dependabot-common 0.306.0 → 0.309.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b40fc48efa5a7a782c3817f5c1bf9bebdff9baf60d546245f18c0747eed4ec6b
-  data.tar.gz: a9850885d117e93cca47900df61e6900c4aa5475ebd49ad68c512f57f4c6c6c8
+  metadata.gz: 10f070d6c3b5e109381e3c56635049cc30bcebbdfec2958cf7f29121402a1ebd
+  data.tar.gz: 1973d67a820a16c8d3b645602ccc34ac852fc916aa618a4910c2c2d056aef67d
 SHA512:
-  metadata.gz: 96f3238aa188c4ee53aa3fc7c625f13c2828c9181cd8a165600b4b42799c688f00b7bc5c9778ae6495e54d6e92abc84a508487af3fdf55a87854ea31446492a8
-  data.tar.gz: 772caff8b8fd3b1f08c24bf19a3e6e4cd677a60f82521aba1a0f5d521d63a05dc908296917a114b7d7f658e1fe14f7755647090af428db031d783571a0a73fe5
+  metadata.gz: f4ba5d04950b7d0c9cf206a1f0e7f4922d6860cf4a60749a6559b74b2b96944785aa18c137592fe5e7cb1dd3bd2658f017966f7eb0c90e2deb9610a635dc4b32
+  data.tar.gz: 600b87611c5b30f1429a0bfa0de814b912579904d54f9d281659b41edc5d4abe03e8ff2c8b7971fb3aa46c259b62e8974fea16a6fa4fb7ce51fd0f62fbc547e6

data/lib/dependabot/package/package_latest_version_finder.rb

@@ -81,24 +81,24 @@ module Dependabot
       end
 
       sig do
-        params(language_version: T.nilable(T.any(String, Version)))
-          .returns(T.nilable(Gem::Version))
+        params(language_version: T.nilable(T.any(String, Dependabot::Version)))
+          .returns(T.nilable(Dependabot::Version))
       end
       def latest_version(language_version: nil)
         @latest_version ||= fetch_latest_version(language_version: language_version)
       end
 
       sig do
-        params(language_version: T.nilable(T.any(String, Version)))
-          .returns(T.nilable(Gem::Version))
+        params(language_version: T.nilable(T.any(String, Dependabot::Version)))
+          .returns(T.nilable(Dependabot::Version))
       end
       def latest_version_with_no_unlock(language_version: nil)
         @latest_version_with_no_unlock ||= fetch_latest_version_with_no_unlock(language_version: language_version)
       end
 
       sig do
-        params(language_version: T.nilable(T.any(String, Version)))
-          .returns(T.nilable(Gem::Version))
+        params(language_version: T.nilable(T.any(String, Dependabot::Version)))
+          .returns(T.nilable(Dependabot::Version))
       end
       def lowest_security_fix_version(language_version: nil)
         @lowest_security_fix_version ||= fetch_lowest_security_fix_version(language_version: language_version)
@@ -117,71 +117,78 @@ module Dependabot
       protected
 
       sig do
-        params(language_version: T.nilable(T.any(String, Version)))
+        params(language_version: T.nilable(T.any(String, Dependabot::Version)))
           .returns(T.nilable(Dependabot::Version))
       end
       def fetch_latest_version(language_version: nil)
-        version_hashes = available_versions
-        return unless version_hashes
-
-        version_hashes = filter_yanked_versions(version_hashes)
-        version_hashes = filter_by_cooldown(version_hashes)
-        versions = filter_unsupported_versions(version_hashes, language_version)
-        versions = filter_prerelease_versions(versions)
-        versions = filter_ignored_versions(versions)
-        versions = apply_post_fetch_latest_versions_filter(versions)
-        versions.max
-      end
+        releases = available_versions
+        return unless releases
 
-      sig { params(versions: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
-      def apply_post_fetch_latest_versions_filter(versions)
-        versions
+        releases = filter_yanked_versions(releases)
+        releases = filter_by_cooldown(releases)
+        releases = filter_unsupported_versions(releases, language_version)
+        releases = filter_prerelease_versions(releases)
+        releases = filter_ignored_versions(releases)
+        releases = apply_post_fetch_latest_versions_filter(releases)
+        releases.max_by(&:version)&.version
       end
 
       sig do
-        params(language_version: T.nilable(T.any(String, Version)))
+        params(language_version: T.nilable(T.any(String, Dependabot::Version)))
           .returns(T.nilable(Dependabot::Version))
       end
       def fetch_latest_version_with_no_unlock(language_version:)
-        version_hashes = available_versions
-        return unless version_hashes
+        releases = available_versions
+        return unless releases
 
-        version_hashes = filter_yanked_versions(version_hashes)
-        version_hashes = filter_by_cooldown(version_hashes)
-        versions = filter_unsupported_versions(version_hashes, language_version)
-        versions = filter_prerelease_versions(versions)
-        versions = filter_ignored_versions(versions)
-        versions = filter_out_of_range_versions(versions)
-        versions = apply_post_fetch_latest_versions_filter(versions)
-        versions.max
+        releases = filter_yanked_versions(releases)
+        releases = filter_by_cooldown(releases)
+        releases = filter_unsupported_versions(releases, language_version)
+        releases = filter_prerelease_versions(releases)
+        releases = filter_ignored_versions(releases)
+        releases = filter_out_of_range_versions(releases)
+        releases = apply_post_fetch_latest_versions_filter(releases)
+        releases.max_by(&:version)&.version
       end
 
       sig do
-        params(language_version: T.nilable(T.any(String, Version)))
+        params(language_version: T.nilable(T.any(String, Dependabot::Version)))
           .returns(T.nilable(Dependabot::Version))
       end
-      def fetch_lowest_security_fix_version(language_version:)
-        version_hashes = available_versions
-        return unless version_hashes
+      def fetch_lowest_security_fix_version(language_version: nil)
+        releases = available_versions
+        return unless releases
 
-        version_hashes = filter_yanked_versions(version_hashes)
-        version_hashes = filter_by_cooldown(version_hashes)
-        versions = filter_unsupported_versions(version_hashes, language_version)
+        releases = filter_yanked_versions(releases)
+        releases = filter_by_cooldown(releases)
+        releases = filter_unsupported_versions(releases, language_version)
         # versions = filter_prerelease_versions(versions)
-        versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(
-          versions,
-          security_advisories
-        )
-        versions = filter_ignored_versions(versions)
-        versions = filter_lower_versions(versions)
-        versions = apply_post_fetch_lowest_security_fix_versions_filter(versions)
+        releases = Dependabot::UpdateCheckers::VersionFilters
+                   .filter_vulnerable_versions(
+                     releases,
+                     security_advisories
+                   )
+        releases = filter_ignored_versions(releases)
+        releases = filter_lower_versions(releases)
+        releases = apply_post_fetch_lowest_security_fix_versions_filter(releases)
 
-        versions.min
+        releases.min_by(&:version)&.version
       end
 
-      sig { params(versions: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
-      def apply_post_fetch_lowest_security_fix_versions_filter(versions)
-        versions
+      sig do
+        params(releases: T::Array[Dependabot::Package::PackageRelease])
+          .returns(T::Array[Dependabot::Package::PackageRelease])
+      end
+      def apply_post_fetch_latest_versions_filter(releases)
+        releases
+      end
+
+      sig do
+        params(releases: T::Array[Dependabot::Package::PackageRelease])
+          .returns(T::Array[Dependabot::Package::PackageRelease])
+      end
+      def apply_post_fetch_lowest_security_fix_versions_filter(releases)
+        releases
       end
 
       sig do
@@ -222,18 +229,18 @@ module Dependabot
       sig do
         params(
           releases: T::Array[Dependabot::Package::PackageRelease],
-          language_version: T.nilable(T.any(String, Version))
+          language_version: T.nilable(T.any(String, Dependabot::Version))
         )
-          .returns(T::Array[Dependabot::Version])
+          .returns(T::Array[Dependabot::Package::PackageRelease])
       end
       def filter_unsupported_versions(releases, language_version)
         filtered = releases.filter_map do |release|
           language_requirement = release.language&.requirement
-          next release.version unless language_version
-          next release.version unless language_requirement
+          next release unless language_version
+          next release unless language_requirement
           next unless language_requirement.satisfied_by?(language_version)
 
-          release.version
+          release
         end
         if releases.count > filtered.count
           delta = releases.count - filtered.count
@@ -243,61 +250,69 @@ module Dependabot
       end
 
       sig do
-        params(versions_array: T::Array[Dependabot::Version])
-          .returns(T::Array[Dependabot::Version])
+        params(releases: T::Array[Dependabot::Package::PackageRelease])
+          .returns(T::Array[Dependabot::Package::PackageRelease])
       end
-      def filter_prerelease_versions(versions_array)
-        return versions_array if wants_prerelease?
+      def filter_prerelease_versions(releases)
+        return releases if wants_prerelease?
 
-        filtered = versions_array.reject(&:prerelease?)
+        filtered = releases.reject { |release| release.version.prerelease? }
 
-        if versions_array.count > filtered.count
-          Dependabot.logger.info("Filtered out #{versions_array.count - filtered.count} pre-release versions")
+        if releases.count > filtered.count
+          Dependabot.logger.info("Filtered out #{releases.count - filtered.count} pre-release versions")
         end
 
         filtered
       end
 
       sig do
-        params(versions_array: T::Array[Dependabot::Version])
-          .returns(T::Array[Dependabot::Version])
+        params(releases: T::Array[Dependabot::Package::PackageRelease])
+          .returns(T::Array[Dependabot::Package::PackageRelease])
       end
-      def filter_ignored_versions(versions_array)
-        filtered = versions_array
-                   .reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
-        if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(versions_array).any?
+      def filter_ignored_versions(releases)
+        filtered = releases
+                   .reject do |release|
+          ignore_requirements.any? do |r|
+            r.satisfied_by?(release.version)
+          end
+        end
+        if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(releases).any?
           raise Dependabot::AllVersionsIgnored
         end
 
-        if versions_array.count > filtered.count
-          Dependabot.logger.info("Filtered out #{versions_array.count - filtered.count} ignored versions")
+        if releases.count > filtered.count
+          Dependabot.logger.info("Filtered out #{releases.count - filtered.count} ignored versions")
         end
         filtered
       end
 
       sig do
-        params(versions_array: T::Array[Dependabot::Version])
-          .returns(T::Array[Dependabot::Version])
+        params(releases: T::Array[Dependabot::Package::PackageRelease])
+          .returns(T::Array[Dependabot::Package::PackageRelease])
       end
-      def filter_lower_versions(versions_array)
-        return versions_array unless dependency.numeric_version
+      def filter_lower_versions(releases)
+        return releases unless dependency.numeric_version
 
-        versions_array.select { |version| version > dependency.numeric_version }
+        releases.select { |release| release.version > dependency.numeric_version }
       end
 
       sig do
-        params(versions_array: T::Array[Dependabot::Version])
-          .returns(T::Array[Dependabot::Version])
+        params(releases: T::Array[Dependabot::Package::PackageRelease])
+          .returns(T::Array[Dependabot::Package::PackageRelease])
       end
-      def filter_out_of_range_versions(versions_array)
+      def filter_out_of_range_versions(releases)
         reqs = dependency.requirements.filter_map do |r|
           next if r.fetch(:requirement).nil?
 
           requirement_class.requirements_array(r.fetch(:requirement))
         end
 
-        versions_array
-          .select { |v| reqs.all? { |r| r.any? { |o| o.satisfied_by?(v) } } }
+        releases
+          .select do |release|
+          reqs.all? do |r|
+            r.any? { |o| o.satisfied_by?(release.version) }
+          end
+        end
       end
 
       sig { returns(T::Boolean) }
@@ -335,6 +350,7 @@ module Dependabot
 
         cooldown.default_days
       end
+
       sig { returns(T::Boolean) }
       def wants_prerelease?
         return version_class.new(dependency.version).prerelease? if dependency.version

data/lib/dependabot/package/package_release.rb

@@ -84,6 +84,18 @@ module Dependabot
       def yanked?
         @yanked
       end
+
+      sig { params(other: Object).returns(T::Boolean) }
+      def ==(other)
+        return false unless other.is_a?(PackageRelease)
+
+        version == other.version
+      end
+
+      sig { returns(String) }
+      def to_s
+        version.to_s
+      end
     end
   end
 end

data/lib/dependabot/update_checkers/version_filters.rb

@@ -1,6 +1,8 @@
 # typed: strong
 # frozen_string_literal: true
 
+require "dependabot/security_advisory"
+require "dependabot/package/package_release"
 require "sorbet-runtime"
 
 module Dependabot
@@ -19,7 +21,8 @@ module Dependabot
             versions_array: T::Array[
               T.any(
                 T.all(T.type_parameter(:T), Gem::Version),
-                T.all(T.type_parameter(:T), T::Hash[Symbol, Gem::Version])
+                T.all(T.type_parameter(:T), T::Hash[Symbol, Gem::Version]),
+                T.all(T.type_parameter(:T), Dependabot::Package::PackageRelease)
               )],
             security_advisories: T::Array[SecurityAdvisory]
           )
@@ -30,6 +33,8 @@ module Dependabot
           security_advisories.any? do |a|
             if v.is_a?(Gem::Version)
               a.vulnerable?(v)
+            elsif v.is_a?(Dependabot::Package::PackageRelease)
+              a.vulnerable?(v.version)
             else
               a.vulnerable?(v.fetch(:version))
             end

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.306.0"
+  VERSION = "0.309.0"
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.306.0
+  version: 0.309.0
 platform: ruby
 authors:
 - Dependabot
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-10 00:00:00.000000000 Z
+date: 2025-04-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -628,8 +627,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.306.0
-post_install_message:
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.309.0
 rdoc_options: []
 require_paths:
 - lib
@@ -644,8 +642,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.3.7
 requirements: []
-rubygems_version: 3.5.22
-signing_key:
+rubygems_version: 3.6.3
 specification_version: 4
 summary: Shared code used across Dependabot Core
 test_files: []