dependabot-core 0.88.3 → 0.89.0

data/lib/dependabot/update_checkers/php/composer/version_resolver.rb

@@ -1,216 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/shared_helpers"
-require "dependabot/update_checkers/php/composer"
-require "dependabot/utils/php/version"
-
-module Dependabot
-  module UpdateCheckers
-    module Php
-      class Composer
-        class VersionResolver
-          VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/.freeze
-          SOURCE_TIMED_OUT_REGEX =
-            /The "(?<url>[^"]+packages\.json)".*timed out/.freeze
-
-          def initialize(credentials:, dependency:, dependency_files:,
-                         requirements_to_unlock:, latest_allowable_version:)
-            @credentials              = credentials
-            @dependency               = dependency
-            @dependency_files         = dependency_files
-            @requirements_to_unlock   = requirements_to_unlock
-            @latest_allowable_version = latest_allowable_version
-          end
-
-          def latest_resolvable_version
-            @latest_resolvable_version ||= fetch_latest_resolvable_version
-          end
-
-          private
-
-          attr_reader :credentials, :dependency, :dependency_files,
-                      :requirements_to_unlock, :latest_allowable_version
-
-          def fetch_latest_resolvable_version
-            version = fetch_latest_resolvable_version_string
-            return if version.nil?
-            return unless Utils::Php::Version.correct?(version)
-
-            Utils::Php::Version.new(version)
-          end
-
-          def fetch_latest_resolvable_version_string
-            base_directory = dependency_files.first.directory
-            SharedHelpers.in_a_temporary_directory(base_directory) do
-              File.write("composer.json", prepared_composer_json_content)
-              File.write("composer.lock", lockfile.content) if lockfile
-
-              run_update_checker
-            end
-          rescue SharedHelpers::HelperSubprocessFailed => error
-            retry_count ||= 0
-            retry_count += 1
-            retry if retry_count < 2 && error.message.include?("404 Not Found")
-            retry if retry_count < 2 && error.message.include?("timed out")
-            handle_composer_errors(error)
-          end
-
-          def run_update_checker
-            SharedHelpers.with_git_configured(credentials: credentials) do
-              SharedHelpers.run_helper_subprocess(
-                command: "php -d memory_limit=-1 #{php_helper_path}",
-                function: "get_latest_resolvable_version",
-                args: [
-                  Dir.pwd,
-                  dependency.name.downcase,
-                  git_credentials,
-                  registry_credentials
-                ]
-              )
-            end
-          end
-
-          def prepared_composer_json_content
-            content = composer_file.content
-
-            content.gsub(
-              /"#{Regexp.escape(dependency.name)}"\s*:\s*".*"/,
-              %("#{dependency.name}": "#{updated_version_requirement_string}")
-            )
-          end
-
-          def updated_version_requirement_string
-            lower_bound =
-              if requirements_to_unlock == :none
-                dependency.requirements.first&.fetch(:requirement) || ">= 0"
-              elsif dependency.version
-                ">= #{dependency.version}"
-              else
-                version_for_requirement =
-                  dependency.requirements.map { |r| r[:requirement] }.compact.
-                  reject { |req_string| req_string.start_with?("<") }.
-                  select { |req_string| req_string.match?(VERSION_REGEX) }.
-                  map { |req_string| req_string.match(VERSION_REGEX) }.
-                  select { |version| Gem::Version.correct?(version) }.
-                  max_by { |version| Gem::Version.new(version) }
-
-                ">= #{version_for_requirement || 0}"
-              end
-
-            # Add the latest_allowable_version as an upper bound. This means
-            # ignore conditions are considered when checking for the latest
-            # resolvable version.
-            #
-            # NOTE: This isn't perfect. If v2.x is ignored and v3 is out but
-            # unresolvable then the `latest_allowable_version` will be v3, and
-            # we won't be ignoring v2.x releases like we should be.
-            return lower_bound unless latest_allowable_version
-
-            lower_bound + ", <= #{latest_allowable_version}"
-          end
-
-          # rubocop:disable Metrics/PerceivedComplexity
-          # rubocop:disable Metrics/AbcSize
-          # rubocop:disable Metrics/CyclomaticComplexity
-          # rubocop:disable Metrics/MethodLength
-          def handle_composer_errors(error)
-            if error.message.start_with?("Failed to execute git clone")
-              dependency_url =
-                error.message.match(/--mirror '(?<url>.*?)'/).
-                named_captures.fetch("url")
-              raise Dependabot::GitDependenciesNotReachable, dependency_url
-            elsif error.message.start_with?("Failed to clone")
-              dependency_url =
-                error.message.match(/Failed to clone (?<url>.*?) via/).
-                named_captures.fetch("url")
-              raise Dependabot::GitDependenciesNotReachable, dependency_url
-            elsif error.message.start_with?("Could not parse version")
-              raise Dependabot::DependencyFileNotResolvable, error.message
-            elsif error.message.include?("requested PHP extension")
-              extensions = error.message.scan(/\sext\-.*?\s/).map(&:strip).uniq
-              msg = "Dependabot's installed extensions didn't match those "\
-                    "required by your application.\n\n"\
-                    "Please add the following extensions to the platform "\
-                    "config in your composer.json to allow Dependabot to run: "\
-                    "#{extensions.join(', ')}.\n\n"\
-                    "The full error raised was:\n\n#{error.message}"
-              raise Dependabot::DependencyFileNotResolvable, msg
-            elsif error.message.include?("package requires php") ||
-                  error.message.include?("cannot require itself")
-              raise Dependabot::DependencyFileNotResolvable, error.message
-            elsif error.message.include?("No driver found to handle VCS") &&
-                  !error.message.include?("@") && !error.message.include?("://")
-              msg = "Dependabot detected a VCS requirement with a local path, "\
-                    "rather than a URL. Dependabot does not support this "\
-                    "setup.\n\nThe underlying error was:\n\n#{error.message}"
-              raise Dependabot::DependencyFileNotResolvable, msg
-            elsif error.message.include?("requirements could not be resolved")
-              # We should raise a Dependabot::DependencyFileNotResolvable error
-              # here, but can't confidently distinguish between cases where we
-              # can't install and cases where we can't update. For now, we
-              # therefore just ignore the dependency.
-              nil
-            elsif error.message.include?("URL required authentication") ||
-                  error.message.include?("403 Forbidden")
-              source =
-                error.message.match(%r{https?://(?<source>[^/]+)/}).
-                named_captures.fetch("source")
-              raise Dependabot::PrivateSourceAuthenticationFailure, source
-            elsif error.message.match?(SOURCE_TIMED_OUT_REGEX)
-              url = error.message.match(SOURCE_TIMED_OUT_REGEX).
-                    named_captures.fetch("url")
-              raise if url.include?("packagist.org")
-
-              source = url.gsub(%r{/packages.json$}, "")
-              raise Dependabot::PrivateSourceTimedOut, source
-            elsif error.message.start_with?("Allowed memory size")
-              raise Dependabot::OutOfMemory
-            elsif error.message.start_with?("Package not found in updated") &&
-                  !dependency.top_level?
-              # If we can't find the dependency in the composer.lock after an
-              # update, but it was originally a sub-dependency, it's because the
-              # dependency is no longer required and is just cruft in the
-              # composer.json. In this case we just ignore the dependency.
-              nil
-            elsif error.message.include?("stefandoorn/sitemap-plugin-1.0.0.0")
-              # We get a recurring error when attempting to update this repo
-              # which doesn't recur locally and we can't figure out how to fix!
-              #
-              # Package is not installed: stefandoorn/sitemap-plugin-1.0.0.0
-              nil
-            else
-              raise error
-            end
-          end
-          # rubocop:enable Metrics/PerceivedComplexity
-          # rubocop:enable Metrics/AbcSize
-          # rubocop:enable Metrics/CyclomaticComplexity
-          # rubocop:enable Metrics/MethodLength
-
-          def php_helper_path
-            project_root = File.join(File.dirname(__FILE__), "../../../../..")
-            File.join(project_root, "helpers/php/bin/run.php")
-          end
-
-          def composer_file
-            @composer_file ||=
-              dependency_files.find { |f| f.name == "composer.json" }
-          end
-
-          def lockfile
-            @lockfile ||=
-              dependency_files.find { |f| f.name == "composer.lock" }
-          end
-
-          def git_credentials
-            credentials.select { |cred| cred["type"] == "git_source" }
-          end
-
-          def registry_credentials
-            credentials.select { |cred| cred["type"] == "composer_repository" }
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/utils/php/requirement.rb

@@ -1,97 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/utils/php/version"
-
-module Dependabot
-  module Utils
-    module Php
-      class Requirement < Gem::Requirement
-        AND_SEPARATOR =
-          /(?<=[a-zA-Z0-9*])(?<!\sas)[\s,]+(?![\s,]*[|-]|as)/.freeze
-        OR_SEPARATOR = /(?<=[a-zA-Z0-9*])[\s,]*\|\|?\s*/.freeze
-
-        def self.parse(obj)
-          new_obj = obj.gsub(/@\w+/, "").gsub(/[a-z0-9\-_\.]*\sas\s+/i, "")
-          super(new_obj)
-        end
-
-        # Returns an array of requirements. At least one requirement from the
-        # returned array must be satisfied for a version to be valid.
-        def self.requirements_array(requirement_string)
-          requirement_string.strip.split(OR_SEPARATOR).map do |req_string|
-            new(req_string)
-          end
-        end
-
-        def initialize(*requirements)
-          requirements =
-            requirements.flatten.
-            flat_map { |req_string| req_string.split(AND_SEPARATOR) }.
-            flat_map { |req| convert_php_constraint_to_ruby_constraint(req) }
-
-          super(requirements)
-        end
-
-        private
-
-        # rubocop:disable Metrics/PerceivedComplexity
-        def convert_php_constraint_to_ruby_constraint(req_string)
-          req_string = req_string.gsub(/v(?=\d)/, "")
-
-          # Return an unlikely version if a dev requirement is specified. This
-          # ensures that the dev-requirement doesn't match anything.
-          return "0-dev-branch-match" if req_string.strip.start_with?("dev-")
-
-          if req_string.start_with?("*") then ">= 0"
-          elsif req_string.include?("*") then convert_wildcard_req(req_string)
-          elsif req_string.match?(/^~[^>]/) then convert_tilde_req(req_string)
-          elsif req_string.start_with?("^") then convert_caret_req(req_string)
-          elsif req_string.match?(/\s-\s/) then convert_hyphen_req(req_string)
-          else req_string
-          end
-        end
-        # rubocop:enable Metrics/PerceivedComplexity
-
-        def convert_wildcard_req(req_string)
-          version = req_string.gsub(/^~/, "").gsub(/(?:\.|^)\*/, "")
-          "~> #{version}.0"
-        end
-
-        def convert_tilde_req(req_string)
-          version = req_string.gsub(/^~/, "")
-          "~> #{version}"
-        end
-
-        def convert_caret_req(req_string)
-          version = req_string.gsub(/^\^/, "")
-          parts = version.split(".")
-          first_non_zero = parts.find { |d| d != "0" }
-          first_non_zero_index =
-            first_non_zero ? parts.index(first_non_zero) : parts.count - 1
-          upper_bound = parts.map.with_index do |part, i|
-            if i < first_non_zero_index then part
-            elsif i == first_non_zero_index then (part.to_i + 1).to_s
-            else 0
-            end
-          end.join(".")
-
-          [">= #{version}", "< #{upper_bound}"]
-        end
-
-        def convert_hyphen_req(req_string)
-          req_string = req_string
-          lower_bound, upper_bound = req_string.split(/\s+-\s+/)
-          if upper_bound.split(".").count < 3
-            upper_bound_parts = upper_bound.split(".")
-            upper_bound_parts[-1] = (upper_bound_parts[-1].to_i + 1).to_s
-            upper_bound = upper_bound_parts.join(".")
-
-            [">= #{lower_bound}", "< #{upper_bound}"]
-          else
-            [">= #{lower_bound}", "<= #{upper_bound}"]
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/utils/php/version.rb

@@ -1,24 +0,0 @@
-# frozen_string_literal: true
-
-require "rubygems_version_patch"
-
-# PHP pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
-# converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
-# alteration.
-
-module Dependabot
-  module Utils
-    module Php
-      class Version < Gem::Version
-        def initialize(version)
-          @version_string = version.to_s
-          super
-        end
-
-        def to_s
-          @version_string
-        end
-      end
-    end
-  end
-end