dependabot-common 0.330.0 → 0.331.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e75354fcd97069450a7897bc3f0c4788fc502b6b7541c7bb1ef01f14779aaec3
-  data.tar.gz: c71e3cf39d50d4510f12d137e17ba63204aacedce829eb66f48c7da672cece39
+  metadata.gz: 368060e7dedf182e8c8b2ddf50b4db02fa3e5376af51f9e67c1463447afd34dc
+  data.tar.gz: b803b274fb307a702c06f8b84a97c461c9616c5513c344d75a089f35ceb08af7
 SHA512:
-  metadata.gz: 844f8f4ad3fb9b201791b0499fa8c733667ed792701d19fe0791aaad172170b1dfa399244b32477e440ba97d8f2f2862a882c41eb9ab40e029b96affc8c75a9a
-  data.tar.gz: dd31e1be979b0a984c896be9ba4bc5060175deb1feea9ac0278e03666034dbdc5b711314603c8b56089bd7e2aa93e2e8cbbaa9e552deb75e565d26a3e49129ae
+  metadata.gz: 583a5880a5600a7a358971da32c0ec6c50c26221239180daef53139c2d34f9307cc8bb8ef068f13644b01454077708a061a7425d557482e883deacb8c394f8fe
+  data.tar.gz: ed79678548ca61683a7f65860b7901ab7af465263e047cec0ffd6b44e74c4bbea7a0f2e1baf404fa530579e57ddc1e9952e40de089658052f98ed2b14df65cb2

data/lib/dependabot/dependency.rb

@@ -101,6 +101,9 @@ module Dependabot
     sig { returns(T.nilable(Time)) }
     attr_accessor :attribution_timestamp
 
+    sig { returns(T::Array[String]) }
+    attr_reader :origin_files
+
     # rubocop:disable Metrics/AbcSize
     # rubocop:disable Metrics/PerceivedComplexity
     sig do
@@ -116,12 +119,14 @@ module Dependabot
         subdependency_metadata: T.nilable(T::Array[T::Hash[T.any(Symbol, String), String]]),
         removed: T::Boolean,
         metadata: T.nilable(T::Hash[T.any(Symbol, String), String]),
-        direct_relationship: T::Boolean
+        direct_relationship: T::Boolean,
+        origin_files: T::Array[String]
       ).void
     end
     def initialize(name:, requirements:, package_manager:, version: nil,
                    previous_version: nil, previous_requirements: nil, directory: nil,
-                   subdependency_metadata: [], removed: false, metadata: {}, direct_relationship: false)
+                   subdependency_metadata: [], removed: false, metadata: {}, direct_relationship: false,
+                   origin_files: [])
       @name = name
       @version = T.let(
         case version
@@ -149,7 +154,7 @@ module Dependabot
       @removed = removed
       @metadata = T.let(symbolize_keys(metadata || {}), T::Hash[Symbol, T.untyped])
       @direct_relationship = direct_relationship
-
+      @origin_files = origin_files
       check_values
     end
     # rubocop:enable Metrics/AbcSize

data/lib/dependabot/file_fetchers/base.rb

@@ -462,18 +462,14 @@ module Dependabot
         params(path: String, fetch_submodules: T::Boolean, raise_errors: T::Boolean)
           .returns(T::Array[OpenStruct])
       end
-      def _fetch_repo_contents(path, fetch_submodules: false, raise_errors: true) # rubocop:disable Metrics/PerceivedComplexity
+      def _fetch_repo_contents(path, fetch_submodules: false, raise_errors: true)
         path = path.gsub(" ", "%20")
         provider, repo, tmp_path, commit =
           _full_specification_for(path, fetch_submodules: fetch_submodules)
           .values_at(:provider, :repo, :path, :commit)
 
         entries = _fetch_repo_contents_fully_specified(provider, repo, tmp_path, commit)
-        if Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files)
-          filter_excluded(entries)
-        else
-          entries
-        end
+        entries
       rescue *CLIENT_NOT_FOUND_ERRORS
         raise Dependabot::DirectoryNotFound, directory if path == directory.gsub(%r{^/*}, "")
 
@@ -554,11 +550,7 @@ module Dependabot
             size: 0 # NOTE: added for parity with github contents API
           )
         end
-        if Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files)
-          filter_excluded(entries)
-        else
-          entries
-        end
+        entries
       end
 
       # Filters out any entries whose paths match one of the exclude_paths globs.

data/lib/dependabot/file_filtering.rb

@@ -0,0 +1,70 @@
+# typed: strong
+# frozen_string_literal: true
+
+module Dependabot
+  module FileFiltering
+    extend T::Sig
+
+    # Returns true if the given path matches any of the exclude patterns
+    sig { params(path: String, exclude_patterns: T.nilable(T::Array[String])).returns(T::Boolean) }
+    def self.exclude_path?(path, exclude_patterns) # rubocop:disable Metrics/PerceivedComplexity
+      return false if exclude_patterns.nil? || exclude_patterns.empty?
+
+      # Normalize the path by removing leading slashes and resolving relative paths
+      normalized_path = normalize_path(path)
+
+      exclude_patterns.any? do |pattern|
+        normalized_pattern = normalize_path(pattern.chomp("/"))
+
+        # case 1: exact match
+        exclude_exact = normalized_path == pattern || normalized_path == normalized_pattern
+
+        # case 2: Directory prefix matching: check if path is inside an excluded directory
+        exclude_deeper = normalized_path.start_with?("#{pattern}#{File::SEPARATOR}",
+                                                     "#{normalized_pattern}#{File::SEPARATOR}")
+
+        # case 3: Explicit recursive (patterns that end with /**)
+        exclude_recursive = false
+        if pattern.end_with?("/**")
+          base_pattern_str = pattern[0...-3]
+          base_pattern = normalize_path(base_pattern_str) if base_pattern_str
+          exclude_recursive = base_pattern && (
+            normalized_path == base_pattern ||
+            normalized_path.start_with?("#{base_pattern}/") ||
+            normalized_path.start_with?("#{base_pattern}#{File::SEPARATOR}")
+          )
+        end
+
+        # case 4: Glob pattern matching with enhanced flags
+        # Use multiple fnmatch attempts with different flag combinations
+        fnmatch_flags = [
+          File::FNM_EXTGLOB,
+          File::FNM_EXTGLOB | File::FNM_PATHNAME,
+          File::FNM_EXTGLOB | File::FNM_PATHNAME | File::FNM_DOTMATCH,
+          File::FNM_PATHNAME
+        ]
+        exclude_fnmatch_paths = fnmatch_flags.any? do |flag|
+          File.fnmatch?(pattern, normalized_path, flag) || File.fnmatch?(normalized_pattern, normalized_path, flag)
+        end
+
+        result = exclude_exact || exclude_deeper || exclude_recursive || exclude_fnmatch_paths
+        result
+      end
+    end
+
+    # Normalize a file path for consistent comparison
+    # - Removes leading slashes
+    # - Resolves relative path components (., ..)
+    sig { params(path: String).returns(String) }
+    def self.normalize_path(path)
+      return path if path.empty?
+
+      pathname = Pathname.new(path)
+      normalized = pathname.cleanpath.to_s
+
+      # Remove leading slash for relative comparison
+      normalized = normalized.sub(%r{^/+}, "")
+      normalized
+    end
+  end
+end

data/lib/dependabot/file_parsers/base/dependency_set.rb

@@ -150,6 +150,10 @@ module Dependabot
               (old_dep.subdependency_metadata || []) +
               (new_dep.subdependency_metadata || [])
             ).uniq
+            origin_files = (
+              old_dep.origin_files +
+              new_dep.origin_files
+            ).uniq
 
             Dependency.new(
               name: old_dep.name,
@@ -157,7 +161,8 @@ module Dependabot
               requirements: requirements,
               package_manager: old_dep.package_manager,
               metadata: old_dep.metadata,
-              subdependency_metadata: subdependency_metadata
+              subdependency_metadata: subdependency_metadata,
+              origin_files: origin_files
             )
           end
 

data/lib/dependabot/update_checkers/base.rb

@@ -8,6 +8,7 @@ require "dependabot/requirements_update_strategy"
 require "dependabot/security_advisory"
 require "dependabot/utils"
 require "dependabot/package/release_cooldown_options"
+require "dependabot/file_filtering"
 
 module Dependabot
   module UpdateCheckers
@@ -45,6 +46,9 @@ module Dependabot
       sig { returns(T.nilable(Dependabot::Package::ReleaseCooldownOptions)) }
       attr_reader :update_cooldown
 
+      sig { returns(T.nilable(T::Array[String])) }
+      attr_reader :exclude_paths
+
       sig { returns(T::Hash[Symbol, T.untyped]) }
       attr_reader :options
 
@@ -60,6 +64,7 @@ module Dependabot
           requirements_update_strategy: T.nilable(Dependabot::RequirementsUpdateStrategy),
           dependency_group: T.nilable(Dependabot::DependencyGroup),
           update_cooldown: T.nilable(Dependabot::Package::ReleaseCooldownOptions),
+          exclude_paths: T.nilable(T::Array[String]),
           options: T::Hash[Symbol, T.untyped]
         )
           .void
@@ -68,7 +73,7 @@ module Dependabot
                      repo_contents_path: nil, ignored_versions: [],
                      raise_on_ignored: false, security_advisories: [],
                      requirements_update_strategy: nil, dependency_group: nil,
-                     update_cooldown: nil, options: {})
+                     update_cooldown: nil, exclude_paths: [], options: {})
         @dependency = dependency
         @dependency_files = dependency_files
         @repo_contents_path = repo_contents_path
@@ -79,6 +84,7 @@ module Dependabot
         @security_advisories = security_advisories
         @dependency_group = dependency_group
         @update_cooldown = update_cooldown
+        @exclude_paths = exclude_paths
         @options = options
       end
 
@@ -106,6 +112,37 @@ module Dependabot
         end
       end
 
+      sig { returns(T::Boolean) }
+      def excluded? # rubocop:disable Metrics/PerceivedComplexity
+        return false unless Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files)
+
+        return false if exclude_paths.nil? || exclude_paths&.empty?
+
+        origin_files = @dependency.origin_files
+        if origin_files.length.positive?
+          excluded_files = []
+          non_excluded_files = []
+
+          origin_files.each do |origin_file|
+            if Dependabot::FileFiltering.exclude_path?(origin_file, exclude_paths)
+              excluded_files << origin_file
+            else
+              non_excluded_files << origin_file
+            end
+          end
+
+          # Only exclude if the dependency appears ONLY in excluded paths
+          # If it appears in any non-excluded path, we should process it
+          if non_excluded_files.empty? && excluded_files.any?
+            Dependabot.logger.info("Excluding dependency #{dependency.name} - only found in excluded paths " \
+                                   "#{excluded_files.join(', ')}")
+            return true
+          end
+        end
+
+        false
+      end
+
       sig { params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Array[Dependabot::Dependency]) }
       def updated_dependencies(requirements_to_unlock:)
         return [] unless can_update?(requirements_to_unlock: requirements_to_unlock)

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.330.0"
+  VERSION = "0.331.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.330.0
+  version: 0.331.0
 platform: ruby
 authors:
 - Dependabot
@@ -550,6 +550,7 @@ files:
 - lib/dependabot/file_fetchers.rb
 - lib/dependabot/file_fetchers/README.md
 - lib/dependabot/file_fetchers/base.rb
+- lib/dependabot/file_filtering.rb
 - lib/dependabot/file_parsers.rb
 - lib/dependabot/file_parsers/README.md
 - lib/dependabot/file_parsers/base.rb
@@ -625,7 +626,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.330.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.331.0
 rdoc_options: []
 require_paths:
 - lib