dependabot-docker 0.138.2 → 0.138.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4313615ae9f2f6c0efeb65418663ec45f1f7965a7ea412981a209c5803b59e2d
-  data.tar.gz: 6f2006a43be48e68099eb3962a97d8bd1476c7f05442db26ec7b71949e01607f
+  metadata.gz: 5a7ca1d87624b0e684eadce789dc05e65b5fb668e57ff797a0431ddf67c5860e
+  data.tar.gz: 56e7b46e89980d93b2c7cedd0da05ae1fad1662726a9f72393b835a62aa48374
 SHA512:
-  metadata.gz: 20bf85790d52e25abe3232a2e1c034196b507562f23e741e753530ca33363d89ec60d440c292307f5bc567946e7538ab5bc429ea7883e409b7930866814dabc4
-  data.tar.gz: 4a9f1a48ad19b1676fb8d6486e00f0076101b9fb079b65b61b4f3586977ff4e6d6f39cbef93fd12e5bb0276f6231acfe2aad13f99f96dcea9001cad6a0c6a90b
+  metadata.gz: a4b4a2fd63c68b8c9d05bf3ef0baead20e017f60f044f7470ffda49764bc201482f4a6950fe9b95d50c6b62d07f0b27d1fde858df89dd8978ba9e74619dc755c
+  data.tar.gz: 20125ad9ee90d131b75030e0688a0031d6fc779cbfb4c8a9aedd0a26f01c0330dd5ab3ea751d3c31272bfa197f4b3f7e22ce3027fa87499e92b4274d0cb27ca5

data/lib/dependabot/docker/update_checker.rb

@@ -29,7 +29,7 @@ module DockerRegistry2
         headers["Accept"] = %w(
           application/vnd.docker.distribution.manifest.v2+json
           application/vnd.docker.distribution.manifest.list.v2+json
-          application/json"
+          application/json
         ).join(",")
       end
       headers["Content-Type"] = "application/vnd.docker.distribution.manifest.v2+json" unless payload.nil?
@@ -57,7 +57,7 @@ module Dependabot
       /x.freeze
 
       def latest_version
-        @latest_version ||= fetch_latest_version
+        fetch_latest_version(dependency.version)
       end
 
       def latest_resolvable_version
@@ -74,7 +74,7 @@ module Dependabot
         dependency.requirements.map do |req|
           updated_source = req.fetch(:source).dup
           updated_source[:digest] = updated_digest if req[:source][:digest]
-          updated_source[:tag] = latest_version if req[:source][:tag]
+          updated_source[:tag] = fetch_latest_version(req[:source][:tag]) if req[:source][:tag]
 
           req.merge(source: updated_source)
         end
@@ -97,17 +97,22 @@ module Dependabot
 
       def version_up_to_date?
         # If the tag isn't up-to-date then we can definitely update
-        return false if version_tag_up_to_date? == false
+        return false if version_tag_up_to_date?(dependency.version) == false
+        return false if dependency.requirements.any? do |req|
+                          version_tag_up_to_date?(req.fetch(:source, {})[:tag]) == false
+                        end
 
         # Otherwise, if the Dockerfile specifies a digest check that that is
         # up-to-date
         digest_up_to_date?
       end
 
-      def version_tag_up_to_date?
-        return unless dependency.version.match?(NAME_WITH_VERSION)
+      def version_tag_up_to_date?(version)
+        return unless version&.match?(NAME_WITH_VERSION)
 
-        old_v = numeric_version_from(dependency.version)
+        latest_version = fetch_latest_version(version)
+
+        old_v = numeric_version_from(version)
         latest_v = numeric_version_from(latest_version)
 
         return true if version_class.new(latest_v) <= version_class.new(old_v)
@@ -117,7 +122,7 @@ module Dependabot
         # digests are also unequal. Avoids 'updating' ruby-2 -> ruby-2.5.1
         return false if old_v.split(".").count == latest_v.split(".").count
 
-        digest_of(dependency.version) == digest_of(latest_version)
+        digest_of(version) == digest_of(latest_version)
       end
 
       def digest_up_to_date?
@@ -131,34 +136,39 @@ module Dependabot
 
       # NOTE: It's important that this *always* returns a version (even if
       # it's the existing one) as it is what we later check the digest of.
-      def fetch_latest_version
-        return dependency.version unless dependency.version.match?(NAME_WITH_VERSION)
-
-        # Prune out any downgrade tags before checking for pre-releases
-        # (which requires a call to the registry for each tag, so can be slow)
-        candidate_tags = comparable_tags_from_registry
-        non_downgrade_tags = remove_version_downgrades(candidate_tags)
-        candidate_tags = non_downgrade_tags if non_downgrade_tags.any?
-
-        unless prerelease?(dependency.version)
-          candidate_tags =
-            candidate_tags.
-            reject { |tag| prerelease?(tag) }
-        end
-
-        latest_tag =
-          filter_ignored(candidate_tags).
-          max_by do |tag|
-            [version_class.new(numeric_version_from(tag)), tag.length]
+      def fetch_latest_version(version)
+        @versions ||= {}
+        return @versions[version] if @versions.key?(version)
+
+        @versions[version] = begin
+          return version unless version.match?(NAME_WITH_VERSION)
+
+          # Prune out any downgrade tags before checking for pre-releases
+          # (which requires a call to the registry for each tag, so can be slow)
+          candidate_tags = comparable_tags_from_registry(version)
+          non_downgrade_tags = remove_version_downgrades(candidate_tags, version)
+          candidate_tags = non_downgrade_tags if non_downgrade_tags.any?
+
+          unless prerelease?(version)
+            candidate_tags =
+              candidate_tags.
+              reject { |tag| prerelease?(tag) }
           end
 
-        latest_tag || dependency.version
+          latest_tag =
+            filter_ignored(candidate_tags).
+            max_by do |tag|
+              [version_class.new(numeric_version_from(tag)), tag.length]
+            end
+
+          latest_tag || version
+        end
       end
 
-      def comparable_tags_from_registry
-        original_prefix = prefix_of(dependency.version)
-        original_suffix = suffix_of(dependency.version)
-        original_format = format_of(dependency.version)
+      def comparable_tags_from_registry(version)
+        original_prefix = prefix_of(version)
+        original_suffix = suffix_of(version)
+        original_format = format_of(version)
 
         tags_from_registry.
           select { |tag| tag.match?(NAME_WITH_VERSION) }.
@@ -168,10 +178,10 @@ module Dependabot
           reject { |tag| commit_sha_suffix?(tag) }
       end
 
-      def remove_version_downgrades(candidate_tags)
+      def remove_version_downgrades(candidate_tags, version)
         candidate_tags.select do |tag|
           version_class.new(numeric_version_from(tag)) >=
-            version_class.new(numeric_version_from(dependency.version))
+            version_class.new(numeric_version_from(version))
         end
       end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-docker
 version: !ruby/object:Gem::Version
-  version: 0.138.2
+  version: 0.138.7
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-23 00:00:00.000000000 Z
+date: 2021-03-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.138.2
+        version: 0.138.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.138.2
+        version: 0.138.7
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.11.0
+        version: 1.12.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.11.0
+        version: 1.12.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement