dependabot-common 0.380.0 → 0.382.0

data/lib/dependabot/git_commit_checker.rb

@@ -14,6 +14,7 @@ require "dependabot/source"
 require "dependabot/dependency"
 require "dependabot/credential"
 require "dependabot/git_metadata_fetcher"
+require "dependabot/git_tag_details"
 module Dependabot
   # rubocop:disable Metrics/ClassLength
   class GitCommitChecker
@@ -159,31 +160,31 @@ module Dependabot
       local_repo_git_metadata_fetcher.head_commit_for_ref(name)
     end
 
-    sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+    sig { returns(T.nilable(Dependabot::GitTagDetails)) }
     def local_ref_for_latest_version_matching_existing_precision
       allowed_refs = local_tag_for_pinned_sha ? allowed_version_tags : allowed_version_refs
 
       max_local_tag_for_current_precision(allowed_refs)
     end
 
-    sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+    sig { returns(T.nilable(Dependabot::GitTagDetails)) }
     def local_ref_for_latest_version_lower_precision
       allowed_refs = local_tag_for_pinned_sha ? allowed_version_tags : allowed_version_refs
 
       max_local_tag_for_lower_precision(allowed_refs)
     end
 
-    sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+    sig { returns(T.nilable(Dependabot::GitTagDetails)) }
     def local_tag_for_latest_version
       max_local_tag(allowed_version_tags)
     end
 
-    sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+    sig { returns(T::Array[Dependabot::GitTagDetails]) }
     def local_tags_for_allowed_versions_matching_existing_precision
       select_matching_existing_precision(allowed_version_tags).filter_map { |t| to_local_tag(t) }
     end
 
-    sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+    sig { returns(T::Array[Dependabot::GitTagDetails]) }
     def local_tags_for_allowed_versions
       allowed_version_tags.filter_map { |t| to_local_tag(t) }
     end
@@ -272,7 +273,7 @@ module Dependabot
       local_tags_matching_sha(commit_sha).map(&:name)
     end
 
-    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(Dependabot::GitTagDetails)) }
     def max_local_tag(tags)
       max_version_tag = tags.max_by { |t| version_from_tag(t) }
 
@@ -295,12 +296,12 @@ module Dependabot
     sig { returns(T::Array[String]) }
     attr_reader :ignored_versions
 
-    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(Dependabot::GitTagDetails)) }
     def max_local_tag_for_current_precision(tags)
       max_local_tag(select_matching_existing_precision(tags))
     end
 
-    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+    sig { params(tags: T::Array[Dependabot::GitRef]).returns(T.nilable(Dependabot::GitTagDetails)) }
     def max_local_tag_for_lower_precision(tags)
       max_local_tag(select_lower_precision(tags))
     end
@@ -463,7 +464,7 @@ module Dependabot
                .for_github_dot_com(credentials: credentials)
 
       # TODO: create this method instead of relying on method_missing
-      T.unsafe(client).compare(listing_source_repo, ref1, ref2).status
+      T.unsafe(client.compare(T.must(listing_source_repo), ref1, ref2)).status
     end
 
     sig { params(ref1: String, ref2: String).returns(String) }
@@ -471,10 +472,10 @@ module Dependabot
       client = Clients::GitlabWithRetries
                .for_gitlab_dot_com(credentials: credentials)
 
-      comparison = T.unsafe(client).compare(listing_source_repo, ref1, ref2)
+      comparison = client.compare(T.must(listing_source_repo), ref1, ref2)
 
-      if comparison.commits.none? then "behind"
-      elsif comparison.compare_same_ref then "identical"
+      if T.unsafe(comparison).commits.none? then "behind"
+      elsif T.unsafe(comparison).compare_same_ref then "identical"
       else
         "ahead"
       end
@@ -489,7 +490,7 @@ module Dependabot
       client = Clients::BitbucketWithRetries
                .for_bitbucket_dot_org(credentials: credentials)
 
-      response = T.unsafe(client).get(url)
+      response = client.get(url)
 
       # Conservatively assume that ref2 is ahead in the equality case, of
       # if we get an unexpected format (e.g., due to a 404)
@@ -553,17 +554,17 @@ module Dependabot
       prefix.length > 1 ? prefix.gsub(/v$/i, "") : prefix.gsub(/^v$/i, "")
     end
 
-    sig { params(tag: T.nilable(Dependabot::GitRef)).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+    sig { params(tag: T.nilable(Dependabot::GitRef)).returns(T.nilable(Dependabot::GitTagDetails)) }
     def to_local_tag(tag)
       return unless tag
 
       version = version_from_tag(tag)
-      {
+      GitTagDetails.new(
         tag: tag.name,
         version: version,
         commit_sha: tag.commit_sha,
         tag_sha: tag.ref_sha
-      }
+      )
     end
 
     sig { returns(T.nilable(String)) }
@@ -688,7 +689,7 @@ module Dependabot
             source: T.must(source),
             credentials: credentials
           )
-          T.unsafe(client).releases(T.must(source).repo, per_page: 100)
+          client.releases(T.must(source).repo, per_page: 100)
         rescue Octokit::Error
           []
         end,

data/lib/dependabot/git_tag_details.rb

@@ -0,0 +1,78 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  # A git tag (or ref) resolved to a version, as produced by GitCommitChecker's
+  # local_tag_for_* / local_ref_for_* methods, e.g.:
+  #
+  #   {
+  #     tag: "v1.2.0",
+  #     version: Dependabot::Version.new("1.2.0"),
+  #     commit_sha: "a1b2c3...",
+  #     tag_sha: "d4e5f6..." # nil for lightweight tags
+  #   }
+  #
+  # Distinct from Dependabot::GitTagWithDetail, which carries a tag name and
+  # release date for cooldown handling.
+  #
+  # Subclasses Hash so it is a drop-in replacement at the many call sites that
+  # read entries with [:key] / fetch and treat them as
+  # T::Hash[Symbol, T.untyped], while exposing typed readers for the well-known
+  # keys. Instances compare equal (Hash#==) to plain hashes with the same
+  # content, so existing comparisons and API payloads are unaffected.
+  class GitTagDetails < Hash
+    extend T::Sig
+    extend T::Generic
+
+    # The values are heterogeneous (strings and a version object), so this
+    # bridge class is necessarily untyped at the Hash level; the typed readers
+    # below are the migration path.
+    # rubocop:disable Sorbet/ForbidTUntyped
+    K = type_member { { fixed: Symbol } }
+    V = type_member { { fixed: T.untyped } }
+    Elem = type_member { { fixed: [Symbol, T.untyped] } }
+    # rubocop:enable Sorbet/ForbidTUntyped
+
+    sig do
+      params(
+        tag: String,
+        version: T.nilable(Gem::Version),
+        commit_sha: T.nilable(String),
+        tag_sha: T.nilable(String)
+      ).void
+    end
+    def initialize(tag:, version: nil, commit_sha: nil, tag_sha: nil)
+      super()
+      self[:tag] = tag
+      self[:version] = version
+      self[:commit_sha] = commit_sha
+      self[:tag_sha] = tag_sha
+    end
+
+    # The tag or ref name, e.g. "v1.2.0".
+    sig { returns(String) }
+    def tag
+      self[:tag]
+    end
+
+    # The version parsed from the tag name.
+    sig { returns(T.nilable(Gem::Version)) }
+    def version
+      self[:version]
+    end
+
+    # The SHA of the commit the tag points at.
+    sig { returns(T.nilable(String)) }
+    def commit_sha
+      self[:commit_sha]
+    end
+
+    # The SHA of the tag object itself (nil for lightweight tags).
+    sig { returns(T.nilable(String)) }
+    def tag_sha
+      self[:tag_sha]
+    end
+  end
+end

data/lib/dependabot/metadata_finders/base/changelog_finder.rb

@@ -102,7 +102,7 @@ module Dependabot
           @suggested_changelog_url = @suggested_changelog_url&.split("#")&.first
 
           @new_version = T.let(nil, T.nilable(String))
-          @changelog_from_suggested_url = T.let(nil, T.untyped)
+          @changelog_from_suggested_url = T.let(nil, T.nilable(Sawyer::Resource))
         end
 
         sig { returns(T.nilable(String)) }
@@ -172,7 +172,7 @@ module Dependabot
 
           opts = { path: suggested_source&.directory, ref: suggested_source&.branch }.compact
           suggested_source_client = github_client_for_source(T.must(suggested_source))
-          tmp_files = T.unsafe(suggested_source_client).contents(suggested_source&.repo, opts)
+          tmp_files = suggested_source_client.contents(T.must(suggested_source).repo, opts)
 
           filename = T.must(T.must(suggested_changelog_url).split("/").last)
           @changelog_from_suggested_url =
@@ -290,7 +290,7 @@ module Dependabot
         sig { params(file_source: Dependabot::Source, file: T.untyped).returns(String) }
         def fetch_github_file(file_source, file)
           # Hitting the download URL directly causes encoding problems
-          raw_content = T.unsafe(github_client_for_source(file_source)).get(file.url).content
+          raw_content = T.unsafe(github_client_for_source(file_source).get(file.url)).content
           Base64.decode64(raw_content).force_encoding("UTF-8").encode
         end
 
@@ -305,8 +305,8 @@ module Dependabot
 
         sig { params(file: T.untyped).returns(String) }
         def fetch_bitbucket_file(file)
-          T.unsafe(bitbucket_client).get(file.download_url).body
-           .force_encoding("UTF-8").encode
+          bitbucket_client.get(file.download_url).body
+                          .force_encoding("UTF-8").encode
         end
 
         sig { params(file: T.untyped).returns(String) }
@@ -349,37 +349,34 @@ module Dependabot
           end
         end
 
-        # rubocop:disable Metrics/AbcSize
         sig { params(ref: T.nilable(String)).returns(T::Array[T.untyped]) }
         def fetch_github_file_list(ref)
           files = []
 
           if T.must(source).directory
             opts = { path: T.must(source).directory, ref: ref }.compact
-            tmp_files = T.unsafe(github_client).contents(T.must(source).repo, opts)
+            tmp_files = github_client.contents(T.must(source).repo, opts)
             files += tmp_files if tmp_files.is_a?(Array)
           end
 
           opts = { ref: ref }.compact
-          files += T.unsafe(github_client).contents(T.must(source).repo, opts)
+          files += github_client.contents(T.must(source).repo, opts)
 
           files.uniq.each do |f|
             next unless f.type == "dir" && f.name.match?(/docs?/o)
 
             opts = { path: f.path, ref: ref }.compact
-            files += T.unsafe(github_client).contents(T.must(source).repo, opts)
+            files += github_client.contents(T.must(source).repo, opts)
           end
 
           files
         rescue Octokit::NotFound, Octokit::UnavailableForLegalReasons
           []
         end
-        # rubocop:enable Metrics/AbcSize
-
         sig { returns(T.untyped) }
         def fetch_bitbucket_file_list
           branch = default_bitbucket_branch
-          T.unsafe(bitbucket_client).fetch_repo_contents(T.must(source).repo).map do |file|
+          bitbucket_client.fetch_repo_contents(T.must(source).repo).map do |file|
             type = case file.fetch("type")
                    when "commit_file" then "file"
                    when "commit_directory" then "dir"
@@ -402,7 +399,7 @@ module Dependabot
         sig { returns(T.untyped) }
         def fetch_gitlab_file_list
           branch = default_gitlab_branch
-          T.unsafe(gitlab_client).repo_tree(T.must(source).repo).map do |file|
+          T.unsafe(gitlab_client.repo_tree(T.must(source).repo)).map do |file|
             type = case file.type
                    when "blob" then "file"
                    when "tree" then "dir"
@@ -544,7 +541,7 @@ module Dependabot
         def default_bitbucket_branch
           @default_bitbucket_branch ||=
             T.let(
-              T.unsafe(bitbucket_client).fetch_default_branch(T.must(source).repo),
+              bitbucket_client.fetch_default_branch(T.must(source).repo),
               T.nilable(String)
             )
         end

data/lib/dependabot/metadata_finders/base/commits_finder.rb

@@ -145,7 +145,7 @@ module Dependabot
         end
 
         # TODO: Refactor me so that Composer doesn't need to be special cased
-        sig { params(requirements: T.nilable(T::Array[T::Hash[Symbol, T.untyped]])).returns(T::Boolean) }
+        sig { params(requirements: T.nilable(T::Array[Dependabot::DependencyRequirement])).returns(T::Boolean) }
         def git_source?(requirements)
           # Special case Composer, which uses git as a source but handles tags
           # internally
@@ -282,13 +282,15 @@ module Dependabot
 
               args = { sha: previous_tag, path: path }.compact
               previous_commit_shas =
-                T.unsafe(github_client).commits(repo, **args).map(&:sha)
+                T.unsafe(github_client.commits(repo, **args)).map(&:sha)
 
               # NOTE: We reverse this so it's consistent with the array we get
               # from `github_client.compare(...)`
               args = { sha: new_tag, path: path }.compact
-              T.unsafe(github_client)
-               .commits(repo, **args)
+              T.unsafe(
+                github_client
+                               .commits(repo, **args)
+              )
                .reject { |c| previous_commit_shas.include?(c.sha) }.reverse
             end
           return [] unless commits
@@ -306,9 +308,9 @@ module Dependabot
 
         sig { returns(T::Array[T::Hash[Symbol, String]]) }
         def fetch_bitbucket_commits
-          T.unsafe(bitbucket_client)
-           .compare(T.must(source).repo, previous_tag, new_tag)
-           .map do |commit|
+          bitbucket_client
+            .compare(T.must(source).repo, T.must(previous_tag), T.must(new_tag))
+            .map do |commit|
             {
               message: commit.dig("summary", "raw"),
               sha: commit["hash"],
@@ -326,8 +328,10 @@ module Dependabot
 
         sig { returns(T::Array[T::Hash[Symbol, String]]) }
         def fetch_gitlab_commits
-          T.unsafe(gitlab_client)
-           .compare(T.must(source).repo, previous_tag, new_tag)
+          T.unsafe(
+            gitlab_client
+                       .compare(T.must(source).repo, T.must(previous_tag), T.must(new_tag))
+          )
            .commits
            .map do |commit|
             {

data/lib/dependabot/metadata_finders/base/release_finder.rb

@@ -281,21 +281,21 @@ module Dependabot
 
         sig { returns(T::Array[T.untyped]) }
         def fetch_github_releases
-          releases = T.unsafe(github_client).releases(T.must(source).repo, per_page: 100)
+          releases = github_client.releases(T.must(source).repo, per_page: 100)
 
           # Remove any releases without a tag name. These are draft releases and
           # aren't yet associated with a tag, so shouldn't be used.
-          releases = releases.reject { |r| r.tag_name.nil? }
+          releases = releases.reject { |r| T.unsafe(r).tag_name.nil? }
 
           clean_release_names =
-            releases.map { |r| r.tag_name.gsub(/^[^0-9\.]*/, "") }
+            releases.map { |r| T.unsafe(r).tag_name.gsub(/^[^0-9\.]*/, "") }
 
           if clean_release_names.all? { |nm| version_class.correct?(nm) }
             releases.sort_by do |r|
-              version_class.new(r.tag_name.gsub(/^[^0-9\.]*/, ""))
+              version_class.new(T.unsafe(r).tag_name.gsub(/^[^0-9\.]*/, ""))
             end.reverse
           else
-            releases.sort_by(&:id).reverse
+            releases.sort_by { |r| T.unsafe(r).id }.reverse
           end
         rescue Octokit::NotFound, Octokit::UnavailableForLegalReasons
           []
@@ -304,18 +304,20 @@ module Dependabot
         sig { returns(T::Array[T.untyped]) }
         def fetch_gitlab_releases
           releases =
-            T.unsafe(gitlab_client)
-             .tags(T.must(source).repo)
+            T.unsafe(
+              gitlab_client
+                           .tags(T.must(source).repo)
+            )
              .select(&:release)
-             .sort_by { |r| r.commit.authored_date }
+             .sort_by { |r| T.unsafe(r).commit.authored_date }
              .reverse
 
           releases.map do |tag|
             GitLabRelease.new(
-              name: tag.name,
-              tag_name: tag.release.tag_name,
-              body: tag.release.description,
-              html_url: "#{T.must(source).url}/tags/#{tag.name}"
+              name: T.unsafe(tag).name,
+              tag_name: T.unsafe(tag).release.tag_name,
+              body: T.unsafe(tag).release.description,
+              html_url: "#{T.must(source).url}/tags/#{T.unsafe(tag).name}"
             )
           end
         rescue Gitlab::Error::NotFound

data/lib/dependabot/notices.rb

@@ -59,7 +59,7 @@ module Dependabot
 
     # Converts the Notice object to a hash.
     # @return [Hash] The hash representation of the notice.
-    sig { returns(T::Hash[Symbol, T.untyped]) }
+    sig { returns(T::Hash[Symbol, T.any(String, T::Boolean)]) }
     def to_hash
       {
         mode: @mode,

data/lib/dependabot/package/package_latest_version_finder.rb

@@ -323,11 +323,16 @@ module Dependabot
 
       sig { returns(T::Boolean) }
       def wants_prerelease?
-        return version_class.new(dependency.version).prerelease? if dependency.version
+        return true if dependency.numeric_version&.prerelease?
 
         dependency.requirements.any? do |req|
-          reqs = (req.fetch(:requirement) || "").split(",").map(&:strip)
-          reqs.any? { |r| r.match?(/[A-Za-z]/) }
+          req_string = req.fetch(:requirement) || ""
+          req_string.split(",").map(&:strip).any? do |r|
+            version_str = r.gsub(/^\s*[!<>=~^]+\s*/, "").strip
+            next false unless version_class.correct?(version_str)
+
+            version_class.new(version_str).prerelease?
+          end
         end
       end
 

data/lib/dependabot/pull_request_creator/branch_namer/solo_strategy.rb

@@ -119,21 +119,21 @@ module Dependabot
 
         sig { params(dependency: Dependabot::Dependency).returns(String) }
         def sanitized_requirement(dependency)
-          new_library_requirement(dependency)
-            .delete(" ")
-            .gsub("!=", "neq-")
-            .gsub(">=", "gte-")
-            .gsub("<=", "lte-")
-            .gsub("~>", "tw-")
-            .gsub("^", "tw-")
-            .gsub("||", "or-")
-            .gsub("~", "approx-")
-            .gsub("~=", "tw-")
-            .gsub(/==*/, "eq-")
-            .gsub(">", "gt-")
-            .gsub("<", "lt-")
-            .gsub("*", "star")
-            .gsub(",", "-and-")
+          T.must(new_library_requirement(dependency))
+           .delete(" ")
+           .gsub("!=", "neq-")
+           .gsub(">=", "gte-")
+           .gsub("<=", "lte-")
+           .gsub("~>", "tw-")
+           .gsub("^", "tw-")
+           .gsub("||", "or-")
+           .gsub("~", "approx-")
+           .gsub("~=", "tw-")
+           .gsub(/==*/, "eq-")
+           .gsub(">", "gt-")
+           .gsub("<", "lt-")
+           .gsub("*", "star")
+           .gsub(",", "-and-")
         end
 
         sig { params(dependency: Dependabot::Dependency).returns(T.nilable(String)) }
@@ -176,7 +176,7 @@ module Dependabot
           previous_ref(dependency) != new_ref(dependency)
         end
 
-        sig { params(dependency: Dependabot::Dependency).returns(T.untyped) }
+        sig { params(dependency: Dependabot::Dependency).returns(T.nilable(String)) }
         def new_library_requirement(dependency)
           updated_reqs =
             dependency.requirements - T.must(dependency.previous_requirements)

data/lib/dependabot/pull_request_creator/github.rb

@@ -196,7 +196,7 @@ module Dependabot
         @pull_requests_for_branch ||=
           T.let(
             begin
-              T.unsafe(github_client_for_source).pull_requests(
+              github_client_for_source.pull_requests(
                 source.repo,
                 head: "#{source.repo.split('/').first}:#{branch_name}",
                 state: "all"
@@ -204,13 +204,13 @@ module Dependabot
             rescue Octokit::InternalServerError
               # A GitHub bug sometimes means adding `state: all` causes problems.
               # In that case, fall back to making two separate requests.
-              open_prs = T.unsafe(github_client_for_source).pull_requests(
+              open_prs = github_client_for_source.pull_requests(
                 source.repo,
                 head: "#{source.repo.split('/').first}:#{branch_name}",
                 state: "open"
               )
 
-              closed_prs = T.unsafe(github_client_for_source).pull_requests(
+              closed_prs = github_client_for_source.pull_requests(
                 source.repo,
                 head: "#{source.repo.split('/').first}:#{branch_name}",
                 state: "closed"
@@ -254,7 +254,7 @@ module Dependabot
 
       sig { returns(T::Boolean) }
       def repo_exists?
-        T.unsafe(github_client_for_source).repo(source.repo)
+        github_client_for_source.repo(source.repo)
         true
       rescue Octokit::NotFound
         false
@@ -265,7 +265,7 @@ module Dependabot
         tree = create_tree
 
         begin
-          T.unsafe(github_client_for_source).create_commit(
+          github_client_for_source.create_commit(
             source.repo,
             commit_message,
             tree.sha,
@@ -317,8 +317,8 @@ module Dependabot
             content = if file.operation == Dependabot::DependencyFile::Operation::DELETE
                         { sha: nil }
                       elsif file.binary?
-                        sha = T.unsafe(github_client_for_source).create_blob(
-                          source.repo, file.content, "base64"
+                        sha = github_client_for_source.create_blob(
+                          source.repo, T.must(file.content), "base64"
                         )
                         { sha: sha }
                       else
@@ -333,7 +333,7 @@ module Dependabot
           end
         end
 
-        T.unsafe(github_client_for_source).create_tree(
+        github_client_for_source.create_tree(
           source.repo,
           file_trees,
           base_tree: base_commit
@@ -365,7 +365,7 @@ module Dependabot
 
         begin
           branch =
-            T.unsafe(github_client_for_source).create_ref(source.repo, ref, commit.sha)
+            github_client_for_source.create_ref(source.repo, ref, commit.sha)
           @branch_name = ref.gsub(%r{^refs/heads/}, "")
           branch
         rescue Octokit::UnprocessableEntity => e
@@ -385,7 +385,7 @@ module Dependabot
 
       sig { params(commit: T.untyped).void }
       def update_branch(commit)
-        T.unsafe(github_client_for_source).update_ref(
+        github_client_for_source.update_ref(
           source.repo,
           "heads/#{branch_name}",
           commit.sha,
@@ -406,7 +406,7 @@ module Dependabot
         reviewers_hash =
           T.must(reviewers).keys.to_h { |k| [k.to_sym, T.must(reviewers)[k]] }
 
-        T.unsafe(github_client_for_source).request_pull_request_review(
+        github_client_for_source.request_pull_request_review(
           source.repo,
           pull_request.number,
           reviewers: reviewers_hash[:reviewers] || [],
@@ -458,7 +458,7 @@ module Dependabot
                "#{message}\n" \
                "```"
 
-        T.unsafe(github_client_for_source).add_comment(
+        github_client_for_source.add_comment(
           source.repo,
           pull_request.number,
           msg
@@ -467,10 +467,10 @@ module Dependabot
 
       sig { params(pull_request: T.untyped).void }
       def add_assignees_to_pull_request(pull_request)
-        T.unsafe(github_client_for_source).add_assignees(
+        github_client_for_source.add_assignees(
           source.repo,
           pull_request.number,
-          assignees
+          T.must(assignees)
         )
       rescue Octokit::NotFound
         # This can happen if a passed assignee login is now an org account
@@ -482,7 +482,7 @@ module Dependabot
 
       sig { params(pull_request: T.untyped).void }
       def add_milestone_to_pull_request(pull_request)
-        T.unsafe(github_client_for_source).update_issue(
+        github_client_for_source.update_issue(
           source.repo,
           pull_request.number,
           milestone: milestone
@@ -493,7 +493,7 @@ module Dependabot
 
       sig { returns(T.untyped) }
       def create_pull_request
-        T.unsafe(github_client_for_source).create_pull_request(
+        github_client_for_source.create_pull_request(
           source.repo,
           target_branch,
           branch_name,
@@ -521,7 +521,7 @@ module Dependabot
       def default_branch
         @default_branch ||=
           T.let(
-            T.unsafe(github_client_for_source).repo(source.repo).default_branch,
+            T.unsafe(github_client_for_source.repo(source.repo)).default_branch,
             T.nilable(String)
           )
       end