dependabot-go_modules 0.144.0 → 0.145.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/helpers/go.mod +1 -1
- data/helpers/go.sum +2 -2
- data/helpers/main.go +2 -2
- data/helpers/updatechecker/main.go +13 -37
- data/lib/dependabot/go_modules/update_checker.rb +8 -59
- data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb +147 -0
- metadata +4 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e5a1572ab4bc566ad0c86a6ff2c332124e76c98cbbf8ba711b31bea5ee129656
|
|
4
|
+
data.tar.gz: 910e1cc9f46cbdd5816e0dbc9ae4faf59e362c7005bac0827c8179b06fe88cba
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 04cd9f7ea9755e2818896714d5f8b0d038b08b8b96bf777a937f75c0ee3e7a2577c8170bea33ad6db25a87a7ad681fc135221809424d02fa204e9b9eaf4f3524
|
|
7
|
+
data.tar.gz: 18dfc3b740ceca107e515a594eb432737530d020bd6a60fc10625488ac8bb158b6eb48d6d506295411a9a18df4243b9febf152544c108b30c690795025a9a7b2
|
data/helpers/go.mod
CHANGED
data/helpers/go.sum
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
github.com/Masterminds/vcs v1.13.1 h1:NL3G1X7/7xduQtA2sJLpVpfHTNBALVNSjob6KEjPXNQ=
|
|
2
2
|
github.com/Masterminds/vcs v1.13.1/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA=
|
|
3
|
-
github.com/dependabot/gomodules-extracted v1.
|
|
4
|
-
github.com/dependabot/gomodules-extracted v1.
|
|
3
|
+
github.com/dependabot/gomodules-extracted v1.3.0 h1:Rsnl5uR+wjE+7ontePia/B3p48aBRsyEhyNrzCwbkaw=
|
|
4
|
+
github.com/dependabot/gomodules-extracted v1.3.0/go.mod h1:cpzrmDX1COyhSDQXHfkRMw0STb0vmguBFqmrkr51h1I=
|
|
5
5
|
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
|
6
6
|
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
|
|
7
7
|
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
data/helpers/main.go
CHANGED
|
@@ -33,10 +33,10 @@ func main() {
|
|
|
33
33
|
funcErr error
|
|
34
34
|
)
|
|
35
35
|
switch helperParams.Function {
|
|
36
|
-
case "
|
|
36
|
+
case "getVersions":
|
|
37
37
|
var args updatechecker.Args
|
|
38
38
|
parseArgs(helperParams.Args, &args)
|
|
39
|
-
funcOut, funcErr = updatechecker.
|
|
39
|
+
funcOut, funcErr = updatechecker.GetVersions(&args)
|
|
40
40
|
case "updateDependencyFile":
|
|
41
41
|
var args updater.Args
|
|
42
42
|
parseArgs(helperParams.Args, &args)
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
package updatechecker
|
|
2
2
|
|
|
3
3
|
import (
|
|
4
|
+
"context"
|
|
4
5
|
"errors"
|
|
5
6
|
"io/ioutil"
|
|
6
|
-
"regexp"
|
|
7
7
|
|
|
8
8
|
"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modfetch"
|
|
9
9
|
"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modload"
|
|
@@ -11,44 +11,27 @@ import (
|
|
|
11
11
|
"golang.org/x/mod/semver"
|
|
12
12
|
)
|
|
13
13
|
|
|
14
|
-
var (
|
|
15
|
-
pseudoVersionRegexp = regexp.MustCompile(`\b\d{14}-[0-9a-f]{12}$`)
|
|
16
|
-
)
|
|
17
|
-
|
|
18
14
|
type Dependency struct {
|
|
19
|
-
Name
|
|
20
|
-
Version
|
|
21
|
-
Indirect bool `json:"indirect"`
|
|
22
|
-
}
|
|
23
|
-
|
|
24
|
-
type IgnoreRange struct {
|
|
25
|
-
MinVersionInclusive string `json:"min_version_inclusive"`
|
|
26
|
-
MaxVersionExclusive string `json:"max_version_exclusive"`
|
|
15
|
+
Name string `json:"name"`
|
|
16
|
+
Version string `json:"version"`
|
|
27
17
|
}
|
|
28
18
|
|
|
29
19
|
type Args struct {
|
|
30
|
-
Dependency
|
|
31
|
-
IgnoreRanges []*IgnoreRange `json:"ignore_ranges"`
|
|
20
|
+
Dependency *Dependency `json:"dependency"`
|
|
32
21
|
}
|
|
33
22
|
|
|
34
|
-
|
|
23
|
+
// GetVersions returns a list of versions for the given dependency that
|
|
24
|
+
// are within the same major version.
|
|
25
|
+
func GetVersions(args *Args) (interface{}, error) {
|
|
35
26
|
if args.Dependency == nil {
|
|
36
27
|
return nil, errors.New("Expected args.dependency to not be nil")
|
|
37
28
|
}
|
|
38
29
|
|
|
39
30
|
currentVersion := args.Dependency.Version
|
|
40
|
-
currentPrerelease := semver.Prerelease(currentVersion)
|
|
41
|
-
if pseudoVersionRegexp.MatchString(currentPrerelease) {
|
|
42
|
-
return currentVersion, nil
|
|
43
|
-
}
|
|
44
|
-
|
|
45
|
-
modload.InitMod()
|
|
46
31
|
|
|
47
|
-
|
|
48
|
-
if err != nil {
|
|
49
|
-
return nil, err
|
|
50
|
-
}
|
|
32
|
+
modload.LoadModFile(context.Background())
|
|
51
33
|
|
|
34
|
+
repo := modfetch.Lookup("direct", args.Dependency.Name)
|
|
52
35
|
versions, err := repo.Versions("")
|
|
53
36
|
if err != nil {
|
|
54
37
|
return nil, err
|
|
@@ -60,7 +43,8 @@ func GetUpdatedVersion(args *Args) (interface{}, error) {
|
|
|
60
43
|
}
|
|
61
44
|
|
|
62
45
|
currentMajor := semver.Major(currentVersion)
|
|
63
|
-
|
|
46
|
+
|
|
47
|
+
var candidateVersions []string
|
|
64
48
|
|
|
65
49
|
Outer:
|
|
66
50
|
for _, v := range versions {
|
|
@@ -68,24 +52,16 @@ Outer:
|
|
|
68
52
|
continue
|
|
69
53
|
}
|
|
70
54
|
|
|
71
|
-
if semver.Compare(v, latestVersion) < 1 {
|
|
72
|
-
continue
|
|
73
|
-
}
|
|
74
|
-
|
|
75
|
-
if currentPrerelease == "" && semver.Prerelease(v) != "" {
|
|
76
|
-
continue
|
|
77
|
-
}
|
|
78
|
-
|
|
79
55
|
for _, exclude := range excludes {
|
|
80
56
|
if v == exclude {
|
|
81
57
|
continue Outer
|
|
82
58
|
}
|
|
83
59
|
}
|
|
84
60
|
|
|
85
|
-
|
|
61
|
+
candidateVersions = append(candidateVersions, v)
|
|
86
62
|
}
|
|
87
63
|
|
|
88
|
-
return
|
|
64
|
+
return candidateVersions, nil
|
|
89
65
|
}
|
|
90
66
|
|
|
91
67
|
func goModExcludes(dependency string) ([]string, error) {
|
|
@@ -5,20 +5,12 @@ require "dependabot/update_checkers/base"
|
|
|
5
5
|
require "dependabot/shared_helpers"
|
|
6
6
|
require "dependabot/errors"
|
|
7
7
|
require "dependabot/go_modules/native_helpers"
|
|
8
|
-
require "dependabot/go_modules/resolvability_errors"
|
|
9
8
|
require "dependabot/go_modules/version"
|
|
10
9
|
|
|
11
10
|
module Dependabot
|
|
12
11
|
module GoModules
|
|
13
12
|
class UpdateChecker < Dependabot::UpdateCheckers::Base
|
|
14
|
-
|
|
15
|
-
# Package url/proxy doesn't include any redirect meta tags
|
|
16
|
-
/no go-import meta tags/,
|
|
17
|
-
# Package url 404s
|
|
18
|
-
/404 Not Found/,
|
|
19
|
-
/Repository not found/,
|
|
20
|
-
/unrecognized import path/
|
|
21
|
-
].freeze
|
|
13
|
+
require_relative "update_checker/latest_version_finder"
|
|
22
14
|
|
|
23
15
|
def latest_resolvable_version
|
|
24
16
|
# We don't yet support updating indirect dependencies for go_modules
|
|
@@ -33,7 +25,13 @@ module Dependabot
|
|
|
33
25
|
end
|
|
34
26
|
|
|
35
27
|
@latest_resolvable_version ||=
|
|
36
|
-
|
|
28
|
+
LatestVersionFinder.new(
|
|
29
|
+
dependency: dependency,
|
|
30
|
+
dependency_files: dependency_files,
|
|
31
|
+
credentials: credentials,
|
|
32
|
+
ignored_versions: ignored_versions,
|
|
33
|
+
raise_on_ignored: raise_on_ignored,
|
|
34
|
+
).latest_version
|
|
37
35
|
end
|
|
38
36
|
|
|
39
37
|
# This is currently used to short-circuit latest_resolvable_version,
|
|
@@ -56,51 +54,6 @@ module Dependabot
|
|
|
56
54
|
|
|
57
55
|
private
|
|
58
56
|
|
|
59
|
-
def find_latest_resolvable_version
|
|
60
|
-
SharedHelpers.in_a_temporary_directory do
|
|
61
|
-
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
62
|
-
File.write("go.mod", go_mod.content)
|
|
63
|
-
|
|
64
|
-
# Turn off the module proxy for now, as it's causing issues with
|
|
65
|
-
# private git dependencies
|
|
66
|
-
env = { "GOPRIVATE" => "*" }
|
|
67
|
-
|
|
68
|
-
SharedHelpers.run_helper_subprocess(
|
|
69
|
-
command: NativeHelpers.helper_path,
|
|
70
|
-
env: env,
|
|
71
|
-
function: "getUpdatedVersion",
|
|
72
|
-
args: {
|
|
73
|
-
dependency: {
|
|
74
|
-
name: dependency.name,
|
|
75
|
-
version: "v" + dependency.version,
|
|
76
|
-
indirect: dependency.requirements.empty?
|
|
77
|
-
}
|
|
78
|
-
}
|
|
79
|
-
)
|
|
80
|
-
end
|
|
81
|
-
end
|
|
82
|
-
rescue SharedHelpers::HelperSubprocessFailed => e
|
|
83
|
-
retry_count ||= 0
|
|
84
|
-
retry_count += 1
|
|
85
|
-
retry if transitory_failure?(e) && retry_count < 2
|
|
86
|
-
|
|
87
|
-
handle_subprocess_error(e)
|
|
88
|
-
end
|
|
89
|
-
|
|
90
|
-
def handle_subprocess_error(error)
|
|
91
|
-
if RESOLVABILITY_ERROR_REGEXES.any? { |rgx| error.message =~ rgx }
|
|
92
|
-
ResolvabilityErrors.handle(error.message, credentials: credentials)
|
|
93
|
-
end
|
|
94
|
-
|
|
95
|
-
raise
|
|
96
|
-
end
|
|
97
|
-
|
|
98
|
-
def transitory_failure?(error)
|
|
99
|
-
return true if error.message.include?("EOF")
|
|
100
|
-
|
|
101
|
-
error.message.include?("Internal Server Error")
|
|
102
|
-
end
|
|
103
|
-
|
|
104
57
|
def latest_version_resolvable_with_full_unlock?
|
|
105
58
|
# Full unlock checks aren't implemented for Go (yet)
|
|
106
59
|
false
|
|
@@ -137,10 +90,6 @@ module Dependabot
|
|
|
137
90
|
{ type: "default", source: dependency.name }
|
|
138
91
|
end
|
|
139
92
|
|
|
140
|
-
def go_mod
|
|
141
|
-
@go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
|
|
142
|
-
end
|
|
143
|
-
|
|
144
93
|
def git_commit_checker
|
|
145
94
|
@git_commit_checker ||=
|
|
146
95
|
GitCommitChecker.new(
|
|
@@ -0,0 +1,147 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "excon"
|
|
4
|
+
|
|
5
|
+
require "dependabot/shared_helpers"
|
|
6
|
+
require "dependabot/errors"
|
|
7
|
+
require "dependabot/go_modules/requirement"
|
|
8
|
+
require "dependabot/go_modules/resolvability_errors"
|
|
9
|
+
|
|
10
|
+
module Dependabot
|
|
11
|
+
module GoModules
|
|
12
|
+
class UpdateChecker
|
|
13
|
+
class LatestVersionFinder
|
|
14
|
+
RESOLVABILITY_ERROR_REGEXES = [
|
|
15
|
+
# Package url/proxy doesn't include any redirect meta tags
|
|
16
|
+
/no go-import meta tags/,
|
|
17
|
+
# Package url 404s
|
|
18
|
+
/404 Not Found/,
|
|
19
|
+
/Repository not found/,
|
|
20
|
+
/unrecognized import path/
|
|
21
|
+
].freeze
|
|
22
|
+
PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/.freeze
|
|
23
|
+
|
|
24
|
+
def initialize(dependency:, dependency_files:, credentials:,
|
|
25
|
+
ignored_versions:, raise_on_ignored: false)
|
|
26
|
+
@dependency = dependency
|
|
27
|
+
@dependency_files = dependency_files
|
|
28
|
+
@credentials = credentials
|
|
29
|
+
@ignored_versions = ignored_versions
|
|
30
|
+
@raise_on_ignored = raise_on_ignored
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def latest_version
|
|
34
|
+
@latest_version ||= fetch_latest_version
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
private
|
|
38
|
+
|
|
39
|
+
attr_reader :dependency, :dependency_files, :credentials, :ignored_versions
|
|
40
|
+
|
|
41
|
+
def fetch_latest_version
|
|
42
|
+
return dependency.version if dependency.version =~ PSEUDO_VERSION_REGEX
|
|
43
|
+
|
|
44
|
+
candidate_versions = available_versions
|
|
45
|
+
candidate_versions = filter_prerelease_versions(candidate_versions)
|
|
46
|
+
candidate_versions = filter_lower_versions(candidate_versions)
|
|
47
|
+
candidate_versions = filter_ignored_versions(candidate_versions)
|
|
48
|
+
|
|
49
|
+
candidate_versions.max
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
def available_versions
|
|
53
|
+
SharedHelpers.in_a_temporary_directory do
|
|
54
|
+
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
55
|
+
File.write("go.mod", go_mod.content)
|
|
56
|
+
|
|
57
|
+
# Turn off the module proxy for now, as it's causing issues with
|
|
58
|
+
# private git dependencies
|
|
59
|
+
env = { "GOPRIVATE" => "*" }
|
|
60
|
+
|
|
61
|
+
version_strings = SharedHelpers.run_helper_subprocess(
|
|
62
|
+
command: NativeHelpers.helper_path,
|
|
63
|
+
env: env,
|
|
64
|
+
function: "getVersions",
|
|
65
|
+
args: {
|
|
66
|
+
dependency: {
|
|
67
|
+
name: dependency.name,
|
|
68
|
+
version: "v" + dependency.version,
|
|
69
|
+
}
|
|
70
|
+
}
|
|
71
|
+
)
|
|
72
|
+
|
|
73
|
+
version_strings.select { |v| version_class.correct?(v) }
|
|
74
|
+
.map { |v| version_class.new(v) }
|
|
75
|
+
end
|
|
76
|
+
end
|
|
77
|
+
rescue SharedHelpers::HelperSubprocessFailed => e
|
|
78
|
+
retry_count ||= 0
|
|
79
|
+
retry_count += 1
|
|
80
|
+
retry if transitory_failure?(e) && retry_count < 2
|
|
81
|
+
|
|
82
|
+
handle_subprocess_error(e)
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
def handle_subprocess_error(error)
|
|
86
|
+
if RESOLVABILITY_ERROR_REGEXES.any? { |rgx| error.message =~ rgx }
|
|
87
|
+
ResolvabilityErrors.handle(error.message, credentials: credentials)
|
|
88
|
+
end
|
|
89
|
+
|
|
90
|
+
raise
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
def transitory_failure?(error)
|
|
94
|
+
return true if error.message.include?("EOF")
|
|
95
|
+
|
|
96
|
+
error.message.include?("Internal Server Error")
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
def go_mod
|
|
100
|
+
@go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
|
|
101
|
+
end
|
|
102
|
+
|
|
103
|
+
def filter_prerelease_versions(versions_array)
|
|
104
|
+
return versions_array if wants_prerelease?
|
|
105
|
+
|
|
106
|
+
versions_array.reject(&:prerelease?)
|
|
107
|
+
end
|
|
108
|
+
|
|
109
|
+
def filter_lower_versions(versions_array)
|
|
110
|
+
versions_array.
|
|
111
|
+
select { |version| version > version_class.new(dependency.version) }
|
|
112
|
+
end
|
|
113
|
+
|
|
114
|
+
def filter_ignored_versions(versions_array)
|
|
115
|
+
filtered = versions_array.
|
|
116
|
+
reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
|
|
117
|
+
raise AllVersionsIgnored if @raise_on_ignored && filtered.empty? && versions_array.any?
|
|
118
|
+
|
|
119
|
+
filtered
|
|
120
|
+
end
|
|
121
|
+
|
|
122
|
+
def wants_prerelease?
|
|
123
|
+
@wants_prerelease ||=
|
|
124
|
+
begin
|
|
125
|
+
current_version = dependency.version
|
|
126
|
+
current_version && version_class.correct?(current_version) &&
|
|
127
|
+
version_class.new(current_version).prerelease?
|
|
128
|
+
end
|
|
129
|
+
end
|
|
130
|
+
|
|
131
|
+
def ignore_requirements
|
|
132
|
+
ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
|
|
133
|
+
end
|
|
134
|
+
|
|
135
|
+
def requirement_class
|
|
136
|
+
Utils.requirement_class_for_package_manager(
|
|
137
|
+
dependency.package_manager
|
|
138
|
+
)
|
|
139
|
+
end
|
|
140
|
+
|
|
141
|
+
def version_class
|
|
142
|
+
Utils.version_class_for_package_manager(dependency.package_manager)
|
|
143
|
+
end
|
|
144
|
+
end
|
|
145
|
+
end
|
|
146
|
+
end
|
|
147
|
+
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-go_modules
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.145.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.145.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.145.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -206,6 +206,7 @@ files:
|
|
|
206
206
|
- lib/dependabot/go_modules/requirement.rb
|
|
207
207
|
- lib/dependabot/go_modules/resolvability_errors.rb
|
|
208
208
|
- lib/dependabot/go_modules/update_checker.rb
|
|
209
|
+
- lib/dependabot/go_modules/update_checker/latest_version_finder.rb
|
|
209
210
|
- lib/dependabot/go_modules/version.rb
|
|
210
211
|
homepage: https://github.com/dependabot/dependabot-core
|
|
211
212
|
licenses:
|