dependabot-composer 0.128.2 → 0.129.0

data/helpers/v2/phpstan.neon

@@ -0,0 +1,5 @@
+parameters:
+	inferPrivatePropertyTypeFromConstructor: true
+	level: 5
+	paths:
+		- src

data/helpers/v2/src/DependabotInstallationManager.php

@@ -0,0 +1,67 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Dependabot\Composer;
+
+use Composer\DependencyResolver\Operation\InstallOperation;
+use Composer\DependencyResolver\Operation\UninstallOperation;
+use Composer\DependencyResolver\Operation\UpdateOperation;
+use Composer\Installer\InstallationManager;
+use Composer\Package\PackageInterface;
+use Composer\Repository\RepositoryInterface;
+
+final class DependabotInstallationManager extends InstallationManager
+{
+    private array $installed = [];
+    private array $updated = [];
+    private array $uninstalled = [];
+
+    public function execute(RepositoryInterface $repo, array $operations, $devMode = true, $runScripts = true): void
+    {
+        foreach ($operations as $operation) {
+            $method = $operation->getOperationType();
+            // NOTE: skipping download() step
+            $this->$method($repo, $operation);
+        }
+    }
+
+    public function install(RepositoryInterface $repo, InstallOperation $operation): void
+    {
+        $this->installed[] = $operation->getPackage();
+    }
+
+    public function update(RepositoryInterface $repo, UpdateOperation $operation): void
+    {
+        $this->updated[] = [$operation->getInitialPackage(), $operation->getTargetPackage()];
+    }
+
+    public function uninstall(RepositoryInterface $repo, UninstallOperation $operation): void
+    {
+        $this->uninstalled[] = $operation->getPackage();
+    }
+
+    /**
+     * @return PackageInterface[]
+     */
+    public function getInstalledPackages(): array
+    {
+        return $this->installed;
+    }
+
+    /**
+     * @return PackageInterface[]
+     */
+    public function getUpdatedPackages(): array
+    {
+        return $this->updated;
+    }
+
+    /**
+     * @return PackageInterface[]
+     */
+    public function getUninstalledPackages(): array
+    {
+        return $this->uninstalled;
+    }
+}

data/helpers/v2/src/DependabotPluginManager.php

@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Dependabot\Composer;
+
+use Composer\Package\PackageInterface;
+use Composer\Plugin\PluginManager;
+
+final class DependabotPluginManager extends PluginManager
+{
+    public function registerPackage(PackageInterface $package, $failOnMissingClasses = false, $isGlobalPlugin = false): void
+    {
+        // This package does some setup for PHP_CodeSniffer, but errors out the
+        // install if Symfony isn't installed (which it won't be for a lockfile
+        // only install run). Safe to ignore
+        if (strpos($package->getName(), 'phpcodesniffer') !== false) {
+            return;
+        }
+
+        parent::registerPackage($package, $failOnMissingClasses, $isGlobalPlugin);
+    }
+}

data/helpers/v2/src/ExceptionIO.php

@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Dependabot\Composer;
+
+use Composer\IO\NullIO;
+
+final class ExceptionIO extends NullIO
+{
+    private bool $raise_next_error = false;
+
+    public function writeError($messages, $newline = true, $verbosity = self::NORMAL): void
+    {
+        if (is_array($messages)) {
+            return;
+        }
+        if ($this->raise_next_error) {
+            throw new \RuntimeException('Your requirements could not be resolved to an installable set of packages.' . $messages);
+        }
+        if (strpos($messages, 'Your requirements could not be resolved') !== false) {
+            $this->raise_next_error = true;
+        }
+    }
+}

data/helpers/v2/src/Hasher.php

@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Dependabot\Composer;
+
+use Composer\Package\Locker;
+
+final class Hasher
+{
+    /**
+     * @throws \RuntimeException
+     */
+    public static function getContentHash(array $args): string
+    {
+        [$workingDirectory] = $args;
+
+        $config = $workingDirectory . '/composer.json';
+
+        $contents = file_get_contents($config);
+
+        if (!is_string($contents)) {
+            throw new \RuntimeException(sprintf('Failed to load contents of "%s".', $config));
+        }
+
+        return Locker::getContentHash($contents);
+    }
+}

data/helpers/v2/src/UpdateChecker.php

@@ -0,0 +1,133 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Dependabot\Composer;
+
+use Composer\DependencyResolver\Request;
+use Composer\Factory;
+use Composer\Installer;
+use Composer\Package\PackageInterface;
+use Composer\Util\Filesystem;
+
+final class UpdateChecker
+{
+    public static function getLatestResolvableVersion(array $args): ?string
+    {
+        [$workingDirectory, $dependencyName, $gitCredentials, $registryCredentials] = $args;
+
+        $httpBasicCredentials = [];
+
+        foreach ($gitCredentials as $credentials) {
+            $httpBasicCredentials[$credentials['host']] = [
+                'username' => $credentials['username'],
+                'password' => $credentials['password'],
+            ];
+        }
+
+        foreach ($registryCredentials as $credentials) {
+            $httpBasicCredentials[$credentials['registry']] = [
+                'username' => $credentials['username'],
+                'password' => $credentials['password'],
+            ];
+        }
+
+        $io = new ExceptionIO();
+
+        $composer = Factory::create($io, $workingDirectory . '/composer.json');
+
+        $config = $composer->getConfig();
+
+        if (0 < count($httpBasicCredentials)) {
+            $config->merge([
+                'config' => [
+                    'http-basic' => $httpBasicCredentials,
+                ],
+            ]);
+
+            $io->loadConfiguration($config);
+        }
+
+        $installationManager = new DependabotInstallationManager($composer->getLoop(), $io);
+
+        $fs = new Filesystem(null);
+        $binaryInstaller = new Installer\BinaryInstaller($io, rtrim($composer->getConfig()->get('bin-dir'), '/'), $composer->getConfig()->get('bin-compat'), $fs);
+
+        $installationManager->addInstaller(new Installer\LibraryInstaller($io, $composer, null, $fs, $binaryInstaller));
+        $installationManager->addInstaller(new Installer\PluginInstaller($io, $composer, $fs, $binaryInstaller));
+        $installationManager->addInstaller(new Installer\MetapackageInstaller($io));
+
+        $install = new Installer(
+            $io,
+            $config,
+            $composer->getPackage(),
+            $composer->getDownloadManager(),
+            $composer->getRepositoryManager(),
+            $composer->getLocker(),
+            $installationManager,
+            $composer->getEventDispatcher(),
+            $composer->getAutoloadGenerator()
+        );
+
+        // For all potential options, see UpdateCommand in composer
+        $install
+            ->setUpdate(true)
+            ->setDevMode(true)
+            ->setUpdateAllowTransitiveDependencies(Request::UPDATE_LISTED_WITH_TRANSITIVE_DEPS)
+            ->setDumpAutoloader(false)
+            ->setRunScripts(false)
+            ->setIgnorePlatformRequirements(false);
+
+        // if no lock is present, we do not do a partial update as
+        // this is not supported by the Installer
+        if ($composer->getLocker()->isLocked()) {
+            $install->setUpdateAllowList([$dependencyName]);
+        }
+
+        $install->run();
+
+        $installedPackages = $installationManager->getInstalledPackages();
+
+        $updatedPackage = current(array_filter($installedPackages, static function (PackageInterface $package) use ($dependencyName): bool {
+            return $package->getName() === $dependencyName;
+        }));
+
+        // We found the package in the list of updated packages. Return its version.
+        if ($updatedPackage instanceof PackageInterface) {
+            return preg_replace('/^([v])/', '', $updatedPackage->getPrettyVersion());
+        }
+
+        // We didn't find the package in the list of updated packages. Check if
+        // it was replaced by another package (in which case we can ignore).
+        foreach ($composer->getPackage()->getReplaces() as $link) {
+            if ($link->getTarget() === $dependencyName) {
+                return null;
+            }
+        }
+
+        foreach ($installedPackages as $package) {
+            foreach ($package->getReplaces() as $link) {
+                if ($link->getTarget() === $dependencyName) {
+                    return null;
+                }
+            }
+        }
+
+        // Similarly, check if the package was provided by any other package.
+        foreach ($composer->getPackage()->getProvides() as $link) {
+            if ($link->getTarget() === $dependencyName) {
+                return preg_replace('/^([v])/', '', $link->getPrettyConstraint());
+            }
+        }
+
+        foreach ($installedPackages as $package) {
+            foreach ($package->getProvides() as $link) {
+                if ($link->getTarget() === $dependencyName) {
+                    return preg_replace('/^([v])/', '', $link->getPrettyConstraint());
+                }
+            }
+        }
+
+        throw new \RuntimeException('Package not found in updated packages!');
+    }
+}

data/helpers/v2/src/Updater.php

@@ -0,0 +1,99 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Dependabot\Composer;
+
+use Composer\DependencyResolver\Request;
+use Composer\Factory;
+use Composer\Installer;
+
+final class Updater
+{
+    /**
+     * @throws \RuntimeException
+     */
+    public static function update(array $args): array
+    {
+        [$workingDirectory, $dependencyName, $dependencyVersion, $gitCredentials, $registryCredentials] = $args;
+
+        // Change working directory to the one provided, this ensures that we
+        // install dependencies into the working dir, rather than a vendor folder
+        // in the root of the project
+        $originalDir = getcwd();
+
+        if (!is_string($originalDir)) {
+            throw new \RuntimeException('Failed determining the current working directory.');
+        }
+
+        chdir($workingDirectory);
+
+        $io = new ExceptionIO();
+        $composer = Factory::create($io);
+        $config = $composer->getConfig();
+        $httpBasicCredentials = [];
+
+        $pm = new DependabotPluginManager($io, $composer, null, false);
+        $composer->setPluginManager($pm);
+        $pm->loadInstalledPlugins();
+
+        foreach ($gitCredentials as &$cred) {
+            $httpBasicCredentials[$cred['host']] = [
+                'username' => $cred['username'],
+                'password' => $cred['password'],
+            ];
+        }
+
+        foreach ($registryCredentials as &$cred) {
+            $httpBasicCredentials[$cred['registry']] = [
+                'username' => $cred['username'],
+                'password' => $cred['password'],
+            ];
+        }
+
+        if ($httpBasicCredentials) {
+            $config->merge(
+                [
+                    'config' => [
+                        'http-basic' => $httpBasicCredentials,
+                    ],
+                ]
+            );
+            $io->loadConfiguration($config);
+        }
+
+        $install = new Installer(
+            $io,
+            $config,
+            $composer->getPackage(),
+            $composer->getDownloadManager(),
+            $composer->getRepositoryManager(),
+            $composer->getLocker(),
+            $composer->getInstallationManager(),
+            $composer->getEventDispatcher(),
+            $composer->getAutoloadGenerator()
+        );
+
+        // For all potential options, see UpdateCommand in composer
+        $install
+            ->setWriteLock(true)
+            ->setUpdate(true)
+            ->setDevMode(true)
+            ->setUpdateAllowList([$dependencyName])
+            ->setUpdateAllowTransitiveDependencies(Request::UPDATE_LISTED_WITH_TRANSITIVE_DEPS)
+            ->setExecuteOperations(true)
+            ->setDumpAutoloader(false)
+            ->setRunScripts(false)
+            ->setIgnorePlatformRequirements(false);
+
+        $install->run();
+
+        $result = [
+            'composer.lock' => file_get_contents('composer.lock'),
+        ];
+
+        chdir($originalDir);
+
+        return $result;
+    }
+}

data/lib/dependabot/composer/file_updater/lockfile_updater.rb

@@ -34,6 +34,7 @@ module Dependabot
             (?<!with|for|by)\sext\-[^\s/]+\s.*?\s(?=->)|
             (?<=requires\s)php(?:\-[^\s/]+)?\s.*?\s(?=->)
           }x.freeze
+        MISSING_ENV_VAR_REGEX = /Environment variable '(?<env_var>.[^']+)' is not set/.freeze
 
         def initialize(dependencies:, dependency_files:, credentials:)
           @dependencies = dependencies
@@ -179,10 +180,21 @@ module Dependabot
             raise GitDependenciesNotReachable, dependency_url
           end
 
-          if error.message.start_with?("Could not find a key for ACF PRO")
+          # NOTE: This matches an error message from composer plugins used to install ACF PRO
+          # https://github.com/PhilippBaschke/acf-pro-installer/blob/772cec99c6ef8bc67ba6768419014cc60d141b27/src/ACFProInstaller/Exceptions/MissingKeyException.php#L14
+          # https://github.com/pivvenit/acf-pro-installer/blob/f2d4812839ee2c333709b0ad4c6c134e4c25fd6d/src/Exceptions/MissingKeyException.php#L25
+          if error.message.start_with?("Could not find a key for ACF PRO") ||
+             error.message.start_with?("Could not find a license key for ACF PRO")
             raise MissingEnvironmentVariable, "ACF_PRO_KEY"
           end
 
+          # NOTE: This matches error output from a composer plugin (private-composer-installer):
+          # https://github.com/ffraenz/private-composer-installer/blob/8655e3da4e8f99203f13ccca33b9ab953ad30a31/src/Exception/MissingEnvException.php#L22
+          if error.message.match?(MISSING_ENV_VAR_REGEX)
+            env_var = error.message.match(MISSING_ENV_VAR_REGEX).named_captures.fetch("env_var")
+            raise MissingEnvironmentVariable, env_var
+          end
+
           if error.message.start_with?("Unknown downloader type: npm-sign") ||
              error.message.include?("file could not be downloaded") ||
              error.message.include?("configuration does not allow connect")
@@ -197,6 +209,7 @@ module Dependabot
             raise PrivateSourceAuthenticationFailure, source
           end
 
+          # NOTE: This error is raised by composer v1
           if error.message.include?("Argument 1 passed to Composer")
             msg = "One of your Composer plugins is not compatible with the "\
                   "latest version of Composer. Please update Composer and "\
@@ -204,6 +217,12 @@ module Dependabot
             raise DependencyFileNotResolvable, msg
           end
 
+          # NOTE: This error is raised by composer v2 and includes helpful
+          # information about which plugins or dependencies are not compatible
+          if error.message.include?("Your requirements could not be resolved")
+            raise DependencyFileNotResolvable, error.message
+          end
+
           raise error
         end
         # rubocop:enable Metrics/AbcSize
@@ -425,7 +444,17 @@ module Dependabot
         end
 
         def php_helper_path
-          NativeHelpers.composer_helper_path
+          NativeHelpers.composer_helper_path(composer_version: composer_version)
+        end
+
+        def composer_version
+          @composer_version ||=
+            begin
+              return "v2" unless parsed_lockfile["plugin-api-version"]
+
+              version = Version.new(parsed_lockfile["plugin-api-version"])
+              version.canonical_segments.first == 1 ? "v1" : "v2"
+            end
         end
 
         def credentials_env