dependabot-composer 0.214.0 → 0.216.0
- checksums.yaml +4 -4
- data/helpers/v1/composer.json +1 -1
- data/helpers/v1/composer.lock +6 -6
- data/helpers/v2/composer.json +1 -1
- data/helpers/v2/composer.lock +440 -245
- data/helpers/v2/src/UpdateChecker.php +5 -2
- data/helpers/v2/src/Updater.php +5 -2
- data/lib/dependabot/composer/metadata_finder.rb +15 -16
- data/lib/dependabot/composer/update_checker/latest_version_finder.rb +20 -3
- data/lib/dependabot/composer/update_checker/version_resolver.rb +1 -7
- data/lib/dependabot/composer/version.rb +2 -2
- metadata +35 -32
@@ -6,6 +6,7 @@ namespace Dependabot\Composer;
|
|
6
6
|
|
7
7
|
use Composer\DependencyResolver\Request;
|
8
8
|
use Composer\Factory;
|
9
|
+
use Composer\Filter\PlatformRequirementFilter\PlatformRequirementFilterFactory;
|
9
10
|
use Composer\Installer;
|
10
11
|
use Composer\Package\PackageInterface;
|
11
12
|
|
@@ -59,6 +60,8 @@ final class UpdateChecker
|
|
59
60
|
$composer->getAutoloadGenerator()
|
60
61
|
);
|
61
62
|
|
63
|
+
$composer->getEventDispatcher()->setRunScripts(false);
|
64
|
+
|
62
65
|
// For all potential options, see UpdateCommand in composer
|
63
66
|
$install
|
64
67
|
->setUpdate(true)
|
@@ -66,8 +69,8 @@ final class UpdateChecker
|
|
66
69
|
->setDevMode(true)
|
67
70
|
->setUpdateAllowTransitiveDependencies(Request::UPDATE_LISTED_WITH_TRANSITIVE_DEPS)
|
68
71
|
->setDumpAutoloader(false)
|
69
|
-
->
|
70
|
-
->
|
72
|
+
->setPlatformRequirementFilter(PlatformRequirementFilterFactory::fromBoolOrList(false))
|
73
|
+
->setAudit(false);
|
71
74
|
|
72
75
|
// if no lock is present, we do not do a partial update as
|
73
76
|
// this is not supported by the Installer
|
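--- a/data/helpers/v2/src/Updater.php
+++ b/data/helpers/v2/src/Updater.php
@@ -6,6 +6,7 @@ namespace Dependabot\Composer;
 
 use Composer\DependencyResolver\Request;
 use Composer\Factory;
+use Composer\Filter\PlatformRequirementFilter\PlatformRequirementFilterFactory;
 use Composer\Installer;
 
 final class Updater
@@ -74,6 +75,8 @@ final class Updater
 $composer->getAutoloadGenerator()
 );
 
+$composer->getEventDispatcher()->setRunScripts(false);
+
 // For all potential options, see UpdateCommand in composer
 $install
 ->setWriteLock(true)
@@ -84,8 +87,8 @@ final class Updater
 ->setUpdateAllowTransitiveDependencies(Request::UPDATE_LISTED_WITH_TRANSITIVE_DEPS)
 ->setExecuteOperations(true)
 ->setDumpAutoloader(false)
-->
-->
+->setPlatformRequirementFilter(PlatformRequirementFilterFactory::fromBoolOrList(false))
+->setAudit(false);
 
 $install->run();
 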
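Review bot: `$composer->getEventDispatcher()->setRunScripts(false);` at new line 78 is a security control with no comment saying why it is there, and it only covers composer.json scripts: with `->setExecuteOperations(true)` still set at line 88 the run installs packages, and Composer plugins shipped by those packages execute during install unless plugins were disabled where `$composer` is created, which is outside this hunk. I would add above line 78: `// composer.json is repository-controlled input: never run its scripts here (plugins must be disabled where $composer is built).` `->setAudit(false)` at line 91 also deserves a one-line comment stating why the advisory audit is skipped (presumably because Dependabot surfaces advisories itself), so nobody re-enables it later. The same lines are added to UpdateChecker.php in this release and should carry the same comments.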
@@ -28,27 +28,26 @@ module Dependabot
|
|
28
28
|
return nil if packagist_listing&.fetch("packages", nil) == []
|
29
29
|
return nil unless packagist_listing&.dig("packages", dependency.name.downcase)
|
30
30
|
|
31
|
-
version_listings =
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
Source.from_url(source_url)
|
31
|
+
version_listings = packagist_listing["packages"][dependency.name.downcase]
|
32
|
+
# Packagist returns an array of version listings sorted newest to oldest.
|
33
|
+
# So iterate until we find the first URL that appears to be a source URL.
|
34
|
+
#
|
35
|
+
# NOTE: Each listing may not have all fields because they are minified to remove duplicate elements:
|
36
|
+
# * https://github.com/composer/composer/blob/main/UPGRADE-2.0.md#for-composer-repository-implementors
|
37
|
+
# * https://github.com/composer/metadata-minifier
|
38
|
+
version_listings.each do |i|
|
39
|
+
[i["homepage"], i.dig("source", "url")].each do |url|
|
40
|
+
source_url = Source.from_url(url)
|
41
|
+
return source_url unless source_url.nil?
|
42
|
+
end
|
43
|
+
end
|
44
|
+
nil
|
46
45
|
end
|
47
46
|
|
48
47
|
def packagist_listing
|
49
48
|
return @packagist_listing unless @packagist_listing.nil?
|
50
49
|
|
51
|
-
response = Dependabot::RegistryClient.get(url: "https://packagist.org/
|
50
|
+
response = Dependabot::RegistryClient.get(url: "https://repo.packagist.org/p2/#{dependency.name.downcase}.json")
|
52
51
|
|
53
52
|
return nil unless response.status == 200
|
54
53
|
|
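Review bot: `Source.from_url(url)` at new line 40 is now reached with `nil` whenever a minified listing omits `homepage` or `source.url`, which the comment at lines 35-37 says is expected; `Source.from_url` is defined outside this file, so whether it tolerates nil is not visible here. `[i["homepage"], i.dig("source", "url")].compact.each do |url|` removes the doubt at no cost. The `each` at line 38 also assumes every listing is a Hash in an Array; a guard such as `return nil unless version_listings.is_a?(Array)` after line 31 would mirror the hash-or-array handling this release adds in the `@@ -142,7 +143,23 @@` hunk of the version finder, since that hunk documents that some registries still answer in the v1 hash shape.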
@@ -108,7 +108,7 @@ module Dependabot
|
|
108
108
|
map { |url| url.gsub(%r{\/$}, "") + "/packages.json" }
|
109
109
|
|
110
110
|
unless repositories.any? { |rep| rep["packagist.org"] == false }
|
111
|
-
urls << "https://packagist.org/
|
111
|
+
urls << "https://repo.packagist.org/p2/#{dependency.name.downcase}.json"
|
112
112
|
end
|
113
113
|
|
114
114
|
@registry_version_details = []
|
@@ -119,7 +119,8 @@ module Dependabot
|
|
119
119
|
end
|
120
120
|
|
121
121
|
def fetch_registry_versions_from_url(url)
|
122
|
-
|
122
|
+
url_host = URI(url).host
|
123
|
+
cred = registry_credentials.find { |c| url_host == c["registry"] || url_host == URI(c["registry"]).host }
|
123
124
|
|
124
125
|
response = Dependabot::RegistryClient.get(
|
125
126
|
url: url,
|
@@ -142,7 +143,23 @@ module Dependabot
|
|
142
143
|
return [] if listing.fetch("packages", []) == []
|
143
144
|
return [] unless listing.dig("packages", dependency.name.downcase)
|
144
145
|
|
145
|
-
|
146
|
+
# Packagist's Metadata API format:
|
147
|
+
# v1: "packages": {<package name>: {<version_number>: {hash of metadata for a particular release version}}}
|
148
|
+
# v2: "packages": {<package name>: [{hash of metadata for a particular release version}]}
|
149
|
+
version_listings = listing.dig("packages", dependency.name.downcase)
|
150
|
+
|
151
|
+
if version_listings.is_a?(Hash) # some private registries are still using the v1 format
|
152
|
+
# Regardless of API version, composer always reads the version from the metadata hash. So for the v1 API,
|
153
|
+
# ignore the keys as repositories other than packagist.org could be using different keys. Instead, coerce
|
154
|
+
# to an array of metadata hashes to match v2 format.
|
155
|
+
version_listings = version_listings.values
|
156
|
+
end
|
157
|
+
|
158
|
+
if version_listings.is_a?(Array)
|
159
|
+
version_listings.map { |i| i.fetch("version") }
|
160
|
+
else
|
161
|
+
[]
|
162
|
+
end
|
146
163
|
rescue JSON::ParserError
|
147
164
|
msg = "'#{url}' does not contain valid JSON"
|
148
165
|
raise DependencyFileNotResolvable, msg
|
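Review bot: The credential lookup at new line 123 matches on host alone, so a credential stored for `https://repo.example.com` is also attached to a request built from a `http://repo.example.com` or `https://repo.example.com:8443` entry in the manifest's `repositories` list (the URLs come from line 108 onward), which lets anyone who can edit composer.json downgrade a private-registry credential to plaintext HTTP or redirect it to another port; the removed line 122 is not legible on this page, so whether this loosens the previous matching cannot be told here. `URI(c["registry"])` also raises `URI::InvalidURIError` on a malformed registry string, aborting the whole version check instead of skipping that credential. I would compare scheme, host and port when the credential carries a scheme and make the parse tolerant, as below; `fetch_registry_versions_from_url` continues past the end of the hunk.
```ruby
def fetch_registry_versions_from_url(url)
  url_uri = URI(url)
  cred = registry_credentials.find do |c|
    registry = c["registry"]
    next true if registry == url_uri.host # bare-host credential

    registry_uri = URI(registry)
    registry_uri.host == url_uri.host &&
      registry_uri.scheme == url_uri.scheme &&
      registry_uri.port == url_uri.port
  rescue URI::InvalidURIError
    false # a malformed credential entry must not abort the whole lookup
  end
  # … unchanged: RegistryClient.get call …
```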
@@ -240,8 +240,6 @@ module Dependabot
|
|
240
240
|
# rubocop:disable Metrics/CyclomaticComplexity
|
241
241
|
# rubocop:disable Metrics/MethodLength
|
242
242
|
def handle_composer_errors(error)
|
243
|
-
sanitized_message = remove_url_credentials(error.message)
|
244
|
-
|
245
243
|
# Special case for Laravel Nova, which will fall back to attempting
|
246
244
|
# to close a private repo if given invalid (or no) credentials
|
247
245
|
if error.message.include?("github.com/laravel/nova.git")
|
@@ -255,7 +253,7 @@ module Dependabot
|
|
255
253
|
dependency_url = error.message.match(FAILED_GIT_CLONE).named_captures.fetch("url")
|
256
254
|
raise Dependabot::GitDependenciesNotReachable, clean_dependency_url(dependency_url)
|
257
255
|
elsif unresolvable_error?(error)
|
258
|
-
raise Dependabot::DependencyFileNotResolvable,
|
256
|
+
raise Dependabot::DependencyFileNotResolvable, error.message
|
259
257
|
elsif error.message.match?(MISSING_EXPLICIT_PLATFORM_REQ_REGEX)
|
260
258
|
# These errors occur when platform requirements declared explicitly
|
261
259
|
# in the composer.json aren't met.
|
@@ -520,10 +518,6 @@ module Dependabot
|
|
520
518
|
select { |cred| cred["type"] == "composer_repository" }.
|
521
519
|
select { |cred| cred["password"] }
|
522
520
|
end
|
523
|
-
|
524
|
-
def remove_url_credentials(message)
|
525
|
-
message.gsub(%r{(?<=://)[^\s]*:[^\s]*(?=@)}, "****")
|
526
|
-
end
|
527
521
|
end
|
528
522
|
end
|
529
523
|
end
|
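Review bot: `remove_url_credentials` is deleted (old lines 243 and 524-526) and new line 256 now raises `DependencyFileNotResolvable` with the raw `error.message`, so a Composer failure that echoes a repository URL carrying inline `https://user:token@host` credentials is surfaced verbatim to whatever logs or PR text consume that exception. Nothing in this diff replaces the scrub, and Composer redacts only some of its own messages, so unless another layer sanitizes exception text (not visible here) this reintroduces the leak the gsub guarded against. I would keep the helper and raise `remove_url_credentials(error.message)`, or at minimum add a comment at line 256 naming the layer that now performs the redaction. `handle_composer_errors` starts inside the hunk but its remaining branches run past it.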
@@ -1,7 +1,7 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
+
require "dependabot/version"
|
3
4
|
require "dependabot/utils"
|
4
|
-
require "rubygems_version_patch"
|
5
5
|
|
6
6
|
# PHP pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
|
7
7
|
# converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
|
@@ -9,7 +9,7 @@ require "rubygems_version_patch"
|
|
9
9
|
|
10
10
|
module Dependabot
|
11
11
|
module Composer
|
12
|
-
class Version <
|
12
|
+
class Version < Dependabot::Version
|
13
13
|
def initialize(version)
|
14
14
|
@version_string = version.to_s
|
15
15
|
super
|
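--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-composer
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.216.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2023-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.216.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.216.0
 - !ruby/object:Gem::Dependency
 name: debug
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - "~>"
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.7.1
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - "~>"
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.7.1
 - !ruby/object:Gem::Dependency
 name: gpgme
 requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 4.
+version: 4.2.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 4.
+version: 4.2.0
 - !ruby/object:Gem::Dependency
 name: rake
 requirement: !ruby/object:Gem::Requirement
@@ -86,70 +86,70 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.
+version: '3.12'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.
+version: '3.12'
 - !ruby/object:Gem::Dependency
 name: rspec-its
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '1.
+version: '1.3'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '1.
+version: '1.3'
 - !ruby/object:Gem::Dependency
 name: rubocop
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.48.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.48.0
 - !ruby/object:Gem::Dependency
 name: rubocop-performance
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.17.1
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.17.1
 - !ruby/object:Gem::Dependency
 name: simplecov
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.22.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.22.0
 - !ruby/object:Gem::Dependency
 name: simplecov-console
 requirement: !ruby/object:Gem::Requirement
@@ -182,33 +182,34 @@ dependencies:
 name: vcr
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - "~>"
 - !ruby/object:Gem::Version
-version: 6.1
+version: '6.1'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- -
+- - "~>"
 - !ruby/object:Gem::Version
-version: 6.1
+version: '6.1'
 - !ruby/object:Gem::Dependency
 name: webmock
 requirement: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.
+version: '3.18'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '3.
-description:
-
-
+version: '3.18'
+description: Dependabot-Composer provides support for bumping PHP (composer) libraries
+via Dependabot. If you want support for multiple package managers, you probably
+want the meta-gem dependabot-omnibus.
+email: opensource@github.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -255,7 +256,9 @@ files:
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard
-metadata:
+metadata:
+issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -271,8 +274,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: 3.1.0
 requirements: []
-rubygems_version: 3.3.
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
-summary:
+summary: Provides Dependabot support for PHP (composer)
 test_files: []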