RubyGems - dependabot-composer - Versions diffs - 0.238.0 → 0.239.0 - Mend

dependabot-composer 0.238.0 → 0.239.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/helpers/v1/build +1 -1
data/helpers/v2/build +1 -1
data/lib/dependabot/composer/file_fetcher.rb +46 -3
data/lib/dependabot/composer/file_updater/lockfile_updater.rb +11 -0
data/lib/dependabot/composer/requirement.rb +8 -2
data/lib/dependabot/composer/update_checker/version_resolver.rb +13 -0
metadata +7 -7

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1b8037a1e1283d33035f449b4c622fea79ea2a08545cd79155baf6f8dbdb4e79
-  data.tar.gz: 1fe6a98682abde302f7c33dba4e7772c4f919b022e7fd8dc02d236ecaac3abf5
+  metadata.gz: 243823ddde365951ade479a3f1342dc58d8167e1a435ac8c802d602c996143c6
+  data.tar.gz: 75877dc0ab7ca581ce37863806997c08b9fce38355ec73444d8d691a874de4ce
 SHA512:
-  metadata.gz: f93a2b0223c2a611541d89ac0c13dae8608c9af250a28c3132a8b5c629af37d33fa2ca3eb9abe6d7753bddb65768e198f71c2128cdc4317565ee75d299390b16
-  data.tar.gz: 88dedd07728d42dc6e92617a2ccf6f4c791ae190e9528c66b3c392c2ad31363cfb210e506b2aa56dccd74212e20aba30a83c5a7ff0f848175687668bd6cb08d7
+  metadata.gz: 59d83d007f9422e557ebb0be3ad674eb419b23c93397363b1d1a17f9a731834ab6b7be4da751f790d6a4febc87d29ce33209e408ff60c20d3d635355682cc0bd
+  data.tar.gz: fd0d699b8b885e0247a36307fdd3762c33f3837b9575949ccd301ba449416af24efac36028bd07cd79298dbc9b1766d23fc5a52ec2524d81d38506abcf55f2c6

data/helpers/v1/build CHANGED Viewed

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -e

data/helpers/v2/build CHANGED Viewed

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -e

data/lib/dependabot/composer/file_fetcher.rb CHANGED Viewed

@@ -37,6 +37,7 @@ module Dependabot
         fetched_files << composer_json
         fetched_files << composer_lock if composer_lock
         fetched_files << auth_json if auth_json
+        fetched_files += artifact_dependencies
         fetched_files += path_dependencies
         fetched_files
       end
@@ -60,6 +61,41 @@ module Dependabot
         @auth_json = fetch_support_file("auth.json")
       end
+      def artifact_dependencies
+        return @artifact_dependencies if defined?(@artifact_dependencies)
+        # Find zip files in the artifact sources and download them.
+        @artifact_dependencies =
+          artifact_sources.map do |url|
+            repo_contents(dir: url)
+              .select { |file| file.type == "file" && file.name.end_with?(".zip") }
+              .map { |file| File.join(url, file.name) }
+              .map do |zip_file|
+              DependencyFile.new(
+                name: zip_file,
+                content: _fetch_file_content(zip_file),
+                directory: directory,
+                type: "file"
+              )
+            end
+          end.flatten
+        # Add .gitkeep to all directories in case they are empty. Composer isn't ok with empty directories.
+        @artifact_dependencies += artifact_sources.map do |url|
+          DependencyFile.new(
+            name: File.join(url, ".gitkeep"),
+            content: "",
+            directory: directory,
+            type: "file"
+          )
+        end
+        # Don't try to update these files, only used by composer for package resolution.
+        @artifact_dependencies.each { |f| f.support_file = true }
+        @artifact_dependencies
+      end
       def path_dependencies
         @path_dependencies ||=
           begin
@@ -90,8 +126,16 @@ module Dependabot
           end
       end
+      def artifact_sources
+        sources.select { |details| details["type"] == "artifact" }.map { |details| details["url"] }
+      end
       def path_sources
-        @path_sources ||=
+        sources.select { |details| details["type"] == "path" }.map { |details| details["url"] }
+      end
+      def sources
+        @sources ||=
           begin
             repos = parsed_composer_json.fetch("repositories", [])
             if repos.is_a?(Hash) || repos.is_a?(Array)
@@ -99,8 +143,7 @@ module Dependabot
               repos = repos.select { |r| r.is_a?(Hash) }
               repos
-                .select { |details| details["type"] == "path" }
-                .map { |details| details["url"] }
+                .select { |details| details["type"] == "path" || details["type"] == "artifact" }
             else
               []
             end

data/lib/dependabot/composer/file_updater/lockfile_updater.rb CHANGED Viewed

@@ -242,6 +242,12 @@ module Dependabot
         end
         def write_temporary_dependency_files
+          artifact_dependencies.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(file.name, file.content)
+          end
           path_dependencies.each do |file|
             path = file.name
             FileUtils.mkdir_p(Pathname.new(path).dirname)
@@ -509,6 +515,11 @@ module Dependabot
           @auth_json ||= dependency_files.find { |f| f.name == "auth.json" }
         end
+        def artifact_dependencies
+          @artifact_dependencies ||=
+            dependency_files.select { |f| f.name.end_with?(".zip", ".gitkeep") }
+        end
         def path_dependencies
           @path_dependencies ||=
             dependency_files.select { |f| f.name.end_with?("/composer.json") }

data/lib/dependabot/composer/requirement.rb CHANGED Viewed

@@ -1,11 +1,16 @@
 # typed: true
 # frozen_string_literal: true
+require "sorbet-runtime"
+require "dependabot/requirement"
 require "dependabot/utils"
 module Dependabot
   module Composer
-    class Requirement < Gem::Requirement
+    class Requirement < Dependabot::Requirement
+      extend T::Sig
       AND_SEPARATOR = /(?<=[a-zA-Z0-9*])(?<!\sas)[\s,]+(?![\s,]*[|-]|as)/
       OR_SEPARATOR = /(?<=[a-zA-Z0-9*])[\s,]*\|\|?\s*/
@@ -18,8 +23,9 @@ module Dependabot
       # Returns an array of requirements. At least one requirement from the
       # returned array must be satisfied for a version to be valid.
+      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
       def self.requirements_array(requirement_string)
-        requirement_string.strip.split(OR_SEPARATOR).map do |req_string|
+        T.must(requirement_string).strip.split(OR_SEPARATOR).map do |req_string|
           new(req_string)
         end
       end

data/lib/dependabot/composer/update_checker/version_resolver.rb CHANGED Viewed

@@ -91,10 +91,18 @@ module Dependabot
         def write_temporary_dependency_files(unlock_requirement: true)
           write_dependency_file(unlock_requirement: unlock_requirement)
           write_path_dependency_files
+          write_zipped_path_dependency_files
           write_lockfile
           write_auth_file
         end
+        def write_zipped_path_dependency_files
+          zipped_path_dependency_files.each do |file|
+            FileUtils.mkdir_p(Pathname.new(file.name).dirname)
+            File.write(file.name, file.content)
+          end
+        end
         def write_dependency_file(unlock_requirement:)
           File.write(
             "composer.json",
@@ -471,6 +479,11 @@ module Dependabot
             dependency_files.select { |f| f.name.end_with?("/composer.json") }
         end
+        def zipped_path_dependency_files
+          @zipped_path_dependency_files ||=
+            dependency_files.select { |f| f.name.end_with?(".zip", ".gitkeep") }
+        end
         def lockfile
           @lockfile ||=
             dependency_files.find { |f| f.name == "composer.lock" }

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-composer
 version: !ruby/object:Gem::Version
-  version: 0.238.0
+  version: 0.239.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-07 00:00:00.000000000 Z
+date: 2023-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.238.0
+        version: 0.239.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.238.0
+        version: 0.239.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.57.2
+        version: 1.58.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.57.2
+        version: 1.58.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -258,7 +258,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.238.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.239.0
 post_install_message:
 rdoc_options: []
 require_paths: