dependabot-common 0.336.0 → 0.340.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6874d956be44fe350f122548152a4b6c294111a1cd0b79526836d76eabf4e4d1
-  data.tar.gz: 71fed0ab9fd538efed8d22c499b7f3ba136cb861c8d734f1e3a8e8faa5e0944a
+  metadata.gz: a42fa3649c95847180e885763acdb76be2d164445b50285c1f61c67bf393681d
+  data.tar.gz: d4f4f83a7463a702039d4c05342ac7a2a0c4fcc9dd6efe28c85e0601332ac9d7
 SHA512:
-  metadata.gz: 4fe1b1678e71b8ba9c53afecc2645718bed248166c4c522a1fbf57ea9071458225f832983360d3d75bace9bf958b941b50530faee228bc0697417593616877b2
-  data.tar.gz: 733d2e22f20673cc0ce3aa9cbf75f882aac2d939f1cb2586543d9c775794a1b5c3234acbaed3b0efa1cfccd5266fd9c08c37b23603df2d7656d026655a2f831c
+  metadata.gz: aad8110867da8be56ca052747ab4eda787232ef67f27e7735411f6fdba956ca08f2996d6213286f44367cc75e52be8f2d1658808feda994a93d9a3b235219ec7
+  data.tar.gz: 607952ee6921687caf9f80dd15f70d1ef1cc1da3aca65548a39abf2ab0de391636ba9ad01903999bb302ccc133cd473c101b0bbcb7ebd9e71d56a6c4497c6179

data/lib/dependabot/dependency_graphers/base.rb

@@ -5,6 +5,21 @@ require "sorbet-runtime"
 
 module Dependabot
   module DependencyGraphers
+    # This is a small value class that specifies the information we expect to be returned for each
+    # dependency strictly.
+    class ResolvedDependency < T::ImmutableStruct
+      # A valid purl for the dependency, e.g. pkg:/npm/tunnel@0.0.6
+      const :package_url, String
+      # Is this a direct dependency?
+      const :direct, T::Boolean
+      # Is this a runtime dependency?
+      const :runtime, T::Boolean
+      # A list of packages this dependency itself depends on if direct is false. Note that:
+      # - a valid purl for the parent dependency is preferable
+      # - the package name is acceptable **unless the ecosystem allows multiple versions of a package to be used**
+      const :dependencies, T::Array[String]
+    end
+
     class Base
       extend T::Sig
       extend T::Helpers
@@ -41,18 +56,17 @@ module Dependabot
         @prepared = true
       end
 
-      sig { returns(T::Hash[String, T.untyped]) }
+      sig { returns(T::Hash[String, ResolvedDependency]) }
       def resolved_dependencies
         prepare! unless prepared
 
         @dependencies.each_with_object({}) do |dep, resolved|
-          resolved[dep.name] = {
+          resolved[dep.name] = ResolvedDependency.new(
             package_url: build_purl(dep),
-            relationship: relationship_for(dep),
-            scope: scope_for(dep),
-            dependencies: fetch_subdependencies(dep),
-            metadata: {}
-          }
+            direct: dep.top_level?,
+            runtime: dep.production?,
+            dependencies: fetch_subdependencies(dep)
+          )
         end
       end
 
@@ -106,24 +120,6 @@ module Dependabot
           version: purl_version_for(dependency)
         )
       end
-
-      sig { params(dep: Dependabot::Dependency).returns(String) }
-      def relationship_for(dep)
-        if dep.top_level?
-          "direct"
-        else
-          "indirect"
-        end
-      end
-
-      sig { params(dependency: Dependabot::Dependency).returns(String) }
-      def scope_for(dependency)
-        if dependency.production?
-          "runtime"
-        else
-          "development"
-        end
-      end
     end
   end
 end

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.336.0"
+  VERSION = "0.340.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.336.0
+  version: 0.340.0
 platform: ruby
 authors:
 - Dependabot
@@ -630,7 +630,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.336.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.340.0
 rdoc_options: []
 require_paths:
 - lib