dependabot-composer 0.214.0 → 0.216.0

data/helpers/v2/src/UpdateChecker.php

@@ -6,6 +6,7 @@ namespace Dependabot\Composer;
 
 use Composer\DependencyResolver\Request;
 use Composer\Factory;
+use Composer\Filter\PlatformRequirementFilter\PlatformRequirementFilterFactory;
 use Composer\Installer;
 use Composer\Package\PackageInterface;
 
@@ -59,6 +60,8 @@ final class UpdateChecker
             $composer->getAutoloadGenerator()
         );
 
+        $composer->getEventDispatcher()->setRunScripts(false);
+
         // For all potential options, see UpdateCommand in composer
         $install
             ->setUpdate(true)
@@ -66,8 +69,8 @@ final class UpdateChecker
             ->setDevMode(true)
             ->setUpdateAllowTransitiveDependencies(Request::UPDATE_LISTED_WITH_TRANSITIVE_DEPS)
             ->setDumpAutoloader(false)
-            ->setRunScripts(false)
-            ->setIgnorePlatformRequirements(false);
+            ->setPlatformRequirementFilter(PlatformRequirementFilterFactory::fromBoolOrList(false))
+            ->setAudit(false);
 
         // if no lock is present, we do not do a partial update as
         // this is not supported by the Installer

data/helpers/v2/src/Updater.php

@@ -6,6 +6,7 @@ namespace Dependabot\Composer;
 
 use Composer\DependencyResolver\Request;
 use Composer\Factory;
+use Composer\Filter\PlatformRequirementFilter\PlatformRequirementFilterFactory;
 use Composer\Installer;
 
 final class Updater
@@ -74,6 +75,8 @@ final class Updater
             $composer->getAutoloadGenerator()
         );
 
+        $composer->getEventDispatcher()->setRunScripts(false);
+
         // For all potential options, see UpdateCommand in composer
         $install
             ->setWriteLock(true)
@@ -84,8 +87,8 @@ final class Updater
             ->setUpdateAllowTransitiveDependencies(Request::UPDATE_LISTED_WITH_TRANSITIVE_DEPS)
             ->setExecuteOperations(true)
             ->setDumpAutoloader(false)
-            ->setRunScripts(false)
-            ->setIgnorePlatformRequirements(false);
+            ->setPlatformRequirementFilter(PlatformRequirementFilterFactory::fromBoolOrList(false))
+            ->setAudit(false);
 
         $install->run();
 

data/lib/dependabot/composer/metadata_finder.rb

@@ -28,27 +28,26 @@ module Dependabot
         return nil if packagist_listing&.fetch("packages", nil) == []
         return nil unless packagist_listing&.dig("packages", dependency.name.downcase)
 
-        version_listings =
-          packagist_listing["packages"][dependency.name.downcase].
-          select { |version, _| Composer::Version.correct?(version) }.
-          sort_by { |version, _| Composer::Version.new(version) }.
-          map { |_, listing| listing }.
-          reverse
-
-        potential_source_urls =
-          version_listings.
-          flat_map { |info| [info["homepage"], info.dig("source", "url")] }.
-          compact
-
-        source_url = potential_source_urls.find { |url| Source.from_url(url) }
-
-        Source.from_url(source_url)
+        version_listings = packagist_listing["packages"][dependency.name.downcase]
+        # Packagist returns an array of version listings sorted newest to oldest.
+        # So iterate until we find the first URL that appears to be a source URL.
+        #
+        # NOTE: Each listing may not have all fields because they are minified to remove duplicate elements:
+        # * https://github.com/composer/composer/blob/main/UPGRADE-2.0.md#for-composer-repository-implementors
+        # * https://github.com/composer/metadata-minifier
+        version_listings.each do |i|
+          [i["homepage"], i.dig("source", "url")].each do |url|
+            source_url = Source.from_url(url)
+            return source_url unless source_url.nil?
+          end
+        end
+        nil
       end
 
       def packagist_listing
         return @packagist_listing unless @packagist_listing.nil?
 
-        response = Dependabot::RegistryClient.get(url: "https://packagist.org/p/#{dependency.name.downcase}.json")
+        response = Dependabot::RegistryClient.get(url: "https://repo.packagist.org/p2/#{dependency.name.downcase}.json")
 
         return nil unless response.status == 200
 

data/lib/dependabot/composer/update_checker/latest_version_finder.rb

@@ -108,7 +108,7 @@ module Dependabot
                  map { |url| url.gsub(%r{\/$}, "") + "/packages.json" }
 
           unless repositories.any? { |rep| rep["packagist.org"] == false }
-            urls << "https://packagist.org/p/#{dependency.name.downcase}.json"
+            urls << "https://repo.packagist.org/p2/#{dependency.name.downcase}.json"
           end
 
           @registry_version_details = []
@@ -119,7 +119,8 @@ module Dependabot
         end
 
         def fetch_registry_versions_from_url(url)
-          cred = registry_credentials.find { |c| url.include?(c["registry"]) }
+          url_host = URI(url).host
+          cred = registry_credentials.find { |c| url_host == c["registry"] || url_host == URI(c["registry"]).host }
 
           response = Dependabot::RegistryClient.get(
             url: url,
@@ -142,7 +143,23 @@ module Dependabot
           return [] if listing.fetch("packages", []) == []
           return [] unless listing.dig("packages", dependency.name.downcase)
 
-          listing.dig("packages", dependency.name.downcase).keys
+          # Packagist's Metadata API format:
+          # v1: "packages": {<package name>: {<version_number>: {hash of metadata for a particular release version}}}
+          # v2: "packages": {<package name>: [{hash of metadata for a particular release version}]}
+          version_listings = listing.dig("packages", dependency.name.downcase)
+
+          if version_listings.is_a?(Hash) # some private registries are still using the v1 format
+            # Regardless of API version, composer always reads the version from the metadata hash. So for the v1 API,
+            # ignore the keys as repositories other than packagist.org could be using different keys. Instead, coerce
+            # to an array of metadata hashes to match v2 format.
+            version_listings = version_listings.values
+          end
+
+          if version_listings.is_a?(Array)
+            version_listings.map { |i| i.fetch("version") }
+          else
+            []
+          end
         rescue JSON::ParserError
           msg = "'#{url}' does not contain valid JSON"
           raise DependencyFileNotResolvable, msg

data/lib/dependabot/composer/update_checker/version_resolver.rb

@@ -240,8 +240,6 @@ module Dependabot
         # rubocop:disable Metrics/CyclomaticComplexity
         # rubocop:disable Metrics/MethodLength
         def handle_composer_errors(error)
-          sanitized_message = remove_url_credentials(error.message)
-
           # Special case for Laravel Nova, which will fall back to attempting
           # to close a private repo if given invalid (or no) credentials
           if error.message.include?("github.com/laravel/nova.git")
@@ -255,7 +253,7 @@ module Dependabot
             dependency_url = error.message.match(FAILED_GIT_CLONE).named_captures.fetch("url")
             raise Dependabot::GitDependenciesNotReachable, clean_dependency_url(dependency_url)
           elsif unresolvable_error?(error)
-            raise Dependabot::DependencyFileNotResolvable, sanitized_message
+            raise Dependabot::DependencyFileNotResolvable, error.message
           elsif error.message.match?(MISSING_EXPLICIT_PLATFORM_REQ_REGEX)
             # These errors occur when platform requirements declared explicitly
             # in the composer.json aren't met.
@@ -520,10 +518,6 @@ module Dependabot
             select { |cred| cred["type"] == "composer_repository" }.
             select { |cred| cred["password"] }
         end
-
-        def remove_url_credentials(message)
-          message.gsub(%r{(?<=://)[^\s]*:[^\s]*(?=@)}, "****")
-        end
       end
     end
   end

data/lib/dependabot/composer/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
+require "dependabot/version"
 require "dependabot/utils"
-require "rubygems_version_patch"
 
 # PHP pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
 # converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
@@ -9,7 +9,7 @@ require "rubygems_version_patch"
 
 module Dependabot
   module Composer
-    class Version < Gem::Version
+    class Version < Dependabot::Version
       def initialize(version)
         @version_string = version.to_s
         super

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-composer
 version: !ruby/object:Gem::Version
-  version: 0.214.0
+  version: 0.216.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-12-01 00:00:00.000000000 Z
+date: 2023-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.214.0
+        version: 0.216.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.214.0
+        version: 0.216.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
 - !ruby/object:Gem::Dependency
   name: gpgme
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -86,70 +86,70 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
 - !ruby/object:Gem::Dependency
   name: simplecov-console
   requirement: !ruby/object:Gem::Requirement
@@ -182,33 +182,34 @@ dependencies:
   name: vcr
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '3.18'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
-description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
-  Rust, Java, .NET, Elm and Go
-email: support@dependabot.com
+        version: '3.18'
+description: Dependabot-Composer provides support for bumping PHP (composer) libraries
+  via Dependabot. If you want support for multiple package managers, you probably
+  want the meta-gem dependabot-omnibus.
+email: opensource@github.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -255,7 +256,9 @@ files:
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard
-metadata: {}
+metadata:
+  issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+  changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -271,8 +274,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.26
 signing_key: 
 specification_version: 4
-summary: PHP (Composer) support for dependabot
+summary: Provides Dependabot support for PHP (composer)
 test_files: []