dependabot-common 0.314.0 → 0.316.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 75665e6e5f16e2e104b7415ff2f557508d03f394e8f9de6a5f841f4352e1484e
-  data.tar.gz: 61f9095c642362351d1381f1f9d3f5a26c13d3b24fb1841046b3682c6a85aaa6
+  metadata.gz: 96bdb5c59d32f26540da409a5dc9052431575832324c353ecb5b6f385962ff8c
+  data.tar.gz: 17ee865c4fe6825bb6e01b3f42e7255e1a283b35bf495a55d570977f529970c8
 SHA512:
-  metadata.gz: bd09436156631884d91cd670497ca6d033ee4cb2927db598d0348f78af77f4d7bc1626ccd6ea36e051f900ad9b5ad4299f4c49e5cb4308a6203e99861c7cd458
-  data.tar.gz: f2a87eed835ec64c46769dadae2ec093fc8d6b9c8a004c40d3c65ed55a824ebdd2a402165d640d83dad757a0d34473f3b92d92d8ffd1aa99a2af0d734af9fdff
+  metadata.gz: 326849c6620a3a1c87c6f32005010ccfb4bb8dad03bce1edc5c1944f19630a5c2c10119d965055f5c94327dcfec3fab22a09968675c9c4889c38a1f67857c960
+  data.tar.gz: 445ea4329399825e8637a325f2e41e7515732a480a80dd4961c4571ef22469bc361c29c0720a9907a24d661da507eef24f0e515c511290e49386f8b144893dcb

data/lib/dependabot/clients/bitbucket.rb

@@ -297,7 +297,7 @@ module Dependabot
       sig { params(url: String).returns(Excon::Response) }
       def get(url)
         response = Excon.get(
-          URI::DEFAULT_PARSER.escape(url),
+          URI::RFC2396_PARSER.escape(url),
           user: credentials&.fetch("username", nil),
           password: credentials&.fetch("password", nil),
           # Setting to false to prevent Excon retries, use BitbucketWithRetries for retries.

data/lib/dependabot/file_fetchers/base.rb

@@ -1,8 +1,10 @@
 # typed: strict
 # frozen_string_literal: true
 
-require "stringio"
+require "ostruct"
 require "sorbet-runtime"
+require "stringio"
+
 require "dependabot/config"
 require "dependabot/dependency_file"
 require "dependabot/source"

data/lib/dependabot/git_commit_checker.rb

@@ -234,6 +234,13 @@ module Dependabot
       tags[-1]&.name
     end
 
+    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+    def max_local_tag(tags)
+      max_version_tag = tags.max_by { |t| version_from_tag(t) }
+
+      to_local_tag(max_version_tag)
+    end
+
     private
 
     sig { returns(Dependabot::Dependency) }
@@ -255,13 +262,6 @@ module Dependabot
       max_local_tag(select_lower_precision(tags))
     end
 
-    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
-    def max_local_tag(tags)
-      max_version_tag = tags.max_by { |t| version_from_tag(t) }
-
-      to_local_tag(max_version_tag)
-    end
-
     # Find the latest version with the same precision as the pinned version.
     sig { params(tags: T::Array[Dependabot::GitRef]).returns(T::Array[Dependabot::GitRef]) }
     def select_matching_existing_precision(tags)

data/lib/dependabot/git_metadata_fetcher.rb

@@ -3,8 +3,9 @@
 
 require "excon"
 require "open3"
+require "ostruct"
 require "sorbet-runtime"
-
+require "tmpdir"
 require "dependabot/errors"
 require "dependabot/git_ref"
 require "dependabot/git_tag_with_detail"
@@ -117,6 +118,32 @@ module Dependabot
       result_lines
     end
 
+    sig { params(uri: String).returns(String) }
+    def fetch_tags_with_detail(uri)
+      response_with_git = fetch_tags_with_detail_from_git_for(uri)
+      return response_with_git.body if response_with_git.status == 200
+
+      raise Dependabot::GitDependenciesNotReachable, [uri] unless uri.match?(KNOWN_HOSTS)
+
+      if response_with_git.status < 400
+        raise "Unexpected response: #{response_with_git.status} - #{response_with_git.body}"
+      end
+
+      if uri.match?(/github\.com/i)
+        response = response_with_git.data
+        response[:response_headers] = response[:headers] unless response.nil?
+        raise Octokit::Error.from_response(response)
+      end
+
+      raise "Server error at #{uri}: #{response_with_git.body}" if response_with_git.status >= 500
+
+      raise Dependabot::GitDependenciesNotReachable, [uri]
+    rescue Excon::Error::Socket, Excon::Error::Timeout
+      raise if uri.match?(KNOWN_HOSTS)
+
+      raise Dependabot::GitDependenciesNotReachable, [uri]
+    end
+
     private
 
     sig { returns(String) }
@@ -292,54 +319,44 @@ module Dependabot
       raise Dependabot::GitDependenciesNotReachable, [url]
     end
 
-    sig { params(uri: String).returns(String) }
-    def fetch_tags_with_detail(uri)
-      response = fetch_raw_upload_pack_for(uri)
-      return response.body if response.status == 200
-
-      response_with_git = fetch_tags_with_detail_from_git_for(uri)
-      return response_with_git.body if response_with_git.status == 200
-
-      raise Dependabot::GitDependenciesNotReachable, [uri] unless uri.match?(KNOWN_HOSTS)
-
-      raise "Unexpected response: #{response.status} - #{response.body}" if response.status < 400
-
-      if uri.match?(/github\.com/i)
-        response = response.data
-        response[:response_headers] = response[:headers]
-        raise Octokit::Error.from_response(response)
-      end
-
-      raise "Server error at #{uri}: #{response.body}" if response.status >= 500
-
-      raise Dependabot::GitDependenciesNotReachable, [uri]
-    rescue Excon::Error::Socket, Excon::Error::Timeout
-      raise if uri.match?(KNOWN_HOSTS)
-
-      raise Dependabot::GitDependenciesNotReachable, [uri]
-    end
-
+    # Added method to fetch tags with their creation dates from a git repository. In case
+    # private registry is used, it will clone the repository and fetch tags with their creation dates.
     sig { params(uri: String).returns(T.untyped) }
     def fetch_tags_with_detail_from_git_for(uri)
-      complete_uri = uri
-      complete_uri += ".git" unless complete_uri.end_with?(".git") || skip_git_suffix(uri)
-
-      env = { "PATH" => ENV.fetch("PATH", nil), "GIT_TERMINAL_PROMPT" => "0" }
-      command = "git for-each-ref --format=\"%(refname:short) %(creatordate:short)\" refs/tags #{complete_uri}"
-      command = SharedHelpers.escape_command(command)
-
-      begin
-        stdout, stderr, process = Open3.capture3(env, command)
-        # package the command response like a HTTP response so error handling remains unchanged
-      rescue Errno::ENOENT => e # thrown when `git` isn't installed...
-        OpenStruct.new(body: e.message, status: 500)
-      else
-        if process.success?
-          OpenStruct.new(body: stdout, status: 200)
-        else
-          OpenStruct.new(body: stderr, status: 500)
+      uri_ending_with_git = uri
+      uri_ending_with_git += ".git" unless uri_ending_with_git.end_with?(".git") || skip_git_suffix(uri)
+
+      Dir.mktmpdir do |dir|
+        # Clone the repository into a temporary directory
+        clone_command = "git clone --bare #{uri_ending_with_git} #{dir}"
+        env = { "PATH" => ENV.fetch("PATH", nil), "GIT_TERMINAL_PROMPT" => "0" }
+        clone_command = SharedHelpers.escape_command(clone_command)
+
+        _stdout, stderr, process = Open3.capture3(env, clone_command)
+        return OpenStruct.new(body: stderr, status: 500) unless process.success?
+
+        # Change to the cloned repository directory
+        Dir.chdir(dir) do
+          # Fetch tags and their creation dates
+          tags_command = 'git for-each-ref --format="%(refname:short) %(creatordate:short)" refs/tags'
+          tags_stdout, stderr, process = Open3.capture3(env, tags_command)
+
+          return OpenStruct.new(body: stderr, status: 500) unless process.success?
+
+          # Parse and sort tags by creation date
+          tags = tags_stdout.lines.map do |line|
+            tag, date = line.strip.split(" ", 2)
+            { tag: tag, date: date }
+          end
+          sorted_tags = tags.sort_by { |tag| tag[:date] }
+
+          # Format the output as a string
+          formatted_output = sorted_tags.map { |tag| "#{tag[:tag]} #{tag[:date]}" }.join("\n")
+          return OpenStruct.new(body: formatted_output, status: 200)
         end
       end
+    rescue Errno::ENOENT => e # Thrown when `git` isn't installed
+      OpenStruct.new(body: e.message, status: 500)
     end
   end
 end

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "excon"
+require "ostruct"
 require "sorbet-runtime"
 
 require "dependabot/clients/github_with_retries"

data/lib/dependabot/metadata_finders/base/release_finder.rb

@@ -1,6 +1,7 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "ostruct"
 require "sorbet-runtime"
 
 require "dependabot/credential"

data/lib/dependabot/package/package_release.rb

@@ -23,6 +23,7 @@ module Dependabot
           url: T.nilable(String),
           package_type: T.nilable(String),
           language: T.nilable(Dependabot::Package::PackageLanguage),
+          tag: T.nilable(String),
           details: T::Hash[String, T.untyped]
         ).void
       end
@@ -36,6 +37,7 @@ module Dependabot
         url: nil,
         package_type: nil,
         language: nil,
+        tag: nil,
         details: {}
       )
         @version = T.let(version, Dependabot::Version)
@@ -47,6 +49,7 @@ module Dependabot
         @url = T.let(url, T.nilable(String))
         @package_type = T.let(package_type, T.nilable(String))
         @language = T.let(language, T.nilable(Dependabot::Package::PackageLanguage))
+        @tag = T.let(tag, T.nilable(String))
         @details = T.let(details, T::Hash[String, T.untyped])
       end
 
@@ -77,6 +80,9 @@ module Dependabot
       sig { returns(T.nilable(Dependabot::Package::PackageLanguage)) }
       attr_reader :language
 
+      sig { returns(T.nilable(String)) }
+      attr_reader :tag
+
       sig { returns(T::Hash[String, T.untyped]) }
       attr_reader :details
 

data/lib/dependabot/pull_request_creator/branch_namer/multi_ecosystem_strategy.rb

@@ -0,0 +1,80 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/pull_request_creator/branch_namer/base"
+
+module Dependabot
+  class PullRequestCreator
+    class BranchNamer
+      class MultiEcosystemStrategy < Base
+        extend T::Sig
+
+        sig do
+          params(
+            dependencies: T::Array[Dependabot::Dependency],
+            files: T::Array[Dependabot::DependencyFile],
+            target_branch: T.nilable(String),
+            includes_security_fixes: T::Boolean,
+            multi_ecosystem_name: String,
+            separator: String,
+            prefix: String,
+            max_length: T.nilable(Integer)
+          )
+            .void
+        end
+        def initialize(dependencies:, files:, target_branch:, includes_security_fixes:, multi_ecosystem_name:,
+                       separator: "/", prefix: "dependabot", max_length: nil)
+          super(
+            dependencies: dependencies,
+            files: files,
+            target_branch: target_branch,
+            separator: separator,
+            prefix: prefix,
+            max_length: max_length,
+          )
+
+          @multi_ecosystem_name = multi_ecosystem_name
+          @includes_security_fixes = includes_security_fixes
+        end
+
+        sig { override.returns(String) }
+        def new_branch_name
+          sanitize_branch_name(File.join(prefixes, group_name_with_dependency_digest))
+        end
+
+        private
+
+        sig { returns(String) }
+        attr_reader :multi_ecosystem_name
+
+        sig { returns(T::Array[String]) }
+        def prefixes
+          [
+            prefix,
+            target_branch
+          ].compact
+        end
+
+        sig { returns(String) }
+        def group_name_with_dependency_digest
+          if @includes_security_fixes
+            "group-security-#{multi_ecosystem_name}-#{dependency_digest}"
+          else
+            "#{multi_ecosystem_name}-#{dependency_digest}"
+          end
+        end
+
+        sig { returns(T.nilable(String)) }
+        def dependency_digest
+          @dependency_digest ||= T.let(
+            Digest::MD5.hexdigest(dependencies.map do |dependency|
+                                    "#{dependency.name}-#{dependency.removed? ? 'removed' : dependency.version}"
+                                  end.sort.join(",")).slice(0, 10),
+            T.nilable(String)
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/pull_request_creator/branch_namer.rb

@@ -8,6 +8,7 @@ require "dependabot/metadata_finders"
 require "dependabot/pull_request_creator"
 require "dependabot/pull_request_creator/branch_namer/solo_strategy"
 require "dependabot/pull_request_creator/branch_namer/dependency_group_strategy"
+require "dependabot/pull_request_creator/branch_namer/multi_ecosystem_strategy"
 
 module Dependabot
   class PullRequestCreator
@@ -38,6 +39,9 @@ module Dependabot
       sig { returns(T::Boolean) }
       attr_reader :includes_security_fixes
 
+      sig { returns(T.nilable(String)) }
+      attr_reader :multi_ecosystem_name
+
       sig do
         params(
           dependencies: T::Array[Dependabot::Dependency],
@@ -47,12 +51,13 @@ module Dependabot
           separator: String,
           prefix: String,
           max_length: T.nilable(Integer),
-          includes_security_fixes: T::Boolean
+          includes_security_fixes: T::Boolean,
+          multi_ecosystem_name: T.nilable(String)
         )
           .void
       end
       def initialize(dependencies:, files:, target_branch:, dependency_group: nil, separator: "/",
-                     prefix: "dependabot", max_length: nil, includes_security_fixes: false)
+                     prefix: "dependabot", max_length: nil, includes_security_fixes: false, multi_ecosystem_name: nil)
         @dependencies  = dependencies
         @files         = files
         @target_branch = target_branch
@@ -61,6 +66,7 @@ module Dependabot
         @prefix        = prefix
         @max_length    = max_length
         @includes_security_fixes = includes_security_fixes
+        @multi_ecosystem_name = multi_ecosystem_name
       end
 
       sig { returns(String) }
@@ -73,30 +79,56 @@ module Dependabot
       sig { returns(Dependabot::PullRequestCreator::BranchNamer::Base) }
       def strategy
         @strategy ||= T.let(
-          if dependency_group.nil?
-            SoloStrategy.new(
-              dependencies: dependencies,
-              files: files,
-              target_branch: target_branch,
-              separator: separator,
-              prefix: prefix,
-              max_length: max_length
-            )
+          if multi_ecosystem_name
+            build_multi_ecosystem_strategy
+          elsif dependency_group.nil?
+            build_solo_strategy
           else
-            DependencyGroupStrategy.new(
-              dependencies: dependencies,
-              files: files,
-              target_branch: target_branch,
-              dependency_group: T.must(dependency_group),
-              includes_security_fixes: includes_security_fixes,
-              separator: separator,
-              prefix: prefix,
-              max_length: max_length
-            )
+            build_dependency_group_strategy
           end,
           T.nilable(Dependabot::PullRequestCreator::BranchNamer::Base)
         )
       end
+
+      sig { returns(Dependabot::PullRequestCreator::BranchNamer::MultiEcosystemStrategy) }
+      def build_multi_ecosystem_strategy
+        MultiEcosystemStrategy.new(
+          dependencies: dependencies,
+          files: files,
+          target_branch: target_branch,
+          includes_security_fixes: includes_security_fixes,
+          separator: separator,
+          prefix: prefix,
+          max_length: max_length,
+          multi_ecosystem_name: T.must(multi_ecosystem_name)
+        )
+      end
+
+      sig { returns(Dependabot::PullRequestCreator::BranchNamer::SoloStrategy) }
+      def build_solo_strategy
+        SoloStrategy.new(
+          dependencies: dependencies,
+          files: files,
+          target_branch: target_branch,
+          separator: separator,
+          prefix: prefix,
+          max_length: max_length
+        )
+      end
+
+      sig { returns(Dependabot::PullRequestCreator::BranchNamer::DependencyGroupStrategy) }
+      def build_dependency_group_strategy
+        DependencyGroupStrategy.new(
+          dependencies: dependencies,
+          files: files,
+          target_branch: target_branch,
+          dependency_group: T.must(dependency_group),
+          includes_security_fixes: includes_security_fixes,
+          separator: separator,
+          prefix: prefix,
+          max_length: max_length
+        )
+      end
     end
   end
 end

data/lib/dependabot/utils.rb

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 
 require "tmpdir"
-require "set"
 require "sorbet-runtime"
 
 require "dependabot/requirement"

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.314.0"
+  VERSION = "0.316.0"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.314.0
+  version: 0.316.0
 platform: ruby
 authors:
 - Dependabot
 bindir: bin
 cert_chain: []
-date: 2025-05-22 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -91,14 +91,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.109'
+        version: '1.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.109'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
@@ -225,6 +225,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.3'
+- !ruby/object:Gem::Dependency
+  name: ostruct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
 - !ruby/object:Gem::Dependency
   name: parser
   requirement: !ruby/object:Gem::Requirement
@@ -569,6 +583,7 @@ files:
 - lib/dependabot/pull_request_creator/branch_namer.rb
 - lib/dependabot/pull_request_creator/branch_namer/base.rb
 - lib/dependabot/pull_request_creator/branch_namer/dependency_group_strategy.rb
+- lib/dependabot/pull_request_creator/branch_namer/multi_ecosystem_strategy.rb
 - lib/dependabot/pull_request_creator/branch_namer/solo_strategy.rb
 - lib/dependabot/pull_request_creator/codecommit.rb
 - lib/dependabot/pull_request_creator/commit_signer.rb
@@ -610,7 +625,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.314.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.316.0
 rdoc_options: []
 require_paths:
 - lib
@@ -618,14 +633,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.1.0
+      version: 3.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: 3.3.7
 requirements: []
-rubygems_version: 3.6.3
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Shared code used across Dependabot Core
 test_files: []