dependabot-composer 0.112.11 → 0.112.12

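--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b4253e42c894aad96ef877a35e0267ee21f7aee2e15793f48759f31a53474cba
-  data.tar.gz: 4993208ba3fd9e44d55194ce14780003f1eb21d0a20e79e5db32237fb6bae1d3
+  metadata.gz: 41cfe027e0eb8b442af2db581d5be61b984aff3fc0161464c99edacba3674724
+  data.tar.gz: 7a0ea2b2b4d2ec07bd15b1bc5002d45244ac70feff9d494da4e5d711715403a0
 SHA512:
-  metadata.gz: 66d14d6b9d336c80579eecb4c2b0c6414e248a63490b74a3bd85488cbb8aa84b7ecb1b0e88b793bc12511d02339089123a66ae4df795ef7d81ab8c929d737216
-  data.tar.gz: 1abeb64a7e2c7dcd129d19240d9d35f3ceca40d04d232109c128b9078952f6fb3a784e546c4d55be80ee81cf6060d150bdbf958750420ac44a321b73f4124f38
+  metadata.gz: 9e767f6f2eca4e96776a3238cc7ca586152ed4af509350737a9529da4d3c5300e66c6716aa3fda3d805b3c0e986e3b5a0dc0fe03afcad3c5fd3e38e55d1979c8
+  data.tar.gz: cbbc724822d2208afa6641667ed3529833407db06c0b885b97d2dcd5fbd8a56fdfa614c73758b162c13a68fe80476c6897fd069e6df190da838e280eb138981b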
@@ -46,33 +46,38 @@ module Dependabot
46
46
  if lockfile
47
47
  version = dependency_version(name: name, type: keys[:group])
48
48
 
49
- # Ignore dependencies which appear in the composer.json but not
50
- # the composer.lock.
51
- next if version.nil?
52
-
53
- # Ignore dependency versions which are non-numeric, since they
49
+ # Ignore dependency versions which don't appear in the
50
+ # composer.lock or are non-numeric and not a git SHA, since they
54
51
  # can't be compared later in the process.
55
- next unless version.match?(/^\d/)
52
+ next unless version&.match?(/^\d/) ||
53
+ version&.match?(/^[0-9a-f]{40}$/)
56
54
  end
57
55
 
58
- dependencies <<
59
- Dependency.new(
60
- name: name,
61
- version: dependency_version(name: name, type: keys[:group]),
62
- requirements: [{
63
- requirement: req,
64
- file: "composer.json",
65
- source: dependency_source(name: name, type: keys[:group]),
66
- groups: [keys[:group]]
67
- }],
68
- package_manager: "composer"
69
- )
56
+ dependencies << build_manifest_dependency(name, req, keys)
70
57
  end
71
58
  end
72
59
 
73
60
  dependencies
74
61
  end
75
62
 
63
+ def build_manifest_dependency(name, req, keys)
64
+ Dependency.new(
65
+ name: name,
66
+ version: dependency_version(name: name, type: keys[:group]),
67
+ requirements: [{
68
+ requirement: req,
69
+ file: "composer.json",
70
+ source: dependency_source(
71
+ name: name,
72
+ type: keys[:group],
73
+ requirement: req
74
+ ),
75
+ groups: [keys[:group]]
76
+ }],
77
+ package_manager: "composer"
78
+ )
79
+ end
80
+
76
81
  def lockfile_dependencies
77
82
  dependencies = DependencySet.new
78
83
 
@@ -88,7 +93,8 @@ module Dependabot
88
93
 
89
94
  version = details["version"]&.to_s&.sub(/^v?/, "")
90
95
  next if version.nil?
91
- next unless version.match?(/^\d/)
96
+ next unless version.match?(/^\d/) ||
97
+ version.match?(/^[0-9a-f]{40}$/)
92
98
 
93
99
  dependencies <<
94
100
  Dependency.new(
@@ -111,13 +117,21 @@ module Dependabot
111
117
 
112
118
  key = lockfile_key(type)
113
119
 
114
- parsed_lockfile.
120
+ version =
121
+ parsed_lockfile.
115
122
  fetch(key, []).
116
123
  find { |d| d["name"] == name }&.
117
124
  fetch("version")&.to_s&.sub(/^v?/, "")
125
+
126
+ return version unless version&.start_with?("dev-")
127
+
128
+ parsed_lockfile.
129
+ fetch(key, []).
130
+ find { |d| d["name"] == name }&.
131
+ dig("source", "reference")
118
132
  end
119
133
 
120
- def dependency_source(name:, type:)
134
+ def dependency_source(name:, type:, requirement:)
121
135
  return unless lockfile
122
136
 
123
137
  key = lockfile_key(type)
@@ -131,10 +145,17 @@ module Dependabot
131
145
 
132
146
  return unless package.dig("source", "type") == "git"
133
147
 
134
- {
148
+ details = {
135
149
  type: "git",
136
150
  url: package.dig("source", "url")
137
151
  }
152
+
153
+ return details unless requirement.start_with?("dev-")
154
+
155
+ details.merge(
156
+ branch: requirement.sub(/^dev-/, "").split("#").first,
157
+ ref: nil
158
+ )
138
159
  end
139
160
 
140
161
  def lockfile_key(type)
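Review bot: In `dependency_source`, the `ref: nil` written after the `dev-` check discards everything following `#` in the requirement, so a composer.json entry such as `dev-master#<sha>` — Composer's syntax for pinning a branch dependency to one commit — is recorded as a bare, unpinned branch. If `Dependabot::GitCommitChecker#pinned?` keys off `:ref` (it lives in dependabot-common and is not visible here), such a dependency would be reported as floating and moved to the branch head, silently dropping the author's pin. Preserving the fragment, `ref: requirement.split("#")[1]`, keeps that information available to the update checker instead of hard-coding `nil`. Separately, the new `dependency_version` walks `parsed_lockfile.fetch(key, [])` twice for the same package name; capturing the matched entry in a local once would avoid the second `find`. Both `dependency_version` and `dependency_source` are cut by the hunk boundaries here, so their full bodies are not visible.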
@@ -15,13 +15,14 @@ module Dependabot
15
15
 
16
16
  def latest_version
17
17
  return nil if path_dependency?
18
+ return latest_version_for_git_dependency if git_dependency?
18
19
 
19
20
  # Fall back to latest_resolvable_version if no listings found
20
21
  latest_version_from_registry || latest_resolvable_version
21
22
  end
22
23
 
23
24
  def latest_resolvable_version
24
- return nil if path_dependency?
25
+ return nil if path_dependency? || git_dependency?
25
26
 
26
27
  @latest_resolvable_version ||=
27
28
  VersionResolver.new(
@@ -45,7 +46,7 @@ module Dependabot
45
46
  end
46
47
 
47
48
  def latest_resolvable_version_with_no_unlock
48
- return nil if path_dependency?
49
+ return nil if path_dependency? || git_dependency?
49
50
 
50
51
  @latest_resolvable_version_with_no_unlock ||=
51
52
  VersionResolver.new(
@@ -101,7 +102,7 @@ module Dependabot
101
102
  end
102
103
 
103
104
  def fetch_lowest_resolvable_security_fix_version
104
- return nil if path_dependency?
105
+ return nil if path_dependency? || git_dependency?
105
106
 
106
107
  fix_version = latest_version_finder.lowest_security_fix_version
107
108
  return latest_resolvable_version if fix_version.nil?
@@ -123,6 +124,11 @@ module Dependabot
123
124
  dependency.requirements.any? { |r| r.dig(:source, :type) == "path" }
124
125
  end
125
126
 
127
+ def git_dependency?
128
+ dependency.requirements.
129
+ any? { |r| r.fetch(:requirement)&.start_with?("dev-") }
130
+ end
131
+
126
132
  def composer_file
127
133
  composer_file =
128
134
  dependency_files.find { |f| f.name == "composer.json" }
@@ -134,6 +140,35 @@ module Dependabot
134
140
  def library?
135
141
  JSON.parse(composer_file.content)["type"] == "library"
136
142
  end
143
+
144
+ def latest_version_for_git_dependency
145
+ # If the dependency isn't pinned then we just want to check that it
146
+ # points to the latest commit on the relevant branch.
147
+ unless git_commit_checker.pinned?
148
+ return git_commit_checker.head_commit_for_current_branch
149
+ end
150
+
151
+ # If the dependency is pinned to a tag that looks like a version then
152
+ # we want to update that tag. The latest version will then be the SHA
153
+ # of the latest tag that looks like a version.
154
+ if git_commit_checker.pinned_ref_looks_like_version? &&
155
+ git_commit_checker.local_tag_for_latest_version
156
+ latest_tag = git_commit_checker.local_tag_for_latest_version
157
+ return latest_tag.fetch(:commit_sha)
158
+ end
159
+
160
+ # If the dependency is pinned to a tag that doesn't look like a
161
+ # version then there's nothing we can do.
162
+ dependency.version
163
+ end
164
+
165
+ def git_commit_checker
166
+ @git_commit_checker ||= Dependabot::GitCommitChecker.new(
167
+ dependency: dependency,
168
+ credentials: credentials,
169
+ ignored_versions: ignored_versions
170
+ )
171
+ end
137
172
  end
138
173
  end
139
174
  end
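Review bot: `latest_version_for_git_dependency` calls `git_commit_checker.local_tag_for_latest_version` twice, once in the condition and again to read `:commit_sha`; if that lookup reaches the remote (the name suggests a local cache, but GitCommitChecker is in dependabot-common and not visible here) it is also two round-trips for one answer. Bind it once: `latest_tag = git_commit_checker.local_tag_for_latest_version` followed by `return latest_tag.fetch(:commit_sha) if git_commit_checker.pinned_ref_looks_like_version? && latest_tag`. The `|| git_dependency?` guards added to `latest_resolvable_version`, `latest_resolvable_version_with_no_unlock` and `fetch_lowest_resolvable_security_fix_version` mean a `dev-` dependency never receives a security-fix version even when an advisory applies; that is a defensible limitation but deserves a comment at the guard, e.g. `# Git (dev-*) dependencies have no resolvable version range, so security fixes are not attempted for them.` The enclosing class header and `latest_version_finder` lie outside these hunks.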
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-composer
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.112.11
4
+ version: 0.112.12
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-08-22 00:00:00.000000000 Z
11
+ date: 2019-08-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.112.11
19
+ version: 0.112.12
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.112.11
26
+ version: 0.112.12
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: byebug
29
29
  requirement: !ruby/object:Gem::Requirement