RubyGems - dependabot-common - Versions diffs - 0.244.0 → 0.246.0 - Mend

dependabot-common 0.244.0 → 0.246.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

checksums.yaml +4 -4
data/lib/dependabot/clients/bitbucket.rb +113 -5
data/lib/dependabot/clients/bitbucket_with_retries.rb +34 -10
data/lib/dependabot/clients/codecommit.rb +107 -12
data/lib/dependabot/clients/github_with_retries.rb +61 -19
data/lib/dependabot/clients/gitlab_with_retries.rb +60 -7
data/lib/dependabot/dependency.rb +1 -1
data/lib/dependabot/errors.rb +8 -2
data/lib/dependabot/git_commit_checker.rb +4 -3
data/lib/dependabot/metadata_finders/base/changelog_finder.rb +1 -1
data/lib/dependabot/metadata_finders/base/commits_finder.rb +1 -1
data/lib/dependabot/metadata_finders/base/release_finder.rb +1 -1
data/lib/dependabot/pull_request_creator/azure.rb +80 -9
data/lib/dependabot/pull_request_creator/bitbucket.rb +73 -9
data/lib/dependabot/pull_request_creator/codecommit.rb +96 -25
data/lib/dependabot/pull_request_creator/github.rb +162 -49
data/lib/dependabot/pull_request_creator/gitlab.rb +109 -21
data/lib/dependabot/pull_request_creator/message_builder.rb +239 -89
data/lib/dependabot/pull_request_creator/pr_name_prefixer.rb +11 -9
data/lib/dependabot/pull_request_creator.rb +32 -27
data/lib/dependabot/pull_request_updater/azure.rb +75 -11
data/lib/dependabot/pull_request_updater/github.rb +89 -28
data/lib/dependabot/pull_request_updater/gitlab.rb +61 -12
data/lib/dependabot/pull_request_updater.rb +1 -1
data/lib/dependabot/shared_helpers.rb +19 -1
data/lib/dependabot/update_checkers/base.rb +121 -31
data/lib/dependabot.rb +1 -1
metadata +3 -3

data/lib/dependabot/pull_request_updater/gitlab.rb CHANGED Viewed

@@ -1,16 +1,51 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
+require "gitlab"
+require "sorbet-runtime"
 require "dependabot/clients/gitlab_with_retries"
+require "dependabot/credential"
 require "dependabot/pull_request_creator"
-require "gitlab"
 module Dependabot
   class PullRequestUpdater
     class Gitlab
-      attr_reader :source, :files, :base_commit, :old_commit, :credentials,
-                  :pull_request_number, :target_project_id
+      extend T::Sig
+      sig { returns(Dependabot::Source) }
+      attr_reader :source
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :files
+      sig { returns(String) }
+      attr_reader :base_commit
+      sig { returns(String) }
+      attr_reader :old_commit
+      sig { returns(T::Array[Dependabot::Credential]) }
+      attr_reader :credentials
+      sig { returns(Integer) }
+      attr_reader :pull_request_number
+      sig { returns(T.nilable(Integer)) }
+      attr_reader :target_project_id
+      sig do
+        params(
+          source: Dependabot::Source,
+          base_commit: String,
+          old_commit: String,
+          files: T::Array[Dependabot::DependencyFile],
+          credentials: T::Array[Dependabot::Credential],
+          pull_request_number: Integer,
+          target_project_id: T.nilable(Integer)
+        )
+          .void
+      end
       def initialize(source:, base_commit:, old_commit:, files:,
                      credentials:, pull_request_number:, target_project_id:)
         @source              = source
@@ -22,6 +57,7 @@ module Dependabot
         @target_project_id   = target_project_id
       end
+      sig { returns(T.nilable(String)) }
       def update
         return unless merge_request_exists?
         return unless branch_exists?(merge_request.source_branch)
@@ -32,6 +68,7 @@ module Dependabot
       private
+      sig { returns(T::Boolean) }
       def merge_request_exists?
         merge_request
         true
@@ -39,31 +76,43 @@ module Dependabot
         false
       end
+      sig { returns(T.untyped) }
       def merge_request
-        @merge_request ||= gitlab_client_for_source.merge_request(
-          target_project_id || source.repo,
-          pull_request_number
+        @merge_request ||= T.let(
+          T.unsafe(gitlab_client_for_source).merge_request(
+            target_project_id || source.repo,
+            pull_request_number
+          ),
+          T.untyped
         )
       end
+      sig { returns(Dependabot::Clients::GitlabWithRetries) }
       def gitlab_client_for_source
         @gitlab_client_for_source ||=
-          Dependabot::Clients::GitlabWithRetries.for_source(
-            source: source,
-            credentials: credentials
+          T.let(
+            Dependabot::Clients::GitlabWithRetries.for_source(
+              source: source,
+              credentials: credentials
+            ),
+            T.nilable(Dependabot::Clients::GitlabWithRetries)
           )
       end
+      sig { params(name: String).returns(T::Boolean) }
       def branch_exists?(name)
-        gitlab_client_for_source.branch(source.repo, name)
+        !T.unsafe(gitlab_client_for_source).branch(source.repo, name).nil?
       rescue ::Gitlab::Error::NotFound
         false
       end
+      # TODO: This needs to be typed when the underlying client is
+      sig { returns(T.untyped) }
       def commit_being_updated
-        gitlab_client_for_source.commit(source.repo, old_commit)
+        T.unsafe(gitlab_client_for_source).commit(source.repo, old_commit)
       end
+      sig { void }
       def create_commit
         gitlab_client_for_source.create_commit(
           source.repo,

data/lib/dependabot/pull_request_updater.rb CHANGED Viewed

@@ -106,7 +106,7 @@ module Dependabot
         files: files,
         credentials: credentials,
         pull_request_number: pull_request_number,
-        target_project_id: provider_metadata[:target_project_id]
+        target_project_id: T.cast(provider_metadata[:target_project_id], T.nilable(Integer))
       )
     end

data/lib/dependabot/shared_helpers.rb CHANGED Viewed

@@ -405,7 +405,6 @@ module Dependabot
                                stderr_to_stdout: true)
       start = Time.now
       cmd = allow_unsafe_shell_command ? command : escape_command(command)
       if stderr_to_stdout
         stdout, process = Open3.capture2e(env || {}, cmd)
       else
@@ -425,12 +424,31 @@ module Dependabot
         process_exit_value: process.to_s
       }
+      check_out_of_disk_memory_error(stderr, error_context)
       raise SharedHelpers::HelperSubprocessFailed.new(
         message: stderr_to_stdout ? stdout : "#{stderr}\n#{stdout}",
         error_context: error_context
       )
     end
+    sig { params(stderr: T.nilable(String), error_context: T::Hash[Symbol, String]).void }
+    def self.check_out_of_disk_memory_error(stderr, error_context)
+      if stderr&.include?("No space left on device") || stderr&.include?("Out of diskspace")
+        raise HelperSubprocessFailed.new(
+          message: "No space left on device",
+          error_class: "Dependabot::OutOfDisk",
+          error_context: error_context
+        )
+      elsif stderr&.include?("MemoryError")
+        raise HelperSubprocessFailed.new(
+          message: "MemoryError",
+          error_class: "Dependabot::OutOfMemory",
+          error_context: error_context
+        )
+      end
+    end
     sig { params(command: String, stdin_data: String, env: T.nilable(T::Hash[String, String])).returns(String) }
     def self.helper_subprocess_bash_command(command:, stdin_data:, env:)
       escaped_stdin_data = stdin_data.gsub("\"", "\\\"")

data/lib/dependabot/update_checkers/base.rb CHANGED Viewed

@@ -1,20 +1,65 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "json"
+require "sorbet-runtime"
 require "dependabot/utils"
 require "dependabot/security_advisory"
 module Dependabot
   module UpdateCheckers
     class Base
-      attr_reader :dependency, :dependency_files, :repo_contents_path,
-                  :credentials, :ignored_versions, :raise_on_ignored,
-                  :security_advisories, :requirements_update_strategy,
-                  :dependency_group, :options
+      extend T::Sig
+      extend T::Helpers
+      sig { returns(Dependabot::Dependency) }
+      attr_reader :dependency
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :dependency_files
+      sig { returns(T.nilable(String)) }
+      attr_reader :repo_contents_path
+      sig { returns(T::Array[Dependabot::Credential]) }
+      attr_reader :credentials
+      sig { returns(T::Array[String]) }
+      attr_reader :ignored_versions
+      sig { returns(T::Boolean) }
+      attr_reader :raise_on_ignored
+      sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
+      attr_reader :security_advisories
+      sig { returns(T.nilable(Symbol)) }
+      attr_reader :requirements_update_strategy
+      sig { returns(T.nilable(Dependabot::DependencyGroup)) }
+      attr_reader :dependency_group
+      sig { returns(T::Hash[Symbol, T.untyped]) }
+      attr_reader :options
-      def initialize(dependency:, dependency_files:, repo_contents_path: nil,
-                     credentials:, ignored_versions: [],
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          dependency_files: T::Array[Dependabot::DependencyFile],
+          credentials: T::Array[Dependabot::Credential],
+          repo_contents_path: T.nilable(String),
+          ignored_versions: T::Array[String],
+          raise_on_ignored: T::Boolean,
+          security_advisories: T::Array[Dependabot::SecurityAdvisory],
+          requirements_update_strategy: T.nilable(Symbol),
+          dependency_group: T.nilable(Dependabot::DependencyGroup),
+          options: T::Hash[Symbol, T.untyped]
+        )
+          .void
+      end
+      def initialize(dependency:, dependency_files:, credentials:,
+                     repo_contents_path: nil, ignored_versions: [],
                      raise_on_ignored: false, security_advisories: [],
                      requirements_update_strategy: nil, dependency_group: nil,
                      options: {})
@@ -30,6 +75,7 @@ module Dependabot
         @options = options
       end
+      sig { returns(T::Boolean) }
       def up_to_date?
         if dependency.version
           version_up_to_date?
@@ -38,6 +84,7 @@ module Dependabot
         end
       end
+      sig { params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Boolean) }
       def can_update?(requirements_to_unlock:)
         # Can't update if all versions are being ignored
         return false if ignore_requirements.include?(requirement_class.new(">= 0"))
@@ -52,6 +99,7 @@ module Dependabot
         end
       end
+      sig { params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Array[Dependabot::Dependency]) }
       def updated_dependencies(requirements_to_unlock:)
         return [] unless can_update?(requirements_to_unlock: requirements_to_unlock)
@@ -63,10 +111,12 @@ module Dependabot
         end
       end
+      sig { overridable.returns(T.nilable(T.any(String, Gem::Version))) }
       def latest_version
-        raise NotImplementedError
+        raise NotImplementedError, "#{self.class} must implement #latest_version"
       end
+      sig { overridable.returns(T.nilable(T.any(String, Gem::Version))) }
       def preferred_resolvable_version
         # If this dependency is vulnerable, prefer trying to update to the
         # lowest_resolvable_security_fix_version. Otherwise update all the way
@@ -78,22 +128,26 @@ module Dependabot
         latest_resolvable_version
       end
+      sig { overridable.returns(T.nilable(T.any(String, Gem::Version))) }
       def latest_resolvable_version
-        raise NotImplementedError
+        raise NotImplementedError, "#{self.class} must implement #latest_resolvable_version"
       end
       # Lowest available security fix version not checking resolvability
       # @return [Dependabot::<package manager>::Version, #to_s] version class
+      sig { overridable.returns(Dependabot::Version) }
       def lowest_security_fix_version
-        raise NotImplementedError
+        raise NotImplementedError, "#{self.class} must implement #lowest_security_fix_version"
       end
+      sig { overridable.returns(String) }
       def lowest_resolvable_security_fix_version
-        raise NotImplementedError
+        raise NotImplementedError, "#{self.class} must implement #lowest_resolvable_security_fix_version"
       end
+      sig { overridable.returns(T.nilable(T.any(String, Dependabot::Version))) }
       def latest_resolvable_version_with_no_unlock
-        raise NotImplementedError
+        raise NotImplementedError, "#{self.class} must implement #latest_resolvable_version_with_no_unlock"
       end
       # Finds any dependencies in the lockfile that have a subdependency on the
@@ -102,22 +156,27 @@ module Dependabot
       #   name [String] the blocking dependencies name
       #   version [String] the version of the blocking dependency
       #   requirement [String] the requirement on the target_dependency
+      sig { overridable.returns(T::Array[T::Hash[String, String]]) }
       def conflicting_dependencies
         [] # return an empty array for ecosystems that don't support this yet
       end
+      sig { params(_updated_version: String).returns(T.nilable(String)) }
       def latest_resolvable_previous_version(_updated_version)
         dependency.version
       end
+      sig { overridable.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def updated_requirements
         raise NotImplementedError
       end
+      sig { returns(T.class_of(Dependabot::Version)) }
       def version_class
         dependency.version_class
       end
+      sig { returns(T.class_of(Dependabot::Requirement)) }
       def requirement_class
         dependency.requirement_class
       end
@@ -125,10 +184,12 @@ module Dependabot
       # For some languages, the manifest file may be constructed such that
       # Dependabot has no way to update it (e.g., if it fetches its versions
       # from a web API). This method is overridden in those cases.
+      sig { returns(T::Boolean) }
       def requirements_unlocked_or_can_be?
         true
       end
+      sig { returns(T::Boolean) }
       def vulnerable?
         return false if security_advisories.none?
@@ -142,20 +203,24 @@ module Dependabot
         active_advisories.any?
       end
+      sig { returns(T::Array[Dependabot::Requirement]) }
       def ignore_requirements
         ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
       end
       private
+      sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
       def active_advisories
-        security_advisories.select { |a| a.vulnerable?(current_version) }
+        security_advisories.select { |a| a.vulnerable?(T.must(current_version)) }
       end
+      sig { overridable.returns(T::Boolean) }
       def latest_version_resolvable_with_full_unlock?
-        raise NotImplementedError
+        raise NotImplementedError, "#{self.class} must implement #latest_version_resolvable_with_full_unlock?"
       end
+      sig { returns(Dependabot::Dependency) }
       def updated_dependency_without_unlock
         version = latest_resolvable_version_with_no_unlock.to_s
         previous_version = latest_resolvable_previous_version(version)&.to_s
@@ -172,6 +237,7 @@ module Dependabot
         )
       end
+      sig { returns(Dependabot::Dependency) }
       def updated_dependency_with_own_req_unlock
         version = preferred_resolvable_version.to_s
         previous_version = latest_resolvable_previous_version(version)&.to_s
@@ -188,16 +254,19 @@ module Dependabot
         )
       end
+      sig { overridable.returns(T::Array[Dependabot::Dependency]) }
       def updated_dependencies_after_full_unlock
         raise NotImplementedError
       end
+      sig { returns(T::Boolean) }
       def version_up_to_date?
         return sha1_version_up_to_date? if existing_version_is_sha?
         numeric_version_up_to_date?
       end
+      sig { params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Boolean) }
       def version_can_update?(requirements_to_unlock:)
         if existing_version_is_sha?
           return sha1_version_can_update?(
@@ -210,16 +279,19 @@ module Dependabot
         )
       end
+      sig { returns(T::Boolean) }
       def existing_version_is_sha?
         return false if version_class.correct?(dependency.version)
-        dependency.version.match?(/^[0-9a-f]{6,}$/)
+        T.must(dependency.version).match?(/^[0-9a-f]{6,}$/)
       end
+      sig { returns(T::Boolean) }
       def sha1_version_up_to_date?
-        latest_version&.to_s&.start_with?(dependency.version)
+        latest_version&.to_s&.start_with?(T.must(dependency.version)) || false
       end
+      sig { params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Boolean) }
       def sha1_version_can_update?(requirements_to_unlock:)
         return false if sha1_version_up_to_date?
@@ -227,7 +299,7 @@ module Dependabot
         case requirements_to_unlock&.to_sym
         when :none
           new_version = latest_resolvable_version_with_no_unlock
-          new_version && !new_version.to_s.start_with?(dependency.version)
+          !new_version&.to_s&.start_with?(T.must(dependency.version))
         when :own
           preferred_version_resolvable_with_unlock?
         when :all
@@ -236,6 +308,7 @@ module Dependabot
         end
       end
+      sig { returns(T::Boolean) }
       def numeric_version_up_to_date?
         return false unless latest_version
@@ -244,16 +317,19 @@ module Dependabot
         # this case we treat the version as up-to-date so that it's ignored.
         return true if latest_version.to_s.match?(/^[0-9a-f]{40}$/)
-        latest_version <= current_version
+        T.must(latest_version) <= current_version
       end
+      sig { params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Boolean) }
       def numeric_version_can_update?(requirements_to_unlock:)
         return false if numeric_version_up_to_date?
         case requirements_to_unlock&.to_sym
         when :none
           new_version = latest_resolvable_version_with_no_unlock
-          new_version && new_version > current_version
+          return false unless new_version
+          new_version > current_version
         when :own
           preferred_version_resolvable_with_unlock?
         when :all
@@ -262,12 +338,13 @@ module Dependabot
         end
       end
+      sig { returns(T::Boolean) }
       def preferred_version_resolvable_with_unlock?
         new_version = preferred_resolvable_version
         return false unless new_version
         if existing_version_is_sha?
-          return false if new_version.to_s.start_with?(dependency.version)
+          return false if new_version.to_s.start_with?(T.must(dependency.version))
         elsif new_version <= current_version
           return false
         end
@@ -275,39 +352,52 @@ module Dependabot
         updated_requirements.none? { |r| r[:requirement] == :unfixable }
       end
+      sig { returns(T::Boolean) }
       def requirements_up_to_date?
         if can_compare_requirements?
-          return (version_from_requirements >=
-                  version_class.new(latest_version.to_s))
+          return (T.must(version_from_requirements) >= version_class.new(latest_version.to_s))
         end
         changed_requirements.none?
       end
+      # TODO: Should this return Dependabot::Version?
+      sig { returns(T.nilable(Gem::Version)) }
       def current_version
-        @current_version ||= dependency.numeric_version
+        @current_version ||=
+          T.let(
+            dependency.numeric_version,
+            T.nilable(Dependabot::Version)
+          )
       end
+      sig { returns(T::Boolean) }
       def can_compare_requirements?
-        version_from_requirements &&
+        (version_from_requirements &&
           latest_version &&
-          version_class.correct?(latest_version.to_s)
+          version_class.correct?(latest_version.to_s)) || false
       end
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def changed_requirements
         (updated_requirements - dependency.requirements)
       end
+      sig { returns(T.nilable(T.any(String, Gem::Version))) }
       def version_from_requirements
         @version_from_requirements ||=
-          dependency.requirements.filter_map { |r| r.fetch(:requirement) }
-                    .flat_map { |req_str| requirement_class.requirements_array(req_str) }
-                    .flat_map(&:requirements)
-                    .reject { |req_array| req_array.first.start_with?("<") }
-                    .map(&:last)
-                    .max
+          T.let(
+            dependency.requirements.filter_map { |r| r.fetch(:requirement) }
+                      .flat_map { |req_str| requirement_class.requirements_array(req_str) }
+                      .flat_map(&:requirements)
+                      .reject { |req_array| req_array.first.start_with?("<") }
+                      .map(&:last)
+                      .max,
+            T.nilable(T.any(String, Gem::Version))
+          )
       end
+      sig { returns(T::Boolean) }
       def requirements_can_update?
         return false if changed_requirements.none?

data/lib/dependabot.rb CHANGED Viewed

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 module Dependabot
-  VERSION = "0.244.0"
+  VERSION = "0.246.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.244.0
+  version: 0.246.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-15 00:00:00.000000000 Z
+date: 2024-03-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -567,7 +567,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.244.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.246.0
 post_install_message:
 rdoc_options: []
 require_paths: