dependabot-common 0.242.1 → 0.243.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6e3dfe956941c85f2831b149fa443058ce3165f68890a9cc2f8a47f171cf76cf
-  data.tar.gz: 1e02a3d9fbcb515af27fe62656748dcf14394707a71d2d2ca78e2f4c5323142b
+  metadata.gz: 4c66b8233da2a6599d23a5c9a0db612e4225e7a1ef54aad500fd8861e9a98273
+  data.tar.gz: 682b44c5d4ec337dd4a29a80f029e1e84869b9434aea2619969b5079aecac51c
 SHA512:
-  metadata.gz: 1d14e15ab94001ea6a2aa5625b23a0db71b13a3f533aca335d6f4a6035fdb14fb1b1600bd38628b5f41919883a4fc20754ccd329e0167c936a4fc68bc7b1031e
-  data.tar.gz: d31623ce8db6226701b3a4c8c5a49c2b5805d0c9e8723decdf15d275c87f5d6c519ca2add01ea796a607345ceebe498dbe71f4ad80310e916ef04e394748c8ae
+  metadata.gz: 9e5c58e16b97382100d7b9b72dcc85ed38d48b8df82a9a1135d72ecda5deab0182a333a4e4ddbb1840b3d2b73c8cf36d3555c5a89af4bf780b76998fabc36404
+  data.tar.gz: 65b24a2eb7ab108af968ccfde8934e74e5a1bf584af8b517df75a369b48a515a3011c2c2e4392ffb57f6848b800d83c2eea82dac6d9820fa1bd45ec4b56af166

data/lib/dependabot/clients/azure.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/shared_helpers"
@@ -7,6 +7,7 @@ require "sorbet-runtime"
 
 module Dependabot
   module Clients
+    # rubocop:disable Metrics/ClassLength
     class Azure
       extend T::Sig
 
@@ -24,12 +25,16 @@ module Dependabot
 
       class TagsCreationForbidden < StandardError; end
 
-      RETRYABLE_ERRORS = [InternalServerError, BadGateway, ServiceNotAvailable].freeze
+      RETRYABLE_ERRORS = T.let(
+        [InternalServerError, BadGateway, ServiceNotAvailable].freeze,
+        T::Array[T.class_of(StandardError)]
+      )
 
       #######################
       # Constructor methods #
       #######################
 
+      sig { params(source: Dependabot::Source, credentials: T::Array[Dependabot::Credential]).returns(Azure) }
       def self.for_source(source:, credentials:)
         credential =
           credentials
@@ -43,15 +48,24 @@ module Dependabot
       # Client #
       ##########
 
+      sig do
+        params(
+          source: Dependabot::Source,
+          credentials: T.nilable(Dependabot::Credential),
+          max_retries: T.nilable(Integer)
+        )
+          .void
+      end
       def initialize(source, credentials, max_retries: 3)
         @source = source
         @credentials = credentials
-        @auth_header = auth_header_for(credentials&.fetch("token", nil))
-        @max_retries = max_retries || 3
+        @auth_header = T.let(auth_header_for(credentials&.fetch("token", nil)), T::Hash[String, String])
+        @max_retries = T.let(max_retries || 3, Integer)
       end
 
+      sig { params(_repo: T.nilable(String), branch: String).returns(String) }
       def fetch_commit(_repo, branch)
-        response = get(source.api_endpoint +
+        response = get(T.must(source.api_endpoint) +
           source.organization + "/" + source.project +
           "/_apis/git/repositories/" + source.unscoped_repo +
           "/stats/branches?name=" + branch)
@@ -61,18 +75,26 @@ module Dependabot
         JSON.parse(response.body).fetch("commit").fetch("commitId")
       end
 
+      sig { params(_repo: String).returns(String) }
       def fetch_default_branch(_repo)
-        response = get(source.api_endpoint +
+        response = get(T.must(source.api_endpoint) +
           source.organization + "/" + source.project +
           "/_apis/git/repositories/" + source.unscoped_repo)
 
         JSON.parse(response.body).fetch("defaultBranch").gsub("refs/heads/", "")
       end
 
+      sig do
+        params(
+          commit: T.nilable(String),
+          path: T.nilable(String)
+        )
+          .returns(T::Array[T::Hash[String, T.untyped]])
+      end
       def fetch_repo_contents(commit = nil, path = nil)
         tree = fetch_repo_contents_treeroot(commit, path)
 
-        response = get(source.api_endpoint +
+        response = get(T.must(source.api_endpoint) +
           source.organization + "/" + source.project +
           "/_apis/git/repositories/" + source.unscoped_repo +
           "/trees/" + tree + "?recursive=false")
@@ -80,18 +102,19 @@ module Dependabot
         JSON.parse(response.body).fetch("treeEntries")
       end
 
+      sig { params(commit: T.nilable(String), path: T.nilable(String)).returns(String) }
       def fetch_repo_contents_treeroot(commit = nil, path = nil)
         actual_path = path
         actual_path = "/" if path.to_s.empty?
 
-        tree_url = source.api_endpoint +
+        tree_url = T.must(source.api_endpoint) +
                    source.organization + "/" + source.project +
                    "/_apis/git/repositories/" + source.unscoped_repo +
-                   "/items?path=" + actual_path
+                   "/items?path=" + T.must(actual_path)
 
         unless commit.to_s.empty?
           tree_url += "&versionDescriptor.versionType=commit" \
-                      "&versionDescriptor.version=" + commit
+                      "&versionDescriptor.version=" + T.must(commit)
         end
 
         tree_response = get(tree_url)
@@ -99,8 +122,9 @@ module Dependabot
         JSON.parse(tree_response.body).fetch("objectId")
       end
 
+      sig { params(commit: String, path: String).returns(String) }
       def fetch_file_contents(commit, path)
-        response = get(source.api_endpoint +
+        response = get(T.must(source.api_endpoint) +
           source.organization + "/" + source.project +
           "/_apis/git/repositories/" + source.unscoped_repo +
           "/items?path=" + path +
@@ -110,21 +134,23 @@ module Dependabot
         response.body
       end
 
+      sig { params(branch_name: T.nilable(String)).returns(T::Array[T::Hash[String, T.untyped]]) }
       def commits(branch_name = nil)
-        commits_url = source.api_endpoint +
+        commits_url = T.must(source.api_endpoint) +
                       source.organization + "/" + source.project +
                       "/_apis/git/repositories/" + source.unscoped_repo +
                       "/commits"
 
-        commits_url += "?searchCriteria.itemVersion.version=" + branch_name unless branch_name.to_s.empty?
+        commits_url += "?searchCriteria.itemVersion.version=" + T.must(branch_name) unless branch_name.to_s.empty?
 
         response = get(commits_url)
 
         JSON.parse(response.body).fetch("value")
       end
 
+      sig { params(branch_name: String).returns(T.nilable(T::Hash[String, T.untyped])) }
       def branch(branch_name)
-        response = get(source.api_endpoint +
+        response = get(T.must(source.api_endpoint) +
           source.organization + "/" + source.project +
           "/_apis/git/repositories/" + source.unscoped_repo +
           "/refs?filter=heads/" + branch_name)
@@ -132,8 +158,9 @@ module Dependabot
         JSON.parse(response.body).fetch("value").first
       end
 
+      sig { params(source_branch: String, target_branch: String).returns(T::Array[T::Hash[String, T.untyped]]) }
       def pull_requests(source_branch, target_branch)
-        response = get(source.api_endpoint +
+        response = get(T.must(source.api_endpoint) +
           source.organization + "/" + source.project +
           "/_apis/git/repositories/" + source.unscoped_repo +
           "/pullrequests?searchCriteria.status=all" \
@@ -143,6 +170,16 @@ module Dependabot
         JSON.parse(response.body).fetch("value")
       end
 
+      sig do
+        params(
+          branch_name: String,
+          base_commit: String,
+          commit_message: String,
+          files: T::Array[Dependabot::DependencyFile],
+          author_details: T.nilable(T::Hash[String, String])
+        )
+          .returns(T.untyped)
+      end
       def create_commit(branch_name, base_commit, commit_message, files,
                         author_details)
         content = {
@@ -158,7 +195,7 @@ module Dependabot
                   changeType: "edit",
                   item: { path: file.path },
                   newContent: {
-                    content: Base64.encode64(file.content),
+                    content: Base64.encode64(T.must(file.content)),
                     contentType: "base64encoded"
                   }
                 }
@@ -167,12 +204,25 @@ module Dependabot
           ]
         }
 
-        post(source.api_endpoint + source.organization + "/" + source.project +
+        post(T.must(source.api_endpoint) + source.organization + "/" + source.project +
           "/_apis/git/repositories/" + source.unscoped_repo +
           "/pushes?api-version=5.0", content.to_json)
       end
 
       # rubocop:disable Metrics/ParameterLists
+      sig do
+        params(
+          pr_name: String,
+          source_branch: String,
+          target_branch: String,
+          pr_description: String,
+          labels: T::Array[String],
+          reviewers: T.nilable(T::Array[String]),
+          assignees: T.nilable(T::Array[String]),
+          work_item: T.nilable(Integer)
+        )
+          .returns(T.untyped)
+      end
       def create_pull_request(pr_name, source_branch, target_branch,
                               pr_description, labels,
                               reviewers = nil, assignees = nil, work_item = nil)
@@ -187,12 +237,25 @@ module Dependabot
           workItemRefs: [{ id: work_item }]
         }
 
-        post(source.api_endpoint +
+        post(T.must(source.api_endpoint) +
           source.organization + "/" + source.project +
           "/_apis/git/repositories/" + source.unscoped_repo +
           "/pullrequests?api-version=5.0", content.to_json)
       end
 
+      sig do
+        params(
+          pull_request_id: Integer,
+          auto_complete_set_by: String,
+          merge_commit_message: String,
+          delete_source_branch: T::Boolean,
+          squash_merge: T::Boolean,
+          merge_strategy: String,
+          trans_work_items: T::Boolean,
+          ignore_config_ids: T::Array[String]
+        )
+          .returns(T.untyped)
+      end
       def autocomplete_pull_request(pull_request_id, auto_complete_set_by, merge_commit_message,
                                     delete_source_branch = true, squash_merge = true, merge_strategy = "squash",
                                     trans_work_items = true, ignore_config_ids = [])
@@ -211,7 +274,7 @@ module Dependabot
           }
         }
 
-        response = patch(source.api_endpoint +
+        response = patch(T.must(source.api_endpoint) +
                            source.organization + "/" + source.project +
                            "/_apis/git/repositories/" + source.unscoped_repo +
                            "/pullrequests/" + pull_request_id.to_s + "?api-version=5.1", content.to_json)
@@ -219,14 +282,16 @@ module Dependabot
         JSON.parse(response.body)
       end
 
+      sig { params(pull_request_id: String).returns(T::Hash[String, T.untyped]) }
       def pull_request(pull_request_id)
-        response = get(source.api_endpoint +
+        response = get(T.must(source.api_endpoint) +
           source.organization + "/" + source.project +
           "/_apis/git/pullrequests/" + pull_request_id)
 
         JSON.parse(response.body)
       end
 
+      sig { params(branch_name: String, old_commit: String, new_commit: String).returns(T::Hash[String, T.untyped]) }
       def update_ref(branch_name, old_commit, new_commit)
         content = [
           {
@@ -236,7 +301,7 @@ module Dependabot
           }
         ]
 
-        response = post(source.api_endpoint + source.organization + "/" + source.project +
+        response = post(T.must(source.api_endpoint) + source.organization + "/" + source.project +
                         "/_apis/git/repositories/" + source.unscoped_repo +
                         "/refs?api-version=5.0", content.to_json)
 
@@ -244,8 +309,15 @@ module Dependabot
       end
       # rubocop:enable Metrics/ParameterLists
 
+      sig do
+        params(
+          previous_tag: T.nilable(String), new_tag: T.nilable(String),
+          type: String
+        )
+          .returns(T::Array[T::Hash[String, T.untyped]])
+      end
       def compare(previous_tag, new_tag, type)
-        response = get(source.api_endpoint +
+        response = get(T.must(source.api_endpoint) +
                          source.organization + "/" + source.project +
                          "/_apis/git/repositories/" + source.unscoped_repo +
                          "/commits?searchCriteria.itemVersion.versionType=#{type}" \
@@ -311,7 +383,7 @@ module Dependabot
         raise Unauthorized if response&.status == 401
 
         if response&.status == 403
-          raise TagsCreationForbidden if tags_creation_forbidden?(response)
+          raise TagsCreationForbidden if tags_creation_forbidden?(T.must(response))
 
           raise Forbidden
         end
@@ -354,7 +426,8 @@ module Dependabot
 
       private
 
-      def retry_connection_failures
+      sig { params(blk: T.proc.void).void }
+      def retry_connection_failures(&blk) # rubocop:disable Lint/UnusedMethodArgument
         retry_attempt = 0
 
         begin
@@ -365,6 +438,7 @@ module Dependabot
         end
       end
 
+      sig { params(token: T.nilable(String)).returns(T::Hash[String, String]) }
       def auth_header_for(token)
         return {} unless token
 
@@ -379,6 +453,7 @@ module Dependabot
         end
       end
 
+      sig { params(response: Excon::Response).returns(T::Boolean) }
       def tags_creation_forbidden?(response)
         return false if response.body.empty?
 
@@ -386,6 +461,13 @@ module Dependabot
         message&.include?("TF401289")
       end
 
+      sig do
+        params(
+          reviewers: T.nilable(T::Array[String]),
+          assignees: T.nilable(T::Array[String])
+        )
+          .returns(T::Array[T::Hash[Symbol, T.untyped]])
+      end
       def pr_reviewers(reviewers, assignees)
         return [] unless reviewers || assignees
 
@@ -393,9 +475,15 @@ module Dependabot
         pr_reviewers + (assignees&.map { |r_id| { id: r_id, isRequired: false } } || [])
       end
 
+      sig { returns(T::Hash[String, String]) }
       attr_reader :auth_header
+
+      sig { returns(T.nilable(Dependabot::Credential)) }
       attr_reader :credentials
+
+      sig { returns(Dependabot::Source) }
       attr_reader :source
     end
+    # rubocop:enable Metrics/ClassLength
   end
 end

data/lib/dependabot/clients/bitbucket.rb

@@ -282,7 +282,7 @@ module Dependabot
       #
       # With POST (for endpoints that provide POST methods for long query parameters)
       #     response = post(url, body)
-      #     first_page = JSON.parse(repsonse.body)
+      #     first_page = JSON.parse(response.body)
       #     paginate(first_page)
       def paginate(page)
         Enumerator.new do |yielder|

data/lib/dependabot/credential.rb

@@ -0,0 +1,40 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  class Credential
+    extend T::Sig
+    extend Forwardable
+
+    def_delegators :@credential, :fetch, :keys, :[]=, :delete, :slice, :values, :entries
+
+    sig { params(credential: T::Hash[String, T.any(T::Boolean, String)]).void }
+    def initialize(credential)
+      @replaces_base = T.let(credential["replaces-base"] == true, T::Boolean)
+      credential.delete("replaces-base")
+      @credential = T.let(T.unsafe(credential), T::Hash[String, String])
+    end
+
+    sig { returns(T::Boolean) }
+    def replaces_base?
+      @replaces_base
+    end
+
+    sig { params(key: String).returns(T.nilable(String)) }
+    def [](key)
+      @credential[key]
+    end
+
+    sig { params(other: Credential).returns(Credential) }
+    def merge(other)
+      Credential.new(@credential.merge(other.to_h))
+    end
+
+    sig { returns(T::Hash[String, String]) }
+    def to_h
+      @credential
+    end
+  end
+end

data/lib/dependabot/dependency_group.rb

@@ -22,15 +22,21 @@ module Dependabot
     sig { returns(T::Array[Dependabot::Dependency]) }
     attr_reader :dependencies
 
+    sig { returns(String) }
+    attr_reader :applies_to
+
     sig do
       params(
         name: String,
-        rules: T::Hash[String, T.untyped]
+        rules: T::Hash[String, T.untyped],
+        applies_to: T.nilable(String)
       )
         .void
     end
-    def initialize(name:, rules:)
+    def initialize(name:, rules:, applies_to: "version-updates")
       @name = name
+      # For backwards compatibility, if no applies_to is provided, default to "version-updates"
+      @applies_to = T.let(applies_to || "version-updates", String)
       @rules = rules
       @dependencies = T.let([], T::Array[Dependabot::Dependency])
     end

data/lib/dependabot/file_fetchers/base.rb

@@ -7,6 +7,7 @@ require "dependabot/config"
 require "dependabot/dependency_file"
 require "dependabot/source"
 require "dependabot/errors"
+require "dependabot/credential"
 require "dependabot/clients/azure"
 require "dependabot/clients/codecommit"
 require "dependabot/clients/github_with_retries"
@@ -26,7 +27,7 @@ module Dependabot
       sig { returns(Dependabot::Source) }
       attr_reader :source
 
-      sig { returns(T::Array[T::Hash[String, String]]) }
+      sig { returns(T::Array[Dependabot::Credential]) }
       attr_reader :credentials
 
       sig { returns(T.nilable(String)) }
@@ -51,6 +52,24 @@ module Dependabot
       GIT_SUBMODULE_CLONE_ERROR =
         /^fatal: clone of '(?<url>.*)' into submodule path '.*' failed$/
       GIT_SUBMODULE_ERROR_REGEX = /(#{GIT_SUBMODULE_INACCESSIBLE_ERROR})|(#{GIT_SUBMODULE_CLONE_ERROR})/
+      GIT_RETRYABLE_ERRORS =
+        T.let(
+          [
+            /remote error: Internal Server Error/,
+            /fatal: Couldn\'t find remote ref/,
+            %r{git fetch_pack: expected ACK/NAK, got},
+            /protocol error: bad pack header/,
+            /The remote end hung up unexpectedly/,
+            /TLS packet with unexpected length was received/,
+            /RPC failed; result=\d+, HTTP code = \d+/,
+            /Connection timed out/,
+            /Connection reset by peer/,
+            /Unable to look up/,
+            /Couldn\'t resolve host/,
+            /The requested URL returned error: (429|5\d{2})/
+          ].freeze,
+          T::Array[Regexp]
+        )
 
       sig { overridable.params(filenames: T::Array[String]).returns(T::Boolean) }
       def self.required_files_in?(filenames)
@@ -76,7 +95,7 @@ module Dependabot
       sig do
         params(
           source: Dependabot::Source,
-          credentials: T::Array[T::Hash[String, String]],
+          credentials: T::Array[Dependabot::Credential],
           repo_contents_path: T.nilable(String),
           options: T::Hash[String, String]
         )
@@ -500,7 +519,7 @@ module Dependabot
         repo_path = File.join(clone_repo_contents, relative_path)
         return [] unless Dir.exist?(repo_path)
 
-        Dir.entries(repo_path).filter_map do |name|
+        Dir.entries(repo_path).sort.filter_map do |name|
           next if name == "." || name == ".."
 
           absolute_path = File.join(repo_path, name)
@@ -757,6 +776,7 @@ module Dependabot
       # rubocop:disable Metrics/MethodLength
       # rubocop:disable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/BlockLength
+      # rubocop:disable Metrics/CyclomaticComplexity
       sig { params(target_directory: T.nilable(String)).returns(String) }
       def _clone_repo_contents(target_directory:)
         SharedHelpers.with_git_configured(credentials: credentials) do
@@ -777,6 +797,7 @@ module Dependabot
           clone_options << " --branch #{source.branch} --single-branch" if source.branch
 
           submodule_cloning_failed = false
+          retries = 0
           begin
             SharedHelpers.run_shell_command(
               <<~CMD
@@ -786,6 +807,16 @@ module Dependabot
 
             @submodules = find_submodules(path) if recurse_submodules_when_cloning?
           rescue SharedHelpers::HelperSubprocessFailed => e
+            if GIT_RETRYABLE_ERRORS.any? { |error| error.match?(e.message) } && retries < 5
+              retries += 1
+              # 3, 6, 12, 24, 48, ...
+              sleep_seconds = (2 ^ (retries - 1)) * 3
+              Dependabot.logger.warn(
+                "Failed to clone repo #{source.url} due to #{e.message}. Retrying in #{sleep_seconds} seconds..."
+              )
+              sleep(sleep_seconds)
+              retry
+            end
             raise unless e.message.match(GIT_SUBMODULE_ERROR_REGEX) && e.message.downcase.include?("submodule")
 
             submodule_cloning_failed = true
@@ -831,6 +862,7 @@ module Dependabot
       # rubocop:enable Metrics/MethodLength
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:enable Metrics/BlockLength
+      # rubocop:enable Metrics/CyclomaticComplexity
 
       sig { params(str: String).returns(String) }
       def decode_binary_string(str)

data/lib/dependabot/file_parsers/base.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "sorbet-runtime"
+require "dependabot/credential"
 
 module Dependabot
   module FileParsers
@@ -17,7 +18,7 @@ module Dependabot
       sig { returns(T.nilable(String)) }
       attr_reader :repo_contents_path
 
-      sig { returns(T::Array[T::Hash[String, String]]) }
+      sig { returns(T::Array[Dependabot::Credential]) }
       attr_reader :credentials
 
       sig { returns(T.nilable(Dependabot::Source)) }
@@ -31,7 +32,7 @@ module Dependabot
           dependency_files: T::Array[Dependabot::DependencyFile],
           source: T.nilable(Dependabot::Source),
           repo_contents_path: T.nilable(String),
-          credentials: T::Array[T::Hash[String, String]],
+          credentials: T::Array[Dependabot::Credential],
           reject_external_code: T::Boolean,
           options: T::Hash[Symbol, T.untyped]
         )
@@ -49,7 +50,7 @@ module Dependabot
         check_required_files
       end
 
-      sig { abstract.returns(Dependabot::DependencyFile) }
+      sig { abstract.returns(T::Array[Dependabot::Dependency]) }
       def parse; end
 
       private

data/lib/dependabot/file_updaters/artifact_updater.rb

@@ -4,7 +4,7 @@
 require "sorbet-runtime"
 require "dependabot/dependency_file"
 
-# This class provides a utility to check for arbitary modified files within a
+# This class provides a utility to check for arbitrary modified files within a
 # git directory that need to be wrapped as Dependabot::DependencyFile object
 # and returned as along with anything managed by the FileUpdater itself.
 module Dependabot

data/lib/dependabot/file_updaters/base.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "sorbet-runtime"
+require "dependabot/credential"
 
 module Dependabot
   module FileUpdaters
@@ -19,13 +20,13 @@ module Dependabot
       sig { returns(T.nilable(String)) }
       attr_reader :repo_contents_path
 
-      sig { returns(T::Array[T::Hash[String, String]]) }
+      sig { returns(T::Array[Dependabot::Credential]) }
       attr_reader :credentials
 
       sig { returns(T::Hash[Symbol, T.untyped]) }
       attr_reader :options
 
-      sig { overridable.returns(String) }
+      sig { overridable.returns(T::Array[Regexp]) }
       def self.updated_files_regex
         raise NotImplementedError
       end
@@ -34,7 +35,7 @@ module Dependabot
         params(
           dependencies: T::Array[Dependabot::Dependency],
           dependency_files: T::Array[Dependabot::DependencyFile],
-          credentials: T::Array[T::Hash[String, String]],
+          credentials: T::Array[Dependabot::Credential],
           repo_contents_path: T.nilable(String),
           options: T::Hash[Symbol, T.untyped]
         ).void

data/lib/dependabot/file_updaters/vendor_updater.rb

@@ -17,7 +17,7 @@ module Dependabot
       extend T::Sig
       extend T::Helpers
 
-      # This provides backwards compatability for anyone who used this class
+      # This provides backwards compatibility for anyone who used this class
       # before the base ArtifactUpdater class was introduced and aligns the
       # method's public signatures with it's special-case domain.
       sig { params(repo_contents_path: T.nilable(String), vendor_dir: T.nilable(String)).void }

data/lib/dependabot/git_commit_checker.rb

@@ -12,6 +12,7 @@ require "dependabot/errors"
 require "dependabot/utils"
 require "dependabot/source"
 require "dependabot/dependency"
+require "dependabot/credential"
 require "dependabot/git_metadata_fetcher"
 module Dependabot
   # rubocop:disable Metrics/ClassLength
@@ -29,7 +30,7 @@ module Dependabot
     sig do
       params(
         dependency: Dependabot::Dependency,
-        credentials: T::Array[T::Hash[String, String]],
+        credentials: T::Array[Dependabot::Credential],
         ignored_versions: T::Array[String],
         raise_on_ignored: T::Boolean,
         consider_version_branches_pinned: T::Boolean,
@@ -226,7 +227,7 @@ module Dependabot
     sig { returns(Dependabot::Dependency) }
     attr_reader :dependency
 
-    sig { returns(T::Array[T::Hash[String, String]]) }
+    sig { returns(T::Array[Dependabot::Credential]) }
     attr_reader :credentials
 
     sig { returns(T::Array[String]) }

data/lib/dependabot/git_metadata_fetcher.rb

@@ -7,6 +7,7 @@ require "sorbet-runtime"
 
 require "dependabot/errors"
 require "dependabot/git_ref"
+require "dependabot/credential"
 
 module Dependabot
   class GitMetadataFetcher
@@ -17,7 +18,7 @@ module Dependabot
     sig do
       params(
         url: String,
-        credentials: T::Array[T::Hash[String, String]]
+        credentials: T::Array[Dependabot::Credential]
       )
         .void
     end
@@ -97,7 +98,7 @@ module Dependabot
     sig { returns(String) }
     attr_reader :url
 
-    sig { returns(T::Array[T::Hash[String, String]]) }
+    sig { returns(T::Array[Dependabot::Credential]) }
     attr_reader :credentials
 
     sig { params(uri: String).returns(String) }