 
+  class DirectoryNotFound < DependabotError
+    attr_reader :directory_name
+
+    def initialize(directory_name, msg = nil)
+      @directory_name = directory_name
+      super(msg)
+    end
+  end
+
   class BranchNotFound < DependabotError
     attr_reader :branch_name
 

data/lib/dependabot/file_fetchers/base.rb

@@ -57,6 +57,7 @@ module Dependabot
         @credentials = credentials
         @repo_contents_path = repo_contents_path
         @linked_paths = {}
+        @submodules = []
         @options = options
       end
 
@@ -100,7 +101,7 @@ module Dependabot
           raise Dependabot::OutOfDisk
         end
 
-        raise Dependabot::RepoNotFound, source
+        raise Dependabot::RepoNotFound.new(source, e.message)
       end
 
       def ecosystem_versions
@@ -154,7 +155,8 @@ module Dependabot
           directory: directory,
           type: type,
           content: content,
-          symlink_target: symlink_target
+          symlink_target: symlink_target,
+          support_file: in_submodule?(path)
         )
       end
 
@@ -185,6 +187,10 @@ module Dependabot
         subpaths(path).find { |subpath| @linked_paths.key?(subpath) }
       end
 
+      def in_submodule?(path)
+        subpaths(path.delete_prefix("/")).any? { |subpath| @submodules.include?(subpath) }
+      end
+
       # Given a "foo/bar/baz" path, returns ["foo", "foo/bar", "foo/bar/baz"]
       def subpaths(path)
         components = path.split("/")
@@ -194,7 +200,7 @@ module Dependabot
       def repo_contents(dir: ".", ignore_base_directory: false,
                         raise_errors: true, fetch_submodules: false)
         dir = File.join(directory, dir) unless ignore_base_directory
-        path = Pathname.new(File.join(dir)).cleanpath.to_path.gsub(%r{^/*}, "")
+        path = Pathname.new(dir).cleanpath.to_path.gsub(%r{^/*}, "")
 
         @repo_contents ||= {}
         @repo_contents[dir] ||= if repo_contents_path
@@ -309,6 +315,8 @@ module Dependabot
 
         _fetch_repo_contents_fully_specified(provider, repo, tmp_path, commit)
       rescue *CLIENT_NOT_FOUND_ERRORS
+        raise Dependabot::DirectoryNotFound, directory if path == directory.gsub(%r{^/*}, "")
+
         result = raise_errors ? -> { raise } : -> { [] }
         retrying ||= false
 
@@ -631,6 +639,8 @@ module Dependabot
                 git clone #{clone_options.string} #{source.url} #{path}
               CMD
             )
+
+            @submodules = find_submodules(path) if recurse_submodules_when_cloning?
           rescue SharedHelpers::HelperSubprocessFailed => e
             raise unless e.message.match(GIT_SUBMODULE_ERROR_REGEX) && e.message.downcase.include?("submodule")
 
@@ -682,6 +692,21 @@ module Dependabot
         bom = (+"\xEF\xBB\xBF").force_encoding(Encoding::BINARY)
         Base64.decode64(str).delete_prefix(bom).force_encoding("UTF-8").encode
       end
+
+      def find_submodules(path)
+        SharedHelpers.run_shell_command(
+          <<~CMD
+            git -C #{path} ls-files --stage
+          CMD
+        ).split("\n").filter_map do |line|
+          info = line.split
+
+          type = info.first
+          path = info.last
+
+          next path if type == DependencyFile::Mode::SUBMODULE
+        end
+      end
     end
   end
 end

data/lib/dependabot/file_updaters/artifact_updater.rb

@@ -1,6 +1,7 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/dependency_file"
 
 # This class provides a utility to check for arbitary modified files within a
@@ -9,8 +10,12 @@ require "dependabot/dependency_file"
 module Dependabot
   module FileUpdaters
     class ArtifactUpdater
+      extend T::Sig
+      extend T::Helpers
+
       # @param repo_contents_path [String, nil] the path we cloned the repository into
       # @param target_directory [String, nil] the path within a project directory we should inspect for changes
+      sig { params(repo_contents_path: T.nilable(String), target_directory: T.nilable(String)).void }
       def initialize(repo_contents_path:, target_directory:)
         @repo_contents_path = repo_contents_path
         @target_directory = target_directory
@@ -23,17 +28,24 @@ module Dependabot
       # @param only_paths [Array<String>, nil] An optional list of specific paths to check, if this is nil we will
       #                                        return every change we find within the `base_directory`
       # @return [Array<Dependabot::DependencyFile>]
+      sig do
+        params(base_directory: String, only_paths: T.nilable(T::Array[String]))
+          .returns(T::Array[Dependabot::DependencyFile])
+      end
       def updated_files(base_directory:, only_paths: nil)
         return [] unless repo_contents_path && target_directory
 
-        Dir.chdir(repo_contents_path) do
+        Dir.chdir(T.must(repo_contents_path)) do
           # rubocop:disable Performance/DeletePrefix
-          relative_dir = Pathname.new(base_directory).sub(%r{\A/}, "").join(target_directory)
+          relative_dir = Pathname.new(base_directory).sub(%r{\A/}, "").join(T.must(target_directory))
           # rubocop:enable Performance/DeletePrefix
 
-          status = SharedHelpers.run_shell_command(
-            "git status --untracked-files all --porcelain v1 #{relative_dir}",
-            fingerprint: "git status --untracked-files all --porcelain v1 <relative_dir>"
+          status = T.let(
+            SharedHelpers.run_shell_command(
+              "git status --untracked-files all --porcelain v1 #{relative_dir}",
+              fingerprint: "git status --untracked-files all --porcelain v1 <relative_dir>"
+            ),
+            String
           )
           changed_paths = status.split("\n").map(&:split)
           changed_paths.filter_map do |type, path|
@@ -51,7 +63,7 @@ module Dependabot
             operation = Dependabot::DependencyFile::Operation::DELETE if type == "D"
             operation = Dependabot::DependencyFile::Operation::CREATE if type == "??"
 
-            encoded_content, encoding = get_encoded_file_contents(path, operation)
+            encoded_content, encoding = get_encoded_file_contents(T.must(path), operation)
 
             create_dependency_file(
               name: file_path.to_s,
@@ -66,10 +78,19 @@ module Dependabot
 
       private
 
-      TEXT_ENCODINGS = %w(us-ascii utf-8).freeze
+      TEXT_ENCODINGS = T.let(%w(us-ascii utf-8).freeze, T::Array[String])
 
-      attr_reader :repo_contents_path, :target_directory
+      sig { returns(T.nilable(String)) }
+      attr_reader :repo_contents_path
+      sig { returns(T.nilable(String)) }
+      attr_reader :target_directory
 
+      sig do
+        params(
+          path: String,
+          operation: String
+        ).returns([T.nilable(String), String])
+      end
       def get_encoded_file_contents(path, operation)
         encoded_content = nil
         encoding = ""
@@ -86,6 +107,7 @@ module Dependabot
         [encoded_content, encoding]
       end
 
+      sig { params(path: String).returns(T::Boolean) }
       def binary_file?(path)
         return false unless File.exist?(path)
 
@@ -95,8 +117,13 @@ module Dependabot
         !TEXT_ENCODINGS.include?(encoding)
       end
 
+      sig do
+        overridable
+          .params(parameters: T::Hash[Symbol, T.untyped])
+          .returns(Dependabot::DependencyFile)
+      end
       def create_dependency_file(parameters)
-        Dependabot::DependencyFile.new(**parameters)
+        Dependabot::DependencyFile.new(**T.unsafe(parameters))
       end
     end
   end

data/lib/dependabot/file_updaters/base.rb

@@ -1,18 +1,45 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module FileUpdaters
     class Base
-      attr_reader :dependencies, :dependency_files, :repo_contents_path,
-                  :credentials, :options
+      extend T::Sig
+      extend T::Helpers
+      abstract!
+
+      sig { returns(T::Array[Dependabot::Dependency]) }
+      attr_reader :dependencies
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :dependency_files
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :repo_contents_path
 
+      sig { returns(T::Array[T::Hash[String, String]]) }
+      attr_reader :credentials
+
+      sig { returns(T::Hash[Symbol, T.untyped]) }
+      attr_reader :options
+
+      sig { overridable.returns(String) }
       def self.updated_files_regex
         raise NotImplementedError
       end
 
-      def initialize(dependencies:, dependency_files:, repo_contents_path: nil,
-                     credentials:, options: {})
+      sig do
+        params(
+          dependencies: T::Array[Dependabot::Dependency],
+          dependency_files: T::Array[Dependabot::DependencyFile],
+          credentials: T::Array[T::Hash[String, String]],
+          repo_contents_path: T.nilable(String),
+          options: T::Hash[Symbol, T.untyped]
+        ).void
+      end
+      def initialize(dependencies:, dependency_files:, credentials:, repo_contents_path: nil, options: {})
         @dependencies = dependencies
         @dependency_files = dependency_files
         @repo_contents_path = repo_contents_path
@@ -22,31 +49,36 @@ module Dependabot
         check_required_files
       end
 
+      sig { overridable.returns(T::Array[::Dependabot::DependencyFile]) }
       def updated_dependency_files
         raise NotImplementedError
       end
 
       private
 
+      sig { overridable.void }
       def check_required_files
         raise NotImplementedError
       end
 
+      sig { params(filename: String).returns(T.nilable(Dependabot::DependencyFile)) }
       def get_original_file(filename)
         dependency_files.find { |f| f.name == filename }
       end
 
+      sig { params(file: Dependabot::DependencyFile).returns(T::Boolean) }
       def file_changed?(file)
         dependencies.any? { |dep| requirement_changed?(file, dep) }
       end
 
+      sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
       def requirement_changed?(file, dependency)
-        changed_requirements =
-          dependency.requirements - dependency.previous_requirements
+        changed_requirements = dependency.requirements - dependency.previous_requirements
 
         changed_requirements.any? { |f| f[:file] == file.name }
       end
 
+      sig { params(file: Dependabot::DependencyFile, content: String).returns(Dependabot::DependencyFile) }
       def updated_file(file:, content:)
         updated_file = file.dup
         updated_file.content = content

data/lib/dependabot/file_updaters/vendor_updater.rb

@@ -1,6 +1,7 @@
-# typed: false
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/dependency_file"
 require "dependabot/file_updaters/artifact_updater"
 
@@ -13,21 +14,30 @@ require "dependabot/file_updaters/artifact_updater"
 module Dependabot
   module FileUpdaters
     class VendorUpdater < ArtifactUpdater
+      extend T::Sig
+      extend T::Helpers
+
       # This provides backwards compatability for anyone who used this class
       # before the base ArtifactUpdater class was introduced and aligns the
       # method's public signatures with it's special-case domain.
+      sig { params(repo_contents_path: T.nilable(String), vendor_dir: T.nilable(String)).void }
       def initialize(repo_contents_path:, vendor_dir:)
         @repo_contents_path = repo_contents_path
         @vendor_dir = vendor_dir
         super(repo_contents_path: @repo_contents_path, target_directory: @vendor_dir)
       end
 
-      alias updated_vendor_cache_files updated_files
+      T.unsafe(self).alias_method :updated_vendor_cache_files, :updated_files
 
       private
 
+      sig do
+        override
+          .params(parameters: T::Hash[Symbol, T.untyped])
+          .returns(Dependabot::DependencyFile)
+      end
       def create_dependency_file(parameters)
-        Dependabot::DependencyFile.new(**parameters.merge({ vendored_file: true }))
+        Dependabot::DependencyFile.new(**T.unsafe({ **parameters.merge({ vendored_file: true }) }))
       end
     end
   end

data/lib/dependabot/logger.rb

@@ -1,13 +1,18 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
 require "logger"
+require "sorbet-runtime"
 
 module Dependabot
+  extend T::Sig
+
+  sig { returns(::Logger) }
   def self.logger
-    @logger ||= Logger.new(nil)
+    @logger ||= T.let(::Logger.new(nil), T.nilable(::Logger))
   end
 
+  sig { params(logger: ::Logger).void }
   def self.logger=(logger)
     @logger = logger
   end

data/lib/dependabot/pull_request_creator/commit_signer.rb

@@ -1,16 +1,40 @@
-# typed: false
+# typed: strict
 # frozen_string_literal: true
 
 require "time"
 require "tmpdir"
+require "sorbet-runtime"
 require "dependabot/pull_request_creator"
 
 module Dependabot
   class PullRequestCreator
     class CommitSigner
-      attr_reader :author_details, :commit_message, :tree_sha, :parent_sha,
-                  :signature_key
+      extend T::Sig
 
+      sig { returns(T::Hash[Symbol, String]) }
+      attr_reader :author_details
+
+      sig { returns(String) }
+      attr_reader :commit_message
+
+      sig { returns(String) }
+      attr_reader :tree_sha
+
+      sig { returns(String) }
+      attr_reader :parent_sha
+
+      sig { returns(String) }
+      attr_reader :signature_key
+
+      sig do
+        params(
+          author_details: T::Hash[Symbol, String],
+          commit_message: String,
+          tree_sha: String,
+          parent_sha: String,
+          signature_key: String
+        ).void
+      end
       def initialize(author_details:, commit_message:, tree_sha:, parent_sha:,
                      signature_key:)
         @author_details = author_details
@@ -20,6 +44,7 @@ module Dependabot
         @signature_key = signature_key
       end
 
+      sig { returns(String) }
       def signature
         begin
           require "gpgme"
@@ -39,20 +64,21 @@ module Dependabot
         opts = { mode: GPGME::SIG_MODE_DETACH, signer: email }
         crypto.sign(commit_object, opts).to_s
       rescue Errno::ENOTEMPTY
-        FileUtils.remove_entry(dir, true)
+        FileUtils.remove_entry(T.must(dir), true)
         # This appears to be a Ruby bug which occurs very rarely
         raise if @retrying
 
-        @retrying = true
+        @retrying = T.let(true, T.nilable(T::Boolean))
         retry
       ensure
-        FileUtils.remove_entry(dir, true)
+        FileUtils.remove_entry(T.must(dir), true)
       end
 
       private
 
+      sig { returns(String) }
       def commit_object
-        time_str = Time.parse(author_details[:date]).strftime("%s %z")
+        time_str = Time.parse(T.must(author_details[:date])).strftime("%s %z")
         name = author_details[:name]
         email = author_details[:email]
 

data/lib/dependabot/pull_request_creator/github.rb

@@ -189,7 +189,7 @@ module Dependabot
           if file.type == "submodule"
             {
               path: file.path.sub(%r{^/}, ""),
-              mode: "160000",
+              mode: Dependabot::DependencyFile::Mode::SUBMODULE,
               type: "commit",
               sha: file.content
             }
@@ -207,7 +207,7 @@ module Dependabot
 
             {
               path: file.realpath,
-              mode: (file.mode || "100644"),
+              mode: (file.mode || Dependabot::DependencyFile::Mode::FILE),
               type: "blob"
             }.merge(content)
           end

data/lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb

@@ -154,7 +154,7 @@ module Dependabot
             msg += body
             msg + "</details>\n"
           else
-            "\n##{summary}\n\n#{body}"
+            "\n# #{summary}\n\n#{body}"
           end
         end
 

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -59,20 +59,11 @@ module Dependabot
       end
 
       def pr_message
-        # TODO: Remove unignore_commands? feature flag once we are confident
-        # that it is working as expected
-        msg = if unignore_commands?
-                "#{suffixed_pr_message_header}" \
-                  "#{commit_message_intro}" \
-                  "#{metadata_cascades}" \
-                  "#{ignore_conditions_table}" \
-                  "#{prefixed_pr_message_footer}"
-              else
-                "#{suffixed_pr_message_header}" \
-                  "#{commit_message_intro}" \
-                  "#{metadata_cascades}" \
-                  "#{prefixed_pr_message_footer}"
-              end
+        msg = "#{suffixed_pr_message_header}" \
+              "#{commit_message_intro}" \
+              "#{metadata_cascades}" \
+              "#{ignore_conditions_table}" \
+              "#{prefixed_pr_message_footer}"
 
         truncate_pr_message(msg)
       rescue StandardError => e
@@ -80,10 +71,6 @@ module Dependabot
         suffixed_pr_message_header + prefixed_pr_message_footer
       end
 
-      def unignore_commands?
-        Experiments.enabled?(:unignore_commands)
-      end
-
       # Truncate PR message as determined by the pr_message_max_length and pr_message_encoding instance variables
       # The encoding is used when calculating length, all messages are returned as ruby UTF_8 encoded string
       def truncate_pr_message(msg)

data/lib/dependabot/pull_request_updater/github.rb

@@ -128,7 +128,7 @@ module Dependabot
           if file.type == "submodule"
             {
               path: file.path.sub(%r{^/}, ""),
-              mode: "160000",
+              mode: Dependabot::DependencyFile::Mode::SUBMODULE,
               type: "commit",
               sha: file.content
             }
@@ -146,7 +146,7 @@ module Dependabot
 
             {
               path: file.realpath,
-              mode: "100644",
+              mode: Dependabot::DependencyFile::Mode::FILE,
               type: "blob"
             }.merge(content)
           end

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.234.0"
+  VERSION = "0.236.0"
 end

data/lib/wildcard_matcher.rb

@@ -1,6 +1,8 @@
 # typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 class WildcardMatcher
   extend T::Sig
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.234.0
+  version: 0.236.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-10-12 00:00:00.000000000 Z
+date: 2023-10-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -188,6 +188,20 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '7.0'
+- !ruby/object:Gem::Dependency
+  name: opentelemetry-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: parser
   requirement: !ruby/object:Gem::Requirement
@@ -514,7 +528,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.234.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.236.0
 post_install_message: 
 rdoc_options: []
 require_paths: