RubyGems - dependabot-common - Versions diffs - 0.244.0 → 0.246.0 - Mend

dependabot-common 0.244.0 → 0.246.0

Files changed (28) hide show

checksums.yaml +4 -4
data/lib/dependabot/clients/bitbucket.rb +113 -5
data/lib/dependabot/clients/bitbucket_with_retries.rb +34 -10
data/lib/dependabot/clients/codecommit.rb +107 -12
data/lib/dependabot/clients/github_with_retries.rb +61 -19
data/lib/dependabot/clients/gitlab_with_retries.rb +60 -7
data/lib/dependabot/dependency.rb +1 -1
data/lib/dependabot/errors.rb +8 -2
data/lib/dependabot/git_commit_checker.rb +4 -3
data/lib/dependabot/metadata_finders/base/changelog_finder.rb +1 -1
data/lib/dependabot/metadata_finders/base/commits_finder.rb +1 -1
data/lib/dependabot/metadata_finders/base/release_finder.rb +1 -1
data/lib/dependabot/pull_request_creator/azure.rb +80 -9
data/lib/dependabot/pull_request_creator/bitbucket.rb +73 -9
data/lib/dependabot/pull_request_creator/codecommit.rb +96 -25
data/lib/dependabot/pull_request_creator/github.rb +162 -49
data/lib/dependabot/pull_request_creator/gitlab.rb +109 -21
data/lib/dependabot/pull_request_creator/message_builder.rb +239 -89
data/lib/dependabot/pull_request_creator/pr_name_prefixer.rb +11 -9
data/lib/dependabot/pull_request_creator.rb +32 -27
data/lib/dependabot/pull_request_updater/azure.rb +75 -11
data/lib/dependabot/pull_request_updater/github.rb +89 -28
data/lib/dependabot/pull_request_updater/gitlab.rb +61 -12
data/lib/dependabot/pull_request_updater.rb +1 -1
data/lib/dependabot/shared_helpers.rb +19 -1
data/lib/dependabot/update_checkers/base.rb +121 -31
data/lib/dependabot.rb +1 -1
metadata +3 -3

data/lib/dependabot/pull_request_updater/gitlab.rb CHANGED Viewed

@@ -1,16 +1,51 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
+require "gitlab"
+require "sorbet-runtime"
 require "dependabot/clients/gitlab_with_retries"
+require "dependabot/credential"
 require "dependabot/pull_request_creator"
-require "gitlab"
 module Dependabot
   class PullRequestUpdater
     class Gitlab
-      attr_reader :source, :files, :base_commit, :old_commit, :credentials,
-                  :pull_request_number, :target_project_id
+      extend T::Sig
+      sig { returns(Dependabot::Source) }
+      attr_reader :source
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :files
+      sig { returns(String) }
+      attr_reader :base_commit
+      sig { returns(String) }
+      attr_reader :old_commit
+      sig { returns(T::Array[Dependabot::Credential]) }
+      attr_reader :credentials
+      sig { returns(Integer) }
+      attr_reader :pull_request_number
+      sig { returns(T.nilable(Integer)) }
+      attr_reader :target_project_id
+      sig do
+        params(
+          source: Dependabot::Source,
+          base_commit: String,
+          old_commit: String,
+          files: T::Array[Dependabot::DependencyFile],
+          credentials: T::Array[Dependabot::Credential],
+          pull_request_number: Integer,
+          target_project_id: T.nilable(Integer)
+        )
+          .void
+      end
       def initialize(source:, base_commit:, old_commit:, files:,
                      credentials:, pull_request_number:, target_project_id:)
         @source              = source
@@ -22,6 +57,7 @@ module Dependabot
         @target_project_id   = target_project_id
       end
+      sig { returns(T.nilable(String)) }
       def update
         return unless merge_request_exists?
         return unless branch_exists?(merge_request.source_branch)
@@ -32,6 +68,7 @@ module Dependabot
       private
+      sig { returns(T::Boolean) }
       def merge_request_exists?
         merge_request
         true
@@ -39,31 +76,43 @@ module Dependabot
         false
       end
+      sig { returns(T.untyped) }
       def merge_request
-        @merge_request ||= gitlab_client_for_source.merge_request(
-          target_project_id || source.repo,
-          pull_request_number
+        @merge_request ||= T.let(
+          T.unsafe(gitlab_client_for_source).merge_request(
+            target_project_id || source.repo,
+            pull_request_number
+          ),
+          T.untyped
         )
       end
+      sig { returns(Dependabot::Clients::GitlabWithRetries) }
       def gitlab_client_for_source
         @gitlab_client_for_source ||=
-          Dependabot::Clients::GitlabWithRetries.for_source(
-            source: source,
-            credentials: credentials
+          T.let(
+            Dependabot::Clients::GitlabWithRetries.for_source(
+              source: source,
+              credentials: credentials
+            ),
+            T.nilable(Dependabot::Clients::GitlabWithRetries)
           )
       end
+      sig { params(name: String).returns(T::Boolean) }
       def branch_exists?(name)
-        gitlab_client_for_source.branch(source.repo, name)
+        !T.unsafe(gitlab_client_for_source).branch(source.repo, name).nil?
       rescue ::Gitlab::Error::NotFound
         false
       end
+      # TODO: This needs to be typed when the underlying client is
+      sig { returns(T.untyped) }
       def commit_being_updated
-        gitlab_client_for_source.commit(source.repo, old_commit)
+        T.unsafe(gitlab_client_for_source).commit(source.repo, old_commit)
       end
+      sig { void }
       def create_commit
         gitlab_client_for_source.create_commit(
           source.repo,

data/lib/dependabot/pull_request_updater.rb CHANGED Viewed

@@ -106,7 +106,7 @@ module Dependabot
         files: files,
         credentials: credentials,
         pull_request_number: pull_request_number,
-        target_project_id: provider_metadata[:target_project_id]
+        target_project_id: T.cast(provider_metadata[:target_project_id], T.nilable(Integer))
       )
     end

data/lib/dependabot/shared_helpers.rb CHANGED Viewed

@@ -405,7 +405,6 @@ module Dependabot
                                stderr_to_stdout: true)
       start = Time.now
       cmd = allow_unsafe_shell_command ? command : escape_command(command)
       if stderr_to_stdout
         stdout, process = Open3.capture2e(env || {}, cmd)
       else
@@ -425,12 +424,31 @@ module Dependabot
         process_exit_value: process.to_s
       }
+      check_out_of_disk_memory_error(stderr, error_context)
       raise SharedHelpers::HelperSubprocessFailed.new(
         message: stderr_to_stdout ? stdout : "#{stderr}\n#{stdout}",
         error_context: error_context
       )
     end
+    sig { params(stderr: T.nilable(String), error_context: T::Hash[Symbol, String]).void }
+    def self.check_out_of_disk_memory_error(stderr, error_context)
+      if stderr&.include?("No space left on device") || stderr&.include?("Out of diskspace")
+        raise HelperSubprocessFailed.new(
+          message: "No space left on device",
+          error_class: "Dependabot::OutOfDisk",
+          error_context: error_context
+        )
+      elsif stderr&.include?("MemoryError")
+        raise HelperSubprocessFailed.new(
+          message: "MemoryError",
+          error_class: "Dependabot::OutOfMemory",
+          error_context: error_context
+        )
+      end
+    end
     sig { params(command: String, stdin_data: String, env: T.nilable(T::Hash[String, String])).returns(String) }
     def self.helper_subprocess_bash_command(command:, stdin_data:, env:)
       escaped_stdin_data = stdin_data.gsub("\"", "\\\"")

data/lib/dependabot/update_checkers/base.rb CHANGED Viewed

@@ -1,20 +1,65 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "json"
+require "sorbet-runtime"
 require "dependabot/utils"
 require "dependabot/security_advisory"
 module Dependabot
   module UpdateCheckers
     class Base
-      attr_reader :dependency, :dependency_files, :repo_contents_path,
-                  :credentials, :ignored_versions, :raise_on_ignored,
-                  :security_advisories, :requirements_update_strategy,
-                  :dependency_group, :options
+      extend T::Sig
+      extend T::Helpers
+      sig { returns(Dependabot::Dependency) }
+      attr_reader :dependency
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :dependency_files
+      sig { returns(T.nilable(String)) }
+      attr_reader :repo_contents_path
+      sig { returns(T::Array[Dependabot::Credential]) }
+      attr_reader :credentials
+      sig { returns(T::Array[String]) }
+      attr_reader :ignored_versions
+      sig { returns(T::Boolean) }
+      attr_reader :raise_on_ignored
+      sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
+      attr_reader :security_advisories
+      sig { returns(T.nilable(Symbol)) }
+      attr_reader :requirements_update_strategy
+      sig { returns(T.nilable(Dependabot::DependencyGroup)) }
+      attr_reader :dependency_group
+      sig { returns(T::Hash[Symbol, T.untyped]) }
+      attr_reader :options
-      def initialize(dependency:, dependency_files:, repo_contents_path: nil,
-                     credentials:, ignored_versions: [],
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          dependency_files: T::Array[Dependabot::DependencyFile],
+          credentials: T::Array[Dependabot::Credential],
+          repo_contents_path: T.nilable(String),
+          ignored_versions: T::Array[String],
+          raise_on_ignored: T::Boolean,
+          security_advisories: T::Array[Dependabot::SecurityAdvisory],
+          requirements_update_strategy: T.nilable(Symbol),
+          dependency_group: T.nilable(Dependabot::DependencyGroup),
+          options: T::Hash[Symbol, T.untyped]
+        )
+          .void
+      end
+      def initialize(dependency:, dependency_files:, credentials:,
+                     repo_contents_path: nil, ignored_versions: [],
                      raise_on_ignored: false, security_advisories: [],
                      requirements_update_strategy: nil, dependency_group: nil,
                      options: {})
@@ -30,6 +75,7 @@ module Dependabot
         @options = options
       end
+      sig { returns(T::Boolean) }
       def up_to_date?
         if dependency.version
           version_up_to_date?
@@ -38,6 +84,7 @@ module Dependabot
         end
       end
+      sig { params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Boolean) }
       def can_update?(requirements_to_unlock:)
         # Can't update if all versions are being ignored
         return false if ignore_requirements.include?(requirement_class.new(">= 0"))
@@ -52,6 +99,7 @@ module Dependabot
         end
       end
+      sig { params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Array[Dependabot::Dependency]) }
       def updated_dependencies(requirements_to_unlock:)
         return [] unless can_update?(requirements_to_unlock: requirements_to_unlock)
@@ -63,10 +111,12 @@ module Dependabot
         end
       end
+      sig { overridable.returns(T.nilable(T.any(String, Gem::Version))) }
       def latest_version
-        raise NotImplementedError
+        raise NotImplementedError, "#{self.class} must implement #latest_version"
       end
+      sig { overridable.returns(T.nilable(T.any(String, Gem::Version))) }
       def preferred_resolvable_version
         # If this dependency is vulnerable, prefer trying to update to the
         # lowest_resolvable_security_fix_version. Otherwise update all the way
@@ -78,22 +128,26 @@ module Dependabot
         latest_resolvable_version
       end
+      sig { overridable.returns(T.nilable(T.any(String, Gem::Version))) }
       def latest_resolvable_version
-        raise NotImplementedError
+        raise NotImplementedError, "#{self.class} must implement #latest_resolvable_version"
       end
       # Lowest available security fix version not checking resolvability
       # @return [Dependabot::<package manager>::Version, #to_s] version class
+      sig { overridable.returns(Dependabot::Version) }
       def lowest_security_fix_version
-        raise NotImplementedError
+        raise NotImplementedError, "#{self.class} must implement #lowest_security_fix_version"
       end
+      sig { overridable.returns(String) }
       def lowest_resolvable_security_fix_version
-        raise NotImplementedError
+        raise NotImplementedError, "#{self.class} must implement #lowest_resolvable_security_fix_version"
       end
+      sig { overridable.returns(T.nilable(T.any(String, Dependabot::Version))) }
       def latest_resolvable_version_with_no_unlock
-        raise NotImplementedError
+        raise NotImplementedError, "#{self.class} must implement #latest_resolvable_version_with_no_unlock"
       end
       # Finds any dependencies in the lockfile that have a subdependency on the
@@ -102,22 +156,27 @@ module Dependabot
       #   name [String] the blocking dependencies name
       #   version [String] the version of the blocking dependency
       #   requirement [String] the requirement on the target_dependency
+      sig { overridable.returns(T::Array[T::Hash[String, String]]) }
       def conflicting_dependencies
         [] # return an empty array for ecosystems that don't support this yet
       end
+      sig { params(_updated_version: String).returns(T.nilable(String)) }
       def latest_resolvable_previous_version(_updated_version)
         dependency.version
       end
+      sig { overridable.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def updated_requirements
         raise NotImplementedError
       end
+      sig { returns(T.class_of(Dependabot::Version)) }
       def version_class
         dependency.version_class
       end
+      sig { returns(T.class_of(Dependabot::Requirement)) }
       def requirement_class
         dependency.requirement_class
       end
@@ -125,10 +184,12 @@ module Dependabot
       # For some languages, the manifest file may be constructed such that
       # Dependabot has no way to update it (e.g., if it fetches its versions
       # from a web API). This method is overridden in those cases.
+      sig { returns(T::Boolean) }
       def requirements_unlocked_or_can_be?
         true
       end
+      sig { returns(T::Boolean) }
       def vulnerable?
         return false if security_advisories.none?
@@ -142,20 +203,24 @@ module Dependabot
         active_advisories.any?
       end
+      sig { returns(T::Array[Dependabot::Requirement]) }
       def ignore_requirements
         ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
       end
       private
+      sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
       def active_advisories
-        security_advisories.select { |a| a.vulnerable?(current_version) }
+        security_advisories.select { |a| a.vulnerable?(T.must(current_version)) }
       end
+      sig { overridable.returns(T::Boolean) }
       def latest_version_resolvable_with_full_unlock?
-        raise NotImplementedError
+        raise NotImplementedError, "#{self.class} must implement #latest_version_resolvable_with_full_unlock?"
       end
+      sig { returns(Dependabot::Dependency) }
       def updated_dependency_without_unlock
         version = latest_resolvable_version_with_no_unlock.to_s
         previous_version = latest_resolvable_previous_version(version)&.to_s
@@ -172,6 +237,7 @@ module Dependabot
         )
       end
+      sig { returns(Dependabot::Dependency) }
       def updated_dependency_with_own_req_unlock
         version = preferred_resolvable_version.to_s
         previous_version = latest_resolvable_previous_version(version)&.to_s
@@ -188,16 +254,19 @@ module Dependabot
         )
       end
+      sig { overridable.returns(T::Array[Dependabot::Dependency]) }
       def updated_dependencies_after_full_unlock
         raise NotImplementedError
       end
+      sig { returns(T::Boolean) }
       def version_up_to_date?
         return sha1_version_up_to_date? if existing_version_is_sha?
         numeric_version_up_to_date?
       end
+      sig { params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Boolean) }
       def version_can_update?(requirements_to_unlock:)
         if existing_version_is_sha?
           return sha1_version_can_update?(
@@ -210,16 +279,19 @@ module Dependabot
         )
       end
+      sig { returns(T::Boolean) }
       def existing_version_is_sha?
         return false if version_class.correct?(dependency.version)
-        dependency.version.match?(/^[0-9a-f]{6,}$/)
+        T.must(dependency.version).match?(/^[0-9a-f]{6,}$/)
       end
+      sig { returns(T::Boolean) }
       def sha1_version_up_to_date?
-        latest_version&.to_s&.start_with?(dependency.version)
+        latest_version&.to_s&.start_with?(T.must(dependency.version)) || false
       end
+      sig { params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Boolean) }
       def sha1_version_can_update?(requirements_to_unlock:)
         return false if sha1_version_up_to_date?
@@ -227,7 +299,7 @@ module Dependabot
         case requirements_to_unlock&.to_sym
         when :none
           new_version = latest_resolvable_version_with_no_unlock
-          new_version && !new_version.to_s.start_with?(dependency.version)
+          !new_version&.to_s&.start_with?(T.must(dependency.version))
         when :own
           preferred_version_resolvable_with_unlock?
         when :all
@@ -236,6 +308,7 @@ module Dependabot
         end
       end
+      sig { returns(T::Boolean) }
       def numeric_version_up_to_date?
         return false unless latest_version
@@ -244,16 +317,19 @@ module Dependabot
         # this case we treat the version as up-to-date so that it's ignored.
         return true if latest_version.to_s.match?(/^[0-9a-f]{40}$/)
-        latest_version <= current_version
+        T.must(latest_version) <= current_version
       end
+      sig { params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Boolean) }
       def numeric_version_can_update?(requirements_to_unlock:)
         return false if numeric_version_up_to_date?
         case requirements_to_unlock&.to_sym
         when :none
           new_version = latest_resolvable_version_with_no_unlock
-          new_version && new_version > current_version
+          return false unless new_version
+          new_version > current_version
         when :own
           preferred_version_resolvable_with_unlock?
         when :all
@@ -262,12 +338,13 @@ module Dependabot
         end
       end
+      sig { returns(T::Boolean) }
       def preferred_version_resolvable_with_unlock?
         new_version = preferred_resolvable_version
         return false unless new_version
         if existing_version_is_sha?
-          return false if new_version.to_s.start_with?(dependency.version)
+          return false if new_version.to_s.start_with?(T.must(dependency.version))
         elsif new_version <= current_version
           return false
         end
@@ -275,39 +352,52 @@ module Dependabot
         updated_requirements.none? { |r| r[:requirement] == :unfixable }
       end
+      sig { returns(T::Boolean) }
       def requirements_up_to_date?
         if can_compare_requirements?
-          return (version_from_requirements >=
-                  version_class.new(latest_version.to_s))
+          return (T.must(version_from_requirements) >= version_class.new(latest_version.to_s))
         end
         changed_requirements.none?
       end
+      # TODO: Should this return Dependabot::Version?
+      sig { returns(T.nilable(Gem::Version)) }
       def current_version
-        @current_version ||= dependency.numeric_version
+        @current_version ||=
+          T.let(
+            dependency.numeric_version,
+            T.nilable(Dependabot::Version)
+          )
       end
+      sig { returns(T::Boolean) }
       def can_compare_requirements?
-        version_from_requirements &&
+        (version_from_requirements &&
           latest_version &&
-          version_class.correct?(latest_version.to_s)
+          version_class.correct?(latest_version.to_s)) || false
       end
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def changed_requirements
         (updated_requirements - dependency.requirements)
       end
+      sig { returns(T.nilable(T.any(String, Gem::Version))) }
       def version_from_requirements
         @version_from_requirements ||=
-          dependency.requirements.filter_map { |r| r.fetch(:requirement) }
-                    .flat_map { |req_str| requirement_class.requirements_array(req_str) }
-                    .flat_map(&:requirements)
-                    .reject { |req_array| req_array.first.start_with?("<") }
-                    .map(&:last)
-                    .max
+          T.let(
+            dependency.requirements.filter_map { |r| r.fetch(:requirement) }
+                      .flat_map { |req_str| requirement_class.requirements_array(req_str) }
+                      .flat_map(&:requirements)
+                      .reject { |req_array| req_array.first.start_with?("<") }
+                      .map(&:last)
+                      .max,
+            T.nilable(T.any(String, Gem::Version))
+          )
       end
+      sig { returns(T::Boolean) }
       def requirements_can_update?
         return false if changed_requirements.none?

data/lib/dependabot.rb CHANGED Viewed

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 module Dependabot
-  VERSION = "0.244.0"
+  VERSION = "0.246.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.244.0
+  version: 0.246.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-15 00:00:00.000000000 Z
+date: 2024-03-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -567,7 +567,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.244.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.246.0
 post_install_message:
 rdoc_options: []
 require_paths: