dependabot-core 0.76.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/CHANGELOG.md +6408 -0
- data/LICENSE +37 -0
- data/README.md +115 -0
- data/helpers/elixir/bin/check_update.exs +92 -0
- data/helpers/elixir/bin/do_update.exs +39 -0
- data/helpers/elixir/bin/parse_deps.exs +103 -0
- data/helpers/elixir/bin/run.exs +76 -0
- data/helpers/elixir/mix.exs +21 -0
- data/helpers/elixir/mix.lock +3 -0
- data/helpers/go/Makefile +9 -0
- data/helpers/go/go.mod +9 -0
- data/helpers/go/go.sum +5 -0
- data/helpers/go/importresolver/main.go +34 -0
- data/helpers/go/main.go +77 -0
- data/helpers/go/updatechecker/main.go +107 -0
- data/helpers/go/updater/go.mod +3 -0
- data/helpers/go/updater/go.sum +2 -0
- data/helpers/go/updater/helpers.go +57 -0
- data/helpers/go/updater/main.go +48 -0
- data/helpers/npm/.agignore +1 -0
- data/helpers/npm/.envrc +2 -0
- data/helpers/npm/.eslintrc +14 -0
- data/helpers/npm/.nvimrc +7 -0
- data/helpers/npm/bin/run.js +34 -0
- data/helpers/npm/lib/helpers.js +25 -0
- data/helpers/npm/lib/peer-dependency-checker.js +102 -0
- data/helpers/npm/lib/subdependency-updater.js +48 -0
- data/helpers/npm/lib/updater.js +95 -0
- data/helpers/npm/package.json +17 -0
- data/helpers/npm/test/fixtures/npm-left-pad.json +1 -0
- data/helpers/npm/test/fixtures/updater/original/package-lock.json +16 -0
- data/helpers/npm/test/fixtures/updater/original/package.json +9 -0
- data/helpers/npm/test/fixtures/updater/updated/package-lock.json +16 -0
- data/helpers/npm/test/helpers.js +7 -0
- data/helpers/npm/test/updater.test.js +50 -0
- data/helpers/npm/yarn.lock +6120 -0
- data/helpers/php/.php_cs +34 -0
- data/helpers/php/bin/run.php +57 -0
- data/helpers/php/composer.json +14 -0
- data/helpers/php/composer.lock +1521 -0
- data/helpers/php/composer.phar +0 -0
- data/helpers/php/setup.sh +4 -0
- data/helpers/php/src/DependabotInstallationManager.php +61 -0
- data/helpers/php/src/DependabotPluginManager.php +23 -0
- data/helpers/php/src/ExceptionIO.php +25 -0
- data/helpers/php/src/Hasher.php +21 -0
- data/helpers/php/src/UpdateChecker.php +123 -0
- data/helpers/php/src/Updater.php +97 -0
- data/helpers/python/lib/__init__.py +0 -0
- data/helpers/python/lib/hasher.py +23 -0
- data/helpers/python/lib/parser.py +130 -0
- data/helpers/python/requirements.txt +9 -0
- data/helpers/python/run.py +18 -0
- data/helpers/test/run.rb +15 -0
- data/helpers/utils/git-credential-store-immutable +10 -0
- data/helpers/yarn/.agignore +1 -0
- data/helpers/yarn/.envrc +2 -0
- data/helpers/yarn/.eslintrc +14 -0
- data/helpers/yarn/.nvimrc +7 -0
- data/helpers/yarn/bin/run.js +36 -0
- data/helpers/yarn/lib/fix-duplicates.js +53 -0
- data/helpers/yarn/lib/helpers.js +5 -0
- data/helpers/yarn/lib/lockfile-parser.js +21 -0
- data/helpers/yarn/lib/peer-dependency-checker.js +130 -0
- data/helpers/yarn/lib/replace-lockfile-declaration.js +45 -0
- data/helpers/yarn/lib/subdependency-updater.js +69 -0
- data/helpers/yarn/lib/updater.js +254 -0
- data/helpers/yarn/package.json +17 -0
- data/helpers/yarn/test/fixtures/updater/original/package.json +6 -0
- data/helpers/yarn/test/fixtures/updater/original/yarn.lock +11 -0
- data/helpers/yarn/test/fixtures/updater/updated/yarn.lock +12 -0
- data/helpers/yarn/test/fixtures/updater/with-version-comments/package.json +5 -0
- data/helpers/yarn/test/fixtures/updater/with-version-comments/yarn.lock +13 -0
- data/helpers/yarn/test/fixtures/yarnpkg-is-positive.json +1 -0
- data/helpers/yarn/test/fixtures/yarnpkg-left-pad.json +1 -0
- data/helpers/yarn/test/helpers.js +7 -0
- data/helpers/yarn/test/updater.test.js +93 -0
- data/helpers/yarn/yarn.lock +4912 -0
- data/lib/bundler_definition_bundler_version_patch.rb +15 -0
- data/lib/bundler_definition_ruby_version_patch.rb +14 -0
- data/lib/bundler_git_source_patch.rb +27 -0
- data/lib/dependabot.rb +4 -0
- data/lib/dependabot/clients/bitbucket.rb +101 -0
- data/lib/dependabot/clients/github_with_retries.rb +117 -0
- data/lib/dependabot/clients/gitlab.rb +72 -0
- data/lib/dependabot/dependency.rb +118 -0
- data/lib/dependabot/dependency_file.rb +54 -0
- data/lib/dependabot/errors.rb +179 -0
- data/lib/dependabot/file_fetchers.rb +48 -0
- data/lib/dependabot/file_fetchers/README.md +65 -0
- data/lib/dependabot/file_fetchers/base.rb +302 -0
- data/lib/dependabot/file_fetchers/docker/docker.rb +40 -0
- data/lib/dependabot/file_fetchers/dotnet/nuget.rb +215 -0
- data/lib/dependabot/file_fetchers/dotnet/nuget/import_paths_finder.rb +51 -0
- data/lib/dependabot/file_fetchers/dotnet/nuget/sln_project_paths_finder.rb +55 -0
- data/lib/dependabot/file_fetchers/elixir/hex.rb +78 -0
- data/lib/dependabot/file_fetchers/elm/elm_package.rb +52 -0
- data/lib/dependabot/file_fetchers/git/submodules.rb +73 -0
- data/lib/dependabot/file_fetchers/go/dep.rb +69 -0
- data/lib/dependabot/file_fetchers/go/modules.rb +64 -0
- data/lib/dependabot/file_fetchers/java/gradle.rb +56 -0
- data/lib/dependabot/file_fetchers/java/gradle/settings_file_parser.rb +66 -0
- data/lib/dependabot/file_fetchers/java/maven.rb +127 -0
- data/lib/dependabot/file_fetchers/java_script/npm_and_yarn.rb +330 -0
- data/lib/dependabot/file_fetchers/java_script/npm_and_yarn/path_dependency_builder.rb +107 -0
- data/lib/dependabot/file_fetchers/php/composer.rb +131 -0
- data/lib/dependabot/file_fetchers/python/pip.rb +305 -0
- data/lib/dependabot/file_fetchers/ruby/bundler.rb +185 -0
- data/lib/dependabot/file_fetchers/ruby/bundler/child_gemfile_finder.rb +70 -0
- data/lib/dependabot/file_fetchers/ruby/bundler/path_gemspec_finder.rb +114 -0
- data/lib/dependabot/file_fetchers/ruby/bundler/require_relative_finder.rb +67 -0
- data/lib/dependabot/file_fetchers/rust/cargo.rb +240 -0
- data/lib/dependabot/file_parsers.rb +48 -0
- data/lib/dependabot/file_parsers/README.md +45 -0
- data/lib/dependabot/file_parsers/base.rb +31 -0
- data/lib/dependabot/file_parsers/base/dependency_set.rb +77 -0
- data/lib/dependabot/file_parsers/docker/docker.rb +164 -0
- data/lib/dependabot/file_parsers/dotnet/nuget.rb +85 -0
- data/lib/dependabot/file_parsers/dotnet/nuget/packages_config_parser.rb +65 -0
- data/lib/dependabot/file_parsers/dotnet/nuget/project_file_parser.rb +156 -0
- data/lib/dependabot/file_parsers/dotnet/nuget/property_value_finder.rb +131 -0
- data/lib/dependabot/file_parsers/elixir/hex.rb +134 -0
- data/lib/dependabot/file_parsers/elm/elm_package.rb +136 -0
- data/lib/dependabot/file_parsers/git/submodules.rb +69 -0
- data/lib/dependabot/file_parsers/go/dep.rb +163 -0
- data/lib/dependabot/file_parsers/go/modules.rb +34 -0
- data/lib/dependabot/file_parsers/go/modules/go_mod_parser.rb +134 -0
- data/lib/dependabot/file_parsers/java/gradle.rb +236 -0
- data/lib/dependabot/file_parsers/java/gradle/property_value_finder.rb +90 -0
- data/lib/dependabot/file_parsers/java/gradle/repositories_finder.rb +145 -0
- data/lib/dependabot/file_parsers/java/maven.rb +252 -0
- data/lib/dependabot/file_parsers/java/maven/property_value_finder.rb +166 -0
- data/lib/dependabot/file_parsers/java/maven/repositories_finder.rb +188 -0
- data/lib/dependabot/file_parsers/java_script/npm_and_yarn.rb +394 -0
- data/lib/dependabot/file_parsers/php/composer.rb +177 -0
- data/lib/dependabot/file_parsers/python/pip.rb +223 -0
- data/lib/dependabot/file_parsers/python/pip/pipfile_files_parser.rb +154 -0
- data/lib/dependabot/file_parsers/python/pip/poetry_files_parser.rb +141 -0
- data/lib/dependabot/file_parsers/python/pip/setup_file_parser.rb +160 -0
- data/lib/dependabot/file_parsers/ruby/bundler.rb +295 -0
- data/lib/dependabot/file_parsers/ruby/bundler/file_preparer.rb +85 -0
- data/lib/dependabot/file_parsers/ruby/bundler/gemfile_checker.rb +48 -0
- data/lib/dependabot/file_parsers/rust/cargo.rb +213 -0
- data/lib/dependabot/file_updaters.rb +48 -0
- data/lib/dependabot/file_updaters/README.md +58 -0
- data/lib/dependabot/file_updaters/base.rb +52 -0
- data/lib/dependabot/file_updaters/docker/docker.rb +133 -0
- data/lib/dependabot/file_updaters/dotnet/nuget.rb +151 -0
- data/lib/dependabot/file_updaters/dotnet/nuget/packages_config_declaration_finder.rb +69 -0
- data/lib/dependabot/file_updaters/dotnet/nuget/project_file_declaration_finder.rb +78 -0
- data/lib/dependabot/file_updaters/dotnet/nuget/property_value_updater.rb +64 -0
- data/lib/dependabot/file_updaters/elixir/hex.rb +71 -0
- data/lib/dependabot/file_updaters/elixir/hex/lockfile_updater.rb +147 -0
- data/lib/dependabot/file_updaters/elixir/hex/mixfile_git_pin_updater.rb +53 -0
- data/lib/dependabot/file_updaters/elixir/hex/mixfile_requirement_updater.rb +74 -0
- data/lib/dependabot/file_updaters/elixir/hex/mixfile_sanitizer.rb +28 -0
- data/lib/dependabot/file_updaters/elixir/hex/mixfile_updater.rb +98 -0
- data/lib/dependabot/file_updaters/elm/elm_package.rb +79 -0
- data/lib/dependabot/file_updaters/elm/elm_package/elm_json_updater.rb +69 -0
- data/lib/dependabot/file_updaters/elm/elm_package/elm_package_updater.rb +69 -0
- data/lib/dependabot/file_updaters/git/submodules.rb +38 -0
- data/lib/dependabot/file_updaters/go/dep.rb +77 -0
- data/lib/dependabot/file_updaters/go/dep/lockfile_updater.rb +219 -0
- data/lib/dependabot/file_updaters/go/dep/manifest_updater.rb +155 -0
- data/lib/dependabot/file_updaters/go/modules.rb +71 -0
- data/lib/dependabot/file_updaters/go/modules/go_mod_updater.rb +81 -0
- data/lib/dependabot/file_updaters/java/gradle.rb +176 -0
- data/lib/dependabot/file_updaters/java/gradle/dependency_set_updater.rb +66 -0
- data/lib/dependabot/file_updaters/java/gradle/property_value_updater.rb +58 -0
- data/lib/dependabot/file_updaters/java/maven.rb +155 -0
- data/lib/dependabot/file_updaters/java/maven/declaration_finder.rb +132 -0
- data/lib/dependabot/file_updaters/java/maven/property_value_updater.rb +61 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn.rb +159 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn/npm_lockfile_updater.rb +532 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn/npmrc_builder.rb +191 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn/package_json_preparer.rb +91 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn/package_json_updater.rb +220 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn/yarn_lockfile_updater.rb +475 -0
- data/lib/dependabot/file_updaters/php/composer.rb +78 -0
- data/lib/dependabot/file_updaters/php/composer/lockfile_updater.rb +264 -0
- data/lib/dependabot/file_updaters/php/composer/manifest_updater.rb +70 -0
- data/lib/dependabot/file_updaters/python/pip.rb +147 -0
- data/lib/dependabot/file_updaters/python/pip/pip_compile_file_updater.rb +363 -0
- data/lib/dependabot/file_updaters/python/pip/pipfile_file_updater.rb +397 -0
- data/lib/dependabot/file_updaters/python/pip/pipfile_preparer.rb +125 -0
- data/lib/dependabot/file_updaters/python/pip/poetry_file_updater.rb +289 -0
- data/lib/dependabot/file_updaters/python/pip/pyproject_preparer.rb +105 -0
- data/lib/dependabot/file_updaters/python/pip/requirement_file_updater.rb +166 -0
- data/lib/dependabot/file_updaters/python/pip/requirement_replacer.rb +95 -0
- data/lib/dependabot/file_updaters/python/pip/setup_file_sanitizer.rb +91 -0
- data/lib/dependabot/file_updaters/ruby/bundler.rb +121 -0
- data/lib/dependabot/file_updaters/ruby/bundler/gemfile_updater.rb +116 -0
- data/lib/dependabot/file_updaters/ruby/bundler/gemspec_dependency_name_finder.rb +52 -0
- data/lib/dependabot/file_updaters/ruby/bundler/gemspec_sanitizer.rb +298 -0
- data/lib/dependabot/file_updaters/ruby/bundler/gemspec_updater.rb +64 -0
- data/lib/dependabot/file_updaters/ruby/bundler/git_pin_replacer.rb +80 -0
- data/lib/dependabot/file_updaters/ruby/bundler/git_source_remover.rb +102 -0
- data/lib/dependabot/file_updaters/ruby/bundler/lockfile_updater.rb +384 -0
- data/lib/dependabot/file_updaters/ruby/bundler/requirement_replacer.rb +188 -0
- data/lib/dependabot/file_updaters/rust/cargo.rb +83 -0
- data/lib/dependabot/file_updaters/rust/cargo/lockfile_updater.rb +251 -0
- data/lib/dependabot/file_updaters/rust/cargo/manifest_updater.rb +162 -0
- data/lib/dependabot/git_commit_checker.rb +412 -0
- data/lib/dependabot/metadata_finders.rb +46 -0
- data/lib/dependabot/metadata_finders/README.md +53 -0
- data/lib/dependabot/metadata_finders/base.rb +117 -0
- data/lib/dependabot/metadata_finders/base/changelog_finder.rb +317 -0
- data/lib/dependabot/metadata_finders/base/changelog_pruner.rb +177 -0
- data/lib/dependabot/metadata_finders/base/commits_finder.rb +217 -0
- data/lib/dependabot/metadata_finders/base/release_finder.rb +251 -0
- data/lib/dependabot/metadata_finders/docker/docker.rb +18 -0
- data/lib/dependabot/metadata_finders/dotnet/nuget.rb +116 -0
- data/lib/dependabot/metadata_finders/elixir/hex.rb +69 -0
- data/lib/dependabot/metadata_finders/elm/elm_package.rb +22 -0
- data/lib/dependabot/metadata_finders/git/submodules.rb +20 -0
- data/lib/dependabot/metadata_finders/go/dep.rb +56 -0
- data/lib/dependabot/metadata_finders/java/maven.rb +173 -0
- data/lib/dependabot/metadata_finders/java_script/npm_and_yarn.rb +215 -0
- data/lib/dependabot/metadata_finders/php/composer.rb +66 -0
- data/lib/dependabot/metadata_finders/python/pip.rb +120 -0
- data/lib/dependabot/metadata_finders/ruby/bundler.rb +150 -0
- data/lib/dependabot/metadata_finders/rust/cargo.rb +64 -0
- data/lib/dependabot/pull_request_creator.rb +151 -0
- data/lib/dependabot/pull_request_creator/branch_namer.rb +170 -0
- data/lib/dependabot/pull_request_creator/commit_signer.rb +63 -0
- data/lib/dependabot/pull_request_creator/github.rb +233 -0
- data/lib/dependabot/pull_request_creator/gitlab.rb +122 -0
- data/lib/dependabot/pull_request_creator/labeler.rb +361 -0
- data/lib/dependabot/pull_request_creator/message_builder.rb +888 -0
- data/lib/dependabot/pull_request_updater.rb +43 -0
- data/lib/dependabot/pull_request_updater/github.rb +151 -0
- data/lib/dependabot/shared_helpers.rb +201 -0
- data/lib/dependabot/source.rb +120 -0
- data/lib/dependabot/update_checkers.rb +48 -0
- data/lib/dependabot/update_checkers/README.md +67 -0
- data/lib/dependabot/update_checkers/base.rb +220 -0
- data/lib/dependabot/update_checkers/docker/docker.rb +290 -0
- data/lib/dependabot/update_checkers/dotnet/nuget.rb +127 -0
- data/lib/dependabot/update_checkers/dotnet/nuget/property_updater.rb +97 -0
- data/lib/dependabot/update_checkers/dotnet/nuget/repository_finder.rb +232 -0
- data/lib/dependabot/update_checkers/dotnet/nuget/requirements_updater.rb +81 -0
- data/lib/dependabot/update_checkers/dotnet/nuget/version_finder.rb +231 -0
- data/lib/dependabot/update_checkers/elixir/hex.rb +274 -0
- data/lib/dependabot/update_checkers/elixir/hex/file_preparer.rb +193 -0
- data/lib/dependabot/update_checkers/elixir/hex/requirements_updater.rb +177 -0
- data/lib/dependabot/update_checkers/elixir/hex/version_resolver.rb +175 -0
- data/lib/dependabot/update_checkers/elm/elm_package.rb +126 -0
- data/lib/dependabot/update_checkers/elm/elm_package/cli_parser.rb +33 -0
- data/lib/dependabot/update_checkers/elm/elm_package/elm_18_version_resolver.rb +234 -0
- data/lib/dependabot/update_checkers/elm/elm_package/elm_19_version_resolver.rb +198 -0
- data/lib/dependabot/update_checkers/elm/elm_package/requirements_updater.rb +75 -0
- data/lib/dependabot/update_checkers/git/submodules.rb +52 -0
- data/lib/dependabot/update_checkers/go/dep.rb +311 -0
- data/lib/dependabot/update_checkers/go/dep/file_preparer.rb +221 -0
- data/lib/dependabot/update_checkers/go/dep/latest_version_finder.rb +169 -0
- data/lib/dependabot/update_checkers/go/dep/requirements_updater.rb +223 -0
- data/lib/dependabot/update_checkers/go/dep/version_resolver.rb +164 -0
- data/lib/dependabot/update_checkers/go/modules.rb +112 -0
- data/lib/dependabot/update_checkers/java/gradle.rb +148 -0
- data/lib/dependabot/update_checkers/java/gradle/multi_dependency_updater.rb +105 -0
- data/lib/dependabot/update_checkers/java/gradle/version_finder.rb +183 -0
- data/lib/dependabot/update_checkers/java/maven.rb +159 -0
- data/lib/dependabot/update_checkers/java/maven/property_updater.rb +127 -0
- data/lib/dependabot/update_checkers/java/maven/requirements_updater.rb +92 -0
- data/lib/dependabot/update_checkers/java/maven/version_finder.rb +225 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn.rb +280 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn/latest_version_finder.rb +342 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn/library_detector.rb +69 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn/registry_finder.rb +226 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn/requirements_updater.rb +197 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn/subdependency_version_resolver.rb +228 -0
- data/lib/dependabot/update_checkers/java_script/npm_and_yarn/version_resolver.rb +452 -0
- data/lib/dependabot/update_checkers/php/composer.rb +165 -0
- data/lib/dependabot/update_checkers/php/composer/requirements_updater.rb +243 -0
- data/lib/dependabot/update_checkers/php/composer/version_resolver.rb +203 -0
- data/lib/dependabot/update_checkers/python/pip.rb +227 -0
- data/lib/dependabot/update_checkers/python/pip/latest_version_finder.rb +252 -0
- data/lib/dependabot/update_checkers/python/pip/pip_compile_version_resolver.rb +380 -0
- data/lib/dependabot/update_checkers/python/pip/pipfile_version_resolver.rb +559 -0
- data/lib/dependabot/update_checkers/python/pip/poetry_version_resolver.rb +300 -0
- data/lib/dependabot/update_checkers/python/pip/requirements_updater.rb +367 -0
- data/lib/dependabot/update_checkers/ruby/bundler.rb +324 -0
- data/lib/dependabot/update_checkers/ruby/bundler/file_preparer.rb +278 -0
- data/lib/dependabot/update_checkers/ruby/bundler/force_updater.rb +261 -0
- data/lib/dependabot/update_checkers/ruby/bundler/latest_version_finder.rb +169 -0
- data/lib/dependabot/update_checkers/ruby/bundler/requirements_updater.rb +264 -0
- data/lib/dependabot/update_checkers/ruby/bundler/ruby_requirement_setter.rb +115 -0
- data/lib/dependabot/update_checkers/ruby/bundler/shared_bundler_helpers.rb +243 -0
- data/lib/dependabot/update_checkers/ruby/bundler/version_resolver.rb +255 -0
- data/lib/dependabot/update_checkers/rust/cargo.rb +282 -0
- data/lib/dependabot/update_checkers/rust/cargo/file_preparer.rb +202 -0
- data/lib/dependabot/update_checkers/rust/cargo/requirements_updater.rb +175 -0
- data/lib/dependabot/update_checkers/rust/cargo/version_resolver.rb +242 -0
- data/lib/dependabot/utils.rb +84 -0
- data/lib/dependabot/utils/docker/credentials_finder.rb +65 -0
- data/lib/dependabot/utils/dotnet/requirement.rb +90 -0
- data/lib/dependabot/utils/dotnet/version.rb +22 -0
- data/lib/dependabot/utils/elixir/requirement.rb +53 -0
- data/lib/dependabot/utils/elixir/version.rb +59 -0
- data/lib/dependabot/utils/elm/requirement.rb +92 -0
- data/lib/dependabot/utils/elm/version.rb +19 -0
- data/lib/dependabot/utils/go/path_converter.rb +74 -0
- data/lib/dependabot/utils/go/requirement.rb +152 -0
- data/lib/dependabot/utils/go/shared_helper.rb +20 -0
- data/lib/dependabot/utils/go/version.rb +40 -0
- data/lib/dependabot/utils/java/requirement.rb +110 -0
- data/lib/dependabot/utils/java/version.rb +179 -0
- data/lib/dependabot/utils/java_script/requirement.rb +117 -0
- data/lib/dependabot/utils/java_script/version.rb +30 -0
- data/lib/dependabot/utils/php/requirement.rb +97 -0
- data/lib/dependabot/utils/php/version.rb +22 -0
- data/lib/dependabot/utils/python/requirement.rb +130 -0
- data/lib/dependabot/utils/python/version.rb +88 -0
- data/lib/dependabot/utils/ruby/requirement.rb +26 -0
- data/lib/dependabot/utils/rust/requirement.rb +108 -0
- data/lib/dependabot/utils/rust/version.rb +32 -0
- data/lib/dependabot/version.rb +5 -0
- data/lib/python_requirement_parser.rb +33 -0
- data/lib/python_versions.rb +21 -0
- metadata +641 -0
|
@@ -0,0 +1,394 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
# See https://docs.npmjs.com/files/package.json for package.json format docs.
|
|
4
|
+
|
|
5
|
+
require "dependabot/dependency"
|
|
6
|
+
require "dependabot/file_parsers/base"
|
|
7
|
+
require "dependabot/shared_helpers"
|
|
8
|
+
require "dependabot/errors"
|
|
9
|
+
|
|
10
|
+
# rubocop:disable Metrics/ClassLength
|
|
11
|
+
module Dependabot
|
|
12
|
+
module FileParsers
|
|
13
|
+
module JavaScript
|
|
14
|
+
class NpmAndYarn < Dependabot::FileParsers::Base
|
|
15
|
+
require "dependabot/file_parsers/base/dependency_set"
|
|
16
|
+
|
|
17
|
+
DEPENDENCY_TYPES =
|
|
18
|
+
%w(dependencies devDependencies optionalDependencies).freeze
|
|
19
|
+
CENTRAL_REGISTRIES = %w(
|
|
20
|
+
https://registry.npmjs.org
|
|
21
|
+
http://registry.npmjs.org
|
|
22
|
+
https://registry.yarnpkg.com
|
|
23
|
+
).freeze
|
|
24
|
+
GIT_URL_REGEX = %r{
|
|
25
|
+
(?:^|^git.*?|^github:|^bitbucket:|^gitlab:|github\.com/)
|
|
26
|
+
(?<username>[a-z0-9-]+)/
|
|
27
|
+
(?<repo>[a-z0-9_.-]+)
|
|
28
|
+
(
|
|
29
|
+
(?:\#semver:(?<semver>.+))|
|
|
30
|
+
(?:\#(?<ref>.+))
|
|
31
|
+
)?$
|
|
32
|
+
}ix.freeze
|
|
33
|
+
|
|
34
|
+
def parse
|
|
35
|
+
dependency_set = DependencySet.new
|
|
36
|
+
dependency_set += manifest_dependencies
|
|
37
|
+
dependency_set += yarn_lock_dependencies if yarn_locks.any?
|
|
38
|
+
dependency_set += package_lock_dependencies if package_locks.any?
|
|
39
|
+
dependency_set += shrinkwrap_dependencies if shrinkwraps.any?
|
|
40
|
+
dependencies = dependency_set.dependencies
|
|
41
|
+
|
|
42
|
+
# TODO: Currently, Dependabot can't handle dependencies that have both
|
|
43
|
+
# a git source *and* a non-git source. Fix that!
|
|
44
|
+
dependencies.reject do |dep|
|
|
45
|
+
dep.requirements.any? { |r| r.dig(:source, :type) == "git" } &&
|
|
46
|
+
dep.requirements.any? { |r| r.dig(:source, :type) != "git" }
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
private
|
|
51
|
+
|
|
52
|
+
def manifest_dependencies
|
|
53
|
+
dependency_set = DependencySet.new
|
|
54
|
+
|
|
55
|
+
package_files.each do |file|
|
|
56
|
+
# TODO: Currently, Dependabot can't handle flat dependency files
|
|
57
|
+
# (and will error at the FileUpdater stage, because the
|
|
58
|
+
# UpdateChecker doesn't take account of flat resolution).
|
|
59
|
+
next if JSON.parse(file.content)["flat"]
|
|
60
|
+
|
|
61
|
+
DEPENDENCY_TYPES.each do |type|
|
|
62
|
+
deps = JSON.parse(file.content)[type] || {}
|
|
63
|
+
deps.each do |name, requirement|
|
|
64
|
+
requirement = "*" if requirement == ""
|
|
65
|
+
dep = build_dependency(
|
|
66
|
+
file: file, type: type, name: name, requirement: requirement
|
|
67
|
+
)
|
|
68
|
+
dependency_set << dep if dep
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
dependency_set
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
def yarn_lock_dependencies
|
|
77
|
+
dependency_set = DependencySet.new
|
|
78
|
+
|
|
79
|
+
yarn_locks.each do |yarn_lock|
|
|
80
|
+
parse_yarn_lock(yarn_lock).each do |req, details|
|
|
81
|
+
next unless details["version"] && details["version"] != ""
|
|
82
|
+
|
|
83
|
+
# Note: The DependencySet will de-dupe our dependencies, so they
|
|
84
|
+
# end up unique by name. That's not a perfect representation of
|
|
85
|
+
# the nested nature of JS resolution, but it makes everything work
|
|
86
|
+
# comparably to other flat-resolution strategies
|
|
87
|
+
dependency_set << Dependency.new(
|
|
88
|
+
name: req.split(/(?<=\w)\@/).first,
|
|
89
|
+
version: details["version"],
|
|
90
|
+
package_manager: "npm_and_yarn",
|
|
91
|
+
requirements: []
|
|
92
|
+
)
|
|
93
|
+
end
|
|
94
|
+
end
|
|
95
|
+
|
|
96
|
+
dependency_set
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
def package_lock_dependencies
|
|
100
|
+
dependency_set = DependencySet.new
|
|
101
|
+
|
|
102
|
+
# Note: The DependencySet will de-dupe our dependencies, so they
|
|
103
|
+
# end up unique by name. That's not a perfect representation of
|
|
104
|
+
# the nested nature of JS resolution, but it makes everything work
|
|
105
|
+
# comparably to other flat-resolution strategies
|
|
106
|
+
package_locks.each do |package_lock|
|
|
107
|
+
parsed_lockfile = parse_package_lock(package_lock)
|
|
108
|
+
deps = recursively_fetch_npm_lock_dependencies(parsed_lockfile)
|
|
109
|
+
dependency_set += deps
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
dependency_set
|
|
113
|
+
end
|
|
114
|
+
|
|
115
|
+
def shrinkwrap_dependencies
|
|
116
|
+
dependency_set = DependencySet.new
|
|
117
|
+
|
|
118
|
+
# Note: The DependencySet will de-dupe our dependencies, so they
|
|
119
|
+
# end up unique by name. That's not a perfect representation of
|
|
120
|
+
# the nested nature of JS resolution, but it makes everything work
|
|
121
|
+
# comparably to other flat-resolution strategies
|
|
122
|
+
shrinkwraps.each do |shrinkwrap|
|
|
123
|
+
parsed_lockfile = parse_shrinkwrap(shrinkwrap)
|
|
124
|
+
deps = recursively_fetch_npm_lock_dependencies(parsed_lockfile)
|
|
125
|
+
dependency_set += deps
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
dependency_set
|
|
129
|
+
end
|
|
130
|
+
|
|
131
|
+
def recursively_fetch_npm_lock_dependencies(object_with_dependencies)
|
|
132
|
+
dependency_set = DependencySet.new
|
|
133
|
+
|
|
134
|
+
object_with_dependencies.
|
|
135
|
+
fetch("dependencies", {}).each do |name, details|
|
|
136
|
+
next unless details["version"] && details["version"] != ""
|
|
137
|
+
|
|
138
|
+
dependency_set << Dependency.new(
|
|
139
|
+
name: name,
|
|
140
|
+
version: details["version"],
|
|
141
|
+
package_manager: "npm_and_yarn",
|
|
142
|
+
requirements: []
|
|
143
|
+
)
|
|
144
|
+
|
|
145
|
+
dependency_set += recursively_fetch_npm_lock_dependencies(details)
|
|
146
|
+
end
|
|
147
|
+
|
|
148
|
+
dependency_set
|
|
149
|
+
end
|
|
150
|
+
|
|
151
|
+
def build_dependency(file:, type:, name:, requirement:)
|
|
152
|
+
return if lockfile_details(name, requirement) &&
|
|
153
|
+
!version_for(name, requirement)
|
|
154
|
+
return if ignore_requirement?(requirement)
|
|
155
|
+
return if workspace_package_names.include?(name)
|
|
156
|
+
|
|
157
|
+
Dependency.new(
|
|
158
|
+
name: name,
|
|
159
|
+
version: version_for(name, requirement),
|
|
160
|
+
package_manager: "npm_and_yarn",
|
|
161
|
+
requirements: [{
|
|
162
|
+
requirement: requirement_for(requirement),
|
|
163
|
+
file: file.name,
|
|
164
|
+
groups: [type],
|
|
165
|
+
source: source_for(name, requirement)
|
|
166
|
+
}]
|
|
167
|
+
)
|
|
168
|
+
end
|
|
169
|
+
|
|
170
|
+
def check_required_files
|
|
171
|
+
raise "No package.json!" unless get_original_file("package.json")
|
|
172
|
+
end
|
|
173
|
+
|
|
174
|
+
def ignore_requirement?(requirement)
|
|
175
|
+
return true if local_path?(requirement)
|
|
176
|
+
return true if non_git_url?(requirement)
|
|
177
|
+
|
|
178
|
+
# TODO: Handle aliased packages
|
|
179
|
+
alias_package?(requirement)
|
|
180
|
+
end
|
|
181
|
+
|
|
182
|
+
def local_path?(requirement)
|
|
183
|
+
requirement.start_with?("link:", "file:", "/", "./", "../", "~/")
|
|
184
|
+
end
|
|
185
|
+
|
|
186
|
+
def alias_package?(requirement)
|
|
187
|
+
requirement.start_with?("npm:")
|
|
188
|
+
end
|
|
189
|
+
|
|
190
|
+
def non_git_url?(requirement)
|
|
191
|
+
requirement.include?("://") && !git_url?(requirement)
|
|
192
|
+
end
|
|
193
|
+
|
|
194
|
+
def git_url?(requirement)
|
|
195
|
+
requirement.match?(GIT_URL_REGEX)
|
|
196
|
+
end
|
|
197
|
+
|
|
198
|
+
def workspace_package_names
|
|
199
|
+
@workspace_package_names ||=
|
|
200
|
+
package_files.map { |f| JSON.parse(f.content)["name"] }.compact
|
|
201
|
+
end
|
|
202
|
+
|
|
203
|
+
# rubocop:disable Metrics/CyclomaticComplexity
|
|
204
|
+
# rubocop:disable Metrics/PerceivedComplexity
|
|
205
|
+
def version_for(name, requirement)
|
|
206
|
+
lock_version = lockfile_details(name, requirement)&.
|
|
207
|
+
fetch("version", nil)
|
|
208
|
+
lock_res = lockfile_details(name, requirement)&.
|
|
209
|
+
fetch("resolved", nil)
|
|
210
|
+
|
|
211
|
+
if git_url?(requirement)
|
|
212
|
+
return lock_version.split("#").last if lock_version&.include?("#")
|
|
213
|
+
return lock_res.split("#").last if lock_res&.include?("#")
|
|
214
|
+
|
|
215
|
+
if lock_res && lock_res.split("/").last.match?(/^[0-9a-f]{40}$/)
|
|
216
|
+
return lock_res.split("/").last
|
|
217
|
+
end
|
|
218
|
+
|
|
219
|
+
return nil
|
|
220
|
+
end
|
|
221
|
+
|
|
222
|
+
return unless lock_version
|
|
223
|
+
return if lock_version.include?("://")
|
|
224
|
+
return if lock_version.include?("file:")
|
|
225
|
+
return if lock_version.include?("link:")
|
|
226
|
+
return if lock_version.include?("#")
|
|
227
|
+
|
|
228
|
+
lock_version
|
|
229
|
+
end
|
|
230
|
+
# rubocop:enable Metrics/CyclomaticComplexity
|
|
231
|
+
# rubocop:enable Metrics/PerceivedComplexity
|
|
232
|
+
|
|
233
|
+
def source_for(name, requirement)
|
|
234
|
+
return git_source_for(requirement) if git_url?(requirement)
|
|
235
|
+
|
|
236
|
+
resolved_url = lockfile_details(name, requirement)&.
|
|
237
|
+
fetch("resolved", nil)
|
|
238
|
+
|
|
239
|
+
return unless resolved_url
|
|
240
|
+
return if CENTRAL_REGISTRIES.any? { |u| resolved_url.start_with?(u) }
|
|
241
|
+
return if resolved_url.include?("github")
|
|
242
|
+
|
|
243
|
+
private_registry_source_for(resolved_url, name)
|
|
244
|
+
end
|
|
245
|
+
|
|
246
|
+
def requirement_for(requirement)
|
|
247
|
+
return requirement unless git_url?(requirement)
|
|
248
|
+
|
|
249
|
+
details = requirement.match(GIT_URL_REGEX).named_captures
|
|
250
|
+
details["semver"]
|
|
251
|
+
end
|
|
252
|
+
|
|
253
|
+
def git_source_for(requirement)
|
|
254
|
+
details = requirement.match(GIT_URL_REGEX).named_captures
|
|
255
|
+
{
|
|
256
|
+
type: "git",
|
|
257
|
+
url: "https://github.com/#{details['username']}/#{details['repo']}",
|
|
258
|
+
branch: nil,
|
|
259
|
+
ref: details["ref"] || "master"
|
|
260
|
+
}
|
|
261
|
+
end
|
|
262
|
+
|
|
263
|
+
def private_registry_source_for(resolved_url, name)
|
|
264
|
+
url =
|
|
265
|
+
if resolved_url.include?("/~/")
|
|
266
|
+
# Gemfury format
|
|
267
|
+
resolved_url.split("/~/").first
|
|
268
|
+
elsif resolved_url.include?("/#{name}/-/#{name}")
|
|
269
|
+
# Sonatype Nexus / Artifactory JFrog format
|
|
270
|
+
resolved_url.split("/#{name}/-/#{name}").first
|
|
271
|
+
elsif (cred_url = credential_url(resolved_url)) then cred_url
|
|
272
|
+
else resolved_url.split("/")[0..2].join("/")
|
|
273
|
+
end
|
|
274
|
+
|
|
275
|
+
{ type: "private_registry", url: url }
|
|
276
|
+
end
|
|
277
|
+
|
|
278
|
+
def credential_url(resolved_url)
|
|
279
|
+
registries = credentials.
|
|
280
|
+
select { |cred| cred["type"] == "npm_registry" }
|
|
281
|
+
|
|
282
|
+
registries.each do |details|
|
|
283
|
+
reg = details["registry"]
|
|
284
|
+
next unless resolved_url.include?(reg)
|
|
285
|
+
|
|
286
|
+
return resolved_url.gsub(/#{Regexp.quote(reg)}.*/, "") + reg
|
|
287
|
+
end
|
|
288
|
+
|
|
289
|
+
false
|
|
290
|
+
end
|
|
291
|
+
|
|
292
|
+
def lockfile_details(name, requirement)
|
|
293
|
+
[*package_locks, *shrinkwraps].each do |package_lock|
|
|
294
|
+
parsed_package_lock_json = parse_package_lock(package_lock)
|
|
295
|
+
next unless parsed_package_lock_json.dig("dependencies", name)
|
|
296
|
+
|
|
297
|
+
return parsed_package_lock_json.dig("dependencies", name)
|
|
298
|
+
end
|
|
299
|
+
|
|
300
|
+
req = requirement
|
|
301
|
+
yarn_locks.each do |yarn_lock|
|
|
302
|
+
parsed_yarn_lock = parse_yarn_lock(yarn_lock)
|
|
303
|
+
|
|
304
|
+
details_candidates =
|
|
305
|
+
parsed_yarn_lock.
|
|
306
|
+
select { |k, _| k.split(/(?<=\w)\@/).first == name }
|
|
307
|
+
|
|
308
|
+
# If there's only one entry for this dependency, use it, even if
|
|
309
|
+
# the requirement in the lockfile doesn't match
|
|
310
|
+
details = details_candidates.first.last if details_candidates.one?
|
|
311
|
+
|
|
312
|
+
details ||=
|
|
313
|
+
details_candidates.
|
|
314
|
+
find { |k, _| k.split(/(?<=\w)\@/)[1..-1].join("@") == req }&.
|
|
315
|
+
last
|
|
316
|
+
|
|
317
|
+
return details if details
|
|
318
|
+
end
|
|
319
|
+
|
|
320
|
+
nil
|
|
321
|
+
end
|
|
322
|
+
|
|
323
|
+
def parse_package_lock(package_lock)
|
|
324
|
+
JSON.parse(package_lock.content)
|
|
325
|
+
rescue JSON::ParserError
|
|
326
|
+
raise Dependabot::DependencyFileNotParseable, package_lock.path
|
|
327
|
+
end
|
|
328
|
+
|
|
329
|
+
def parse_shrinkwrap(shrinkwrap)
|
|
330
|
+
JSON.parse(shrinkwrap.content)
|
|
331
|
+
rescue JSON::ParserError
|
|
332
|
+
raise Dependabot::DependencyFileNotParseable, shrinkwrap.path
|
|
333
|
+
end
|
|
334
|
+
|
|
335
|
+
def parse_yarn_lock(yarn_lock)
|
|
336
|
+
@parsed_yarn_lock ||= {}
|
|
337
|
+
@parsed_yarn_lock[yarn_lock.name] ||=
|
|
338
|
+
SharedHelpers.in_a_temporary_directory do
|
|
339
|
+
File.write("yarn.lock", yarn_lock.content)
|
|
340
|
+
|
|
341
|
+
SharedHelpers.run_helper_subprocess(
|
|
342
|
+
command: "node #{yarn_helper_path}",
|
|
343
|
+
function: "parseLockfile",
|
|
344
|
+
args: [Dir.pwd]
|
|
345
|
+
)
|
|
346
|
+
rescue SharedHelpers::HelperSubprocessFailed
|
|
347
|
+
raise Dependabot::DependencyFileNotParseable, yarn_lock.path
|
|
348
|
+
end
|
|
349
|
+
end
|
|
350
|
+
|
|
351
|
+
def yarn_helper_path
|
|
352
|
+
project_root = File.join(File.dirname(__FILE__), "../../../..")
|
|
353
|
+
File.join(project_root, "helpers/yarn/bin/run.js")
|
|
354
|
+
end
|
|
355
|
+
|
|
356
|
+
def package_files
|
|
357
|
+
sub_packages =
|
|
358
|
+
dependency_files.
|
|
359
|
+
select { |f| f.name.end_with?("package.json") }.
|
|
360
|
+
reject { |f| f.name == "package.json" }.
|
|
361
|
+
reject { |f| f.type == "path_dependency" }
|
|
362
|
+
|
|
363
|
+
[
|
|
364
|
+
dependency_files.find { |f| f.name == "package.json" },
|
|
365
|
+
*sub_packages
|
|
366
|
+
].compact
|
|
367
|
+
end
|
|
368
|
+
|
|
369
|
+
def lockfile?
|
|
370
|
+
package_locks.any? || yarn_locks.any?
|
|
371
|
+
end
|
|
372
|
+
|
|
373
|
+
def package_locks
|
|
374
|
+
@package_locks ||=
|
|
375
|
+
dependency_files.
|
|
376
|
+
select { |f| f.name.end_with?("package-lock.json") }
|
|
377
|
+
end
|
|
378
|
+
|
|
379
|
+
def yarn_locks
|
|
380
|
+
@yarn_locks ||=
|
|
381
|
+
dependency_files.
|
|
382
|
+
select { |f| f.name.end_with?("yarn.lock") }
|
|
383
|
+
end
|
|
384
|
+
|
|
385
|
+
def shrinkwraps
|
|
386
|
+
@shrinkwraps ||=
|
|
387
|
+
dependency_files.
|
|
388
|
+
select { |f| f.name.end_with?("npm-shrinkwrap.json") }
|
|
389
|
+
end
|
|
390
|
+
end
|
|
391
|
+
end
|
|
392
|
+
end
|
|
393
|
+
end
|
|
394
|
+
# rubocop:enable Metrics/ClassLength
|
|
@@ -0,0 +1,177 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "dependabot/dependency"
|
|
4
|
+
require "dependabot/file_parsers/base"
|
|
5
|
+
require "dependabot/shared_helpers"
|
|
6
|
+
require "dependabot/errors"
|
|
7
|
+
|
|
8
|
+
module Dependabot
|
|
9
|
+
module FileParsers
|
|
10
|
+
module Php
|
|
11
|
+
class Composer < Dependabot::FileParsers::Base
|
|
12
|
+
require "dependabot/file_parsers/base/dependency_set"
|
|
13
|
+
|
|
14
|
+
DEPENDENCY_GROUP_KEYS = [
|
|
15
|
+
{
|
|
16
|
+
manifest: "require",
|
|
17
|
+
lockfile: "packages",
|
|
18
|
+
group: "runtime"
|
|
19
|
+
},
|
|
20
|
+
{
|
|
21
|
+
manifest: "require-dev",
|
|
22
|
+
lockfile: "packages-dev",
|
|
23
|
+
group: "development"
|
|
24
|
+
}
|
|
25
|
+
].freeze
|
|
26
|
+
|
|
27
|
+
def parse
|
|
28
|
+
dependency_set = DependencySet.new
|
|
29
|
+
dependency_set += manifest_dependencies
|
|
30
|
+
dependency_set += lockfile_dependencies
|
|
31
|
+
dependency_set.dependencies
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
private
|
|
35
|
+
|
|
36
|
+
def manifest_dependencies
|
|
37
|
+
dependencies = DependencySet.new
|
|
38
|
+
|
|
39
|
+
DEPENDENCY_GROUP_KEYS.each do |keys|
|
|
40
|
+
next unless parsed_composer_json[keys[:manifest]]
|
|
41
|
+
|
|
42
|
+
parsed_composer_json[keys[:manifest]].each do |name, req|
|
|
43
|
+
next unless package?(name)
|
|
44
|
+
|
|
45
|
+
if lockfile
|
|
46
|
+
version = dependency_version(name: name, type: keys[:group])
|
|
47
|
+
|
|
48
|
+
# Ignore dependencies which appear in the composer.json but not
|
|
49
|
+
# the composer.lock.
|
|
50
|
+
next if version.nil?
|
|
51
|
+
|
|
52
|
+
# Ignore dependency versions which are non-numeric, since they
|
|
53
|
+
# can't be compared later in the process.
|
|
54
|
+
next unless version.match?(/^\d/)
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
dependencies <<
|
|
58
|
+
Dependency.new(
|
|
59
|
+
name: name,
|
|
60
|
+
version: dependency_version(name: name, type: keys[:group]),
|
|
61
|
+
requirements: [{
|
|
62
|
+
requirement: req,
|
|
63
|
+
file: "composer.json",
|
|
64
|
+
source: dependency_source(name: name, type: keys[:group]),
|
|
65
|
+
groups: [keys[:group]]
|
|
66
|
+
}],
|
|
67
|
+
package_manager: "composer"
|
|
68
|
+
)
|
|
69
|
+
end
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
dependencies
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
def lockfile_dependencies
|
|
76
|
+
dependencies = DependencySet.new
|
|
77
|
+
|
|
78
|
+
return dependencies unless lockfile
|
|
79
|
+
|
|
80
|
+
DEPENDENCY_GROUP_KEYS.map { |h| h.fetch(:lockfile) }.each do |key|
|
|
81
|
+
next unless parsed_lockfile[key]
|
|
82
|
+
|
|
83
|
+
parsed_lockfile[key].each do |details|
|
|
84
|
+
name = details["name"]
|
|
85
|
+
next unless package?(name)
|
|
86
|
+
|
|
87
|
+
version = details["version"]&.sub(/^v?/, "")
|
|
88
|
+
next if version.nil?
|
|
89
|
+
next unless version.match?(/^\d/)
|
|
90
|
+
|
|
91
|
+
dependencies <<
|
|
92
|
+
Dependency.new(
|
|
93
|
+
name: name,
|
|
94
|
+
version: version,
|
|
95
|
+
requirements: [],
|
|
96
|
+
package_manager: "composer"
|
|
97
|
+
)
|
|
98
|
+
end
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
dependencies
|
|
102
|
+
end
|
|
103
|
+
|
|
104
|
+
def dependency_version(name:, type:)
|
|
105
|
+
return unless lockfile
|
|
106
|
+
|
|
107
|
+
key = lockfile_key(type)
|
|
108
|
+
|
|
109
|
+
parsed_lockfile.
|
|
110
|
+
fetch(key, []).
|
|
111
|
+
find { |d| d["name"] == name }&.
|
|
112
|
+
fetch("version")&.sub(/^v?/, "")
|
|
113
|
+
end
|
|
114
|
+
|
|
115
|
+
def dependency_source(name:, type:)
|
|
116
|
+
return unless lockfile
|
|
117
|
+
|
|
118
|
+
key = lockfile_key(type)
|
|
119
|
+
package = parsed_lockfile.fetch(key).find { |d| d["name"] == name }
|
|
120
|
+
|
|
121
|
+
return unless package
|
|
122
|
+
|
|
123
|
+
if package["source"].nil? && package.dig("dist", "type") == "path"
|
|
124
|
+
return { type: "path" }
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
return unless package.dig("source", "type") == "git"
|
|
128
|
+
|
|
129
|
+
{
|
|
130
|
+
type: "git",
|
|
131
|
+
url: package.dig("source", "url")
|
|
132
|
+
}
|
|
133
|
+
end
|
|
134
|
+
|
|
135
|
+
def lockfile_key(type)
|
|
136
|
+
case type
|
|
137
|
+
when "runtime" then "packages"
|
|
138
|
+
when "development" then "packages-dev"
|
|
139
|
+
else raise "unknown type #{type}"
|
|
140
|
+
end
|
|
141
|
+
end
|
|
142
|
+
|
|
143
|
+
def package?(name)
|
|
144
|
+
# Filter out php, ext-, composer-plugin-api, and other special
|
|
145
|
+
# packages which don't behave as normal
|
|
146
|
+
name.split("/").count == 2
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
def check_required_files
|
|
150
|
+
raise "No composer.json!" unless get_original_file("composer.json")
|
|
151
|
+
end
|
|
152
|
+
|
|
153
|
+
def parsed_lockfile
|
|
154
|
+
return unless lockfile
|
|
155
|
+
|
|
156
|
+
@parsed_lockfile ||= JSON.parse(lockfile.content)
|
|
157
|
+
rescue JSON::ParserError
|
|
158
|
+
raise Dependabot::DependencyFileNotParseable, lockfile.path
|
|
159
|
+
end
|
|
160
|
+
|
|
161
|
+
def parsed_composer_json
|
|
162
|
+
@parsed_composer_json ||= JSON.parse(composer_json.content)
|
|
163
|
+
rescue JSON::ParserError
|
|
164
|
+
raise Dependabot::DependencyFileNotParseable, composer_json.path
|
|
165
|
+
end
|
|
166
|
+
|
|
167
|
+
def composer_json
|
|
168
|
+
@composer_json ||= get_original_file("composer.json")
|
|
169
|
+
end
|
|
170
|
+
|
|
171
|
+
def lockfile
|
|
172
|
+
@lockfile ||= get_original_file("composer.lock")
|
|
173
|
+
end
|
|
174
|
+
end
|
|
175
|
+
end
|
|
176
|
+
end
|
|
177
|
+
end
|
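Review bot: The numeric-version guard `next unless version.match?(/^\d/)` in `manifest_dependencies`, repeated in `lockfile_dependencies`, anchors with `^`, which in Ruby matches at the start of any line rather than of the whole string, so a composer.lock version value whose first line is non-numeric but which contains a newline followed by a digit would pass a check whose comment says it rejects versions that "can't be compared later in the process"; `next unless version.match?(/\A\d/)` expresses the intended whole-string anchor. The values come from the repository's own composer.lock, so this guard is the only filter applied before the version is handed to `Dependency.new`. Separately, `manifest_dependencies` evaluates `dependency_version(name: name, type: keys[:group])` twice for the same package — once into the `version` local and again when building the `Dependency` — and the local could be reused as `version: version`, provided its assignment is hoisted above the `if lockfile` branch so it is defined on both paths. A smaller inconsistency: `dependency_source` uses `parsed_lockfile.fetch(key)` with no default while `dependency_version` uses `fetch(key, [])`; from the visible callers the missing-key case looks unreachable, but aligning them would remove a latent `KeyError`.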