dependabot-common 0.290.0 → 0.292.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d33a6634dcde9e6c86689c31358cf2ee6c0cfc12ba8e7668940b3fd33710348
-  data.tar.gz: c472e1fe6402e2300d12be7664c2d89433cf6b7e3f103d25a1cd82e52c03965b
+  metadata.gz: bc0d7a7acc0f4dcb2e25a622e816fd82a11a1553eecf85e6ae1e442ce5750ffb
+  data.tar.gz: 29e3f86968cb122e49a26f2866ee3554cb07ddbbda305e17d02ee4cb10099282
 SHA512:
-  metadata.gz: fb9557f02c4bbe7fa7b447862205f49fd04a8c029b7d643163f9707ea3a3c166b1f62fcc190c94a63d03012d271b0010bf7fc8f28b4429c9ed496d79d24c4e64
-  data.tar.gz: 16c278fbada2c58f30ae4068c05d5b0ba441cac4f655ddee16cc12b862176f714b6b7eceab0e4cd9679b150843fec0725a76b4cd31d613ec8647547fccd0e116
+  metadata.gz: 14e6659eaa880f07f1d2562d89ba71a5f581bcf431edcc49983bf7b6819be8567e0bd252606daa744e0c7d3523d2fd1970e22699b1053179f648009517ca332f
+  data.tar.gz: 47e39f274165302b4a2da440f242ffb7fd2e635c535666d3c09dc968090fbf7187c614ce1ed642f3ea472093820918675bb7ae465d4cad48a8c644d7ef5d6db8

data/lib/dependabot/command_helpers.rb

@@ -0,0 +1,226 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "open3"
+require "timeout"
+require "sorbet-runtime"
+require "shellwords"
+
+module Dependabot
+  module CommandHelpers
+    extend T::Sig
+
+    module TIMEOUTS
+      NO_TIME_OUT = -1 # No timeout
+      LOCAL = 30 # 30 seconds
+      NETWORK = 120 # 2 minutes
+      LONG_RUNNING = 300 # 5 minutes
+      DEFAULT = 900 # 15 minutes
+    end
+
+    class ProcessStatus
+      extend T::Sig
+
+      sig { params(process_status: Process::Status, custom_exitstatus: T.nilable(Integer)).void }
+      def initialize(process_status, custom_exitstatus = nil)
+        @process_status = process_status
+        @custom_exitstatus = custom_exitstatus
+      end
+
+      # Return the exit status, either from the process status or the custom one
+      sig { returns(Integer) }
+      def exitstatus
+        @custom_exitstatus || @process_status.exitstatus || 0
+      end
+
+      # Determine if the process was successful
+      sig { returns(T::Boolean) }
+      def success?
+        @custom_exitstatus.nil? ? @process_status.success? || false : @custom_exitstatus.zero?
+      end
+
+      # Return the PID of the process (if available)
+      sig { returns(T.nilable(Integer)) }
+      def pid
+        @process_status.pid
+      end
+
+      sig { returns(T.nilable(Integer)) }
+      def termsig
+        @process_status.termsig
+      end
+
+      # String representation of the status
+      sig { returns(String) }
+      def to_s
+        if @custom_exitstatus
+          "pid #{pid || 'unknown'}: exit #{@custom_exitstatus} (custom status)"
+        else
+          @process_status.to_s
+        end
+      end
+    end
+
+    # rubocop:disable Metrics/AbcSize
+    # rubocop:disable Metrics/MethodLength
+    # rubocop:disable Metrics/PerceivedComplexity
+    # rubocop:disable Metrics/CyclomaticComplexity
+    sig do
+      params(
+        env_cmd: T::Array[T.any(T::Hash[String, String], String)],
+        stdin_data: T.nilable(String),
+        stderr_to_stdout: T::Boolean,
+        timeout: Integer
+      ).returns([T.nilable(String), T.nilable(String), T.nilable(ProcessStatus), Float])
+    end
+    def self.capture3_with_timeout(
+      env_cmd,
+      stdin_data: nil,
+      stderr_to_stdout: false,
+      timeout: TIMEOUTS::DEFAULT
+    )
+
+      stdout = T.let("", String)
+      stderr = T.let("", String)
+      status = T.let(nil, T.nilable(ProcessStatus))
+      pid = T.let(nil, T.untyped)
+      start_time = Time.now
+
+      begin
+        T.unsafe(Open3).popen3(*env_cmd) do |stdin, stdout_io, stderr_io, wait_thr| # rubocop:disable Metrics/BlockLength
+          pid = wait_thr.pid
+          Dependabot.logger.info("Started process PID: #{pid} with command: #{env_cmd.join(' ')}")
+
+          # Write to stdin if input data is provided
+          stdin&.write(stdin_data) if stdin_data
+          stdin&.close
+
+          stdout_io.sync = true
+          stderr_io.sync = true
+
+          # Array to monitor both stdout and stderr
+          ios = [stdout_io, stderr_io]
+
+          last_output_time = Time.now # Track the last time output was received
+
+          until ios.empty?
+            if timeout.positive?
+              # Calculate remaining timeout dynamically
+              remaining_timeout = timeout - (Time.now - last_output_time)
+
+              # Raise an error if timeout is exceeded
+              if remaining_timeout <= 0
+                Dependabot.logger.warn("Process PID: #{pid} timed out after #{timeout}s. Terminating...")
+                terminate_process(pid)
+                status = ProcessStatus.new(wait_thr.value, 124)
+                raise Timeout::Error, "Timed out due to inactivity after #{timeout} seconds"
+              end
+            end
+
+            # Use IO.select with a dynamically calculated short timeout
+            ready_ios = IO.select(ios, nil, nil, 0)
+
+            # Process ready IO streams
+            ready_ios&.first&.each do |io|
+              # 1. Read data from the stream
+              io.set_encoding("BINARY")
+              data = io.read_nonblock(1024)
+
+              # 2. Force encoding to UTF-8 (for proper conversion)
+              data.force_encoding("UTF-8")
+
+              # 3. Convert to UTF-8 safely, handling invalid/undefined bytes
+              data = data.encode("UTF-8", invalid: :replace, undef: :replace, replace: "?")
+
+              # Reset the timeout if data is received
+              last_output_time = Time.now unless data.empty?
+
+              # 4. Append data to the appropriate stream
+              if io == stdout_io
+                stdout += data
+              else
+                stderr += data unless stderr_to_stdout
+                stdout += data if stderr_to_stdout
+              end
+                                                    rescue EOFError
+                                                      # Remove the stream when EOF is reached
+                                                      ios.delete(io)
+                                                    rescue IO::WaitReadable
+                                                      # Continue when IO is not ready yet
+                                                      next
+            end
+          end
+
+          status = ProcessStatus.new(wait_thr.value)
+          Dependabot.logger.info("Process PID: #{pid} completed with status: #{status}")
+        end
+      rescue Timeout::Error => e
+        Dependabot.logger.error("Process PID: #{pid} failed due to timeout: #{e.message}")
+        terminate_process(pid)
+
+        # Append timeout message only to stderr without interfering with stdout
+        stderr += "\n#{e.message}" unless stderr_to_stdout
+        stdout += "\n#{e.message}" if stderr_to_stdout
+      rescue Errno::ENOENT => e
+        Dependabot.logger.error("Command failed: #{e.message}")
+        stderr += e.message unless stderr_to_stdout
+        stdout += e.message if stderr_to_stdout
+      end
+
+      elapsed_time = Time.now - start_time
+      Dependabot.logger.info("Total execution time: #{elapsed_time.round(2)} seconds")
+      [stdout, stderr, status, elapsed_time]
+    end
+    # rubocop:enable Metrics/AbcSize
+    # rubocop:enable Metrics/MethodLength
+    # rubocop:enable Metrics/PerceivedComplexity
+    # rubocop:enable Metrics/CyclomaticComplexity
+
+    # Terminate a process by PID
+    sig { params(pid: T.nilable(Integer)).void }
+    def self.terminate_process(pid)
+      return unless pid
+
+      begin
+        if process_alive?(pid)
+          Process.kill("TERM", pid) # Attempt graceful termination
+          sleep(0.5) # Allow process to terminate
+        end
+        if process_alive?(pid)
+          Process.kill("KILL", pid) # Forcefully kill if still running
+        end
+      rescue Errno::EPERM
+        Dependabot.logger.error("Insufficient permissions to terminate process: #{pid}")
+      ensure
+        begin
+          Process.waitpid(pid)
+        rescue Errno::ESRCH, Errno::ECHILD
+          # Process has already exited
+        end
+      end
+    end
+
+    # Check if the process is still alive
+    sig { params(pid: T.nilable(Integer)).returns(T::Boolean) }
+    def self.process_alive?(pid)
+      return false if pid.nil?
+
+      begin
+        Process.kill(0, pid) # Check if the process exists
+        true
+      rescue Errno::ESRCH
+        false
+      rescue Errno::EPERM
+        Dependabot.logger.error("Insufficient permissions to check process: #{pid}")
+        false
+      end
+    end
+
+    # Escape shell commands to ensure safe execution
+    sig { params(command: String).returns(String) }
+    def self.escape_command(command)
+      command_parts = command.split.map(&:strip).reject(&:empty?)
+      Shellwords.join(command_parts)
+    end
+  end
+end

data/lib/dependabot/config/update_config.rb

@@ -32,6 +32,10 @@ module Dependabot
         normalizer = name_normaliser_for(dependency)
         dep_name = T.must(normalizer).call(dependency.name)
 
+        if dependency.version.nil? && dependency.requirements.any?
+          dependency = extract_base_version_from_requirement(dependency)
+        end
+
         @ignore_conditions
           .select { |ic| self.class.wildcard_match?(T.must(normalizer).call(ic.dependency_name), dep_name) }
           .map { |ic| ic.ignored_versions(dependency, security_updates_only) }
@@ -40,6 +44,19 @@ module Dependabot
           .uniq
       end
 
+      sig { params(dependency: Dependency).returns(Dependency) }
+      def extract_base_version_from_requirement(dependency)
+        requirements = dependency.requirements
+        requirement = T.must(requirements.first)[:requirement]
+        version = requirement&.match(/\d+\.\d+\.\d+/)&.to_s
+        Dependabot::Dependency.new(
+          name: dependency.name,
+          version: version,
+          requirements: dependency.requirements,
+          package_manager: dependency.package_manager
+        )
+      end
+
       sig { params(wildcard_string: T.nilable(String), candidate_string: T.nilable(String)).returns(T::Boolean) }
       def self.wildcard_match?(wildcard_string, candidate_string)
         return false unless wildcard_string && candidate_string

data/lib/dependabot/ecosystem.rb

@@ -17,30 +17,38 @@ module Dependabot
       abstract!
       # Initialize version information for a package manager or language.
       # @param name [String] the name of the package manager or language (e.g., "bundler", "ruby").
-      # @param version [Dependabot::Version] the parsed current version.
+      # @param detected_version [Dependabot::Version] the detected version of the package manager or language.
+      # @param version [Dependabot::Version] the version dependabots run on.
       # @param deprecated_versions [Array<Dependabot::Version>] an array of deprecated versions.
       # @param supported_versions [Array<Dependabot::Version>] an array of supported versions.
       # @param requirement [Dependabot::Requirement] an array of requirements.
       # @example
-      #   VersionManager.new("bundler", "2.1.4", nil)
+      #   VersionManager.new(
+      #   name: "bundler",
+      #   version: Version.new("2.1.4"),
+      #   requirement: nil
+      # )
       sig do
         params(
           name: String,
-          version: Dependabot::Version,
+          detected_version: T.nilable(Dependabot::Version),
+          version: T.nilable(Dependabot::Version),
           deprecated_versions: T::Array[Dependabot::Version],
           supported_versions: T::Array[Dependabot::Version],
           requirement: T.nilable(Dependabot::Requirement)
         ).void
       end
       def initialize(
-        name,
-        version,
-        deprecated_versions = [],
-        supported_versions = [],
-        requirement = nil
+        name:,
+        detected_version: nil,
+        version: nil,
+        deprecated_versions: [],
+        supported_versions: [],
+        requirement: nil
       )
         @name = T.let(name, String)
-        @version = T.let(version, Dependabot::Version)
+        @detected_version = T.let(detected_version || version, T.nilable(Dependabot::Version))
+        @version = T.let(version, T.nilable(Dependabot::Version))
         @deprecated_versions = T.let(deprecated_versions, T::Array[Dependabot::Version])
         @supported_versions = T.let(supported_versions, T::Array[Dependabot::Version])
         @requirement = T.let(requirement, T.nilable(Dependabot::Requirement))
@@ -52,10 +60,16 @@ module Dependabot
       sig { returns(String) }
       attr_reader :name
 
+      # The current version of the package manager or language.
+      # @example
+      #   detected_version #=> Dependabot::Version.new("2")
+      sig { returns(T.nilable(Dependabot::Version)) }
+      attr_reader :detected_version
+
       # The current version of the package manager or language.
       # @example
       #   version #=> Dependabot::Version.new("2.1.4")
-      sig { returns(Dependabot::Version) }
+      sig { returns(T.nilable(Dependabot::Version)) }
       attr_reader :version
 
       # Returns an array of deprecated versions of the package manager.
@@ -76,16 +90,34 @@ module Dependabot
       sig { returns(T.nilable(Dependabot::Requirement)) }
       attr_reader :requirement
 
+      # The version of the package manager or language as a string.
+      # @example
+      # version_to_s #=> "2.1"
+      sig { returns(String) }
+      def version_to_s
+        version.to_s
+      end
+
+      # The raw version of the package manager or language.
+      # @example
+      #  raw_version #=> "2.1.4"
+      sig { returns(String) }
+      def version_to_raw_s
+        version&.to_semver.to_s
+      end
+
       # Checks if the current version is deprecated.
       # Returns true if the version is in the deprecated_versions array; false otherwise.
       # @example
       #   deprecated? #=> true
       sig { returns(T::Boolean) }
       def deprecated?
+        return false unless detected_version
+
         # If the version is unsupported, the unsupported error is getting raised separately.
         return false if unsupported?
 
-        deprecated_versions.include?(version)
+        deprecated_versions.include?(detected_version)
       end
 
       # Checks if the current version is unsupported.
@@ -93,16 +125,20 @@ module Dependabot
       #   unsupported? #=> false
       sig { returns(T::Boolean) }
       def unsupported?
+        return false unless detected_version
+
         return false if supported_versions.empty?
 
         # Check if the version is not supported
-        supported_versions.all? { |supported| supported > version }
+        supported_versions.all? { |supported| supported > detected_version }
       end
 
       # Raises an error if the current package manager or language version is unsupported.
       # If the version is unsupported, it raises a ToolVersionNotSupported error.
       sig { void }
       def raise_if_unsupported!
+        return unless detected_version
+
         return unless unsupported?
 
         # Example: v2.*, v3.*
@@ -110,7 +146,7 @@ module Dependabot
 
         raise ToolVersionNotSupported.new(
           name,
-          version.to_s,
+          detected_version.to_s,
           supported_versions_message
         )
       end

data/lib/dependabot/errors.rb

@@ -83,6 +83,11 @@ module Dependabot
       # and responsibility for fixing it is on them, not us. As a result we
       # quietly log these as errors
       { "error-type": "server_error" }
+    when BadRequirementError
+      {
+        "error-type": "illformed_requirement",
+        "error-detail": { message: error.message }
+      }
     when *Octokit::RATE_LIMITED_ERRORS
       # If we get a rate-limited error we let dependabot-api handle the
       # retry by re-enqueing the update job after the reset
@@ -144,6 +149,11 @@ module Dependabot
         "error-type": "git_dependencies_not_reachable",
         "error-detail": { "dependency-urls": error.dependency_urls }
       }
+    when Dependabot::UnresolvableVersionError
+      {
+        "error-type": "unresolvable_version",
+        "error-detail": { dependencies: error.dependencies }
+      }
     when Dependabot::NotImplemented
       {
         "error-type": "not_implemented",
@@ -661,6 +671,23 @@ module Dependabot
     end
   end
 
+  class UnresolvableVersionError < DependabotError
+    extend T::Sig
+
+    sig { returns(T::Array[String]) }
+    attr_reader :dependencies
+
+    sig { params(dependencies: T::Array[String]).void }
+    def initialize(dependencies)
+      @dependencies = dependencies
+
+      msg = "Unable to determine semantic version from tags or commits for dependencies. " \
+            "Dependencies must have a tag or commit that references a semantic version. " \
+            "Affected dependencies: #{@dependencies.join(', ')}"
+      super(msg)
+    end
+  end
+
   class GitDependenciesNotReachable < DependabotError
     extend T::Sig
 

data/lib/dependabot/file_fetchers/base.rb

@@ -311,7 +311,7 @@ module Dependabot
 
         SharedHelpers.with_git_configured(credentials: credentials) do
           Dir.chdir(T.must(repo_contents_path)) do
-            return SharedHelpers.run_shell_command("git rev-parse HEAD").strip
+            return SharedHelpers.run_shell_command("git rev-parse HEAD", stderr_to_stdout: false).strip
           end
         end
       end

data/lib/dependabot/notices.rb

@@ -71,15 +71,20 @@ module Dependabot
     # Generates a description for supported versions.
     # @param supported_versions [Array<Dependabot::Version>, nil] The supported versions of the package manager.
     # @param support_later_versions [Boolean] Whether later versions are supported.
+    # @param version_manager_type [Symbol] The type of entity being deprecated i.e. :language or :package_manager
     # @return [String, nil] The generated description or nil if no supported versions are provided.
     sig do
       params(
         supported_versions: T.nilable(T::Array[Dependabot::Version]),
-        support_later_versions: T::Boolean
+        support_later_versions: T::Boolean,
+        version_manager_type: Symbol
       ).returns(String)
     end
-    def self.generate_supported_versions_description(supported_versions, support_later_versions)
-      return "Please upgrade your package manager version" unless supported_versions&.any?
+    def self.generate_supported_versions_description(
+      supported_versions, support_later_versions, version_manager_type = :package_manager
+    )
+      entity_text = version_manager_type == :language ? "language" : "package manager"
+      return "Please upgrade your #{entity_text} version" unless supported_versions&.any?
 
       versions_string = supported_versions.map { |version| "`v#{version}`" }
 
@@ -94,25 +99,28 @@ module Dependabot
       "Please upgrade to one of the following versions: #{versions_string}#{later_description}."
     end
 
-    # Generates a deprecation notice for the given package manager.
-    # @param package_manager [VersionManager] The package manager object.
-    # @return [Notice, nil] The generated deprecation notice or nil if the package manager is not deprecated.
+    # Generates a deprecation notice for the given version manager.
+    # @param version_manager [VersionManager] The version manager object.
+    # @param version_manager_type [Symbol] The version manager type e.g. :language or :package_manager
+    # @return [Notice, nil] The generated deprecation notice or nil if the version manager is not deprecated.
     sig do
       params(
-        package_manager: Ecosystem::VersionManager
+        version_manager: Ecosystem::VersionManager,
+        version_manager_type: Symbol
       ).returns(T.nilable(Notice))
     end
-    def self.generate_pm_deprecation_notice(package_manager)
-      return nil unless package_manager.deprecated?
+    def self.generate_deprecation_notice(version_manager, version_manager_type = :package_manager)
+      return nil unless version_manager.deprecated?
 
       mode = NoticeMode::WARN
       supported_versions_description = generate_supported_versions_description(
-        package_manager.supported_versions,
-        package_manager.support_later_versions?
+        version_manager.supported_versions,
+        version_manager.support_later_versions?,
+        version_manager_type
       )
-      notice_type = "#{package_manager.name}_deprecated_warn"
-      title = "Package manager deprecation notice"
-      description = "Dependabot will stop supporting `#{package_manager.name} v#{package_manager.version}`!"
+      notice_type = "#{version_manager.name}_deprecated_warn"
+      title = version_manager_type == :language ? "Language deprecation notice" : "Package manager deprecation notice"
+      description = "Dependabot will stop supporting `#{version_manager.name} v#{version_manager.detected_version}`!"
 
       ## Add the supported versions to the description
       description += "\n\n#{supported_versions_description}\n" unless supported_versions_description.empty?
@@ -120,7 +128,7 @@ module Dependabot
       Notice.new(
         mode: mode,
         type: notice_type,
-        package_manager_name: package_manager.name,
+        package_manager_name: version_manager.name,
         title: title,
         description: description,
         show_in_pr: true,

data/lib/dependabot/shared_helpers.rb

@@ -7,7 +7,6 @@ require "excon"
 require "fileutils"
 require "json"
 require "open3"
-require "shellwords"
 require "sorbet-runtime"
 require "tmpdir"
 
@@ -17,9 +16,10 @@ require "dependabot/utils"
 require "dependabot/errors"
 require "dependabot/workspace"
 require "dependabot"
+require "dependabot/command_helpers"
 
 module Dependabot
-  module SharedHelpers
+  module SharedHelpers # rubocop:disable Metrics/ModuleLength
     extend T::Sig
 
     GIT_CONFIG_GLOBAL_PATH = T.let(File.expand_path(".gitconfig", Utils::BUMP_TMP_DIR_PATH), String)
@@ -121,8 +121,7 @@ module Dependabot
     # Escapes all special characters, e.g. = & | <>
     sig { params(command: String).returns(String) }
     def self.escape_command(command)
-      command_parts = command.split.map(&:strip).reject(&:empty?)
-      Shellwords.join(command_parts)
+      CommandHelpers.escape_command(command)
     end
 
     # rubocop:disable Metrics/MethodLength
@@ -135,14 +134,16 @@ module Dependabot
         env: T.nilable(T::Hash[String, String]),
         stderr_to_stdout: T::Boolean,
         allow_unsafe_shell_command: T::Boolean,
-        error_class: T.class_of(HelperSubprocessFailed)
+        error_class: T.class_of(HelperSubprocessFailed),
+        timeout: Integer
       )
         .returns(T.nilable(T.any(String, T::Hash[String, T.untyped], T::Array[T::Hash[String, T.untyped]])))
     end
     def self.run_helper_subprocess(command:, function:, args:, env: nil,
                                    stderr_to_stdout: false,
                                    allow_unsafe_shell_command: false,
-                                   error_class: HelperSubprocessFailed)
+                                   error_class: HelperSubprocessFailed,
+                                   timeout: CommandHelpers::TIMEOUTS::DEFAULT)
       start = Time.now
       stdin_data = JSON.dump(function: function, args: args)
       cmd = allow_unsafe_shell_command ? command : escape_command(command)
@@ -157,7 +158,15 @@ module Dependabot
       end
 
       env_cmd = [env, cmd].compact
-      stdout, stderr, process = T.unsafe(Open3).capture3(*env_cmd, stdin_data: stdin_data)
+      if Experiments.enabled?(:enable_shared_helpers_command_timeout)
+        stdout, stderr, process = CommandHelpers.capture3_with_timeout(
+          env_cmd,
+          stdin_data: stdin_data,
+          timeout: timeout
+        )
+      else
+        stdout, stderr, process = T.unsafe(Open3).capture3(*env_cmd, stdin_data: stdin_data)
+      end
       time_taken = Time.now - start
 
       if ENV["DEBUG_HELPERS"] == "true"
@@ -177,16 +186,16 @@ module Dependabot
         function: function,
         args: args,
         time_taken: time_taken,
-        stderr_output: stderr ? stderr[0..50_000] : "", # Truncate to ~100kb
+        stderr_output: stderr[0..50_000], # Truncate to ~100kb
         process_exit_value: process.to_s,
-        process_termsig: process.termsig
+        process_termsig: process&.termsig
       }
 
       check_out_of_memory_error(stderr, error_context, error_class)
 
       begin
         response = JSON.parse(stdout)
-        return response["result"] if process.success?
+        return response["result"] if process&.success?
 
         raise error_class.new(
           message: response["error"],
@@ -415,6 +424,7 @@ module Dependabot
       safe_directories
     end
 
+    # rubocop:disable Metrics/PerceivedComplexity
     sig do
       params(
         command: String,
@@ -422,7 +432,8 @@ module Dependabot
         cwd: T.nilable(String),
         env: T.nilable(T::Hash[String, String]),
         fingerprint: T.nilable(String),
-        stderr_to_stdout: T::Boolean
+        stderr_to_stdout: T::Boolean,
+        timeout: Integer
       ).returns(String)
     end
     def self.run_shell_command(command,
@@ -430,7 +441,8 @@ module Dependabot
                                cwd: nil,
                                env: {},
                                fingerprint: nil,
-                               stderr_to_stdout: true)
+                               stderr_to_stdout: true,
+                               timeout: CommandHelpers::TIMEOUTS::DEFAULT)
       start = Time.now
       cmd = allow_unsafe_shell_command ? command : escape_command(command)
 
@@ -439,7 +451,14 @@ module Dependabot
       opts = {}
       opts[:chdir] = cwd if cwd
 
-      if stderr_to_stdout
+      env_cmd = [env || {}, cmd, opts].compact
+      if Experiments.enabled?(:enable_shared_helpers_command_timeout)
+        stdout, stderr, process = CommandHelpers.capture3_with_timeout(
+          env_cmd,
+          stderr_to_stdout: stderr_to_stdout,
+          timeout: timeout
+        )
+      elsif stderr_to_stdout
         stdout, process = Open3.capture2e(env || {}, cmd, opts)
       else
         stdout, stderr, process = Open3.capture3(env || {}, cmd, opts)
@@ -449,7 +468,7 @@ module Dependabot
 
       # Raise an error with the output from the shell session if the
       # command returns a non-zero status
-      return stdout if process.success?
+      return stdout || "" if process&.success?
 
       error_context = {
         command: cmd,
@@ -461,10 +480,11 @@ module Dependabot
       check_out_of_disk_memory_error(stderr, error_context)
 
       raise SharedHelpers::HelperSubprocessFailed.new(
-        message: stderr_to_stdout ? stdout : "#{stderr}\n#{stdout}",
+        message: stderr_to_stdout ? (stdout || "") : "#{stderr}\n#{stdout}",
         error_context: error_context
       )
     end
+    # rubocop:enable Metrics/PerceivedComplexity
 
     sig { params(stderr: T.nilable(String), error_context: T::Hash[Symbol, String]).void }
     def self.check_out_of_disk_memory_error(stderr, error_context)

data/lib/dependabot/workspace/git.rb

@@ -87,7 +87,7 @@ module Dependabot
 
       sig { returns(String) }
       def head_sha
-        run_shell_command("git rev-parse HEAD").strip
+        run_shell_command("git rev-parse HEAD", stderr_to_stdout: false).strip
       end
 
       sig { returns(String) }

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.290.0"
+  VERSION = "0.292.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.290.0
+  version: 0.292.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-12 00:00:00.000000000 Z
+date: 2025-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -531,6 +531,7 @@ files:
 - lib/dependabot/clients/codecommit.rb
 - lib/dependabot/clients/github_with_retries.rb
 - lib/dependabot/clients/gitlab_with_retries.rb
+- lib/dependabot/command_helpers.rb
 - lib/dependabot/config.rb
 - lib/dependabot/config/file.rb
 - lib/dependabot/config/file_fetcher.rb
@@ -614,7 +615,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.290.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.292.0
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -630,7 +631,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.3.7
 requirements: []
-rubygems_version: 3.5.9
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Shared code used across Dependabot Core