dependabot-common 0.325.1 → 0.326.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ba085c2069cfc7b9437a7cbc49c548cf314245c119f8a1f298e3fba5de59fb7c
-  data.tar.gz: ad59447a4ce03bfacae2a04e9b2880fbfba0ce7ac825187c80e0b783949fc3fb
+  metadata.gz: af0660511361baf03f9ff425ee0bf50981ccc6cc31b352141b190d8aed14b3f1
+  data.tar.gz: d6ec33f6856d9e6bbcbada71e64b318f728485e8bdd9f1c9acb729eae6deb3ae
 SHA512:
-  metadata.gz: af5bc9099d1ebe204df3dd481a2f777d4debf52dde8a6eafcd4d4ecb1df0fc95ad02639f833aeaa76ba459b469df05ffcac44eed70a61996b3ee8956eda7196d
-  data.tar.gz: 6bf1193f09e83ed48a5505c3fb60a0855db365ab12c13f9a8b81e868aea8a1f664d74c8a2b8284f9a4f7e72135f3b41cec62dddab78042e08fa61f340f96091d
+  metadata.gz: ad74d68c2cce87d57b0315c8b7d1dc4623b5756d47173b6ab96e7d3006423c48c11ed077ee690633138006f922e483dba29fc2abd7de9f30cfd8849f675fcab1
+  data.tar.gz: d821725eb6b9ffcb436c27761bcbdabc10279610bbb10e8479595397e8ec9c38ab7ea4d5aadb61d74eb7666ee004e4f1dc558809cb26a2117a7871f79e286dcd

data/lib/dependabot/config/file.rb

@@ -34,14 +34,15 @@ module Dependabot
       end
       def update_config(package_manager, directory: nil, target_branch: nil)
         dir = directory || "/"
-        package_ecosystem = PACKAGE_MANAGER_LOOKUP.invert.fetch(package_manager)
+        package_ecosystem = REVERSE_PACKAGE_MANAGER_LOOKUP.fetch(package_manager, "dummy")
         cfg = updates.find do |u|
           u[:"package-ecosystem"] == package_ecosystem && u[:directory] == dir &&
             (target_branch.nil? || u[:"target-branch"] == target_branch)
         end
         UpdateConfig.new(
           ignore_conditions: ignore_conditions(cfg),
-          commit_message_options: commit_message_options(cfg)
+          commit_message_options: commit_message_options(cfg),
+          exclude_paths: exclude_paths(cfg)
         )
       end
 
@@ -86,6 +87,11 @@ module Dependabot
         "vcpkg" => "vcpkg"
       }.freeze, T::Hash[String, String])
 
+      REVERSE_PACKAGE_MANAGER_LOOKUP = T.let(
+        PACKAGE_MANAGER_LOOKUP.invert.freeze,
+        T::Hash[String, String]
+      )
+
       sig { params(cfg: T.nilable(T::Hash[Symbol, T.untyped])).returns(T::Array[IgnoreCondition]) }
       def ignore_conditions(cfg)
         ignores = cfg&.dig(:ignore) || []
@@ -109,6 +115,11 @@ module Dependabot
           include: commit_message[:include]
         )
       end
+
+      sig { params(cfg: T.nilable(T::Hash[Symbol, T.untyped])).returns(T::Array[String]) }
+      def exclude_paths(cfg)
+        Array(cfg&.dig(:"exclude-paths") || [])
+      end
     end
   end
 end

data/lib/dependabot/config/update_config.rb

@@ -16,15 +16,20 @@ module Dependabot
       sig { returns(T::Array[IgnoreCondition]) }
       attr_reader :ignore_conditions
 
+      sig { returns(T.nilable(T::Array[String])) }
+      attr_reader :exclude_paths
+
       sig do
         params(
           ignore_conditions: T.nilable(T::Array[IgnoreCondition]),
-          commit_message_options: T.nilable(CommitMessageOptions)
+          commit_message_options: T.nilable(CommitMessageOptions),
+          exclude_paths: T.nilable(T::Array[String])
         ).void
       end
-      def initialize(ignore_conditions: nil, commit_message_options: nil)
+      def initialize(ignore_conditions: nil, commit_message_options: nil, exclude_paths: nil)
         @ignore_conditions = T.let(ignore_conditions || [], T::Array[IgnoreCondition])
         @commit_message_options = commit_message_options
+        @exclude_paths = exclude_paths
       end
 
       sig { params(dependency: Dependency, security_updates_only: T::Boolean).returns(T::Array[String]) }

data/lib/dependabot/dependency.rb

@@ -102,12 +102,13 @@ module Dependabot
         directory: T.nilable(String),
         subdependency_metadata: T.nilable(T::Array[T::Hash[T.any(Symbol, String), String]]),
         removed: T::Boolean,
-        metadata: T.nilable(T::Hash[T.any(Symbol, String), String])
+        metadata: T.nilable(T::Hash[T.any(Symbol, String), String]),
+        direct_relationship: T::Boolean
       ).void
     end
     def initialize(name:, requirements:, package_manager:, version: nil,
                    previous_version: nil, previous_requirements: nil, directory: nil,
-                   subdependency_metadata: [], removed: false, metadata: {})
+                   subdependency_metadata: [], removed: false, metadata: {}, direct_relationship: false)
       @name = name
       @version = T.let(
         case version
@@ -134,6 +135,7 @@ module Dependabot
       end
       @removed = removed
       @metadata = T.let(symbolize_keys(metadata || {}), T::Hash[Symbol, T.untyped])
+      @direct_relationship = direct_relationship
 
       check_values
     end
@@ -145,6 +147,12 @@ module Dependabot
       requirements.any?
     end
 
+    # used to support lockfile parsing/DependencySubmission
+    sig { returns(T::Boolean) }
+    def direct?
+      top_level? || @direct_relationship
+    end
+
     sig { returns(T::Boolean) }
     def removed?
       @removed

data/lib/dependabot/dependency_file.rb

@@ -40,6 +40,9 @@ module Dependabot
     sig { returns(T.nilable(String)) }
     attr_accessor :mode
 
+    sig { returns(T::Set[T.untyped]) }
+    attr_accessor :dependencies
+
     class ContentEncoding
       UTF_8 = "utf-8"
       BASE64 = "base64"
@@ -92,6 +95,7 @@ module Dependabot
       @content_encoding = content_encoding
       @operation = operation
       @mode = mode
+      @dependencies = T.let(Set.new, T::Set[T.untyped])
       raise ArgumentError, "Invalid Git mode: #{mode}" if mode && !VALID_MODES.include?(mode)
 
       # Make deleted override the operation. Deleted is kept when operation

data/lib/dependabot/file_fetchers/base.rb

@@ -100,14 +100,16 @@ module Dependabot
             source: Dependabot::Source,
             credentials: T::Array[Dependabot::Credential],
             repo_contents_path: T.nilable(String),
-            options: T::Hash[String, String]
+            options: T::Hash[String, String],
+            update_config: T.nilable(Dependabot::Config::UpdateConfig)
           )
           .void
       end
-      def initialize(source:, credentials:, repo_contents_path: nil, options: {})
+      def initialize(source:, credentials:, repo_contents_path: nil, options: {}, update_config: nil)
         @source = source
         @credentials = credentials
         @repo_contents_path = repo_contents_path
+        @exclude_paths = T.let(update_config&.exclude_paths || [], T::Array[String])
         @linked_paths = T.let({}, T::Hash[T.untyped, T.untyped])
         @submodules = T.let([], T::Array[T.untyped])
         @options = options
@@ -115,6 +117,13 @@ module Dependabot
         @files = T.let([], T::Array[DependencyFile])
       end
 
+      # rubocop:disable Style/TrivialAccessors
+      sig { params(excludes: T::Array[String]).void }
+      def exclude_paths=(excludes)
+        @exclude_paths = excludes
+      end
+      # rubocop:enable Style/TrivialAccessors
+
       sig { returns(String) }
       def repo
         source.repo
@@ -453,14 +462,18 @@ module Dependabot
         params(path: String, fetch_submodules: T::Boolean, raise_errors: T::Boolean)
           .returns(T::Array[OpenStruct])
       end
-      def _fetch_repo_contents(path, fetch_submodules: false,
-                               raise_errors: true)
+      def _fetch_repo_contents(path, fetch_submodules: false, raise_errors: true) # rubocop:disable Metrics/PerceivedComplexity
         path = path.gsub(" ", "%20")
         provider, repo, tmp_path, commit =
           _full_specification_for(path, fetch_submodules: fetch_submodules)
           .values_at(:provider, :repo, :path, :commit)
 
-        _fetch_repo_contents_fully_specified(provider, repo, tmp_path, commit)
+        entries = _fetch_repo_contents_fully_specified(provider, repo, tmp_path, commit)
+        if Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files)
+          filter_excluded(entries)
+        else
+          entries
+        end
       rescue *CLIENT_NOT_FOUND_ERRORS
         raise Dependabot::DirectoryNotFound, directory if path == directory.gsub(%r{^/*}, "")
 
@@ -522,7 +535,7 @@ module Dependabot
         repo_path = File.join(clone_repo_contents, relative_path)
         return [] unless Dir.exist?(repo_path)
 
-        Dir.entries(repo_path).sort.filter_map do |name|
+        entries = Dir.entries(repo_path).sort.filter_map do |name|
           next if name == "." || name == ".."
 
           absolute_path = File.join(repo_path, name)
@@ -541,6 +554,66 @@ module Dependabot
             size: 0 # NOTE: added for parity with github contents API
           )
         end
+        if Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files)
+          filter_excluded(entries)
+        else
+          entries
+        end
+      end
+
+      # Filters out any entries whose paths match one of the exclude_paths globs.
+      sig { params(entries: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+      def filter_excluded(entries) # rubocop:disable Metrics/PerceivedComplexity,Metrics/MethodLength,Metrics/AbcSize
+        Dependabot.logger.info("DEBUG filter_excluded: entries=#{entries.length}, exclude_paths=#{@exclude_paths.inspect}") # rubocop:disable Layout/LineLength
+
+        return entries if @exclude_paths.empty?
+
+        filtered_entries = entries.reject do |entry|
+          full_entry_path = entry.path
+          Dependabot.logger.info("DEBUG: Checking entry path: #{full_entry_path}")
+
+          @exclude_paths.any? do |exclude_pattern|
+            Dependabot.logger.info("DEBUG: Testing pattern: #{exclude_pattern} against path: #{full_entry_path}")
+
+            # case 1: exact match
+            exclude_exact = full_entry_path == exclude_pattern
+
+            # case 2: Directory prefix matching: check if path is inside an excluded directory
+            exclude_deeper = full_entry_path.start_with?("#{exclude_pattern}#{File::SEPARATOR}",
+                                                         "#{exclude_pattern}/")
+
+            # case 3: Explicit recursive (patterns that end with /**)
+            exclude_recursive = false
+            if exclude_pattern.end_with?("/**")
+              base_pattern = exclude_pattern[0...-3]
+              exclude_recursive = full_entry_path == base_pattern ||
+                                  full_entry_path.start_with?("#{base_pattern}/") ||
+                                  full_entry_path.start_with?("#{base_pattern}#{File::SEPARATOR}")
+            end
+
+            # case 4: Glob pattern matching with enhanced flags
+            # Use multiple fnmatch attempts with different flag combinations
+            fnmatch_flags = [
+              File::FNM_EXTGLOB,
+              File::FNM_EXTGLOB | File::FNM_PATHNAME,
+              File::FNM_EXTGLOB | File::FNM_PATHNAME | File::FNM_DOTMATCH,
+              File::FNM_PATHNAME
+            ]
+            exclude_fnmatch_paths = fnmatch_flags.any? do |flag|
+              File.fnmatch?(exclude_pattern, full_entry_path, flag)
+            end
+
+            result = exclude_exact || exclude_deeper || exclude_recursive || exclude_fnmatch_paths
+            Dependabot.logger.info("DEBUG: Pattern #{exclude_pattern} vs #{full_entry_path} -> #{result ? 'EXCLUDED' : 'INCLUDED'}") # rubocop:disable Layout/LineLength
+            result
+          end
+        end
+
+        Dependabot.logger.info("DEBUG filter_excluded: Filtered from #{entries.length} to #{filtered_entries.length} entries") # rubocop:disable Layout/LineLength
+        filtered_entries
+      rescue StandardError => e
+        Dependabot.logger.warn("Error while filtering exclude paths patterns: #{e.message}")
+        entries
       end
 
       sig { params(file: Sawyer::Resource).returns(OpenStruct) }

data/lib/dependabot/utils.rb

@@ -56,7 +56,7 @@ module Dependabot
     sig { params(package_manager: String).void }
     def self.validate_package_manager!(package_manager)
       # Official package manager
-      return if Config::File::PACKAGE_MANAGER_LOOKUP.invert.key?(package_manager)
+      return if Config::File::REVERSE_PACKAGE_MANAGER_LOOKUP.key?(package_manager)
 
       # Used by specs
       return if package_manager == "dummy" || package_manager == "silent"

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.325.1"
+  VERSION = "0.326.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.325.1
+  version: 0.326.0
 platform: ruby
 authors:
 - Dependabot
@@ -625,7 +625,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.325.1
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.326.0
 rdoc_options: []
 require_paths:
 - lib