dependabot-go_modules 0.340.0 → 0.341.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a9ca492d6b9d56a7be03e19e38be007bc307d7ea23ec4d0a5d88f371029a73da
|
|
4
|
+
data.tar.gz: db692934cb7d258f6f2ae10b325840e08877561573ca5603b2fc8c230bb703f6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cfb88ba08e3122dbdadbf85b188d0360ac3331f2c674793a11305f583d2c9f4b9f8637b36aa7e75f4d340f397543add55a6f662971cfc4748ceedffa59d942e4
|
|
7
|
+
data.tar.gz: a3e94ce7e338c7cf6f13c8da2f272f63fb69f8a9923fffde63e947bb4e831f1eebef9a28a2f0e25d81a35aac923a16a5e87120e02a88757cba079984f0c25c2a
|
|
@@ -9,6 +9,17 @@ require "dependabot/dependency_graphers/base"
|
|
|
9
9
|
module Dependabot
|
|
10
10
|
module GoModules
|
|
11
11
|
class DependencyGrapher < Dependabot::DependencyGraphers::Base
|
|
12
|
+
# Used to capture output from `go mod graph`
|
|
13
|
+
#
|
|
14
|
+
# The parent and child are space-separated and we process one line at a time.
|
|
15
|
+
#
|
|
16
|
+
# Example output:
|
|
17
|
+
# github.com/dependabot/core-test rsc.io/sampler@v1.3.0
|
|
18
|
+
# rsc.io/sampler@v1.3.0 golang.org/x/text@v0.0.0-20170915032832-14c0d48ead0c
|
|
19
|
+
# <---parent---> <----child------>
|
|
20
|
+
#
|
|
21
|
+
GO_MOD_GRAPH_LINE_REGEX = /^(?<parent>[^@\s]+)@?[^\s]*\s(?<child>[^@\s]+)/
|
|
22
|
+
|
|
12
23
|
sig { override.returns(Dependabot::DependencyFile) }
|
|
13
24
|
def relevant_dependency_file
|
|
14
25
|
# This cannot realistically happen as the parser will throw a runtime error on init without a go_mod file,
|
|
@@ -26,7 +37,7 @@ module Dependabot
|
|
|
26
37
|
# doing this in the parser shouldn't add a huge overhead.
|
|
27
38
|
sig { override.params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
|
|
28
39
|
def fetch_subdependencies(dependency)
|
|
29
|
-
|
|
40
|
+
package_relationships.fetch(dependency.name, [])
|
|
30
41
|
end
|
|
31
42
|
|
|
32
43
|
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
@@ -52,6 +63,31 @@ module Dependabot
|
|
|
52
63
|
def purl_pkg_for(_dependency)
|
|
53
64
|
"golang"
|
|
54
65
|
end
|
|
66
|
+
|
|
67
|
+
sig { returns(T::Hash[String, T.untyped]) }
|
|
68
|
+
def package_relationships
|
|
69
|
+
@package_relationships ||= T.let(
|
|
70
|
+
fetch_package_relationships,
|
|
71
|
+
T.nilable(T::Hash[String, T.untyped])
|
|
72
|
+
)
|
|
73
|
+
end
|
|
74
|
+
|
|
75
|
+
sig { returns(T::Hash[String, T.untyped]) }
|
|
76
|
+
def fetch_package_relationships
|
|
77
|
+
T.cast(
|
|
78
|
+
file_parser,
|
|
79
|
+
Dependabot::GoModules::FileParser
|
|
80
|
+
).run_in_parsed_context("go mod graph").lines.each_with_object({}) do |line, rels|
|
|
81
|
+
match = line.match(GO_MOD_GRAPH_LINE_REGEX)
|
|
82
|
+
unless match
|
|
83
|
+
Dependabot.logger.warn("Unexpected output from 'go mod graph': 'line'")
|
|
84
|
+
next
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
rels[match[:parent]] ||= []
|
|
88
|
+
rels[match[:parent]] << match[:child]
|
|
89
|
+
end
|
|
90
|
+
end
|
|
55
91
|
end
|
|
56
92
|
end
|
|
57
93
|
end
|
|
@@ -72,6 +72,26 @@ module Dependabot
|
|
|
72
72
|
)
|
|
73
73
|
end
|
|
74
74
|
|
|
75
|
+
# Utility method to allow collaborators to check other go commands inside the parsed project's context
|
|
76
|
+
sig { params(command: String).returns(String) }
|
|
77
|
+
def run_in_parsed_context(command)
|
|
78
|
+
SharedHelpers.in_a_temporary_directory do |path|
|
|
79
|
+
# Create a fake empty module for each local module so that
|
|
80
|
+
# `go mod edit` works, even if some modules have been `replace`d with
|
|
81
|
+
# a local module that we don't have access to.
|
|
82
|
+
local_replacements.each do |_, stub_path|
|
|
83
|
+
FileUtils.mkdir_p(stub_path)
|
|
84
|
+
FileUtils.touch(File.join(stub_path, "go.mod"))
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
File.write("go.mod", go_mod_content)
|
|
88
|
+
stdout, stderr, status = Open3.capture3(command)
|
|
89
|
+
handle_parser_error(path, stderr) unless status.success?
|
|
90
|
+
|
|
91
|
+
stdout
|
|
92
|
+
end
|
|
93
|
+
end
|
|
94
|
+
|
|
75
95
|
private
|
|
76
96
|
|
|
77
97
|
sig { void }
|
|
@@ -194,23 +214,7 @@ module Dependabot
|
|
|
194
214
|
def required_packages
|
|
195
215
|
@required_packages ||=
|
|
196
216
|
T.let(
|
|
197
|
-
|
|
198
|
-
# Create a fake empty module for each local module so that
|
|
199
|
-
# `go mod edit` works, even if some modules have been `replace`d with
|
|
200
|
-
# a local module that we don't have access to.
|
|
201
|
-
local_replacements.each do |_, stub_path|
|
|
202
|
-
FileUtils.mkdir_p(stub_path)
|
|
203
|
-
FileUtils.touch(File.join(stub_path, "go.mod"))
|
|
204
|
-
end
|
|
205
|
-
|
|
206
|
-
File.write("go.mod", go_mod_content)
|
|
207
|
-
|
|
208
|
-
command = "go mod edit -json"
|
|
209
|
-
|
|
210
|
-
stdout, stderr, status = Open3.capture3(command)
|
|
211
|
-
handle_parser_error(path, stderr) unless status.success?
|
|
212
|
-
JSON.parse(stdout)["Require"] || []
|
|
213
|
-
end,
|
|
217
|
+
JSON.parse(run_in_parsed_context("go mod edit -json"))["Require"] || [],
|
|
214
218
|
T.nilable(T::Array[T::Hash[String, T.untyped]])
|
|
215
219
|
)
|
|
216
220
|
end
|
|
@@ -32,15 +32,6 @@ module Dependabot
|
|
|
32
32
|
use_repo_contents_stub if repo_contents_path.nil?
|
|
33
33
|
end
|
|
34
34
|
|
|
35
|
-
sig { override.returns(T::Array[Regexp]) }
|
|
36
|
-
def self.updated_files_regex
|
|
37
|
-
[
|
|
38
|
-
/^go\.mod$/,
|
|
39
|
-
/^go\.sum$/,
|
|
40
|
-
%r{^vendor/.*}
|
|
41
|
-
]
|
|
42
|
-
end
|
|
43
|
-
|
|
44
35
|
sig { override.returns(T::Array[Dependabot::DependencyFile]) }
|
|
45
36
|
def updated_dependency_files
|
|
46
37
|
updated_files = []
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-go_modules
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.341.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -15,14 +15,14 @@ dependencies:
|
|
|
15
15
|
requirements:
|
|
16
16
|
- - '='
|
|
17
17
|
- !ruby/object:Gem::Version
|
|
18
|
-
version: 0.
|
|
18
|
+
version: 0.341.0
|
|
19
19
|
type: :runtime
|
|
20
20
|
prerelease: false
|
|
21
21
|
version_requirements: !ruby/object:Gem::Requirement
|
|
22
22
|
requirements:
|
|
23
23
|
- - '='
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
|
-
version: 0.
|
|
25
|
+
version: 0.341.0
|
|
26
26
|
- !ruby/object:Gem::Dependency
|
|
27
27
|
name: debug
|
|
28
28
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -272,7 +272,7 @@ licenses:
|
|
|
272
272
|
- MIT
|
|
273
273
|
metadata:
|
|
274
274
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
275
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
275
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.341.0
|
|
276
276
|
rdoc_options: []
|
|
277
277
|
require_paths:
|
|
278
278
|
- lib
|