dependabot-dep 0.90.0

data/lib/dependabot/dep/update_checker/file_preparer.rb

@@ -0,0 +1,219 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+require "dependabot/dependency_file"
+require "dependabot/dep/file_parser"
+require "dependabot/dep/update_checker"
+
+module Dependabot
+  module Dep
+    class UpdateChecker
+      # This class takes a set of dependency files and prepares them for use
+      # in Dep::UpdateChecker.
+      class FilePreparer
+        def initialize(dependency_files:, dependency:,
+                       remove_git_source: false,
+                       unlock_requirement: true,
+                       replacement_git_pin: nil,
+                       latest_allowable_version: nil)
+          @dependency_files         = dependency_files
+          @dependency               = dependency
+          @unlock_requirement       = unlock_requirement
+          @remove_git_source        = remove_git_source
+          @replacement_git_pin      = replacement_git_pin
+          @latest_allowable_version = latest_allowable_version
+        end
+
+        def prepared_dependency_files
+          files = []
+
+          files << manifest_for_update_check
+          files << lockfile if lockfile
+
+          files
+        end
+
+        private
+
+        attr_reader :dependency_files, :dependency, :replacement_git_pin,
+                    :latest_allowable_version
+
+        def unlock_requirement?
+          @unlock_requirement
+        end
+
+        def remove_git_source?
+          @remove_git_source
+        end
+
+        def replace_git_pin?
+          !replacement_git_pin.nil?
+        end
+
+        def manifest_for_update_check
+          DependencyFile.new(
+            name: manifest.name,
+            content: manifest_content_for_update_check(manifest),
+            directory: manifest.directory
+          )
+        end
+
+        def manifest_content_for_update_check(file)
+          content = file.content
+
+          content = remove_git_source(content) if remove_git_source?
+          content = replace_git_pin(content) if replace_git_pin?
+          content = replace_version_constraint(content, file.name)
+          content = add_fsnotify_override(content)
+
+          content
+        end
+
+        def remove_git_source(content)
+          parsed_manifest = TomlRB.parse(content)
+
+          Dep::FileParser::REQUIREMENT_TYPES.each do |type|
+            (parsed_manifest[type] || []).each do |details|
+              next unless details["name"] == dependency.name
+
+              details.delete("revision")
+              details.delete("branch")
+            end
+          end
+
+          TomlRB.dump(parsed_manifest)
+        end
+
+        def replace_git_pin(content)
+          parsed_manifest = TomlRB.parse(content)
+
+          Dep::FileParser::REQUIREMENT_TYPES.each do |type|
+            (parsed_manifest[type] || []).each do |details|
+              next unless details["name"] == dependency.name
+
+              raise "Invalid details! #{details}" if details["branch"]
+
+              if details["version"]
+                details["version"] = replacement_git_pin
+              else
+                details["revision"] = replacement_git_pin
+              end
+            end
+          end
+
+          TomlRB.dump(parsed_manifest)
+        end
+
+        # Note: We don't need to care about formatting in this method, since
+        # we're only using the manifest to find the latest resolvable version
+        def replace_version_constraint(content, filename)
+          parsed_manifest = TomlRB.parse(content)
+
+          Dep::FileParser::REQUIREMENT_TYPES.each do |type|
+            (parsed_manifest[type] || []).each do |details|
+              next unless details["name"] == dependency.name
+              next if details["revision"] || details["branch"]
+              next if replacement_git_pin
+
+              updated_req = temporary_requirement_for_resolution(filename)
+
+              details["version"] = updated_req
+            end
+          end
+
+          TomlRB.dump(parsed_manifest)
+        end
+
+        # A dep bug means we have to specify a source for gopkg.in/fsnotify.v1
+        # or we get `panic: version queue is empty` errors
+        def add_fsnotify_override(content)
+          parsed_manifest = TomlRB.parse(content)
+
+          overrides = parsed_manifest.fetch("override", [])
+          dep_name = "gopkg.in/fsnotify.v1"
+
+          override = overrides.find { |s| s["name"] == dep_name }
+          if override.nil?
+            override = { "name" => dep_name }
+            overrides << override
+          end
+
+          unless override["source"]
+            override["source"] = "gopkg.in/fsnotify/fsnotify.v1"
+          end
+
+          parsed_manifest["override"] = overrides
+          TomlRB.dump(parsed_manifest)
+        end
+
+        def temporary_requirement_for_resolution(filename)
+          original_req = dependency.requirements.
+                         find { |r| r.fetch(:file) == filename }&.
+                         fetch(:requirement)
+
+          lower_bound_req =
+            if original_req && !unlock_requirement?
+              original_req
+            else
+              ">= #{lower_bound_version}"
+            end
+
+          unless latest_allowable_version &&
+                 version_class.correct?(latest_allowable_version) &&
+                 version_class.new(latest_allowable_version) >=
+                 version_class.new(lower_bound_version)
+            return lower_bound_req
+          end
+
+          lower_bound_req + ", <= #{latest_allowable_version}"
+        end
+
+        def lower_bound_version
+          @lower_bound_version ||=
+            if version_from_lockfile
+              version_from_lockfile
+            else
+              version_from_requirement =
+                dependency.requirements.map { |r| r.fetch(:requirement) }.
+                compact.
+                flat_map { |req_str| requirement_class.new(req_str) }.
+                flat_map(&:requirements).
+                reject { |req_array| req_array.first.start_with?("<") }.
+                map(&:last).
+                max&.to_s
+
+              version_from_requirement || 0
+            end
+        end
+
+        def version_from_lockfile
+          return unless lockfile
+
+          TomlRB.parse(lockfile.content).
+            fetch("projects", []).
+            find { |p| p["name"] == dependency.name }&.
+            fetch("version", nil)&.
+            sub(/^v?/, "")
+        end
+
+        def version_class
+          Utils.version_class_for_package_manager(dependency.package_manager)
+        end
+
+        def requirement_class
+          Utils.requirement_class_for_package_manager(
+            dependency.package_manager
+          )
+        end
+
+        def manifest
+          @manifest ||= dependency_files.find { |f| f.name == "Gopkg.toml" }
+        end
+
+        def lockfile
+          @lockfile ||= dependency_files.find { |f| f.name == "Gopkg.lock" }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/dep/update_checker/latest_version_finder.rb

@@ -0,0 +1,167 @@
+# frozen_string_literal: true
+
+require "excon"
+require "toml-rb"
+
+require "dependabot/source"
+require "dependabot/dep/update_checker"
+require "dependabot/git_commit_checker"
+require "dependabot/dep/path_converter"
+
+module Dependabot
+  module Dep
+    class UpdateChecker
+      class LatestVersionFinder
+        def initialize(dependency:, dependency_files:, credentials:,
+                       ignored_versions:)
+          @dependency       = dependency
+          @dependency_files = dependency_files
+          @credentials      = credentials
+          @ignored_versions = ignored_versions
+        end
+
+        def latest_version
+          @latest_version ||=
+            if git_dependency? then latest_version_for_git_dependency
+            else latest_release_tag_version
+            end
+        end
+
+        private
+
+        attr_reader :dependency, :dependency_files, :credentials,
+                    :ignored_versions
+
+        def latest_release_tag_version
+          if @latest_release_tag_lookup_attempted
+            return @latest_release_tag_version
+          end
+
+          @latest_release_tag_lookup_attempted = true
+
+          latest_release_str = fetch_latest_release_tag&.sub(/^v?/, "")
+          return unless latest_release_str
+          return unless version_class.correct?(latest_release_str)
+
+          @latest_release_tag_version =
+            version_class.new(latest_release_str)
+        end
+
+        def fetch_latest_release_tag
+          # If this is a git dependency then getting the latest tag is trivial
+          if git_dependency?
+            return git_commit_checker.
+                   local_tag_for_latest_version&.fetch(:tag)
+          end
+
+          # If not, we need to find the URL for the source code.
+          path = dependency.requirements.
+                 map { |r| r.dig(:source, :source) }.compact.first
+          path ||= dependency.name
+
+          source_url = git_source(path)
+          return unless source_url
+
+          # Given a source, we want to find the latest tag. Piggy-back off the
+          # logic in GitCommitChecker to do so.
+          git_dep = Dependency.new(
+            name: dependency.name,
+            version: dependency.version,
+            requirements: [{
+              file: "Gopkg.toml",
+              groups: [],
+              requirement: nil,
+              source: { type: "git", url: source_url }
+            }],
+            package_manager: dependency.package_manager
+          )
+
+          GitCommitChecker.
+            new(dependency: git_dep, credentials: credentials).
+            local_tag_for_latest_version&.fetch(:tag)
+        end
+
+        def latest_version_for_git_dependency
+          latest_release = latest_release_tag_version
+
+          # If there's been a release that includes the current pinned ref or
+          # that the current branch is behind, we switch to that release.
+          return latest_release if branch_or_ref_in_release?(latest_release)
+
+          # Otherwise, if the gem isn't pinned, the latest version is just the
+          # latest commit for the specified branch.
+          unless git_commit_checker.pinned?
+            return git_commit_checker.head_commit_for_current_branch
+          end
+
+          # If the dependency is pinned to a tag that looks like a version
+          # then we want to update that tag.
+          if git_commit_checker.pinned_ref_looks_like_version?
+            latest_tag = git_commit_checker.local_tag_for_latest_version
+            return version_from_tag(latest_tag)
+          end
+
+          # If the dependency is pinned to a tag that doesn't look like a
+          # version then there's nothing we can do.
+          nil
+        end
+
+        def git_source(path)
+          Dependabot::Dep::PathConverter.git_url_for_path(path)
+        end
+
+        def version_from_tag(tag)
+          # To compare with the current version we either use the commit SHA
+          # (if that's what the parser picked up) of the tag name.
+          if dependency.version&.match?(/^[0-9a-f]{40}$/)
+            return tag&.fetch(:commit_sha)
+          end
+
+          tag&.fetch(:tag)
+        end
+
+        def branch_or_ref_in_release?(release)
+          return false unless release
+
+          git_commit_checker.branch_or_ref_in_release?(release)
+        end
+
+        def git_dependency?
+          git_commit_checker.git_dependency?
+        end
+
+        def git_commit_checker
+          @git_commit_checker ||=
+            GitCommitChecker.new(
+              dependency: dependency,
+              credentials: credentials,
+              ignored_versions: ignored_versions
+            )
+        end
+
+        def parsed_file(file)
+          @parsed_file ||= {}
+          @parsed_file[file.name] ||= TomlRB.parse(file.content)
+        end
+
+        def version_class
+          Utils.version_class_for_package_manager(dependency.package_manager)
+        end
+
+        def manifest
+          @manifest ||= dependency_files.find { |f| f.name == "Gopkg.toml" }
+          raise "No Gopkg.lock!" unless @manifest
+
+          @manifest
+        end
+
+        def lockfile
+          @lockfile = dependency_files.find { |f| f.name == "Gopkg.lock" }
+          raise "No Gopkg.lock!" unless @lockfile
+
+          @lockfile
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/dep/update_checker/requirements_updater.rb

@@ -0,0 +1,221 @@
+# frozen_string_literal: true
+
+require "dependabot/dep/update_checker"
+require "dependabot/dep/requirement"
+require "dependabot/dep/version"
+
+module Dependabot
+  module Dep
+    class UpdateChecker
+      class RequirementsUpdater
+        class UnfixableRequirement < StandardError; end
+
+        VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-*]+)*/.freeze
+        ALLOWED_UPDATE_STRATEGIES = %i(widen_ranges bump_versions).freeze
+
+        def initialize(requirements:, updated_source:, update_strategy:,
+                       latest_version:, latest_resolvable_version:)
+          @requirements = requirements
+          @updated_source = updated_source
+          @update_strategy = update_strategy
+
+          check_update_strategy
+
+          if latest_version && version_class.correct?(latest_version)
+            @latest_version = version_class.new(latest_version)
+          end
+
+          return unless latest_resolvable_version
+          return unless version_class.correct?(latest_resolvable_version)
+
+          @latest_resolvable_version =
+            version_class.new(latest_resolvable_version)
+        end
+
+        def updated_requirements
+          requirements.map do |req|
+            req = req.merge(source: updated_source)
+            next req unless latest_resolvable_version
+            next initial_req_after_source_change(req) unless req[:requirement]
+
+            case update_strategy
+            when :widen_ranges then widen_requirement(req)
+            when :bump_versions then update_version(req)
+            else raise "Unexpected update strategy: #{update_strategy}"
+            end
+          end
+        end
+
+        private
+
+        attr_reader :requirements, :updated_source, :update_strategy,
+                    :latest_version, :latest_resolvable_version
+
+        def check_update_strategy
+          return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
+
+          raise "Unknown update strategy: #{update_strategy}"
+        end
+
+        def updating_from_git_to_version?
+          return false unless updated_source&.fetch(:type) == "default"
+
+          original_source = requirements.map { |r| r[:source] }.compact.first
+          original_source&.fetch(:type) == "git"
+        end
+
+        def initial_req_after_source_change(req)
+          return req unless updating_from_git_to_version?
+          return req unless req.fetch(:requirement).nil?
+
+          new_req =
+            if req.fetch(:file) == "go.mod"
+              "v#{latest_resolvable_version.to_s.gsub(/^v/, '')}"
+            else
+              "^#{latest_resolvable_version}"
+            end
+          req.merge(requirement: new_req)
+        end
+
+        def widen_requirement(req)
+          current_requirement = req[:requirement]
+          version = latest_resolvable_version
+
+          ruby_reqs = ruby_requirements(current_requirement)
+          return req if ruby_reqs.any? { |r| r.satisfied_by?(version) }
+
+          reqs = current_requirement.strip.split(",").map(&:strip)
+
+          updated_requirement =
+            if current_requirement.include?("||")
+              # Further widen the range by adding another OR condition
+              current_requirement + " || ^#{version}"
+            elsif reqs.any? { |r| r.match?(/(<|-\s)/) }
+              # Further widen the range by updating the upper bound
+              update_range_requirement(current_requirement)
+            else
+              # Convert existing requirement to a range
+              create_new_range_requirement(reqs)
+            end
+
+          req.merge(requirement: updated_requirement)
+        end
+
+        def update_version(req)
+          current_requirement = req[:requirement]
+          version = latest_resolvable_version
+
+          ruby_reqs = ruby_requirements(current_requirement)
+          reqs = current_requirement.strip.split(",").map(&:strip)
+
+          if ruby_reqs.any? { |r| r.satisfied_by?(version) } &&
+             current_requirement.match?(/(<|-\s|\|\|)/)
+            return req
+          end
+
+          updated_requirement =
+            if current_requirement.include?("||")
+              # Further widen the range by adding another OR condition
+              current_requirement + " || ^#{version}"
+            elsif reqs.any? { |r| r.match?(/(<|-\s)/) }
+              # Further widen the range by updating the upper bound
+              update_range_requirement(current_requirement)
+            else
+              update_version_requirement(reqs)
+            end
+
+          req.merge(requirement: updated_requirement)
+        end
+
+        def ruby_requirements(requirement_string)
+          requirement_class.requirements_array(requirement_string)
+        end
+
+        def update_range_requirement(req_string)
+          range_requirement = req_string.split(",").
+                              find { |r| r.match?(/<|(\s+-\s+)/) }
+
+          versions = range_requirement.scan(VERSION_REGEX)
+          upper_bound = versions.map { |v| version_class.new(v) }.max
+          new_upper_bound = update_greatest_version(
+            upper_bound,
+            latest_resolvable_version
+          )
+
+          req_string.sub(
+            upper_bound.to_s,
+            new_upper_bound.to_s
+          )
+        end
+
+        def create_new_range_requirement(string_reqs)
+          version = latest_resolvable_version
+
+          lower_bound =
+            string_reqs.
+            map { |req| requirement_class.new(req) }.
+            flat_map { |req| req.requirements.map(&:last) }.
+            min.to_s
+
+          upper_bound =
+            if string_reqs.first.start_with?("~") &&
+               version.to_s.split(".").count > 1
+              create_upper_bound_for_tilda_req(string_reqs.first)
+            else
+              upper_bound_parts = [version.to_s.split(".").first.to_i + 1]
+              upper_bound_parts.
+                fill("0", 1..(lower_bound.split(".").count - 1)).
+                join(".")
+            end
+
+          ">= #{lower_bound}, < #{upper_bound}"
+        end
+
+        def update_version_requirement(string_reqs)
+          version = latest_resolvable_version.to_s.gsub(/^v/, "")
+          current_req = string_reqs.first
+
+          current_req.gsub(VERSION_REGEX, version)
+        end
+
+        def create_upper_bound_for_tilda_req(string_req)
+          tilda_version = requirement_class.new(string_req).
+                          requirements.map(&:last).
+                          min.to_s
+
+          upper_bound_parts = latest_resolvable_version.to_s.split(".")
+          upper_bound_parts.slice(0, tilda_version.to_s.split(".").count)
+          upper_bound_parts[-1] = "0"
+          upper_bound_parts[-2] = (upper_bound_parts[-2].to_i + 1).to_s
+
+          upper_bound_parts.join(".")
+        end
+
+        def update_greatest_version(old_version, version_to_be_permitted)
+          version = version_class.new(old_version)
+          version = version.release if version.prerelease?
+
+          index_to_update =
+            version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+
+          version.segments.map.with_index do |_, index|
+            if index < index_to_update
+              version_to_be_permitted.segments[index]
+            elsif index == index_to_update
+              version_to_be_permitted.segments[index] + 1
+            else 0
+            end
+          end.join(".")
+        end
+
+        def version_class
+          Dep::Version
+        end
+
+        def requirement_class
+          Dep::Requirement
+        end
+      end
+    end
+  end
+end