dependabot-core 0.89.5 → 0.90.0

data/lib/dependabot/update_checkers/go/dep/latest_version_finder.rb

@@ -1,169 +0,0 @@
-# frozen_string_literal: true
-
-require "excon"
-require "toml-rb"
-
-require "dependabot/source"
-require "dependabot/update_checkers/go/dep"
-require "dependabot/git_commit_checker"
-require "dependabot/utils/go/path_converter"
-
-module Dependabot
-  module UpdateCheckers
-    module Go
-      class Dep
-        class LatestVersionFinder
-          def initialize(dependency:, dependency_files:, credentials:,
-                         ignored_versions:)
-            @dependency       = dependency
-            @dependency_files = dependency_files
-            @credentials      = credentials
-            @ignored_versions = ignored_versions
-          end
-
-          def latest_version
-            @latest_version ||=
-              if git_dependency? then latest_version_for_git_dependency
-              else latest_release_tag_version
-              end
-          end
-
-          private
-
-          attr_reader :dependency, :dependency_files, :credentials,
-                      :ignored_versions
-
-          def latest_release_tag_version
-            if @latest_release_tag_lookup_attempted
-              return @latest_release_tag_version
-            end
-
-            @latest_release_tag_lookup_attempted = true
-
-            latest_release_str = fetch_latest_release_tag&.sub(/^v?/, "")
-            return unless latest_release_str
-            return unless version_class.correct?(latest_release_str)
-
-            @latest_release_tag_version =
-              version_class.new(latest_release_str)
-          end
-
-          def fetch_latest_release_tag
-            # If this is a git dependency then getting the latest tag is trivial
-            if git_dependency?
-              return git_commit_checker.
-                     local_tag_for_latest_version&.fetch(:tag)
-            end
-
-            # If not, we need to find the URL for the source code.
-            path = dependency.requirements.
-                   map { |r| r.dig(:source, :source) }.compact.first
-            path ||= dependency.name
-
-            source_url = git_source(path)
-            return unless source_url
-
-            # Given a source, we want to find the latest tag. Piggy-back off the
-            # logic in GitCommitChecker to do so.
-            git_dep = Dependency.new(
-              name: dependency.name,
-              version: dependency.version,
-              requirements: [{
-                file: "Gopkg.toml",
-                groups: [],
-                requirement: nil,
-                source: { type: "git", url: source_url }
-              }],
-              package_manager: dependency.package_manager
-            )
-
-            GitCommitChecker.
-              new(dependency: git_dep, credentials: credentials).
-              local_tag_for_latest_version&.fetch(:tag)
-          end
-
-          def latest_version_for_git_dependency
-            latest_release = latest_release_tag_version
-
-            # If there's been a release that includes the current pinned ref or
-            # that the current branch is behind, we switch to that release.
-            return latest_release if branch_or_ref_in_release?(latest_release)
-
-            # Otherwise, if the gem isn't pinned, the latest version is just the
-            # latest commit for the specified branch.
-            unless git_commit_checker.pinned?
-              return git_commit_checker.head_commit_for_current_branch
-            end
-
-            # If the dependency is pinned to a tag that looks like a version
-            # then we want to update that tag.
-            if git_commit_checker.pinned_ref_looks_like_version?
-              latest_tag = git_commit_checker.local_tag_for_latest_version
-              return version_from_tag(latest_tag)
-            end
-
-            # If the dependency is pinned to a tag that doesn't look like a
-            # version then there's nothing we can do.
-            nil
-          end
-
-          def git_source(path)
-            Dependabot::Utils::Go::PathConverter.git_url_for_path(path)
-          end
-
-          def version_from_tag(tag)
-            # To compare with the current version we either use the commit SHA
-            # (if that's what the parser picked up) of the tag name.
-            if dependency.version&.match?(/^[0-9a-f]{40}$/)
-              return tag&.fetch(:commit_sha)
-            end
-
-            tag&.fetch(:tag)
-          end
-
-          def branch_or_ref_in_release?(release)
-            return false unless release
-
-            git_commit_checker.branch_or_ref_in_release?(release)
-          end
-
-          def git_dependency?
-            git_commit_checker.git_dependency?
-          end
-
-          def git_commit_checker
-            @git_commit_checker ||=
-              GitCommitChecker.new(
-                dependency: dependency,
-                credentials: credentials,
-                ignored_versions: ignored_versions
-              )
-          end
-
-          def parsed_file(file)
-            @parsed_file ||= {}
-            @parsed_file[file.name] ||= TomlRB.parse(file.content)
-          end
-
-          def version_class
-            Utils.version_class_for_package_manager(dependency.package_manager)
-          end
-
-          def manifest
-            @manifest ||= dependency_files.find { |f| f.name == "Gopkg.toml" }
-            raise "No Gopkg.lock!" unless @manifest
-
-            @manifest
-          end
-
-          def lockfile
-            @lockfile = dependency_files.find { |f| f.name == "Gopkg.lock" }
-            raise "No Gopkg.lock!" unless @lockfile
-
-            @lockfile
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/update_checkers/go/dep/requirements_updater.rb

@@ -1,223 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/update_checkers/go/dep"
-require "dependabot/utils/go/requirement"
-require "dependabot/utils/go/version"
-
-module Dependabot
-  module UpdateCheckers
-    module Go
-      class Dep
-        class RequirementsUpdater
-          class UnfixableRequirement < StandardError; end
-
-          VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-*]+)*/.freeze
-          ALLOWED_UPDATE_STRATEGIES = %i(widen_ranges bump_versions).freeze
-
-          def initialize(requirements:, updated_source:, update_strategy:,
-                         latest_version:, latest_resolvable_version:)
-            @requirements = requirements
-            @updated_source = updated_source
-            @update_strategy = update_strategy
-
-            check_update_strategy
-
-            if latest_version && version_class.correct?(latest_version)
-              @latest_version = version_class.new(latest_version)
-            end
-
-            return unless latest_resolvable_version
-            return unless version_class.correct?(latest_resolvable_version)
-
-            @latest_resolvable_version =
-              version_class.new(latest_resolvable_version)
-          end
-
-          def updated_requirements
-            requirements.map do |req|
-              req = req.merge(source: updated_source)
-              next req unless latest_resolvable_version
-              next initial_req_after_source_change(req) unless req[:requirement]
-
-              case update_strategy
-              when :widen_ranges then widen_requirement(req)
-              when :bump_versions then update_version(req)
-              else raise "Unexpected update strategy: #{update_strategy}"
-              end
-            end
-          end
-
-          private
-
-          attr_reader :requirements, :updated_source, :update_strategy,
-                      :latest_version, :latest_resolvable_version
-
-          def check_update_strategy
-            return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
-
-            raise "Unknown update strategy: #{update_strategy}"
-          end
-
-          def updating_from_git_to_version?
-            return false unless updated_source&.fetch(:type) == "default"
-
-            original_source = requirements.map { |r| r[:source] }.compact.first
-            original_source&.fetch(:type) == "git"
-          end
-
-          def initial_req_after_source_change(req)
-            return req unless updating_from_git_to_version?
-            return req unless req.fetch(:requirement).nil?
-
-            new_req =
-              if req.fetch(:file) == "go.mod"
-                "v#{latest_resolvable_version.to_s.gsub(/^v/, '')}"
-              else
-                "^#{latest_resolvable_version}"
-              end
-            req.merge(requirement: new_req)
-          end
-
-          def widen_requirement(req)
-            current_requirement = req[:requirement]
-            version = latest_resolvable_version
-
-            ruby_reqs = ruby_requirements(current_requirement)
-            return req if ruby_reqs.any? { |r| r.satisfied_by?(version) }
-
-            reqs = current_requirement.strip.split(",").map(&:strip)
-
-            updated_requirement =
-              if current_requirement.include?("||")
-                # Further widen the range by adding another OR condition
-                current_requirement + " || ^#{version}"
-              elsif reqs.any? { |r| r.match?(/(<|-\s)/) }
-                # Further widen the range by updating the upper bound
-                update_range_requirement(current_requirement)
-              else
-                # Convert existing requirement to a range
-                create_new_range_requirement(reqs)
-              end
-
-            req.merge(requirement: updated_requirement)
-          end
-
-          def update_version(req)
-            current_requirement = req[:requirement]
-            version = latest_resolvable_version
-
-            ruby_reqs = ruby_requirements(current_requirement)
-            reqs = current_requirement.strip.split(",").map(&:strip)
-
-            if ruby_reqs.any? { |r| r.satisfied_by?(version) } &&
-               current_requirement.match?(/(<|-\s|\|\|)/)
-              return req
-            end
-
-            updated_requirement =
-              if current_requirement.include?("||")
-                # Further widen the range by adding another OR condition
-                current_requirement + " || ^#{version}"
-              elsif reqs.any? { |r| r.match?(/(<|-\s)/) }
-                # Further widen the range by updating the upper bound
-                update_range_requirement(current_requirement)
-              else
-                update_version_requirement(reqs)
-              end
-
-            req.merge(requirement: updated_requirement)
-          end
-
-          def ruby_requirements(requirement_string)
-            requirement_class.requirements_array(requirement_string)
-          end
-
-          def update_range_requirement(req_string)
-            range_requirement = req_string.split(",").
-                                find { |r| r.match?(/<|(\s+-\s+)/) }
-
-            versions = range_requirement.scan(VERSION_REGEX)
-            upper_bound = versions.map { |v| version_class.new(v) }.max
-            new_upper_bound = update_greatest_version(
-              upper_bound,
-              latest_resolvable_version
-            )
-
-            req_string.sub(
-              upper_bound.to_s,
-              new_upper_bound.to_s
-            )
-          end
-
-          def create_new_range_requirement(string_reqs)
-            version = latest_resolvable_version
-
-            lower_bound =
-              string_reqs.
-              map { |req| requirement_class.new(req) }.
-              flat_map { |req| req.requirements.map(&:last) }.
-              min.to_s
-
-            upper_bound =
-              if string_reqs.first.start_with?("~") &&
-                 version.to_s.split(".").count > 1
-                create_upper_bound_for_tilda_req(string_reqs.first)
-              else
-                upper_bound_parts = [version.to_s.split(".").first.to_i + 1]
-                upper_bound_parts.
-                  fill("0", 1..(lower_bound.split(".").count - 1)).
-                  join(".")
-              end
-
-            ">= #{lower_bound}, < #{upper_bound}"
-          end
-
-          def update_version_requirement(string_reqs)
-            version = latest_resolvable_version.to_s.gsub(/^v/, "")
-            current_req = string_reqs.first
-
-            current_req.gsub(VERSION_REGEX, version)
-          end
-
-          def create_upper_bound_for_tilda_req(string_req)
-            tilda_version = requirement_class.new(string_req).
-                            requirements.map(&:last).
-                            min.to_s
-
-            upper_bound_parts = latest_resolvable_version.to_s.split(".")
-            upper_bound_parts.slice(0, tilda_version.to_s.split(".").count)
-            upper_bound_parts[-1] = "0"
-            upper_bound_parts[-2] = (upper_bound_parts[-2].to_i + 1).to_s
-
-            upper_bound_parts.join(".")
-          end
-
-          def update_greatest_version(old_version, version_to_be_permitted)
-            version = version_class.new(old_version)
-            version = version.release if version.prerelease?
-
-            index_to_update =
-              version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
-
-            version.segments.map.with_index do |_, index|
-              if index < index_to_update
-                version_to_be_permitted.segments[index]
-              elsif index == index_to_update
-                version_to_be_permitted.segments[index] + 1
-              else 0
-              end
-            end.join(".")
-          end
-
-          def version_class
-            Utils::Go::Version
-          end
-
-          def requirement_class
-            Utils::Go::Requirement
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/update_checkers/go/dep/version_resolver.rb

@@ -1,168 +0,0 @@
-# frozen_string_literal: true
-
-require "toml-rb"
-require "open3"
-require "dependabot/shared_helpers"
-require "dependabot/update_checkers/go/dep"
-require "dependabot/errors"
-
-module Dependabot
-  module UpdateCheckers
-    module Go
-      class Dep
-        class VersionResolver
-          NOT_FOUND_REGEX =
-            /failed to list versions for (?<repo_url>.*?):\s+/.freeze
-          INDEX_OUT_OF_RANGE_REGEX =
-            /panic: runtime error: index out of range.*findValidVersion/m.freeze
-
-          def initialize(dependency:, dependency_files:, credentials:)
-            @dependency = dependency
-            @dependency_files = dependency_files
-            @credentials = credentials
-          end
-
-          def latest_resolvable_version
-            if defined?(@latest_resolvable_version)
-              return @latest_resolvable_version
-            end
-
-            @latest_resolvable_version = fetch_latest_resolvable_version
-          end
-
-          private
-
-          attr_reader :dependency, :dependency_files, :credentials
-
-          def fetch_latest_resolvable_version
-            base_directory = File.join("src", "project",
-                                       dependency_files.first.directory)
-            base_parts = base_directory.split("/").length
-            updated_version =
-              SharedHelpers.in_a_temporary_directory(base_directory) do |dir|
-                write_temporary_dependency_files
-
-                SharedHelpers.with_git_configured(credentials: credentials) do
-                  # Shell out to dep, which handles everything for us, and does
-                  # so without doing an install (so it's fast).
-                  command = "dep ensure -update --no-vendor #{dependency.name}"
-                  dir_parts = dir.realpath.to_s.split("/")
-                  gopath = File.join(dir_parts[0..-(base_parts + 1)])
-                  run_shell_command(command, "GOPATH" => gopath)
-                end
-
-                new_lockfile_content = File.read("Gopkg.lock")
-
-                get_version_from_lockfile(new_lockfile_content)
-              end
-
-            updated_version
-          rescue SharedHelpers::HelperSubprocessFailed => error
-            handle_dep_errors(error)
-          end
-
-          def get_version_from_lockfile(lockfile_content)
-            package = TomlRB.parse(lockfile_content).fetch("projects").
-                      find { |p| p["name"] == dependency.name }
-
-            version = package["version"]
-
-            if version && version_class.correct?(version.sub(/^v?/, ""))
-              version_class.new(version.sub(/^v?/, ""))
-            elsif version
-              version
-            else
-              package.fetch("revision")
-            end
-          end
-
-          def handle_dep_errors(error)
-            if error.message.match?(NOT_FOUND_REGEX)
-              url = error.message.match(NOT_FOUND_REGEX).
-                    named_captures.fetch("repo_url")
-
-              raise Dependabot::GitDependenciesNotReachable, url
-            end
-
-            # A dep bug that probably isn't going to be fixed any time soon :-(
-            # - https://github.com/golang/dep/issues/1437
-            # - https://github.com/golang/dep/issues/649
-            # - https://github.com/golang/dep/issues/2041
-            # - https://twitter.com/miekg/status/996682296739745792
-            return if error.message.match?(INDEX_OUT_OF_RANGE_REGEX)
-
-            raise
-          end
-
-          def run_shell_command(command, env = {})
-            start = Time.now
-            stdout, process = Open3.capture2e(env, command)
-            time_taken = start - Time.now
-
-            # Raise an error with the output from the shell session if dep
-            # returns a non-zero status
-            return if process.success?
-
-            raise SharedHelpers::HelperSubprocessFailed.new(
-              message: stdout,
-              error_context: {
-                command: command,
-                time_taken: time_taken,
-                process_exit_value: process.to_s
-              }
-            )
-          end
-
-          def write_temporary_dependency_files
-            dependency_files.each do |file|
-              path = file.name
-              FileUtils.mkdir_p(Pathname.new(path).dirname)
-              File.write(file.name, file.content)
-            end
-
-            File.write("hello.go", dummy_app_content)
-          end
-
-          def dummy_app_content
-            base = "package main\n\n"\
-                   "import \"fmt\"\n\n"
-
-            packages_to_import.each { |nm| base += "import \"#{nm}\"\n\n" }
-
-            base + "func main() {\n  fmt.Printf(\"hello, world\\n\")\n}"
-          end
-
-          def packages_to_import
-            return [] unless lockfile
-
-            parsed_lockfile = TomlRB.parse(lockfile.content)
-
-            # If the lockfile was created using dep v0.5.0+ then it will tell us
-            # exactly which packages to import
-            if parsed_lockfile.dig("solve-meta", "input-imports")
-              return parsed_lockfile.dig("solve-meta", "input-imports")
-            end
-
-            # Otherwise we have no way of knowing, so import everything in the
-            # lockfile that isn't marked as internal
-            parsed_lockfile.fetch("projects").flat_map do |dep|
-              dep["packages"].map do |package|
-                next if package.start_with?("internal")
-
-                package == "." ? dep["name"] : File.join(dep["name"], package)
-              end.compact
-            end
-          end
-
-          def lockfile
-            @lockfile = dependency_files.find { |f| f.name == "Gopkg.lock" }
-          end
-
-          def version_class
-            Utils.version_class_for_package_manager(dependency.package_manager)
-          end
-        end
-      end
-    end
-  end
-end