dependabot-common 0.237.0 → 0.238.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e29557fff3ec856a4ebcb95a2b53dd70f91b5d7f2ea66cd6230e90dbcbbc2dc0
-  data.tar.gz: f6b2ce2a845422872e58b37681909fb4357bb1ebcac22c1085db113dc2429426
+  metadata.gz: 77312fe42bc6241de9c474fa2a1bab0dd3955bff4c2846bc057e52684f1b48bf
+  data.tar.gz: 72fbe948d041e0d1e2fd717fa98a2358e32413408ed2d147d6cbd58107d8d5ba
 SHA512:
-  metadata.gz: 367d715ab3cb1b0c2c498555419e2212e9986c8e824128ce56695c00cdc190371fa0b7b9115258146ff0573f2e4a8461e1c66651b9d84bb2fdb7b0fe00b901ff
-  data.tar.gz: 4e5b3e040476f17cb7cf268ccc0cae90f17178da6a5954b14ca2a2ce280cf0f067b1ce8b88ecc8da5c04ae919cc34b670258b1555f9bfb707fb061cc8439acb3
+  metadata.gz: f108dbeb6f04a42d5b5b4e30baecad3d376bd82615e067b3ca2696bbdcefd875c55c4dd18da926b597641691e47edb034244d4d170030cbf8055d3c29e9de3cf
+  data.tar.gz: e14a429b7dadcd27eccd9e049fb6ebd4a405e8e86229eb683c47d1cb72e911a0da4ae3cab50a3a883000f49ef19e33716cfc2a1fd17181d89858da9644ff80e2

data/lib/dependabot/clients/codecommit.rb

@@ -1,6 +1,7 @@
 # typed: true
 # frozen_string_literal: true
 
+require "aws-sdk-codecommit"
 require "dependabot/shared_helpers"
 
 module Dependabot

data/lib/dependabot/dependency.rb

@@ -1,14 +1,23 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
 require "dependabot/version"
 
 module Dependabot
   class Dependency
-    @production_checks = {}
-    @display_name_builders = {}
-    @name_normalisers = {}
+    extend T::Sig
 
+    @production_checks = T.let(
+      {},
+      T::Hash[String, T.proc.params(arg0: T::Array[T.untyped]).returns(T::Boolean)]
+    )
+    @display_name_builders = T.let({}, T::Hash[String, T.proc.params(arg0: String).returns(String)])
+    @name_normalisers = T.let({}, T::Hash[String, T.proc.params(arg0: String).returns(String)])
+
+    sig do
+      params(package_manager: String).returns(T.proc.params(arg0: T::Array[T.untyped]).returns(T::Boolean))
+    end
     def self.production_check_for_package_manager(package_manager)
       production_check = @production_checks[package_manager]
       return production_check if production_check
@@ -16,62 +25,128 @@ module Dependabot
       raise "Unsupported package_manager #{package_manager}"
     end
 
+    sig do
+      params(
+        package_manager: String,
+        production_check: T.proc.params(arg0: T::Array[T.untyped]).returns(T::Boolean)
+      )
+        .returns(T.proc.params(arg0: T::Array[T.untyped]).returns(T::Boolean))
+    end
     def self.register_production_check(package_manager, production_check)
       @production_checks[package_manager] = production_check
     end
 
+    sig { params(package_manager: String).returns(T.nilable(T.proc.params(arg0: String).returns(String))) }
     def self.display_name_builder_for_package_manager(package_manager)
       @display_name_builders[package_manager]
     end
 
+    sig { params(package_manager: String, name_builder: T.proc.params(arg0: String).returns(String)).void }
     def self.register_display_name_builder(package_manager, name_builder)
       @display_name_builders[package_manager] = name_builder
     end
 
+    sig { params(package_manager: String).returns(T.nilable(T.proc.params(arg0: String).returns(String))) }
     def self.name_normaliser_for_package_manager(package_manager)
       @name_normalisers[package_manager] || ->(name) { name }
     end
 
+    sig do
+      params(
+        package_manager: String,
+        name_builder: T.proc.params(arg0: String).returns(String)
+      ).void
+    end
     def self.register_name_normaliser(package_manager, name_builder)
       @name_normalisers[package_manager] = name_builder
     end
 
-    attr_reader :name, :version, :requirements, :package_manager,
-                :previous_version, :previous_requirements,
-                :subdependency_metadata, :metadata
+    sig { returns(String) }
+    attr_reader :name
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :version
+
+    sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+    attr_reader :requirements
+
+    sig { returns(String) }
+    attr_reader :package_manager
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :previous_version
 
+    sig { returns(T.nilable(T::Array[T::Hash[Symbol, T.untyped]])) }
+    attr_reader :previous_requirements
+
+    sig { returns(T.nilable(T::Array[T::Hash[Symbol, T.untyped]])) }
+    attr_reader :subdependency_metadata
+
+    sig { returns(T::Hash[Symbol, T.untyped]) }
+    attr_reader :metadata
+
+    sig do
+      params(
+        name: String,
+        requirements: T::Array[T::Hash[String, String]],
+        package_manager: String,
+        # TODO: Make version a Dependabot::Version everywhere
+        version: T.nilable(T.any(String, Dependabot::Version)),
+        previous_version: T.nilable(String),
+        previous_requirements: T.nilable(T::Array[T::Hash[String, String]]),
+        subdependency_metadata: T.nilable(T::Array[T::Hash[String, String]]),
+        removed: T::Boolean,
+        metadata: T.nilable(T::Hash[String, String])
+      ).void
+    end
     def initialize(name:, requirements:, package_manager:, version: nil,
                    previous_version: nil, previous_requirements: nil,
                    subdependency_metadata: [], removed: false, metadata: {})
       @name = name
-      @version = version
-      @requirements = requirements.map { |req| symbolize_keys(req) }
+      @version = T.let(
+        case version
+        when Dependabot::Version then version.to_s
+        when String then version
+        end,
+        T.nilable(String)
+      )
+      @requirements = T.let(requirements.map { |req| symbolize_keys(req) }, T::Array[T::Hash[Symbol, String]])
       @previous_version = previous_version
-      @previous_requirements =
-        previous_requirements&.map { |req| symbolize_keys(req) }
+      @previous_requirements = T.let(
+        previous_requirements&.map { |req| symbolize_keys(req) },
+        T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
+      )
       @package_manager = package_manager
       unless top_level? || subdependency_metadata == []
-        @subdependency_metadata = subdependency_metadata
-                                  &.map { |h| symbolize_keys(h) }
+        @subdependency_metadata = T.let(
+          subdependency_metadata&.map { |h| symbolize_keys(h) },
+          T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
+        )
       end
       @removed = removed
-      @metadata = symbolize_keys(metadata || {})
+      @metadata = T.let(symbolize_keys(metadata || {}), T::Hash[Symbol, T.untyped])
 
       check_values
     end
 
+    sig { returns(T::Boolean) }
     def top_level?
       requirements.any?
     end
 
+    sig { returns(T::Boolean) }
     def removed?
       @removed
     end
 
+    sig { returns(T.nilable(Dependabot::Version)) }
     def numeric_version
-      @numeric_version ||= version_class.new(version) if version && version_class.correct?(version)
+      return unless version && version_class.correct?(version)
+
+      @numeric_version ||= T.let(version_class.new(version), T.nilable(Dependabot::Version))
     end
 
+    sig { returns(T::Hash[String, T.untyped]) }
     def to_h
       {
         "name" => name,
@@ -85,10 +160,12 @@ module Dependabot
       }.compact
     end
 
+    sig { returns(T::Boolean) }
     def appears_in_lockfile?
-      previous_version || (version && previous_requirements.nil?)
+      !!(previous_version || (version && previous_requirements.nil?))
     end
 
+    sig { returns(T::Boolean) }
     def production?
       return subdependency_production_check unless top_level?
 
@@ -99,10 +176,12 @@ module Dependabot
           .call(groups)
     end
 
+    sig { returns(T::Boolean) }
     def subdependency_production_check
       !subdependency_metadata&.all? { |h| h[:production] == false }
     end
 
+    sig { returns(String) }
     def display_name
       display_name_builder =
         self.class.display_name_builder_for_package_manager(package_manager)
@@ -111,6 +190,7 @@ module Dependabot
       display_name_builder.call(name)
     end
 
+    sig { returns(T.nilable(String)) }
     def humanized_previous_version
       # If we don't have a previous version, we *may* still be able to figure
       # one out if a ref was provided and has been changed (in which case the
@@ -119,48 +199,52 @@ module Dependabot
         return ref_changed? ? previous_ref : nil
       end
 
-      if previous_version.match?(/^[0-9a-f]{40}/)
+      if T.must(previous_version).match?(/^[0-9a-f]{40}/)
         return previous_ref if ref_changed? && previous_ref
 
-        "`#{previous_version[0..6]}`"
+        "`#{T.must(previous_version)[0..6]}`"
       elsif version == previous_version &&
             package_manager == "docker"
-        digest = docker_digest_from_reqs(previous_requirements)
-        "`#{digest.split(':').last[0..6]}`"
+        digest = docker_digest_from_reqs(T.must(previous_requirements))
+        "`#{T.must(T.must(digest).split(':').last)[0..6]}`"
       else
         previous_version
       end
     end
 
+    sig { returns(T.nilable(String)) }
     def humanized_version
       return if removed?
 
-      if version.match?(/^[0-9a-f]{40}/)
+      if T.must(version).match?(/^[0-9a-f]{40}/)
         return new_ref if ref_changed? && new_ref
 
-        "`#{version[0..6]}`"
+        "`#{T.must(version)[0..6]}`"
       elsif version == previous_version &&
             package_manager == "docker"
         digest = docker_digest_from_reqs(requirements)
-        "`#{digest.split(':').last[0..6]}`"
+        "`#{T.must(T.must(digest).split(':').last)[0..6]}`"
       else
         version
       end
     end
 
+    sig { params(requirements: T::Array[T::Hash[Symbol, T.untyped]]).returns(T.nilable(String)) }
     def docker_digest_from_reqs(requirements)
       requirements
         .filter_map { |r| r.dig(:source, "digest") || r.dig(:source, :digest) }
         .first
     end
 
+    sig { returns(T.nilable(String)) }
     def previous_ref
-      previous_refs = previous_requirements.filter_map do |r|
+      previous_refs = T.must(previous_requirements).filter_map do |r|
         r.dig(:source, "ref") || r.dig(:source, :ref)
       end.uniq
       previous_refs.first if previous_refs.count == 1
     end
 
+    sig { returns(T.nilable(String)) }
     def new_ref
       new_refs = requirements.filter_map do |r|
         r.dig(:source, "ref") || r.dig(:source, :ref)
@@ -168,12 +252,14 @@ module Dependabot
       new_refs.first if new_refs.count == 1
     end
 
+    sig { returns(T::Boolean) }
     def ref_changed?
       previous_ref != new_ref
     end
 
     # Returns all detected versions of the dependency. Only ecosystems that
     # support this feature will return more than the current version.
+    sig { returns(T::Array[T.nilable(String)]) }
     def all_versions
       all_versions = metadata[:all_versions]
       return [version].compact unless all_versions
@@ -184,34 +270,52 @@ module Dependabot
     # This dependency is being indirectly updated by an update to another
     # dependency. We don't need to try and update it ourselves but want to
     # surface it to the user in the PR.
+    sig { returns(T.nilable(T::Boolean)) }
     def informational_only?
       metadata[:information_only]
     end
 
+    sig { params(other: T.anything).returns(T::Boolean) }
     def ==(other)
-      other.instance_of?(self.class) && to_h == other.to_h
+      case other
+      when Dependency
+        to_h == other.to_h
+      else
+        false
+      end
     end
 
+    sig { returns(Integer) }
     def hash
       to_h.hash
     end
 
+    sig { params(other: T.anything).returns(T::Boolean) }
     def eql?(other)
       self == other
     end
 
+    sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
     def specific_requirements
       requirements.select { |r| requirement_class.new(r[:requirement]).specific? }
     end
 
+    sig { returns(T.class_of(Gem::Requirement)) }
     def requirement_class
       Utils.requirement_class_for_package_manager(package_manager)
     end
 
+    sig { returns(T.class_of(Dependabot::Version)) }
     def version_class
       Utils.version_class_for_package_manager(package_manager)
     end
 
+    sig do
+      params(
+        allowed_types: T.nilable(T::Array[String])
+      )
+        .returns(T.nilable(T::Hash[T.any(String, Symbol), T.untyped]))
+    end
     def source_details(allowed_types: nil)
       sources = all_sources.uniq.compact
       sources.select! { |source| allowed_types.include?(source[:type].to_s) } if allowed_types
@@ -225,6 +329,7 @@ module Dependabot
       sources.first
     end
 
+    sig { returns(T.nilable(String)) }
     def source_type
       details = source_details
       return "default" if details.nil?
@@ -232,11 +337,12 @@ module Dependabot
       details[:type] || details.fetch("type")
     end
 
+    sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
     def all_sources
       if top_level?
         requirements.map { |requirement| requirement.fetch(:source) }
       elsif subdependency_metadata
-        subdependency_metadata.filter_map { |data| data[:source] }
+        T.must(subdependency_metadata).filter_map { |data| data[:source] }
       else
         []
       end
@@ -244,6 +350,7 @@ module Dependabot
 
     private
 
+    sig { void }
     def check_values
       raise ArgumentError, "blank strings must not be provided as versions" if [version, previous_version].any?("")
 
@@ -251,6 +358,7 @@ module Dependabot
       check_subdependency_metadata
     end
 
+    sig { void }
     def check_requirement_fields
       requirement_fields = [requirements, previous_requirements].compact
       unless requirement_fields.all?(Array) &&
@@ -273,15 +381,17 @@ module Dependabot
       raise ArgumentError, "blank strings must not be provided as requirements"
     end
 
+    sig { void }
     def check_subdependency_metadata
       return unless subdependency_metadata
 
       unless subdependency_metadata.is_a?(Array) &&
-             subdependency_metadata.all?(Hash)
+             T.must(subdependency_metadata).all?(Hash)
         raise ArgumentError, "subdependency_metadata must be an array of hashes"
       end
     end
 
+    sig { params(hash: T::Hash[String, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
     def symbolize_keys(hash)
       hash.keys.to_h { |k| [k.to_sym, hash[k]] }
     end

data/lib/dependabot/dependency_file.rb

@@ -1,4 +1,4 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
 require "pathname"

data/lib/dependabot/errors.rb

@@ -5,6 +5,215 @@ require "sorbet-runtime"
 require "dependabot/utils"
 
 module Dependabot
+  # rubocop:disable Metrics/MethodLength
+  def self.fetcher_error_details(error)
+    case error
+    when Dependabot::ToolVersionNotSupported
+      {
+        "error-type": "tool_version_not_supported",
+        "error-detail": {
+          "tool-name": error.tool_name,
+          "detected-version": error.detected_version,
+          "supported-versions": error.supported_versions
+        }
+      }
+    when Dependabot::BranchNotFound
+      {
+        "error-type": "branch_not_found",
+        "error-detail": { "branch-name": error.branch_name }
+      }
+    when Dependabot::DirectoryNotFound
+      {
+        "error-type": "directory_not_found",
+        "error-detail": { "directory-name": error.directory_name }
+      }
+    when Dependabot::RepoNotFound
+      # This happens if the repo gets removed after a job gets kicked off.
+      # This also happens when a configured personal access token is not authz'd to fetch files from the job repo.
+      {
+        "error-type": "job_repo_not_found",
+        "error-detail": { message: error.message }
+      }
+    when Dependabot::DependencyFileNotParseable
+      {
+        "error-type": "dependency_file_not_parseable",
+        "error-detail": {
+          message: error.message,
+          "file-path": error.file_path
+        }
+      }
+    when Dependabot::DependencyFileNotFound
+      {
+        "error-type": "dependency_file_not_found",
+        "error-detail": { "file-path": error.file_path }
+      }
+    when Dependabot::OutOfDisk
+      {
+        "error-type": "out_of_disk",
+        "error-detail": {}
+      }
+    when Dependabot::PathDependenciesNotReachable
+      {
+        "error-type": "path_dependencies_not_reachable",
+        "error-detail": { dependencies: error.dependencies }
+      }
+    when Octokit::Unauthorized
+      { "error-type": "octokit_unauthorized" }
+    when Octokit::ServerError
+      # If we get a 500 from GitHub there's very little we can do about it,
+      # and responsibility for fixing it is on them, not us. As a result we
+      # quietly log these as errors
+      { "error-type": "server_error" }
+    when *Octokit::RATE_LIMITED_ERRORS
+      # If we get a rate-limited error we let dependabot-api handle the
+      # retry by re-enqueing the update job after the reset
+      {
+        "error-type": "octokit_rate_limited",
+        "error-detail": {
+          "rate-limit-reset": error.response_headers["X-RateLimit-Reset"]
+        }
+      }
+    end
+  end
+
+  def self.parser_error_details(error)
+    case error
+    when Dependabot::DependencyFileNotEvaluatable
+      {
+        "error-type": "dependency_file_not_evaluatable",
+        "error-detail": { message: error.message }
+      }
+    when Dependabot::DependencyFileNotResolvable
+      {
+        "error-type": "dependency_file_not_resolvable",
+        "error-detail": { message: error.message }
+      }
+    when Dependabot::BranchNotFound
+      {
+        "error-type": "branch_not_found",
+        "error-detail": { "branch-name": error.branch_name }
+      }
+    when Dependabot::DependencyFileNotParseable
+      {
+        "error-type": "dependency_file_not_parseable",
+        "error-detail": {
+          message: error.message,
+          "file-path": error.file_path
+        }
+      }
+    when Dependabot::DependencyFileNotFound
+      {
+        "error-type": "dependency_file_not_found",
+        "error-detail": { "file-path": error.file_path }
+      }
+    when Dependabot::PathDependenciesNotReachable
+      {
+        "error-type": "path_dependencies_not_reachable",
+        "error-detail": { dependencies: error.dependencies }
+      }
+    when Dependabot::PrivateSourceAuthenticationFailure
+      {
+        "error-type": "private_source_authentication_failure",
+        "error-detail": { source: error.source }
+      }
+    when Dependabot::GitDependenciesNotReachable
+      {
+        "error-type": "git_dependencies_not_reachable",
+        "error-detail": { "dependency-urls": error.dependency_urls }
+      }
+    when Dependabot::NotImplemented
+      {
+        "error-type": "not_implemented",
+        "error-detail": {
+          message: error.message
+        }
+      }
+    when Octokit::ServerError
+      # If we get a 500 from GitHub there's very little we can do about it,
+      # and responsibility for fixing it is on them, not us. As a result we
+      # quietly log these as errors
+      { "error-type": "server_error" }
+    end
+  end
+
+  def self.updater_error_details(error)
+    case error
+    when Dependabot::DependencyFileNotResolvable
+      {
+        "error-type": "dependency_file_not_resolvable",
+        "error-detail": { message: error.message }
+      }
+    when Dependabot::DependencyFileNotEvaluatable
+      {
+        "error-type": "dependency_file_not_evaluatable",
+        "error-detail": { message: error.message }
+      }
+    when Dependabot::GitDependenciesNotReachable
+      {
+        "error-type": "git_dependencies_not_reachable",
+        "error-detail": { "dependency-urls": error.dependency_urls }
+      }
+    when Dependabot::MisconfiguredTooling
+      {
+        "error-type": "misconfigured_tooling",
+        "error-detail": { "tool-name": error.tool_name, message: error.tool_message }
+      }
+    when Dependabot::GitDependencyReferenceNotFound
+      {
+        "error-type": "git_dependency_reference_not_found",
+        "error-detail": { dependency: error.dependency }
+      }
+    when Dependabot::PrivateSourceAuthenticationFailure
+      {
+        "error-type": "private_source_authentication_failure",
+        "error-detail": { source: error.source }
+      }
+    when Dependabot::PrivateSourceTimedOut
+      {
+        "error-type": "private_source_timed_out",
+        "error-detail": { source: error.source }
+      }
+    when Dependabot::PrivateSourceCertificateFailure
+      {
+        "error-type": "private_source_certificate_failure",
+        "error-detail": { source: error.source }
+      }
+    when Dependabot::MissingEnvironmentVariable
+      {
+        "error-type": "missing_environment_variable",
+        "error-detail": {
+          "environment-variable": error.environment_variable
+        }
+      }
+    when Dependabot::GoModulePathMismatch
+      {
+        "error-type": "go_module_path_mismatch",
+        "error-detail": {
+          "declared-path": error.declared_path,
+          "discovered-path": error.discovered_path,
+          "go-mod": error.go_mod
+        }
+      }
+    when Dependabot::NotImplemented
+      {
+        "error-type": "not_implemented",
+        "error-detail": {
+          message: error.message
+        }
+      }
+    when *Octokit::RATE_LIMITED_ERRORS
+      # If we get a rate-limited error we let dependabot-api handle the
+      # retry by re-enqueing the update job after the reset
+      {
+        "error-type": "octokit_rate_limited",
+        "error-detail": {
+          "rate-limit-reset": error.response_headers["X-RateLimit-Reset"]
+        }
+      }
+    end
+  end
+  # rubocop:enable Metrics/MethodLength
+
   class DependabotError < StandardError
     extend T::Sig
 
@@ -109,6 +318,31 @@ module Dependabot
   # File level errors #
   #####################
 
+  class MisconfiguredTooling < DependabotError
+    extend T::Sig
+
+    sig { returns(String) }
+    attr_reader :tool_name
+
+    sig { returns(String) }
+    attr_reader :tool_message
+
+    sig do
+      params(
+        tool_name: String,
+        tool_message: String
+      ).void
+    end
+    def initialize(tool_name, tool_message)
+      @tool_name = tool_name
+      @tool_message = tool_message
+
+      msg = "Dependabot detected that #{tool_name} is misconfigured in this repository. " \
+            "Running `#{tool_name.downcase}` results in the following error: #{tool_message}"
+      super(msg)
+    end
+  end
+
   class ToolVersionNotSupported < DependabotError
     extend T::Sig
 

data/lib/dependabot/file_updaters/base.rb

@@ -73,7 +73,7 @@ module Dependabot
 
       sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
       def requirement_changed?(file, dependency)
-        changed_requirements = dependency.requirements - dependency.previous_requirements
+        changed_requirements = dependency.requirements - T.must(dependency.previous_requirements)
 
         changed_requirements.any? { |f| f[:file] == file.name }
       end

data/lib/dependabot/git_commit_checker.rb

@@ -153,6 +153,12 @@ module Dependabot
       @local_tag_for_pinned_sha = most_specific_version_tag_for_sha(ref) if pinned_ref_looks_like_commit_sha?
     end
 
+    def version_for_pinned_sha
+      return unless local_tag_for_pinned_sha && version_class.correct?(local_tag_for_pinned_sha)
+
+      version_class.new(local_tag_for_pinned_sha)
+    end
+
     def git_repo_reachable?
       local_upload_pack
       true

data/lib/dependabot/git_metadata_fetcher.rb

@@ -1,49 +1,73 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "excon"
 require "open3"
+require "sorbet-runtime"
+
 require "dependabot/errors"
+require "dependabot/git_ref"
 
 module Dependabot
   class GitMetadataFetcher
+    extend T::Sig
+
     KNOWN_HOSTS = /github\.com|bitbucket\.org|gitlab.com/i
 
+    sig do
+      params(
+        url: String,
+        credentials: T::Array[T::Hash[String, String]]
+      )
+        .void
+    end
     def initialize(url:, credentials:)
       @url = url
       @credentials = credentials
     end
 
+    sig { returns(T.nilable(String)) }
     def upload_pack
-      @upload_pack ||= fetch_upload_pack_for(url)
+      @upload_pack ||= T.let(fetch_upload_pack_for(url), T.nilable(String))
     rescue Octokit::ClientError
       raise Dependabot::GitDependenciesNotReachable, [url]
     end
 
+    sig { returns(T::Array[GitRef]) }
     def tags
       return [] unless upload_pack
 
-      @tags ||= tags_for_upload_pack.map do |ref|
-        OpenStruct.new(
-          name: ref.name,
-          tag_sha: ref.ref_sha,
-          commit_sha: ref.commit_sha
-        )
-      end
+      @tags ||= T.let(
+        tags_for_upload_pack.map do |ref|
+          GitRef.new(
+            name: ref.name,
+            tag_sha: ref.ref_sha,
+            commit_sha: ref.commit_sha
+          )
+        end,
+        T.nilable(T::Array[GitRef])
+      )
     end
 
+    sig { returns(T::Array[GitRef]) }
     def tags_for_upload_pack
-      @tags_for_upload_pack ||= refs_for_upload_pack.select { |ref| ref.ref_type == :tag }
+      @tags_for_upload_pack ||= T.let(
+        refs_for_upload_pack.select { |ref| ref.ref_type == RefType::Tag },
+        T.nilable(T::Array[GitRef])
+      )
     end
 
+    sig { returns(T::Array[GitRef]) }
     def refs_for_upload_pack
-      @refs_for_upload_pack ||= parse_refs_for_upload_pack
+      @refs_for_upload_pack ||= T.let(parse_refs_for_upload_pack, T.nilable(T::Array[GitRef]))
     end
 
+    sig { returns(T::Array[String]) }
     def ref_names
       refs_for_upload_pack.map(&:name)
     end
 
+    sig { params(ref: String).returns(T.nilable(String)) }
     def head_commit_for_ref(ref)
       if ref == "HEAD"
         # Remove the opening clause of the upload pack as this isn't always
@@ -51,8 +75,8 @@ module Dependabot
         # causes problems for our `sha_for_update_pack_line` logic. The format
         # of this opening clause is documented at
         # https://git-scm.com/docs/http-protocol#_smart_server_response
-        line = upload_pack.gsub(/^[0-9a-f]{4}# service=git-upload-pack/, "")
-                          .lines.find { |l| l.include?(" HEAD") }
+        line = T.must(upload_pack).gsub(/^[0-9a-f]{4}# service=git-upload-pack/, "")
+                .lines.find { |l| l.include?(" HEAD") }
         return sha_for_update_pack_line(line) if line
       end
 
@@ -61,6 +85,7 @@ module Dependabot
         &.commit_sha
     end
 
+    sig { params(ref: String).returns(T.nilable(String)) }
     def head_commit_for_ref_sha(ref)
       refs_for_upload_pack
         .find { |r| r.ref_sha == ref }
@@ -69,8 +94,13 @@ module Dependabot
 
     private
 
-    attr_reader :url, :credentials
+    sig { returns(String) }
+    attr_reader :url
+
+    sig { returns(T::Array[T::Hash[String, String]]) }
+    attr_reader :credentials
 
+    sig { params(uri: String).returns(String) }
     def fetch_upload_pack_for(uri)
       response = fetch_raw_upload_pack_for(uri)
       return response.body if response.status == 200
@@ -97,6 +127,7 @@ module Dependabot
       raise Dependabot::GitDependenciesNotReachable, [uri]
     end
 
+    sig { params(uri: String).returns(Excon::Response) }
     def fetch_raw_upload_pack_for(uri)
       url = service_pack_uri(uri)
       url = url.rpartition("@").tap { |a| a.first.gsub!("@", "%40") }.join
@@ -107,6 +138,7 @@ module Dependabot
       )
     end
 
+    sig { params(uri: String).returns(T.untyped) }
     def fetch_raw_upload_pack_with_git_for(uri)
       service_pack_uri = uri
       service_pack_uri += ".git" unless service_pack_uri.end_with?(".git") || skip_git_suffix(uri)
@@ -129,11 +161,12 @@ module Dependabot
       end
     end
 
+    sig { returns(T::Array[GitRef]) }
     def parse_refs_for_upload_pack
       peeled_lines = []
 
-      result = upload_pack.lines.each_with_object({}) do |line, res|
-        full_ref_name = line.split.last
+      result = T.must(upload_pack).lines.each_with_object({}) do |line, res|
+        full_ref_name = T.must(line.split.last)
         next unless full_ref_name.start_with?("refs/tags", "refs/heads")
 
         (peeled_lines << line) && next if line.strip.end_with?("^{}")
@@ -141,10 +174,10 @@ module Dependabot
         ref_name = full_ref_name.sub(%r{^refs/(tags|heads)/}, "").strip
         sha = sha_for_update_pack_line(line)
 
-        res[ref_name] = OpenStruct.new(
+        res[ref_name] = GitRef.new(
           name: ref_name,
           ref_sha: sha,
-          ref_type: full_ref_name.start_with?("refs/tags") ? :tag : :head,
+          ref_type: full_ref_name.start_with?("refs/tags") ? RefType::Tag : RefType::Head,
           commit_sha: sha
         )
       end
@@ -162,6 +195,7 @@ module Dependabot
       result.values
     end
 
+    sig { params(uri: String).returns(String) }
     def service_pack_uri(uri)
       service_pack_uri = uri_with_auth(uri)
       service_pack_uri = service_pack_uri.gsub(%r{/$}, "")
@@ -169,6 +203,7 @@ module Dependabot
       service_pack_uri + "/info/refs?service=git-upload-pack"
     end
 
+    sig { params(uri: String).returns(T::Boolean) }
     def skip_git_suffix(uri)
       # TODO: Unlike the other providers (GitHub, GitLab, BitBucket), as of 2023-01-18 Azure DevOps does not support the
       # ".git" suffix. It will return a 404.
@@ -188,6 +223,7 @@ module Dependabot
 
     # Add in username and password if present in credentials.
     # Credentials are never present for production Dependabot.
+    sig { params(uri: String).returns(String) }
     def uri_with_auth(uri)
       uri = SharedHelpers.scp_to_standard(uri)
       uri = URI(uri)
@@ -196,7 +232,7 @@ module Dependabot
 
       uri.scheme = "https" if uri.scheme != "http"
 
-      if !uri.password && cred&.fetch("username", nil) && cred&.fetch("password", nil)
+      if !uri.password && cred && cred.fetch("username", nil) && cred.fetch("password", nil)
         # URI doesn't have authentication details, but we have credentials
         uri.user = URI.encode_www_form_component(cred["username"])
         uri.password = URI.encode_www_form_component(cred["password"])
@@ -205,10 +241,12 @@ module Dependabot
       uri.to_s
     end
 
+    sig { params(line: String).returns(String) }
     def sha_for_update_pack_line(line)
-      line.split.first.chars.last(40).join
+      T.must(line.split.first).chars.last(40).join
     end
 
+    sig { returns(T::Hash[Symbol, T.untyped]) }
     def excon_defaults
       # Some git hosts are slow when returning a large number of tags
       SharedHelpers.excon_defaults(read_timeout: 20)

data/lib/dependabot/git_ref.rb

@@ -0,0 +1,71 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  class GitRef
+    extend T::Sig
+
+    sig { returns(String) }
+    attr_accessor :name
+
+    sig { returns(String) }
+    attr_accessor :commit_sha
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :tag_sha
+
+    sig { returns(T.nilable(String)) }
+    attr_reader :ref_sha
+
+    sig { returns(T.nilable(RefType)) }
+    attr_reader :ref_type
+
+    sig do
+      params(
+        name: String,
+        commit_sha: String,
+        tag_sha: T.nilable(String),
+        ref_sha: T.nilable(String),
+        ref_type: T.nilable(RefType)
+      )
+        .void
+    end
+    def initialize(name:, commit_sha:, tag_sha: nil, ref_sha: nil, ref_type: nil)
+      @name = name
+      @commit_sha = commit_sha
+      @ref_sha = ref_sha
+      @tag_sha = tag_sha
+      @ref_type = ref_type
+    end
+
+    sig { params(other: BasicObject).returns(T::Boolean) }
+    def ==(other)
+      case other
+      when GitRef
+        to_h == other.to_h
+      else
+        false
+      end
+    end
+
+    sig { returns(T::Hash[Symbol, T.nilable(String)]) }
+    def to_h
+      {
+        name: name,
+        commit_sha: commit_sha,
+        tag_sha: tag_sha,
+        ref_sha: ref_sha,
+        ref_type: ref_type
+      }.compact
+    end
+  end
+
+  class RefType < T::Enum
+    enums do
+      Tag = new
+      Head = new
+    end
+  end
+end

data/lib/dependabot/pull_request_creator/message_builder.rb

@@ -85,7 +85,7 @@ module Dependabot
           msg = (msg[0..trunc_length] + tr_msg)
         end
         # if we used a custom encoding for calculating length, then we need to force back to UTF-8
-        msg.force_encoding(Encoding::UTF_8) unless pr_message_encoding.nil?
+        msg = msg.encode("utf-8", "binary", invalid: :replace, undef: :replace) unless pr_message_encoding.nil?
         msg
       end
 
@@ -162,7 +162,13 @@ module Dependabot
 
       def group_pr_name
         updates = dependencies.map(&:name).uniq.count
-        "bump the #{dependency_group.name} group#{pr_name_directory} with #{updates} update#{'s' if updates > 1}"
+
+        if source&.directories
+          "bump the #{dependency_group.name} across #{source.directories.count} directories " \
+            "with #{updates} update#{'s' if updates > 1}"
+        else
+          "bump the #{dependency_group.name} group#{pr_name_directory} with #{updates} update#{'s' if updates > 1}"
+        end
       end
 
       def pr_name_prefix
@@ -260,6 +266,8 @@ module Dependabot
       # rubocop:disable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/AbcSize
       def version_commit_message_intro
+        return multi_directory_group_intro if dependency_group && source&.directories
+
         return group_intro if dependency_group
 
         return multidependency_property_intro if dependencies.count > 1 && updating_a_property?
@@ -346,6 +354,42 @@ module Dependabot
         msg
       end
 
+      def multi_directory_group_intro
+        msg = ""
+
+        source.directories.each do |directory|
+          dependencies_in_directory = dependencies.select { |dep| dep.metadata[:directory] == directory }
+          next unless dependencies_in_directory.any?
+
+          update_count = dependencies_in_directory.map(&:name).uniq.count
+
+          msg += "Bumps the #{dependency_group.name} " \
+                 "with #{update_count} update#{update_count > 1 ? 's' : ''} in the #{directory} directory:"
+
+          msg += if update_count >= 5
+                   header = %w(Package From To)
+                   rows = dependencies_in_directory.map do |dep|
+                     [
+                       dependency_link(dep),
+                       "`#{dep.humanized_previous_version}`",
+                       "`#{dep.humanized_version}`"
+                     ]
+                   end
+                   "\n\n#{table([header] + rows)}"
+                 elsif update_count > 1
+                   dependency_links_in_directory = dependency_links_for_directory(directory)
+                   " #{dependency_links_in_directory[0..-2].join(', ')} and #{dependency_links_in_directory[-1]}."
+                 else
+                   dependency_links_in_directory = dependency_links_for_directory(directory)
+                   " #{dependency_links_in_directory.first}."
+                 end
+
+          msg += "\n"
+        end
+
+        msg
+      end
+
       def group_intro
         update_count = dependencies.map(&:name).uniq.count
 
@@ -427,6 +471,12 @@ module Dependabot
         @dependency_links = uniq_deps.map { |dep| dependency_link(dep) }
       end
 
+      def dependency_links_for_directory(directory)
+        dependencies_in_directory = dependencies.select { |dep| dep.metadata[:directory] == directory }
+        uniq_deps = dependencies_in_directory.each_with_object({}) { |dep, memo| memo[dep.name] ||= dep }.values
+        @dependency_links = uniq_deps.map { |dep| dependency_link(dep) }
+      end
+
       def dependency_link(dependency)
         if source_url(dependency)
           "[#{dependency.display_name}](#{source_url(dependency)})"
@@ -483,8 +533,8 @@ module Dependabot
         "| #{row.join(' | ')} |"
       end
 
-      def metadata_cascades
-        return metadata_cascades_for_dep(dependencies.first) if dependencies.one?
+      def metadata_cascades # rubocop:disable Metrics/PerceivedComplexity
+        return metadata_cascades_for_dep(dependencies.first) if dependencies.one? && !dependency_group
 
         dependencies.map do |dep|
           msg = if dep.removed?

data/lib/dependabot/workspace/base.rb

@@ -1,4 +1,4 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
 require "sorbet-runtime"

data/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.237.0"
+  VERSION = "0.238.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.237.0
+  version: 0.238.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-11-21 00:00:00.000000000 Z
+date: 2023-12-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-codecommit
@@ -154,6 +154,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 4.19.0
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.7'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -491,6 +505,7 @@ files:
 - lib/dependabot/file_updaters/vendor_updater.rb
 - lib/dependabot/git_commit_checker.rb
 - lib/dependabot/git_metadata_fetcher.rb
+- lib/dependabot/git_ref.rb
 - lib/dependabot/logger.rb
 - lib/dependabot/metadata_finders.rb
 - lib/dependabot/metadata_finders/README.md
@@ -542,7 +557,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.237.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.238.0
 post_install_message: 
 rdoc_options: []
 require_paths: