dependabot-core 0.76.1

data/lib/dependabot/update_checkers/elm/elm_package/requirements_updater.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require "dependabot/utils/elm/version"
+require "dependabot/utils/elm/requirement"
+require "dependabot/update_checkers/elm/elm_package"
+
+module Dependabot
+  module UpdateCheckers
+    module Elm
+      class ElmPackage
+        class RequirementsUpdater
+          RANGE_REQUIREMENT_REGEX =
+            /(\d+\.\d+\.\d+) <= v < (\d+\.\d+\.\d+)/.freeze
+          SINGLE_VERSION_REGEX = /\A(\d+\.\d+\.\d+)\z/.freeze
+
+          def initialize(requirements:, latest_resolvable_version:)
+            @requirements = requirements
+
+            return unless latest_resolvable_version
+            return unless version_class.correct?(latest_resolvable_version)
+
+            @latest_resolvable_version =
+              version_class.new(latest_resolvable_version)
+          end
+
+          def updated_requirements
+            return requirements unless latest_resolvable_version
+
+            requirements.map do |req|
+              updated_req_string = update_requirement(
+                req[:requirement],
+                latest_resolvable_version
+              )
+
+              req.merge(requirement: updated_req_string)
+            end
+          end
+
+          private
+
+          attr_reader :requirements, :latest_resolvable_version
+
+          def update_requirement(old_req, new_version)
+            if requirement_class.new(old_req).satisfied_by?(new_version)
+              old_req
+            elsif (match = RANGE_REQUIREMENT_REGEX.match(old_req))
+              require_range(match[1], new_version)
+            elsif SINGLE_VERSION_REGEX.match?(old_req)
+              new_version.to_s
+            else
+              require_exactly(new_version)
+            end
+          end
+
+          def require_range(minimum, version)
+            major, _minor, _patch = version.to_s.split(".").map(&:to_i)
+            "#{minimum} <= v < #{major + 1}.0.0"
+          end
+
+          def require_exactly(version)
+            "#{version} <= v <= #{version}"
+          end
+
+          def version_class
+            Utils::Elm::Version
+          end
+
+          def requirement_class
+            Utils::Elm::Requirement
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/git/submodules.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require "dependabot/update_checkers/base"
+require "dependabot/git_commit_checker"
+
+module Dependabot
+  module UpdateCheckers
+    module Git
+      class Submodules < Dependabot::UpdateCheckers::Base
+        def latest_version
+          @latest_version ||= fetch_latest_version
+        end
+
+        def latest_resolvable_version
+          # Resolvability isn't an issue for submodules.
+          latest_version
+        end
+
+        def latest_resolvable_version_with_no_unlock
+          # No concept of "unlocking" for submodules
+          latest_version
+        end
+
+        def updated_requirements
+          # Submodule requirements are the URL and branch to use for the
+          # submodule. We never want to update either.
+          dependency.requirements
+        end
+
+        private
+
+        def latest_version_resolvable_with_full_unlock?
+          # Full unlock checks aren't relevant for submodules
+          false
+        end
+
+        def updated_dependencies_after_full_unlock
+          raise NotImplementedError
+        end
+
+        def fetch_latest_version
+          git_commit_checker = GitCommitChecker.new(
+            dependency: dependency,
+            credentials: credentials
+          )
+
+          git_commit_checker.head_commit_for_current_branch
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/go/dep.rb

@@ -0,0 +1,311 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+require "dependabot/update_checkers/base"
+
+module Dependabot
+  module UpdateCheckers
+    module Go
+      class Dep < Dependabot::UpdateCheckers::Base
+        require_relative "dep/file_preparer"
+        require_relative "dep/latest_version_finder"
+        require_relative "dep/requirements_updater"
+        require_relative "dep/version_resolver"
+
+        def latest_version
+          @latest_version ||=
+            LatestVersionFinder.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials,
+              ignored_versions: ignored_versions
+            ).latest_version
+        end
+
+        def latest_resolvable_version
+          @latest_resolvable_version ||=
+            if modules_dependency?
+              latest_version
+            elsif git_dependency?
+              latest_resolvable_version_for_git_dependency
+            else
+              latest_resolvable_released_version(unlock_requirement: true)
+            end
+        end
+
+        def latest_resolvable_version_with_no_unlock
+          @latest_resolvable_version_with_no_unlock ||=
+            if git_dependency?
+              latest_resolvable_commit_with_unchanged_git_source
+            else
+              latest_resolvable_released_version(unlock_requirement: false)
+            end
+        end
+
+        def updated_requirements
+          @updated_requirements ||=
+            RequirementsUpdater.new(
+              requirements: dependency.requirements,
+              updated_source: updated_source,
+              update_strategy: requirements_update_strategy,
+              latest_version: latest_version&.to_s,
+              latest_resolvable_version: latest_resolvable_version&.to_s
+            ).updated_requirements
+        end
+
+        def requirements_update_strategy
+          # If passed in as an option (in the base class) honour that option
+          if @requirements_update_strategy
+            return @requirements_update_strategy.to_sym
+          end
+
+          # Otherwise, widen ranges for libraries and bump versions for apps
+          library? ? :widen_ranges : :bump_versions
+        end
+
+        private
+
+        def latest_version_resolvable_with_full_unlock?
+          # Full unlock checks aren't implemented for Go (yet)
+          false
+        end
+
+        def updated_dependencies_after_full_unlock
+          raise NotImplementedError
+        end
+
+        # Override the base class's check for whether this is a git dependency,
+        # since not all dep git dependencies have a SHA version (sometimes their
+        # version is the tag)
+        def existing_version_is_sha?
+          git_dependency?
+        end
+
+        def library?
+          dependency_files.none? { |f| f.type == "package_main" }
+        end
+
+        # rubocop:disable Metrics/CyclomaticComplexity
+        # rubocop:disable Metrics/PerceivedComplexity
+        def latest_resolvable_version_for_git_dependency
+          return latest_version if modules_dependency?
+
+          latest_release =
+            begin
+              latest_resolvable_released_version(unlock_requirement: true)
+            rescue SharedHelpers::HelperSubprocessFailed => error
+              raise unless error.message.include?("Solving failure")
+            end
+
+          # If there's a resolvable release that includes the current pinned
+          # ref or that the current branch is behind, we switch to that release.
+          return latest_release if git_branch_or_ref_in_release?(latest_release)
+
+          # Otherwise, if the gem isn't pinned, the latest version is just the
+          # latest commit for the specified branch.
+          unless git_commit_checker.pinned?
+            return latest_resolvable_commit_with_unchanged_git_source
+          end
+
+          # If the dependency is pinned to a tag that looks like a version then
+          # we want to update that tag.
+          if git_commit_checker.pinned_ref_looks_like_version? &&
+             latest_git_tag_is_resolvable?
+            new_tag = git_commit_checker.local_tag_for_latest_version
+            return version_from_tag(new_tag)
+          end
+
+          # If the dependency is pinned to a tag that doesn't look like a
+          # version then there's nothing we can do.
+          nil
+        end
+        # rubocop:enable Metrics/CyclomaticComplexity
+        # rubocop:enable Metrics/PerceivedComplexity
+
+        def version_from_tag(tag)
+          # To compare with the current version we either use the commit SHA
+          # (if that's what the parser picked up) of the tag name.
+          if dependency.version&.match?(/^[0-9a-f]{40}$/)
+            return tag&.fetch(:commit_sha)
+          end
+
+          tag&.fetch(:tag)
+        end
+
+        def latest_resolvable_commit_with_unchanged_git_source
+          if @commit_lookup_attempted
+            return @latest_resolvable_commit_with_unchanged_git_source
+          end
+
+          @commit_lookup_attempted = true
+          @latest_resolvable_commit_with_unchanged_git_source ||=
+            begin
+              prepared_files = FilePreparer.new(
+                dependency_files: dependency_files,
+                dependency: dependency,
+                unlock_requirement: false,
+                remove_git_source: false,
+                latest_allowable_version: latest_version
+              ).prepared_dependency_files
+
+              VersionResolver.new(
+                dependency: dependency,
+                dependency_files: prepared_files,
+                credentials: credentials
+              ).latest_resolvable_version
+            end
+        rescue SharedHelpers::HelperSubprocessFailed => error
+          # This should rescue resolvability errors in future
+          raise unless error.message.include?("Solving failure")
+        end
+
+        def latest_resolvable_released_version(unlock_requirement:)
+          @latest_resolvable_released_version ||= {}
+          @latest_resolvable_released_version[unlock_requirement] ||=
+            begin
+              prepared_files = FilePreparer.new(
+                dependency_files: dependency_files,
+                dependency: dependency,
+                unlock_requirement: unlock_requirement,
+                remove_git_source: git_dependency?,
+                latest_allowable_version: latest_version
+              ).prepared_dependency_files
+
+              VersionResolver.new(
+                dependency: dependency,
+                dependency_files: prepared_files,
+                credentials: credentials
+              ).latest_resolvable_version
+            end
+        end
+
+        def latest_git_tag_is_resolvable?
+          return @git_tag_resolvable if @latest_git_tag_is_resolvable_checked
+
+          @latest_git_tag_is_resolvable_checked = true
+
+          return false if git_commit_checker.local_tag_for_latest_version.nil?
+
+          replacement_tag = git_commit_checker.local_tag_for_latest_version
+
+          prepared_files = FilePreparer.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            unlock_requirement: false,
+            remove_git_source: false,
+            replacement_git_pin: replacement_tag.fetch(:tag)
+          ).prepared_dependency_files
+
+          VersionResolver.new(
+            dependency: dependency,
+            dependency_files: prepared_files,
+            credentials: credentials
+          ).latest_resolvable_version
+
+          @git_tag_resolvable = true
+        rescue SharedHelpers::HelperSubprocessFailed => error
+          # This should rescue resolvability errors in future
+          raise unless error.message.include?("Solving failure")
+
+          @git_tag_resolvable = false
+        end
+
+        def updated_source
+          # Never need to update source, unless a git_dependency
+          return dependency_source_details unless git_dependency?
+
+          # Source becomes `nil` if switching to default rubygems
+          return default_source if should_switch_source_from_ref_to_release?
+
+          # Update the git tag if updating a pinned version
+          if git_commit_checker.pinned_ref_looks_like_version? &&
+             latest_git_tag_is_resolvable?
+            new_tag = git_commit_checker.local_tag_for_latest_version
+            return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+          end
+
+          # Otherwise return the original source
+          dependency_source_details
+        end
+
+        def dependency_source_details
+          sources =
+            dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+          raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+          sources.first
+        end
+
+        def should_switch_source_from_ref_to_release?
+          return false unless git_dependency?
+          return false if latest_resolvable_version_for_git_dependency.nil?
+
+          Gem::Version.correct?(latest_resolvable_version_for_git_dependency)
+        end
+
+        def modules_dependency?
+          # If dep is being used then we use that to determine the latest
+          # version we can update to (since it will have resolvability
+          # requirements, whereas Go modules won't)
+          !dependency_in_gopkg_lock?
+        end
+
+        def dependency_in_gopkg_lock?
+          lockfile = dependency_files.find { |f| f.name == "Gopkg.lock" }
+          return false unless lockfile
+
+          parsed_file(lockfile).fetch("projects", []).any? do |details|
+            details.fetch("name") == dependency.name
+          end
+        end
+
+        def git_dependency?
+          git_commit_checker.git_dependency?
+        end
+
+        def default_source
+          if modules_dependency?
+            return { type: "default", source: dependency.name }
+          end
+
+          original_declaration =
+            parsed_file(manifest).
+            values_at(*FileParsers::Go::Dep::REQUIREMENT_TYPES).
+            flatten.compact.
+            find { |d| d["name"] == dependency.name }
+
+          {
+            type: "default",
+            source:
+              original_declaration&.fetch("source", nil) || dependency.name
+          }
+        end
+
+        def git_branch_or_ref_in_release?(release)
+          return false unless release
+
+          git_commit_checker.branch_or_ref_in_release?(release)
+        end
+
+        def parsed_file(file)
+          @parsed_file ||= {}
+          @parsed_file[file.name] ||= TomlRB.parse(file.content)
+        end
+
+        def manifest
+          @manifest ||= dependency_files.find { |f| f.name == "Gopkg.toml" }
+        end
+
+        def git_commit_checker
+          @git_commit_checker ||=
+            GitCommitChecker.new(
+              dependency: dependency,
+              credentials: credentials,
+              ignored_versions: ignored_versions
+            )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/go/dep/file_preparer.rb

@@ -0,0 +1,221 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+require "dependabot/dependency_file"
+require "dependabot/file_parsers/go/dep"
+require "dependabot/update_checkers/go/dep"
+
+module Dependabot
+  module UpdateCheckers
+    module Go
+      class Dep
+        # This class takes a set of dependency files and prepares them for use
+        # in UpdateCheckers::Go::Dep.
+        class FilePreparer
+          def initialize(dependency_files:, dependency:,
+                         remove_git_source: false,
+                         unlock_requirement: true,
+                         replacement_git_pin: nil,
+                         latest_allowable_version: nil)
+            @dependency_files         = dependency_files
+            @dependency               = dependency
+            @unlock_requirement       = unlock_requirement
+            @remove_git_source        = remove_git_source
+            @replacement_git_pin      = replacement_git_pin
+            @latest_allowable_version = latest_allowable_version
+          end
+
+          def prepared_dependency_files
+            files = []
+
+            files << manifest_for_update_check
+            files << lockfile if lockfile
+
+            files
+          end
+
+          private
+
+          attr_reader :dependency_files, :dependency, :replacement_git_pin,
+                      :latest_allowable_version
+
+          def unlock_requirement?
+            @unlock_requirement
+          end
+
+          def remove_git_source?
+            @remove_git_source
+          end
+
+          def replace_git_pin?
+            !replacement_git_pin.nil?
+          end
+
+          def manifest_for_update_check
+            DependencyFile.new(
+              name: manifest.name,
+              content: manifest_content_for_update_check(manifest),
+              directory: manifest.directory
+            )
+          end
+
+          def manifest_content_for_update_check(file)
+            content = file.content
+
+            content = remove_git_source(content) if remove_git_source?
+            content = replace_git_pin(content) if replace_git_pin?
+            content = replace_version_constraint(content, file.name)
+            content = add_fsnotify_override(content)
+
+            content
+          end
+
+          def remove_git_source(content)
+            parsed_manifest = TomlRB.parse(content)
+
+            FileParsers::Go::Dep::REQUIREMENT_TYPES.each do |type|
+              (parsed_manifest[type] || []).each do |details|
+                next unless details["name"] == dependency.name
+
+                details.delete("revision")
+                details.delete("branch")
+              end
+            end
+
+            TomlRB.dump(parsed_manifest)
+          end
+
+          def replace_git_pin(content)
+            parsed_manifest = TomlRB.parse(content)
+
+            FileParsers::Go::Dep::REQUIREMENT_TYPES.each do |type|
+              (parsed_manifest[type] || []).each do |details|
+                next unless details["name"] == dependency.name
+
+                raise "Invalid details! #{details}" if details["branch"]
+
+                if details["version"]
+                  details["version"] = replacement_git_pin
+                else
+                  details["revision"] = replacement_git_pin
+                end
+              end
+            end
+
+            TomlRB.dump(parsed_manifest)
+          end
+
+          # Note: We don't need to care about formatting in this method, since
+          # we're only using the manifest to find the latest resolvable version
+          def replace_version_constraint(content, filename)
+            parsed_manifest = TomlRB.parse(content)
+
+            FileParsers::Go::Dep::REQUIREMENT_TYPES.each do |type|
+              (parsed_manifest[type] || []).each do |details|
+                next unless details["name"] == dependency.name
+                next if details["revision"] || details["branch"]
+                next if replacement_git_pin
+
+                updated_req = temporary_requirement_for_resolution(filename)
+
+                details["version"] = updated_req
+              end
+            end
+
+            TomlRB.dump(parsed_manifest)
+          end
+
+          # A dep bug means we have to specify a source for gopkg.in/fsnotify.v1
+          # or we get `panic: version queue is empty` errors
+          def add_fsnotify_override(content)
+            parsed_manifest = TomlRB.parse(content)
+
+            overrides = parsed_manifest.fetch("override", [])
+            dep_name = "gopkg.in/fsnotify.v1"
+
+            override = overrides.find { |s| s["name"] == dep_name }
+            if override.nil?
+              override = { "name" => dep_name }
+              overrides << override
+            end
+
+            unless override["source"]
+              override["source"] = "gopkg.in/fsnotify/fsnotify.v1"
+            end
+
+            parsed_manifest["override"] = overrides
+            TomlRB.dump(parsed_manifest)
+          end
+
+          def temporary_requirement_for_resolution(filename)
+            original_req = dependency.requirements.
+                           find { |r| r.fetch(:file) == filename }&.
+                           fetch(:requirement)
+
+            lower_bound_req =
+              if original_req && !unlock_requirement?
+                original_req
+              else
+                ">= #{lower_bound_version}"
+              end
+
+            unless latest_allowable_version &&
+                   version_class.correct?(latest_allowable_version) &&
+                   version_class.new(latest_allowable_version) >=
+                   version_class.new(lower_bound_version)
+              return lower_bound_req
+            end
+
+            lower_bound_req + ", <= #{latest_allowable_version}"
+          end
+
+          def lower_bound_version
+            @lower_bound_version ||=
+              if version_from_lockfile
+                version_from_lockfile
+              else
+                version_from_requirement =
+                  dependency.requirements.map { |r| r.fetch(:requirement) }.
+                  compact.
+                  flat_map { |req_str| requirement_class.new(req_str) }.
+                  flat_map(&:requirements).
+                  reject { |req_array| req_array.first.start_with?("<") }.
+                  map(&:last).
+                  max&.to_s
+
+                version_from_requirement || 0
+              end
+          end
+
+          def version_from_lockfile
+            return unless lockfile
+
+            TomlRB.parse(lockfile.content).
+              fetch("projects", []).
+              find { |p| p["name"] == dependency.name }&.
+              fetch("version", nil)&.
+              sub(/^v?/, "")
+          end
+
+          def version_class
+            Utils.version_class_for_package_manager(dependency.package_manager)
+          end
+
+          def requirement_class
+            Utils.requirement_class_for_package_manager(
+              dependency.package_manager
+            )
+          end
+
+          def manifest
+            @manifest ||= dependency_files.find { |f| f.name == "Gopkg.toml" }
+          end
+
+          def lockfile
+            @lockfile ||= dependency_files.find { |f| f.name == "Gopkg.lock" }
+          end
+        end
+      end
+    end
+  end
+end