dependabot-common 0.336.0 → 0.337.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6874d956be44fe350f122548152a4b6c294111a1cd0b79526836d76eabf4e4d1
-  data.tar.gz: 71fed0ab9fd538efed8d22c499b7f3ba136cb861c8d734f1e3a8e8faa5e0944a
+  metadata.gz: 5b0ffe5707059285fd1f9a5ec262e5bb5ee208edbc66bf448bab3bafb1777e2f
+  data.tar.gz: 8822c407c862de5043ac786b628a8640e977a2a806f5abc5b16cd2aebbcba0d1
 SHA512:
-  metadata.gz: 4fe1b1678e71b8ba9c53afecc2645718bed248166c4c522a1fbf57ea9071458225f832983360d3d75bace9bf958b941b50530faee228bc0697417593616877b2
-  data.tar.gz: 733d2e22f20673cc0ce3aa9cbf75f882aac2d939f1cb2586543d9c775794a1b5c3234acbaed3b0efa1cfccd5266fd9c08c37b23603df2d7656d026655a2f831c
+  metadata.gz: 101633a5e8ee69f8b9da421b78ef56d080fa128574038f9ead3e66611e9411e12ae9e12ca71e0511a7be2ece9a586a061733aec9188b723acae48bef0c3dc226
+  data.tar.gz: be0d92563c07aa54897bef06002c76e4c8ee262a48e6dde7298afb7aace9b0a14854600e99486d47d39eb3eb0d06b110c57f408cc9e662ae0b68f92a588289c6

data/lib/dependabot/dependency_graphers/base.rb

@@ -5,6 +5,21 @@ require "sorbet-runtime"
 
 module Dependabot
   module DependencyGraphers
+    # This is a small value class that specifies the information we expect to be returned for each
+    # dependency strictly.
+    class ResolvedDependency < T::ImmutableStruct
+      # A valid purl for the dependency, e.g. pkg:/npm/tunnel@0.0.6
+      const :package_url, String
+      # Is this a direct dependency?
+      const :direct, T::Boolean
+      # Is this a runtime dependency?
+      const :runtime, T::Boolean
+      # A list of packages this dependency itself depends on if direct is false. Note that:
+      # - a valid purl for the parent dependency is preferable
+      # - the package name is acceptable **unless the ecosystem allows multiple versions of a package to be used**
+      const :dependencies, T::Array[String]
+    end
+
     class Base
       extend T::Sig
       extend T::Helpers
@@ -41,18 +56,17 @@ module Dependabot
         @prepared = true
       end
 
-      sig { returns(T::Hash[String, T.untyped]) }
+      sig { returns(T::Hash[String, ResolvedDependency]) }
       def resolved_dependencies
         prepare! unless prepared
 
         @dependencies.each_with_object({}) do |dep, resolved|
-          resolved[dep.name] = {
+          resolved[dep.name] = ResolvedDependency.new(
             package_url: build_purl(dep),
-            relationship: relationship_for(dep),
-            scope: scope_for(dep),
-            dependencies: fetch_subdependencies(dep),
-            metadata: {}
-          }
+            direct: dep.top_level?,
+            runtime: dep.production?,
+            dependencies: fetch_subdependencies(dep)
+          )
         end
       end
 
@@ -106,24 +120,6 @@ module Dependabot
           version: purl_version_for(dependency)
         )
       end
-
-      sig { params(dep: Dependabot::Dependency).returns(String) }
-      def relationship_for(dep)
-        if dep.top_level?
-          "direct"
-        else
-          "indirect"
-        end
-      end
-
-      sig { params(dependency: Dependabot::Dependency).returns(String) }
-      def scope_for(dependency)
-        if dependency.production?
-          "runtime"
-        else
-          "development"
-        end
-      end
     end
   end
 end

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.336.0"
+  VERSION = "0.337.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.336.0
+  version: 0.337.0
 platform: ruby
 authors:
 - Dependabot
@@ -630,7 +630,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.336.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.337.0
 rdoc_options: []
 require_paths:
 - lib