dependabot-composer 0.279.0 → 0.280.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7c22cabf7b08405e201bd5f15c7336f512317349573e19acfd5d3fc9c68b82c4
-  data.tar.gz: 4ad19b03443097f64680c10479df514ba38bf522292068de7d11dee00d89e5d8
+  metadata.gz: 153db9225b35887e37d54abbbe02bd0b0411c7583d1299e81c0dcbd8d8e4c580
+  data.tar.gz: a8c5bcf77d7dfd6a7bfe47eec1fa2d57472c397bace27803b5c7c2d59f7e4827
 SHA512:
-  metadata.gz: 3e059ba992147dfebbf4ebad0afe9887463655248c9a029a86d0877d59fa060d0e7ac4766f03c6314e8a330a70c2a1e6bf0feb80973801ffe0b71c5dea653345
-  data.tar.gz: 63e2110b166ef6dc05e42aaf9621eec90296b8bf53472a32e3357e89e86a4b5d7cd4f3d61a612204eb98d9d87d6c474c684df8c091f2e7f910fd69462b78ed73
+  metadata.gz: baa6fef6857fd718bab1b4a6b8bada9780a854a79f878887c683e438b279f2bcc52e5756772b9da6a002e712cc99394ec45a82b30c47225714c04510751642bc
+  data.tar.gz: 560d052941b5ba14565a3d2cc9270250ad9989fae4f09bd7745c3e5a48cfc60edf6cb75406569afb465c404e91690ece5f5f6c9ef494fb6ce83d6baba5349f3f

data/lib/dependabot/composer/file_fetcher.rb

@@ -26,7 +26,7 @@ module Dependabot
       def ecosystem_versions
         {
           package_managers: {
-            "composer" => Helpers.composer_version(parsed_composer_json, parsed_lockfile) || "unknown"
+            "composer" => Helpers.composer_version(parsed_composer_json, parsed_lockfile)
           }
         }
       end

data/lib/dependabot/composer/file_parser.rb

@@ -1,6 +1,7 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "dependabot/composer"
 require "dependabot/dependency"
 require "dependabot/composer/version"
 require "dependabot/file_parsers"
@@ -13,7 +14,7 @@ module Dependabot
     class FileParser < Dependabot::FileParsers::Base
       require "dependabot/file_parsers/base/dependency_set"
 
-      DEPENDENCY_GROUP_KEYS = [
+      DEPENDENCY_GROUP_KEYS = T.let([
         {
           manifest: "require",
           lockfile: "packages",
@@ -24,28 +25,41 @@ module Dependabot
           lockfile: "packages-dev",
           group: "development"
         }
-      ].freeze
+      ].freeze, T::Array[T::Hash[Symbol, String]])
 
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
-        dependency_set = DependencySet.new
+        dependency_set = T.let(DependencySet.new, DependencySet)
         dependency_set += manifest_dependencies
         dependency_set += lockfile_dependencies
         dependency_set.dependencies
       end
 
+      sig { returns(PackageManagerBase) }
+      def package_manager
+        PackageManager.new(composer_version)
+      end
+
       private
 
-      def manifest_dependencies
-        dependencies = DependencySet.new
+      sig { returns(DependencySet) }
+      def manifest_dependencies # rubocop:disable Metrics/PerceivedComplexity
+        dependencies = T.let(DependencySet.new, DependencySet)
 
         DEPENDENCY_GROUP_KEYS.each do |keys|
-          next unless parsed_composer_json[keys[:manifest]].is_a?(Hash)
+          manifest = keys[:manifest]
+          next unless manifest.is_a?(String)
 
-          parsed_composer_json[keys[:manifest]].each do |name, req|
+          next unless parsed_composer_json[manifest].is_a?(Hash)
+
+          parsed_composer_json[manifest].each do |name, req|
             next unless package?(name)
 
             if lockfile
-              version = dependency_version(name: name, type: keys[:group])
+              group = keys[:group]
+              next unless group.is_a?(String)
+
+              version = dependency_version(name: name, type: group)
 
               # Ignore dependency versions which don't appear in the
               # composer.lock or are non-numeric and not a git SHA, since they
@@ -61,35 +75,39 @@ module Dependabot
         dependencies
       end
 
+      sig { params(name: String, req: String, keys: T::Hash[Symbol, String]).returns(Dependabot::Dependency) }
       def build_manifest_dependency(name, req, keys)
-        Dependency.new(
+        group = T.must(keys[:group])
+
+        Dependabot::Dependency.new(
           name: name,
-          version: dependency_version(name: name, type: keys[:group]),
+          version: dependency_version(name: name, type: group),
           requirements: [{
             requirement: req,
             file: "composer.json",
             source: dependency_source(
               name: name,
-              type: keys[:group],
+              type: group,
               requirement: req
             ),
-            groups: [keys[:group]]
+            groups: [group]
           }],
           package_manager: "composer"
         )
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { returns(DependencySet) }
       def lockfile_dependencies
-        dependencies = DependencySet.new
+        dependencies = T.let(DependencySet.new, DependencySet)
 
         return dependencies unless lockfile
 
         DEPENDENCY_GROUP_KEYS.each do |keys|
           key = keys.fetch(:lockfile)
-          next unless parsed_lockfile[key].is_a?(Array)
+          next unless parsed_lockfile&.[](key).is_a?(Array)
 
-          parsed_lockfile[key].each do |details|
+          parsed_lockfile&.[](key)&.each do |details|
             name = details["name"]
             next unless name.is_a?(String) && package?(name)
 
@@ -104,11 +122,11 @@ module Dependabot
 
         dependencies
       end
-
       # rubocop:enable Metrics/PerceivedComplexity
 
+      sig { params(name: String, version: String, keys: T::Hash[Symbol, String]).returns(Dependabot::Dependency) }
       def build_lockfile_dependency(name, version, keys)
-        Dependency.new(
+        Dependabot::Dependency.new(
           name: name,
           version: version,
           requirements: [],
@@ -119,6 +137,7 @@ module Dependabot
         )
       end
 
+      sig { params(name: String, type: String).returns(T.nilable(String)) }
       def dependency_version(name:, type:)
         return unless lockfile
 
@@ -131,6 +150,9 @@ module Dependabot
         package.dig("source", "reference")
       end
 
+      sig do
+        params(name: String, type: String, requirement: String).returns(T.nilable(T::Hash[Symbol, T.nilable(String)]))
+      end
       def dependency_source(name:, type:, requirement:)
         return unless lockfile
 
@@ -145,6 +167,10 @@ module Dependabot
         git_dependency_details(package_details, requirement)
       end
 
+      sig do
+        params(package_details: T::Hash[String, T.untyped],
+               requirement: String).returns(T.nilable(T::Hash[Symbol, T.nilable(String)]))
+      end
       def git_dependency_details(package_details, requirement)
         return unless package_details.dig("source", "type") == "git"
 
@@ -164,11 +190,13 @@ module Dependabot
         details.merge(branch: branch, ref: nil)
       end
 
+      sig { params(name: String, type: String).returns(T.nilable(T::Hash[String, T.untyped])) }
       def lockfile_details(name:, type:)
         key = lockfile_key(type)
-        parsed_lockfile.fetch(key, [])&.find { |d| d["name"] == name }
+        parsed_lockfile&.fetch(key, [])&.find { |d| d["name"] == name }
       end
 
+      sig { params(type: String).returns(String) }
       def lockfile_key(type)
         case type
         when "runtime" then "packages"
@@ -177,36 +205,53 @@ module Dependabot
         end
       end
 
+      sig { params(name: String).returns(T::Boolean) }
       def package?(name)
-        # Filter out php, ext-, composer-plugin-api, and other special
-        # packages which don't behave as normal
         name.split("/").count == 2
       end
 
+      sig { override.void }
       def check_required_files
         raise "No composer.json!" unless get_original_file("composer.json")
       end
 
-      def parsed_lockfile
+      sig { returns(T.nilable(T::Hash[String, T.untyped])) }
+      def parsed_lockfile # rubocop:disable Metrics/PerceivedComplexity
         return unless lockfile
 
-        @parsed_lockfile ||= JSON.parse(lockfile.content)
+        content = lockfile&.content
+
+        raise Dependabot::DependencyFileNotParseable, lockfile&.path || "" if content.nil? || content.strip.empty?
+
+        @parsed_lockfile ||= T.let(JSON.parse(content), T.nilable(T::Hash[String, T.untyped]))
       rescue JSON::ParserError
-        raise Dependabot::DependencyFileNotParseable, lockfile.path
+        raise Dependabot::DependencyFileNotParseable, lockfile&.path || ""
       end
 
+      sig { returns(T::Hash[String, T.untyped]) }
       def parsed_composer_json
-        @parsed_composer_json ||= JSON.parse(composer_json.content)
+        content = composer_json&.content
+
+        raise Dependabot::DependencyFileNotParseable, composer_json&.path || "" if content.nil? || content.strip.empty?
+
+        @parsed_composer_json ||= T.let(JSON.parse(content), T.nilable(T::Hash[String, T.untyped]))
       rescue JSON::ParserError
-        raise Dependabot::DependencyFileNotParseable, composer_json.path
+        raise Dependabot::DependencyFileNotParseable, composer_json&.path || ""
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def composer_json
-        @composer_json ||= get_original_file("composer.json")
+        @composer_json ||= T.let(get_original_file("composer.json"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def lockfile
-        @lockfile ||= get_original_file("composer.lock")
+        @lockfile ||= T.let(get_original_file("composer.lock"), T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(String) }
+      def composer_version
+        @composer_version ||= T.let(Helpers.composer_version(parsed_composer_json, parsed_lockfile), T.nilable(String))
       end
     end
   end

data/lib/dependabot/composer/helpers.rb

@@ -1,48 +1,99 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/composer/version"
+require "sorbet-runtime"
 
 module Dependabot
   module Composer
     module Helpers
+      extend T::Sig
+
+      V1 = T.let("1", String)
+      V2 = T.let("2", String)
+      # If we are updating a project with no lock file then the default should be the newest version
+      DEFAULT = T.let(V2, String)
+
       # From composers json-schema: https://getcomposer.org/schema.json
-      COMPOSER_V2_NAME_REGEX = %r{^[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9](([_.]?|-{0,2})[a-z0-9]+)*$}
+      COMPOSER_V2_NAME_REGEX = T.let(
+        %r{^[a-z0-9]([_.-]?[a-z0-9]++)*/[a-z0-9](([_.]?|-{0,2})[a-z0-9]++)*$},
+        Regexp
+      )
+
       # From https://github.com/composer/composer/blob/b7d770659b4e3ef21423bd67ade935572913a4c1/src/Composer/Repository/PlatformRepository.php#L33
-      PLATFORM_PACKAGE_REGEX = /
+      PLATFORM_PACKAGE_REGEX = T.let(
+        /
         ^(?:php(?:-64bit|-ipv6|-zts|-debug)?|hhvm|(?:ext|lib)-[a-z0-9](?:[_.-]?[a-z0-9]+)*
         |composer-(?:plugin|runtime)-api)$
-      /x
+        /x,
+        Regexp
+      )
 
-      FAILED_GIT_CLONE_WITH_MIRROR = /^Failed to execute git clone --(mirror|checkout)[^']*'(?<url>[^']*?)'/
-      FAILED_GIT_CLONE = /^Failed to clone (?<url>.*?)/
+      FAILED_GIT_CLONE_WITH_MIRROR = T.let(
+        /^Failed to execute git clone --(mirror|checkout)[^']*'(?<url>[^']*?)'/,
+        Regexp
+      )
+      FAILED_GIT_CLONE = T.let(/^Failed to clone (?<url>.*?)/, Regexp)
 
+      sig do
+        params(
+          composer_json: T::Hash[String, T.untyped],
+          parsed_lockfile: T.nilable(T::Hash[String, T.untyped])
+        )
+          .returns(String)
+      end
       def self.composer_version(composer_json, parsed_lockfile = nil)
+        v1_unsupported = Dependabot::Experiments.enabled?(:composer_v1_unsupported_error)
+
+        # If the parsed lockfile has a plugin API version, we return either V1 or V2
+        # based on the major version of the lockfile.
         if parsed_lockfile && parsed_lockfile["plugin-api-version"]
           version = Composer::Version.new(parsed_lockfile["plugin-api-version"])
-          return version.canonical_segments.first == 1 ? "1" : "2"
-        else
-          return "1" if composer_json["name"] && composer_json["name"] !~ COMPOSER_V2_NAME_REGEX
-          return "1" if invalid_v2_requirement?(composer_json)
+          return version.canonical_segments.first == 1 ? V1 : V2
+        end
+
+        # Check if the composer name does not follow the Composer V2 naming conventions.
+        # This happens if "name" is present in composer.json but doesn't match the required pattern.
+        composer_name_invalid = composer_json["name"] && composer_json["name"] !~ COMPOSER_V2_NAME_REGEX
+
+        # If the name is invalid returns the fallback version.
+        if composer_name_invalid
+          return v1_unsupported ? V2 : V1
+        end
+
+        # Check if the composer.json file contains "require" entries that don't follow
+        # either the platform package naming conventions or the Composer V2 name conventions.
+        invalid_v2 = invalid_v2_requirement?(composer_json)
+
+        # If there are invalid requirements returns fallback version.
+        if invalid_v2
+          return v1_unsupported ? V2 : V1
         end
 
-        "2"
+        # If no conditions are met return V2 by default.
+        V2
       end
 
+      sig { params(message: String).returns(T.nilable(String)) }
       def self.dependency_url_from_git_clone_error(message)
-        if message.match?(FAILED_GIT_CLONE_WITH_MIRROR)
-          dependency_url = message.match(FAILED_GIT_CLONE_WITH_MIRROR).named_captures.fetch("url")
-          raise "Could not parse dependency_url from git clone error: #{message}" if dependency_url.empty?
+        extract_and_clean_dependency_url(message, FAILED_GIT_CLONE_WITH_MIRROR) ||
+          extract_and_clean_dependency_url(message, FAILED_GIT_CLONE)
+      end
 
-          clean_dependency_url(dependency_url)
-        elsif message.match?(FAILED_GIT_CLONE)
-          dependency_url = message.match(FAILED_GIT_CLONE).named_captures.fetch("url")
-          raise "Could not parse dependency_url from git clone error: #{message}" if dependency_url.empty?
+      sig { params(message: String, regex: Regexp).returns(T.nilable(String)) }
+      def self.extract_and_clean_dependency_url(message, regex)
+        if (match_data = message.match(regex))
+          dependency_url = match_data.named_captures.fetch("url")
+          if dependency_url.nil? || dependency_url.empty?
+            raise "Could not parse dependency_url from git clone error: #{message}"
+          end
 
-          clean_dependency_url(dependency_url)
+          return clean_dependency_url(dependency_url)
         end
+        nil
       end
 
+      sig { params(composer_json: T::Hash[String, T.untyped]).returns(T::Boolean) }
       def self.invalid_v2_requirement?(composer_json)
         return false unless composer_json.key?("require")
 
@@ -52,6 +103,7 @@ module Dependabot
       end
       private_class_method :invalid_v2_requirement?
 
+      sig { params(dependency_url: String).returns(String) }
       def self.clean_dependency_url(dependency_url)
         return dependency_url unless URI::DEFAULT_PARSER.regexp[:ABS_URI].match?(dependency_url)
 

data/lib/dependabot/composer/package_manager.rb

@@ -0,0 +1,61 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/package_manager"
+require "dependabot/composer/version"
+
+module Dependabot
+  module Composer
+    PACKAGE_MANAGER = "composer"
+
+    # Keep versions in ascending order
+    SUPPORTED_COMPOSER_VERSIONS = T.let([Version.new("2")].freeze, T::Array[Dependabot::Version])
+
+    DEPRECATED_COMPOSER_VERSIONS = T.let([
+      Version.new("1")
+    ].freeze, T::Array[Dependabot::Version])
+
+    class PackageManager < PackageManagerBase
+      extend T::Sig
+
+      sig { params(version: T.any(String, Dependabot::Version)).void }
+      def initialize(version)
+        @version = T.let(Version.new(version), Dependabot::Version)
+        @name = T.let(PACKAGE_MANAGER, String)
+        @deprecated_versions = T.let(DEPRECATED_COMPOSER_VERSIONS, T::Array[Dependabot::Version])
+        @supported_versions = T.let(SUPPORTED_COMPOSER_VERSIONS, T::Array[Dependabot::Version])
+      end
+
+      sig { override.returns(String) }
+      attr_reader :name
+
+      sig { override.returns(Dependabot::Version) }
+      attr_reader :version
+
+      sig { override.returns(T::Array[Dependabot::Version]) }
+      attr_reader :deprecated_versions
+
+      sig { override.returns(T::Array[Dependabot::Version]) }
+      attr_reader :supported_versions
+
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        return false if unsupported?
+
+        # Check if the feature flag for Composer v1 deprecation warning is enabled.
+        return false unless Dependabot::Experiments.enabled?(:composer_v1_deprecation_warning)
+
+        deprecated_versions.include?(version)
+      end
+
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        # Check if the feature flag for Composer v1 unsupported error is enabled.
+        return false unless Dependabot::Experiments.enabled?(:composer_v1_unsupported_error)
+
+        supported_versions.all? { |supported| supported > version }
+      end
+    end
+  end
+end

data/lib/dependabot/composer.rb

@@ -10,6 +10,8 @@ require "dependabot/composer/file_updater"
 require "dependabot/composer/metadata_finder"
 require "dependabot/composer/requirement"
 require "dependabot/composer/version"
+require "dependabot/composer/helpers"
+require "dependabot/composer/package_manager"
 
 require "dependabot/pull_request_creator/labeler"
 Dependabot::PullRequestCreator::Labeler

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-composer
 version: !ruby/object:Gem::Version
-  version: 0.279.0
+  version: 0.280.0
 platform: ruby
 authors:
 - Dependabot
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-03 00:00:00.000000000 Z
+date: 2024-10-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.279.0
+        version: 0.280.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.279.0
+        version: 0.280.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -156,14 +156,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.1
+        version: 0.8.5
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.1
+        version: 0.8.5
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -275,6 +275,7 @@ files:
 - lib/dependabot/composer/helpers.rb
 - lib/dependabot/composer/metadata_finder.rb
 - lib/dependabot/composer/native_helpers.rb
+- lib/dependabot/composer/package_manager.rb
 - lib/dependabot/composer/requirement.rb
 - lib/dependabot/composer/update_checker.rb
 - lib/dependabot/composer/update_checker/latest_version_finder.rb
@@ -286,8 +287,8 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.279.0
-post_install_message: 
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.280.0
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -303,7 +304,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 3.1.0
 requirements: []
 rubygems_version: 3.5.9
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Provides Dependabot support for PHP (composer)
 test_files: []