dependabot-common 0.382.0 → 0.383.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6b53185ee3c744622d14656ac582aaa779b5b9f3394497824d49561fe78fe2d8
-  data.tar.gz: cd5ce58e980459603217ea2693475a224691f67149215d1fb5031472bc065507
+  metadata.gz: 1fb1a4d6243812d664a20067d226c2eec111080d39e7337217744a58a9d8f0b6
+  data.tar.gz: 609737fc8b6040222a744d58ea03f8587fec15136cb835d319c31b798f7ebf32
 SHA512:
-  metadata.gz: 1216f4ef150d1c76b7180f780b1d67831359c9f327bf1a00cf885d3f9b3313ce354a694803de8ec91c1eebc138e922d65cde4f4e5ede88f6da7ceb23c6306026
-  data.tar.gz: 1377f5537d8d8e637945e35d59ba58dde50ec048f29abf6e9d50c4239ce2a7ca292aa379cfd7c28af7c9efe12723bdf71d55a007ad7e4839a177472f57f7a256
+  metadata.gz: 5e3042cb52f78e0396e75a3c6707a6706a1e2f4f1e12fc16310079eae0ae08336f688a75a92795cc6a8ba50ba62b9d0b9168b3ca4d5780439c7bccf574ab4179
+  data.tar.gz: a15d7f181d2d4afd8b5bf3e72f0450827d435f8e61e98f7863bfa0c254e8e2b983bb831901f1c95d27da8abfe791bf673d6c6e7fcc29b8d5e61c0e3c631ea9e6

data/lib/dependabot/dependency_group.rb

@@ -1,4 +1,4 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
 require "dependabot/experiments"
@@ -28,10 +28,23 @@ module Dependabot
     sig { returns(T.nilable(String)) }
     attr_reader :group_by
 
+    # The following readers are parsed once from the raw rules hash so callers
+    # get typed access instead of repeatedly casting rules["patterns"] and
+    # friends at every use site. A nil value means the rule is absent (which the
+    # matching logic treats differently from an empty list).
+    sig { returns(T.nilable(T::Array[String])) }
+    attr_reader :patterns
+
+    sig { returns(T.nilable(T::Array[String])) }
+    attr_reader :exclude_patterns
+
+    sig { returns(T.nilable(T::Array[String])) }
+    attr_reader :update_types
+
     sig do
       params(
         name: String,
-        rules: T::Hash[String, T.untyped],
+        rules: T::Hash[String, T.any(String, T::Array[String])],
         applies_to: T.nilable(String)
       )
         .void
@@ -41,7 +54,10 @@ module Dependabot
       # For backwards compatibility, if no applies_to is provided, default to "version-updates"
       @applies_to = T.let(applies_to || "version-updates", String)
       @rules = rules
-      @group_by = T.let(rules["group-by"], T.nilable(String))
+      @group_by = T.let(string_rule(rules, "group-by"), T.nilable(String))
+      @patterns = T.let(string_array_rule(rules, "patterns"), T.nilable(T::Array[String]))
+      @exclude_patterns = T.let(string_array_rule(rules, "exclude-patterns"), T.nilable(T::Array[String]))
+      @update_types = T.let(string_array_rule(rules, "update-types"), T.nilable(T::Array[String]))
       @dependencies = T.let([], T::Array[Dependabot::Dependency])
     end
 
@@ -75,16 +91,18 @@ module Dependabot
 
     sig { params(dependency_name: String).returns(T::Boolean) }
     def matches_pattern?(dependency_name)
-      return true unless rules.key?("patterns") # If no patterns are defined, we pass this check by default
+      patterns = self.patterns
+      return true if patterns.nil? # If no patterns are defined, we pass this check by default
 
-      T.unsafe(rules["patterns"]).any? { |rule| WildcardMatcher.match?(rule, dependency_name) }
+      patterns.any? { |rule| WildcardMatcher.match?(rule, dependency_name) }
     end
 
     sig { params(dependency_name: String).returns(T::Boolean) }
     def matches_excluded_pattern?(dependency_name)
-      return false unless rules.key?("exclude-patterns") # If there are no exclusions, fail by default
+      exclude_patterns = self.exclude_patterns
+      return false if exclude_patterns.nil? # If there are no exclusions, fail by default
 
-      T.unsafe(rules["exclude-patterns"]).any? { |rule| WildcardMatcher.match?(rule, dependency_name) }
+      exclude_patterns.any? { |rule| WildcardMatcher.match?(rule, dependency_name) }
     end
 
     sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
@@ -102,5 +120,42 @@ module Dependabot
     def experimental_rules_enabled?
       Dependabot::Experiments.enabled?(:grouped_updates_experimental_rules)
     end
+
+    # Reads a rule whose value is expected to be a single string (e.g.
+    # "group-by"), returning nil when the key is absent or the value is not a
+    # string.
+    sig do
+      params(
+        rules: T::Hash[String, T.any(String, T::Array[String])],
+        key: String
+      )
+        .returns(T.nilable(String))
+    end
+    def string_rule(rules, key)
+      value = rules[key]
+      value.is_a?(String) ? value : nil
+    end
+
+    # Reads a rule whose value is expected to be a list of strings (e.g.
+    # "patterns", "exclude-patterns", "update-types"). Returns nil when the key
+    # is absent so callers can distinguish "rule not set" from "empty list", and
+    # coerces a lone string into a single-element list.
+    sig do
+      params(
+        rules: T::Hash[String, T.any(String, T::Array[String])],
+        key: String
+      )
+        .returns(T.nilable(T::Array[String]))
+    end
+    def string_array_rule(rules, key)
+      return nil unless rules.key?(key)
+
+      value = rules[key]
+      case value
+      when Array then value.grep(String)
+      when String then [value]
+      else []
+      end
+    end
   end
 end

data/lib/dependabot/errors.rb

@@ -97,6 +97,11 @@ module Dependabot
         "error-type": "path_dependencies_not_reachable",
         "error-detail": { dependencies: error.dependencies }
       }
+    when Dependabot::PrivateRegistryConfigNotFound
+      {
+        "error-type": "private_registry_config_not_found",
+        "error-detail": { source: error.source }
+      }
     when Dependabot::PrivateSourceAuthenticationFailure
       {
         "error-type": "private_source_authentication_failure",
@@ -238,6 +243,16 @@ module Dependabot
         "error-type": "dependency_file_not_resolvable",
         "error-detail": { message: error.message }
       }
+    when Dependabot::BlockedDependencyVersion
+      {
+        "error-type": "blocked_dependency_version",
+        "error-detail": {
+          "dependency-name": error.dependency_name,
+          "blocked-version": error.blocked_version,
+          "version-requirement": error.version_requirement,
+          reason: error.reason
+        }.compact
+      }
     when Dependabot::DependencyFileNotEvaluatable
       {
         "error-type": "dependency_file_not_evaluatable",
@@ -687,6 +702,22 @@ module Dependabot
   # Source level errors #
   #######################
 
+  class PrivateRegistryConfigNotFound < DependabotError
+    extend T::Sig
+
+    sig { returns(String) }
+    attr_reader :source
+
+    sig { params(source: String).void }
+    def initialize(source)
+      @source = T.let(sanitize_source(source), String)
+      msg = "Private npm registries require either a .npmrc file in your repository, " \
+            "or explicit `scope`/`replaces-base` configuration in dependabot.yml. " \
+            "Registry: #{@source}"
+      super(msg)
+    end
+  end
+
   class PrivateSourceAuthenticationFailure < DependabotError
     extend T::Sig
 
@@ -709,10 +740,10 @@ module Dependabot
     sig { returns(String) }
     attr_reader :source
 
-    sig { params(source: T.nilable(String)).void }
-    def initialize(source)
+    sig { params(source: T.nilable(String), error_message: T.nilable(String)).void }
+    def initialize(source, error_message = nil)
       @source = T.let(sanitize_source(T.must(source)), String)
-      msg = "Bad response error while accessing source: #{@source}"
+      msg = error_message ? sanitize_source(error_message) : "Bad response error while accessing source: #{@source}"
       super(msg)
     end
   end
@@ -901,6 +932,46 @@ module Dependabot
   # Raised by UpdateChecker if all candidate updates are ignored
   class AllVersionsIgnored < DependabotError; end
 
+  # Raised when regenerating a lockfile would introduce or change a transitive
+  # (indirect) dependency to a version that matches a configured blocked version.
+  # The offending change is rejected so the blocked version is never shipped,
+  # while other dependencies are still allowed to update.
+  class BlockedDependencyVersion < DependabotError
+    extend T::Sig
+
+    sig { returns(String) }
+    attr_reader :dependency_name
+
+    sig { returns(String) }
+    attr_reader :blocked_version
+
+    sig { returns(String) }
+    attr_reader :version_requirement
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :reason
+
+    sig do
+      params(
+        dependency_name: String,
+        blocked_version: String,
+        version_requirement: String,
+        reason: T.nilable(String)
+      ).void
+    end
+    def initialize(dependency_name:, blocked_version:, version_requirement:, reason: nil)
+      @dependency_name = dependency_name
+      @blocked_version = blocked_version
+      @version_requirement = version_requirement
+      @reason = reason
+
+      msg = "Update blocked: transitive dependency #{dependency_name} #{blocked_version} " \
+            "matches blocked version requirement '#{version_requirement}'"
+      msg += " (reason: #{reason})" if reason && !reason.empty?
+      super(msg)
+    end
+  end
+
   # Raised by FileParser if processing may execute external code in the update context
   class UnexpectedExternalCode < DependabotError; end
 

data/lib/dependabot/git_cooldown_date_resolver.rb

@@ -0,0 +1,114 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/clients/github_with_retries"
+require "dependabot/shared_helpers"
+require "dependabot/source"
+
+module Dependabot
+  # Shared logic for resolving release dates from git-based sources for cooldown
+  # purposes. Used by ecosystems that rely on git tags (pre-commit, GitHub Actions)
+  # rather than package registries.
+  #
+  # Priority: GitHub Release published_at > tag creation date (for-each-ref) > commit date.
+  #
+  # Including classes must implement:
+  #   - `cooldown_source_url` — returns the git source URL
+  #   - `cooldown_credentials` — returns the credentials array
+  module GitCooldownDateResolver
+    extend T::Sig
+    extend T::Helpers
+
+    abstract!
+
+    # The git source URL for the dependency (e.g. "https://github.com/owner/repo")
+    sig { abstract.returns(T.nilable(String)) }
+    def cooldown_source_url; end
+
+    # Credentials for GitHub API access
+    sig { abstract.returns(T::Array[Dependabot::Credential]) }
+    def cooldown_credentials; end
+
+    # Strips the `tags/` prefix that GitCommitChecker may add when the pinned
+    # ref starts with `tags/`, preventing construction of invalid refs like
+    # `refs/tags/tags/v1.0.0`.
+    sig { params(tag_name: String).returns(String) }
+    def normalize_tag_name(tag_name)
+      tag_name.delete_prefix("tags/")
+    end
+
+    # Resolves the best available date for a candidate tag.
+    # Priority: GitHub Release published_at > tag creation date > commit date.
+    sig { params(tag_name: String, commit_sha: String).returns(Time) }
+    def resolve_candidate_date(tag_name, commit_sha)
+      releases = cached_github_releases
+      unless releases.empty?
+        release = releases.find { |r| r.tag_name == tag_name }
+        return release.published_at if release&.published_at
+      end
+
+      tag_creation_date(tag_name, commit_sha)
+    end
+
+    # Looks up the GitHub Release published_at date for a given tag name.
+    # Returns nil if no release exists for this tag.
+    sig { params(tag_name: String).returns(T.nilable(Time)) }
+    def github_release_published_at(tag_name)
+      releases = cached_github_releases
+      return nil if releases.empty?
+
+      release = releases.find { |r| r.tag_name == tag_name }
+      return nil unless release&.published_at
+
+      release.published_at
+    rescue StandardError => e
+      Dependabot.logger.debug("Error fetching GitHub release date for #{tag_name}: #{e.message}")
+      nil
+    end
+
+    # Returns the tag creation date for cooldown purposes (used inside bare clone).
+    # Priority: tag creation date from for-each-ref > commit date fallback.
+    sig { params(tag_name: String, commit_sha: String).returns(Time) }
+    def tag_creation_date(tag_name, commit_sha)
+      tag_date_str = SharedHelpers.run_shell_command(
+        "git for-each-ref --format=\"%(creatordate:iso)\" \"refs/tags/#{tag_name}\"",
+        fingerprint: "git for-each-ref --format=\"%(creatordate:iso)\" \"refs/tags/<tag_name>\""
+      ).strip
+
+      if tag_date_str.empty?
+        tag_date_str = SharedHelpers.run_shell_command(
+          "git show --no-patch --format=\"%cd\" --date=iso #{commit_sha}",
+          fingerprint: "git show --no-patch --format=\"%cd\" --date=iso <commit_sha>"
+        ).strip
+      end
+
+      Time.parse(tag_date_str)
+    end
+
+    # Fetches and caches GitHub releases for the dependency source.
+    # Returns an empty array for non-GitHub sources.
+    sig { returns(T::Array[T.untyped]) } # rubocop:disable Sorbet/ForbidTUntyped
+    def cached_github_releases
+      @cached_github_releases ||= T.let(
+        begin
+          url = cooldown_source_url
+          source = Source.from_url(url)
+          if source&.provider == "github"
+            client = Dependabot::Clients::GithubWithRetries.for_source(
+              source: T.must(source),
+              credentials: cooldown_credentials
+            )
+            client.releases(T.must(source).repo, per_page: 100)
+          else
+            []
+          end
+        rescue StandardError => e
+          Dependabot.logger.debug("Error fetching GitHub releases: #{e.message}")
+          []
+        end,
+        T.nilable(T::Array[T.untyped]) # rubocop:disable Sorbet/ForbidTUntyped
+      )
+    end
+  end
+end

data/lib/dependabot/notices.rb

@@ -60,7 +60,7 @@ module Dependabot
     # Converts the Notice object to a hash.
     # @return [Hash] The hash representation of the notice.
     sig { returns(T::Hash[Symbol, T.any(String, T::Boolean)]) }
-    def to_hash
+    def to_h
       {
         mode: @mode,
         type: @type,

data/lib/dependabot/pull_request_creator/branch_namer/base.rb

@@ -1,6 +1,7 @@
 # typed: strong
 # frozen_string_literal: true
 
+require "digest"
 require "sorbet-runtime"
 
 module Dependabot
@@ -70,9 +71,10 @@ module Dependabot
           sanitized_name = sanitized_name.gsub("/", separator)
 
           # Shorten the ref in case users refs have length limits
-          if max_length && (sanitized_name.length > T.must(max_length))
-            sha = T.must(Digest::SHA1.hexdigest(sanitized_name)[0, T.must(max_length)])
-            sanitized_name[[T.must(max_length) - sha.size, 0].max..] = sha
+          branch_name_max_length = max_length
+          if branch_name_max_length && (sanitized_name.length > branch_name_max_length)
+            sha = T.must(Digest::SHA1.hexdigest(sanitized_name)[0, branch_name_max_length])
+            sanitized_name[[branch_name_max_length - sha.size, 0].max..] = sha
           end
 
           sanitized_name

data/lib/dependabot/pull_request_creator.rb

@@ -197,7 +197,7 @@ module Dependabot
       milestone: nil,
       branch_name_separator: "/",
       branch_name_prefix: "dependabot",
-      branch_name_max_length: nil,
+      branch_name_max_length: 100,
       label_language: false,
       automerge_candidate: false,
       github_redirection_service: DEFAULT_GITHUB_REDIRECTION_SERVICE,

data/lib/dependabot/pull_request_updater.rb

@@ -40,7 +40,7 @@ module Dependabot
     sig { returns(T.nilable(String)) }
     attr_reader :commit_message
 
-    sig { returns(T::Hash[Symbol, T.untyped]) }
+    sig { returns(T::Hash[Symbol, Integer]) }
     attr_reader :provider_metadata
 
     sig do
@@ -54,7 +54,7 @@ module Dependabot
         author_details: T.nilable(T::Hash[Symbol, String]),
         signature_key: T.nilable(String),
         commit_message: T.nilable(String),
-        provider_metadata: T::Hash[Symbol, T.untyped]
+        provider_metadata: T::Hash[Symbol, Integer]
       )
         .void
     end
@@ -84,7 +84,7 @@ module Dependabot
 
     # TODO: Each implementation returns a client-specific type.
     #       We should standardise this to return a `Dependabot::Branch` type instead.
-    sig { returns(T.untyped) }
+    sig { returns(T.untyped) } # rubocop:disable Sorbet/ForbidTUntyped
     def update
       case source.provider
       when "github" then github_updater.update
@@ -120,7 +120,7 @@ module Dependabot
         files: files,
         credentials: credentials,
         pull_request_number: pull_request_number,
-        target_project_id: T.cast(provider_metadata[:target_project_id], T.nilable(Integer))
+        target_project_id: provider_metadata[:target_project_id]
       )
     end
 

data/lib/dependabot/requirements_updater/base.rb

@@ -3,6 +3,8 @@
 
 require "sorbet-runtime"
 
+require "dependabot/dependency_requirement"
+
 module Dependabot
   module RequirementsUpdater
     module Base
@@ -15,7 +17,7 @@ module Dependabot
 
       interface!
 
-      sig { abstract.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      sig { abstract.returns(T::Array[Dependabot::DependencyRequirement]) }
       def updated_requirements; end
 
       private

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.382.0"
+  VERSION = "0.383.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.382.0
+  version: 0.383.0
 platform: ruby
 authors:
 - Dependabot
@@ -552,6 +552,7 @@ files:
 - lib/dependabot/file_updaters/base.rb
 - lib/dependabot/file_updaters/vendor_updater.rb
 - lib/dependabot/git_commit_checker.rb
+- lib/dependabot/git_cooldown_date_resolver.rb
 - lib/dependabot/git_metadata_fetcher.rb
 - lib/dependabot/git_ref.rb
 - lib/dependabot/git_tag_details.rb
@@ -619,7 +620,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.382.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.383.0
 rdoc_options: []
 require_paths:
 - lib