dependabot-common 0.213.0 → 0.214.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 23fa5c7ea872ca0849f22018af9b0811ad9044f03a4e7d59aa023b3dd80bd4e6
-  data.tar.gz: cea778ebef75ccec5afcd3e5932af78d9711c51c4c864ea02d65930fce8ca4dc
+  metadata.gz: 1fab7bc375e03e37b65e94e3e05e7c9ad945d982295b6c9a030083ed038dbaf3
+  data.tar.gz: 9924a1980357d1833988bd19a8119a05162a28cc20cbdf157626744ef93be0ba
 SHA512:
-  metadata.gz: b14ad55cbabd2a49bd35c7f8012f95972515eead80a71363353a8978286e9d756fd97da5442cb3013acdebfb1a77c7f8f7c450bac553a2d6f52b12687fcf2d43
-  data.tar.gz: 86cbba3afb724d1ee0b6c1fd0bb357a33c288263b3032e0ef029e099b5d7f7d8d5104526a8890d6233fdb8850b56ecd05cb0746bd8e6fe8fd84338db8caa28dd
+  metadata.gz: 88069b0acbe42180a064046ab55cba565da0f9a3e00d40582a3fb406aee9e3b357cf8e3bdf34dc84da959c931c1519a87e02022e994baf947193f7d6fb949be8
+  data.tar.gz: 785cddd10adbed3413e7fdfcbfcc9b5fa00fde7a55f6e171db0c62f4e4a9f17000dc06d7e4c75d312fda6c7801e9fa6428642ea2b3473dc1b4d7f14e0a660bff

data/lib/dependabot/clients/azure.rb

@@ -172,7 +172,8 @@ module Dependabot
 
       # rubocop:disable Metrics/ParameterLists
       def create_pull_request(pr_name, source_branch, target_branch,
-                              pr_description, labels, work_item = nil)
+                              pr_description, labels,
+                              reviewers = nil, assignees = nil, work_item = nil)
         pr_description = truncate_pr_description(pr_description)
 
         content = {
@@ -181,6 +182,7 @@ module Dependabot
           title: pr_name,
           description: pr_description,
           labels: labels.map { |label| { name: label } },
+          reviewers: pr_reviewers(reviewers, assignees),
           workItemRefs: [{ id: work_item }]
         }
 
@@ -324,6 +326,13 @@ module Dependabot
         message&.include?("TF401289")
       end
 
+      def pr_reviewers(reviewers, assignees)
+        return [] unless reviewers || assignees
+
+        pr_reviewers = reviewers&.map { |r_id| { id: r_id, isRequired: true } } || []
+        pr_reviewers + (assignees&.map { |r_id| { id: r_id, isRequired: false } } || [])
+      end
+
       attr_reader :auth_header
       attr_reader :credentials
       attr_reader :source

data/lib/dependabot/clients/bitbucket.rb

@@ -12,6 +12,8 @@ module Dependabot
 
       class Forbidden < StandardError; end
 
+      class TimedOut < StandardError; end
+
       #######################
       # Constructor methods #
       #######################
@@ -79,19 +81,24 @@ module Dependabot
         JSON.parse(response.body)
       end
 
-      def pull_requests(repo, source_branch, target_branch)
-        pr_path = "#{repo}/pullrequests"
-        # Get pull requests with any status
-        pr_path += "?status=OPEN&status=MERGED&status=DECLINED&status=SUPERSEDED"
+      def pull_requests(repo, source_branch, target_branch, status = %w(OPEN MERGED DECLINED SUPERSEDED))
+        pr_path = "#{repo}/pullrequests?"
+        # Get pull requests with given status
+        status.each { |n| pr_path += "status=#{n}&" }
         next_page_url = base_url + pr_path
         pull_requests = paginate({ "next" => next_page_url })
 
         pull_requests unless source_branch && target_branch
 
         pull_requests.select do |pr|
-          pr_source_branch = pr.fetch("source").fetch("branch").fetch("name")
+          if source_branch.nil?
+            source_branch_matches = true
+          else
+            pr_source_branch = pr.fetch("source").fetch("branch").fetch("name")
+            source_branch_matches = pr_source_branch == source_branch
+          end
           pr_target_branch = pr.fetch("destination").fetch("branch").fetch("name")
-          pr_source_branch == source_branch && pr_target_branch == target_branch
+          source_branch_matches && pr_target_branch == target_branch
         end
       end
 
@@ -106,8 +113,7 @@ module Dependabot
         }
 
         files.each do |file|
-          absolute_path = file.name.start_with?("/") ? file.name : "/" + file.name
-          parameters[absolute_path] = file.content
+          parameters[file.path] = file.content
         end
 
         body = encode_form_parameters(parameters)
@@ -144,6 +150,23 @@ module Dependabot
       end
       # rubocop:enable Metrics/ParameterLists
 
+      def decline_pull_request(repo, pr_id, comment = nil)
+        # https://developer.atlassian.com/cloud/bitbucket/rest/api-group-pullrequests/
+        decline_path = "#{repo}/pullrequests/#{pr_id}/decline"
+        post(base_url + decline_path, "")
+
+        comment = "Dependabot declined the pull request." if comment.nil?
+
+        content = {
+          content: {
+            raw: comment
+          }
+        }
+
+        comment_path = "#{repo}/pullrequests/#{pr_id}/comments"
+        post(base_url + comment_path, content.to_json)
+      end
+
       def current_user
         base_url = "https://api.bitbucket.org/2.0/user?fields=uuid"
         response = get(base_url)
@@ -205,6 +228,14 @@ module Dependabot
       end
 
       def post(url, body, content_type = "application/json")
+        headers = auth_header
+
+        headers = if body.empty?
+                    headers.merge({ "Accept" => "application/json" })
+                  else
+                    headers.merge({ "Content-Type" => content_type })
+                  end
+
         response = Excon.post(
           url,
           body: body,
@@ -212,16 +243,13 @@ module Dependabot
           password: credentials&.fetch("password", nil),
           idempotent: false,
           **SharedHelpers.excon_defaults(
-            headers: auth_header.merge(
-              {
-                "Content-Type" => content_type
-              }
-            )
+            headers: headers
           )
         )
         raise Unauthorized if response.status == 401
         raise Forbidden if response.status == 403
         raise NotFound if response.status == 404
+        raise TimedOut if response.status == 555
 
         response
       end

data/lib/dependabot/clients/github_with_retries.rb

@@ -84,7 +84,16 @@ module Dependabot
         access_tokens << nil if access_tokens.empty?
         access_tokens.uniq!
 
-        @max_retries = max_retries || 3
+        Octokit.middleware = Faraday::RackBuilder.new do |builder|
+          builder.use Faraday::Retry::Middleware, exceptions: RETRYABLE_ERRORS, max: max_retries || 3
+
+          Octokit::Default::MIDDLEWARE.handlers.each do |handler|
+            next if handler.klass == Faraday::Retry::Middleware
+
+            builder.use handler.klass
+          end
+        end
+
         @clients = access_tokens.map do |token|
           Octokit::Client.new(args.merge(access_token: token))
         end
@@ -95,13 +104,11 @@ module Dependabot
         client = untried_clients.pop
 
         begin
-          retry_connection_failures do
-            if client.respond_to?(method_name)
-              mutatable_args = args.map(&:dup)
-              client.public_send(method_name, *mutatable_args, &block)
-            else
-              super
-            end
+          if client.respond_to?(method_name)
+            mutatable_args = args.map(&:dup)
+            client.public_send(method_name, *mutatable_args, &block)
+          else
+            super
           end
         rescue Octokit::NotFound, Octokit::Unauthorized, Octokit::Forbidden
           raise unless (client = untried_clients.pop)
@@ -113,17 +120,6 @@ module Dependabot
       def respond_to_missing?(method_name, include_private = false)
         @clients.first.respond_to?(method_name) || super
       end
-
-      def retry_connection_failures
-        retry_attempt = 0
-
-        begin
-          yield
-        rescue *RETRYABLE_ERRORS
-          retry_attempt += 1
-          retry_attempt <= @max_retries ? retry : raise
-        end
-      end
     end
   end
 end

data/lib/dependabot/dependency.rb

@@ -67,6 +67,10 @@ module Dependabot
       @removed
     end
 
+    def numeric_version
+      @numeric_version ||= version_class.new(version) if version && version_class.correct?(version)
+    end
+
     def to_h
       {
         "name" => name,
@@ -136,6 +140,10 @@ module Dependabot
 
     private
 
+    def version_class
+      Utils.version_class_for_package_manager(package_manager)
+    end
+
     def check_values
       raise ArgumentError, "blank strings must not be provided as versions" if [version, previous_version].any?("")
 

data/lib/dependabot/dependency_file.rb

@@ -5,7 +5,7 @@ require "pathname"
 module Dependabot
   class DependencyFile
     attr_accessor :name, :content, :directory, :type, :support_file,
-                  :symlink_target, :content_encoding, :operation
+                  :symlink_target, :content_encoding, :operation, :mode
 
     class ContentEncoding
       UTF_8 = "utf-8"
@@ -20,7 +20,8 @@ module Dependabot
 
     def initialize(name:, content:, directory: "/", type: "file",
                    support_file: false, symlink_target: nil,
-                   content_encoding: ContentEncoding::UTF_8, deleted: false, operation: Operation::UPDATE)
+                   content_encoding: ContentEncoding::UTF_8, deleted: false,
+                   operation: Operation::UPDATE, mode: nil)
       @name = name
       @content = content
       @directory = clean_directory(directory)
@@ -40,6 +41,12 @@ module Dependabot
       # support_file flag instead)
       @type = type
 
+      begin
+        @mode = File.stat((symlink_target || path).sub(%r{^/}, "")).mode.to_s(8)
+      rescue StandardError
+        @mode = mode
+      end
+
       return unless (type == "symlink") ^ symlink_target
 
       raise "Symlinks must specify a target!" unless symlink_target
@@ -55,7 +62,8 @@ module Dependabot
         "support_file" => support_file,
         "content_encoding" => content_encoding,
         "deleted" => deleted,
-        "operation" => operation
+        "operation" => operation,
+        "mode" => mode
       }
 
       details["symlink_target"] = symlink_target if symlink_target

data/lib/dependabot/file_fetchers/base.rb

@@ -26,6 +26,12 @@ module Dependabot
         Dependabot::Clients::CodeCommit::NotFound
       ].freeze
 
+      GIT_SUBMODULE_INACCESSIBLE_ERROR =
+        /^fatal: unable to access '(?<url>.*)': The requested URL returned error: (?<code>\d+)$/
+      GIT_SUBMODULE_CLONE_ERROR =
+        /^fatal: clone of '(?<url>.*)' into submodule path '.*' failed$/
+      GIT_SUBMODULE_ERROR_REGEX = /(#{GIT_SUBMODULE_INACCESSIBLE_ERROR})|(#{GIT_SUBMODULE_CLONE_ERROR})/
+
       def self.required_files_in?(_filename_array)
         raise NotImplementedError
       end
@@ -592,11 +598,26 @@ module Dependabot
                              " --no-recurse-submodules"
                            end
           clone_options << " --branch #{source.branch} --single-branch" if source.branch
-          SharedHelpers.run_shell_command(
-            <<~CMD
-              git clone #{clone_options.string} #{source.url} #{path}
-            CMD
-          )
+
+          submodule_cloning_failed = false
+          begin
+            SharedHelpers.run_shell_command(
+              <<~CMD
+                git clone #{clone_options.string} #{source.url} #{path}
+              CMD
+            )
+          rescue SharedHelpers::HelperSubprocessFailed => e
+            raise unless GIT_SUBMODULE_ERROR_REGEX && e.message.downcase.include?("submodule")
+
+            submodule_cloning_failed = true
+            match = e.message.match(GIT_SUBMODULE_ERROR_REGEX)
+            url = match.named_captures["url"]
+            code = match.named_captures["code"]
+
+            # Submodules might be in the repo but unrelated to dependencies,
+            # so ignoring this error to try the update anyway since the base repo exists.
+            Dependabot.logger.error("Cloning of submodule failed: #{url} error: #{code || 'unknown'}")
+          end
 
           if source.commit
             # This code will only be called for testing. Production will never pass a commit
@@ -604,7 +625,7 @@ module Dependabot
             Dir.chdir(path) do
               fetch_options = StringIO.new
               fetch_options << "--depth 1"
-              fetch_options << if recurse_submodules_when_cloning?
+              fetch_options << if recurse_submodules_when_cloning? && !submodule_cloning_failed
                                  " --recurse-submodules=on-demand"
                                else
                                  " --no-recurse-submodules"
@@ -614,7 +635,7 @@ module Dependabot
 
               reset_options = StringIO.new
               reset_options << "--hard"
-              reset_options << if recurse_submodules_when_cloning?
+              reset_options << if recurse_submodules_when_cloning? && !submodule_cloning_failed
                                  " --recurse-submodules"
                                else
                                  " --no-recurse-submodules"

data/lib/dependabot/git_commit_checker.rb

@@ -23,13 +23,12 @@ module Dependabot
 
     def initialize(dependency:, credentials:,
                    ignored_versions: [], raise_on_ignored: false,
-                   requirement_class: nil, version_class: nil)
+                   consider_version_branches_pinned: false)
       @dependency = dependency
       @credentials = credentials
       @ignored_versions = ignored_versions
       @raise_on_ignored = raise_on_ignored
-      @requirement_class = requirement_class
-      @version_class = version_class
+      @consider_version_branches_pinned = consider_version_branches_pinned
     end
 
     def git_dependency?
@@ -52,17 +51,17 @@ module Dependabot
       # If the specified `ref` is actually a tag, we're pinned
       return true if local_upload_pack.match?(%r{ refs/tags/#{ref}$})
 
-      # If the specified `ref` is actually a branch, we're NOT pinned
-      return false if local_upload_pack.match?(%r{ refs/heads/#{ref}$})
+      # Assume we're pinned unless the specified `ref` is actually a branch
+      return true unless local_upload_pack.match?(%r{ refs/heads/#{ref}$})
 
-      # Otherwise, assume we're pinned
-      true
+      # TODO: Research whether considering branches that look like versions pinned makes sense for all ecosystems
+      @consider_version_branches_pinned && version_tag?(ref)
     end
 
     def pinned_ref_looks_like_version?
       return false unless pinned?
 
-      dependency_source_details.fetch(:ref).match?(VERSION_REGEX)
+      version_tag?(dependency_source_details.fetch(:ref))
     end
 
     def pinned_ref_looks_like_commit_sha?
@@ -70,6 +69,11 @@ module Dependabot
       ref_looks_like_commit_sha?(ref)
     end
 
+    def head_commit_for_pinned_ref
+      ref = dependency_source_details.fetch(:ref)
+      local_repo_git_metadata_fetcher.head_commit_for_ref_sha(ref)
+    end
+
     def ref_looks_like_commit_sha?(ref)
       return false unless ref&.match?(/^[0-9a-f]{6,40}$/)
 
@@ -85,13 +89,8 @@ module Dependabot
     def head_commit_for_current_branch
       ref = ref_or_branch || "HEAD"
 
-      if pinned?
-        return dependency.version ||
-               local_repo_git_metadata_fetcher.head_commit_for_ref(ref)
-      end
-
-      sha = local_repo_git_metadata_fetcher.head_commit_for_ref(ref)
-      return sha if sha
+      sha = head_commit_for_local_branch(ref)
+      return sha if pinned? || sha
 
       raise Dependabot::GitDependencyReferenceNotFound, dependency.name
     end
@@ -100,75 +99,45 @@ module Dependabot
       local_repo_git_metadata_fetcher.head_commit_for_ref(name)
     end
 
-    def local_tags_for_latest_version_commit_sha
-      tags = allowed_version_tags
-      max_tag = max_version_tag(tags)
-
-      return [] unless max_tag
+    def local_tag_for_latest_version_matching_existing_precision
+      max_local_tag_for_current_precision(allowed_version_tags)
+    end
 
-      tags.
-        select { |t| t.commit_sha == max_tag.commit_sha }.
-        map do |t|
-          version = t.name.match(VERSION_REGEX).named_captures.fetch("version")
-          {
-            tag: t.name,
-            version: version_class.new(version),
-            commit_sha: t.commit_sha,
-            tag_sha: t.tag_sha
-          }
-        end
+    def local_ref_for_latest_version_matching_existing_precision
+      max_local_tag_for_current_precision(allowed_version_refs)
     end
 
     def local_tag_for_latest_version
-      tag = max_version_tag(allowed_version_tags)
-
-      return unless tag
+      max_local_tag(allowed_version_tags)
+    end
 
-      version = tag.name.match(VERSION_REGEX).named_captures.fetch("version")
-      {
-        tag: tag.name,
-        version: version_class.new(version),
-        commit_sha: tag.commit_sha,
-        tag_sha: tag.tag_sha
-      }
+    def local_tags_for_allowed_versions_matching_existing_precision
+      select_matching_existing_precision(allowed_version_tags).map { |t| to_local_tag(t) }
     end
 
-    def max_version_tag(tags)
-      tags.
-        max_by do |t|
-        version = t.name.match(VERSION_REGEX).named_captures.
-                  fetch("version")
-        version_class.new(version)
-      end
+    def local_tags_for_allowed_versions
+      allowed_version_tags.map { |t| to_local_tag(t) }
     end
 
     def allowed_version_tags
-      tags =
-        local_tags.
-        select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
-      filtered = tags.
-                 reject { |t| tag_included_in_ignore_requirements?(t) }
-      if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(tags).any?
-        raise Dependabot::AllVersionsIgnored
-      end
+      allowed_versions(local_tags)
+    end
 
-      filtered.
-        reject { |t| tag_is_prerelease?(t) && !wants_prerelease? }
+    def allowed_version_refs
+      allowed_versions(local_refs)
     end
 
     def current_version
       return unless dependency.version && version_tag?(dependency.version)
 
-      version = dependency.version.match(VERSION_REGEX).named_captures.fetch("version")
-      version_class.new(version)
+      version_from_ref(dependency.version)
     end
 
     def filter_lower_versions(tags)
       return tags unless current_version
 
       versions = tags.map do |t|
-        version = t.name.match(VERSION_REGEX).named_captures.fetch("version")
-        version_class.new(version)
+        version_from_tag(t)
       end
 
       versions.select do |version|
@@ -176,15 +145,14 @@ module Dependabot
       end
     end
 
-    def local_tag_for_pinned_version
-      return unless pinned?
-
-      ref = dependency_source_details.fetch(:ref)
-      tags = local_tags.select { |t| t.commit_sha == ref && version_class.correct?(t.name) }.
-             sort_by { |t| version_class.new(t.name) }
-      return if tags.empty?
+    def most_specific_tag_equivalent_to_pinned_ref
+      commit_sha = head_commit_for_local_branch(dependency_source_details.fetch(:ref))
+      most_specific_version_tag_for_sha(commit_sha)
+    end
 
-      tags[-1].name
+    def local_tag_for_pinned_sha
+      commit_sha = dependency_source_details.fetch(:ref)
+      most_specific_version_tag_for_sha(commit_sha)
     end
 
     def git_repo_reachable?
@@ -198,6 +166,49 @@ module Dependabot
 
     attr_reader :dependency, :credentials, :ignored_versions
 
+    def max_local_tag_for_current_precision(tags)
+      max_local_tag(select_matching_existing_precision(tags))
+    end
+
+    def max_local_tag(tags)
+      max_version_tag = tags.max_by { |t| version_from_tag(t) }
+
+      to_local_tag(max_version_tag)
+    end
+
+    # Find the latest version with the same precision as the pinned version.
+    def select_matching_existing_precision(tags)
+      current_precision = precision(dependency.version)
+
+      tags.select { |tag| precision(scan_version(tag.name)) == current_precision }
+    end
+
+    def precision(version)
+      version.split(".").length
+    end
+
+    def most_specific_version_tag_for_sha(commit_sha)
+      tags = local_tags.select { |t| t.commit_sha == commit_sha && version_class.correct?(t.name) }.
+             sort_by { |t| version_class.new(t.name) }
+      return if tags.empty?
+
+      tags[-1].name
+    end
+
+    def allowed_versions(local_tags)
+      tags =
+        local_tags.
+        select { |t| version_tag?(t.name) && matches_existing_prefix?(t.name) }
+      filtered = tags.
+                 reject { |t| tag_included_in_ignore_requirements?(t) }
+      if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(tags).any?
+        raise Dependabot::AllVersionsIgnored
+      end
+
+      filtered.
+        reject { |t| tag_is_prerelease?(t) && !wants_prerelease? }
+    end
+
     def pinned_ref_in_release?(version)
       raise "Not a git dependency!" unless git_dependency?
 
@@ -236,9 +247,15 @@ module Dependabot
       local_repo_git_metadata_fetcher.upload_pack
     end
 
+    def local_refs
+      handle_tag_prefix(local_repo_git_metadata_fetcher.refs_for_upload_pack)
+    end
+
     def local_tags
-      tags = local_repo_git_metadata_fetcher.tags
+      handle_tag_prefix(local_repo_git_metadata_fetcher.tags_for_upload_pack)
+    end
 
+    def handle_tag_prefix(tags)
       if dependency_source_details&.fetch(:ref, nil)&.start_with?("tags/")
         tags = tags.map do |tag|
           tag.dup.tap { |t| t.name = "tags/#{tag.name}" }
@@ -341,6 +358,18 @@ module Dependabot
         tag.gsub(VERSION_REGEX, "").gsub(/v$/i, "")
     end
 
+    def to_local_tag(tag)
+      return unless tag
+
+      version = version_from_tag(tag)
+      {
+        tag: tag.name,
+        version: version,
+        commit_sha: tag.commit_sha,
+        tag_sha: tag.ref_sha
+      }
+    end
+
     def listing_source_url
       @listing_source_url ||=
         begin
@@ -404,31 +433,37 @@ module Dependabot
       return false unless dependency_source_details&.fetch(:ref, nil)
       return false unless pinned_ref_looks_like_version?
 
-      version = dependency_source_details.fetch(:ref).match(VERSION_REGEX).
-                named_captures.fetch("version")
-      version_class.new(version).prerelease?
+      version = version_from_ref(dependency_source_details.fetch(:ref))
+      version.prerelease?
     end
 
     def tag_included_in_ignore_requirements?(tag)
-      version = tag.name.match(VERSION_REGEX).named_captures.fetch("version")
-      ignore_requirements.any? { |r| r.satisfied_by?(version_class.new(version)) }
+      version = version_from_tag(tag)
+      ignore_requirements.any? { |r| r.satisfied_by?(version) }
     end
 
     def tag_is_prerelease?(tag)
-      version = tag.name.match(VERSION_REGEX).named_captures.fetch("version")
-      version_class.new(version).prerelease?
+      version_from_tag(tag).prerelease?
     end
 
-    def version_class
-      return @version_class if @version_class
+    def version_from_tag(tag)
+      version_from_ref(tag.name)
+    end
 
-      Utils.version_class_for_package_manager(dependency.package_manager)
+    def version_from_ref(name)
+      version_class.new(scan_version(name))
     end
 
-    def requirement_class
-      return @requirement_class if @requirement_class
+    def scan_version(name)
+      name.match(VERSION_REGEX).named_captures.fetch("version")
+    end
 
-      Utils.requirement_class_for_package_manager(dependency.package_manager)
+    def version_class
+      @version_class ||= Utils.version_class_for_package_manager(dependency.package_manager)
+    end
+
+    def requirement_class
+      @requirement_class ||= Utils.requirement_class_for_package_manager(dependency.package_manager)
     end
 
     def local_repo_git_metadata_fetcher

data/lib/dependabot/git_metadata_fetcher.rb

@@ -22,7 +22,21 @@ module Dependabot
     def tags
       return [] unless upload_pack
 
-      @tags ||= tags_for_upload_pack
+      @tags ||= tags_for_upload_pack.map do |ref|
+        OpenStruct.new(
+          name: ref.name,
+          tag_sha: ref.ref_sha,
+          commit_sha: ref.commit_sha
+        )
+      end
+    end
+
+    def tags_for_upload_pack
+      @tags_for_upload_pack ||= refs_for_upload_pack.select { |ref| ref.ref_type == :tag }
+    end
+
+    def refs_for_upload_pack
+      @refs_for_upload_pack ||= parse_refs_for_upload_pack
     end
 
     def ref_names
@@ -44,6 +58,12 @@ module Dependabot
         commit_sha
     end
 
+    def head_commit_for_ref_sha(ref)
+      refs_for_upload_pack.
+        find { |r| r.ref_sha == ref }&.
+        commit_sha
+    end
+
     private
 
     attr_reader :url, :credentials
@@ -102,22 +122,6 @@ module Dependabot
       end
     end
 
-    def tags_for_upload_pack
-      refs_for_upload_pack.
-        select { |ref| ref.ref_type == :tag }.
-        map do |ref|
-          OpenStruct.new(
-            name: ref.name,
-            tag_sha: ref.ref_sha,
-            commit_sha: ref.commit_sha
-          )
-        end
-    end
-
-    def refs_for_upload_pack
-      @refs_for_upload_pack ||= parse_refs_for_upload_pack
-    end
-
     def parse_refs_for_upload_pack
       peeled_lines = []
 

data/lib/dependabot/pull_request_creator/azure.rb

@@ -8,11 +8,11 @@ module Dependabot
     class Azure
       attr_reader :source, :branch_name, :base_commit, :credentials,
                   :files, :commit_message, :pr_description, :pr_name,
-                  :author_details, :labeler, :work_item
+                  :author_details, :labeler, :reviewers, :assignees, :work_item
 
       def initialize(source:, branch_name:, base_commit:, credentials:,
                      files:, commit_message:, pr_description:, pr_name:,
-                     author_details:, labeler:, work_item: nil)
+                     author_details:, labeler:, reviewers: nil, assignees: nil, work_item: nil)
         @source         = source
         @branch_name    = branch_name
         @base_commit    = base_commit
@@ -23,6 +23,8 @@ module Dependabot
         @pr_name        = pr_name
         @author_details = author_details
         @labeler        = labeler
+        @reviewers      = reviewers
+        @assignees      = assignees
         @work_item      = work_item
       end
 
@@ -79,6 +81,8 @@ module Dependabot
           source.branch || default_branch,
           pr_description,
           labeler.labels_for_pr,
+          reviewers,
+          assignees,
           work_item
         )
       end

data/lib/dependabot/pull_request_creator/github.rb

@@ -193,7 +193,7 @@ module Dependabot
             {
               path: (file.symlink_target ||
                      file.path).sub(%r{^/}, ""),
-              mode: "100644",
+              mode: (file.mode || "100644"),
               type: "blob"
             }.merge(content)
           end

data/lib/dependabot/pull_request_creator.rb

@@ -176,6 +176,8 @@ module Dependabot
         pr_name: message.pr_name,
         author_details: author_details,
         labeler: labeler,
+        reviewers: reviewers,
+        assignees: assignees,
         work_item: provider_metadata&.fetch(:work_item, nil)
       )
     end

data/lib/dependabot/update_checkers/base.rb

@@ -137,8 +137,7 @@ module Dependabot
         # Can't (currently) detect whether git dependencies are vulnerable
         return false if existing_version_is_sha?
 
-        version = version_class.new(dependency.version)
-        security_advisories.any? { |a| a.vulnerable?(version) }
+        active_advisories.any?
       end
 
       def ignore_requirements
@@ -147,6 +146,10 @@ module Dependabot
 
       private
 
+      def active_advisories
+        security_advisories.select { |a| a.vulnerable?(current_version) }
+      end
+
       def latest_version_resolvable_with_full_unlock?
         raise NotImplementedError
       end
@@ -235,7 +238,7 @@ module Dependabot
         # this case we treat the version as up-to-date so that it's ignored.
         return true if latest_version.to_s.match?(/^[0-9a-f]{40}$/)
 
-        latest_version <= version_class.new(dependency.version)
+        latest_version <= current_version
       end
 
       def numeric_version_can_update?(requirements_to_unlock:)
@@ -244,7 +247,7 @@ module Dependabot
         case requirements_to_unlock&.to_sym
         when :none
           new_version = latest_resolvable_version_with_no_unlock
-          new_version && new_version > version_class.new(dependency.version)
+          new_version && new_version > current_version
         when :own
           preferred_version_resolvable_with_unlock?
         when :all
@@ -259,7 +262,7 @@ module Dependabot
 
         if existing_version_is_sha?
           return false if new_version.to_s.start_with?(dependency.version)
-        elsif new_version <= version_class.new(dependency.version)
+        elsif new_version <= current_version
           return false
         end
 
@@ -275,6 +278,10 @@ module Dependabot
         changed_requirements.none?
       end
 
+      def current_version
+        @current_version ||= dependency.numeric_version
+      end
+
       def can_compare_requirements?
         version_from_requirements &&
           latest_version &&

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.213.0"
+  VERSION = "0.214.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.213.0
+  version: 0.214.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-10-31 00:00:00.000000000 Z
+date: 2022-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -119,6 +119,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.75'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.94'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -126,6 +129,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.75'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.94'
 - !ruby/object:Gem::Dependency
   name: faraday
   requirement: !ruby/object:Gem::Requirement
@@ -140,6 +146,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 2.6.0
+- !ruby/object:Gem::Dependency
+  name: faraday-retry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: gitlab
   requirement: !ruby/object:Gem::Requirement
@@ -262,14 +282,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 4.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -318,14 +338,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.37.1
+        version: 1.39.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.37.1
+        version: 1.39.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -503,7 +523,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.3.22
+      version: 3.3.7
 requirements: []
 rubygems_version: 3.3.7
 signing_key: