dependabot-go_modules 0.154.5 → 0.155.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a22515c63450e8e75482634d205444f95891a6cd1f8b49e6eb381cb2b700ffa3
|
|
4
|
+
data.tar.gz: 364a289eecab254b2bf0da29c3a0488a0ea87774b481684f669ea4816b0ec9a9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ead7c1289f410404d0976e62d6acd95ce9b804ab48d37272cf0c049bce665f83c26d2d1011ef8e7ccdc9d343fcd27abff55448f236268d621444563ced7ea236
|
|
7
|
+
data.tar.gz: '049c045b259382f3ec2d877a28864fb99fa8dfe0aae50859c2a58ef86db40e18961e903e9dbaa18a3bb5b875830e56fce8aac2ba2bc4e8ebb0381052bde33cc9'
|
|
@@ -24,14 +24,7 @@ module Dependabot
|
|
|
24
24
|
return version_class.new(dependency.version)
|
|
25
25
|
end
|
|
26
26
|
|
|
27
|
-
|
|
28
|
-
LatestVersionFinder.new(
|
|
29
|
-
dependency: dependency,
|
|
30
|
-
dependency_files: dependency_files,
|
|
31
|
-
credentials: credentials,
|
|
32
|
-
ignored_versions: ignored_versions,
|
|
33
|
-
raise_on_ignored: raise_on_ignored
|
|
34
|
-
).latest_version
|
|
27
|
+
latest_version_finder.latest_version
|
|
35
28
|
end
|
|
36
29
|
|
|
37
30
|
# This is currently used to short-circuit latest_resolvable_version,
|
|
@@ -41,6 +34,22 @@ module Dependabot
|
|
|
41
34
|
latest_resolvable_version
|
|
42
35
|
end
|
|
43
36
|
|
|
37
|
+
def lowest_resolvable_security_fix_version
|
|
38
|
+
raise "Dependency not vulnerable!" unless vulnerable?
|
|
39
|
+
|
|
40
|
+
unless dependency.top_level?
|
|
41
|
+
return unless dependency.version
|
|
42
|
+
|
|
43
|
+
return version_class.new(dependency.version)
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
lowest_security_fix_version
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def lowest_security_fix_version
|
|
50
|
+
latest_version_finder.lowest_security_fix_version
|
|
51
|
+
end
|
|
52
|
+
|
|
44
53
|
def latest_resolvable_version_with_no_unlock
|
|
45
54
|
# Irrelevant, since Go modules uses a single dependency file
|
|
46
55
|
nil
|
|
@@ -54,6 +63,18 @@ module Dependabot
|
|
|
54
63
|
|
|
55
64
|
private
|
|
56
65
|
|
|
66
|
+
def latest_version_finder
|
|
67
|
+
@latest_version_finder ||=
|
|
68
|
+
LatestVersionFinder.new(
|
|
69
|
+
dependency: dependency,
|
|
70
|
+
dependency_files: dependency_files,
|
|
71
|
+
credentials: credentials,
|
|
72
|
+
ignored_versions: ignored_versions,
|
|
73
|
+
security_advisories: security_advisories,
|
|
74
|
+
raise_on_ignored: raise_on_ignored
|
|
75
|
+
)
|
|
76
|
+
end
|
|
77
|
+
|
|
57
78
|
def latest_version_resolvable_with_full_unlock?
|
|
58
79
|
# Full unlock checks aren't implemented for Go (yet)
|
|
59
80
|
false
|
|
@@ -24,11 +24,12 @@ module Dependabot
|
|
|
24
24
|
PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/.freeze
|
|
25
25
|
|
|
26
26
|
def initialize(dependency:, dependency_files:, credentials:,
|
|
27
|
-
ignored_versions:, raise_on_ignored: false)
|
|
27
|
+
ignored_versions:, security_advisories:, raise_on_ignored: false)
|
|
28
28
|
@dependency = dependency
|
|
29
29
|
@dependency_files = dependency_files
|
|
30
30
|
@credentials = credentials
|
|
31
31
|
@ignored_versions = ignored_versions
|
|
32
|
+
@security_advisories = security_advisories
|
|
32
33
|
@raise_on_ignored = raise_on_ignored
|
|
33
34
|
end
|
|
34
35
|
|
|
@@ -36,9 +37,13 @@ module Dependabot
|
|
|
36
37
|
@latest_version ||= fetch_latest_version
|
|
37
38
|
end
|
|
38
39
|
|
|
40
|
+
def lowest_security_fix_version
|
|
41
|
+
@lowest_security_fix_version ||= fetch_lowest_security_fix_version
|
|
42
|
+
end
|
|
43
|
+
|
|
39
44
|
private
|
|
40
45
|
|
|
41
|
-
attr_reader :dependency, :dependency_files, :credentials, :ignored_versions
|
|
46
|
+
attr_reader :dependency, :dependency_files, :credentials, :ignored_versions, :security_advisories
|
|
42
47
|
|
|
43
48
|
def fetch_latest_version
|
|
44
49
|
return dependency.version if dependency.version =~ PSEUDO_VERSION_REGEX
|
|
@@ -50,6 +55,19 @@ module Dependabot
|
|
|
50
55
|
candidate_versions.max
|
|
51
56
|
end
|
|
52
57
|
|
|
58
|
+
def fetch_lowest_security_fix_version
|
|
59
|
+
return dependency.version if dependency.version =~ PSEUDO_VERSION_REGEX
|
|
60
|
+
|
|
61
|
+
relevant_versions = available_versions
|
|
62
|
+
relevant_versions = filter_prerelease_versions(relevant_versions)
|
|
63
|
+
relevant_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(relevant_versions,
|
|
64
|
+
security_advisories)
|
|
65
|
+
relevant_versions = filter_ignored_versions(relevant_versions)
|
|
66
|
+
relevant_versions = filter_lower_versions(relevant_versions)
|
|
67
|
+
|
|
68
|
+
relevant_versions.min
|
|
69
|
+
end
|
|
70
|
+
|
|
53
71
|
def available_versions
|
|
54
72
|
SharedHelpers.in_a_temporary_directory do
|
|
55
73
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-go_modules
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.155.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.155.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.155.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|