dependabot-common 0.240.0 → 0.242.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c5411b63b39f43e2f41b430d63a0c105d3c8db50e355d3e0fb7b95c37350acc0
-  data.tar.gz: 1dc6db6e42d21fd8626dd06b46b355230db571d061940b358be515804987dec9
+  metadata.gz: 8b85f6eea900488026cdee04e04dd5b51df99f8bafcff4c83ae83c5dfeb54c63
+  data.tar.gz: 30a4355a110f4be117fd9ece16d437f8a28704e75a7e0a62e4a5a5055c63e0cd
 SHA512:
-  metadata.gz: 52447502758cd700e913e169bfadb0ad92587e988b5a2086ae77fe01e4ae7a09a985ad2c07b91c6a8ac09f5b2016d15c256f67d698f32bbc45a9b9d271dee489
-  data.tar.gz: 325168ff256723e4d503dcba9818bdf11a969e778edccbbf28882cc560ea67f7eeeb68b5e54e843409abaa19d5f9010f027e929c4f1c827619ca8efd50257093
+  metadata.gz: c928acaa28bf821c081dd80afda5aa16551a09ab031a28ea60241742d23ffeb54186087fca915317d811b88881bbe6ce99f3b343f45d8efd538aee1c9b7524cd
+  data.tar.gz: a2a4d975f4010b24077d4b558f8d1e4806230411b0d98983c58c7df5be2dd41a2e39868c1a346132743de560fdf28a059cbbb5800bae3ac19333008db3504591

data/lib/dependabot/config/file.rb

@@ -61,6 +61,7 @@ module Dependabot
         "bundler" => "bundler",
         "cargo" => "cargo",
         "composer" => "composer",
+        "devcontainer" => "devcontainers",
         "docker" => "docker",
         "elm" => "elm",
         "github-actions" => "github_actions",

data/lib/dependabot/file_parsers/base.rb

@@ -1,12 +1,43 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module FileParsers
     class Base
-      attr_reader :dependency_files, :repo_contents_path, :credentials, :source, :options
+      extend T::Sig
+      extend T::Helpers
+
+      abstract!
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :dependency_files
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :repo_contents_path
+
+      sig { returns(T::Array[T::Hash[String, String]]) }
+      attr_reader :credentials
 
-      def initialize(dependency_files:, repo_contents_path: nil, source:,
+      sig { returns(T.nilable(Dependabot::Source)) }
+      attr_reader :source
+
+      sig { returns(T::Hash[Symbol, T.untyped]) }
+      attr_reader :options
+
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile],
+          source: T.nilable(Dependabot::Source),
+          repo_contents_path: T.nilable(String),
+          credentials: T::Array[T::Hash[String, String]],
+          reject_external_code: T::Boolean,
+          options: T::Hash[Symbol, T.untyped]
+        )
+          .void
+      end
+      def initialize(dependency_files:, source:, repo_contents_path: nil,
                      credentials: [], reject_external_code: false, options: {})
         @dependency_files = dependency_files
         @repo_contents_path = repo_contents_path
@@ -18,16 +49,15 @@ module Dependabot
         check_required_files
       end
 
-      def parse
-        raise NotImplementedError
-      end
+      sig { abstract.returns(Dependabot::DependencyFile) }
+      def parse; end
 
       private
 
-      def check_required_files
-        raise NotImplementedError
-      end
+      sig { abstract.void }
+      def check_required_files; end
 
+      sig { params(filename: String).returns(T.nilable(Dependabot::DependencyFile)) }
       def get_original_file(filename)
         dependency_files.find { |f| f.name == filename }
       end

data/lib/dependabot/git_commit_checker.rb

@@ -1,8 +1,9 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "excon"
 require "gitlab"
+require "sorbet-runtime"
 require "dependabot/clients/github_with_retries"
 require "dependabot/clients/gitlab_with_retries"
 require "dependabot/clients/bitbucket_with_retries"
@@ -13,7 +14,10 @@ require "dependabot/source"
 require "dependabot/dependency"
 require "dependabot/git_metadata_fetcher"
 module Dependabot
+  # rubocop:disable Metrics/ClassLength
   class GitCommitChecker
+    extend T::Sig
+
     VERSION_REGEX = /
       (?<version>
         (?<=^v)[0-9]+(?:\-[a-z0-9]+)?
@@ -22,6 +26,17 @@ module Dependabot
       )$
     /ix
 
+    sig do
+      params(
+        dependency: Dependabot::Dependency,
+        credentials: T::Array[T::Hash[String, String]],
+        ignored_versions: T::Array[String],
+        raise_on_ignored: T::Boolean,
+        consider_version_branches_pinned: T::Boolean,
+        dependency_source_details: T.nilable(T::Hash[Symbol, String])
+      )
+        .void
+    end
     def initialize(dependency:, credentials:,
                    ignored_versions: [], raise_on_ignored: false,
                    consider_version_branches_pinned: false, dependency_source_details: nil)
@@ -33,58 +48,68 @@ module Dependabot
       @dependency_source_details = dependency_source_details
     end
 
+    sig { returns(T::Boolean) }
     def git_dependency?
       return false if dependency_source_details.nil?
 
-      dependency_source_details.fetch(:type) == "git"
+      dependency_source_details&.fetch(:type) == "git"
     end
 
+    # rubocop:disable Metrics/PerceivedComplexity
+    sig { returns(T::Boolean) }
     def pinned?
       raise "Not a git dependency!" unless git_dependency?
 
-      branch = dependency_source_details.fetch(:branch)
+      branch = dependency_source_details&.fetch(:branch)
 
       return false if ref.nil?
       return false if branch == ref
       return true if branch
-      return true if dependency.version&.start_with?(ref)
+      return true if dependency.version&.start_with?(T.must(ref))
 
       # If the specified `ref` is actually a tag, we're pinned
-      return true if local_upload_pack.match?(%r{ refs/tags/#{ref}$})
+      return true if local_upload_pack&.match?(%r{ refs/tags/#{ref}$})
 
       # Assume we're pinned unless the specified `ref` is actually a branch
-      return true unless local_upload_pack.match?(%r{ refs/heads/#{ref}$})
+      return true unless local_upload_pack&.match?(%r{ refs/heads/#{ref}$})
 
       # TODO: Research whether considering branches that look like versions pinned makes sense for all ecosystems
-      @consider_version_branches_pinned && version_tag?(ref)
+      @consider_version_branches_pinned && version_tag?(T.must(ref))
     end
+    # rubocop:enable Metrics/PerceivedComplexity
 
+    sig { returns(T::Boolean) }
     def pinned_ref_looks_like_version?
       return false unless pinned?
 
-      version_tag?(ref)
+      version_tag?(T.must(ref))
     end
 
+    sig { returns(T::Boolean) }
     def pinned_ref_looks_like_commit_sha?
-      return false unless ref && ref_looks_like_commit_sha?(ref)
+      return false unless ref && ref_looks_like_commit_sha?(T.must(ref))
 
       return false unless pinned?
 
-      local_repo_git_metadata_fetcher.head_commit_for_ref(ref).nil?
+      local_repo_git_metadata_fetcher.head_commit_for_ref(T.must(ref)).nil?
     end
 
+    sig { returns(T.nilable(String)) }
     def head_commit_for_pinned_ref
-      local_repo_git_metadata_fetcher.head_commit_for_ref_sha(ref)
+      local_repo_git_metadata_fetcher.head_commit_for_ref_sha(T.must(ref))
     end
 
+    sig { params(ref: String).returns(T::Boolean) }
     def ref_looks_like_commit_sha?(ref)
       ref.match?(/^[0-9a-f]{6,40}$/)
     end
 
+    sig { params(version: T.any(String, Gem::Version)).returns(T::Boolean) }
     def branch_or_ref_in_release?(version)
       pinned_ref_in_release?(version) || branch_behind_release?(version)
     end
 
+    sig { returns(T.nilable(String)) }
     def head_commit_for_current_branch
       ref = ref_or_branch || "HEAD"
 
@@ -94,42 +119,51 @@ module Dependabot
       raise Dependabot::GitDependencyReferenceNotFound, dependency.name
     end
 
+    sig { params(name: String).returns(T.nilable(String)) }
     def head_commit_for_local_branch(name)
       local_repo_git_metadata_fetcher.head_commit_for_ref(name)
     end
 
+    sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
     def local_ref_for_latest_version_matching_existing_precision
       allowed_refs = local_tag_for_pinned_sha ? allowed_version_tags : allowed_version_refs
 
       max_local_tag_for_current_precision(allowed_refs)
     end
 
+    sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
     def local_tag_for_latest_version
       max_local_tag(allowed_version_tags)
     end
 
+    sig { returns(T::Array[T.nilable(T::Hash[Symbol, T.untyped])]) }
     def local_tags_for_allowed_versions_matching_existing_precision
       select_matching_existing_precision(allowed_version_tags).map { |t| to_local_tag(t) }
     end
 
+    sig { returns(T::Array[T.nilable(T::Hash[Symbol, T.untyped])]) }
     def local_tags_for_allowed_versions
       allowed_version_tags.map { |t| to_local_tag(t) }
     end
 
+    sig { returns(T::Array[Dependabot::GitRef]) }
     def allowed_version_tags
       allowed_versions(local_tags)
     end
 
+    sig { returns(T::Array[Dependabot::GitRef]) }
     def allowed_version_refs
       allowed_versions(local_refs)
     end
 
+    sig { returns(T.nilable(Gem::Version)) }
     def current_version
-      return unless dependency.version && version_tag?(dependency.version)
+      return unless dependency.version && version_tag?(T.must(dependency.version))
 
-      version_from_ref(dependency.version)
+      version_from_ref(T.must(dependency.version))
     end
 
+    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T::Array[T.any(Dependabot::GitRef, Gem::Version)]) }
     def filter_lower_versions(tags)
       return tags unless current_version
 
@@ -142,23 +176,30 @@ module Dependabot
       end
     end
 
+    sig { returns(T.nilable(String)) }
     def most_specific_tag_equivalent_to_pinned_ref
-      commit_sha = head_commit_for_local_branch(ref)
+      commit_sha = head_commit_for_local_branch(T.must(ref))
       most_specific_version_tag_for_sha(commit_sha)
     end
 
+    sig { returns(T.nilable(String)) }
     def local_tag_for_pinned_sha
-      return @local_tag_for_pinned_sha if defined?(@local_tag_for_pinned_sha)
+      return unless pinned_ref_looks_like_commit_sha?
 
-      @local_tag_for_pinned_sha = most_specific_version_tag_for_sha(ref) if pinned_ref_looks_like_commit_sha?
+      @local_tag_for_pinned_sha = T.let(
+        most_specific_version_tag_for_sha(ref),
+        T.nilable(String)
+      )
     end
 
+    sig { returns(T.nilable(Gem::Version)) }
     def version_for_pinned_sha
       return unless local_tag_for_pinned_sha && version_class.correct?(local_tag_for_pinned_sha)
 
       version_class.new(local_tag_for_pinned_sha)
     end
 
+    sig { returns(T::Boolean) }
     def git_repo_reachable?
       local_upload_pack
       true
@@ -166,26 +207,37 @@ module Dependabot
       false
     end
 
+    sig { returns(T.nilable(T::Hash[T.any(Symbol, String), T.untyped])) }
     def dependency_source_details
       @dependency_source_details || dependency.source_details(allowed_types: ["git"])
     end
 
+    sig { params(commit_sha: T.nilable(String)).returns(T.nilable(String)) }
     def most_specific_version_tag_for_sha(commit_sha)
       tags = local_tags.select { |t| t.commit_sha == commit_sha && version_class.correct?(t.name) }
                        .sort_by { |t| version_class.new(t.name) }
       return if tags.empty?
 
-      tags[-1].name
+      tags[-1]&.name
     end
 
     private
 
-    attr_reader :dependency, :credentials, :ignored_versions
+    sig { returns(Dependabot::Dependency) }
+    attr_reader :dependency
 
+    sig { returns(T::Array[T::Hash[String, String]]) }
+    attr_reader :credentials
+
+    sig { returns(T::Array[String]) }
+    attr_reader :ignored_versions
+
+    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
     def max_local_tag_for_current_precision(tags)
       max_local_tag(select_matching_existing_precision(tags))
     end
 
+    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
     def max_local_tag(tags)
       max_version_tag = tags.max_by { |t| version_from_tag(t) }
 
@@ -193,16 +245,19 @@ module Dependabot
     end
 
     # Find the latest version with the same precision as the pinned version.
+    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T::Array[Dependabot::GitRef]) }
     def select_matching_existing_precision(tags)
-      current_precision = precision(dependency.version)
+      current_precision = precision(T.must(dependency.version))
 
       tags.select { |tag| precision(scan_version(tag.name)) == current_precision }
     end
 
+    sig { params(version: String).returns(Integer) }
     def precision(version)
       version.split(".").length
     end
 
+    sig { params(local_tags: T::Array[Dependabot::GitRef]).returns(T::Array[Dependabot::GitRef]) }
     def allowed_versions(local_tags)
       tags =
         local_tags
@@ -217,6 +272,7 @@ module Dependabot
         .reject { |t| tag_is_prerelease?(t) && !wants_prerelease? }
     end
 
+    sig { params(version: T.any(String, Gem::Version)).returns(T::Boolean) }
     def pinned_ref_in_release?(version)
       raise "Not a git dependency!" unless git_dependency?
 
@@ -227,12 +283,13 @@ module Dependabot
       return false unless tag
 
       commit_included_in_tag?(
-        commit: ref,
+        commit: T.must(ref),
         tag: tag,
         allow_identical: true
       )
     end
 
+    sig { params(version: T.any(String, Gem::Version)).returns(T::Boolean) }
     def branch_behind_release?(version)
       raise "Not a git dependency!" unless git_dependency?
 
@@ -245,24 +302,28 @@ module Dependabot
       # Check if behind, excluding the case where it's identical, because
       # we normally wouldn't switch you from tracking master to a release.
       commit_included_in_tag?(
-        commit: ref_or_branch,
+        commit: T.must(ref_or_branch),
         tag: tag,
         allow_identical: false
       )
     end
 
+    sig { returns(T.nilable(String)) }
     def local_upload_pack
       local_repo_git_metadata_fetcher.upload_pack
     end
 
+    sig { returns(T::Array[Dependabot::GitRef]) }
     def local_refs
       handle_tag_prefix(local_repo_git_metadata_fetcher.refs_for_upload_pack)
     end
 
+    sig { returns(T::Array[Dependabot::GitRef]) }
     def local_tags
       handle_tag_prefix(local_repo_git_metadata_fetcher.tags_for_upload_pack)
     end
 
+    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T::Array[Dependabot::GitRef]) }
     def handle_tag_prefix(tags)
       if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
         tags = tags.map do |tag|
@@ -273,6 +334,14 @@ module Dependabot
       tags
     end
 
+    sig do
+      params(
+        tag: String,
+        commit: String,
+        allow_identical: T::Boolean
+      )
+        .returns(T::Boolean)
+    end
     def commit_included_in_tag?(tag:, commit:, allow_identical: false)
       status =
         case Source.from_url(listing_source_url)&.provider
@@ -292,6 +361,7 @@ module Dependabot
       false
     end
 
+    sig { params(ref1: String, ref2: String).returns(String) }
     def github_commit_comparison_status(ref1, ref2)
       client = Clients::GithubWithRetries
                .for_github_dot_com(credentials: credentials)
@@ -299,6 +369,7 @@ module Dependabot
       client.compare(listing_source_repo, ref1, ref2).status
     end
 
+    sig { params(ref1: String, ref2: String).returns(String) }
     def gitlab_commit_comparison_status(ref1, ref2)
       client = Clients::GitlabWithRetries
                .for_gitlab_dot_com(credentials: credentials)
@@ -312,6 +383,7 @@ module Dependabot
       end
     end
 
+    sig { params(ref1: String, ref2: String).returns(String) }
     def bitbucket_commit_comparison_status(ref1, ref2)
       url = "https://api.bitbucket.org/2.0/repositories/" \
             "#{listing_source_repo}/commits/?" \
@@ -330,33 +402,39 @@ module Dependabot
       end
     end
 
+    sig { returns(T.nilable(String)) }
     def ref_or_branch
-      ref || dependency_source_details.fetch(:branch)
+      ref || dependency_source_details&.fetch(:branch)
     end
 
+    sig { returns(T.nilable(String)) }
     def ref
-      dependency_source_details.fetch(:ref)
+      dependency_source_details&.fetch(:ref)
     end
 
+    sig { params(tag: String).returns(T::Boolean) }
     def version_tag?(tag)
       tag.match?(VERSION_REGEX)
     end
 
+    sig { params(tag: String).returns(T::Boolean) }
     def matches_existing_prefix?(tag)
       return true unless ref_or_branch
 
-      if version_tag?(ref_or_branch)
-        same_prefix?(ref_or_branch, tag)
+      if version_tag?(T.must(ref_or_branch))
+        same_prefix?(T.must(ref_or_branch), tag)
       else
-        local_tag_for_pinned_sha.nil? || same_prefix?(local_tag_for_pinned_sha, tag)
+        local_tag_for_pinned_sha.nil? || same_prefix?(T.must(local_tag_for_pinned_sha), tag)
       end
     end
 
+    sig { params(tag: String, other_tag: String).returns(T::Boolean) }
     def same_prefix?(tag, other_tag)
       tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "") ==
         other_tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "")
     end
 
+    sig { params(tag: T.nilable(Dependabot::GitRef)).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
     def to_local_tag(tag)
       return unless tag
 
@@ -369,8 +447,9 @@ module Dependabot
       }
     end
 
+    sig { returns(T.nilable(String)) }
     def listing_source_url
-      @listing_source_url ||=
+      @listing_source_url ||= T.let(
         begin
           # Remove the git source, so the metadata finder looks on the
           # registry
@@ -385,100 +464,133 @@ module Dependabot
             .for_package_manager(dependency.package_manager)
             .new(dependency: candidate_dep, credentials: credentials)
             .source_url
-        end
+        end,
+        T.nilable(String)
+      )
     end
 
+    sig { returns(T.nilable(String)) }
     def listing_source_repo
       return unless listing_source_url
 
       Source.from_url(listing_source_url)&.repo
     end
 
+    sig { params(version: String).returns(T.nilable(String)) }
     def listing_tag_for_version(version)
       listing_tags
         .find { |t| t.name =~ /(?:[^0-9\.]|\A)#{Regexp.escape(version)}\z/ }
         &.name
     end
 
+    sig { returns(T::Array[Dependabot::GitRef]) }
     def listing_tags
       return [] unless listing_source_url
 
-      @listing_tags ||= begin
-        tags = listing_repo_git_metadata_fetcher.tags
+      @listing_tags ||= T.let(
+        begin
+          tags = listing_repo_git_metadata_fetcher.tags
 
-        if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
-          tags = tags.map do |tag|
-            tag.dup.tap { |t| t.name = "tags/#{tag.name}" }
+          if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
+            tags = tags.map do |tag|
+              tag.dup.tap { |t| t.name = "tags/#{tag.name}" }
+            end
           end
-        end
 
-        tags
-      rescue GitDependenciesNotReachable
-        []
-      end
+          tags
+        rescue GitDependenciesNotReachable
+          []
+        end,
+        T.nilable(T::Array[Dependabot::GitRef])
+      )
     end
 
+    sig { returns(T.nilable(String)) }
     def listing_upload_pack
       return unless listing_source_url
 
       listing_repo_git_metadata_fetcher.upload_pack
     end
 
+    sig { returns(T::Array[Dependabot::Requirement]) }
     def ignore_requirements
       ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
     end
 
+    sig { returns(T::Boolean) }
     def wants_prerelease?
       return false unless dependency_source_details&.fetch(:ref, nil)
       return false unless pinned_ref_looks_like_version?
 
-      version = version_from_ref(ref)
+      version = version_from_ref(T.must(ref))
       version.prerelease?
     end
 
+    sig { params(tag: Dependabot::GitRef).returns(T::Boolean) }
     def tag_included_in_ignore_requirements?(tag)
       version = version_from_tag(tag)
       ignore_requirements.any? { |r| r.satisfied_by?(version) }
     end
 
+    sig { params(tag: Dependabot::GitRef).returns(T::Boolean) }
     def tag_is_prerelease?(tag)
       version_from_tag(tag).prerelease?
     end
 
+    sig { params(tag: Dependabot::GitRef).returns(Gem::Version) }
     def version_from_tag(tag)
       version_from_ref(tag.name)
     end
 
+    sig { params(name: String).returns(Gem::Version) }
     def version_from_ref(name)
       version_class.new(scan_version(name))
     end
 
+    sig { params(name: String).returns(String) }
     def scan_version(name)
-      name.match(VERSION_REGEX).named_captures.fetch("version")
+      T.must(T.must(name.match(VERSION_REGEX)).named_captures.fetch("version"))
     end
 
+    sig { returns(T.class_of(Gem::Version)) }
     def version_class
-      @version_class ||= dependency.version_class
+      @version_class ||= T.let(
+        dependency.version_class,
+        T.nilable(T.class_of(Gem::Version))
+      )
     end
 
+    sig { returns(T.class_of(Dependabot::Requirement)) }
     def requirement_class
-      @requirement_class ||= dependency.requirement_class
+      @requirement_class ||= T.let(
+        dependency.requirement_class,
+        T.nilable(T.class_of(Dependabot::Requirement))
+      )
     end
 
+    sig { returns(Dependabot::GitMetadataFetcher) }
     def local_repo_git_metadata_fetcher
       @local_repo_git_metadata_fetcher ||=
-        GitMetadataFetcher.new(
-          url: dependency_source_details.fetch(:url),
-          credentials: credentials
+        T.let(
+          GitMetadataFetcher.new(
+            url: dependency_source_details&.fetch(:url),
+            credentials: credentials
+          ),
+          T.nilable(Dependabot::GitMetadataFetcher)
         )
     end
 
+    sig { returns(Dependabot::GitMetadataFetcher) }
     def listing_repo_git_metadata_fetcher
       @listing_repo_git_metadata_fetcher ||=
-        GitMetadataFetcher.new(
-          url: listing_source_url,
-          credentials: credentials
+        T.let(
+          GitMetadataFetcher.new(
+            url: T.must(listing_source_url),
+            credentials: credentials
+          ),
+          T.nilable(Dependabot::GitMetadataFetcher)
         )
     end
   end
+  # rubocop:enable Metrics/ClassLength
 end