dependabot-core 0.76.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/CHANGELOG.md +6408 -0
- data/LICENSE +37 -0
- data/README.md +115 -0
- data/helpers/elixir/bin/check_update.exs +92 -0
- data/helpers/elixir/bin/do_update.exs +39 -0
- data/helpers/elixir/bin/parse_deps.exs +103 -0
- data/helpers/elixir/bin/run.exs +76 -0
- data/helpers/elixir/mix.exs +21 -0
- data/helpers/elixir/mix.lock +3 -0
- data/helpers/go/Makefile +9 -0
- data/helpers/go/go.mod +9 -0
- data/helpers/go/go.sum +5 -0
- data/helpers/go/importresolver/main.go +34 -0
- data/helpers/go/main.go +77 -0
- data/helpers/go/updatechecker/main.go +107 -0
- data/helpers/go/updater/go.mod +3 -0
- data/helpers/go/updater/go.sum +2 -0
- data/helpers/go/updater/helpers.go +57 -0
- data/helpers/go/updater/main.go +48 -0
- data/helpers/npm/.agignore +1 -0
- data/helpers/npm/.envrc +2 -0
- data/helpers/npm/.eslintrc +14 -0
- data/helpers/npm/.nvimrc +7 -0
- data/helpers/npm/bin/run.js +34 -0
- data/helpers/npm/lib/helpers.js +25 -0
- data/helpers/npm/lib/peer-dependency-checker.js +102 -0
- data/helpers/npm/lib/subdependency-updater.js +48 -0
- data/helpers/npm/lib/updater.js +95 -0
- data/helpers/npm/package.json +17 -0
- data/helpers/npm/test/fixtures/npm-left-pad.json +1 -0
- data/helpers/npm/test/fixtures/updater/original/package-lock.json +16 -0
- data/helpers/npm/test/fixtures/updater/original/package.json +9 -0
- data/helpers/npm/test/fixtures/updater/updated/package-lock.json +16 -0
- data/helpers/npm/test/helpers.js +7 -0
- data/helpers/npm/test/updater.test.js +50 -0
- data/helpers/npm/yarn.lock +6120 -0
- data/helpers/php/.php_cs +34 -0
- data/helpers/php/bin/run.php +57 -0
- data/helpers/php/composer.json +14 -0
- data/helpers/php/composer.lock +1521 -0
- data/helpers/php/composer.phar +0 -0
- data/helpers/php/setup.sh +4 -0
- data/helpers/php/src/DependabotInstallationManager.php +61 -0
- data/helpers/php/src/DependabotPluginManager.php +23 -0
- data/helpers/php/src/ExceptionIO.php +25 -0
- data/helpers/php/src/Hasher.php +21 -0
- data/helpers/php/src/UpdateChecker.php +123 -0
- data/helpers/php/src/Updater.php +97 -0
- data/helpers/python/lib/__init__.py +0 -0
- data/helpers/python/lib/hasher.py +23 -0
- data/helpers/python/lib/parser.py +130 -0
- data/helpers/python/requirements.txt +9 -0
- data/helpers/python/run.py +18 -0
- data/helpers/test/run.rb +15 -0
- data/helpers/utils/git-credential-store-immutable +10 -0
- data/helpers/yarn/.agignore +1 -0
- data/helpers/yarn/.envrc +2 -0
- data/helpers/yarn/.eslintrc +14 -0
- data/helpers/yarn/.nvimrc +7 -0
- data/helpers/yarn/bin/run.js +36 -0
- data/helpers/yarn/lib/fix-duplicates.js +53 -0
- data/helpers/yarn/lib/helpers.js +5 -0
- data/helpers/yarn/lib/lockfile-parser.js +21 -0
- data/helpers/yarn/lib/peer-dependency-checker.js +130 -0
- data/helpers/yarn/lib/replace-lockfile-declaration.js +45 -0
- data/helpers/yarn/lib/subdependency-updater.js +69 -0
- data/helpers/yarn/lib/updater.js +254 -0
- data/helpers/yarn/package.json +17 -0
- data/helpers/yarn/test/fixtures/updater/original/package.json +6 -0
- data/helpers/yarn/test/fixtures/updater/original/yarn.lock +11 -0
- data/helpers/yarn/test/fixtures/updater/updated/yarn.lock +12 -0
- data/helpers/yarn/test/fixtures/updater/with-version-comments/package.json +5 -0
- data/helpers/yarn/test/fixtures/updater/with-version-comments/yarn.lock +13 -0
- data/helpers/yarn/test/fixtures/yarnpkg-is-positive.json +1 -0
- data/helpers/yarn/test/fixtures/yarnpkg-left-pad.json +1 -0
- data/helpers/yarn/test/helpers.js +7 -0
- data/helpers/yarn/test/updater.test.js +93 -0
- data/helpers/yarn/yarn.lock +4912 -0
- data/lib/bundler_definition_bundler_version_patch.rb +15 -0
- data/lib/bundler_definition_ruby_version_patch.rb +14 -0
- data/lib/bundler_git_source_patch.rb +27 -0
- data/lib/dependabot.rb +4 -0
- data/lib/dependabot/clients/bitbucket.rb +101 -0
- data/lib/dependabot/clients/github_with_retries.rb +117 -0
- data/lib/dependabot/clients/gitlab.rb +72 -0
- data/lib/dependabot/dependency.rb +118 -0
- data/lib/dependabot/dependency_file.rb +54 -0
- data/lib/dependabot/errors.rb +179 -0
- data/lib/dependabot/file_fetchers.rb +48 -0
- data/lib/dependabot/file_fetchers/README.md +65 -0
- data/lib/dependabot/file_fetchers/base.rb +302 -0
- data/lib/dependabot/file_fetchers/docker/docker.rb +40 -0
- data/lib/dependabot/file_fetchers/dotnet/nuget.rb +215 -0
- data/lib/dependabot/file_fetchers/dotnet/nuget/import_paths_finder.rb +51 -0
- data/lib/dependabot/file_fetchers/dotnet/nuget/sln_project_paths_finder.rb +55 -0
- data/lib/dependabot/file_fetchers/elixir/hex.rb +78 -0
- data/lib/dependabot/file_fetchers/elm/elm_package.rb +52 -0
- data/lib/dependabot/file_fetchers/git/submodules.rb +73 -0
- data/lib/dependabot/file_fetchers/go/dep.rb +69 -0
- data/lib/dependabot/file_fetchers/go/modules.rb +64 -0
- data/lib/dependabot/file_fetchers/java/gradle.rb +56 -0
- data/lib/dependabot/file_fetchers/java/gradle/settings_file_parser.rb +66 -0
- data/lib/dependabot/file_fetchers/java/maven.rb +127 -0
- data/lib/dependabot/file_fetchers/java_script/npm_and_yarn.rb +330 -0
- data/lib/dependabot/file_fetchers/java_script/npm_and_yarn/path_dependency_builder.rb +107 -0
- data/lib/dependabot/file_fetchers/php/composer.rb +131 -0
- data/lib/dependabot/file_fetchers/python/pip.rb +305 -0
- data/lib/dependabot/file_fetchers/ruby/bundler.rb +185 -0
- data/lib/dependabot/file_fetchers/ruby/bundler/child_gemfile_finder.rb +70 -0
- data/lib/dependabot/file_fetchers/ruby/bundler/path_gemspec_finder.rb +114 -0
- data/lib/dependabot/file_fetchers/ruby/bundler/require_relative_finder.rb +67 -0
- data/lib/dependabot/file_fetchers/rust/cargo.rb +240 -0
- data/lib/dependabot/file_parsers.rb +48 -0
- data/lib/dependabot/file_parsers/README.md +45 -0
- data/lib/dependabot/file_parsers/base.rb +31 -0
- data/lib/dependabot/file_parsers/base/dependency_set.rb +77 -0
- data/lib/dependabot/file_parsers/docker/docker.rb +164 -0
- data/lib/dependabot/file_parsers/dotnet/nuget.rb +85 -0
- data/lib/dependabot/file_parsers/dotnet/nuget/packages_config_parser.rb +65 -0
- data/lib/dependabot/file_parsers/dotnet/nuget/project_file_parser.rb +156 -0
- data/lib/dependabot/file_parsers/dotnet/nuget/property_value_finder.rb +131 -0
- data/lib/dependabot/file_parsers/elixir/hex.rb +134 -0
- data/lib/dependabot/file_parsers/elm/elm_package.rb +136 -0
- data/lib/dependabot/file_parsers/git/submodules.rb +69 -0
- data/lib/dependabot/file_parsers/go/dep.rb +163 -0
- data/lib/dependabot/file_parsers/go/modules.rb +34 -0
- data/lib/dependabot/file_parsers/go/modules/go_mod_parser.rb +134 -0
- data/lib/dependabot/file_parsers/java/gradle.rb +236 -0
- data/lib/dependabot/file_parsers/java/gradle/property_value_finder.rb +90 -0
- data/lib/dependabot/file_parsers/java/gradle/repositories_finder.rb +145 -0
- data/lib/dependabot/file_parsers/java/maven.rb +252 -0
- data/lib/dependabot/file_parsers/java/maven/property_value_finder.rb +166 -0
- data/lib/dependabot/file_parsers/java/maven/repositories_finder.rb +188 -0
- data/lib/dependabot/file_parsers/java_script/npm_and_yarn.rb +394 -0
- data/lib/dependabot/file_parsers/php/composer.rb +177 -0
- data/lib/dependabot/file_parsers/python/pip.rb +223 -0
- data/lib/dependabot/file_parsers/python/pip/pipfile_files_parser.rb +154 -0
- data/lib/dependabot/file_parsers/python/pip/poetry_files_parser.rb +141 -0
- data/lib/dependabot/file_parsers/python/pip/setup_file_parser.rb +160 -0
- data/lib/dependabot/file_parsers/ruby/bundler.rb +295 -0
- data/lib/dependabot/file_parsers/ruby/bundler/file_preparer.rb +85 -0
- data/lib/dependabot/file_parsers/ruby/bundler/gemfile_checker.rb +48 -0
- data/lib/dependabot/file_parsers/rust/cargo.rb +213 -0
- data/lib/dependabot/file_updaters.rb +48 -0
- data/lib/dependabot/file_updaters/README.md +58 -0
- data/lib/dependabot/file_updaters/base.rb +52 -0
- data/lib/dependabot/file_updaters/docker/docker.rb +133 -0
- data/lib/dependabot/file_updaters/dotnet/nuget.rb +151 -0
- data/lib/dependabot/file_updaters/dotnet/nuget/packages_config_declaration_finder.rb +69 -0
- data/lib/dependabot/file_updaters/dotnet/nuget/project_file_declaration_finder.rb +78 -0
- data/lib/dependabot/file_updaters/dotnet/nuget/property_value_updater.rb +64 -0
- data/lib/dependabot/file_updaters/elixir/hex.rb +71 -0
- data/lib/dependabot/file_updaters/elixir/hex/lockfile_updater.rb +147 -0
- data/lib/dependabot/file_updaters/elixir/hex/mixfile_git_pin_updater.rb +53 -0
- data/lib/dependabot/file_updaters/elixir/hex/mixfile_requirement_updater.rb +74 -0
- data/lib/dependabot/file_updaters/elixir/hex/mixfile_sanitizer.rb +28 -0
- data/lib/dependabot/file_updaters/elixir/hex/mixfile_updater.rb +98 -0
- data/lib/dependabot/file_updaters/elm/elm_package.rb +79 -0
- data/lib/dependabot/file_updaters/elm/elm_package/elm_json_updater.rb +69 -0
- data/lib/dependabot/file_updaters/elm/elm_package/elm_package_updater.rb +69 -0
- data/lib/dependabot/file_updaters/git/submodules.rb +38 -0
- data/lib/dependabot/file_updaters/go/dep.rb +77 -0
- data/lib/dependabot/file_updaters/go/dep/lockfile_updater.rb +219 -0
- data/lib/dependabot/file_updaters/go/dep/manifest_updater.rb +155 -0
- data/lib/dependabot/file_updaters/go/modules.rb +71 -0
- data/lib/dependabot/file_updaters/go/modules/go_mod_updater.rb +81 -0
- data/lib/dependabot/file_updaters/java/gradle.rb +176 -0
- data/lib/dependabot/file_updaters/java/gradle/dependency_set_updater.rb +66 -0
- data/lib/dependabot/file_updaters/java/gradle/property_value_updater.rb +58 -0
- data/lib/dependabot/file_updaters/java/maven.rb +155 -0
- data/lib/dependabot/file_updaters/java/maven/declaration_finder.rb +132 -0
- data/lib/dependabot/file_updaters/java/maven/property_value_updater.rb +61 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn.rb +159 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn/npm_lockfile_updater.rb +532 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn/npmrc_builder.rb +191 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn/package_json_preparer.rb +91 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn/package_json_updater.rb +220 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn/yarn_lockfile_updater.rb +475 -0
- data/lib/dependabot/file_updaters/php/composer.rb +78 -0
- data/lib/dependabot/file_updaters/php/composer/lockfile_updater.rb +264 -0
- data/lib/dependabot/file_updaters/php/composer/manifest_updater.rb +70 -0
- data/lib/dependabot/file_updaters/python/pip.rb +147 -0
- data/lib/dependabot/file_updaters/python/pip/pip_compile_file_updater.rb +363 -0
- data/lib/dependabot/file_updaters/python/pip/pipfile_file_updater.rb +397 -0
- data/lib/dependabot/file_updaters/python/pip/pipfile_preparer.rb +125 -0
- data/lib/dependabot/file_updaters/python/pip/poetry_file_updater.rb +289 -0
- data/lib/dependabot/file_updaters/python/pip/pyproject_preparer.rb +105 -0
- data/lib/dependabot/file_updaters/python/pip/requirement_file_updater.rb +166 -0
- data/lib/dependabot/file_updaters/python/pip/requirement_replacer.rb +95 -0
- data/lib/dependabot/file_updaters/python/pip/setup_file_sanitizer.rb +91 -0
- data/lib/dependabot/file_updaters/ruby/bundler.rb +121 -0
- data/lib/dependabot/file_updaters/ruby/bundler/gemfile_updater.rb +116 -0
- data/lib/dependabot/file_updaters/ruby/bundler/gemspec_dependency_name_finder.rb +52 -0
- data/lib/dependabot/file_updaters/ruby/bundler/gemspec_sanitizer.rb +298 -0
- data/lib/dependabot/file_updaters/ruby/bundler/gemspec_updater.rb +64 -0
- data/lib/dependabot/file_updaters/ruby/bundler/git_pin_replacer.rb +80 -0
- data/lib/dependabot/file_updaters/ruby/bundler/git_source_remover.rb +102 -0
- data/lib/dependabot/file_updaters/ruby/bundler/lockfile_updater.rb +384 -0
- data/lib/dependabot/file_updaters/ruby/bundler/requirement_replacer.rb +188 -0
- data/lib/dependabot/file_updaters/rust/cargo.rb +83 -0
- data/lib/dependabot/file_updaters/rust/cargo/lockfile_updater.rb +251 -0
- data/lib/dependabot/file_updaters/rust/cargo/manifest_updater.rb +162 -0
- data/lib/dependabot/git_commit_checker.rb +412 -0
- data/lib/dependabot/metadata_finders.rb +46 -0
- data/lib/dependabot/metadata_finders/README.md +53 -0
- data/lib/dependabot/metadata_finders/base.rb +117 -0
- data/lib/dependabot/metadata_finders/base/changelog_finder.rb +317 -0
- data/lib/dependabot/metadata_finders/base/changelog_pruner.rb +177 -0
- data/lib/dependabot/metadata_finders/base/commits_finder.rb +217 -0
- data/lib/dependabot/metadata_finders/base/release_finder.rb +251 -0
- data/lib/dependabot/metadata_finders/docker/docker.rb +18 -0
- data/lib/dependabot/metadata_finders/dotnet/nuget.rb +116 -0
- data/lib/dependabot/metadata_finders/elixir/hex.rb +69 -0
- data/lib/dependabot/metadata_finders/elm/elm_package.rb +22 -0
- data/lib/dependabot/metadata_finders/git/submodules.rb +20 -0
- data/lib/dependabot/metadata_finders/go/dep.rb +56 -0
- data/lib/dependabot/metadata_finders/java/maven.rb +173 -0
- data/lib/dependabot/metadata_finders/java_script/npm_and_yarn.rb +215 -0
- data/lib/dependabot/metadata_finders/php/composer.rb +66 -0
- data/lib/dependabot/metadata_finders/python/pip.rb +120 -0
- data/lib/dependabot/metadata_finders/ruby/bundler.rb +150 -0
- data/lib/dependabot/metadata_finders/rust/cargo.rb +64 -0
- data/lib/dependabot/pull_request_creator.rb +151 -0
- data/lib/dependabot/pull_request_creator/branch_namer.rb +170 -0
- data/lib/dependabot/pull_request_creator/commit_signer.rb +63 -0
- data/lib/dependabot/pull_request_creator/github.rb +233 -0
- data/lib/dependabot/pull_request_creator/gitlab.rb +122 -0
- data/lib/dependabot/pull_request_creator/labeler.rb +361 -0
- data/lib/dependabot/pull_request_creator/message_builder.rb +888 -0
- data/lib/dependabot/pull_request_updater.rb +43 -0
- data/lib/dependabot/pull_request_updater/github.rb +151 -0
- data/lib/dependabot/shared_helpers.rb +201 -0
- data/lib/dependabot/source.rb +120 -0
- data/lib/dependabot/update_checkers.rb +48 -0
- data/lib/dependabot/update_checkers/README.md +67 -0
- data/lib/dependabot/update_checkers/base.rb +220 -0
- data/lib/dependabot/update_checkers/docker/docker.rb +290 -0
- data/lib/dependabot/update_checkers/dotnet/nuget.rb +127 -0
- data/lib/dependabot/update_checkers/dotnet/nuget/property_updater.rb +97 -0
- data/lib/dependabot/update_checkers/dotnet/nuget/repository_finder.rb +232 -0
- data/lib/dependabot/update_checkers/dotnet/nuget/requirements_updater.rb +81 -0
- data/lib/dependabot/update_checkers/dotnet/nuget/version_finder.rb +231 -0
- data/lib/dependabot/update_checkers/elixir/hex.rb +274 -0
- data/lib/dependabot/update_checkers/elixir/hex/file_preparer.rb +193 -0
- data/lib/dependabot/update_checkers/elixir/hex/requirements_updater.rb +177 -0
- data/lib/dependabot/update_checkers/elixir/hex/version_resolver.rb +175 -0
- data/lib/dependabot/update_checkers/elm/elm_package.rb +126 -0
- data/lib/dependabot/update_checkers/elm/elm_package/cli_parser.rb +33 -0
- data/lib/dependabot/update_checkers/elm/elm_package/elm_18_version_resolver.rb +234 -0
- data/lib/dependabot/update_checkers/elm/elm_package/elm_19_version_resolver.rb +198 -0
- data/lib/dependabot/update_checkers/elm/elm_package/requirements_updater.rb +75 -0
- data/lib/dependabot/update_checkers/git/submodules.rb +52 -0
- data/lib/dependabot/update_checkers/go/dep.rb +311 -0
- data/lib/dependabot/update_checkers/go/dep/file_preparer.rb +221 -0
- data/lib/dependabot/update_checkers/go/dep/latest_version_finder.rb +169 -0
- data/lib/dependabot/update_checkers/go/dep/requirements_updater.rb +223 -0
- data/lib/dependabot/update_checkers/go/dep/version_resolver.rb +164 -0
- data/lib/dependabot/update_checkers/go/modules.rb +112 -0
- data/lib/dependabot/update_checkers/java/gradle.rb +148 -0
- data/lib/dependabot/update_checkers/java/gradle/multi_dependency_updater.rb +105 -0
- data/lib/dependabot/update_checkers/java/gradle/version_finder.rb +183 -0
- data/lib/dependabot/update_checkers/java/maven.rb +159 -0
- data/lib/dependabot/update_checkers/java/maven/property_updater.rb +127 -0
- data/lib/dependabot/update_checkers/java/maven/requirements_updater.rb +92 -0
- data/lib/dependabot/update_checkers/java/maven/version_finder.rb +225 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn.rb +280 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn/latest_version_finder.rb +342 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn/library_detector.rb +69 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn/registry_finder.rb +226 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn/requirements_updater.rb +197 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn/subdependency_version_resolver.rb +228 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn/version_resolver.rb +452 -0
- data/lib/dependabot/update_checkers/php/composer.rb +165 -0
- data/lib/dependabot/update_checkers/php/composer/requirements_updater.rb +243 -0
- data/lib/dependabot/update_checkers/php/composer/version_resolver.rb +203 -0
- data/lib/dependabot/update_checkers/python/pip.rb +227 -0
- data/lib/dependabot/update_checkers/python/pip/latest_version_finder.rb +252 -0
- data/lib/dependabot/update_checkers/python/pip/pip_compile_version_resolver.rb +380 -0
- data/lib/dependabot/update_checkers/python/pip/pipfile_version_resolver.rb +559 -0
- data/lib/dependabot/update_checkers/python/pip/poetry_version_resolver.rb +300 -0
- data/lib/dependabot/update_checkers/python/pip/requirements_updater.rb +367 -0
- data/lib/dependabot/update_checkers/ruby/bundler.rb +324 -0
- data/lib/dependabot/update_checkers/ruby/bundler/file_preparer.rb +278 -0
- data/lib/dependabot/update_checkers/ruby/bundler/force_updater.rb +261 -0
- data/lib/dependabot/update_checkers/ruby/bundler/latest_version_finder.rb +169 -0
- data/lib/dependabot/update_checkers/ruby/bundler/requirements_updater.rb +264 -0
- data/lib/dependabot/update_checkers/ruby/bundler/ruby_requirement_setter.rb +115 -0
- data/lib/dependabot/update_checkers/ruby/bundler/shared_bundler_helpers.rb +243 -0
- data/lib/dependabot/update_checkers/ruby/bundler/version_resolver.rb +255 -0
- data/lib/dependabot/update_checkers/rust/cargo.rb +282 -0
- data/lib/dependabot/update_checkers/rust/cargo/file_preparer.rb +202 -0
- data/lib/dependabot/update_checkers/rust/cargo/requirements_updater.rb +175 -0
- data/lib/dependabot/update_checkers/rust/cargo/version_resolver.rb +242 -0
- data/lib/dependabot/utils.rb +84 -0
- data/lib/dependabot/utils/docker/credentials_finder.rb +65 -0
- data/lib/dependabot/utils/dotnet/requirement.rb +90 -0
- data/lib/dependabot/utils/dotnet/version.rb +22 -0
- data/lib/dependabot/utils/elixir/requirement.rb +53 -0
- data/lib/dependabot/utils/elixir/version.rb +59 -0
- data/lib/dependabot/utils/elm/requirement.rb +92 -0
- data/lib/dependabot/utils/elm/version.rb +19 -0
- data/lib/dependabot/utils/go/path_converter.rb +74 -0
- data/lib/dependabot/utils/go/requirement.rb +152 -0
- data/lib/dependabot/utils/go/shared_helper.rb +20 -0
- data/lib/dependabot/utils/go/version.rb +40 -0
- data/lib/dependabot/utils/java/requirement.rb +110 -0
- data/lib/dependabot/utils/java/version.rb +179 -0
- data/lib/dependabot/utils/java_script/requirement.rb +117 -0
- data/lib/dependabot/utils/java_script/version.rb +30 -0
- data/lib/dependabot/utils/php/requirement.rb +97 -0
- data/lib/dependabot/utils/php/version.rb +22 -0
- data/lib/dependabot/utils/python/requirement.rb +130 -0
- data/lib/dependabot/utils/python/version.rb +88 -0
- data/lib/dependabot/utils/ruby/requirement.rb +26 -0
- data/lib/dependabot/utils/rust/requirement.rb +108 -0
- data/lib/dependabot/utils/rust/version.rb +32 -0
- data/lib/dependabot/version.rb +5 -0
- data/lib/python_requirement_parser.rb +33 -0
- data/lib/python_versions.rb +21 -0
- metadata +641 -0
data/LICENSE
ADDED
@@ -0,0 +1,37 @@
|
|
1
|
+
The Prosperity Public License 1.0.1
|
2
|
+
|
3
|
+
Copyright Notice: {Licensor Name}
|
4
|
+
|
5
|
+
Source Notice: {https://example.com/project}
|
6
|
+
|
7
|
+
This license lets you use and share this software for free,
|
8
|
+
with a trial-length time limit on commercial use. Specifically:
|
9
|
+
|
10
|
+
If you follow the rules below, you may do everything with this
|
11
|
+
software that would otherwise infringe my copyright in it or any
|
12
|
+
patent claim I can license that covers this software as of my
|
13
|
+
latest contribution.
|
14
|
+
|
15
|
+
1. You must limit use of this software in any manner primarily
|
16
|
+
intended for or directed toward commercial advantage or
|
17
|
+
private monetary compensation to a trial period of 32
|
18
|
+
consecutive calendar days. This limit does not apply to use in
|
19
|
+
developing feedback, modifications, or extensions that you
|
20
|
+
contribute back to those giving this license.
|
21
|
+
|
22
|
+
2. Ensure everyone who gets a copy of this software from you,
|
23
|
+
in source code or any other form, gets the text of this
|
24
|
+
license and the copyright and source notices above.
|
25
|
+
|
26
|
+
3. Do not make any legal claim against anyone for infringing
|
27
|
+
any patent claim they would infringe by using this software
|
28
|
+
alone, accusing this software, with or without changes,
|
29
|
+
alone or as part of a larger program.
|
30
|
+
|
31
|
+
You are excused for unknowingly breaking rule 1 if you stop
|
32
|
+
doing anything requiring this license within 30 days of
|
33
|
+
learning you broke the rule.
|
34
|
+
|
35
|
+
**This software comes as is, without any warranty at all. As far
|
36
|
+
as the law allows, I will not be liable for any damages related
|
37
|
+
to this software or this license, for any kind of legal claim.**
|
data/README.md
ADDED
@@ -0,0 +1,115 @@
|
|
1
|
+
<p align="center">
|
2
|
+
<img src="https://s3.eu-west-2.amazonaws.com/dependabot-images/logo-with-name-horizontal.svg" alt="Dependabot" width="300">
|
3
|
+
</p>
|
4
|
+
|
5
|
+
# Dependabot Core [![Dependabot Status][dependabot-status]][dependabot]
|
6
|
+
|
7
|
+
Dependabot Core is the heart of [Dependabot][dependabot]. It handles the logic
|
8
|
+
for updating dependencies on GitHub (including GitHub Enterprise) and GitLab. We
|
9
|
+
plan to add support for Bitbucket in future, too.
|
10
|
+
|
11
|
+
If you want to host your own automated dependency update bot then this repo
|
12
|
+
should give you the tools you need. A reference implementation is available
|
13
|
+
[here][dependabot-script].
|
14
|
+
|
15
|
+
## What's in this repo?
|
16
|
+
|
17
|
+
Dependabot Core is a collection of helper classes for automating dependency
|
18
|
+
updating in Ruby, JavaScript, Python, PHP, Elixir, Elm, Go, Rust, Java and
|
19
|
+
.NET. It can also update git submodules, Docker files and Terraform files.
|
20
|
+
Highlights include:
|
21
|
+
|
22
|
+
- Logic to check for the latest version of a dependency *that's resolvable given
|
23
|
+
a project's other dependencies*
|
24
|
+
- Logic to generate updated manifest and lockfiles for a new dependency version
|
25
|
+
- Logic to find changelogs, release notes, and commits for a dependency update
|
26
|
+
|
27
|
+
## Other Dependabot resources
|
28
|
+
|
29
|
+
In addition to this library, you may be interested in:
|
30
|
+
|
31
|
+
- The [dependabot-script][dependabot-script] repo, which provides a collection
|
32
|
+
of scripts that use this library to update dependencies on GitHub Enterprise
|
33
|
+
or GitLab
|
34
|
+
- The [API docs][api-docs] for Dependabot's hosted instance (dependabot.com)
|
35
|
+
|
36
|
+
## Setup
|
37
|
+
|
38
|
+
To run all of Dependabot Core, you'll need Ruby, Python, PHP, Elixir, Node, Go,
|
39
|
+
Elm and Rust installed. However, if you just wish to run it for a single
|
40
|
+
language you can get away with just having that language and Ruby.
|
41
|
+
|
42
|
+
The main library is written in Ruby, while JavaScript, Python, PHP, Elm,
|
43
|
+
Elixir, Go and Rust are required for dealing with updates for their respective
|
44
|
+
languages.
|
45
|
+
|
46
|
+
Before running Dependabot Core, install dependencies for the core library and
|
47
|
+
the helpers:
|
48
|
+
|
49
|
+
1. `bundle install`
|
50
|
+
2. `cd helpers/yarn && yarn install && cd -`
|
51
|
+
3. `cd helpers/npm && yarn install && cd -`
|
52
|
+
4. `cd helpers/php && composer install && cd -`
|
53
|
+
5. `cd helpers/python && pyenv exec pip install -r requirements.txt && cd -`
|
54
|
+
6. `cd helpers/elixir && mix deps.get && cd -`
|
55
|
+
|
56
|
+
## Architecture
|
57
|
+
|
58
|
+
Dependabot Core has helper classes for seven concerns. Where relevant, each
|
59
|
+
concern will have a language-specific class.
|
60
|
+
|
61
|
+
| Service | Description |
|
62
|
+
|----------------------------------|-----------------------------------------------------------------------------------------------|
|
63
|
+
| `Dependabot::FileFetchers` | Fetches the relevant dependency files for a project (e.g., the `Gemfile` and `Gemfile.lock`). See the [file fetchers](https://github.com/dependabot/dependabot-core/tree/master/lib/dependabot/file_fetchers) for more details. |
|
64
|
+
| `Dependabot::FileParsers` | Parses a dependency file and extracts a list of dependencies for a project. See the [file parsers](https://github.com/dependabot/dependabot-core/tree/master/lib/dependabot/file_parsers) for more details. |
|
65
|
+
| `Dependabot::UpdateCheckers` | Checks whether a given dependency is up-to-date. See the [update checkers](https://github.com/dependabot/dependabot-core/tree/master/lib/dependabot/update_checkers) for more details. |
|
66
|
+
| `Dependabot::FileUpdaters` | Updates a dependency file to use the latest version of a given dependency. See the [file updaters](https://github.com/dependabot/dependabot-core/tree/master/lib/dependabot/file_updaters) for more details. |
|
67
|
+
| `Dependabot::MetadataFinders` | Looks up metadata about a dependency, such as its GitHub URL. See the [metadata finders](https://github.com/dependabot/dependabot-core/tree/master/lib/dependabot/metadata_finders) for more details. |
|
68
|
+
| `Dependabot::PullRequestCreator` | Creates a Pull Request to the original repo with the updated dependency file. |
|
69
|
+
| `Dependabot::PullRequestUpdater` | Updates an existing Pull Request with new dependency files (e.g., to resolve conflicts). |
|
70
|
+
|
71
|
+
## Why is this public?
|
72
|
+
|
73
|
+
As the name suggests, Dependabot Core is the core of Dependabot (the rest of the
|
74
|
+
app is pretty much just a UI and database). If we were paranoid about someone
|
75
|
+
stealing our business then we'd be keeping it under lock and key.
|
76
|
+
|
77
|
+
Dependabot Core is public because we're more interested in it having an
|
78
|
+
impact than we are in making a buck from it. We'd love you to use
|
79
|
+
[Dependabot][dependabot], so that we can continue to develop it, but if you want
|
80
|
+
to build and host your own version then this library should make doing so a
|
81
|
+
*lot* easier.
|
82
|
+
|
83
|
+
If you use Dependabot Core then we'd love to hear what you build!
|
84
|
+
|
85
|
+
## License
|
86
|
+
|
87
|
+
We use the License Zero Prosperity Public License, which essentially enshrines
|
88
|
+
the following:
|
89
|
+
- If you would like to use Dependabot Core for non-commerical purposes, such as
|
90
|
+
to host a bot at your workplace, then we give you full permission to do so. In
|
91
|
+
fact, we'd love you to, and will help and support you however we can.
|
92
|
+
- If you would like to add Dependabot's functionality to your for-profit
|
93
|
+
company's offering then we DO NOT give you permission to use Dependabot Core
|
94
|
+
to do so. Please contact us directly to discuss a partnership or licensing
|
95
|
+
arrangement.
|
96
|
+
|
97
|
+
If you make a significant contribution to Dependabot Core then you will be asked
|
98
|
+
to transfer the IP of that contribution to Dependabot Ltd so that it can be
|
99
|
+
licensed in the same way as the above.
|
100
|
+
|
101
|
+
## History
|
102
|
+
|
103
|
+
Dependabot and Dependabot Core started life as [Bump][bump] and
|
104
|
+
[Bump Core][bump-core], back when Harry and Grey were working at
|
105
|
+
[GoCardless][gocardless]. We remain grateful for the help and support of
|
106
|
+
GoCardless in helping make Dependabot possible - if you need to collect
|
107
|
+
recurring payments from Europe, check them out.
|
108
|
+
|
109
|
+
[dependabot]: https://dependabot.com
|
110
|
+
[dependabot-status]: https://api.dependabot.com/badges/status?host=github&identifier=93163073
|
111
|
+
[dependabot-script]: https://github.com/dependabot/dependabot-script
|
112
|
+
[api-docs]: https://github.com/dependabot/api-docs
|
113
|
+
[bump]: https://github.com/gocardless/bump
|
114
|
+
[bump-core]: https://github.com/gocardless/bump-core
|
115
|
+
[gocardless]: https://gocardless.com
|
@@ -0,0 +1,92 @@
|
|
1
|
+
defmodule UpdateChecker do
|
2
|
+
def run(dependency_name, credentials) do
|
3
|
+
set_credentials(credentials)
|
4
|
+
|
5
|
+
# Update the lockfile in a session that we can time out
|
6
|
+
task = Task.async(fn -> do_resolution(dependency_name) end)
|
7
|
+
case Task.yield(task, 30000) || Task.shutdown(task) do
|
8
|
+
{:ok, {:ok, :resolution_successful}} ->
|
9
|
+
# Read the new lock
|
10
|
+
{updated_lock, _updated_rest_lock} =
|
11
|
+
Map.split(Mix.Dep.Lock.read(), [String.to_atom(dependency_name)])
|
12
|
+
|
13
|
+
# Get the new dependency version
|
14
|
+
version =
|
15
|
+
updated_lock
|
16
|
+
|> Map.get(String.to_atom(dependency_name))
|
17
|
+
|> elem(2)
|
18
|
+
{:ok, version}
|
19
|
+
|
20
|
+
{:ok, {:error, error}} -> {:error, error}
|
21
|
+
|
22
|
+
nil -> {:error, :dependency_resolution_timed_out}
|
23
|
+
|
24
|
+
{:exit, reason} -> {:error, reason}
|
25
|
+
end
|
26
|
+
end
|
27
|
+
|
28
|
+
defp set_credentials(credentials) do
|
29
|
+
credentials
|
30
|
+
|> Enum.reduce([], fn cred, acc ->
|
31
|
+
if List.last(acc) == nil || List.last(acc)[:token] do
|
32
|
+
List.insert_at(acc, -1, %{organization: cred})
|
33
|
+
else
|
34
|
+
{item, acc} = List.pop_at(acc, -1)
|
35
|
+
item = Map.put(item, :token, cred)
|
36
|
+
List.insert_at(acc, -1, item)
|
37
|
+
end
|
38
|
+
end)
|
39
|
+
|> Enum.each(fn cred ->
|
40
|
+
hexpm = Hex.Repo.get_repo("hexpm")
|
41
|
+
|
42
|
+
repo = %{
|
43
|
+
url: hexpm.url <> "/repos/#{cred.organization}",
|
44
|
+
public_key: nil,
|
45
|
+
auth_key: cred.token
|
46
|
+
}
|
47
|
+
|
48
|
+
Hex.Config.read()
|
49
|
+
|> Hex.Config.read_repos()
|
50
|
+
|> Map.put("hexpm:#{cred.organization}", repo)
|
51
|
+
|> Hex.Config.update_repos()
|
52
|
+
end)
|
53
|
+
end
|
54
|
+
|
55
|
+
defp do_resolution(dependency_name) do
|
56
|
+
# Fetch dependencies that needs updating
|
57
|
+
{dependency_lock, rest_lock} =
|
58
|
+
Map.split(Mix.Dep.Lock.read(), [String.to_atom(dependency_name)])
|
59
|
+
|
60
|
+
try do
|
61
|
+
Mix.Dep.Fetcher.by_name([dependency_name], dependency_lock, rest_lock, [])
|
62
|
+
{:ok, :resolution_successful}
|
63
|
+
rescue
|
64
|
+
error -> {:error, error}
|
65
|
+
end
|
66
|
+
end
|
67
|
+
end
|
68
|
+
|
69
|
+
[dependency_name | credentials] = System.argv()
|
70
|
+
|
71
|
+
|
72
|
+
case UpdateChecker.run(dependency_name, credentials) do
|
73
|
+
{:ok, version} ->
|
74
|
+
version = :erlang.term_to_binary({:ok, version})
|
75
|
+
IO.write(:stdio, version)
|
76
|
+
|
77
|
+
{:error, %Hex.Version.InvalidRequirementError{} = error} ->
|
78
|
+
result = :erlang.term_to_binary({:error, "Invalid requirement: #{error.requirement}"})
|
79
|
+
IO.write(:stdio, result)
|
80
|
+
|
81
|
+
{:error, %Mix.Error{} = error} ->
|
82
|
+
result = :erlang.term_to_binary({:error, "Dependency resolution failed: #{error.message}"})
|
83
|
+
IO.write(:stdio, result)
|
84
|
+
|
85
|
+
{:error, :dependency_resolution_timed_out} ->
|
86
|
+
# We do nothing here because Hex is already printing out a message in stdout
|
87
|
+
nil
|
88
|
+
|
89
|
+
{:error, error} ->
|
90
|
+
result = :erlang.term_to_binary({:error, "Unknown error in check_update: #{inspect(error)}"})
|
91
|
+
IO.write(:stdio, result)
|
92
|
+
end
|
@@ -0,0 +1,39 @@
|
|
1
|
+
[dependency_name | credentials] = System.argv()
|
2
|
+
|
3
|
+
grouped_creds = Enum.reduce credentials, [], fn cred, acc ->
|
4
|
+
if List.last(acc) == nil || List.last(acc)[:token] do
|
5
|
+
List.insert_at(acc, -1, %{ organization: cred })
|
6
|
+
else
|
7
|
+
{ item, acc } = List.pop_at(acc, -1)
|
8
|
+
item = Map.put(item, :token, cred)
|
9
|
+
List.insert_at(acc, -1, item)
|
10
|
+
end
|
11
|
+
end
|
12
|
+
|
13
|
+
Enum.each grouped_creds, fn cred ->
|
14
|
+
hexpm = Hex.Repo.get_repo("hexpm")
|
15
|
+
repo = %{
|
16
|
+
url: hexpm.url <> "/repos/#{cred.organization}",
|
17
|
+
public_key: nil,
|
18
|
+
auth_key: cred.token
|
19
|
+
}
|
20
|
+
|
21
|
+
Hex.Config.read()
|
22
|
+
|> Hex.Config.read_repos()
|
23
|
+
|> Map.put("hexpm:#{cred.organization}", repo)
|
24
|
+
|> Hex.Config.update_repos()
|
25
|
+
end
|
26
|
+
|
27
|
+
# dependency atom
|
28
|
+
dependency = String.to_atom(dependency_name)
|
29
|
+
|
30
|
+
# Fetch dependencies that needs updating
|
31
|
+
{dependency_lock, rest_lock} = Map.split(Mix.Dep.Lock.read(), [dependency])
|
32
|
+
Mix.Dep.Fetcher.by_name([dependency_name], dependency_lock, rest_lock, [])
|
33
|
+
|
34
|
+
lockfile_content =
|
35
|
+
"mix.lock"
|
36
|
+
|> File.read()
|
37
|
+
|> :erlang.term_to_binary()
|
38
|
+
|
39
|
+
IO.write(:stdio, lockfile_content)
|
@@ -0,0 +1,103 @@
|
|
1
|
+
defmodule Parser do
|
2
|
+
def run do
|
3
|
+
Mix.Dep.load_on_environment([])
|
4
|
+
|> Enum.flat_map(&parse_dep/1)
|
5
|
+
|> Enum.map(&build_dependency(&1.opts[:lock], &1))
|
6
|
+
end
|
7
|
+
|
8
|
+
defp build_dependency(nil, dep) do
|
9
|
+
%{
|
10
|
+
name: dep.app,
|
11
|
+
from: Path.relative_to_cwd(dep.from),
|
12
|
+
groups: [],
|
13
|
+
requirement: normalise_requirement(dep.requirement),
|
14
|
+
top_level: dep.top_level || umbrella_top_level_dep?(dep)
|
15
|
+
}
|
16
|
+
end
|
17
|
+
|
18
|
+
defp build_dependency(lock, dep) do
|
19
|
+
{version, checksum, source} = parse_lock(lock)
|
20
|
+
groups = parse_groups(dep.opts[:only])
|
21
|
+
|
22
|
+
%{
|
23
|
+
name: dep.app,
|
24
|
+
from: Path.relative_to_cwd(dep.from),
|
25
|
+
version: version,
|
26
|
+
groups: groups,
|
27
|
+
checksum: checksum,
|
28
|
+
requirement: normalise_requirement(dep.requirement),
|
29
|
+
source: source,
|
30
|
+
top_level: dep.top_level || umbrella_top_level_dep?(dep)
|
31
|
+
}
|
32
|
+
end
|
33
|
+
|
34
|
+
defp parse_groups(nil), do: []
|
35
|
+
defp parse_groups(only) when is_list(only), do: only
|
36
|
+
defp parse_groups(only), do: [only]
|
37
|
+
|
38
|
+
# path dependency
|
39
|
+
defp parse_dep(%{scm: Mix.SCM.Path, opts: opts} = dep) do
|
40
|
+
cond do
|
41
|
+
# umbrella dependency - ignore
|
42
|
+
opts[:in_umbrella] ->
|
43
|
+
[]
|
44
|
+
|
45
|
+
# umbrella application
|
46
|
+
opts[:from_umbrella] ->
|
47
|
+
Enum.reject(dep.deps, fn dep -> dep.opts[:in_umbrella] end)
|
48
|
+
|
49
|
+
true ->
|
50
|
+
[]
|
51
|
+
end
|
52
|
+
end
|
53
|
+
|
54
|
+
# hex, git dependency
|
55
|
+
defp parse_dep(%{scm: scm} = dep) when scm in [Hex.SCM, Mix.SCM.Git], do: [dep]
|
56
|
+
|
57
|
+
# unsupported
|
58
|
+
defp parse_dep(_dep), do: []
|
59
|
+
|
60
|
+
defp umbrella_top_level_dep?(dep) do
|
61
|
+
if Mix.Project.umbrella?() do
|
62
|
+
apps_paths = Path.expand(Mix.Project.config()[:apps_path], File.cwd!())
|
63
|
+
String.contains?(Path.dirname(Path.dirname(dep.from)), apps_paths)
|
64
|
+
else
|
65
|
+
false
|
66
|
+
end
|
67
|
+
end
|
68
|
+
|
69
|
+
defp parse_lock({:git, repo_url, checksum, opts}),
|
70
|
+
do: {nil, checksum, git_source(repo_url, opts)}
|
71
|
+
|
72
|
+
defp parse_lock({:hex, _app, version, checksum, _managers, _dependencies, _source}),
|
73
|
+
do: {version, checksum, nil}
|
74
|
+
|
75
|
+
defp parse_lock({:hex, _app, version, checksum, _managers, _dependencies}),
|
76
|
+
do: {version, checksum, nil}
|
77
|
+
|
78
|
+
defp normalise_requirement(req) do
|
79
|
+
req
|
80
|
+
|> maybe_regex_to_str()
|
81
|
+
|> empty_str_to_nil()
|
82
|
+
end
|
83
|
+
|
84
|
+
defp maybe_regex_to_str(s), do: if Regex.regex?(s), do: Regex.source(s), else: s
|
85
|
+
defp empty_str_to_nil(""), do: nil
|
86
|
+
defp empty_str_to_nil(s), do: s
|
87
|
+
|
88
|
+
def git_source(repo_url, opts) do
|
89
|
+
ref = opts[:ref] || opts[:tag]
|
90
|
+
ref = if is_list(ref), do: to_string(ref), else: ref
|
91
|
+
|
92
|
+
%{
|
93
|
+
type: "git",
|
94
|
+
url: repo_url,
|
95
|
+
branch: opts[:branch] || "master",
|
96
|
+
ref: ref
|
97
|
+
}
|
98
|
+
end
|
99
|
+
end
|
100
|
+
|
101
|
+
dependencies = :erlang.term_to_binary({:ok, Parser.run()})
|
102
|
+
|
103
|
+
IO.write(:stdio, dependencies)
|
@@ -0,0 +1,76 @@
|
|
1
|
+
defmodule DependencyHelper do
|
2
|
+
def main() do
|
3
|
+
IO.read(:stdio, :all)
|
4
|
+
|> Jason.decode!()
|
5
|
+
|> run()
|
6
|
+
|> case do
|
7
|
+
{output, 0} ->
|
8
|
+
if output =~ "No authenticated organization found" do
|
9
|
+
{:error, output}
|
10
|
+
else
|
11
|
+
{:ok, :erlang.binary_to_term(output)}
|
12
|
+
end
|
13
|
+
|
14
|
+
{error, 1} -> {:error, error}
|
15
|
+
end
|
16
|
+
|> handle_result()
|
17
|
+
end
|
18
|
+
|
19
|
+
defp handle_result({:ok, {:ok, result}}) do
|
20
|
+
encode_and_write(%{"result" => result})
|
21
|
+
end
|
22
|
+
|
23
|
+
defp handle_result({:ok, {:error, reason}}) do
|
24
|
+
encode_and_write(%{"error" => reason})
|
25
|
+
System.halt(1)
|
26
|
+
end
|
27
|
+
|
28
|
+
defp handle_result({:error, reason}) do
|
29
|
+
encode_and_write(%{"error" => reason})
|
30
|
+
System.halt(1)
|
31
|
+
end
|
32
|
+
|
33
|
+
defp encode_and_write(content) do
|
34
|
+
content
|
35
|
+
|> Jason.encode!()
|
36
|
+
|> IO.write()
|
37
|
+
end
|
38
|
+
|
39
|
+
defp run(%{"function" => "parse", "args" => [dir]}) do
|
40
|
+
run_script("parse_deps.exs", dir)
|
41
|
+
end
|
42
|
+
|
43
|
+
defp run(%{"function" => "get_latest_resolvable_version", "args" => [dir, dependency_name, credentials]}) do
|
44
|
+
run_script("check_update.exs", dir, [dependency_name] ++ credentials)
|
45
|
+
end
|
46
|
+
|
47
|
+
defp run(%{"function" => "get_updated_lockfile", "args" => [dir, dependency_name, credentials]}) do
|
48
|
+
run_script("do_update.exs", dir, [dependency_name] ++ credentials)
|
49
|
+
end
|
50
|
+
|
51
|
+
defp run_script(script, dir, args \\ []) do
|
52
|
+
args = [
|
53
|
+
"run",
|
54
|
+
"--no-deps-check",
|
55
|
+
"--no-start",
|
56
|
+
"--no-compile",
|
57
|
+
"--no-elixir-version-check",
|
58
|
+
script
|
59
|
+
] ++ args
|
60
|
+
|
61
|
+
System.cmd(
|
62
|
+
"mix",
|
63
|
+
args,
|
64
|
+
[
|
65
|
+
cd: dir,
|
66
|
+
env: %{
|
67
|
+
"MIX_EXS" => nil,
|
68
|
+
"MIX_LOCK" => nil,
|
69
|
+
"MIX_DEPS" => nil
|
70
|
+
}
|
71
|
+
]
|
72
|
+
)
|
73
|
+
end
|
74
|
+
end
|
75
|
+
|
76
|
+
DependencyHelper.main()
|