dependabot-composer 0.89.0

data/lib/dependabot/composer/file_updater/manifest_updater.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require "dependabot/composer/file_updater"
+
+module Dependabot
+  module Composer
+    class FileUpdater
+      class ManifestUpdater
+        def initialize(dependencies:, manifest:)
+          @dependencies = dependencies
+          @manifest = manifest
+        end
+
+        def updated_manifest_content
+          dependencies.reduce(manifest.content.dup) do |content, dep|
+            updated_content = content
+            updated_requirements(dep).each do |new_req|
+              old_req = old_requirement(dep, new_req).fetch(:requirement)
+              updated_req = new_req.fetch(:requirement)
+
+              regex =
+                /
+                  "#{Regexp.escape(dep.name)}"\s*:\s*
+                  "#{Regexp.escape(old_req)}"
+                /x
+
+              updated_content = content.gsub(regex) do |declaration|
+                declaration.gsub(%("#{old_req}"), %("#{updated_req}"))
+              end
+
+              raise "Expected content to change!" if content == updated_content
+            end
+
+            updated_content
+          end
+        end
+
+        private
+
+        attr_reader :dependencies, :manifest
+
+        def new_requirements(dependency)
+          dependency.requirements.select { |r| r[:file] == manifest.name }
+        end
+
+        def old_requirement(dependency, new_requirement)
+          dependency.previous_requirements.
+            select { |r| r[:file] == manifest.name }.
+            find { |r| r[:groups] == new_requirement[:groups] }
+        end
+
+        def updated_requirements(dependency)
+          new_requirements(dependency).
+            reject { |r| dependency.previous_requirements.include?(r) }
+        end
+
+        def requirement_changed?(file, dependency)
+          changed_requirements =
+            dependency.requirements - dependency.previous_requirements
+
+          changed_requirements.any? { |f| f[:file] == file.name }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/composer/metadata_finder.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+require "dependabot/shared_helpers"
+require "dependabot/composer/version"
+
+module Dependabot
+  module Composer
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      private
+
+      def look_up_source
+        source_from_dependency || look_up_source_from_packagist
+      end
+
+      def source_from_dependency
+        source_url =
+          dependency.requirements.
+          map { |r| r.fetch(:source) }.compact.
+          first&.fetch(:url, nil)
+
+        Source.from_url(source_url)
+      end
+
+      def look_up_source_from_packagist
+        return nil if packagist_listing&.fetch("packages", nil) == []
+        unless packagist_listing&.dig("packages", dependency.name.downcase)
+          return nil
+        end
+
+        version_listings =
+          packagist_listing["packages"][dependency.name.downcase].
+          select { |version, _| Composer::Version.correct?(version) }.
+          sort_by { |version, _| Composer::Version.new(version) }.
+          map { |_, listing| listing }.
+          reverse
+
+        potential_source_urls =
+          version_listings.
+          flat_map { |info| [info["homepage"], info.dig("source", "url")] }.
+          compact
+
+        source_url = potential_source_urls.find { |url| Source.from_url(url) }
+
+        Source.from_url(source_url)
+      end
+
+      def packagist_listing
+        return @packagist_listing unless @packagist_listing.nil?
+
+        response = Excon.get(
+          "https://packagist.org/p/#{dependency.name.downcase}.json",
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        return nil unless response.status == 200
+
+        @packagist_listing = JSON.parse(response.body)
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.
+  register("composer", Dependabot::Composer::MetadataFinder)

data/lib/dependabot/composer/native_helpers.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module Composer
+    module NativeHelpers
+      def self.composer_helper_path
+        File.join(composer_helpers_dir, "bin/run.php")
+      end
+
+      def self.composer_helpers_dir
+        File.join(native_helpers_root, "composer/helpers")
+      end
+
+      def self.native_helpers_root
+        default_path = File.join(__dir__, "../../../..")
+        ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
+      end
+    end
+  end
+end

data/lib/dependabot/composer/requirement.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require "dependabot/utils"
+
+module Dependabot
+  module Composer
+    class Requirement < Gem::Requirement
+      AND_SEPARATOR =
+        /(?<=[a-zA-Z0-9*])(?<!\sas)[\s,]+(?![\s,]*[|-]|as)/.freeze
+      OR_SEPARATOR = /(?<=[a-zA-Z0-9*])[\s,]*\|\|?\s*/.freeze
+
+      def self.parse(obj)
+        new_obj = obj.gsub(/@\w+/, "").gsub(/[a-z0-9\-_\.]*\sas\s+/i, "")
+        super(new_obj)
+      end
+
+      # Returns an array of requirements. At least one requirement from the
+      # returned array must be satisfied for a version to be valid.
+      def self.requirements_array(requirement_string)
+        requirement_string.strip.split(OR_SEPARATOR).map do |req_string|
+          new(req_string)
+        end
+      end
+
+      def initialize(*requirements)
+        requirements =
+          requirements.flatten.
+          flat_map { |req_string| req_string.split(AND_SEPARATOR) }.
+          flat_map { |req| convert_php_constraint_to_ruby_constraint(req) }
+
+        super(requirements)
+      end
+
+      private
+
+      # rubocop:disable Metrics/PerceivedComplexity
+      def convert_php_constraint_to_ruby_constraint(req_string)
+        req_string = req_string.gsub(/v(?=\d)/, "")
+
+        # Return an unlikely version if a dev requirement is specified. This
+        # ensures that the dev-requirement doesn't match anything.
+        return "0-dev-branch-match" if req_string.strip.start_with?("dev-")
+
+        if req_string.start_with?("*") then ">= 0"
+        elsif req_string.include?("*") then convert_wildcard_req(req_string)
+        elsif req_string.match?(/^~[^>]/) then convert_tilde_req(req_string)
+        elsif req_string.start_with?("^") then convert_caret_req(req_string)
+        elsif req_string.match?(/\s-\s/) then convert_hyphen_req(req_string)
+        else req_string
+        end
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+
+      def convert_wildcard_req(req_string)
+        version = req_string.gsub(/^~/, "").gsub(/(?:\.|^)\*/, "")
+        "~> #{version}.0"
+      end
+
+      def convert_tilde_req(req_string)
+        version = req_string.gsub(/^~/, "")
+        "~> #{version}"
+      end
+
+      def convert_caret_req(req_string)
+        version = req_string.gsub(/^\^/, "")
+        parts = version.split(".")
+        first_non_zero = parts.find { |d| d != "0" }
+        first_non_zero_index =
+          first_non_zero ? parts.index(first_non_zero) : parts.count - 1
+        upper_bound = parts.map.with_index do |part, i|
+          if i < first_non_zero_index then part
+          elsif i == first_non_zero_index then (part.to_i + 1).to_s
+          else 0
+          end
+        end.join(".")
+
+        [">= #{version}", "< #{upper_bound}"]
+      end
+
+      def convert_hyphen_req(req_string)
+        req_string = req_string
+        lower_bound, upper_bound = req_string.split(/\s+-\s+/)
+        if upper_bound.split(".").count < 3
+          upper_bound_parts = upper_bound.split(".")
+          upper_bound_parts[-1] = (upper_bound_parts[-1].to_i + 1).to_s
+          upper_bound = upper_bound_parts.join(".")
+
+          [">= #{lower_bound}", "< #{upper_bound}"]
+        else
+          [">= #{lower_bound}", "<= #{upper_bound}"]
+        end
+      end
+    end
+  end
+end
+
+Dependabot::Utils.
+  register_requirement_class("composer", Dependabot::Composer::Requirement)

data/lib/dependabot/composer/update_checker.rb

@@ -0,0 +1,176 @@
+# frozen_string_literal: true
+
+require "excon"
+require "json"
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+
+module Dependabot
+  module Composer
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      require_relative "update_checker/requirements_updater"
+      require_relative "update_checker/version_resolver"
+
+      def latest_version
+        return nil if path_dependency?
+
+        # Fall back to latest_resolvable_version if no listings found
+        latest_version_from_registry || latest_resolvable_version
+      end
+
+      def latest_resolvable_version
+        return nil if path_dependency?
+
+        @latest_resolvable_version ||=
+          VersionResolver.new(
+            credentials: credentials,
+            dependency: dependency,
+            dependency_files: dependency_files,
+            latest_allowable_version: latest_version_from_registry,
+            requirements_to_unlock: :own
+          ).latest_resolvable_version
+      end
+
+      def latest_resolvable_version_with_no_unlock
+        return nil if path_dependency?
+
+        @latest_resolvable_version_with_no_unlock ||=
+          VersionResolver.new(
+            credentials: credentials,
+            dependency: dependency,
+            dependency_files: dependency_files,
+            latest_allowable_version: latest_version_from_registry,
+            requirements_to_unlock: :none
+          ).latest_resolvable_version
+      end
+
+      def updated_requirements
+        RequirementsUpdater.new(
+          requirements: dependency.requirements,
+          latest_version: latest_version&.to_s,
+          latest_resolvable_version: latest_resolvable_version&.to_s,
+          update_strategy: requirements_update_strategy
+        ).updated_requirements
+      end
+
+      def requirements_update_strategy
+        # If passed in as an option (in the base class) honour that option
+        if @requirements_update_strategy
+          return @requirements_update_strategy.to_sym
+        end
+
+        # Otherwise, widen ranges for libraries and bump versions for apps
+        library? ? :widen_ranges : :bump_versions_if_necessary
+      end
+
+      private
+
+      def latest_version_resolvable_with_full_unlock?
+        # Full unlock checks aren't implemented for Composer (yet)
+        false
+      end
+
+      def latest_version_from_registry
+        versions =
+          registry_versions.
+          select { |version| version_class.correct?(version.gsub(/^v/, "")) }.
+          map { |version| version_class.new(version.gsub(/^v/, "")) }
+
+        versions.reject!(&:prerelease?) unless wants_prerelease?
+        versions.reject! { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
+        versions.max
+      end
+
+      def wants_prerelease?
+        current_version = dependency.version
+        if current_version && version_class.new(current_version).prerelease?
+          return true
+        end
+
+        dependency.requirements.any? do |req|
+          req[:requirement].match?(/\d-[A-Za-z]/)
+        end
+      end
+
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
+      end
+
+      def path_dependency?
+        dependency.requirements.any? { |r| r.dig(:source, :type) == "path" }
+      end
+
+      def composer_file
+        composer_file =
+          dependency_files.find { |f| f.name == "composer.json" }
+        raise "No composer.json!" unless composer_file
+
+        composer_file
+      end
+
+      def lockfile
+        dependency_files.find { |f| f.name == "composer.lock" }
+      end
+
+      def registry_versions
+        return @registry_versions unless @registry_versions.nil?
+
+        repositories =
+          JSON.parse(composer_file.content).
+          fetch("repositories", []).
+          select { |r| r.is_a?(Hash) }
+
+        urls = repositories.
+               select { |h| h["type"] == "composer" }.
+               map { |h| h["url"] }.compact.
+               map { |url| url.gsub(%r{\/$}, "") + "/packages.json" }
+
+        unless repositories.any? { |rep| rep["packagist.org"] == false }
+          urls << "https://packagist.org/p/#{dependency.name.downcase}.json"
+        end
+
+        @registry_versions = []
+        urls.each do |url|
+          @registry_versions += fetch_registry_versions_from_url(url)
+        end
+        @registry_versions.uniq
+      end
+
+      def fetch_registry_versions_from_url(url)
+        cred = registry_credentials.find { |c| url.include?(c["registry"]) }
+
+        response = Excon.get(
+          url,
+          idempotent: true,
+          user: cred&.fetch("username", nil),
+          password: cred&.fetch("password", nil),
+          **SharedHelpers.excon_defaults
+        )
+
+        return [] unless response.status == 200
+
+        listing = JSON.parse(response.body)
+        return [] if listing.nil?
+        return [] if listing.fetch("packages", []) == []
+        return [] unless listing.dig("packages", dependency.name.downcase)
+
+        listing.dig("packages", dependency.name.downcase).keys
+      rescue Excon::Error::Socket, Excon::Error::Timeout
+        []
+      end
+
+      def library?
+        JSON.parse(composer_file.content)["type"] == "library"
+      end
+
+      def registry_credentials
+        credentials.select { |cred| cred["type"] == "composer_repository" }
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers.
+  register("composer", Dependabot::Composer::UpdateChecker)

data/lib/dependabot/composer/update_checker/requirements_updater.rb

@@ -0,0 +1,253 @@
+# frozen_string_literal: true
+
+################################################################################
+# For more details on Composer version constraints, see:                       #
+# https://getcomposer.org/doc/articles/versions.md#writing-version-constraints #
+################################################################################
+
+require "dependabot/composer/update_checker"
+require "dependabot/composer/version"
+require "dependabot/composer/requirement"
+
+module Dependabot
+  module Composer
+    class UpdateChecker
+      class RequirementsUpdater
+        ALIAS_REGEX = /[a-z0-9\-_\.]*\sas\s+/.freeze
+        VERSION_REGEX =
+          /(?:#{ALIAS_REGEX})?[0-9]+(?:\.[a-zA-Z0-9*\-]+)*/.freeze
+        AND_SEPARATOR =
+          /(?<=[a-zA-Z0-9*])(?<!\sas)[\s,]+(?![\s,]*[|-]|as)/.freeze
+        OR_SEPARATOR = /(?<=[a-zA-Z0-9*])[\s,]*\|\|?\s*/.freeze
+        SEPARATOR = /(?:#{AND_SEPARATOR})|(?:#{OR_SEPARATOR})/.freeze
+        ALLOWED_UPDATE_STRATEGIES =
+          %i(widen_ranges bump_versions bump_versions_if_necessary).freeze
+
+        def initialize(requirements:, update_strategy:,
+                       latest_version:, latest_resolvable_version:)
+          @requirements = requirements
+          @update_strategy = update_strategy
+
+          check_update_strategy
+
+          @latest_version = version_class.new(latest_version) if latest_version
+          return unless latest_resolvable_version
+
+          @latest_resolvable_version =
+            version_class.new(latest_resolvable_version)
+        end
+
+        def updated_requirements
+          return requirements unless latest_resolvable_version
+
+          requirements.map { |req| updated_requirement(req) }
+        end
+
+        private
+
+        attr_reader :requirements, :update_strategy,
+                    :latest_version, :latest_resolvable_version
+
+        def check_update_strategy
+          return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
+
+          raise "Unknown update strategy: #{update_strategy}"
+        end
+
+        # rubocop:disable Metrics/PerceivedComplexity
+        # rubocop:disable Metrics/CyclomaticComplexity
+        def updated_requirement(req)
+          req_string = req[:requirement].strip
+          or_string_reqs = req_string.split(OR_SEPARATOR)
+          or_separator = req_string.match(OR_SEPARATOR)&.to_s || " || "
+          numeric_or_string_reqs = or_string_reqs.
+                                   reject { |r| r.start_with?("dev-") }
+          branch_or_string_reqs = or_string_reqs.
+                                  select { |r| r.start_with?("dev-") }
+
+          return req unless req_string.match?(/\d/)
+          return req if numeric_or_string_reqs.none?
+          return updated_alias(req) if req_string.match?(ALIAS_REGEX)
+          return req if req_satisfied_by_latest_resolvable?(req_string) &&
+                        update_strategy != :bump_versions
+
+          new_req =
+            case update_strategy
+            when :widen_ranges
+              widen_requirement(req, or_separator)
+            when :bump_versions, :bump_versions_if_necessary
+              update_requirement_version(req, or_separator)
+            end
+
+          new_req_string =
+            [new_req[:requirement], *branch_or_string_reqs].join(or_separator)
+          new_req.merge(requirement: new_req_string)
+        end
+        # rubocop:enable Metrics/PerceivedComplexity
+        # rubocop:enable Metrics/CyclomaticComplexity
+
+        def updated_alias(req)
+          req_string = req[:requirement]
+          real_version = req_string.split(/\sas\s/).first.strip
+
+          # If the version we're aliasing isn't a version then we don't know
+          # how to update it, so we just return the existing requirement.
+          return req unless version_class.correct?(real_version)
+
+          new_version_string = latest_resolvable_version.to_s
+          new_req = req_string.sub(real_version, new_version_string)
+          req.merge(requirement: new_req)
+        end
+
+        def widen_requirement(req, or_separator)
+          current_requirement = req[:requirement]
+          reqs = current_requirement.strip.split(SEPARATOR).map(&:strip)
+
+          updated_requirement =
+            if reqs.any? { |r| r.start_with?("^") }
+              update_caret_requirement(current_requirement, or_separator)
+            elsif reqs.any? { |r| r.start_with?("~") }
+              update_tilda_requirement(current_requirement, or_separator)
+            elsif reqs.any? { |r| r.include?("*") }
+              update_wildcard_requirement(current_requirement, or_separator)
+            elsif reqs.any? { |r| r.match?(/<|(\s+-\s+)/) }
+              update_range_requirement(current_requirement, or_separator)
+            else
+              update_version_string(current_requirement)
+            end
+
+          req.merge(requirement: updated_requirement)
+        end
+
+        def update_requirement_version(req, or_separator)
+          current_requirement = req[:requirement]
+          reqs = current_requirement.strip.split(SEPARATOR).map(&:strip)
+
+          updated_requirement =
+            if reqs.count > 1
+              "^#{latest_resolvable_version}"
+            elsif reqs.any? { |r| r.match?(/<|(\s+-\s+)/) }
+              update_range_requirement(current_requirement, or_separator)
+            elsif reqs.any? { |r| r.match?(/>[^=]/) }
+              current_requirement
+            else
+              update_version_string(current_requirement)
+            end
+
+          req.merge(requirement: updated_requirement)
+        end
+
+        def req_satisfied_by_latest_resolvable?(requirement_string)
+          ruby_requirements(requirement_string).
+            any? { |r| r.satisfied_by?(latest_resolvable_version) }
+        end
+
+        def update_version_string(req_string)
+          req_string.
+            sub(VERSION_REGEX) do |old_version|
+              unless req_string.match?(/[~*\^]/)
+                next latest_resolvable_version.to_s
+              end
+
+              old_parts = old_version.split(".")
+              new_parts = latest_resolvable_version.to_s.split(".").
+                          first(old_parts.count)
+              new_parts.map.with_index do |part, i|
+                old_parts[i] == "*" ? "*" : part
+              end.join(".")
+            end
+        end
+
+        def ruby_requirements(requirement_string)
+          Composer::Requirement.requirements_array(requirement_string)
+        end
+
+        def update_caret_requirement(req_string, or_separator)
+          caret_requirements =
+            req_string.split(SEPARATOR).select { |r| r.start_with?("^") }
+          version_parts = latest_resolvable_version.segments
+
+          min_existing_precision =
+            caret_requirements.map { |r| r.split(".").count }.min
+          first_non_zero_index =
+            version_parts.count.times.find { |i| version_parts[i] != 0 }
+
+          precision = [min_existing_precision, first_non_zero_index + 1].max
+          version = version_parts.first(precision).map.with_index do |part, i|
+            i <= first_non_zero_index ? part : 0
+          end.join(".")
+
+          req_string + "#{or_separator}^#{version}"
+        end
+
+        def update_tilda_requirement(req_string, or_separator)
+          tilda_requirements =
+            req_string.split(SEPARATOR).select { |r| r.start_with?("~") }
+          precision = tilda_requirements.map { |r| r.split(".").count }.min
+
+          version_parts = latest_resolvable_version.segments.first(precision)
+          version_parts[-1] = 0
+          version = version_parts.join(".")
+
+          req_string + "#{or_separator}~#{version}"
+        end
+
+        def update_wildcard_requirement(req_string, or_separator)
+          wildcard_requirements =
+            req_string.split(SEPARATOR).select { |r| r.include?("*") }
+          precision = wildcard_requirements.map do |r|
+            r.split(".").reject { |s| s == "*" }.count
+          end.min
+          wildcard_count = wildcard_requirements.map do |r|
+            r.split(".").select { |s| s == "*" }.count
+          end.min
+
+          version_parts = latest_resolvable_version.segments.first(precision)
+          version = version_parts.join(".")
+
+          req_string + "#{or_separator}#{version}#{'.*' * wildcard_count}"
+        end
+
+        def update_range_requirement(req_string, or_separator)
+          range_requirements =
+            req_string.split(SEPARATOR).select { |r| r.match?(/<|(\s+-\s+)/) }
+
+          if range_requirements.count == 1
+            range_requirement = range_requirements.first
+            versions = range_requirement.scan(VERSION_REGEX)
+            upper_bound = versions.map { |v| version_class.new(v) }.max
+            new_upper_bound = update_greatest_version(
+              upper_bound,
+              latest_resolvable_version
+            )
+
+            req_string.sub(upper_bound.to_s, new_upper_bound.to_s)
+          else
+            req_string + "#{or_separator}^#{latest_resolvable_version}"
+          end
+        end
+
+        def update_greatest_version(old_version, version_to_be_permitted)
+          version = version_class.new(old_version)
+          version = version.release if version.prerelease?
+
+          index_to_update =
+            version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+
+          version.segments.map.with_index do |_, index|
+            if index < index_to_update
+              version_to_be_permitted.segments[index]
+            elsif index == index_to_update
+              version_to_be_permitted.segments[index] + 1
+            else 0
+            end
+          end.join(".")
+        end
+
+        def version_class
+          Composer::Version
+        end
+      end
+    end
+  end
+end