dependabot-composer 0.112.11 → 0.112.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/composer/file_parser.rb +43 -22
- data/lib/dependabot/composer/update_checker.rb +38 -3
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 41cfe027e0eb8b442af2db581d5be61b984aff3fc0161464c99edacba3674724
|
|
4
|
+
data.tar.gz: 7a0ea2b2b4d2ec07bd15b1bc5002d45244ac70feff9d494da4e5d711715403a0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9e767f6f2eca4e96776a3238cc7ca586152ed4af509350737a9529da4d3c5300e66c6716aa3fda3d805b3c0e986e3b5a0dc0fe03afcad3c5fd3e38e55d1979c8
|
|
7
|
+
data.tar.gz: cbbc724822d2208afa6641667ed3529833407db06c0b885b97d2dcd5fbd8a56fdfa614c73758b162c13a68fe80476c6897fd069e6df190da838e280eb138981b
|
|
@@ -46,33 +46,38 @@ module Dependabot
|
|
|
46
46
|
if lockfile
|
|
47
47
|
version = dependency_version(name: name, type: keys[:group])
|
|
48
48
|
|
|
49
|
-
# Ignore
|
|
50
|
-
#
|
|
51
|
-
next if version.nil?
|
|
52
|
-
|
|
53
|
-
# Ignore dependency versions which are non-numeric, since they
|
|
49
|
+
# Ignore dependency versions which don't appear in the
|
|
50
|
+
# composer.lock or are non-numeric and not a git SHA, since they
|
|
54
51
|
# can't be compared later in the process.
|
|
55
|
-
next unless version
|
|
52
|
+
next unless version&.match?(/^\d/) ||
|
|
53
|
+
version&.match?(/^[0-9a-f]{40}$/)
|
|
56
54
|
end
|
|
57
55
|
|
|
58
|
-
dependencies <<
|
|
59
|
-
Dependency.new(
|
|
60
|
-
name: name,
|
|
61
|
-
version: dependency_version(name: name, type: keys[:group]),
|
|
62
|
-
requirements: [{
|
|
63
|
-
requirement: req,
|
|
64
|
-
file: "composer.json",
|
|
65
|
-
source: dependency_source(name: name, type: keys[:group]),
|
|
66
|
-
groups: [keys[:group]]
|
|
67
|
-
}],
|
|
68
|
-
package_manager: "composer"
|
|
69
|
-
)
|
|
56
|
+
dependencies << build_manifest_dependency(name, req, keys)
|
|
70
57
|
end
|
|
71
58
|
end
|
|
72
59
|
|
|
73
60
|
dependencies
|
|
74
61
|
end
|
|
75
62
|
|
|
63
|
+
def build_manifest_dependency(name, req, keys)
|
|
64
|
+
Dependency.new(
|
|
65
|
+
name: name,
|
|
66
|
+
version: dependency_version(name: name, type: keys[:group]),
|
|
67
|
+
requirements: [{
|
|
68
|
+
requirement: req,
|
|
69
|
+
file: "composer.json",
|
|
70
|
+
source: dependency_source(
|
|
71
|
+
name: name,
|
|
72
|
+
type: keys[:group],
|
|
73
|
+
requirement: req
|
|
74
|
+
),
|
|
75
|
+
groups: [keys[:group]]
|
|
76
|
+
}],
|
|
77
|
+
package_manager: "composer"
|
|
78
|
+
)
|
|
79
|
+
end
|
|
80
|
+
|
|
76
81
|
def lockfile_dependencies
|
|
77
82
|
dependencies = DependencySet.new
|
|
78
83
|
|
|
@@ -88,7 +93,8 @@ module Dependabot
|
|
|
88
93
|
|
|
89
94
|
version = details["version"]&.to_s&.sub(/^v?/, "")
|
|
90
95
|
next if version.nil?
|
|
91
|
-
next unless version.match?(/^\d/)
|
|
96
|
+
next unless version.match?(/^\d/) ||
|
|
97
|
+
version.match?(/^[0-9a-f]{40}$/)
|
|
92
98
|
|
|
93
99
|
dependencies <<
|
|
94
100
|
Dependency.new(
|
|
@@ -111,13 +117,21 @@ module Dependabot
|
|
|
111
117
|
|
|
112
118
|
key = lockfile_key(type)
|
|
113
119
|
|
|
114
|
-
|
|
120
|
+
version =
|
|
121
|
+
parsed_lockfile.
|
|
115
122
|
fetch(key, []).
|
|
116
123
|
find { |d| d["name"] == name }&.
|
|
117
124
|
fetch("version")&.to_s&.sub(/^v?/, "")
|
|
125
|
+
|
|
126
|
+
return version unless version&.start_with?("dev-")
|
|
127
|
+
|
|
128
|
+
parsed_lockfile.
|
|
129
|
+
fetch(key, []).
|
|
130
|
+
find { |d| d["name"] == name }&.
|
|
131
|
+
dig("source", "reference")
|
|
118
132
|
end
|
|
119
133
|
|
|
120
|
-
def dependency_source(name:, type:)
|
|
134
|
+
def dependency_source(name:, type:, requirement:)
|
|
121
135
|
return unless lockfile
|
|
122
136
|
|
|
123
137
|
key = lockfile_key(type)
|
|
@@ -131,10 +145,17 @@ module Dependabot
|
|
|
131
145
|
|
|
132
146
|
return unless package.dig("source", "type") == "git"
|
|
133
147
|
|
|
134
|
-
{
|
|
148
|
+
details = {
|
|
135
149
|
type: "git",
|
|
136
150
|
url: package.dig("source", "url")
|
|
137
151
|
}
|
|
152
|
+
|
|
153
|
+
return details unless requirement.start_with?("dev-")
|
|
154
|
+
|
|
155
|
+
details.merge(
|
|
156
|
+
branch: requirement.sub(/^dev-/, "").split("#").first,
|
|
157
|
+
ref: nil
|
|
158
|
+
)
|
|
138
159
|
end
|
|
139
160
|
|
|
140
161
|
def lockfile_key(type)
|
|
@@ -15,13 +15,14 @@ module Dependabot
|
|
|
15
15
|
|
|
16
16
|
def latest_version
|
|
17
17
|
return nil if path_dependency?
|
|
18
|
+
return latest_version_for_git_dependency if git_dependency?
|
|
18
19
|
|
|
19
20
|
# Fall back to latest_resolvable_version if no listings found
|
|
20
21
|
latest_version_from_registry || latest_resolvable_version
|
|
21
22
|
end
|
|
22
23
|
|
|
23
24
|
def latest_resolvable_version
|
|
24
|
-
return nil if path_dependency?
|
|
25
|
+
return nil if path_dependency? || git_dependency?
|
|
25
26
|
|
|
26
27
|
@latest_resolvable_version ||=
|
|
27
28
|
VersionResolver.new(
|
|
@@ -45,7 +46,7 @@ module Dependabot
|
|
|
45
46
|
end
|
|
46
47
|
|
|
47
48
|
def latest_resolvable_version_with_no_unlock
|
|
48
|
-
return nil if path_dependency?
|
|
49
|
+
return nil if path_dependency? || git_dependency?
|
|
49
50
|
|
|
50
51
|
@latest_resolvable_version_with_no_unlock ||=
|
|
51
52
|
VersionResolver.new(
|
|
@@ -101,7 +102,7 @@ module Dependabot
|
|
|
101
102
|
end
|
|
102
103
|
|
|
103
104
|
def fetch_lowest_resolvable_security_fix_version
|
|
104
|
-
return nil if path_dependency?
|
|
105
|
+
return nil if path_dependency? || git_dependency?
|
|
105
106
|
|
|
106
107
|
fix_version = latest_version_finder.lowest_security_fix_version
|
|
107
108
|
return latest_resolvable_version if fix_version.nil?
|
|
@@ -123,6 +124,11 @@ module Dependabot
|
|
|
123
124
|
dependency.requirements.any? { |r| r.dig(:source, :type) == "path" }
|
|
124
125
|
end
|
|
125
126
|
|
|
127
|
+
def git_dependency?
|
|
128
|
+
dependency.requirements.
|
|
129
|
+
any? { |r| r.fetch(:requirement)&.start_with?("dev-") }
|
|
130
|
+
end
|
|
131
|
+
|
|
126
132
|
def composer_file
|
|
127
133
|
composer_file =
|
|
128
134
|
dependency_files.find { |f| f.name == "composer.json" }
|
|
@@ -134,6 +140,35 @@ module Dependabot
|
|
|
134
140
|
def library?
|
|
135
141
|
JSON.parse(composer_file.content)["type"] == "library"
|
|
136
142
|
end
|
|
143
|
+
|
|
144
|
+
def latest_version_for_git_dependency
|
|
145
|
+
# If the dependency isn't pinned then we just want to check that it
|
|
146
|
+
# points to the latest commit on the relevant branch.
|
|
147
|
+
unless git_commit_checker.pinned?
|
|
148
|
+
return git_commit_checker.head_commit_for_current_branch
|
|
149
|
+
end
|
|
150
|
+
|
|
151
|
+
# If the dependency is pinned to a tag that looks like a version then
|
|
152
|
+
# we want to update that tag. The latest version will then be the SHA
|
|
153
|
+
# of the latest tag that looks like a version.
|
|
154
|
+
if git_commit_checker.pinned_ref_looks_like_version? &&
|
|
155
|
+
git_commit_checker.local_tag_for_latest_version
|
|
156
|
+
latest_tag = git_commit_checker.local_tag_for_latest_version
|
|
157
|
+
return latest_tag.fetch(:commit_sha)
|
|
158
|
+
end
|
|
159
|
+
|
|
160
|
+
# If the dependency is pinned to a tag that doesn't look like a
|
|
161
|
+
# version then there's nothing we can do.
|
|
162
|
+
dependency.version
|
|
163
|
+
end
|
|
164
|
+
|
|
165
|
+
def git_commit_checker
|
|
166
|
+
@git_commit_checker ||= Dependabot::GitCommitChecker.new(
|
|
167
|
+
dependency: dependency,
|
|
168
|
+
credentials: credentials,
|
|
169
|
+
ignored_versions: ignored_versions
|
|
170
|
+
)
|
|
171
|
+
end
|
|
137
172
|
end
|
|
138
173
|
end
|
|
139
174
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-composer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.112.
|
|
4
|
+
version: 0.112.12
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-08-
|
|
11
|
+
date: 2019-08-26 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.112.
|
|
19
|
+
version: 0.112.12
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.112.
|
|
26
|
+
version: 0.112.12
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|