dependabot-go_modules 0.310.0 → 0.312.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: '0584130933245e950367cb0ccdbbb7f62b3789316c32965452a103b6b705516b'
4
- data.tar.gz: b0b12c5d0ce02e625a82aaeeb3503b2afc0c1349598edd97fe32f2be4a8a0947
3
+ metadata.gz: a5ebb159ef51fc8d23107f99d210c922c06c73cd9732883879fd70ddbd058faf
4
+ data.tar.gz: 6f3a772c98fded0f05c6686bf630b0fc99a20c77735fdce27a7f97a67b16c750
5
5
  SHA512:
6
- metadata.gz: f086a3ba6f21b2532cd2ae8e84db5caf971db67f1d1cc9d566e00c89029c89862408acbcbd08128ea92df162f6d402abc123a5464c5bc6eaff06825edbe00375
7
- data.tar.gz: f7f8d638f4e7db951e1faee9ec10e1a0db5c587d21e29e7d46b11002797dfae18ffc20887d456ac37ce77310541e323b3b563c8f81b84488f13981c5e82fbe83
6
+ metadata.gz: 2be7417f6af5e4c8cfd98e8290cd530208f58b81b711c1b13a896beafa23a08571208b7edce5519bbdfbe677c4d60bed4ba32778dea9125bedb2221f8d6fbe4d
7
+ data.tar.gz: ff25c45e98ebf9d436b843d925909bbe0db8c2532b70481d7b3136286cd11602f0f0b71b4b7a76886f01e222204574c16c3d7601261fe9b846a3fc6391b97fdd
@@ -132,7 +132,7 @@ module Dependabot
132
132
  end
133
133
 
134
134
  sig { returns(T::Hash[Symbol, String]) }
135
- def update_files # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
135
+ def update_files
136
136
  in_repo_path do
137
137
  # During grouped updates, the dependency_files are from a previous dependency
138
138
  # update, so we need to update them on disk after the git reset in in_repo_path.
@@ -143,7 +143,6 @@ module Dependabot
143
143
  end
144
144
 
145
145
  # Map paths in local replace directives to path hashes
146
- original_go_mod = File.read("go.mod")
147
146
  original_manifest = parse_manifest
148
147
  original_go_sum = File.read("go.sum") if File.exist?("go.sum")
149
148
 
@@ -175,23 +174,6 @@ module Dependabot
175
174
  updated_go_sum = original_go_sum ? File.read("go.sum") : nil
176
175
  updated_go_mod = File.read("go.mod")
177
176
 
178
- # running "go get" may inject the current go version, remove it
179
- original_go_version = original_go_mod.match(GO_MOD_VERSION)&.to_a&.first
180
- updated_go_version = updated_go_mod.match(GO_MOD_VERSION)&.to_a&.first
181
- if original_go_version != updated_go_version
182
- go_mod_lines = T.let(updated_go_mod.lines, T::Array[T.nilable(String)])
183
- go_mod_lines.each_with_index do |line, i|
184
- next unless line&.match?(GO_MOD_VERSION)
185
-
186
- # replace with the original version
187
- go_mod_lines[i] = original_go_version
188
- # avoid a stranded newline if there was no version originally
189
- go_mod_lines[i + 1] = nil if original_go_version.nil?
190
- end
191
-
192
- updated_go_mod = go_mod_lines.compact.join
193
- end
194
-
195
177
  { go_mod: updated_go_mod, go_sum: updated_go_sum }
196
178
  end
197
179
  end
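Review bot: With the go-directive restoration removed here (and the `original_go_mod` read dropped in the hunk above), `updated_go_mod` is now returned exactly as `go get` leaves it, so a `go` directive (and, on newer toolchains, possibly a `toolchain` line) bumped to the helper image's Go version will land in the update PR; if that is intended, a one-line comment next to `updated_go_mod = File.read("go.mod")` saying so would stop the next reader re-adding the guard. If `GO_MOD_VERSION` is no longer referenced anywhere else in the file it is now dead and can go as well — its other uses are not visible in this hunk. `update_files` starts and ends outside this hunk.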
@@ -94,13 +94,13 @@ module Dependabot
94
94
  return [package_release(version: T.must(dependency.version))] if version_strings.nil?
95
95
 
96
96
  version_info = version_strings.select { |v| version_class.correct?(v) }
97
- .map { |v| version_class.new(v) }
97
+ .map { |version| version }
98
98
 
99
99
  package_releases = []
100
100
 
101
101
  version_info.map do |version|
102
102
  package_releases << package_release(
103
- version: version.to_s
103
+ version: version
104
104
  )
105
105
  end
106
106
 
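Review bot: The added `.map { |version| version }` on the line after the `select` is an identity map and only allocates a second array; `version_info = version_strings.select { |v| version_class.correct?(v) }` says the same thing. The loop below also uses `map` purely for its side effect on `package_releases`; `package_releases = version_info.map { |version| package_release(version: version) }` replaces both the empty-array setup and the block. Keeping the raw string rather than a `Version` here is what lets `package_release` record the exact version string in `details`, so a short comment on the `select` line stating that the strings are kept on purpose would prevent someone restoring the `version_class.new(v)` mapping.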
@@ -136,7 +136,8 @@ module Dependabot
136
136
  end
137
137
  def package_release(version:)
138
138
  Dependabot::Package::PackageRelease.new(
139
- version: GoModules::Version.new(version)
139
+ version: GoModules::Version.new(version),
140
+ details: { "version_string" => version }
140
141
  )
141
142
  end
142
143
 
@@ -47,7 +47,8 @@ module Dependabot
47
47
  ignored_versions: T::Array[String],
48
48
  security_advisories: T::Array[Dependabot::SecurityAdvisory],
49
49
  goprivate: String,
50
- raise_on_ignored: T::Boolean
50
+ raise_on_ignored: T::Boolean,
51
+ cooldown_options: T.nilable(Dependabot::Package::ReleaseCooldownOptions)
51
52
  )
52
53
  .void
53
54
  end
@@ -58,7 +59,8 @@ module Dependabot
58
59
  ignored_versions:,
59
60
  security_advisories:,
60
61
  goprivate:,
61
- raise_on_ignored: false
62
+ raise_on_ignored: false,
63
+ cooldown_options: nil
62
64
  )
63
65
  @dependency = dependency
64
66
  @dependency_files = dependency_files
@@ -67,6 +69,17 @@ module Dependabot
67
69
  @security_advisories = security_advisories
68
70
  @raise_on_ignored = raise_on_ignored
69
71
  @goprivate = goprivate
72
+ @cooldown_options = cooldown_options
73
+ super(
74
+ dependency: dependency,
75
+ dependency_files: dependency_files,
76
+ credentials: credentials,
77
+ ignored_versions: ignored_versions,
78
+ security_advisories: security_advisories,
79
+ cooldown_options: cooldown_options,
80
+ raise_on_ignored: raise_on_ignored,
81
+ options: {}
82
+ )
70
83
  end
71
84
 
72
85
  sig do
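Review bot: The new `super(...)` call hard-codes `options: {}`, so whatever options hash the update checker was built with is not forwarded to the base class; that same hash is where `goprivate` is read from in the update-checker hunk further down (`options.fetch(:goprivate, "*")`), so if the base initializer reads anything from it the Go finder silently gets the defaults. Forwarding the real hash (accepting `options:` in this initializer and passing it through) or a comment stating that the base class is known not to use it would settle that. The instance variables assigned just above `super` (`@dependency`, `@cooldown_options` and the rest) look like ones a base initializer taking the same keywords would also set, in which case the local assignments are redundant — not verifiable from this hunk. `initialize` starts above this hunk.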
@@ -87,6 +100,11 @@ module Dependabot
87
100
  T.nilable(Dependabot::Version))
88
101
  end
89
102
 
103
+ sig { override.returns(T::Boolean) }
104
+ def cooldown_enabled?
105
+ Dependabot::Experiments.enabled?(:enable_cooldown_for_gomodules)
106
+ end
107
+
90
108
  private
91
109
 
92
110
  sig { returns(Dependabot::Dependency) }
@@ -107,6 +125,19 @@ module Dependabot
107
125
  sig { returns(String) }
108
126
  attr_reader :goprivate
109
127
 
128
+ sig { returns(T.nilable(Dependabot::Package::ReleaseCooldownOptions)) }
129
+ attr_reader :cooldown_options
130
+
131
+ sig { returns(T::Array[Dependabot::Package::PackageRelease]) }
132
+ def available_versions_details
133
+ @available_versions_details ||= T.let(Package::PackageDetailsFetcher.new(
134
+ dependency: dependency,
135
+ dependency_files: dependency_files,
136
+ credentials: credentials,
137
+ goprivate: goprivate
138
+ ).fetch_available_versions, T.nilable(T::Array[Dependabot::Package::PackageRelease]))
139
+ end
140
+
110
141
  # rubocop:disable Lint/UnusedMethodArgument
111
142
  sig do
112
143
  params(language_version: T.nilable(T.any(String, Dependabot::Version)))
@@ -116,6 +147,7 @@ module Dependabot
116
147
  candidate_versions = available_versions_details
117
148
  candidate_versions = filter_prerelease_versions(candidate_versions)
118
149
  candidate_versions = filter_ignored_versions(candidate_versions)
150
+ candidate_versions = lazy_filter_cooldown_versions(candidate_versions)
119
151
  # Adding the psuedo-version to the list to avoid downgrades
120
152
  if PSEUDO_VERSION_REGEX.match?(dependency.version)
121
153
  candidate_versions << Dependabot::Package::PackageRelease.new(
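Review bot: After the added `lazy_filter_cooldown_versions` call, `candidate_versions` holds at most one release, because the filter defined later in this file breaks out of its loop after the first release that is not in cooldown (see the `@@ -126,6 +158,81 @@` hunk); the name still reads as though a list survives, and the pseudo-version `<<` and `max_by` below now mostly compare a single element against the pseudo-version. A comment on the new line such as `# cooldown filter yields only the newest non-cooldown release (or none)`, or renaming the result to something like `latest_allowed`, would keep that visible. The enclosing method starts above this hunk.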
@@ -126,6 +158,81 @@ module Dependabot
126
158
  candidate_versions.max_by(&:version)&.version
127
159
  end
128
160
 
161
+ sig do
162
+ params(releases: T::Array[Dependabot::Package::PackageRelease], check_max: T::Boolean)
163
+ .returns(T::Array[Dependabot::Package::PackageRelease])
164
+ end
165
+ def lazy_filter_cooldown_versions(releases, check_max: true)
166
+ return releases unless cooldown_enabled?
167
+ return releases unless cooldown_options
168
+
169
+ Dependabot.logger.info("Initializing cooldown filter")
170
+
171
+ sorted_releases = if check_max
172
+ releases.sort_by(&:version).reverse
173
+ else
174
+ releases.sort_by(&:version)
175
+ end
176
+
177
+ filtered_versions = []
178
+ cooldown_filtered_versions = 0
179
+
180
+ # Iterate through the sorted versions lazily, filtering out cooldown versions
181
+ sorted_releases.each do |release|
182
+ if in_cooldown_period?(release)
183
+ Dependabot.logger.info("Filtered out (cooldown) : #{release}")
184
+ cooldown_filtered_versions += 1
185
+ next
186
+ end
187
+
188
+ filtered_versions << release
189
+ break
190
+ end
191
+
192
+ Dependabot.logger.info("Filtered out #{cooldown_filtered_versions} version(s) due to cooldown")
193
+
194
+ filtered_versions
195
+ end
196
+
197
+ # rubocop:disable Metrics/AbcSize
198
+ sig { params(release: Dependabot::Package::PackageRelease).returns(T::Boolean) }
199
+ def in_cooldown_period?(release)
200
+ env = { "GOPRIVATE" => @goprivate }
201
+
202
+ begin
203
+ release_info = SharedHelpers.run_shell_command(
204
+ "go list -m -json #{dependency.name}@#{release.details.[]('version_string')}",
205
+ fingerprint: "go list -m -json <dependency_name>",
206
+ env: env
207
+ )
208
+ rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
209
+ Dependabot.logger.info("Error while fetching release date info: #{e.message}")
210
+ return false
211
+ end
212
+
213
+ release.instance_variable_set(
214
+ :@released_at, JSON.parse(release_info)["Time"] ? Time.parse(JSON.parse(release_info)["Time"]) : nil
215
+ )
216
+
217
+ return false unless release.released_at
218
+
219
+ current_version = version_class.correct?(dependency.version) ? version_class.new(dependency.version) : nil
220
+ days = cooldown_days_for(current_version, release.version)
221
+
222
+ # Calculate the number of seconds passed since the release
223
+ passed_seconds = Time.now.to_i - release.released_at.to_i
224
+ passed_days = passed_seconds / DAY_IN_SECONDS
225
+
226
+ if passed_days < days
227
+ Dependabot.logger.info("Version #{release.version}, Release date: #{release.released_at}." \
228
+ " Days since release: #{passed_days} (cooldown days: #{days})")
229
+ end
230
+
231
+ # Check if the release is within the cooldown period
232
+ passed_seconds < days * DAY_IN_SECONDS
233
+ end
234
+ # rubocop:enable Metrics/AbcSize
235
+
129
236
  sig do
130
237
  override.returns(T.nilable(Dependabot::Package::PackageDetails))
131
238
  end
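Review bot: In `in_cooldown_period?` the `go list -m -json` command is built by interpolating `dependency.name` and the `version_string` detail straight into the string handed to `SharedHelpers.run_shell_command`; the name comes from the repository's go.mod and the version string from whatever the module proxy returned, and if that helper passes the string to a shell (not visible here) a metacharacter in either value becomes command injection. `require "shellwords"` plus `Shellwords.escape("#{dependency.name}@#{release.details['version_string']}")` (or an argv-style call if the helper offers one) closes that, and `release.details['version_string']` also reads better than `.details.[]('version_string')`. The `rescue HelperSubprocessFailed` branch returns `false`, so any lookup failure silently disables the cooldown for that release and the update proceeds with only an info-level log; that fail-open choice deserves a comment and at least a warn-level log. `JSON.parse(release_info)` runs twice on the same string, and `instance_variable_set(:@released_at, …)` bypasses whatever `PackageRelease` exposes for that field; parsing once into a local and using a constructor argument or writer, if one exists, would be cleaner. `Time.parse` needs `require "time"`, which is not visible in this hunk.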
@@ -154,16 +261,6 @@ module Dependabot
154
261
  end
155
262
  # rubocop:enable Lint/UnusedMethodArgument
156
263
 
157
- sig { returns(T::Array[Dependabot::Package::PackageRelease]) }
158
- def available_versions_details
159
- @available_versions_details ||= T.let(Package::PackageDetailsFetcher.new(
160
- dependency: dependency,
161
- dependency_files: dependency_files,
162
- credentials: credentials,
163
- goprivate: goprivate
164
- ).fetch_available_versions, T.nilable(T::Array[Dependabot::Package::PackageRelease]))
165
- end
166
-
167
264
  sig { returns(T::Boolean) }
168
265
  def wants_prerelease?
169
266
  @wants_prerelease ||= T.let(
@@ -66,6 +66,7 @@ module Dependabot
66
66
  ignored_versions: ignored_versions,
67
67
  security_advisories: security_advisories,
68
68
  raise_on_ignored: raise_on_ignored,
69
+ cooldown_options: update_cooldown,
69
70
  goprivate: options.fetch(:goprivate, "*")
70
71
  ),
71
72
  T.nilable(Dependabot::GoModules::UpdateChecker::LatestVersionFinder)
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-go_modules
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.310.0
4
+ version: 0.312.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  bindir: bin
9
9
  cert_chain: []
10
- date: 2025-04-24 00:00:00.000000000 Z
10
+ date: 2025-05-09 00:00:00.000000000 Z
11
11
  dependencies:
12
12
  - !ruby/object:Gem::Dependency
13
13
  name: dependabot-common
@@ -15,28 +15,28 @@ dependencies:
15
15
  requirements:
16
16
  - - '='
17
17
  - !ruby/object:Gem::Version
18
- version: 0.310.0
18
+ version: 0.312.0
19
19
  type: :runtime
20
20
  prerelease: false
21
21
  version_requirements: !ruby/object:Gem::Requirement
22
22
  requirements:
23
23
  - - '='
24
24
  - !ruby/object:Gem::Version
25
- version: 0.310.0
25
+ version: 0.312.0
26
26
  - !ruby/object:Gem::Dependency
27
27
  name: debug
28
28
  requirement: !ruby/object:Gem::Requirement
29
29
  requirements:
30
30
  - - "~>"
31
31
  - !ruby/object:Gem::Version
32
- version: 1.9.2
32
+ version: '1.9'
33
33
  type: :development
34
34
  prerelease: false
35
35
  version_requirements: !ruby/object:Gem::Requirement
36
36
  requirements:
37
37
  - - "~>"
38
38
  - !ruby/object:Gem::Version
39
- version: 1.9.2
39
+ version: '1.9'
40
40
  - !ruby/object:Gem::Dependency
41
41
  name: gpgme
42
42
  requirement: !ruby/object:Gem::Requirement
@@ -57,14 +57,14 @@ dependencies:
57
57
  requirements:
58
58
  - - "~>"
59
59
  - !ruby/object:Gem::Version
60
- version: '13'
60
+ version: '13.2'
61
61
  type: :development
62
62
  prerelease: false
63
63
  version_requirements: !ruby/object:Gem::Requirement
64
64
  requirements:
65
65
  - - "~>"
66
66
  - !ruby/object:Gem::Version
67
- version: '13'
67
+ version: '13.2'
68
68
  - !ruby/object:Gem::Dependency
69
69
  name: rspec
70
70
  requirement: !ruby/object:Gem::Requirement
@@ -99,98 +99,98 @@ dependencies:
99
99
  requirements:
100
100
  - - "~>"
101
101
  - !ruby/object:Gem::Version
102
- version: 1.9.2
102
+ version: '1.9'
103
103
  type: :development
104
104
  prerelease: false
105
105
  version_requirements: !ruby/object:Gem::Requirement
106
106
  requirements:
107
107
  - - "~>"
108
108
  - !ruby/object:Gem::Version
109
- version: 1.9.2
109
+ version: '1.9'
110
110
  - !ruby/object:Gem::Dependency
111
111
  name: rubocop
112
112
  requirement: !ruby/object:Gem::Requirement
113
113
  requirements:
114
114
  - - "~>"
115
115
  - !ruby/object:Gem::Version
116
- version: 1.67.0
116
+ version: '1.67'
117
117
  type: :development
118
118
  prerelease: false
119
119
  version_requirements: !ruby/object:Gem::Requirement
120
120
  requirements:
121
121
  - - "~>"
122
122
  - !ruby/object:Gem::Version
123
- version: 1.67.0
123
+ version: '1.67'
124
124
  - !ruby/object:Gem::Dependency
125
125
  name: rubocop-performance
126
126
  requirement: !ruby/object:Gem::Requirement
127
127
  requirements:
128
128
  - - "~>"
129
129
  - !ruby/object:Gem::Version
130
- version: 1.22.1
130
+ version: '1.22'
131
131
  type: :development
132
132
  prerelease: false
133
133
  version_requirements: !ruby/object:Gem::Requirement
134
134
  requirements:
135
135
  - - "~>"
136
136
  - !ruby/object:Gem::Version
137
- version: 1.22.1
137
+ version: '1.22'
138
138
  - !ruby/object:Gem::Dependency
139
139
  name: rubocop-rspec
140
140
  requirement: !ruby/object:Gem::Requirement
141
141
  requirements:
142
142
  - - "~>"
143
143
  - !ruby/object:Gem::Version
144
- version: 2.29.1
144
+ version: '2.29'
145
145
  type: :development
146
146
  prerelease: false
147
147
  version_requirements: !ruby/object:Gem::Requirement
148
148
  requirements:
149
149
  - - "~>"
150
150
  - !ruby/object:Gem::Version
151
- version: 2.29.1
151
+ version: '2.29'
152
152
  - !ruby/object:Gem::Dependency
153
153
  name: rubocop-sorbet
154
154
  requirement: !ruby/object:Gem::Requirement
155
155
  requirements:
156
156
  - - "~>"
157
157
  - !ruby/object:Gem::Version
158
- version: 0.8.7
158
+ version: '0.8'
159
159
  type: :development
160
160
  prerelease: false
161
161
  version_requirements: !ruby/object:Gem::Requirement
162
162
  requirements:
163
163
  - - "~>"
164
164
  - !ruby/object:Gem::Version
165
- version: 0.8.7
165
+ version: '0.8'
166
166
  - !ruby/object:Gem::Dependency
167
167
  name: simplecov
168
168
  requirement: !ruby/object:Gem::Requirement
169
169
  requirements:
170
170
  - - "~>"
171
171
  - !ruby/object:Gem::Version
172
- version: 0.22.0
172
+ version: '0.22'
173
173
  type: :development
174
174
  prerelease: false
175
175
  version_requirements: !ruby/object:Gem::Requirement
176
176
  requirements:
177
177
  - - "~>"
178
178
  - !ruby/object:Gem::Version
179
- version: 0.22.0
179
+ version: '0.22'
180
180
  - !ruby/object:Gem::Dependency
181
181
  name: turbo_tests
182
182
  requirement: !ruby/object:Gem::Requirement
183
183
  requirements:
184
184
  - - "~>"
185
185
  - !ruby/object:Gem::Version
186
- version: 2.2.0
186
+ version: '2.2'
187
187
  type: :development
188
188
  prerelease: false
189
189
  version_requirements: !ruby/object:Gem::Requirement
190
190
  requirements:
191
191
  - - "~>"
192
192
  - !ruby/object:Gem::Version
193
- version: 2.2.0
193
+ version: '2.2'
194
194
  - !ruby/object:Gem::Dependency
195
195
  name: vcr
196
196
  requirement: !ruby/object:Gem::Requirement
@@ -223,16 +223,16 @@ dependencies:
223
223
  name: webrick
224
224
  requirement: !ruby/object:Gem::Requirement
225
225
  requirements:
226
- - - ">="
226
+ - - "~>"
227
227
  - !ruby/object:Gem::Version
228
- version: '1.7'
228
+ version: '1.9'
229
229
  type: :development
230
230
  prerelease: false
231
231
  version_requirements: !ruby/object:Gem::Requirement
232
232
  requirements:
233
- - - ">="
233
+ - - "~>"
234
234
  - !ruby/object:Gem::Version
235
- version: '1.7'
235
+ version: '1.9'
236
236
  description: Dependabot-Go_Modules provides support for bumping Go Modules versions
237
237
  via Dependabot. If you want support for multiple package managers, you probably
238
238
  want the meta-gem dependabot-omnibus.
@@ -271,7 +271,7 @@ licenses:
271
271
  - MIT
272
272
  metadata:
273
273
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
274
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.310.0
274
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.312.0
275
275
  rdoc_options: []
276
276
  require_paths:
277
277
  - lib