dependabot-core 0.94.13 → 0.95.0

data/LICENSE

@@ -1,39 +0,0 @@
-The Prosperity Public License 2.0.0
-
-Contributor: Dependabot Ltd
-
-Source Code: https://github.com/dependabot/dependabot-core
-
-This license lets you use and share this software for free,
-with a trial-length time limit on commercial use. Specifically:
-
-If you follow the rules below, you may do everything with this
-software that would otherwise infringe either the contributor's
-copyright in it, any patent claim the contributor can license
-that covers this software as of the contributor's latest
-contribution, or both.
-
-1. You must limit use of this software in any manner primarily
-   intended for or directed toward commercial advantage or
-   private monetary compensation to a trial period of 32
-   consecutive calendar days. This limit does not apply to use in
-   developing feedback, modifications, or extensions that you
-   contribute back to those giving this license.
-
-2. Ensure everyone who gets a copy of this software from you, in
-   source code or any other form, gets the text of this license
-   and the contributor and source code lines above.
-
-3. Do not make any legal claim against anyone for infringing any
-   patent claim they would infringe by using this software alone,
-   accusing this software, with or without changes, alone or as
-   part of a larger application.
-
-You are excused for unknowingly breaking rule 1 if you stop
-doing anything requiring this license within 30 days of
-learning you broke the rule.
-
-**This software comes as is, without any warranty at all. As far
-as the law allows, the contributor will not be liable for any
-damages related to this software or this license, for any kind of
-legal claim.**

data/README.md

@@ -1,114 +0,0 @@
-<p align="center">
-  <img src="https://s3.eu-west-2.amazonaws.com/dependabot-images/logo-with-name-horizontal.svg?v4" alt="Dependabot" width="336">
-</p>
-
-# Dependabot Core [![Dependabot Status][dependabot-status]][dependabot]
-
-Dependabot Core is the heart of [Dependabot][dependabot]. It handles the logic
-for updating dependencies on GitHub (including GitHub Enterprise) and GitLab. We
-plan to add support for Bitbucket and Azure DevOps in the future, too.
-
-If you want to host your own automated dependency update bot then this repo
-should give you the tools you need. A reference implementation is available
-[here][dependabot-script].
-
-## What's in this repo?
-
-Dependabot Core is a collection of helper classes for automating dependency
-updating in Ruby, JavaScript, Python, PHP, Elixir, Elm, Go, Rust, Java and
-.NET. It can also update git submodules, Docker files and Terraform files.
-Highlights include:
-
-- Logic to check for the latest version of a dependency *that's resolvable given
-  a project's other dependencies*
-- Logic to generate updated manifest and lockfiles for a new dependency version
-- Logic to find changelogs, release notes, and commits for a dependency update
-
-## Other Dependabot resources
-
-In addition to this library, you may be interested in:
-
-- The [dependabot-script][dependabot-script] repo, which provides a collection
-  of scripts that use this library to update dependencies on GitHub Enterprise
-  or GitLab
-- The [API docs][api-docs] for Dependabot's hosted instance (dependabot.com)
-
-## Setup
-
-To run all of Dependabot Core, you'll need Ruby, Python, PHP, Elixir, Node, Go,
-Elm and Rust installed. However, if you just wish to run it for a single
-language you can get away with just having that language and Ruby.
-
-The main library is written in Ruby, while JavaScript, Python, PHP, Elm,
-Elixir, Go and Rust are required for dealing with updates for their respective
-languages.
-
-Before running Dependabot Core, install dependencies for the core library and
-the helpers:
-
-1. `bundle install`
-2. `cd npm_and_yarn/helpers && yarn install --production && cd -`
-3. `cd composer/helpers && composer install --no-dev && cd -`
-4. `cd python/helpers && pyenv exec pip install -r requirements.txt && cd -`
-5. `cd elixir/helpers && mix deps.get && cd -`
-
-## Architecture
-
-Dependabot Core has helper classes for seven concerns. Where relevant, each
-concern will have a language-specific class.
-
-| Service                          | Description                                                                                   |
-|----------------------------------|-----------------------------------------------------------------------------------------------|
-| `Dependabot::FileFetchers`       | Fetches the relevant dependency files for a project (e.g., the `Gemfile` and `Gemfile.lock`). See the [file fetchers](https://github.com/dependabot/dependabot-core/tree/master/lib/dependabot/file_fetchers) for more details. |
-| `Dependabot::FileParsers`        | Parses a dependency file and extracts a list of dependencies for a project. See the [file parsers](https://github.com/dependabot/dependabot-core/tree/master/lib/dependabot/file_parsers) for more details. |
-| `Dependabot::UpdateCheckers`     | Checks whether a given dependency is up-to-date. See the [update checkers](https://github.com/dependabot/dependabot-core/tree/master/lib/dependabot/update_checkers) for more details. |
-| `Dependabot::FileUpdaters`       | Updates a dependency file to use the latest version of a given dependency. See the [file updaters](https://github.com/dependabot/dependabot-core/tree/master/lib/dependabot/file_updaters) for more details. |
-| `Dependabot::MetadataFinders`    | Looks up metadata about a dependency, such as its GitHub URL. See the [metadata finders](https://github.com/dependabot/dependabot-core/tree/master/lib/dependabot/metadata_finders) for more details. |
-| `Dependabot::PullRequestCreator` | Creates a Pull Request to the original repo with the updated dependency file.                 |
-| `Dependabot::PullRequestUpdater` | Updates an existing Pull Request with new dependency files (e.g., to resolve conflicts).      |
-
-## Why is this public?
-
-As the name suggests, Dependabot Core is the core of Dependabot (the rest of the
-app is pretty much just a UI and database). If we were paranoid about someone
-stealing our business then we'd be keeping it under lock and key.
-
-Dependabot Core is public because we're more interested in it having an
-impact than we are in making a buck from it. We'd love you to use
-[Dependabot][dependabot], so that we can continue to develop it, but if you want
-to build and host your own version then this library should make doing so a
-*lot* easier.
-
-If you use Dependabot Core then we'd love to hear what you build!
-
-## License
-
-We use the License Zero Prosperity Public License, which essentially enshrines
-the following:
-- If you would like to use Dependabot Core for non-commercial purposes, such as
-  to host a bot at your workplace, then we give you full permission to do so. In
-  fact, we'd love you to, and will help and support you however we can.
-- If you would like to add Dependabot's functionality to your for-profit
-  company's offering then we DO NOT give you permission to use Dependabot Core
-  to do so. Please contact us directly to discuss a partnership or licensing
-  arrangement.
-
-If you make a significant contribution to Dependabot Core then you will be asked
-to transfer the IP of that contribution to Dependabot Ltd so that it can be
-licensed in the same way as the above.
-
-## History
-
-Dependabot and Dependabot Core started life as [Bump][bump] and
-[Bump Core][bump-core], back when Harry and Grey were working at
-[GoCardless][gocardless]. We remain grateful for the help and support of
-GoCardless in helping make Dependabot possible - if you need to collect
-recurring payments from Europe, check them out.
-
-[dependabot]: https://dependabot.com
-[dependabot-status]: https://api.dependabot.com/badges/status?host=github&identifier=93163073
-[dependabot-script]: https://github.com/dependabot/dependabot-script
-[api-docs]: https://github.com/dependabot/api-docs
-[bump]: https://github.com/gocardless/bump
-[bump-core]: https://github.com/gocardless/bump-core
-[gocardless]: https://gocardless.com

data/helpers/test/run.rb

@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-
-require "json"
-
-request = JSON.parse($stdin.read)
-case request["function"]
-when "error"
-  $stdout.write(JSON.dump(error: "Something went wrong"))
-  exit 1
-when "useful_error"
-  $stderr.write("Some useful error")
-  exit 1
-when "hard_error"
-  puts "Oh no!"
-  exit 0
-else
-  $stdout.write(JSON.dump(result: request))
-end

data/helpers/utils/git-credential-store-immutable

@@ -1,10 +0,0 @@
-#!/usr/bin/env ruby
-
-require "shellwords"
-
-# Valid commands are: `get`, `store`, `erase`. We only want to let `get`
-# through, as the others mutate the credential store.
-if ARGV.include?("get")
-  args = ARGV.map { |arg| Shellwords.escape(arg) }.join(" ")
-  exec "git credential-store #{args}"
-end

data/lib/dependabot/clients/bitbucket.rb

@@ -1,105 +0,0 @@
-# frozen_string_literal: true
-
-require "dependabot/shared_helpers"
-require "excon"
-
-module Dependabot
-  module Clients
-    class Bitbucket
-      class NotFound < StandardError; end
-      class Unauthorized < StandardError; end
-      class Forbidden < StandardError; end
-
-      #######################
-      # Constructor methods #
-      #######################
-
-      def self.for_bitbucket_dot_org(credentials:)
-        credential =
-          credentials.
-          select { |cred| cred["type"] == "git_source" }.
-          find { |cred| cred["host"] == "bitbucket.org" }
-
-        new(credential)
-      end
-
-      ##########
-      # Client #
-      ##########
-
-      def initialize(credentials)
-        @credentials = credentials
-      end
-
-      def fetch_commit(repo, branch)
-        path = "#{repo}/refs/branches/#{branch}"
-        response = get(base_url + path)
-
-        JSON.parse(response.body).fetch("target").fetch("hash")
-      end
-
-      def fetch_default_branch(repo)
-        response = get(base_url + repo)
-
-        JSON.parse(response.body).fetch("mainbranch").fetch("name")
-      end
-
-      def fetch_repo_contents(repo, commit = nil, path = nil)
-        raise "Commit is required if path provided!" if commit.nil? && path
-
-        api_path = "#{repo}/src"
-        api_path += "/#{commit}" if commit
-        api_path += "/#{path.gsub(%r{/+$}, '')}" if path
-        api_path += "?pagelen=100"
-        response = get(base_url + api_path)
-
-        JSON.parse(response.body).fetch("values")
-      end
-
-      def fetch_file_contents(repo, commit, path)
-        path = "#{repo}/src/#{commit}/#{path.gsub(%r{/+$}, '')}"
-        response = get(base_url + path)
-
-        response.body
-      end
-
-      def tags(repo)
-        path = "#{repo}/refs/tags?pagelen=100"
-        response = get(base_url + path)
-
-        JSON.parse(response.body).fetch("values")
-      end
-
-      def compare(repo, previous_tag, new_tag)
-        path = "#{repo}/commits/?include=#{new_tag}&exclude=#{previous_tag}"
-        response = get(base_url + path)
-
-        JSON.parse(response.body).fetch("values")
-      end
-
-      def get(url)
-        response = Excon.get(
-          url,
-          user: credentials&.fetch("username"),
-          password: credentials&.fetch("password"),
-          idempotent: true,
-          **Dependabot::SharedHelpers.excon_defaults
-        )
-        raise Unauthorized if response.status == 401
-        raise Forbidden if response.status == 403
-        raise NotFound if response.status == 404
-
-        response
-      end
-
-      private
-
-      attr_reader :credentials
-
-      def base_url
-        # TODO: Make this configurable when we support enterprise Bitbucket
-        "https://api.bitbucket.org/2.0/repositories/"
-      end
-    end
-  end
-end

data/lib/dependabot/clients/github_with_retries.rb

@@ -1,121 +0,0 @@
-# frozen_string_literal: true
-
-require "octokit"
-
-module Dependabot
-  module Clients
-    class GithubWithRetries
-      DEFAULT_CLIENT_ARGS = {
-        connection_options: {
-          request: {
-            open_timeout: 2,
-            timeout: 5
-          }
-        }
-      }.freeze
-
-      RETRYABLE_ERRORS = [
-        Faraday::ConnectionFailed,
-        Faraday::TimeoutError,
-        Octokit::InternalServerError,
-        Octokit::BadGateway
-      ].freeze
-
-      #######################
-      # Constructor methods #
-      #######################
-
-      def self.for_source(source:, credentials:)
-        access_tokens =
-          credentials.
-          select { |cred| cred["type"] == "git_source" }.
-          select { |cred| cred["host"] == source.hostname }.
-          map { |cred| cred.fetch("password") }
-
-        new(
-          access_tokens: access_tokens,
-          api_endpoint: source.api_endpoint
-        )
-      end
-
-      def self.for_github_dot_com(credentials:)
-        access_tokens =
-          credentials.
-          select { |cred| cred["type"] == "git_source" }.
-          select { |cred| cred["host"] == "github.com" }.
-          map { |cred| cred.fetch("password") }
-
-        new(access_tokens: access_tokens)
-      end
-
-      #################
-      # VCS Interface #
-      #################
-
-      def fetch_commit(repo, branch)
-        response = ref(repo, "heads/#{branch}")
-
-        raise Octokit::NotFound if response.is_a?(Array)
-
-        response.object.sha
-      end
-
-      def fetch_default_branch(repo)
-        repository(repo).default_branch
-      end
-
-      ############
-      # Proxying #
-      ############
-
-      def initialize(max_retries: 3, **args)
-        args = DEFAULT_CLIENT_ARGS.merge(args)
-
-        access_tokens = args.delete(:access_tokens) || []
-        access_tokens << args[:access_token] if args[:access_token]
-        access_tokens << nil if access_tokens.empty?
-        access_tokens.uniq!
-
-        @max_retries = max_retries || 3
-        @clients = access_tokens.map do |token|
-          Octokit::Client.new(args.merge(access_token: token))
-        end
-      end
-
-      def method_missing(method_name, *args, &block)
-        untried_clients = @clients.dup
-        client = untried_clients.pop
-
-        begin
-          retry_connection_failures do
-            if client.respond_to?(method_name)
-              mutatable_args = args.map(&:dup)
-              client.public_send(method_name, *mutatable_args, &block)
-            else
-              super
-            end
-          end
-        rescue Octokit::NotFound, Octokit::Unauthorized, Octokit::Forbidden
-          raise unless (client = untried_clients.pop)
-
-          retry
-        end
-      end
-
-      def respond_to_missing?(method_name, include_private = false)
-        @clients.first.respond_to?(method_name) || super
-      end
-
-      def retry_connection_failures
-        retry_attempt = 0
-
-        begin
-          yield
-        rescue *RETRYABLE_ERRORS
-          retry_attempt += 1
-          retry_attempt <= @max_retries ? retry : raise
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/clients/gitlab.rb

@@ -1,72 +0,0 @@
-# frozen_string_literal: true
-
-require "gitlab"
-
-module Dependabot
-  module Clients
-    class Gitlab
-      #######################
-      # Constructor methods #
-      #######################
-
-      def self.for_source(source:, credentials:)
-        access_token =
-          credentials.
-          select { |cred| cred["type"] == "git_source" }.
-          find { |cred| cred["host"] == source.hostname }&.
-          fetch("password")
-
-        new(
-          endpoint: source.api_endpoint,
-          private_token: access_token || ""
-        )
-      end
-
-      def self.for_gitlab_dot_com(credentials:)
-        access_token =
-          credentials.
-          select { |cred| cred["type"] == "git_source" }.
-          find { |cred| cred["host"] == "gitlab.com" }&.
-          fetch("password")
-
-        new(
-          endpoint: "https://gitlab.com/api/v4",
-          private_token: access_token || ""
-        )
-      end
-
-      #################
-      # VCS Interface #
-      #################
-
-      def fetch_commit(repo, branch)
-        branch(repo, branch).commit.id
-      end
-
-      def fetch_default_branch(repo)
-        project(repo).default_branch
-      end
-
-      ############
-      # Proxying #
-      ############
-
-      def initialize(**args)
-        @client = ::Gitlab::Client.new(args)
-      end
-
-      def method_missing(method_name, *args, &block)
-        if @client.respond_to?(method_name)
-          mutatable_args = args.map(&:dup)
-          @client.public_send(method_name, *mutatable_args, &block)
-        else
-          super
-        end
-      end
-
-      def respond_to_missing?(method_name, include_private = false)
-        @client.respond_to?(method_name) || super
-      end
-    end
-  end
-end

data/lib/dependabot/dependency.rb

@@ -1,115 +0,0 @@
-# frozen_string_literal: true
-
-require "rubygems_version_patch"
-
-module Dependabot
-  class Dependency
-    @production_checks = {}
-
-    def self.production_check_for_package_manager(package_manager)
-      production_check = @production_checks[package_manager]
-      return production_check if production_check
-
-      raise "Unsupported package_manager #{package_manager}"
-    end
-
-    def self.register_production_check(package_manager, production_check)
-      @production_checks[package_manager] = production_check
-    end
-
-    attr_reader :name, :version, :requirements, :package_manager,
-                :previous_version, :previous_requirements
-
-    def initialize(name:, requirements:, package_manager:, version: nil,
-                   previous_version: nil, previous_requirements: nil)
-      @name = name
-      @version = version
-      @requirements = requirements.map { |req| symbolize_keys(req) }
-      @previous_version = previous_version
-      @previous_requirements =
-        previous_requirements&.map { |req| symbolize_keys(req) }
-      @package_manager = package_manager
-
-      check_values
-    end
-
-    def top_level?
-      requirements.any?
-    end
-
-    def to_h
-      {
-        "name" => name,
-        "version" => version,
-        "requirements" => requirements,
-        "previous_version" => previous_version,
-        "previous_requirements" => previous_requirements,
-        "package_manager" => package_manager
-      }
-    end
-
-    def appears_in_lockfile?
-      previous_version || (version && previous_requirements.nil?)
-    end
-
-    def production?
-      return true unless top_level?
-
-      groups = requirements.flat_map { |r| r.fetch(:groups).map(&:to_s) }
-
-      self.class.
-        production_check_for_package_manager(package_manager).
-        call(groups)
-    end
-
-    def display_name
-      return name unless %w(maven gradle).include?(package_manager)
-
-      name.split(":").last
-    end
-
-    def ==(other)
-      other.instance_of?(self.class) && to_h == other.to_h
-    end
-
-    def hash
-      to_h.hash
-    end
-
-    def eql?(other)
-      self.==(other)
-    end
-
-    private
-
-    def check_values
-      if [version, previous_version].any? { |v| v == "" }
-        raise ArgumentError, "blank strings must not be provided as versions"
-      end
-
-      requirement_fields = [requirements, previous_requirements].compact
-      unless requirement_fields.all? { |r| r.is_a?(Array) } &&
-             requirement_fields.flatten.all? { |r| r.is_a?(Hash) }
-        raise ArgumentError, "requirements must be an array of hashes"
-      end
-
-      required_keys = %i(requirement file groups source)
-      optional_keys = %i(metadata)
-      unless requirement_fields.flatten.
-             all? { |r| required_keys.sort == (r.keys - optional_keys).sort }
-        raise ArgumentError, "each requirement must have the following "\
-                             "required keys: #{required_keys.join(', ')}."\
-                             "Optionally, it may have the following keys: "\
-                             "#{optional_keys.join(', ')}."
-      end
-
-      return if requirement_fields.flatten.none? { |r| r[:requirement] == "" }
-
-      raise ArgumentError, "blank strings must not be provided as requirements"
-    end
-
-    def symbolize_keys(hash)
-      Hash[hash.keys.map { |k| [k.to_sym, hash[k]] }]
-    end
-  end
-end

data/lib/dependabot/dependency_file.rb

@@ -1,60 +0,0 @@
-# frozen_string_literal: true
-
-require "pathname"
-
-module Dependabot
-  class DependencyFile
-    attr_accessor :name, :content, :directory, :type, :support_file
-
-    def initialize(name:, content:, directory: "/", type: "file",
-                   support_file: false)
-      @name = name
-      @content = content
-      @directory = clean_directory(directory)
-      @support_file = support_file
-
-      # Type is used *very* sparingly. It lets the git_modules updater know that
-      # a "file" is actually a submodule, and lets our Go updaters know which
-      # file represents the main.go.
-      # New use cases should be avoided if at all possible (and use the
-      # support_file flag instead)
-      @type = type
-    end
-
-    def to_h
-      {
-        "name" => name,
-        "content" => content,
-        "directory" => directory,
-        "type" => type
-      }
-    end
-
-    def path
-      Pathname.new(File.join(directory, name)).cleanpath.to_path
-    end
-
-    def ==(other)
-      other.instance_of?(self.class) && to_h == other.to_h
-    end
-
-    def hash
-      to_h.hash
-    end
-
-    def eql?(other)
-      self.==(other)
-    end
-
-    def support_file?
-      @support_file
-    end
-
-    private
-
-    def clean_directory(directory)
-      # Directory should always start with a `/`
-      directory.sub(%r{^/*}, "/")
-    end
-  end
-end