dependabot-common 0.95.1 → 0.95.2

data/lib/dependabot/update_checkers.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module UpdateCheckers
+    @update_checkers = {}
+
+    def self.for_package_manager(package_manager)
+      update_checker = @update_checkers[package_manager]
+      return update_checker if update_checker
+
+      raise "Unsupported package_manager #{package_manager}"
+    end
+
+    def self.register(package_manager, update_checker)
+      @update_checkers[package_manager] = update_checker
+    end
+  end
+end

data/lib/dependabot/update_checkers/README.md

@@ -0,0 +1,67 @@
+# Update checkers
+
+Update checkers check whether a given dependency is up-to-date. If it isn't,
+they augment it with details of the version to update to.
+
+There is a `Dependabot::UpdateCheckers` class for each language Dependabot
+supports.
+
+## Public API
+
+Each `Dependabot::UpdateCheckers` class implements the following methods:
+
+| Method                       | Description                                                                                   |
+|------------------------------|-----------------------------------------------------------------------------------------------|
+| `#up_to_date?`               | Returns a boolean for whether the dependency this instance was created with is currently at the latest version. |
+| `#can_update?`               | Returns a boolean for whether the dependency this instance was created with needs updating. This will be true if the dependency and/or its requirements can be updated to support a newer version whilst keeping the dependency files it came from resolvable. |
+| `#updated_dependencies`      | Returns an array of updated `Dependabot::Dependency` instance with updated `version` and `requirements` attributes. The previous valuse are stored on the instance as `previous_version` and `previous_requirements`. |
+| `#latest_version`            | See the "Writing an update checker" section. |
+| `#latest_resolvable_version` | See the "Writing an update checker" section. |
+| `#updated_requirements`      | See the "Writing an update checker" section. |
+
+An integration might look as follows:
+
+```ruby
+require 'dependabot/update_checkers'
+
+dependency = dependencies.first
+
+update_checker_class = Dependabot::UpdateCheckers::Ruby::Bundler
+update_checker = update_checker_class.new(
+  dependency: dependency,
+  dependency_files: files,
+  credentials: [{
+    "type" => "git_source",
+    "host" => "github.com",
+    "username" => "x-access-token",
+    "password" => "token"
+  }]
+)
+
+puts "Update needed for #{dependency.name}? "\
+     "#{update_checker.can_update?(requirements_to_update: :own)}"
+```
+
+## Writing an update checker for a new language
+
+All new update checkers should inherit from `Dependabot::UpdateCheckers::Base` and
+implement the following methods:
+
+| Method                       | Description                                                                                   |
+|------------------------------|-----------------------------------------------------------------------------------------------|
+| `#latest_version`            | The latest version of the dependency, ignoring resolvability. This is used to short-circuit update checking when the dependency is already at the latest version (since checking resolvability is typically slow). |
+| `#latest_resolvable_version` | The latest version of the dependency that will still allow the full dependency set to resolve. |
+| `#latest_resolvable_version_with_no_unlock` | The latest version of the dependency that satisfies the dependency's current version constraints and will still allow the full dependency set to resolve. |
+| `#updated_requirements`      | An updated set of requirements for the dependency that should replace the existing requirements in the manifest file. Use by the file updater class when updating the manifest file. |
+| `#latest_version_resolvable_with_full_unlock?` | A boolean for whether the latest version can be resolved if all other dependencies are unlocked in the manifest file. Can be set to always return `false` if multi-dependency updates aren't yet supported. |
+| `#updated_dependencies_after_full_unlock` | And updated set of dependencies after a full unlock and update has taken place. Not required if `latest_version_resolvable_with_full_unlock?` always returns false. |
+
+
+To ensure the above are implemented, you should include
+`it_behaves_like "a dependency update checker"` in your specs for the new update
+checker.
+
+Writing update checkers generally gets tricky when resolvability has to
+be taken into account. It is almost always easiest to do so in the language your
+update checker relates to, so you may wish to shell out to that language. See
+`UpdateCheckers::Php::Composer` for an example of how to do so.

data/lib/dependabot/update_checkers/base.rb

@@ -0,0 +1,220 @@
+# frozen_string_literal: true
+
+require "json"
+require "dependabot/utils"
+
+module Dependabot
+  module UpdateCheckers
+    class Base
+      attr_reader :dependency, :dependency_files, :credentials,
+                  :ignored_versions, :requirements_update_strategy
+
+      def initialize(dependency:, dependency_files:, credentials:,
+                     ignored_versions: [], requirements_update_strategy: nil)
+        @dependency = dependency
+        @dependency_files = dependency_files
+        @credentials = credentials
+        @requirements_update_strategy = requirements_update_strategy
+        @ignored_versions = ignored_versions
+      end
+
+      def up_to_date?
+        if dependency.appears_in_lockfile?
+          version_up_to_date?
+        else
+          requirements_up_to_date?
+        end
+      end
+
+      def can_update?(requirements_to_unlock:)
+        if dependency.appears_in_lockfile?
+          version_can_update?(requirements_to_unlock: requirements_to_unlock)
+        else
+          # TODO: Handle full unlock updates for dependencies without a lockfile
+          return false if requirements_to_unlock == :none
+
+          requirements_can_update?
+        end
+      end
+
+      def updated_dependencies(requirements_to_unlock:)
+        unless can_update?(requirements_to_unlock: requirements_to_unlock)
+          return []
+        end
+
+        case requirements_to_unlock&.to_sym
+        when :none then [updated_dependency_without_unlock]
+        when :own then [updated_dependency_with_own_req_unlock]
+        when :all then updated_dependencies_after_full_unlock
+        else raise "Unknown unlock level '#{requirements_to_unlock}'"
+        end
+      end
+
+      def latest_version
+        raise NotImplementedError
+      end
+
+      def latest_resolvable_version
+        raise NotImplementedError
+      end
+
+      def latest_resolvable_version_with_no_unlock
+        raise NotImplementedError
+      end
+
+      def updated_requirements
+        raise NotImplementedError
+      end
+
+      def version_class
+        Utils.version_class_for_package_manager(dependency.package_manager)
+      end
+
+      def requirement_class
+        Utils.requirement_class_for_package_manager(dependency.package_manager)
+      end
+
+      # For some langauges, the manifest file may be constructed such that
+      # Dependabot has no way to update it (e.g., if it fetches its versions
+      # from a web API). This method is overridden in those cases.
+      def requirements_unlocked_or_can_be?
+        true
+      end
+
+      private
+
+      def latest_version_resolvable_with_full_unlock?
+        raise NotImplementedError
+      end
+
+      def updated_dependency_without_unlock
+        Dependency.new(
+          name: dependency.name,
+          version: latest_resolvable_version_with_no_unlock.to_s,
+          requirements: dependency.requirements,
+          previous_version: dependency.version,
+          previous_requirements: dependency.requirements,
+          package_manager: dependency.package_manager
+        )
+      end
+
+      def updated_dependency_with_own_req_unlock
+        Dependency.new(
+          name: dependency.name,
+          version: latest_resolvable_version.to_s,
+          requirements: updated_requirements,
+          previous_version: dependency.version,
+          previous_requirements: dependency.requirements,
+          package_manager: dependency.package_manager
+        )
+      end
+
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
+      end
+
+      def version_up_to_date?
+        return sha1_version_up_to_date? if existing_version_is_sha?
+
+        numeric_version_up_to_date?
+      end
+
+      def version_can_update?(requirements_to_unlock:)
+        if existing_version_is_sha?
+          return sha1_version_can_update?(
+            requirements_to_unlock: requirements_to_unlock
+          )
+        end
+
+        numeric_version_can_update?(
+          requirements_to_unlock: requirements_to_unlock
+        )
+      end
+
+      def existing_version_is_sha?
+        return false if version_class.correct?(dependency.version)
+
+        dependency.version.match?(/^[0-9a-f]{6,}$/)
+      end
+
+      def sha1_version_up_to_date?
+        latest_version&.to_s&.start_with?(dependency.version)
+      end
+
+      def sha1_version_can_update?(requirements_to_unlock:)
+        return false if sha1_version_up_to_date?
+
+        # All we can do with SHA-1 hashes is check for presence and equality
+        case requirements_to_unlock&.to_sym
+        when :none
+          new_version = latest_resolvable_version_with_no_unlock
+          new_version && !new_version.to_s.start_with?(dependency.version)
+        when :own
+          new_version = latest_resolvable_version
+          new_version && !new_version.to_s.start_with?(dependency.version)
+        when :all
+          latest_version_resolvable_with_full_unlock?
+        else raise "Unknown unlock level '#{requirements_to_unlock}'"
+        end
+      end
+
+      def numeric_version_up_to_date?
+        return false unless latest_version
+
+        # If a lockfile isn't out of date and the package has switched to a git
+        # source then we'll get a numeric version switching to a git SHA. In
+        # this case we treat the verison as up-to-date so that it's ignored.
+        return true if latest_version.to_s.match?(/^[0-9a-f]{40}$/)
+
+        latest_version <= version_class.new(dependency.version)
+      end
+
+      def numeric_version_can_update?(requirements_to_unlock:)
+        return false if numeric_version_up_to_date?
+
+        case requirements_to_unlock&.to_sym
+        when :none
+          new_version = latest_resolvable_version_with_no_unlock
+          new_version && new_version > version_class.new(dependency.version)
+        when :own
+          new_version = latest_resolvable_version
+          new_version && new_version > version_class.new(dependency.version)
+        when :all
+          latest_version_resolvable_with_full_unlock?
+        else raise "Unknown unlock level '#{requirements_to_unlock}'"
+        end
+      end
+
+      def requirements_up_to_date?
+        return true if (updated_requirements - dependency.requirements).none?
+        return false unless latest_version
+        return false unless version_class.correct?(latest_version.to_s)
+        return false unless version_from_requirements
+
+        version_from_requirements >= version_class.new(latest_version.to_s)
+      end
+
+      def version_from_requirements
+        @version_from_requirements ||=
+          dependency.requirements.map { |r| r.fetch(:requirement) }.compact.
+          flat_map { |req_str| requirement_class.requirements_array(req_str) }.
+          flat_map(&:requirements).
+          reject { |req_array| req_array.first.start_with?("<") }.
+          map(&:last).
+          max
+      end
+
+      def requirements_can_update?
+        changed_reqs = updated_requirements - dependency.requirements
+
+        return false if changed_reqs.none?
+
+        changed_reqs.none? { |r| r[:requirement] == :unfixable }
+      end
+
+      def ignore_reqs
+        ignored_versions.map { |req| requirement_class.new(req.split(",")) }
+      end
+    end
+  end
+end

data/lib/dependabot/utils.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+# TODO: in due course, these "registries" should live in a wrapper gem, not
+#       dependabot-core.
+module Dependabot
+  module Utils
+    @version_classes = {}
+
+    def self.version_class_for_package_manager(package_manager)
+      version_class = @version_classes[package_manager]
+      return version_class if version_class
+
+      raise "Unsupported package_manager #{package_manager}"
+    end
+
+    def self.register_version_class(package_manager, version_class)
+      @version_classes[package_manager] = version_class
+    end
+
+    @requirement_classes = {}
+
+    def self.requirement_class_for_package_manager(package_manager)
+      requirement_class = @requirement_classes[package_manager]
+      return requirement_class if requirement_class
+
+      raise "Unsupported package_manager #{package_manager}"
+    end
+
+    def self.register_requirement_class(package_manager, requirement_class)
+      @requirement_classes[package_manager] = requirement_class
+    end
+  end
+end

data/lib/dependabot/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Dependabot
+  VERSION = "0.95.2"
+end

data/lib/rubygems_version_patch.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require "rubygems/version"
+
+# Opt in to Rubygems 4 behaviour
+module Gem
+  class Version
+    def self.correct?(version)
+      return false if version.nil?
+
+      version.to_s.match?(ANCHORED_VERSION_PATTERN)
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.95.1
+  version: 0.95.2
 platform: ruby
 authors:
 - Dependabot
@@ -294,7 +294,49 @@ email: support@dependabot.com
 executables: []
 extensions: []
 extra_rdoc_files: []
-files: []
+files:
+- lib/dependabot.rb
+- lib/dependabot/clients/bitbucket.rb
+- lib/dependabot/clients/github_with_retries.rb
+- lib/dependabot/clients/gitlab.rb
+- lib/dependabot/dependency.rb
+- lib/dependabot/dependency_file.rb
+- lib/dependabot/errors.rb
+- lib/dependabot/file_fetchers.rb
+- lib/dependabot/file_fetchers/README.md
+- lib/dependabot/file_fetchers/base.rb
+- lib/dependabot/file_parsers.rb
+- lib/dependabot/file_parsers/README.md
+- lib/dependabot/file_parsers/base.rb
+- lib/dependabot/file_parsers/base/dependency_set.rb
+- lib/dependabot/file_updaters.rb
+- lib/dependabot/file_updaters/README.md
+- lib/dependabot/file_updaters/base.rb
+- lib/dependabot/git_commit_checker.rb
+- lib/dependabot/metadata_finders.rb
+- lib/dependabot/metadata_finders/README.md
+- lib/dependabot/metadata_finders/base.rb
+- lib/dependabot/metadata_finders/base/changelog_finder.rb
+- lib/dependabot/metadata_finders/base/changelog_pruner.rb
+- lib/dependabot/metadata_finders/base/commits_finder.rb
+- lib/dependabot/metadata_finders/base/release_finder.rb
+- lib/dependabot/pull_request_creator.rb
+- lib/dependabot/pull_request_creator/branch_namer.rb
+- lib/dependabot/pull_request_creator/commit_signer.rb
+- lib/dependabot/pull_request_creator/github.rb
+- lib/dependabot/pull_request_creator/gitlab.rb
+- lib/dependabot/pull_request_creator/labeler.rb
+- lib/dependabot/pull_request_creator/message_builder.rb
+- lib/dependabot/pull_request_updater.rb
+- lib/dependabot/pull_request_updater/github.rb
+- lib/dependabot/shared_helpers.rb
+- lib/dependabot/source.rb
+- lib/dependabot/update_checkers.rb
+- lib/dependabot/update_checkers/README.md
+- lib/dependabot/update_checkers/base.rb
+- lib/dependabot/utils.rb
+- lib/dependabot/version.rb
+- lib/rubygems_version_patch.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard