dependabot-common 0.246.0 → 0.248.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/dependabot/errors.rb +12 -0
- data/lib/dependabot/file_fetchers/base.rb +8 -19
- data/lib/dependabot/file_updaters/base.rb +2 -0
- data/lib/dependabot/pull_request_creator/branch_namer/solo_strategy.rb +1 -1
- data/lib/dependabot/pull_request_creator/message_builder/issue_linker.rb +13 -4
- data/lib/dependabot/pull_request_creator/message_builder.rb +8 -1
- data/lib/dependabot/registry_client.rb +2 -2
- data/lib/dependabot/requirements_update_strategy.rb +13 -0
- data/lib/dependabot/update_checkers/base.rb +5 -4
- data/lib/dependabot/update_checkers/version_filters.rb +15 -5
- data/lib/dependabot/version.rb +6 -43
- data/lib/dependabot.rb +1 -1
- metadata +18 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: '0416468eed1e5438af7e79bd0100cfc63ec42b84d87d36ba3640911c79801aa4'
|
4
|
+
data.tar.gz: d08694c51bd1c6f8c768f953c48d2924814a90b49574980e00b60ab4dd51915e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: dcc419c9ec63f63d941fa34c9667b10e6e5c1bcbfc38351d9a87531a6cad5d343338a9e02dfb17403e3ff8a647478372567afbf6ff01b765ffdcdd9d8abf60ef
|
7
|
+
data.tar.gz: 7648c3ba8cba2e070e41e888c76bd3081b8a3798297c570c9e11eef441da874e678742a4563d7095cad18eeeeb16547d6540b22653fc200081d3214a9ad53365
|
data/lib/dependabot/errors.rb
CHANGED
@@ -7,6 +7,18 @@ require "dependabot/utils"
|
|
7
7
|
module Dependabot
|
8
8
|
extend T::Sig
|
9
9
|
|
10
|
+
module ErrorAttributes
|
11
|
+
BACKTRACE = "error-backtrace"
|
12
|
+
CLASS = "error-class"
|
13
|
+
DETAILS = "error-details"
|
14
|
+
FINGERPRINT = "fingerprint"
|
15
|
+
MESSAGE = "error-message"
|
16
|
+
DEPENDENCIES = "job-dependencies"
|
17
|
+
DEPENDENCY_GROUPS = "job-dependency-groups"
|
18
|
+
JOB_ID = "job-id"
|
19
|
+
PACKAGE_MANAGER = "package-manager"
|
20
|
+
end
|
21
|
+
|
10
22
|
# rubocop:disable Metrics/MethodLength
|
11
23
|
sig { params(error: StandardError).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
|
12
24
|
def self.fetcher_error_details(error)
|
@@ -354,11 +354,6 @@ module Dependabot
|
|
354
354
|
end
|
355
355
|
end
|
356
356
|
|
357
|
-
sig { returns(T::Boolean) }
|
358
|
-
def recurse_submodules_when_cloning?
|
359
|
-
false
|
360
|
-
end
|
361
|
-
|
362
357
|
sig do
|
363
358
|
returns(
|
364
359
|
T.any(
|
@@ -776,7 +771,6 @@ module Dependabot
|
|
776
771
|
# rubocop:disable Metrics/MethodLength
|
777
772
|
# rubocop:disable Metrics/PerceivedComplexity
|
778
773
|
# rubocop:disable Metrics/BlockLength
|
779
|
-
# rubocop:disable Metrics/CyclomaticComplexity
|
780
774
|
sig { params(target_directory: T.nilable(String)).returns(String) }
|
781
775
|
def _clone_repo_contents(target_directory:)
|
782
776
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
@@ -789,11 +783,7 @@ module Dependabot
|
|
789
783
|
|
790
784
|
clone_options = StringIO.new
|
791
785
|
clone_options << "--no-tags --depth 1"
|
792
|
-
clone_options <<
|
793
|
-
" --recurse-submodules --shallow-submodules"
|
794
|
-
else
|
795
|
-
" --no-recurse-submodules"
|
796
|
-
end
|
786
|
+
clone_options << " --recurse-submodules --shallow-submodules"
|
797
787
|
clone_options << " --branch #{source.branch} --single-branch" if source.branch
|
798
788
|
|
799
789
|
submodule_cloning_failed = false
|
@@ -805,7 +795,7 @@ module Dependabot
|
|
805
795
|
CMD
|
806
796
|
)
|
807
797
|
|
808
|
-
@submodules = find_submodules(path)
|
798
|
+
@submodules = find_submodules(path)
|
809
799
|
rescue SharedHelpers::HelperSubprocessFailed => e
|
810
800
|
if GIT_RETRYABLE_ERRORS.any? { |error| error.match?(e.message) } && retries < 5
|
811
801
|
retries += 1
|
@@ -835,20 +825,20 @@ module Dependabot
|
|
835
825
|
Dir.chdir(path) do
|
836
826
|
fetch_options = StringIO.new
|
837
827
|
fetch_options << "--depth 1"
|
838
|
-
fetch_options << if
|
839
|
-
" --recurse-submodules=on-demand"
|
840
|
-
else
|
828
|
+
fetch_options << if submodule_cloning_failed
|
841
829
|
" --no-recurse-submodules"
|
830
|
+
else
|
831
|
+
" --recurse-submodules=on-demand"
|
842
832
|
end
|
843
833
|
# Need to fetch the commit due to the --depth 1 above.
|
844
834
|
SharedHelpers.run_shell_command("git fetch #{fetch_options.string} origin #{source.commit}")
|
845
835
|
|
846
836
|
reset_options = StringIO.new
|
847
837
|
reset_options << "--hard"
|
848
|
-
reset_options << if
|
849
|
-
" --recurse-submodules"
|
850
|
-
else
|
838
|
+
reset_options << if submodule_cloning_failed
|
851
839
|
" --no-recurse-submodules"
|
840
|
+
else
|
841
|
+
" --recurse-submodules"
|
852
842
|
end
|
853
843
|
# Set HEAD to this commit so later calls so git reset HEAD will work.
|
854
844
|
SharedHelpers.run_shell_command("git reset #{reset_options.string} #{source.commit}")
|
@@ -862,7 +852,6 @@ module Dependabot
|
|
862
852
|
# rubocop:enable Metrics/MethodLength
|
863
853
|
# rubocop:enable Metrics/PerceivedComplexity
|
864
854
|
# rubocop:enable Metrics/BlockLength
|
865
|
-
# rubocop:enable Metrics/CyclomaticComplexity
|
866
855
|
|
867
856
|
sig { params(str: String).returns(String) }
|
868
857
|
def decode_binary_string(str)
|
@@ -2,6 +2,7 @@
|
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "sorbet-runtime"
|
5
|
+
|
5
6
|
require "dependabot/credential"
|
6
7
|
|
7
8
|
module Dependabot
|
@@ -9,6 +10,7 @@ module Dependabot
|
|
9
10
|
class Base
|
10
11
|
extend T::Sig
|
11
12
|
extend T::Helpers
|
13
|
+
|
12
14
|
abstract!
|
13
15
|
|
14
16
|
sig { returns(T::Array[Dependabot::Dependency]) }
|
@@ -21,10 +21,10 @@ module Dependabot
|
|
21
21
|
/\[(?<tag>(?:\#|GH-)?\d+)\]\(\)/i
|
22
22
|
].freeze, T::Array[Regexp])
|
23
23
|
|
24
|
-
sig { returns(String) }
|
24
|
+
sig { returns(T.nilable(String)) }
|
25
25
|
attr_reader :source_url
|
26
26
|
|
27
|
-
sig { params(source_url: String).void }
|
27
|
+
sig { params(source_url: T.nilable(String)).void }
|
28
28
|
def initialize(source_url:)
|
29
29
|
@source_url = source_url
|
30
30
|
end
|
@@ -46,9 +46,18 @@ module Dependabot
|
|
46
46
|
.match("#{REPO_REGEX}#{TAG_REGEX}")
|
47
47
|
&.named_captures
|
48
48
|
&.fetch("repo", nil)
|
49
|
-
source = repo ? "https://github.com/#{repo}" : source_url
|
50
49
|
|
51
|
-
|
50
|
+
source = if repo
|
51
|
+
"https://github.com/#{repo}"
|
52
|
+
elsif source_url
|
53
|
+
source_url
|
54
|
+
end
|
55
|
+
|
56
|
+
if source
|
57
|
+
"[#{repo ? (repo + tag) : tag}](#{source}/issues/#{number})"
|
58
|
+
else
|
59
|
+
issue_link
|
60
|
+
end
|
52
61
|
end
|
53
62
|
end
|
54
63
|
end
|
@@ -233,10 +233,17 @@ module Dependabot
|
|
233
233
|
|
234
234
|
sig { returns(String) }
|
235
235
|
def group_pr_name
|
236
|
+
directories_from_dependencies = dependencies.to_set { |dep| dep.metadata[:directory] }
|
237
|
+
|
238
|
+
directories_with_updates = source.directories&.filter do |directory|
|
239
|
+
directories_from_dependencies.include?(directory)
|
240
|
+
end
|
241
|
+
|
236
242
|
updates = dependencies.map(&:name).uniq.count
|
237
243
|
|
238
244
|
if source.directories
|
239
|
-
"bump the #{T.must(dependency_group).name} across #{T.must(
|
245
|
+
"bump the #{T.must(dependency_group).name} across #{T.must(directories_with_updates).count} " \
|
246
|
+
"#{T.must(directories_with_updates).count > 1 ? 'directories' : 'directory'} " \
|
240
247
|
"with #{updates} update#{'s' if updates > 1}"
|
241
248
|
else
|
242
249
|
"bump the #{T.must(dependency_group).name} group#{pr_name_directory} with #{updates} update#{if updates > 1
|
@@ -19,7 +19,7 @@ module Dependabot
|
|
19
19
|
sig do
|
20
20
|
params(
|
21
21
|
url: String,
|
22
|
-
headers: T::Hash[Symbol, T.untyped],
|
22
|
+
headers: T::Hash[T.any(String, Symbol), T.untyped],
|
23
23
|
options: T::Hash[Symbol, T.untyped]
|
24
24
|
)
|
25
25
|
.returns(Excon::Response)
|
@@ -40,7 +40,7 @@ module Dependabot
|
|
40
40
|
sig do
|
41
41
|
params(
|
42
42
|
url: String,
|
43
|
-
headers: T::Hash[Symbol, T.untyped],
|
43
|
+
headers: T::Hash[T.any(String, Symbol), T.untyped],
|
44
44
|
options: T::Hash[Symbol, T.untyped]
|
45
45
|
)
|
46
46
|
.returns(Excon::Response)
|
@@ -0,0 +1,13 @@
|
|
1
|
+
# typed: strong
|
2
|
+
# frozen_string_literal: true
|
3
|
+
|
4
|
+
module Dependabot
|
5
|
+
class RequirementsUpdateStrategy < T::Enum
|
6
|
+
enums do
|
7
|
+
BumpVersions = new("bump_versions")
|
8
|
+
BumpVersionsIfNecessary = new("bump_versions_if_necessary")
|
9
|
+
LockfileOnly = new("lockfile_only")
|
10
|
+
WidenRanges = new("widen_ranges")
|
11
|
+
end
|
12
|
+
end
|
13
|
+
end
|
@@ -4,8 +4,9 @@
|
|
4
4
|
require "json"
|
5
5
|
require "sorbet-runtime"
|
6
6
|
|
7
|
-
require "dependabot/
|
7
|
+
require "dependabot/requirements_update_strategy"
|
8
8
|
require "dependabot/security_advisory"
|
9
|
+
require "dependabot/utils"
|
9
10
|
|
10
11
|
module Dependabot
|
11
12
|
module UpdateCheckers
|
@@ -34,7 +35,7 @@ module Dependabot
|
|
34
35
|
sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
|
35
36
|
attr_reader :security_advisories
|
36
37
|
|
37
|
-
sig { returns(T.nilable(
|
38
|
+
sig { returns(T.nilable(Dependabot::RequirementsUpdateStrategy)) }
|
38
39
|
attr_reader :requirements_update_strategy
|
39
40
|
|
40
41
|
sig { returns(T.nilable(Dependabot::DependencyGroup)) }
|
@@ -52,7 +53,7 @@ module Dependabot
|
|
52
53
|
ignored_versions: T::Array[String],
|
53
54
|
raise_on_ignored: T::Boolean,
|
54
55
|
security_advisories: T::Array[Dependabot::SecurityAdvisory],
|
55
|
-
requirements_update_strategy: T.nilable(
|
56
|
+
requirements_update_strategy: T.nilable(Dependabot::RequirementsUpdateStrategy),
|
56
57
|
dependency_group: T.nilable(Dependabot::DependencyGroup),
|
57
58
|
options: T::Hash[Symbol, T.untyped]
|
58
59
|
)
|
@@ -140,7 +141,7 @@ module Dependabot
|
|
140
141
|
raise NotImplementedError, "#{self.class} must implement #lowest_security_fix_version"
|
141
142
|
end
|
142
143
|
|
143
|
-
sig { overridable.returns(
|
144
|
+
sig { overridable.returns(T.nilable(Dependabot::Version)) }
|
144
145
|
def lowest_resolvable_security_fix_version
|
145
146
|
raise NotImplementedError, "#{self.class} must implement #lowest_resolvable_security_fix_version"
|
146
147
|
end
|
@@ -9,11 +9,21 @@ module Dependabot
|
|
9
9
|
extend T::Sig
|
10
10
|
|
11
11
|
sig do
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
12
|
+
# Tricky generics explanation:
|
13
|
+
# There's a type T that is either a Gem::Version or a Hash with a :version key
|
14
|
+
# The method returns an array of T
|
15
|
+
# So whichever is provided as input, the output will be an array of the same type.
|
16
|
+
# https://sorbet.org/docs/generics#placing-bounds-on-generic-methods
|
17
|
+
type_parameters(:T)
|
18
|
+
.params(
|
19
|
+
versions_array: T::Array[
|
20
|
+
T.any(
|
21
|
+
T.all(T.type_parameter(:T), Gem::Version),
|
22
|
+
T.all(T.type_parameter(:T), T::Hash[Symbol, Gem::Version])
|
23
|
+
)],
|
24
|
+
security_advisories: T::Array[SecurityAdvisory]
|
25
|
+
)
|
26
|
+
.returns(T::Array[T.type_parameter(:T)])
|
17
27
|
end
|
18
28
|
def self.filter_vulnerable_versions(versions_array, security_advisories)
|
19
29
|
versions_array.reject do |v|
|
data/lib/dependabot/version.rb
CHANGED
@@ -10,59 +10,22 @@ module Dependabot
|
|
10
10
|
|
11
11
|
abstract!
|
12
12
|
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
.params(
|
17
|
-
version: T.any(
|
18
|
-
String,
|
19
|
-
Integer,
|
20
|
-
Float,
|
21
|
-
Gem::Version,
|
22
|
-
NilClass
|
23
|
-
)
|
24
|
-
)
|
25
|
-
.void
|
26
|
-
end
|
13
|
+
VersionParameter = T.type_alias { T.nilable(T.any(String, Integer, Gem::Version)) }
|
14
|
+
|
15
|
+
sig { override.overridable.params(version: VersionParameter).void }
|
27
16
|
def initialize(version)
|
28
17
|
@original_version = T.let(version.to_s, String)
|
29
18
|
|
30
|
-
|
19
|
+
super
|
31
20
|
end
|
32
21
|
|
33
|
-
sig
|
34
|
-
override
|
35
|
-
.overridable
|
36
|
-
.params(
|
37
|
-
version: T.any(
|
38
|
-
String,
|
39
|
-
Integer,
|
40
|
-
Float,
|
41
|
-
Gem::Version,
|
42
|
-
NilClass
|
43
|
-
)
|
44
|
-
)
|
45
|
-
.returns(Dependabot::Version)
|
46
|
-
end
|
22
|
+
sig { override.overridable.params(version: VersionParameter).returns(Dependabot::Version) }
|
47
23
|
def self.new(version)
|
48
24
|
T.cast(super, Dependabot::Version)
|
49
25
|
end
|
50
26
|
|
51
27
|
# Opt-in to Rubygems 4 behavior
|
52
|
-
sig
|
53
|
-
override
|
54
|
-
.overridable
|
55
|
-
.params(
|
56
|
-
version: T.any(
|
57
|
-
String,
|
58
|
-
Integer,
|
59
|
-
Float,
|
60
|
-
Gem::Version,
|
61
|
-
NilClass
|
62
|
-
)
|
63
|
-
)
|
64
|
-
.returns(T::Boolean)
|
65
|
-
end
|
28
|
+
sig { override.overridable.params(version: VersionParameter).returns(T::Boolean) }
|
66
29
|
def self.correct?(version)
|
67
30
|
return false if version.nil?
|
68
31
|
|
data/lib/dependabot.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-common
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.248.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-03-
|
11
|
+
date: 2024-03-21 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aws-sdk-codecommit
|
@@ -390,6 +390,20 @@ dependencies:
|
|
390
390
|
- - "~>"
|
391
391
|
- !ruby/object:Gem::Version
|
392
392
|
version: 1.19.0
|
393
|
+
- !ruby/object:Gem::Dependency
|
394
|
+
name: rubocop-rspec
|
395
|
+
requirement: !ruby/object:Gem::Requirement
|
396
|
+
requirements:
|
397
|
+
- - "~>"
|
398
|
+
- !ruby/object:Gem::Version
|
399
|
+
version: 2.27.1
|
400
|
+
type: :development
|
401
|
+
prerelease: false
|
402
|
+
version_requirements: !ruby/object:Gem::Requirement
|
403
|
+
requirements:
|
404
|
+
- - "~>"
|
405
|
+
- !ruby/object:Gem::Version
|
406
|
+
version: 2.27.1
|
393
407
|
- !ruby/object:Gem::Dependency
|
394
408
|
name: rubocop-sorbet
|
395
409
|
requirement: !ruby/object:Gem::Requirement
|
@@ -547,6 +561,7 @@ files:
|
|
547
561
|
- lib/dependabot/pull_request_updater/gitlab.rb
|
548
562
|
- lib/dependabot/registry_client.rb
|
549
563
|
- lib/dependabot/requirement.rb
|
564
|
+
- lib/dependabot/requirements_update_strategy.rb
|
550
565
|
- lib/dependabot/security_advisory.rb
|
551
566
|
- lib/dependabot/shared_helpers.rb
|
552
567
|
- lib/dependabot/simple_instrumentor.rb
|
@@ -567,7 +582,7 @@ licenses:
|
|
567
582
|
- Nonstandard
|
568
583
|
metadata:
|
569
584
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
570
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
585
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.248.0
|
571
586
|
post_install_message:
|
572
587
|
rdoc_options: []
|
573
588
|
require_paths:
|