dependabot-core 0.76.10 → 0.76.11
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -0
- data/helpers/python/lib/parser.py +3 -3
- data/lib/dependabot/file_parsers/java/gradle.rb +1 -1
- data/lib/dependabot/file_parsers/python/pip/setup_file_parser.rb +4 -0
- data/lib/dependabot/file_updaters/java/maven/declaration_finder.rb +16 -0
- data/lib/dependabot/file_updaters/java_script/npm_and_yarn/npm_lockfile_updater.rb +11 -7
- data/lib/dependabot/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a5a81bf12f28897fd225b92b4e37e0476b0896fcc58685457173f696f3010c44
|
|
4
|
+
data.tar.gz: b30ff79c7eb025531e5d559270f7f13b06d4a0fd099f478a3019a9ad9fa2fe63
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b1379cee6737a8d68f06463024c9793f1db3ffc0750af144e358e717ae8fab08febb492c7ff4638bd8b74980d257cf7ca50d901be33f51e757409dc5ee68c8cc
|
|
7
|
+
data.tar.gz: 527956ec32bea4528e5868d2168cd9ac5c23331783a8da287393a00b7a669dee2a8cfdb91066bbd315deb93dd23b623c0f4461e2ff177d2eda1bfb33ca7e2f4f
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,10 @@
|
|
|
1
|
+
## v0.76.11, 7 December 2018
|
|
2
|
+
|
|
3
|
+
- Python: Ignore dependencies that we had to insert a version for
|
|
4
|
+
- JS(npm): Raise helpful errer for forbidden missing deps
|
|
5
|
+
- Gradle: Don't consider dependencies that concatenate properties to build a version
|
|
6
|
+
- Maven: Check distribution type when looking up declaration to update
|
|
7
|
+
|
|
1
8
|
## v0.76.10, 6 December 2018
|
|
2
9
|
|
|
3
10
|
- Cache commit tag lookup in changelog finder
|
|
@@ -92,8 +92,8 @@ def parse_setup(directory):
|
|
|
92
92
|
|
|
93
93
|
global fake_open
|
|
94
94
|
def fake_open(*args, **kwargs):
|
|
95
|
-
content = ("VERSION = (0, 0, 1)\n"
|
|
96
|
-
"__version__ = '0.0.1'\n"
|
|
95
|
+
content = ("VERSION = ('0', '0', '1+dependabot')\n"
|
|
96
|
+
"__version__ = '0.0.1+dependabot'\n"
|
|
97
97
|
"__author__ = 'someone'\n"
|
|
98
98
|
"__title__ = 'something'\n"
|
|
99
99
|
"__description__ = 'something'\n"
|
|
@@ -113,7 +113,7 @@ def parse_setup(directory):
|
|
|
113
113
|
content = re.sub(version_re, "", content)
|
|
114
114
|
|
|
115
115
|
# Set variables likely to be imported
|
|
116
|
-
__version__ = '0.0.1'
|
|
116
|
+
__version__ = '0.0.1+dependabot'
|
|
117
117
|
__author__ = 'someone'
|
|
118
118
|
__title__ = 'something'
|
|
119
119
|
__description__ = 'something'
|
|
@@ -175,7 +175,7 @@ module Dependabot
|
|
|
175
175
|
end
|
|
176
176
|
|
|
177
177
|
def evaluated_value(value, buildfile)
|
|
178
|
-
return value unless value.
|
|
178
|
+
return value unless value.scan(PROPERTY_REGEX).count == 1
|
|
179
179
|
|
|
180
180
|
property_name = value.match(PROPERTY_REGEX).
|
|
181
181
|
named_captures.fetch("property_name")
|
|
@@ -29,6 +29,10 @@ module Dependabot
|
|
|
29
29
|
# probably blocked. Ignore it.
|
|
30
30
|
next if dep["markers"].include?("<")
|
|
31
31
|
|
|
32
|
+
# If the requirement is our inserted version, ignore it
|
|
33
|
+
# (we wouldn't be able to update it)
|
|
34
|
+
next if dep["version"] == "0.0.1+dependabot"
|
|
35
|
+
|
|
32
36
|
dependencies <<
|
|
33
37
|
Dependency.new(
|
|
34
38
|
name: normalised_name(dep["name"]),
|
|
@@ -59,6 +59,7 @@ module Dependabot
|
|
|
59
59
|
].compact.join(":")
|
|
60
60
|
|
|
61
61
|
next false unless node_name == dependency_name
|
|
62
|
+
next false unless packaging_type_matches?(node)
|
|
62
63
|
|
|
63
64
|
declaring_requirement_matches?(node)
|
|
64
65
|
end
|
|
@@ -99,6 +100,21 @@ module Dependabot
|
|
|
99
100
|
end
|
|
100
101
|
end
|
|
101
102
|
|
|
103
|
+
def packaging_type_matches?(node)
|
|
104
|
+
type = declaring_requirement.dig(:metadata, :packaging_type)
|
|
105
|
+
type == packaging_type(node)
|
|
106
|
+
end
|
|
107
|
+
|
|
108
|
+
def packaging_type(dependency_node)
|
|
109
|
+
return "pom" if dependency_node.child.node_name == "parent"
|
|
110
|
+
return "jar" unless dependency_node.at_xpath("./*/type")
|
|
111
|
+
|
|
112
|
+
packaging_type_content = dependency_node.at_xpath("./*/type").
|
|
113
|
+
content.strip
|
|
114
|
+
|
|
115
|
+
evaluated_value(packaging_type_content)
|
|
116
|
+
end
|
|
117
|
+
|
|
102
118
|
def evaluated_value(value)
|
|
103
119
|
unless value.match?(FileParsers::Java::Maven::PROPERTY_REGEX)
|
|
104
120
|
return value
|
|
@@ -175,7 +175,7 @@ module Dependabot
|
|
|
175
175
|
error.message.match(MISSING_PACKAGE).
|
|
176
176
|
named_captures["package_req"].
|
|
177
177
|
split(/(?<=\w)\@/).first
|
|
178
|
-
handle_missing_package(package_name)
|
|
178
|
+
handle_missing_package(package_name, error, lockfile)
|
|
179
179
|
end
|
|
180
180
|
names = dependencies.map(&:name)
|
|
181
181
|
if names.any? { |name| error.message.include?("#{name}@") } &&
|
|
@@ -209,7 +209,7 @@ module Dependabot
|
|
|
209
209
|
error.message.match(FORBIDDEN_PACKAGE).
|
|
210
210
|
named_captures["package_req"].
|
|
211
211
|
split(/(?<=\w)\@/).first
|
|
212
|
-
handle_missing_package(package_name)
|
|
212
|
+
handle_missing_package(package_name, error, lockfile)
|
|
213
213
|
end
|
|
214
214
|
if error.message.match?(UNREACHABLE_GIT)
|
|
215
215
|
dependency_url =
|
|
@@ -232,14 +232,14 @@ module Dependabot
|
|
|
232
232
|
raise Dependabot::DependencyFileNotResolvable, msg
|
|
233
233
|
end
|
|
234
234
|
|
|
235
|
-
def handle_missing_package(package_name)
|
|
235
|
+
def handle_missing_package(package_name, error, lockfile)
|
|
236
236
|
missing_dep = FileParsers::JavaScript::NpmAndYarn.new(
|
|
237
237
|
dependency_files: dependency_files,
|
|
238
238
|
source: nil,
|
|
239
239
|
credentials: credentials
|
|
240
240
|
).parse.find { |dep| dep.name == package_name }
|
|
241
241
|
|
|
242
|
-
|
|
242
|
+
raise_resolvability_error(error, lockfile) unless missing_dep
|
|
243
243
|
|
|
244
244
|
reg = UpdateCheckers::JavaScript::NpmAndYarn::RegistryFinder.new(
|
|
245
245
|
dependency: missing_dep,
|
|
@@ -250,13 +250,17 @@ module Dependabot
|
|
|
250
250
|
find { |f| f.name.end_with?(".yarnrc") }
|
|
251
251
|
).registry
|
|
252
252
|
|
|
253
|
-
if reg
|
|
254
|
-
return
|
|
255
|
-
end
|
|
253
|
+
return if central_registry?(reg) && !package_name.start_with?("@")
|
|
256
254
|
|
|
257
255
|
raise Dependabot::PrivateSourceAuthenticationFailure, reg
|
|
258
256
|
end
|
|
259
257
|
|
|
258
|
+
def central_registry?(registry)
|
|
259
|
+
FileParsers::JavaScript::NpmAndYarn::CENTRAL_REGISTRIES.any? do |r|
|
|
260
|
+
r.include?(registry)
|
|
261
|
+
end
|
|
262
|
+
end
|
|
263
|
+
|
|
260
264
|
def resolvable_before_update?(lockfile)
|
|
261
265
|
@resolvable_before_update ||= {}
|
|
262
266
|
if @resolvable_before_update.key?(lockfile.name)
|
data/lib/dependabot/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.76.
|
|
4
|
+
version: 0.76.11
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-12-
|
|
11
|
+
date: 2018-12-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-ecr
|