RubyGems - dependabot-common - Versions diffs - 0.240.0 → 0.242.0 - Mend

dependabot-common 0.240.0 → 0.242.0

Files changed (15) hide show

checksums.yaml +4 -4
data/lib/dependabot/config/file.rb +1 -0
data/lib/dependabot/file_parsers/base.rb +39 -9
data/lib/dependabot/git_commit_checker.rb +160 -48
data/lib/dependabot/metadata_finders/base.rb +94 -40
data/lib/dependabot/pull_request_creator/branch_namer/base.rb +5 -0
data/lib/dependabot/pull_request_creator/branch_namer/dependency_group_strategy.rb +2 -2
data/lib/dependabot/pull_request_creator/branch_namer/solo_strategy.rb +59 -31
data/lib/dependabot/pull_request_creator/branch_namer.rb +47 -6
data/lib/dependabot/pull_request_creator/gitlab.rb +1 -1
data/lib/dependabot/pull_request_creator.rb +5 -5
data/lib/dependabot/security_advisory.rb +48 -16
data/lib/dependabot/update_checkers/version_filters.rb +2 -2
data/lib/dependabot.rb +1 -1
metadata +3 -3

data/lib/dependabot/security_advisory.rb CHANGED Viewed

@@ -1,31 +1,51 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/version"
 module Dependabot
   class SecurityAdvisory
-    attr_reader :dependency_name, :package_manager,
-                :vulnerable_versions, :safe_versions,
-                :vulnerable_version_strings
+    extend T::Sig
+    sig { returns(String) }
+    attr_reader :dependency_name
+    sig { returns(String) }
+    attr_reader :package_manager
+    sig { returns(T::Array[Dependabot::Requirement]) }
+    attr_reader :vulnerable_versions
+    sig { returns(T::Array[Dependabot::Requirement]) }
+    attr_reader :safe_versions
+    sig { returns(T::Array[T.any(String, Dependabot::Requirement)]) }
+    attr_reader :vulnerable_version_strings
+    sig do
+      params(
+        dependency_name: String,
+        package_manager: String,
+        vulnerable_versions: T.nilable(T::Array[Dependabot::Requirement]),
+        safe_versions: T.nilable(T::Array[T.any(String, Dependabot::Requirement)])
+      )
+        .void
+    end
     def initialize(dependency_name:, package_manager:,
                    vulnerable_versions: [], safe_versions: [])
       @dependency_name = dependency_name
       @package_manager = package_manager
-      @vulnerable_version_strings = vulnerable_versions || []
-      @vulnerable_versions = []
-      @safe_versions = safe_versions || []
+      @vulnerable_version_strings = T.let(vulnerable_versions || [], T::Array[T.any(String, Dependabot::Requirement)])
+      @vulnerable_versions = T.let([], T::Array[Dependabot::Requirement])
+      @safe_versions = T.let([], T::Array[Dependabot::Requirement])
-      convert_string_version_requirements
+      convert_string_version_requirements(vulnerable_version_strings, safe_versions || [])
       check_version_requirements
     end
+    sig { params(version: Gem::Version).returns(T::Boolean) }
     def vulnerable?(version)
-      unless version.is_a?(version_class) || version.instance_of?(Gem::Version)
-        raise ArgumentError, "must be a #{version_class}"
-      end
       in_safe_range = safe_versions
                       .any? { |r| r.satisfied_by?(version) }
@@ -50,9 +70,10 @@ module Dependabot
     #
     # @param dependency [Dependabot::Dependency] Updated dependency
     # @return [Boolean]
+    sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
     def fixed_by?(dependency)
       # Handle case mismatch between the security advisory and parsed name
-      return false unless dependency_name.casecmp(dependency.name).zero?
+      return false unless dependency_name.casecmp(dependency.name)&.zero?
       return false unless package_manager == dependency.package_manager
       # TODO: Support no previous version to the same level as dependency graph
       # and security alerts. We currently ignore dependency updates without a
@@ -61,19 +82,20 @@ module Dependabot
       return false unless version_class.correct?(dependency.previous_version)
       # Ignore deps that weren't previously vulnerable
-      return false unless affects_version?(dependency.previous_version)
+      return false unless affects_version?(T.must(dependency.previous_version))
       # Removing a dependency is a way to fix the vulnerability
       return true if dependency.removed?
       # Select deps that are now fixed
-      !affects_version?(dependency.version)
+      !affects_version?(T.must(dependency.version))
     end
     # Check if the version is affected by the advisory
     #
     # @param version [Dependabot::<Package Manager>::Version] version class
     # @return [Boolean]
+    sig { params(version: T.any(String, Gem::Version)).returns(T::Boolean) }
     def affects_version?(version)
       return false unless version_class.correct?(version)
       return false unless [*safe_versions, *vulnerable_versions].any?
@@ -96,7 +118,14 @@ module Dependabot
     private
-    def convert_string_version_requirements
+    sig do
+      params(
+        vulnerable_version_strings: T::Array[T.any(String, Dependabot::Requirement)],
+        safe_versions: T::Array[T.any(String, Dependabot::Requirement)]
+      )
+        .void
+    end
+    def convert_string_version_requirements(vulnerable_version_strings, safe_versions)
       @vulnerable_versions = vulnerable_version_strings.flat_map do |vuln_str|
         next vuln_str unless vuln_str.is_a?(String)
@@ -110,6 +139,7 @@ module Dependabot
       end
     end
+    sig { void }
     def check_version_requirements
       unless vulnerable_versions.is_a?(Array) &&
              vulnerable_versions.all? { |i| requirement_class <= i.class }
@@ -124,10 +154,12 @@ module Dependabot
       end
     end
+    sig { returns(T.class_of(Gem::Version)) }
     def version_class
       Utils.version_class_for_package_manager(package_manager)
     end
+    sig { returns(T.class_of(Dependabot::Requirement)) }
     def requirement_class
       Utils.requirement_class_for_package_manager(package_manager)
     end

data/lib/dependabot/update_checkers/version_filters.rb CHANGED Viewed

@@ -10,10 +10,10 @@ module Dependabot
       sig do
         params(
-          versions_array: T::Array[T.any(Gem::Version, T::Hash[Symbol, String])],
+          versions_array: T::Array[T.any(Gem::Version, T::Hash[Symbol, Gem::Version])],
           security_advisories: T::Array[SecurityAdvisory]
         )
-          .returns(T::Array[T.any(Gem::Version, T::Hash[Symbol, String])])
+          .returns(T::Array[T.any(Gem::Version, T::Hash[Symbol, Gem::Version])])
       end
       def self.filter_vulnerable_versions(versions_array, security_advisories)
         versions_array.reject do |v|

data/lib/dependabot.rb CHANGED Viewed

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 module Dependabot
-  VERSION = "0.240.0"
+  VERSION = "0.242.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.240.0
+  version: 0.242.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-12 00:00:00.000000000 Z
+date: 2024-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -572,7 +572,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.240.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.242.0
 post_install_message:
 rdoc_options: []
 require_paths: