dependabot-core 0.76.1

data/lib/dependabot/file_updaters/elm/elm_package.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters/base"
+
+module Dependabot
+  module FileUpdaters
+    module Elm
+      class ElmPackage < Base
+        require_relative "elm_package/elm_package_updater"
+        require_relative "elm_package/elm_json_updater"
+
+        def self.updated_files_regex
+          [
+            /^elm-package\.json$/,
+            /^elm\.json$/
+          ]
+        end
+
+        def updated_dependency_files
+          updated_files = []
+
+          elm_package_files.each do |file|
+            next unless file_changed?(file)
+
+            updated_files <<
+              updated_file(
+                file: file,
+                content: updated_elm_package_content(file)
+              )
+          end
+
+          elm_json_files.each do |file|
+            next unless file_changed?(file)
+
+            updated_files <<
+              updated_file(
+                file: file,
+                content: updated_elm_json_content(file)
+              )
+          end
+
+          raise "No files have changed!" if updated_files.none?
+
+          updated_files
+        end
+
+        private
+
+        def check_required_files
+          return if elm_json_files.any? || elm_package_files.any?
+
+          raise "No elm.json or elm-package.json!"
+        end
+
+        def updated_elm_package_content(file)
+          ElmPackageUpdater.new(
+            dependencies: dependencies,
+            elm_package_file: file
+          ).updated_elm_package_file_content
+        end
+
+        def updated_elm_json_content(file)
+          ElmJsonUpdater.new(
+            dependencies: dependencies,
+            elm_json_file: file
+          ).updated_content
+        end
+
+        def elm_package_files
+          dependency_files.select { |f| f.name.end_with?("elm-package.json") }
+        end
+
+        def elm_json_files
+          dependency_files.select { |f| f.name.end_with?("elm.json") }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters/elm/elm_package/elm_json_updater.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters/elm/elm_package"
+
+module Dependabot
+  module FileUpdaters
+    module Elm
+      class ElmPackage
+        class ElmJsonUpdater
+          def initialize(elm_json_file:, dependencies:)
+            @elm_json_file = elm_json_file
+            @dependencies = dependencies
+          end
+
+          def updated_content
+            dependencies.
+              select { |dep| requirement_changed?(elm_json_file, dep) }.
+              reduce(elm_json_file.content.dup) do |content, dep|
+                updated_content = content
+
+                updated_content = update_requirement(
+                  content: updated_content,
+                  filename: elm_json_file.name,
+                  dependency: dep
+                )
+
+                next updated_content unless content == updated_content
+
+                raise "Expected content to change!"
+              end
+          end
+
+          private
+
+          attr_reader :elm_json_file, :dependencies
+
+          def requirement_changed?(file, dependency)
+            changed_requirements =
+              dependency.requirements - dependency.previous_requirements
+
+            changed_requirements.any? { |f| f[:file] == file.name }
+          end
+
+          def update_requirement(content:, filename:, dependency:)
+            updated_req =
+              dependency.requirements.
+              find { |r| r.fetch(:file) == filename }.
+              fetch(:requirement)
+
+            old_req =
+              dependency.previous_requirements.
+              find { |r| r.fetch(:file) == filename }.
+              fetch(:requirement)
+
+            return content unless old_req
+
+            dep = dependency
+            regex =
+              /"#{Regexp.quote(dep.name)}"\s*:\s+"#{Regexp.quote(old_req)}"/
+
+            content.gsub(regex) do |declaration|
+              declaration.gsub(%("#{old_req}"), %("#{updated_req}"))
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters/elm/elm_package/elm_package_updater.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters/elm/elm_package"
+
+module Dependabot
+  module FileUpdaters
+    module Elm
+      class ElmPackage
+        class ElmPackageUpdater
+          def initialize(elm_package_file:, dependencies:)
+            @elm_package_file = elm_package_file
+            @dependencies = dependencies
+          end
+
+          def updated_elm_package_file_content
+            dependencies.
+              select { |dep| requirement_changed?(elm_package_file, dep) }.
+              reduce(elm_package_file.content.dup) do |content, dep|
+                updated_content = content
+
+                updated_content = update_requirement(
+                  content: updated_content,
+                  filename: elm_package_file.name,
+                  dependency: dep
+                )
+
+                next updated_content unless content == updated_content
+
+                raise "Expected content to change!"
+              end
+          end
+
+          private
+
+          attr_reader :elm_package_file, :dependencies
+
+          def requirement_changed?(file, dependency)
+            changed_requirements =
+              dependency.requirements - dependency.previous_requirements
+
+            changed_requirements.any? { |f| f[:file] == file.name }
+          end
+
+          def update_requirement(content:, filename:, dependency:)
+            updated_req =
+              dependency.requirements.
+              find { |r| r.fetch(:file) == filename }.
+              fetch(:requirement)
+
+            old_req =
+              dependency.previous_requirements.
+              find { |r| r.fetch(:file) == filename }.
+              fetch(:requirement)
+
+            return content unless old_req
+
+            dep = dependency
+            regex =
+              /"#{Regexp.quote(dep.name)}"\s*:\s+"#{Regexp.quote(old_req)}"/
+
+            content.gsub(regex) do |declaration|
+              declaration.gsub(%("#{old_req}"), %("#{updated_req}"))
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters/git/submodules.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters/base"
+
+module Dependabot
+  module FileUpdaters
+    module Git
+      class Submodules < Dependabot::FileUpdaters::Base
+        def self.updated_files_regex
+          []
+        end
+
+        def updated_dependency_files
+          [updated_file(file: submodule, content: dependency.version)]
+        end
+
+        private
+
+        def dependency
+          # Git submodules will only ever be updating a single dependency
+          dependencies.first
+        end
+
+        def check_required_files
+          %w(.gitmodules).each do |filename|
+            raise "No #{filename}!" unless get_original_file(filename)
+          end
+        end
+
+        def submodule
+          @submodule ||= dependency_files.find do |file|
+            file.name == dependency.name
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters/go/dep.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require "dependabot/shared_helpers"
+require "dependabot/file_updaters/base"
+
+module Dependabot
+  module FileUpdaters
+    module Go
+      class Dep < Dependabot::FileUpdaters::Base
+        require_relative "dep/manifest_updater"
+        require_relative "dep/lockfile_updater"
+
+        def self.updated_files_regex
+          [
+            /^Gopkg\.toml$/,
+            /^Gopkg\.lock$/,
+            /^go\.mod$/,
+            /^go\.sum$/
+          ]
+        end
+
+        def updated_dependency_files
+          updated_files = []
+
+          if manifest && file_changed?(manifest)
+            updated_files <<
+              updated_file(
+                file: manifest,
+                content: updated_manifest_content
+              )
+          end
+
+          if lockfile
+            updated_files <<
+              updated_file(file: lockfile, content: updated_lockfile_content)
+          end
+
+          raise "No files changed!" if updated_files.none?
+
+          updated_files
+        end
+
+        private
+
+        def check_required_files
+          return if get_original_file("Gopkg.toml")
+          return if get_original_file("go.mod")
+
+          raise "No Gopkg.toml or go.mod!"
+        end
+
+        def manifest
+          @manifest ||= get_original_file("Gopkg.toml")
+        end
+
+        def lockfile
+          @lockfile ||= get_original_file("Gopkg.lock")
+        end
+
+        def updated_manifest_content
+          ManifestUpdater.new(
+            dependencies: dependencies,
+            manifest: manifest
+          ).updated_manifest_content
+        end
+
+        def updated_lockfile_content
+          LockfileUpdater.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files,
+            credentials: credentials
+          ).updated_lockfile_content
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters/go/dep/lockfile_updater.rb

@@ -0,0 +1,219 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+
+require "dependabot/shared_helpers"
+require "dependabot/dependency_file"
+require "dependabot/file_updaters/go/dep"
+require "dependabot/file_parsers/go/dep"
+
+module Dependabot
+  module FileUpdaters
+    module Go
+      class Dep
+        class LockfileUpdater
+          def initialize(dependencies:, dependency_files:, credentials:)
+            @dependencies = dependencies
+            @dependency_files = dependency_files
+            @credentials = credentials
+          end
+
+          def updated_lockfile_content
+            deps = dependencies.select { |d| appears_in_lockfile(d) }
+            return lockfile.content if deps.none?
+
+            base_directory = File.join("src", "project",
+                                       dependency_files.first.directory)
+            base_parts = base_directory.split("/").length
+            updated_content =
+              SharedHelpers.in_a_temporary_directory(base_directory) do |dir|
+                write_temporary_dependency_files
+
+                SharedHelpers.with_git_configured(credentials: credentials) do
+                  # Shell out to dep, which handles everything for us.
+                  # Note: We are currently doing a full install here (we're not
+                  # passing no-vendor) because dep needs to generate the digests
+                  # for each project.
+                  command = "dep ensure -update #{deps.map(&:name).join(' ')}"
+                  dir_parts = dir.realpath.to_s.split("/")
+                  gopath = File.join(dir_parts[0..-(base_parts + 1)])
+                  run_shell_command(command, "GOPATH" => gopath)
+                end
+
+                File.read("Gopkg.lock")
+              end
+
+            updated_content
+          end
+
+          private
+
+          attr_reader :dependencies, :dependency_files, :credentials
+
+          def run_shell_command(command, env = {})
+            raw_response = nil
+            IO.popen(env, command, err: %i(child out)) do |process|
+              raw_response = process.read
+            end
+
+            # Raise an error with the output from the shell session if dep
+            # returns a non-zero status
+            return if $CHILD_STATUS.success?
+
+            raise SharedHelpers::HelperSubprocessFailed.new(
+              raw_response,
+              command
+            )
+          end
+
+          def write_temporary_dependency_files
+            File.write(lockfile.name, lockfile.content)
+
+            # Overwrite the manifest with our custom prepared one
+            File.write(prepared_manifest.name, prepared_manifest.content)
+
+            File.write("hello.go", dummy_app_content)
+          end
+
+          def prepared_manifest
+            DependencyFile.new(
+              name: manifest.name,
+              content: prepared_manifest_content
+            )
+          end
+
+          def prepared_manifest_content
+            parsed_manifest = TomlRB.parse(manifest.content)
+
+            parsed_manifest["override"] =
+              add_fsnotify_override(parsed_manifest["override"])
+
+            dependencies.each do |dep|
+              req = dep.requirements.find { |r| r[:file] == manifest.name }
+              next unless appears_in_lockfile(dep)
+
+              if req
+                update_constraint!(parsed_manifest, dep)
+              else
+                create_constraint!(parsed_manifest, dep)
+              end
+            end
+
+            TomlRB.dump(parsed_manifest)
+          end
+
+          # Used to lock the version when updating a top-level dependency
+          def update_constraint!(parsed_manifest, dep)
+            details =
+              parsed_manifest.
+              values_at(*FileParsers::Go::Dep::REQUIREMENT_TYPES).
+              flatten.compact.find { |d| d["name"] == dep.name }
+
+            req = dep.requirements.find { |r| r[:file] == manifest.name }
+
+            if req.fetch(:source).fetch(:type) == "git" && !details["branch"]
+              # Note: we don't try to update to a specific revision if the
+              # branch was previously specified because the change in
+              # specification type would be persisted in the lockfile
+              details["revision"] = dep.version if details["revision"]
+              details["version"] = dep.version if details["version"]
+            elsif req.fetch(:source).fetch(:type) == "default"
+              details.delete("branch")
+              details.delete("revision")
+              details["version"] = "=#{dep.version}"
+            end
+          end
+
+          # Used to lock the version when updating a subdependency
+          def create_constraint!(parsed_manifest, dep)
+            details = { "name" => dep.name }
+
+            # Fetch the details from the lockfile to check whether this
+            # sub-dependency needs a git revision or a version.
+            original_details =
+              parsed_file(lockfile).fetch("projects").
+              find { |p| p["name"] == dep.name }
+
+            if original_details["source"]
+              details["source"] = original_details["source"]
+            end
+
+            if original_details["version"]
+              details["version"] = dep.version
+            else
+              details["revision"] = dep.version
+            end
+
+            parsed_manifest["constraint"] ||= []
+            parsed_manifest["constraint"] << details
+          end
+
+          # Work around a dep bug that results in a panic
+          def add_fsnotify_override(overrides)
+            overrides ||= []
+            dep_name = "gopkg.in/fsnotify.v1"
+
+            override = overrides.find { |s| s["name"] == dep_name }
+            if override.nil?
+              override = { "name" => dep_name }
+              overrides << override
+            end
+
+            unless override["source"]
+              override["source"] = "gopkg.in/fsnotify/fsnotify.v1"
+            end
+
+            overrides
+          end
+
+          def dummy_app_content
+            base = "package main\n\n"\
+                   "import \"fmt\"\n\n"
+
+            packages_to_import.each { |nm| base += "import \"#{nm}\"\n\n" }
+
+            base + "func main() {\n  fmt.Printf(\"hello, world\\n\")\n}"
+          end
+
+          def packages_to_import
+            parsed_lockfile = TomlRB.parse(lockfile.content)
+
+            # If the lockfile was created using dep v0.5.0+ then it will tell us
+            # exactly which packages to import
+            if parsed_lockfile.dig("solve-meta", "input-imports")
+              return parsed_lockfile.dig("solve-meta", "input-imports")
+            end
+
+            # Otherwise we have no way of knowing, so import everything in the
+            # lockfile that isn't marked as internal
+            parsed_lockfile.fetch("projects").flat_map do |dep|
+              dep["packages"].map do |package|
+                next if package.start_with?("internal")
+
+                package == "." ? dep["name"] : File.join(dep["name"], package)
+              end.compact
+            end
+          end
+
+          def appears_in_lockfile(dep)
+            !parsed_file(lockfile)["projects"]&.
+              find { |p| p["name"] == dep.name }.nil?
+          end
+
+          def parsed_file(file)
+            @parsed_file ||= {}
+            @parsed_file[file.name] ||= TomlRB.parse(file.content)
+          end
+
+          def manifest
+            @manifest ||= dependency_files.find { |f| f.name == "Gopkg.toml" }
+          end
+
+          def lockfile
+            @lockfile ||= dependency_files.find { |f| f.name == "Gopkg.lock" }
+          end
+        end
+      end
+    end
+  end
+end