dependabot-core 0.88.3 → 0.89.0

data/helpers/php/setup.sh

@@ -1,4 +0,0 @@
-php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
-php -r "if (hash_file('SHA384', 'composer-setup.php') === '544e09ee996cdf60ece3804abc52599c22b1f40f4323403c44d44fdfdd586475ca9813a858088ffbc1f233e9b180f061') { echo 'Installer verified'; } else { echo hash_file('SHA384', 'composer-setup.php'); unlink('composer-setup.php'); } echo PHP_EOL;"
-php composer-setup.php
-php -r "unlink('composer-setup.php');"

data/helpers/php/src/DependabotInstallationManager.php

@@ -1,61 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace Dependabot\PHP;
-
-use Composer\DependencyResolver\Operation\InstallOperation;
-use Composer\DependencyResolver\Operation\UninstallOperation;
-use Composer\DependencyResolver\Operation\UpdateOperation;
-use Composer\Installer\InstallationManager;
-use Composer\Package\PackageInterface;
-use Composer\Repository\RepositoryInterface;
-
-class DependabotInstallationManager extends InstallationManager
-{
-    private $installed = [];
-    private $updated = [];
-    private $uninstalled = [];
-
-    public function install(RepositoryInterface $repo, InstallOperation $operation): void
-    {
-        parent::install($repo, $operation);
-        $this->installed[] = $operation->getPackage();
-    }
-
-    public function update(RepositoryInterface $repo, UpdateOperation $operation): void
-    {
-        parent::update($repo, $operation);
-        $this->updated[] = [$operation->getInitialPackage(), $operation->getTargetPackage()];
-    }
-
-    public function uninstall(RepositoryInterface $repo, UninstallOperation $operation): void
-    {
-        parent::uninstall($repo, $operation);
-        $this->uninstalled[] = $operation->getPackage();
-    }
-
-    /**
-     * @return PackageInterface[]
-     */
-    public function getInstalledPackages(): array
-    {
-        return $this->installed;
-    }
-
-    /**
-     * @return PackageInterface[]
-     */
-    public function getUpdatedPackages(): array
-    {
-        return $this->updated;
-    }
-
-    /**
-     * @return PackageInterface[]
-     */
-    public function getUninstalledPackages(): array
-    {
-        return $this->uninstalled;
-    }
-}

data/helpers/php/src/DependabotPluginManager.php

@@ -1,23 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace Dependabot\PHP;
-
-use Composer\Package\PackageInterface;
-use Composer\Plugin\PluginManager;
-
-class DependabotPluginManager extends PluginManager
-{
-    public function registerPackage(PackageInterface $package, $failOnMissingClasses = false): void
-    {
-        // This package does some setup for PHP_CodeSniffer, but errors out the
-        // install if Symfony isn't installed (which it won't be for a lockfile
-        // only install run). Safe to ignore
-        if (strpos($package->getName(), 'phpcodesniffer') !== false) {
-            return;
-        }
-
-        parent::registerPackage($package, $failOnMissingClasses);
-    }
-}

data/helpers/php/src/ExceptionIO.php

@@ -1,25 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace Dependabot\PHP;
-
-use Composer\IO\NullIO;
-
-class ExceptionIO extends NullIO
-{
-    private $raise_next_error = false;
-
-    public function writeError($messages, $newline = true, $verbosity = self::NORMAL): void
-    {
-        if (is_array($messages)) {
-            return;
-        }
-        if ($this->raise_next_error) {
-            throw new \RuntimeException('Your requirements could not be resolved to an installable set of packages.' . $messages);
-        }
-        if (strpos($messages, 'Your requirements could not be resolved') !== false) {
-            $this->raise_next_error = true;
-        }
-    }
-}

data/helpers/php/src/Hasher.php

@@ -1,21 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace Dependabot\PHP;
-
-use Composer\Factory;
-
-class Hasher
-{
-    public static function getContentHash(array $args): ?string
-    {
-        [$workingDirectory] = $args;
-
-        $io = new ExceptionIO();
-        $composer = Factory::create($io, $workingDirectory . '/composer.json');
-        $locker = $composer->getLocker();
-
-        return $locker->getContentHash(file_get_contents(Factory::getComposerFile()));
-    }
-}

data/helpers/php/src/UpdateChecker.php

@@ -1,123 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace Dependabot\PHP;
-
-use Composer\Factory;
-use Composer\Installer;
-use Composer\Package\PackageInterface;
-
-class UpdateChecker
-{
-    public static function getLatestResolvableVersion(array $args): ?string
-    {
-        [$workingDirectory, $dependencyName, $gitCredentials, $registryCredentials] = $args;
-
-        $io = new ExceptionIO();
-        $composer = Factory::create($io, $workingDirectory . '/composer.json');
-        $config = $composer->getConfig();
-        $httpBasicCredentials = [];
-
-        foreach ($gitCredentials as &$cred) {
-            $httpBasicCredentials[$cred['host']] = [
-                'username' => $cred['username'],
-                'password' => $cred['password'],
-            ];
-        }
-
-        foreach ($registryCredentials as &$cred) {
-            $httpBasicCredentials[$cred['registry']] = [
-                'username' => $cred['username'],
-                'password' => $cred['password'],
-            ];
-        }
-
-        if ($httpBasicCredentials) {
-            $config->merge(
-                [
-                    'config' => [
-                        'http-basic' => $httpBasicCredentials,
-                    ],
-                ]
-            );
-            $io->loadConfiguration($config);
-        }
-
-        $installationManager = new DependabotInstallationManager();
-        $install = new Installer(
-            $io,
-            $config,
-            $composer->getPackage(),
-            $composer->getDownloadManager(),
-            $composer->getRepositoryManager(),
-            $composer->getLocker(),
-            $installationManager,
-            $composer->getEventDispatcher(),
-            $composer->getAutoloadGenerator()
-        );
-
-        // For all potential options, see UpdateCommand in composer
-        $install
-            ->setDryRun(true)
-            ->setUpdate(true)
-            ->setDevMode(true)
-            ->setUpdateWhitelist([$dependencyName])
-            ->setWhitelistTransitiveDependencies(true)
-            ->setExecuteOperations(false)
-            ->setDumpAutoloader(false)
-            ->setRunScripts(false);
-
-        /*
-         * If a platform is set we assume people know what they are doing and we respect the setting.
-         * If no platform is set we ignore it so that the php we run as doesn't interfere
-         */
-        if ($config->get('platform') === []) {
-            $install->setIgnorePlatformRequirements(true);
-        }
-
-        $install->run();
-
-        $installedPackages = $installationManager->getInstalledPackages();
-
-        $updatedPackage = current(array_filter($installedPackages, function (PackageInterface $package) use ($dependencyName) {
-            return $package->getName() == $dependencyName;
-        }));
-
-        // We found the package in the list of updated packages. Return its version.
-        if ($updatedPackage) {
-            return preg_replace('/^([v])/', '', $updatedPackage->getPrettyVersion());
-        }
-
-        // We didn't find the package in the list of updated packages. Check if
-        // it was replaced by another package (in which case we can ignore).
-        foreach ($composer->getPackage()->getReplaces() as $link) {
-            if ($link->getTarget() == $dependencyName) {
-                return null;
-            }
-        }
-        foreach ($installedPackages as $package) {
-            foreach ($package->getReplaces() as $link) {
-                if ($link->getTarget() == $dependencyName) {
-                    return null;
-                }
-            }
-        }
-
-        // Similarly, check if the package was provided by any other package.
-        foreach ($composer->getPackage()->getProvides() as $link) {
-            if ($link->getTarget() == $dependencyName) {
-                return preg_replace('/^([v])/', '', $link->getPrettyConstraint());
-            }
-        }
-        foreach ($installedPackages as $package) {
-            foreach ($package->getProvides() as $link) {
-                if ($link->getTarget() == $dependencyName) {
-                    return preg_replace('/^([v])/', '', $link->getPrettyConstraint());
-                }
-            }
-        }
-
-        throw new \RuntimeException('Package not found in updated packages!');
-    }
-}

data/helpers/php/src/Updater.php

@@ -1,97 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-namespace Dependabot\PHP;
-
-use Composer\Factory;
-use Composer\Installer;
-
-class Updater
-{
-    public static function update(array $args): array
-    {
-        [$workingDirectory, $dependencyName, $dependencyVersion, $gitCredentials, $registryCredentials] = $args;
-
-        // Change working directory to the one provided, this ensures that we
-        // install dependencies into the working dir, rather than a vendor folder
-        // in the root of the project
-        $originalDir = getcwd();
-        chdir($workingDirectory);
-
-        $io = new ExceptionIO();
-        $composer = Factory::create($io);
-        $config = $composer->getConfig();
-        $httpBasicCredentials = [];
-
-        $pm = new DependabotPluginManager($io, $composer, null, false);
-        $composer->setPluginManager($pm);
-        $pm->loadInstalledPlugins();
-
-        foreach ($gitCredentials as &$cred) {
-            $httpBasicCredentials[$cred['host']] = [
-                'username' => $cred['username'],
-                'password' => $cred['password'],
-            ];
-        }
-
-        foreach ($registryCredentials as &$cred) {
-            $httpBasicCredentials[$cred['registry']] = [
-                'username' => $cred['username'],
-                'password' => $cred['password'],
-            ];
-        }
-
-        if ($httpBasicCredentials) {
-            $config->merge(
-                [
-                    'config' => [
-                        'http-basic' => $httpBasicCredentials,
-                    ],
-                ]
-            );
-            $io->loadConfiguration($config);
-        }
-
-        $install = new Installer(
-            $io,
-            $config,
-            $composer->getPackage(),
-            $composer->getDownloadManager(),
-            $composer->getRepositoryManager(),
-            $composer->getLocker(),
-            $composer->getInstallationManager(),
-            $composer->getEventDispatcher(),
-            $composer->getAutoloadGenerator()
-        );
-
-        // For all potential options, see UpdateCommand in composer
-        $install
-            ->setWriteLock(true)
-            ->setUpdate(true)
-            ->setDevMode(true)
-            ->setUpdateWhitelist([$dependencyName])
-            ->setWhitelistTransitiveDependencies(true)
-            ->setExecuteOperations(false)
-            ->setDumpAutoloader(false)
-            ->setRunScripts(false);
-
-        /*
-         * If a platform is set we assume people know what they are doing and we respect the setting.
-         * If no platform is set we ignore it so that the php we run as doesn't interfere
-         */
-        if ($config->get('platform') === []) {
-            $install->setIgnorePlatformRequirements(true);
-        }
-
-        $install->run();
-
-        $result = [
-            'composer.lock' => file_get_contents('composer.lock'),
-        ];
-
-        chdir($originalDir);
-
-        return $result;
-    }
-}

data/lib/dependabot/file_fetchers/php/composer.rb

@@ -1,131 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/file_fetchers/base"
-
-module Dependabot
-  module FileFetchers
-    module Php
-      class Composer < Dependabot::FileFetchers::Base
-        def self.required_files_in?(filenames)
-          filenames.include?("composer.json")
-        end
-
-        def self.required_files_message
-          "Repo must contain a composer.json."
-        end
-
-        private
-
-        def fetch_files
-          fetched_files = []
-          fetched_files << composer_json
-          fetched_files << composer_lock if composer_lock
-          fetched_files << auth_json if auth_json
-          fetched_files += path_dependencies
-          fetched_files
-        end
-
-        def composer_json
-          @composer_json ||= fetch_file_from_host("composer.json")
-        end
-
-        def composer_lock
-          return @composer_lock if @composer_lock_lookup_attempted
-
-          @composer_lock_lookup_attempted = true
-          @composer_lock ||= fetch_file_if_present("composer.lock")
-        end
-
-        # Note: This is fetched but currently unused
-        def auth_json
-          @auth_json ||= fetch_file_if_present("auth.json")&.
-                         tap { |f| f.support_file = true }
-        end
-
-        def path_dependencies
-          @path_dependencies ||=
-            begin
-              composer_json_files = []
-              unfetchable_deps = []
-
-              path_sources.each do |path|
-                directories = path.end_with?("*") ? expand_path(path) : [path]
-
-                directories.each do |dir|
-                  file = File.join(dir, "composer.json")
-
-                  begin
-                    composer_json_files << fetch_file_with_root_fallback(file)
-                  rescue Dependabot::DependencyFileNotFound
-                    # Collected, but currently ignored
-                    unfetchable_deps << file
-                  end
-                end
-              end
-
-              # Mark the path dependencies as support files - we don't currently
-              # parse or update them.
-              composer_json_files.tap do |files|
-                files.each { |f| f.support_file = true }
-              end
-            end
-        end
-
-        def path_sources
-          @path_sources ||=
-            JSON.parse(composer_json.content).
-            fetch("repositories", []).
-            select { |details| details["type"] == "path" }.
-            map { |details| details["url"] }
-        rescue JSON::ParserError
-          raise Dependabot::DependencyFileNotParseable, composer_json.path
-        end
-
-        def expand_path(path)
-          repo_contents(dir: path.gsub(/\*$/, "")).
-            select { |file| file.type == "dir" }.
-            map { |f| path.gsub(/\*$/, f.name) }
-        rescue Octokit::NotFound, Gitlab::Error::NotFound
-          # If there's no lockfile, or if none of the dependencies are path
-          # dependencies, then we can ignore failures to find path deps
-          return [] unless composer_lock&.content&.include?('"path"')
-
-          # Otherwise, we don't know what to do. For now, just raise. If we see
-          # this in the wild we can make a call on the correct handling
-          raise if directory == "/"
-
-          # If the directory isn't found at the full path, try looking for it
-          # at the root of the repository.
-          depth = directory.gsub(%r{^/}, "").gsub(%r{/$}, "").split("/").count
-          dir = "../" * depth + path.gsub(/\*$/, "")
-
-          repo_contents(dir: dir).
-            select { |file| file.type == "dir" }.
-            map { |f| path.gsub(/\*$/, f.name) }
-        end
-
-        def fetch_file_with_root_fallback(filename, type: "file")
-          path = Pathname.new(File.join(directory, filename)).cleanpath.to_path
-
-          begin
-            fetch_file_from_host(filename, type: type)
-          rescue Dependabot::DependencyFileNotFound
-            # If the file isn't found at the full path, try looking for it
-            # without considering the directory (i.e., check if the path should
-            # have been relevative to the root of the repository).
-            cleaned_filename = Pathname.new(filename).cleanpath.to_path
-
-            DependencyFile.new(
-              name: cleaned_filename,
-              content: fetch_file_content(cleaned_filename),
-              directory: directory,
-              type: type
-            )
-          end
-        rescue Octokit::NotFound, Gitlab::Error::NotFound
-          raise Dependabot::DependencyFileNotFound, path
-        end
-      end
-    end
-  end
-end