dependabot-composer 0.110.17 → 0.111.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aba20dfcc6db0b26954d79062abb3f517c63926d96e40ef3f3ce11d7f9e3cd70
-  data.tar.gz: 8d60270c6815f0ed1b1946f49a1ba11213c6f93b16cdca8fd2f08df7db8c3a40
+  metadata.gz: f06dcecf2a4971c408e7350be98a990123a35f9fe33d512c697e9c3d6f21d0f5
+  data.tar.gz: 9d8f060c61d3238669906c3e86e18a575a2289eed7349c86a9809f7f1f7ed6d0
 SHA512:
-  metadata.gz: e95deb882e6f92bcc856858cdfce82ec4d71483c537964cce3c0372f120f7290732ae5e0d43f944abccb872bf55f796f9817e82d199d3bbb22bd9e812fb4c631
-  data.tar.gz: e0e54228ce0fba86f578a3e133f29f3aac2da562b4d0d690171d49ab1521b66403bf62439c9c947c41fc836906845fc93fd018c76f6d21911b438a26b2286c99
+  metadata.gz: 8aff8af7f6efcacb59b8902664a3c7bd7b276d4132a3f9575d54eb3402cb1b1a16cc1bbedb78902afb6da6d35d2b9cf45d53c4c70fa79a31b0abeb9db0d3520b
+  data.tar.gz: f0d31274fa5a099acd6aad2a45eebc6c6af8bba0bbb96b8f0bad745115f1f59cbe14de12ff16bc45b8760fc56030bb140b7ccf71d8927c80ffb8482a9ba71442

data/helpers/src/UpdateChecker.php

@@ -66,19 +66,8 @@ class UpdateChecker
             ->setWhitelistTransitiveDependencies(true)
             ->setExecuteOperations(false)
             ->setDumpAutoloader(false)
-            ->setRunScripts(false);
-
-        /*
-         * If a platform is set we assume people know what they are doing and
-         * we respect the setting.
-         * If no platform is set we ignore it so that the php we run as doesn't
-         * interfere with resolution.
-         */
-        if ($config->get('platform') === []) {
-            $install->setIgnorePlatformRequirements(true);
-        } else {
-            $install->setIgnorePlatformRequirements(false);
-        }
+            ->setRunScripts(false)
+            ->setIgnorePlatformRequirements(false);
 
         $install->run();
 

data/helpers/src/Updater.php

@@ -74,19 +74,8 @@ class Updater
             ->setWhitelistTransitiveDependencies(true)
             ->setExecuteOperations(false)
             ->setDumpAutoloader(false)
-            ->setRunScripts(false);
-
-        /*
-         * If a platform is set we assume people know what they are doing and
-         * we respect the setting.
-         * If no platform is set we ignore it so that the php we run as doesn't
-         * interfere with resolution.
-         */
-        if ($config->get('platform') === []) {
-            $install->setIgnorePlatformRequirements(true);
-        } else {
-            $install->setIgnorePlatformRequirements(false);
-        }
+            ->setRunScripts(false)
+            ->setIgnorePlatformRequirements(false);
 
         $install->run();
 

data/lib/dependabot/composer/file_updater/lockfile_updater.rb

@@ -4,35 +4,61 @@ require "dependabot/shared_helpers"
 require "dependabot/errors"
 require "dependabot/composer/file_updater"
 require "dependabot/composer/version"
+require "dependabot/composer/requirement"
 require "dependabot/composer/native_helpers"
 
+# rubocop:disable Metrics/ClassLength
 module Dependabot
   module Composer
     class FileUpdater
       class LockfileUpdater
         require_relative "manifest_updater"
 
+        class MissingExtensions < StandardError
+          attr_reader :extensions
+
+          def initialize(extensions)
+            @extensions = extensions
+            super
+          end
+        end
+
         def initialize(dependencies:, dependency_files:, credentials:)
           @dependencies = dependencies
           @dependency_files = dependency_files
           @credentials = credentials
+          @composer_platform_extensions = {}
         end
 
         def updated_lockfile_content
-          base_directory = dependency_files.first.directory
-          @updated_lockfile_content ||=
-            SharedHelpers.in_a_temporary_directory(base_directory) do
-              write_temporary_dependency_files
+          @updated_lockfile_content ||= generate_updated_lockfile_content
+        rescue MissingExtensions => e
+          previous_extensions = composer_platform_extensions.dup
+          update_required_extensions(e.extensions)
+          raise if previous_extensions == composer_platform_extensions
 
-              updated_content = run_update_helper.fetch("composer.lock")
+          retry
+        end
 
-              updated_content = post_process_lockfile(updated_content)
-              if lockfile.content == updated_content
-                raise "Expected content to change!"
-              end
+        private
+
+        attr_reader :dependencies, :dependency_files, :credentials,
+                    :composer_platform_extensions
+
+        def generate_updated_lockfile_content
+          base_directory = dependency_files.first.directory
+          SharedHelpers.in_a_temporary_directory(base_directory) do
+            write_temporary_dependency_files
+
+            updated_content = run_update_helper.fetch("composer.lock")
 
-              updated_content
+            updated_content = post_process_lockfile(updated_content)
+            if lockfile.content == updated_content
+              raise "Expected content to change!"
             end
+
+            updated_content
+          end
         rescue SharedHelpers::HelperSubprocessFailed => e
           retry_count ||= 0
           retry_count += 1
@@ -40,10 +66,6 @@ module Dependabot
           handle_composer_errors(e)
         end
 
-        private
-
-        attr_reader :dependencies, :dependency_files, :credentials
-
         def dependency
           # For now, we'll only ever be updating a single dependency for PHP
           dependencies.first
@@ -87,6 +109,17 @@ module Dependabot
         # rubocop:disable Metrics/MethodLength
         # rubocop:disable Metrics/PerceivedComplexity
         def handle_composer_errors(error)
+          if error.message.include?("package requires php") ||
+             error.message.include?("requested PHP extension")
+            missing_extensions =
+              error.message.scan(/\sext\-.*? .*?\s|(?<=requires )php .*?\s/).
+              map do |extension_string|
+                name, requirement = extension_string.strip.split(" ")
+                { name: name, requirement: requirement }
+              end
+            raise MissingExtensions, missing_extensions
+          end
+
           if error.message.start_with?("Failed to execute git checkout")
             raise git_dependency_reference_error(error)
           end
@@ -152,8 +185,8 @@ module Dependabot
         end
 
         def locked_composer_json_content
-          dependencies.
-            reduce(updated_composer_json_content) do |content, dep|
+          tmp_content =
+            dependencies.reduce(updated_composer_json_content) do |content, dep|
               updated_req = dep.version
               next content unless Composer::Version.correct?(updated_req)
 
@@ -174,6 +207,17 @@ module Dependabot
                 declaration.gsub(%("#{old_req}"), %("#{updated_req}"))
               end
             end
+
+          json = JSON.parse(tmp_content)
+
+          composer_platform_extensions.each do |extension, requirements|
+            json["config"] ||= {}
+            json["config"]["platform"] ||= {}
+            json["config"]["platform"][extension] =
+              version_for_reqs(requirements)
+          end
+
+          JSON.dump(json)
         end
 
         def git_dependency_reference_error(error)
@@ -192,7 +236,8 @@ module Dependabot
 
         def post_process_lockfile(content)
           content = replace_patches(content)
-          replace_content_hash(content)
+          content = replace_content_hash(content)
+          replace_platform_overrides(content)
         end
 
         def replace_patches(updated_content)
@@ -239,6 +284,52 @@ module Dependabot
           end
         end
 
+        def replace_platform_overrides(content)
+          original_object = JSON.parse(lockfile.content)
+          original_overrides = original_object.fetch("platform-overrides", nil)
+
+          updated_object = JSON.parse(content)
+
+          if original_object.key?("platform-overrides")
+            updated_object["platform-overrides"] = original_overrides
+          else
+            updated_object.delete("platform-overrides")
+          end
+
+          JSON.pretty_generate(updated_object, indent: "    ").
+            gsub(/\[\n\n\s*\]/, "[]").
+            gsub(/\}\z/, "}\n")
+        end
+
+        def version_for_reqs(requirements)
+          req_array = requirements.map { |str| Composer::Requirement.new(str) }
+          potential_versions =
+            req_array.map do |req|
+              op, version = req.requirements.first
+              case op
+              when ">" then version.bump
+              when "<" then Composer::Version.new("0.0.1")
+              else version
+              end
+            end
+
+          version = potential_versions.
+                    find { |v| req_array.all? { |r| r.satisfied_by?(v) } }
+          raise "No matching version for #{requirements}!" unless version
+
+          version.to_s
+        end
+
+        def update_required_extensions(additional_extensions)
+          additional_extensions.each do |ext|
+            composer_platform_extensions[ext.fetch(:name)] ||= []
+            composer_platform_extensions[ext.fetch(:name)] +=
+              [ext.fetch(:requirement)]
+            composer_platform_extensions[ext.fetch(:name)] =
+              composer_platform_extensions[ext.fetch(:name)].uniq
+          end
+        end
+
         def php_helper_path
           NativeHelpers.composer_helper_path
         end
@@ -284,3 +375,4 @@ module Dependabot
     end
   end
 end
+# rubocop:enable Metrics/ClassLength

data/lib/dependabot/composer/update_checker/version_resolver.rb

@@ -1,25 +1,38 @@
 # frozen_string_literal: true
 
+require "dependabot/errors"
+require "json"
 require "dependabot/shared_helpers"
 require "dependabot/composer/update_checker"
 require "dependabot/composer/version"
+require "dependabot/composer/requirement"
 require "dependabot/composer/native_helpers"
 
 module Dependabot
   module Composer
     class UpdateChecker
       class VersionResolver
+        class MissingExtensions < StandardError
+          attr_reader :extensions
+
+          def initialize(extensions)
+            @extensions = extensions
+            super
+          end
+        end
+
         VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/.freeze
         SOURCE_TIMED_OUT_REGEX =
           /The "(?<url>[^"]+packages\.json)".*timed out/.freeze
 
         def initialize(credentials:, dependency:, dependency_files:,
                        requirements_to_unlock:, latest_allowable_version:)
-          @credentials              = credentials
-          @dependency               = dependency
-          @dependency_files         = dependency_files
-          @requirements_to_unlock   = requirements_to_unlock
-          @latest_allowable_version = latest_allowable_version
+          @credentials                  = credentials
+          @dependency                   = dependency
+          @dependency_files             = dependency_files
+          @requirements_to_unlock       = requirements_to_unlock
+          @latest_allowable_version     = latest_allowable_version
+          @composer_platform_extensions = {}
         end
 
         def latest_resolvable_version
@@ -29,7 +42,8 @@ module Dependabot
         private
 
         attr_reader :credentials, :dependency, :dependency_files,
-                    :requirements_to_unlock, :latest_allowable_version
+                    :requirements_to_unlock, :latest_allowable_version,
+                    :composer_platform_extensions
 
         def fetch_latest_resolvable_version
           version = fetch_latest_resolvable_version_string
@@ -37,6 +51,12 @@ module Dependabot
           return unless Composer::Version.correct?(version)
 
           Composer::Version.new(version)
+        rescue MissingExtensions => e
+          previous_extensions = composer_platform_extensions.dup
+          update_required_extensions(e.extensions)
+          raise if previous_extensions == composer_platform_extensions
+
+          retry
         end
 
         def fetch_latest_resolvable_version_string
@@ -82,10 +102,21 @@ module Dependabot
         def prepared_composer_json_content
           content = composer_file.content
 
-          content.gsub(
+          content = content.gsub(
             /"#{Regexp.escape(dependency.name)}"\s*:\s*".*"/,
             %("#{dependency.name}": "#{updated_version_requirement_string}")
           )
+
+          json = JSON.parse(content)
+
+          composer_platform_extensions.each do |extension, requirements|
+            json["config"] ||= {}
+            json["config"]["platform"] ||= {}
+            json["config"]["platform"][extension] =
+              version_for_reqs(requirements)
+          end
+
+          JSON.dump(json)
         end
 
         # rubocop:disable Metrics/AbcSize
@@ -145,17 +176,16 @@ module Dependabot
           elsif error.message.start_with?("Could not parse version") ||
                 error.message.include?("does not allow connections to http://")
             raise Dependabot::DependencyFileNotResolvable, sanitized_message
-          elsif error.message.include?("requested PHP extension")
-            extensions = error.message.scan(/\sext\-.*?\s/).map(&:strip).uniq
-            msg = "Dependabot's installed extensions didn't match those "\
-                  "required by your application.\n\n"\
-                  "Please add the following extensions to the platform "\
-                  "config in your composer.json to allow Dependabot to run: "\
-                  "#{extensions.join(', ')}.\n\n"\
-                  "The full error raised was:\n\n#{error.message}"
-            raise Dependabot::DependencyFileNotResolvable, msg
           elsif error.message.include?("package requires php") ||
-                error.message.include?("cannot require itself") ||
+                error.message.include?("requested PHP extension")
+            missing_extensions =
+              error.message.scan(/\sext\-.*? .*?\s|(?<=requires )php .*?\s/).
+              map do |extension_string|
+                name, requirement = extension_string.strip.split(" ")
+                { name: name, requirement: requirement }
+              end
+            raise MissingExtensions, missing_extensions
+          elsif error.message.include?("cannot require itself") ||
                 error.message.include?('packages.json" file could not be down')
             raise Dependabot::DependencyFileNotResolvable, error.message
           elsif error.message.include?("No driver found to handle VCS") &&
@@ -208,6 +238,35 @@ module Dependabot
         # rubocop:enable Metrics/CyclomaticComplexity
         # rubocop:enable Metrics/MethodLength
 
+        def version_for_reqs(requirements)
+          req_array = requirements.map { |str| Composer::Requirement.new(str) }
+          potential_versions =
+            req_array.map do |req|
+              op, version = req.requirements.first
+              case op
+              when ">" then version.bump
+              when "<" then Composer::Version.new("0.0.1")
+              else version
+              end
+            end
+
+          version = potential_versions.
+                    find { |v| req_array.all? { |r| r.satisfied_by?(v) } }
+          raise "No matching version for #{requirements}!" unless version
+
+          version.to_s
+        end
+
+        def update_required_extensions(additional_extensions)
+          additional_extensions.each do |ext|
+            composer_platform_extensions[ext.fetch(:name)] ||= []
+            composer_platform_extensions[ext.fetch(:name)] +=
+              [ext.fetch(:requirement)]
+            composer_platform_extensions[ext.fetch(:name)] =
+              composer_platform_extensions[ext.fetch(:name)].uniq
+          end
+        end
+
         def php_helper_path
           NativeHelpers.composer_helper_path
         end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-composer
 version: !ruby/object:Gem::Version
-  version: 0.110.17
+  version: 0.111.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-04 00:00:00.000000000 Z
+date: 2019-07-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.110.17
+        version: 0.111.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.110.17
+        version: 0.111.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement