RubyGems - dependabot-go_modules - Versions diffs - 0.127.1 → 0.129.1 - Mend

dependabot-go_modules 0.127.1 → 0.129.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/dependabot/go_modules/file_parser.rb +9 -3
data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb +26 -1
metadata +4 -4

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 22a9e568c386a7df3bf0957f2b72fcb162a40ee070cc3de867144ce39e741e5e
-  data.tar.gz: f0cfe75bee0826e65fc129ff19070d22d719ed55a8f4fb84250046cdc77e7024
+  metadata.gz: 66a84b6b47ca0b0c2123cbb74dc9289edf5a3456e47e243b9f5f7e3e811a6e83
+  data.tar.gz: c818cafc810e2d768e1048c30b9c28b06b2f74d0c15fe4fecb38ccc3341b4746
 SHA512:
-  metadata.gz: 9c62fad3ba7909a0dbcdb03e55bb7f68b32e39959ff0537a2c7ae44572b5f7b33a268be15b2658f7e2108a8342237038f650405c9e2b5dfeae604c8bc126fda5
-  data.tar.gz: f22c564dbff187664aa1f3a22f0c05071d6c26cd8be79754d92a76647887bd0511f644c27547b4ec11ac43f2f842e4df16d22c4e0266cec643ef209775d118db
+  metadata.gz: 6fafe82fab2b405593f8a7c8a431ff71804189922a9f7d3d920ee6b4295417294e904c4b123fb4f3cdea32e8044ad69f5a130e342418f36d0e819e934be1980b
+  data.tar.gz: 1456d1903e1b9b1b832de978aad3f2ba579d9dc30ef5179f97ef3d9f62963c01e8586967729e44e1da015166fa7e96ba4496d76309311ff79d3414d8b42726fc

data/lib/dependabot/go_modules/file_parser.rb CHANGED

@@ -159,8 +159,8 @@ module Dependabot
       GITHUB_REPO_REGEX = %r{github.com/[^@]*}.freeze
       def handle_github_unknown_revision(line)
-        repo_path = line.scan(GITHUB_REPO_REGEX).first
-        return unless repo_path
+        mod_path = line.scan(GITHUB_REPO_REGEX).first
+        return unless mod_path
         # Query for _any_ version of this module, to know if it doesn't exist (or is private)
         # or we were just given a bad revision by this manifest
@@ -169,9 +169,15 @@ module Dependabot
             File.write("go.mod", "module dummy\n")
             env = { "GOPRIVATE" => "*" }
-            _, _, status = Open3.capture3(env, SharedHelpers.escape_command("go get #{repo_path}"))
+            _, _, status = Open3.capture3(env, SharedHelpers.escape_command("go get #{mod_path}"))
             raise Dependabot::DependencyFileNotResolvable, line if status.success?
+            mod_split = mod_path.split("/")
+            repo_path = if mod_split.size > 3
+                          mod_split[0..2].join("/")
+                        else
+                          mod_path
+                        end
             raise Dependabot::GitDependenciesNotReachable, [repo_path]
           end
         end

data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb CHANGED

@@ -240,12 +240,37 @@ module Dependabot
               (manifest["Replace"] || []).
                 map { |r| r["New"]["Path"] }.
                 compact.
-                select { |p| p.start_with?(".") || p.start_with?("/") }.
+                select { |p| stub_replace_path?(p) }.
                 map { |p| [p, "./" + Digest::SHA2.hexdigest(p)] }.
                 to_h
             end
         end
+        # returns true if the provided path should be replaced with a stub
+        def stub_replace_path?(path)
+          return true if absolute_path?(path)
+          return false unless relative_replacement_path?(path)
+          resolved_path = module_pathname.join(path).realpath
+          inside_repo_contents_path = resolved_path.to_s.start_with?(repo_contents_path.to_s)
+          !inside_repo_contents_path
+        rescue Errno::ENOENT
+          true
+        end
+        def absolute_path?(path)
+          path.start_with?("/")
+        end
+        def relative_replacement_path?(path)
+          # https://golang.org/ref/mod#go-mod-file-replace
+          path.start_with?("./") || path.start_with?("../")
+        end
+        def module_pathname
+          @module_pathname ||= Pathname.new(repo_contents_path).join(directory)
+        end
         def substitute_all(substitutions)
           body = substitutions.reduce(File.read("go.mod")) do |text, (a, b)|
             text.sub(a, b)

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.127.1
+  version: 0.129.1
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-12-14 00:00:00.000000000 Z
+date: 2020-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.127.1
+        version: 0.129.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.127.1
+        version: 0.129.1
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement