dependabot-common 0.114.1 → 0.115.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f6786a3445f21e8a86ef16db1574ec3d909ae56104e46e2bee6ef25f5e24381c
-  data.tar.gz: dc23a768919a58b9957f6a0ca5c92083854abc9eb2e9d289df31491537bc1757
+  metadata.gz: 0ca4c300e6913173c89d9d025b5bcd1e78c0b68fed9fe9471ab0d2c7dc730b60
+  data.tar.gz: 7b071b023ae3be15e218dccbc723e5dd3b302859818117faa1ed5be43bbdfee3
 SHA512:
-  metadata.gz: d4ecf080f83638c4ad66e4b5ce0e5c180aceefc519325faf8bba0d412507eff3a34415f2dd0282cc3081c3927274bed3265d4e53b083ac4f23575f07fe41e27e
-  data.tar.gz: 65d6b88a6060b0b9a8662d1139e0e395c1d928794d2addb14d9872603362f3e0be6c4fe66db312e06f2c3230a2693f070f75564239e76dc8dead770a207b4197
+  metadata.gz: 00f07caa0d24f1418c94449654b9c9e51f535297db7c38cf4d65a9163d9fd205780a0976bdb92aa14c8e7790f9c5e2c5f75936880f29b16e421c256e9484a454
+  data.tar.gz: b90acfa364d72c9e6892fdbc7203b6c1e2003929efb89428c21482bd395ed187e92e24efdef09c7e360667191ce2dbb1ba6cb6c90106f302e33f2a504c9dd988

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -292,7 +292,7 @@ module Dependabot
         end
 
         dependencies.map do |dep|
-          msg = "\n\nUpdates `#{dep.display_name}` from "\
+          msg = "\nUpdates `#{dep.display_name}` from "\
                 "#{previous_version(dep)} to #{new_version(dep)}"
 
           if vulnerabilities_fixed[dep.name]&.one?
@@ -314,7 +314,7 @@ module Dependabot
         msg += commits_cascade(dep)
         msg += maintainer_changes_cascade(dep)
         msg += "\n<br />" unless msg == ""
-        sanitize_links_and_mentions(msg)
+        "\n" + sanitize_links_and_mentions(msg)
       end
 
       def vulnerabilities_cascade(dep)
@@ -438,9 +438,9 @@ module Dependabot
         if source.provider == ("azure" || "codecommit")
           "\n\##{summary}\n\n#{body}"
         else
-          msg = "\n<details>\n<summary>#{summary}</summary>\n\n"
+          msg = "<details>\n<summary>#{summary}</summary>\n\n"
           msg += body
-          msg + "</details>"
+          msg + "</details>\n"
         end
       end
 

data/lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "commonmarker"
 require "strscan"
 require "dependabot/pull_request_creator/message_builder"
 
@@ -46,11 +47,11 @@ module Dependabot
             delimiter = line.match(CODEBLOCK_REGEX)&.to_s
             unless delimiter && lines.count { |l| l.include?(delimiter) }.odd?
               line = sanitize_mentions(line)
-              line = sanitize_links(line)
             end
             lines << line
           end
-          lines.join
+
+          sanitize_links(lines.join)
         end
 
         private
@@ -60,8 +61,8 @@ module Dependabot
             next mention if mention.end_with?("/")
 
             last_match = Regexp.last_match
-
             sanitized_mention = mention.gsub("@", "@&#8203;")
+
             if last_match.pre_match.chars.last == "[" &&
                last_match.post_match.chars.first == "]"
               sanitized_mention
@@ -73,23 +74,30 @@ module Dependabot
         end
 
         def sanitize_links(text)
-          text.gsub(GITHUB_REF_REGEX) do |ref|
-            last_match = Regexp.last_match
-            previous_char = last_match.pre_match.chars.last
-            next_char = last_match.post_match.chars.first
-
-            sanitized_url =
-              ref.gsub("github.com", github_redirection_service || "github.com")
-            if (previous_char.nil? || previous_char.match?(/\s/)) &&
-               (next_char.nil? || next_char.match?(/\s/))
-              number = last_match.named_captures.fetch("number")
-              repo = last_match.named_captures.fetch("repo")
-              "[#{repo}##{number}]"\
-              "(#{sanitized_url})"
-            else
-              sanitized_url
+          # We rely on GitHub to do the HTML sanitization
+          options = %i(UNSAFE GITHUB_PRE_LANG FULL_INFO_STRING)
+          extensions = %i(table tasklist strikethrough autolink tagfilter)
+
+          doc = CommonMarker.render_doc(text, :LIBERAL_HTML_TAG, extensions)
+
+          doc.walk do |node|
+            if node.type == :link && node.url.match?(GITHUB_REF_REGEX)
+              node.each do |subnode|
+                last_match = subnode.string_content.match(GITHUB_REF_REGEX)
+                next unless subnode.type == :text && last_match
+
+                number = last_match.named_captures.fetch("number")
+                repo = last_match.named_captures.fetch("repo")
+                subnode.string_content = "#{repo}##{number}"
+              end
+
+              node.url = node.url.gsub(
+                "github.com", github_redirection_service || "github.com"
+              )
             end
           end
+
+          doc.to_html(options, extensions)
         end
       end
     end

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.114.1"
+  VERSION = "0.115.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.114.1
+  version: 0.115.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-17 00:00:00.000000000 Z
+date: 2019-12-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -58,6 +58,20 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: commonmarker
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.20.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.20.1
 - !ruby/object:Gem::Dependency
   name: docker_registry2
   requirement: !ruby/object:Gem::Requirement