dependabot-common 0.239.0 → 0.240.0

data/lib/dependabot/pull_request_creator.rb

@@ -1,10 +1,13 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/metadata_finders"
 
 module Dependabot
   class PullRequestCreator
+    extend T::Sig
+
     require "dependabot/pull_request_creator/azure"
     require "dependabot/pull_request_creator/bitbucket"
     require "dependabot/pull_request_creator/codecommit"
@@ -42,7 +45,18 @@ module Dependabot
 
     # AnnotationError is raised if a PR was created, but failed annotation
     class AnnotationError < StandardError
-      attr_reader :cause, :pull_request
+      extend T::Sig
+
+      sig { returns(StandardError) }
+      attr_reader :cause
+
+      # TODO: Currently, this error is only used by the GitHub PR creator.
+      #       An Octokit update will likely give this a proper type,
+      #       but we should consider a `Dependabot::PullRequest` type.
+      sig { returns(Sawyer::Resource) }
+      attr_reader :pull_request
+
+      sig { params(cause: StandardError, pull_request: Sawyer::Resource).void }
       def initialize(cause, pull_request)
         super(cause.message)
         @cause = cause
@@ -50,15 +64,113 @@ module Dependabot
       end
     end
 
-    attr_reader :source, :dependencies, :files, :base_commit,
-                :credentials, :pr_message_header, :pr_message_footer,
-                :custom_labels, :author_details, :signature_key,
-                :commit_message_options, :vulnerabilities_fixed,
-                :reviewers, :assignees, :milestone, :branch_name_separator,
-                :branch_name_prefix, :branch_name_max_length, :github_redirection_service,
-                :custom_headers, :provider_metadata, :dependency_group, :pr_message_max_length,
-                :pr_message_encoding
-
+    sig { returns(Dependabot::Source) }
+    attr_reader :source
+
+    sig { returns(T::Array[Dependabot::Dependency]) }
+    attr_reader :dependencies
+
+    sig { returns(T::Array[Dependabot::DependencyFile]) }
+    attr_reader :files
+
+    sig { returns(String) }
+    attr_reader :base_commit
+
+    sig { returns(T::Array[T::Hash[String, String]]) }
+    attr_reader :credentials
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :pr_message_header
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :pr_message_footer
+
+    sig { returns(T.nilable(T::Array[String])) }
+    attr_reader :custom_labels
+
+    sig { returns(T.nilable(T::Hash[Symbol, String])) }
+    attr_reader :author_details
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :signature_key
+
+    sig { returns(T::Hash[Symbol, T.untyped]) }
+    attr_reader :commit_message_options
+
+    sig { returns(T::Hash[String, String]) }
+    attr_reader :vulnerabilities_fixed
+
+    sig { returns(T.nilable(T::Array[String])) }
+    attr_reader :reviewers
+
+    sig { returns(T.nilable(T::Array[String])) }
+    attr_reader :assignees
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :milestone
+
+    sig { returns(String) }
+    attr_reader :branch_name_separator
+
+    sig { returns(String) }
+    attr_reader :branch_name_prefix
+
+    sig { returns(T.nilable(Integer)) }
+    attr_reader :branch_name_max_length
+
+    sig { returns(String) }
+    attr_reader :github_redirection_service
+
+    sig { returns(T.nilable(T::Hash[String, String])) }
+    attr_reader :custom_headers
+
+    sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+    attr_reader :provider_metadata
+
+    sig { returns(T.nilable(Dependabot::DependencyGroup)) }
+    attr_reader :dependency_group
+
+    sig { returns(T.nilable(Integer)) }
+    attr_reader :pr_message_max_length
+
+    sig { returns(T.nilable(Encoding)) }
+    attr_reader :pr_message_encoding
+
+    sig do
+      params(
+        source: Dependabot::Source,
+        base_commit: String,
+        dependencies: T::Array[Dependabot::Dependency],
+        files: T::Array[Dependabot::DependencyFile],
+        credentials: T::Array[T::Hash[String, String]],
+        pr_message_header: T.nilable(String),
+        pr_message_footer: T.nilable(String),
+        custom_labels: T.nilable(T::Array[String]),
+        author_details: T.nilable(T::Hash[Symbol, String]),
+        signature_key: T.nilable(String),
+        commit_message_options: T::Hash[Symbol, T.untyped],
+        vulnerabilities_fixed: T::Hash[String, String],
+        reviewers: T.nilable(T::Array[String]),
+        assignees: T.nilable(T::Array[String]),
+        milestone: T.nilable(String),
+        branch_name_separator: String,
+        branch_name_prefix: String,
+        branch_name_max_length: T.nilable(Integer),
+        label_language: T::Boolean,
+        automerge_candidate: T::Boolean,
+        github_redirection_service: String,
+        custom_headers: T.nilable(T::Hash[String, String]),
+        require_up_to_date_base: T::Boolean,
+        provider_metadata: T.nilable(T::Hash[Symbol, T.untyped]),
+        message: T.nilable(
+          T.any(Dependabot::PullRequestCreator::Message, Dependabot::PullRequestCreator::MessageBuilder)
+        ),
+        dependency_group: T.nilable(Dependabot::DependencyGroup),
+        pr_message_max_length: T.nilable(Integer),
+        pr_message_encoding: T.nilable(Encoding)
+      )
+        .void
+    end
     def initialize(source:, base_commit:, dependencies:, files:, credentials:,
                    pr_message_header: nil, pr_message_footer: nil,
                    custom_labels: nil, author_details: nil, signature_key: nil,
@@ -103,6 +215,7 @@ module Dependabot
       check_dependencies_have_previous_version
     end
 
+    sig { void }
     def check_dependencies_have_previous_version
       return if dependencies.all? { |d| requirements_changed?(d) }
       return if dependencies.all?(&:previous_version)
@@ -111,6 +224,10 @@ module Dependabot
             "requirement to have a pull request created for them!"
     end
 
+    # TODO: This returns client-specific objects.
+    # We should create a standard interface (`Dependabot::PullRequest`) and
+    # then convert to that
+    sig { returns(T.untyped) }
     def create
       case source.provider
       when "github" then github_creator.create
@@ -124,18 +241,22 @@ module Dependabot
 
     private
 
+    sig { returns(T::Boolean) }
     def label_language?
       @label_language
     end
 
+    sig { returns(T::Boolean) }
     def automerge_candidate?
       @automerge_candidate
     end
 
+    sig { returns(T::Boolean) }
     def require_up_to_date_base?
       @require_up_to_date_base
     end
 
+    sig { returns(Dependabot::PullRequestCreator::Github) }
     def github_creator
       Github.new(
         source: source,
@@ -157,6 +278,7 @@ module Dependabot
       )
     end
 
+    sig { returns(Dependabot::PullRequestCreator::Gitlab) }
     def gitlab_creator
       Gitlab.new(
         source: source,
@@ -172,10 +294,11 @@ module Dependabot
         approvers: reviewers,
         assignees: assignees,
         milestone: milestone,
-        target_project_id: provider_metadata[:target_project_id]
+        target_project_id: provider_metadata&.fetch(:target_project_id)
       )
     end
 
+    sig { returns(Dependabot::PullRequestCreator::Azure) }
     def azure_creator
       Azure.new(
         source: source,
@@ -194,6 +317,7 @@ module Dependabot
       )
     end
 
+    sig { returns(Dependabot::PullRequestCreator::Bitbucket) }
     def bitbucket_creator
       Bitbucket.new(
         source: source,
@@ -210,6 +334,7 @@ module Dependabot
       )
     end
 
+    sig { returns(Dependabot::PullRequestCreator::Codecommit) }
     def codecommit_creator
       Codecommit.new(
         source: source,
@@ -226,6 +351,7 @@ module Dependabot
       )
     end
 
+    sig { returns(T.any(Dependabot::PullRequestCreator::Message, Dependabot::PullRequestCreator::MessageBuilder)) }
     def message
       return @message unless @message.nil?
 
@@ -257,8 +383,9 @@ module Dependabot
       )
     end
 
+    sig { returns(Dependabot::PullRequestCreator::BranchNamer) }
     def branch_namer
-      @branch_namer ||=
+      @branch_namer ||= T.let(
         BranchNamer.new(
           dependencies: dependencies,
           files: files,
@@ -268,11 +395,14 @@ module Dependabot
           prefix: branch_name_prefix,
           max_length: branch_name_max_length,
           includes_security_fixes: includes_security_fixes?
-        )
+        ),
+        T.nilable(Dependabot::PullRequestCreator::BranchNamer)
+      )
     end
 
+    sig { returns(Dependabot::PullRequestCreator::Labeler) }
     def labeler
-      @labeler ||=
+      @labeler ||= T.let(
         Labeler.new(
           source: source,
           custom_labels: custom_labels,
@@ -281,15 +411,19 @@ module Dependabot
           dependencies: dependencies,
           label_language: label_language?,
           automerge_candidate: automerge_candidate?
-        )
+        ),
+        T.nilable(Dependabot::PullRequestCreator::Labeler)
+      )
     end
 
+    sig { returns(T::Boolean) }
     def includes_security_fixes?
       vulnerabilities_fixed.values.flatten.any?
     end
 
+    sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
     def requirements_changed?(dependency)
-      (dependency.requirements - dependency.previous_requirements).any?
+      (dependency.requirements - T.must(dependency.previous_requirements)).any?
     end
   end
 end

data/lib/dependabot/pull_request_updater.rb

@@ -1,17 +1,58 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/pull_request_updater/github"
 require "dependabot/pull_request_updater/gitlab"
 require "dependabot/pull_request_updater/azure"
 
 module Dependabot
   class PullRequestUpdater
+    extend T::Sig
+
     class BranchProtected < StandardError; end
 
-    attr_reader :source, :files, :base_commit, :old_commit, :credentials,
-                :pull_request_number, :author_details, :signature_key, :provider_metadata
+    sig { returns(Dependabot::Source) }
+    attr_reader :source
+
+    sig { returns(T::Array[Dependabot::DependencyFile]) }
+    attr_reader :files
+
+    sig { returns(String) }
+    attr_reader :base_commit
+
+    sig { returns(String) }
+    attr_reader :old_commit
+
+    sig { returns(T::Array[T::Hash[String, String]]) }
+    attr_reader :credentials
+
+    sig { returns(Integer) }
+    attr_reader :pull_request_number
 
+    sig { returns(T.nilable(T::Hash[Symbol, String])) }
+    attr_reader :author_details
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :signature_key
+
+    sig { returns(T::Hash[Symbol, T.untyped]) }
+    attr_reader :provider_metadata
+
+    sig do
+      params(
+        source: Dependabot::Source,
+        base_commit: String,
+        old_commit: String,
+        files: T::Array[Dependabot::DependencyFile],
+        credentials: T::Array[T::Hash[String, String]],
+        pull_request_number: Integer,
+        author_details: T.nilable(T::Hash[Symbol, String]),
+        signature_key: T.nilable(String),
+        provider_metadata: T::Hash[Symbol, T.untyped]
+      )
+        .void
+    end
     def initialize(source:, base_commit:, old_commit:, files:,
                    credentials:, pull_request_number:,
                    author_details: nil, signature_key: nil,
@@ -27,6 +68,9 @@ module Dependabot
       @provider_metadata   = provider_metadata
     end
 
+    # TODO: Each implementation returns a client-specific type.
+    #       We should standardise this to return a `Dependabot::Branch` type instead.
+    sig { returns(T.untyped) }
     def update
       case source.provider
       when "github" then github_updater.update
@@ -38,6 +82,7 @@ module Dependabot
 
     private
 
+    sig { returns(Dependabot::PullRequestUpdater::Github) }
     def github_updater
       Github.new(
         source: source,
@@ -51,6 +96,7 @@ module Dependabot
       )
     end
 
+    sig { returns(Dependabot::PullRequestUpdater::Gitlab) }
     def gitlab_updater
       Gitlab.new(
         source: source,
@@ -63,6 +109,7 @@ module Dependabot
       )
     end
 
+    sig { returns(Dependabot::PullRequestUpdater::Azure) }
     def azure_updater
       Azure.new(
         source: source,

data/lib/dependabot/registry_client.rb

@@ -1,6 +1,7 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/shared_helpers"
 
 # This class provides a thin wrapper around our normal usage of Excon as a simple HTTP client in order to
@@ -11,10 +12,20 @@ require "dependabot/shared_helpers"
 # read-timeouts as some jobs tend to be sensitive to exceeding our overall 45 minute timeout.
 module Dependabot
   class RegistryClient
-    @cached_errors = {}
+    extend T::Sig
 
+    @cached_errors = T.let({}, T::Hash[T.nilable(String), Excon::Error::Timeout])
+
+    sig do
+      params(
+        url: String,
+        headers: T::Hash[Symbol, T.untyped],
+        options: T::Hash[Symbol, T.untyped]
+      )
+        .returns(Excon::Response)
+    end
     def self.get(url:, headers: {}, options: {})
-      raise cached_error_for(url) if cached_error_for(url)
+      raise T.must(cached_error_for(url)) if cached_error_for(url)
 
       Excon.get(
         url,
@@ -26,8 +37,16 @@ module Dependabot
       raise e
     end
 
+    sig do
+      params(
+        url: String,
+        headers: T::Hash[Symbol, T.untyped],
+        options: T::Hash[Symbol, T.untyped]
+      )
+        .returns(Excon::Response)
+    end
     def self.head(url:, headers: {}, options: {})
-      raise cached_error_for(url) if cached_error_for(url)
+      raise T.must(cached_error_for(url)) if cached_error_for(url)
 
       Excon.head(
         url,
@@ -39,15 +58,18 @@ module Dependabot
       raise e
     end
 
+    sig { void }
     def self.clear_cache!
       @cached_errors = {}
     end
 
+    sig { params(url: String, error: Excon::Error::Timeout).void }
     private_class_method def self.cache_error(url, error)
       host = URI(url).host
       @cached_errors[host] = error
     end
 
+    sig { params(url: String).returns(T.nilable(Excon::Error::Timeout)) }
     private_class_method def self.cached_error_for(url)
       host = URI(url).host
       @cached_errors.fetch(host, nil)

data/lib/dependabot/version.rb

@@ -1,21 +1,75 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   class Version < Gem::Version
+    extend T::Sig
+    extend T::Helpers
+
+    abstract!
+
+    sig do
+      override
+        .overridable
+        .params(
+          version: T.any(
+            String,
+            Integer,
+            Float,
+            Gem::Version,
+            NilClass
+          )
+        )
+        .void
+    end
     def initialize(version)
-      @original_version = version
+      @original_version = T.let(version.to_s, String)
 
-      super
+      T.unsafe(super(version))
+    end
+
+    sig do
+      override
+        .overridable
+        .params(
+          version: T.any(
+            String,
+            Integer,
+            Float,
+            Gem::Version,
+            NilClass
+          )
+        )
+        .returns(Dependabot::Version)
+    end
+    def self.new(version)
+      T.cast(super, Dependabot::Version)
     end
 
     # Opt-in to Rubygems 4 behavior
+    sig do
+      override
+        .overridable
+        .params(
+          version: T.any(
+            String,
+            Integer,
+            Float,
+            Gem::Version,
+            NilClass
+          )
+        )
+        .returns(T::Boolean)
+    end
     def self.correct?(version)
       return false if version.nil?
 
       version.to_s.match?(ANCHORED_VERSION_PATTERN)
     end
 
+    sig { overridable.returns(String) }
     def to_semver
       @original_version
     end

data/lib/dependabot/workspace/git.rb

@@ -31,7 +31,10 @@ module Dependabot
 
       sig { override.returns(String) }
       def to_patch
-        run_shell_command("git diff --patch #{@initial_head_sha}.. .")
+        run_shell_command(
+          "git diff --patch #{@initial_head_sha}.. .",
+          fingerprint: "git diff --path <initial_head_sha>.. ."
+        )
       end
 
       sig { override.returns(NilClass) }
@@ -103,17 +106,27 @@ module Dependabot
 
       sig { params(ignored_mode: String).returns(String) }
       def changed_files(ignored_mode: "traditional")
-        run_shell_command("git status --untracked-files=all --ignored=#{ignored_mode} --short .").strip
+        run_shell_command(
+          "git status --untracked-files=all --ignored=#{ignored_mode} --short .",
+          fingerprint: "git status --untracked-files=all --ignored=<ignored_mode> --short ."
+        ).strip
       end
 
       sig { params(memo: T.nilable(String)).returns([String, String]) }
       def stash(memo = nil)
         msg = memo || "workspace change attempt"
         run_shell_command("git add --all --force .")
-        run_shell_command(%(git stash push --all -m "#{msg}"), allow_unsafe_shell_command: true)
+        run_shell_command(
+          %(git stash push --all -m "#{msg}"),
+          fingerprint: "git stash push --all -m \"<msg>\"",
+          allow_unsafe_shell_command: true
+        )
 
         sha = last_stash_sha
-        diff = run_shell_command("git stash show --patch #{sha}")
+        diff = run_shell_command(
+          "git stash show --patch #{sha}",
+          fingerprint: "git stash show --patch <sha>"
+        )
 
         [sha, diff]
       end
@@ -124,14 +137,21 @@ module Dependabot
         diff = run_shell_command("git diff --cached .")
 
         msg = memo || "workspace change"
-        run_shell_command(%(git commit -m "#{msg}"), allow_unsafe_shell_command: true)
+        run_shell_command(
+          %(git commit -m "#{msg}"),
+          fingerprint: "git commit -m \"<msg>\"",
+          allow_unsafe_shell_command: true
+        )
 
         [head_sha, diff]
       end
 
       sig { params(sha: String).returns(String) }
       def reset(sha)
-        run_shell_command("git reset --hard #{sha}")
+        run_shell_command(
+          "git reset --hard #{sha}",
+          fingerprint: "git reset --hard <sha>"
+        )
       end
 
       sig { override.returns(String) }
@@ -139,7 +159,7 @@ module Dependabot
         run_shell_command("git clean -fx .")
       end
 
-      sig { params(args: String, kwargs: T::Boolean).returns(String) }
+      sig { params(args: String, kwargs: T.any(T::Boolean, String)).returns(String) }
       def run_shell_command(*args, **kwargs)
         Dir.chdir(path) { T.unsafe(SharedHelpers).run_shell_command(*args, **kwargs) }
       end

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.239.0"
+  VERSION = "0.240.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.239.0
+  version: 0.240.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-12-28 00:00:00.000000000 Z
+date: 2024-01-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -256,14 +256,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.11026
+        version: 0.5.11178
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.5.11026
+        version: 0.5.11178
 - !ruby/object:Gem::Dependency
   name: toml-rb
   requirement: !ruby/object:Gem::Requirement
@@ -466,6 +466,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.18'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.7'
 description: Dependabot-Common provides the shared code used across Dependabot. If
   you want support for multiple package managers, you probably want the meta-gem dependabot-omnibus.
 email: opensource@github.com
@@ -558,7 +572,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.239.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.240.0
 post_install_message: 
 rdoc_options: []
 require_paths: