dependabot-common 0.236.0 → 0.237.0

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -1,7 +1,8 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "excon"
+require "sorbet-runtime"
 
 require "dependabot/clients/github_with_retries"
 require "dependabot/clients/gitlab_with_retries"
@@ -12,6 +13,8 @@ module Dependabot
   module MetadataFinders
     class Base
       class ChangelogFinder
+        extend T::Sig
+
         require_relative "changelog_pruner"
         require_relative "commits_finder"
 
@@ -86,9 +89,9 @@ module Dependabot
           suggested_source = Source.from_url(suggested_changelog_url)
           return unless suggested_source&.provider == "github"
 
-          opts = { path: suggested_source.directory, ref: suggested_source.branch }.compact
+          opts = { path: suggested_source&.directory, ref: suggested_source&.branch }.compact
           suggested_source_client = github_client_for_source(suggested_source)
-          tmp_files = suggested_source_client.contents(suggested_source.repo, opts)
+          tmp_files = suggested_source_client.contents(suggested_source&.repo, opts)
 
           filename = suggested_changelog_url.split("/").last.split("#").first
           @changelog_from_suggested_url =
@@ -128,7 +131,10 @@ module Dependabot
             file = candidates.first if candidates.one?
             file ||=
               candidates.find do |f|
-                candidates -= [f] && next if fetch_file_text(f).nil?
+                if fetch_file_text(f).nil?
+                  candidates -= [f]
+                  next
+                end
                 pruner = ChangelogPruner.new(
                   dependency: dependency,
                   changelog_text: fetch_file_text(f)
@@ -159,11 +165,12 @@ module Dependabot
           fetch_file_text(changelog)
         end
 
+        sig { params(file: T.untyped).returns(T.nilable(String)) }
         def fetch_file_text(file)
           @file_text ||= {}
 
           unless @file_text.key?(file.download_url)
-            file_source = Source.from_url(file.html_url)
+            file_source = T.must(Source.from_url(file.html_url))
             @file_text[file.download_url] =
               case file_source.provider
               when "github" then fetch_github_file(file_source, file)
@@ -171,7 +178,7 @@ module Dependabot
               when "bitbucket" then fetch_bitbucket_file(file)
               when "azure" then fetch_azure_file(file)
               when "codecommit" then nil # TODO: git file from codecommit
-              else raise "Unsupported provider '#{provider}'"
+              else raise "Unsupported provider '#{file_source.provider}'"
               end
           end
 

data/lib/dependabot/pull_request_creator/github.rb

@@ -1,8 +1,9 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "octokit"
 require "securerandom"
+require "sorbet-runtime"
 require "dependabot/clients/github_with_retries"
 require "dependabot/pull_request_creator"
 require "dependabot/pull_request_creator/commit_signer"
@@ -10,6 +11,8 @@ module Dependabot
   class PullRequestCreator
     # rubocop:disable Metrics/ClassLength
     class Github
+      extend T::Sig
+
       # GitHub limits PR descriptions to a max of 65,536 characters:
       # https://github.com/orgs/community/discussions/27190#discussioncomment-3726017
       PR_DESCRIPTION_MAX_LENGTH = 65_535 # 0 based count
@@ -65,11 +68,11 @@ module Dependabot
       def branch_exists?(name)
         git_metadata_fetcher.ref_names.include?(name)
       rescue Dependabot::GitDependenciesNotReachable => e
-        raise e.cause if e.cause&.message&.include?("is disabled")
-        raise e.cause if e.cause.is_a?(Octokit::Unauthorized)
+        raise T.must(e.cause) if e.cause&.message&.include?("is disabled")
+        raise T.must(e.cause) if e.cause.is_a?(Octokit::Unauthorized)
         raise(RepoNotFound, source.url) unless repo_exists?
 
-        retrying ||= false
+        retrying ||= T.let(false, T::Boolean)
 
         msg = "Unexpected git error!\n\n#{e.cause&.class}: #{e.cause&.message}"
         raise msg if retrying
@@ -249,14 +252,14 @@ module Dependabot
         rescue Octokit::UnprocessableEntity => e
           raise if e.message.match?(/Reference already exists/i)
 
-          retrying_branch_creation ||= false
+          retrying_branch_creation ||= T.let(false, T::Boolean)
           raise if retrying_branch_creation
 
           retrying_branch_creation = true
 
           # Branch creation will fail if a branch called `dependabot` already
           # exists, since git won't be able to create a dir with the same name
-          ref = "refs/heads/#{SecureRandom.hex[0..3] + branch_name}"
+          ref = "refs/heads/#{T.must(SecureRandom.hex[0..3]) + branch_name}"
           retry
         end
       end
@@ -320,7 +323,7 @@ module Dependabot
             "`@#{reviewers.first}`"
           else
             names = reviewers.map { |rv| "`@#{rv}`" }
-            "#{names[0..-2].join(', ')} and #{names[-1]}"
+            "#{T.must(names[0..-2]).join(', ')} and #{names[-1]}"
           end
 
         msg = "Dependabot tried to add #{reviewers_string} as "
@@ -371,7 +374,7 @@ module Dependabot
         # Sometimes PR creation fails with no details (presumably because the
         # details are internal). It doesn't hurt to retry in these cases, in
         # case the cause is a race.
-        retrying_pr_creation ||= false
+        retrying_pr_creation ||= T.let(false, T::Boolean)
         raise if retrying_pr_creation
 
         retrying_pr_creation = true

data/lib/dependabot/pull_request_creator/message.rb

@@ -1,12 +1,31 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   class PullRequestCreator
     # Message is a static alternative to MessageBuilder
     class Message
-      attr_reader :commit_message, :pr_name, :pr_message
+      extend T::Sig
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :commit_message
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :pr_name
 
+      sig { returns(T.nilable(String)) }
+      attr_reader :pr_message
+
+      sig do
+        params(
+          commit_message: T.nilable(String),
+          pr_name: T.nilable(String),
+          pr_message: T.nilable(String)
+        )
+          .void
+      end
       def initialize(commit_message: nil, pr_name: nil, pr_message: nil)
         @commit_message = commit_message
         @pr_name = pr_name

data/lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb

@@ -1,7 +1,8 @@
-# typed: false
+# typed: strong
 # frozen_string_literal: true
 
 require "commonmarker"
+require "sorbet-runtime"
 require "strscan"
 require "dependabot/pull_request_creator/message_builder"
 
@@ -9,6 +10,8 @@ module Dependabot
   class PullRequestCreator
     class MessageBuilder
       class LinkAndMentionSanitizer
+        extend T::Sig
+
         GITHUB_USERNAME = /[a-z0-9]+(-[a-z0-9]+)*/i
         GITHUB_REF_REGEX = %r{
           (?:https?://)?
@@ -22,19 +25,24 @@ module Dependabot
         TEAM_MENTION_REGEX = %r{(?<![A-Za-z0-9`~])@(?<org>#{GITHUB_USERNAME})/(?<team>#{GITHUB_USERNAME})/?}
         # End of string
         EOS_REGEX = /\z/
-        COMMONMARKER_OPTIONS = %i(
-          GITHUB_PRE_LANG FULL_INFO_STRING
-        ).freeze
-        COMMONMARKER_EXTENSIONS = %i(
-          table tasklist strikethrough autolink tagfilter
-        ).freeze
-
+        COMMONMARKER_OPTIONS = T.let(
+          %i(GITHUB_PRE_LANG FULL_INFO_STRING).freeze,
+          T::Array[Symbol]
+        )
+        COMMONMARKER_EXTENSIONS = T.let(
+          %i(table tasklist strikethrough autolink tagfilter).freeze,
+          T::Array[Symbol]
+        )
+
+        sig { returns(T.nilable(String)) }
         attr_reader :github_redirection_service
 
+        sig { params(github_redirection_service: T.nilable(String)).void }
         def initialize(github_redirection_service:)
           @github_redirection_service = github_redirection_service
         end
 
+        sig { params(text: String, unsafe: T::Boolean, format_html: T::Boolean).returns(String) }
         def sanitize_links_and_mentions(text:, unsafe: false, format_html: true)
           doc = CommonMarker.render_doc(
             text, :LIBERAL_HTML_TAG, COMMONMARKER_EXTENSIONS
@@ -53,6 +61,7 @@ module Dependabot
 
         private
 
+        sig { params(doc: CommonMarker::Node).void }
         def sanitize_mentions(doc)
           doc.walk do |node|
             if node.type == :text &&
@@ -77,6 +86,7 @@ module Dependabot
         # This is because there are ecosystems that have packages that follow the same pattern
         # (e.g. @angular/angular-cli), and we don't want to create an invalid link, since
         # team mentions link to `https://github.com/org/:organization_name/teams/:team_name`.
+        sig { params(doc: CommonMarker::Node).void }
         def sanitize_team_mentions(doc)
           doc.walk do |node|
             if node.type == :text &&
@@ -92,6 +102,7 @@ module Dependabot
           end
         end
 
+        sig { params(doc: CommonMarker::Node).void }
         def sanitize_links(doc)
           doc.walk do |node|
             if node.type == :link && node.url.match?(GITHUB_REF_REGEX)
@@ -101,7 +112,7 @@ module Dependabot
                   next
                 end
 
-                last_match = subnode.string_content.match(GITHUB_REF_REGEX)
+                last_match = T.must(subnode.string_content.match(GITHUB_REF_REGEX))
                 number = last_match.named_captures.fetch("number")
                 repo = last_match.named_captures.fetch("repo")
                 subnode.string_content = "#{repo}##{number}"
@@ -115,6 +126,7 @@ module Dependabot
           end
         end
 
+        sig { params(doc: CommonMarker::Node).void }
         def sanitize_nwo_text(doc)
           doc.walk do |node|
             if node.type == :text &&
@@ -125,8 +137,9 @@ module Dependabot
           end
         end
 
+        sig { params(node: CommonMarker::Node).void }
         def replace_nwo_node(node)
-          match = node.string_content.match(GITHUB_NWO_REGEX)
+          match = T.must(node.string_content.match(GITHUB_NWO_REGEX))
           repo = match.named_captures.fetch("repo")
           number = match.named_captures.fetch("number")
           new_node = build_nwo_text_node("#{repo}##{number}")
@@ -134,22 +147,24 @@ module Dependabot
           node.delete
         end
 
+        sig { params(text: String).returns(String) }
         def replace_github_host(text)
-          return text if !github_redirection_service.nil? && text.include?(github_redirection_service)
+          return text if !github_redirection_service.nil? && text.include?(T.must(github_redirection_service))
 
           text.gsub(
             /(www\.)?github.com/, github_redirection_service || "github.com"
           )
         end
 
+        sig { params(text: String).returns(T::Array[CommonMarker::Node]) }
         def build_mention_nodes(text)
-          nodes = []
+          nodes = T.let([], T::Array[CommonMarker::Node])
           scan = StringScanner.new(text)
 
           until scan.eos?
             line = scan.scan_until(MENTION_REGEX) ||
                    scan.scan_until(EOS_REGEX)
-            line_match = line.match(MENTION_REGEX)
+            line_match = T.must(line).match(MENTION_REGEX)
             mention = line_match&.to_s
             text_node = CommonMarker::Node.new(:text)
 
@@ -168,14 +183,15 @@ module Dependabot
           nodes
         end
 
+        sig { params(text: String).returns(T::Array[CommonMarker::Node]) }
         def build_team_mention_nodes(text)
-          nodes = []
+          nodes = T.let([], T::Array[CommonMarker::Node])
 
           scan = StringScanner.new(text)
           until scan.eos?
             line = scan.scan_until(TEAM_MENTION_REGEX) ||
                    scan.scan_until(EOS_REGEX)
-            line_match = line.match(TEAM_MENTION_REGEX)
+            line_match = T.must(line).match(TEAM_MENTION_REGEX)
             mention = line_match&.to_s
             text_node = CommonMarker::Node.new(:text)
 
@@ -192,18 +208,21 @@ module Dependabot
           nodes
         end
 
+        sig { params(text: String).returns(T::Array[CommonMarker::Node]) }
         def build_mention_link_text_nodes(text)
           code_node = CommonMarker::Node.new(:code)
           code_node.string_content = insert_zero_width_space_in_mention(text)
           [code_node]
         end
 
+        sig { params(text: String).returns(CommonMarker::Node) }
         def build_nwo_text_node(text)
           code_node = CommonMarker::Node.new(:code)
           code_node.string_content = text
           code_node
         end
 
+        sig { params(url: String, text: String).returns(CommonMarker::Node) }
         def create_link_node(url, text)
           link_node = CommonMarker::Node.new(:link)
           code_node = CommonMarker::Node.new(:code)
@@ -217,12 +236,14 @@ module Dependabot
         # email replies on dependabot pull requests triggering notifications to
         # users who've been mentioned in changelogs etc. PR email replies parse
         # the content of the pull request body in plain text.
+        sig { params(mention: String).returns(String) }
         def insert_zero_width_space_in_mention(mention)
           mention.sub("@", "@\u200B").encode("utf-8")
         end
 
+        sig { params(node: CommonMarker::Node).returns(T::Boolean) }
         def parent_node_link?(node)
-          node.type == :link || (node.parent && parent_node_link?(node.parent))
+          node.type == :link || (!node.parent.nil? && parent_node_link?(T.must(node.parent)))
         end
       end
     end

data/lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb

@@ -1,12 +1,14 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/pull_request_creator/message_builder"
 
 module Dependabot
   class PullRequestCreator
     class MessageBuilder
       class MetadataPresenter
+        extend T::Sig
         extend Forwardable
 
         attr_reader :dependency, :source, :metadata_finder,
@@ -192,7 +194,7 @@ module Dependabot
             unaffected_versions
             affected_versions
           ).each do |tp|
-            type = tp.split("_").first.capitalize
+            type = T.must(tp.split("_").first).capitalize
             next unless details[tp]
 
             versions_string = details[tp].any? ? details[tp].join("; ") : "none"

data/lib/dependabot/pull_request_creator/pr_name_prefixer.rb

@@ -132,7 +132,7 @@ module Dependabot
         case last_dependabot_commit_style
         when :gitmoji then true
         when :conventional_prefix, :conventional_prefix_with_scope
-          last_dependabot_commit_message.match?(/: (\[[Ss]ecurity\] )?(B|U)/)
+          last_dependabot_commit_title.match?(/: (\[[Ss]ecurity\] )?(B|U)/)
         else raise "Unknown commit style #{last_dependabot_commit_style}"
         end
       end
@@ -152,7 +152,7 @@ module Dependabot
       end
 
       def last_dependabot_commit_style
-        return unless (msg = last_dependabot_commit_message)
+        return unless (msg = last_dependabot_commit_title)
 
         return :gitmoji if msg.start_with?("⬆️")
         return :conventional_prefix if msg.match?(/\A(chore|build|upgrade):/i)
@@ -162,7 +162,7 @@ module Dependabot
       end
 
       def last_dependabot_commit_prefix
-        last_dependabot_commit_message&.split(/[:(]/)&.first
+        last_dependabot_commit_title&.split(/[:(]/)&.first
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
@@ -245,7 +245,7 @@ module Dependabot
           ANGULAR_PREFIXES.any? { |pre| message.match?(/#{pre}[:(]/i) }
         end
 
-        return last_dependabot_commit_message&.start_with?(/[A-Z]/) if semantic_messages.none?
+        return last_dependabot_commit_title&.start_with?(/[A-Z]/) if semantic_messages.none?
 
         capitalized_msgs = semantic_messages
                            .select { |m| m.start_with?(/[A-Z]/) }
@@ -329,6 +329,12 @@ module Dependabot
                                           .map(&:strip)
       end
 
+      def last_dependabot_commit_title
+        return @last_dependabot_commit_title if defined?(@last_dependabot_commit_title)
+
+        @last_dependabot_commit_title = last_dependabot_commit_message&.split("\n")&.first
+      end
+
       def last_dependabot_commit_message
         @last_dependabot_commit_message ||=
           case source.provider