dependabot-go_modules 0.263.0 → 0.264.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bd3c6aac8571fb961cbc0aee44796dab0f3a6048ef2c9f317358900638accde5
4
- data.tar.gz: 8c86047a15e8a143973be0201deb0ed49c69a2b1e15e09f9c8de4706ebb865f7
3
+ metadata.gz: 7006f9b6ed7c801d5b926f0d2ada961f624f7a7bde2057f822c661849744e54c
4
+ data.tar.gz: 796211ae01a7396bcb759cd744a4ed7074d83718b89b6ffd163d084ce5c3fdc6
5
5
  SHA512:
6
- metadata.gz: 1a2f326aa6e4cefd8ea1ec8b38ac5e1fd5171785832d1b8488a5c2d0a320bb6a103352e745f09847c61da063bd3fc1bcf7294f143bde0d8f2d618f2da97bd550
7
- data.tar.gz: 5c37714f19647c51ec74ca9e91eebb62f138e80058807a4ba9c491f9f544932ba3e45aab0d7848cc1046b736dd670ddf276422e890b1a25800c7997e34fa3480
6
+ metadata.gz: 8d2f7726c1fccc5324dc6bd7c48d088fd0fd0f2bf33062ef08d70203e92dbbf9f4222336d21b46de44a9b4d674711a860f5ab9cd98b9c9ee3a83de72d1785e8f
7
+ data.tar.gz: 76ec94c0e17dd82e22a91aabbf68d4a6976a580e1c18e2cf7c837319370e6a4054a66fc4ed16a815a54c15bd070028c8c831e2eaa500d0e255a889b23b9e4ae9
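--- a/data/helpers/go.mod
+++ b/data/helpers/go.mod
@@ -2,4 +2,7 @@ module github.com/dependabot/dependabot-core/go_modules/helpers
 
 go 1.20
 
-require github.com/Masterminds/vcs v1.13.3
+require (
+github.com/Masterminds/vcs v1.13.3
+golang.org/x/mod v0.18.0
+)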
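--- a/data/helpers/go.sum
+++ b/data/helpers/go.sum
@@ -1,2 +1,4 @@
 github.com/Masterminds/vcs v1.13.3 h1:IIA2aBdXvfbIM+yl/eTnL4hb1XwdpvuQLglAix1gweE=
 github.com/Masterminds/vcs v1.13.3/go.mod h1:TiE7xuEjl1N4j016moRd6vezp6e6Lz23gypeXfzXeW8=
+golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
+golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=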
@@ -0,0 +1,30 @@
1
+ package main
2
+
3
+ import (
4
+ "encoding/json"
5
+ "golang.org/x/mod/semver"
6
+ "os"
7
+ "reflect"
8
+ "testing"
9
+ )
10
+
11
+ // TestVersionComparison verifies that the ordered version fixture is sorted correctly.
12
+ func TestVersionComparison(t *testing.T) {
13
+ data, err := os.ReadFile("../spec/fixtures/ordered_versions.json")
14
+ if err != nil {
15
+ t.Fatalf("failed to read file: %v", err)
16
+ }
17
+ var expected []string
18
+ if err = json.Unmarshal(data, &expected); err != nil {
19
+ t.Fatalf("failed to unmarshal json: %v", err)
20
+ }
21
+
22
+ actual := make([]string, len(expected))
23
+ copy(actual, expected)
24
+ semver.Sort(actual)
25
+
26
+ // The sorted order should equal the original order in the file.
27
+ if !reflect.DeepEqual(actual, expected) {
28
+ t.Fatalf("got %v", actual)
29
+ }
30
+ }
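Review bot: The test never checks that the fixture entries are valid for `golang.org/x/mod/semver`, which requires the leading `v`; if the fixture omits it, `semver.Sort(actual)` treats every entry as invalid, the package then orders invalid strings by plain string comparison, and the `reflect.DeepEqual` check passes or fails for a reason unrelated to version ordering. Validate each entry with `semver.IsValid` before sorting and fail naming the offending value, so a malformed fixture is reported rather than silently compared lexically. `TestVersionComparison` is entirely within this hunk.
```go
	// … unchanged: read and unmarshal the fixture into expected …
	for _, v := range expected {
		if !semver.IsValid(v) {
			t.Fatalf("fixture entry %q is not a valid semver version (needs a leading \"v\")", v)
		}
	}
	actual := make([]string, len(expected))
	// … unchanged: copy, semver.Sort and DeepEqual comparison …
```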
@@ -1,6 +1,8 @@
1
- # typed: true
1
+ # typed: strong
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
5
+
4
6
  require "dependabot/shared_helpers"
5
7
  require "dependabot/file_updaters"
6
8
  require "dependabot/file_updaters/base"
@@ -9,16 +11,29 @@ require "dependabot/file_updaters/vendor_updater"
9
11
  module Dependabot
10
12
  module GoModules
11
13
  class FileUpdater < Dependabot::FileUpdaters::Base
14
+ extend T::Sig
15
+
12
16
  require_relative "file_updater/go_mod_updater"
13
17
 
14
- def initialize(dependencies:, dependency_files:, repo_contents_path: nil,
15
- credentials:, options: {})
18
+ sig do
19
+ override
20
+ .params(
21
+ dependencies: T::Array[Dependabot::Dependency],
22
+ dependency_files: T::Array[Dependabot::DependencyFile],
23
+ credentials: T::Array[Dependabot::Credential],
24
+ repo_contents_path: T.nilable(String),
25
+ options: T::Hash[Symbol, T.untyped]
26
+ )
27
+ .void
28
+ end
29
+ def initialize(dependencies:, dependency_files:, credentials:, repo_contents_path: nil, options: {})
16
30
  super
17
31
 
18
- @goprivate = options.fetch(:goprivate, "*")
32
+ @goprivate = T.let(options.fetch(:goprivate, "*"), String)
19
33
  use_repo_contents_stub if repo_contents_path.nil?
20
34
  end
21
35
 
36
+ sig { override.returns(T::Array[Regexp]) }
22
37
  def self.updated_files_regex
23
38
  [
24
39
  /^go\.mod$/,
@@ -26,25 +41,26 @@ module Dependabot
26
41
  ]
27
42
  end
28
43
 
44
+ sig { override.returns(T::Array[Dependabot::DependencyFile]) }
29
45
  def updated_dependency_files
30
46
  updated_files = []
31
47
 
32
- if go_mod && dependency_changed?(go_mod)
48
+ if go_mod && dependency_changed?(T.must(go_mod))
33
49
  updated_files <<
34
50
  updated_file(
35
- file: go_mod,
36
- content: file_updater.updated_go_mod_content
51
+ file: T.must(go_mod),
52
+ content: T.must(file_updater.updated_go_mod_content)
37
53
  )
38
54
 
39
- if go_sum && go_sum.content != file_updater.updated_go_sum_content
55
+ if go_sum && T.must(go_sum).content != file_updater.updated_go_sum_content
40
56
  updated_files <<
41
57
  updated_file(
42
- file: go_sum,
43
- content: file_updater.updated_go_sum_content
58
+ file: T.must(go_sum),
59
+ content: T.must(file_updater.updated_go_sum_content)
44
60
  )
45
61
  end
46
62
 
47
- vendor_updater.updated_vendor_cache_files(base_directory: directory)
63
+ vendor_updater.updated_files(base_directory: T.must(directory))
48
64
  .each do |file|
49
65
  updated_files << file
50
66
  end
@@ -57,19 +73,22 @@ module Dependabot
57
73
 
58
74
  private
59
75
 
76
+ sig { params(go_mod: Dependabot::DependencyFile).returns(T::Boolean) }
60
77
  def dependency_changed?(go_mod)
61
78
  # file_changed? only checks for changed requirements. Need to check for indirect dep version changes too.
62
79
  file_changed?(go_mod) || dependencies.any? { |dep| dep.previous_version != dep.version }
63
80
  end
64
81
 
82
+ sig { override.void }
65
83
  def check_required_files
66
84
  return if go_mod
67
85
 
68
86
  raise "No go.mod!"
69
87
  end
70
88
 
89
+ sig { returns(String) }
71
90
  def use_repo_contents_stub
72
- @repo_contents_stub = true
91
+ @repo_contents_stub = T.let(true, T.nilable(T::Boolean))
73
92
  @repo_contents_path = Dir.mktmpdir
74
93
 
75
94
  Dir.chdir(@repo_contents_path) do
@@ -92,22 +111,27 @@ module Dependabot
92
111
  end
93
112
  end
94
113
 
114
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
95
115
  def go_mod
96
- @go_mod ||= get_original_file("go.mod")
116
+ @go_mod ||= T.let(get_original_file("go.mod"), T.nilable(Dependabot::DependencyFile))
97
117
  end
98
118
 
119
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
99
120
  def go_sum
100
- @go_sum ||= get_original_file("go.sum")
121
+ @go_sum ||= T.let(get_original_file("go.sum"), T.nilable(Dependabot::DependencyFile))
101
122
  end
102
123
 
124
+ sig { returns(T.nilable(String)) }
103
125
  def directory
104
126
  dependency_files.first&.directory
105
127
  end
106
128
 
129
+ sig { returns(String) }
107
130
  def vendor_dir
108
131
  File.join(repo_contents_path, directory, "vendor")
109
132
  end
110
133
 
134
+ sig { returns(Dependabot::FileUpdaters::VendorUpdater) }
111
135
  def vendor_updater
112
136
  Dependabot::FileUpdaters::VendorUpdater.new(
113
137
  repo_contents_path: repo_contents_path,
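Review bot: `vendor_dir` still passes the nilable `directory` (the sig just above it declares `T.nilable(String)`) straight into `File.join`, while the rest of this release wraps the same value in `T.must(directory)`; with no dependency files `File.join` raises a bare TypeError instead of the explicit Sorbet error the other call sites now produce. Suggest `File.join(repo_contents_path, T.must(directory), "vendor")` for consistency. `repo_contents_path` is declared `T.nilable(String)` in the `initialize` sig earlier in this file, so it may deserve the same treatment, though `use_repo_contents_stub` appears to populate it when it is nil.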
@@ -115,22 +139,27 @@ module Dependabot
115
139
  )
116
140
  end
117
141
 
142
+ sig { returns(GoModUpdater) }
118
143
  def file_updater
119
- @file_updater ||=
144
+ @file_updater ||= T.let(
120
145
  GoModUpdater.new(
121
146
  dependencies: dependencies,
122
147
  dependency_files: dependency_files,
123
148
  credentials: credentials,
124
149
  repo_contents_path: repo_contents_path,
125
- directory: directory,
150
+ directory: T.must(directory),
126
151
  options: { tidy: tidy?, vendor: vendor?, goprivate: @goprivate }
127
- )
152
+ ),
153
+ T.nilable(Dependabot::GoModules::FileUpdater::GoModUpdater)
154
+ )
128
155
  end
129
156
 
157
+ sig { returns(T::Boolean) }
130
158
  def tidy?
131
159
  !@repo_contents_stub
132
160
  end
133
161
 
162
+ sig { returns(T::Boolean) }
134
163
  def vendor?
135
164
  File.exist?(File.join(vendor_dir, "modules.txt"))
136
165
  end
@@ -1,4 +1,4 @@
1
- # typed: strict
1
+ # typed: strong
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "sorbet-runtime"
@@ -1,18 +1,25 @@
1
- # typed: true
1
+ # typed: strong
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
5
+
4
6
  module Dependabot
5
7
  module GoModules
6
8
  module NativeHelpers
9
+ extend T::Sig
10
+
11
+ sig { returns(String) }
7
12
  def self.helper_path
8
13
  clean_path(File.join(native_helpers_root, "go_modules/bin/helper"))
9
14
  end
10
15
 
16
+ sig { returns(String) }
11
17
  def self.native_helpers_root
12
18
  default_path = File.join(__dir__, "../../../helpers/install-dir")
13
19
  ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
14
20
  end
15
21
 
22
+ sig { params(path: String).returns(String) }
16
23
  def self.clean_path(path)
17
24
  Pathname.new(path).cleanpath.to_path
18
25
  end
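Review bot: `native_helpers_root` has no comment stating that `DEPENDABOT_NATIVE_HELPERS_PATH` decides where `helper_path` resolves, and that path is what `SharedHelpers.run_helper_subprocess` executes (see `PathConverter.git_url_for_path` in this same release); a reader of the new sig sees only `returns(String)`. Suggest above the method: `# Root of the compiled native helpers; DEPENDABOT_NATIVE_HELPERS_PATH overrides the in-tree install dir, and the helper binary under it is executed as a subprocess by the Ruby side.` `clean_path` relies on `Pathname`, whose `require "pathname"` is not visible in this hunk, so it is worth confirming it is loaded elsewhere.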
@@ -1,19 +1,32 @@
1
- # typed: true
1
+ # typed: strong
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
5
+
4
6
  require "dependabot/go_modules/native_helpers"
5
7
 
6
8
  module Dependabot
7
9
  module GoModules
8
10
  module PathConverter
11
+ extend T::Sig
12
+
13
+ sig do
14
+ params(path: String)
15
+ .returns(
16
+ T.nilable(String)
17
+ )
18
+ end
9
19
  def self.git_url_for_path(path)
10
20
  # Save a query by manually converting golang.org/x names
11
21
  import_path = path.gsub(%r{^golang\.org/x}, "github.com/golang")
12
22
 
13
- SharedHelpers.run_helper_subprocess(
14
- command: NativeHelpers.helper_path,
15
- function: "getVcsRemoteForImport",
16
- args: { import: import_path }
23
+ T.cast(
24
+ SharedHelpers.run_helper_subprocess(
25
+ command: NativeHelpers.helper_path,
26
+ function: "getVcsRemoteForImport",
27
+ args: { import: import_path }
28
+ ),
29
+ T.nilable(String)
17
30
  )
18
31
  end
19
32
  end
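Review bot: The new `sig` for `git_url_for_path` is spread over six lines while every other sig added in this release (`NativeHelpers`, `ResolvabilityErrors`, the update checker) is a single-line block; `sig { params(path: String).returns(T.nilable(String)) }` fits comfortably on one line and matches the rest of the commit. On the `gsub` below it, `^` anchors at the start of any line rather than of the string; `%r{\Agolang\.org/x}` expresses the intended "import path begins with" check (module paths have no newlines, so this is a style point rather than a behavior change). `git_url_for_path` is entirely within this hunk.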
@@ -1,11 +1,16 @@
1
- # typed: true
1
+ # typed: strong
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
5
+
4
6
  module Dependabot
5
7
  module GoModules
6
8
  module ResolvabilityErrors
9
+ extend T::Sig
10
+
7
11
  GITHUB_REPO_REGEX = %r{github.com/[^:@]*}
8
12
 
13
+ sig { params(message: String, goprivate: T.untyped).void }
9
14
  def self.handle(message, goprivate:)
10
15
  mod_path = message.scan(GITHUB_REPO_REGEX).last
11
16
  unless mod_path && message.include?("If this is a private repository")
@@ -17,9 +22,10 @@ module Dependabot
17
22
  SharedHelpers.in_a_temporary_directory do
18
23
  File.write("go.mod", "module dummy\n")
19
24
 
25
+ mod_path = T.cast(mod_path, String)
20
26
  mod_split = mod_path.split("/")
21
27
  repo_path = if mod_split.size > 3
22
- mod_split[0..2].join("/")
28
+ T.must(mod_split[0..2]).join("/")
23
29
  else
24
30
  mod_path
25
31
  end
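Review bot: The new sig types `goprivate` as `T.untyped` although the only visible caller, `LatestVersionFinder`, declares `goprivate: String` in its own sig and forwards `@goprivate` to `handle`, and `FileUpdater` pins the same value with `T.let(..., String)` in this release; `sig { params(message: String, goprivate: String).void }` keeps `typed: strong` honest here. The added `mod_path = T.cast(mod_path, String)` is sound only if the `unless mod_path && ...` guard above always leaves the method, and that branch is cut off by the hunk, so worth confirming. `handle`'s body continues outside this hunk.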
@@ -1,7 +1,8 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "excon"
5
+ require "sorbet-runtime"
5
6
 
6
7
  require "dependabot/go_modules/update_checker"
7
8
  require "dependabot/update_checkers/version_filters"
@@ -9,7 +10,6 @@ require "dependabot/shared_helpers"
9
10
  require "dependabot/errors"
10
11
  require "dependabot/go_modules/requirement"
11
12
  require "dependabot/go_modules/resolvability_errors"
12
- require "sorbet-runtime"
13
13
 
14
14
  module Dependabot
15
15
  module GoModules
@@ -17,26 +17,47 @@ module Dependabot
17
17
  class LatestVersionFinder
18
18
  extend T::Sig
19
19
 
20
- RESOLVABILITY_ERROR_REGEXES = [
21
- # Package url/proxy doesn't include any redirect meta tags
22
- /no go-import meta tags/,
23
- # Package url 404s
24
- /404 Not Found/,
25
- /Repository not found/,
26
- /unrecognized import path/,
27
- /malformed module path/,
28
- # (Private) module could not be fetched
29
- /module .*: git ls-remote .*: exit status 128/m
30
- ].freeze
20
+ RESOLVABILITY_ERROR_REGEXES = T.let(
21
+ [
22
+ # Package url/proxy doesn't include any redirect meta tags
23
+ /no go-import meta tags/,
24
+ # Package url 404s
25
+ /404 Not Found/,
26
+ /Repository not found/,
27
+ /unrecognized import path/,
28
+ /malformed module path/,
29
+ # (Private) module could not be fetched
30
+ /module .*: git ls-remote .*: exit status 128/m
31
+ ].freeze,
32
+ T::Array[Regexp]
33
+ )
31
34
  # The module was retracted from the proxy
32
35
  # OR the version of Go required is greater than what Dependabot supports
33
36
  # OR other go.mod version errors
34
37
  INVALID_VERSION_REGEX = /(go: loading module retractions for)|(version "[^"]+" invalid)/m
35
38
  PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/
36
39
 
37
- def initialize(dependency:, dependency_files:, credentials:,
38
- ignored_versions:, security_advisories:, raise_on_ignored: false,
39
- goprivate:)
40
+ sig do
41
+ params(
42
+ dependency: Dependabot::Dependency,
43
+ dependency_files: T::Array[Dependabot::DependencyFile],
44
+ credentials: T::Array[Dependabot::Credential],
45
+ ignored_versions: T::Array[String],
46
+ security_advisories: T::Array[Dependabot::SecurityAdvisory],
47
+ goprivate: String,
48
+ raise_on_ignored: T::Boolean
49
+ )
50
+ .void
51
+ end
52
+ def initialize(
53
+ dependency:,
54
+ dependency_files:,
55
+ credentials:,
56
+ ignored_versions:,
57
+ security_advisories:,
58
+ goprivate:,
59
+ raise_on_ignored: false
60
+ )
40
61
  @dependency = dependency
41
62
  @dependency_files = dependency_files
42
63
  @credentials = credentials
@@ -46,32 +67,45 @@ module Dependabot
46
67
  @goprivate = goprivate
47
68
  end
48
69
 
70
+ sig { returns(T.nilable(Dependabot::Version)) }
49
71
  def latest_version
50
- @latest_version ||= fetch_latest_version
72
+ @latest_version ||= T.let(fetch_latest_version, T.nilable(Dependabot::Version))
51
73
  end
52
74
 
75
+ sig { returns(Dependabot::Version) }
53
76
  def lowest_security_fix_version
54
- @lowest_security_fix_version ||= fetch_lowest_security_fix_version
77
+ @lowest_security_fix_version ||= T.let(fetch_lowest_security_fix_version, T.nilable(Dependabot::Version))
55
78
  end
56
79
 
57
80
  private
58
81
 
82
+ sig { returns(Dependabot::Dependency) }
59
83
  attr_reader :dependency
84
+
85
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
60
86
  attr_reader :dependency_files
87
+
88
+ sig { returns(T::Array[Dependabot::Credential]) }
61
89
  attr_reader :credentials
90
+
91
+ sig { returns(T::Array[String]) }
62
92
  attr_reader :ignored_versions
93
+
94
+ sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
63
95
  attr_reader :security_advisories
64
96
 
97
+ sig { returns(T.nilable(Dependabot::Version)) }
65
98
  def fetch_latest_version
66
99
  candidate_versions = available_versions
67
100
  candidate_versions = filter_prerelease_versions(candidate_versions)
68
101
  candidate_versions = filter_ignored_versions(candidate_versions)
69
102
  # Adding the psuedo-version to the list to avoid downgrades
70
- candidate_versions << dependency.version if PSEUDO_VERSION_REGEX.match?(dependency.version)
103
+ candidate_versions << version_class.new(dependency.version) if PSEUDO_VERSION_REGEX.match?(dependency.version)
71
104
 
72
105
  candidate_versions.max
73
106
  end
74
107
 
108
+ sig { returns(Dependabot::Version) }
75
109
  def fetch_lowest_security_fix_version
76
110
  relevant_versions = available_versions
77
111
  relevant_versions = filter_prerelease_versions(relevant_versions)
@@ -80,13 +114,15 @@ module Dependabot
80
114
  relevant_versions = filter_ignored_versions(relevant_versions)
81
115
  relevant_versions = filter_lower_versions(relevant_versions)
82
116
 
83
- relevant_versions.min
117
+ T.must(relevant_versions.min)
84
118
  end
85
119
 
120
+ sig { returns(T::Array[Dependabot::Version]) }
86
121
  def available_versions
87
- @available_versions ||= fetch_available_versions
122
+ @available_versions ||= T.let(fetch_available_versions, T.nilable(T::Array[Dependabot::Version]))
88
123
  end
89
124
 
125
+ sig { returns(T::Array[Dependabot::Version]) }
90
126
  def fetch_available_versions
91
127
  SharedHelpers.in_a_temporary_directory do
92
128
  SharedHelpers.with_git_configured(credentials: credentials) do
@@ -124,26 +160,29 @@ module Dependabot
124
160
  ResolvabilityErrors.handle(e.message, goprivate: @goprivate)
125
161
  end
126
162
 
163
+ sig { params(error: StandardError).returns(T::Boolean) }
127
164
  def transitory_failure?(error)
128
165
  return true if error.message.include?("EOF")
129
166
 
130
167
  error.message.include?("Internal Server Error")
131
168
  end
132
169
 
170
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
133
171
  def go_mod
134
- @go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
172
+ @go_mod ||= T.let(dependency_files.find { |f| f.name == "go.mod" }, T.nilable(Dependabot::DependencyFile))
135
173
  end
136
174
 
175
+ sig { returns(T::Hash[String, T.untyped]) }
137
176
  def parse_manifest
138
177
  SharedHelpers.in_a_temporary_directory do
139
- File.write("go.mod", go_mod.content)
178
+ File.write("go.mod", T.must(go_mod).content)
140
179
  json = SharedHelpers.run_shell_command("go mod edit -json")
141
180
 
142
181
  JSON.parse(json) || {}
143
182
  end
144
183
  end
145
184
 
146
- sig { params(versions_array: T::Array[Gem::Version]).returns(T::Array[Gem::Version]) }
185
+ sig { params(versions_array: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
147
186
  def filter_prerelease_versions(versions_array)
148
187
  return versions_array if wants_prerelease?
149
188
 
@@ -154,6 +193,7 @@ module Dependabot
154
193
  filtered
155
194
  end
156
195
 
196
+ sig { params(versions_array: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
157
197
  def filter_lower_versions(versions_array)
158
198
  return versions_array unless dependency.numeric_version
159
199
 
@@ -161,7 +201,7 @@ module Dependabot
161
201
  .select { |version| version > dependency.numeric_version }
162
202
  end
163
203
 
164
- sig { params(versions_array: T::Array[Gem::Version]).returns(T::Array[Gem::Version]) }
204
+ sig { params(versions_array: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
165
205
  def filter_ignored_versions(versions_array)
166
206
  filtered = versions_array
167
207
  .reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
@@ -176,22 +216,28 @@ module Dependabot
176
216
  filtered
177
217
  end
178
218
 
219
+ sig { returns(T::Boolean) }
179
220
  def wants_prerelease?
180
- @wants_prerelease ||=
221
+ @wants_prerelease ||= T.let(
181
222
  begin
182
223
  current_version = dependency.numeric_version
183
- current_version&.prerelease?
184
- end
224
+ !current_version&.prerelease?.nil?
225
+ end,
226
+ T.nilable(T::Boolean)
227
+ )
185
228
  end
186
229
 
230
+ sig { returns(T::Array[Dependabot::Requirement]) }
187
231
  def ignore_requirements
188
232
  ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
189
233
  end
190
234
 
235
+ sig { returns(T.class_of(Dependabot::Requirement)) }
191
236
  def requirement_class
192
237
  dependency.requirement_class
193
238
  end
194
239
 
240
+ sig { returns(T.class_of(Dependabot::Version)) }
195
241
  def version_class
196
242
  dependency.version_class
197
243
  end
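Review bot: The rewritten `wants_prerelease?` body `!current_version&.prerelease?.nil?` is true for every dependency that has a numeric version: for a release version `prerelease?` is `false`, `false.nil?` is `false`, and the negation is `true`, so only a `nil` `current_version` yields `false`. Because `filter_prerelease_versions` earlier in this file returns its input unfiltered when `wants_prerelease?` is true, prerelease candidates are no longer filtered out of `latest_version` for dependencies on a release version. A `T::Boolean` result that keeps the old meaning is `current_version ? current_version.prerelease? : false`. Separately, `fetch_lowest_security_fix_version` now does `T.must(relevant_versions.min)`, which raises when no fixing version exists where the old code returned `nil`; callers that treated `nil` as "no fix available" (the nilable sig on `lowest_resolvable_security_fix_version` suggests there are some) should be checked.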
@@ -1,6 +1,8 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
5
+
4
6
  require "dependabot/update_checkers"
5
7
  require "dependabot/update_checkers/base"
6
8
  require "dependabot/shared_helpers"
@@ -10,8 +12,11 @@ require "dependabot/go_modules/version"
10
12
  module Dependabot
11
13
  module GoModules
12
14
  class UpdateChecker < Dependabot::UpdateCheckers::Base
15
+ extend T::Sig
16
+
13
17
  require_relative "update_checker/latest_version_finder"
14
18
 
19
+ sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
15
20
  def latest_resolvable_version
16
21
  latest_version_finder.latest_version
17
22
  end
@@ -19,25 +24,30 @@ module Dependabot
19
24
  # This is currently used to short-circuit latest_resolvable_version,
20
25
  # with the assumption that it'll be quicker than checking
21
26
  # resolvability. As this is quite quick in Go anyway, we just alias.
27
+ sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
22
28
  def latest_version
23
29
  latest_resolvable_version
24
30
  end
25
31
 
32
+ sig { override.returns(T.nilable(Dependabot::Version)) }
26
33
  def lowest_resolvable_security_fix_version
27
34
  raise "Dependency not vulnerable!" unless vulnerable?
28
35
 
29
36
  lowest_security_fix_version
30
37
  end
31
38
 
39
+ sig { override.returns(Dependabot::Version) }
32
40
  def lowest_security_fix_version
33
41
  latest_version_finder.lowest_security_fix_version
34
42
  end
35
43
 
44
+ sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
36
45
  def latest_resolvable_version_with_no_unlock
37
46
  # Irrelevant, since Go modules uses a single dependency file
38
47
  nil
39
48
  end
40
49
 
50
+ sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
41
51
  def updated_requirements
42
52
  dependency.requirements.map do |req|
43
53
  req.merge(requirement: latest_version)
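Review bot: The sigs for `latest_resolvable_version` (previous hunk) and `latest_version` declare `T.nilable(T.any(String, Gem::Version))`, but both resolve to `latest_version_finder.latest_version`, whose sig in this same release is `T.nilable(Dependabot::Version)`; `latest_resolvable_version_with_no_unlock` just below already uses `T.any(String, Dependabot::Version)`, so the three overrides disagree with each other. Narrowing all three to `T.nilable(Dependabot::Version)`, or at least the same union, documents the type the code actually returns; an `override` may narrow the base return type, assuming `Base` declares the wider union.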
@@ -46,8 +56,9 @@ module Dependabot
46
56
 
47
57
  private
48
58
 
59
+ sig { returns(Dependabot::GoModules::UpdateChecker::LatestVersionFinder) }
49
60
  def latest_version_finder
50
- @latest_version_finder ||=
61
+ @latest_version_finder ||= T.let(
51
62
  LatestVersionFinder.new(
52
63
  dependency: dependency,
53
64
  dependency_files: dependency_files,
@@ -56,23 +67,29 @@ module Dependabot
56
67
  security_advisories: security_advisories,
57
68
  raise_on_ignored: raise_on_ignored,
58
69
  goprivate: options.fetch(:goprivate, "*")
59
- )
70
+ ),
71
+ T.nilable(Dependabot::GoModules::UpdateChecker::LatestVersionFinder)
72
+ )
60
73
  end
61
74
 
75
+ sig { override.returns(T::Boolean) }
62
76
  def latest_version_resolvable_with_full_unlock?
63
77
  # Full unlock checks aren't implemented for Go (yet)
64
78
  false
65
79
  end
66
80
 
81
+ sig { override.returns(T::Array[Dependabot::Dependency]) }
67
82
  def updated_dependencies_after_full_unlock
68
83
  raise NotImplementedError
69
84
  end
70
85
 
71
86
  # Go only supports semver and semver-compliant pseudo-versions, so it can't be a SHA.
87
+ sig { returns(T::Boolean) }
72
88
  def existing_version_is_sha?
73
89
  false
74
90
  end
75
91
 
92
+ sig { params(tag: T.nilable(T::Hash[Symbol, String])).returns(T.untyped) }
76
93
  def version_from_tag(tag)
77
94
  # To compare with the current version we either use the commit SHA
78
95
  # (if that's what the parser picked up) or the tag name.
@@ -81,6 +98,7 @@ module Dependabot
81
98
  tag&.fetch(:tag)
82
99
  end
83
100
 
101
+ sig { returns(T::Hash[Symbol, T.untyped]) }
84
102
  def default_source
85
103
  { type: "default", source: dependency.name }
86
104
  end
@@ -1,4 +1,4 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  # Go pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
@@ -6,6 +6,8 @@
6
6
  # alteration.
7
7
  # Best docs are at https://github.com/Masterminds/semver
8
8
 
9
+ require "sorbet-runtime"
10
+
9
11
  require "dependabot/version"
10
12
  require "dependabot/utils"
11
13
 
@@ -19,6 +21,7 @@ module Dependabot
19
21
  '(\+incompatible)?'
20
22
  ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
21
23
 
24
+ sig { override.params(version: VersionParameter).returns(T::Boolean) }
22
25
  def self.correct?(version)
23
26
  version = version.gsub(/^v/, "") if version.is_a?(String)
24
27
  version = version.to_s.split("+").first if version.to_s.include?("+")
@@ -26,34 +29,40 @@ module Dependabot
26
29
  super(version)
27
30
  end
28
31
 
32
+ sig { override.params(version: VersionParameter).void }
29
33
  def initialize(version)
30
- @version_string = version.to_s.gsub(/^v/, "")
34
+ @version_string = T.let(version.to_s.gsub(/^v/, ""), String)
31
35
  version = version.gsub(/^v/, "") if version.is_a?(String)
32
36
  version = version.to_s.split("+").first if version.to_s.include?("+")
37
+ @prerelease = T.let(nil, T.nilable(String))
33
38
  version, @prerelease = version.to_s.split("-", 2) if version.to_s.include?("-")
34
39
 
35
40
  super
36
41
  end
37
42
 
43
+ sig { returns(String) }
38
44
  def inspect # :nodoc:
39
45
  "#<#{self.class} #{@version_string.inspect}>"
40
46
  end
41
47
 
48
+ sig { returns(String) }
42
49
  def to_s
43
50
  @version_string
44
51
  end
45
52
 
53
+ sig { params(other: Object).returns(T.nilable(Integer)) }
46
54
  def <=>(other)
47
55
  result = super(other)
48
56
  return if result.nil?
49
57
  return result unless result.zero?
50
58
 
51
- other = self.class.new(other) unless other.is_a?(Version)
59
+ other = self.class.new(other.to_s) unless other.is_a?(Version)
52
60
  compare_prerelease(@prerelease || "", T.unsafe(other).prerelease || "")
53
61
  end
54
62
 
55
63
  protected
56
64
 
65
+ sig { returns(T.nilable(String)) }
57
66
  attr_reader :prerelease
58
67
 
59
68
  private
@@ -62,6 +71,7 @@ module Dependabot
62
71
  # see https://github.com/golang/mod/blob/fa1ba4269bda724bb9f01ec381fbbaf031e45833/semver/semver.go#L333
63
72
  # rubocop:disable Metrics/CyclomaticComplexity
64
73
  # rubocop:disable Metrics/PerceivedComplexity
74
+ sig { params(left: T.untyped, right: T.untyped).returns(Integer) }
65
75
  def compare_prerelease(left, right)
66
76
  return 0 if left == right
67
77
  return 1 if left == ""
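Review bot: `compare_prerelease` is given `left: T.untyped, right: T.untyped` although its only visible caller passes `@prerelease || ""` and `T.unsafe(other).prerelease || ""`, and `@prerelease` is declared `T.nilable(String)` in `initialize`; `sig { params(left: String, right: String).returns(Integer) }` is the type the code already guarantees and lets Sorbet check the string comparisons in the body. The same applies to `num?(data)` in the next hunk, whose `data[i] >= "0"` comparisons only make sense for a `String`. Both method bodies continue outside their hunks.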
@@ -98,12 +108,14 @@ module Dependabot
98
108
  # rubocop:enable Metrics/CyclomaticComplexity
99
109
  # rubocop:enable Metrics/PerceivedComplexity
100
110
 
111
+ sig { params(data: String).returns(T.untyped) }
101
112
  def next_ident(data)
102
113
  i = 0
103
114
  i += 1 while i < data.length && data[i] != "."
104
115
  [data[0..i], data[i..-1]]
105
116
  end
106
117
 
118
+ sig { params(data: T.untyped).returns(T::Boolean) }
107
119
  def num?(data)
108
120
  i = 0
109
121
  i += 1 while i < data.length && data[i] >= "0" && data[i] <= "9"
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-go_modules
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.263.0
4
+ version: 0.264.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-06-27 00:00:00.000000000 Z
11
+ date: 2024-07-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.263.0
19
+ version: 0.264.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.263.0
26
+ version: 0.264.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -248,6 +248,7 @@ files:
248
248
  - helpers/go.sum
249
249
  - helpers/importresolver/main.go
250
250
  - helpers/main.go
251
+ - helpers/version_test.go
251
252
  - lib/dependabot/go_modules.rb
252
253
  - lib/dependabot/go_modules/file_fetcher.rb
253
254
  - lib/dependabot/go_modules/file_parser.rb
@@ -267,7 +268,7 @@ licenses:
267
268
  - MIT
268
269
  metadata:
269
270
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
270
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.263.0
271
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.264.0
271
272
  post_install_message:
272
273
  rdoc_options: []
273
274
  require_paths: