dependabot-common 0.235.0 → 0.237.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b22cec48025b20921f000f63975cfc9db22dac670fa8ef6710fda754c288f68
-  data.tar.gz: 901b6246fde924caa2adfdcba0bc19dbd86833133c6cf951967024b656f68918
+  metadata.gz: e29557fff3ec856a4ebcb95a2b53dd70f91b5d7f2ea66cd6230e90dbcbbc2dc0
+  data.tar.gz: f6b2ce2a845422872e58b37681909fb4357bb1ebcac22c1085db113dc2429426
 SHA512:
-  metadata.gz: 819445f789764166001ff2f6ce532e6bd60ecb1a644eb4bb20ec00a15c433c58608af56e3c75bbccba479c2f6b81fd415298083f9d4e74c24ba382881a35280c
-  data.tar.gz: 3b5f7aa169756240055ded3136f8daae04cc52129a42f0566eddc90232a302427b889ef512534f5e865609d7a7ba526f82deb7cea2b59138c4533e61fa01971a
+  metadata.gz: 367d715ab3cb1b0c2c498555419e2212e9986c8e824128ce56695c00cdc190371fa0b7b9115258146ff0573f2e4a8461e1c66651b9d84bb2fdb7b0fe00b901ff
+  data.tar.gz: 4e5b3e040476f17cb7cf268ccc0cae90f17178da6a5954b14ca2a2ce280cf0f067b1ce8b88ecc8da5c04ae919cc34b670258b1555f9bfb707fb061cc8439acb3

data/lib/dependabot/clients/azure.rb

@@ -271,9 +271,9 @@ module Dependabot
             )
           )
 
-          raise InternalServerError if response&.status == 500
-          raise BadGateway if response&.status == 502
-          raise ServiceNotAvailable if response&.status == 503
+          raise InternalServerError if response.status == 500
+          raise BadGateway if response.status == 502
+          raise ServiceNotAvailable if response.status == 503
         end
 
         raise Unauthorized if response&.status == 401

data/lib/dependabot/config/file.rb

@@ -1,19 +1,37 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/config/update_config"
+require "sorbet-runtime"
 
 module Dependabot
   module Config
     # Configuration for the repository, a parsed dependabot.yaml.
     class File
-      attr_reader :updates, :registries
+      extend T::Sig
 
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
+      attr_reader :updates
+
+      sig { returns T::Array[T.untyped] }
+      attr_reader :registries
+
+      sig do
+        params(
+          updates: T.nilable(T::Array[T::Hash[Symbol, String]]),
+          registries: T.nilable(T::Array[T.untyped])
+        )
+          .void
+      end
       def initialize(updates:, registries: nil)
-        @updates = updates || []
-        @registries = registries || []
+        @updates = T.let(updates || [], T::Array[T::Hash[Symbol, String]])
+        @registries = T.let(registries || [], T::Array[T.untyped])
       end
 
+      sig do
+        params(package_manager: String, directory: T.nilable(String), target_branch: T.nilable(String))
+          .returns(UpdateConfig)
+      end
       def update_config(package_manager, directory: nil, target_branch: nil)
         dir = directory || "/"
         package_ecosystem = PACKAGE_MANAGER_LOOKUP.invert.fetch(package_manager)
@@ -21,13 +39,14 @@ module Dependabot
           u[:"package-ecosystem"] == package_ecosystem && u[:directory] == dir &&
             (target_branch.nil? || u[:"target-branch"] == target_branch)
         end
-        Dependabot::Config::UpdateConfig.new(
+        UpdateConfig.new(
           ignore_conditions: ignore_conditions(cfg),
           commit_message_options: commit_message_options(cfg)
         )
       end
 
       # Parse the YAML config file
+      sig { params(config: String).returns(File) }
       def self.parse(config)
         parsed = YAML.safe_load(config, symbolize_names: true)
         version = parsed[:version]
@@ -38,7 +57,7 @@ module Dependabot
 
       private
 
-      PACKAGE_MANAGER_LOOKUP = {
+      PACKAGE_MANAGER_LOOKUP = T.let({
         "bundler" => "bundler",
         "cargo" => "cargo",
         "composer" => "composer",
@@ -56,12 +75,13 @@ module Dependabot
         "pub" => "pub",
         "swift" => "swift",
         "terraform" => "terraform"
-      }.freeze
+      }.freeze, T::Hash[String, String])
 
+      sig { params(cfg: T.nilable(T::Hash[Symbol, T.untyped])).returns(T::Array[IgnoreCondition]) }
       def ignore_conditions(cfg)
         ignores = cfg&.dig(:ignore) || []
         ignores.map do |ic|
-          Dependabot::Config::IgnoreCondition.new(
+          IgnoreCondition.new(
             dependency_name: ic[:"dependency-name"],
             versions: ic[:versions],
             update_types: ic[:"update-types"]
@@ -69,9 +89,12 @@ module Dependabot
         end
       end
 
+      sig do
+        params(cfg: T.nilable(T::Hash[Symbol, T.untyped])).returns(UpdateConfig::CommitMessageOptions)
+      end
       def commit_message_options(cfg)
         commit_message = cfg&.dig(:"commit-message") || {}
-        Dependabot::Config::UpdateConfig::CommitMessageOptions.new(
+        UpdateConfig::CommitMessageOptions.new(
           prefix: commit_message[:prefix],
           prefix_development: commit_message[:"prefix-development"] || commit_message[:prefix],
           include: commit_message[:include]

data/lib/dependabot/config/file_fetcher.rb

@@ -6,7 +6,7 @@ require "dependabot/config/file"
 
 module Dependabot
   module Config
-    class FileFetcher < Dependabot::FileFetchers::Base
+    class FileFetcher < FileFetchers::Base
       CONFIG_FILE_PATHS = %w(.github/dependabot.yml .github/dependabot.yaml).freeze
 
       def self.required_files_in?(filenames)
@@ -35,13 +35,13 @@ module Dependabot
               fetched_files << config_file
               break
             end
-          rescue Dependabot::DependencyFileNotFound
+          rescue DependencyFileNotFound
             next
           end
         end
 
         unless self.class.required_files_in?(fetched_files.map(&:name))
-          raise Dependabot::DependencyFileNotFound.new(nil, self.class.required_files_message)
+          raise DependencyFileNotFound.new(nil, self.class.required_files_message)
         end
 
         fetched_files

data/lib/dependabot/config/ignore_condition.rb

@@ -1,24 +1,43 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module Config
     # Filters versions that should not be considered for dependency updates
     class IgnoreCondition
+      extend T::Sig
+
       PATCH_VERSION_TYPE = "version-update:semver-patch"
       MINOR_VERSION_TYPE = "version-update:semver-minor"
       MAJOR_VERSION_TYPE = "version-update:semver-major"
 
       ALL_VERSIONS = ">= 0"
 
-      attr_reader :dependency_name, :versions, :update_types
+      sig { returns(String) }
+      attr_reader :dependency_name
+
+      sig { returns(T::Array[String]) }
+      attr_reader :versions
 
+      sig { returns(T::Array[String]) }
+      attr_reader :update_types
+
+      sig do
+        params(
+          dependency_name: String,
+          versions: T.any(NilClass, T::Array[String]),
+          update_types: T.any(NilClass, T::Array[String])
+        ).void
+      end
       def initialize(dependency_name:, versions: nil, update_types: nil)
-        @dependency_name = dependency_name
-        @versions = versions || []
-        @update_types = update_types || []
+        @dependency_name = T.let(dependency_name, String)
+        @versions = T.let(versions || [], T::Array[String])
+        @update_types = T.let(update_types || [], T::Array[String])
       end
 
+      sig { params(dependency: Dependency, security_updates_only: T::Boolean).returns(T::Array[String]) }
       def ignored_versions(dependency, security_updates_only)
         return versions if security_updates_only
         return [ALL_VERSIONS] if versions.empty? && transformed_update_types.empty?
@@ -28,10 +47,12 @@ module Dependabot
 
       private
 
+      sig { returns(T::Array[String]) }
       def transformed_update_types
         update_types.map(&:downcase).filter_map(&:strip)
       end
 
+      sig { params(dependency: Dependency).returns(T::Array[T.untyped]) }
       def versions_by_type(dependency)
         version = correct_version_for(dependency)
         return [] unless version
@@ -52,9 +73,10 @@ module Dependabot
         end.compact
       end
 
+      sig { params(version: String).returns(T::Array[String]) }
       def ignore_patch(version)
         parts = version.split(".")
-        version_parts = parts.fill(0, parts.length...2)
+        version_parts = parts.fill("0", parts.length...2)
         upper_parts = version_parts.first(1) + [version_parts[1].to_i + 1]
         lower_bound = "> #{version}"
         upper_bound = "< #{upper_parts.join('.')}"
@@ -62,9 +84,10 @@ module Dependabot
         ["#{lower_bound}, #{upper_bound}"]
       end
 
+      sig { params(version: String).returns(T::Array[String]) }
       def ignore_minor(version)
         parts = version.split(".")
-        version_parts = parts.fill(0, parts.length...2)
+        version_parts = parts.fill("0", parts.length...2)
         lower_parts = version_parts.first(1) + [version_parts[1].to_i + 1] + ["a"]
         upper_parts = version_parts.first(0) + [version_parts[0].to_i + 1]
         lower_bound = ">= #{lower_parts.join('.')}"
@@ -73,6 +96,7 @@ module Dependabot
         ["#{lower_bound}, #{upper_bound}"]
       end
 
+      sig { params(version: String).returns(T::Array[String]) }
       def ignore_major(version)
         version_parts = version.split(".")
         lower_parts = [version_parts[0].to_i + 1] + ["a"]
@@ -81,6 +105,7 @@ module Dependabot
         [lower_bound]
       end
 
+      sig { params(dependency: Dependency).returns(T.nilable(Version)) }
       def correct_version_for(dependency)
         version = dependency.version
         return if version.nil? || version.empty?
@@ -91,10 +116,11 @@ module Dependabot
         version_class.new(version)
       end
 
+      sig { params(package_manager: String).returns(T.class_of(Version)) }
       def version_class_for(package_manager)
         Utils.version_class_for_package_manager(package_manager)
       rescue StandardError
-        Dependabot::Version
+        Version
       end
     end
   end

data/lib/dependabot/config/update_config.rb

@@ -1,30 +1,46 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/config/ignore_condition"
+require "sorbet-runtime"
 
 module Dependabot
   module Config
     # Configuration for a single ecosystem
     class UpdateConfig
-      attr_reader :commit_message_options, :ignore_conditions
+      extend T::Sig
+
+      sig { returns(T.nilable(CommitMessageOptions)) }
+      attr_reader :commit_message_options
+
+      sig { returns(T::Array[IgnoreCondition]) }
+      attr_reader :ignore_conditions
+
+      sig do
+        params(
+          ignore_conditions: T.nilable(T::Array[IgnoreCondition]),
+          commit_message_options: T.nilable(CommitMessageOptions)
+        ).void
+      end
       def initialize(ignore_conditions: nil, commit_message_options: nil)
-        @ignore_conditions = ignore_conditions || []
+        @ignore_conditions = T.let(ignore_conditions || [], T::Array[IgnoreCondition])
         @commit_message_options = commit_message_options
       end
 
+      sig { params(dependency: Dependency, security_updates_only: T::Boolean).returns(T::Array[String]) }
       def ignored_versions_for(dependency, security_updates_only: false)
         normalizer = name_normaliser_for(dependency)
-        dep_name = normalizer.call(dependency.name)
+        dep_name = T.must(normalizer).call(dependency.name)
 
         @ignore_conditions
-          .select { |ic| self.class.wildcard_match?(normalizer.call(ic.dependency_name), dep_name) }
+          .select { |ic| self.class.wildcard_match?(T.must(normalizer).call(ic.dependency_name), dep_name) }
           .map { |ic| ic.ignored_versions(dependency, security_updates_only) }
           .flatten
           .compact
           .uniq
       end
 
+      sig { params(wildcard_string: T.nilable(String), candidate_string: T.nilable(String)).returns(T::Boolean) }
       def self.wildcard_match?(wildcard_string, candidate_string)
         return false unless wildcard_string && candidate_string
 
@@ -37,24 +53,44 @@ module Dependabot
 
       private
 
+      sig { params(dep: Dependency).returns(T.nilable(T.proc.params(arg0: String).returns(String))) }
       def name_normaliser_for(dep)
         name_normaliser ||= {}
         name_normaliser[dep] ||= Dependency.name_normaliser_for_package_manager(dep.package_manager)
       end
 
       class CommitMessageOptions
-        attr_reader :prefix, :prefix_development, :include
+        extend T::Sig
 
+        sig { returns(T.nilable(String)) }
+        attr_reader :prefix
+
+        sig { returns(T.nilable(String)) }
+        attr_reader :prefix_development
+
+        sig { returns(T.nilable(String)) }
+        attr_reader :include
+
+        sig do
+          params(
+            prefix: T.nilable(String),
+            prefix_development: T.nilable(String),
+            include: T.nilable(String)
+          )
+            .void
+        end
         def initialize(prefix:, prefix_development:, include:)
           @prefix = prefix
           @prefix_development = prefix_development
           @include = include
         end
 
+        sig { returns(T::Boolean) }
         def include_scope?
           @include == "scope"
         end
 
+        sig { returns(T::Hash[Symbol, String]) }
         def to_h
           {
             prefix: @prefix,

data/lib/dependabot/config.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
 module Dependabot

data/lib/dependabot/dependency_file.rb

@@ -1,13 +1,47 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "pathname"
+require "sorbet-runtime"
 
 module Dependabot
   class DependencyFile
-    attr_accessor :name, :content, :directory, :type, :support_file,
-                  :vendored_file, :symlink_target, :content_encoding,
-                  :operation, :mode
+    extend T::Sig
+
+    sig { returns(String) }
+    attr_accessor :name
+
+    sig { returns(T.nilable(String)) }
+    attr_accessor :content
+
+    sig { returns(String) }
+    attr_accessor :directory
+
+    sig { returns(String) }
+    attr_accessor :type
+
+    sig { returns(T::Boolean) }
+    attr_accessor :support_file
+
+    sig { returns(T::Boolean) }
+    attr_accessor :vendored_file
+
+    sig { returns(T.nilable(String)) }
+    attr_accessor :symlink_target
+
+    sig { returns(String) }
+    attr_accessor :content_encoding
+
+    sig { returns(String) }
+    attr_accessor :operation
+
+    sig { returns(T.nilable(String)) }
+    attr_accessor :mode
+
+    # The directory that this file was fetched for. This is useful for multi-directory
+    # updates, where a set of files that are related to each other are updated together.
+    sig { returns(T.nilable(String)) }
+    attr_accessor :job_directory
 
     class ContentEncoding
       UTF_8 = "utf-8"
@@ -20,18 +54,41 @@ module Dependabot
       DELETE = "delete"
     end
 
+    class Mode
+      FILE = "100644"
+      SUBMODULE = "160000"
+    end
+
+    sig do
+      params(
+        name: String,
+        content: T.nilable(String),
+        directory: String,
+        type: String,
+        support_file: T::Boolean,
+        vendored_file: T::Boolean,
+        symlink_target: T.nilable(String),
+        content_encoding: String,
+        deleted: T::Boolean,
+        operation: String,
+        mode: T.nilable(String),
+        job_directory: T.nilable(String)
+      )
+        .void
+    end
     def initialize(name:, content:, directory: "/", type: "file",
                    support_file: false, vendored_file: false, symlink_target: nil,
                    content_encoding: ContentEncoding::UTF_8, deleted: false,
-                   operation: Operation::UPDATE, mode: nil)
+                   operation: Operation::UPDATE, mode: nil, job_directory: nil)
       @name = name
       @content = content
-      @directory = clean_directory(directory)
+      @directory = T.let(clean_directory(directory), String)
       @symlink_target = symlink_target
       @support_file = support_file
       @vendored_file = vendored_file
       @content_encoding = content_encoding
       @operation = operation
+      @job_directory = job_directory
 
       # Make deleted override the operation. Deleted is kept when operation
       # was introduced to keep compatibility with downstream dependants.
@@ -45,7 +102,7 @@ module Dependabot
       @type = type
 
       begin
-        @mode = File.stat(realpath).mode.to_s(8)
+        @mode = T.let(File.stat(realpath).mode.to_s(8), T.nilable(String))
       rescue StandardError
         @mode = mode
       end
@@ -56,6 +113,7 @@ module Dependabot
       raise "Only symlinked files must specify a target!" if symlink_target
     end
 
+    sig { returns(T::Hash[String, T.untyped]) }
     def to_h
       details = {
         "name" => name,
@@ -69,66 +127,83 @@ module Dependabot
         "mode" => mode
       }
 
+      details["job_directory"] = job_directory if job_directory
       details["symlink_target"] = symlink_target if symlink_target
       details
     end
 
+    sig { returns(String) }
     def path
       Pathname.new(File.join(directory, name)).cleanpath.to_path
     end
 
+    sig { returns(String) }
     def realpath
       (symlink_target || path).sub(%r{^/}, "")
     end
 
+    sig { params(other: BasicObject).returns(T::Boolean) }
     def ==(other)
-      return false unless other.instance_of?(self.class)
-
-      my_hash = to_h.reject { |k| k == "support_file" }
-      their_hash = other.to_h.reject { |k| k == "support_file" }
-      my_hash == their_hash
+      case other
+      when DependencyFile
+        my_hash = to_h.reject { |k| k == "support_file" }
+        their_hash = other.to_h.reject { |k| k == "support_file" }
+        my_hash == their_hash
+      else
+        false
+      end
     end
 
+    sig { returns(Integer) }
     def hash
       to_h.hash
     end
 
+    sig { params(other: BasicObject).returns(T::Boolean) }
     def eql?(other)
       self == other
     end
 
+    sig { returns(T::Boolean) }
     def support_file?
       @support_file
     end
 
+    sig { returns(T::Boolean) }
     def vendored_file?
       @vendored_file
     end
 
+    sig { returns(T::Boolean) }
     def deleted
       @operation == Operation::DELETE
     end
 
+    sig { params(deleted: T::Boolean).void }
     def deleted=(deleted)
       @operation = deleted ? Operation::DELETE : Operation::UPDATE
     end
 
+    sig { returns(T::Boolean) }
     def deleted?
       deleted
     end
 
+    sig { returns(T::Boolean) }
     def binary?
       content_encoding == ContentEncoding::BASE64
     end
 
+    sig { returns(String) }
     def decoded_content
-      return Base64.decode64(content) if binary?
+      return Base64.decode64(T.must(content)) if binary?
 
-      content
+      T.must(content)
     end
 
     private
 
+    sig { params(directory: String).returns(String) }
     def clean_directory(directory)
       # Directory should always start with a `/`
       directory.sub(%r{^/*}, "/")

data/lib/dependabot/dependency_group.rb

@@ -1,23 +1,41 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/experiments"
 require "dependabot/config/ignore_condition"
 require "dependabot/logger"
 
+require "sorbet-runtime"
 require "wildcard_matcher"
 require "yaml"
 
 module Dependabot
   class DependencyGroup
-    attr_reader :name, :rules, :dependencies
+    extend T::Sig
 
+    sig { returns(String) }
+    attr_reader :name
+
+    sig { returns(T::Hash[String, T.any(String, T::Array[String])]) }
+    attr_reader :rules
+
+    sig { returns(T::Array[Dependabot::Dependency]) }
+    attr_reader :dependencies
+
+    sig do
+      params(
+        name: String,
+        rules: T::Hash[String, T.untyped]
+      )
+        .void
+    end
     def initialize(name:, rules:)
       @name = name
       @rules = rules
-      @dependencies = []
+      @dependencies = T.let([], T::Array[Dependabot::Dependency])
     end
 
+    sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
     def contains?(dependency)
       return true if @dependencies.include?(dependency)
       return false if matches_excluded_pattern?(dependency.name)
@@ -25,11 +43,13 @@ module Dependabot
       matches_pattern?(dependency.name) && matches_dependency_type?(dependency)
     end
 
+    sig { returns(T::Hash[String, String]) }
     def to_h
       { "name" => name }
     end
 
     # Provides a debug utility to view the group as it appears in the config file.
+    sig { returns(String) }
     def to_config_yaml
       {
         "groups" => { name => rules }
@@ -38,18 +58,21 @@ module Dependabot
 
     private
 
+    sig { params(dependency_name: String).returns(T::Boolean) }
     def matches_pattern?(dependency_name)
       return true unless rules.key?("patterns") # If no patterns are defined, we pass this check by default
 
-      rules["patterns"].any? { |rule| WildcardMatcher.match?(rule, dependency_name) }
+      T.unsafe(rules["patterns"]).any? { |rule| WildcardMatcher.match?(rule, dependency_name) }
     end
 
+    sig { params(dependency_name: String).returns(T::Boolean) }
     def matches_excluded_pattern?(dependency_name)
       return false unless rules.key?("exclude-patterns") # If there are no exclusions, fail by default
 
-      rules["exclude-patterns"].any? { |rule| WildcardMatcher.match?(rule, dependency_name) }
+      T.unsafe(rules["exclude-patterns"]).any? { |rule| WildcardMatcher.match?(rule, dependency_name) }
     end
 
+    sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
     def matches_dependency_type?(dependency)
       return true unless rules.key?("dependency-type") # If no dependency-type is set, match by default
 
@@ -60,6 +83,7 @@ module Dependabot
                                   end
     end
 
+    sig { returns(T::Boolean) }
     def experimental_rules_enabled?
       Dependabot::Experiments.enabled?(:grouped_updates_experimental_rules)
     end