dependabot-common 0.251.0 → 0.253.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7a434c5c00b5a51f18a1999a4a120d28c8e2cd8b52efb44146cb01e4165b2421
-  data.tar.gz: f4c755156b9f6d3b66e6ff57d7d7c0ba417627ab74cd9aab34c28a1f9c397bbf
+  metadata.gz: e33e7c4c1aa5bd36b0efa81b3a427012da0bfe76036df7d3ab232f7ef22ad6fa
+  data.tar.gz: 73d202071035da3cc4c3b81dd69b740dc10ee1acb0f03d47daca39f8a483d07a
 SHA512:
-  metadata.gz: 53daea6535edab5620dc074b2563858b26c27defe804cb10d8e2cc39579affd42c1993998ee65c063ec375bae2a3211770a43f126589c96ce7c1b3d95f3e66db
-  data.tar.gz: a11371492f650794ec47e29f13db7a22b400c751d2bf6d00831f1c4c0efce11e66b3110fa38303c681570af6fc336a0510242fa20f8e5bf352fbae71b9e0ed16
+  metadata.gz: ae1bd08cf3fb1a9a2cbcfee3128655310a114aa4f1525716efcf330aea9ddcc3ae6d25186e1129a4ce3f399827accad03c8ce1848d8bf137c390f1c53d1ff947
+  data.tar.gz: ee68112308238c31e141af0eca5097df87d957e7f733f76034cb407aab6589c79e1f2fa2575a4798dbbcf7f0878128bb5dd6853e7998603589c449a77347663a

data/lib/dependabot/dependency.rb

@@ -85,6 +85,8 @@ module Dependabot
     sig { returns(T::Hash[Symbol, T.untyped]) }
     attr_reader :metadata
 
+    # rubocop:disable Metrics/AbcSize
+    # rubocop:disable Metrics/PerceivedComplexity
     sig do
       params(
         name: String,
@@ -110,8 +112,10 @@ module Dependabot
         end,
         T.nilable(String)
       )
+      @version = nil if @version == ""
       @requirements = T.let(requirements.map { |req| symbolize_keys(req) }, T::Array[T::Hash[Symbol, T.untyped]])
       @previous_version = previous_version
+      @previous_version = nil if @previous_version == ""
       @previous_requirements = T.let(
         previous_requirements&.map { |req| symbolize_keys(req) },
         T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
@@ -128,6 +132,8 @@ module Dependabot
 
       check_values
     end
+    # rubocop:enable Metrics/AbcSize
+    # rubocop:enable Metrics/PerceivedComplexity
 
     sig { returns(T::Boolean) }
     def top_level?
@@ -354,8 +360,6 @@ module Dependabot
 
     sig { void }
     def check_values
-      raise ArgumentError, "blank strings must not be provided as versions" if [version, previous_version].any?("")
-
       check_requirement_fields
       check_subdependency_metadata
     end

data/lib/dependabot/git_commit_checker.rb

@@ -132,6 +132,13 @@ module Dependabot
       max_local_tag_for_current_precision(allowed_refs)
     end
 
+    sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+    def local_ref_for_latest_version_lower_precision
+      allowed_refs = local_tag_for_pinned_sha ? allowed_version_tags : allowed_version_refs
+
+      max_local_tag_for_lower_precision(allowed_refs)
+    end
+
     sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
     def local_tag_for_latest_version
       max_local_tag(allowed_version_tags)
@@ -238,6 +245,11 @@ module Dependabot
       max_local_tag(select_matching_existing_precision(tags))
     end
 
+    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+    def max_local_tag_for_lower_precision(tags)
+      max_local_tag(select_lower_precision(tags))
+    end
+
     sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
     def max_local_tag(tags)
       max_version_tag = tags.max_by { |t| version_from_tag(t) }
@@ -253,6 +265,14 @@ module Dependabot
       tags.select { |tag| precision(scan_version(tag.name)) == current_precision }
     end
 
+    # Find the latest version with a lower precision as the pinned version.
+    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T::Array[Dependabot::GitRef]) }
+    def select_lower_precision(tags)
+      current_precision = precision(T.must(dependency.version))
+
+      tags.select { |tag| precision(scan_version(tag.name)) <= current_precision }
+    end
+
     sig { params(version: String).returns(Integer) }
     def precision(version)
       version.split(".").length

data/lib/dependabot/pull_request_creator/gitlab.rb

@@ -172,11 +172,16 @@ module Dependabot
       def create_commit
         return create_submodule_update_commit if files.count == 1 && T.must(files.first).type == "submodule"
 
+        options = {}
+        options[:author_email] = author_details&.fetch(:email) if author_details&.key?(:email)
+        options[:author_name] = author_details&.fetch(:name) if author_details&.key?(:name)
+
         gitlab_client_for_source.create_commit(
           source.repo,
           branch_name,
           commit_message,
-          files
+          files,
+          **options
         )
       end
 

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -516,14 +516,16 @@ module Dependabot
 
       sig { returns(String) }
       def group_intro
-        update_count = dependencies.map(&:name).uniq.count
+        # Ensure dependencies are unique by name, from and to versions
+        unique_dependencies = dependencies.uniq { |dep| [dep.name, dep.previous_version, dep.version] }
+        update_count = unique_dependencies.count
 
         msg = "Bumps the #{T.must(dependency_group).name} group#{pr_name_directory} " \
               "with #{update_count} update#{update_count > 1 ? 's' : ''}:"
 
         msg += if update_count >= 5
                  header = %w(Package From To)
-                 rows = dependencies.map do |dep|
+                 rows = unique_dependencies.map do |dep|
                    [
                      dependency_link(dep),
                      "`#{dep.humanized_previous_version}`",

data/lib/dependabot/pull_request_updater/github.rb

@@ -213,6 +213,21 @@ module Dependabot
         )
       end
 
+      BRANCH_PROTECTION_ERROR_MESSAGES = T.let(
+        [
+          /protected branch/i,
+          /not authorized to push/i,
+          /must not contain merge commits/i,
+          /required status check/i,
+          /cannot force-push to this branch/i,
+          /pull request for this branch has been added to a merge queue/i,
+          # Unverified commits can be present when PR contains commits from other authors
+          /commits must have verified signatures/i,
+          /changes must be made through a pull request/i
+        ].freeze,
+        T::Array[Regexp]
+      )
+
       sig { params(commit: T.untyped).returns(T.untyped) }
       def update_branch(commit)
         T.unsafe(github_client_for_source).update_ref(
@@ -226,13 +241,7 @@ module Dependabot
         return nil if e.message.match?(/Reference does not exist/i)
         return nil if e.message.match?(/Reference cannot be updated/i)
 
-        if e.message.match?(/protected branch/i) ||
-           e.message.match?(/not authorized to push/i) ||
-           e.message.include?("must not contain merge commits") ||
-           e.message.match?(/required status check/i) ||
-           e.message.match?(/cannot force-push to this branch/i)
-          raise BranchProtected
-        end
+        raise BranchProtected, e.message if BRANCH_PROTECTION_ERROR_MESSAGES.any? { |msg| e.message.match?(msg) }
 
         raise
       end

data/lib/dependabot/update_checkers/base.rb

@@ -224,7 +224,7 @@ module Dependabot
       sig { returns(Dependabot::Dependency) }
       def updated_dependency_without_unlock
         version = latest_resolvable_version_with_no_unlock.to_s
-        previous_version = latest_resolvable_previous_version(version)&.to_s
+        previous_version = latest_resolvable_previous_version(version)
 
         Dependency.new(
           name: dependency.name,
@@ -241,7 +241,7 @@ module Dependabot
       sig { returns(Dependabot::Dependency) }
       def updated_dependency_with_own_req_unlock
         version = preferred_resolvable_version.to_s
-        previous_version = latest_resolvable_previous_version(version)&.to_s
+        previous_version = latest_resolvable_previous_version(version)
 
         Dependency.new(
           name: dependency.name,

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.251.0"
+  VERSION = "0.253.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.251.0
+  version: 0.253.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-04-05 00:00:00.000000000 Z
+date: 2024-04-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -258,6 +258,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.5.11178
+- !ruby/object:Gem::Dependency
+  name: stackprof
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.16
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.16
 - !ruby/object:Gem::Dependency
   name: toml-rb
   requirement: !ruby/object:Gem::Requirement
@@ -418,20 +432,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.7.3
-- !ruby/object:Gem::Dependency
-  name: stackprof
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.2.16
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.2.16
 - !ruby/object:Gem::Dependency
   name: turbo_tests
   requirement: !ruby/object:Gem::Requirement
@@ -583,7 +583,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.251.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.253.0
 post_install_message: 
 rdoc_options: []
 require_paths: