dependabot-go_modules 0.169.8 → 0.171.0
- checksums.yaml +4 -4
- data/lib/dependabot/go_modules/file_parser.rb +2 -18
- data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb +10 -9
- data/lib/dependabot/go_modules/file_updater.rb +2 -1
- data/lib/dependabot/go_modules/resolvability_errors.rb +2 -2
- data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb +8 -7
- data/lib/dependabot/go_modules/update_checker.rb +2 -1
- metadata +9 -9
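--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7bb98f9232fc60271c73a1831cc083e87c797b517df69d7ae0f6dfac3ce7296e
+data.tar.gz: 022327e2aedc1847b7c61c4447bde204de83582dc7468de17c4a4998b94f5bbe
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5e7246519c6fdee204de424a9622ba98f385817ee50b0939a47580bb01f30d988660372edd24a35550fefed339ddd2c562563096463c21018b93a016a88a33e9
+data.tar.gz: 303b4ffa79a6e3dfd15959c8154009d66039d56a0c809498dbc9b7d289b66609a80b990b88cbe170edbba8e284ef9fd7278bf7fe8132ea390f77d69b16d801bb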
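--- a/data/lib/dependabot/go_modules/file_parser.rb
+++ b/data/lib/dependabot/go_modules/file_parser.rb
@@ -73,21 +73,9 @@ module Dependabot
 
 command = "go mod edit -json"
 
-
-# private git dependencies
-env = { "GOPRIVATE" => "*" }
-
-stdout, stderr, status = Open3.capture3(env, command)
+stdout, stderr, status = Open3.capture3(command)
 handle_parser_error(path, stderr) unless status.success?
 JSON.parse(stdout)["Require"] || []
-rescue Dependabot::DependencyFileNotResolvable
-# We sometimes see this error if a host times out.
-# In such cases, retrying (a maximum of 3 times) may fix it.
-retry_count ||= 0
-raise if retry_count >= 3
-
-retry_count += 1
-retry
 end
 end
 
@@ -109,11 +97,7 @@ module Dependabot
 # directives
 command = "go mod edit -json"
 
-
-# private git dependencies
-env = { "GOPRIVATE" => "*" }
-
-stdout, stderr, status = Open3.capture3(env, command)
+stdout, stderr, status = Open3.capture3(command)
 handle_parser_error(path, stderr) unless status.success?
 
 JSON.parse(stdout)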
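Review bot: The `go mod edit -json` call at new line 76 (and again at new line 100) now runs without GOPRIVATE, which is safe because `go mod edit` only rewrites the local go.mod and never contacts a module proxy or checksum database; a one-line comment would stop someone re-adding the env hash, e.g. `# go mod edit is purely local: no proxy or GOPRIVATE settings apply.`. The first hunk also deletes the three-attempt retry on `Dependabot::DependencyFileNotResolvable`; since the command is offline, the "host times out" rationale never applied here, but if `handle_parser_error` is the only raise path then any failure now surfaces on the first attempt, so confirm that is intended. The enclosing method begins above the first hunk.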
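--- a/data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb
+++ b/data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb
@@ -11,10 +11,6 @@ module Dependabot
 module GoModules
 class FileUpdater
 class GoModUpdater
-# Turn off the module proxy for now, as it's causing issues with
-# private git dependencies
-ENVIRONMENT = { "GOPRIVATE" => "*" }.freeze
-
 RESOLVABILITY_ERROR_REGEXES = [
 # The checksum in go.sum does not match the downloaded content
 /verifying .*: checksum mismatch/.freeze,
@@ -61,6 +57,7 @@ module Dependabot
 @directory = directory
 @tidy = options.fetch(:tidy, false)
 @vendor = options.fetch(:vendor, false)
+@goprivate = options.fetch(:goprivate)
 end
 
 def updated_go_mod_content
@@ -145,14 +142,14 @@ module Dependabot
 # continue here. `go mod tidy` shouldn't block updating versions
 # because there are some edge cases where it's OK to fail (such as
 # generated files not available yet to us).
-Open3.capture3(
+Open3.capture3(environment, command)
 end
 
 def run_go_vendor
 return unless vendor?
 
 command = "go mod vendor"
-_, stderr, status = Open3.capture3(
+_, stderr, status = Open3.capture3(environment, command)
 handle_subprocess_error(stderr) unless status.success?
 end
 
@@ -174,7 +171,7 @@ module Dependabot
 end
 command = SharedHelpers.escape_command(command)
 
-_, stderr, status = Open3.capture3(
+_, stderr, status = Open3.capture3(environment, command)
 handle_subprocess_error(stderr) unless status.success?
 ensure
 File.delete(tmp_go_file) if File.exist?(tmp_go_file)
@@ -182,7 +179,7 @@ module Dependabot
 
 def parse_manifest
 command = "go mod edit -json"
-stdout, stderr, status = Open3.capture3(
+stdout, stderr, status = Open3.capture3(environment, command)
 handle_subprocess_error(stderr) unless status.success?
 
 JSON.parse(stdout) || {}
@@ -246,7 +243,7 @@ module Dependabot
 repo_error_regex = REPO_RESOLVABILITY_ERROR_REGEXES.find { |r| stderr =~ r }
 if repo_error_regex
 error_message = filter_error_message(message: stderr, regex: repo_error_regex)
-ResolvabilityErrors.handle(error_message, credentials: credentials)
+ResolvabilityErrors.handle(error_message, credentials: credentials, goprivate: @goprivate)
 end
 
 path_regex = MODULE_PATH_MISMATCH_REGEXES.find { |r| stderr =~ r }
@@ -292,6 +289,10 @@ module Dependabot
 def vendor?
 !!@vendor
 end
+
+def environment
+{ "GOPRIVATE" => @goprivate }
+end
 end
 end
 end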
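Review bot: The new `environment` helper at new lines 293-295 is undocumented even though it decides, for every `go mod tidy`, `go mod vendor`, `go get` and `go mod edit` subprocess in this class, which modules skip the module proxy and the checksum database; a comment should make that explicit, e.g. `# GOPRIVATE also implies GONOPROXY and GONOSUMDB: modules matching these globs are fetched directly and are not verified against the sum DB.`. `options.fetch(:goprivate)` at new line 60 has no default, unlike the `"*"` fallback used by `FileUpdater` and `UpdateChecker` in this same commit, so any other constructor of `GoModUpdater` would fail with a bare `KeyError`; that is acceptable while `FileUpdater` remains the only caller, but worth noting in the `initialize` docs. The `parse_manifest` call at new line 182 also passes `environment` although `go mod edit -json` is a local command, which is harmless but inconsistent with the change made to `FileParser` in this release.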
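--- a/data/lib/dependabot/go_modules/file_updater.rb
+++ b/data/lib/dependabot/go_modules/file_updater.rb
@@ -14,6 +14,7 @@ module Dependabot
 credentials:, options: {})
 super
 
+@goprivate = options.fetch(:goprivate, "*")
 use_repo_contents_stub if repo_contents_path.nil?
 end
 
@@ -114,7 +115,7 @@ module Dependabot
 credentials: credentials,
 repo_contents_path: repo_contents_path,
 directory: directory,
-options: { tidy: tidy?, vendor: vendor
+options: { tidy: tidy?, vendor: vendor?, goprivate: @goprivate }
 )
 end
 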
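Review bot: The `"*"` fallback in `options.fetch(:goprivate, "*")` at new line 17 is duplicated verbatim in update_checker.rb (new line 75), and it is the security-relevant default: `"*"` keeps the previous behaviour of treating every module as private, so nothing is fetched through the proxy or checked against the checksum database unless the caller narrows it. Both sites should reference one named constant with a comment rather than a bare literal, e.g. `# Matches every module: bypasses proxy and sum-DB verification for all paths (legacy default).` above something like `DEFAULT_GOPRIVATE = "*"`, so the two entry points cannot drift apart. The `initialize` that line 17 belongs to starts above the hunk.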
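--- a/data/lib/dependabot/go_modules/resolvability_errors.rb
+++ b/data/lib/dependabot/go_modules/resolvability_errors.rb
@@ -5,7 +5,7 @@ module Dependabot
 module ResolvabilityErrors
 GITHUB_REPO_REGEX = %r{github.com/[^:@]*}.freeze
 
-def self.handle(message, credentials:)
+def self.handle(message, credentials:, goprivate:)
 mod_path = message.scan(GITHUB_REPO_REGEX).last
 raise Dependabot::DependencyFileNotResolvable, message unless mod_path
 
@@ -22,7 +22,7 @@ module Dependabot
 mod_path
 end
 
-env = { "GOPRIVATE" =>
+env = { "GOPRIVATE" => goprivate }
 _, _, status = Open3.capture3(env, SharedHelpers.escape_command("go list -m -versions #{repo_path}"))
 raise Dependabot::DependencyFileNotResolvable, message if status.success?
 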
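Review bot: `goprivate:` becomes a required keyword on `self.handle` at new line 8 with no documentation of what it is or why it matters here; the value is only used to build the `env` at new line 25 for the `go list -m -versions` probe, whose success or failure decides whether the error is re-raised as `DependencyFileNotResolvable`, so a different GOPRIVATE value can change which branch is taken. Suggest a YARD line such as `# @param goprivate [String] GOPRIVATE glob list applied when probing the module with go list; controls proxy/sum-DB bypass`. Both callers in this release (`GoModUpdater#handle_subprocess_error` and `LatestVersionFinder#handle_subprocess_error`) pass it, so the signature change is consistent within the gem; the method body continues below the second hunk.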
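--- a/data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb
+++ b/data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb
@@ -28,13 +28,15 @@ module Dependabot
 PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/.freeze
 
 def initialize(dependency:, dependency_files:, credentials:,
-ignored_versions:, security_advisories:, raise_on_ignored: false
+ignored_versions:, security_advisories:, raise_on_ignored: false,
+goprivate:)
 @dependency = dependency
 @dependency_files = dependency_files
 @credentials = credentials
 @ignored_versions = ignored_versions
 @security_advisories = security_advisories
 @raise_on_ignored = raise_on_ignored
+@goprivate = goprivate
 end
 
 def latest_version
@@ -78,16 +80,15 @@ module Dependabot
 manifest = parse_manifest
 
 # Set up an empty go.mod so 'go list -m' won't attempt to download dependencies. This
-# appears to be a side effect of operating with GOPRIVATE
-# directives to omit those versions.
+# appears to be a side effect of operating with modules included in GOPRIVATE. We'll
+# retain any exclude directives to omit those versions.
 File.write("go.mod", "module dummy\n")
 manifest["Exclude"]&.each do |r|
 SharedHelpers.run_shell_command("go mod edit -exclude=#{r['Path']}@#{r['Version']}")
 end
 
-# Turn off the module proxy for
-
-env = { "GOPRIVATE" => "*" }
+# Turn off the module proxy for private dependencies
+env = { "GOPRIVATE" => @goprivate }
 
 versions_json = SharedHelpers.run_shell_command("go list -m -versions -json #{dependency.name}", env: env)
 version_strings = JSON.parse(versions_json)["Versions"]
@@ -108,7 +109,7 @@ module Dependabot
 
 def handle_subprocess_error(error)
 if RESOLVABILITY_ERROR_REGEXES.any? { |rgx| error.message =~ rgx }
-ResolvabilityErrors.handle(error.message, credentials: credentials)
+ResolvabilityErrors.handle(error.message, credentials: credentials, goprivate: @goprivate)
 elsif INVALID_VERSION_REGEX =~ error.message
 raise Dependabot::DependencyFileNotResolvable, error.message
 end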
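Review bot: The rewritten comment at new line 90, `# Turn off the module proxy for private dependencies`, undersells what the env at new line 91 does: GOPRIVATE also acts as GONOSUMDB, so every module matching `@goprivate` is fetched directly and its `go list -m -versions` result is never cross-checked against the checksum database, and with the `"*"` default passed by `UpdateChecker` that still covers every module. A more accurate comment would be `# GOPRIVATE (implies GONOPROXY + GONOSUMDB): matching modules bypass the proxy and sum-DB verification`. The new required `goprivate:` keyword at new line 32 has no default, unlike the `"*"` fallback in `FileUpdater` and `UpdateChecker`, which is fine while `UpdateChecker#latest_version_finder` is the only constructor but deserves a `# @param goprivate [String]` line in the `initialize` docs. The `latest_version` method around the second hunk starts and ends outside it.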
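--- a/data/lib/dependabot/go_modules/update_checker.rb
+++ b/data/lib/dependabot/go_modules/update_checker.rb
@@ -71,7 +71,8 @@ module Dependabot
 credentials: credentials,
 ignored_versions: ignored_versions,
 security_advisories: security_advisories,
-raise_on_ignored: raise_on_ignored
+raise_on_ignored: raise_on_ignored,
+goprivate: options.fetch(:goprivate, "*")
 )
 end
 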
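--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.171.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2022-01-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.171.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.171.0
 - !ruby/object:Gem::Dependency
-name:
+name: debug
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
-version:
+version: 1.0.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
-version:
+version: 1.0.0
 - !ruby/object:Gem::Dependency
 name: gpgme
 requirement: !ruby/object:Gem::Requirement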