dependabot-go_modules 0.144.0 → 0.145.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/helpers/go.mod +1 -1
- data/helpers/go.sum +2 -2
- data/helpers/main.go +2 -2
- data/helpers/updatechecker/main.go +13 -37
- data/lib/dependabot/go_modules/update_checker.rb +8 -59
- data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb +147 -0
- metadata +4 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e5a1572ab4bc566ad0c86a6ff2c332124e76c98cbbf8ba711b31bea5ee129656
|
|
4
|
+
data.tar.gz: 910e1cc9f46cbdd5816e0dbc9ae4faf59e362c7005bac0827c8179b06fe88cba
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 04cd9f7ea9755e2818896714d5f8b0d038b08b8b96bf777a937f75c0ee3e7a2577c8170bea33ad6db25a87a7ad681fc135221809424d02fa204e9b9eaf4f3524
|
|
7
|
+
data.tar.gz: 18dfc3b740ceca107e515a594eb432737530d020bd6a60fc10625488ac8bb158b6eb48d6d506295411a9a18df4243b9febf152544c108b30c690795025a9a7b2
|
data/helpers/go.mod
CHANGED
data/helpers/go.sum
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
github.com/Masterminds/vcs v1.13.1 h1:NL3G1X7/7xduQtA2sJLpVpfHTNBALVNSjob6KEjPXNQ=
|
|
2
2
|
github.com/Masterminds/vcs v1.13.1/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA=
|
|
3
|
-
github.com/dependabot/gomodules-extracted v1.
|
|
4
|
-
github.com/dependabot/gomodules-extracted v1.
|
|
3
|
+
github.com/dependabot/gomodules-extracted v1.3.0 h1:Rsnl5uR+wjE+7ontePia/B3p48aBRsyEhyNrzCwbkaw=
|
|
4
|
+
github.com/dependabot/gomodules-extracted v1.3.0/go.mod h1:cpzrmDX1COyhSDQXHfkRMw0STb0vmguBFqmrkr51h1I=
|
|
5
5
|
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
|
6
6
|
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
|
|
7
7
|
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
data/helpers/main.go
CHANGED
|
@@ -33,10 +33,10 @@ func main() {
|
|
|
33
33
|
funcErr error
|
|
34
34
|
)
|
|
35
35
|
switch helperParams.Function {
|
|
36
|
-
case "
|
|
36
|
+
case "getVersions":
|
|
37
37
|
var args updatechecker.Args
|
|
38
38
|
parseArgs(helperParams.Args, &args)
|
|
39
|
-
funcOut, funcErr = updatechecker.
|
|
39
|
+
funcOut, funcErr = updatechecker.GetVersions(&args)
|
|
40
40
|
case "updateDependencyFile":
|
|
41
41
|
var args updater.Args
|
|
42
42
|
parseArgs(helperParams.Args, &args)
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
package updatechecker
|
|
2
2
|
|
|
3
3
|
import (
|
|
4
|
+
"context"
|
|
4
5
|
"errors"
|
|
5
6
|
"io/ioutil"
|
|
6
|
-
"regexp"
|
|
7
7
|
|
|
8
8
|
"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modfetch"
|
|
9
9
|
"github.com/dependabot/gomodules-extracted/cmd/go/_internal_/modload"
|
|
@@ -11,44 +11,27 @@ import (
|
|
|
11
11
|
"golang.org/x/mod/semver"
|
|
12
12
|
)
|
|
13
13
|
|
|
14
|
-
var (
|
|
15
|
-
pseudoVersionRegexp = regexp.MustCompile(`\b\d{14}-[0-9a-f]{12}$`)
|
|
16
|
-
)
|
|
17
|
-
|
|
18
14
|
type Dependency struct {
|
|
19
|
-
Name
|
|
20
|
-
Version
|
|
21
|
-
Indirect bool `json:"indirect"`
|
|
22
|
-
}
|
|
23
|
-
|
|
24
|
-
type IgnoreRange struct {
|
|
25
|
-
MinVersionInclusive string `json:"min_version_inclusive"`
|
|
26
|
-
MaxVersionExclusive string `json:"max_version_exclusive"`
|
|
15
|
+
Name string `json:"name"`
|
|
16
|
+
Version string `json:"version"`
|
|
27
17
|
}
|
|
28
18
|
|
|
29
19
|
type Args struct {
|
|
30
|
-
Dependency
|
|
31
|
-
IgnoreRanges []*IgnoreRange `json:"ignore_ranges"`
|
|
20
|
+
Dependency *Dependency `json:"dependency"`
|
|
32
21
|
}
|
|
33
22
|
|
|
34
|
-
|
|
23
|
+
// GetVersions returns a list of versions for the given dependency that
|
|
24
|
+
// are within the same major version.
|
|
25
|
+
func GetVersions(args *Args) (interface{}, error) {
|
|
35
26
|
if args.Dependency == nil {
|
|
36
27
|
return nil, errors.New("Expected args.dependency to not be nil")
|
|
37
28
|
}
|
|
38
29
|
|
|
39
30
|
currentVersion := args.Dependency.Version
|
|
40
|
-
currentPrerelease := semver.Prerelease(currentVersion)
|
|
41
|
-
if pseudoVersionRegexp.MatchString(currentPrerelease) {
|
|
42
|
-
return currentVersion, nil
|
|
43
|
-
}
|
|
44
|
-
|
|
45
|
-
modload.InitMod()
|
|
46
31
|
|
|
47
|
-
|
|
48
|
-
if err != nil {
|
|
49
|
-
return nil, err
|
|
50
|
-
}
|
|
32
|
+
modload.LoadModFile(context.Background())
|
|
51
33
|
|
|
34
|
+
repo := modfetch.Lookup("direct", args.Dependency.Name)
|
|
52
35
|
versions, err := repo.Versions("")
|
|
53
36
|
if err != nil {
|
|
54
37
|
return nil, err
|
|
@@ -60,7 +43,8 @@ func GetUpdatedVersion(args *Args) (interface{}, error) {
|
|
|
60
43
|
}
|
|
61
44
|
|
|
62
45
|
currentMajor := semver.Major(currentVersion)
|
|
63
|
-
|
|
46
|
+
|
|
47
|
+
var candidateVersions []string
|
|
64
48
|
|
|
65
49
|
Outer:
|
|
66
50
|
for _, v := range versions {
|
|
@@ -68,24 +52,16 @@ Outer:
|
|
|
68
52
|
continue
|
|
69
53
|
}
|
|
70
54
|
|
|
71
|
-
if semver.Compare(v, latestVersion) < 1 {
|
|
72
|
-
continue
|
|
73
|
-
}
|
|
74
|
-
|
|
75
|
-
if currentPrerelease == "" && semver.Prerelease(v) != "" {
|
|
76
|
-
continue
|
|
77
|
-
}
|
|
78
|
-
|
|
79
55
|
for _, exclude := range excludes {
|
|
80
56
|
if v == exclude {
|
|
81
57
|
continue Outer
|
|
82
58
|
}
|
|
83
59
|
}
|
|
84
60
|
|
|
85
|
-
|
|
61
|
+
candidateVersions = append(candidateVersions, v)
|
|
86
62
|
}
|
|
87
63
|
|
|
88
|
-
return
|
|
64
|
+
return candidateVersions, nil
|
|
89
65
|
}
|
|
90
66
|
|
|
91
67
|
func goModExcludes(dependency string) ([]string, error) {
|
|
@@ -5,20 +5,12 @@ require "dependabot/update_checkers/base"
|
|
|
5
5
|
require "dependabot/shared_helpers"
|
|
6
6
|
require "dependabot/errors"
|
|
7
7
|
require "dependabot/go_modules/native_helpers"
|
|
8
|
-
require "dependabot/go_modules/resolvability_errors"
|
|
9
8
|
require "dependabot/go_modules/version"
|
|
10
9
|
|
|
11
10
|
module Dependabot
|
|
12
11
|
module GoModules
|
|
13
12
|
class UpdateChecker < Dependabot::UpdateCheckers::Base
|
|
14
|
-
|
|
15
|
-
# Package url/proxy doesn't include any redirect meta tags
|
|
16
|
-
/no go-import meta tags/,
|
|
17
|
-
# Package url 404s
|
|
18
|
-
/404 Not Found/,
|
|
19
|
-
/Repository not found/,
|
|
20
|
-
/unrecognized import path/
|
|
21
|
-
].freeze
|
|
13
|
+
require_relative "update_checker/latest_version_finder"
|
|
22
14
|
|
|
23
15
|
def latest_resolvable_version
|
|
24
16
|
# We don't yet support updating indirect dependencies for go_modules
|
|
@@ -33,7 +25,13 @@ module Dependabot
|
|
|
33
25
|
end
|
|
34
26
|
|
|
35
27
|
@latest_resolvable_version ||=
|
|
36
|
-
|
|
28
|
+
LatestVersionFinder.new(
|
|
29
|
+
dependency: dependency,
|
|
30
|
+
dependency_files: dependency_files,
|
|
31
|
+
credentials: credentials,
|
|
32
|
+
ignored_versions: ignored_versions,
|
|
33
|
+
raise_on_ignored: raise_on_ignored,
|
|
34
|
+
).latest_version
|
|
37
35
|
end
|
|
38
36
|
|
|
39
37
|
# This is currently used to short-circuit latest_resolvable_version,
|
|
@@ -56,51 +54,6 @@ module Dependabot
|
|
|
56
54
|
|
|
57
55
|
private
|
|
58
56
|
|
|
59
|
-
def find_latest_resolvable_version
|
|
60
|
-
SharedHelpers.in_a_temporary_directory do
|
|
61
|
-
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
62
|
-
File.write("go.mod", go_mod.content)
|
|
63
|
-
|
|
64
|
-
# Turn off the module proxy for now, as it's causing issues with
|
|
65
|
-
# private git dependencies
|
|
66
|
-
env = { "GOPRIVATE" => "*" }
|
|
67
|
-
|
|
68
|
-
SharedHelpers.run_helper_subprocess(
|
|
69
|
-
command: NativeHelpers.helper_path,
|
|
70
|
-
env: env,
|
|
71
|
-
function: "getUpdatedVersion",
|
|
72
|
-
args: {
|
|
73
|
-
dependency: {
|
|
74
|
-
name: dependency.name,
|
|
75
|
-
version: "v" + dependency.version,
|
|
76
|
-
indirect: dependency.requirements.empty?
|
|
77
|
-
}
|
|
78
|
-
}
|
|
79
|
-
)
|
|
80
|
-
end
|
|
81
|
-
end
|
|
82
|
-
rescue SharedHelpers::HelperSubprocessFailed => e
|
|
83
|
-
retry_count ||= 0
|
|
84
|
-
retry_count += 1
|
|
85
|
-
retry if transitory_failure?(e) && retry_count < 2
|
|
86
|
-
|
|
87
|
-
handle_subprocess_error(e)
|
|
88
|
-
end
|
|
89
|
-
|
|
90
|
-
def handle_subprocess_error(error)
|
|
91
|
-
if RESOLVABILITY_ERROR_REGEXES.any? { |rgx| error.message =~ rgx }
|
|
92
|
-
ResolvabilityErrors.handle(error.message, credentials: credentials)
|
|
93
|
-
end
|
|
94
|
-
|
|
95
|
-
raise
|
|
96
|
-
end
|
|
97
|
-
|
|
98
|
-
def transitory_failure?(error)
|
|
99
|
-
return true if error.message.include?("EOF")
|
|
100
|
-
|
|
101
|
-
error.message.include?("Internal Server Error")
|
|
102
|
-
end
|
|
103
|
-
|
|
104
57
|
def latest_version_resolvable_with_full_unlock?
|
|
105
58
|
# Full unlock checks aren't implemented for Go (yet)
|
|
106
59
|
false
|
|
@@ -137,10 +90,6 @@ module Dependabot
|
|
|
137
90
|
{ type: "default", source: dependency.name }
|
|
138
91
|
end
|
|
139
92
|
|
|
140
|
-
def go_mod
|
|
141
|
-
@go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
|
|
142
|
-
end
|
|
143
|
-
|
|
144
93
|
def git_commit_checker
|
|
145
94
|
@git_commit_checker ||=
|
|
146
95
|
GitCommitChecker.new(
|
|
@@ -0,0 +1,147 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "excon"
|
|
4
|
+
|
|
5
|
+
require "dependabot/shared_helpers"
|
|
6
|
+
require "dependabot/errors"
|
|
7
|
+
require "dependabot/go_modules/requirement"
|
|
8
|
+
require "dependabot/go_modules/resolvability_errors"
|
|
9
|
+
|
|
10
|
+
module Dependabot
|
|
11
|
+
module GoModules
|
|
12
|
+
class UpdateChecker
|
|
13
|
+
class LatestVersionFinder
|
|
14
|
+
RESOLVABILITY_ERROR_REGEXES = [
|
|
15
|
+
# Package url/proxy doesn't include any redirect meta tags
|
|
16
|
+
/no go-import meta tags/,
|
|
17
|
+
# Package url 404s
|
|
18
|
+
/404 Not Found/,
|
|
19
|
+
/Repository not found/,
|
|
20
|
+
/unrecognized import path/
|
|
21
|
+
].freeze
|
|
22
|
+
PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/.freeze
|
|
23
|
+
|
|
24
|
+
def initialize(dependency:, dependency_files:, credentials:,
|
|
25
|
+
ignored_versions:, raise_on_ignored: false)
|
|
26
|
+
@dependency = dependency
|
|
27
|
+
@dependency_files = dependency_files
|
|
28
|
+
@credentials = credentials
|
|
29
|
+
@ignored_versions = ignored_versions
|
|
30
|
+
@raise_on_ignored = raise_on_ignored
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def latest_version
|
|
34
|
+
@latest_version ||= fetch_latest_version
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
private
|
|
38
|
+
|
|
39
|
+
attr_reader :dependency, :dependency_files, :credentials, :ignored_versions
|
|
40
|
+
|
|
41
|
+
def fetch_latest_version
|
|
42
|
+
return dependency.version if dependency.version =~ PSEUDO_VERSION_REGEX
|
|
43
|
+
|
|
44
|
+
candidate_versions = available_versions
|
|
45
|
+
candidate_versions = filter_prerelease_versions(candidate_versions)
|
|
46
|
+
candidate_versions = filter_lower_versions(candidate_versions)
|
|
47
|
+
candidate_versions = filter_ignored_versions(candidate_versions)
|
|
48
|
+
|
|
49
|
+
candidate_versions.max
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
def available_versions
|
|
53
|
+
SharedHelpers.in_a_temporary_directory do
|
|
54
|
+
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
55
|
+
File.write("go.mod", go_mod.content)
|
|
56
|
+
|
|
57
|
+
# Turn off the module proxy for now, as it's causing issues with
|
|
58
|
+
# private git dependencies
|
|
59
|
+
env = { "GOPRIVATE" => "*" }
|
|
60
|
+
|
|
61
|
+
version_strings = SharedHelpers.run_helper_subprocess(
|
|
62
|
+
command: NativeHelpers.helper_path,
|
|
63
|
+
env: env,
|
|
64
|
+
function: "getVersions",
|
|
65
|
+
args: {
|
|
66
|
+
dependency: {
|
|
67
|
+
name: dependency.name,
|
|
68
|
+
version: "v" + dependency.version,
|
|
69
|
+
}
|
|
70
|
+
}
|
|
71
|
+
)
|
|
72
|
+
|
|
73
|
+
version_strings.select { |v| version_class.correct?(v) }
|
|
74
|
+
.map { |v| version_class.new(v) }
|
|
75
|
+
end
|
|
76
|
+
end
|
|
77
|
+
rescue SharedHelpers::HelperSubprocessFailed => e
|
|
78
|
+
retry_count ||= 0
|
|
79
|
+
retry_count += 1
|
|
80
|
+
retry if transitory_failure?(e) && retry_count < 2
|
|
81
|
+
|
|
82
|
+
handle_subprocess_error(e)
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
def handle_subprocess_error(error)
|
|
86
|
+
if RESOLVABILITY_ERROR_REGEXES.any? { |rgx| error.message =~ rgx }
|
|
87
|
+
ResolvabilityErrors.handle(error.message, credentials: credentials)
|
|
88
|
+
end
|
|
89
|
+
|
|
90
|
+
raise
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
def transitory_failure?(error)
|
|
94
|
+
return true if error.message.include?("EOF")
|
|
95
|
+
|
|
96
|
+
error.message.include?("Internal Server Error")
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
def go_mod
|
|
100
|
+
@go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
|
|
101
|
+
end
|
|
102
|
+
|
|
103
|
+
def filter_prerelease_versions(versions_array)
|
|
104
|
+
return versions_array if wants_prerelease?
|
|
105
|
+
|
|
106
|
+
versions_array.reject(&:prerelease?)
|
|
107
|
+
end
|
|
108
|
+
|
|
109
|
+
def filter_lower_versions(versions_array)
|
|
110
|
+
versions_array.
|
|
111
|
+
select { |version| version > version_class.new(dependency.version) }
|
|
112
|
+
end
|
|
113
|
+
|
|
114
|
+
def filter_ignored_versions(versions_array)
|
|
115
|
+
filtered = versions_array.
|
|
116
|
+
reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
|
|
117
|
+
raise AllVersionsIgnored if @raise_on_ignored && filtered.empty? && versions_array.any?
|
|
118
|
+
|
|
119
|
+
filtered
|
|
120
|
+
end
|
|
121
|
+
|
|
122
|
+
def wants_prerelease?
|
|
123
|
+
@wants_prerelease ||=
|
|
124
|
+
begin
|
|
125
|
+
current_version = dependency.version
|
|
126
|
+
current_version && version_class.correct?(current_version) &&
|
|
127
|
+
version_class.new(current_version).prerelease?
|
|
128
|
+
end
|
|
129
|
+
end
|
|
130
|
+
|
|
131
|
+
def ignore_requirements
|
|
132
|
+
ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
|
|
133
|
+
end
|
|
134
|
+
|
|
135
|
+
def requirement_class
|
|
136
|
+
Utils.requirement_class_for_package_manager(
|
|
137
|
+
dependency.package_manager
|
|
138
|
+
)
|
|
139
|
+
end
|
|
140
|
+
|
|
141
|
+
def version_class
|
|
142
|
+
Utils.version_class_for_package_manager(dependency.package_manager)
|
|
143
|
+
end
|
|
144
|
+
end
|
|
145
|
+
end
|
|
146
|
+
end
|
|
147
|
+
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-go_modules
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.145.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.145.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.145.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -206,6 +206,7 @@ files:
|
|
|
206
206
|
- lib/dependabot/go_modules/requirement.rb
|
|
207
207
|
- lib/dependabot/go_modules/resolvability_errors.rb
|
|
208
208
|
- lib/dependabot/go_modules/update_checker.rb
|
|
209
|
+
- lib/dependabot/go_modules/update_checker/latest_version_finder.rb
|
|
209
210
|
- lib/dependabot/go_modules/version.rb
|
|
210
211
|
homepage: https://github.com/dependabot/dependabot-core
|
|
211
212
|
licenses:
|