dependabot-common 0.235.0 → 0.237.0

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -59,20 +59,11 @@ module Dependabot
       end
 
       def pr_message
-        # TODO: Remove unignore_commands? feature flag once we are confident
-        # that it is working as expected
-        msg = if unignore_commands?
-                "#{suffixed_pr_message_header}" \
-                  "#{commit_message_intro}" \
-                  "#{metadata_cascades}" \
-                  "#{ignore_conditions_table}" \
-                  "#{prefixed_pr_message_footer}"
-              else
-                "#{suffixed_pr_message_header}" \
-                  "#{commit_message_intro}" \
-                  "#{metadata_cascades}" \
-                  "#{prefixed_pr_message_footer}"
-              end
+        msg = "#{suffixed_pr_message_header}" \
+              "#{commit_message_intro}" \
+              "#{metadata_cascades}" \
+              "#{ignore_conditions_table}" \
+              "#{prefixed_pr_message_footer}"
 
         truncate_pr_message(msg)
       rescue StandardError => e
@@ -80,10 +71,6 @@ module Dependabot
         suffixed_pr_message_header + prefixed_pr_message_footer
       end
 
-      def unignore_commands?
-        Experiments.enabled?(:unignore_commands)
-      end
-
       # Truncate PR message as determined by the pr_message_max_length and pr_message_encoding instance variables
       # The encoding is used when calculating length, all messages are returned as ruby UTF_8 encoded string
       def truncate_pr_message(msg)

data/lib/dependabot/pull_request_creator/pr_name_prefixer.rb

@@ -132,7 +132,7 @@ module Dependabot
         case last_dependabot_commit_style
         when :gitmoji then true
         when :conventional_prefix, :conventional_prefix_with_scope
-          last_dependabot_commit_message.match?(/: (\[[Ss]ecurity\] )?(B|U)/)
+          last_dependabot_commit_title.match?(/: (\[[Ss]ecurity\] )?(B|U)/)
         else raise "Unknown commit style #{last_dependabot_commit_style}"
         end
       end
@@ -152,7 +152,7 @@ module Dependabot
       end
 
       def last_dependabot_commit_style
-        return unless (msg = last_dependabot_commit_message)
+        return unless (msg = last_dependabot_commit_title)
 
         return :gitmoji if msg.start_with?("⬆️")
         return :conventional_prefix if msg.match?(/\A(chore|build|upgrade):/i)
@@ -162,7 +162,7 @@ module Dependabot
       end
 
       def last_dependabot_commit_prefix
-        last_dependabot_commit_message&.split(/[:(]/)&.first
+        last_dependabot_commit_title&.split(/[:(]/)&.first
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
@@ -245,7 +245,7 @@ module Dependabot
           ANGULAR_PREFIXES.any? { |pre| message.match?(/#{pre}[:(]/i) }
         end
 
-        return last_dependabot_commit_message&.start_with?(/[A-Z]/) if semantic_messages.none?
+        return last_dependabot_commit_title&.start_with?(/[A-Z]/) if semantic_messages.none?
 
         capitalized_msgs = semantic_messages
                            .select { |m| m.start_with?(/[A-Z]/) }
@@ -329,6 +329,12 @@ module Dependabot
                                           .map(&:strip)
       end
 
+      def last_dependabot_commit_title
+        return @last_dependabot_commit_title if defined?(@last_dependabot_commit_title)
+
+        @last_dependabot_commit_title = last_dependabot_commit_message&.split("\n")&.first
+      end
+
       def last_dependabot_commit_message
         @last_dependabot_commit_message ||=
           case source.provider

data/lib/dependabot/pull_request_updater/github.rb

@@ -128,7 +128,7 @@ module Dependabot
           if file.type == "submodule"
             {
               path: file.path.sub(%r{^/}, ""),
-              mode: "160000",
+              mode: Dependabot::DependencyFile::Mode::SUBMODULE,
               type: "commit",
               sha: file.content
             }
@@ -146,7 +146,7 @@ module Dependabot
 
             {
               path: file.realpath,
-              mode: "100644",
+              mode: Dependabot::DependencyFile::Mode::FILE,
               type: "blob"
             }.merge(content)
           end

data/lib/dependabot/shared_helpers.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: strict
 # frozen_string_literal: true
 
 require "digest"
@@ -8,6 +8,7 @@ require "fileutils"
 require "json"
 require "open3"
 require "shellwords"
+require "sorbet-runtime"
 require "tmpdir"
 
 require "dependabot/simple_instrumentor"
@@ -18,20 +19,34 @@ require "dependabot"
 
 module Dependabot
   module SharedHelpers
-    GIT_CONFIG_GLOBAL_PATH = File.expand_path(".gitconfig", Utils::BUMP_TMP_DIR_PATH)
-    USER_AGENT = "dependabot-core/#{Dependabot::VERSION} " \
-                 "#{Excon::USER_AGENT} ruby/#{RUBY_VERSION} " \
-                 "(#{RUBY_PLATFORM}) " \
-                 "(+https://github.com/dependabot/dependabot-core)".freeze
+    extend T::Sig
+
+    GIT_CONFIG_GLOBAL_PATH = T.let(File.expand_path(".gitconfig", Utils::BUMP_TMP_DIR_PATH), String)
+    USER_AGENT = T.let(
+      "dependabot-core/#{Dependabot::VERSION} " \
+      "#{Excon::USER_AGENT} ruby/#{RUBY_VERSION} " \
+      "(#{RUBY_PLATFORM}) " \
+      "(+https://github.com/dependabot/dependabot-core)".freeze,
+      String
+    )
     SIGKILL = 9
 
+    sig do
+      type_parameters(:T)
+        .params(
+          directory: String,
+          repo_contents_path: T.nilable(String),
+          block: T.proc.params(arg0: T.any(Pathname, String)).returns(T.type_parameter(:T))
+        )
+        .returns(T.type_parameter(:T))
+    end
     def self.in_a_temporary_repo_directory(directory = "/", repo_contents_path = nil, &block)
       if repo_contents_path
         # If a workspace has been defined to allow orcestration of the git repo
         # by the runtime we should defer to it, otherwise we prepare the folder
         # for direct use and yield.
         if Dependabot::Workspace.active_workspace
-          Dependabot::Workspace.active_workspace.change(&block)
+          T.must(Dependabot::Workspace.active_workspace).change(&block)
         else
           path = Pathname.new(File.join(repo_contents_path, directory)).expand_path
           reset_git_repo(repo_contents_path)
@@ -46,9 +61,18 @@ module Dependabot
       end
     end
 
-    def self.in_a_temporary_directory(directory = "/")
+    sig do
+      type_parameters(:T)
+        .params(
+          directory: String,
+          _block: T.proc.params(arg0: T.any(Pathname, String)).returns(T.type_parameter(:T))
+        )
+        .returns(T.type_parameter(:T))
+    end
+    def self.in_a_temporary_directory(directory = "/", &_block)
       FileUtils.mkdir_p(Utils::BUMP_TMP_DIR_PATH)
       tmp_dir = Dir.mktmpdir(Utils::BUMP_TMP_FILE_PREFIX, Utils::BUMP_TMP_DIR_PATH)
+      path = Pathname.new(File.join(tmp_dir, directory)).expand_path
 
       begin
         path = Pathname.new(File.join(tmp_dir, directory)).expand_path
@@ -60,28 +84,59 @@ module Dependabot
     end
 
     class HelperSubprocessFailed < Dependabot::DependabotError
-      attr_reader :error_class, :error_context, :trace
+      extend T::Sig
+
+      sig { returns(String) }
+      attr_reader :error_class
+
+      sig { returns(T::Hash[Symbol, String]) }
+      attr_reader :error_context
+
+      sig { returns(T.nilable(T::Array[String])) }
+      attr_reader :trace
 
+      sig do
+        params(
+          message: String,
+          error_context: T::Hash[Symbol, String],
+          error_class: T.nilable(String),
+          trace: T.nilable(T::Array[String])
+        ).void
+      end
       def initialize(message:, error_context:, error_class: nil, trace: nil)
         super(message)
-        @error_class = error_class || "HelperSubprocessFailed"
+        @error_class = T.let(error_class || "HelperSubprocessFailed", String)
         @error_context = error_context
-        @fingerprint = error_context[:fingerprint] || error_context[:command]
+        @fingerprint = T.let(error_context[:fingerprint] || error_context[:command], T.nilable(String))
         @trace = trace
       end
 
+      sig { returns(T::Hash[Symbol, T.untyped]) }
       def raven_context
         { fingerprint: [@fingerprint], extra: @error_context.except(:stderr_output, :fingerprint) }
       end
     end
 
     # Escapes all special characters, e.g. = & | <>
+    sig { params(command: String).returns(String) }
     def self.escape_command(command)
       command_parts = command.split.map(&:strip).reject(&:empty?)
       Shellwords.join(command_parts)
     end
 
     # rubocop:disable Metrics/MethodLength
+    # rubocop:disable Metrics/AbcSize
+    sig do
+      params(
+        command: String,
+        function: String,
+        args: T.any(T::Array[String], T::Hash[Symbol, String]),
+        env: T.nilable(T::Hash[String, String]),
+        stderr_to_stdout: T::Boolean,
+        allow_unsafe_shell_command: T::Boolean
+      )
+        .returns(T.nilable(T.any(String, T::Hash[String, T.untyped], T::Array[T::Hash[String, T.untyped]])))
+    end
     def self.run_helper_subprocess(command:, function:, args:, env: nil,
                                    stderr_to_stdout: false,
                                    allow_unsafe_shell_command: false)
@@ -95,11 +150,11 @@ module Dependabot
       if ENV["DEBUG_FUNCTION"] == function
         puts helper_subprocess_bash_command(stdin_data: stdin_data, command: cmd, env: env)
         # Pause execution so we can run helpers inside the temporary directory
-        debugger # rubocop:disable Lint/Debugger
+        T.unsafe(self).debugger
       end
 
       env_cmd = [env, cmd].compact
-      stdout, stderr, process = Open3.capture3(*env_cmd, stdin_data: stdin_data)
+      stdout, stderr, process = T.unsafe(Open3).capture3(*env_cmd, stdin_data: stdin_data)
       time_taken = Time.now - start
 
       if ENV["DEBUG_HELPERS"] == "true"
@@ -126,24 +181,27 @@ module Dependabot
 
       check_out_of_memory_error(stderr, error_context)
 
-      response = JSON.parse(stdout)
-      return response["result"] if process.success?
-
-      raise HelperSubprocessFailed.new(
-        message: response["error"],
-        error_class: response["error_class"],
-        error_context: error_context,
-        trace: response["trace"]
-      )
-    rescue JSON::ParserError
-      raise HelperSubprocessFailed.new(
-        message: stdout || "No output from command",
-        error_class: "JSON::ParserError",
-        error_context: error_context
-      )
+      begin
+        response = JSON.parse(stdout)
+        return response["result"] if process.success?
+
+        raise HelperSubprocessFailed.new(
+          message: response["error"],
+          error_class: response["error_class"],
+          error_context: error_context,
+          trace: response["trace"]
+        )
+      rescue JSON::ParserError
+        raise HelperSubprocessFailed.new(
+          message: stdout || "No output from command",
+          error_class: "JSON::ParserError",
+          error_context: error_context
+        )
+      end
     end
 
     # rubocop:enable Metrics/MethodLength
+    sig { params(stderr: T.nilable(String), error_context: T::Hash[Symbol, String]).void }
     def self.check_out_of_memory_error(stderr, error_context)
       return unless stderr&.include?("JavaScript heap out of memory")
 
@@ -154,12 +212,14 @@ module Dependabot
       )
     end
 
+    sig { returns(T::Array[T.class_of(Excon::Middleware::Base)]) }
     def self.excon_middleware
-      Excon.defaults[:middlewares] +
+      T.must(T.cast(Excon.defaults, T::Hash[Symbol, T::Array[T.class_of(Excon::Middleware::Base)]])[:middlewares]) +
         [Excon::Middleware::Decompress] +
         [Excon::Middleware::RedirectFollower]
     end
 
+    sig { params(headers: T.nilable(T::Hash[String, String])).returns(T::Hash[String, String]) }
     def self.excon_headers(headers = nil)
       headers ||= {}
       {
@@ -167,9 +227,10 @@ module Dependabot
       }.merge(headers)
     end
 
+    sig { params(options: T.nilable(T::Hash[Symbol, T.untyped])).returns(T::Hash[Symbol, T.untyped]) }
     def self.excon_defaults(options = nil)
       options ||= {}
-      headers = options.delete(:headers)
+      headers = T.cast(options.delete(:headers), T.nilable(T::Hash[String, String]))
       {
         instrumentor: Dependabot::SimpleInstrumentor,
         connect_timeout: 5,
@@ -182,7 +243,15 @@ module Dependabot
       }.merge(options)
     end
 
-    def self.with_git_configured(credentials:)
+    sig do
+      type_parameters(:T)
+        .params(
+          credentials: T::Array[T::Hash[String, String]],
+          _block: T.proc.returns(T.type_parameter(:T))
+        )
+        .returns(T.type_parameter(:T))
+    end
+    def self.with_git_configured(credentials:, &_block)
       safe_directories = find_safe_directories
 
       FileUtils.mkdir_p(Utils::BUMP_TMP_DIR_PATH)
@@ -203,18 +272,20 @@ module Dependabot
     end
 
     # Handle SCP-style git URIs
+    sig { params(uri: String).returns(String) }
     def self.scp_to_standard(uri)
       return uri unless uri.start_with?("git@")
 
-      "https://#{uri.split('git@').last.sub(%r{:/?}, '/')}"
+      "https://#{T.must(uri.split('git@').last).sub(%r{:/?}, '/')}"
     end
 
+    sig { returns(String) }
     def self.credential_helper_path
       File.join(__dir__, "../../bin/git-credential-store-immutable")
     end
 
-    # rubocop:disable Metrics/AbcSize
     # rubocop:disable Metrics/PerceivedComplexity
+    sig { params(credentials: T::Array[T::Hash[String, String]], safe_directories: T::Array[String]).void }
     def self.configure_git_to_use_https_with_credentials(credentials, safe_directories)
       File.open(GIT_CONFIG_GLOBAL_PATH, "w") do |file|
         file << "# Generated by dependabot/dependabot-core"
@@ -274,6 +345,7 @@ module Dependabot
     # rubocop:enable Metrics/AbcSize
     # rubocop:enable Metrics/PerceivedComplexity
 
+    sig { params(host: String).void }
     def self.configure_git_to_use_https(host)
       # NOTE: we use --global here (rather than --system) so that Dependabot
       # can be run without privileged access
@@ -299,6 +371,7 @@ module Dependabot
       )
     end
 
+    sig { params(path: String).void }
     def self.reset_git_repo(path)
       Dir.chdir(path) do
         run_shell_command("git reset HEAD --hard")
@@ -306,6 +379,7 @@ module Dependabot
       end
     end
 
+    sig { returns(T::Array[String]) }
     def self.find_safe_directories
       # to preserve safe directories from global .gitconfig
       output, process = Open3.capture2("git config --global --get-all safe.directory")
@@ -314,6 +388,15 @@ module Dependabot
       safe_directories
     end
 
+    sig do
+      params(
+        command: String,
+        allow_unsafe_shell_command: T::Boolean,
+        env: T.nilable(T::Hash[String, String]),
+        fingerprint: T.nilable(String),
+        stderr_to_stdout: T::Boolean
+      ).returns(String)
+    end
     def self.run_shell_command(command,
                                allow_unsafe_shell_command: false,
                                env: {},
@@ -347,6 +430,7 @@ module Dependabot
       )
     end
 
+    sig { params(command: String, stdin_data: String, env: T.nilable(T::Hash[String, String])).returns(String) }
     def self.helper_subprocess_bash_command(command:, stdin_data:, env:)
       escaped_stdin_data = stdin_data.gsub("\"", "\\\"")
       env_keys = env ? env.compact.map { |k, v| "#{k}=#{v}" }.join(" ") + " " : ""

data/lib/dependabot/simple_instrumentor.rb

@@ -1,16 +1,35 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module SimpleInstrumentor
     class << self
-      attr_accessor :events, :subscribers
+      extend T::Sig
+      extend T::Generic
+
+      sig { returns(T.nilable(T::Array[T.proc.params(name: String, params: T::Hash[Symbol, T.untyped]).void])) }
+      attr_accessor :subscribers
 
+      sig { params(block: T.proc.params(name: String, params: T::Hash[Symbol, T.untyped]).void).void }
       def subscribe(&block)
-        @subscribers ||= []
+        @subscribers ||= T.let(
+          [],
+          T.nilable(T::Array[T.proc.params(name: String, params: T::Hash[Symbol, T.untyped]).void])
+        )
         @subscribers << block
       end
 
+      sig do
+        type_parameters(:T)
+          .params(
+            name: String,
+            params: T::Hash[Symbol, T.untyped],
+            block: T.proc.returns(T.type_parameter(:T))
+          )
+          .returns(T.nilable(T.type_parameter(:T)))
+      end
       def instrument(name, params = {}, &block)
         @subscribers&.each { |s| s.call(name, params) }
         yield if block

data/lib/dependabot/source.rb

@@ -1,8 +1,12 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   class Source
+    extend T::Sig
+
     GITHUB_SOURCE = %r{
       (?<provider>github)
       (?:\.com)[/:]
@@ -59,24 +63,48 @@ module Dependabot
       (?:#{CODECOMMIT_SOURCE})
     /x
 
-    IGNORED_PROVIDER_HOSTS = %w(gitbox.apache.org svn.apache.org fuchsia.googlesource.com).freeze
+    IGNORED_PROVIDER_HOSTS = T.let(%w(gitbox.apache.org svn.apache.org fuchsia.googlesource.com).freeze,
+                                   T::Array[String])
+
+    sig { returns(String) }
+    attr_accessor :provider
+
+    sig { returns(String) }
+    attr_accessor :repo
+
+    sig { returns(T.nilable(String)) }
+    attr_accessor :directory
 
-    attr_accessor :provider, :repo, :directory, :branch, :commit,
-                  :hostname, :api_endpoint
+    sig { returns(T.nilable(T::Array[String])) }
+    attr_accessor :directories
 
+    sig { returns(T.nilable(String)) }
+    attr_accessor :branch
+
+    sig { returns(T.nilable(String)) }
+    attr_accessor :commit
+
+    sig { returns(String) }
+    attr_accessor :hostname
+
+    sig { returns(T.nilable(String)) }
+    attr_accessor :api_endpoint
+
+    sig { params(url_string: T.nilable(String)).returns(T.nilable(Source)) }
     def self.from_url(url_string)
       return github_enterprise_from_url(url_string) unless url_string&.match?(SOURCE_REGEX)
 
-      captures = url_string.match(SOURCE_REGEX).named_captures
+      captures = T.must(url_string.match(SOURCE_REGEX)).named_captures
 
       new(
-        provider: captures.fetch("provider"),
-        repo: captures.fetch("repo").delete_suffix(".git").delete_suffix("."),
+        provider: T.must(captures.fetch("provider")),
+        repo: T.must(captures.fetch("repo")).delete_suffix(".git").delete_suffix("."),
         directory: captures.fetch("directory"),
         branch: captures.fetch("branch")
       )
     end
 
+    sig { params(url_string: T.nilable(String)).returns(T.nilable(Source)) }
     def self.github_enterprise_from_url(url_string)
       captures = url_string&.match(GITHUB_ENTERPRISE_SOURCE)&.named_captures
       return unless captures
@@ -88,7 +116,7 @@ module Dependabot
 
       new(
         provider: "github",
-        repo: captures.fetch("repo").delete_suffix(".git").delete_suffix("."),
+        repo: T.must(captures.fetch("repo")).delete_suffix(".git").delete_suffix("."),
         directory: captures.fetch("directory"),
         branch: captures.fetch("branch"),
         hostname: captures.fetch("host"),
@@ -96,18 +124,30 @@ module Dependabot
       )
     end
 
+    sig { params(base_url: String).returns(T::Boolean) }
     def self.github_enterprise?(base_url)
       resp = Excon.get(File.join(base_url, "status"))
       resp.status == 200 &&
         # Alternatively: resp.headers["Server"] == "GitHub.com", but this
         # currently doesn't work with development environments
-        resp.headers["X-GitHub-Request-Id"] &&
-        !resp.headers["X-GitHub-Request-Id"].empty?
+        ((resp.headers["X-GitHub-Request-Id"] && !resp.headers["X-GitHub-Request-Id"]&.empty?) || false)
     rescue StandardError
       false
     end
 
-    def initialize(provider:, repo:, directory: nil, branch: nil, commit: nil,
+    sig do
+      params(
+        provider: String,
+        repo: String,
+        directory: T.nilable(String),
+        directories: T.nilable(T::Array[String]),
+        branch: T.nilable(String),
+        commit: T.nilable(String),
+        hostname: T.nilable(String),
+        api_endpoint: T.nilable(String)
+      ).void
+    end
+    def initialize(provider:, repo:, directory: nil, directories: nil, branch: nil, commit: nil,
                    hostname: nil, api_endpoint: nil)
       if (hostname.nil? ^ api_endpoint.nil?) && (provider != "codecommit")
         msg = "Both hostname and api_endpoint must be specified if either " \
@@ -119,16 +159,19 @@ module Dependabot
       @provider = provider
       @repo = repo
       @directory = directory
+      @directories = directories
       @branch = branch
       @commit = commit
-      @hostname = hostname || default_hostname(provider)
-      @api_endpoint = api_endpoint || default_api_endpoint(provider)
+      @hostname = T.let(hostname || default_hostname(provider), String)
+      @api_endpoint = T.let(api_endpoint || default_api_endpoint(provider), T.nilable(String))
     end
 
+    sig { returns(String) }
     def url
       "https://" + hostname + "/" + repo
     end
 
+    sig { returns(String) }
     def url_with_directory
       return url if [nil, ".", "/"].include?(directory)
 
@@ -149,25 +192,29 @@ module Dependabot
       end
     end
 
+    sig { returns(String) }
     def organization
-      repo.split("/").first
+      T.must(repo.split("/").first)
     end
 
+    sig { returns(String) }
     def project
       raise "Project is an Azure DevOps concept only" unless provider == "azure"
 
       parts = repo.split("/_git/")
-      return parts.first.split("/").last if parts.first.split("/").count == 2
+      return T.must(T.must(parts.first).split("/").last) if parts.first&.split("/")&.count == 2
 
-      parts.last
+      T.must(parts.last)
     end
 
+    sig { returns(String) }
     def unscoped_repo
-      repo.split("/").last
+      T.must(repo.split("/").last)
     end
 
     private
 
+    sig { params(provider: String).returns(String) }
     def default_hostname(provider)
       case provider
       when "github" then "github.com"
@@ -179,6 +226,7 @@ module Dependabot
       end
     end
 
+    sig { params(provider: String).returns(T.nilable(String)) }
     def default_api_endpoint(provider)
       case provider
       when "github" then "https://api.github.com/"

data/lib/dependabot/update_checkers/version_filters.rb

@@ -1,9 +1,20 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module UpdateCheckers
     module VersionFilters
+      extend T::Sig
+
+      sig do
+        params(
+          versions_array: T::Array[T.any(Gem::Version, T::Hash[Symbol, String])],
+          security_advisories: T::Array[SecurityAdvisory]
+        )
+          .returns(T::Array[T.any(Gem::Version, T::Hash[Symbol, String])])
+      end
       def self.filter_vulnerable_versions(versions_array, security_advisories)
         versions_array.reject do |v|
           security_advisories.any? do |a|