dependabot-core 0.76.1

data/lib/dependabot/file_updaters/python/pip/requirement_file_updater.rb

@@ -0,0 +1,166 @@
+# frozen_string_literal: true
+
+require "python_requirement_parser"
+require "dependabot/file_updaters/python/pip"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module FileUpdaters
+    module Python
+      class Pip
+        class RequirementFileUpdater
+          attr_reader :dependencies, :dependency_files, :credentials
+
+          def initialize(dependencies:, dependency_files:, credentials:)
+            @dependencies = dependencies
+            @dependency_files = dependency_files
+            @credentials = credentials
+          end
+
+          def updated_dependency_files
+            return @updated_dependency_files if @update_already_attempted
+
+            @update_already_attempted = true
+            @updated_dependency_files ||= fetch_updated_dependency_files
+          end
+
+          private
+
+          def dependency
+            # For now, we'll only ever be updating a single dependency
+            dependencies.first
+          end
+
+          def fetch_updated_dependency_files
+            reqs = dependency.requirements.zip(dependency.previous_requirements)
+
+            reqs.map do |(new_req, old_req)|
+              next if new_req == old_req
+
+              file = get_original_file(new_req.fetch(:file)).dup
+              updated_content =
+                updated_requirement_or_setup_file_content(new_req, old_req)
+              next if updated_content == file.content
+
+              file.content = updated_content
+              file
+            end.compact
+          end
+
+          def updated_requirement_or_setup_file_content(new_req, old_req)
+            content = get_original_file(new_req.fetch(:file)).content
+
+            updated_content =
+              content.gsub(
+                original_declaration_replacement_regex(old_req),
+                updated_dependency_declaration_string(new_req, old_req)
+              )
+
+            raise "Expected content to change!" if content == updated_content
+
+            updated_content
+          end
+
+          def original_dependency_declaration_string(requirement)
+            regex = PythonRequirementParser::INSTALL_REQ_WITH_REQUIREMENT
+            matches = []
+
+            get_original_file(requirement.fetch(:file)).
+              content.scan(regex) { matches << Regexp.last_match }
+            dec = matches.
+                  select { |m| normalise(m[:name]) == dependency.name }.
+                  find do |m|
+                    # The FileParser can mess up a requirement's spacing so we
+                    # sanitize both requirements before comparing
+                    f_req = m[:requirements]&.gsub(/\s/, "")&.split(",")&.sort
+                    p_req = requirement.fetch(:requirement)&.
+                            gsub(/\s/, "")&.split(",")&.sort
+                    f_req == p_req
+                  end
+
+            raise "Declaration not found for #{dependency.name}!" unless dec
+
+            dec.to_s.strip
+          end
+
+          def updated_dependency_declaration_string(new_req, old_req)
+            updated_string =
+              original_dependency_declaration_string(old_req).sub(
+                PythonRequirementParser::REQUIREMENTS,
+                new_req.fetch(:requirement)
+              )
+            return updated_string unless requirement_includes_hashes?(old_req)
+
+            updated_string.sub(
+              PythonRequirementParser::HASHES,
+              package_hashes_for(
+                name: dependency.name,
+                version: dependency.version,
+                algorithm: hash_algorithm(old_req)
+              ).join(hash_separator(old_req))
+            )
+          end
+
+          def original_declaration_replacement_regex(requirement)
+            original_string =
+              original_dependency_declaration_string(requirement)
+            /(?<![\-\w])#{Regexp.escape(original_string)}(?![\-\w])/
+          end
+
+          def requirement_includes_hashes?(requirement)
+            original_dependency_declaration_string(requirement).
+              match?(PythonRequirementParser::HASHES)
+          end
+
+          def hash_algorithm(requirement)
+            return unless requirement_includes_hashes?(requirement)
+
+            original_dependency_declaration_string(requirement).
+              match(PythonRequirementParser::HASHES).
+              named_captures.fetch("algorithm")
+          end
+
+          def hash_separator(requirement)
+            return unless requirement_includes_hashes?(requirement)
+
+            hash_regex = PythonRequirementParser::HASH
+            current_separator =
+              original_dependency_declaration_string(requirement).
+              match(/#{hash_regex}((?<separator>\s*\\?\s*?)#{hash_regex})*/).
+              named_captures.fetch("separator")
+
+            default_separator =
+              original_dependency_declaration_string(requirement).
+              match(PythonRequirementParser::HASH).
+              pre_match.match(/(?<separator>\s*\\?\s*?)\z/).
+              named_captures.fetch("separator")
+
+            current_separator || default_separator
+          end
+
+          def package_hashes_for(name:, version:, algorithm:)
+            SharedHelpers.run_helper_subprocess(
+              command: "pyenv exec python #{python_helper_path}",
+              function: "get_dependency_hash",
+              args: [name, version, algorithm]
+            ).map { |h| "--hash=#{algorithm}:#{h['hash']}" }
+          end
+
+          def python_helper_path
+            project_root = File.join(File.dirname(__FILE__), "../../../../..")
+            File.join(project_root, "helpers/python/run.py")
+          end
+
+          # See https://www.python.org/dev/peps/pep-0503/#normalized-names
+          def normalise(name)
+            name.downcase.gsub(/[-_.]+/, "-")
+          end
+
+          def get_original_file(filename)
+            dependency_files.find { |f| f.name == filename }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters/python/pip/requirement_replacer.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require "python_requirement_parser"
+require "dependabot/file_updaters/python/pip"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module FileUpdaters
+    module Python
+      class Pip
+        class RequirementReplacer
+          attr_reader :content, :dependency_name, :old_requirement,
+                      :new_requirement
+
+          def initialize(content:, dependency_name:, old_requirement:,
+                         new_requirement:)
+            @content         = content
+            @dependency_name = dependency_name
+            @old_requirement = old_requirement
+            @new_requirement = new_requirement
+          end
+
+          def updated_content
+            updated_content =
+              content.gsub(original_declaration_replacement_regex) do |mtch|
+                # If the "declaration" is setting an option (e.g., no-binary)
+                # ignore it, since it isn't actually a declaration
+                next mtch if Regexp.last_match.pre_match.match?(/--.*\z/)
+
+                updated_dependency_declaration_string(
+                  old_requirement,
+                  new_requirement
+                )
+              end
+
+            raise "Expected content to change!" if content == updated_content
+
+            updated_content
+          end
+
+          private
+
+          def original_dependency_declaration_string(old_req)
+            matches = []
+
+            dec =
+              if old_req.nil?
+                regex = PythonRequirementParser::INSTALL_REQ_WITHOUT_REQUIREMENT
+                content.scan(regex) { matches << Regexp.last_match }
+                matches.find { |m| normalise(m[:name]) == dependency_name }
+              else
+                regex = PythonRequirementParser::INSTALL_REQ_WITH_REQUIREMENT
+                content.scan(regex) { matches << Regexp.last_match }
+                matches.
+                  select { |m| normalise(m[:name]) == dependency_name }.
+                  find { |m| requirements_match(m[:requirements], old_req) }
+              end
+
+            raise "Declaration not found for #{dependency_name}!" unless dec
+
+            dec.to_s.strip
+          end
+
+          def updated_dependency_declaration_string(old_req, new_req)
+            if old_req
+              original_dependency_declaration_string(old_req).
+                sub(PythonRequirementParser::REQUIREMENTS, new_req)
+            else
+              original_dependency_declaration_string(old_req).
+                sub(PythonRequirementParser::NAME_WITH_EXTRAS) do |nm|
+                  nm + new_req
+                end
+            end
+          end
+
+          def original_declaration_replacement_regex
+            original_string =
+              original_dependency_declaration_string(old_requirement)
+            /(?<![\-\w\.])#{Regexp.escape(original_string)}(?![\-\w\.])/
+          end
+
+          # See https://www.python.org/dev/peps/pep-0503/#normalized-names
+          def normalise(name)
+            name.downcase.gsub(/[-_.]+/, "-")
+          end
+
+          def requirements_match(req1, req2)
+            req1&.split(",")&.map { |r| r.gsub(/\s/, "") }&.sort ==
+              req2&.split(",")&.map { |r| r.gsub(/\s/, "") }&.sort
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters/python/pip/setup_file_sanitizer.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters/python/pip"
+require "dependabot/file_parsers/python/pip/setup_file_parser"
+
+module Dependabot
+  module FileUpdaters
+    module Python
+      class Pip
+        # Take a setup.py, parses it (carefully!) and then create a new, clean
+        # setup.py using only the information which will appear in the lockfile.
+        class SetupFileSanitizer
+          def initialize(setup_file:, setup_cfg:)
+            @setup_file = setup_file
+            @setup_cfg = setup_cfg
+          end
+
+          def sanitized_content
+            # The part of the setup.py that Pipenv cares about appears to be the
+            # install_requires. A name and version are required by don't end up
+            # in the lockfile.
+            content =
+              "from setuptools import setup\n\n"\
+              "setup(name=\"sanitized-package\",version=\"0.0.1\","\
+              "install_requires=#{install_requires_array.to_json},"\
+              "extras_require=#{extras_require_hash.to_json}"
+
+            content += ',setup_requires=["pbr"],pbr=True' if include_pbr?
+            content + ")"
+          end
+
+          private
+
+          attr_reader :setup_file, :setup_cfg
+
+          def include_pbr?
+            setup_requires_array.any? { |d| d.start_with?("pbr") }
+          end
+
+          def install_requires_array
+            @install_requires_array ||=
+              parsed_setup_file.dependencies.map do |dep|
+                next unless dep.requirements.first[:groups].
+                            include?("install_requires")
+
+                dep.name + dep.requirements.first[:requirement].to_s
+              end.compact
+          end
+
+          def setup_requires_array
+            @setup_requires_array ||=
+              parsed_setup_file.dependencies.map do |dep|
+                next unless dep.requirements.first[:groups].
+                            include?("setup_requires")
+
+                dep.name + dep.requirements.first[:requirement].to_s
+              end.compact
+          end
+
+          def extras_require_hash
+            @extras_require_hash ||=
+              begin
+                hash = {}
+                parsed_setup_file.dependencies.each do |dep|
+                  dep.requirements.first[:groups].each do |group|
+                    next unless group.start_with?("extras_require:")
+
+                    hash[group.split(":").last] ||= []
+                    hash[group.split(":").last] <<
+                      dep.name + dep.requirements.first[:requirement].to_s
+                  end
+                end
+
+                hash
+              end
+          end
+
+          def parsed_setup_file
+            @parsed_setup_file ||=
+              FileParsers::Python::Pip::SetupFileParser.new(
+                dependency_files: [
+                  setup_file&.dup&.tap { |f| f.name = "setup.py" },
+                  setup_cfg&.dup&.tap { |f| f.name = "setup.cfg" }
+                ].compact
+              ).dependency_set
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/file_updaters/ruby/bundler.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters/base"
+
+module Dependabot
+  module FileUpdaters
+    module Ruby
+      class Bundler < Dependabot::FileUpdaters::Base
+        require_relative "bundler/gemfile_updater"
+        require_relative "bundler/gemspec_updater"
+        require_relative "bundler/lockfile_updater"
+
+        def self.updated_files_regex
+          [
+            /^Gemfile$/,
+            /^Gemfile\.lock$/,
+            /^gems\.rb$/,
+            /^gems\.locked$/,
+            %r{^[^/]*\.gemspec$}
+          ]
+        end
+
+        def updated_dependency_files
+          updated_files = []
+
+          if gemfile && file_changed?(gemfile)
+            updated_files <<
+              updated_file(
+                file: gemfile,
+                content: updated_gemfile_content(gemfile)
+              )
+          end
+
+          if lockfile && dependencies.any?(&:appears_in_lockfile?)
+            updated_files <<
+              updated_file(file: lockfile, content: updated_lockfile_content)
+          end
+
+          top_level_gemspecs.each do |file|
+            next unless file_changed?(file)
+
+            updated_files <<
+              updated_file(file: file, content: updated_gemspec_content(file))
+          end
+
+          evaled_gemfiles.each do |file|
+            next unless file_changed?(file)
+
+            updated_files <<
+              updated_file(file: file, content: updated_gemfile_content(file))
+          end
+
+          updated_files
+        end
+
+        private
+
+        def check_required_files
+          file_names = dependency_files.map(&:name)
+
+          if lockfile && !gemfile
+            raise "A Gemfile must be provided if a lockfile is!"
+          end
+
+          return if file_names.any? { |name| name.match?(%r{^[^/]*\.gemspec$}) }
+          return if gemfile
+
+          raise "A gemspec or Gemfile must be provided!"
+        end
+
+        def gemfile
+          @gemfile ||= get_original_file("Gemfile") ||
+                       get_original_file("gems.rb")
+        end
+
+        def lockfile
+          @lockfile ||= get_original_file("Gemfile.lock") ||
+                        get_original_file("gems.locked")
+        end
+
+        def evaled_gemfiles
+          @evaled_gemfiles ||=
+            dependency_files.
+            reject { |f| f.name.end_with?(".gemspec") }.
+            reject { |f| f.name.end_with?(".lock") }.
+            reject { |f| f.name.end_with?(".ruby-version") }.
+            reject { |f| f.name == "Gemfile" }.
+            reject { |f| f.name == "gems.rb" }.
+            reject { |f| f.name == "gems.locked" }
+        end
+
+        def updated_gemfile_content(file)
+          GemfileUpdater.new(
+            dependencies: dependencies,
+            gemfile: file
+          ).updated_gemfile_content
+        end
+
+        def updated_gemspec_content(gemspec)
+          GemspecUpdater.new(
+            dependencies: dependencies,
+            gemspec: gemspec
+          ).updated_gemspec_content
+        end
+
+        def updated_lockfile_content
+          @updated_lockfile_content ||=
+            LockfileUpdater.new(
+              dependencies: dependencies,
+              dependency_files: dependency_files,
+              credentials: credentials
+            ).updated_lockfile_content
+        end
+
+        def top_level_gemspecs
+          dependency_files.select { |f| f.name.match?(%r{^[^/]*\.gemspec$}) }
+        end
+      end
+    end
+  end
+end