dependabot-common 0.119.4 → 0.119.5
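--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ac20c5d159264edb3113a4e495d02e6c32f5e6aadb5cda883587aeabae475dde
+data.tar.gz: d5086bb6a7669add859859632b19b2d4e8ddddc9d637f63a2fb101bcb30d92ef
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5c1cfdfdba4439500593adc35ca3bca20f32d55c0cf4e7436f09caa1b443cca135eee7607ef8c7dc7e5d385b66556d8f1698b80568f2e6068888faa8a76acc79
+data.tar.gz: bb518e222b1fd04d0bccd69951ac5d7b58220ef1ed6ed8c7ad29825138f39632b4f605ec314776b14bce59e51025048cdd965aebf33445a9e0419f32b399d2d2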
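--- a/lib/dependabot/pull_request_creator/message_builder.rb
+++ b/lib/dependabot/pull_request_creator/message_builder.rb
@@ -10,6 +10,7 @@ require "dependabot/pull_request_creator"
 module Dependabot
 class PullRequestCreator
 class MessageBuilder
+require_relative "message_builder/metadata_presenter"
 require_relative "message_builder/issue_linker"
 require_relative "message_builder/link_and_mention_sanitizer"
 require_relative "pr_name_prefixer"
@@ -312,242 +313,20 @@ module Dependabot
 end.join
 end
 
-def metadata_cascades_for_dep(
-
-
-
-
-
-
-
-msg += commits_cascade(dep)
-msg += maintainer_changes_cascade(dep)
-msg += break_tag unless msg == ""
-"\n" + sanitize_links_and_mentions(msg, unsafe: true)
-end
-
-def vulnerabilities_cascade(dep)
-fixed_vulns = vulnerabilities_fixed[dep.name]
-return "" unless fixed_vulns&.any?
-
-msg = ""
-fixed_vulns.each { |v| msg += serialized_vulnerability_details(v) }
-msg = sanitize_template_tags(msg)
-msg = sanitize_links_and_mentions(msg)
-
-build_details_tag(summary: "Vulnerabilities fixed", body: msg)
-end
-
-def release_cascade(dep)
-return "" unless releases_text(dep) && releases_url(dep)
-
-msg = "*Sourced from [#{dep.display_name}'s releases]"\
-"(#{releases_url(dep)}).*\n\n"
-msg +=
-begin
-release_note_lines = releases_text(dep).split("\n").first(50)
-release_note_lines = release_note_lines.map { |line| "> #{line}\n" }
-if release_note_lines.count == 50
-release_note_lines << truncated_line
-end
-release_note_lines.join
-end
-msg = link_issues(text: msg, dependency: dep)
-msg = fix_relative_links(
-text: msg,
-base_url: source_url(dep) + "/blob/HEAD/"
-)
-msg = sanitize_template_tags(msg)
-msg = sanitize_links_and_mentions(msg)
-
-build_details_tag(summary: "Release notes", body: msg)
-end
-
-def changelog_cascade(dep)
-return "" unless changelog_url(dep) && changelog_text(dep)
-
-msg = "*Sourced from "\
-"[#{dep.display_name}'s changelog](#{changelog_url(dep)}).*\n\n"
-msg +=
-begin
-changelog_lines = changelog_text(dep).split("\n").first(50)
-changelog_lines = changelog_lines.map { |line| "> #{line}\n" }
-changelog_lines << truncated_line if changelog_lines.count == 50
-changelog_lines.join
-end
-msg = link_issues(text: msg, dependency: dep)
-msg = fix_relative_links(text: msg, base_url: changelog_url(dep))
-msg = sanitize_template_tags(msg)
-msg = sanitize_links_and_mentions(msg)
-
-build_details_tag(summary: "Changelog", body: msg)
-end
-
-def upgrade_guide_cascade(dep)
-return "" unless upgrade_url(dep) && upgrade_text(dep)
-
-msg = "*Sourced from "\
-"[#{dep.display_name}'s upgrade guide]"\
-"(#{upgrade_url(dep)}).*\n\n"
-msg +=
-begin
-upgrade_lines = upgrade_text(dep).split("\n").first(50)
-upgrade_lines = upgrade_lines.map { |line| "> #{line}\n" }
-upgrade_lines << truncated_line if upgrade_lines.count == 50
-upgrade_lines.join
-end
-msg = link_issues(text: msg, dependency: dep)
-msg = fix_relative_links(text: msg, base_url: upgrade_url(dep))
-msg = sanitize_template_tags(msg)
-msg = sanitize_links_and_mentions(msg)
-
-build_details_tag(summary: "Upgrade guide", body: msg)
-end
-
-def commits_cascade(dep)
-return "" unless commits_url(dep) && commits(dep)
-
-msg = ""
-
-commits(dep).reverse.first(10).each do |commit|
-title = commit[:message].strip.split("\n").first
-title = title.slice(0..76) + "..." if title && title.length > 80
-title = title&.gsub(/(?<=[^\w.-])([_*`~])/, '\\1')
-sha = commit[:sha][0, 7]
-msg += "- [`#{sha}`](#{commit[:html_url]}) #{title}\n"
-end
-
-msg = msg.gsub(/\<.*?\>/) { |tag| "\\#{tag}" }
-
-msg +=
-if commits(dep).count > 10
-"- Additional commits viewable in "\
-"[compare view](#{commits_url(dep)})\n"
-else
-"- See full diff in [compare view](#{commits_url(dep)})\n"
-end
-msg = link_issues(text: msg, dependency: dep)
-msg = sanitize_links_and_mentions(msg)
-
-build_details_tag(summary: "Commits", body: msg)
-end
-
-def maintainer_changes_cascade(dep)
-return "" unless maintainer_changes(dep)
-
-build_details_tag(
-summary: "Maintainer changes",
-body: sanitize_links_and_mentions(maintainer_changes(dep)) + "\n"
-)
-end
-
-def build_details_tag(summary:, body:)
-# Azure DevOps does not support <details> tag (https://developercommunity.visualstudio.com/content/problem/608769/add-support-for-in-markdown.html)
-# CodeCommit does not support the <details> tag (no url available)
-if source_provider_supports_html?
-msg = "<details>\n<summary>#{summary}</summary>\n\n"
-msg += body
-msg + "</details>\n"
-else
-"\n\##{summary}\n\n#{body}"
-end
-end
-
-def source_provider_supports_html?
-!%w(azure codecommit).include?(source.provider)
-end
-
-def serialized_vulnerability_details(details)
-msg = vulnerability_source_line(details)
-
-if details["title"]
-msg += "> **#{details['title'].lines.map(&:strip).join(' ')}**\n"
-end
-
-if (description = details["description"])
-description.strip.lines.first(20).each { |line| msg += "> #{line}" }
-msg += truncated_line if description.strip.lines.count > 20
-end
-
-msg += "\n" unless msg.end_with?("\n")
-msg += "> \n"
-msg += vulnerability_version_range_lines(details)
-msg + "\n"
-end
-
-def vulnerability_source_line(details)
-if details["source_url"] && details["source_name"]
-"*Sourced from [#{details['source_name']}]"\
-"(#{details['source_url']}).*\n\n"
-elsif details["source_name"]
-"*Sourced from #{details['source_name']}.*\n\n"
-else
-""
-end
-end
-
-def vulnerability_version_range_lines(details)
-msg = ""
-%w(patched_versions unaffected_versions affected_versions).each do |tp|
-type = tp.split("_").first.capitalize
-next unless details[tp]
-
-versions_string = details[tp].any? ? details[tp].join("; ") : "none"
-versions_string = versions_string.gsub(/(?<!\\)~/, '\~')
-msg += "> #{type} versions: #{versions_string}\n"
-end
-msg
-end
-
-def truncated_line
-# Tables can spill out of truncated details, so we close them
-"></tr></table> ... (truncated)\n"
-end
-
-def releases_url(dependency)
-metadata_finder(dependency).releases_url
-end
-
-def releases_text(dependency)
-metadata_finder(dependency).releases_text
-end
-
-def changelog_url(dependency)
-metadata_finder(dependency).changelog_url
-end
-
-def changelog_text(dependency)
-metadata_finder(dependency).changelog_text
-end
-
-def upgrade_url(dependency)
-metadata_finder(dependency).upgrade_guide_url
-end
-
-def upgrade_text(dependency)
-metadata_finder(dependency).upgrade_guide_text
-end
-
-def commits_url(dependency)
-metadata_finder(dependency).commits_url
-end
-
-def commits(dependency)
-metadata_finder(dependency).commits
-end
-
-def maintainer_changes(dependency)
-metadata_finder(dependency).maintainer_changes
+def metadata_cascades_for_dep(dependency)
+MetadataPresenter.new(
+dependency: dependency,
+source: source,
+metadata_finder: metadata_finder(dependency),
+vulnerabilities_fixed: vulnerabilities_fixed[dependency.name],
+github_redirection_service: github_redirection_service
+).to_s
 end
 
 def source_url(dependency)
 metadata_finder(dependency).source_url
 end
 
-def homepage_url(dependency)
-metadata_finder(dependency).homepage_url
-end
-
 def metadata_finder(dependency)
 @metadata_finder ||= {}
 @metadata_finder[dependency.name] ||=
@@ -656,48 +435,6 @@ module Dependabot
 raise "No new requirement!"
 end
 
-def link_issues(text:, dependency:)
-IssueLinker.
-new(source_url: source_url(dependency)).
-link_issues(text: text)
-end
-
-def fix_relative_links(text:, base_url:)
-text.gsub(/\[.*?\]\([^)]+\)/) do |link|
-next link if link.include?("://")
-
-relative_path = link.match(/\((.*?)\)/).captures.last
-base = base_url.split("://").last.gsub(%r{[^/]*$}, "")
-path = File.join(base, relative_path)
-absolute_path =
-base_url.sub(
-%r{(?<=://).*$},
-Pathname.new(path).cleanpath.to_s
-)
-link.gsub(relative_path, absolute_path)
-end
-end
-
-def sanitize_links_and_mentions(text, unsafe: false)
-return text unless source.provider == "github"
-
-LinkAndMentionSanitizer.
-new(github_redirection_service: github_redirection_service).
-sanitize_links_and_mentions(text: text, unsafe: unsafe)
-end
-
-def sanitize_template_tags(text)
-text.gsub(/\<.*?\>/) do |tag|
-tag_contents = tag.match(/\<(.*?)\>/).captures.first.strip
-
-# Unclosed calls to template overflow out of the blockquote block,
-# wrecking the rest of our PRs. Other tags don't share this problem.
-next "\\#{tag}" if tag_contents.start_with?("template")
-
-tag
-end
-end
-
 def ref_changed?(dependency)
 previous_ref(dependency) != new_ref(dependency)
 end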
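Review bot: The refactor removes the `homepage_url` helper from MessageBuilder while keeping `source_url`, and whether any other method in this file or a subclass still calls `homepage_url` cannot be verified from this hunk, so that grep is worth doing before merging. The new `metadata_cascades_for_dep` builds a fresh `MetadataPresenter` on every call and forwards `vulnerabilities_fixed[dependency.name]`, which is nil for a dependency with no advisories; the presenter tolerates that with `&.any?`, but a one-line comment would make the contract explicit: `# Renders the collapsible per-dependency sections (vulnerabilities, release notes, changelog, upgrade guide, commits, maintainer changes) via MetadataPresenter; nil vulnerabilities are fine.` The `@metadata_finder[dependency.name] ||=` memoization at the end of the second hunk continues outside the hunk.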
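--- /dev/null
+++ b/lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb
@@ -0,0 +1,283 @@
+# frozen_string_literal: true
+
+require "dependabot/pull_request_creator/message_builder"
+
+module Dependabot
+class PullRequestCreator
+class MessageBuilder
+class MetadataPresenter
+extend Forwardable
+
+attr_reader :dependency, :source, :metadata_finder,
+:vulnerabilities_fixed, :github_redirection_service
+
+def_delegators :metadata_finder,
+:changelog_url,
+:changelog_text,
+:commits_url,
+:commits,
+:maintainer_changes,
+:releases_url,
+:releases_text,
+:source_url,
+:upgrade_guide_url,
+:upgrade_guide_text
+
+def initialize(dependency:, source:, metadata_finder:,
+vulnerabilities_fixed:, github_redirection_service:)
+@dependency = dependency
+@source = source
+@metadata_finder = metadata_finder
+@vulnerabilities_fixed = vulnerabilities_fixed
+@github_redirection_service = github_redirection_service
+end
+
+def to_s
+msg = ""
+msg += vulnerabilities_cascade
+msg += release_cascade
+msg += changelog_cascade
+msg += upgrade_guide_cascade
+msg += commits_cascade
+msg += maintainer_changes_cascade
+msg += break_tag unless msg == ""
+"\n" + sanitize_links_and_mentions(msg, unsafe: true)
+end
+
+private
+
+def vulnerabilities_cascade
+return "" unless vulnerabilities_fixed&.any?
+
+msg = ""
+vulnerabilities_fixed.each do |v|
+msg += serialized_vulnerability_details(v)
+end
+
+msg = sanitize_template_tags(msg)
+msg = sanitize_links_and_mentions(msg)
+
+build_details_tag(summary: "Vulnerabilities fixed", body: msg)
+end
+
+def release_cascade
+return "" unless releases_text && releases_url
+
+msg = "*Sourced from [#{dependency.display_name}'s releases]"\
+"(#{releases_url}).*\n\n"
+msg +=
+begin
+release_note_lines = releases_text.split("\n").first(50)
+release_note_lines =
+release_note_lines.map { |line| "> #{line}\n" }
+if release_note_lines.count == 50
+release_note_lines << truncated_line
+end
+release_note_lines.join
+end
+msg = link_issues(text: msg)
+msg = fix_relative_links(
+text: msg,
+base_url: source_url + "/blob/HEAD/"
+)
+msg = sanitize_template_tags(msg)
+msg = sanitize_links_and_mentions(msg)
+
+build_details_tag(summary: "Release notes", body: msg)
+end
+
+def changelog_cascade
+return "" unless changelog_url && changelog_text
+
+msg = "*Sourced from "\
+"[#{dependency.display_name}'s changelog]"\
+"(#{changelog_url}).*\n\n"
+msg +=
+begin
+changelog_lines = changelog_text.split("\n").first(50)
+changelog_lines = changelog_lines.map { |line| "> #{line}\n" }
+changelog_lines << truncated_line if changelog_lines.count == 50
+changelog_lines.join
+end
+msg = link_issues(text: msg)
+msg = fix_relative_links(text: msg, base_url: changelog_url)
+msg = sanitize_template_tags(msg)
+msg = sanitize_links_and_mentions(msg)
+
+build_details_tag(summary: "Changelog", body: msg)
+end
+
+def upgrade_guide_cascade
+return "" unless upgrade_guide_url && upgrade_guide_text
+
+msg = "*Sourced from "\
+"[#{dependency.display_name}'s upgrade guide]"\
+"(#{upgrade_guide_url}).*\n\n"
+msg +=
+begin
+upgrade_lines = upgrade_guide_text.split("\n").first(50)
+upgrade_lines = upgrade_lines.map { |line| "> #{line}\n" }
+upgrade_lines << truncated_line if upgrade_lines.count == 50
+upgrade_lines.join
+end
+msg = link_issues(text: msg)
+msg = fix_relative_links(text: msg, base_url: upgrade_guide_url)
+msg = sanitize_template_tags(msg)
+msg = sanitize_links_and_mentions(msg)
+
+build_details_tag(summary: "Upgrade guide", body: msg)
+end
+
+def commits_cascade
+return "" unless commits_url && commits
+
+msg = ""
+
+commits.reverse.first(10).each do |commit|
+title = commit[:message].strip.split("\n").first
+title = title.slice(0..76) + "..." if title && title.length > 80
+title = title&.gsub(/(?<=[^\w.-])([_*`~])/, '\\1')
+sha = commit[:sha][0, 7]
+msg += "- [`#{sha}`](#{commit[:html_url]}) #{title}\n"
+end
+
+msg = msg.gsub(/\<.*?\>/) { |tag| "\\#{tag}" }
+
+msg +=
+if commits.count > 10
+"- Additional commits viewable in "\
+"[compare view](#{commits_url})\n"
+else
+"- See full diff in [compare view](#{commits_url})\n"
+end
+msg = link_issues(text: msg)
+msg = sanitize_links_and_mentions(msg)
+
+build_details_tag(summary: "Commits", body: msg)
+end
+
+def maintainer_changes_cascade
+return "" unless maintainer_changes
+
+build_details_tag(
+summary: "Maintainer changes",
+body: sanitize_links_and_mentions(maintainer_changes) + "\n"
+)
+end
+
+def build_details_tag(summary:, body:)
+# Azure DevOps does not support <details> tag (https://developercommunity.visualstudio.com/content/problem/608769/add-support-for-in-markdown.html)
+# CodeCommit does not support the <details> tag (no url available)
+if source_provider_supports_html?
+msg = "<details>\n<summary>#{summary}</summary>\n\n"
+msg += body
+msg + "</details>\n"
+else
+"\n\##{summary}\n\n#{body}"
+end
+end
+
+def serialized_vulnerability_details(details)
+msg = vulnerability_source_line(details)
+
+if details["title"]
+msg += "> **#{details['title'].lines.map(&:strip).join(' ')}**\n"
+end
+
+if (description = details["description"])
+description.strip.lines.first(20).each { |line| msg += "> #{line}" }
+msg += truncated_line if description.strip.lines.count > 20
+end
+
+msg += "\n" unless msg.end_with?("\n")
+msg += "> \n"
+msg += vulnerability_version_range_lines(details)
+msg + "\n"
+end
+
+def vulnerability_source_line(details)
+if details["source_url"] && details["source_name"]
+"*Sourced from [#{details['source_name']}]"\
+"(#{details['source_url']}).*\n\n"
+elsif details["source_name"]
+"*Sourced from #{details['source_name']}.*\n\n"
+else
+""
+end
+end
+
+def vulnerability_version_range_lines(details)
+msg = ""
+%w(
+patched_versions
+unaffected_versions
+affected_versions
+).each do |tp|
+type = tp.split("_").first.capitalize
+next unless details[tp]
+
+versions_string = details[tp].any? ? details[tp].join("; ") : "none"
+versions_string = versions_string.gsub(/(?<!\\)~/, '\~')
+msg += "> #{type} versions: #{versions_string}\n"
+end
+msg
+end
+
+def link_issues(text:)
+IssueLinker.
+new(source_url: source_url).
+link_issues(text: text)
+end
+
+def fix_relative_links(text:, base_url:)
+text.gsub(/\[.*?\]\([^)]+\)/) do |link|
+next link if link.include?("://")
+
+relative_path = link.match(/\((.*?)\)/).captures.last
+base = base_url.split("://").last.gsub(%r{[^/]*$}, "")
+path = File.join(base, relative_path)
+absolute_path =
+base_url.sub(
+%r{(?<=://).*$},
+Pathname.new(path).cleanpath.to_s
+)
+link.gsub(relative_path, absolute_path)
+end
+end
+
+def truncated_line
+# Tables can spill out of truncated details, so we close them
+"></tr></table> \n ... (truncated)\n"
+end
+
+def break_tag
+source_provider_supports_html? ? "\n<br />" : "\n\n"
+end
+
+def source_provider_supports_html?
+!%w(azure codecommit).include?(source.provider)
+end
+
+def sanitize_links_and_mentions(text, unsafe: false)
+return text unless source.provider == "github"
+
+LinkAndMentionSanitizer.
+new(github_redirection_service: github_redirection_service).
+sanitize_links_and_mentions(text: text, unsafe: unsafe)
+end
+
+def sanitize_template_tags(text)
+text.gsub(/\<.*?\>/) do |tag|
+tag_contents = tag.match(/\<(.*?)\>/).captures.first.strip
+
+# Unclosed calls to template overflow out of the blockquote block,
+# wrecking the rest of our PRs. Other tags don't share this problem.
+next "\\#{tag}" if tag_contents.start_with?("template")
+
+tag
+end
+end
+end
+end
+end
+end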
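Review bot: In `fix_relative_links`, `link.gsub(relative_path, absolute_path)` uses a plain string as both pattern and replacement, so every occurrence of the path inside the link is rewritten — `[CHANGELOG.md](CHANGELOG.md)` ends up with the full URL in the link text as well — and any `\0`- or `\&`-style backslash sequence that upstream release notes carry into `absolute_path` is interpreted as a back-reference instead of being inserted literally. Rebuilding the link from its two parts avoids both problems: capture `text, target = link.match(/\A\[(.*?)\]\((.*?)\)\z/).captures` and return `"[#{text}](#{absolute_path})"`; the block form `link.gsub(relative_path) { absolute_path }` alone fixes only the escaping half. The release notes, changelogs and commit titles this class quotes come from the dependency's own repository, so a short class comment stating that every cascade treats its input as untrusted markdown (hence the `sanitize_*` and escaping calls) would help the next maintainer keep them in place. Separately, the commit-title escape in `commits_cascade` passes `'\\1'` as the gsub replacement, which reads here as the two-character `\1` that re-inserts the captured character unchanged; if that is not a rendering artefact of this page, it needs `'\\\\\1'` to actually prefix a backslash.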
data/lib/dependabot/version.rb
CHANGED
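--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-version: 0.119.
+version: 0.119.5
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-09-
+date: 2020-09-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk-codecommit
@@ -376,6 +376,7 @@ files:
 - lib/dependabot/pull_request_creator/message_builder.rb
 - lib/dependabot/pull_request_creator/message_builder/issue_linker.rb
 - lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb
+- lib/dependabot/pull_request_creator/message_builder/metadata_presenter.rb
 - lib/dependabot/pull_request_creator/pr_name_prefixer.rb
 - lib/dependabot/pull_request_updater.rb
 - lib/dependabot/pull_request_updater/github.rb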