dependabot-core 0.94.13 → 0.95.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- metadata +14 -337
- data/CHANGELOG.md +0 -7079
- data/LICENSE +0 -39
- data/README.md +0 -114
- data/helpers/test/run.rb +0 -18
- data/helpers/utils/git-credential-store-immutable +0 -10
- data/lib/dependabot/clients/bitbucket.rb +0 -105
- data/lib/dependabot/clients/github_with_retries.rb +0 -121
- data/lib/dependabot/clients/gitlab.rb +0 -72
- data/lib/dependabot/dependency.rb +0 -115
- data/lib/dependabot/dependency_file.rb +0 -60
- data/lib/dependabot/errors.rb +0 -179
- data/lib/dependabot/file_fetchers/README.md +0 -65
- data/lib/dependabot/file_fetchers/base.rb +0 -368
- data/lib/dependabot/file_fetchers.rb +0 -18
- data/lib/dependabot/file_parsers/README.md +0 -45
- data/lib/dependabot/file_parsers/base/dependency_set.rb +0 -77
- data/lib/dependabot/file_parsers/base.rb +0 -31
- data/lib/dependabot/file_parsers.rb +0 -18
- data/lib/dependabot/file_updaters/README.md +0 -58
- data/lib/dependabot/file_updaters/base.rb +0 -52
- data/lib/dependabot/file_updaters.rb +0 -18
- data/lib/dependabot/git_commit_checker.rb +0 -412
- data/lib/dependabot/metadata_finders/README.md +0 -53
- data/lib/dependabot/metadata_finders/base/changelog_finder.rb +0 -321
- data/lib/dependabot/metadata_finders/base/changelog_pruner.rb +0 -177
- data/lib/dependabot/metadata_finders/base/commits_finder.rb +0 -221
- data/lib/dependabot/metadata_finders/base/release_finder.rb +0 -255
- data/lib/dependabot/metadata_finders/base.rb +0 -117
- data/lib/dependabot/metadata_finders.rb +0 -18
- data/lib/dependabot/pull_request_creator/branch_namer.rb +0 -170
- data/lib/dependabot/pull_request_creator/commit_signer.rb +0 -63
- data/lib/dependabot/pull_request_creator/github.rb +0 -277
- data/lib/dependabot/pull_request_creator/gitlab.rb +0 -136
- data/lib/dependabot/pull_request_creator/labeler.rb +0 -373
- data/lib/dependabot/pull_request_creator/message_builder.rb +0 -906
- data/lib/dependabot/pull_request_creator.rb +0 -153
- data/lib/dependabot/pull_request_updater/github.rb +0 -165
- data/lib/dependabot/pull_request_updater.rb +0 -43
- data/lib/dependabot/shared_helpers.rb +0 -224
- data/lib/dependabot/source.rb +0 -120
- data/lib/dependabot/update_checkers/README.md +0 -67
- data/lib/dependabot/update_checkers/base.rb +0 -220
- data/lib/dependabot/update_checkers.rb +0 -18
- data/lib/dependabot/utils.rb +0 -33
- data/lib/dependabot/version.rb +0 -5
- data/lib/dependabot.rb +0 -4
- data/lib/rubygems_version_patch.rb +0 -14
|
@@ -1,67 +0,0 @@
|
|
|
1
|
-
# Update checkers
|
|
2
|
-
|
|
3
|
-
Update checkers check whether a given dependency is up-to-date. If it isn't,
|
|
4
|
-
they augment it with details of the version to update to.
|
|
5
|
-
|
|
6
|
-
There is a `Dependabot::UpdateCheckers` class for each language Dependabot
|
|
7
|
-
supports.
|
|
8
|
-
|
|
9
|
-
## Public API
|
|
10
|
-
|
|
11
|
-
Each `Dependabot::UpdateCheckers` class implements the following methods:
|
|
12
|
-
|
|
13
|
-
| Method | Description |
|
|
14
|
-
|------------------------------|-----------------------------------------------------------------------------------------------|
|
|
15
|
-
| `#up_to_date?` | Returns a boolean for whether the dependency this instance was created with is currently at the latest version. |
|
|
16
|
-
| `#can_update?` | Returns a boolean for whether the dependency this instance was created with needs updating. This will be true if the dependency and/or its requirements can be updated to support a newer version whilst keeping the dependency files it came from resolvable. |
|
|
17
|
-
| `#updated_dependencies` | Returns an array of updated `Dependabot::Dependency` instance with updated `version` and `requirements` attributes. The previous valuse are stored on the instance as `previous_version` and `previous_requirements`. |
|
|
18
|
-
| `#latest_version` | See the "Writing an update checker" section. |
|
|
19
|
-
| `#latest_resolvable_version` | See the "Writing an update checker" section. |
|
|
20
|
-
| `#updated_requirements` | See the "Writing an update checker" section. |
|
|
21
|
-
|
|
22
|
-
An integration might look as follows:
|
|
23
|
-
|
|
24
|
-
```ruby
|
|
25
|
-
require 'dependabot/update_checkers'
|
|
26
|
-
|
|
27
|
-
dependency = dependencies.first
|
|
28
|
-
|
|
29
|
-
update_checker_class = Dependabot::UpdateCheckers::Ruby::Bundler
|
|
30
|
-
update_checker = update_checker_class.new(
|
|
31
|
-
dependency: dependency,
|
|
32
|
-
dependency_files: files,
|
|
33
|
-
credentials: [{
|
|
34
|
-
"type" => "git_source",
|
|
35
|
-
"host" => "github.com",
|
|
36
|
-
"username" => "x-access-token",
|
|
37
|
-
"password" => "token"
|
|
38
|
-
}]
|
|
39
|
-
)
|
|
40
|
-
|
|
41
|
-
puts "Update needed for #{dependency.name}? "\
|
|
42
|
-
"#{update_checker.can_update?(requirements_to_update: :own)}"
|
|
43
|
-
```
|
|
44
|
-
|
|
45
|
-
## Writing an update checker for a new language
|
|
46
|
-
|
|
47
|
-
All new update checkers should inherit from `Dependabot::UpdateCheckers::Base` and
|
|
48
|
-
implement the following methods:
|
|
49
|
-
|
|
50
|
-
| Method | Description |
|
|
51
|
-
|------------------------------|-----------------------------------------------------------------------------------------------|
|
|
52
|
-
| `#latest_version` | The latest version of the dependency, ignoring resolvability. This is used to short-circuit update checking when the dependency is already at the latest version (since checking resolvability is typically slow). |
|
|
53
|
-
| `#latest_resolvable_version` | The latest version of the dependency that will still allow the full dependency set to resolve. |
|
|
54
|
-
| `#latest_resolvable_version_with_no_unlock` | The latest version of the dependency that satisfies the dependency's current version constraints and will still allow the full dependency set to resolve. |
|
|
55
|
-
| `#updated_requirements` | An updated set of requirements for the dependency that should replace the existing requirements in the manifest file. Use by the file updater class when updating the manifest file. |
|
|
56
|
-
| `#latest_version_resolvable_with_full_unlock?` | A boolean for whether the latest version can be resolved if all other dependencies are unlocked in the manifest file. Can be set to always return `false` if multi-dependency updates aren't yet supported. |
|
|
57
|
-
| `#updated_dependencies_after_full_unlock` | And updated set of dependencies after a full unlock and update has taken place. Not required if `latest_version_resolvable_with_full_unlock?` always returns false. |
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
To ensure the above are implemented, you should include
|
|
61
|
-
`it_behaves_like "a dependency update checker"` in your specs for the new update
|
|
62
|
-
checker.
|
|
63
|
-
|
|
64
|
-
Writing update checkers generally gets tricky when resolvability has to
|
|
65
|
-
be taken into account. It is almost always easiest to do so in the language your
|
|
66
|
-
update checker relates to, so you may wish to shell out to that language. See
|
|
67
|
-
`UpdateCheckers::Php::Composer` for an example of how to do so.
|
|
@@ -1,220 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require "json"
|
|
4
|
-
require "dependabot/utils"
|
|
5
|
-
|
|
6
|
-
module Dependabot
|
|
7
|
-
module UpdateCheckers
|
|
8
|
-
class Base
|
|
9
|
-
attr_reader :dependency, :dependency_files, :credentials,
|
|
10
|
-
:ignored_versions, :requirements_update_strategy
|
|
11
|
-
|
|
12
|
-
def initialize(dependency:, dependency_files:, credentials:,
|
|
13
|
-
ignored_versions: [], requirements_update_strategy: nil)
|
|
14
|
-
@dependency = dependency
|
|
15
|
-
@dependency_files = dependency_files
|
|
16
|
-
@credentials = credentials
|
|
17
|
-
@requirements_update_strategy = requirements_update_strategy
|
|
18
|
-
@ignored_versions = ignored_versions
|
|
19
|
-
end
|
|
20
|
-
|
|
21
|
-
def up_to_date?
|
|
22
|
-
if dependency.appears_in_lockfile?
|
|
23
|
-
version_up_to_date?
|
|
24
|
-
else
|
|
25
|
-
requirements_up_to_date?
|
|
26
|
-
end
|
|
27
|
-
end
|
|
28
|
-
|
|
29
|
-
def can_update?(requirements_to_unlock:)
|
|
30
|
-
if dependency.appears_in_lockfile?
|
|
31
|
-
version_can_update?(requirements_to_unlock: requirements_to_unlock)
|
|
32
|
-
else
|
|
33
|
-
# TODO: Handle full unlock updates for dependencies without a lockfile
|
|
34
|
-
return false if requirements_to_unlock == :none
|
|
35
|
-
|
|
36
|
-
requirements_can_update?
|
|
37
|
-
end
|
|
38
|
-
end
|
|
39
|
-
|
|
40
|
-
def updated_dependencies(requirements_to_unlock:)
|
|
41
|
-
unless can_update?(requirements_to_unlock: requirements_to_unlock)
|
|
42
|
-
return []
|
|
43
|
-
end
|
|
44
|
-
|
|
45
|
-
case requirements_to_unlock&.to_sym
|
|
46
|
-
when :none then [updated_dependency_without_unlock]
|
|
47
|
-
when :own then [updated_dependency_with_own_req_unlock]
|
|
48
|
-
when :all then updated_dependencies_after_full_unlock
|
|
49
|
-
else raise "Unknown unlock level '#{requirements_to_unlock}'"
|
|
50
|
-
end
|
|
51
|
-
end
|
|
52
|
-
|
|
53
|
-
def latest_version
|
|
54
|
-
raise NotImplementedError
|
|
55
|
-
end
|
|
56
|
-
|
|
57
|
-
def latest_resolvable_version
|
|
58
|
-
raise NotImplementedError
|
|
59
|
-
end
|
|
60
|
-
|
|
61
|
-
def latest_resolvable_version_with_no_unlock
|
|
62
|
-
raise NotImplementedError
|
|
63
|
-
end
|
|
64
|
-
|
|
65
|
-
def updated_requirements
|
|
66
|
-
raise NotImplementedError
|
|
67
|
-
end
|
|
68
|
-
|
|
69
|
-
def version_class
|
|
70
|
-
Utils.version_class_for_package_manager(dependency.package_manager)
|
|
71
|
-
end
|
|
72
|
-
|
|
73
|
-
def requirement_class
|
|
74
|
-
Utils.requirement_class_for_package_manager(dependency.package_manager)
|
|
75
|
-
end
|
|
76
|
-
|
|
77
|
-
# For some langauges, the manifest file may be constructed such that
|
|
78
|
-
# Dependabot has no way to update it (e.g., if it fetches its versions
|
|
79
|
-
# from a web API). This method is overridden in those cases.
|
|
80
|
-
def requirements_unlocked_or_can_be?
|
|
81
|
-
true
|
|
82
|
-
end
|
|
83
|
-
|
|
84
|
-
private
|
|
85
|
-
|
|
86
|
-
def latest_version_resolvable_with_full_unlock?
|
|
87
|
-
raise NotImplementedError
|
|
88
|
-
end
|
|
89
|
-
|
|
90
|
-
def updated_dependency_without_unlock
|
|
91
|
-
Dependency.new(
|
|
92
|
-
name: dependency.name,
|
|
93
|
-
version: latest_resolvable_version_with_no_unlock.to_s,
|
|
94
|
-
requirements: dependency.requirements,
|
|
95
|
-
previous_version: dependency.version,
|
|
96
|
-
previous_requirements: dependency.requirements,
|
|
97
|
-
package_manager: dependency.package_manager
|
|
98
|
-
)
|
|
99
|
-
end
|
|
100
|
-
|
|
101
|
-
def updated_dependency_with_own_req_unlock
|
|
102
|
-
Dependency.new(
|
|
103
|
-
name: dependency.name,
|
|
104
|
-
version: latest_resolvable_version.to_s,
|
|
105
|
-
requirements: updated_requirements,
|
|
106
|
-
previous_version: dependency.version,
|
|
107
|
-
previous_requirements: dependency.requirements,
|
|
108
|
-
package_manager: dependency.package_manager
|
|
109
|
-
)
|
|
110
|
-
end
|
|
111
|
-
|
|
112
|
-
def updated_dependencies_after_full_unlock
|
|
113
|
-
raise NotImplementedError
|
|
114
|
-
end
|
|
115
|
-
|
|
116
|
-
def version_up_to_date?
|
|
117
|
-
return sha1_version_up_to_date? if existing_version_is_sha?
|
|
118
|
-
|
|
119
|
-
numeric_version_up_to_date?
|
|
120
|
-
end
|
|
121
|
-
|
|
122
|
-
def version_can_update?(requirements_to_unlock:)
|
|
123
|
-
if existing_version_is_sha?
|
|
124
|
-
return sha1_version_can_update?(
|
|
125
|
-
requirements_to_unlock: requirements_to_unlock
|
|
126
|
-
)
|
|
127
|
-
end
|
|
128
|
-
|
|
129
|
-
numeric_version_can_update?(
|
|
130
|
-
requirements_to_unlock: requirements_to_unlock
|
|
131
|
-
)
|
|
132
|
-
end
|
|
133
|
-
|
|
134
|
-
def existing_version_is_sha?
|
|
135
|
-
return false if version_class.correct?(dependency.version)
|
|
136
|
-
|
|
137
|
-
dependency.version.match?(/^[0-9a-f]{6,}$/)
|
|
138
|
-
end
|
|
139
|
-
|
|
140
|
-
def sha1_version_up_to_date?
|
|
141
|
-
latest_version&.to_s&.start_with?(dependency.version)
|
|
142
|
-
end
|
|
143
|
-
|
|
144
|
-
def sha1_version_can_update?(requirements_to_unlock:)
|
|
145
|
-
return false if sha1_version_up_to_date?
|
|
146
|
-
|
|
147
|
-
# All we can do with SHA-1 hashes is check for presence and equality
|
|
148
|
-
case requirements_to_unlock&.to_sym
|
|
149
|
-
when :none
|
|
150
|
-
new_version = latest_resolvable_version_with_no_unlock
|
|
151
|
-
new_version && !new_version.to_s.start_with?(dependency.version)
|
|
152
|
-
when :own
|
|
153
|
-
new_version = latest_resolvable_version
|
|
154
|
-
new_version && !new_version.to_s.start_with?(dependency.version)
|
|
155
|
-
when :all
|
|
156
|
-
latest_version_resolvable_with_full_unlock?
|
|
157
|
-
else raise "Unknown unlock level '#{requirements_to_unlock}'"
|
|
158
|
-
end
|
|
159
|
-
end
|
|
160
|
-
|
|
161
|
-
def numeric_version_up_to_date?
|
|
162
|
-
return false unless latest_version
|
|
163
|
-
|
|
164
|
-
# If a lockfile isn't out of date and the package has switched to a git
|
|
165
|
-
# source then we'll get a numeric version switching to a git SHA. In
|
|
166
|
-
# this case we treat the verison as up-to-date so that it's ignored.
|
|
167
|
-
return true if latest_version.to_s.match?(/^[0-9a-f]{40}$/)
|
|
168
|
-
|
|
169
|
-
latest_version <= version_class.new(dependency.version)
|
|
170
|
-
end
|
|
171
|
-
|
|
172
|
-
def numeric_version_can_update?(requirements_to_unlock:)
|
|
173
|
-
return false if numeric_version_up_to_date?
|
|
174
|
-
|
|
175
|
-
case requirements_to_unlock&.to_sym
|
|
176
|
-
when :none
|
|
177
|
-
new_version = latest_resolvable_version_with_no_unlock
|
|
178
|
-
new_version && new_version > version_class.new(dependency.version)
|
|
179
|
-
when :own
|
|
180
|
-
new_version = latest_resolvable_version
|
|
181
|
-
new_version && new_version > version_class.new(dependency.version)
|
|
182
|
-
when :all
|
|
183
|
-
latest_version_resolvable_with_full_unlock?
|
|
184
|
-
else raise "Unknown unlock level '#{requirements_to_unlock}'"
|
|
185
|
-
end
|
|
186
|
-
end
|
|
187
|
-
|
|
188
|
-
def requirements_up_to_date?
|
|
189
|
-
return true if (updated_requirements - dependency.requirements).none?
|
|
190
|
-
return false unless latest_version
|
|
191
|
-
return false unless version_class.correct?(latest_version.to_s)
|
|
192
|
-
return false unless version_from_requirements
|
|
193
|
-
|
|
194
|
-
version_from_requirements >= version_class.new(latest_version.to_s)
|
|
195
|
-
end
|
|
196
|
-
|
|
197
|
-
def version_from_requirements
|
|
198
|
-
@version_from_requirements ||=
|
|
199
|
-
dependency.requirements.map { |r| r.fetch(:requirement) }.compact.
|
|
200
|
-
flat_map { |req_str| requirement_class.requirements_array(req_str) }.
|
|
201
|
-
flat_map(&:requirements).
|
|
202
|
-
reject { |req_array| req_array.first.start_with?("<") }.
|
|
203
|
-
map(&:last).
|
|
204
|
-
max
|
|
205
|
-
end
|
|
206
|
-
|
|
207
|
-
def requirements_can_update?
|
|
208
|
-
changed_reqs = updated_requirements - dependency.requirements
|
|
209
|
-
|
|
210
|
-
return false if changed_reqs.none?
|
|
211
|
-
|
|
212
|
-
changed_reqs.none? { |r| r[:requirement] == :unfixable }
|
|
213
|
-
end
|
|
214
|
-
|
|
215
|
-
def ignore_reqs
|
|
216
|
-
ignored_versions.map { |req| requirement_class.new(req.split(",")) }
|
|
217
|
-
end
|
|
218
|
-
end
|
|
219
|
-
end
|
|
220
|
-
end
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
module Dependabot
|
|
4
|
-
module UpdateCheckers
|
|
5
|
-
@update_checkers = {}
|
|
6
|
-
|
|
7
|
-
def self.for_package_manager(package_manager)
|
|
8
|
-
update_checker = @update_checkers[package_manager]
|
|
9
|
-
return update_checker if update_checker
|
|
10
|
-
|
|
11
|
-
raise "Unsupported package_manager #{package_manager}"
|
|
12
|
-
end
|
|
13
|
-
|
|
14
|
-
def self.register(package_manager, update_checker)
|
|
15
|
-
@update_checkers[package_manager] = update_checker
|
|
16
|
-
end
|
|
17
|
-
end
|
|
18
|
-
end
|
data/lib/dependabot/utils.rb
DELETED
|
@@ -1,33 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
# TODO: in due course, these "registries" should live in a wrapper gem, not
|
|
4
|
-
# dependabot-core.
|
|
5
|
-
module Dependabot
|
|
6
|
-
module Utils
|
|
7
|
-
@version_classes = {}
|
|
8
|
-
|
|
9
|
-
def self.version_class_for_package_manager(package_manager)
|
|
10
|
-
version_class = @version_classes[package_manager]
|
|
11
|
-
return version_class if version_class
|
|
12
|
-
|
|
13
|
-
raise "Unsupported package_manager #{package_manager}"
|
|
14
|
-
end
|
|
15
|
-
|
|
16
|
-
def self.register_version_class(package_manager, version_class)
|
|
17
|
-
@version_classes[package_manager] = version_class
|
|
18
|
-
end
|
|
19
|
-
|
|
20
|
-
@requirement_classes = {}
|
|
21
|
-
|
|
22
|
-
def self.requirement_class_for_package_manager(package_manager)
|
|
23
|
-
requirement_class = @requirement_classes[package_manager]
|
|
24
|
-
return requirement_class if requirement_class
|
|
25
|
-
|
|
26
|
-
raise "Unsupported package_manager #{package_manager}"
|
|
27
|
-
end
|
|
28
|
-
|
|
29
|
-
def self.register_requirement_class(package_manager, requirement_class)
|
|
30
|
-
@requirement_classes[package_manager] = requirement_class
|
|
31
|
-
end
|
|
32
|
-
end
|
|
33
|
-
end
|
data/lib/dependabot/version.rb
DELETED
data/lib/dependabot.rb
DELETED
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require "rubygems/version"
|
|
4
|
-
|
|
5
|
-
# Opt in to Rubygems 4 behaviour
|
|
6
|
-
module Gem
|
|
7
|
-
class Version
|
|
8
|
-
def self.correct?(version)
|
|
9
|
-
return false if version.nil?
|
|
10
|
-
|
|
11
|
-
version.to_s.match?(ANCHORED_VERSION_PATTERN)
|
|
12
|
-
end
|
|
13
|
-
end
|
|
14
|
-
end
|