dependabot-common 0.313.0 → 0.315.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a7a5bf7bdeabf2957b9ecbe1efa5f27f9552b31db52d76970484c665e249e756
-  data.tar.gz: 32722bfd412044839d449b19b77469a3c4253802b63adc5c35aef80a9eb9b00e
+  metadata.gz: 68238b0440934d660fcb680bd94b21397bf3396c0e4467fbd88fd21a23453a6f
+  data.tar.gz: d263bcc8392bbad1168f031af2bdbf243190ab91ab1f019a7206c1af76f95652
 SHA512:
-  metadata.gz: 1752b119bf852196e0b870ec8d6a30473c898e0002c5467108e99447fdf88374dbeef037da2fa839fd685f9efa3bc229c7f4732b32cfd18fcdd151899c273066
-  data.tar.gz: 3e2da158a84b3717ba3f05c6e3cd673e26941889fc8716920bc877cc09db8d68454a02a915d10821229e44c82c545ed9fbf4d7e1550763d428d8f4468bbec95a
+  metadata.gz: 3165f873c2ff8492dc8f7ee6cfe0a136d664cf35653f9856ebc80f6c5c0fce35e287950be698263f62152affc82859d8808edb0bd2355d12f481193e9c463cb2
+  data.tar.gz: 5692d5ad262572fc9cc91095010ed4b2381335d98d1064ee078c845cb9b17a060be52dd48d0ff72dc82526fd9bd1ed8c5dcd1551822be4c1e5c7f763df46c69e

data/lib/dependabot/clients/bitbucket.rb

@@ -297,7 +297,7 @@ module Dependabot
       sig { params(url: String).returns(Excon::Response) }
       def get(url)
         response = Excon.get(
-          URI::DEFAULT_PARSER.escape(url),
+          URI::RFC2396_PARSER.escape(url),
           user: credentials&.fetch("username", nil),
           password: credentials&.fetch("password", nil),
           # Setting to false to prevent Excon retries, use BitbucketWithRetries for retries.

data/lib/dependabot/file_fetchers/base.rb

@@ -1,8 +1,10 @@
 # typed: strict
 # frozen_string_literal: true
 
-require "stringio"
+require "ostruct"
 require "sorbet-runtime"
+require "stringio"
+
 require "dependabot/config"
 require "dependabot/dependency_file"
 require "dependabot/source"

data/lib/dependabot/git_commit_checker.rb

@@ -2,8 +2,8 @@
 # frozen_string_literal: true
 
 require "excon"
-require "gitlab"
 require "sorbet-runtime"
+require "gitlab"
 require "dependabot/clients/github_with_retries"
 require "dependabot/clients/gitlab_with_retries"
 require "dependabot/clients/bitbucket_with_retries"
@@ -220,6 +220,11 @@ module Dependabot
       @dependency_source_details || dependency.source_details(allowed_types: ["git"])
     end
 
+    sig { returns(T::Array[Dependabot::GitTagWithDetail]) }
+    def refs_for_tag_with_detail
+      local_repo_git_metadata_fetcher.refs_for_tag_with_detail
+    end
+
     sig { params(commit_sha: T.nilable(String)).returns(T.nilable(String)) }
     def most_specific_version_tag_for_sha(commit_sha)
       tags = local_tags.select { |t| t.commit_sha == commit_sha && version_class.correct?(t.name) }
@@ -229,6 +234,13 @@ module Dependabot
       tags[-1]&.name
     end
 
+    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+    def max_local_tag(tags)
+      max_version_tag = tags.max_by { |t| version_from_tag(t) }
+
+      to_local_tag(max_version_tag)
+    end
+
     private
 
     sig { returns(Dependabot::Dependency) }
@@ -250,13 +262,6 @@ module Dependabot
       max_local_tag(select_lower_precision(tags))
     end
 
-    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
-    def max_local_tag(tags)
-      max_version_tag = tags.max_by { |t| version_from_tag(t) }
-
-      to_local_tag(max_version_tag)
-    end
-
     # Find the latest version with the same precision as the pinned version.
     sig { params(tags: T::Array[Dependabot::GitRef]).returns(T::Array[Dependabot::GitRef]) }
     def select_matching_existing_precision(tags)

data/lib/dependabot/git_metadata_fetcher.rb

@@ -3,10 +3,12 @@
 
 require "excon"
 require "open3"
+require "ostruct"
 require "sorbet-runtime"
 
 require "dependabot/errors"
 require "dependabot/git_ref"
+require "dependabot/git_tag_with_detail"
 require "dependabot/credential"
 
 module Dependabot
@@ -93,6 +95,29 @@ module Dependabot
         &.commit_sha
     end
 
+    sig { returns(T::Array[GitTagWithDetail]) }
+    def refs_for_tag_with_detail
+      @refs_for_tag_with_detail ||= T.let(parse_refs_for_tag_with_detail,
+                                          T.nilable(T::Array[GitTagWithDetail]))
+    end
+
+    sig { returns(T::Array[GitTagWithDetail]) }
+    def parse_refs_for_tag_with_detail
+      result_lines = []
+      return result_lines if upload_tag_with_detail.nil?
+
+      T.must(upload_tag_with_detail).lines.each do |line|
+        tag, detail = line.split(/\s+/, 2)
+        next unless tag && detail
+
+        result_lines << GitTagWithDetail.new(
+          tag: tag.strip,
+          release_date: detail.strip
+        )
+      end
+      result_lines
+    end
+
     private
 
     sig { returns(String) }
@@ -260,5 +285,62 @@ module Dependabot
       # Some git hosts are slow when returning a large number of tags
       SharedHelpers.excon_defaults(read_timeout: 20)
     end
+
+    sig { returns(T.nilable(String)) }
+    def upload_tag_with_detail
+      @upload_tag_detail ||= T.let(fetch_tags_with_detail(url), T.nilable(String))
+    rescue Octokit::ClientError
+      raise Dependabot::GitDependenciesNotReachable, [url]
+    end
+
+    sig { params(uri: String).returns(String) }
+    def fetch_tags_with_detail(uri)
+      response = fetch_raw_upload_pack_for(uri)
+      return response.body if response.status == 200
+
+      response_with_git = fetch_tags_with_detail_from_git_for(uri)
+      return response_with_git.body if response_with_git.status == 200
+
+      raise Dependabot::GitDependenciesNotReachable, [uri] unless uri.match?(KNOWN_HOSTS)
+
+      raise "Unexpected response: #{response.status} - #{response.body}" if response.status < 400
+
+      if uri.match?(/github\.com/i)
+        response = response.data
+        response[:response_headers] = response[:headers]
+        raise Octokit::Error.from_response(response)
+      end
+
+      raise "Server error at #{uri}: #{response.body}" if response.status >= 500
+
+      raise Dependabot::GitDependenciesNotReachable, [uri]
+    rescue Excon::Error::Socket, Excon::Error::Timeout
+      raise if uri.match?(KNOWN_HOSTS)
+
+      raise Dependabot::GitDependenciesNotReachable, [uri]
+    end
+
+    sig { params(uri: String).returns(T.untyped) }
+    def fetch_tags_with_detail_from_git_for(uri)
+      complete_uri = uri
+      complete_uri += ".git" unless complete_uri.end_with?(".git") || skip_git_suffix(uri)
+
+      env = { "PATH" => ENV.fetch("PATH", nil), "GIT_TERMINAL_PROMPT" => "0" }
+      command = "git for-each-ref --format=\"%(refname:short) %(creatordate:short)\" refs/tags #{complete_uri}"
+      command = SharedHelpers.escape_command(command)
+
+      begin
+        stdout, stderr, process = Open3.capture3(env, command)
+        # package the command response like a HTTP response so error handling remains unchanged
+      rescue Errno::ENOENT => e # thrown when `git` isn't installed...
+        OpenStruct.new(body: e.message, status: 500)
+      else
+        if process.success?
+          OpenStruct.new(body: stdout, status: 200)
+        else
+          OpenStruct.new(body: stderr, status: 500)
+        end
+      end
+    end
   end
 end

data/lib/dependabot/git_tag_with_detail.rb

@@ -0,0 +1,45 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  class GitTagWithDetail
+    extend T::Sig
+
+    sig { returns(String) }
+    attr_accessor :tag
+
+    sig { returns(String) }
+    attr_accessor :release_date
+
+    sig do
+      params(
+        tag: String,
+        release_date: String
+      ).void
+    end
+    def initialize(tag:, release_date:)
+      @tag = tag
+      @release_date = release_date
+    end
+
+    sig { params(other: BasicObject).returns(T::Boolean) }
+    def ==(other)
+      case other
+      when GitTagWithDetail
+        to_h == other.to_h
+      else
+        false
+      end
+    end
+
+    sig { returns(T::Hash[Symbol, T.nilable(String)]) }
+    def to_h
+      {
+        tag: tag,
+        release_date: release_date
+      }.compact
+    end
+  end
+end

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "excon"
+require "ostruct"
 require "sorbet-runtime"
 
 require "dependabot/clients/github_with_retries"

data/lib/dependabot/metadata_finders/base/release_finder.rb

@@ -1,6 +1,7 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "ostruct"
 require "sorbet-runtime"
 
 require "dependabot/credential"

data/lib/dependabot/pull_request_creator/branch_namer/multi_ecosystem_strategy.rb

@@ -0,0 +1,80 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/pull_request_creator/branch_namer/base"
+
+module Dependabot
+  class PullRequestCreator
+    class BranchNamer
+      class MultiEcosystemStrategy < Base
+        extend T::Sig
+
+        sig do
+          params(
+            dependencies: T::Array[Dependabot::Dependency],
+            files: T::Array[Dependabot::DependencyFile],
+            target_branch: T.nilable(String),
+            includes_security_fixes: T::Boolean,
+            multi_ecosystem_name: String,
+            separator: String,
+            prefix: String,
+            max_length: T.nilable(Integer)
+          )
+            .void
+        end
+        def initialize(dependencies:, files:, target_branch:, includes_security_fixes:, multi_ecosystem_name:,
+                       separator: "/", prefix: "dependabot", max_length: nil)
+          super(
+            dependencies: dependencies,
+            files: files,
+            target_branch: target_branch,
+            separator: separator,
+            prefix: prefix,
+            max_length: max_length,
+          )
+
+          @multi_ecosystem_name = multi_ecosystem_name
+          @includes_security_fixes = includes_security_fixes
+        end
+
+        sig { override.returns(String) }
+        def new_branch_name
+          sanitize_branch_name(File.join(prefixes, group_name_with_dependency_digest))
+        end
+
+        private
+
+        sig { returns(String) }
+        attr_reader :multi_ecosystem_name
+
+        sig { returns(T::Array[String]) }
+        def prefixes
+          [
+            prefix,
+            target_branch
+          ].compact
+        end
+
+        sig { returns(String) }
+        def group_name_with_dependency_digest
+          if @includes_security_fixes
+            "group-security-#{multi_ecosystem_name}-#{dependency_digest}"
+          else
+            "#{multi_ecosystem_name}-#{dependency_digest}"
+          end
+        end
+
+        sig { returns(T.nilable(String)) }
+        def dependency_digest
+          @dependency_digest ||= T.let(
+            Digest::MD5.hexdigest(dependencies.map do |dependency|
+                                    "#{dependency.name}-#{dependency.removed? ? 'removed' : dependency.version}"
+                                  end.sort.join(",")).slice(0, 10),
+            T.nilable(String)
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/pull_request_creator/branch_namer.rb

@@ -8,6 +8,7 @@ require "dependabot/metadata_finders"
 require "dependabot/pull_request_creator"
 require "dependabot/pull_request_creator/branch_namer/solo_strategy"
 require "dependabot/pull_request_creator/branch_namer/dependency_group_strategy"
+require "dependabot/pull_request_creator/branch_namer/multi_ecosystem_strategy"
 
 module Dependabot
   class PullRequestCreator
@@ -38,6 +39,9 @@ module Dependabot
       sig { returns(T::Boolean) }
       attr_reader :includes_security_fixes
 
+      sig { returns(T.nilable(String)) }
+      attr_reader :multi_ecosystem_name
+
       sig do
         params(
           dependencies: T::Array[Dependabot::Dependency],
@@ -47,12 +51,13 @@ module Dependabot
           separator: String,
           prefix: String,
           max_length: T.nilable(Integer),
-          includes_security_fixes: T::Boolean
+          includes_security_fixes: T::Boolean,
+          multi_ecosystem_name: T.nilable(String)
         )
           .void
       end
       def initialize(dependencies:, files:, target_branch:, dependency_group: nil, separator: "/",
-                     prefix: "dependabot", max_length: nil, includes_security_fixes: false)
+                     prefix: "dependabot", max_length: nil, includes_security_fixes: false, multi_ecosystem_name: nil)
         @dependencies  = dependencies
         @files         = files
         @target_branch = target_branch
@@ -61,6 +66,7 @@ module Dependabot
         @prefix        = prefix
         @max_length    = max_length
         @includes_security_fixes = includes_security_fixes
+        @multi_ecosystem_name = multi_ecosystem_name
       end
 
       sig { returns(String) }
@@ -73,30 +79,56 @@ module Dependabot
       sig { returns(Dependabot::PullRequestCreator::BranchNamer::Base) }
       def strategy
         @strategy ||= T.let(
-          if dependency_group.nil?
-            SoloStrategy.new(
-              dependencies: dependencies,
-              files: files,
-              target_branch: target_branch,
-              separator: separator,
-              prefix: prefix,
-              max_length: max_length
-            )
+          if multi_ecosystem_name
+            build_multi_ecosystem_strategy
+          elsif dependency_group.nil?
+            build_solo_strategy
           else
-            DependencyGroupStrategy.new(
-              dependencies: dependencies,
-              files: files,
-              target_branch: target_branch,
-              dependency_group: T.must(dependency_group),
-              includes_security_fixes: includes_security_fixes,
-              separator: separator,
-              prefix: prefix,
-              max_length: max_length
-            )
+            build_dependency_group_strategy
           end,
           T.nilable(Dependabot::PullRequestCreator::BranchNamer::Base)
         )
       end
+
+      sig { returns(Dependabot::PullRequestCreator::BranchNamer::MultiEcosystemStrategy) }
+      def build_multi_ecosystem_strategy
+        MultiEcosystemStrategy.new(
+          dependencies: dependencies,
+          files: files,
+          target_branch: target_branch,
+          includes_security_fixes: includes_security_fixes,
+          separator: separator,
+          prefix: prefix,
+          max_length: max_length,
+          multi_ecosystem_name: T.must(multi_ecosystem_name)
+        )
+      end
+
+      sig { returns(Dependabot::PullRequestCreator::BranchNamer::SoloStrategy) }
+      def build_solo_strategy
+        SoloStrategy.new(
+          dependencies: dependencies,
+          files: files,
+          target_branch: target_branch,
+          separator: separator,
+          prefix: prefix,
+          max_length: max_length
+        )
+      end
+
+      sig { returns(Dependabot::PullRequestCreator::BranchNamer::DependencyGroupStrategy) }
+      def build_dependency_group_strategy
+        DependencyGroupStrategy.new(
+          dependencies: dependencies,
+          files: files,
+          target_branch: target_branch,
+          dependency_group: T.must(dependency_group),
+          includes_security_fixes: includes_security_fixes,
+          separator: separator,
+          prefix: prefix,
+          max_length: max_length
+        )
+      end
     end
   end
 end

data/lib/dependabot/utils.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 require "tmpdir"
-require "set"
 require "sorbet-runtime"
 
 require "dependabot/requirement"

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.313.0"
+  VERSION = "0.315.0"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.313.0
+  version: 0.315.0
 platform: ruby
 authors:
 - Dependabot
 bindir: bin
 cert_chain: []
-date: 2025-05-15 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -91,14 +91,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.109'
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.109'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
@@ -225,6 +225,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.3'
+- !ruby/object:Gem::Dependency
+  name: ostruct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
 - !ruby/object:Gem::Dependency
   name: parser
   requirement: !ruby/object:Gem::Requirement
@@ -548,6 +562,7 @@ files:
 - lib/dependabot/git_commit_checker.rb
 - lib/dependabot/git_metadata_fetcher.rb
 - lib/dependabot/git_ref.rb
+- lib/dependabot/git_tag_with_detail.rb
 - lib/dependabot/logger.rb
 - lib/dependabot/metadata_finders.rb
 - lib/dependabot/metadata_finders/README.md
@@ -568,6 +583,7 @@ files:
 - lib/dependabot/pull_request_creator/branch_namer.rb
 - lib/dependabot/pull_request_creator/branch_namer/base.rb
 - lib/dependabot/pull_request_creator/branch_namer/dependency_group_strategy.rb
+- lib/dependabot/pull_request_creator/branch_namer/multi_ecosystem_strategy.rb
 - lib/dependabot/pull_request_creator/branch_namer/solo_strategy.rb
 - lib/dependabot/pull_request_creator/codecommit.rb
 - lib/dependabot/pull_request_creator/commit_signer.rb
@@ -609,7 +625,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.313.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.315.0
 rdoc_options: []
 require_paths:
 - lib
@@ -617,14 +633,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.1.0
+      version: 3.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: 3.3.7
 requirements: []
-rubygems_version: 3.6.3
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Shared code used across Dependabot Core
 test_files: []