dependabot-go_modules 0.125.4 → 0.126.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3da25d3177f3e2a3dc853142401621ec4450d6377454c997b84ab6c363c29e45
-  data.tar.gz: 9bacf420dd0cb1ecfdbec128d1bfd18107aff3976c58c552549d90fb457ec40f
+  metadata.gz: d4186139c2bb3f62bd4f9446eb2a9e00742d0059c02c3c230aa74a738f6c2ae6
+  data.tar.gz: 3635f9c4276e27e34fd1c3b0694bb821e1c9fdaac745f486cfdb0d9457de727a
 SHA512:
-  metadata.gz: c14c8b5a4e57341550edb2607c727e076727ddb92cde62f0e2355835306861ab3214bd19b8a4ab07594850779a4a136e461477175cbc6c090acb1bad821a4f2e
-  data.tar.gz: 746f16d79b4263e24054b84f26210c654e528888b127ba92d99aa6b2ef3111d36657f9676b700660d72e25ca3835bbf3fcef66d2c625f41c68702cdc47a48b5e
+  metadata.gz: 75a0df4e2bdd441cbf2acc8ea963fa64388eac99567494efe1e4fe9afc551642fbac4807f769244a3e10e586124fd1adbba93d409fbe473d43ba101c36f4f20f
+  data.tar.gz: 442e099ca2a89a721dcbd09b202413a69b9d479aa94d7498b0dd5c88ff8eebdde29de94835c9a6409768512325b5e83127879cbfda9cc12de11ea8f0efb48141

data/helpers/build

@@ -24,3 +24,4 @@ os="$(uname -s | tr '[:upper:]' '[:lower:]')"
 echo "building $install_dir/bin/helper"
 
 GO111MODULE=on GOOS="$os" GOARCH=amd64 go build -o "$install_dir/bin/helper" .
+go clean -cache -modcache

data/helpers/go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/Masterminds/vcs v1.13.1
 	github.com/dependabot/dependabot-core/go_modules/helpers/updater v0.0.0
 	github.com/dependabot/gomodules-extracted v1.2.0
-	golang.org/x/mod v0.3.0
+	golang.org/x/mod v0.4.0
 )
 
 replace github.com/dependabot/dependabot-core/go_modules/helpers/importresolver => ./importresolver

data/helpers/go.sum

@@ -1,14 +1,12 @@
 github.com/Masterminds/vcs v1.13.1 h1:NL3G1X7/7xduQtA2sJLpVpfHTNBALVNSjob6KEjPXNQ=
 github.com/Masterminds/vcs v1.13.1/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA=
-github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3 h1:Xj2leY0FVyZuo+p59vkIWG3dIqo+QtjskT5O1iTiywA=
-github.com/dependabot/gomodules-extracted v0.0.0-20181020215834-1b2f850478a3/go.mod h1:+dRXSrUymjpT4yzKtn1QmeknT1S/yAHRr35en18dHp8=
 github.com/dependabot/gomodules-extracted v1.2.0 h1:K/gTyOyhasOt4cjULvOPNiD3MAFGytp4F7e39aB+0Y0=
 github.com/dependabot/gomodules-extracted v1.2.0/go.mod h1:3NWkH8KcZVDM87JuZI8hCZzYbjfUSz98EZI53qjgMgY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.4.0 h1:8pl+sMODzuvGJkmj2W4kZihvVb5mKm8pB/X44PIQHv8=
+golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

data/lib/dependabot/go_modules/file_parser.rb

@@ -139,8 +139,9 @@ module Dependabot
       def handle_parser_error(path, stderr)
         case stderr
         when /go: .*: unknown revision/m
-          line = stderr.lines.grep(/unknown revision/).first
-          raise Dependabot::DependencyFileNotResolvable, line.strip
+          line = stderr.lines.grep(/unknown revision/).first.strip
+          handle_github_unknown_revision(line) if line.start_with?("go: github.com/")
+          raise Dependabot::DependencyFileNotResolvable, line
         when /go: .*: unrecognized import path/m
           line = stderr.lines.grep(/unrecognized import/).first
           raise Dependabot::DependencyFileNotResolvable, line.strip
@@ -156,6 +157,26 @@ module Dependabot
         end
       end
 
+      GITHUB_REPO_REGEX = %r{github.com/[^@]*}.freeze
+      def handle_github_unknown_revision(line)
+        repo_path = line.scan(GITHUB_REPO_REGEX).first
+        return unless repo_path
+
+        # Query for _any_ version of this module, to know if it doesn't exist (or is private)
+        # or we were just given a bad revision by this manifest
+        SharedHelpers.in_a_temporary_directory do
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            File.write("go.mod", "module dummy\n")
+
+            env = { "GOPRIVATE" => "*" }
+            _, _, status = Open3.capture3(env, SharedHelpers.escape_command("go get #{repo_path}"))
+            raise Dependabot::DependencyFileNotResolvable, line if status.success?
+
+            raise Dependabot::GitDependenciesNotReachable, [repo_path]
+          end
+        end
+      end
+
       def rev_identifier?(dep)
         dep["Version"]&.match?(GIT_VERSION_REGEX)
       end

data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb

@@ -118,9 +118,15 @@ module Dependabot
         def run_go_mod_tidy
           return unless tidy?
 
+          # NOTE(arslan): use `go mod tidy -e` once Go 1.16 is out:
+          # https://github.com/golang/go/commit/3aa09489ab3aa13a3ac78b1ff012b148ffffe367
           command = "go mod tidy"
-          _, stderr, status = Open3.capture3(ENVIRONMENT, command)
-          handle_subprocess_error(stderr) unless status.success?
+
+          # we explicitly don't raise an error for 'go mod tidy' and silently
+          # continue here. `go mod tidy` shouldn't block updating versions
+          # because there are some edge cases where it's OK to fail (such as
+          # generated files not available yet to us).
+          Open3.capture3(ENVIRONMENT, command)
         end
 
         def run_go_vendor

data/lib/dependabot/go_modules/requirement.rb

@@ -132,7 +132,7 @@ module Dependabot
         "~> #{parts.join('.')}"
       end
 
-      # Note: Dep's caret notation implementation doesn't distinguish between
+      # NOTE: Dep's caret notation implementation doesn't distinguish between
       # pre and post-1.0.0 requirements (unlike in JS)
       def convert_caret_req(req_string)
         version = req_string.gsub(/^\^?v?/, "")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.125.4
+  version: 0.126.1
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-11-17 00:00:00.000000000 Z
+date: 2020-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.125.4
+        version: 0.126.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.125.4
+        version: 0.126.1
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -100,28 +100,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.93.0
+        version: 1.6.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.93.0
+        version: 1.6.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.20.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.20.0
 - !ruby/object:Gem::Dependency
   name: simplecov-console
   requirement: !ruby/object:Gem::Requirement