dependabot-dep 0.98.20 → 0.98.21

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 25d9fbd5ca13697bcf844da93ff2c8b6bf07b137f3dc2f080de4f99b495e8f08
-  data.tar.gz: 19b88d89426783a2af49d481a29597f66f3fee2e5e61a00a4e996ef53ed38550
+  metadata.gz: '00096e0b4071e0de6ff0834999f8be1490a94c61dc3877c1792fd6c1043b053a'
+  data.tar.gz: ebbfb8f1d243ab660d2ca2363f3f9dc62949ed9518b18c485010fd84f6ed8f08
 SHA512:
-  metadata.gz: 58b7776865e9603e6295d77fd4211224186269ffa305ad7a894444aa5c794adeee0c463ca8543e5460a2faf88f76ef2de99cfd1c27d177aa8345e8c9eaf2c974
-  data.tar.gz: b87634b68eefcdb85f8dd55716c761d63582fc2cd40586f2bda86d29c562a82cca661a6e124b477929a176b18bd62db71a2a29eb36a7b325d69c7692a390e3c7
+  metadata.gz: 58b7be5c81a8dae12e91b07aad57a7c3a9b414a5160fe0fc53c01d053ad9e66c9ff029bbde0eeb630633a1be27cfab74430e5b79aa0825bed9ff27ba91957d17
+  data.tar.gz: bed06fccc861a585d907d992cf090121537630be948151bd3d123cd0e77b01b891782e0df1268e0d0a5728517bc2cd7772107787f907b2406f01dffe1204d477

data/lib/dependabot/dep/file_updater/lockfile_updater.rb

@@ -2,7 +2,6 @@
 
 require "toml-rb"
 require "open3"
-require "shellwords"
 require "dependabot/shared_helpers"
 require "dependabot/dependency_file"
 require "dependabot/dep/file_updater"
@@ -34,8 +33,7 @@ module Dependabot
                 # Note: We are currently doing a full install here (we're not
                 # passing no-vendor) because dep needs to generate the digests
                 # for each project.
-                cmd_parts = ["dep", "ensure", "-update"] + deps.map(&:name)
-                command = Shellwords.join(cmd_parts)
+                command = "dep ensure -update #{deps.map(&:name).join(' ')}"
                 dir_parts = dir.realpath.to_s.split("/")
                 gopath = File.join(dir_parts[0..-(base_parts + 1)])
                 run_shell_command(command, "GOPATH" => gopath)
@@ -53,6 +51,7 @@ module Dependabot
 
         def run_shell_command(command, env = {})
           start = Time.now
+          command = SharedHelpers.escape_command(command)
           stdout, process = Open3.capture2e(env, command)
           time_taken = Time.now - start
 

data/lib/dependabot/dep/update_checker/version_resolver.rb

@@ -2,7 +2,6 @@
 
 require "toml-rb"
 require "open3"
-require "shellwords"
 require "dependabot/shared_helpers"
 require "dependabot/dep/update_checker"
 require "dependabot/errors"
@@ -45,10 +44,7 @@ module Dependabot
               SharedHelpers.with_git_configured(credentials: credentials) do
                 # Shell out to dep, which handles everything for us, and does
                 # so without doing an install (so it's fast).
-                cmd_parts = ["dep", "ensure", "-update", "--no-vendor",
-                             dependency.name]
-                command = Shellwords.join(cmd_parts)
-
+                command = "dep ensure -update --no-vendor #{dependency.name}"
                 dir_parts = dir.realpath.to_s.split("/")
                 gopath = File.join(dir_parts[0..-(base_parts + 1)])
                 run_shell_command(command, "GOPATH" => gopath)
@@ -99,6 +95,7 @@ module Dependabot
 
         def run_shell_command(command, env = {})
           start = Time.now
+          command = SharedHelpers.escape_command(command)
           stdout, process = Open3.capture2e(env, command)
           time_taken = Time.now - start
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-dep
 version: !ruby/object:Gem::Version
-  version: 0.98.20
+  version: 0.98.21
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.98.20
+        version: 0.98.21
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.98.20
+        version: 0.98.21
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement