dependabot-common 0.308.0 → 0.310.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 618d4098b2362e8af62f7c1c095ecdbd8a1ef607f2b9331fc89b955bbcd418ab
|
|
4
|
+
data.tar.gz: d879b882612d81c2d337ede1049a93d9e249cf52b2d2dd9ebc64396805ab548e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 02af645b7369f659fd475c4b09b218e24fde7aba983ef43965aaccc2f329265901b62d2ad15b62163e385a6cbfc450202ccfe29c32a23ca9c67c3430f63de474
|
|
7
|
+
data.tar.gz: f6ac8fedec46a75ec2c0416977824f3d8be509494b8a64ace5c51292015b13b4ea33411d5b35c4ad76fe94d57dd9f917629191f78d39dc56cd248c0f2aaf31b0
|
|
@@ -19,6 +19,8 @@ module Dependabot
|
|
|
19
19
|
extend T::Sig
|
|
20
20
|
extend T::Helpers
|
|
21
21
|
|
|
22
|
+
DAY_IN_SECONDS = T.let(24 * 60 * 60, Integer)
|
|
23
|
+
|
|
22
24
|
abstract!
|
|
23
25
|
|
|
24
26
|
sig { returns(Dependabot::Dependency) }
|
|
@@ -81,24 +83,24 @@ module Dependabot
|
|
|
81
83
|
end
|
|
82
84
|
|
|
83
85
|
sig do
|
|
84
|
-
params(language_version: T.nilable(T.any(String, Version)))
|
|
85
|
-
.returns(T.nilable(
|
|
86
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
87
|
+
.returns(T.nilable(Dependabot::Version))
|
|
86
88
|
end
|
|
87
89
|
def latest_version(language_version: nil)
|
|
88
90
|
@latest_version ||= fetch_latest_version(language_version: language_version)
|
|
89
91
|
end
|
|
90
92
|
|
|
91
93
|
sig do
|
|
92
|
-
params(language_version: T.nilable(T.any(String, Version)))
|
|
93
|
-
.returns(T.nilable(
|
|
94
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
95
|
+
.returns(T.nilable(Dependabot::Version))
|
|
94
96
|
end
|
|
95
97
|
def latest_version_with_no_unlock(language_version: nil)
|
|
96
98
|
@latest_version_with_no_unlock ||= fetch_latest_version_with_no_unlock(language_version: language_version)
|
|
97
99
|
end
|
|
98
100
|
|
|
99
101
|
sig do
|
|
100
|
-
params(language_version: T.nilable(T.any(String, Version)))
|
|
101
|
-
.returns(T.nilable(
|
|
102
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
103
|
+
.returns(T.nilable(Dependabot::Version))
|
|
102
104
|
end
|
|
103
105
|
def lowest_security_fix_version(language_version: nil)
|
|
104
106
|
@lowest_security_fix_version ||= fetch_lowest_security_fix_version(language_version: language_version)
|
|
@@ -117,71 +119,77 @@ module Dependabot
|
|
|
117
119
|
protected
|
|
118
120
|
|
|
119
121
|
sig do
|
|
120
|
-
params(language_version: T.nilable(T.any(String, Version)))
|
|
122
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
121
123
|
.returns(T.nilable(Dependabot::Version))
|
|
122
124
|
end
|
|
123
125
|
def fetch_latest_version(language_version: nil)
|
|
124
|
-
|
|
125
|
-
return unless
|
|
126
|
-
|
|
127
|
-
version_hashes = filter_yanked_versions(version_hashes)
|
|
128
|
-
version_hashes = filter_by_cooldown(version_hashes)
|
|
129
|
-
versions = filter_unsupported_versions(version_hashes, language_version)
|
|
130
|
-
versions = filter_prerelease_versions(versions)
|
|
131
|
-
versions = filter_ignored_versions(versions)
|
|
132
|
-
versions = apply_post_fetch_latest_versions_filter(versions)
|
|
133
|
-
versions.max
|
|
134
|
-
end
|
|
126
|
+
releases = available_versions
|
|
127
|
+
return unless releases
|
|
135
128
|
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
129
|
+
releases = filter_yanked_versions(releases)
|
|
130
|
+
releases = filter_by_cooldown(releases)
|
|
131
|
+
releases = filter_unsupported_versions(releases, language_version)
|
|
132
|
+
releases = filter_prerelease_versions(releases)
|
|
133
|
+
releases = filter_ignored_versions(releases)
|
|
134
|
+
releases = apply_post_fetch_latest_versions_filter(releases)
|
|
135
|
+
releases.max_by(&:version)&.version
|
|
139
136
|
end
|
|
140
137
|
|
|
141
138
|
sig do
|
|
142
|
-
params(language_version: T.nilable(T.any(String, Version)))
|
|
139
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
143
140
|
.returns(T.nilable(Dependabot::Version))
|
|
144
141
|
end
|
|
145
142
|
def fetch_latest_version_with_no_unlock(language_version:)
|
|
146
|
-
|
|
147
|
-
return unless
|
|
143
|
+
releases = available_versions
|
|
144
|
+
return unless releases
|
|
148
145
|
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
146
|
+
releases = filter_yanked_versions(releases)
|
|
147
|
+
releases = filter_by_cooldown(releases)
|
|
148
|
+
releases = filter_unsupported_versions(releases, language_version)
|
|
149
|
+
releases = filter_prerelease_versions(releases)
|
|
150
|
+
releases = filter_ignored_versions(releases)
|
|
151
|
+
releases = filter_out_of_range_versions(releases)
|
|
152
|
+
releases = apply_post_fetch_latest_versions_filter(releases)
|
|
153
|
+
releases.max_by(&:version)&.version
|
|
157
154
|
end
|
|
158
155
|
|
|
159
156
|
sig do
|
|
160
|
-
params(language_version: T.nilable(T.any(String, Version)))
|
|
157
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
161
158
|
.returns(T.nilable(Dependabot::Version))
|
|
162
159
|
end
|
|
163
|
-
def fetch_lowest_security_fix_version(language_version:)
|
|
164
|
-
|
|
165
|
-
return unless
|
|
160
|
+
def fetch_lowest_security_fix_version(language_version: nil)
|
|
161
|
+
releases = available_versions
|
|
162
|
+
return unless releases
|
|
166
163
|
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
versions = filter_unsupported_versions(version_hashes, language_version)
|
|
164
|
+
releases = filter_yanked_versions(releases)
|
|
165
|
+
releases = filter_unsupported_versions(releases, language_version)
|
|
170
166
|
# versions = filter_prerelease_versions(versions)
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
167
|
+
releases = Dependabot::UpdateCheckers::VersionFilters
|
|
168
|
+
.filter_vulnerable_versions(
|
|
169
|
+
releases,
|
|
170
|
+
security_advisories
|
|
171
|
+
)
|
|
172
|
+
releases = filter_ignored_versions(releases)
|
|
173
|
+
releases = filter_lower_versions(releases)
|
|
174
|
+
releases = apply_post_fetch_lowest_security_fix_versions_filter(releases)
|
|
178
175
|
|
|
179
|
-
|
|
176
|
+
releases.min_by(&:version)&.version
|
|
180
177
|
end
|
|
181
178
|
|
|
182
|
-
sig
|
|
183
|
-
|
|
184
|
-
|
|
179
|
+
sig do
|
|
180
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
181
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
182
|
+
end
|
|
183
|
+
def apply_post_fetch_latest_versions_filter(releases)
|
|
184
|
+
releases
|
|
185
|
+
end
|
|
186
|
+
|
|
187
|
+
sig do
|
|
188
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
189
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
190
|
+
end
|
|
191
|
+
def apply_post_fetch_lowest_security_fix_versions_filter(releases)
|
|
192
|
+
releases
|
|
185
193
|
end
|
|
186
194
|
|
|
187
195
|
sig do
|
|
@@ -204,14 +212,7 @@ module Dependabot
|
|
|
204
212
|
return releases unless cooldown_enabled?
|
|
205
213
|
return releases unless cooldown_options
|
|
206
214
|
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
filtered = releases.reject do |release|
|
|
210
|
-
next false unless release.released_at
|
|
211
|
-
|
|
212
|
-
days = cooldown_days_for(current_version, release.version)
|
|
213
|
-
(Time.now.to_i - release.released_at.to_i) < (days * 24 * 60 * 60)
|
|
214
|
-
end
|
|
215
|
+
filtered = releases.reject { |release| in_cooldown_period?(release) }
|
|
215
216
|
|
|
216
217
|
if releases.count > filtered.count
|
|
217
218
|
Dependabot.logger.info("Filtered out #{releases.count - filtered.count} versions due to cooldown")
|
|
@@ -219,21 +220,34 @@ module Dependabot
|
|
|
219
220
|
filtered
|
|
220
221
|
end
|
|
221
222
|
|
|
223
|
+
sig { params(release: Dependabot::Package::PackageRelease).returns(T::Boolean) }
|
|
224
|
+
def in_cooldown_period?(release)
|
|
225
|
+
return false unless release.released_at
|
|
226
|
+
|
|
227
|
+
current_version = version_class.correct?(dependency.version) ? version_class.new(dependency.version) : nil
|
|
228
|
+
days = cooldown_days_for(current_version, release.version)
|
|
229
|
+
|
|
230
|
+
# Calculate the number of seconds passed since the release
|
|
231
|
+
passed_seconds = Time.now.to_i - release.released_at.to_i
|
|
232
|
+
# Check if the release is within the cooldown period
|
|
233
|
+
passed_seconds < days * DAY_IN_SECONDS
|
|
234
|
+
end
|
|
235
|
+
|
|
222
236
|
sig do
|
|
223
237
|
params(
|
|
224
238
|
releases: T::Array[Dependabot::Package::PackageRelease],
|
|
225
|
-
language_version: T.nilable(T.any(String, Version))
|
|
239
|
+
language_version: T.nilable(T.any(String, Dependabot::Version))
|
|
226
240
|
)
|
|
227
|
-
.returns(T::Array[Dependabot::
|
|
241
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
228
242
|
end
|
|
229
243
|
def filter_unsupported_versions(releases, language_version)
|
|
230
244
|
filtered = releases.filter_map do |release|
|
|
231
245
|
language_requirement = release.language&.requirement
|
|
232
|
-
next release
|
|
233
|
-
next release
|
|
246
|
+
next release unless language_version
|
|
247
|
+
next release unless language_requirement
|
|
234
248
|
next unless language_requirement.satisfied_by?(language_version)
|
|
235
249
|
|
|
236
|
-
release
|
|
250
|
+
release
|
|
237
251
|
end
|
|
238
252
|
if releases.count > filtered.count
|
|
239
253
|
delta = releases.count - filtered.count
|
|
@@ -243,61 +257,69 @@ module Dependabot
|
|
|
243
257
|
end
|
|
244
258
|
|
|
245
259
|
sig do
|
|
246
|
-
params(
|
|
247
|
-
.returns(T::Array[Dependabot::
|
|
260
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
261
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
248
262
|
end
|
|
249
|
-
def filter_prerelease_versions(
|
|
250
|
-
return
|
|
263
|
+
def filter_prerelease_versions(releases)
|
|
264
|
+
return releases if wants_prerelease?
|
|
251
265
|
|
|
252
|
-
filtered =
|
|
266
|
+
filtered = releases.reject { |release| release.version.prerelease? }
|
|
253
267
|
|
|
254
|
-
if
|
|
255
|
-
Dependabot.logger.info("Filtered out #{
|
|
268
|
+
if releases.count > filtered.count
|
|
269
|
+
Dependabot.logger.info("Filtered out #{releases.count - filtered.count} pre-release versions")
|
|
256
270
|
end
|
|
257
271
|
|
|
258
272
|
filtered
|
|
259
273
|
end
|
|
260
274
|
|
|
261
275
|
sig do
|
|
262
|
-
params(
|
|
263
|
-
.returns(T::Array[Dependabot::
|
|
276
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
277
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
264
278
|
end
|
|
265
|
-
def filter_ignored_versions(
|
|
266
|
-
filtered =
|
|
267
|
-
.reject
|
|
268
|
-
|
|
279
|
+
def filter_ignored_versions(releases)
|
|
280
|
+
filtered = releases
|
|
281
|
+
.reject do |release|
|
|
282
|
+
ignore_requirements.any? do |r|
|
|
283
|
+
r.satisfied_by?(release.version)
|
|
284
|
+
end
|
|
285
|
+
end
|
|
286
|
+
if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(releases).any?
|
|
269
287
|
raise Dependabot::AllVersionsIgnored
|
|
270
288
|
end
|
|
271
289
|
|
|
272
|
-
if
|
|
273
|
-
Dependabot.logger.info("Filtered out #{
|
|
290
|
+
if releases.count > filtered.count
|
|
291
|
+
Dependabot.logger.info("Filtered out #{releases.count - filtered.count} ignored versions")
|
|
274
292
|
end
|
|
275
293
|
filtered
|
|
276
294
|
end
|
|
277
295
|
|
|
278
296
|
sig do
|
|
279
|
-
params(
|
|
280
|
-
.returns(T::Array[Dependabot::
|
|
297
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
298
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
281
299
|
end
|
|
282
|
-
def filter_lower_versions(
|
|
283
|
-
return
|
|
300
|
+
def filter_lower_versions(releases)
|
|
301
|
+
return releases unless dependency.numeric_version
|
|
284
302
|
|
|
285
|
-
|
|
303
|
+
releases.select { |release| release.version > dependency.numeric_version }
|
|
286
304
|
end
|
|
287
305
|
|
|
288
306
|
sig do
|
|
289
|
-
params(
|
|
290
|
-
.returns(T::Array[Dependabot::
|
|
307
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
308
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
291
309
|
end
|
|
292
|
-
def filter_out_of_range_versions(
|
|
310
|
+
def filter_out_of_range_versions(releases)
|
|
293
311
|
reqs = dependency.requirements.filter_map do |r|
|
|
294
312
|
next if r.fetch(:requirement).nil?
|
|
295
313
|
|
|
296
314
|
requirement_class.requirements_array(r.fetch(:requirement))
|
|
297
315
|
end
|
|
298
316
|
|
|
299
|
-
|
|
300
|
-
.select
|
|
317
|
+
releases
|
|
318
|
+
.select do |release|
|
|
319
|
+
reqs.all? do |r|
|
|
320
|
+
r.any? { |o| o.satisfied_by?(release.version) }
|
|
321
|
+
end
|
|
322
|
+
end
|
|
301
323
|
end
|
|
302
324
|
|
|
303
325
|
sig { returns(T::Boolean) }
|
|
@@ -335,6 +357,7 @@ module Dependabot
|
|
|
335
357
|
|
|
336
358
|
cooldown.default_days
|
|
337
359
|
end
|
|
360
|
+
|
|
338
361
|
sig { returns(T::Boolean) }
|
|
339
362
|
def wants_prerelease?
|
|
340
363
|
return version_class.new(dependency.version).prerelease? if dependency.version
|
|
@@ -84,6 +84,18 @@ module Dependabot
|
|
|
84
84
|
def yanked?
|
|
85
85
|
@yanked
|
|
86
86
|
end
|
|
87
|
+
|
|
88
|
+
sig { params(other: Object).returns(T::Boolean) }
|
|
89
|
+
def ==(other)
|
|
90
|
+
return false unless other.is_a?(PackageRelease)
|
|
91
|
+
|
|
92
|
+
version == other.version
|
|
93
|
+
end
|
|
94
|
+
|
|
95
|
+
sig { returns(String) }
|
|
96
|
+
def to_s
|
|
97
|
+
version.to_s
|
|
98
|
+
end
|
|
87
99
|
end
|
|
88
100
|
end
|
|
89
101
|
end
|
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "dependabot/security_advisory"
|
|
5
|
+
require "dependabot/package/package_release"
|
|
4
6
|
require "sorbet-runtime"
|
|
5
7
|
|
|
6
8
|
module Dependabot
|
|
@@ -19,7 +21,8 @@ module Dependabot
|
|
|
19
21
|
versions_array: T::Array[
|
|
20
22
|
T.any(
|
|
21
23
|
T.all(T.type_parameter(:T), Gem::Version),
|
|
22
|
-
T.all(T.type_parameter(:T), T::Hash[Symbol, Gem::Version])
|
|
24
|
+
T.all(T.type_parameter(:T), T::Hash[Symbol, Gem::Version]),
|
|
25
|
+
T.all(T.type_parameter(:T), Dependabot::Package::PackageRelease)
|
|
23
26
|
)],
|
|
24
27
|
security_advisories: T::Array[SecurityAdvisory]
|
|
25
28
|
)
|
|
@@ -30,6 +33,8 @@ module Dependabot
|
|
|
30
33
|
security_advisories.any? do |a|
|
|
31
34
|
if v.is_a?(Gem::Version)
|
|
32
35
|
a.vulnerable?(v)
|
|
36
|
+
elsif v.is_a?(Dependabot::Package::PackageRelease)
|
|
37
|
+
a.vulnerable?(v.version)
|
|
33
38
|
else
|
|
34
39
|
a.vulnerable?(v.fetch(:version))
|
|
35
40
|
end
|
data/lib/dependabot.rb
CHANGED
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-common
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.310.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
bindir: bin
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2025-04-
|
|
10
|
+
date: 2025-04-24 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: aws-sdk-codecommit
|
|
@@ -627,7 +627,7 @@ licenses:
|
|
|
627
627
|
- MIT
|
|
628
628
|
metadata:
|
|
629
629
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
630
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
630
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.310.0
|
|
631
631
|
rdoc_options: []
|
|
632
632
|
require_paths:
|
|
633
633
|
- lib
|