dependabot-common 0.95.39 → 0.95.40

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 44d06df1394265d2a9fa85b48d9264f9c8bf8a822f7b34cb77eceeb92eb87928
-  data.tar.gz: 417c0679c13fd9132156a7c5cc7b387fd7ee4064b4b4a1f73392c57d39ee1dc1
+  metadata.gz: 057043eb334d6bcab76bd43dded0ec14c45d73ca404ce828e71f66dead73a12b
+  data.tar.gz: 446809f0636d2493dbfb1c65db018da6b3862eaa958bd3878a07647ec8be204a
 SHA512:
-  metadata.gz: a8610f48f89482581aa44a556eb5dbfe6977575f73817cb80847437839353bbe7fe11cfe338be800a2d122b8636af5be45ef3c4b071b86133c3d553ed800cc4f
-  data.tar.gz: 4de4b5e865d2cc1b15f0e9ff5a0a0eb14f2886337f4575c44491f07883c0724906241eb16ddde7c9cd772c61fcc60462edce52bff7e21f2ec3d4f28080bd4a7f
+  metadata.gz: 6f5b862b611f07429c82c39e5b6d027d56577f9b878b60dd0ca4ed7eea994d7160076eb64dbc934a6b6ff12aeba46de7656ac7261bb875765d8e7717385a1e21
+  data.tar.gz: 402019c43f2351f1d05525db9f4d5bada85c4811a04a6f7089085e200513abe6b37a81c0ff4e61bbf2faf01d786c6e032c69fa2cefa794942dfa1fef725f48ff

data/lib/dependabot/metadata_finders/base/commits_finder.rb

@@ -52,12 +52,14 @@ module Dependabot
         def new_tag
           new_version = dependency.version
 
-          if git_source?(dependency.requirements) then new_version
-          else
-            tags = dependency_tags.
-                   select { |t| t =~ version_regex(new_version) }
-            tags.find { |t| t.include?(dependency.name) } || tags.first
-          end
+          return new_version if git_source?(dependency.requirements)
+
+          tags = dependency_tags.
+                 select { |t| t =~ version_regex(new_version) }
+
+          tags.find { |t| t.include?("#{dependency.name}@") } ||
+            tags.find { |t| t.include?(dependency.name) } ||
+            tags.first
         end
 
         private
@@ -70,7 +72,9 @@ module Dependabot
           elsif previous_version
             tags = dependency_tags.
                    select { |t| t =~ version_regex(previous_version) }
-            tags.find { |t| t.include?(dependency.name) } || tags.first
+            tags.find { |t| t.include?("#{dependency.name}@") } ||
+              tags.find { |t| t.include?(dependency.name) } ||
+              tags.first
           else
             lowest_tag_satisfying_previous_requirements
           end
@@ -82,7 +86,9 @@ module Dependabot
                  select { |t| satisfies_previous_reqs?(version_from_tag(t)) }.
                  sort_by { |t| version_from_tag(t) }
 
-          tags.find { |t| t.include?(dependency.name) } || tags.first
+          tags.find { |t| t.include?("#{dependency.name}@") } ||
+            tags.find { |t| t.include?(dependency.name) } ||
+            tags.first
         end
 
         def version_from_tag(tag)
@@ -148,18 +154,17 @@ module Dependabot
         end
 
         def github_compare_path(new_tag, previous_tag)
-          if new_tag && previous_tag
-            return "compare/#{previous_tag}...#{new_tag}"
-          end
-
-          unless reliable_source_directory? &&
-                 ![nil, ".", "/"].include?(source.directory)
-            return new_tag ? "commits/#{new_tag}" : "commits"
+          if part_of_monorepo?
+            # If part of a monorepo then we're better off linking to the commits
+            # for that directory than trying to put together a compare URL
+            Pathname.
+              new(File.join("commits/#{new_tag || 'HEAD'}", source.directory)).
+              cleanpath.to_path
+          elsif new_tag && previous_tag
+            "compare/#{previous_tag}...#{new_tag}"
+          else
+            new_tag ? "commits/#{new_tag}" : "commits"
           end
-
-          Pathname.
-            new(File.join("commits/#{new_tag || 'HEAD'}", source.directory)).
-            cleanpath.to_path
         end
 
         def bitbucket_compare_path(new_tag, previous_tag)
@@ -184,7 +189,22 @@ module Dependabot
 
         def fetch_github_commits
           commits =
-            github_client.compare(source.repo, previous_tag, new_tag).commits
+            if part_of_monorepo?
+              # If part of a monorepo we make two requests in order to get only
+              # the commits relevant to the given path
+              path = source.directory.gsub(%r{^[./]+}, "")
+              repo = source.repo
+
+              previous_commit_shas =
+                github_client.commits(repo, sha: previous_tag, path: path).
+                map(&:sha)
+
+              github_client.
+                commits(repo, sha: new_tag, path: path).
+                reject { |c| previous_commit_shas.include?(c.sha) }
+            else
+              github_client.compare(source.repo, previous_tag, new_tag).commits
+            end
           return [] unless commits
 
           commits.map do |commit|
@@ -244,6 +264,12 @@ module Dependabot
                                 for_bitbucket_dot_org(credentials: credentials)
         end
 
+        def part_of_monorepo?
+          return false unless reliable_source_directory?
+
+          ![nil, ".", "/"].include?(source.directory)
+        end
+
         def version_class
           Utils.version_class_for_package_manager(dependency.package_manager)
         end

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.95.39"
+  VERSION = "0.95.40"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-common
 version: !ruby/object:Gem::Version
-  version: 0.95.39
+  version: 0.95.40
 platform: ruby
 authors:
 - Dependabot
@@ -266,14 +266,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.61'
+        version: 0.64.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.61'
+        version: 0.64.0
 - !ruby/object:Gem::Dependency
   name: vcr
   requirement: !ruby/object:Gem::Requirement