dependabot-go_modules 0.129.1 → 0.129.2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9a5732b46b502a7660d58467755acc033f3eddd7ac90d457401479dc21985504
|
4
|
+
data.tar.gz: 70b7dc19d8f80346f8300ce48995e68e425e79e4a33ff6b33f80d3cf09c34321
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8b21e2f1b812745f68fe053aaa3e20735e56c5f50d060a896db9484087ffd1ee091ae22039e4d384ac9aefdc66561c657cda30aad5dab53a62a6f833a1305dbc
|
7
|
+
data.tar.gz: d75ca92c24e867137de528fb58db6a100333fb6089e487c5511e4438087f9b71abc8c8a4e5249eed543cc0548ffafa6703ddd8db193f3a7402a80e85487767c3
|
@@ -16,17 +16,8 @@ module Dependabot
|
|
16
16
|
def parse
|
17
17
|
dependency_set = Dependabot::FileParsers::Base::DependencySet.new
|
18
18
|
|
19
|
-
|
20
|
-
|
21
|
-
group_by { |line| line == "{\n" ? i += 1 : i }
|
22
|
-
deps = chunks.values.map { |chunk| JSON.parse(chunk.join) }
|
23
|
-
|
24
|
-
deps.each do |dep|
|
25
|
-
# The project itself appears in this list as "Main"
|
26
|
-
next if dep["Main"]
|
27
|
-
|
28
|
-
dependency = dependency_from_details(dep)
|
29
|
-
dependency_set << dependency if dependency
|
19
|
+
required_packages.each do |dep|
|
20
|
+
dependency_set << dependency_from_details(dep) unless dep["Indirect"]
|
30
21
|
end
|
31
22
|
|
32
23
|
dependency_set.dependencies
|
@@ -65,39 +56,36 @@ module Dependabot
|
|
65
56
|
)
|
66
57
|
end
|
67
58
|
|
68
|
-
def
|
69
|
-
@
|
59
|
+
def required_packages
|
60
|
+
@required_packages ||=
|
70
61
|
SharedHelpers.in_a_temporary_directory do |path|
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
FileUtils.touch(File.join(stub_path, "go.mod"))
|
78
|
-
end
|
79
|
-
|
80
|
-
File.write("go.mod", go_mod_content)
|
81
|
-
|
82
|
-
command = "go mod edit -print > /dev/null"
|
83
|
-
command += " && go list -m -json all"
|
84
|
-
|
85
|
-
# Turn off the module proxy for now, as it's causing issues with
|
86
|
-
# private git dependencies
|
87
|
-
env = { "GOPRIVATE" => "*" }
|
88
|
-
|
89
|
-
stdout, stderr, status = Open3.capture3(env, command)
|
90
|
-
handle_parser_error(path, stderr) unless status.success?
|
91
|
-
stdout
|
92
|
-
rescue Dependabot::DependencyFileNotResolvable
|
93
|
-
# We sometimes see this error if a host times out.
|
94
|
-
# In such cases, retrying (a maximum of 3 times) may fix it.
|
95
|
-
retry_count ||= 0
|
96
|
-
raise if retry_count >= 3
|
97
|
-
|
98
|
-
retry_count += 1
|
99
|
-
retry
|
62
|
+
# Create a fake empty module for each local module so that
|
63
|
+
# `go mod edit` works, even if some modules have been `replace`d with
|
64
|
+
# a local module that we don't have access to.
|
65
|
+
local_replacements.each do |_, stub_path|
|
66
|
+
Dir.mkdir(stub_path) unless Dir.exist?(stub_path)
|
67
|
+
FileUtils.touch(File.join(stub_path, "go.mod"))
|
100
68
|
end
|
69
|
+
|
70
|
+
File.write("go.mod", go_mod_content)
|
71
|
+
|
72
|
+
command = "go mod edit -json"
|
73
|
+
|
74
|
+
# Turn off the module proxy for now, as it's causing issues with
|
75
|
+
# private git dependencies
|
76
|
+
env = { "GOPRIVATE" => "*" }
|
77
|
+
|
78
|
+
stdout, stderr, status = Open3.capture3(env, command)
|
79
|
+
handle_parser_error(path, stderr) unless status.success?
|
80
|
+
JSON.parse(stdout)["Require"]
|
81
|
+
rescue Dependabot::DependencyFileNotResolvable
|
82
|
+
# We sometimes see this error if a host times out.
|
83
|
+
# In such cases, retrying (a maximum of 3 times) may fix it.
|
84
|
+
retry_count ||= 0
|
85
|
+
raise if retry_count >= 3
|
86
|
+
|
87
|
+
retry_count += 1
|
88
|
+
retry
|
101
89
|
end
|
102
90
|
end
|
103
91
|
|
@@ -135,52 +123,9 @@ module Dependabot
|
|
135
123
|
end
|
136
124
|
end
|
137
125
|
|
138
|
-
GIT_ERROR_REGEX = /go: .*: git fetch .*: exit status 128/m.freeze
|
139
126
|
def handle_parser_error(path, stderr)
|
140
|
-
|
141
|
-
|
142
|
-
line = stderr.lines.grep(/unknown revision/).first.strip
|
143
|
-
handle_github_unknown_revision(line) if line.start_with?("go: github.com/")
|
144
|
-
raise Dependabot::DependencyFileNotResolvable, line
|
145
|
-
when /go: .*: unrecognized import path/m
|
146
|
-
line = stderr.lines.grep(/unrecognized import/).first
|
147
|
-
raise Dependabot::DependencyFileNotResolvable, line.strip
|
148
|
-
when /go: errors parsing go.mod/m
|
149
|
-
msg = stderr.gsub(path.to_s, "").strip
|
150
|
-
raise Dependabot::DependencyFileNotParseable.new(go_mod.path, msg)
|
151
|
-
when GIT_ERROR_REGEX
|
152
|
-
lines = stderr.lines.drop_while { |l| GIT_ERROR_REGEX !~ l }
|
153
|
-
raise Dependabot::DependencyFileNotResolvable.new, lines.join
|
154
|
-
else
|
155
|
-
msg = stderr.gsub(path.to_s, "").strip
|
156
|
-
raise Dependabot::DependencyFileNotParseable.new(go_mod.path, msg)
|
157
|
-
end
|
158
|
-
end
|
159
|
-
|
160
|
-
GITHUB_REPO_REGEX = %r{github.com/[^@]*}.freeze
|
161
|
-
def handle_github_unknown_revision(line)
|
162
|
-
mod_path = line.scan(GITHUB_REPO_REGEX).first
|
163
|
-
return unless mod_path
|
164
|
-
|
165
|
-
# Query for _any_ version of this module, to know if it doesn't exist (or is private)
|
166
|
-
# or we were just given a bad revision by this manifest
|
167
|
-
SharedHelpers.in_a_temporary_directory do
|
168
|
-
SharedHelpers.with_git_configured(credentials: credentials) do
|
169
|
-
File.write("go.mod", "module dummy\n")
|
170
|
-
|
171
|
-
env = { "GOPRIVATE" => "*" }
|
172
|
-
_, _, status = Open3.capture3(env, SharedHelpers.escape_command("go get #{mod_path}"))
|
173
|
-
raise Dependabot::DependencyFileNotResolvable, line if status.success?
|
174
|
-
|
175
|
-
mod_split = mod_path.split("/")
|
176
|
-
repo_path = if mod_split.size > 3
|
177
|
-
mod_split[0..2].join("/")
|
178
|
-
else
|
179
|
-
mod_path
|
180
|
-
end
|
181
|
-
raise Dependabot::GitDependenciesNotReachable, [repo_path]
|
182
|
-
end
|
183
|
-
end
|
127
|
+
msg = stderr.gsub(path.to_s, "").strip
|
128
|
+
raise Dependabot::DependencyFileNotParseable.new(go_mod.path, msg)
|
184
129
|
end
|
185
130
|
|
186
131
|
def rev_identifier?(dep)
|
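Review bot: The `rescue Dependabot::DependencyFileNotResolvable` … `retry` clause at the end of `required_packages` (new lines 81–88) is now unreachable: the only error path inside the block is `handle_parser_error`, which after this change raises only `Dependabot::DependencyFileNotParseable` (new lines 127–128), and `go mod edit -json` is an offline edit, so the "host times out" comment no longer describes anything that can occur here. Either drop the rescue/retry block or, if retrying the parse step is really wanted, rescue the exception that is actually raised. Separately, `Dir.mkdir(stub_path)` and `FileUtils.touch(File.join(stub_path, "go.mod"))` act on paths from `local_replacements`, which is defined outside this hunk; if those are `replace` directive paths passed through unchanged, a `../`-style path in a user's go.mod would create entries outside the temporary directory, so it is worth guarding with `next unless File.expand_path(stub_path, path).start_with?(File.expand_path(path))` before creating the stub. `parse` also dropped the previous `if dependency` guard, which is fine only if `dependency_from_details` can no longer return nil — its body is not visible here.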
@@ -40,6 +40,8 @@ module Dependabot
|
|
40
40
|
/no space left on device/.freeze
|
41
41
|
].freeze
|
42
42
|
|
43
|
+
GO_MOD_VERSION = /^go 1\.[\d]+$/.freeze
|
44
|
+
|
43
45
|
def initialize(dependencies:, credentials:, repo_contents_path:,
|
44
46
|
directory:, options:)
|
45
47
|
@dependencies = dependencies
|
@@ -67,10 +69,9 @@ module Dependabot
|
|
67
69
|
@updated_files ||= update_files
|
68
70
|
end
|
69
71
|
|
70
|
-
def update_files # rubocop:disable Metrics/AbcSize
|
72
|
+
def update_files # rubocop:disable Metrics/AbcSize, Metrics/PerceivedComplexity
|
71
73
|
in_repo_path do
|
72
74
|
# Map paths in local replace directives to path hashes
|
73
|
-
|
74
75
|
original_go_mod = File.read("go.mod")
|
75
76
|
original_manifest = parse_manifest
|
76
77
|
original_go_sum = File.read("go.sum") if File.exist?("go.sum")
|
@@ -87,35 +88,36 @@ module Dependabot
|
|
87
88
|
# Then run `go get` to pick up other changes to the file caused by
|
88
89
|
# the upgrade
|
89
90
|
run_go_get
|
90
|
-
run_go_vendor
|
91
|
-
run_go_mod_tidy
|
92
|
-
|
93
|
-
# At this point, the go.mod returned from run_go_get contains the
|
94
|
-
# correct set of modules, but running `go get` can change the file
|
95
|
-
# in undesirable ways (such as injecting the current Go version),
|
96
|
-
# so we need to update the original go.mod with the updated set of
|
97
|
-
# requirements rather than using the regenerated file directly
|
98
|
-
original_reqs = original_manifest["Require"] || []
|
99
|
-
updated_reqs = parse_manifest["Require"] || []
|
100
|
-
|
101
|
-
original_paths = original_reqs.map { |r| r["Path"] }
|
102
|
-
updated_paths = updated_reqs.map { |r| r["Path"] }
|
103
|
-
req_paths_to_remove = original_paths - updated_paths
|
104
|
-
|
105
|
-
# Put back the original content before we replace just the updated
|
106
|
-
# dependencies.
|
107
|
-
write_go_mod(original_go_mod)
|
108
91
|
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
92
|
+
# If we stubbed modules, don't run `go mod {tidy,vendor}` as
|
93
|
+
# dependencies are incomplete
|
94
|
+
if substitutions.empty?
|
95
|
+
run_go_mod_tidy
|
96
|
+
run_go_vendor
|
97
|
+
else
|
98
|
+
substitute_all(substitutions.invert)
|
99
|
+
end
|
115
100
|
|
116
101
|
updated_go_sum = original_go_sum ? File.read("go.sum") : nil
|
117
102
|
updated_go_mod = File.read("go.mod")
|
118
103
|
|
104
|
+
# running "go get" may inject the current go version, remove it
|
105
|
+
original_go_version = original_go_mod.match(GO_MOD_VERSION)&.to_a&.first
|
106
|
+
updated_go_version = updated_go_mod.match(GO_MOD_VERSION)&.to_a&.first
|
107
|
+
if original_go_version != updated_go_version
|
108
|
+
go_mod_lines = updated_go_mod.lines
|
109
|
+
go_mod_lines.each_with_index do |line, i|
|
110
|
+
next unless line&.match?(GO_MOD_VERSION)
|
111
|
+
|
112
|
+
# replace with the original version
|
113
|
+
go_mod_lines[i] = original_go_version
|
114
|
+
# avoid a stranded newline if there was no version originally
|
115
|
+
go_mod_lines[i + 1] = nil if original_go_version.nil?
|
116
|
+
end
|
117
|
+
|
118
|
+
updated_go_mod = go_mod_lines.compact.join
|
119
|
+
end
|
120
|
+
|
119
121
|
{ go_mod: updated_go_mod, go_sum: updated_go_sum }
|
120
122
|
end
|
121
123
|
end
|
@@ -184,24 +186,6 @@ module Dependabot
|
|
184
186
|
JSON.parse(stdout) || {}
|
185
187
|
end
|
186
188
|
|
187
|
-
def remove_requirements(requirement_paths)
|
188
|
-
requirement_paths.each do |path|
|
189
|
-
escaped_path = Shellwords.escape(path)
|
190
|
-
command = "go mod edit -droprequire #{escaped_path}"
|
191
|
-
_, stderr, status = Open3.capture3(ENVIRONMENT, command)
|
192
|
-
handle_subprocess_error(stderr) unless status.success?
|
193
|
-
end
|
194
|
-
end
|
195
|
-
|
196
|
-
def add_requirements(requirements)
|
197
|
-
requirements.each do |r|
|
198
|
-
escaped_req = Shellwords.escape("#{r['Path']}@#{r['Version']}")
|
199
|
-
command = "go mod edit -require #{escaped_req}"
|
200
|
-
_, stderr, status = Open3.capture3(ENVIRONMENT, command)
|
201
|
-
handle_subprocess_error(stderr) unless status.success?
|
202
|
-
end
|
203
|
-
end
|
204
|
-
|
205
189
|
def in_repo_path(&block)
|
206
190
|
SharedHelpers.
|
207
191
|
in_a_temporary_repo_directory(directory, repo_contents_path) do
|
@@ -268,7 +252,7 @@ module Dependabot
|
|
268
252
|
end
|
269
253
|
|
270
254
|
def module_pathname
|
271
|
-
@module_pathname ||= Pathname.new(repo_contents_path).join(directory)
|
255
|
+
@module_pathname ||= Pathname.new(repo_contents_path).join(directory.sub(%r{^/}, ""))
|
272
256
|
end
|
273
257
|
|
274
258
|
def substitute_all(substitutions)
|
@@ -312,24 +296,6 @@ module Dependabot
|
|
312
296
|
File.join(directory, "go.mod")
|
313
297
|
end
|
314
298
|
|
315
|
-
def requirement_to_dependency_obj(req)
|
316
|
-
# This is an approximation - we're not correctly populating `source`
|
317
|
-
# for instance, but it's only to plug the requirement into the
|
318
|
-
# `update_go_mod` method so this mapping doesn't need to be perfect
|
319
|
-
dep_req = {
|
320
|
-
file: "go.mod",
|
321
|
-
requirement: req["Version"],
|
322
|
-
groups: [],
|
323
|
-
source: nil
|
324
|
-
}
|
325
|
-
Dependency.new(
|
326
|
-
name: req["Path"],
|
327
|
-
version: req["Version"],
|
328
|
-
requirements: req["Indirect"] ? [] : [dep_req],
|
329
|
-
package_manager: "go_modules"
|
330
|
-
)
|
331
|
-
end
|
332
|
-
|
333
299
|
def write_go_mod(body)
|
334
300
|
File.write("go.mod", body)
|
335
301
|
end
|
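Review bot: In the go-version restoration loop in `update_files` (new lines 104–119), `go_mod_lines[i] = original_go_version` drops the line terminator: `String#lines` keeps each trailing `\n`, but `match(GO_MOD_VERSION)&.to_a&.first` yields the bare `go 1.x` text, so after `compact.join` the directive is fused with whatever follows — the blank separator line disappears, or, if the next line is another directive, the two collapse into one line and the go.mod is no longer parseable. Change the assignment to `go_mod_lines[i] = original_go_version && "#{original_go_version}\n"` so the nil case (no version in the original) still removes the line as intended. The loop also writes `go_mod_lines[i + 1] = nil` while `each_with_index` is iterating that same array; it works only because `line&.match?` tolerates the nil on the following pass, which deserves a comment such as `# the nil written above is seen on the next iteration, hence &.`. `update_files` begins before this hunk, and the `^`/`$` anchors in `GO_MOD_VERSION` are line anchors that this whole-file match relies on, so they should not be "corrected" to `\A`/`\z`.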
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-go_modules
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.129.
|
4
|
+
version: 0.129.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-01-04 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.129.
|
19
|
+
version: 0.129.2
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.129.
|
26
|
+
version: 0.129.2
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: byebug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -100,28 +100,28 @@ dependencies:
|
|
100
100
|
requirements:
|
101
101
|
- - "~>"
|
102
102
|
- !ruby/object:Gem::Version
|
103
|
-
version: 1.
|
103
|
+
version: 1.7.0
|
104
104
|
type: :development
|
105
105
|
prerelease: false
|
106
106
|
version_requirements: !ruby/object:Gem::Requirement
|
107
107
|
requirements:
|
108
108
|
- - "~>"
|
109
109
|
- !ruby/object:Gem::Version
|
110
|
-
version: 1.
|
110
|
+
version: 1.7.0
|
111
111
|
- !ruby/object:Gem::Dependency
|
112
112
|
name: simplecov
|
113
113
|
requirement: !ruby/object:Gem::Requirement
|
114
114
|
requirements:
|
115
115
|
- - "~>"
|
116
116
|
- !ruby/object:Gem::Version
|
117
|
-
version: 0.
|
117
|
+
version: 0.21.0
|
118
118
|
type: :development
|
119
119
|
prerelease: false
|
120
120
|
version_requirements: !ruby/object:Gem::Requirement
|
121
121
|
requirements:
|
122
122
|
- - "~>"
|
123
123
|
- !ruby/object:Gem::Version
|
124
|
-
version: 0.
|
124
|
+
version: 0.21.0
|
125
125
|
- !ruby/object:Gem::Dependency
|
126
126
|
name: simplecov-console
|
127
127
|
requirement: !ruby/object:Gem::Requirement
|