dependabot-common 0.241.0 → 0.242.0

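--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 5b381e33a32a95b7956fbcff6abec4736f2f190b4c8ab0eece99a2181037f52e
-data.tar.gz: 5006821762970d60de1f3682cd1931f9e86cd0d44d8b9d5ec6eb7778a3bf329a
+metadata.gz: 8b85f6eea900488026cdee04e04dd5b51df99f8bafcff4c83ae83c5dfeb54c63
+data.tar.gz: 30a4355a110f4be117fd9ece16d437f8a28704e75a7e0a62e4a5a5055c63e0cd
 SHA512:
-metadata.gz: 4d8272f9614610836187d6a34fc20acd78b0326d8759d633afc7879492f9edffc3189d148e643750f0f47c1fec54071545ff7d2981499f82c8273addb527fc36
-data.tar.gz: 4248ef1d9c5dce4afad397af2b557e8414a673d48351924255be59d211a0538b6f98ac73ce4f75458168379301be42c0b9a03517266ac6de8d2205346e95a8d3
+metadata.gz: c928acaa28bf821c081dd80afda5aa16551a09ab031a28ea60241742d23ffeb54186087fca915317d811b88881bbe6ce99f3b343f45d8efd538aee1c9b7524cd
+data.tar.gz: a2a4d975f4010b24077d4b558f8d1e4806230411b0d98983c58c7df5be2dd41a2e39868c1a346132743de560fdf28a059cbbb5800bae3ac19333008db3504591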
@@ -61,6 +61,7 @@ module Dependabot
61
61
  "bundler" => "bundler",
62
62
  "cargo" => "cargo",
63
63
  "composer" => "composer",
64
+ "devcontainer" => "devcontainers",
64
65
  "docker" => "docker",
65
66
  "elm" => "elm",
66
67
  "github-actions" => "github_actions",
@@ -103,7 +103,7 @@ module Dependabot
103
103
  sig { returns(T.nilable(T.any(T::Array[String], T::Hash[Symbol, T::Array[Integer]]))) }
104
104
  attr_reader :reviewers
105
105
 
106
- sig { returns(T.nilable(T::Array[String])) }
106
+ sig { returns(T.nilable(T.any(T::Array[String], T::Array[Integer]))) }
107
107
  attr_reader :assignees
108
108
 
109
109
  sig { returns(T.nilable(String)) }
@@ -150,8 +150,8 @@ module Dependabot
150
150
  signature_key: T.nilable(String),
151
151
  commit_message_options: T::Hash[Symbol, T.untyped],
152
152
  vulnerabilities_fixed: T::Hash[String, String],
153
- reviewers: T.nilable(T::Array[String]),
154
- assignees: T.nilable(T::Array[String]),
153
+ reviewers: T.nilable(T.any(T::Array[String], T::Hash[Symbol, T::Array[Integer]])),
154
+ assignees: T.nilable(T.any(T::Array[String], T::Array[Integer])),
155
155
  milestone: T.nilable(String),
156
156
  branch_name_separator: String,
157
157
  branch_name_prefix: String,
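Review bot: The widened sig on `attr_reader :assignees` in the -103 hunk and the matching constructor parameter in the -150 hunk now admit `T::Array[Integer]` as well as `T::Array[String]`, but nothing in either hunk says when a caller is expected to pass integers instead of strings; a short comment above the reader, roughly `# Integer entries are presumably provider-side numeric user ids, String entries are usernames; which form applies depends on the source client — confirm`, would spare the next maintainer a trip through the provider clients. `T.any(T::Array[String], T::Array[Integer])` also rejects a mixed array, which looks intentional but is worth stating in the same comment. In the -61 hunk `"devcontainer" => "devcontainers"` is the only visible entry whose key and value differ, so a one-line comment on why the right-hand name is pluralised would stop it being "corrected" later. The constructor around the -150 hunk starts and ends outside the hunk.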
@@ -1,31 +1,51 @@
1
- # typed: true
1
+ # typed: strong
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
4
5
  require "dependabot/version"
5
6
 
6
7
  module Dependabot
7
8
  class SecurityAdvisory
8
- attr_reader :dependency_name, :package_manager,
9
- :vulnerable_versions, :safe_versions,
10
- :vulnerable_version_strings
9
+ extend T::Sig
11
10
 
11
+ sig { returns(String) }
12
+ attr_reader :dependency_name
13
+
14
+ sig { returns(String) }
15
+ attr_reader :package_manager
16
+
17
+ sig { returns(T::Array[Dependabot::Requirement]) }
18
+ attr_reader :vulnerable_versions
19
+
20
+ sig { returns(T::Array[Dependabot::Requirement]) }
21
+ attr_reader :safe_versions
22
+
23
+ sig { returns(T::Array[T.any(String, Dependabot::Requirement)]) }
24
+ attr_reader :vulnerable_version_strings
25
+
26
+ sig do
27
+ params(
28
+ dependency_name: String,
29
+ package_manager: String,
30
+ vulnerable_versions: T.nilable(T::Array[Dependabot::Requirement]),
31
+ safe_versions: T.nilable(T::Array[T.any(String, Dependabot::Requirement)])
32
+ )
33
+ .void
34
+ end
12
35
  def initialize(dependency_name:, package_manager:,
13
36
  vulnerable_versions: [], safe_versions: [])
14
37
  @dependency_name = dependency_name
15
38
  @package_manager = package_manager
16
- @vulnerable_version_strings = vulnerable_versions || []
17
- @vulnerable_versions = []
18
- @safe_versions = safe_versions || []
39
+ @vulnerable_version_strings = T.let(vulnerable_versions || [], T::Array[T.any(String, Dependabot::Requirement)])
40
+ @vulnerable_versions = T.let([], T::Array[Dependabot::Requirement])
41
+ @safe_versions = T.let([], T::Array[Dependabot::Requirement])
19
42
 
20
- convert_string_version_requirements
43
+ convert_string_version_requirements(vulnerable_version_strings, safe_versions || [])
21
44
  check_version_requirements
22
45
  end
23
46
 
47
+ sig { params(version: Gem::Version).returns(T::Boolean) }
24
48
  def vulnerable?(version)
25
- unless version.is_a?(version_class) || version.instance_of?(Gem::Version)
26
- raise ArgumentError, "must be a #{version_class}"
27
- end
28
-
29
49
  in_safe_range = safe_versions
30
50
  .any? { |r| r.satisfied_by?(version) }
31
51
 
@@ -50,9 +70,10 @@ module Dependabot
50
70
  #
51
71
  # @param dependency [Dependabot::Dependency] Updated dependency
52
72
  # @return [Boolean]
73
+ sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
53
74
  def fixed_by?(dependency)
54
75
  # Handle case mismatch between the security advisory and parsed name
55
- return false unless dependency_name.casecmp(dependency.name).zero?
76
+ return false unless dependency_name.casecmp(dependency.name)&.zero?
56
77
  return false unless package_manager == dependency.package_manager
57
78
  # TODO: Support no previous version to the same level as dependency graph
58
79
  # and security alerts. We currently ignore dependency updates without a
@@ -61,19 +82,20 @@ module Dependabot
61
82
  return false unless version_class.correct?(dependency.previous_version)
62
83
 
63
84
  # Ignore deps that weren't previously vulnerable
64
- return false unless affects_version?(dependency.previous_version)
85
+ return false unless affects_version?(T.must(dependency.previous_version))
65
86
 
66
87
  # Removing a dependency is a way to fix the vulnerability
67
88
  return true if dependency.removed?
68
89
 
69
90
  # Select deps that are now fixed
70
- !affects_version?(dependency.version)
91
+ !affects_version?(T.must(dependency.version))
71
92
  end
72
93
 
73
94
  # Check if the version is affected by the advisory
74
95
  #
75
96
  # @param version [Dependabot::<Package Manager>::Version] version class
76
97
  # @return [Boolean]
98
+ sig { params(version: T.any(String, Gem::Version)).returns(T::Boolean) }
77
99
  def affects_version?(version)
78
100
  return false unless version_class.correct?(version)
79
101
  return false unless [*safe_versions, *vulnerable_versions].any?
@@ -96,7 +118,14 @@ module Dependabot
96
118
 
97
119
  private
98
120
 
99
- def convert_string_version_requirements
121
+ sig do
122
+ params(
123
+ vulnerable_version_strings: T::Array[T.any(String, Dependabot::Requirement)],
124
+ safe_versions: T::Array[T.any(String, Dependabot::Requirement)]
125
+ )
126
+ .void
127
+ end
128
+ def convert_string_version_requirements(vulnerable_version_strings, safe_versions)
100
129
  @vulnerable_versions = vulnerable_version_strings.flat_map do |vuln_str|
101
130
  next vuln_str unless vuln_str.is_a?(String)
102
131
 
@@ -110,6 +139,7 @@ module Dependabot
110
139
  end
111
140
  end
112
141
 
142
+ sig { void }
113
143
  def check_version_requirements
114
144
  unless vulnerable_versions.is_a?(Array) &&
115
145
  vulnerable_versions.all? { |i| requirement_class <= i.class }
@@ -124,10 +154,12 @@ module Dependabot
124
154
  end
125
155
  end
126
156
 
157
+ sig { returns(T.class_of(Gem::Version)) }
127
158
  def version_class
128
159
  Utils.version_class_for_package_manager(package_manager)
129
160
  end
130
161
 
162
+ sig { returns(T.class_of(Dependabot::Requirement)) }
131
163
  def requirement_class
132
164
  Utils.requirement_class_for_package_manager(package_manager)
133
165
  end
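Review bot: The `initialize` sig in the -1 hunk declares `vulnerable_versions: T.nilable(T::Array[Dependabot::Requirement])`, yet the value is immediately stored as `T::Array[T.any(String, Dependabot::Requirement)]` and `convert_string_version_requirements` in the -96 hunk still special-cases `vuln_str.is_a?(String)`, so string requirement lists — the form `safe_versions` explicitly allows — are rejected statically for `vulnerable_versions` even though the code handles them; the parameter should read `vulnerable_versions: T.nilable(T::Array[T.any(String, Dependabot::Requirement)])` to match `safe_versions`. Separately, `vulnerable?` drops the runtime `ArgumentError` guard (`version.is_a?(version_class) || version.instance_of?(Gem::Version)`) in favour of `sig { params(version: Gem::Version) }`, which is broader than the old check (any `Gem::Version` subclass, not just `version_class`), changes the error callers see to sorbet-runtime's `TypeError`, and disappears altogether if sig checking is turned down in production, so either keep the check or leave a comment explaining why the sig is considered sufficient. I cannot see whether `@safe_versions` is reassigned inside `convert_string_version_requirements` (that assignment, if any, falls outside the -96 hunk); if it is not, the new `@safe_versions = T.let([], ...)` leaves `safe_versions` permanently empty, which would make `vulnerable?` ignore the safe ranges. The bodies of `vulnerable?` and `convert_string_version_requirements` end outside their hunks.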
@@ -10,10 +10,10 @@ module Dependabot
10
10
 
11
11
  sig do
12
12
  params(
13
- versions_array: T::Array[T.any(Gem::Version, T::Hash[Symbol, String])],
13
+ versions_array: T::Array[T.any(Gem::Version, T::Hash[Symbol, Gem::Version])],
14
14
  security_advisories: T::Array[SecurityAdvisory]
15
15
  )
16
- .returns(T::Array[T.any(Gem::Version, T::Hash[Symbol, String])])
16
+ .returns(T::Array[T.any(Gem::Version, T::Hash[Symbol, Gem::Version])])
17
17
  end
18
18
  def self.filter_vulnerable_versions(versions_array, security_advisories)
19
19
  versions_array.reject do |v|
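--- a/data/lib/dependabot.rb
+++ b/data/lib/dependabot.rb
@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-VERSION = "0.241.0"
+VERSION = "0.242.0"
 end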
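--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-version: 0.241.0
+version: 0.242.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-18 00:00:00.000000000 Z
+date: 2024-01-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk-codecommit
@@ -572,7 +572,7 @@ licenses:
 - Nonstandard
 metadata:
 bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.241.0
+changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.242.0
 post_install_message:
 rdoc_options: []
 require_paths: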