dependabot-core 0.76.1

data/lib/dependabot/update_checkers/ruby/bundler/force_updater.rb

@@ -0,0 +1,261 @@
+# frozen_string_literal: true
+
+require "bundler_definition_ruby_version_patch"
+require "bundler_definition_bundler_version_patch"
+require "bundler_git_source_patch"
+
+require "dependabot/update_checkers/ruby/bundler"
+require "dependabot/update_checkers/ruby/bundler/requirements_updater"
+require "dependabot/file_updaters/ruby/bundler/lockfile_updater"
+require "dependabot/file_parsers/ruby/bundler"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+
+module Dependabot
+  module UpdateCheckers
+    module Ruby
+      class Bundler
+        class ForceUpdater
+          def initialize(dependency:, dependency_files:, credentials:,
+                         target_version:)
+            @dependency       = dependency
+            @dependency_files = dependency_files
+            @credentials      = credentials
+            @target_version   = target_version
+          end
+
+          def updated_dependencies
+            @updated_dependencies ||= force_update
+          end
+
+          private
+
+          attr_reader :dependency, :dependency_files, :credentials,
+                      :target_version
+
+          def force_update
+            in_a_temporary_bundler_context do
+              other_updates = []
+
+              begin
+                definition = build_definition(other_updates: other_updates)
+                definition.resolve_remotely!
+                specs = definition.resolve
+                dependencies_from([dependency] + other_updates, specs)
+              rescue ::Bundler::VersionConflict => error
+                # TODO: Not sure this won't unlock way too many things...
+                new_dependencies_to_unlock =
+                  new_dependencies_to_unlock_from(
+                    error: error,
+                    already_unlocked: other_updates
+                  )
+
+                raise if new_dependencies_to_unlock.none?
+
+                other_updates += new_dependencies_to_unlock
+                retry
+              end
+            end
+          rescue SharedHelpers::ChildProcessFailed => error
+            raise_unresolvable_error(error)
+          end
+
+          #########################
+          # Bundler context setup #
+          #########################
+
+          def in_a_temporary_bundler_context
+            SharedHelpers.in_a_temporary_directory do
+              write_temporary_dependency_files
+
+              SharedHelpers.in_a_forked_process do
+                # Remove installed gems from the default Rubygems index
+                ::Gem::Specification.all = []
+
+                # Set auth details
+                relevant_credentials.each do |cred|
+                  ::Bundler.settings.set_command_option(
+                    cred.fetch("host"),
+                    cred["token"] || "#{cred['username']}:#{cred['password']}"
+                  )
+                end
+
+                # Only allow upgrades. Othewise it's unlikely that this
+                # resolution will be found by the FileUpdater
+                ::Bundler.settings.set_command_option(
+                  "only_update_to_newer_versions",
+                  true
+                )
+
+                yield
+              end
+            end
+          end
+
+          def new_dependencies_to_unlock_from(error:, already_unlocked:)
+            potentials_deps =
+              error.cause.conflicts.values.
+              flat_map(&:requirement_trees).
+              reject do |tree|
+                next true unless tree.last.requirement.specific?
+                next false unless tree.last.name == dependency.name
+
+                tree.last.requirement.satisfied_by?(
+                  Gem::Version.new(target_version)
+                )
+              end.map(&:first)
+
+            potentials_deps.
+              reject { |dep| already_unlocked.map(&:name).include?(dep.name) }.
+              reject { |dep| [dependency.name, "ruby\0"].include?(dep.name) }.
+              uniq
+          end
+
+          def raise_unresolvable_error(error)
+            msg = error.error_class + " with message: " + error.error_message
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
+          def build_definition(other_updates:)
+            gems_to_unlock = other_updates.map(&:name) + [dependency.name]
+            definition = ::Bundler::Definition.build(
+              gemfile.name,
+              lockfile&.name,
+              gems: gems_to_unlock + subdependencies,
+              lock_shared_dependencies: true
+            )
+
+            # Remove the Gemfile / gemspec requirements on the gems we're
+            # unlocking (i.e., completely unlock them)
+            gems_to_unlock.each do |gem_name|
+              unlock_gem(definition: definition, gem_name: gem_name)
+            end
+
+            # Set the requirement for the gem we're forcing an update of
+            new_req = Gem::Requirement.create("= #{target_version}")
+            definition.dependencies.
+              find { |d| d.name == dependency.name }.
+              instance_variable_set(:@requirement, new_req)
+
+            definition
+          end
+
+          def subdependencies
+            # If there's no lockfile we don't need to worry about
+            # subdependencies
+            return [] unless lockfile
+
+            all_deps =  ::Bundler::LockfileParser.new(sanitized_lockfile_body).
+                        specs.map(&:name).map(&:to_s)
+            top_level = ::Bundler::Definition.
+                        build(gemfile.name, lockfile.name, {}).
+                        dependencies.map(&:name).map(&:to_s)
+
+            all_deps - top_level
+          end
+
+          def unlock_gem(definition:, gem_name:)
+            dep = definition.dependencies.find { |d| d.name == gem_name }
+            version = definition.locked_gems.specs.
+                      find { |d| d.name == gem_name }.version
+
+            dep&.instance_variable_set(
+              :@requirement,
+              Gem::Requirement.create(">= #{version}")
+            )
+          end
+
+          def original_dependencies
+            @original_dependencies ||=
+              FileParsers::Ruby::Bundler.new(
+                dependency_files: dependency_files,
+                credentials: credentials,
+                source: nil
+              ).parse
+          end
+
+          def dependencies_from(updated_deps, specs)
+            # You might think we'd want to remove dependencies whose version
+            # hadn't changed from this array. We don't. We still need to unlock
+            # them to get Bundler to resolve, because unlocking them is what
+            # updates their subdependencies.
+            #
+            # This is kind of a bug in Bundler, and we should try to fix it,
+            # but resolving it won't necessarily be easy.
+            updated_deps.map do |dep|
+              original_dep =
+                original_dependencies.find { |d| d.name == dep.name }
+              spec = specs.find { |d| d.name == dep.name }
+
+              next if spec.version.to_s == original_dep.version
+
+              build_dependency(original_dep, spec)
+            end.compact
+          end
+
+          def build_dependency(original_dep, updated_spec)
+            Dependency.new(
+              name: updated_spec.name,
+              version: updated_spec.version.to_s,
+              requirements:
+                RequirementsUpdater.new(
+                  requirements: original_dep.requirements,
+                  library: library?,
+                  updated_source: source_for(original_dep),
+                  latest_version: updated_spec.version.to_s,
+                  latest_resolvable_version: updated_spec.version.to_s
+                ).updated_requirements,
+              previous_version: original_dep.version,
+              previous_requirements: original_dep.requirements,
+              package_manager: original_dep.package_manager
+            )
+          end
+
+          def source_for(dependency)
+            dependency.requirements.
+              find { |r| r.fetch(:source) }&.
+              fetch(:source)
+          end
+
+          def gemfile
+            dependency_files.find { |f| f.name == "Gemfile" } ||
+              dependency_files.find { |f| f.name == "gems.rb" }
+          end
+
+          def lockfile
+            dependency_files.find { |f| f.name == "Gemfile.lock" } ||
+              dependency_files.find { |f| f.name == "gems.locked" }
+          end
+
+          def sanitized_lockfile_body
+            re = FileUpdaters::Ruby::Bundler::LockfileUpdater::LOCKFILE_ENDING
+            lockfile.content.gsub(re, "")
+          end
+
+          def library?
+            dependency.version.nil?
+          end
+
+          def write_temporary_dependency_files
+            dependency_files.each do |file|
+              path = file.name
+              FileUtils.mkdir_p(Pathname.new(path).dirname)
+              File.write(path, file.content)
+            end
+
+            File.write(lockfile.name, sanitized_lockfile_body) if lockfile
+          end
+
+          def relevant_credentials
+            credentials.select do |cred|
+              next true if cred["type"] == "git_source"
+              next true if cred["type"] == "rubygems_server"
+
+              false
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/ruby/bundler/latest_version_finder.rb

@@ -0,0 +1,169 @@
+# frozen_string_literal: true
+
+require "bundler_definition_ruby_version_patch"
+require "bundler_definition_bundler_version_patch"
+require "bundler_git_source_patch"
+
+require "excon"
+
+require "dependabot/update_checkers/ruby/bundler"
+require "dependabot/utils/ruby/requirement"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+
+module Dependabot
+  module UpdateCheckers
+    module Ruby
+      class Bundler
+        class LatestVersionFinder
+          require_relative "shared_bundler_helpers"
+          include SharedBundlerHelpers
+
+          def initialize(dependency:, dependency_files:, credentials:,
+                         ignored_versions:)
+            @dependency       = dependency
+            @dependency_files = dependency_files
+            @credentials      = credentials
+            @ignored_versions = ignored_versions
+          end
+
+          def latest_version_details
+            @latest_version_details ||= fetch_latest_version_details
+          end
+
+          private
+
+          attr_reader :dependency, :dependency_files, :credentials,
+                      :ignored_versions
+
+          def fetch_latest_version_details
+            if dependency.name == "bundler"
+              return latest_rubygems_version_details
+            end
+
+            case dependency_source
+            when NilClass then latest_rubygems_version_details
+            when ::Bundler::Source::Rubygems
+              if dependency_source.remotes.none? ||
+                 dependency_source.remotes.first.to_s == "https://rubygems.org/"
+                latest_rubygems_version_details
+              else
+                latest_private_version_details
+              end
+            when ::Bundler::Source::Git then latest_git_version_details
+            end
+          end
+
+          def latest_rubygems_version_details
+            response = Excon.get(
+              "https://rubygems.org/api/v1/versions/#{dependency.name}.json",
+              idempotent: true,
+              **SharedHelpers.excon_defaults
+            )
+
+            relevant_versions =
+              JSON.parse(response.body).
+              reject do |d|
+                version = Gem::Version.new(d["number"])
+                next true if version.prerelease? && !wants_prerelease?
+                next true if ignore_reqs.any? { |r| r.satisfied_by?(version) }
+
+                false
+              end
+
+            dep = relevant_versions.max_by { |d| Gem::Version.new(d["number"]) }
+            return unless dep
+
+            {
+              version: Gem::Version.new(dep["number"]),
+              sha: dep["sha"]
+            }
+          rescue JSON::ParserError, Excon::Error::Timeout
+            nil
+          end
+
+          def latest_private_version_details
+            in_a_temporary_bundler_context do
+              spec =
+                dependency_source.
+                fetchers.flat_map do |fetcher|
+                  fetcher.
+                    specs_with_retry([dependency.name], dependency_source).
+                    search_all(dependency.name).
+                    reject { |s| s.version.prerelease? && !wants_prerelease? }.
+                    reject do |s|
+                      ignore_reqs.any? { |r| r.satisfied_by?(s.version) }
+                    end
+                end.
+                max_by(&:version)
+              spec.nil? ? nil : { version: spec.version }
+            end
+          end
+
+          def latest_git_version_details
+            dependency_source_details =
+              dependency.requirements.map { |r| r.fetch(:source) }.
+              uniq.compact.first
+
+            in_a_temporary_bundler_context do
+              SharedHelpers.with_git_configured(credentials: credentials) do
+                # Note: we don't set `ref`, as we want to unpin the dependency
+                source = ::Bundler::Source::Git.new(
+                  "uri" => dependency_source_details[:url],
+                  "branch" => dependency_source_details[:branch],
+                  "name" => dependency.name,
+                  "submodules" => true
+                )
+
+                # Tell Bundler we're fine with fetching the source remotely
+                source.instance_variable_set(:@allow_remote, true)
+
+                spec = source.specs.first
+                { version: spec.version, commit_sha: spec.source.revision }
+              end
+            end
+          end
+
+          def wants_prerelease?
+            @wants_prerelease ||=
+              begin
+                current_version = dependency.version
+                if current_version && Gem::Version.correct?(current_version) &&
+                   Gem::Version.new(current_version).prerelease?
+                  return true
+                end
+
+                dependency.requirements.any? do |req|
+                  req[:requirement].match?(/[a-z]/i)
+                end
+              end
+          end
+
+          def dependency_source
+            return nil unless gemfile
+
+            @dependency_source ||=
+              in_a_temporary_bundler_context do
+                definition = ::Bundler::Definition.build(gemfile.name, nil, {})
+
+                specified_source =
+                  definition.dependencies.
+                  find { |dep| dep.name == dependency.name }&.source
+
+                specified_source || definition.send(:sources).default_source
+              end
+          end
+
+          def ignore_reqs
+            ignored_versions.map { |req| Gem::Requirement.new(req.split(",")) }
+          end
+
+          def gemfile
+            dependency_files.find { |f| f.name == "Gemfile" } ||
+              dependency_files.find { |f| f.name == "gems.rb" }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/ruby/bundler/requirements_updater.rb

@@ -0,0 +1,264 @@
+# frozen_string_literal: true
+
+require "dependabot/update_checkers/ruby/bundler"
+
+module Dependabot
+  module UpdateCheckers
+    module Ruby
+      class Bundler
+        class RequirementsUpdater
+          class UnfixableRequirement < StandardError; end
+
+          def initialize(requirements:, library:, updated_source:,
+                         latest_version:, latest_resolvable_version:)
+            @requirements = requirements
+
+            @library = library
+
+            @latest_version = Gem::Version.new(latest_version) if latest_version
+            @updated_source = updated_source
+
+            return unless latest_resolvable_version
+
+            @latest_resolvable_version =
+              Gem::Version.new(latest_resolvable_version)
+          end
+
+          def updated_requirements
+            requirements.map do |req|
+              if req[:file].match?(/\.gemspec/)
+                updated_gemspec_requirement(req)
+              else
+                # If a requirement doesn't come from a gemspec, it must be from
+                # a Gemfile.
+                updated_gemfile_requirement(req)
+              end
+            end
+          end
+
+          private
+
+          attr_reader :requirements, :updated_source,
+                      :latest_version, :latest_resolvable_version
+
+          def library?
+            @library
+          end
+
+          def updated_gemfile_requirement(req)
+            req = req.merge(source: updated_source)
+            return req unless latest_resolvable_version
+            return req if library? && new_version_satisfies?(req)
+
+            requirements =
+              req[:requirement].split(",").map { |r| Gem::Requirement.new(r) }
+
+            new_requirement =
+              if requirements.any?(&:exact?) then latest_resolvable_version.to_s
+              elsif requirements.any? { |r| r.to_s.start_with?("~>") }
+                tw_req = requirements.find { |r| r.to_s.start_with?("~>") }
+                update_twiddle_version(tw_req, latest_resolvable_version).to_s
+              else
+                update_gemfile_range(requirements).map(&:to_s).join(", ")
+              end
+
+            req.merge(requirement: new_requirement)
+          end
+
+          def new_version_satisfies?(req)
+            original_req = Gem::Requirement.new(req[:requirement].split(","))
+            original_req.satisfied_by?(latest_resolvable_version)
+          end
+
+          def update_gemfile_range(requirements)
+            updated_requirements =
+              requirements.flat_map do |r|
+                next r if r.satisfied_by?(latest_resolvable_version)
+
+                case op = r.requirements.first.first
+                when "<", "<="
+                  [update_greatest_version(r, latest_resolvable_version)]
+                when "!="
+                  []
+                else
+                  raise "Unexpected operation for unsatisfied Gemfile "\
+                        "requirement: #{op}"
+                end
+              end
+
+            binding_requirements(updated_requirements)
+          end
+
+          def at_same_precision(new_version, old_version)
+            release_precision =
+              old_version.to_s.split(".").select { |i| i.match?(/^\d+$/) }.count
+            prerelease_precision =
+              old_version.to_s.split(".").count - release_precision
+
+            new_release =
+              new_version.to_s.split(".").first(release_precision)
+            new_prerelease =
+              new_version.to_s.split(".").
+              drop_while { |i| i.match?(/^\d+$/) }.
+              first([prerelease_precision, 1].max)
+
+            [*new_release, *new_prerelease].join(".")
+          end
+
+          # rubocop:disable Metrics/PerceivedComplexity
+          def updated_gemspec_requirement(req)
+            return req unless latest_version && latest_resolvable_version
+
+            requirements =
+              req[:requirement].split(",").map { |r| Gem::Requirement.new(r) }
+
+            return req if requirements.all? do |r|
+              requirement_satisfied?(r, req[:groups])
+            end
+
+            updated_requirements =
+              requirements.flat_map do |r|
+                next r if requirement_satisfied?(r, req[:groups])
+
+                if req[:groups] == ["development"]
+                  fixed_development_requirements(r)
+                else
+                  fixed_requirements(r)
+                end
+              end
+
+            updated_requirements = binding_requirements(updated_requirements)
+            req.merge(requirement: updated_requirements.map(&:to_s).join(", "))
+          rescue UnfixableRequirement
+            req.merge(requirement: :unfixable)
+          end
+          # rubocop:enable Metrics/PerceivedComplexity
+
+          def requirement_satisfied?(req, groups)
+            if groups == ["development"]
+              req.satisfied_by?(latest_resolvable_version)
+            else
+              req.satisfied_by?(latest_version)
+            end
+          end
+
+          def binding_requirements(requirements)
+            grouped_by_operator =
+              requirements.group_by { |r| r.requirements.first.first }
+
+            binding_reqs = grouped_by_operator.flat_map do |operator, reqs|
+              case operator
+              when "<", "<=" then reqs.min_by { |r| r.requirements.first.last }
+              when ">", ">=" then reqs.max_by { |r| r.requirements.first.last }
+              else requirements
+              end
+            end.uniq
+
+            binding_reqs << Gem::Requirement.new if binding_reqs.empty?
+            binding_reqs.sort_by { |r| r.requirements.first.last }
+          end
+
+          def fixed_requirements(req)
+            op, version = req.requirements.first
+
+            case op
+            when "=", nil
+              if version < latest_resolvable_version
+                [Gem::Requirement.new("#{op} #{latest_resolvable_version}")]
+              else
+                req
+              end
+            when "<", "<=" then [update_greatest_version(req, latest_version)]
+            when "~>" then convert_twidle_to_range(req, latest_version)
+            when "!=" then []
+            when ">", ">=" then raise UnfixableRequirement
+            else raise "Unexpected operation for requirement: #{op}"
+            end
+          end
+
+          def fixed_development_requirements(req)
+            op, version = req.requirements.first
+
+            case op
+            when "=", nil
+              if version < latest_resolvable_version
+                [Gem::Requirement.new("#{op} #{latest_resolvable_version}")]
+              else
+                req
+              end
+            when "~>"
+              [update_twiddle_version(req, latest_resolvable_version)]
+            when "<", "<=" then [update_greatest_version(req, latest_version)]
+            when "!=" then []
+            when ">", ">=" then raise UnfixableRequirement
+            else raise "Unexpected operation for requirement: #{op}"
+            end
+          end
+
+          # rubocop:disable Metrics/AbcSize
+          def convert_twidle_to_range(requirement, version_to_be_permitted)
+            version = requirement.requirements.first.last
+            version = version.release if version.prerelease?
+
+            index_to_update = [version.segments.count - 2, 0].max
+
+            ub_segments = version_to_be_permitted.segments
+            ub_segments << 0 while ub_segments.count <= index_to_update
+            ub_segments = ub_segments[0..index_to_update]
+            ub_segments[index_to_update] += 1
+
+            lb_segments = version.segments
+            lb_segments.pop while lb_segments.any? && lb_segments.last.zero?
+
+            if lb_segments.none?
+              return [Gem::Requirement.new("< #{ub_segments.join('.')}")]
+            end
+
+            # Ensure versions have the same length as each other (cosmetic)
+            length = [lb_segments.count, ub_segments.count].max
+            lb_segments.fill(0, lb_segments.count...length)
+            ub_segments.fill(0, ub_segments.count...length)
+
+            [
+              Gem::Requirement.new(">= #{lb_segments.join('.')}"),
+              Gem::Requirement.new("< #{ub_segments.join('.')}")
+            ]
+          end
+          # rubocop:enable Metrics/AbcSize
+
+          # Updates the version in a "~>" constraint to allow the given version
+          def update_twiddle_version(requirement, version_to_be_permitted)
+            old_version = requirement.requirements.first.last
+            updated_v = at_same_precision(version_to_be_permitted, old_version)
+            Gem::Requirement.new("~> #{updated_v}")
+          end
+
+          # Updates the version in a "<" or "<=" constraint to allow the given
+          # version
+          def update_greatest_version(requirement, version_to_be_permitted)
+            if version_to_be_permitted.is_a?(String)
+              version_to_be_permitted =
+                Gem::Version.new(version_to_be_permitted)
+            end
+            op, version = requirement.requirements.first
+            version = version.release if version.prerelease?
+
+            index_to_update =
+              version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+
+            new_segments = version.segments.map.with_index do |_, index|
+              if index < index_to_update
+                version_to_be_permitted.segments[index]
+              elsif index == index_to_update
+                version_to_be_permitted.segments[index] + 1
+              else 0
+              end
+            end
+
+            Gem::Requirement.new("#{op} #{new_segments.join('.')}")
+          end
+        end
+      end
+    end
+  end
+end