RubyGems - dependabot-dotnet_sdk - Versions diffs - 0.317.0 → 0.318.0 - Mend

dependabot-dotnet_sdk 0.317.0 → 0.318.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/dependabot/dotnet_sdk/package/package_details_fetcher.rb +135 -0
data/lib/dependabot/dotnet_sdk/update_checker/latest_version_finder.rb +32 -108
data/lib/dependabot/dotnet_sdk/update_checker.rb +21 -2
metadata +5 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c9cf3c0f4066c28fcab2b668a44264cc52ef9dac8dc5847de3f4ab6ecdc0215f
-  data.tar.gz: 516dfa1ae1d9d75533b4d134d35d126a7da8e84e26e36bc005c9a6260eb38342
+  metadata.gz: '039adc7e5a9dc839f07b1665a9f626a367d5acca93c6403d009862a76ab5aaff'
+  data.tar.gz: 1bf3eb9d9a53c91ff663fe256566758e3a7a4eceed8f3acc0275ca931d64b582
 SHA512:
-  metadata.gz: 212338f5124264f5ca0259539f5e46db59bf55563b863dee6578f51c472e6d744f982f7011f7f11d759c40cbe33c41462ce0320f667768e7eafe6334f8157f99
-  data.tar.gz: f1001d8a73701fc2bb1437997eb3a5779e856f87fb09f616372af4bea6e8ad35a476ef8c9959888d92f3611f73f64042fed58c7a0b00432161cf7bcc74f0b782
+  metadata.gz: f189b5e18550bc281c0d024d2881e120436dc73be455d08a75e124ee60f9d76d6b8041852848ed9f429bb2d6df1f2d851df6e3d2469149d6f34f4732d4b21df4
+  data.tar.gz: 7b645cbf524315097ece68eb189695234a60d930b14904d15c2123fe95d58f6a34796539fa3463a2e91a62824ffde1b3fb73f6d36dbb57778fb70b40d6fddbf5

data/lib/dependabot/dotnet_sdk/package/package_details_fetcher.rb ADDED Viewed

@@ -0,0 +1,135 @@
+# typed: strict
+# frozen_string_literal: true
+require "sorbet-runtime"
+require "dependabot/package/package_details"
+require "dependabot/dotnet_sdk/version"
+module Dependabot
+  module DotnetSdk
+    module Package
+      class PackageDetailsFetcher
+        extend T::Sig
+        RELEASES_INDEX_URL = "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/releases-index.json"
+        sig do
+          params(
+            dependency: Dependabot::Dependency
+          ).void
+        end
+        def initialize(dependency:)
+          @dependency = dependency
+          @package_details = T.let(nil, T.nilable(Dependabot::Package::PackageDetails))
+        end
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+        sig do
+          returns(T.nilable(Dependabot::Package::PackageDetails))
+        end
+        def fetch
+          package_releases = releases.filter_map do |release|
+            version = release["version"]
+            release_date = release["release-date"]
+            next unless version && release_date
+            package_release(
+              version: version,
+              released_at: Time.parse(release_date)
+            )
+          end
+          package_details(package_releases)
+        end
+        private
+        sig { returns(T::Array[T::Hash[String, String]]) }
+        def releases
+          response = releases_response
+          return [] unless response.status == 200
+          parsed = JSON.parse(response.body)
+          parsed["releases-index"].flat_map do |release|
+            release_channel(release["releases.json"])
+          end
+        end
+        sig { returns(Excon::Response) }
+        def releases_response
+          Dependabot::RegistryClient.get(
+            url: RELEASES_INDEX_URL,
+            headers: { "Accept" => "application/json" }
+          )
+        end
+        sig { params(url: String).returns(T::Array[T::Hash[String, String]]) }
+        def release_channel(url)
+          response = release_channel_response(url)
+          return [] unless response
+          JSON.parse(response.body)
+              .fetch("releases", [])
+              .flat_map { |release| extract_release_versions(release) }
+        rescue JSON::ParserError
+          raise Dependabot::DependencyFileNotResolvable, "Invalid JSON response from #{url}"
+        end
+        sig { params(release: T::Hash[String, T.untyped]).returns(T::Array[T::Hash[String, String]]) }
+        def extract_release_versions(release)
+          release_date = release["release-date"]
+          return [] unless release_date
+          if release["sdks"].nil?
+            sdk_version = release.dig("sdk", "version")
+            return [] unless sdk_version
+            [{ "version" => sdk_version, "release-date" => release_date }]
+          else
+            release["sdks"]&.filter_map do |sdk|
+              next unless sdk["version"]
+              { "version" => sdk["version"], "release-date" => release_date }
+            end || []
+          end
+        end
+        sig { params(url: String).returns(T.nilable(Excon::Response)) }
+        def release_channel_response(url)
+          Dependabot::RegistryClient.get(
+            url: url,
+            headers: { "Accept" => "application/json" }
+          )
+        end
+        sig do
+          params(
+            version: String,
+            released_at: T.nilable(Time)
+          ).returns(Dependabot::Package::PackageRelease)
+        end
+        def package_release(version:, released_at:)
+          Dependabot::Package::PackageRelease.new(
+            version: DotnetSdk::Version.new(version),
+            released_at: released_at
+          )
+        end
+        sig do
+          params(releases: T::Array[Dependabot::Package::PackageRelease])
+            .returns(Dependabot::Package::PackageDetails)
+        end
+        def package_details(releases)
+          @package_details ||= Dependabot::Package::PackageDetails.new(
+            dependency: dependency,
+            releases: releases.reverse.uniq(&:version)
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/dotnet_sdk/update_checker/latest_version_finder.rb CHANGED Viewed

@@ -1,138 +1,62 @@
 # typed: strict
 # frozen_string_literal: true
-require "excon"
 require "sorbet-runtime"
-require "dependabot/dotnet_sdk/requirement"
-require "dependabot/dotnet_sdk/version"
+require "dependabot/package/package_details"
+require "dependabot/package/package_latest_version_finder"
 require "dependabot/registry_client"
 require "dependabot/update_checkers/base"
+require "dependabot/dotnet_sdk/package/package_details_fetcher"
+require "dependabot/dotnet_sdk/requirement"
+require "dependabot/dotnet_sdk/version"
 module Dependabot
   module DotnetSdk
     class UpdateChecker < Dependabot::UpdateCheckers::Base
-      class LatestVersionFinder
+      class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
         extend T::Sig
-        RELEASES_INDEX_URL = "https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/releases-index.json"
-        sig { params(dependency: Dependabot::Dependency, ignored_versions: T::Array[String]).void }
-        def initialize(dependency:, ignored_versions:)
-          @dependency = dependency
-          @ignored_versions = ignored_versions
+        sig do
+          override.returns(T.nilable(Dependabot::Package::PackageDetails))
         end
-        sig { returns(T.nilable(Dependabot::Version)) }
-        def latest_version
-          @latest_version ||= T.let(
-            fetch_latest_version,
-            T.nilable(Dependabot::Version)
-          )
+        def package_details
+          @package_details ||= Package::PackageDetailsFetcher.new(dependency: dependency).fetch
         end
-        private
-        sig { returns(Dependabot::Dependency) }
-        attr_reader :dependency
-        sig { returns(T::Array[String]) }
-        attr_reader :ignored_versions
-        sig { returns(T.nilable(Dependabot::Version)) }
-        def fetch_latest_version
-          versions = available_versions
-          versions = filter_prerelease_versions(versions)
-          versions = filter_ignored_versions(versions)
-          versions.max
+        sig do
+          override
+            .params(language_version: T.nilable(T.any(String, Dependabot::Version)))
+            .returns(T.nilable(Dependabot::Version))
         end
-        sig { returns(T::Array[Dependabot::Version]) }
-        def available_versions
-          releases.map { |v| version_class.new(v) }
+        def latest_version(language_version: nil) # rubocop:disable Lint/UnusedMethodArgument
+          @latest_version ||= fetch_latest_version
         end
-        sig { params(versions: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
-        def filter_prerelease_versions(versions)
-          return versions if wants_prerelease?
-          # This isn't entirely accurate. .NET considers release candidates to NOT be pre-releases.
-          # However, we want to be conservative.
-          # See https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core
-          versions.reject(&:prerelease?)
+        sig do
+          override
+            .params(language_version: T.nilable(T.any(String, Dependabot::Version)))
+            .returns(T.nilable(Dependabot::Version))
         end
-        sig { params(versions: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
-        def filter_ignored_versions(versions)
-          versions.reject do |version|
-            ignore_requirements.any? { |r| r.satisfied_by?(version) }
-          end
+        def lowest_security_fix_version(language_version: nil) # rubocop:disable Lint/UnusedMethodArgument
+          @lowest_security_fix_version ||= fetch_lowest_security_fix_version
         end
-        sig { returns(T::Array[String]) }
-        def releases
-          response = releases_response
-          return [] unless response.status == 200
+        protected
-          parsed = JSON.parse(response.body)
-          parsed["releases-index"].flat_map do |release|
-            release_channel(release["releases.json"])
-          end
-        end
-        sig { returns(Excon::Response) }
-        def releases_response
-          Dependabot::RegistryClient.get(
-            url: RELEASES_INDEX_URL,
-            headers: { "Accept" => "application/json" }
-          )
-        end
-        sig { params(url: String).returns(T::Array[String]) }
-        def release_channel(url)
-          response = release_channel_response(url)
-          begin
-            parsed = JSON.parse(T.must(response).body)
-          rescue JSON::ParserError
-            raise Dependabot::DependencyFileNotResolvable, "Invalid JSON response from #{url}"
-          end
-          parsed["releases"].map do |release|
-            if release["sdks"].nil?
-              release["sdk"]["version"]
-            else
-              release["sdks"].flat_map { |sdk| sdk["version"] }
-            end
-          end
-        .flatten
-        end
-        sig { params(url: String).returns(T.nilable(Excon::Response)) }
-        def release_channel_response(url)
-          Dependabot::RegistryClient.get(
-            url: url,
-            headers: { "Accept" => "application/json" }
-          )
-        end
-        sig { returns(T::Boolean) }
+        sig { override.returns(T::Boolean) }
         def wants_prerelease?
-          dependency.metadata[:allow_prerelease]
+          !!dependency.metadata[:allow_prerelease]
         end
-        sig { returns(T::Array[Dependabot::Requirement]) }
-        def ignore_requirements
-          ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
+        sig do
+          override
+            .params(releases: T::Array[Dependabot::Package::PackageRelease])
+            .returns(T::Array[Dependabot::Package::PackageRelease])
         end
-        sig { returns(T.class_of(Dependabot::Version)) }
-        def version_class
-          dependency.version_class
-        end
-        sig { returns(T.class_of(Dependabot::Requirement)) }
-        def requirement_class
-          dependency.requirement_class
+        def apply_post_fetch_lowest_security_fix_versions_filter(releases)
+          filter_prerelease_versions(releases)
         end
       end
     end

data/lib/dependabot/dotnet_sdk/update_checker.rb CHANGED Viewed

@@ -24,6 +24,17 @@ module Dependabot
         latest_version
       end
+      sig { override.returns(T.nilable(Dependabot::Version)) }
+      def lowest_security_fix_version
+        latest_version_finder.lowest_security_fix_version
+      end
+      sig { override.returns(T.nilable(Dependabot::Version)) }
+      def lowest_resolvable_security_fix_version
+        # Resolvability isn't an issue for dotnet SDKs
+        lowest_security_fix_version
+      end
       sig { override.returns(T.nilable(Dependabot::Version)) }
       def latest_resolvable_version_with_no_unlock
         raise NotImplementedError
@@ -34,7 +45,7 @@ module Dependabot
         dependency.requirements.map do |requirement|
           {
             file: requirement[:file],
-            requirement: latest_version,
+            requirement: preferred_resolvable_version,
             groups: requirement[:groups],
             source: requirement[:source]
           }
@@ -56,7 +67,15 @@ module Dependabot
       sig { returns(LatestVersionFinder) }
       def latest_version_finder
         @latest_version_finder ||= T.let(
-          LatestVersionFinder.new(dependency: dependency, ignored_versions: ignored_versions),
+          LatestVersionFinder.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            security_advisories: security_advisories,
+            cooldown_options: update_cooldown,
+            raise_on_ignored: raise_on_ignored
+          ),
           T.nilable(LatestVersionFinder)
         )
       end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-dotnet_sdk
 version: !ruby/object:Gem::Version
-  version: 0.317.0
+  version: 0.318.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.317.0
+        version: 0.318.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.317.0
+        version: 0.318.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -246,6 +246,7 @@ files:
 - lib/dependabot/dotnet_sdk/file_updater.rb
 - lib/dependabot/dotnet_sdk/language.rb
 - lib/dependabot/dotnet_sdk/metadata_finder.rb
+- lib/dependabot/dotnet_sdk/package/package_details_fetcher.rb
 - lib/dependabot/dotnet_sdk/package_manager.rb
 - lib/dependabot/dotnet_sdk/requirement.rb
 - lib/dependabot/dotnet_sdk/update_checker.rb
@@ -256,7 +257,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.317.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.318.0
 rdoc_options: []
 require_paths:
 - lib