RubyGems - dependabot-composer - Versions diffs - 0.105.8 → 0.106.0 - Mend

dependabot-composer 0.105.8 → 0.106.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/dependabot/composer/update_checker.rb +13 -84
data/lib/dependabot/composer/update_checker/latest_version_finder.rb +172 -0
data/lib/dependabot/composer/update_checker/requirements_updater.rb +2 -3
metadata +5 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: be28bd77a9cda4096d77edf0b2b46cb754945675fcf94ff5116ddf2990bac0df
-  data.tar.gz: 2cd021107559f066f1dad3e907be59d977845590ea6afe171649920affb38a9f
+  metadata.gz: 3ef9fd7de0b59eb9fe8816348a9e61fc7f0749a2c7c813b670f99d9e1905f0b5
+  data.tar.gz: 2f6efd24e91c16c8606c9f7bf0149fdce654507d46ed88fecd32cee7bef2b495
 SHA512:
-  metadata.gz: c5d00e5f824b536a3a7ff91290fe70f210a15779d9440fa80afcf10e7b4418b7dcb1ef77ac8ce0fc7431b45e7be171985a618c3720b11193d106606b98254210
-  data.tar.gz: 19fee1537ada8208738122bfb2f539466dc39d9369ae884adb42850fc1469667bbbe1f4b62ea1cfa0441c1963d97cf6e96e213a971cae1e69096b784d3db429e
+  metadata.gz: e69c5f676e953f3bb32a1f73c2c9b5c34bcfb27c7febcd1bdd5d0be1d2eb7f0e9b368a5c593753c862751fc422d4ef4c4d5c662ce548b32ce9a4f2fd1df3789e
+  data.tar.gz: e44e14d4a09c29121540359cf454f85400a658baf3eb4a435f6f94b77ae6d55e03dfbfd3e83cf1cc1594c26f662c08cca7285190a74466f0df81e76eb9a29e90

data/lib/dependabot/composer/update_checker.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
-require "excon"
 require "json"
 require "dependabot/update_checkers"
 require "dependabot/update_checkers/base"
@@ -12,6 +11,7 @@ module Dependabot
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       require_relative "update_checker/requirements_updater"
       require_relative "update_checker/version_resolver"
+      require_relative "update_checker/latest_version_finder"
       def latest_version
         return nil if path_dependency?
@@ -49,7 +49,6 @@ module Dependabot
       def updated_requirements
         RequirementsUpdater.new(
           requirements: dependency.requirements,
-          latest_version: latest_version&.to_s,
           latest_resolvable_version: latest_resolvable_version&.to_s,
           update_strategy: requirements_update_strategy
         ).updated_requirements
@@ -72,30 +71,22 @@ module Dependabot
         false
       end
-      def latest_version_from_registry
-        versions =
-          registry_versions.
-          select { |version| version_class.correct?(version.gsub(/^v/, "")) }.
-          map { |version| version_class.new(version.gsub(/^v/, "")) }
-        versions.reject!(&:prerelease?) unless wants_prerelease?
-        versions.reject! { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
-        versions.max
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
       end
-      def wants_prerelease?
-        current_version = dependency.version
-        if current_version && version_class.new(current_version).prerelease?
-          return true
-        end
-        dependency.requirements.any? do |req|
-          req[:requirement].match?(/\d-[A-Za-z]/)
-        end
+      def latest_version_from_registry
+        latest_version_finder.latest_version
       end
-      def updated_dependencies_after_full_unlock
-        raise NotImplementedError
+      def latest_version_finder
+        @latest_version_finder ||= LatestVersionFinder.new(
+          dependency: dependency,
+          dependency_files: dependency_files,
+          credentials: credentials,
+          ignored_versions: ignored_versions,
+          security_advisories: security_advisories
+        )
       end
       def path_dependency?
@@ -110,71 +101,9 @@ module Dependabot
         composer_file
       end
-      def lockfile
-        dependency_files.find { |f| f.name == "composer.lock" }
-      end
-      def registry_versions
-        return @registry_versions unless @registry_versions.nil?
-        repositories =
-          JSON.parse(composer_file.content).
-          fetch("repositories", []).
-          select { |r| r.is_a?(Hash) }
-        urls = repositories.
-               select { |h| h["type"] == "composer" }.
-               map { |h| h["url"] }.compact.
-               map { |url| url.gsub(%r{\/$}, "") + "/packages.json" }
-        unless repositories.any? { |rep| rep["packagist.org"] == false }
-          urls << "https://packagist.org/p/#{dependency.name.downcase}.json"
-        end
-        @registry_versions = []
-        urls.each do |url|
-          @registry_versions += fetch_registry_versions_from_url(url)
-        end
-        @registry_versions.uniq
-      end
-      def fetch_registry_versions_from_url(url)
-        cred = registry_credentials.find { |c| url.include?(c["registry"]) }
-        response = Excon.get(
-          url,
-          idempotent: true,
-          user: cred&.fetch("username", nil),
-          password: cred&.fetch("password", nil),
-          **SharedHelpers.excon_defaults
-        )
-        parse_registry_response(response, url)
-      rescue Excon::Error::Socket, Excon::Error::Timeout
-        []
-      end
-      def parse_registry_response(response, url)
-        return [] unless response.status == 200
-        listing = JSON.parse(response.body)
-        return [] if listing.nil?
-        return [] if listing.fetch("packages", []) == []
-        return [] unless listing.dig("packages", dependency.name.downcase)
-        listing.dig("packages", dependency.name.downcase).keys
-      rescue JSON::ParserError
-        msg = "'#{url}' does not contain valid JSON"
-        raise DependencyFileNotResolvable, msg
-      end
       def library?
         JSON.parse(composer_file.content)["type"] == "library"
       end
-      def registry_credentials
-        credentials.select { |cred| cred["type"] == "composer_repository" }
-      end
     end
   end
 end

data/lib/dependabot/composer/update_checker/latest_version_finder.rb ADDED Viewed

@@ -0,0 +1,172 @@
+# frozen_string_literal: true
+require "excon"
+require "json"
+require "dependabot/composer/update_checker"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+module Dependabot
+  module Composer
+    class UpdateChecker
+      class LatestVersionFinder
+        def initialize(dependency:, dependency_files:, credentials:,
+                       ignored_versions:, security_advisories:)
+          @dependency          = dependency
+          @dependency_files    = dependency_files
+          @credentials         = credentials
+          @ignored_versions    = ignored_versions
+          @security_advisories = security_advisories
+        end
+        def latest_version
+          @latest_version ||= fetch_latest_version
+        end
+        def lowest_security_fix_version
+          @lowest_security_fix_version ||= fetch_lowest_security_fix_version
+        end
+        private
+        attr_reader :dependency, :dependency_files, :credentials,
+                    :ignored_versions, :security_advisories
+        def fetch_latest_version
+          versions = available_versions
+          versions = filter_prerelease_versions(versions)
+          versions = filter_ignored_versions(versions)
+          versions.max
+        end
+        def fetch_lowest_security_fix_version
+          versions = available_versions
+          versions = filter_prerelease_versions(versions)
+          versions = filter_ignored_versions(versions)
+          versions = filter_vulnerable_versions(versions)
+          versions = filter_lower_versions(versions)
+          versions.min
+        end
+        def filter_prerelease_versions(versions_array)
+          return versions_array if wants_prerelease?
+          versions_array.reject(&:prerelease?)
+        end
+        def filter_ignored_versions(versions_array)
+          versions_array.
+            reject { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
+        end
+        def filter_vulnerable_versions(versions_array)
+          versions_array.
+            reject { |v| security_advisories.any? { |a| a.vulnerable?(v) } }
+        end
+        def filter_lower_versions(versions_array)
+          versions_array.
+            select { |version| version > version_class.new(dependency.version) }
+        end
+        def wants_prerelease?
+          current_version = dependency.version
+          if current_version && version_class.new(current_version).prerelease?
+            return true
+          end
+          dependency.requirements.any? do |req|
+            req[:requirement].match?(/\d-[A-Za-z]/)
+          end
+        end
+        def available_versions
+          registry_version_details.
+            select { |version| version_class.correct?(version.gsub(/^v/, "")) }.
+            map { |version| version_class.new(version.gsub(/^v/, "")) }
+        end
+        def registry_version_details
+          return @registry_version_details unless @registry_version_details.nil?
+          repositories =
+            JSON.parse(composer_file.content).
+            fetch("repositories", []).
+            select { |r| r.is_a?(Hash) }
+          urls = repositories.
+                 select { |h| h["type"] == "composer" }.
+                 map { |h| h["url"] }.compact.
+                 map { |url| url.gsub(%r{\/$}, "") + "/packages.json" }
+          unless repositories.any? { |rep| rep["packagist.org"] == false }
+            urls << "https://packagist.org/p/#{dependency.name.downcase}.json"
+          end
+          @registry_version_details = []
+          urls.each do |url|
+            @registry_version_details += fetch_registry_versions_from_url(url)
+          end
+          @registry_version_details.uniq
+        end
+        def fetch_registry_versions_from_url(url)
+          cred = registry_credentials.find { |c| url.include?(c["registry"]) }
+          response = Excon.get(
+            url,
+            idempotent: true,
+            user: cred&.fetch("username", nil),
+            password: cred&.fetch("password", nil),
+            **SharedHelpers.excon_defaults
+          )
+          parse_registry_response(response, url)
+        rescue Excon::Error::Socket, Excon::Error::Timeout
+          []
+        end
+        def parse_registry_response(response, url)
+          return [] unless response.status == 200
+          listing = JSON.parse(response.body)
+          return [] if listing.nil?
+          return [] if listing.fetch("packages", []) == []
+          return [] unless listing.dig("packages", dependency.name.downcase)
+          listing.dig("packages", dependency.name.downcase).keys
+        rescue JSON::ParserError
+          msg = "'#{url}' does not contain valid JSON"
+          raise DependencyFileNotResolvable, msg
+        end
+        def registry_credentials
+          credentials.select { |cred| cred["type"] == "composer_repository" }
+        end
+        def composer_file
+          composer_file =
+            dependency_files.find { |f| f.name == "composer.json" }
+          raise "No composer.json!" unless composer_file
+          composer_file
+        end
+        def ignore_reqs
+          ignored_versions.map { |req| requirement_class.new(req.split(",")) }
+        end
+        def version_class
+          Utils.version_class_for_package_manager(dependency.package_manager)
+        end
+        def requirement_class
+          Utils.requirement_class_for_package_manager(
+            dependency.package_manager
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/composer/update_checker/requirements_updater.rb CHANGED Viewed

@@ -24,13 +24,12 @@ module Dependabot
           %i(widen_ranges bump_versions bump_versions_if_necessary).freeze
         def initialize(requirements:, update_strategy:,
-                       latest_version:, latest_resolvable_version:)
+                       latest_resolvable_version:)
           @requirements = requirements
           @update_strategy = update_strategy
           check_update_strategy
-          @latest_version = version_class.new(latest_version) if latest_version
           return unless latest_resolvable_version
           @latest_resolvable_version =
@@ -46,7 +45,7 @@ module Dependabot
         private
         attr_reader :requirements, :update_strategy,
-                    :latest_version, :latest_resolvable_version
+                    :latest_resolvable_version
         def check_update_strategy
           return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-composer
 version: !ruby/object:Gem::Version
-  version: 0.105.8
+  version: 0.106.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-04-19 00:00:00.000000000 Z
+date: 2019-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.105.8
+        version: 0.106.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.105.8
+        version: 0.106.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -166,6 +166,7 @@ files:
 - lib/dependabot/composer/native_helpers.rb
 - lib/dependabot/composer/requirement.rb
 - lib/dependabot/composer/update_checker.rb
+- lib/dependabot/composer/update_checker/latest_version_finder.rb
 - lib/dependabot/composer/update_checker/requirements_updater.rb
 - lib/dependabot/composer/update_checker/version_resolver.rb
 - lib/dependabot/composer/version.rb