dependabot-composer 0.124.7 → 0.125.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/dependabot/composer/file_updater/lockfile_updater.rb +5 -13
- data/lib/dependabot/composer/metadata_finder.rb +1 -3
- data/lib/dependabot/composer/update_checker.rb +3 -9
- data/lib/dependabot/composer/update_checker/latest_version_finder.rb +2 -6
- data/lib/dependabot/composer/update_checker/requirements_updater.rb +1 -3
- data/lib/dependabot/composer/update_checker/version_resolver.rb +4 -10
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 135a5f7d49020cb96d6ec31cdb1cac9ccee9b3bbca0d505bd669404d506555cd
|
|
4
|
+
data.tar.gz: 26eb03973de655de94afcac3581317f9e331222da7bff09fd8c462011a6296d1
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 83679402888978c2ac3cf99cb03242ed8e2367ef3ea98a8cc48aac00066ca2e383d77f1c212bb8309709977491891d61d83eb11821123987261286c4bd31a1d8
|
|
7
|
+
data.tar.gz: 0b53d43ec73f1ca3936da9b4b3f720826668a5824eaa2d427fee00f822e67bd996e8ef90d3b87305dc32be8c43ad3811e17bf035f5b4835d42293ecc916ed359
|
|
@@ -65,9 +65,7 @@ module Dependabot
|
|
|
65
65
|
updated_content = run_update_helper.fetch("composer.lock")
|
|
66
66
|
|
|
67
67
|
updated_content = post_process_lockfile(updated_content)
|
|
68
|
-
if lockfile.content == updated_content
|
|
69
|
-
raise "Expected content to change!"
|
|
70
|
-
end
|
|
68
|
+
raise "Expected content to change!" if lockfile.content == updated_content
|
|
71
69
|
|
|
72
70
|
updated_content
|
|
73
71
|
end
|
|
@@ -92,7 +90,7 @@ module Dependabot
|
|
|
92
90
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
93
91
|
SharedHelpers.run_helper_subprocess(
|
|
94
92
|
command: "php -d memory_limit=-1 #{php_helper_path}",
|
|
95
|
-
|
|
93
|
+
allow_unsafe_shell_command: true,
|
|
96
94
|
function: "update",
|
|
97
95
|
env: credentials_env,
|
|
98
96
|
args: [
|
|
@@ -159,9 +157,7 @@ module Dependabot
|
|
|
159
157
|
raise MissingExtensions, [missing_extension]
|
|
160
158
|
end
|
|
161
159
|
|
|
162
|
-
if error.message.start_with?("Failed to execute git checkout")
|
|
163
|
-
raise git_dependency_reference_error(error)
|
|
164
|
-
end
|
|
160
|
+
raise git_dependency_reference_error(error) if error.message.start_with?("Failed to execute git checkout")
|
|
165
161
|
|
|
166
162
|
# Special case for Laravel Nova, which will fall back to attempting
|
|
167
163
|
# to close a private repo if given invalid (or no) credentials
|
|
@@ -193,9 +189,7 @@ module Dependabot
|
|
|
193
189
|
raise DependencyFileNotResolvable, error.message
|
|
194
190
|
end
|
|
195
191
|
|
|
196
|
-
if error.message.start_with?("Allowed memory size")
|
|
197
|
-
raise Dependabot::OutOfMemory
|
|
198
|
-
end
|
|
192
|
+
raise Dependabot::OutOfMemory if error.message.start_with?("Allowed memory size")
|
|
199
193
|
|
|
200
194
|
if error.message.include?("403 Forbidden")
|
|
201
195
|
source = error.message.match(%r{https?://(?<source>[^/]+)/}).
|
|
@@ -457,9 +451,7 @@ module Dependabot
|
|
|
457
451
|
platform_php = parsed_composer_json.dig("config", "platform", "php")
|
|
458
452
|
|
|
459
453
|
platform = {}
|
|
460
|
-
if platform_php.is_a?(String) && requirement_valid?(platform_php)
|
|
461
|
-
platform["php"] = [platform_php]
|
|
462
|
-
end
|
|
454
|
+
platform["php"] = [platform_php] if platform_php.is_a?(String) && requirement_valid?(platform_php)
|
|
463
455
|
|
|
464
456
|
# Note: We *don't* include the require-dev PHP version in our initial
|
|
465
457
|
# platform. If we fail to resolve with the PHP version specified in
|
|
@@ -26,9 +26,7 @@ module Dependabot
|
|
|
26
26
|
|
|
27
27
|
def look_up_source_from_packagist
|
|
28
28
|
return nil if packagist_listing&.fetch("packages", nil) == []
|
|
29
|
-
unless packagist_listing&.dig("packages", dependency.name.downcase)
|
|
30
|
-
return nil
|
|
31
|
-
end
|
|
29
|
+
return nil unless packagist_listing&.dig("packages", dependency.name.downcase)
|
|
32
30
|
|
|
33
31
|
version_listings =
|
|
34
32
|
packagist_listing["packages"][dependency.name.downcase].
|
|
@@ -41,9 +41,7 @@ module Dependabot
|
|
|
41
41
|
def lowest_resolvable_security_fix_version
|
|
42
42
|
raise "Dependency not vulnerable!" unless vulnerable?
|
|
43
43
|
|
|
44
|
-
if defined?(@lowest_resolvable_security_fix_version)
|
|
45
|
-
return @lowest_resolvable_security_fix_version
|
|
46
|
-
end
|
|
44
|
+
return @lowest_resolvable_security_fix_version if defined?(@lowest_resolvable_security_fix_version)
|
|
47
45
|
|
|
48
46
|
@lowest_resolvable_security_fix_version =
|
|
49
47
|
fetch_lowest_resolvable_security_fix_version
|
|
@@ -72,9 +70,7 @@ module Dependabot
|
|
|
72
70
|
|
|
73
71
|
def requirements_update_strategy
|
|
74
72
|
# If passed in as an option (in the base class) honour that option
|
|
75
|
-
if @requirements_update_strategy
|
|
76
|
-
return @requirements_update_strategy.to_sym
|
|
77
|
-
end
|
|
73
|
+
return @requirements_update_strategy.to_sym if @requirements_update_strategy
|
|
78
74
|
|
|
79
75
|
# Otherwise, widen ranges for libraries and bump versions for apps
|
|
80
76
|
library? ? :widen_ranges : :bump_versions_if_necessary
|
|
@@ -149,9 +145,7 @@ module Dependabot
|
|
|
149
145
|
def latest_version_for_git_dependency
|
|
150
146
|
# If the dependency isn't pinned then we just want to check that it
|
|
151
147
|
# points to the latest commit on the relevant branch.
|
|
152
|
-
unless git_commit_checker.pinned?
|
|
153
|
-
return git_commit_checker.head_commit_for_current_branch
|
|
154
|
-
end
|
|
148
|
+
return git_commit_checker.head_commit_for_current_branch unless git_commit_checker.pinned?
|
|
155
149
|
|
|
156
150
|
# If the dependency is pinned to a tag that looks like a version then
|
|
157
151
|
# we want to update that tag. The latest version will then be the SHA
|
|
@@ -62,9 +62,7 @@ module Dependabot
|
|
|
62
62
|
versions_array.
|
|
63
63
|
reject { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
|
|
64
64
|
|
|
65
|
-
if @raise_on_ignored && filtered.empty? && versions_array.any?
|
|
66
|
-
raise AllVersionsIgnored
|
|
67
|
-
end
|
|
65
|
+
raise AllVersionsIgnored if @raise_on_ignored && filtered.empty? && versions_array.any?
|
|
68
66
|
|
|
69
67
|
filtered
|
|
70
68
|
end
|
|
@@ -81,9 +79,7 @@ module Dependabot
|
|
|
81
79
|
|
|
82
80
|
def wants_prerelease?
|
|
83
81
|
current_version = dependency.version
|
|
84
|
-
if current_version && version_class.new(current_version).prerelease?
|
|
85
|
-
return true
|
|
86
|
-
end
|
|
82
|
+
return true if current_version && version_class.new(current_version).prerelease?
|
|
87
83
|
|
|
88
84
|
dependency.requirements.any? do |req|
|
|
89
85
|
req[:requirement].match?(/\d-[A-Za-z]/)
|
|
@@ -144,9 +144,7 @@ module Dependabot
|
|
|
144
144
|
def update_version_string(req_string)
|
|
145
145
|
req_string.
|
|
146
146
|
sub(VERSION_REGEX) do |old_version|
|
|
147
|
-
unless req_string.match?(/[~*\^]/)
|
|
148
|
-
next latest_resolvable_version.to_s
|
|
149
|
-
end
|
|
147
|
+
next latest_resolvable_version.to_s unless req_string.match?(/[~*\^]/)
|
|
150
148
|
|
|
151
149
|
old_parts = old_version.split(".")
|
|
152
150
|
new_parts = latest_resolvable_version.to_s.split(".").
|
|
@@ -125,7 +125,7 @@ module Dependabot
|
|
|
125
125
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
126
126
|
SharedHelpers.run_helper_subprocess(
|
|
127
127
|
command: "php -d memory_limit=-1 #{php_helper_path}",
|
|
128
|
-
|
|
128
|
+
allow_unsafe_shell_command: true,
|
|
129
129
|
function: "get_latest_resolvable_version",
|
|
130
130
|
args: [
|
|
131
131
|
Dir.pwd,
|
|
@@ -156,9 +156,7 @@ module Dependabot
|
|
|
156
156
|
json = JSON.parse(content)
|
|
157
157
|
|
|
158
158
|
composer_platform_extensions.each do |extension, requirements|
|
|
159
|
-
unless version_for_reqs(requirements)
|
|
160
|
-
raise "No matching version for #{requirements}!"
|
|
161
|
-
end
|
|
159
|
+
raise "No matching version for #{requirements}!" unless version_for_reqs(requirements)
|
|
162
160
|
|
|
163
161
|
json["config"] ||= {}
|
|
164
162
|
json["config"]["platform"] ||= {}
|
|
@@ -223,9 +221,7 @@ module Dependabot
|
|
|
223
221
|
|
|
224
222
|
# If the original requirement is just a stability flag we append that
|
|
225
223
|
# flag to the requirement
|
|
226
|
-
if lower_bound.strip.start_with?("@")
|
|
227
|
-
return "<=#{latest_allowable_version}#{lower_bound.strip}"
|
|
228
|
-
end
|
|
224
|
+
return "<=#{latest_allowable_version}#{lower_bound.strip}" if lower_bound.strip.start_with?("@")
|
|
229
225
|
|
|
230
226
|
lower_bound + ", <= #{latest_allowable_version}"
|
|
231
227
|
end
|
|
@@ -439,9 +435,7 @@ module Dependabot
|
|
|
439
435
|
platform_php = parsed_composer_file.dig("config", "platform", "php")
|
|
440
436
|
|
|
441
437
|
platform = {}
|
|
442
|
-
if platform_php.is_a?(String) && requirement_valid?(platform_php)
|
|
443
|
-
platform["php"] = [platform_php]
|
|
444
|
-
end
|
|
438
|
+
platform["php"] = [platform_php] if platform_php.is_a?(String) && requirement_valid?(platform_php)
|
|
445
439
|
|
|
446
440
|
# Note: We *don't* include the require-dev PHP version in our initial
|
|
447
441
|
# platform. If we fail to resolve with the PHP version specified in
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-composer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.125.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-11-
|
|
11
|
+
date: 2020-11-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.125.3
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.125.3
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -128,14 +128,14 @@ dependencies:
|
|
|
128
128
|
requirements:
|
|
129
129
|
- - "~>"
|
|
130
130
|
- !ruby/object:Gem::Version
|
|
131
|
-
version: 0.
|
|
131
|
+
version: 0.8.0
|
|
132
132
|
type: :development
|
|
133
133
|
prerelease: false
|
|
134
134
|
version_requirements: !ruby/object:Gem::Requirement
|
|
135
135
|
requirements:
|
|
136
136
|
- - "~>"
|
|
137
137
|
- !ruby/object:Gem::Version
|
|
138
|
-
version: 0.
|
|
138
|
+
version: 0.8.0
|
|
139
139
|
- !ruby/object:Gem::Dependency
|
|
140
140
|
name: vcr
|
|
141
141
|
requirement: !ruby/object:Gem::Requirement
|