dependabot-common 0.235.0 → 0.237.0

data/lib/dependabot/file_updaters/artifact_updater.rb

@@ -1,6 +1,7 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/dependency_file"
 
 # This class provides a utility to check for arbitary modified files within a
@@ -9,8 +10,12 @@ require "dependabot/dependency_file"
 module Dependabot
   module FileUpdaters
     class ArtifactUpdater
+      extend T::Sig
+      extend T::Helpers
+
       # @param repo_contents_path [String, nil] the path we cloned the repository into
       # @param target_directory [String, nil] the path within a project directory we should inspect for changes
+      sig { params(repo_contents_path: T.nilable(String), target_directory: T.nilable(String)).void }
       def initialize(repo_contents_path:, target_directory:)
         @repo_contents_path = repo_contents_path
         @target_directory = target_directory
@@ -23,17 +28,24 @@ module Dependabot
       # @param only_paths [Array<String>, nil] An optional list of specific paths to check, if this is nil we will
       #                                        return every change we find within the `base_directory`
       # @return [Array<Dependabot::DependencyFile>]
+      sig do
+        params(base_directory: String, only_paths: T.nilable(T::Array[String]))
+          .returns(T::Array[Dependabot::DependencyFile])
+      end
       def updated_files(base_directory:, only_paths: nil)
         return [] unless repo_contents_path && target_directory
 
-        Dir.chdir(repo_contents_path) do
+        Dir.chdir(T.must(repo_contents_path)) do
           # rubocop:disable Performance/DeletePrefix
-          relative_dir = Pathname.new(base_directory).sub(%r{\A/}, "").join(target_directory)
+          relative_dir = Pathname.new(base_directory).sub(%r{\A/}, "").join(T.must(target_directory))
           # rubocop:enable Performance/DeletePrefix
 
-          status = SharedHelpers.run_shell_command(
-            "git status --untracked-files all --porcelain v1 #{relative_dir}",
-            fingerprint: "git status --untracked-files all --porcelain v1 <relative_dir>"
+          status = T.let(
+            SharedHelpers.run_shell_command(
+              "git status --untracked-files all --porcelain v1 #{relative_dir}",
+              fingerprint: "git status --untracked-files all --porcelain v1 <relative_dir>"
+            ),
+            String
           )
           changed_paths = status.split("\n").map(&:split)
           changed_paths.filter_map do |type, path|
@@ -51,7 +63,7 @@ module Dependabot
             operation = Dependabot::DependencyFile::Operation::DELETE if type == "D"
             operation = Dependabot::DependencyFile::Operation::CREATE if type == "??"
 
-            encoded_content, encoding = get_encoded_file_contents(path, operation)
+            encoded_content, encoding = get_encoded_file_contents(T.must(path), operation)
 
             create_dependency_file(
               name: file_path.to_s,
@@ -66,10 +78,19 @@ module Dependabot
 
       private
 
-      TEXT_ENCODINGS = %w(us-ascii utf-8).freeze
+      TEXT_ENCODINGS = T.let(%w(us-ascii utf-8).freeze, T::Array[String])
 
-      attr_reader :repo_contents_path, :target_directory
+      sig { returns(T.nilable(String)) }
+      attr_reader :repo_contents_path
+      sig { returns(T.nilable(String)) }
+      attr_reader :target_directory
 
+      sig do
+        params(
+          path: String,
+          operation: String
+        ).returns([T.nilable(String), String])
+      end
       def get_encoded_file_contents(path, operation)
         encoded_content = nil
         encoding = ""
@@ -86,6 +107,7 @@ module Dependabot
         [encoded_content, encoding]
       end
 
+      sig { params(path: String).returns(T::Boolean) }
       def binary_file?(path)
         return false unless File.exist?(path)
 
@@ -95,8 +117,13 @@ module Dependabot
         !TEXT_ENCODINGS.include?(encoding)
       end
 
+      sig do
+        overridable
+          .params(parameters: T::Hash[Symbol, T.untyped])
+          .returns(Dependabot::DependencyFile)
+      end
       def create_dependency_file(parameters)
-        Dependabot::DependencyFile.new(**parameters)
+        Dependabot::DependencyFile.new(**T.unsafe(parameters))
       end
     end
   end

data/lib/dependabot/file_updaters/vendor_updater.rb

@@ -1,6 +1,7 @@
-# typed: false
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/dependency_file"
 require "dependabot/file_updaters/artifact_updater"
 
@@ -13,21 +14,30 @@ require "dependabot/file_updaters/artifact_updater"
 module Dependabot
   module FileUpdaters
     class VendorUpdater < ArtifactUpdater
+      extend T::Sig
+      extend T::Helpers
+
       # This provides backwards compatability for anyone who used this class
       # before the base ArtifactUpdater class was introduced and aligns the
       # method's public signatures with it's special-case domain.
+      sig { params(repo_contents_path: T.nilable(String), vendor_dir: T.nilable(String)).void }
       def initialize(repo_contents_path:, vendor_dir:)
         @repo_contents_path = repo_contents_path
         @vendor_dir = vendor_dir
         super(repo_contents_path: @repo_contents_path, target_directory: @vendor_dir)
       end
 
-      alias updated_vendor_cache_files updated_files
+      T.unsafe(self).alias_method :updated_vendor_cache_files, :updated_files
 
       private
 
+      sig do
+        override
+          .params(parameters: T::Hash[Symbol, T.untyped])
+          .returns(Dependabot::DependencyFile)
+      end
       def create_dependency_file(parameters)
-        Dependabot::DependencyFile.new(**parameters.merge({ vendored_file: true }))
+        Dependabot::DependencyFile.new(**T.unsafe({ **parameters.merge({ vendored_file: true }) }))
       end
     end
   end

data/lib/dependabot/logger.rb

@@ -1,13 +1,18 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
 require "logger"
+require "sorbet-runtime"
 
 module Dependabot
+  extend T::Sig
+
+  sig { returns(::Logger) }
   def self.logger
-    @logger ||= Logger.new(nil)
+    @logger ||= T.let(::Logger.new(nil), T.nilable(::Logger))
   end
 
+  sig { params(logger: ::Logger).void }
   def self.logger=(logger)
     @logger = logger
   end

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -1,7 +1,8 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "excon"
+require "sorbet-runtime"
 
 require "dependabot/clients/github_with_retries"
 require "dependabot/clients/gitlab_with_retries"
@@ -12,6 +13,8 @@ module Dependabot
   module MetadataFinders
     class Base
       class ChangelogFinder
+        extend T::Sig
+
         require_relative "changelog_pruner"
         require_relative "commits_finder"
 
@@ -86,9 +89,9 @@ module Dependabot
           suggested_source = Source.from_url(suggested_changelog_url)
           return unless suggested_source&.provider == "github"
 
-          opts = { path: suggested_source.directory, ref: suggested_source.branch }.compact
+          opts = { path: suggested_source&.directory, ref: suggested_source&.branch }.compact
           suggested_source_client = github_client_for_source(suggested_source)
-          tmp_files = suggested_source_client.contents(suggested_source.repo, opts)
+          tmp_files = suggested_source_client.contents(suggested_source&.repo, opts)
 
           filename = suggested_changelog_url.split("/").last.split("#").first
           @changelog_from_suggested_url =
@@ -128,7 +131,10 @@ module Dependabot
             file = candidates.first if candidates.one?
             file ||=
               candidates.find do |f|
-                candidates -= [f] && next if fetch_file_text(f).nil?
+                if fetch_file_text(f).nil?
+                  candidates -= [f]
+                  next
+                end
                 pruner = ChangelogPruner.new(
                   dependency: dependency,
                   changelog_text: fetch_file_text(f)
@@ -159,11 +165,12 @@ module Dependabot
           fetch_file_text(changelog)
         end
 
+        sig { params(file: T.untyped).returns(T.nilable(String)) }
         def fetch_file_text(file)
           @file_text ||= {}
 
           unless @file_text.key?(file.download_url)
-            file_source = Source.from_url(file.html_url)
+            file_source = T.must(Source.from_url(file.html_url))
             @file_text[file.download_url] =
               case file_source.provider
               when "github" then fetch_github_file(file_source, file)
@@ -171,7 +178,7 @@ module Dependabot
               when "bitbucket" then fetch_bitbucket_file(file)
               when "azure" then fetch_azure_file(file)
               when "codecommit" then nil # TODO: git file from codecommit
-              else raise "Unsupported provider '#{provider}'"
+              else raise "Unsupported provider '#{file_source.provider}'"
               end
           end
 

data/lib/dependabot/pull_request_creator/commit_signer.rb

@@ -1,16 +1,40 @@
-# typed: false
+# typed: strict
 # frozen_string_literal: true
 
 require "time"
 require "tmpdir"
+require "sorbet-runtime"
 require "dependabot/pull_request_creator"
 
 module Dependabot
   class PullRequestCreator
     class CommitSigner
-      attr_reader :author_details, :commit_message, :tree_sha, :parent_sha,
-                  :signature_key
+      extend T::Sig
 
+      sig { returns(T::Hash[Symbol, String]) }
+      attr_reader :author_details
+
+      sig { returns(String) }
+      attr_reader :commit_message
+
+      sig { returns(String) }
+      attr_reader :tree_sha
+
+      sig { returns(String) }
+      attr_reader :parent_sha
+
+      sig { returns(String) }
+      attr_reader :signature_key
+
+      sig do
+        params(
+          author_details: T::Hash[Symbol, String],
+          commit_message: String,
+          tree_sha: String,
+          parent_sha: String,
+          signature_key: String
+        ).void
+      end
       def initialize(author_details:, commit_message:, tree_sha:, parent_sha:,
                      signature_key:)
         @author_details = author_details
@@ -20,6 +44,7 @@ module Dependabot
         @signature_key = signature_key
       end
 
+      sig { returns(String) }
       def signature
         begin
           require "gpgme"
@@ -39,20 +64,21 @@ module Dependabot
         opts = { mode: GPGME::SIG_MODE_DETACH, signer: email }
         crypto.sign(commit_object, opts).to_s
       rescue Errno::ENOTEMPTY
-        FileUtils.remove_entry(dir, true)
+        FileUtils.remove_entry(T.must(dir), true)
         # This appears to be a Ruby bug which occurs very rarely
         raise if @retrying
 
-        @retrying = true
+        @retrying = T.let(true, T.nilable(T::Boolean))
         retry
       ensure
-        FileUtils.remove_entry(dir, true)
+        FileUtils.remove_entry(T.must(dir), true)
       end
 
       private
 
+      sig { returns(String) }
       def commit_object
-        time_str = Time.parse(author_details[:date]).strftime("%s %z")
+        time_str = Time.parse(T.must(author_details[:date])).strftime("%s %z")
         name = author_details[:name]
         email = author_details[:email]
 

data/lib/dependabot/pull_request_creator/github.rb

@@ -1,8 +1,9 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "octokit"
 require "securerandom"
+require "sorbet-runtime"
 require "dependabot/clients/github_with_retries"
 require "dependabot/pull_request_creator"
 require "dependabot/pull_request_creator/commit_signer"
@@ -10,6 +11,8 @@ module Dependabot
   class PullRequestCreator
     # rubocop:disable Metrics/ClassLength
     class Github
+      extend T::Sig
+
       # GitHub limits PR descriptions to a max of 65,536 characters:
       # https://github.com/orgs/community/discussions/27190#discussioncomment-3726017
       PR_DESCRIPTION_MAX_LENGTH = 65_535 # 0 based count
@@ -65,11 +68,11 @@ module Dependabot
       def branch_exists?(name)
         git_metadata_fetcher.ref_names.include?(name)
       rescue Dependabot::GitDependenciesNotReachable => e
-        raise e.cause if e.cause&.message&.include?("is disabled")
-        raise e.cause if e.cause.is_a?(Octokit::Unauthorized)
+        raise T.must(e.cause) if e.cause&.message&.include?("is disabled")
+        raise T.must(e.cause) if e.cause.is_a?(Octokit::Unauthorized)
         raise(RepoNotFound, source.url) unless repo_exists?
 
-        retrying ||= false
+        retrying ||= T.let(false, T::Boolean)
 
         msg = "Unexpected git error!\n\n#{e.cause&.class}: #{e.cause&.message}"
         raise msg if retrying
@@ -189,7 +192,7 @@ module Dependabot
           if file.type == "submodule"
             {
               path: file.path.sub(%r{^/}, ""),
-              mode: "160000",
+              mode: Dependabot::DependencyFile::Mode::SUBMODULE,
               type: "commit",
               sha: file.content
             }
@@ -207,7 +210,7 @@ module Dependabot
 
             {
               path: file.realpath,
-              mode: (file.mode || "100644"),
+              mode: (file.mode || Dependabot::DependencyFile::Mode::FILE),
               type: "blob"
             }.merge(content)
           end
@@ -249,14 +252,14 @@ module Dependabot
         rescue Octokit::UnprocessableEntity => e
           raise if e.message.match?(/Reference already exists/i)
 
-          retrying_branch_creation ||= false
+          retrying_branch_creation ||= T.let(false, T::Boolean)
           raise if retrying_branch_creation
 
           retrying_branch_creation = true
 
           # Branch creation will fail if a branch called `dependabot` already
           # exists, since git won't be able to create a dir with the same name
-          ref = "refs/heads/#{SecureRandom.hex[0..3] + branch_name}"
+          ref = "refs/heads/#{T.must(SecureRandom.hex[0..3]) + branch_name}"
           retry
         end
       end
@@ -320,7 +323,7 @@ module Dependabot
             "`@#{reviewers.first}`"
           else
             names = reviewers.map { |rv| "`@#{rv}`" }
-            "#{names[0..-2].join(', ')} and #{names[-1]}"
+            "#{T.must(names[0..-2]).join(', ')} and #{names[-1]}"
           end
 
         msg = "Dependabot tried to add #{reviewers_string} as "
@@ -371,7 +374,7 @@ module Dependabot
         # Sometimes PR creation fails with no details (presumably because the
         # details are internal). It doesn't hurt to retry in these cases, in
         # case the cause is a race.
-        retrying_pr_creation ||= false
+        retrying_pr_creation ||= T.let(false, T::Boolean)
         raise if retrying_pr_creation
 
         retrying_pr_creation = true

data/lib/dependabot/pull_request_creator/message.rb

@@ -1,12 +1,31 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   class PullRequestCreator
     # Message is a static alternative to MessageBuilder
     class Message
-      attr_reader :commit_message, :pr_name, :pr_message
+      extend T::Sig
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :commit_message
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :pr_name
 
+      sig { returns(T.nilable(String)) }
+      attr_reader :pr_message
+
+      sig do
+        params(
+          commit_message: T.nilable(String),
+          pr_name: T.nilable(String),
+          pr_message: T.nilable(String)
+        )
+          .void
+      end
       def initialize(commit_message: nil, pr_name: nil, pr_message: nil)
         @commit_message = commit_message
         @pr_name = pr_name

data/lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb

@@ -1,7 +1,8 @@
-# typed: false
+# typed: strong
 # frozen_string_literal: true
 
 require "commonmarker"
+require "sorbet-runtime"
 require "strscan"
 require "dependabot/pull_request_creator/message_builder"
 
@@ -9,6 +10,8 @@ module Dependabot
   class PullRequestCreator
     class MessageBuilder
       class LinkAndMentionSanitizer
+        extend T::Sig
+
         GITHUB_USERNAME = /[a-z0-9]+(-[a-z0-9]+)*/i
         GITHUB_REF_REGEX = %r{
           (?:https?://)?
@@ -22,19 +25,24 @@ module Dependabot
         TEAM_MENTION_REGEX = %r{(?<![A-Za-z0-9`~])@(?<org>#{GITHUB_USERNAME})/(?<team>#{GITHUB_USERNAME})/?}
         # End of string
         EOS_REGEX = /\z/
-        COMMONMARKER_OPTIONS = %i(
-          GITHUB_PRE_LANG FULL_INFO_STRING
-        ).freeze
-        COMMONMARKER_EXTENSIONS = %i(
-          table tasklist strikethrough autolink tagfilter
-        ).freeze
-
+        COMMONMARKER_OPTIONS = T.let(
+          %i(GITHUB_PRE_LANG FULL_INFO_STRING).freeze,
+          T::Array[Symbol]
+        )
+        COMMONMARKER_EXTENSIONS = T.let(
+          %i(table tasklist strikethrough autolink tagfilter).freeze,
+          T::Array[Symbol]
+        )
+
+        sig { returns(T.nilable(String)) }
         attr_reader :github_redirection_service
 
+        sig { params(github_redirection_service: T.nilable(String)).void }
         def initialize(github_redirection_service:)
           @github_redirection_service = github_redirection_service
         end
 
+        sig { params(text: String, unsafe: T::Boolean, format_html: T::Boolean).returns(String) }
         def sanitize_links_and_mentions(text:, unsafe: false, format_html: true)
           doc = CommonMarker.render_doc(
             text, :LIBERAL_HTML_TAG, COMMONMARKER_EXTENSIONS
@@ -53,6 +61,7 @@ module Dependabot
 
         private
 
+        sig { params(doc: CommonMarker::Node).void }
         def sanitize_mentions(doc)
           doc.walk do |node|
             if node.type == :text &&
@@ -77,6 +86,7 @@ module Dependabot
         # This is because there are ecosystems that have packages that follow the same pattern
         # (e.g. @angular/angular-cli), and we don't want to create an invalid link, since
         # team mentions link to `https://github.com/org/:organization_name/teams/:team_name`.
+        sig { params(doc: CommonMarker::Node).void }
         def sanitize_team_mentions(doc)
           doc.walk do |node|
             if node.type == :text &&
@@ -92,6 +102,7 @@ module Dependabot
           end
         end
 
+        sig { params(doc: CommonMarker::Node).void }
         def sanitize_links(doc)
           doc.walk do |node|
             if node.type == :link && node.url.match?(GITHUB_REF_REGEX)
@@ -101,7 +112,7 @@ module Dependabot
                   next
                 end
 
-                last_match = subnode.string_content.match(GITHUB_REF_REGEX)
+                last_match = T.must(subnode.string_content.match(GITHUB_REF_REGEX))
                 number = last_match.named_captures.fetch("number")
                 repo = last_match.named_captures.fetch("repo")
                 subnode.string_content = "#{repo}##{number}"
@@ -115,6 +126,7 @@ module Dependabot
           end
         end
 
+        sig { params(doc: CommonMarker::Node).void }
         def sanitize_nwo_text(doc)
           doc.walk do |node|
             if node.type == :text &&
@@ -125,8 +137,9 @@ module Dependabot
           end
         end
 
+        sig { params(node: CommonMarker::Node).void }
         def replace_nwo_node(node)
-          match = node.string_content.match(GITHUB_NWO_REGEX)
+          match = T.must(node.string_content.match(GITHUB_NWO_REGEX))
           repo = match.named_captures.fetch("repo")
           number = match.named_captures.fetch("number")
           new_node = build_nwo_text_node("#{repo}##{number}")
@@ -134,22 +147,24 @@ module Dependabot
           node.delete
         end
 
+        sig { params(text: String).returns(String) }
         def replace_github_host(text)
-          return text if !github_redirection_service.nil? && text.include?(github_redirection_service)
+          return text if !github_redirection_service.nil? && text.include?(T.must(github_redirection_service))
 
           text.gsub(
             /(www\.)?github.com/, github_redirection_service || "github.com"
           )
         end
 
+        sig { params(text: String).returns(T::Array[CommonMarker::Node]) }
         def build_mention_nodes(text)
-          nodes = []
+          nodes = T.let([], T::Array[CommonMarker::Node])
           scan = StringScanner.new(text)
 
           until scan.eos?
             line = scan.scan_until(MENTION_REGEX) ||
                    scan.scan_until(EOS_REGEX)
-            line_match = line.match(MENTION_REGEX)
+            line_match = T.must(line).match(MENTION_REGEX)
             mention = line_match&.to_s
             text_node = CommonMarker::Node.new(:text)
 
@@ -168,14 +183,15 @@ module Dependabot
           nodes
         end
 
+        sig { params(text: String).returns(T::Array[CommonMarker::Node]) }
         def build_team_mention_nodes(text)
-          nodes = []
+          nodes = T.let([], T::Array[CommonMarker::Node])
 
           scan = StringScanner.new(text)
           until scan.eos?
             line = scan.scan_until(TEAM_MENTION_REGEX) ||
                    scan.scan_until(EOS_REGEX)
-            line_match = line.match(TEAM_MENTION_REGEX)
+            line_match = T.must(line).match(TEAM_MENTION_REGEX)
             mention = line_match&.to_s
             text_node = CommonMarker::Node.new(:text)
 
@@ -192,18 +208,21 @@ module Dependabot
           nodes
         end
 
+        sig { params(text: String).returns(T::Array[CommonMarker::Node]) }
         def build_mention_link_text_nodes(text)
           code_node = CommonMarker::Node.new(:code)
           code_node.string_content = insert_zero_width_space_in_mention(text)
           [code_node]
         end
 
+        sig { params(text: String).returns(CommonMarker::Node) }
         def build_nwo_text_node(text)
           code_node = CommonMarker::Node.new(:code)
           code_node.string_content = text
           code_node
         end
 
+        sig { params(url: String, text: String).returns(CommonMarker::Node) }
         def create_link_node(url, text)
           link_node = CommonMarker::Node.new(:link)
           code_node = CommonMarker::Node.new(:code)
@@ -217,12 +236,14 @@ module Dependabot
         # email replies on dependabot pull requests triggering notifications to
         # users who've been mentioned in changelogs etc. PR email replies parse
         # the content of the pull request body in plain text.
+        sig { params(mention: String).returns(String) }
         def insert_zero_width_space_in_mention(mention)
           mention.sub("@", "@\u200B").encode("utf-8")
         end
 
+        sig { params(node: CommonMarker::Node).returns(T::Boolean) }
         def parent_node_link?(node)
-          node.type == :link || (node.parent && parent_node_link?(node.parent))
+          node.type == :link || (!node.parent.nil? && parent_node_link?(T.must(node.parent)))
         end
       end
     end

data/lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb

@@ -1,12 +1,14 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/pull_request_creator/message_builder"
 
 module Dependabot
   class PullRequestCreator
     class MessageBuilder
       class MetadataPresenter
+        extend T::Sig
         extend Forwardable
 
         attr_reader :dependency, :source, :metadata_finder,
@@ -154,7 +156,7 @@ module Dependabot
             msg += body
             msg + "</details>\n"
           else
-            "\n##{summary}\n\n#{body}"
+            "\n# #{summary}\n\n#{body}"
           end
         end
 
@@ -192,7 +194,7 @@ module Dependabot
             unaffected_versions
             affected_versions
           ).each do |tp|
-            type = tp.split("_").first.capitalize
+            type = T.must(tp.split("_").first).capitalize
             next unless details[tp]
 
             versions_string = details[tp].any? ? details[tp].join("; ") : "none"