dependabot-go_modules 0.309.0 → 0.311.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: '087090666b622798f189304a67e8383de5dbeddaaddec1f12ad0d9493310a578'
|
|
4
|
+
data.tar.gz: c88dfb340497920aefa89a4ba79813755c2a273e1a617205ede0d95f6592d7e2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8d2f0abb657659d6876e4690d1ec120f6f378e6ba1fd9b193ef8f1cffbc5874726ca8153b0cf652d9d1765ae6fad98ea918e8b45e7dd4eeb6e9e95cf1bdebba2
|
|
7
|
+
data.tar.gz: 6aaafa90636a7f22b115b36f83ec11a2f271d19c2ffdee3feb7e7842a53f8ccbec4e182334f1948c16aed724e30db733e10950dab4dc52602477ef72f4ac1060
|
|
@@ -0,0 +1,174 @@
|
|
|
1
|
+
# typed: strict
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require "excon"
|
|
5
|
+
require "sorbet-runtime"
|
|
6
|
+
|
|
7
|
+
require "dependabot/go_modules/update_checker"
|
|
8
|
+
require "dependabot/update_checkers/version_filters"
|
|
9
|
+
require "dependabot/shared_helpers"
|
|
10
|
+
require "dependabot/errors"
|
|
11
|
+
require "dependabot/go_modules/requirement"
|
|
12
|
+
require "dependabot/go_modules/resolvability_errors"
|
|
13
|
+
|
|
14
|
+
module Dependabot
|
|
15
|
+
module GoModules
|
|
16
|
+
module Package
|
|
17
|
+
class PackageDetailsFetcher
|
|
18
|
+
extend T::Sig
|
|
19
|
+
|
|
20
|
+
RESOLVABILITY_ERROR_REGEXES = T.let(
|
|
21
|
+
[
|
|
22
|
+
# Package url/proxy doesn't include any redirect meta tags
|
|
23
|
+
/no go-import meta tags/,
|
|
24
|
+
# Package url 404s
|
|
25
|
+
/404 Not Found/,
|
|
26
|
+
/Repository not found/,
|
|
27
|
+
/unrecognized import path/,
|
|
28
|
+
/malformed module path/,
|
|
29
|
+
# (Private) module could not be fetched
|
|
30
|
+
/module .*: git ls-remote .*: exit status 128/m
|
|
31
|
+
].freeze,
|
|
32
|
+
T::Array[Regexp]
|
|
33
|
+
)
|
|
34
|
+
# The module was retracted from the proxy
|
|
35
|
+
# OR the version of Go required is greater than what Dependabot supports
|
|
36
|
+
# OR other go.mod version errors
|
|
37
|
+
INVALID_VERSION_REGEX = /(go: loading module retractions for)|(version "[^"]+" invalid)/m
|
|
38
|
+
PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/
|
|
39
|
+
|
|
40
|
+
sig do
|
|
41
|
+
params(
|
|
42
|
+
dependency: Dependabot::Dependency,
|
|
43
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
44
|
+
credentials: T::Array[Dependabot::Credential],
|
|
45
|
+
goprivate: String
|
|
46
|
+
).void
|
|
47
|
+
end
|
|
48
|
+
def initialize(dependency:, dependency_files:, credentials:, goprivate:)
|
|
49
|
+
@dependency = dependency
|
|
50
|
+
@dependency_files = dependency_files
|
|
51
|
+
@credentials = credentials
|
|
52
|
+
@goprivate = T.let(goprivate, String)
|
|
53
|
+
|
|
54
|
+
@source_type = T.let(nil, T.nilable(String))
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
sig { returns(Dependabot::Dependency) }
|
|
58
|
+
attr_reader :dependency
|
|
59
|
+
|
|
60
|
+
sig { returns(T::Array[T.untyped]) }
|
|
61
|
+
attr_reader :dependency_files
|
|
62
|
+
|
|
63
|
+
sig { returns(T::Array[T.untyped]) }
|
|
64
|
+
attr_reader :credentials
|
|
65
|
+
|
|
66
|
+
sig { returns(String) }
|
|
67
|
+
attr_reader :goprivate
|
|
68
|
+
|
|
69
|
+
# rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity
|
|
70
|
+
sig { returns(T::Array[Dependabot::Package::PackageRelease]) }
|
|
71
|
+
def fetch_available_versions
|
|
72
|
+
SharedHelpers.in_a_temporary_directory do
|
|
73
|
+
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
74
|
+
manifest = parse_manifest
|
|
75
|
+
|
|
76
|
+
# Set up an empty go.mod so 'go list -m' won't attempt to download dependencies. This
|
|
77
|
+
# appears to be a side effect of operating with modules included in GOPRIVATE. We'll
|
|
78
|
+
# retain any exclude directives to omit those versions.
|
|
79
|
+
File.write("go.mod", "module dummy\n")
|
|
80
|
+
manifest["Exclude"]&.each do |r|
|
|
81
|
+
SharedHelpers.run_shell_command("go mod edit -exclude=#{r['Path']}@#{r['Version']}")
|
|
82
|
+
end
|
|
83
|
+
|
|
84
|
+
# Turn off the module proxy for private dependencies
|
|
85
|
+
env = { "GOPRIVATE" => @goprivate }
|
|
86
|
+
|
|
87
|
+
versions_json = SharedHelpers.run_shell_command(
|
|
88
|
+
"go list -m -versions -json #{dependency.name}",
|
|
89
|
+
fingerprint: "go list -m -versions -json <dependency_name>",
|
|
90
|
+
env: env
|
|
91
|
+
)
|
|
92
|
+
version_strings = JSON.parse(versions_json)["Versions"]
|
|
93
|
+
|
|
94
|
+
return [package_release(version: T.must(dependency.version))] if version_strings.nil?
|
|
95
|
+
|
|
96
|
+
version_info = version_strings.select { |v| version_class.correct?(v) }
|
|
97
|
+
.map { |version| version }
|
|
98
|
+
|
|
99
|
+
package_releases = []
|
|
100
|
+
|
|
101
|
+
version_info.map do |version|
|
|
102
|
+
package_releases << package_release(
|
|
103
|
+
version: version
|
|
104
|
+
)
|
|
105
|
+
end
|
|
106
|
+
|
|
107
|
+
return package_releases
|
|
108
|
+
end
|
|
109
|
+
end
|
|
110
|
+
rescue SharedHelpers::HelperSubprocessFailed => e
|
|
111
|
+
retry_count ||= 0
|
|
112
|
+
retry_count += 1
|
|
113
|
+
retry if transitory_failure?(e) && retry_count < 2
|
|
114
|
+
|
|
115
|
+
ResolvabilityErrors.handle(e.message, goprivate: @goprivate)
|
|
116
|
+
[package_release(version: T.must(dependency.version))]
|
|
117
|
+
end
|
|
118
|
+
# rubocop:enable Metrics/AbcSize,Metrics/PerceivedComplexity
|
|
119
|
+
|
|
120
|
+
sig { params(error: StandardError).returns(T::Boolean) }
|
|
121
|
+
def transitory_failure?(error)
|
|
122
|
+
return true if error.message.include?("EOF")
|
|
123
|
+
|
|
124
|
+
error.message.include?("Internal Server Error")
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
128
|
+
def go_mod
|
|
129
|
+
@go_mod ||= T.let(dependency_files.find { |f| f.name == "go.mod" }, T.nilable(Dependabot::DependencyFile))
|
|
130
|
+
end
|
|
131
|
+
|
|
132
|
+
sig do
|
|
133
|
+
params(
|
|
134
|
+
version: String
|
|
135
|
+
).returns(Dependabot::Package::PackageRelease)
|
|
136
|
+
end
|
|
137
|
+
def package_release(version:)
|
|
138
|
+
Dependabot::Package::PackageRelease.new(
|
|
139
|
+
version: GoModules::Version.new(version),
|
|
140
|
+
details: { "version_string" => version }
|
|
141
|
+
)
|
|
142
|
+
end
|
|
143
|
+
|
|
144
|
+
sig { returns(T::Hash[String, T.untyped]) }
|
|
145
|
+
def parse_manifest
|
|
146
|
+
SharedHelpers.in_a_temporary_directory do
|
|
147
|
+
File.write("go.mod", T.must(go_mod).content)
|
|
148
|
+
json = SharedHelpers.run_shell_command("go mod edit -json")
|
|
149
|
+
|
|
150
|
+
JSON.parse(json) || {}
|
|
151
|
+
end
|
|
152
|
+
end
|
|
153
|
+
|
|
154
|
+
sig { returns(T.class_of(Dependabot::Version)) }
|
|
155
|
+
def version_class
|
|
156
|
+
dependency.version_class
|
|
157
|
+
end
|
|
158
|
+
|
|
159
|
+
sig do
|
|
160
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease])
|
|
161
|
+
.returns(Dependabot::Package::PackageDetails)
|
|
162
|
+
end
|
|
163
|
+
def package_details(releases)
|
|
164
|
+
@package_details ||= T.let(
|
|
165
|
+
Dependabot::Package::PackageDetails.new(
|
|
166
|
+
dependency: dependency,
|
|
167
|
+
releases: releases.reverse.uniq(&:version)
|
|
168
|
+
), T.nilable(Dependabot::Package::PackageDetails)
|
|
169
|
+
)
|
|
170
|
+
end
|
|
171
|
+
end
|
|
172
|
+
end
|
|
173
|
+
end
|
|
174
|
+
end
|
|
@@ -10,11 +10,13 @@ require "dependabot/shared_helpers"
|
|
|
10
10
|
require "dependabot/errors"
|
|
11
11
|
require "dependabot/go_modules/requirement"
|
|
12
12
|
require "dependabot/go_modules/resolvability_errors"
|
|
13
|
+
require "dependabot/go_modules/package/package_details_fetcher"
|
|
14
|
+
require "dependabot/package/package_latest_version_finder"
|
|
13
15
|
|
|
14
16
|
module Dependabot
|
|
15
17
|
module GoModules
|
|
16
18
|
class UpdateChecker
|
|
17
|
-
class LatestVersionFinder
|
|
19
|
+
class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
|
|
18
20
|
extend T::Sig
|
|
19
21
|
|
|
20
22
|
RESOLVABILITY_ERROR_REGEXES = T.let(
|
|
@@ -45,7 +47,8 @@ module Dependabot
|
|
|
45
47
|
ignored_versions: T::Array[String],
|
|
46
48
|
security_advisories: T::Array[Dependabot::SecurityAdvisory],
|
|
47
49
|
goprivate: String,
|
|
48
|
-
raise_on_ignored: T::Boolean
|
|
50
|
+
raise_on_ignored: T::Boolean,
|
|
51
|
+
cooldown_options: T.nilable(Dependabot::Package::ReleaseCooldownOptions)
|
|
49
52
|
)
|
|
50
53
|
.void
|
|
51
54
|
end
|
|
@@ -56,7 +59,8 @@ module Dependabot
|
|
|
56
59
|
ignored_versions:,
|
|
57
60
|
security_advisories:,
|
|
58
61
|
goprivate:,
|
|
59
|
-
raise_on_ignored: false
|
|
62
|
+
raise_on_ignored: false,
|
|
63
|
+
cooldown_options: nil
|
|
60
64
|
)
|
|
61
65
|
@dependency = dependency
|
|
62
66
|
@dependency_files = dependency_files
|
|
@@ -65,16 +69,40 @@ module Dependabot
|
|
|
65
69
|
@security_advisories = security_advisories
|
|
66
70
|
@raise_on_ignored = raise_on_ignored
|
|
67
71
|
@goprivate = goprivate
|
|
72
|
+
@cooldown_options = cooldown_options
|
|
73
|
+
super(
|
|
74
|
+
dependency: dependency,
|
|
75
|
+
dependency_files: dependency_files,
|
|
76
|
+
credentials: credentials,
|
|
77
|
+
ignored_versions: ignored_versions,
|
|
78
|
+
security_advisories: security_advisories,
|
|
79
|
+
cooldown_options: cooldown_options,
|
|
80
|
+
raise_on_ignored: raise_on_ignored,
|
|
81
|
+
options: {}
|
|
82
|
+
)
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
sig do
|
|
86
|
+
override.params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
87
|
+
.returns(T.nilable(Dependabot::Version))
|
|
88
|
+
end
|
|
89
|
+
def latest_version(language_version: nil)
|
|
90
|
+
@latest_version ||= T.let(fetch_latest_version(language_version: language_version),
|
|
91
|
+
T.nilable(Dependabot::Version))
|
|
68
92
|
end
|
|
69
93
|
|
|
70
|
-
sig
|
|
71
|
-
|
|
72
|
-
|
|
94
|
+
sig do
|
|
95
|
+
override.params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
96
|
+
.returns(T.nilable(Dependabot::Version))
|
|
97
|
+
end
|
|
98
|
+
def lowest_security_fix_version(language_version: nil)
|
|
99
|
+
@lowest_security_fix_version ||= T.let(fetch_lowest_security_fix_version(language_version: language_version),
|
|
100
|
+
T.nilable(Dependabot::Version))
|
|
73
101
|
end
|
|
74
102
|
|
|
75
|
-
sig { returns(T
|
|
76
|
-
def
|
|
77
|
-
|
|
103
|
+
sig { override.returns(T::Boolean) }
|
|
104
|
+
def cooldown_enabled?
|
|
105
|
+
Dependabot::Experiments.enabled?(:enable_cooldown_for_gomodules)
|
|
78
106
|
end
|
|
79
107
|
|
|
80
108
|
private
|
|
@@ -94,127 +122,144 @@ module Dependabot
|
|
|
94
122
|
sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
|
|
95
123
|
attr_reader :security_advisories
|
|
96
124
|
|
|
97
|
-
sig { returns(
|
|
98
|
-
|
|
99
|
-
candidate_versions = available_versions
|
|
100
|
-
candidate_versions = filter_prerelease_versions(candidate_versions)
|
|
101
|
-
candidate_versions = filter_ignored_versions(candidate_versions)
|
|
102
|
-
# Adding the psuedo-version to the list to avoid downgrades
|
|
103
|
-
candidate_versions << version_class.new(dependency.version) if PSEUDO_VERSION_REGEX.match?(dependency.version)
|
|
125
|
+
sig { returns(String) }
|
|
126
|
+
attr_reader :goprivate
|
|
104
127
|
|
|
105
|
-
|
|
106
|
-
|
|
128
|
+
sig { returns(T.nilable(Dependabot::Package::ReleaseCooldownOptions)) }
|
|
129
|
+
attr_reader :cooldown_options
|
|
107
130
|
|
|
108
|
-
sig { returns(T
|
|
109
|
-
def
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
relevant_versions.min
|
|
131
|
+
sig { returns(T::Array[Dependabot::Package::PackageRelease]) }
|
|
132
|
+
def available_versions_details
|
|
133
|
+
@available_versions_details ||= T.let(Package::PackageDetailsFetcher.new(
|
|
134
|
+
dependency: dependency,
|
|
135
|
+
dependency_files: dependency_files,
|
|
136
|
+
credentials: credentials,
|
|
137
|
+
goprivate: goprivate
|
|
138
|
+
).fetch_available_versions, T.nilable(T::Array[Dependabot::Package::PackageRelease]))
|
|
118
139
|
end
|
|
119
140
|
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
141
|
+
# rubocop:disable Lint/UnusedMethodArgument
|
|
142
|
+
sig do
|
|
143
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
144
|
+
.returns(T.nilable(Dependabot::Version))
|
|
123
145
|
end
|
|
146
|
+
def fetch_latest_version(language_version: nil)
|
|
147
|
+
candidate_versions = available_versions_details
|
|
148
|
+
candidate_versions = filter_prerelease_versions(candidate_versions)
|
|
149
|
+
candidate_versions = filter_ignored_versions(candidate_versions)
|
|
150
|
+
candidate_versions = lazy_filter_cooldown_versions(candidate_versions)
|
|
151
|
+
# Adding the psuedo-version to the list to avoid downgrades
|
|
152
|
+
if PSEUDO_VERSION_REGEX.match?(dependency.version)
|
|
153
|
+
candidate_versions << Dependabot::Package::PackageRelease.new(
|
|
154
|
+
version: GoModules::Version.new(dependency.version)
|
|
155
|
+
)
|
|
156
|
+
end
|
|
124
157
|
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
SharedHelpers.in_a_temporary_directory do
|
|
128
|
-
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
129
|
-
manifest = parse_manifest
|
|
158
|
+
candidate_versions.max_by(&:version)&.version
|
|
159
|
+
end
|
|
130
160
|
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
161
|
+
sig do
|
|
162
|
+
params(releases: T::Array[Dependabot::Package::PackageRelease], check_max: T::Boolean)
|
|
163
|
+
.returns(T::Array[Dependabot::Package::PackageRelease])
|
|
164
|
+
end
|
|
165
|
+
def lazy_filter_cooldown_versions(releases, check_max: true)
|
|
166
|
+
return releases unless cooldown_enabled?
|
|
167
|
+
return releases unless cooldown_options
|
|
168
|
+
|
|
169
|
+
Dependabot.logger.info("Initializing cooldown filter")
|
|
170
|
+
|
|
171
|
+
sorted_releases = if check_max
|
|
172
|
+
releases.sort_by(&:version).reverse
|
|
173
|
+
else
|
|
174
|
+
releases.sort_by(&:version)
|
|
175
|
+
end
|
|
176
|
+
|
|
177
|
+
filtered_versions = []
|
|
178
|
+
cooldown_filtered_versions = 0
|
|
179
|
+
|
|
180
|
+
# Iterate through the sorted versions lazily, filtering out cooldown versions
|
|
181
|
+
sorted_releases.each do |release|
|
|
182
|
+
if in_cooldown_period?(release)
|
|
183
|
+
Dependabot.logger.info("Filtered out (cooldown) : #{release}")
|
|
184
|
+
cooldown_filtered_versions += 1
|
|
185
|
+
next
|
|
186
|
+
end
|
|
138
187
|
|
|
139
|
-
|
|
140
|
-
|
|
188
|
+
filtered_versions << release
|
|
189
|
+
break
|
|
190
|
+
end
|
|
141
191
|
|
|
142
|
-
|
|
143
|
-
"go list -m -versions -json #{dependency.name}",
|
|
144
|
-
fingerprint: "go list -m -versions -json <dependency_name>",
|
|
145
|
-
env: env
|
|
146
|
-
)
|
|
147
|
-
version_strings = JSON.parse(versions_json)["Versions"]
|
|
192
|
+
Dependabot.logger.info("Filtered out #{cooldown_filtered_versions} version(s) due to cooldown")
|
|
148
193
|
|
|
149
|
-
|
|
194
|
+
filtered_versions
|
|
195
|
+
end
|
|
150
196
|
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
197
|
+
# rubocop:disable Metrics/AbcSize
|
|
198
|
+
sig { params(release: Dependabot::Package::PackageRelease).returns(T::Boolean) }
|
|
199
|
+
def in_cooldown_period?(release)
|
|
200
|
+
env = { "GOPRIVATE" => @goprivate }
|
|
201
|
+
|
|
202
|
+
begin
|
|
203
|
+
release_info = SharedHelpers.run_shell_command(
|
|
204
|
+
"go list -m -json #{dependency.name}@#{release.details.[]('version_string')}",
|
|
205
|
+
fingerprint: "go list -m -json <dependency_name>",
|
|
206
|
+
env: env
|
|
207
|
+
)
|
|
208
|
+
rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
|
|
209
|
+
Dependabot.logger.info("Error while fetching release date info: #{e.message}")
|
|
210
|
+
return false
|
|
154
211
|
end
|
|
155
|
-
rescue SharedHelpers::HelperSubprocessFailed => e
|
|
156
|
-
retry_count ||= 0
|
|
157
|
-
retry_count += 1
|
|
158
|
-
retry if transitory_failure?(e) && retry_count < 2
|
|
159
212
|
|
|
160
|
-
|
|
161
|
-
|
|
213
|
+
release.instance_variable_set(
|
|
214
|
+
:@released_at, JSON.parse(release_info)["Time"] ? Time.parse(JSON.parse(release_info)["Time"]) : nil
|
|
215
|
+
)
|
|
162
216
|
|
|
163
|
-
|
|
164
|
-
def transitory_failure?(error)
|
|
165
|
-
return true if error.message.include?("EOF")
|
|
217
|
+
return false unless release.released_at
|
|
166
218
|
|
|
167
|
-
|
|
168
|
-
|
|
219
|
+
current_version = version_class.correct?(dependency.version) ? version_class.new(dependency.version) : nil
|
|
220
|
+
days = cooldown_days_for(current_version, release.version)
|
|
169
221
|
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
end
|
|
222
|
+
# Calculate the number of seconds passed since the release
|
|
223
|
+
passed_seconds = Time.now.to_i - release.released_at.to_i
|
|
224
|
+
passed_days = passed_seconds / DAY_IN_SECONDS
|
|
174
225
|
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
File.write("go.mod", T.must(go_mod).content)
|
|
179
|
-
json = SharedHelpers.run_shell_command("go mod edit -json")
|
|
180
|
-
|
|
181
|
-
JSON.parse(json) || {}
|
|
226
|
+
if passed_days < days
|
|
227
|
+
Dependabot.logger.info("Version #{release.version}, Release date: #{release.released_at}." \
|
|
228
|
+
" Days since release: #{passed_days} (cooldown days: #{days})")
|
|
182
229
|
end
|
|
183
|
-
end
|
|
184
|
-
|
|
185
|
-
sig { params(versions_array: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
|
|
186
|
-
def filter_prerelease_versions(versions_array)
|
|
187
|
-
return versions_array if wants_prerelease?
|
|
188
230
|
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
Dependabot.logger.info("Filtered out #{versions_array.count - filtered.count} pre-release versions")
|
|
192
|
-
end
|
|
193
|
-
filtered
|
|
231
|
+
# Check if the release is within the cooldown period
|
|
232
|
+
passed_seconds < days * DAY_IN_SECONDS
|
|
194
233
|
end
|
|
234
|
+
# rubocop:enable Metrics/AbcSize
|
|
195
235
|
|
|
196
|
-
sig
|
|
197
|
-
|
|
198
|
-
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
.
|
|
236
|
+
sig do
|
|
237
|
+
override.returns(T.nilable(Dependabot::Package::PackageDetails))
|
|
238
|
+
end
|
|
239
|
+
def package_details
|
|
240
|
+
@package_details ||= T.let(
|
|
241
|
+
Dependabot::Package::PackageDetails.new(
|
|
242
|
+
dependency: dependency,
|
|
243
|
+
releases: available_versions_details.reverse.uniq(&:version)
|
|
244
|
+
), T.nilable(Dependabot::Package::PackageDetails)
|
|
245
|
+
)
|
|
202
246
|
end
|
|
203
247
|
|
|
204
|
-
sig
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
248
|
+
sig do
|
|
249
|
+
params(language_version: T.nilable(T.any(String, Dependabot::Version)))
|
|
250
|
+
.returns(T.nilable(Dependabot::Version))
|
|
251
|
+
end
|
|
252
|
+
def fetch_lowest_security_fix_version(language_version: nil)
|
|
253
|
+
relevant_versions = available_versions_details
|
|
254
|
+
relevant_versions = filter_prerelease_versions(relevant_versions)
|
|
255
|
+
relevant_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(relevant_versions,
|
|
256
|
+
security_advisories)
|
|
257
|
+
relevant_versions = filter_ignored_versions(relevant_versions)
|
|
258
|
+
relevant_versions = filter_lower_versions(relevant_versions)
|
|
215
259
|
|
|
216
|
-
|
|
260
|
+
relevant_versions.min_by(&:version)&.version
|
|
217
261
|
end
|
|
262
|
+
# rubocop:enable Lint/UnusedMethodArgument
|
|
218
263
|
|
|
219
264
|
sig { returns(T::Boolean) }
|
|
220
265
|
def wants_prerelease?
|
|
@@ -226,21 +271,6 @@ module Dependabot
|
|
|
226
271
|
T.nilable(T::Boolean)
|
|
227
272
|
)
|
|
228
273
|
end
|
|
229
|
-
|
|
230
|
-
sig { returns(T::Array[Dependabot::Requirement]) }
|
|
231
|
-
def ignore_requirements
|
|
232
|
-
ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
|
|
233
|
-
end
|
|
234
|
-
|
|
235
|
-
sig { returns(T.class_of(Dependabot::Requirement)) }
|
|
236
|
-
def requirement_class
|
|
237
|
-
dependency.requirement_class
|
|
238
|
-
end
|
|
239
|
-
|
|
240
|
-
sig { returns(T.class_of(Dependabot::Version)) }
|
|
241
|
-
def version_class
|
|
242
|
-
dependency.version_class
|
|
243
|
-
end
|
|
244
274
|
end
|
|
245
275
|
end
|
|
246
276
|
end
|
|
@@ -66,6 +66,7 @@ module Dependabot
|
|
|
66
66
|
ignored_versions: ignored_versions,
|
|
67
67
|
security_advisories: security_advisories,
|
|
68
68
|
raise_on_ignored: raise_on_ignored,
|
|
69
|
+
cooldown_options: update_cooldown,
|
|
69
70
|
goprivate: options.fetch(:goprivate, "*")
|
|
70
71
|
),
|
|
71
72
|
T.nilable(Dependabot::GoModules::UpdateChecker::LatestVersionFinder)
|
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-go_modules
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.311.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
bindir: bin
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2025-
|
|
10
|
+
date: 2025-05-01 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: dependabot-common
|
|
@@ -15,14 +15,14 @@ dependencies:
|
|
|
15
15
|
requirements:
|
|
16
16
|
- - '='
|
|
17
17
|
- !ruby/object:Gem::Version
|
|
18
|
-
version: 0.
|
|
18
|
+
version: 0.311.0
|
|
19
19
|
type: :runtime
|
|
20
20
|
prerelease: false
|
|
21
21
|
version_requirements: !ruby/object:Gem::Requirement
|
|
22
22
|
requirements:
|
|
23
23
|
- - '='
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
|
-
version: 0.
|
|
25
|
+
version: 0.311.0
|
|
26
26
|
- !ruby/object:Gem::Dependency
|
|
27
27
|
name: debug
|
|
28
28
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -223,16 +223,16 @@ dependencies:
|
|
|
223
223
|
name: webrick
|
|
224
224
|
requirement: !ruby/object:Gem::Requirement
|
|
225
225
|
requirements:
|
|
226
|
-
- - "
|
|
226
|
+
- - "~>"
|
|
227
227
|
- !ruby/object:Gem::Version
|
|
228
|
-
version: '1.
|
|
228
|
+
version: '1.9'
|
|
229
229
|
type: :development
|
|
230
230
|
prerelease: false
|
|
231
231
|
version_requirements: !ruby/object:Gem::Requirement
|
|
232
232
|
requirements:
|
|
233
|
-
- - "
|
|
233
|
+
- - "~>"
|
|
234
234
|
- !ruby/object:Gem::Version
|
|
235
|
-
version: '1.
|
|
235
|
+
version: '1.9'
|
|
236
236
|
description: Dependabot-Go_Modules provides support for bumping Go Modules versions
|
|
237
237
|
via Dependabot. If you want support for multiple package managers, you probably
|
|
238
238
|
want the meta-gem dependabot-omnibus.
|
|
@@ -257,6 +257,7 @@ files:
|
|
|
257
257
|
- lib/dependabot/go_modules/language.rb
|
|
258
258
|
- lib/dependabot/go_modules/metadata_finder.rb
|
|
259
259
|
- lib/dependabot/go_modules/native_helpers.rb
|
|
260
|
+
- lib/dependabot/go_modules/package/package_details_fetcher.rb
|
|
260
261
|
- lib/dependabot/go_modules/package_manager.rb
|
|
261
262
|
- lib/dependabot/go_modules/path_converter.rb
|
|
262
263
|
- lib/dependabot/go_modules/replace_stubber.rb
|
|
@@ -270,7 +271,7 @@ licenses:
|
|
|
270
271
|
- MIT
|
|
271
272
|
metadata:
|
|
272
273
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
273
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
274
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.311.0
|
|
274
275
|
rdoc_options: []
|
|
275
276
|
require_paths:
|
|
276
277
|
- lib
|