dependabot-common 0.236.0 → 0.238.0

data/lib/dependabot/git_metadata_fetcher.rb

@@ -1,49 +1,73 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "excon"
 require "open3"
+require "sorbet-runtime"
+
 require "dependabot/errors"
+require "dependabot/git_ref"
 
 module Dependabot
   class GitMetadataFetcher
+    extend T::Sig
+
     KNOWN_HOSTS = /github\.com|bitbucket\.org|gitlab.com/i
 
+    sig do
+      params(
+        url: String,
+        credentials: T::Array[T::Hash[String, String]]
+      )
+        .void
+    end
     def initialize(url:, credentials:)
       @url = url
       @credentials = credentials
     end
 
+    sig { returns(T.nilable(String)) }
     def upload_pack
-      @upload_pack ||= fetch_upload_pack_for(url)
+      @upload_pack ||= T.let(fetch_upload_pack_for(url), T.nilable(String))
     rescue Octokit::ClientError
       raise Dependabot::GitDependenciesNotReachable, [url]
     end
 
+    sig { returns(T::Array[GitRef]) }
     def tags
       return [] unless upload_pack
 
-      @tags ||= tags_for_upload_pack.map do |ref|
-        OpenStruct.new(
-          name: ref.name,
-          tag_sha: ref.ref_sha,
-          commit_sha: ref.commit_sha
-        )
-      end
+      @tags ||= T.let(
+        tags_for_upload_pack.map do |ref|
+          GitRef.new(
+            name: ref.name,
+            tag_sha: ref.ref_sha,
+            commit_sha: ref.commit_sha
+          )
+        end,
+        T.nilable(T::Array[GitRef])
+      )
     end
 
+    sig { returns(T::Array[GitRef]) }
     def tags_for_upload_pack
-      @tags_for_upload_pack ||= refs_for_upload_pack.select { |ref| ref.ref_type == :tag }
+      @tags_for_upload_pack ||= T.let(
+        refs_for_upload_pack.select { |ref| ref.ref_type == RefType::Tag },
+        T.nilable(T::Array[GitRef])
+      )
     end
 
+    sig { returns(T::Array[GitRef]) }
     def refs_for_upload_pack
-      @refs_for_upload_pack ||= parse_refs_for_upload_pack
+      @refs_for_upload_pack ||= T.let(parse_refs_for_upload_pack, T.nilable(T::Array[GitRef]))
     end
 
+    sig { returns(T::Array[String]) }
     def ref_names
       refs_for_upload_pack.map(&:name)
     end
 
+    sig { params(ref: String).returns(T.nilable(String)) }
     def head_commit_for_ref(ref)
       if ref == "HEAD"
         # Remove the opening clause of the upload pack as this isn't always
@@ -51,8 +75,8 @@ module Dependabot
         # causes problems for our `sha_for_update_pack_line` logic. The format
         # of this opening clause is documented at
         # https://git-scm.com/docs/http-protocol#_smart_server_response
-        line = upload_pack.gsub(/^[0-9a-f]{4}# service=git-upload-pack/, "")
-                          .lines.find { |l| l.include?(" HEAD") }
+        line = T.must(upload_pack).gsub(/^[0-9a-f]{4}# service=git-upload-pack/, "")
+                .lines.find { |l| l.include?(" HEAD") }
         return sha_for_update_pack_line(line) if line
       end
 
@@ -61,6 +85,7 @@ module Dependabot
         &.commit_sha
     end
 
+    sig { params(ref: String).returns(T.nilable(String)) }
     def head_commit_for_ref_sha(ref)
       refs_for_upload_pack
         .find { |r| r.ref_sha == ref }
@@ -69,8 +94,13 @@ module Dependabot
 
     private
 
-    attr_reader :url, :credentials
+    sig { returns(String) }
+    attr_reader :url
+
+    sig { returns(T::Array[T::Hash[String, String]]) }
+    attr_reader :credentials
 
+    sig { params(uri: String).returns(String) }
     def fetch_upload_pack_for(uri)
       response = fetch_raw_upload_pack_for(uri)
       return response.body if response.status == 200
@@ -97,6 +127,7 @@ module Dependabot
       raise Dependabot::GitDependenciesNotReachable, [uri]
     end
 
+    sig { params(uri: String).returns(Excon::Response) }
     def fetch_raw_upload_pack_for(uri)
       url = service_pack_uri(uri)
       url = url.rpartition("@").tap { |a| a.first.gsub!("@", "%40") }.join
@@ -107,6 +138,7 @@ module Dependabot
       )
     end
 
+    sig { params(uri: String).returns(T.untyped) }
     def fetch_raw_upload_pack_with_git_for(uri)
       service_pack_uri = uri
       service_pack_uri += ".git" unless service_pack_uri.end_with?(".git") || skip_git_suffix(uri)
@@ -129,11 +161,12 @@ module Dependabot
       end
     end
 
+    sig { returns(T::Array[GitRef]) }
     def parse_refs_for_upload_pack
       peeled_lines = []
 
-      result = upload_pack.lines.each_with_object({}) do |line, res|
-        full_ref_name = line.split.last
+      result = T.must(upload_pack).lines.each_with_object({}) do |line, res|
+        full_ref_name = T.must(line.split.last)
         next unless full_ref_name.start_with?("refs/tags", "refs/heads")
 
         (peeled_lines << line) && next if line.strip.end_with?("^{}")
@@ -141,10 +174,10 @@ module Dependabot
         ref_name = full_ref_name.sub(%r{^refs/(tags|heads)/}, "").strip
         sha = sha_for_update_pack_line(line)
 
-        res[ref_name] = OpenStruct.new(
+        res[ref_name] = GitRef.new(
           name: ref_name,
           ref_sha: sha,
-          ref_type: full_ref_name.start_with?("refs/tags") ? :tag : :head,
+          ref_type: full_ref_name.start_with?("refs/tags") ? RefType::Tag : RefType::Head,
           commit_sha: sha
         )
       end
@@ -162,6 +195,7 @@ module Dependabot
       result.values
     end
 
+    sig { params(uri: String).returns(String) }
     def service_pack_uri(uri)
       service_pack_uri = uri_with_auth(uri)
       service_pack_uri = service_pack_uri.gsub(%r{/$}, "")
@@ -169,6 +203,7 @@ module Dependabot
       service_pack_uri + "/info/refs?service=git-upload-pack"
     end
 
+    sig { params(uri: String).returns(T::Boolean) }
     def skip_git_suffix(uri)
       # TODO: Unlike the other providers (GitHub, GitLab, BitBucket), as of 2023-01-18 Azure DevOps does not support the
       # ".git" suffix. It will return a 404.
@@ -188,6 +223,7 @@ module Dependabot
 
     # Add in username and password if present in credentials.
     # Credentials are never present for production Dependabot.
+    sig { params(uri: String).returns(String) }
     def uri_with_auth(uri)
       uri = SharedHelpers.scp_to_standard(uri)
       uri = URI(uri)
@@ -196,7 +232,7 @@ module Dependabot
 
       uri.scheme = "https" if uri.scheme != "http"
 
-      if !uri.password && cred&.fetch("username", nil) && cred&.fetch("password", nil)
+      if !uri.password && cred && cred.fetch("username", nil) && cred.fetch("password", nil)
         # URI doesn't have authentication details, but we have credentials
         uri.user = URI.encode_www_form_component(cred["username"])
         uri.password = URI.encode_www_form_component(cred["password"])
@@ -205,10 +241,12 @@ module Dependabot
       uri.to_s
     end
 
+    sig { params(line: String).returns(String) }
     def sha_for_update_pack_line(line)
-      line.split.first.chars.last(40).join
+      T.must(line.split.first).chars.last(40).join
     end
 
+    sig { returns(T::Hash[Symbol, T.untyped]) }
     def excon_defaults
       # Some git hosts are slow when returning a large number of tags
       SharedHelpers.excon_defaults(read_timeout: 20)

data/lib/dependabot/git_ref.rb

@@ -0,0 +1,71 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  class GitRef
+    extend T::Sig
+
+    sig { returns(String) }
+    attr_accessor :name
+
+    sig { returns(String) }
+    attr_accessor :commit_sha
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :tag_sha
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :ref_sha
+
+    sig { returns(T.nilable(RefType)) }
+    attr_reader :ref_type
+
+    sig do
+      params(
+        name: String,
+        commit_sha: String,
+        tag_sha: T.nilable(String),
+        ref_sha: T.nilable(String),
+        ref_type: T.nilable(RefType)
+      )
+        .void
+    end
+    def initialize(name:, commit_sha:, tag_sha: nil, ref_sha: nil, ref_type: nil)
+      @name = name
+      @commit_sha = commit_sha
+      @ref_sha = ref_sha
+      @tag_sha = tag_sha
+      @ref_type = ref_type
+    end
+
+    sig { params(other: BasicObject).returns(T::Boolean) }
+    def ==(other)
+      case other
+      when GitRef
+        to_h == other.to_h
+      else
+        false
+      end
+    end
+
+    sig { returns(T::Hash[Symbol, T.nilable(String)]) }
+    def to_h
+      {
+        name: name,
+        commit_sha: commit_sha,
+        tag_sha: tag_sha,
+        ref_sha: ref_sha,
+        ref_type: ref_type
+      }.compact
+    end
+  end
+
+  class RefType < T::Enum
+    enums do
+      Tag = new
+      Head = new
+    end
+  end
+end

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -1,7 +1,8 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "excon"
+require "sorbet-runtime"
 
 require "dependabot/clients/github_with_retries"
 require "dependabot/clients/gitlab_with_retries"
@@ -12,6 +13,8 @@ module Dependabot
   module MetadataFinders
     class Base
       class ChangelogFinder
+        extend T::Sig
+
         require_relative "changelog_pruner"
         require_relative "commits_finder"
 
@@ -86,9 +89,9 @@ module Dependabot
           suggested_source = Source.from_url(suggested_changelog_url)
           return unless suggested_source&.provider == "github"
 
-          opts = { path: suggested_source.directory, ref: suggested_source.branch }.compact
+          opts = { path: suggested_source&.directory, ref: suggested_source&.branch }.compact
           suggested_source_client = github_client_for_source(suggested_source)
-          tmp_files = suggested_source_client.contents(suggested_source.repo, opts)
+          tmp_files = suggested_source_client.contents(suggested_source&.repo, opts)
 
           filename = suggested_changelog_url.split("/").last.split("#").first
           @changelog_from_suggested_url =
@@ -128,7 +131,10 @@ module Dependabot
             file = candidates.first if candidates.one?
             file ||=
               candidates.find do |f|
-                candidates -= [f] && next if fetch_file_text(f).nil?
+                if fetch_file_text(f).nil?
+                  candidates -= [f]
+                  next
+                end
                 pruner = ChangelogPruner.new(
                   dependency: dependency,
                   changelog_text: fetch_file_text(f)
@@ -159,11 +165,12 @@ module Dependabot
           fetch_file_text(changelog)
         end
 
+        sig { params(file: T.untyped).returns(T.nilable(String)) }
         def fetch_file_text(file)
           @file_text ||= {}
 
           unless @file_text.key?(file.download_url)
-            file_source = Source.from_url(file.html_url)
+            file_source = T.must(Source.from_url(file.html_url))
             @file_text[file.download_url] =
               case file_source.provider
               when "github" then fetch_github_file(file_source, file)
@@ -171,7 +178,7 @@ module Dependabot
               when "bitbucket" then fetch_bitbucket_file(file)
               when "azure" then fetch_azure_file(file)
               when "codecommit" then nil # TODO: git file from codecommit
-              else raise "Unsupported provider '#{provider}'"
+              else raise "Unsupported provider '#{file_source.provider}'"
               end
           end
 

data/lib/dependabot/pull_request_creator/github.rb

@@ -1,8 +1,9 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 require "octokit"
 require "securerandom"
+require "sorbet-runtime"
 require "dependabot/clients/github_with_retries"
 require "dependabot/pull_request_creator"
 require "dependabot/pull_request_creator/commit_signer"
@@ -10,6 +11,8 @@ module Dependabot
   class PullRequestCreator
     # rubocop:disable Metrics/ClassLength
     class Github
+      extend T::Sig
+
       # GitHub limits PR descriptions to a max of 65,536 characters:
       # https://github.com/orgs/community/discussions/27190#discussioncomment-3726017
       PR_DESCRIPTION_MAX_LENGTH = 65_535 # 0 based count
@@ -65,11 +68,11 @@ module Dependabot
       def branch_exists?(name)
         git_metadata_fetcher.ref_names.include?(name)
       rescue Dependabot::GitDependenciesNotReachable => e
-        raise e.cause if e.cause&.message&.include?("is disabled")
-        raise e.cause if e.cause.is_a?(Octokit::Unauthorized)
+        raise T.must(e.cause) if e.cause&.message&.include?("is disabled")
+        raise T.must(e.cause) if e.cause.is_a?(Octokit::Unauthorized)
         raise(RepoNotFound, source.url) unless repo_exists?
 
-        retrying ||= false
+        retrying ||= T.let(false, T::Boolean)
 
         msg = "Unexpected git error!\n\n#{e.cause&.class}: #{e.cause&.message}"
         raise msg if retrying
@@ -249,14 +252,14 @@ module Dependabot
         rescue Octokit::UnprocessableEntity => e
           raise if e.message.match?(/Reference already exists/i)
 
-          retrying_branch_creation ||= false
+          retrying_branch_creation ||= T.let(false, T::Boolean)
           raise if retrying_branch_creation
 
           retrying_branch_creation = true
 
           # Branch creation will fail if a branch called `dependabot` already
           # exists, since git won't be able to create a dir with the same name
-          ref = "refs/heads/#{SecureRandom.hex[0..3] + branch_name}"
+          ref = "refs/heads/#{T.must(SecureRandom.hex[0..3]) + branch_name}"
           retry
         end
       end
@@ -320,7 +323,7 @@ module Dependabot
             "`@#{reviewers.first}`"
           else
             names = reviewers.map { |rv| "`@#{rv}`" }
-            "#{names[0..-2].join(', ')} and #{names[-1]}"
+            "#{T.must(names[0..-2]).join(', ')} and #{names[-1]}"
           end
 
         msg = "Dependabot tried to add #{reviewers_string} as "
@@ -371,7 +374,7 @@ module Dependabot
         # Sometimes PR creation fails with no details (presumably because the
         # details are internal). It doesn't hurt to retry in these cases, in
         # case the cause is a race.
-        retrying_pr_creation ||= false
+        retrying_pr_creation ||= T.let(false, T::Boolean)
         raise if retrying_pr_creation
 
         retrying_pr_creation = true

data/lib/dependabot/pull_request_creator/message.rb

@@ -1,12 +1,31 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   class PullRequestCreator
     # Message is a static alternative to MessageBuilder
     class Message
-      attr_reader :commit_message, :pr_name, :pr_message
+      extend T::Sig
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :commit_message
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :pr_name
 
+      sig { returns(T.nilable(String)) }
+      attr_reader :pr_message
+
+      sig do
+        params(
+          commit_message: T.nilable(String),
+          pr_name: T.nilable(String),
+          pr_message: T.nilable(String)
+        )
+          .void
+      end
       def initialize(commit_message: nil, pr_name: nil, pr_message: nil)
         @commit_message = commit_message
         @pr_name = pr_name

data/lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb

@@ -1,7 +1,8 @@
-# typed: false
+# typed: strong
 # frozen_string_literal: true
 
 require "commonmarker"
+require "sorbet-runtime"
 require "strscan"
 require "dependabot/pull_request_creator/message_builder"
 
@@ -9,6 +10,8 @@ module Dependabot
   class PullRequestCreator
     class MessageBuilder
       class LinkAndMentionSanitizer
+        extend T::Sig
+
         GITHUB_USERNAME = /[a-z0-9]+(-[a-z0-9]+)*/i
         GITHUB_REF_REGEX = %r{
           (?:https?://)?
@@ -22,19 +25,24 @@ module Dependabot
         TEAM_MENTION_REGEX = %r{(?<![A-Za-z0-9`~])@(?<org>#{GITHUB_USERNAME})/(?<team>#{GITHUB_USERNAME})/?}
         # End of string
         EOS_REGEX = /\z/
-        COMMONMARKER_OPTIONS = %i(
-          GITHUB_PRE_LANG FULL_INFO_STRING
-        ).freeze
-        COMMONMARKER_EXTENSIONS = %i(
-          table tasklist strikethrough autolink tagfilter
-        ).freeze
-
+        COMMONMARKER_OPTIONS = T.let(
+          %i(GITHUB_PRE_LANG FULL_INFO_STRING).freeze,
+          T::Array[Symbol]
+        )
+        COMMONMARKER_EXTENSIONS = T.let(
+          %i(table tasklist strikethrough autolink tagfilter).freeze,
+          T::Array[Symbol]
+        )
+
+        sig { returns(T.nilable(String)) }
         attr_reader :github_redirection_service
 
+        sig { params(github_redirection_service: T.nilable(String)).void }
         def initialize(github_redirection_service:)
           @github_redirection_service = github_redirection_service
         end
 
+        sig { params(text: String, unsafe: T::Boolean, format_html: T::Boolean).returns(String) }
         def sanitize_links_and_mentions(text:, unsafe: false, format_html: true)
           doc = CommonMarker.render_doc(
             text, :LIBERAL_HTML_TAG, COMMONMARKER_EXTENSIONS
@@ -53,6 +61,7 @@ module Dependabot
 
         private
 
+        sig { params(doc: CommonMarker::Node).void }
         def sanitize_mentions(doc)
           doc.walk do |node|
             if node.type == :text &&
@@ -77,6 +86,7 @@ module Dependabot
         # This is because there are ecosystems that have packages that follow the same pattern
         # (e.g. @angular/angular-cli), and we don't want to create an invalid link, since
         # team mentions link to `https://github.com/org/:organization_name/teams/:team_name`.
+        sig { params(doc: CommonMarker::Node).void }
         def sanitize_team_mentions(doc)
           doc.walk do |node|
             if node.type == :text &&
@@ -92,6 +102,7 @@ module Dependabot
           end
         end
 
+        sig { params(doc: CommonMarker::Node).void }
         def sanitize_links(doc)
           doc.walk do |node|
             if node.type == :link && node.url.match?(GITHUB_REF_REGEX)
@@ -101,7 +112,7 @@ module Dependabot
                   next
                 end
 
-                last_match = subnode.string_content.match(GITHUB_REF_REGEX)
+                last_match = T.must(subnode.string_content.match(GITHUB_REF_REGEX))
                 number = last_match.named_captures.fetch("number")
                 repo = last_match.named_captures.fetch("repo")
                 subnode.string_content = "#{repo}##{number}"
@@ -115,6 +126,7 @@ module Dependabot
           end
         end
 
+        sig { params(doc: CommonMarker::Node).void }
         def sanitize_nwo_text(doc)
           doc.walk do |node|
             if node.type == :text &&
@@ -125,8 +137,9 @@ module Dependabot
           end
         end
 
+        sig { params(node: CommonMarker::Node).void }
         def replace_nwo_node(node)
-          match = node.string_content.match(GITHUB_NWO_REGEX)
+          match = T.must(node.string_content.match(GITHUB_NWO_REGEX))
           repo = match.named_captures.fetch("repo")
           number = match.named_captures.fetch("number")
           new_node = build_nwo_text_node("#{repo}##{number}")
@@ -134,22 +147,24 @@ module Dependabot
           node.delete
         end
 
+        sig { params(text: String).returns(String) }
         def replace_github_host(text)
-          return text if !github_redirection_service.nil? && text.include?(github_redirection_service)
+          return text if !github_redirection_service.nil? && text.include?(T.must(github_redirection_service))
 
           text.gsub(
             /(www\.)?github.com/, github_redirection_service || "github.com"
           )
         end
 
+        sig { params(text: String).returns(T::Array[CommonMarker::Node]) }
         def build_mention_nodes(text)
-          nodes = []
+          nodes = T.let([], T::Array[CommonMarker::Node])
           scan = StringScanner.new(text)
 
           until scan.eos?
             line = scan.scan_until(MENTION_REGEX) ||
                    scan.scan_until(EOS_REGEX)
-            line_match = line.match(MENTION_REGEX)
+            line_match = T.must(line).match(MENTION_REGEX)
             mention = line_match&.to_s
             text_node = CommonMarker::Node.new(:text)
 
@@ -168,14 +183,15 @@ module Dependabot
           nodes
         end
 
+        sig { params(text: String).returns(T::Array[CommonMarker::Node]) }
         def build_team_mention_nodes(text)
-          nodes = []
+          nodes = T.let([], T::Array[CommonMarker::Node])
 
           scan = StringScanner.new(text)
           until scan.eos?
             line = scan.scan_until(TEAM_MENTION_REGEX) ||
                    scan.scan_until(EOS_REGEX)
-            line_match = line.match(TEAM_MENTION_REGEX)
+            line_match = T.must(line).match(TEAM_MENTION_REGEX)
             mention = line_match&.to_s
             text_node = CommonMarker::Node.new(:text)
 
@@ -192,18 +208,21 @@ module Dependabot
           nodes
         end
 
+        sig { params(text: String).returns(T::Array[CommonMarker::Node]) }
         def build_mention_link_text_nodes(text)
           code_node = CommonMarker::Node.new(:code)
           code_node.string_content = insert_zero_width_space_in_mention(text)
           [code_node]
         end
 
+        sig { params(text: String).returns(CommonMarker::Node) }
         def build_nwo_text_node(text)
           code_node = CommonMarker::Node.new(:code)
           code_node.string_content = text
           code_node
         end
 
+        sig { params(url: String, text: String).returns(CommonMarker::Node) }
         def create_link_node(url, text)
           link_node = CommonMarker::Node.new(:link)
           code_node = CommonMarker::Node.new(:code)
@@ -217,12 +236,14 @@ module Dependabot
         # email replies on dependabot pull requests triggering notifications to
         # users who've been mentioned in changelogs etc. PR email replies parse
         # the content of the pull request body in plain text.
+        sig { params(mention: String).returns(String) }
         def insert_zero_width_space_in_mention(mention)
           mention.sub("@", "@\u200B").encode("utf-8")
         end
 
+        sig { params(node: CommonMarker::Node).returns(T::Boolean) }
         def parent_node_link?(node)
-          node.type == :link || (node.parent && parent_node_link?(node.parent))
+          node.type == :link || (!node.parent.nil? && parent_node_link?(T.must(node.parent)))
         end
       end
     end

data/lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb

@@ -1,12 +1,14 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/pull_request_creator/message_builder"
 
 module Dependabot
   class PullRequestCreator
     class MessageBuilder
       class MetadataPresenter
+        extend T::Sig
         extend Forwardable
 
         attr_reader :dependency, :source, :metadata_finder,
@@ -192,7 +194,7 @@ module Dependabot
             unaffected_versions
             affected_versions
           ).each do |tp|
-            type = tp.split("_").first.capitalize
+            type = T.must(tp.split("_").first).capitalize
             next unless details[tp]
 
             versions_string = details[tp].any? ? details[tp].join("; ") : "none"