dependabot-composer 0.238.0 → 0.240.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1b8037a1e1283d33035f449b4c622fea79ea2a08545cd79155baf6f8dbdb4e79
-  data.tar.gz: 1fe6a98682abde302f7c33dba4e7772c4f919b022e7fd8dc02d236ecaac3abf5
+  metadata.gz: 8bc4696ba6e7198423b6beb9781cb0af1bad9fd020dd85686af7ebf3a82ca62e
+  data.tar.gz: 7fb74904f6ce723a5ccefeeeb7c19bbdf394be8fd85cdbf14aa2ae6ed96f7534
 SHA512:
-  metadata.gz: f93a2b0223c2a611541d89ac0c13dae8608c9af250a28c3132a8b5c629af37d33fa2ca3eb9abe6d7753bddb65768e198f71c2128cdc4317565ee75d299390b16
-  data.tar.gz: 88dedd07728d42dc6e92617a2ccf6f4c791ae190e9528c66b3c392c2ad31363cfb210e506b2aa56dccd74212e20aba30a83c5a7ff0f848175687668bd6cb08d7
+  metadata.gz: 1b4c9e8fb979078e33fb5887fd9e09fd24e00f47ff89af6e9256427acbe03b964c2d6b234f021209e3e3588d8123c3020aa169280431325c16323562e1274b2a
+  data.tar.gz: 31d01dfb299ebfdd3fbd8f1657452c448c67ba7548945aa83288fcabb9ac547fd4764985f2761d88d0ce497f44cff364e57f69f976d69da6a8ca37acc9f2379a

data/helpers/v1/build

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -e
 

data/helpers/v2/build

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -e
 

data/lib/dependabot/composer/file_fetcher.rb

@@ -37,6 +37,7 @@ module Dependabot
         fetched_files << composer_json
         fetched_files << composer_lock if composer_lock
         fetched_files << auth_json if auth_json
+        fetched_files += artifact_dependencies
         fetched_files += path_dependencies
         fetched_files
       end
@@ -60,6 +61,41 @@ module Dependabot
         @auth_json = fetch_support_file("auth.json")
       end
 
+      def artifact_dependencies
+        return @artifact_dependencies if defined?(@artifact_dependencies)
+
+        # Find zip files in the artifact sources and download them.
+        @artifact_dependencies =
+          artifact_sources.map do |url|
+            repo_contents(dir: url)
+              .select { |file| file.type == "file" && file.name.end_with?(".zip") }
+              .map { |file| File.join(url, file.name) }
+              .map do |zip_file|
+              DependencyFile.new(
+                name: zip_file,
+                content: _fetch_file_content(zip_file),
+                directory: directory,
+                type: "file"
+              )
+            end
+          end.flatten
+
+        # Add .gitkeep to all directories in case they are empty. Composer isn't ok with empty directories.
+        @artifact_dependencies += artifact_sources.map do |url|
+          DependencyFile.new(
+            name: File.join(url, ".gitkeep"),
+            content: "",
+            directory: directory,
+            type: "file"
+          )
+        end
+
+        # Don't try to update these files, only used by composer for package resolution.
+        @artifact_dependencies.each { |f| f.support_file = true }
+
+        @artifact_dependencies
+      end
+
       def path_dependencies
         @path_dependencies ||=
           begin
@@ -90,8 +126,16 @@ module Dependabot
           end
       end
 
+      def artifact_sources
+        sources.select { |details| details["type"] == "artifact" }.map { |details| details["url"] }
+      end
+
       def path_sources
-        @path_sources ||=
+        sources.select { |details| details["type"] == "path" }.map { |details| details["url"] }
+      end
+
+      def sources
+        @sources ||=
           begin
             repos = parsed_composer_json.fetch("repositories", [])
             if repos.is_a?(Hash) || repos.is_a?(Array)
@@ -99,8 +143,7 @@ module Dependabot
               repos = repos.select { |r| r.is_a?(Hash) }
 
               repos
-                .select { |details| details["type"] == "path" }
-                .map { |details| details["url"] }
+                .select { |details| details["type"] == "path" || details["type"] == "artifact" }
             else
               []
             end

data/lib/dependabot/composer/file_updater/lockfile_updater.rb

@@ -242,6 +242,12 @@ module Dependabot
         end
 
         def write_temporary_dependency_files
+          artifact_dependencies.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(file.name, file.content)
+          end
+
           path_dependencies.each do |file|
             path = file.name
             FileUtils.mkdir_p(Pathname.new(path).dirname)
@@ -509,6 +515,11 @@ module Dependabot
           @auth_json ||= dependency_files.find { |f| f.name == "auth.json" }
         end
 
+        def artifact_dependencies
+          @artifact_dependencies ||=
+            dependency_files.select { |f| f.name.end_with?(".zip", ".gitkeep") }
+        end
+
         def path_dependencies
           @path_dependencies ||=
             dependency_files.select { |f| f.name.end_with?("/composer.json") }

data/lib/dependabot/composer/requirement.rb

@@ -1,11 +1,16 @@
 # typed: true
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
+require "dependabot/requirement"
 require "dependabot/utils"
 
 module Dependabot
   module Composer
-    class Requirement < Gem::Requirement
+    class Requirement < Dependabot::Requirement
+      extend T::Sig
+
       AND_SEPARATOR = /(?<=[a-zA-Z0-9*])(?<!\sas)[\s,]+(?![\s,]*[|-]|as)/
       OR_SEPARATOR = /(?<=[a-zA-Z0-9*])[\s,]*\|\|?\s*/
 
@@ -18,8 +23,9 @@ module Dependabot
 
       # Returns an array of requirements. At least one requirement from the
       # returned array must be satisfied for a version to be valid.
+      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
       def self.requirements_array(requirement_string)
-        requirement_string.strip.split(OR_SEPARATOR).map do |req_string|
+        T.must(requirement_string).strip.split(OR_SEPARATOR).map do |req_string|
           new(req_string)
         end
       end

data/lib/dependabot/composer/update_checker/version_resolver.rb

@@ -91,10 +91,18 @@ module Dependabot
         def write_temporary_dependency_files(unlock_requirement: true)
           write_dependency_file(unlock_requirement: unlock_requirement)
           write_path_dependency_files
+          write_zipped_path_dependency_files
           write_lockfile
           write_auth_file
         end
 
+        def write_zipped_path_dependency_files
+          zipped_path_dependency_files.each do |file|
+            FileUtils.mkdir_p(Pathname.new(file.name).dirname)
+            File.write(file.name, file.content)
+          end
+        end
+
         def write_dependency_file(unlock_requirement:)
           File.write(
             "composer.json",
@@ -197,6 +205,7 @@ module Dependabot
         end
 
         # rubocop:disable Metrics/PerceivedComplexity
+        # rubocop:disable Metrics/AbcSize
         def updated_version_requirement_string
           lower_bound =
             if requirements_to_unlock == :none
@@ -210,7 +219,7 @@ module Dependabot
                           .select { |req_string| req_string.match?(VERSION_REGEX) }
                           .map { |req_string| req_string.match(VERSION_REGEX) }
                           .select { |version| requirement_valid?(">= #{version}") }
-                          .max_by { |version| Composer::Version.new(version) }
+                          .max_by { |version| Composer::Version.new(version.to_s) }
 
               ">= #{version_for_requirement || 0}"
             end
@@ -231,6 +240,7 @@ module Dependabot
           lower_bound + ", <= #{latest_allowable_version}"
         end
         # rubocop:enable Metrics/PerceivedComplexity
+        # rubocop:enable Metrics/AbcSize
 
         # TODO: Extract error handling and share between the lockfile updater
         #
@@ -471,6 +481,11 @@ module Dependabot
             dependency_files.select { |f| f.name.end_with?("/composer.json") }
         end
 
+        def zipped_path_dependency_files
+          @zipped_path_dependency_files ||=
+            dependency_files.select { |f| f.name.end_with?(".zip", ".gitkeep") }
+        end
+
         def lockfile
           @lockfile ||=
             dependency_files.find { |f| f.name == "composer.lock" }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-composer
 version: !ruby/object:Gem::Version
-  version: 0.238.0
+  version: 0.240.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-12-07 00:00:00.000000000 Z
+date: 2024-01-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.238.0
+        version: 0.240.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.238.0
+        version: 0.240.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.57.2
+        version: 1.58.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.57.2
+        version: 1.58.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -206,6 +206,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.18'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.7'
 description: Dependabot-Composer provides support for bumping PHP (composer) libraries
   via Dependabot. If you want support for multiple package managers, you probably
   want the meta-gem dependabot-omnibus.
@@ -258,7 +272,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.238.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.240.0
 post_install_message: 
 rdoc_options: []
 require_paths: