dependabot-go_modules 0.263.0 → 0.264.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/helpers/go.mod +4 -1
- data/helpers/go.sum +2 -0
- data/helpers/version_test.go +30 -0
- data/lib/dependabot/go_modules/file_updater.rb +46 -17
- data/lib/dependabot/go_modules/metadata_finder.rb +1 -1
- data/lib/dependabot/go_modules/native_helpers.rb +8 -1
- data/lib/dependabot/go_modules/path_converter.rb +18 -5
- data/lib/dependabot/go_modules/resolvability_errors.rb +8 -2
- data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb +74 -28
- data/lib/dependabot/go_modules/update_checker.rb +21 -3
- data/lib/dependabot/go_modules/version.rb +15 -3
- metadata +6 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7006f9b6ed7c801d5b926f0d2ada961f624f7a7bde2057f822c661849744e54c
|
|
4
|
+
data.tar.gz: 796211ae01a7396bcb759cd744a4ed7074d83718b89b6ffd163d084ce5c3fdc6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8d2f7726c1fccc5324dc6bd7c48d088fd0fd0f2bf33062ef08d70203e92dbbf9f4222336d21b46de44a9b4d674711a860f5ab9cd98b9c9ee3a83de72d1785e8f
|
|
7
|
+
data.tar.gz: 76ec94c0e17dd82e22a91aabbf68d4a6976a580e1c18e2cf7c837319370e6a4054a66fc4ed16a815a54c15bd070028c8c831e2eaa500d0e255a889b23b9e4ae9
|
data/helpers/go.mod
CHANGED
data/helpers/go.sum
CHANGED
|
@@ -1,2 +1,4 @@
|
|
|
1
1
|
github.com/Masterminds/vcs v1.13.3 h1:IIA2aBdXvfbIM+yl/eTnL4hb1XwdpvuQLglAix1gweE=
|
|
2
2
|
github.com/Masterminds/vcs v1.13.3/go.mod h1:TiE7xuEjl1N4j016moRd6vezp6e6Lz23gypeXfzXeW8=
|
|
3
|
+
golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
|
|
4
|
+
golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
package main
|
|
2
|
+
|
|
3
|
+
import (
|
|
4
|
+
"encoding/json"
|
|
5
|
+
"golang.org/x/mod/semver"
|
|
6
|
+
"os"
|
|
7
|
+
"reflect"
|
|
8
|
+
"testing"
|
|
9
|
+
)
|
|
10
|
+
|
|
11
|
+
// TestVersionComparison verifies that the ordered version fixture is sorted correctly.
|
|
12
|
+
func TestVersionComparison(t *testing.T) {
|
|
13
|
+
data, err := os.ReadFile("../spec/fixtures/ordered_versions.json")
|
|
14
|
+
if err != nil {
|
|
15
|
+
t.Fatalf("failed to read file: %v", err)
|
|
16
|
+
}
|
|
17
|
+
var expected []string
|
|
18
|
+
if err = json.Unmarshal(data, &expected); err != nil {
|
|
19
|
+
t.Fatalf("failed to unmarshal json: %v", err)
|
|
20
|
+
}
|
|
21
|
+
|
|
22
|
+
actual := make([]string, len(expected))
|
|
23
|
+
copy(actual, expected)
|
|
24
|
+
semver.Sort(actual)
|
|
25
|
+
|
|
26
|
+
// The sorted order should equal the original order in the file.
|
|
27
|
+
if !reflect.DeepEqual(actual, expected) {
|
|
28
|
+
t.Fatalf("got %v", actual)
|
|
29
|
+
}
|
|
30
|
+
}
|
|
@@ -1,6 +1,8 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
require "dependabot/shared_helpers"
|
|
5
7
|
require "dependabot/file_updaters"
|
|
6
8
|
require "dependabot/file_updaters/base"
|
|
@@ -9,16 +11,29 @@ require "dependabot/file_updaters/vendor_updater"
|
|
|
9
11
|
module Dependabot
|
|
10
12
|
module GoModules
|
|
11
13
|
class FileUpdater < Dependabot::FileUpdaters::Base
|
|
14
|
+
extend T::Sig
|
|
15
|
+
|
|
12
16
|
require_relative "file_updater/go_mod_updater"
|
|
13
17
|
|
|
14
|
-
|
|
15
|
-
|
|
18
|
+
sig do
|
|
19
|
+
override
|
|
20
|
+
.params(
|
|
21
|
+
dependencies: T::Array[Dependabot::Dependency],
|
|
22
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
23
|
+
credentials: T::Array[Dependabot::Credential],
|
|
24
|
+
repo_contents_path: T.nilable(String),
|
|
25
|
+
options: T::Hash[Symbol, T.untyped]
|
|
26
|
+
)
|
|
27
|
+
.void
|
|
28
|
+
end
|
|
29
|
+
def initialize(dependencies:, dependency_files:, credentials:, repo_contents_path: nil, options: {})
|
|
16
30
|
super
|
|
17
31
|
|
|
18
|
-
@goprivate = options.fetch(:goprivate, "*")
|
|
32
|
+
@goprivate = T.let(options.fetch(:goprivate, "*"), String)
|
|
19
33
|
use_repo_contents_stub if repo_contents_path.nil?
|
|
20
34
|
end
|
|
21
35
|
|
|
36
|
+
sig { override.returns(T::Array[Regexp]) }
|
|
22
37
|
def self.updated_files_regex
|
|
23
38
|
[
|
|
24
39
|
/^go\.mod$/,
|
|
@@ -26,25 +41,26 @@ module Dependabot
|
|
|
26
41
|
]
|
|
27
42
|
end
|
|
28
43
|
|
|
44
|
+
sig { override.returns(T::Array[Dependabot::DependencyFile]) }
|
|
29
45
|
def updated_dependency_files
|
|
30
46
|
updated_files = []
|
|
31
47
|
|
|
32
|
-
if go_mod && dependency_changed?(go_mod)
|
|
48
|
+
if go_mod && dependency_changed?(T.must(go_mod))
|
|
33
49
|
updated_files <<
|
|
34
50
|
updated_file(
|
|
35
|
-
file: go_mod,
|
|
36
|
-
content: file_updater.updated_go_mod_content
|
|
51
|
+
file: T.must(go_mod),
|
|
52
|
+
content: T.must(file_updater.updated_go_mod_content)
|
|
37
53
|
)
|
|
38
54
|
|
|
39
|
-
if go_sum && go_sum.content != file_updater.updated_go_sum_content
|
|
55
|
+
if go_sum && T.must(go_sum).content != file_updater.updated_go_sum_content
|
|
40
56
|
updated_files <<
|
|
41
57
|
updated_file(
|
|
42
|
-
file: go_sum,
|
|
43
|
-
content: file_updater.updated_go_sum_content
|
|
58
|
+
file: T.must(go_sum),
|
|
59
|
+
content: T.must(file_updater.updated_go_sum_content)
|
|
44
60
|
)
|
|
45
61
|
end
|
|
46
62
|
|
|
47
|
-
vendor_updater.
|
|
63
|
+
vendor_updater.updated_files(base_directory: T.must(directory))
|
|
48
64
|
.each do |file|
|
|
49
65
|
updated_files << file
|
|
50
66
|
end
|
|
@@ -57,19 +73,22 @@ module Dependabot
|
|
|
57
73
|
|
|
58
74
|
private
|
|
59
75
|
|
|
76
|
+
sig { params(go_mod: Dependabot::DependencyFile).returns(T::Boolean) }
|
|
60
77
|
def dependency_changed?(go_mod)
|
|
61
78
|
# file_changed? only checks for changed requirements. Need to check for indirect dep version changes too.
|
|
62
79
|
file_changed?(go_mod) || dependencies.any? { |dep| dep.previous_version != dep.version }
|
|
63
80
|
end
|
|
64
81
|
|
|
82
|
+
sig { override.void }
|
|
65
83
|
def check_required_files
|
|
66
84
|
return if go_mod
|
|
67
85
|
|
|
68
86
|
raise "No go.mod!"
|
|
69
87
|
end
|
|
70
88
|
|
|
89
|
+
sig { returns(String) }
|
|
71
90
|
def use_repo_contents_stub
|
|
72
|
-
@repo_contents_stub = true
|
|
91
|
+
@repo_contents_stub = T.let(true, T.nilable(T::Boolean))
|
|
73
92
|
@repo_contents_path = Dir.mktmpdir
|
|
74
93
|
|
|
75
94
|
Dir.chdir(@repo_contents_path) do
|
|
@@ -92,22 +111,27 @@ module Dependabot
|
|
|
92
111
|
end
|
|
93
112
|
end
|
|
94
113
|
|
|
114
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
95
115
|
def go_mod
|
|
96
|
-
@go_mod ||= get_original_file("go.mod")
|
|
116
|
+
@go_mod ||= T.let(get_original_file("go.mod"), T.nilable(Dependabot::DependencyFile))
|
|
97
117
|
end
|
|
98
118
|
|
|
119
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
99
120
|
def go_sum
|
|
100
|
-
@go_sum ||= get_original_file("go.sum")
|
|
121
|
+
@go_sum ||= T.let(get_original_file("go.sum"), T.nilable(Dependabot::DependencyFile))
|
|
101
122
|
end
|
|
102
123
|
|
|
124
|
+
sig { returns(T.nilable(String)) }
|
|
103
125
|
def directory
|
|
104
126
|
dependency_files.first&.directory
|
|
105
127
|
end
|
|
106
128
|
|
|
129
|
+
sig { returns(String) }
|
|
107
130
|
def vendor_dir
|
|
108
131
|
File.join(repo_contents_path, directory, "vendor")
|
|
109
132
|
end
|
|
110
133
|
|
|
134
|
+
sig { returns(Dependabot::FileUpdaters::VendorUpdater) }
|
|
111
135
|
def vendor_updater
|
|
112
136
|
Dependabot::FileUpdaters::VendorUpdater.new(
|
|
113
137
|
repo_contents_path: repo_contents_path,
|
|
@@ -115,22 +139,27 @@ module Dependabot
|
|
|
115
139
|
)
|
|
116
140
|
end
|
|
117
141
|
|
|
142
|
+
sig { returns(GoModUpdater) }
|
|
118
143
|
def file_updater
|
|
119
|
-
@file_updater ||=
|
|
144
|
+
@file_updater ||= T.let(
|
|
120
145
|
GoModUpdater.new(
|
|
121
146
|
dependencies: dependencies,
|
|
122
147
|
dependency_files: dependency_files,
|
|
123
148
|
credentials: credentials,
|
|
124
149
|
repo_contents_path: repo_contents_path,
|
|
125
|
-
directory: directory,
|
|
150
|
+
directory: T.must(directory),
|
|
126
151
|
options: { tidy: tidy?, vendor: vendor?, goprivate: @goprivate }
|
|
127
|
-
)
|
|
152
|
+
),
|
|
153
|
+
T.nilable(Dependabot::GoModules::FileUpdater::GoModUpdater)
|
|
154
|
+
)
|
|
128
155
|
end
|
|
129
156
|
|
|
157
|
+
sig { returns(T::Boolean) }
|
|
130
158
|
def tidy?
|
|
131
159
|
!@repo_contents_stub
|
|
132
160
|
end
|
|
133
161
|
|
|
162
|
+
sig { returns(T::Boolean) }
|
|
134
163
|
def vendor?
|
|
135
164
|
File.exist?(File.join(vendor_dir, "modules.txt"))
|
|
136
165
|
end
|
|
@@ -1,18 +1,25 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
module Dependabot
|
|
5
7
|
module GoModules
|
|
6
8
|
module NativeHelpers
|
|
9
|
+
extend T::Sig
|
|
10
|
+
|
|
11
|
+
sig { returns(String) }
|
|
7
12
|
def self.helper_path
|
|
8
13
|
clean_path(File.join(native_helpers_root, "go_modules/bin/helper"))
|
|
9
14
|
end
|
|
10
15
|
|
|
16
|
+
sig { returns(String) }
|
|
11
17
|
def self.native_helpers_root
|
|
12
18
|
default_path = File.join(__dir__, "../../../helpers/install-dir")
|
|
13
19
|
ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
|
|
14
20
|
end
|
|
15
21
|
|
|
22
|
+
sig { params(path: String).returns(String) }
|
|
16
23
|
def self.clean_path(path)
|
|
17
24
|
Pathname.new(path).cleanpath.to_path
|
|
18
25
|
end
|
|
@@ -1,19 +1,32 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
require "dependabot/go_modules/native_helpers"
|
|
5
7
|
|
|
6
8
|
module Dependabot
|
|
7
9
|
module GoModules
|
|
8
10
|
module PathConverter
|
|
11
|
+
extend T::Sig
|
|
12
|
+
|
|
13
|
+
sig do
|
|
14
|
+
params(path: String)
|
|
15
|
+
.returns(
|
|
16
|
+
T.nilable(String)
|
|
17
|
+
)
|
|
18
|
+
end
|
|
9
19
|
def self.git_url_for_path(path)
|
|
10
20
|
# Save a query by manually converting golang.org/x names
|
|
11
21
|
import_path = path.gsub(%r{^golang\.org/x}, "github.com/golang")
|
|
12
22
|
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
23
|
+
T.cast(
|
|
24
|
+
SharedHelpers.run_helper_subprocess(
|
|
25
|
+
command: NativeHelpers.helper_path,
|
|
26
|
+
function: "getVcsRemoteForImport",
|
|
27
|
+
args: { import: import_path }
|
|
28
|
+
),
|
|
29
|
+
T.nilable(String)
|
|
17
30
|
)
|
|
18
31
|
end
|
|
19
32
|
end
|
|
@@ -1,11 +1,16 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
module Dependabot
|
|
5
7
|
module GoModules
|
|
6
8
|
module ResolvabilityErrors
|
|
9
|
+
extend T::Sig
|
|
10
|
+
|
|
7
11
|
GITHUB_REPO_REGEX = %r{github.com/[^:@]*}
|
|
8
12
|
|
|
13
|
+
sig { params(message: String, goprivate: T.untyped).void }
|
|
9
14
|
def self.handle(message, goprivate:)
|
|
10
15
|
mod_path = message.scan(GITHUB_REPO_REGEX).last
|
|
11
16
|
unless mod_path && message.include?("If this is a private repository")
|
|
@@ -17,9 +22,10 @@ module Dependabot
|
|
|
17
22
|
SharedHelpers.in_a_temporary_directory do
|
|
18
23
|
File.write("go.mod", "module dummy\n")
|
|
19
24
|
|
|
25
|
+
mod_path = T.cast(mod_path, String)
|
|
20
26
|
mod_split = mod_path.split("/")
|
|
21
27
|
repo_path = if mod_split.size > 3
|
|
22
|
-
mod_split[0..2].join("/")
|
|
28
|
+
T.must(mod_split[0..2]).join("/")
|
|
23
29
|
else
|
|
24
30
|
mod_path
|
|
25
31
|
end
|
|
@@ -1,7 +1,8 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "excon"
|
|
5
|
+
require "sorbet-runtime"
|
|
5
6
|
|
|
6
7
|
require "dependabot/go_modules/update_checker"
|
|
7
8
|
require "dependabot/update_checkers/version_filters"
|
|
@@ -9,7 +10,6 @@ require "dependabot/shared_helpers"
|
|
|
9
10
|
require "dependabot/errors"
|
|
10
11
|
require "dependabot/go_modules/requirement"
|
|
11
12
|
require "dependabot/go_modules/resolvability_errors"
|
|
12
|
-
require "sorbet-runtime"
|
|
13
13
|
|
|
14
14
|
module Dependabot
|
|
15
15
|
module GoModules
|
|
@@ -17,26 +17,47 @@ module Dependabot
|
|
|
17
17
|
class LatestVersionFinder
|
|
18
18
|
extend T::Sig
|
|
19
19
|
|
|
20
|
-
RESOLVABILITY_ERROR_REGEXES =
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
20
|
+
RESOLVABILITY_ERROR_REGEXES = T.let(
|
|
21
|
+
[
|
|
22
|
+
# Package url/proxy doesn't include any redirect meta tags
|
|
23
|
+
/no go-import meta tags/,
|
|
24
|
+
# Package url 404s
|
|
25
|
+
/404 Not Found/,
|
|
26
|
+
/Repository not found/,
|
|
27
|
+
/unrecognized import path/,
|
|
28
|
+
/malformed module path/,
|
|
29
|
+
# (Private) module could not be fetched
|
|
30
|
+
/module .*: git ls-remote .*: exit status 128/m
|
|
31
|
+
].freeze,
|
|
32
|
+
T::Array[Regexp]
|
|
33
|
+
)
|
|
31
34
|
# The module was retracted from the proxy
|
|
32
35
|
# OR the version of Go required is greater than what Dependabot supports
|
|
33
36
|
# OR other go.mod version errors
|
|
34
37
|
INVALID_VERSION_REGEX = /(go: loading module retractions for)|(version "[^"]+" invalid)/m
|
|
35
38
|
PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/
|
|
36
39
|
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
+
sig do
|
|
41
|
+
params(
|
|
42
|
+
dependency: Dependabot::Dependency,
|
|
43
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
44
|
+
credentials: T::Array[Dependabot::Credential],
|
|
45
|
+
ignored_versions: T::Array[String],
|
|
46
|
+
security_advisories: T::Array[Dependabot::SecurityAdvisory],
|
|
47
|
+
goprivate: String,
|
|
48
|
+
raise_on_ignored: T::Boolean
|
|
49
|
+
)
|
|
50
|
+
.void
|
|
51
|
+
end
|
|
52
|
+
def initialize(
|
|
53
|
+
dependency:,
|
|
54
|
+
dependency_files:,
|
|
55
|
+
credentials:,
|
|
56
|
+
ignored_versions:,
|
|
57
|
+
security_advisories:,
|
|
58
|
+
goprivate:,
|
|
59
|
+
raise_on_ignored: false
|
|
60
|
+
)
|
|
40
61
|
@dependency = dependency
|
|
41
62
|
@dependency_files = dependency_files
|
|
42
63
|
@credentials = credentials
|
|
@@ -46,32 +67,45 @@ module Dependabot
|
|
|
46
67
|
@goprivate = goprivate
|
|
47
68
|
end
|
|
48
69
|
|
|
70
|
+
sig { returns(T.nilable(Dependabot::Version)) }
|
|
49
71
|
def latest_version
|
|
50
|
-
@latest_version ||= fetch_latest_version
|
|
72
|
+
@latest_version ||= T.let(fetch_latest_version, T.nilable(Dependabot::Version))
|
|
51
73
|
end
|
|
52
74
|
|
|
75
|
+
sig { returns(Dependabot::Version) }
|
|
53
76
|
def lowest_security_fix_version
|
|
54
|
-
@lowest_security_fix_version ||= fetch_lowest_security_fix_version
|
|
77
|
+
@lowest_security_fix_version ||= T.let(fetch_lowest_security_fix_version, T.nilable(Dependabot::Version))
|
|
55
78
|
end
|
|
56
79
|
|
|
57
80
|
private
|
|
58
81
|
|
|
82
|
+
sig { returns(Dependabot::Dependency) }
|
|
59
83
|
attr_reader :dependency
|
|
84
|
+
|
|
85
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
60
86
|
attr_reader :dependency_files
|
|
87
|
+
|
|
88
|
+
sig { returns(T::Array[Dependabot::Credential]) }
|
|
61
89
|
attr_reader :credentials
|
|
90
|
+
|
|
91
|
+
sig { returns(T::Array[String]) }
|
|
62
92
|
attr_reader :ignored_versions
|
|
93
|
+
|
|
94
|
+
sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
|
|
63
95
|
attr_reader :security_advisories
|
|
64
96
|
|
|
97
|
+
sig { returns(T.nilable(Dependabot::Version)) }
|
|
65
98
|
def fetch_latest_version
|
|
66
99
|
candidate_versions = available_versions
|
|
67
100
|
candidate_versions = filter_prerelease_versions(candidate_versions)
|
|
68
101
|
candidate_versions = filter_ignored_versions(candidate_versions)
|
|
69
102
|
# Adding the psuedo-version to the list to avoid downgrades
|
|
70
|
-
candidate_versions << dependency.version if PSEUDO_VERSION_REGEX.match?(dependency.version)
|
|
103
|
+
candidate_versions << version_class.new(dependency.version) if PSEUDO_VERSION_REGEX.match?(dependency.version)
|
|
71
104
|
|
|
72
105
|
candidate_versions.max
|
|
73
106
|
end
|
|
74
107
|
|
|
108
|
+
sig { returns(Dependabot::Version) }
|
|
75
109
|
def fetch_lowest_security_fix_version
|
|
76
110
|
relevant_versions = available_versions
|
|
77
111
|
relevant_versions = filter_prerelease_versions(relevant_versions)
|
|
@@ -80,13 +114,15 @@ module Dependabot
|
|
|
80
114
|
relevant_versions = filter_ignored_versions(relevant_versions)
|
|
81
115
|
relevant_versions = filter_lower_versions(relevant_versions)
|
|
82
116
|
|
|
83
|
-
relevant_versions.min
|
|
117
|
+
T.must(relevant_versions.min)
|
|
84
118
|
end
|
|
85
119
|
|
|
120
|
+
sig { returns(T::Array[Dependabot::Version]) }
|
|
86
121
|
def available_versions
|
|
87
|
-
@available_versions ||= fetch_available_versions
|
|
122
|
+
@available_versions ||= T.let(fetch_available_versions, T.nilable(T::Array[Dependabot::Version]))
|
|
88
123
|
end
|
|
89
124
|
|
|
125
|
+
sig { returns(T::Array[Dependabot::Version]) }
|
|
90
126
|
def fetch_available_versions
|
|
91
127
|
SharedHelpers.in_a_temporary_directory do
|
|
92
128
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
@@ -124,26 +160,29 @@ module Dependabot
|
|
|
124
160
|
ResolvabilityErrors.handle(e.message, goprivate: @goprivate)
|
|
125
161
|
end
|
|
126
162
|
|
|
163
|
+
sig { params(error: StandardError).returns(T::Boolean) }
|
|
127
164
|
def transitory_failure?(error)
|
|
128
165
|
return true if error.message.include?("EOF")
|
|
129
166
|
|
|
130
167
|
error.message.include?("Internal Server Error")
|
|
131
168
|
end
|
|
132
169
|
|
|
170
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
133
171
|
def go_mod
|
|
134
|
-
@go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
|
|
172
|
+
@go_mod ||= T.let(dependency_files.find { |f| f.name == "go.mod" }, T.nilable(Dependabot::DependencyFile))
|
|
135
173
|
end
|
|
136
174
|
|
|
175
|
+
sig { returns(T::Hash[String, T.untyped]) }
|
|
137
176
|
def parse_manifest
|
|
138
177
|
SharedHelpers.in_a_temporary_directory do
|
|
139
|
-
File.write("go.mod", go_mod.content)
|
|
178
|
+
File.write("go.mod", T.must(go_mod).content)
|
|
140
179
|
json = SharedHelpers.run_shell_command("go mod edit -json")
|
|
141
180
|
|
|
142
181
|
JSON.parse(json) || {}
|
|
143
182
|
end
|
|
144
183
|
end
|
|
145
184
|
|
|
146
|
-
sig { params(versions_array: T::Array[
|
|
185
|
+
sig { params(versions_array: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
|
|
147
186
|
def filter_prerelease_versions(versions_array)
|
|
148
187
|
return versions_array if wants_prerelease?
|
|
149
188
|
|
|
@@ -154,6 +193,7 @@ module Dependabot
|
|
|
154
193
|
filtered
|
|
155
194
|
end
|
|
156
195
|
|
|
196
|
+
sig { params(versions_array: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
|
|
157
197
|
def filter_lower_versions(versions_array)
|
|
158
198
|
return versions_array unless dependency.numeric_version
|
|
159
199
|
|
|
@@ -161,7 +201,7 @@ module Dependabot
|
|
|
161
201
|
.select { |version| version > dependency.numeric_version }
|
|
162
202
|
end
|
|
163
203
|
|
|
164
|
-
sig { params(versions_array: T::Array[
|
|
204
|
+
sig { params(versions_array: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
|
|
165
205
|
def filter_ignored_versions(versions_array)
|
|
166
206
|
filtered = versions_array
|
|
167
207
|
.reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
|
|
@@ -176,22 +216,28 @@ module Dependabot
|
|
|
176
216
|
filtered
|
|
177
217
|
end
|
|
178
218
|
|
|
219
|
+
sig { returns(T::Boolean) }
|
|
179
220
|
def wants_prerelease?
|
|
180
|
-
@wants_prerelease ||=
|
|
221
|
+
@wants_prerelease ||= T.let(
|
|
181
222
|
begin
|
|
182
223
|
current_version = dependency.numeric_version
|
|
183
|
-
current_version&.prerelease?
|
|
184
|
-
end
|
|
224
|
+
!current_version&.prerelease?.nil?
|
|
225
|
+
end,
|
|
226
|
+
T.nilable(T::Boolean)
|
|
227
|
+
)
|
|
185
228
|
end
|
|
186
229
|
|
|
230
|
+
sig { returns(T::Array[Dependabot::Requirement]) }
|
|
187
231
|
def ignore_requirements
|
|
188
232
|
ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
|
|
189
233
|
end
|
|
190
234
|
|
|
235
|
+
sig { returns(T.class_of(Dependabot::Requirement)) }
|
|
191
236
|
def requirement_class
|
|
192
237
|
dependency.requirement_class
|
|
193
238
|
end
|
|
194
239
|
|
|
240
|
+
sig { returns(T.class_of(Dependabot::Version)) }
|
|
195
241
|
def version_class
|
|
196
242
|
dependency.version_class
|
|
197
243
|
end
|
|
@@ -1,6 +1,8 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
require "dependabot/update_checkers"
|
|
5
7
|
require "dependabot/update_checkers/base"
|
|
6
8
|
require "dependabot/shared_helpers"
|
|
@@ -10,8 +12,11 @@ require "dependabot/go_modules/version"
|
|
|
10
12
|
module Dependabot
|
|
11
13
|
module GoModules
|
|
12
14
|
class UpdateChecker < Dependabot::UpdateCheckers::Base
|
|
15
|
+
extend T::Sig
|
|
16
|
+
|
|
13
17
|
require_relative "update_checker/latest_version_finder"
|
|
14
18
|
|
|
19
|
+
sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
|
|
15
20
|
def latest_resolvable_version
|
|
16
21
|
latest_version_finder.latest_version
|
|
17
22
|
end
|
|
@@ -19,25 +24,30 @@ module Dependabot
|
|
|
19
24
|
# This is currently used to short-circuit latest_resolvable_version,
|
|
20
25
|
# with the assumption that it'll be quicker than checking
|
|
21
26
|
# resolvability. As this is quite quick in Go anyway, we just alias.
|
|
27
|
+
sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
|
|
22
28
|
def latest_version
|
|
23
29
|
latest_resolvable_version
|
|
24
30
|
end
|
|
25
31
|
|
|
32
|
+
sig { override.returns(T.nilable(Dependabot::Version)) }
|
|
26
33
|
def lowest_resolvable_security_fix_version
|
|
27
34
|
raise "Dependency not vulnerable!" unless vulnerable?
|
|
28
35
|
|
|
29
36
|
lowest_security_fix_version
|
|
30
37
|
end
|
|
31
38
|
|
|
39
|
+
sig { override.returns(Dependabot::Version) }
|
|
32
40
|
def lowest_security_fix_version
|
|
33
41
|
latest_version_finder.lowest_security_fix_version
|
|
34
42
|
end
|
|
35
43
|
|
|
44
|
+
sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
|
|
36
45
|
def latest_resolvable_version_with_no_unlock
|
|
37
46
|
# Irrelevant, since Go modules uses a single dependency file
|
|
38
47
|
nil
|
|
39
48
|
end
|
|
40
49
|
|
|
50
|
+
sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
|
|
41
51
|
def updated_requirements
|
|
42
52
|
dependency.requirements.map do |req|
|
|
43
53
|
req.merge(requirement: latest_version)
|
|
@@ -46,8 +56,9 @@ module Dependabot
|
|
|
46
56
|
|
|
47
57
|
private
|
|
48
58
|
|
|
59
|
+
sig { returns(Dependabot::GoModules::UpdateChecker::LatestVersionFinder) }
|
|
49
60
|
def latest_version_finder
|
|
50
|
-
@latest_version_finder ||=
|
|
61
|
+
@latest_version_finder ||= T.let(
|
|
51
62
|
LatestVersionFinder.new(
|
|
52
63
|
dependency: dependency,
|
|
53
64
|
dependency_files: dependency_files,
|
|
@@ -56,23 +67,29 @@ module Dependabot
|
|
|
56
67
|
security_advisories: security_advisories,
|
|
57
68
|
raise_on_ignored: raise_on_ignored,
|
|
58
69
|
goprivate: options.fetch(:goprivate, "*")
|
|
59
|
-
)
|
|
70
|
+
),
|
|
71
|
+
T.nilable(Dependabot::GoModules::UpdateChecker::LatestVersionFinder)
|
|
72
|
+
)
|
|
60
73
|
end
|
|
61
74
|
|
|
75
|
+
sig { override.returns(T::Boolean) }
|
|
62
76
|
def latest_version_resolvable_with_full_unlock?
|
|
63
77
|
# Full unlock checks aren't implemented for Go (yet)
|
|
64
78
|
false
|
|
65
79
|
end
|
|
66
80
|
|
|
81
|
+
sig { override.returns(T::Array[Dependabot::Dependency]) }
|
|
67
82
|
def updated_dependencies_after_full_unlock
|
|
68
83
|
raise NotImplementedError
|
|
69
84
|
end
|
|
70
85
|
|
|
71
86
|
# Go only supports semver and semver-compliant pseudo-versions, so it can't be a SHA.
|
|
87
|
+
sig { returns(T::Boolean) }
|
|
72
88
|
def existing_version_is_sha?
|
|
73
89
|
false
|
|
74
90
|
end
|
|
75
91
|
|
|
92
|
+
sig { params(tag: T.nilable(T::Hash[Symbol, String])).returns(T.untyped) }
|
|
76
93
|
def version_from_tag(tag)
|
|
77
94
|
# To compare with the current version we either use the commit SHA
|
|
78
95
|
# (if that's what the parser picked up) or the tag name.
|
|
@@ -81,6 +98,7 @@ module Dependabot
|
|
|
81
98
|
tag&.fetch(:tag)
|
|
82
99
|
end
|
|
83
100
|
|
|
101
|
+
sig { returns(T::Hash[Symbol, T.untyped]) }
|
|
84
102
|
def default_source
|
|
85
103
|
{ type: "default", source: dependency.name }
|
|
86
104
|
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
# Go pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
|
|
@@ -6,6 +6,8 @@
|
|
|
6
6
|
# alteration.
|
|
7
7
|
# Best docs are at https://github.com/Masterminds/semver
|
|
8
8
|
|
|
9
|
+
require "sorbet-runtime"
|
|
10
|
+
|
|
9
11
|
require "dependabot/version"
|
|
10
12
|
require "dependabot/utils"
|
|
11
13
|
|
|
@@ -19,6 +21,7 @@ module Dependabot
|
|
|
19
21
|
'(\+incompatible)?'
|
|
20
22
|
ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
|
|
21
23
|
|
|
24
|
+
sig { override.params(version: VersionParameter).returns(T::Boolean) }
|
|
22
25
|
def self.correct?(version)
|
|
23
26
|
version = version.gsub(/^v/, "") if version.is_a?(String)
|
|
24
27
|
version = version.to_s.split("+").first if version.to_s.include?("+")
|
|
@@ -26,34 +29,40 @@ module Dependabot
|
|
|
26
29
|
super(version)
|
|
27
30
|
end
|
|
28
31
|
|
|
32
|
+
sig { override.params(version: VersionParameter).void }
|
|
29
33
|
def initialize(version)
|
|
30
|
-
@version_string = version.to_s.gsub(/^v/, "")
|
|
34
|
+
@version_string = T.let(version.to_s.gsub(/^v/, ""), String)
|
|
31
35
|
version = version.gsub(/^v/, "") if version.is_a?(String)
|
|
32
36
|
version = version.to_s.split("+").first if version.to_s.include?("+")
|
|
37
|
+
@prerelease = T.let(nil, T.nilable(String))
|
|
33
38
|
version, @prerelease = version.to_s.split("-", 2) if version.to_s.include?("-")
|
|
34
39
|
|
|
35
40
|
super
|
|
36
41
|
end
|
|
37
42
|
|
|
43
|
+
sig { returns(String) }
|
|
38
44
|
def inspect # :nodoc:
|
|
39
45
|
"#<#{self.class} #{@version_string.inspect}>"
|
|
40
46
|
end
|
|
41
47
|
|
|
48
|
+
sig { returns(String) }
|
|
42
49
|
def to_s
|
|
43
50
|
@version_string
|
|
44
51
|
end
|
|
45
52
|
|
|
53
|
+
sig { params(other: Object).returns(T.nilable(Integer)) }
|
|
46
54
|
def <=>(other)
|
|
47
55
|
result = super(other)
|
|
48
56
|
return if result.nil?
|
|
49
57
|
return result unless result.zero?
|
|
50
58
|
|
|
51
|
-
other = self.class.new(other) unless other.is_a?(Version)
|
|
59
|
+
other = self.class.new(other.to_s) unless other.is_a?(Version)
|
|
52
60
|
compare_prerelease(@prerelease || "", T.unsafe(other).prerelease || "")
|
|
53
61
|
end
|
|
54
62
|
|
|
55
63
|
protected
|
|
56
64
|
|
|
65
|
+
sig { returns(T.nilable(String)) }
|
|
57
66
|
attr_reader :prerelease
|
|
58
67
|
|
|
59
68
|
private
|
|
@@ -62,6 +71,7 @@ module Dependabot
|
|
|
62
71
|
# see https://github.com/golang/mod/blob/fa1ba4269bda724bb9f01ec381fbbaf031e45833/semver/semver.go#L333
|
|
63
72
|
# rubocop:disable Metrics/CyclomaticComplexity
|
|
64
73
|
# rubocop:disable Metrics/PerceivedComplexity
|
|
74
|
+
sig { params(left: T.untyped, right: T.untyped).returns(Integer) }
|
|
65
75
|
def compare_prerelease(left, right)
|
|
66
76
|
return 0 if left == right
|
|
67
77
|
return 1 if left == ""
|
|
@@ -98,12 +108,14 @@ module Dependabot
|
|
|
98
108
|
# rubocop:enable Metrics/CyclomaticComplexity
|
|
99
109
|
# rubocop:enable Metrics/PerceivedComplexity
|
|
100
110
|
|
|
111
|
+
sig { params(data: String).returns(T.untyped) }
|
|
101
112
|
def next_ident(data)
|
|
102
113
|
i = 0
|
|
103
114
|
i += 1 while i < data.length && data[i] != "."
|
|
104
115
|
[data[0..i], data[i..-1]]
|
|
105
116
|
end
|
|
106
117
|
|
|
118
|
+
sig { params(data: T.untyped).returns(T::Boolean) }
|
|
107
119
|
def num?(data)
|
|
108
120
|
i = 0
|
|
109
121
|
i += 1 while i < data.length && data[i] >= "0" && data[i] <= "9"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-go_modules
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.264.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-07-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.264.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.264.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -248,6 +248,7 @@ files:
|
|
|
248
248
|
- helpers/go.sum
|
|
249
249
|
- helpers/importresolver/main.go
|
|
250
250
|
- helpers/main.go
|
|
251
|
+
- helpers/version_test.go
|
|
251
252
|
- lib/dependabot/go_modules.rb
|
|
252
253
|
- lib/dependabot/go_modules/file_fetcher.rb
|
|
253
254
|
- lib/dependabot/go_modules/file_parser.rb
|
|
@@ -267,7 +268,7 @@ licenses:
|
|
|
267
268
|
- MIT
|
|
268
269
|
metadata:
|
|
269
270
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
270
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
271
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.264.0
|
|
271
272
|
post_install_message:
|
|
272
273
|
rdoc_options: []
|
|
273
274
|
require_paths:
|