dependabot-common 0.335.0 → 0.336.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ca29ec928a5e569aa377708755f29f998ca87ddb68ed2722a5171386427e3f87
4
- data.tar.gz: 206f507ef450d40f3a002187a7890dc5b5abc88c7d8df5e53a87a27a14aa9f71
3
+ metadata.gz: 6874d956be44fe350f122548152a4b6c294111a1cd0b79526836d76eabf4e4d1
4
+ data.tar.gz: 71fed0ab9fd538efed8d22c499b7f3ba136cb861c8d734f1e3a8e8faa5e0944a
5
5
  SHA512:
6
- metadata.gz: 3a3baf81472a1b7528fb6f95f9c5ed76f79186fd4aa442e073b2f0bc60e676186f592ab16a18f1f6bb747e652e522d0f1af2a7ac077a3dbce0d89001c001fc93
7
- data.tar.gz: 26a4aaa04570ec094267b7e2739a394fe4d279807ad03453ac6cec8c766d18cb3b13e73665923cf8e58ca64ab6fad7b8b8a20656a0feaa93b80bcdaed6119503
6
+ metadata.gz: 4fe1b1678e71b8ba9c53afecc2645718bed248166c4c522a1fbf57ea9071458225f832983360d3d75bace9bf958b941b50530faee228bc0697417593616877b2
7
+ data.tar.gz: 733d2e22f20673cc0ce3aa9cbf75f882aac2d939f1cb2586543d9c775794a1b5c3234acbaed3b0efa1cfccd5266fd9c08c37b23603df2d7656d026655a2f831c
@@ -2,7 +2,7 @@
2
2
 
3
3
  Dependency graphers are used to convert a set of parsed dependencies into a data structure we can use to output the dependency graph of a project in a generic data structure based on GitHub's [Dependency submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission).
4
4
 
5
- We will expect each language Dependabot supports to implement a `Dependabot::DependencyGraphers` class in future, but for now any modules that do not implement a specific class fail over to a 'best effort' generic implementation that works in most cases.
5
+ We will expect each language Dependabot supports to implement a `Dependabot::DependencyGraphers` class in future, but for now any modules that do not implement a specific class fail over to a 'best effort' generic implementation.
6
6
 
7
7
  ## Public API
8
8
 
@@ -39,9 +39,9 @@ An example of a `.resolved_dependencies` hash for a Bundler project:
39
39
  }
40
40
  ```
41
41
 
42
- ## Writing a file fetcher for a new language
42
+ ## Writing a dependency grapher for a new language
43
43
 
44
- All new file fetchers should inherit from `Dependabot::DependencyGraphers::Base` and
44
+ All new dependency graphers should inherit from `Dependabot::DependencyGraphers::Base` and
45
45
  implement the following methods:
46
46
 
47
47
  | Method | Description |
@@ -52,3 +52,10 @@ implement the following methods:
52
52
 
53
53
  > [!WARNING]
54
54
  > While PURLs are preferred in all languages for `.fetch_subdependencies`, for languages where multiple versions of a single dependency are permitted they _must_ be provided to be precise.
55
+
56
+ ## Overriding file parser behaviour
57
+
58
+ In most cases, an ecosystem's file parser should provide us the dependency data we need to build the graph, but in some cases we may need to tweak this behaviour or experiment with alternative parsing strategies.
59
+
60
+ The `Dependabot::DependencyGraphers::Base` class provides the `prepare!` method as the hook that is called to generate the dependency list - if required this method can be redefined for a specific ecosystem to make
61
+ additional or alternative calls.
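Review bot: the new "Overriding file parser behaviour" section (new lines 56-61) should state what an override of `prepare!` is responsible for. The base implementation both assigns `@dependencies` and sets `@prepared = true`, and `resolved_dependencies` only invokes `prepare!` while `prepared` is false, so an override that neither calls `super` nor sets the flag will either produce an empty graph or re-run the parse on every call. Suggest adding a sentence such as "Overrides must populate `@dependencies` and set `@prepared = true` (or call `super`)". Also, the last sentence is wrapped mid-clause across new lines 60-61 ("to make / additional or alternative calls"); joining it onto one line keeps the paragraph consistent with the rest of the file.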
@@ -13,23 +13,16 @@ module Dependabot
13
13
 
14
14
  abstract!
15
15
 
16
- # TODO(brrygrdn): Inject the Dependency parser instead of pre-parsed `dependencies`
17
- #
18
- # Semantically it makes sense for the grapher to wrap the parser as a higher order function, but we already know
19
- # that some package managers will require extra native commands before, after or during the parse - in extreme
20
- # cases it may make sense to use an alternative parser that is more optimal.
21
- #
22
- # By injecting the parser, this allows the ecosystem to encapsulate the package manager specifics without the
23
- # executor needing to manage parser modes / feature flags.
16
+ sig { returns(T::Boolean) }
17
+ attr_reader :prepared
18
+
24
19
  sig do
25
- params(
26
- dependency_files: T::Array[Dependabot::DependencyFile],
27
- dependencies: T::Array[Dependabot::Dependency]
28
- ).void
20
+ params(file_parser: Dependabot::FileParsers::Base).void
29
21
  end
30
- def initialize(dependency_files:, dependencies:)
31
- @dependency_files = dependency_files
32
- @dependencies = dependencies
22
+ def initialize(file_parser:)
23
+ @file_parser = file_parser
24
+ @dependencies = T.let([], T::Array[Dependabot::Dependency])
25
+ @prepared = T.let(false, T::Boolean)
33
26
  end
34
27
 
35
28
  # Each grapher must implement a heuristic to determine which dependency file should be used as the owner
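Review bot: the constructor change from `initialize(dependency_files:, dependencies:)` to `initialize(file_parser:)` is a breaking change for every existing `Dependabot::DependencyGraphers` subclass and caller, and `@dependency_files` is no longer assigned, so any subclass that still reads that instance variable directly will silently get `nil`; only the generic grapher is updated in this diff, so confirm the other ecosystem graphers and the release notes are covered. The public `attr_reader :prepared` exposes guard state that is only consulted inside `resolved_dependencies`; consider making it private, or naming it `prepared?` to follow the Ruby predicate convention.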
@@ -40,8 +33,18 @@ module Dependabot
40
33
  sig { abstract.returns(Dependabot::DependencyFile) }
41
34
  def relevant_dependency_file; end
42
35
 
43
- sig { returns(T::Hash[Symbol, T.untyped]) }
36
+ # A grapher may override this method if it needs to perform extra steps around the normal file parser for
37
+ # the ecosystem.
38
+ sig { void }
39
+ def prepare!
40
+ @dependencies = @file_parser.parse
41
+ @prepared = true
42
+ end
43
+
44
+ sig { returns(T::Hash[String, T.untyped]) }
44
45
  def resolved_dependencies
46
+ prepare! unless prepared
47
+
45
48
  @dependencies.each_with_object({}) do |dep, resolved|
46
49
  resolved[dep.name] = {
47
50
  package_url: build_purl(dep),
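Review bot: the memoisation in `prepare! unless prepared` (new line 46) depends entirely on the override setting `@prepared`, and `prepare!` itself is not idempotent (a direct call re-runs `@file_parser.parse`). Since the comment on new lines 36-37 invites overriding, consider moving the guard into the base method (`return if prepared`) or having `resolved_dependencies` set `@prepared = true` after the call, and spell out in that comment that an override must assign `@dependencies`. The signature change from `T::Hash[Symbol, T.untyped]` to `T::Hash[String, T.untyped]` matches the actual `dep.name` keys and looks like a correct fix, but it alters a public Sorbet signature and deserves a changelog line.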
@@ -55,6 +58,14 @@ module Dependabot
55
58
 
56
59
  private
57
60
 
61
+ sig { returns(Dependabot::FileParsers::Base) }
62
+ attr_reader :file_parser
63
+
64
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
65
+ def dependency_files
66
+ file_parser.dependency_files
67
+ end
68
+
58
69
  # Each grapher is expected to implement a method to look up the parents of a given dependency.
59
70
  #
60
71
  # The strategy that should be used is highly dependent on the ecosystem, in some cases the parser
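Review bot: the new private `dependency_files` (new lines 64-67) delegates to `file_parser.dependency_files` on every call instead of holding the array the old constructor stored, and it always reads the injected `file_parser`; the README added in this same release says `prepare!` may use "alternative parsing strategies", so an override that parses with a different parser will still have `filtered_dependency_files` and any other caller see the original parser's files. Either memoise the result or add a comment making clear that `dependency_files` reflects the injected parser regardless of what `prepare!` does.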
@@ -25,7 +25,7 @@ module Dependabot
25
25
 
26
26
  sig { returns(T::Array[Dependabot::DependencyFile]) }
27
27
  def filtered_dependency_files
28
- @dependency_files.reject { |f| f.support_file? || f.vendored_file? }
28
+ dependency_files.reject { |f| f.support_file? || f.vendored_file? }
29
29
  end
30
30
 
31
31
  # Our generic strategy is to check if the parser has attached a `depends_on` key to the Dependency's
data/lib/dependabot.rb CHANGED
@@ -2,5 +2,5 @@
2
2
  # frozen_string_literal: true
3
3
 
4
4
  module Dependabot
5
- VERSION = "0.335.0"
5
+ VERSION = "0.336.0"
6
6
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-common
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.335.0
4
+ version: 0.336.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -630,7 +630,7 @@ licenses:
630
630
  - MIT
631
631
  metadata:
632
632
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
633
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.335.0
633
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.336.0
634
634
  rdoc_options: []
635
635
  require_paths:
636
636
  - lib