dependabot-common 0.236.0 → 0.238.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 945c135096f005a7d416b56d1e8f9e6b91e1a02b0590758887eba5a110fb5b19
-  data.tar.gz: 0cc101754418b3b1aa682c273e5c6ed2fa72b796d72a9b4d30b3c0f0aa41c39b
+  metadata.gz: 77312fe42bc6241de9c474fa2a1bab0dd3955bff4c2846bc057e52684f1b48bf
+  data.tar.gz: 72fbe948d041e0d1e2fd717fa98a2358e32413408ed2d147d6cbd58107d8d5ba
 SHA512:
-  metadata.gz: 76e41c5707a11e8a5b17df8fa71fc81a4ebbf1a3fd71469931d84cebe1573588afa6605751af2a65c849884bcdf0dd79b5bc4a1d63b9ac69d39466cf8a4b952e
-  data.tar.gz: 53204ad41f102502301e483b3175280673849b0ab0d530b8458aa77289251dfaf287f9ee051e90bd5b39722a7b25a2993e8a49aa15c03982e82990df475fd9dd
+  metadata.gz: f108dbeb6f04a42d5b5b4e30baecad3d376bd82615e067b3ca2696bbdcefd875c55c4dd18da926b597641691e47edb034244d4d170030cbf8055d3c29e9de3cf
+  data.tar.gz: e14a429b7dadcd27eccd9e049fb6ebd4a405e8e86229eb683c47d1cb72e911a0da4ae3cab50a3a883000f49ef19e33716cfc2a1fd17181d89858da9644ff80e2

data/lib/dependabot/clients/azure.rb

@@ -271,9 +271,9 @@ module Dependabot
             )
           )
 
-          raise InternalServerError if response&.status == 500
-          raise BadGateway if response&.status == 502
-          raise ServiceNotAvailable if response&.status == 503
+          raise InternalServerError if response.status == 500
+          raise BadGateway if response.status == 502
+          raise ServiceNotAvailable if response.status == 503
         end
 
         raise Unauthorized if response&.status == 401

data/lib/dependabot/clients/codecommit.rb

@@ -1,6 +1,7 @@
 # typed: true
 # frozen_string_literal: true
 
+require "aws-sdk-codecommit"
 require "dependabot/shared_helpers"
 
 module Dependabot

data/lib/dependabot/config/file.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/config/update_config"
@@ -10,11 +10,22 @@ module Dependabot
     class File
       extend T::Sig
 
-      attr_reader :updates, :registries
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
+      attr_reader :updates
 
+      sig { returns T::Array[T.untyped] }
+      attr_reader :registries
+
+      sig do
+        params(
+          updates: T.nilable(T::Array[T::Hash[Symbol, String]]),
+          registries: T.nilable(T::Array[T.untyped])
+        )
+          .void
+      end
       def initialize(updates:, registries: nil)
-        @updates = updates || []
-        @registries = registries || []
+        @updates = T.let(updates || [], T::Array[T::Hash[Symbol, String]])
+        @registries = T.let(registries || [], T::Array[T.untyped])
       end
 
       sig do
@@ -46,7 +57,7 @@ module Dependabot
 
       private
 
-      PACKAGE_MANAGER_LOOKUP = {
+      PACKAGE_MANAGER_LOOKUP = T.let({
         "bundler" => "bundler",
         "cargo" => "cargo",
         "composer" => "composer",
@@ -64,7 +75,7 @@ module Dependabot
         "pub" => "pub",
         "swift" => "swift",
         "terraform" => "terraform"
-      }.freeze
+      }.freeze, T::Hash[String, String])
 
       sig { params(cfg: T.nilable(T::Hash[Symbol, T.untyped])).returns(T::Array[IgnoreCondition]) }
       def ignore_conditions(cfg)

data/lib/dependabot/config/update_config.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/config/ignore_condition"
@@ -23,17 +23,17 @@ module Dependabot
         ).void
       end
       def initialize(ignore_conditions: nil, commit_message_options: nil)
-        @ignore_conditions = ignore_conditions || []
+        @ignore_conditions = T.let(ignore_conditions || [], T::Array[IgnoreCondition])
         @commit_message_options = commit_message_options
       end
 
       sig { params(dependency: Dependency, security_updates_only: T::Boolean).returns(T::Array[String]) }
       def ignored_versions_for(dependency, security_updates_only: false)
         normalizer = name_normaliser_for(dependency)
-        dep_name = normalizer.call(dependency.name)
+        dep_name = T.must(normalizer).call(dependency.name)
 
         @ignore_conditions
-          .select { |ic| self.class.wildcard_match?(normalizer.call(ic.dependency_name), dep_name) }
+          .select { |ic| self.class.wildcard_match?(T.must(normalizer).call(ic.dependency_name), dep_name) }
           .map { |ic| ic.ignored_versions(dependency, security_updates_only) }
           .flatten
           .compact
@@ -53,6 +53,7 @@ module Dependabot
 
       private
 
+      sig { params(dep: Dependency).returns(T.nilable(T.proc.params(arg0: String).returns(String))) }
       def name_normaliser_for(dep)
         name_normaliser ||= {}
         name_normaliser[dep] ||= Dependency.name_normaliser_for_package_manager(dep.package_manager)
@@ -61,18 +62,35 @@ module Dependabot
       class CommitMessageOptions
         extend T::Sig
 
-        attr_reader :prefix, :prefix_development, :include
+        sig { returns(T.nilable(String)) }
+        attr_reader :prefix
 
+        sig { returns(T.nilable(String)) }
+        attr_reader :prefix_development
+
+        sig { returns(T.nilable(String)) }
+        attr_reader :include
+
+        sig do
+          params(
+            prefix: T.nilable(String),
+            prefix_development: T.nilable(String),
+            include: T.nilable(String)
+          )
+            .void
+        end
         def initialize(prefix:, prefix_development:, include:)
           @prefix = prefix
           @prefix_development = prefix_development
           @include = include
         end
 
+        sig { returns(T::Boolean) }
         def include_scope?
           @include == "scope"
         end
 
+        sig { returns(T::Hash[Symbol, String]) }
         def to_h
           {
             prefix: @prefix,

data/lib/dependabot/dependency.rb

@@ -1,14 +1,23 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/version"
 
 module Dependabot
   class Dependency
-    @production_checks = {}
-    @display_name_builders = {}
-    @name_normalisers = {}
+    extend T::Sig
 
+    @production_checks = T.let(
+      {},
+      T::Hash[String, T.proc.params(arg0: T::Array[T.untyped]).returns(T::Boolean)]
+    )
+    @display_name_builders = T.let({}, T::Hash[String, T.proc.params(arg0: String).returns(String)])
+    @name_normalisers = T.let({}, T::Hash[String, T.proc.params(arg0: String).returns(String)])
+
+    sig do
+      params(package_manager: String).returns(T.proc.params(arg0: T::Array[T.untyped]).returns(T::Boolean))
+    end
     def self.production_check_for_package_manager(package_manager)
       production_check = @production_checks[package_manager]
       return production_check if production_check
@@ -16,62 +25,128 @@ module Dependabot
       raise "Unsupported package_manager #{package_manager}"
     end
 
+    sig do
+      params(
+        package_manager: String,
+        production_check: T.proc.params(arg0: T::Array[T.untyped]).returns(T::Boolean)
+      )
+        .returns(T.proc.params(arg0: T::Array[T.untyped]).returns(T::Boolean))
+    end
     def self.register_production_check(package_manager, production_check)
       @production_checks[package_manager] = production_check
     end
 
+    sig { params(package_manager: String).returns(T.nilable(T.proc.params(arg0: String).returns(String))) }
     def self.display_name_builder_for_package_manager(package_manager)
       @display_name_builders[package_manager]
     end
 
+    sig { params(package_manager: String, name_builder: T.proc.params(arg0: String).returns(String)).void }
     def self.register_display_name_builder(package_manager, name_builder)
       @display_name_builders[package_manager] = name_builder
     end
 
+    sig { params(package_manager: String).returns(T.nilable(T.proc.params(arg0: String).returns(String))) }
     def self.name_normaliser_for_package_manager(package_manager)
       @name_normalisers[package_manager] || ->(name) { name }
     end
 
+    sig do
+      params(
+        package_manager: String,
+        name_builder: T.proc.params(arg0: String).returns(String)
+      ).void
+    end
     def self.register_name_normaliser(package_manager, name_builder)
       @name_normalisers[package_manager] = name_builder
     end
 
-    attr_reader :name, :version, :requirements, :package_manager,
-                :previous_version, :previous_requirements,
-                :subdependency_metadata, :metadata
+    sig { returns(String) }
+    attr_reader :name
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :version
+
+    sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+    attr_reader :requirements
+
+    sig { returns(String) }
+    attr_reader :package_manager
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :previous_version
 
+    sig { returns(T.nilable(T::Array[T::Hash[Symbol, T.untyped]])) }
+    attr_reader :previous_requirements
+
+    sig { returns(T.nilable(T::Array[T::Hash[Symbol, T.untyped]])) }
+    attr_reader :subdependency_metadata
+
+    sig { returns(T::Hash[Symbol, T.untyped]) }
+    attr_reader :metadata
+
+    sig do
+      params(
+        name: String,
+        requirements: T::Array[T::Hash[String, String]],
+        package_manager: String,
+        # TODO: Make version a Dependabot::Version everywhere
+        version: T.nilable(T.any(String, Dependabot::Version)),
+        previous_version: T.nilable(String),
+        previous_requirements: T.nilable(T::Array[T::Hash[String, String]]),
+        subdependency_metadata: T.nilable(T::Array[T::Hash[String, String]]),
+        removed: T::Boolean,
+        metadata: T.nilable(T::Hash[String, String])
+      ).void
+    end
     def initialize(name:, requirements:, package_manager:, version: nil,
                    previous_version: nil, previous_requirements: nil,
                    subdependency_metadata: [], removed: false, metadata: {})
       @name = name
-      @version = version
-      @requirements = requirements.map { |req| symbolize_keys(req) }
+      @version = T.let(
+        case version
+        when Dependabot::Version then version.to_s
+        when String then version
+        end,
+        T.nilable(String)
+      )
+      @requirements = T.let(requirements.map { |req| symbolize_keys(req) }, T::Array[T::Hash[Symbol, String]])
       @previous_version = previous_version
-      @previous_requirements =
-        previous_requirements&.map { |req| symbolize_keys(req) }
+      @previous_requirements = T.let(
+        previous_requirements&.map { |req| symbolize_keys(req) },
+        T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
+      )
       @package_manager = package_manager
       unless top_level? || subdependency_metadata == []
-        @subdependency_metadata = subdependency_metadata
-                                  &.map { |h| symbolize_keys(h) }
+        @subdependency_metadata = T.let(
+          subdependency_metadata&.map { |h| symbolize_keys(h) },
+          T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
+        )
       end
       @removed = removed
-      @metadata = symbolize_keys(metadata || {})
+      @metadata = T.let(symbolize_keys(metadata || {}), T::Hash[Symbol, T.untyped])
 
       check_values
     end
 
+    sig { returns(T::Boolean) }
     def top_level?
       requirements.any?
     end
 
+    sig { returns(T::Boolean) }
     def removed?
       @removed
     end
 
+    sig { returns(T.nilable(Dependabot::Version)) }
     def numeric_version
-      @numeric_version ||= version_class.new(version) if version && version_class.correct?(version)
+      return unless version && version_class.correct?(version)
+
+      @numeric_version ||= T.let(version_class.new(version), T.nilable(Dependabot::Version))
     end
 
+    sig { returns(T::Hash[String, T.untyped]) }
     def to_h
       {
         "name" => name,
@@ -85,10 +160,12 @@ module Dependabot
       }.compact
     end
 
+    sig { returns(T::Boolean) }
     def appears_in_lockfile?
-      previous_version || (version && previous_requirements.nil?)
+      !!(previous_version || (version && previous_requirements.nil?))
     end
 
+    sig { returns(T::Boolean) }
     def production?
       return subdependency_production_check unless top_level?
 
@@ -99,10 +176,12 @@ module Dependabot
           .call(groups)
     end
 
+    sig { returns(T::Boolean) }
     def subdependency_production_check
       !subdependency_metadata&.all? { |h| h[:production] == false }
     end
 
+    sig { returns(String) }
     def display_name
       display_name_builder =
         self.class.display_name_builder_for_package_manager(package_manager)
@@ -111,6 +190,7 @@ module Dependabot
       display_name_builder.call(name)
     end
 
+    sig { returns(T.nilable(String)) }
     def humanized_previous_version
       # If we don't have a previous version, we *may* still be able to figure
       # one out if a ref was provided and has been changed (in which case the
@@ -119,48 +199,52 @@ module Dependabot
         return ref_changed? ? previous_ref : nil
       end
 
-      if previous_version.match?(/^[0-9a-f]{40}/)
+      if T.must(previous_version).match?(/^[0-9a-f]{40}/)
         return previous_ref if ref_changed? && previous_ref
 
-        "`#{previous_version[0..6]}`"
+        "`#{T.must(previous_version)[0..6]}`"
       elsif version == previous_version &&
             package_manager == "docker"
-        digest = docker_digest_from_reqs(previous_requirements)
-        "`#{digest.split(':').last[0..6]}`"
+        digest = docker_digest_from_reqs(T.must(previous_requirements))
+        "`#{T.must(T.must(digest).split(':').last)[0..6]}`"
       else
         previous_version
       end
     end
 
+    sig { returns(T.nilable(String)) }
     def humanized_version
       return if removed?
 
-      if version.match?(/^[0-9a-f]{40}/)
+      if T.must(version).match?(/^[0-9a-f]{40}/)
         return new_ref if ref_changed? && new_ref
 
-        "`#{version[0..6]}`"
+        "`#{T.must(version)[0..6]}`"
       elsif version == previous_version &&
             package_manager == "docker"
         digest = docker_digest_from_reqs(requirements)
-        "`#{digest.split(':').last[0..6]}`"
+        "`#{T.must(T.must(digest).split(':').last)[0..6]}`"
       else
         version
       end
     end
 
+    sig { params(requirements: T::Array[T::Hash[Symbol, T.untyped]]).returns(T.nilable(String)) }
     def docker_digest_from_reqs(requirements)
       requirements
         .filter_map { |r| r.dig(:source, "digest") || r.dig(:source, :digest) }
         .first
     end
 
+    sig { returns(T.nilable(String)) }
     def previous_ref
-      previous_refs = previous_requirements.filter_map do |r|
+      previous_refs = T.must(previous_requirements).filter_map do |r|
         r.dig(:source, "ref") || r.dig(:source, :ref)
       end.uniq
       previous_refs.first if previous_refs.count == 1
     end
 
+    sig { returns(T.nilable(String)) }
     def new_ref
       new_refs = requirements.filter_map do |r|
         r.dig(:source, "ref") || r.dig(:source, :ref)
@@ -168,12 +252,14 @@ module Dependabot
       new_refs.first if new_refs.count == 1
     end
 
+    sig { returns(T::Boolean) }
     def ref_changed?
       previous_ref != new_ref
     end
 
     # Returns all detected versions of the dependency. Only ecosystems that
     # support this feature will return more than the current version.
+    sig { returns(T::Array[T.nilable(String)]) }
     def all_versions
       all_versions = metadata[:all_versions]
       return [version].compact unless all_versions
@@ -184,34 +270,52 @@ module Dependabot
     # This dependency is being indirectly updated by an update to another
     # dependency. We don't need to try and update it ourselves but want to
     # surface it to the user in the PR.
+    sig { returns(T.nilable(T::Boolean)) }
     def informational_only?
       metadata[:information_only]
     end
 
+    sig { params(other: T.anything).returns(T::Boolean) }
     def ==(other)
-      other.instance_of?(self.class) && to_h == other.to_h
+      case other
+      when Dependency
+        to_h == other.to_h
+      else
+        false
+      end
     end
 
+    sig { returns(Integer) }
     def hash
       to_h.hash
     end
 
+    sig { params(other: T.anything).returns(T::Boolean) }
     def eql?(other)
       self == other
     end
 
+    sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
     def specific_requirements
       requirements.select { |r| requirement_class.new(r[:requirement]).specific? }
     end
 
+    sig { returns(T.class_of(Gem::Requirement)) }
     def requirement_class
       Utils.requirement_class_for_package_manager(package_manager)
     end
 
+    sig { returns(T.class_of(Dependabot::Version)) }
     def version_class
       Utils.version_class_for_package_manager(package_manager)
     end
 
+    sig do
+      params(
+        allowed_types: T.nilable(T::Array[String])
+      )
+        .returns(T.nilable(T::Hash[T.any(String, Symbol), T.untyped]))
+    end
     def source_details(allowed_types: nil)
       sources = all_sources.uniq.compact
       sources.select! { |source| allowed_types.include?(source[:type].to_s) } if allowed_types
@@ -225,6 +329,7 @@ module Dependabot
       sources.first
     end
 
+    sig { returns(T.nilable(String)) }
     def source_type
       details = source_details
       return "default" if details.nil?
@@ -232,11 +337,12 @@ module Dependabot
       details[:type] || details.fetch("type")
     end
 
+    sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
     def all_sources
       if top_level?
         requirements.map { |requirement| requirement.fetch(:source) }
       elsif subdependency_metadata
-        subdependency_metadata.filter_map { |data| data[:source] }
+        T.must(subdependency_metadata).filter_map { |data| data[:source] }
       else
         []
       end
@@ -244,6 +350,7 @@ module Dependabot
 
     private
 
+    sig { void }
     def check_values
       raise ArgumentError, "blank strings must not be provided as versions" if [version, previous_version].any?("")
 
@@ -251,6 +358,7 @@ module Dependabot
       check_subdependency_metadata
     end
 
+    sig { void }
     def check_requirement_fields
       requirement_fields = [requirements, previous_requirements].compact
       unless requirement_fields.all?(Array) &&
@@ -273,15 +381,17 @@ module Dependabot
       raise ArgumentError, "blank strings must not be provided as requirements"
     end
 
+    sig { void }
     def check_subdependency_metadata
       return unless subdependency_metadata
 
       unless subdependency_metadata.is_a?(Array) &&
-             subdependency_metadata.all?(Hash)
+             T.must(subdependency_metadata).all?(Hash)
         raise ArgumentError, "subdependency_metadata must be an array of hashes"
       end
     end
 
+    sig { params(hash: T::Hash[String, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
     def symbolize_keys(hash)
       hash.keys.to_h { |k| [k.to_sym, hash[k]] }
     end