dependabot-common 0.308.0 → 0.309.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 10f070d6c3b5e109381e3c56635049cc30bcebbdfec2958cf7f29121402a1ebd
|
|
4
|
+
data.tar.gz: 1973d67a820a16c8d3b645602ccc34ac852fc916aa618a4910c2c2d056aef67d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f4ba5d04950b7d0c9cf206a1f0e7f4922d6860cf4a60749a6559b74b2b96944785aa18c137592fe5e7cb1dd3bd2658f017966f7eb0c90e2deb9610a635dc4b32
|
|
7
|
+
data.tar.gz: 600b87611c5b30f1429a0bfa0de814b912579904d54f9d281659b41edc5d4abe03e8ff2c8b7971fb3aa46c259b62e8974fea16a6fa4fb7ce51fd0f62fbc547e6
|
|
@@ -81,24 +81,24 @@ module Dependabot
|
|
|
81
81
|
end
|
|
82
82
|
|
|
83
83
|
sig do
|
|
84
|
-
params(language_version: T.nilable(T.any(String, Version)))
|
|
85
|
-
.returns(T.nilable(
|
|
84
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
85
|
+
.returns(T.nilable(Dependabot::Version))
|
|
86
86
|
end
|
|
87
87
|
def latest_version(language_version: nil)
|
|
88
88
|
@latest_version ||= fetch_latest_version(language_version: language_version)
|
|
89
89
|
end
|
|
90
90
|
|
|
91
91
|
sig do
|
|
92
|
-
params(language_version: T.nilable(T.any(String, Version)))
|
|
93
|
-
.returns(T.nilable(
|
|
92
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
93
|
+
.returns(T.nilable(Dependabot::Version))
|
|
94
94
|
end
|
|
95
95
|
def latest_version_with_no_unlock(language_version: nil)
|
|
96
96
|
@latest_version_with_no_unlock ||= fetch_latest_version_with_no_unlock(language_version: language_version)
|
|
97
97
|
end
|
|
98
98
|
|
|
99
99
|
sig do
|
|
100
|
-
params(language_version: T.nilable(T.any(String, Version)))
|
|
101
|
-
.returns(T.nilable(
|
|
100
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
101
|
+
.returns(T.nilable(Dependabot::Version))
|
|
102
102
|
end
|
|
103
103
|
def lowest_security_fix_version(language_version: nil)
|
|
104
104
|
@lowest_security_fix_version ||= fetch_lowest_security_fix_version(language_version: language_version)
|
|
@@ -117,71 +117,78 @@ module Dependabot
|
|
|
117
117
|
protected
|
|
118
118
|
|
|
119
119
|
sig do
|
|
120
|
-
params(language_version: T.nilable(T.any(String, Version)))
|
|
120
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
121
121
|
.returns(T.nilable(Dependabot::Version))
|
|
122
122
|
end
|
|
123
123
|
def fetch_latest_version(language_version: nil)
|
|
124
|
-
|
|
125
|
-
return unless
|
|
126
|
-
|
|
127
|
-
version_hashes = filter_yanked_versions(version_hashes)
|
|
128
|
-
version_hashes = filter_by_cooldown(version_hashes)
|
|
129
|
-
versions = filter_unsupported_versions(version_hashes, language_version)
|
|
130
|
-
versions = filter_prerelease_versions(versions)
|
|
131
|
-
versions = filter_ignored_versions(versions)
|
|
132
|
-
versions = apply_post_fetch_latest_versions_filter(versions)
|
|
133
|
-
versions.max
|
|
134
|
-
end
|
|
124
|
+
releases = available_versions
|
|
125
|
+
return unless releases
|
|
135
126
|
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
127
|
+
releases = filter_yanked_versions(releases)
|
|
128
|
+
releases = filter_by_cooldown(releases)
|
|
129
|
+
releases = filter_unsupported_versions(releases, language_version)
|
|
130
|
+
releases = filter_prerelease_versions(releases)
|
|
131
|
+
releases = filter_ignored_versions(releases)
|
|
132
|
+
releases = apply_post_fetch_latest_versions_filter(releases)
|
|
133
|
+
releases.max_by(&:version)&.version
|
|
139
134
|
end
|
|
140
135
|
|
|
141
136
|
sig do
|
|
142
|
-
params(language_version: T.nilable(T.any(String, Version)))
|
|
137
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
143
138
|
.returns(T.nilable(Dependabot::Version))
|
|
144
139
|
end
|
|
145
140
|
def fetch_latest_version_with_no_unlock(language_version:)
|
|
146
|
-
|
|
147
|
-
return unless
|
|
141
|
+
releases = available_versions
|
|
142
|
+
return unless releases
|
|
148
143
|
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
144
|
+
releases = filter_yanked_versions(releases)
|
|
145
|
+
releases = filter_by_cooldown(releases)
|
|
146
|
+
releases = filter_unsupported_versions(releases, language_version)
|
|
147
|
+
releases = filter_prerelease_versions(releases)
|
|
148
|
+
releases = filter_ignored_versions(releases)
|
|
149
|
+
releases = filter_out_of_range_versions(releases)
|
|
150
|
+
releases = apply_post_fetch_latest_versions_filter(releases)
|
|
151
|
+
releases.max_by(&:version)&.version
|
|
157
152
|
end
|
|
158
153
|
|
|
159
154
|
sig do
|
|
160
|
-
params(language_version: T.nilable(T.any(String, Version)))
|
|
155
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
161
156
|
.returns(T.nilable(Dependabot::Version))
|
|
162
157
|
end
|
|
163
|
-
def fetch_lowest_security_fix_version(language_version:)
|
|
164
|
-
|
|
165
|
-
return unless
|
|
158
|
+
def fetch_lowest_security_fix_version(language_version: nil)
|
|
159
|
+
releases = available_versions
|
|
160
|
+
return unless releases
|
|
166
161
|
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
162
|
+
releases = filter_yanked_versions(releases)
|
|
163
|
+
releases = filter_by_cooldown(releases)
|
|
164
|
+
releases = filter_unsupported_versions(releases, language_version)
|
|
170
165
|
# versions = filter_prerelease_versions(versions)
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
166
|
+
releases = Dependabot::UpdateCheckers::VersionFilters
|
|
167
|
+
.filter_vulnerable_versions(
|
|
168
|
+
releases,
|
|
169
|
+
security_advisories
|
|
170
|
+
)
|
|
171
|
+
releases = filter_ignored_versions(releases)
|
|
172
|
+
releases = filter_lower_versions(releases)
|
|
173
|
+
releases = apply_post_fetch_lowest_security_fix_versions_filter(releases)
|
|
178
174
|
|
|
179
|
-
|
|
175
|
+
releases.min_by(&:version)&.version
|
|
180
176
|
end
|
|
181
177
|
|
|
182
|
-
sig
|
|
183
|
-
|
|
184
|
-
|
|
178
|
+
sig do
|
|
179
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
180
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
181
|
+
end
|
|
182
|
+
def apply_post_fetch_latest_versions_filter(releases)
|
|
183
|
+
releases
|
|
184
|
+
end
|
|
185
|
+
|
|
186
|
+
sig do
|
|
187
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
188
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
189
|
+
end
|
|
190
|
+
def apply_post_fetch_lowest_security_fix_versions_filter(releases)
|
|
191
|
+
releases
|
|
185
192
|
end
|
|
186
193
|
|
|
187
194
|
sig do
|
|
@@ -222,18 +229,18 @@ module Dependabot
|
|
|
222
229
|
sig do
|
|
223
230
|
params(
|
|
224
231
|
releases: T::Array[Dependabot::Package::PackageRelease],
|
|
225
|
-
language_version: T.nilable(T.any(String, Version))
|
|
232
|
+
language_version: T.nilable(T.any(String, Dependabot::Version))
|
|
226
233
|
)
|
|
227
|
-
.returns(T::Array[Dependabot::
|
|
234
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
228
235
|
end
|
|
229
236
|
def filter_unsupported_versions(releases, language_version)
|
|
230
237
|
filtered = releases.filter_map do |release|
|
|
231
238
|
language_requirement = release.language&.requirement
|
|
232
|
-
next release
|
|
233
|
-
next release
|
|
239
|
+
next release unless language_version
|
|
240
|
+
next release unless language_requirement
|
|
234
241
|
next unless language_requirement.satisfied_by?(language_version)
|
|
235
242
|
|
|
236
|
-
release
|
|
243
|
+
release
|
|
237
244
|
end
|
|
238
245
|
if releases.count > filtered.count
|
|
239
246
|
delta = releases.count - filtered.count
|
|
@@ -243,61 +250,69 @@ module Dependabot
|
|
|
243
250
|
end
|
|
244
251
|
|
|
245
252
|
sig do
|
|
246
|
-
params(
|
|
247
|
-
.returns(T::Array[Dependabot::
|
|
253
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
254
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
248
255
|
end
|
|
249
|
-
def filter_prerelease_versions(
|
|
250
|
-
return
|
|
256
|
+
def filter_prerelease_versions(releases)
|
|
257
|
+
return releases if wants_prerelease?
|
|
251
258
|
|
|
252
|
-
filtered =
|
|
259
|
+
filtered = releases.reject { |release| release.version.prerelease? }
|
|
253
260
|
|
|
254
|
-
if
|
|
255
|
-
Dependabot.logger.info("Filtered out #{
|
|
261
|
+
if releases.count > filtered.count
|
|
262
|
+
Dependabot.logger.info("Filtered out #{releases.count - filtered.count} pre-release versions")
|
|
256
263
|
end
|
|
257
264
|
|
|
258
265
|
filtered
|
|
259
266
|
end
|
|
260
267
|
|
|
261
268
|
sig do
|
|
262
|
-
params(
|
|
263
|
-
.returns(T::Array[Dependabot::
|
|
269
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
270
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
264
271
|
end
|
|
265
|
-
def filter_ignored_versions(
|
|
266
|
-
filtered =
|
|
267
|
-
.reject
|
|
268
|
-
|
|
272
|
+
def filter_ignored_versions(releases)
|
|
273
|
+
filtered = releases
|
|
274
|
+
.reject do |release|
|
|
275
|
+
ignore_requirements.any? do |r|
|
|
276
|
+
r.satisfied_by?(release.version)
|
|
277
|
+
end
|
|
278
|
+
end
|
|
279
|
+
if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(releases).any?
|
|
269
280
|
raise Dependabot::AllVersionsIgnored
|
|
270
281
|
end
|
|
271
282
|
|
|
272
|
-
if
|
|
273
|
-
Dependabot.logger.info("Filtered out #{
|
|
283
|
+
if releases.count > filtered.count
|
|
284
|
+
Dependabot.logger.info("Filtered out #{releases.count - filtered.count} ignored versions")
|
|
274
285
|
end
|
|
275
286
|
filtered
|
|
276
287
|
end
|
|
277
288
|
|
|
278
289
|
sig do
|
|
279
|
-
params(
|
|
280
|
-
.returns(T::Array[Dependabot::
|
|
290
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
291
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
281
292
|
end
|
|
282
|
-
def filter_lower_versions(
|
|
283
|
-
return
|
|
293
|
+
def filter_lower_versions(releases)
|
|
294
|
+
return releases unless dependency.numeric_version
|
|
284
295
|
|
|
285
|
-
|
|
296
|
+
releases.select { |release| release.version > dependency.numeric_version }
|
|
286
297
|
end
|
|
287
298
|
|
|
288
299
|
sig do
|
|
289
|
-
params(
|
|
290
|
-
.returns(T::Array[Dependabot::
|
|
300
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
301
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
291
302
|
end
|
|
292
|
-
def filter_out_of_range_versions(
|
|
303
|
+
def filter_out_of_range_versions(releases)
|
|
293
304
|
reqs = dependency.requirements.filter_map do |r|
|
|
294
305
|
next if r.fetch(:requirement).nil?
|
|
295
306
|
|
|
296
307
|
requirement_class.requirements_array(r.fetch(:requirement))
|
|
297
308
|
end
|
|
298
309
|
|
|
299
|
-
|
|
300
|
-
.select
|
|
310
|
+
releases
|
|
311
|
+
.select do |release|
|
|
312
|
+
reqs.all? do |r|
|
|
313
|
+
r.any? { |o| o.satisfied_by?(release.version) }
|
|
314
|
+
end
|
|
315
|
+
end
|
|
301
316
|
end
|
|
302
317
|
|
|
303
318
|
sig { returns(T::Boolean) }
|
|
@@ -335,6 +350,7 @@ module Dependabot
|
|
|
335
350
|
|
|
336
351
|
cooldown.default_days
|
|
337
352
|
end
|
|
353
|
+
|
|
338
354
|
sig { returns(T::Boolean) }
|
|
339
355
|
def wants_prerelease?
|
|
340
356
|
return version_class.new(dependency.version).prerelease? if dependency.version
|
|
@@ -84,6 +84,18 @@ module Dependabot
|
|
|
84
84
|
def yanked?
|
|
85
85
|
@yanked
|
|
86
86
|
end
|
|
87
|
+
|
|
88
|
+
sig { params(other: Object).returns(T::Boolean) }
|
|
89
|
+
def ==(other)
|
|
90
|
+
return false unless other.is_a?(PackageRelease)
|
|
91
|
+
|
|
92
|
+
version == other.version
|
|
93
|
+
end
|
|
94
|
+
|
|
95
|
+
sig { returns(String) }
|
|
96
|
+
def to_s
|
|
97
|
+
version.to_s
|
|
98
|
+
end
|
|
87
99
|
end
|
|
88
100
|
end
|
|
89
101
|
end
|
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "dependabot/security_advisory"
|
|
5
|
+
require "dependabot/package/package_release"
|
|
4
6
|
require "sorbet-runtime"
|
|
5
7
|
|
|
6
8
|
module Dependabot
|
|
@@ -19,7 +21,8 @@ module Dependabot
|
|
|
19
21
|
versions_array: T::Array[
|
|
20
22
|
T.any(
|
|
21
23
|
T.all(T.type_parameter(:T), Gem::Version),
|
|
22
|
-
T.all(T.type_parameter(:T), T::Hash[Symbol, Gem::Version])
|
|
24
|
+
T.all(T.type_parameter(:T), T::Hash[Symbol, Gem::Version]),
|
|
25
|
+
T.all(T.type_parameter(:T), Dependabot::Package::PackageRelease)
|
|
23
26
|
)],
|
|
24
27
|
security_advisories: T::Array[SecurityAdvisory]
|
|
25
28
|
)
|
|
@@ -30,6 +33,8 @@ module Dependabot
|
|
|
30
33
|
security_advisories.any? do |a|
|
|
31
34
|
if v.is_a?(Gem::Version)
|
|
32
35
|
a.vulnerable?(v)
|
|
36
|
+
elsif v.is_a?(Dependabot::Package::PackageRelease)
|
|
37
|
+
a.vulnerable?(v.version)
|
|
33
38
|
else
|
|
34
39
|
a.vulnerable?(v.fetch(:version))
|
|
35
40
|
end
|
data/lib/dependabot.rb
CHANGED
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-common
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.309.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
bindir: bin
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2025-04-
|
|
10
|
+
date: 2025-04-17 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: aws-sdk-codecommit
|
|
@@ -627,7 +627,7 @@ licenses:
|
|
|
627
627
|
- MIT
|
|
628
628
|
metadata:
|
|
629
629
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
630
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
630
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.309.0
|
|
631
631
|
rdoc_options: []
|
|
632
632
|
require_paths:
|
|
633
633
|
- lib
|