dependabot-core 0.76.10 → 0.76.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/helpers/python/lib/parser.py +3 -3
- data/lib/dependabot/file_parsers/java/gradle.rb +1 -1
- data/lib/dependabot/file_parsers/python/pip/setup_file_parser.rb +4 -0
- data/lib/dependabot/file_updaters/java/maven/declaration_finder.rb +16 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn/npm_lockfile_updater.rb +11 -7
- data/lib/dependabot/version.rb +1 -1
- metadata +2 -2
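--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a5a81bf12f28897fd225b92b4e37e0476b0896fcc58685457173f696f3010c44
+data.tar.gz: b30ff79c7eb025531e5d559270f7f13b06d4a0fd099f478a3019a9ad9fa2fe63
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b1379cee6737a8d68f06463024c9793f1db3ffc0750af144e358e717ae8fab08febb492c7ff4638bd8b74980d257cf7ca50d901be33f51e757409dc5ee68c8cc
+data.tar.gz: 527956ec32bea4528e5868d2168cd9ac5c23331783a8da287393a00b7a669dee2a8cfdb91066bbd315deb93dd23b623c0f4461e2ff177d2eda1bfb33ca7e2f4f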
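--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,10 @@
+## v0.76.11, 7 December 2018
+
+- Python: Ignore dependencies that we had to insert a version for
+- JS(npm): Raise helpful errer for forbidden missing deps
+- Gradle: Don't consider dependencies that concatenate properties to build a version
+- Maven: Check distribution type when looking up declaration to update
+
 ## v0.76.10, 6 December 2018
 
 - Cache commit tag lookup in changelog finder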
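--- a/data/helpers/python/lib/parser.py
+++ b/data/helpers/python/lib/parser.py
@@ -92,8 +92,8 @@ def parse_setup(directory):
 
 global fake_open
 def fake_open(*args, **kwargs):
-content = ("VERSION = (0, 0, 1)\n"
-"__version__ = '0.0.1'\n"
+content = ("VERSION = ('0', '0', '1+dependabot')\n"
+"__version__ = '0.0.1+dependabot'\n"
 "__author__ = 'someone'\n"
 "__title__ = 'something'\n"
 "__description__ = 'something'\n"
@@ -113,7 +113,7 @@ def parse_setup(directory):
 content = re.sub(version_re, "", content)
 
 # Set variables likely to be imported
-__version__ = '0.0.1'
+__version__ = '0.0.1+dependabot'
 __author__ = 'someone'
 __title__ = 'something'
 __description__ = 'something'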
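Review bot: The sentinel `'0.0.1+dependabot'` now appears three times across both hunks of this file and is matched byte-for-byte by `setup_file_parser.rb` in the same release, yet nothing in the code records that coupling. A module-level constant such as `DEPENDABOT_VERSION = '0.0.1+dependabot'`, interpolated into `content` in `fake_open` and assigned on line 116, would leave one place to change, with a comment like `# Must stay identical to the value setup_file_parser.rb filters out`. The switch of `VERSION` from an int tuple to a string tuple is presumably so the `+dependabot` suffix survives a `'.'.join(...)` in setup.py; a short comment saying so would spare the next reader the guess. `parse_setup` starts and ends outside both hunks.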
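--- a/data/lib/dependabot/file_parsers/java/gradle.rb
+++ b/data/lib/dependabot/file_parsers/java/gradle.rb
@@ -175,7 +175,7 @@ module Dependabot
 end
 
 def evaluated_value(value, buildfile)
-return value unless value.
+return value unless value.scan(PROPERTY_REGEX).count == 1
 
 property_name = value.match(PROPERTY_REGEX).
 named_captures.fetch("property_name")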
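Review bot: The new guard `return value unless value.scan(PROPERTY_REGEX).count == 1` returns the raw string both when there is no property reference and when there are several, but only the first case is obvious from the code. A comment on that line would make the second explicit, e.g. `# Values built from several properties (e.g. "${major}.${minor}") are returned unevaluated rather than partially resolved`. If a terser form is preferred, `value.scan(PROPERTY_REGEX).one?` expresses the same "exactly one reference" intent. `evaluated_value` continues past the end of the hunk.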
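--- a/data/lib/dependabot/file_parsers/python/pip/setup_file_parser.rb
+++ b/data/lib/dependabot/file_parsers/python/pip/setup_file_parser.rb
@@ -29,6 +29,10 @@ module Dependabot
 # probably blocked. Ignore it.
 next if dep["markers"].include?("<")
 
+# If the requirement is our inserted version, ignore it
+# (we wouldn't be able to update it)
+next if dep["version"] == "0.0.1+dependabot"
+
 dependencies <<
 Dependency.new(
 name: normalised_name(dep["name"]),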
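Review bot: `next if dep["version"] == "0.0.1+dependabot"` hard-codes the sentinel that the Python helper (`data/helpers/python/lib/parser.py`, changed in this same release) injects, and the comment above it does not say where the value comes from, so the two can drift apart silently. Naming it once at class level, `INSERTED_VERSION = "0.0.1+dependabot"`, using `next if dep["version"] == INSERTED_VERSION` here, and extending the comment to `# (helpers/python/lib/parser.py inserts this exact string; keep them in sync)` would make the coupling visible. The loop this `next` belongs to starts and ends outside the hunk.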
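--- a/data/lib/dependabot/file_updaters/java/maven/declaration_finder.rb
+++ b/data/lib/dependabot/file_updaters/java/maven/declaration_finder.rb
@@ -59,6 +59,7 @@ module Dependabot
 ].compact.join(":")
 
 next false unless node_name == dependency_name
+next false unless packaging_type_matches?(node)
 
 declaring_requirement_matches?(node)
 end
@@ -99,6 +100,21 @@ module Dependabot
 end
 end
 
+def packaging_type_matches?(node)
+type = declaring_requirement.dig(:metadata, :packaging_type)
+type == packaging_type(node)
+end
+
+def packaging_type(dependency_node)
+return "pom" if dependency_node.child.node_name == "parent"
+return "jar" unless dependency_node.at_xpath("./*/type")
+
+packaging_type_content = dependency_node.at_xpath("./*/type").
+content.strip
+
+evaluated_value(packaging_type_content)
+end
+
 def evaluated_value(value)
 unless value.match?(FileParsers::Java::Maven::PROPERTY_REGEX)
 return value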
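Review bot: `packaging_type_matches?` compares `declaring_requirement.dig(:metadata, :packaging_type)` with `packaging_type(node)` using `==`, so a requirement whose metadata carries no `:packaging_type` (nil) can never match any node, and the first hunk's `next false unless packaging_type_matches?(node)` would then reject every candidate declaration; whether the parser always populates that key is not visible here, so if it can be absent a `return true if type.nil?` guard keeps the previous behaviour for those requirements. In `packaging_type`, `dependency_node.at_xpath("./*/type")` is evaluated twice; binding it once reads cleaner: `type_node = dependency_node.at_xpath("./*/type")`, `return "jar" unless type_node`, `evaluated_value(type_node.content.strip)`. A one-line comment on the `"pom"` branch would also help, e.g. `# <parent> declarations are always pom-packaged, so no <type> lookup is needed`. Both hunks sit inside a class whose definition starts and ends outside the view.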
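--- a/data/lib/dependabot/file_updaters/java_script/npm_and_yarn/npm_lockfile_updater.rb
+++ b/data/lib/dependabot/file_updaters/java_script/npm_and_yarn/npm_lockfile_updater.rb
@@ -175,7 +175,7 @@ module Dependabot
 error.message.match(MISSING_PACKAGE).
 named_captures["package_req"].
 split(/(?<=\w)\@/).first
-handle_missing_package(package_name)
+handle_missing_package(package_name, error, lockfile)
 end
 names = dependencies.map(&:name)
 if names.any? { |name| error.message.include?("#{name}@") } &&
@@ -209,7 +209,7 @@ module Dependabot
 error.message.match(FORBIDDEN_PACKAGE).
 named_captures["package_req"].
 split(/(?<=\w)\@/).first
-handle_missing_package(package_name)
+handle_missing_package(package_name, error, lockfile)
 end
 if error.message.match?(UNREACHABLE_GIT)
 dependency_url =
@@ -232,14 +232,14 @@ module Dependabot
 raise Dependabot::DependencyFileNotResolvable, msg
 end
 
-def handle_missing_package(package_name)
+def handle_missing_package(package_name, error, lockfile)
 missing_dep = FileParsers::JavaScript::NpmAndYarn.new(
 dependency_files: dependency_files,
 source: nil,
 credentials: credentials
 ).parse.find { |dep| dep.name == package_name }
 
-
+raise_resolvability_error(error, lockfile) unless missing_dep
 
 reg = UpdateCheckers::JavaScript::NpmAndYarn::RegistryFinder.new(
 dependency: missing_dep,
@@ -250,13 +250,17 @@ module Dependabot
 find { |f| f.name.end_with?(".yarnrc") }
 ).registry
 
-if reg
-return
-end
+return if central_registry?(reg) && !package_name.start_with?("@")
 
 raise Dependabot::PrivateSourceAuthenticationFailure, reg
 end
 
+def central_registry?(registry)
+FileParsers::JavaScript::NpmAndYarn::CENTRAL_REGISTRIES.any? do |r|
+r.include?(registry)
+end
+end
+
 def resolvable_before_update?(lockfile)
 @resolvable_before_update ||= {}
 if @resolvable_before_update.key?(lockfile.name)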
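Review bot: `central_registry?` in the last hunk classifies by substring, so any `registry` value that happens to be a fragment of a central registry URL — including the empty string, since `String#include?("")` is always true — is treated as central and `handle_missing_package` returns silently instead of raising `PrivateSourceAuthenticationFailure`, while a `nil` registry would raise `TypeError` from `include?` before the intended error is reached. Whether `RegistryFinder#registry` can yield nil or an empty string is not visible here; if it can, a guard such as `return false if registry.nil? || registry.empty?` at the top of `central_registry?` keeps the failure path informative, and an exact comparison against the host would be stricter than `include?`. The line `return if central_registry?(reg) && !package_name.start_with?("@")` also deserves a comment explaining the scoped-package exclusion, e.g. `# Scoped packages (@org/pkg) may be private even on a public registry, so only unscoped misses are treated as benign`. `handle_missing_package` is shown in full, but the two calling methods in the first hunks start and end outside the view.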
data/lib/dependabot/version.rb
CHANGED
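--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-core
 version: !ruby/object:Gem::Version
-version: 0.76.
+version: 0.76.11
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-12-
+date: 2018-12-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk-ecr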