dependabot-core 0.93.17 → 0.94.0

data/lib/dependabot/file_updaters/ruby/bundler/requirement_replacer.rb

@@ -1,223 +0,0 @@
-# frozen_string_literal: true
-
-require "parser/current"
-require "dependabot/file_updaters/ruby/bundler"
-
-module Dependabot
-  module FileUpdaters
-    module Ruby
-      class Bundler
-        class RequirementReplacer
-          attr_reader :dependency, :file_type, :updated_requirement,
-                      :previous_requirement
-
-          def initialize(dependency:, file_type:, updated_requirement:,
-                         previous_requirement: nil, insert_if_bare: false)
-            @dependency           = dependency
-            @file_type            = file_type
-            @updated_requirement  = updated_requirement
-            @previous_requirement = previous_requirement
-            @insert_if_bare       = insert_if_bare
-          end
-
-          def rewrite(content)
-            buffer = Parser::Source::Buffer.new("(gemfile_content)")
-            buffer.source = content
-            ast = Parser::CurrentRuby.new.parse(buffer)
-
-            updated_content = Rewriter.new(
-              dependency: dependency,
-              file_type: file_type,
-              updated_requirement: updated_requirement,
-              insert_if_bare: insert_if_bare?
-            ).rewrite(buffer, ast)
-
-            update_comment_spacing_if_required(content, updated_content)
-          end
-
-          private
-
-          def insert_if_bare?
-            @insert_if_bare
-          end
-
-          def update_comment_spacing_if_required(content, updated_content)
-            return updated_content unless previous_requirement
-
-            return updated_content if updated_content == content
-            return updated_content if length_change.zero?
-
-            updated_lines = updated_content.lines
-            updated_line_index =
-              updated_lines.length.
-              times.find { |i| content.lines[i] != updated_content.lines[i] }
-            updated_line = updated_lines[updated_line_index]
-
-            updated_line =
-              if length_change.positive?
-                updated_line.sub(/(?<=\s)\s{#{length_change}}#/, "#")
-              elsif length_change.negative?
-                updated_line.sub(/(?<=\s{2})#/, " " * length_change.abs + "#")
-              end
-
-            updated_lines[updated_line_index] = updated_line
-            updated_lines.join
-          end
-
-          def length_change
-            unless previous_requirement.start_with?("=")
-              return updated_requirement.length - previous_requirement.length
-            end
-
-            updated_requirement.length -
-              previous_requirement.gsub(/^=/, "").strip.length
-          end
-
-          class Rewriter < Parser::TreeRewriter
-            # TODO: Ideally we wouldn't have to ignore all of these, but
-            # implementing each one will be tricky.
-            SKIPPED_TYPES = %i(send lvar dstr begin if splat const).freeze
-
-            def initialize(dependency:, file_type:, updated_requirement:,
-                           insert_if_bare:)
-              @dependency          = dependency
-              @file_type           = file_type
-              @updated_requirement = updated_requirement
-              @insert_if_bare      = insert_if_bare
-
-              return if %i(gemfile gemspec).include?(file_type)
-
-              raise "File type must be :gemfile or :gemspec. Got #{file_type}."
-            end
-
-            def on_send(node)
-              return unless declares_targeted_gem?(node)
-
-              req_nodes = node.children[3..-1]
-              req_nodes = req_nodes.reject { |child| child.type == :hash }
-
-              return if req_nodes.none? && !insert_if_bare?
-              return if req_nodes.any? { |n| SKIPPED_TYPES.include?(n.type) }
-
-              quote_characters = extract_quote_characters_from(req_nodes)
-              space_after_specifier = space_after_specifier?(req_nodes)
-              use_equality_operator = use_equality_operator?(req_nodes)
-
-              new_req = new_requirement_string(
-                quote_characters: quote_characters,
-                space_after_specifier: space_after_specifier,
-                use_equality_operator: use_equality_operator
-              )
-              if req_nodes.any?
-                replace(range_for(req_nodes), new_req)
-              else
-                insert_after(range_for(node.children[2..2]), ", #{new_req}")
-              end
-            end
-
-            private
-
-            attr_reader :dependency, :file_type, :updated_requirement
-
-            def insert_if_bare?
-              @insert_if_bare
-            end
-
-            def declaration_methods
-              return %i(gem) if file_type == :gemfile
-
-              %i(add_dependency add_runtime_dependency
-                 add_development_dependency)
-            end
-
-            def declares_targeted_gem?(node)
-              return false unless declaration_methods.include?(node.children[1])
-
-              node.children[2].children.first == dependency.name
-            end
-
-            def extract_quote_characters_from(requirement_nodes)
-              return ['"', '"'] if requirement_nodes.none?
-
-              case requirement_nodes.first.type
-              when :str, :dstr
-                [
-                  requirement_nodes.first.loc.begin.source,
-                  requirement_nodes.first.loc.end.source
-                ]
-              else
-                [
-                  requirement_nodes.first.children.first.loc.begin.source,
-                  requirement_nodes.first.children.first.loc.end.source
-                ]
-              end
-            end
-
-            def space_after_specifier?(requirement_nodes)
-              return true if requirement_nodes.none?
-
-              req_string =
-                case requirement_nodes.first.type
-                when :str, :dstr
-                  requirement_nodes.first.loc.expression.source
-                else
-                  requirement_nodes.first.children.first.loc.expression.source
-                end
-
-              ops = Gem::Requirement::OPS.keys
-              return true if ops.none? { |op| req_string.include?(op) }
-
-              req_string.include?(" ")
-            end
-
-            def use_equality_operator?(requirement_nodes)
-              return true if requirement_nodes.none?
-
-              req_string =
-                case requirement_nodes.first.type
-                when :str, :dstr
-                  requirement_nodes.first.loc.expression.source
-                else
-                  requirement_nodes.first.children.first.loc.expression.source
-                end
-
-              req_string.match?(/(?<![<>])=/)
-            end
-
-            def new_requirement_string(quote_characters:,
-                                       space_after_specifier:,
-                                       use_equality_operator:)
-              open_quote, close_quote = quote_characters
-              new_requirement_string =
-                updated_requirement.split(",").
-                map do |r|
-                  req_string = serialized_req(r, use_equality_operator)
-                  %(#{open_quote}#{req_string}#{close_quote})
-                end.join(", ")
-
-              new_requirement_string.delete!(" ") unless space_after_specifier
-              new_requirement_string
-            end
-
-            def serialized_req(req, use_equality_operator)
-              tmp_req = req
-
-              # Gem::Requirement serializes exact matches as a string starting
-              # with `=`. We may need to remove that equality operator if it
-              # wasn't used originally.
-              unless use_equality_operator
-                tmp_req = tmp_req.gsub(/(?<![<>])=/, "")
-              end
-
-              tmp_req.strip
-            end
-
-            def range_for(nodes)
-              nodes.first.loc.begin.begin.join(nodes.last.loc.expression)
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/metadata_finders/ruby/bundler.rb

@@ -1,202 +0,0 @@
-# frozen_string_literal: true
-
-require "excon"
-require "dependabot/metadata_finders/base"
-
-module Dependabot
-  module MetadataFinders
-    module Ruby
-      class Bundler < Dependabot::MetadataFinders::Base
-        SOURCE_KEYS = %w(
-          source_code_uri
-          homepage_uri
-          wiki_uri
-          bug_tracker_uri
-          documentation_uri
-          changelog_uri
-          mailing_list_uri
-          download_uri
-        ).freeze
-
-        def homepage_url
-          return super unless %w(default rubygems).include?(new_source_type)
-          return super unless rubygems_api_response["homepage_uri"]
-
-          rubygems_api_response["homepage_uri"]
-        end
-
-        private
-
-        def look_up_source
-          case new_source_type
-          when "git" then find_source_from_git_url
-          when "default", "rubygems" then find_source_from_rubygems
-          else raise "Unexpected source type: #{new_source_type}"
-          end
-        end
-
-        def new_source_type
-          sources =
-            dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
-
-          return "default" if sources.empty?
-          raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-
-          sources.first[:type] || sources.first.fetch("type")
-        end
-
-        def find_source_from_rubygems
-          api_source = find_source_from_rubygems_api_response
-          return api_source if api_source || new_source_type == "default"
-
-          find_source_from_gemspec_download
-        end
-
-        def find_source_from_rubygems_api_response
-          source_url = rubygems_api_response.
-                       values_at(*SOURCE_KEYS).
-                       compact.
-                       find { |url| Source.from_url(url) }
-
-          Source.from_url(source_url)
-        end
-
-        def find_source_from_git_url
-          info = dependency.requirements.map { |r| r[:source] }.compact.first
-
-          url = info[:url] || info.fetch("url")
-          Source.from_url(url)
-        end
-
-        def find_source_from_gemspec_download
-          github_urls = []
-          return unless rubygems_marshalled_gemspec_response
-
-          rubygems_marshalled_gemspec_response.scan(Source::SOURCE_REGEX) do
-            github_urls << Regexp.last_match.to_s
-          end
-
-          source_url = github_urls.find do |url|
-            repo = Source.from_url(url).repo
-            repo.downcase.end_with?(dependency.name)
-          end
-          return unless source_url
-
-          Source.from_url(source_url)
-        end
-
-        # Note: This response MUST NOT be unmarshalled
-        # (as calling Marshal.load is unsafe)
-        def rubygems_marshalled_gemspec_response
-          if defined?(@rubygems_marshalled_gemspec_response)
-            return @rubygems_marshalled_gemspec_response
-          end
-
-          gemspec_uri =
-            "#{registry_url}quick/Marshal.4.8/"\
-            "#{dependency.name}-#{dependency.version}.gemspec.rz"
-
-          response =
-            Excon.get(
-              gemspec_uri,
-              headers: registry_auth_headers,
-              idempotent: true,
-              **SharedHelpers.excon_defaults
-            )
-
-          if response.status >= 400
-            return @rubygems_marshalled_gemspec_response = nil
-          end
-
-          @rubygems_marshalled_gemspec_response =
-            Zlib::Inflate.inflate(response.body)
-        rescue Zlib::DataError
-          @rubygems_marshalled_gemspec_response = nil
-        end
-
-        def rubygems_api_response
-          return @rubygems_api_response if defined?(@rubygems_api_response)
-
-          response =
-            Excon.get(
-              "#{registry_url}api/v1/gems/#{dependency.name}.json",
-              headers: registry_auth_headers,
-              idempotent: true,
-              **SharedHelpers.excon_defaults
-            )
-          return @rubygems_api_response = {} if response.status >= 400
-
-          response_body = response.body
-          response_body = augment_private_response_if_appropriate(response_body)
-
-          @rubygems_api_response = JSON.parse(response_body)
-          append_slash_to_source_code_uri(@rubygems_api_response)
-        rescue JSON::ParserError, Excon::Error::Timeout
-          @rubygems_api_response = {}
-        end
-
-        def append_slash_to_source_code_uri(listing)
-          # We have to do this so that `Source.from_url(...)` doesn't prune the
-          # last line off of the directory.
-          return listing unless listing&.fetch("source_code_uri", nil)
-          return listing if listing.fetch("source_code_uri").end_with?("/")
-
-          listing["source_code_uri"] = listing["source_code_uri"] + "/"
-          listing
-        end
-
-        def augment_private_response_if_appropriate(response_body)
-          return response_body if new_source_type == "default"
-
-          parsed_body = JSON.parse(response_body)
-          return response_body if (SOURCE_KEYS - parsed_body.keys).none?
-
-          digest = parsed_body.values_at("version", "authors", "info").hash
-
-          source_url = parsed_body.
-                       values_at(*SOURCE_KEYS).
-                       compact.
-                       find { |url| Source.from_url(url) }
-          return response_body if source_url
-
-          rubygems_response =
-            Excon.get(
-              "https://rubygems.org/api/v1/gems/#{dependency.name}.json",
-              idempotent: true,
-              **SharedHelpers.excon_defaults
-            )
-          parsed_rubygems_body = JSON.parse(rubygems_response.body)
-          rubygems_digest =
-            parsed_rubygems_body.values_at("version", "authors", "info").hash
-
-          digest == rubygems_digest ? rubygems_response.body : response_body
-        rescue JSON::ParserError, Excon::Error::Socket, Excon::Error::Timeout
-          response_body
-        end
-
-        def registry_url
-          return "https://rubygems.org/" if new_source_type == "default"
-
-          info = dependency.requirements.map { |r| r[:source] }.compact.first
-          info[:url] || info.fetch("url")
-        end
-
-        def registry_auth_headers
-          return {} unless new_source_type == "rubygems"
-
-          token =
-            credentials.
-            select { |cred| cred["type"] == "rubygems_server" }.
-            find { |cred| registry_url.include?(cred["host"]) }&.
-            fetch("token")
-
-          return {} unless token
-
-          token += ":" unless token.include?(":")
-          encoded_token = Base64.encode64(token).delete("\n")
-          { "Authorization" => "Basic #{encoded_token}" }
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/update_checkers/ruby/bundler.rb

@@ -1,331 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/update_checkers/base"
-require "dependabot/file_updaters/ruby/bundler/requirement_replacer"
-require "dependabot/git_commit_checker"
-
-module Dependabot
-  module UpdateCheckers
-    module Ruby
-      class Bundler < Dependabot::UpdateCheckers::Base
-        require_relative "bundler/force_updater"
-        require_relative "bundler/file_preparer"
-        require_relative "bundler/requirements_updater"
-        require_relative "bundler/version_resolver"
-        require_relative "bundler/latest_version_finder"
-
-        def latest_version
-          return latest_version_for_git_dependency if git_dependency?
-
-          latest_version_details&.fetch(:version)
-        end
-
-        def latest_resolvable_version
-          return latest_resolvable_version_for_git_dependency if git_dependency?
-
-          latest_resolvable_version_details&.fetch(:version)
-        end
-
-        def latest_resolvable_version_with_no_unlock
-          current_ver = dependency.version
-          return current_ver if git_dependency? && git_commit_checker.pinned?
-
-          @latest_resolvable_version_detail_with_no_unlock ||=
-            version_resolver(
-              remove_git_source: false,
-              unlock_requirement: false
-            ).latest_resolvable_version_details
-
-          if git_dependency?
-            @latest_resolvable_version_detail_with_no_unlock&.fetch(:commit_sha)
-          else
-            @latest_resolvable_version_detail_with_no_unlock&.fetch(:version)
-          end
-        end
-
-        def updated_requirements
-          RequirementsUpdater.new(
-            requirements: dependency.requirements,
-            update_strategy: requirements_update_strategy,
-            updated_source: updated_source,
-            latest_version: latest_version_details&.fetch(:version)&.to_s,
-            latest_resolvable_version:
-              latest_resolvable_version_details&.fetch(:version)&.to_s
-          ).updated_requirements
-        end
-
-        def requirements_unlocked_or_can_be?
-          dependency.requirements.
-            reject { |r| r[:requirement].nil? }.
-            all? do |req|
-              requirement = requirement_class.new(req[:requirement])
-              next true if requirement.satisfied_by?(Gem::Version.new("100000"))
-
-              file = dependency_files.find { |f| f.name == req.fetch(:file) }
-              updated = FileUpdaters::Ruby::Bundler::RequirementReplacer.new(
-                dependency: dependency,
-                file_type: file.name.end_with?("gemspec") ? :gemspec : :gemfile,
-                updated_requirement: "whatever"
-              ).rewrite(file.content)
-
-              updated != file.content
-            end
-        end
-
-        def requirements_update_strategy
-          # If passed in as an option (in the base class) honour that option
-          if @requirements_update_strategy
-            return @requirements_update_strategy.to_sym
-          end
-
-          # Otherwise, widen ranges for libraries and bump versions for apps
-          dependency.version.nil? ? :bump_versions_if_necessary : :bump_versions
-        end
-
-        private
-
-        def latest_version_resolvable_with_full_unlock?
-          return false unless latest_version
-
-          updated_dependencies = force_updater.updated_dependencies
-
-          updated_dependencies.none? do |dep|
-            old_version = dep.previous_version
-            next unless Gem::Version.correct?(old_version)
-            next if Gem::Version.new(old_version).prerelease?
-
-            Gem::Version.new(dep.version).prerelease?
-          end
-        rescue Dependabot::DependencyFileNotResolvable
-          false
-        end
-
-        def updated_dependencies_after_full_unlock
-          force_updater.updated_dependencies
-        end
-
-        def git_dependency?
-          git_commit_checker.git_dependency?
-        end
-
-        def latest_version_details(remove_git_source: false)
-          @latest_version_details ||= {}
-          @latest_version_details[remove_git_source] ||=
-            latest_version_finder(remove_git_source: remove_git_source).
-            latest_version_details
-        end
-
-        def latest_resolvable_version_details(remove_git_source: false)
-          @latest_resolvable_version_details ||= {}
-          @latest_resolvable_version_details[remove_git_source] ||=
-            version_resolver(remove_git_source: remove_git_source).
-            latest_resolvable_version_details
-        end
-
-        def latest_version_for_git_dependency
-          latest_release =
-            latest_version_details(remove_git_source: true)&.
-            fetch(:version)
-
-          # If there's been a release that includes the current pinned ref or
-          # that the current branch is behind, we switch to that release.
-          return latest_release if git_branch_or_ref_in_release?(latest_release)
-
-          # Otherwise, if the gem isn't pinned, the latest version is just the
-          # latest commit for the specified branch.
-          unless git_commit_checker.pinned?
-            return git_commit_checker.head_commit_for_current_branch
-          end
-
-          # If the dependency is pinned to a tag that looks like a version then
-          # we want to update that tag. The latest version will then be the SHA
-          # of the latest tag that looks like a version.
-          if git_commit_checker.pinned_ref_looks_like_version?
-            latest_tag = git_commit_checker.local_tag_for_latest_version
-            return latest_tag&.fetch(:tag_sha) || dependency.version
-          end
-
-          # If the dependency is pinned to a tag that doesn't look like a
-          # version then there's nothing we can do.
-          dependency.version
-        end
-
-        def latest_resolvable_version_for_git_dependency
-          latest_release = latest_resolvable_version_without_git_source
-
-          # If there's a resolvable release that includes the current pinned
-          # ref or that the current branch is behind, we switch to that release.
-          return latest_release if git_branch_or_ref_in_release?(latest_release)
-
-          # Otherwise, if the gem isn't pinned, the latest version is just the
-          # latest commit for the specified branch.
-          unless git_commit_checker.pinned?
-            return latest_resolvable_commit_with_unchanged_git_source
-          end
-
-          # If the dependency is pinned to a tag that looks like a version then
-          # we want to update that tag. The latest version will then be the SHA
-          # of the latest tag that looks like a version.
-          if git_commit_checker.pinned_ref_looks_like_version? &&
-             latest_git_tag_is_resolvable?
-            new_tag = git_commit_checker.local_tag_for_latest_version
-            return new_tag.fetch(:tag_sha)
-          end
-
-          # If the dependency is pinned to a tag that doesn't look like a
-          # version then there's nothing we can do.
-          dependency.version
-        end
-
-        def latest_resolvable_version_without_git_source
-          return nil unless latest_version.is_a?(Gem::Version)
-
-          latest_resolvable_version_details(remove_git_source: true)&.
-          fetch(:version)
-        rescue Dependabot::DependencyFileNotResolvable
-          nil
-        end
-
-        def latest_resolvable_commit_with_unchanged_git_source
-          details = latest_resolvable_version_details(remove_git_source: false)
-
-          # If this dependency has a git version in the Gemfile.lock but not in
-          # the Gemfile (i.e., because they're out-of-sync) we might not get a
-          # commit_sha back from Bundler. In that case, return `nil`.
-          return unless details.key?(:commit_sha)
-
-          details.fetch(:commit_sha)
-        rescue Dependabot::DependencyFileNotResolvable
-          nil
-        end
-
-        def latest_git_tag_is_resolvable?
-          return @git_tag_resolvable if @latest_git_tag_is_resolvable_checked
-
-          @latest_git_tag_is_resolvable_checked = true
-
-          return false if git_commit_checker.local_tag_for_latest_version.nil?
-
-          replacement_tag = git_commit_checker.local_tag_for_latest_version
-
-          VersionResolver.new(
-            dependency: dependency,
-            unprepared_dependency_files: dependency_files,
-            credentials: credentials,
-            ignored_versions: ignored_versions,
-            replacement_git_pin: replacement_tag.fetch(:tag)
-          ).latest_resolvable_version_details
-
-          @git_tag_resolvable = true
-        rescue Dependabot::DependencyFileNotResolvable
-          @git_tag_resolvable = false
-        end
-
-        def git_branch_or_ref_in_release?(release)
-          return false unless release
-
-          git_commit_checker.branch_or_ref_in_release?(release)
-        end
-
-        def updated_source
-          # Never need to update source, unless a git_dependency
-          return dependency_source_details unless git_dependency?
-
-          # Source becomes `nil` if switching to default rubygems
-          return nil if should_switch_source_from_git_to_rubygems?
-
-          # Update the git tag if updating a pinned version
-          if git_commit_checker.pinned_ref_looks_like_version? &&
-             latest_git_tag_is_resolvable?
-            new_tag = git_commit_checker.local_tag_for_latest_version
-            return dependency_source_details.merge(ref: new_tag.fetch(:tag))
-          end
-
-          # Otherwise return the original source
-          dependency_source_details
-        end
-
-        def dependency_source_details
-          sources =
-            dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
-
-          raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-
-          sources.first
-        end
-
-        def should_switch_source_from_git_to_rubygems?
-          return false unless git_dependency?
-          return false if latest_resolvable_version_for_git_dependency.nil?
-
-          Gem::Version.correct?(latest_resolvable_version_for_git_dependency)
-        end
-
-        def force_updater
-          @force_updater ||=
-            ForceUpdater.new(
-              dependency: dependency,
-              dependency_files: dependency_files,
-              credentials: credentials,
-              target_version: latest_version,
-              requirements_update_strategy: requirements_update_strategy
-            )
-        end
-
-        def git_commit_checker
-          @git_commit_checker ||=
-            GitCommitChecker.new(
-              dependency: dependency,
-              credentials: credentials
-            )
-        end
-
-        def version_resolver(remove_git_source:, unlock_requirement: true)
-          @version_resolver ||= {}
-          @version_resolver[remove_git_source] ||= {}
-          @version_resolver[remove_git_source][unlock_requirement] ||=
-            begin
-              VersionResolver.new(
-                dependency: dependency,
-                unprepared_dependency_files: dependency_files,
-                credentials: credentials,
-                ignored_versions: ignored_versions,
-                remove_git_source: remove_git_source,
-                unlock_requirement: unlock_requirement,
-                latest_allowable_version: latest_version
-              )
-            end
-        end
-
-        def latest_version_finder(remove_git_source:)
-          @latest_version_finder ||= {}
-          @latest_version_finder[remove_git_source] ||=
-            begin
-              prepared_dependency_files = prepared_dependency_files(
-                remove_git_source: remove_git_source,
-                unlock_requirement: true
-              )
-
-              LatestVersionFinder.new(
-                dependency: dependency,
-                dependency_files: prepared_dependency_files,
-                credentials: credentials,
-                ignored_versions: ignored_versions
-              )
-            end
-        end
-
-        def prepared_dependency_files(remove_git_source:, unlock_requirement:,
-                                      latest_allowable_version: nil)
-          FilePreparer.new(
-            dependency: dependency,
-            dependency_files: dependency_files,
-            remove_git_source: remove_git_source,
-            unlock_requirement: unlock_requirement,
-            latest_allowable_version: latest_allowable_version
-          ).prepared_dependency_files
-        end
-      end
-    end
-  end
-end