dependabot-core 0.76.1

data/lib/dependabot/update_checkers/elm/elm_package.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/update_checkers/base"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+
+module Dependabot
+  module UpdateCheckers
+    module Elm
+      class ElmPackage < Dependabot::UpdateCheckers::Base
+        require_relative "elm_package/requirements_updater"
+        require_relative "elm_package/elm_18_version_resolver"
+        require_relative "elm_package/elm_19_version_resolver"
+
+        def latest_version
+          @latest_version ||= candidate_versions.max
+        end
+
+        # Overwrite the base class to allow multi-dependency update PRs for
+        # dependencies for which we don't have a version.
+        def can_update?(requirements_to_unlock:)
+          if dependency.appears_in_lockfile?
+            version_can_update?(requirements_to_unlock: requirements_to_unlock)
+          elsif requirements_to_unlock == :none
+            false
+          elsif requirements_to_unlock == :own
+            requirements_can_update?
+          elsif requirements_to_unlock == :all
+            updated_dependencies_after_full_unlock.any?
+          end
+        end
+
+        def latest_resolvable_version
+          @latest_resolvable_version ||=
+            version_resolver.
+            latest_resolvable_version(unlock_requirement: :own)
+        end
+
+        def latest_resolvable_version_with_no_unlock
+          # Irrelevant, since Elm has a single dependency file (well, there's
+          # also `exact-dependencies.json`, but it's not recommended that that
+          # is committed).
+          nil
+        end
+
+        def updated_requirements
+          RequirementsUpdater.new(
+            requirements: dependency.requirements,
+            latest_resolvable_version: latest_resolvable_version
+          ).updated_requirements
+        end
+
+        private
+
+        def version_resolver
+          @version_resolver ||=
+            if dependency.requirements.any? { |r| r.fetch(:file) == "elm.json" }
+              Elm19VersionResolver.new(
+                dependency: dependency,
+                dependency_files: dependency_files
+              )
+            else
+              Elm18VersionResolver.new(
+                dependency: dependency,
+                dependency_files: dependency_files,
+                candidate_versions: candidate_versions
+              )
+            end
+        end
+
+        def updated_dependencies_after_full_unlock
+          version_resolver.updated_dependencies_after_full_unlock
+        end
+
+        def latest_version_resolvable_with_full_unlock?
+          latest_version == version_resolver.
+                            latest_resolvable_version(unlock_requirement: :all)
+        end
+
+        def candidate_versions
+          all_versions.
+            reject { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
+        end
+
+        def all_versions
+          return @all_versions if @version_lookup_attempted
+
+          @version_lookup_attempted = true
+
+          response = Excon.get(
+            "https://package.elm-lang.org/packages/#{dependency.name}/"\
+            "releases.json",
+            idempotent: true,
+            **Dependabot::SharedHelpers.excon_defaults
+          )
+
+          return @all_versions = [] unless response.status == 200
+
+          @all_versions =
+            JSON.parse(response.body).
+            keys.
+            map { |v| version_class.new(v) }.
+            sort
+        end
+
+        # Overwrite the base class's requirements_up_to_date? method to instead
+        # check whether the latest version is allowed
+        def requirements_up_to_date?
+          return false unless latest_version
+
+          dependency.requirements.
+            map { |r| r.fetch(:requirement) }.
+            map { |r| requirement_class.new(r) }.
+            all? { |r| r.satisfied_by?(latest_version) }
+        end
+
+        def ignore_reqs
+          # Note: we use Gem::Requirement here because ignore conditions will
+          # be passed as Ruby ranges
+          ignored_versions.map { |req| Gem::Requirement.new(req.split(",")) }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/elm/elm_package/cli_parser.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "dependabot/utils/elm/version"
+require "dependabot/update_checkers/elm/elm_package"
+
+module Dependabot
+  module UpdateCheckers
+    module Elm
+      class ElmPackage
+        class CliParser
+          INSTALL_DEPENDENCY_REGEX =
+            %r{([^\s]+\/[^\s]+)\s+(\d+\.\d+\.\d+)}.freeze
+          UPGRADE_DEPENDENCY_REGEX =
+            %r{([^\s]+\/[^\s]+) \(\d+\.\d+\.\d+ => (\d+\.\d+\.\d+)\)}.freeze
+
+          def self.decode_install_preview(text)
+            installs = {}
+
+            # Parse new installs
+            text.scan(INSTALL_DEPENDENCY_REGEX).
+              each { |n, v| installs[n] = Utils::Elm::Version.new(v) }
+
+            # Parse upgrades
+            text.scan(UPGRADE_DEPENDENCY_REGEX).
+              each { |n, v| installs[n] = Utils::Elm::Version.new(v) }
+
+            installs
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/elm/elm_package/elm_18_version_resolver.rb

@@ -0,0 +1,234 @@
+# frozen_string_literal: true
+
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+require "dependabot/file_parsers/elm/elm_package"
+require "dependabot/update_checkers/elm/elm_package"
+require "dependabot/update_checkers/elm/elm_package/cli_parser"
+require "dependabot/update_checkers/elm/elm_package/requirements_updater"
+require "dependabot/utils/elm/requirement"
+
+module Dependabot
+  module UpdateCheckers
+    module Elm
+      class ElmPackage
+        class Elm18VersionResolver
+          class UnrecoverableState < StandardError; end
+
+          def initialize(dependency:, dependency_files:, candidate_versions:)
+            @dependency = dependency
+            @dependency_files = dependency_files
+            @candidate_versions = candidate_versions
+          end
+
+          def latest_resolvable_version(unlock_requirement:)
+            unless %i(none own all).include?(unlock_requirement)
+              raise "Invalid unlock setting: #{unlock_requirement}"
+            end
+
+            # Elm has no lockfile, so we will never create an update PR if
+            # unlock requirements are `none`. Just return the current version.
+            return current_version if unlock_requirement == :none
+
+            # Otherwise, we gotta check a few conditions to see if bumping
+            # wouldn't also bump other deps in elm-package.json
+            candidate_versions.sort.reverse_each do |version|
+              return version if can_update?(version, unlock_requirement)
+            end
+
+            # Fall back to returning the dependency's current version, which is
+            # presumed to be resolvable
+            current_version
+          end
+
+          def updated_dependencies_after_full_unlock
+            version = latest_resolvable_version(unlock_requirement: :all)
+            deps_after_install = fetch_install_metadata(target_version: version)
+
+            original_dependency_details.map do |original_dep|
+              new_version = deps_after_install.fetch(original_dep.name)
+
+              old_reqs = original_dep.requirements.map do |req|
+                requirement_class.new(req[:requirement])
+              end
+
+              next if old_reqs.all? { |req| req.satisfied_by?(new_version) }
+
+              new_requirements =
+                RequirementsUpdater.new(
+                  requirements: original_dep.requirements,
+                  latest_resolvable_version: new_version.to_s
+                ).updated_requirements
+
+              Dependency.new(
+                name: original_dep.name,
+                version: new_version.to_s,
+                requirements: new_requirements,
+                previous_version: original_dep.version,
+                previous_requirements: original_dep.requirements,
+                package_manager: original_dep.package_manager
+              )
+            end.compact
+          end
+
+          private
+
+          attr_reader :dependency, :dependency_files, :candidate_versions
+
+          def can_update?(version, unlock_requirement)
+            deps_after_install = fetch_install_metadata(target_version: version)
+
+            result = check_install_result(deps_after_install, version)
+
+            # If the install was clean then we can definitely update
+            return true if result == :clean_bump
+
+            # Otherwise, we can still update if the result was a forced full
+            # unlock and we're allowed to unlock other requirements
+            return false unless unlock_requirement == :all
+
+            result == :forced_full_unlock_bump
+          end
+
+          def check_install_result(deps_after_install, target_version)
+            # This can go one of 5 ways:
+            # 1) We bump our dep and no other dep is bumped
+            # 2) We bump our dep and another dep is bumped too
+            #    Scenario: NoRedInk/datetimepicker bump to 3.0.2 also
+            #              bumps elm-css to 14
+            # 3) We bump our dep but actually elm-package doesn't bump it
+            #    Scenario: elm-css bump to 14 but datetimepicker is at 3.0.1
+            # 4) We bump our dep but elm-package just says
+            #    "Packages configured successfully!"
+            #    Narrator: they weren't
+            #    Scenario: impossible dependency (i.e. elm-css 999.999.999)
+            #              a <= v < b where a is greater than latest version
+            # 5) We bump our dep but elm-package blows up (not handled here)
+            #    Scenario: rtfeldman/elm-css 14 && rtfeldman/hashed-class 1.0.0
+            #              I'm not sure what's different from this scenario
+            #              to 3), why it blows up instead of just rolling
+            #              elm-css back to version 9 which is what
+            #              hashed-class requires
+
+            # 4) We bump our dep but elm-package just says
+            #    "Packages configured successfully!"
+            return :empty_elm_stuff_bug if deps_after_install.empty?
+
+            version_after_install = deps_after_install.fetch(dependency.name)
+
+            # 3) We bump our dep but actually elm-package doesn't bump it
+            return :downgrade_bug if version_after_install < target_version
+
+            other_top_level_deps_bumped =
+              original_dependency_details.
+              reject { |dep| dep.name == dependency.name }.
+              select do |dep|
+                reqs = dep.requirements.map { |r| r.fetch(:requirement) }
+                reqs = reqs.map { |r| requirement_class.new(r) }
+                reqs.any? { |r| !r.satisfied_by?(deps_after_install[dep.name]) }
+              end
+
+            # 2) We bump our dep and another dep is bumped
+            return :forced_full_unlock_bump if other_top_level_deps_bumped.any?
+
+            # 1) We bump our dep and no other dep is bumped
+            :clean_bump
+          end
+
+          def fetch_install_metadata(target_version:)
+            @install_cache ||= {}
+            @install_cache[target_version.to_s] ||=
+              SharedHelpers.in_a_temporary_directory do
+                write_temporary_dependency_files(target_version: target_version)
+
+                # Elm package install outputs a preview of the actions to be
+                # performed. We can use this preview to calculate whether it
+                # would do anything funny
+                command = "yes n | elm-package install"
+                response = run_shell_command(command)
+
+                deps_after_install = CliParser.decode_install_preview(response)
+
+                deps_after_install
+              rescue SharedHelpers::HelperSubprocessFailed => error
+                # 5) We bump our dep but elm-package blows up
+                handle_elm_package_errors(error)
+              end
+          end
+
+          def run_shell_command(command)
+            raw_response = nil
+            IO.popen(command, err: %i(child out)) do |process|
+              raw_response = process.read
+            end
+
+            # Raise an error with the output from the shell session if Elm
+            # returns a non-zero status
+            return raw_response if $CHILD_STATUS.success?
+
+            raise SharedHelpers::HelperSubprocessFailed.new(
+              raw_response,
+              command
+            )
+          end
+
+          def handle_elm_package_errors(error)
+            if error.message.include?("I cannot find a set of packages that " \
+                                      "works with your constraints")
+              raise Dependabot::DependencyFileNotResolvable, error.message
+            end
+
+            # I don't know any other errors
+            raise error
+          end
+
+          def write_temporary_dependency_files(target_version:)
+            dependency_files.each do |file|
+              path = file.name
+              FileUtils.mkdir_p(Pathname.new(path).dirname)
+
+              File.write(
+                path,
+                updated_elm_package_content(file.content, target_version)
+              )
+            end
+          end
+
+          def updated_elm_package_content(content, version)
+            json = JSON.parse(content)
+
+            new_requirement = RequirementsUpdater.new(
+              requirements: dependency.requirements,
+              latest_resolvable_version: version.to_s
+            ).updated_requirements.first[:requirement]
+
+            json["dependencies"][dependency.name] = new_requirement
+            JSON.dump(json)
+          end
+
+          def original_dependency_details
+            @original_dependency_details ||=
+              FileParsers::Elm::ElmPackage.new(
+                dependency_files: dependency_files,
+                source: nil
+              ).parse
+          end
+
+          def current_version
+            return unless dependency.version
+
+            version_class.new(dependency.version)
+          end
+
+          def version_class
+            Utils::Elm::Version
+          end
+
+          def requirement_class
+            Utils::Elm::Requirement
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/elm/elm_package/elm_19_version_resolver.rb

@@ -0,0 +1,198 @@
+# frozen_string_literal: true
+
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+require "dependabot/file_parsers/elm/elm_package"
+require "dependabot/update_checkers/elm/elm_package"
+require "dependabot/update_checkers/elm/elm_package/cli_parser"
+require "dependabot/update_checkers/elm/elm_package/requirements_updater"
+require "dependabot/utils/elm/requirement"
+
+module Dependabot
+  module UpdateCheckers
+    module Elm
+      class ElmPackage
+        class Elm19VersionResolver
+          class UnrecoverableState < StandardError; end
+
+          def initialize(dependency:, dependency_files:)
+            @dependency = dependency
+            @dependency_files = dependency_files
+          end
+
+          def latest_resolvable_version(unlock_requirement:)
+            unless %i(none own all).include?(unlock_requirement)
+              raise "Invalid unlock setting: #{unlock_requirement}"
+            end
+
+            # Elm has no lockfile, so we will never create an update PR if
+            # unlock requirements are `none`. Just return the current version.
+            return current_version if unlock_requirement == :none
+
+            # Otherwise, we gotta check a few conditions to see if bumping
+            # wouldn't also bump other deps in elm-package.json
+            fetch_latest_resolvable_version(unlock_requirement)
+          end
+
+          def updated_dependencies_after_full_unlock
+            changed_deps = install_metadata
+
+            original_dependency_details.map do |original_dep|
+              new_version = changed_deps.fetch(original_dep.name, nil)
+              next unless new_version
+
+              old_reqs = original_dep.requirements.map do |req|
+                requirement_class.new(req[:requirement])
+              end
+
+              next if old_reqs.all? { |req| req.satisfied_by?(new_version) }
+
+              new_requirements =
+                RequirementsUpdater.new(
+                  requirements: original_dep.requirements,
+                  latest_resolvable_version: new_version.to_s
+                ).updated_requirements
+
+              Dependency.new(
+                name: original_dep.name,
+                version: new_version.to_s,
+                requirements: new_requirements,
+                previous_version: original_dep.version,
+                previous_requirements: original_dep.requirements,
+                package_manager: original_dep.package_manager
+              )
+            end.compact
+          end
+
+          private
+
+          attr_reader :dependency, :dependency_files
+
+          def fetch_latest_resolvable_version(unlock_requirement)
+            changed_deps = install_metadata
+
+            result = check_install_result(changed_deps)
+            version_after_install = changed_deps.fetch(dependency.name)
+
+            # If the install was clean then we can definitely update
+            return version_after_install if result == :clean_bump
+
+            # Otherwise, we can still update if the result was a forced full
+            # unlock and we're allowed to unlock other requirements
+            return version_after_install if unlock_requirement == :all
+
+            current_version
+          end
+
+          def check_install_result(changed_deps)
+            other_deps_bumped =
+              changed_deps.
+              keys.
+              reject { |name| name == dependency.name }
+
+            return :forced_full_unlock_bump if other_deps_bumped.any?
+
+            :clean_bump
+          end
+
+          def install_metadata
+            @install_metadata ||=
+              SharedHelpers.in_a_temporary_directory do
+                write_temporary_dependency_files
+
+                # Elm package install outputs a preview of the actions to be
+                # performed. We can use this preview to calculate whether it
+                # would do anything funny
+                command = "yes n | elm19 install #{dependency.name}"
+                response = run_shell_command(command)
+
+                CliParser.decode_install_preview(response)
+              rescue SharedHelpers::HelperSubprocessFailed => error
+                # 5) We bump our dep but elm blows up
+                handle_elm_errors(error)
+              end
+          end
+
+          def run_shell_command(command)
+            raw_response = nil
+            IO.popen(command, err: %i(child out)) do |process|
+              raw_response = process.read
+            end
+
+            # Raise an error with the output from the shell session if Elm
+            # returns a non-zero status
+            return raw_response if $CHILD_STATUS.success?
+
+            raise SharedHelpers::HelperSubprocessFailed.new(
+              raw_response,
+              command
+            )
+          end
+
+          def handle_elm_errors(error)
+            if error.message.include?("OLD DEPENDENCIES") ||
+               error.message.include?("BAD JSON")
+              raise Dependabot::DependencyFileNotResolvable, error.message
+            end
+
+            # Raise any unrecognised errors
+            raise error
+          end
+
+          def write_temporary_dependency_files
+            dependency_files.each do |file|
+              path = file.name
+              FileUtils.mkdir_p(Pathname.new(path).dirname)
+
+              File.write(path, updated_elm_json_content(file.content))
+            end
+          end
+
+          def updated_elm_json_content(content)
+            json = JSON.parse(content)
+
+            # Delete the dependency from the elm.json, so that we can use
+            # `elm install <dependency_name>` to generate the install plan
+            %w(dependencies test-dependencies).each do |type|
+              if json.dig(type, dependency.name)
+                json[type].delete(dependency.name)
+              end
+
+              %w(direct indirect).each do |category|
+                if json.dig(type, category, dependency.name)
+                  json[type][category].delete(dependency.name)
+                end
+              end
+            end
+
+            json["source-directories"] = []
+
+            JSON.dump(json)
+          end
+
+          def original_dependency_details
+            @original_dependency_details ||=
+              FileParsers::Elm::ElmPackage.new(
+                dependency_files: dependency_files,
+                source: nil
+              ).parse
+          end
+
+          def current_version
+            return unless dependency.version
+
+            version_class.new(dependency.version)
+          end
+
+          def version_class
+            Utils::Elm::Version
+          end
+
+          def requirement_class
+            Utils::Elm::Requirement
+          end
+        end
+      end
+    end
+  end
+end