dependabot-go_modules 0.145.4 → 0.148.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 440891afa53b611d109e2420adc240a145ce52e52c5525603dcc69c4df4422df
|
|
4
|
+
data.tar.gz: 62d3aecf1258256a757cea7c7170d5b832dd2617f9ad46151932fc64ba484818
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9db12c769b35527d871fe014a34682ad5cb82b3260907969a2c1498348ff60577801132435cf2d8eb2d47539cf6ada58d8612c2019f4fb1eaacf34376f69f07b
|
|
7
|
+
data.tar.gz: 0f5589c8c8a3cf502a8079336f83964ebc48e6baffb14445bf9ca9cafcdb90565306f57d18787dd76f26843c9a549d7d57895759ebba602e19a04d42682a9ed3
|
data/helpers/main.go
CHANGED
|
@@ -8,7 +8,6 @@ import (
|
|
|
8
8
|
|
|
9
9
|
"github.com/dependabot/dependabot-core/go_modules/helpers/importresolver"
|
|
10
10
|
"github.com/dependabot/dependabot-core/go_modules/helpers/updatechecker"
|
|
11
|
-
"github.com/dependabot/dependabot-core/go_modules/helpers/updater"
|
|
12
11
|
)
|
|
13
12
|
|
|
14
13
|
type HelperParams struct {
|
|
@@ -37,10 +36,6 @@ func main() {
|
|
|
37
36
|
var args updatechecker.Args
|
|
38
37
|
parseArgs(helperParams.Args, &args)
|
|
39
38
|
funcOut, funcErr = updatechecker.GetVersions(&args)
|
|
40
|
-
case "updateDependencyFile":
|
|
41
|
-
var args updater.Args
|
|
42
|
-
parseArgs(helperParams.Args, &args)
|
|
43
|
-
funcOut, funcErr = updater.UpdateDependencyFile(&args)
|
|
44
39
|
case "getVcsRemoteForImport":
|
|
45
40
|
var args importresolver.Args
|
|
46
41
|
parseArgs(helperParams.Args, &args)
|
|
@@ -18,7 +18,7 @@ module Dependabot
|
|
|
18
18
|
RESOLVABILITY_ERROR_REGEXES = [
|
|
19
19
|
# The checksum in go.sum does not match the downloaded content
|
|
20
20
|
/verifying .*: checksum mismatch/.freeze,
|
|
21
|
-
/go
|
|
21
|
+
/go (?:get)?: .*: go.mod has post-v\d+ module path/
|
|
22
22
|
].freeze
|
|
23
23
|
|
|
24
24
|
REPO_RESOLVABILITY_ERROR_REGEXES = [
|
|
@@ -91,16 +91,19 @@ module Dependabot
|
|
|
91
91
|
# Replace full paths with path hashes in the go.mod
|
|
92
92
|
substitute_all(substitutions)
|
|
93
93
|
|
|
94
|
-
#
|
|
95
|
-
|
|
94
|
+
# Bump the deps we want to upgrade using `go get lib@version`
|
|
95
|
+
run_go_get(dependencies)
|
|
96
96
|
|
|
97
|
-
#
|
|
98
|
-
#
|
|
97
|
+
# Run `go get`'s internal validation checks against _each_ module in `go.mod`
|
|
98
|
+
# by running `go get` w/o specifying any library. It finds problems like when a
|
|
99
|
+
# module declares itself using a different name than specified in our `go.mod` etc.
|
|
99
100
|
run_go_get
|
|
100
101
|
|
|
101
102
|
# If we stubbed modules, don't run `go mod {tidy,vendor}` as
|
|
102
103
|
# dependencies are incomplete
|
|
103
104
|
if substitutions.empty?
|
|
105
|
+
# go mod tidy should run before go mod vendor to ensure any
|
|
106
|
+
# dependencies removed by go mod tidy are also removed from vendors.
|
|
104
107
|
run_go_mod_tidy
|
|
105
108
|
run_go_vendor
|
|
106
109
|
else
|
|
@@ -151,26 +154,7 @@ module Dependabot
|
|
|
151
154
|
handle_subprocess_error(stderr) unless status.success?
|
|
152
155
|
end
|
|
153
156
|
|
|
154
|
-
def
|
|
155
|
-
deps = dependencies.map do |dep|
|
|
156
|
-
{
|
|
157
|
-
name: dep.name,
|
|
158
|
-
version: "v" + dep.version.sub(/^v/i, ""),
|
|
159
|
-
indirect: dep.requirements.empty?
|
|
160
|
-
}
|
|
161
|
-
end
|
|
162
|
-
|
|
163
|
-
body = SharedHelpers.run_helper_subprocess(
|
|
164
|
-
command: NativeHelpers.helper_path,
|
|
165
|
-
env: ENVIRONMENT,
|
|
166
|
-
function: "updateDependencyFile",
|
|
167
|
-
args: { dependencies: deps }
|
|
168
|
-
)
|
|
169
|
-
|
|
170
|
-
write_go_mod(body)
|
|
171
|
-
end
|
|
172
|
-
|
|
173
|
-
def run_go_get
|
|
157
|
+
def run_go_get(dependencies = [])
|
|
174
158
|
tmp_go_file = "#{SecureRandom.hex}.go"
|
|
175
159
|
|
|
176
160
|
package = Dir.glob("[^\._]*.go").any? do |path|
|
|
@@ -179,7 +163,14 @@ module Dependabot
|
|
|
179
163
|
|
|
180
164
|
File.write(tmp_go_file, "package dummypkg\n") unless package
|
|
181
165
|
|
|
182
|
-
|
|
166
|
+
# TODO: go 1.18 will make `-d` the default behavior, so remove the flag then
|
|
167
|
+
command = +"go get -d"
|
|
168
|
+
# `go get` accepts multiple packages, each separated by a space
|
|
169
|
+
dependencies.each do |dep|
|
|
170
|
+
version = "v" + dep.version.sub(/^v/i, "")
|
|
171
|
+
command << " #{dep.name}@#{version}"
|
|
172
|
+
end
|
|
173
|
+
_, stderr, status = Open3.capture3(ENVIRONMENT, command)
|
|
183
174
|
handle_subprocess_error(stderr) unless status.success?
|
|
184
175
|
ensure
|
|
185
176
|
File.delete(tmp_go_file) if File.exist?(tmp_go_file)
|
|
@@ -44,7 +44,6 @@ module Dependabot
|
|
|
44
44
|
|
|
45
45
|
candidate_versions = available_versions
|
|
46
46
|
candidate_versions = filter_prerelease_versions(candidate_versions)
|
|
47
|
-
candidate_versions = filter_lower_versions(candidate_versions)
|
|
48
47
|
candidate_versions = filter_ignored_versions(candidate_versions)
|
|
49
48
|
|
|
50
49
|
candidate_versions.max
|
|
@@ -111,13 +110,15 @@ module Dependabot
|
|
|
111
110
|
|
|
112
111
|
def filter_lower_versions(versions_array)
|
|
113
112
|
versions_array.
|
|
114
|
-
select { |version| version
|
|
113
|
+
select { |version| version > version_class.new(dependency.version) }
|
|
115
114
|
end
|
|
116
115
|
|
|
117
116
|
def filter_ignored_versions(versions_array)
|
|
118
117
|
filtered = versions_array.
|
|
119
118
|
reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
|
|
120
|
-
|
|
119
|
+
if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(versions_array).any?
|
|
120
|
+
raise AllVersionsIgnored
|
|
121
|
+
end
|
|
121
122
|
|
|
122
123
|
filtered
|
|
123
124
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-go_modules
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.148.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-05-
|
|
11
|
+
date: 2021-05-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.148.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.148.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -100,14 +100,14 @@ dependencies:
|
|
|
100
100
|
requirements:
|
|
101
101
|
- - "~>"
|
|
102
102
|
- !ruby/object:Gem::Version
|
|
103
|
-
version: 1.
|
|
103
|
+
version: 1.15.0
|
|
104
104
|
type: :development
|
|
105
105
|
prerelease: false
|
|
106
106
|
version_requirements: !ruby/object:Gem::Requirement
|
|
107
107
|
requirements:
|
|
108
108
|
- - "~>"
|
|
109
109
|
- !ruby/object:Gem::Version
|
|
110
|
-
version: 1.
|
|
110
|
+
version: 1.15.0
|
|
111
111
|
- !ruby/object:Gem::Dependency
|
|
112
112
|
name: simplecov
|
|
113
113
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -192,8 +192,6 @@ files:
|
|
|
192
192
|
- helpers/importresolver/main.go
|
|
193
193
|
- helpers/main.go
|
|
194
194
|
- helpers/updatechecker/main.go
|
|
195
|
-
- helpers/updater/helpers.go
|
|
196
|
-
- helpers/updater/main.go
|
|
197
195
|
- lib/dependabot/go_modules.rb
|
|
198
196
|
- lib/dependabot/go_modules/file_fetcher.rb
|
|
199
197
|
- lib/dependabot/go_modules/file_parser.rb
|
data/helpers/updater/helpers.go
DELETED
|
@@ -1,65 +0,0 @@
|
|
|
1
|
-
package updater
|
|
2
|
-
|
|
3
|
-
import (
|
|
4
|
-
"strings"
|
|
5
|
-
|
|
6
|
-
"golang.org/x/mod/modfile"
|
|
7
|
-
)
|
|
8
|
-
|
|
9
|
-
// Private methods lifted from the `modfile` package.
|
|
10
|
-
// Last synced: 4/28/2021 from:
|
|
11
|
-
// https://github.com/golang/mod/blob/858fdbee9c245c8109c359106e89c6b8d321f19c/modfile/rule.go
|
|
12
|
-
|
|
13
|
-
var slashSlash = []byte("//")
|
|
14
|
-
|
|
15
|
-
// setIndirect sets line to have (or not have) a "// indirect" comment.
|
|
16
|
-
func setIndirect(line *modfile.Line, indirect bool) {
|
|
17
|
-
if isIndirect(line) == indirect {
|
|
18
|
-
return
|
|
19
|
-
}
|
|
20
|
-
if indirect {
|
|
21
|
-
// Adding comment.
|
|
22
|
-
if len(line.Suffix) == 0 {
|
|
23
|
-
// New comment.
|
|
24
|
-
line.Suffix = []modfile.Comment{{Token: "// indirect", Suffix: true}}
|
|
25
|
-
return
|
|
26
|
-
}
|
|
27
|
-
|
|
28
|
-
com := &line.Suffix[0]
|
|
29
|
-
text := strings.TrimSpace(strings.TrimPrefix(com.Token, string(slashSlash)))
|
|
30
|
-
if text == "" {
|
|
31
|
-
// Empty comment.
|
|
32
|
-
com.Token = "// indirect"
|
|
33
|
-
return
|
|
34
|
-
}
|
|
35
|
-
|
|
36
|
-
// Insert at beginning of existing comment.
|
|
37
|
-
com.Token = "// indirect; " + text
|
|
38
|
-
return
|
|
39
|
-
}
|
|
40
|
-
|
|
41
|
-
// Removing comment.
|
|
42
|
-
f := strings.Fields(line.Suffix[0].Token)
|
|
43
|
-
if len(f) == 2 {
|
|
44
|
-
// Remove whole comment.
|
|
45
|
-
line.Suffix = nil
|
|
46
|
-
return
|
|
47
|
-
}
|
|
48
|
-
|
|
49
|
-
// Remove comment prefix.
|
|
50
|
-
com := &line.Suffix[0]
|
|
51
|
-
i := strings.Index(com.Token, "indirect;")
|
|
52
|
-
com.Token = "//" + com.Token[i+len("indirect;"):]
|
|
53
|
-
}
|
|
54
|
-
|
|
55
|
-
// isIndirect reports whether line has a "// indirect" comment,
|
|
56
|
-
// meaning it is in go.mod only for its effect on indirect dependencies,
|
|
57
|
-
// so that it can be dropped entirely once the effective version of the
|
|
58
|
-
// indirect dependency reaches the given minimum version.
|
|
59
|
-
func isIndirect(line *modfile.Line) bool {
|
|
60
|
-
if len(line.Suffix) == 0 {
|
|
61
|
-
return false
|
|
62
|
-
}
|
|
63
|
-
f := strings.Fields(strings.TrimPrefix(line.Suffix[0].Token, string(slashSlash)))
|
|
64
|
-
return (len(f) == 1 && f[0] == "indirect" || len(f) > 1 && f[0] == "indirect;")
|
|
65
|
-
}
|
data/helpers/updater/main.go
DELETED
|
@@ -1,50 +0,0 @@
|
|
|
1
|
-
package updater
|
|
2
|
-
|
|
3
|
-
import (
|
|
4
|
-
"io/ioutil"
|
|
5
|
-
|
|
6
|
-
"golang.org/x/mod/modfile"
|
|
7
|
-
)
|
|
8
|
-
|
|
9
|
-
type Dependency struct {
|
|
10
|
-
Name string `json:"name"`
|
|
11
|
-
Version string `json:"version"`
|
|
12
|
-
Indirect bool `json:"indirect"`
|
|
13
|
-
}
|
|
14
|
-
|
|
15
|
-
type Args struct {
|
|
16
|
-
Dependencies []Dependency `json:"dependencies"`
|
|
17
|
-
}
|
|
18
|
-
|
|
19
|
-
func UpdateDependencyFile(args *Args) (interface{}, error) {
|
|
20
|
-
data, err := ioutil.ReadFile("go.mod")
|
|
21
|
-
if err != nil {
|
|
22
|
-
return nil, err
|
|
23
|
-
}
|
|
24
|
-
|
|
25
|
-
f, err := modfile.Parse("go.mod", data, nil)
|
|
26
|
-
if err != nil {
|
|
27
|
-
return nil, err
|
|
28
|
-
}
|
|
29
|
-
|
|
30
|
-
for _, dep := range args.Dependencies {
|
|
31
|
-
if err := f.AddRequire(dep.Name, dep.Version); err != nil {
|
|
32
|
-
return nil, err
|
|
33
|
-
}
|
|
34
|
-
}
|
|
35
|
-
|
|
36
|
-
for _, r := range f.Require {
|
|
37
|
-
for _, dep := range args.Dependencies {
|
|
38
|
-
if r.Mod.Path == dep.Name {
|
|
39
|
-
setIndirect(r.Syntax, dep.Indirect)
|
|
40
|
-
}
|
|
41
|
-
}
|
|
42
|
-
}
|
|
43
|
-
|
|
44
|
-
f.SortBlocks()
|
|
45
|
-
f.Cleanup()
|
|
46
|
-
|
|
47
|
-
newModFile, _ := f.Format()
|
|
48
|
-
|
|
49
|
-
return string(newModFile), nil
|
|
50
|
-
}
|