dependabot-common 0.380.0 → 0.382.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3a6875517541de554dabb2e9256474b7b063b2af8a82bbf6579eb86e729e917e
-  data.tar.gz: c29581ace26310f39fb0b24c44702c943c01ab49bcc7787d9dfe4e5dd6093a5c
+  metadata.gz: 6b53185ee3c744622d14656ac582aaa779b5b9f3394497824d49561fe78fe2d8
+  data.tar.gz: cd5ce58e980459603217ea2693475a224691f67149215d1fb5031472bc065507
 SHA512:
-  metadata.gz: 8f33816f8f94a02f956f067923cd79f44783dec54c23745a713cfc3fc51f6e27b55294ba31fa6f3640626988ad4a8d89f4a68b7971fe5ea14ff6886828b4d718
-  data.tar.gz: 7a24d2dd23e16b58f8eadc9b975146983c8693e99d0a473401ca392438bc5c81ed7e2b2c1a79e070c6e40189b955783000bac75b59811583a3d4a6fde8ce43b8
+  metadata.gz: 1216f4ef150d1c76b7180f780b1d67831359c9f327bf1a00cf885d3f9b3313ce354a694803de8ec91c1eebc138e922d65cde4f4e5ede88f6da7ceb23c6306026
+  data.tar.gz: 1377f5537d8d8e637945e35d59ba58dde50ec048f29abf6e9d50c4239ce2a7ca292aa379cfd7c28af7c9efe12723bdf71d55a007ad7e4839a177472f57f7a256

data/lib/dependabot/clients/github_with_retries.rb

@@ -88,7 +88,7 @@ module Dependabot
 
       sig { params(repo: String, branch: String).returns(String) }
       def fetch_commit(repo, branch)
-        response = T.unsafe(self).ref(repo, "heads/#{branch}")
+        response = T.unsafe(ref(repo, "heads/#{branch}"))
 
         raise Octokit::NotFound if response.is_a?(Array)
 
@@ -97,7 +97,7 @@ module Dependabot
 
       sig { params(repo: String).returns(String) }
       def fetch_default_branch(repo)
-        T.unsafe(self).repository(repo).default_branch
+        T.unsafe(repository(repo)).default_branch
       end
 
       ############

data/lib/dependabot/clients/gitlab_with_retries.rb

@@ -67,12 +67,12 @@ module Dependabot
 
       sig { params(repo: String, branch: String).returns(String) }
       def fetch_commit(repo, branch)
-        T.unsafe(self).branch(repo, branch).commit.id
+        T.unsafe(branch(repo, branch)).commit.id
       end
 
       sig { params(repo: String).returns(String) }
       def fetch_default_branch(repo)
-        T.unsafe(self).project(repo).default_branch
+        T.unsafe(project(repo)).default_branch
       end
 
       ############

data/lib/dependabot/command_helpers.rb

@@ -96,7 +96,7 @@ module Dependabot
       stdout = T.let("", String)
       stderr = T.let("", String)
       status = T.let(nil, T.nilable(ProcessStatus))
-      pid = T.let(nil, T.untyped)
+      pid = T.let(nil, T.nilable(Integer))
       start_time = Time.now
 
       begin

data/lib/dependabot/config/ignore_condition.rb

@@ -52,7 +52,7 @@ module Dependabot
         update_types.map(&:downcase).filter_map(&:strip)
       end
 
-      sig { params(dependency: Dependency).returns(T::Array[T.untyped]) }
+      sig { params(dependency: Dependency).returns(T::Array[String]) }
       def versions_by_type(dependency)
         version = correct_version_for(dependency)
         return [] unless version

data/lib/dependabot/credential.rb

@@ -11,10 +11,20 @@ module Dependabot
 
     def_delegators :@credential, :fetch, :keys, :[]=, :delete, :slice, :values, :entries
 
-    sig { params(credential: T::Hash[String, T.any(T::Boolean, String)]).void }
+    sig { params(credential: T::Hash[String, T.any(T::Boolean, String, T::Array[String])]).void }
     def initialize(credential)
       @replaces_base = T.let(credential["replaces-base"] == true, T::Boolean)
       credential.delete("replaces-base")
+
+      raw_scope = credential.delete("scope")
+      @scope = T.let(
+        case raw_scope
+        when String then [raw_scope]
+        when Array then raw_scope
+        end,
+        T.nilable(T::Array[String])
+      )
+
       @credential = T.let(T.unsafe(credential), T::Hash[String, String])
     end
 
@@ -23,6 +33,9 @@ module Dependabot
       @replaces_base
     end
 
+    sig { returns(T.nilable(T::Array[String])) }
+    attr_reader :scope
+
     sig { params(key: String).returns(T.nilable(String)) }
     def [](key)
       @credential[key]

data/lib/dependabot/dependency.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "sorbet-runtime"
+require "dependabot/dependency_requirement"
 require "dependabot/version"
 
 module Dependabot
@@ -90,7 +91,7 @@ module Dependabot
     sig { returns(T.nilable(String)) }
     attr_reader :version
 
-    sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+    sig { returns(T::Array[Dependabot::DependencyRequirement]) }
     attr_reader :requirements
 
     sig { returns(String) }
@@ -99,7 +100,7 @@ module Dependabot
     sig { returns(T.nilable(String)) }
     attr_reader :previous_version
 
-    sig { returns(T.nilable(T::Array[T::Hash[Symbol, T.untyped]])) }
+    sig { returns(T.nilable(T::Array[Dependabot::DependencyRequirement])) }
     attr_reader :previous_requirements
 
     sig { returns(T.nilable(String)) }
@@ -124,7 +125,6 @@ module Dependabot
     sig { returns(T.nilable(Time)) }
     attr_accessor :attribution_timestamp
 
-    # rubocop:disable Metrics/AbcSize
     # rubocop:disable Metrics/PerceivedComplexity
     sig do
       params(
@@ -162,12 +162,15 @@ module Dependabot
         T.nilable(String)
       )
       @version = nil if @version == ""
-      @requirements = T.let(requirements.map { |req| symbolize_keys(req) }, T::Array[T::Hash[Symbol, T.untyped]])
+      @requirements = T.let(
+        requirements.map { |req| DependencyRequirement.create(req) },
+        T::Array[Dependabot::DependencyRequirement]
+      )
       @previous_version = previous_version
       @previous_version = nil if @previous_version == ""
       @previous_requirements = T.let(
-        previous_requirements&.map { |req| symbolize_keys(req) },
-        T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
+        previous_requirements&.map { |req| DependencyRequirement.create(req) },
+        T.nilable(T::Array[Dependabot::DependencyRequirement])
       )
       @package_manager = package_manager
       @directory = directory
@@ -181,7 +184,6 @@ module Dependabot
       @metadata = T.let(symbolize_keys(metadata || {}), T::Hash[Symbol, T.untyped])
       check_values
     end
-    # rubocop:enable Metrics/AbcSize
     # rubocop:enable Metrics/PerceivedComplexity
 
     sig { returns(T::Boolean) }
@@ -272,7 +274,7 @@ module Dependabot
       end
     end
 
-    sig { params(requirements: T::Array[T::Hash[Symbol, T.untyped]]).returns(T.nilable(String)) }
+    sig { params(requirements: T::Array[Dependabot::DependencyRequirement]).returns(T.nilable(String)) }
     def docker_digest_from_reqs(requirements)
       requirements
         .filter_map { |r| r.dig(:source, "digest") || r.dig(:source, :digest) }
@@ -340,9 +342,9 @@ module Dependabot
       self == other
     end
 
-    sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+    sig { returns(T::Array[Dependabot::DependencyRequirement]) }
     def specific_requirements
-      requirements.select { |r| requirement_class.new(r[:requirement]).specific? }
+      requirements.select { |r| requirement_class.new(r.requirement).specific? }
     end
 
     sig { returns(T.class_of(Dependabot::Requirement)) }

data/lib/dependabot/dependency_file.rb

@@ -123,7 +123,7 @@ module Dependabot
       raise "Only symlinked files must specify a target!" if symlink_target
     end
 
-    sig { returns(T::Hash[String, T.untyped]) }
+    sig { returns(T::Hash[String, T.nilable(T.any(String, T::Boolean))]) }
     def to_h
       details = {
         "name" => name,

data/lib/dependabot/dependency_requirement.rb

@@ -0,0 +1,94 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  # A single requirement entry within Dependency#requirements, e.g.:
+  #
+  #   {
+  #     requirement: ">= 1.0, < 2.0",
+  #     file: "Gemfile",
+  #     groups: [:default],
+  #     source: { type: "rubygems", url: "https://rubygems.org" },
+  #     metadata: { property_name: "rails.version" } # optional
+  #   }
+  #
+  # Subclasses Hash so it is a drop-in replacement at call sites (and in
+  # type annotations) that treat requirement entries as
+  # T::Hash[Symbol, T.untyped], while exposing typed readers for the
+  # well-known keys. New code should prefer the typed readers; hash-style
+  # access remains supported while call sites are migrated gradually.
+  #
+  # Wire compatibility: instances serialise to JSON exactly like the plain
+  # hash they were created from, and compare equal (==/eql?/#hash) to plain
+  # hashes with the same content, so existing comparisons, Array/Set
+  # operations, and API payloads are unaffected.
+  #
+  # Note on Hash methods: in Ruby 3+, #merge, #dup and #compact preserve
+  # this class, while #select, #reject, #except, #transform_values and
+  # #to_h return plain Hash instances. Dependency#initialize re-wraps
+  # whatever it is given, so both styles remain safe.
+  class DependencyRequirement < Hash
+    extend T::Sig
+    extend T::Generic
+
+    # The values of a requirement entry are heterogeneous and
+    # ecosystem-specific, so this bridge class is necessarily untyped at
+    # the Hash level; the typed readers below are the migration path.
+    # rubocop:disable Sorbet/ForbidTUntyped
+    K = type_member { { fixed: Symbol } }
+    V = type_member { { fixed: T.untyped } }
+    Elem = type_member { { fixed: [Symbol, T.untyped] } }
+
+    # Builds a DependencyRequirement from a requirement hash, symbolising
+    # top-level keys. Accepts both plain hashes and existing
+    # DependencyRequirement instances and always returns a new instance.
+    sig { params(hash: T::Hash[T.any(Symbol, String), T.untyped]).returns(DependencyRequirement) }
+    def self.create(hash)
+      requirement = new
+      requirement.replace(hash.keys.to_h { |k| [k.to_sym, hash[k]] })
+      requirement
+    end
+
+    # The version constraint string, e.g. ">= 1.0, < 2.0". Nil when the
+    # dependency is pinned by a lockfile rather than a manifest constraint.
+    sig { returns(T.nilable(String)) }
+    def requirement
+      self[:requirement]
+    end
+
+    # The manifest file this requirement was declared in, e.g. "Gemfile".
+    sig { returns(T.nilable(String)) }
+    def file
+      self[:file]
+    end
+
+    # The dependency groups this requirement belongs to, e.g. ["dev"] or
+    # [:default]. Element types vary by ecosystem (strings or symbols).
+    # Nilable because some requirement entries are constructed with
+    # groups: nil, and the reader must reflect that to stay a drop-in for
+    # the underlying hash access under sorbet-runtime.
+    sig { returns(T.nilable(T::Array[T.untyped])) }
+    def groups
+      self[:groups]
+    end
+
+    # The source details for the dependency, e.g.
+    # { type: "git", url: "https://github.com/..." }. Keys may be symbols
+    # or strings depending on whether the requirement was built by a file
+    # parser or deserialised from a job definition.
+    sig { returns(T.nilable(T::Hash[T.any(Symbol, String), T.untyped])) }
+    def source
+      self[:source]
+    end
+
+    # Optional ecosystem-specific metadata about the requirement, e.g.
+    # { property_name: "rails.version" }.
+    sig { returns(T.nilable(T::Hash[T.any(Symbol, String), T.untyped])) }
+    def metadata
+      self[:metadata]
+    end
+    # rubocop:enable Sorbet/ForbidTUntyped
+  end
+end

data/lib/dependabot/errors.rb

@@ -393,6 +393,18 @@ module Dependabot
   # rubocop:enable Lint/RedundantCopDisableDirective
   # rubocop:enable Metrics/AbcSize
 
+  # Interface for error classes that provide Sentry context (e.g. fingerprint).
+  # Include this module in any error class that defines #sentry_context.
+  module HasSentryContext
+    extend T::Sig
+    extend T::Helpers
+
+    interface!
+
+    sig { abstract.returns(T::Hash[Symbol, T.untyped]) }
+    def sentry_context; end
+  end
+
   class DependabotError < StandardError
     extend T::Sig
 

data/lib/dependabot/file_fetchers/base.rb

@@ -393,19 +393,19 @@ module Dependabot
           .returns(T.nilable(T::Hash[String, T.untyped]))
       end
       def update_linked_paths(repo, path, commit, github_response)
-        case T.unsafe(github_response).type
+        case github_response[:type]
         when "submodule"
-          sub_source = Source.from_url(T.unsafe(github_response).submodule_git_url)
+          sub_source = Source.from_url(github_response[:submodule_git_url])
           return unless sub_source
 
           @linked_paths[path] = {
             repo: sub_source.repo,
             provider: sub_source.provider,
-            commit: T.unsafe(github_response).sha,
+            commit: github_response[:sha],
             path: "/"
           }
         when "symlink"
-          updated_path = File.join(File.dirname(path), T.unsafe(github_response).target)
+          updated_path = File.join(File.dirname(path), github_response[:target])
           @linked_paths[path] = {
             repo: repo,
             provider: "github",
@@ -564,10 +564,10 @@ module Dependabot
       sig { params(repo: String, path: String, commit: String).returns(T::Array[RepositoryContent]) }
       def _github_repo_contents(repo, path, commit)
         path = path.gsub(" ", "%20")
-        github_response = T.unsafe(github_client).contents(repo, path: path, ref: commit)
+        github_response = github_client.contents(repo, path: path, ref: commit)
 
         if github_response.respond_to?(:type)
-          update_linked_paths(repo, path, commit, github_response)
+          update_linked_paths(repo, path, commit, T.unsafe(github_response))
           raise Octokit::NotFound
         end
 
@@ -629,18 +629,20 @@ module Dependabot
       sig { params(file: Sawyer::Resource).returns(RepositoryContent) }
       def _build_github_file_struct(file)
         RepositoryContent.new(
-          name: T.unsafe(file).name,
-          path: T.unsafe(file).path,
-          type: T.unsafe(file).type,
-          sha: T.unsafe(file).sha,
-          size: T.unsafe(file).size
+          name: file[:name],
+          path: file[:path],
+          type: file[:type],
+          sha: file[:sha],
+          size: file[:size]
         )
       end
 
       sig { params(repo: String, path: String, commit: String).returns(T::Array[RepositoryContent]) }
       def _gitlab_repo_contents(repo, path, commit)
-        T.unsafe(gitlab_client)
-         .repo_tree(repo, path: path, ref: commit, per_page: 100)
+        T.unsafe(
+          gitlab_client
+                   .repo_tree(repo, path: path, ref: commit, per_page: 100)
+        )
          .map do |file|
           # GitLab API essentially returns the output from `git ls-tree`
           type = case file.type
@@ -681,12 +683,12 @@ module Dependabot
 
       sig { params(repo: String, path: String, commit: String).returns(T::Array[RepositoryContent]) }
       def _bitbucket_repo_contents(repo, path, commit)
-        response = T.unsafe(bitbucket_client)
-                    .fetch_repo_contents(
-                      repo,
-                      commit,
-                      path
-                    )
+        response = bitbucket_client
+                   .fetch_repo_contents(
+                     repo,
+                     commit,
+                     path
+                   )
 
         response.map do |file|
           type = case file.fetch("type")
@@ -775,12 +777,12 @@ module Dependabot
         when "github"
           _fetch_file_content_from_github(path, repo, commit)
         when "gitlab"
-          tmp = T.unsafe(gitlab_client).get_file(repo, path, commit).content
+          tmp = T.unsafe(gitlab_client.get_file(repo, path, commit)).content
           decode_binary_string(tmp)
         when "azure"
           azure_client.fetch_file_contents(commit, path)
         when "bitbucket"
-          T.unsafe(bitbucket_client).fetch_file_contents(repo, commit, path)
+          bitbucket_client.fetch_file_contents(repo, commit, path)
         when "codecommit"
           codecommit_client.fetch_file_contents(repo, commit, path)
         else raise "Unsupported provider '#{source.provider}'."
@@ -790,30 +792,30 @@ module Dependabot
       # rubocop:disable Metrics/AbcSize
       sig { params(path: String, repo: String, commit: String).returns(String) }
       def _fetch_file_content_from_github(path, repo, commit)
-        tmp = T.unsafe(github_client).contents(repo, path: path, ref: commit)
+        tmp = github_client.contents(repo, path: path, ref: commit)
 
         raise Octokit::NotFound if tmp.is_a?(Array)
 
-        if tmp.type == "symlink"
+        if T.unsafe(tmp).type == "symlink"
           @linked_paths[path] = {
             repo: repo,
             provider: "github",
             commit: commit,
-            path: Pathname.new(tmp.target).cleanpath.to_path
+            path: Pathname.new(T.unsafe(tmp).target).cleanpath.to_path
           }
-          tmp = T.unsafe(github_client).contents(
+          tmp = github_client.contents(
             repo,
-            path: Pathname.new(tmp.target).cleanpath.to_path,
+            path: Pathname.new(T.unsafe(tmp).target).cleanpath.to_path,
             ref: commit
           )
         end
 
-        if tmp.content == ""
+        if T.unsafe(tmp).content == ""
           # The file may have exceeded the 1MB limit
           # see https://github.blog/changelog/2022-05-03-increased-file-size-limit-when-retrieving-file-contents-via-rest-api/
-          T.unsafe(github_client).contents(repo, path: path, ref: commit, accept: "application/vnd.github.v3.raw")
+          T.unsafe(github_client.contents(repo, path: path, ref: commit, accept: "application/vnd.github.v3.raw"))
         else
-          decode_binary_string(tmp.content)
+          decode_binary_string(T.unsafe(tmp).content)
         end
       rescue Octokit::Forbidden => e
         raise unless e.message.include?("too_large")
@@ -825,10 +827,10 @@ module Dependabot
         file_details = repo_contents(dir: dir).find { |f| f.name == basename }
         raise unless file_details
 
-        tmp = T.unsafe(github_client).blob(repo, file_details.sha)
-        return tmp.content if tmp.encoding == "utf-8"
+        tmp = github_client.blob(repo, file_details.sha)
+        return T.unsafe(tmp).content if T.unsafe(tmp).encoding == "utf-8"
 
-        decode_binary_string(tmp.content)
+        decode_binary_string(T.unsafe(tmp).content)
       end
       # rubocop:enable Metrics/AbcSize
 

data/lib/dependabot/file_parsers/base/dependency_set.rb

@@ -33,7 +33,7 @@ module Dependabot
           @dependencies.values.filter_map(&:combined)
         end
 
-        sig { params(dep: Dependabot::Dependency).returns(T.untyped) }
+        sig { params(dep: Dependabot::Dependency).returns(T.self_type) }
         def <<(dep)
           T.must(@dependencies[key_for_dependency(dep)]) << dep
           self

data/lib/dependabot/file_parsers/base.rb

@@ -28,6 +28,11 @@ module Dependabot
       sig { returns(T::Hash[Symbol, T.untyped]) }
       attr_reader :options
 
+      sig { returns(T::Boolean) }
+      def reject_external_code?
+        @reject_external_code
+      end
+
       sig do
         params(
           dependency_files: T::Array[Dependabot::DependencyFile],

data/lib/dependabot/file_updaters/artifact_updater.rb

@@ -1,4 +1,4 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
 require "sorbet-runtime"
@@ -120,11 +120,47 @@ module Dependabot
 
       sig do
         overridable
-          .params(parameters: T::Hash[Symbol, T.untyped])
+          .params(
+            name: String,
+            content: T.nilable(String),
+            directory: String,
+            type: String,
+            support_file: T::Boolean,
+            vendored_file: T::Boolean,
+            symlink_target: T.nilable(String),
+            content_encoding: String,
+            deleted: T::Boolean,
+            operation: String,
+            mode: T.nilable(String)
+          )
           .returns(Dependabot::DependencyFile)
       end
-      def create_dependency_file(parameters)
-        Dependabot::DependencyFile.new(**T.unsafe(parameters))
+      def create_dependency_file(
+        name:,
+        content: nil,
+        directory: "/",
+        type: "file",
+        support_file: false,
+        vendored_file: false,
+        symlink_target: nil,
+        content_encoding: Dependabot::DependencyFile::ContentEncoding::UTF_8,
+        deleted: false,
+        operation: Dependabot::DependencyFile::Operation::UPDATE,
+        mode: nil
+      )
+        Dependabot::DependencyFile.new(
+          name: name,
+          content: content,
+          directory: directory,
+          type: type,
+          support_file: support_file,
+          vendored_file: vendored_file,
+          symlink_target: symlink_target,
+          content_encoding: content_encoding,
+          deleted: deleted,
+          operation: operation,
+          mode: mode
+        )
       end
     end
   end

data/lib/dependabot/file_updaters/vendor_updater.rb

@@ -31,13 +31,52 @@ module Dependabot
 
       private
 
+      # VendorUpdater always flags files as vendored, so it accepts but ignores
+      # the vendored_file argument. The parameter must stay to keep the override
+      # signature compatible with ArtifactUpdater#create_dependency_file.
       sig do
         override
-          .params(parameters: T::Hash[Symbol, T.untyped])
+          .params(
+            name: String,
+            content: T.nilable(String),
+            directory: String,
+            type: String,
+            support_file: T::Boolean,
+            vendored_file: T::Boolean,
+            symlink_target: T.nilable(String),
+            content_encoding: String,
+            deleted: T::Boolean,
+            operation: String,
+            mode: T.nilable(String)
+          )
           .returns(Dependabot::DependencyFile)
       end
-      def create_dependency_file(parameters)
-        Dependabot::DependencyFile.new(**T.unsafe({ **parameters, vendored_file: true }))
+      def create_dependency_file(
+        name:,
+        content: nil,
+        directory: "/",
+        type: "file",
+        support_file: false,
+        vendored_file: false, # rubocop:disable Lint/UnusedMethodArgument
+        symlink_target: nil,
+        content_encoding: Dependabot::DependencyFile::ContentEncoding::UTF_8,
+        deleted: false,
+        operation: Dependabot::DependencyFile::Operation::UPDATE,
+        mode: nil
+      )
+        super(
+          name: name,
+          content: content,
+          directory: directory,
+          type: type,
+          support_file: support_file,
+          vendored_file: true,
+          symlink_target: symlink_target,
+          content_encoding: content_encoding,
+          deleted: deleted,
+          operation: operation,
+          mode: mode
+        )
       end
     end
   end