dependabot-dep 0.90.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/helpers/Makefile +9 -0
- data/helpers/build +26 -0
- data/helpers/go.mod +8 -0
- data/helpers/go.sum +2 -0
- data/helpers/importresolver/go.mod +1 -0
- data/helpers/importresolver/main.go +34 -0
- data/helpers/main.go +67 -0
- data/lib/dependabot/dep.rb +11 -0
- data/lib/dependabot/dep/file_fetcher.rb +70 -0
- data/lib/dependabot/dep/file_parser.rb +189 -0
- data/lib/dependabot/dep/file_updater.rb +78 -0
- data/lib/dependabot/dep/file_updater/lockfile_updater.rb +220 -0
- data/lib/dependabot/dep/file_updater/manifest_updater.rb +151 -0
- data/lib/dependabot/dep/metadata_finder.rb +57 -0
- data/lib/dependabot/dep/native_helpers.rb +20 -0
- data/lib/dependabot/dep/path_converter.rb +72 -0
- data/lib/dependabot/dep/requirement.rb +152 -0
- data/lib/dependabot/dep/update_checker.rb +312 -0
- data/lib/dependabot/dep/update_checker/file_preparer.rb +219 -0
- data/lib/dependabot/dep/update_checker/latest_version_finder.rb +167 -0
- data/lib/dependabot/dep/update_checker/requirements_updater.rb +221 -0
- data/lib/dependabot/dep/update_checker/version_resolver.rb +166 -0
- data/lib/dependabot/dep/version.rb +43 -0
- metadata +192 -0
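--- a/data/lib/dependabot/dep/update_checker/version_resolver.rb
+++ b/data/lib/dependabot/dep/update_checker/version_resolver.rb
@@ -0,0 +1,166 @@
+# frozen_string_literal: true
+
+require "toml-rb"
+require "open3"
+require "dependabot/shared_helpers"
+require "dependabot/dep/update_checker"
+require "dependabot/errors"
+
+module Dependabot
+module Dep
+class UpdateChecker
+class VersionResolver
+NOT_FOUND_REGEX =
+/failed to list versions for (?<repo_url>.*?):\s+/.freeze
+INDEX_OUT_OF_RANGE_REGEX =
+/panic: runtime error: index out of range.*findValidVersion/m.freeze
+
+def initialize(dependency:, dependency_files:, credentials:)
+@dependency = dependency
+@dependency_files = dependency_files
+@credentials = credentials
+end
+
+def latest_resolvable_version
+if defined?(@latest_resolvable_version)
+return @latest_resolvable_version
+end
+
+@latest_resolvable_version = fetch_latest_resolvable_version
+end
+
+private
+
+attr_reader :dependency, :dependency_files, :credentials
+
+def fetch_latest_resolvable_version
+base_directory = File.join("src", "project",
+dependency_files.first.directory)
+base_parts = base_directory.split("/").length
+updated_version =
+SharedHelpers.in_a_temporary_directory(base_directory) do |dir|
+write_temporary_dependency_files
+
+SharedHelpers.with_git_configured(credentials: credentials) do
+# Shell out to dep, which handles everything for us, and does
+# so without doing an install (so it's fast).
+command = "dep ensure -update --no-vendor #{dependency.name}"
+dir_parts = dir.realpath.to_s.split("/")
+gopath = File.join(dir_parts[0..-(base_parts + 1)])
+run_shell_command(command, "GOPATH" => gopath)
+end
+
+new_lockfile_content = File.read("Gopkg.lock")
+
+get_version_from_lockfile(new_lockfile_content)
+end
+
+updated_version
+rescue SharedHelpers::HelperSubprocessFailed => error
+handle_dep_errors(error)
+end
+
+def get_version_from_lockfile(lockfile_content)
+package = TomlRB.parse(lockfile_content).fetch("projects").
+find { |p| p["name"] == dependency.name }
+
+version = package["version"]
+
+if version && version_class.correct?(version.sub(/^v?/, ""))
+version_class.new(version.sub(/^v?/, ""))
+elsif version
+version
+else
+package.fetch("revision")
+end
+end
+
+def handle_dep_errors(error)
+if error.message.match?(NOT_FOUND_REGEX)
+url = error.message.match(NOT_FOUND_REGEX).
+named_captures.fetch("repo_url")
+
+raise Dependabot::GitDependenciesNotReachable, url
+end
+
+# A dep bug that probably isn't going to be fixed any time soon :-(
+# - https://github.com/golang/dep/issues/1437
+# - https://github.com/golang/dep/issues/649
+# - https://github.com/golang/dep/issues/2041
+# - https://twitter.com/miekg/status/996682296739745792
+return if error.message.match?(INDEX_OUT_OF_RANGE_REGEX)
+
+raise
+end
+
+def run_shell_command(command, env = {})
+start = Time.now
+stdout, process = Open3.capture2e(env, command)
+time_taken = start - Time.now
+
+# Raise an error with the output from the shell session if dep
+# returns a non-zero status
+return if process.success?
+
+raise SharedHelpers::HelperSubprocessFailed.new(
+message: stdout,
+error_context: {
+command: command,
+time_taken: time_taken,
+process_exit_value: process.to_s
+}
+)
+end
+
+def write_temporary_dependency_files
+dependency_files.each do |file|
+path = file.name
+FileUtils.mkdir_p(Pathname.new(path).dirname)
+File.write(file.name, file.content)
+end
+
+File.write("hello.go", dummy_app_content)
+end
+
+def dummy_app_content
+base = "package main\n\n"\
+"import \"fmt\"\n\n"
+
+packages_to_import.each { |nm| base += "import \"#{nm}\"\n\n" }
+
+base + "func main() {\n fmt.Printf(\"hello, world\\n\")\n}"
+end
+
+def packages_to_import
+return [] unless lockfile
+
+parsed_lockfile = TomlRB.parse(lockfile.content)
+
+# If the lockfile was created using dep v0.5.0+ then it will tell us
+# exactly which packages to import
+if parsed_lockfile.dig("solve-meta", "input-imports")
+return parsed_lockfile.dig("solve-meta", "input-imports")
+end
+
+# Otherwise we have no way of knowing, so import everything in the
+# lockfile that isn't marked as internal
+parsed_lockfile.fetch("projects").flat_map do |dep|
+dep["packages"].map do |package|
+next if package.start_with?("internal")
+
+package == "." ? dep["name"] : File.join(dep["name"], package)
+end.compact
+end
+end
+
+def lockfile
+@lockfile = dependency_files.find { |f| f.name == "Gopkg.lock" }
+end
+
+def version_class
+Utils.version_class_for_package_manager(dependency.package_manager)
+end
+end
+end
+end
+end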
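Review bot: `command = "dep ensure -update --no-vendor #{dependency.name}"` (hunk line 47) builds a single string that `Open3.capture2e(env, command)` (line 98) hands to `/bin/sh -c` as soon as it contains shell metacharacters, and `dependency.name` appears to originate from the repository's own Gopkg manifest/lockfile (the parser is not in view), so a crafted dependency name can execute arbitrary commands in the temp directory while the credentials from `with_git_configured` are in effect. Pass an argv list so no shell is ever involved: `command = ["dep", "ensure", "-update", "--no-vendor", dependency.name]`, then `stdout, process = Open3.capture2e(env, *command)`, and `command: command.join(" ")` in `error_context`. Separately, `time_taken = start - Time.now` on line 99 is inverted and records a negative duration; `Time.now - start` (or `Process.clock_gettime(Process::CLOCK_MONOTONIC)` deltas) is presumably what the error context is meant to carry. Whether `dependency.name` is validated upstream before reaching this class cannot be confirmed from this hunk.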
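--- a/data/lib/dependabot/dep/version.rb
+++ b/data/lib/dependabot/dep/version.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "rubygems_version_patch"
+require "dependabot/utils"
+
+# Go pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
+# converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
+# alteration.
+# Best docs are at https://github.com/Masterminds/semver
+
+module Dependabot
+module Dep
+class Version < Gem::Version
+VERSION_PATTERN = '[0-9]+[0-9a-zA-Z]*(?>\.[0-9a-zA-Z]+)*' \
+'(-[0-9A-Za-z-]+(\.[0-9a-zA-Z-]+)*)?' \
+'(\+incompatible)?'
+ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/.freeze
+
+def self.correct?(version)
+version = version.gsub(/^v/, "") if version.is_a?(String)
+version = version.to_s.split("+").first if version.to_s.include?("+")
+super(version)
+end
+
+def initialize(version)
+@version_string = version.to_s.gsub(/^v/, "")
+version = version.gsub(/^v/, "") if version.is_a?(String)
+version = version.to_s.split("+").first if version.to_s.include?("+")
+super
+end
+
+def inspect # :nodoc:
+"#<#{self.class} #{@version_string.inspect}>"
+end
+
+def to_s
+@version_string
+end
+end
+end
+end
+
+Dependabot::Utils.register_version_class("dep", Dependabot::Dep::Version)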
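Review bot: The `v` prefix is stripped with `/^v/` in `correct?` (hunk line 20) and twice in `initialize` (lines 26–27); in Ruby `^` matches after any newline, so `gsub` will also rewrite a `v` that begins a second line of a multi-line input rather than touching only the leading prefix, and `@version_string` keeps that rewritten text even though `Gem::Version`'s own `\z`-anchored check would reject such a value. Use the string anchor and a non-global substitution in all three places: `version = version.sub(/\Av/, "") if version.is_a?(String)` and `@version_string = version.to_s.sub(/\Av/, "")`. Note also that the `+` suffix is split off before `super` is called, so the `(\+incompatible)?` alternative in `VERSION_PATTERN` is never exercised through these two entry points; whether `ANCHORED_VERSION_PATTERN` is consulted elsewhere (e.g. by `rubygems_version_patch`) is not visible in this hunk.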
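--- a/metadata
+++ b/metadata
@@ -0,0 +1,192 @@
+--- !ruby/object:Gem::Specification
+name: dependabot-dep
+version: !ruby/object:Gem::Version
+version: 0.90.0
+platform: ruby
+authors:
+- Dependabot
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2019-01-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: dependabot-core
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 0.90.0
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 0.90.0
+- !ruby/object:Gem::Dependency
+name: byebug
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '10.0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '10.0'
+- !ruby/object:Gem::Dependency
+name: rake
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '12'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '12'
+- !ruby/object:Gem::Dependency
+name: rspec
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.8'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.8'
+- !ruby/object:Gem::Dependency
+name: rspec-its
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.2'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.2'
+- !ruby/object:Gem::Dependency
+name: rspec_junit_formatter
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '0.4'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '0.4'
+- !ruby/object:Gem::Dependency
+name: rubocop
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '0.61'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '0.61'
+- !ruby/object:Gem::Dependency
+name: vcr
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '4.0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '4.0'
+- !ruby/object:Gem::Dependency
+name: webmock
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.4'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3.4'
+description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
+Rust, Java, .NET, Elm and Go
+email: support@dependabot.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- helpers/Makefile
+- helpers/build
+- helpers/go.mod
+- helpers/go.sum
+- helpers/importresolver/go.mod
+- helpers/importresolver/main.go
+- helpers/main.go
+- lib/dependabot/dep.rb
+- lib/dependabot/dep/file_fetcher.rb
+- lib/dependabot/dep/file_parser.rb
+- lib/dependabot/dep/file_updater.rb
+- lib/dependabot/dep/file_updater/lockfile_updater.rb
+- lib/dependabot/dep/file_updater/manifest_updater.rb
+- lib/dependabot/dep/metadata_finder.rb
+- lib/dependabot/dep/native_helpers.rb
+- lib/dependabot/dep/path_converter.rb
+- lib/dependabot/dep/requirement.rb
+- lib/dependabot/dep/update_checker.rb
+- lib/dependabot/dep/update_checker/file_preparer.rb
+- lib/dependabot/dep/update_checker/latest_version_finder.rb
+- lib/dependabot/dep/update_checker/requirements_updater.rb
+- lib/dependabot/dep/update_checker/version_resolver.rb
+- lib/dependabot/dep/version.rb
+homepage: https://github.com/dependabot/dependabot-core
+licenses:
+- Nonstandard
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.5.0
+requirements: []
+rubygems_version: 3.0.1
+signing_key:
+specification_version: 4
+summary: Go dep support for dependabot-core
+test_files: []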