dependabot-composer 0.112.11 → 0.112.12
- checksums.yaml +4 -4
- data/lib/dependabot/composer/file_parser.rb +43 -22
- data/lib/dependabot/composer/update_checker.rb +38 -3
- metadata +4 -4
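--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 41cfe027e0eb8b442af2db581d5be61b984aff3fc0161464c99edacba3674724
+data.tar.gz: 7a0ea2b2b4d2ec07bd15b1bc5002d45244ac70feff9d494da4e5d711715403a0
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9e767f6f2eca4e96776a3238cc7ca586152ed4af509350737a9529da4d3c5300e66c6716aa3fda3d805b3c0e986e3b5a0dc0fe03afcad3c5fd3e38e55d1979c8
+data.tar.gz: cbbc724822d2208afa6641667ed3529833407db06c0b885b97d2dcd5fbd8a56fdfa614c73758b162c13a68fe80476c6897fd069e6df190da838e280eb138981b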
@@ -46,33 +46,38 @@ module Dependabot
|
|
46
46
|
if lockfile
|
47
47
|
version = dependency_version(name: name, type: keys[:group])
|
48
48
|
|
49
|
-
# Ignore
|
50
|
-
#
|
51
|
-
next if version.nil?
|
52
|
-
|
53
|
-
# Ignore dependency versions which are non-numeric, since they
|
49
|
+
# Ignore dependency versions which don't appear in the
|
50
|
+
# composer.lock or are non-numeric and not a git SHA, since they
|
54
51
|
# can't be compared later in the process.
|
55
|
-
next unless version
|
52
|
+
next unless version&.match?(/^\d/) ||
|
53
|
+
version&.match?(/^[0-9a-f]{40}$/)
|
56
54
|
end
|
57
55
|
|
58
|
-
dependencies <<
|
59
|
-
Dependency.new(
|
60
|
-
name: name,
|
61
|
-
version: dependency_version(name: name, type: keys[:group]),
|
62
|
-
requirements: [{
|
63
|
-
requirement: req,
|
64
|
-
file: "composer.json",
|
65
|
-
source: dependency_source(name: name, type: keys[:group]),
|
66
|
-
groups: [keys[:group]]
|
67
|
-
}],
|
68
|
-
package_manager: "composer"
|
69
|
-
)
|
56
|
+
dependencies << build_manifest_dependency(name, req, keys)
|
70
57
|
end
|
71
58
|
end
|
72
59
|
|
73
60
|
dependencies
|
74
61
|
end
|
75
62
|
|
63
|
+
def build_manifest_dependency(name, req, keys)
|
64
|
+
Dependency.new(
|
65
|
+
name: name,
|
66
|
+
version: dependency_version(name: name, type: keys[:group]),
|
67
|
+
requirements: [{
|
68
|
+
requirement: req,
|
69
|
+
file: "composer.json",
|
70
|
+
source: dependency_source(
|
71
|
+
name: name,
|
72
|
+
type: keys[:group],
|
73
|
+
requirement: req
|
74
|
+
),
|
75
|
+
groups: [keys[:group]]
|
76
|
+
}],
|
77
|
+
package_manager: "composer"
|
78
|
+
)
|
79
|
+
end
|
80
|
+
|
76
81
|
def lockfile_dependencies
|
77
82
|
dependencies = DependencySet.new
|
78
83
|
|
@@ -88,7 +93,8 @@ module Dependabot
|
|
88
93
|
|
89
94
|
version = details["version"]&.to_s&.sub(/^v?/, "")
|
90
95
|
next if version.nil?
|
91
|
-
next unless version.match?(/^\d/)
|
96
|
+
next unless version.match?(/^\d/) ||
|
97
|
+
version.match?(/^[0-9a-f]{40}$/)
|
92
98
|
|
93
99
|
dependencies <<
|
94
100
|
Dependency.new(
|
@@ -111,13 +117,21 @@ module Dependabot
|
|
111
117
|
|
112
118
|
key = lockfile_key(type)
|
113
119
|
|
114
|
-
|
120
|
+
version =
|
121
|
+
parsed_lockfile.
|
115
122
|
fetch(key, []).
|
116
123
|
find { |d| d["name"] == name }&.
|
117
124
|
fetch("version")&.to_s&.sub(/^v?/, "")
|
125
|
+
|
126
|
+
return version unless version&.start_with?("dev-")
|
127
|
+
|
128
|
+
parsed_lockfile.
|
129
|
+
fetch(key, []).
|
130
|
+
find { |d| d["name"] == name }&.
|
131
|
+
dig("source", "reference")
|
118
132
|
end
|
119
133
|
|
120
|
-
def dependency_source(name:, type:)
|
134
|
+
def dependency_source(name:, type:, requirement:)
|
121
135
|
return unless lockfile
|
122
136
|
|
123
137
|
key = lockfile_key(type)
|
@@ -131,10 +145,17 @@ module Dependabot
|
|
131
145
|
|
132
146
|
return unless package.dig("source", "type") == "git"
|
133
147
|
|
134
|
-
{
|
148
|
+
details = {
|
135
149
|
type: "git",
|
136
150
|
url: package.dig("source", "url")
|
137
151
|
}
|
152
|
+
|
153
|
+
return details unless requirement.start_with?("dev-")
|
154
|
+
|
155
|
+
details.merge(
|
156
|
+
branch: requirement.sub(/^dev-/, "").split("#").first,
|
157
|
+
ref: nil
|
158
|
+
)
|
138
159
|
end
|
139
160
|
|
140
161
|
def lockfile_key(type)
|
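Review bot: The SHA check added in `manifest_dependencies`, `next unless version&.match?(/^\d/) || version&.match?(/^[0-9a-f]{40}$/)`, uses `^`/`$`, which in Ruby anchor to line boundaries rather than the whole string, so a value containing a newline could pass the filter with trailing text; the same regex is repeated in `lockfile_dependencies` in the next hunk. Since these values come straight from composer.lock, I would anchor both with `\A`/`\z`: `version&.match?(/\A[0-9a-f]{40}\z/)`. In the `dependency_source` hunk, `requirement.start_with?("dev-")` has no nil guard while the new `git_dependency?` in update_checker.rb writes `r.fetch(:requirement)&.start_with?("dev-")`, so either the `&.` is unnecessary there or this call can raise NoMethodError on a nil requirement — worth aligning the two. `dependency_source` also gains a required `requirement:` keyword, so any caller outside these hunks that still passes only `name:`/`type:` would now raise ArgumentError and other call sites should be checked. Finally, `dependency_version` now runs the `find` over `parsed_lockfile.fetch(key, [])` twice; hoisting the matched package into a local such as `package = parsed_lockfile.fetch(key, []).find { |d| d["name"] == name }` would remove the duplication.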
@@ -15,13 +15,14 @@ module Dependabot
|
|
15
15
|
|
16
16
|
def latest_version
|
17
17
|
return nil if path_dependency?
|
18
|
+
return latest_version_for_git_dependency if git_dependency?
|
18
19
|
|
19
20
|
# Fall back to latest_resolvable_version if no listings found
|
20
21
|
latest_version_from_registry || latest_resolvable_version
|
21
22
|
end
|
22
23
|
|
23
24
|
def latest_resolvable_version
|
24
|
-
return nil if path_dependency?
|
25
|
+
return nil if path_dependency? || git_dependency?
|
25
26
|
|
26
27
|
@latest_resolvable_version ||=
|
27
28
|
VersionResolver.new(
|
@@ -45,7 +46,7 @@ module Dependabot
|
|
45
46
|
end
|
46
47
|
|
47
48
|
def latest_resolvable_version_with_no_unlock
|
48
|
-
return nil if path_dependency?
|
49
|
+
return nil if path_dependency? || git_dependency?
|
49
50
|
|
50
51
|
@latest_resolvable_version_with_no_unlock ||=
|
51
52
|
VersionResolver.new(
|
@@ -101,7 +102,7 @@ module Dependabot
|
|
101
102
|
end
|
102
103
|
|
103
104
|
def fetch_lowest_resolvable_security_fix_version
|
104
|
-
return nil if path_dependency?
|
105
|
+
return nil if path_dependency? || git_dependency?
|
105
106
|
|
106
107
|
fix_version = latest_version_finder.lowest_security_fix_version
|
107
108
|
return latest_resolvable_version if fix_version.nil?
|
@@ -123,6 +124,11 @@ module Dependabot
|
|
123
124
|
dependency.requirements.any? { |r| r.dig(:source, :type) == "path" }
|
124
125
|
end
|
125
126
|
|
127
|
+
def git_dependency?
|
128
|
+
dependency.requirements.
|
129
|
+
any? { |r| r.fetch(:requirement)&.start_with?("dev-") }
|
130
|
+
end
|
131
|
+
|
126
132
|
def composer_file
|
127
133
|
composer_file =
|
128
134
|
dependency_files.find { |f| f.name == "composer.json" }
|
@@ -134,6 +140,35 @@ module Dependabot
|
|
134
140
|
def library?
|
135
141
|
JSON.parse(composer_file.content)["type"] == "library"
|
136
142
|
end
|
143
|
+
|
144
|
+
def latest_version_for_git_dependency
|
145
|
+
# If the dependency isn't pinned then we just want to check that it
|
146
|
+
# points to the latest commit on the relevant branch.
|
147
|
+
unless git_commit_checker.pinned?
|
148
|
+
return git_commit_checker.head_commit_for_current_branch
|
149
|
+
end
|
150
|
+
|
151
|
+
# If the dependency is pinned to a tag that looks like a version then
|
152
|
+
# we want to update that tag. The latest version will then be the SHA
|
153
|
+
# of the latest tag that looks like a version.
|
154
|
+
if git_commit_checker.pinned_ref_looks_like_version? &&
|
155
|
+
git_commit_checker.local_tag_for_latest_version
|
156
|
+
latest_tag = git_commit_checker.local_tag_for_latest_version
|
157
|
+
return latest_tag.fetch(:commit_sha)
|
158
|
+
end
|
159
|
+
|
160
|
+
# If the dependency is pinned to a tag that doesn't look like a
|
161
|
+
# version then there's nothing we can do.
|
162
|
+
dependency.version
|
163
|
+
end
|
164
|
+
|
165
|
+
def git_commit_checker
|
166
|
+
@git_commit_checker ||= Dependabot::GitCommitChecker.new(
|
167
|
+
dependency: dependency,
|
168
|
+
credentials: credentials,
|
169
|
+
ignored_versions: ignored_versions
|
170
|
+
)
|
171
|
+
end
|
137
172
|
end
|
138
173
|
end
|
139
174
|
end
|
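Review bot: `latest_version_for_git_dependency` calls `git_commit_checker.local_tag_for_latest_version` twice, once in the `if` condition and once to assign `latest_tag`; if that lookup is not memoized inside GitCommitChecker (not visible here) the work is done twice and the two calls could in principle return different answers. I would assign first and test the local: `latest_tag = git_commit_checker.local_tag_for_latest_version` followed by `return latest_tag.fetch(:commit_sha) if git_commit_checker.pinned_ref_looks_like_version? && latest_tag`. The new `git_dependency?` classifies a dependency by the `dev-` prefix of its requirement string alone, without checking that its source type is `git`, so a `dev-` requirement from a non-git source would also skip every resolvable-version path guarded by it — a one-line comment stating that assumption, e.g. `# Composer "dev-" requirements are treated as git branches regardless of source type`, would help the next reader. Also, the parser change in this release records `ref: nil` for every `dev-` source even when the requirement carries a `#<commit>` suffix, so it looks as if `git_commit_checker.pinned?` can never be true for such dependencies and the pinned branches of this method are only reachable some other way — worth confirming that is intended.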
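--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-composer
 version: !ruby/object:Gem::Version
-version: 0.112.
+version: 0.112.12
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-08-
+date: 2019-08-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.112.
+version: 0.112.12
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.112.
+version: 0.112.12
 - !ruby/object:Gem::Dependency
 name: byebug
 requirement: !ruby/object:Gem::Requirement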