dependabot-go_modules 0.147.1 → 0.148.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/helpers/main.go +0 -5
- data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb +15 -26
- metadata +3 -5
- data/helpers/updater/helpers.go +0 -65
- data/helpers/updater/main.go +0 -50
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 440891afa53b611d109e2420adc240a145ce52e52c5525603dcc69c4df4422df
|
|
4
|
+
data.tar.gz: 62d3aecf1258256a757cea7c7170d5b832dd2617f9ad46151932fc64ba484818
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9db12c769b35527d871fe014a34682ad5cb82b3260907969a2c1498348ff60577801132435cf2d8eb2d47539cf6ada58d8612c2019f4fb1eaacf34376f69f07b
|
|
7
|
+
data.tar.gz: 0f5589c8c8a3cf502a8079336f83964ebc48e6baffb14445bf9ca9cafcdb90565306f57d18787dd76f26843c9a549d7d57895759ebba602e19a04d42682a9ed3
|
data/helpers/main.go
CHANGED
|
@@ -8,7 +8,6 @@ import (
|
|
|
8
8
|
|
|
9
9
|
"github.com/dependabot/dependabot-core/go_modules/helpers/importresolver"
|
|
10
10
|
"github.com/dependabot/dependabot-core/go_modules/helpers/updatechecker"
|
|
11
|
-
"github.com/dependabot/dependabot-core/go_modules/helpers/updater"
|
|
12
11
|
)
|
|
13
12
|
|
|
14
13
|
type HelperParams struct {
|
|
@@ -37,10 +36,6 @@ func main() {
|
|
|
37
36
|
var args updatechecker.Args
|
|
38
37
|
parseArgs(helperParams.Args, &args)
|
|
39
38
|
funcOut, funcErr = updatechecker.GetVersions(&args)
|
|
40
|
-
case "updateDependencyFile":
|
|
41
|
-
var args updater.Args
|
|
42
|
-
parseArgs(helperParams.Args, &args)
|
|
43
|
-
funcOut, funcErr = updater.UpdateDependencyFile(&args)
|
|
44
39
|
case "getVcsRemoteForImport":
|
|
45
40
|
var args importresolver.Args
|
|
46
41
|
parseArgs(helperParams.Args, &args)
|
|
@@ -18,7 +18,7 @@ module Dependabot
|
|
|
18
18
|
RESOLVABILITY_ERROR_REGEXES = [
|
|
19
19
|
# The checksum in go.sum does not match the downloaded content
|
|
20
20
|
/verifying .*: checksum mismatch/.freeze,
|
|
21
|
-
/go
|
|
21
|
+
/go (?:get)?: .*: go.mod has post-v\d+ module path/
|
|
22
22
|
].freeze
|
|
23
23
|
|
|
24
24
|
REPO_RESOLVABILITY_ERROR_REGEXES = [
|
|
@@ -91,11 +91,12 @@ module Dependabot
|
|
|
91
91
|
# Replace full paths with path hashes in the go.mod
|
|
92
92
|
substitute_all(substitutions)
|
|
93
93
|
|
|
94
|
-
#
|
|
95
|
-
|
|
94
|
+
# Bump the deps we want to upgrade using `go get lib@version`
|
|
95
|
+
run_go_get(dependencies)
|
|
96
96
|
|
|
97
|
-
#
|
|
98
|
-
#
|
|
97
|
+
# Run `go get`'s internal validation checks against _each_ module in `go.mod`
|
|
98
|
+
# by running `go get` w/o specifying any library. It finds problems like when a
|
|
99
|
+
# module declares itself using a different name than specified in our `go.mod` etc.
|
|
99
100
|
run_go_get
|
|
100
101
|
|
|
101
102
|
# If we stubbed modules, don't run `go mod {tidy,vendor}` as
|
|
@@ -153,26 +154,7 @@ module Dependabot
|
|
|
153
154
|
handle_subprocess_error(stderr) unless status.success?
|
|
154
155
|
end
|
|
155
156
|
|
|
156
|
-
def
|
|
157
|
-
deps = dependencies.map do |dep|
|
|
158
|
-
{
|
|
159
|
-
name: dep.name,
|
|
160
|
-
version: "v" + dep.version.sub(/^v/i, ""),
|
|
161
|
-
indirect: dep.requirements.empty?
|
|
162
|
-
}
|
|
163
|
-
end
|
|
164
|
-
|
|
165
|
-
body = SharedHelpers.run_helper_subprocess(
|
|
166
|
-
command: NativeHelpers.helper_path,
|
|
167
|
-
env: ENVIRONMENT,
|
|
168
|
-
function: "updateDependencyFile",
|
|
169
|
-
args: { dependencies: deps }
|
|
170
|
-
)
|
|
171
|
-
|
|
172
|
-
write_go_mod(body)
|
|
173
|
-
end
|
|
174
|
-
|
|
175
|
-
def run_go_get
|
|
157
|
+
def run_go_get(dependencies = [])
|
|
176
158
|
tmp_go_file = "#{SecureRandom.hex}.go"
|
|
177
159
|
|
|
178
160
|
package = Dir.glob("[^\._]*.go").any? do |path|
|
|
@@ -181,7 +163,14 @@ module Dependabot
|
|
|
181
163
|
|
|
182
164
|
File.write(tmp_go_file, "package dummypkg\n") unless package
|
|
183
165
|
|
|
184
|
-
|
|
166
|
+
# TODO: go 1.18 will make `-d` the default behavior, so remove the flag then
|
|
167
|
+
command = +"go get -d"
|
|
168
|
+
# `go get` accepts multiple packages, each separated by a space
|
|
169
|
+
dependencies.each do |dep|
|
|
170
|
+
version = "v" + dep.version.sub(/^v/i, "")
|
|
171
|
+
command << " #{dep.name}@#{version}"
|
|
172
|
+
end
|
|
173
|
+
_, stderr, status = Open3.capture3(ENVIRONMENT, command)
|
|
185
174
|
handle_subprocess_error(stderr) unless status.success?
|
|
186
175
|
ensure
|
|
187
176
|
File.delete(tmp_go_file) if File.exist?(tmp_go_file)
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-go_modules
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.148.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.148.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.148.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -192,8 +192,6 @@ files:
|
|
|
192
192
|
- helpers/importresolver/main.go
|
|
193
193
|
- helpers/main.go
|
|
194
194
|
- helpers/updatechecker/main.go
|
|
195
|
-
- helpers/updater/helpers.go
|
|
196
|
-
- helpers/updater/main.go
|
|
197
195
|
- lib/dependabot/go_modules.rb
|
|
198
196
|
- lib/dependabot/go_modules/file_fetcher.rb
|
|
199
197
|
- lib/dependabot/go_modules/file_parser.rb
|
data/helpers/updater/helpers.go
DELETED
|
@@ -1,65 +0,0 @@
|
|
|
1
|
-
package updater
|
|
2
|
-
|
|
3
|
-
import (
|
|
4
|
-
"strings"
|
|
5
|
-
|
|
6
|
-
"golang.org/x/mod/modfile"
|
|
7
|
-
)
|
|
8
|
-
|
|
9
|
-
// Private methods lifted from the `modfile` package.
|
|
10
|
-
// Last synced: 4/28/2021 from:
|
|
11
|
-
// https://github.com/golang/mod/blob/858fdbee9c245c8109c359106e89c6b8d321f19c/modfile/rule.go
|
|
12
|
-
|
|
13
|
-
var slashSlash = []byte("//")
|
|
14
|
-
|
|
15
|
-
// setIndirect sets line to have (or not have) a "// indirect" comment.
|
|
16
|
-
func setIndirect(line *modfile.Line, indirect bool) {
|
|
17
|
-
if isIndirect(line) == indirect {
|
|
18
|
-
return
|
|
19
|
-
}
|
|
20
|
-
if indirect {
|
|
21
|
-
// Adding comment.
|
|
22
|
-
if len(line.Suffix) == 0 {
|
|
23
|
-
// New comment.
|
|
24
|
-
line.Suffix = []modfile.Comment{{Token: "// indirect", Suffix: true}}
|
|
25
|
-
return
|
|
26
|
-
}
|
|
27
|
-
|
|
28
|
-
com := &line.Suffix[0]
|
|
29
|
-
text := strings.TrimSpace(strings.TrimPrefix(com.Token, string(slashSlash)))
|
|
30
|
-
if text == "" {
|
|
31
|
-
// Empty comment.
|
|
32
|
-
com.Token = "// indirect"
|
|
33
|
-
return
|
|
34
|
-
}
|
|
35
|
-
|
|
36
|
-
// Insert at beginning of existing comment.
|
|
37
|
-
com.Token = "// indirect; " + text
|
|
38
|
-
return
|
|
39
|
-
}
|
|
40
|
-
|
|
41
|
-
// Removing comment.
|
|
42
|
-
f := strings.Fields(line.Suffix[0].Token)
|
|
43
|
-
if len(f) == 2 {
|
|
44
|
-
// Remove whole comment.
|
|
45
|
-
line.Suffix = nil
|
|
46
|
-
return
|
|
47
|
-
}
|
|
48
|
-
|
|
49
|
-
// Remove comment prefix.
|
|
50
|
-
com := &line.Suffix[0]
|
|
51
|
-
i := strings.Index(com.Token, "indirect;")
|
|
52
|
-
com.Token = "//" + com.Token[i+len("indirect;"):]
|
|
53
|
-
}
|
|
54
|
-
|
|
55
|
-
// isIndirect reports whether line has a "// indirect" comment,
|
|
56
|
-
// meaning it is in go.mod only for its effect on indirect dependencies,
|
|
57
|
-
// so that it can be dropped entirely once the effective version of the
|
|
58
|
-
// indirect dependency reaches the given minimum version.
|
|
59
|
-
func isIndirect(line *modfile.Line) bool {
|
|
60
|
-
if len(line.Suffix) == 0 {
|
|
61
|
-
return false
|
|
62
|
-
}
|
|
63
|
-
f := strings.Fields(strings.TrimPrefix(line.Suffix[0].Token, string(slashSlash)))
|
|
64
|
-
return (len(f) == 1 && f[0] == "indirect" || len(f) > 1 && f[0] == "indirect;")
|
|
65
|
-
}
|
data/helpers/updater/main.go
DELETED
|
@@ -1,50 +0,0 @@
|
|
|
1
|
-
package updater
|
|
2
|
-
|
|
3
|
-
import (
|
|
4
|
-
"io/ioutil"
|
|
5
|
-
|
|
6
|
-
"golang.org/x/mod/modfile"
|
|
7
|
-
)
|
|
8
|
-
|
|
9
|
-
type Dependency struct {
|
|
10
|
-
Name string `json:"name"`
|
|
11
|
-
Version string `json:"version"`
|
|
12
|
-
Indirect bool `json:"indirect"`
|
|
13
|
-
}
|
|
14
|
-
|
|
15
|
-
type Args struct {
|
|
16
|
-
Dependencies []Dependency `json:"dependencies"`
|
|
17
|
-
}
|
|
18
|
-
|
|
19
|
-
func UpdateDependencyFile(args *Args) (interface{}, error) {
|
|
20
|
-
data, err := ioutil.ReadFile("go.mod")
|
|
21
|
-
if err != nil {
|
|
22
|
-
return nil, err
|
|
23
|
-
}
|
|
24
|
-
|
|
25
|
-
f, err := modfile.Parse("go.mod", data, nil)
|
|
26
|
-
if err != nil {
|
|
27
|
-
return nil, err
|
|
28
|
-
}
|
|
29
|
-
|
|
30
|
-
for _, dep := range args.Dependencies {
|
|
31
|
-
if err := f.AddRequire(dep.Name, dep.Version); err != nil {
|
|
32
|
-
return nil, err
|
|
33
|
-
}
|
|
34
|
-
}
|
|
35
|
-
|
|
36
|
-
for _, r := range f.Require {
|
|
37
|
-
for _, dep := range args.Dependencies {
|
|
38
|
-
if r.Mod.Path == dep.Name {
|
|
39
|
-
setIndirect(r.Syntax, dep.Indirect)
|
|
40
|
-
}
|
|
41
|
-
}
|
|
42
|
-
}
|
|
43
|
-
|
|
44
|
-
f.SortBlocks()
|
|
45
|
-
f.Cleanup()
|
|
46
|
-
|
|
47
|
-
newModFile, _ := f.Format()
|
|
48
|
-
|
|
49
|
-
return string(newModFile), nil
|
|
50
|
-
}
|