dependabot-common 0.238.0 → 0.239.0

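--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 77312fe42bc6241de9c474fa2a1bab0dd3955bff4c2846bc057e52684f1b48bf
-data.tar.gz: 72fbe948d041e0d1e2fd717fa98a2358e32413408ed2d147d6cbd58107d8d5ba
+metadata.gz: 05ce845694a06ef06ec108aada0ff902b7b08a7a8fc41c23531e00b2252436ae
+data.tar.gz: 72cc39025cf3a411bed2f82d113474dae965e57c06b15d1abe78f93794562c8c
 SHA512:
-metadata.gz: f108dbeb6f04a42d5b5b4e30baecad3d376bd82615e067b3ca2696bbdcefd875c55c4dd18da926b597641691e47edb034244d4d170030cbf8055d3c29e9de3cf
-data.tar.gz: e14a429b7dadcd27eccd9e049fb6ebd4a405e8e86229eb683c47d1cb72e911a0da4ae3cab50a3a883000f49ef19e33716cfc2a1fd17181d89858da9644ff80e2
+metadata.gz: ee1859d83b60cf7ddeab1b98c04666198da262a86c5875ed6ff586c9637c877075d9687b3657f38e0bcbf5669584d545a790a2c68e82e9499e5c30b4353d9890
+data.tar.gz: c4f99509fbd5846a9d07caa227cc67152933da70bea50246c1d6fe20ab9fc67cbb6d141753b89a4b7ed08bf9a73e4520a3c738fa33f4169ea5a19225db9698c6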
@@ -13,19 +13,19 @@ module Dependabot
13
13
  sig { returns(T::Array[T::Hash[Symbol, String]]) }
14
14
  attr_reader :updates
15
15
 
16
- sig { returns T::Array[T.untyped] }
16
+ sig { returns(T::Hash[Symbol, T::Hash[Symbol, String]]) }
17
17
  attr_reader :registries
18
18
 
19
19
  sig do
20
20
  params(
21
21
  updates: T.nilable(T::Array[T::Hash[Symbol, String]]),
22
- registries: T.nilable(T::Array[T.untyped])
22
+ registries: T.nilable(T::Hash[Symbol, T::Hash[Symbol, String]])
23
23
  )
24
24
  .void
25
25
  end
26
26
  def initialize(updates:, registries: nil)
27
27
  @updates = T.let(updates || [], T::Array[T::Hash[Symbol, String]])
28
- @registries = T.let(registries || [], T::Array[T.untyped])
28
+ @registries = T.let(registries || {}, T::Hash[Symbol, T::Hash[Symbol, String]])
29
29
  end
30
30
 
31
31
  sig do
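Review bot: `registries` changes shape from `T::Array[T.untyped]` to `T::Hash[Symbol, T::Hash[Symbol, String]]`, with the default moving from `[]` to `{}`, and nothing on the attr_reader tells a consumer that; code that iterated the old value as a list will now receive key/value pairs, while `empty?` keeps working on both. A comment on the reader would make the narrowing explicit, e.g. `# Registries keyed by their config name; each value is that registry's settings hash`. The enclosing class header is outside the hunk, so callers within this file could not be checked.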
@@ -1,11 +1,14 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "sorbet-runtime"
5
5
  require "dependabot/utils"
6
6
 
7
7
  module Dependabot
8
+ extend T::Sig
9
+
8
10
  # rubocop:disable Metrics/MethodLength
11
+ sig { params(error: StandardError).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
9
12
  def self.fetcher_error_details(error)
10
13
  case error
11
14
  when Dependabot::ToolVersionNotSupported
@@ -70,12 +73,13 @@ module Dependabot
70
73
  {
71
74
  "error-type": "octokit_rate_limited",
72
75
  "error-detail": {
73
- "rate-limit-reset": error.response_headers["X-RateLimit-Reset"]
76
+ "rate-limit-reset": T.cast(error, Octokit::Error).response_headers["X-RateLimit-Reset"]
74
77
  }
75
78
  }
76
79
  end
77
80
  end
78
81
 
82
+ sig { params(error: StandardError).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
79
83
  def self.parser_error_details(error)
80
84
  case error
81
85
  when Dependabot::DependencyFileNotEvaluatable
@@ -136,6 +140,7 @@ module Dependabot
136
140
  end
137
141
  end
138
142
 
143
+ sig { params(error: StandardError).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
139
144
  def self.updater_error_details(error)
140
145
  case error
141
146
  when Dependabot::DependencyFileNotResolvable
@@ -207,7 +212,7 @@ module Dependabot
207
212
  {
208
213
  "error-type": "octokit_rate_limited",
209
214
  "error-detail": {
210
- "rate-limit-reset": error.response_headers["X-RateLimit-Reset"]
215
+ "rate-limit-reset": T.cast(error, Octokit::Error).response_headers["X-RateLimit-Reset"]
211
216
  }
212
217
  }
213
218
  end
@@ -376,23 +381,28 @@ module Dependabot
376
381
  class DependencyFileNotFound < DependabotError
377
382
  extend T::Sig
378
383
 
379
- sig { returns(String) }
384
+ sig { returns(T.nilable(String)) }
380
385
  attr_reader :file_path
381
386
 
387
+ sig { params(file_path: T.nilable(String), msg: T.nilable(String)).void }
382
388
  def initialize(file_path, msg = nil)
383
389
  @file_path = file_path
384
390
  super(msg || "#{file_path} not found")
385
391
  end
386
392
 
387
- sig { returns(String) }
393
+ sig { returns(T.nilable(String)) }
388
394
  def file_name
389
- T.must(file_path.split("/").last)
395
+ return unless file_path
396
+
397
+ T.must(file_path).split("/").last
390
398
  end
391
399
 
392
- sig { returns(String) }
400
+ sig { returns(T.nilable(String)) }
393
401
  def directory
394
402
  # Directory should always start with a `/`
395
- T.must(file_path.split("/")[0..-2]).join("/").sub(%r{^/*}, "/")
403
+ return unless file_path
404
+
405
+ T.must(T.must(file_path).split("/")[0..-2]).join("/").sub(%r{^/*}, "/")
396
406
  end
397
407
  end
398
408
 
@@ -434,8 +444,9 @@ module Dependabot
434
444
  sig { returns(String) }
435
445
  attr_reader :source
436
446
 
447
+ sig { params(source: T.nilable(String)).void }
437
448
  def initialize(source)
438
- @source = T.let(sanitize_source(source), String)
449
+ @source = T.let(sanitize_source(T.must(source)), String)
439
450
  msg = "The following source could not be reached as it requires " \
440
451
  "authentication (and any provided details were invalid or lacked " \
441
452
  "the required permissions): #{@source}"
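Review bot: The added `sig` on this `initialize` declares `source` as `T.nilable(String)`, yet the body wraps it in `T.must(source)` before `sanitize_source`, so passing nil now raises a sorbet-runtime `TypeError` while the exception is being built instead of producing the error object the caller was trying to raise. The signature should match the code, `sig { params(source: String).void }`, or nil should be handled before sanitizing; the current pair advertises an input the constructor cannot take. The same pattern appears in `DependencyFileNotFound` earlier in this section, where `file_path` is made nilable and a nil value yields the message `" not found"`; a fallback in the default message would keep it readable. This `initialize` continues past the end of the hunk.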
@@ -1,18 +1,25 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
5
+
4
6
  module Dependabot
5
7
  module Experiments
6
- @experiments = {}
8
+ extend T::Sig
9
+
10
+ @experiments = T.let({}, T::Hash[T.any(String, Symbol), T.untyped])
7
11
 
12
+ sig { returns(T::Hash[T.any(String, Symbol), T.untyped]) }
8
13
  def self.reset!
9
14
  @experiments = {}
10
15
  end
11
16
 
17
+ sig { params(name: T.any(String, Symbol), value: T.untyped).void }
12
18
  def self.register(name, value)
13
19
  @experiments[name.to_sym] = value
14
20
  end
15
21
 
22
+ sig { params(name: T.any(String, Symbol)).returns(T::Boolean) }
16
23
  def self.enabled?(name)
17
24
  !!@experiments[name.to_sym]
18
25
  end
@@ -1,10 +1,16 @@
1
- # typed: true
1
+ # typed: strong
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
5
+ require "dependabot/metadata_finders/base"
6
+
4
7
  module Dependabot
5
8
  module MetadataFinders
6
- @metadata_finders = {}
9
+ extend T::Sig
10
+
11
+ @metadata_finders = T.let({}, T::Hash[String, T.class_of(Dependabot::MetadataFinders::Base)])
7
12
 
13
+ sig { params(package_manager: String).returns(T.class_of(Dependabot::MetadataFinders::Base)) }
8
14
  def self.for_package_manager(package_manager)
9
15
  metadata_finder = @metadata_finders[package_manager]
10
16
  return metadata_finder if metadata_finder
@@ -12,6 +18,7 @@ module Dependabot
12
18
  raise "Unsupported package_manager #{package_manager}"
13
19
  end
14
20
 
21
+ sig { params(package_manager: String, metadata_finder: T.class_of(Dependabot::MetadataFinders::Base)).void }
15
22
  def self.register(package_manager, metadata_finder)
16
23
  @metadata_finders[package_manager] = metadata_finder
17
24
  end
@@ -1,12 +1,43 @@
1
- # typed: true
1
+ # typed: strong
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
5
+
4
6
  module Dependabot
5
7
  class PullRequestCreator
6
8
  class BranchNamer
7
9
  class Base
8
- attr_reader :dependencies, :files, :target_branch, :separator, :prefix, :max_length
10
+ extend T::Sig
11
+
12
+ sig { returns(T::Array[Dependency]) }
13
+ attr_reader :dependencies
14
+
15
+ sig { returns(T::Array[DependencyFile]) }
16
+ attr_reader :files
17
+
18
+ sig { returns(T.nilable(String)) }
19
+ attr_reader :target_branch
9
20
 
21
+ sig { returns(String) }
22
+ attr_reader :separator
23
+
24
+ sig { returns(String) }
25
+ attr_reader :prefix
26
+
27
+ sig { returns(T.nilable(Integer)) }
28
+ attr_reader :max_length
29
+
30
+ sig do
31
+ params(
32
+ dependencies: T::Array[Dependency],
33
+ files: T::Array[DependencyFile],
34
+ target_branch: T.nilable(String),
35
+ separator: String,
36
+ prefix: String,
37
+ max_length: T.nilable(Integer)
38
+ )
39
+ .void
40
+ end
10
41
  def initialize(dependencies:, files:, target_branch:, separator: "/",
11
42
  prefix: "dependabot", max_length: nil)
12
43
  @dependencies = dependencies
@@ -19,6 +50,7 @@ module Dependabot
19
50
 
20
51
  private
21
52
 
53
+ sig { params(ref_name: String).returns(String) }
22
54
  def sanitize_branch_name(ref_name)
23
55
  # General git ref validation
24
56
  sanitized_name = sanitize_ref(ref_name)
@@ -27,14 +59,15 @@ module Dependabot
27
59
  sanitized_name = sanitized_name.gsub("/", separator)
28
60
 
29
61
  # Shorten the ref in case users refs have length limits
30
- if max_length && (sanitized_name.length > max_length)
31
- sha = Digest::SHA1.hexdigest(sanitized_name)[0, max_length]
32
- sanitized_name[[max_length - sha.size, 0].max..] = sha
62
+ if max_length && (sanitized_name.length > T.must(max_length))
63
+ sha = T.must(Digest::SHA1.hexdigest(sanitized_name)[0, T.must(max_length)])
64
+ sanitized_name[[T.must(max_length) - sha.size, 0].max..] = sha
33
65
  end
34
66
 
35
67
  sanitized_name
36
68
  end
37
69
 
70
+ sig { params(ref: String).returns(String) }
38
71
  def sanitize_ref(ref)
39
72
  # This isn't a complete implementation of git's ref validation, but it
40
73
  # covers most cases that crop up. Its list of allowed characters is a
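Review bot: The shortening branch of `sanitize_branch_name` now repeats `T.must(max_length)` three times because `max_length` is an attr_reader that Sorbet cannot narrow; reading it into a local once, `limit = max_length`, removes every cast and keeps the guard readable: `if limit && sanitized_name.length > limit`, `sha = T.must(Digest::SHA1.hexdigest(sanitized_name)[0, limit])`, `sanitized_name[[limit - sha.size, 0].max..] = sha`. The new `sig` on this method also deserves a sentence, since the truncation-by-digest behaviour is the non-obvious part: `# Truncates over-long names to max_length by replacing the tail with a SHA1 prefix so the result stays unique.` `sanitize_ref` begins at the end of the hunk and its body lies outside it.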
@@ -8,17 +8,18 @@ module Dependabot
8
8
  class BranchNamer
9
9
  class DependencyGroupStrategy < Base
10
10
  def initialize(dependencies:, files:, target_branch:, dependency_group:,
11
- separator: "/", prefix: "dependabot", max_length: nil)
11
+ separator: "/", prefix: "dependabot", max_length: nil, includes_security_fixes:)
12
12
  super(
13
13
  dependencies: dependencies,
14
14
  files: files,
15
15
  target_branch: target_branch,
16
16
  separator: separator,
17
17
  prefix: prefix,
18
- max_length: max_length
18
+ max_length: max_length,
19
19
  )
20
20
 
21
21
  @dependency_group = dependency_group
22
+ @includes_security_fixes = includes_security_fixes
22
23
  end
23
24
 
24
25
  def new_branch_name
@@ -45,7 +46,11 @@ module Dependabot
45
46
  # Let's append a short hash digest of the dependency changes so that we can
46
47
  # meet this guarantee.
47
48
  def group_name_with_dependency_digest
48
- "#{dependency_group.name}-#{dependency_digest}"
49
+ if @includes_security_fixes
50
+ "group-security-#{package_manager}-#{dependency_digest}"
51
+ else
52
+ "#{dependency_group.name}-#{dependency_digest}"
53
+ end
49
54
  end
50
55
 
51
56
  def dependency_digest
@@ -55,11 +60,11 @@ module Dependabot
55
60
  end
56
61
 
57
62
  def package_manager
58
- dependencies.first.package_manager
63
+ T.must(dependencies.first).package_manager
59
64
  end
60
65
 
61
66
  def directory
62
- files.first.directory.tr(" ", "-")
67
+ T.must(files.first).directory.tr(" ", "-")
63
68
  end
64
69
  end
65
70
  end
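Review bot: The new `includes_security_fixes:` keyword on `DependencyGroupStrategy#initialize` has no default and sits after the defaulted keywords, so any construction that omits it raises `ArgumentError`, whereas `BranchNamer#initialize` later in this diff defaults the same flag to `false`; for consistency I would write `separator: "/", prefix: "dependabot", max_length: nil, includes_security_fixes: false)`. The flag is then read as the bare ivar `@includes_security_fixes` in `group_name_with_dependency_digest` while the other attributes go through readers; an `attr_reader :includes_security_fixes` (or a `T.let` on the assignment if this file is typed strict — the sigil is outside the hunk) would keep the class uniform. The `BranchNamer` call site shown later in the diff does pass the keyword, so the visible caller is unaffected.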
@@ -38,31 +38,31 @@ module Dependabot
38
38
  [
39
39
  prefix,
40
40
  package_manager,
41
- files.first.directory.tr(" ", "-"),
41
+ T.must(files.first).directory.tr(" ", "-"),
42
42
  target_branch
43
43
  ].compact
44
44
  end
45
45
 
46
46
  def package_manager
47
- dependencies.first.package_manager
47
+ T.must(dependencies.first).package_manager
48
48
  end
49
49
 
50
50
  def updating_a_property?
51
- dependencies.first
52
- .requirements
53
- .any? { |r| r.dig(:metadata, :property_name) }
51
+ T.must(dependencies.first)
52
+ .requirements
53
+ .any? { |r| r.dig(:metadata, :property_name) }
54
54
  end
55
55
 
56
56
  def updating_a_dependency_set?
57
- dependencies.first
58
- .requirements
59
- .any? { |r| r.dig(:metadata, :dependency_set) }
57
+ T.must(dependencies.first)
58
+ .requirements
59
+ .any? { |r| r.dig(:metadata, :dependency_set) }
60
60
  end
61
61
 
62
62
  def property_name
63
- @property_name ||= dependencies.first.requirements
64
- .find { |r| r.dig(:metadata, :property_name) }
65
- &.dig(:metadata, :property_name)
63
+ @property_name ||= T.must(dependencies.first).requirements
64
+ .find { |r| r.dig(:metadata, :property_name) }
65
+ &.dig(:metadata, :property_name)
66
66
 
67
67
  raise "No property name!" unless @property_name
68
68
 
@@ -70,9 +70,9 @@ module Dependabot
70
70
  end
71
71
 
72
72
  def dependency_set
73
- @dependency_set ||= dependencies.first.requirements
74
- .find { |r| r.dig(:metadata, :dependency_set) }
75
- &.dig(:metadata, :dependency_set)
73
+ @dependency_set ||= T.must(dependencies.first).requirements
74
+ .find { |r| r.dig(:metadata, :dependency_set) }
75
+ &.dig(:metadata, :dependency_set)
76
76
 
77
77
  raise "No dependency set!" unless @dependency_set
78
78
 
@@ -82,7 +82,7 @@ module Dependabot
82
82
  def branch_version_suffix
83
83
  dep = dependencies.first
84
84
 
85
- if dep.removed?
85
+ if T.must(dep).removed?
86
86
  "-removed"
87
87
  elsif library? && ref_changed?(dep) && new_ref(dep)
88
88
  new_ref(dep)
@@ -11,10 +11,11 @@ require "dependabot/pull_request_creator/branch_namer/dependency_group_strategy"
11
11
  module Dependabot
12
12
  class PullRequestCreator
13
13
  class BranchNamer
14
- attr_reader :dependencies, :files, :target_branch, :separator, :prefix, :max_length, :dependency_group
14
+ attr_reader :dependencies, :files, :target_branch, :separator, :prefix, :max_length, :dependency_group,
15
+ :includes_security_fixes
15
16
 
16
17
  def initialize(dependencies:, files:, target_branch:, dependency_group: nil,
17
- separator: "/", prefix: "dependabot", max_length: nil)
18
+ separator: "/", prefix: "dependabot", max_length: nil, includes_security_fixes: false)
18
19
  @dependencies = dependencies
19
20
  @files = files
20
21
  @target_branch = target_branch
@@ -22,6 +23,7 @@ module Dependabot
22
23
  @separator = separator
23
24
  @prefix = prefix
24
25
  @max_length = max_length
26
+ @includes_security_fixes = includes_security_fixes
25
27
  end
26
28
 
27
29
  def new_branch_name
@@ -49,7 +51,8 @@ module Dependabot
49
51
  dependency_group: dependency_group,
50
52
  separator: separator,
51
53
  prefix: prefix,
52
- max_length: max_length
54
+ max_length: max_length,
55
+ includes_security_fixes: includes_security_fixes
53
56
  )
54
57
  end
55
58
  end
@@ -210,7 +210,7 @@ module Dependabot
210
210
 
211
211
  {
212
212
  path: file.realpath,
213
- mode: (file.mode || Dependabot::DependencyFile::Mode::FILE),
213
+ mode: file.mode || Dependabot::DependencyFile::Mode::FILE,
214
214
  type: "blob"
215
215
  }.merge(content)
216
216
  end
@@ -148,7 +148,6 @@ module Dependabot
148
148
  end
149
149
 
150
150
  def build_details_tag(summary:, body:)
151
- # Azure DevOps does not support <details> tag (https://developercommunity.visualstudio.com/content/problem/608769/add-support-for-in-markdown.html)
152
151
  # Bitbucket does not support <details> tag (https://jira.atlassian.com/browse/BCLOUD-20231)
153
152
  # CodeCommit does not support the <details> tag (no url available)
154
153
  if source_provider_supports_html?
@@ -244,7 +243,7 @@ module Dependabot
244
243
  end
245
244
 
246
245
  def source_provider_supports_html?
247
- !%w(azure bitbucket codecommit).include?(source.provider)
246
+ !%w(bitbucket codecommit).include?(source.provider)
248
247
  end
249
248
 
250
249
  def sanitize_links_and_mentions(text, unsafe: false)
@@ -492,7 +492,7 @@ module Dependabot
492
492
  end
493
493
 
494
494
  def metadata_links
495
- return metadata_links_for_dep(dependencies.first) if dependencies.count == 1
495
+ return metadata_links_for_dep(dependencies.first) if dependencies.count == 1 && dependency_group.nil?
496
496
 
497
497
  dependencies.map do |dep|
498
498
  if dep.removed?
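Review bot: Removing `azure` from `source_provider_supports_html?` means Azure DevOps pull-request bodies now receive raw `<details>` HTML, yet the hunk gives no reason for lifting the restriction, while the deleted comment in `build_details_tag` had cited the tracker issue the old behaviour rested on. A one-line comment next to the list would preserve that trail, e.g. `# Azure DevOps renders <details>; Bitbucket and CodeCommit still do not — see <TRACKER-LINK>` with the reference filled in. Since the body is passed through `sanitize_links_and_mentions(text, unsafe: false)` further down, it is worth confirming that the HTML path is covered by a test for the Azure provider. Both methods in this section are cut off by their hunks.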
@@ -266,7 +266,8 @@ module Dependabot
266
266
  dependency_group: dependency_group,
267
267
  separator: branch_name_separator,
268
268
  prefix: branch_name_prefix,
269
- max_length: branch_name_max_length
269
+ max_length: branch_name_max_length,
270
+ includes_security_fixes: includes_security_fixes?
270
271
  )
271
272
  end
272
273
 
@@ -0,0 +1,20 @@
1
+ # typed: strong
2
+ # frozen_string_literal: true
3
+
4
+ require "sorbet-runtime"
5
+
6
+ module Dependabot
7
+ class Requirement < Gem::Requirement
8
+ extend T::Sig
9
+ extend T::Helpers
10
+
11
+ abstract!
12
+
13
+ sig do
14
+ abstract
15
+ .params(requirement_string: T.nilable(String))
16
+ .returns(T::Array[Requirement])
17
+ end
18
+ def self.requirements_array(requirement_string); end
19
+ end
20
+ end
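Review bot: The new abstract `Dependabot::Requirement` carries no comment explaining its role or what a concrete subclass must supply, and `abstract!` makes sorbet-runtime reject `Dependabot::Requirement.new` at runtime, which a reader used to `Gem::Requirement` would not expect. I would add a class comment such as `# Base class for ecosystem-specific requirement classes. Subclasses implement .requirements_array and are registered through register_requirement_class (see dependabot/utils).` and a short YARD note on `requirements_array` describing the accepted input string and the returned array. The file is complete within the hunk.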
@@ -4,6 +4,8 @@
4
4
  require "tmpdir"
5
5
  require "set"
6
6
  require "sorbet-runtime"
7
+
8
+ require "dependabot/requirement"
7
9
  require "dependabot/version"
8
10
  require "dependabot/config/file"
9
11
 
@@ -33,9 +35,9 @@ module Dependabot
33
35
  @version_classes[package_manager] = version_class
34
36
  end
35
37
 
36
- @requirement_classes = T.let({}, T::Hash[String, T.class_of(Gem::Requirement)])
38
+ @requirement_classes = T.let({}, T::Hash[String, T.class_of(Dependabot::Requirement)])
37
39
 
38
- sig { params(package_manager: String).returns(T.class_of(Gem::Requirement)) }
40
+ sig { params(package_manager: String).returns(T.class_of(Dependabot::Requirement)) }
39
41
  def self.requirement_class_for_package_manager(package_manager)
40
42
  requirement_class = @requirement_classes[package_manager]
41
43
  return requirement_class if requirement_class
@@ -43,7 +45,7 @@ module Dependabot
43
45
  raise "Unregistered package_manager #{package_manager}"
44
46
  end
45
47
 
46
- sig { params(package_manager: String, requirement_class: T.class_of(Gem::Requirement)).void }
48
+ sig { params(package_manager: String, requirement_class: T.class_of(Dependabot::Requirement)).void }
47
49
  def self.register_requirement_class(package_manager, requirement_class)
48
50
  validate_package_manager!(package_manager)
49
51
 
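Review bot: Narrowing `register_requirement_class` from `T.class_of(Gem::Requirement)` to `T.class_of(Dependabot::Requirement)` means an ecosystem that still registers a class deriving directly from `Gem::Requirement` fails sig validation at registration time (a sorbet-runtime `TypeError`, assuming runtime checking is on) rather than at first use, so this is a breaking change for the ecosystem gems that should be called out. The hunk adds no comment on the new constraint; a line such as `# Requirement classes must subclass Dependabot::Requirement (lib/dependabot/requirement.rb)` beside the `T.let` would save the next reader a search. `requirement_class_for_package_manager` and `register_requirement_class` both continue past their hunks.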
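--- a/data/lib/dependabot.rb
+++ b/data/lib/dependabot.rb
@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-VERSION = "0.238.0"
+VERSION = "0.239.0"
 end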
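--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-version: 0.238.0
+version: 0.239.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-07 00:00:00.000000000 Z
+date: 2023-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk-codecommit
@@ -374,14 +374,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.57.2
+version: 1.58.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.57.2
+version: 1.58.0
 - !ruby/object:Gem::Dependency
 name: rubocop-performance
 requirement: !ruby/object:Gem::Requirement
@@ -537,6 +537,7 @@ files:
 - lib/dependabot/pull_request_updater/github.rb
 - lib/dependabot/pull_request_updater/gitlab.rb
 - lib/dependabot/registry_client.rb
+- lib/dependabot/requirement.rb
 - lib/dependabot/security_advisory.rb
 - lib/dependabot/shared_helpers.rb
 - lib/dependabot/simple_instrumentor.rb
@@ -557,7 +558,7 @@ licenses:
 - Nonstandard
 metadata:
 bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.238.0
+changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.239.0
 post_install_message:
 rdoc_options: []
 require_paths: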