dependabot-go_modules 0.166.0 → 0.169.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/helpers/go.mod +1 -5
- data/helpers/go.sum +0 -18
- data/helpers/main.go +0 -5
- data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb +24 -12
- metadata +4 -5
- data/helpers/updatechecker/main.go +0 -93
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ba323197349529a5a515b8ccb3e41d22f7d7df32771e190fbcd0417b99a12f0a
|
|
4
|
+
data.tar.gz: 45f197511d6ef315061207e934af5debbff20126428eca5bb8d38c46e2f03c8f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6f23cc0ccd829b67591f41c159a9f2d94fdd2d6ebcf4d7376f8f31a4dc113f1a9bcc35b39a23a94a2aa41574566639c35b29e0e2ac6e2c94ce4acb4fadb0a3d2
|
|
7
|
+
data.tar.gz: c5e24ae86808fcba4a384b99a8aea43c18345091ffa1f6f1ccce41854ff8c71745fc78c3c995f5c18d1606972d3607b432c6522b1b847cea5e33aa33ccd3f93a
|
data/helpers/go.mod
CHANGED
data/helpers/go.sum
CHANGED
|
@@ -1,20 +1,2 @@
|
|
|
1
1
|
github.com/Masterminds/vcs v1.13.1 h1:NL3G1X7/7xduQtA2sJLpVpfHTNBALVNSjob6KEjPXNQ=
|
|
2
2
|
github.com/Masterminds/vcs v1.13.1/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA=
|
|
3
|
-
github.com/dependabot/gomodules-extracted v1.4.2 h1:3IxvHARuuSojSNUHguc6kzWgs+uQN3fdRCowJMU1kDE=
|
|
4
|
-
github.com/dependabot/gomodules-extracted v1.4.2/go.mod h1:cpzrmDX1COyhSDQXHfkRMw0STb0vmguBFqmrkr51h1I=
|
|
5
|
-
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
|
6
|
-
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
|
|
7
|
-
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
|
8
|
-
golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
|
|
9
|
-
golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
|
|
10
|
-
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
|
|
11
|
-
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
|
12
|
-
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
|
13
|
-
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
|
14
|
-
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
|
15
|
-
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
|
16
|
-
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e h1:aZzprAO9/8oim3qStq3wc1Xuxx4QmAGriC4VU4ojemQ=
|
|
17
|
-
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
|
18
|
-
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
|
19
|
-
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 h1:/atklqdjdhuosWIl6AIbOeHJjicWYPqR9bpxqxYG2pA=
|
|
20
|
-
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
data/helpers/main.go
CHANGED
|
@@ -7,7 +7,6 @@ import (
|
|
|
7
7
|
"os"
|
|
8
8
|
|
|
9
9
|
"github.com/dependabot/dependabot-core/go_modules/helpers/importresolver"
|
|
10
|
-
"github.com/dependabot/dependabot-core/go_modules/helpers/updatechecker"
|
|
11
10
|
)
|
|
12
11
|
|
|
13
12
|
type HelperParams struct {
|
|
@@ -32,10 +31,6 @@ func main() {
|
|
|
32
31
|
funcErr error
|
|
33
32
|
)
|
|
34
33
|
switch helperParams.Function {
|
|
35
|
-
case "getVersions":
|
|
36
|
-
var args updatechecker.Args
|
|
37
|
-
parseArgs(helperParams.Args, &args)
|
|
38
|
-
funcOut, funcErr = updatechecker.GetVersions(&args)
|
|
39
34
|
case "getVcsRemoteForImport":
|
|
40
35
|
var args importresolver.Args
|
|
41
36
|
parseArgs(helperParams.Args, &args)
|
|
@@ -20,9 +20,11 @@ module Dependabot
|
|
|
20
20
|
/404 Not Found/,
|
|
21
21
|
/Repository not found/,
|
|
22
22
|
/unrecognized import path/,
|
|
23
|
+
/malformed module path/,
|
|
23
24
|
# (Private) module could not be fetched
|
|
24
25
|
/module .*: git ls-remote .*: exit status 128/m.freeze
|
|
25
26
|
].freeze
|
|
27
|
+
INVALID_VERSION_REGEX = /version "[^"]+" invalid/m.freeze
|
|
26
28
|
PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/.freeze
|
|
27
29
|
|
|
28
30
|
def initialize(dependency:, dependency_files:, credentials:,
|
|
@@ -73,23 +75,22 @@ module Dependabot
|
|
|
73
75
|
def available_versions
|
|
74
76
|
SharedHelpers.in_a_temporary_directory do
|
|
75
77
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
76
|
-
|
|
78
|
+
manifest = parse_manifest
|
|
79
|
+
|
|
80
|
+
# Set up an empty go.mod so 'go list -m' won't attempt to download dependencies. This
|
|
81
|
+
# appears to be a side effect of operating with GOPRIVATE=*. We'll retain any exclude
|
|
82
|
+
# directives to omit those versions.
|
|
83
|
+
File.write("go.mod", "module dummy\n")
|
|
84
|
+
manifest["Exclude"]&.each do |r|
|
|
85
|
+
SharedHelpers.run_shell_command("go mod edit -exclude=#{r['Path']}@#{r['Version']}")
|
|
86
|
+
end
|
|
77
87
|
|
|
78
88
|
# Turn off the module proxy for now, as it's causing issues with
|
|
79
89
|
# private git dependencies
|
|
80
90
|
env = { "GOPRIVATE" => "*" }
|
|
81
91
|
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
env: env,
|
|
85
|
-
function: "getVersions",
|
|
86
|
-
args: {
|
|
87
|
-
dependency: {
|
|
88
|
-
name: dependency.name,
|
|
89
|
-
version: "v" + dependency.version
|
|
90
|
-
}
|
|
91
|
-
}
|
|
92
|
-
)
|
|
92
|
+
versions_json = SharedHelpers.run_shell_command("go list -m -versions -json #{dependency.name}", env: env)
|
|
93
|
+
version_strings = JSON.parse(versions_json)["Versions"]
|
|
93
94
|
|
|
94
95
|
return [version_class.new(dependency.version)] if version_strings.nil?
|
|
95
96
|
|
|
@@ -108,6 +109,8 @@ module Dependabot
|
|
|
108
109
|
def handle_subprocess_error(error)
|
|
109
110
|
if RESOLVABILITY_ERROR_REGEXES.any? { |rgx| error.message =~ rgx }
|
|
110
111
|
ResolvabilityErrors.handle(error.message, credentials: credentials)
|
|
112
|
+
elsif INVALID_VERSION_REGEX =~ error.message
|
|
113
|
+
raise Dependabot::DependencyFileNotResolvable, error.message
|
|
111
114
|
end
|
|
112
115
|
|
|
113
116
|
raise
|
|
@@ -123,6 +126,15 @@ module Dependabot
|
|
|
123
126
|
@go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
|
|
124
127
|
end
|
|
125
128
|
|
|
129
|
+
def parse_manifest
|
|
130
|
+
SharedHelpers.in_a_temporary_directory do
|
|
131
|
+
File.write("go.mod", go_mod.content)
|
|
132
|
+
json = SharedHelpers.run_shell_command("go mod edit -json")
|
|
133
|
+
|
|
134
|
+
JSON.parse(json) || {}
|
|
135
|
+
end
|
|
136
|
+
end
|
|
137
|
+
|
|
126
138
|
def filter_prerelease_versions(versions_array)
|
|
127
139
|
return versions_array if wants_prerelease?
|
|
128
140
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-go_modules
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.169.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-11-
|
|
11
|
+
date: 2021-11-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.169.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.169.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -191,7 +191,6 @@ files:
|
|
|
191
191
|
- helpers/go.sum
|
|
192
192
|
- helpers/importresolver/main.go
|
|
193
193
|
- helpers/main.go
|
|
194
|
-
- helpers/updatechecker/main.go
|
|
195
194
|
- lib/dependabot/go_modules.rb
|
|
196
195
|
- lib/dependabot/go_modules/file_fetcher.rb
|
|
197
196
|
- lib/dependabot/go_modules/file_parser.rb
|
|
@@ -1,93 +0,0 @@
|
|
|
1
|
-
package updatechecker
|
|
2
|
-
|
|
3
|
-
import (
|
|
4
|
-
"context"
|
|
5
|
-
"errors"
|
|
6
|
-
"io/ioutil"
|
|
7
|
-
|
|
8
|
-
"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modfetch"
|
|
9
|
-
"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modload"
|
|
10
|
-
"golang.org/x/mod/modfile"
|
|
11
|
-
"golang.org/x/mod/semver"
|
|
12
|
-
)
|
|
13
|
-
|
|
14
|
-
type Dependency struct {
|
|
15
|
-
Name string `json:"name"`
|
|
16
|
-
Version string `json:"version"`
|
|
17
|
-
}
|
|
18
|
-
|
|
19
|
-
type Args struct {
|
|
20
|
-
Dependency *Dependency `json:"dependency"`
|
|
21
|
-
}
|
|
22
|
-
|
|
23
|
-
// GetVersions returns a list of versions for the given dependency that
|
|
24
|
-
// are within the same major version.
|
|
25
|
-
func GetVersions(args *Args) (interface{}, error) {
|
|
26
|
-
if args.Dependency == nil {
|
|
27
|
-
return nil, errors.New("Expected args.dependency to not be nil")
|
|
28
|
-
}
|
|
29
|
-
|
|
30
|
-
currentVersion := args.Dependency.Version
|
|
31
|
-
|
|
32
|
-
modload.DisallowWriteGoMod()
|
|
33
|
-
_ = modload.LoadModFile(context.Background())
|
|
34
|
-
|
|
35
|
-
repo := modfetch.Lookup("direct", args.Dependency.Name)
|
|
36
|
-
versions, err := repo.Versions("")
|
|
37
|
-
if err != nil {
|
|
38
|
-
return nil, err
|
|
39
|
-
}
|
|
40
|
-
|
|
41
|
-
excludes, err := goModExcludes(args.Dependency.Name)
|
|
42
|
-
if err != nil {
|
|
43
|
-
return nil, err
|
|
44
|
-
}
|
|
45
|
-
|
|
46
|
-
currentMajor := semver.Major(currentVersion)
|
|
47
|
-
|
|
48
|
-
var candidateVersions []string
|
|
49
|
-
|
|
50
|
-
Outer:
|
|
51
|
-
for _, v := range versions {
|
|
52
|
-
if semver.Major(v) != currentMajor {
|
|
53
|
-
continue
|
|
54
|
-
}
|
|
55
|
-
|
|
56
|
-
for _, exclude := range excludes {
|
|
57
|
-
if v == exclude {
|
|
58
|
-
continue Outer
|
|
59
|
-
}
|
|
60
|
-
}
|
|
61
|
-
|
|
62
|
-
candidateVersions = append(candidateVersions, v)
|
|
63
|
-
}
|
|
64
|
-
|
|
65
|
-
return candidateVersions, nil
|
|
66
|
-
}
|
|
67
|
-
|
|
68
|
-
func goModExcludes(dependency string) ([]string, error) {
|
|
69
|
-
data, err := ioutil.ReadFile("go.mod")
|
|
70
|
-
if err != nil {
|
|
71
|
-
return nil, err
|
|
72
|
-
}
|
|
73
|
-
|
|
74
|
-
var f *modfile.File
|
|
75
|
-
// TODO library detection - don't consider exclude etc for libraries
|
|
76
|
-
if "library" == "true" {
|
|
77
|
-
f, err = modfile.ParseLax("go.mod", data, nil)
|
|
78
|
-
} else {
|
|
79
|
-
f, err = modfile.Parse("go.mod", data, nil)
|
|
80
|
-
}
|
|
81
|
-
if err != nil {
|
|
82
|
-
return nil, err
|
|
83
|
-
}
|
|
84
|
-
|
|
85
|
-
var excludes []string
|
|
86
|
-
for _, e := range f.Exclude {
|
|
87
|
-
if e.Mod.Path == dependency {
|
|
88
|
-
excludes = append(excludes, e.Mod.Version)
|
|
89
|
-
}
|
|
90
|
-
}
|
|
91
|
-
|
|
92
|
-
return excludes, nil
|
|
93
|
-
}
|