dependabot-go_modules 0.263.0 → 0.264.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/helpers/go.mod +4 -1
- data/helpers/go.sum +2 -0
- data/helpers/version_test.go +30 -0
- data/lib/dependabot/go_modules/file_updater.rb +46 -17
- data/lib/dependabot/go_modules/metadata_finder.rb +1 -1
- data/lib/dependabot/go_modules/native_helpers.rb +8 -1
- data/lib/dependabot/go_modules/path_converter.rb +18 -5
- data/lib/dependabot/go_modules/resolvability_errors.rb +8 -2
- data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb +74 -28
- data/lib/dependabot/go_modules/update_checker.rb +21 -3
- data/lib/dependabot/go_modules/version.rb +15 -3
- metadata +6 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7006f9b6ed7c801d5b926f0d2ada961f624f7a7bde2057f822c661849744e54c
|
|
4
|
+
data.tar.gz: 796211ae01a7396bcb759cd744a4ed7074d83718b89b6ffd163d084ce5c3fdc6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8d2f7726c1fccc5324dc6bd7c48d088fd0fd0f2bf33062ef08d70203e92dbbf9f4222336d21b46de44a9b4d674711a860f5ab9cd98b9c9ee3a83de72d1785e8f
|
|
7
|
+
data.tar.gz: 76ec94c0e17dd82e22a91aabbf68d4a6976a580e1c18e2cf7c837319370e6a4054a66fc4ed16a815a54c15bd070028c8c831e2eaa500d0e255a889b23b9e4ae9
|
data/helpers/go.mod
CHANGED
data/helpers/go.sum
CHANGED
|
@@ -1,2 +1,4 @@
|
|
|
1
1
|
github.com/Masterminds/vcs v1.13.3 h1:IIA2aBdXvfbIM+yl/eTnL4hb1XwdpvuQLglAix1gweE=
|
|
2
2
|
github.com/Masterminds/vcs v1.13.3/go.mod h1:TiE7xuEjl1N4j016moRd6vezp6e6Lz23gypeXfzXeW8=
|
|
3
|
+
golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0=
|
|
4
|
+
golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
package main
|
|
2
|
+
|
|
3
|
+
import (
|
|
4
|
+
"encoding/json"
|
|
5
|
+
"golang.org/x/mod/semver"
|
|
6
|
+
"os"
|
|
7
|
+
"reflect"
|
|
8
|
+
"testing"
|
|
9
|
+
)
|
|
10
|
+
|
|
11
|
+
// TestVersionComparison verifies that the ordered version fixture is sorted correctly.
|
|
12
|
+
func TestVersionComparison(t *testing.T) {
|
|
13
|
+
data, err := os.ReadFile("../spec/fixtures/ordered_versions.json")
|
|
14
|
+
if err != nil {
|
|
15
|
+
t.Fatalf("failed to read file: %v", err)
|
|
16
|
+
}
|
|
17
|
+
var expected []string
|
|
18
|
+
if err = json.Unmarshal(data, &expected); err != nil {
|
|
19
|
+
t.Fatalf("failed to unmarshal json: %v", err)
|
|
20
|
+
}
|
|
21
|
+
|
|
22
|
+
actual := make([]string, len(expected))
|
|
23
|
+
copy(actual, expected)
|
|
24
|
+
semver.Sort(actual)
|
|
25
|
+
|
|
26
|
+
// The sorted order should equal the original order in the file.
|
|
27
|
+
if !reflect.DeepEqual(actual, expected) {
|
|
28
|
+
t.Fatalf("got %v", actual)
|
|
29
|
+
}
|
|
30
|
+
}
|
|
@@ -1,6 +1,8 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
require "dependabot/shared_helpers"
|
|
5
7
|
require "dependabot/file_updaters"
|
|
6
8
|
require "dependabot/file_updaters/base"
|
|
@@ -9,16 +11,29 @@ require "dependabot/file_updaters/vendor_updater"
|
|
|
9
11
|
module Dependabot
|
|
10
12
|
module GoModules
|
|
11
13
|
class FileUpdater < Dependabot::FileUpdaters::Base
|
|
14
|
+
extend T::Sig
|
|
15
|
+
|
|
12
16
|
require_relative "file_updater/go_mod_updater"
|
|
13
17
|
|
|
14
|
-
|
|
15
|
-
|
|
18
|
+
sig do
|
|
19
|
+
override
|
|
20
|
+
.params(
|
|
21
|
+
dependencies: T::Array[Dependabot::Dependency],
|
|
22
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
23
|
+
credentials: T::Array[Dependabot::Credential],
|
|
24
|
+
repo_contents_path: T.nilable(String),
|
|
25
|
+
options: T::Hash[Symbol, T.untyped]
|
|
26
|
+
)
|
|
27
|
+
.void
|
|
28
|
+
end
|
|
29
|
+
def initialize(dependencies:, dependency_files:, credentials:, repo_contents_path: nil, options: {})
|
|
16
30
|
super
|
|
17
31
|
|
|
18
|
-
@goprivate = options.fetch(:goprivate, "*")
|
|
32
|
+
@goprivate = T.let(options.fetch(:goprivate, "*"), String)
|
|
19
33
|
use_repo_contents_stub if repo_contents_path.nil?
|
|
20
34
|
end
|
|
21
35
|
|
|
36
|
+
sig { override.returns(T::Array[Regexp]) }
|
|
22
37
|
def self.updated_files_regex
|
|
23
38
|
[
|
|
24
39
|
/^go\.mod$/,
|
|
@@ -26,25 +41,26 @@ module Dependabot
|
|
|
26
41
|
]
|
|
27
42
|
end
|
|
28
43
|
|
|
44
|
+
sig { override.returns(T::Array[Dependabot::DependencyFile]) }
|
|
29
45
|
def updated_dependency_files
|
|
30
46
|
updated_files = []
|
|
31
47
|
|
|
32
|
-
if go_mod && dependency_changed?(go_mod)
|
|
48
|
+
if go_mod && dependency_changed?(T.must(go_mod))
|
|
33
49
|
updated_files <<
|
|
34
50
|
updated_file(
|
|
35
|
-
file: go_mod,
|
|
36
|
-
content: file_updater.updated_go_mod_content
|
|
51
|
+
file: T.must(go_mod),
|
|
52
|
+
content: T.must(file_updater.updated_go_mod_content)
|
|
37
53
|
)
|
|
38
54
|
|
|
39
|
-
if go_sum && go_sum.content != file_updater.updated_go_sum_content
|
|
55
|
+
if go_sum && T.must(go_sum).content != file_updater.updated_go_sum_content
|
|
40
56
|
updated_files <<
|
|
41
57
|
updated_file(
|
|
42
|
-
file: go_sum,
|
|
43
|
-
content: file_updater.updated_go_sum_content
|
|
58
|
+
file: T.must(go_sum),
|
|
59
|
+
content: T.must(file_updater.updated_go_sum_content)
|
|
44
60
|
)
|
|
45
61
|
end
|
|
46
62
|
|
|
47
|
-
vendor_updater.
|
|
63
|
+
vendor_updater.updated_files(base_directory: T.must(directory))
|
|
48
64
|
.each do |file|
|
|
49
65
|
updated_files << file
|
|
50
66
|
end
|
|
@@ -57,19 +73,22 @@ module Dependabot
|
|
|
57
73
|
|
|
58
74
|
private
|
|
59
75
|
|
|
76
|
+
sig { params(go_mod: Dependabot::DependencyFile).returns(T::Boolean) }
|
|
60
77
|
def dependency_changed?(go_mod)
|
|
61
78
|
# file_changed? only checks for changed requirements. Need to check for indirect dep version changes too.
|
|
62
79
|
file_changed?(go_mod) || dependencies.any? { |dep| dep.previous_version != dep.version }
|
|
63
80
|
end
|
|
64
81
|
|
|
82
|
+
sig { override.void }
|
|
65
83
|
def check_required_files
|
|
66
84
|
return if go_mod
|
|
67
85
|
|
|
68
86
|
raise "No go.mod!"
|
|
69
87
|
end
|
|
70
88
|
|
|
89
|
+
sig { returns(String) }
|
|
71
90
|
def use_repo_contents_stub
|
|
72
|
-
@repo_contents_stub = true
|
|
91
|
+
@repo_contents_stub = T.let(true, T.nilable(T::Boolean))
|
|
73
92
|
@repo_contents_path = Dir.mktmpdir
|
|
74
93
|
|
|
75
94
|
Dir.chdir(@repo_contents_path) do
|
|
@@ -92,22 +111,27 @@ module Dependabot
|
|
|
92
111
|
end
|
|
93
112
|
end
|
|
94
113
|
|
|
114
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
95
115
|
def go_mod
|
|
96
|
-
@go_mod ||= get_original_file("go.mod")
|
|
116
|
+
@go_mod ||= T.let(get_original_file("go.mod"), T.nilable(Dependabot::DependencyFile))
|
|
97
117
|
end
|
|
98
118
|
|
|
119
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
99
120
|
def go_sum
|
|
100
|
-
@go_sum ||= get_original_file("go.sum")
|
|
121
|
+
@go_sum ||= T.let(get_original_file("go.sum"), T.nilable(Dependabot::DependencyFile))
|
|
101
122
|
end
|
|
102
123
|
|
|
124
|
+
sig { returns(T.nilable(String)) }
|
|
103
125
|
def directory
|
|
104
126
|
dependency_files.first&.directory
|
|
105
127
|
end
|
|
106
128
|
|
|
129
|
+
sig { returns(String) }
|
|
107
130
|
def vendor_dir
|
|
108
131
|
File.join(repo_contents_path, directory, "vendor")
|
|
109
132
|
end
|
|
110
133
|
|
|
134
|
+
sig { returns(Dependabot::FileUpdaters::VendorUpdater) }
|
|
111
135
|
def vendor_updater
|
|
112
136
|
Dependabot::FileUpdaters::VendorUpdater.new(
|
|
113
137
|
repo_contents_path: repo_contents_path,
|
|
@@ -115,22 +139,27 @@ module Dependabot
|
|
|
115
139
|
)
|
|
116
140
|
end
|
|
117
141
|
|
|
142
|
+
sig { returns(GoModUpdater) }
|
|
118
143
|
def file_updater
|
|
119
|
-
@file_updater ||=
|
|
144
|
+
@file_updater ||= T.let(
|
|
120
145
|
GoModUpdater.new(
|
|
121
146
|
dependencies: dependencies,
|
|
122
147
|
dependency_files: dependency_files,
|
|
123
148
|
credentials: credentials,
|
|
124
149
|
repo_contents_path: repo_contents_path,
|
|
125
|
-
directory: directory,
|
|
150
|
+
directory: T.must(directory),
|
|
126
151
|
options: { tidy: tidy?, vendor: vendor?, goprivate: @goprivate }
|
|
127
|
-
)
|
|
152
|
+
),
|
|
153
|
+
T.nilable(Dependabot::GoModules::FileUpdater::GoModUpdater)
|
|
154
|
+
)
|
|
128
155
|
end
|
|
129
156
|
|
|
157
|
+
sig { returns(T::Boolean) }
|
|
130
158
|
def tidy?
|
|
131
159
|
!@repo_contents_stub
|
|
132
160
|
end
|
|
133
161
|
|
|
162
|
+
sig { returns(T::Boolean) }
|
|
134
163
|
def vendor?
|
|
135
164
|
File.exist?(File.join(vendor_dir, "modules.txt"))
|
|
136
165
|
end
|
|
@@ -1,18 +1,25 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
module Dependabot
|
|
5
7
|
module GoModules
|
|
6
8
|
module NativeHelpers
|
|
9
|
+
extend T::Sig
|
|
10
|
+
|
|
11
|
+
sig { returns(String) }
|
|
7
12
|
def self.helper_path
|
|
8
13
|
clean_path(File.join(native_helpers_root, "go_modules/bin/helper"))
|
|
9
14
|
end
|
|
10
15
|
|
|
16
|
+
sig { returns(String) }
|
|
11
17
|
def self.native_helpers_root
|
|
12
18
|
default_path = File.join(__dir__, "../../../helpers/install-dir")
|
|
13
19
|
ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
|
|
14
20
|
end
|
|
15
21
|
|
|
22
|
+
sig { params(path: String).returns(String) }
|
|
16
23
|
def self.clean_path(path)
|
|
17
24
|
Pathname.new(path).cleanpath.to_path
|
|
18
25
|
end
|
|
@@ -1,19 +1,32 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
require "dependabot/go_modules/native_helpers"
|
|
5
7
|
|
|
6
8
|
module Dependabot
|
|
7
9
|
module GoModules
|
|
8
10
|
module PathConverter
|
|
11
|
+
extend T::Sig
|
|
12
|
+
|
|
13
|
+
sig do
|
|
14
|
+
params(path: String)
|
|
15
|
+
.returns(
|
|
16
|
+
T.nilable(String)
|
|
17
|
+
)
|
|
18
|
+
end
|
|
9
19
|
def self.git_url_for_path(path)
|
|
10
20
|
# Save a query by manually converting golang.org/x names
|
|
11
21
|
import_path = path.gsub(%r{^golang\.org/x}, "github.com/golang")
|
|
12
22
|
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
23
|
+
T.cast(
|
|
24
|
+
SharedHelpers.run_helper_subprocess(
|
|
25
|
+
command: NativeHelpers.helper_path,
|
|
26
|
+
function: "getVcsRemoteForImport",
|
|
27
|
+
args: { import: import_path }
|
|
28
|
+
),
|
|
29
|
+
T.nilable(String)
|
|
17
30
|
)
|
|
18
31
|
end
|
|
19
32
|
end
|
|
@@ -1,11 +1,16 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
module Dependabot
|
|
5
7
|
module GoModules
|
|
6
8
|
module ResolvabilityErrors
|
|
9
|
+
extend T::Sig
|
|
10
|
+
|
|
7
11
|
GITHUB_REPO_REGEX = %r{github.com/[^:@]*}
|
|
8
12
|
|
|
13
|
+
sig { params(message: String, goprivate: T.untyped).void }
|
|
9
14
|
def self.handle(message, goprivate:)
|
|
10
15
|
mod_path = message.scan(GITHUB_REPO_REGEX).last
|
|
11
16
|
unless mod_path && message.include?("If this is a private repository")
|
|
@@ -17,9 +22,10 @@ module Dependabot
|
|
|
17
22
|
SharedHelpers.in_a_temporary_directory do
|
|
18
23
|
File.write("go.mod", "module dummy\n")
|
|
19
24
|
|
|
25
|
+
mod_path = T.cast(mod_path, String)
|
|
20
26
|
mod_split = mod_path.split("/")
|
|
21
27
|
repo_path = if mod_split.size > 3
|
|
22
|
-
mod_split[0..2].join("/")
|
|
28
|
+
T.must(mod_split[0..2]).join("/")
|
|
23
29
|
else
|
|
24
30
|
mod_path
|
|
25
31
|
end
|
|
@@ -1,7 +1,8 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "excon"
|
|
5
|
+
require "sorbet-runtime"
|
|
5
6
|
|
|
6
7
|
require "dependabot/go_modules/update_checker"
|
|
7
8
|
require "dependabot/update_checkers/version_filters"
|
|
@@ -9,7 +10,6 @@ require "dependabot/shared_helpers"
|
|
|
9
10
|
require "dependabot/errors"
|
|
10
11
|
require "dependabot/go_modules/requirement"
|
|
11
12
|
require "dependabot/go_modules/resolvability_errors"
|
|
12
|
-
require "sorbet-runtime"
|
|
13
13
|
|
|
14
14
|
module Dependabot
|
|
15
15
|
module GoModules
|
|
@@ -17,26 +17,47 @@ module Dependabot
|
|
|
17
17
|
class LatestVersionFinder
|
|
18
18
|
extend T::Sig
|
|
19
19
|
|
|
20
|
-
RESOLVABILITY_ERROR_REGEXES =
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
20
|
+
RESOLVABILITY_ERROR_REGEXES = T.let(
|
|
21
|
+
[
|
|
22
|
+
# Package url/proxy doesn't include any redirect meta tags
|
|
23
|
+
/no go-import meta tags/,
|
|
24
|
+
# Package url 404s
|
|
25
|
+
/404 Not Found/,
|
|
26
|
+
/Repository not found/,
|
|
27
|
+
/unrecognized import path/,
|
|
28
|
+
/malformed module path/,
|
|
29
|
+
# (Private) module could not be fetched
|
|
30
|
+
/module .*: git ls-remote .*: exit status 128/m
|
|
31
|
+
].freeze,
|
|
32
|
+
T::Array[Regexp]
|
|
33
|
+
)
|
|
31
34
|
# The module was retracted from the proxy
|
|
32
35
|
# OR the version of Go required is greater than what Dependabot supports
|
|
33
36
|
# OR other go.mod version errors
|
|
34
37
|
INVALID_VERSION_REGEX = /(go: loading module retractions for)|(version "[^"]+" invalid)/m
|
|
35
38
|
PSEUDO_VERSION_REGEX = /\b\d{14}-[0-9a-f]{12}$/
|
|
36
39
|
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
+
sig do
|
|
41
|
+
params(
|
|
42
|
+
dependency: Dependabot::Dependency,
|
|
43
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
44
|
+
credentials: T::Array[Dependabot::Credential],
|
|
45
|
+
ignored_versions: T::Array[String],
|
|
46
|
+
security_advisories: T::Array[Dependabot::SecurityAdvisory],
|
|
47
|
+
goprivate: String,
|
|
48
|
+
raise_on_ignored: T::Boolean
|
|
49
|
+
)
|
|
50
|
+
.void
|
|
51
|
+
end
|
|
52
|
+
def initialize(
|
|
53
|
+
dependency:,
|
|
54
|
+
dependency_files:,
|
|
55
|
+
credentials:,
|
|
56
|
+
ignored_versions:,
|
|
57
|
+
security_advisories:,
|
|
58
|
+
goprivate:,
|
|
59
|
+
raise_on_ignored: false
|
|
60
|
+
)
|
|
40
61
|
@dependency = dependency
|
|
41
62
|
@dependency_files = dependency_files
|
|
42
63
|
@credentials = credentials
|
|
@@ -46,32 +67,45 @@ module Dependabot
|
|
|
46
67
|
@goprivate = goprivate
|
|
47
68
|
end
|
|
48
69
|
|
|
70
|
+
sig { returns(T.nilable(Dependabot::Version)) }
|
|
49
71
|
def latest_version
|
|
50
|
-
@latest_version ||= fetch_latest_version
|
|
72
|
+
@latest_version ||= T.let(fetch_latest_version, T.nilable(Dependabot::Version))
|
|
51
73
|
end
|
|
52
74
|
|
|
75
|
+
sig { returns(Dependabot::Version) }
|
|
53
76
|
def lowest_security_fix_version
|
|
54
|
-
@lowest_security_fix_version ||= fetch_lowest_security_fix_version
|
|
77
|
+
@lowest_security_fix_version ||= T.let(fetch_lowest_security_fix_version, T.nilable(Dependabot::Version))
|
|
55
78
|
end
|
|
56
79
|
|
|
57
80
|
private
|
|
58
81
|
|
|
82
|
+
sig { returns(Dependabot::Dependency) }
|
|
59
83
|
attr_reader :dependency
|
|
84
|
+
|
|
85
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
60
86
|
attr_reader :dependency_files
|
|
87
|
+
|
|
88
|
+
sig { returns(T::Array[Dependabot::Credential]) }
|
|
61
89
|
attr_reader :credentials
|
|
90
|
+
|
|
91
|
+
sig { returns(T::Array[String]) }
|
|
62
92
|
attr_reader :ignored_versions
|
|
93
|
+
|
|
94
|
+
sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
|
|
63
95
|
attr_reader :security_advisories
|
|
64
96
|
|
|
97
|
+
sig { returns(T.nilable(Dependabot::Version)) }
|
|
65
98
|
def fetch_latest_version
|
|
66
99
|
candidate_versions = available_versions
|
|
67
100
|
candidate_versions = filter_prerelease_versions(candidate_versions)
|
|
68
101
|
candidate_versions = filter_ignored_versions(candidate_versions)
|
|
69
102
|
# Adding the psuedo-version to the list to avoid downgrades
|
|
70
|
-
candidate_versions << dependency.version if PSEUDO_VERSION_REGEX.match?(dependency.version)
|
|
103
|
+
candidate_versions << version_class.new(dependency.version) if PSEUDO_VERSION_REGEX.match?(dependency.version)
|
|
71
104
|
|
|
72
105
|
candidate_versions.max
|
|
73
106
|
end
|
|
74
107
|
|
|
108
|
+
sig { returns(Dependabot::Version) }
|
|
75
109
|
def fetch_lowest_security_fix_version
|
|
76
110
|
relevant_versions = available_versions
|
|
77
111
|
relevant_versions = filter_prerelease_versions(relevant_versions)
|
|
@@ -80,13 +114,15 @@ module Dependabot
|
|
|
80
114
|
relevant_versions = filter_ignored_versions(relevant_versions)
|
|
81
115
|
relevant_versions = filter_lower_versions(relevant_versions)
|
|
82
116
|
|
|
83
|
-
relevant_versions.min
|
|
117
|
+
T.must(relevant_versions.min)
|
|
84
118
|
end
|
|
85
119
|
|
|
120
|
+
sig { returns(T::Array[Dependabot::Version]) }
|
|
86
121
|
def available_versions
|
|
87
|
-
@available_versions ||= fetch_available_versions
|
|
122
|
+
@available_versions ||= T.let(fetch_available_versions, T.nilable(T::Array[Dependabot::Version]))
|
|
88
123
|
end
|
|
89
124
|
|
|
125
|
+
sig { returns(T::Array[Dependabot::Version]) }
|
|
90
126
|
def fetch_available_versions
|
|
91
127
|
SharedHelpers.in_a_temporary_directory do
|
|
92
128
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
@@ -124,26 +160,29 @@ module Dependabot
|
|
|
124
160
|
ResolvabilityErrors.handle(e.message, goprivate: @goprivate)
|
|
125
161
|
end
|
|
126
162
|
|
|
163
|
+
sig { params(error: StandardError).returns(T::Boolean) }
|
|
127
164
|
def transitory_failure?(error)
|
|
128
165
|
return true if error.message.include?("EOF")
|
|
129
166
|
|
|
130
167
|
error.message.include?("Internal Server Error")
|
|
131
168
|
end
|
|
132
169
|
|
|
170
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
133
171
|
def go_mod
|
|
134
|
-
@go_mod ||= dependency_files.find { |f| f.name == "go.mod" }
|
|
172
|
+
@go_mod ||= T.let(dependency_files.find { |f| f.name == "go.mod" }, T.nilable(Dependabot::DependencyFile))
|
|
135
173
|
end
|
|
136
174
|
|
|
175
|
+
sig { returns(T::Hash[String, T.untyped]) }
|
|
137
176
|
def parse_manifest
|
|
138
177
|
SharedHelpers.in_a_temporary_directory do
|
|
139
|
-
File.write("go.mod", go_mod.content)
|
|
178
|
+
File.write("go.mod", T.must(go_mod).content)
|
|
140
179
|
json = SharedHelpers.run_shell_command("go mod edit -json")
|
|
141
180
|
|
|
142
181
|
JSON.parse(json) || {}
|
|
143
182
|
end
|
|
144
183
|
end
|
|
145
184
|
|
|
146
|
-
sig { params(versions_array: T::Array[
|
|
185
|
+
sig { params(versions_array: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
|
|
147
186
|
def filter_prerelease_versions(versions_array)
|
|
148
187
|
return versions_array if wants_prerelease?
|
|
149
188
|
|
|
@@ -154,6 +193,7 @@ module Dependabot
|
|
|
154
193
|
filtered
|
|
155
194
|
end
|
|
156
195
|
|
|
196
|
+
sig { params(versions_array: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
|
|
157
197
|
def filter_lower_versions(versions_array)
|
|
158
198
|
return versions_array unless dependency.numeric_version
|
|
159
199
|
|
|
@@ -161,7 +201,7 @@ module Dependabot
|
|
|
161
201
|
.select { |version| version > dependency.numeric_version }
|
|
162
202
|
end
|
|
163
203
|
|
|
164
|
-
sig { params(versions_array: T::Array[
|
|
204
|
+
sig { params(versions_array: T::Array[Dependabot::Version]).returns(T::Array[Dependabot::Version]) }
|
|
165
205
|
def filter_ignored_versions(versions_array)
|
|
166
206
|
filtered = versions_array
|
|
167
207
|
.reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
|
|
@@ -176,22 +216,28 @@ module Dependabot
|
|
|
176
216
|
filtered
|
|
177
217
|
end
|
|
178
218
|
|
|
219
|
+
sig { returns(T::Boolean) }
|
|
179
220
|
def wants_prerelease?
|
|
180
|
-
@wants_prerelease ||=
|
|
221
|
+
@wants_prerelease ||= T.let(
|
|
181
222
|
begin
|
|
182
223
|
current_version = dependency.numeric_version
|
|
183
|
-
current_version&.prerelease?
|
|
184
|
-
end
|
|
224
|
+
!current_version&.prerelease?.nil?
|
|
225
|
+
end,
|
|
226
|
+
T.nilable(T::Boolean)
|
|
227
|
+
)
|
|
185
228
|
end
|
|
186
229
|
|
|
230
|
+
sig { returns(T::Array[Dependabot::Requirement]) }
|
|
187
231
|
def ignore_requirements
|
|
188
232
|
ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
|
|
189
233
|
end
|
|
190
234
|
|
|
235
|
+
sig { returns(T.class_of(Dependabot::Requirement)) }
|
|
191
236
|
def requirement_class
|
|
192
237
|
dependency.requirement_class
|
|
193
238
|
end
|
|
194
239
|
|
|
240
|
+
sig { returns(T.class_of(Dependabot::Version)) }
|
|
195
241
|
def version_class
|
|
196
242
|
dependency.version_class
|
|
197
243
|
end
|
|
@@ -1,6 +1,8 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
require "dependabot/update_checkers"
|
|
5
7
|
require "dependabot/update_checkers/base"
|
|
6
8
|
require "dependabot/shared_helpers"
|
|
@@ -10,8 +12,11 @@ require "dependabot/go_modules/version"
|
|
|
10
12
|
module Dependabot
|
|
11
13
|
module GoModules
|
|
12
14
|
class UpdateChecker < Dependabot::UpdateCheckers::Base
|
|
15
|
+
extend T::Sig
|
|
16
|
+
|
|
13
17
|
require_relative "update_checker/latest_version_finder"
|
|
14
18
|
|
|
19
|
+
sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
|
|
15
20
|
def latest_resolvable_version
|
|
16
21
|
latest_version_finder.latest_version
|
|
17
22
|
end
|
|
@@ -19,25 +24,30 @@ module Dependabot
|
|
|
19
24
|
# This is currently used to short-circuit latest_resolvable_version,
|
|
20
25
|
# with the assumption that it'll be quicker than checking
|
|
21
26
|
# resolvability. As this is quite quick in Go anyway, we just alias.
|
|
27
|
+
sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
|
|
22
28
|
def latest_version
|
|
23
29
|
latest_resolvable_version
|
|
24
30
|
end
|
|
25
31
|
|
|
32
|
+
sig { override.returns(T.nilable(Dependabot::Version)) }
|
|
26
33
|
def lowest_resolvable_security_fix_version
|
|
27
34
|
raise "Dependency not vulnerable!" unless vulnerable?
|
|
28
35
|
|
|
29
36
|
lowest_security_fix_version
|
|
30
37
|
end
|
|
31
38
|
|
|
39
|
+
sig { override.returns(Dependabot::Version) }
|
|
32
40
|
def lowest_security_fix_version
|
|
33
41
|
latest_version_finder.lowest_security_fix_version
|
|
34
42
|
end
|
|
35
43
|
|
|
44
|
+
sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
|
|
36
45
|
def latest_resolvable_version_with_no_unlock
|
|
37
46
|
# Irrelevant, since Go modules uses a single dependency file
|
|
38
47
|
nil
|
|
39
48
|
end
|
|
40
49
|
|
|
50
|
+
sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
|
|
41
51
|
def updated_requirements
|
|
42
52
|
dependency.requirements.map do |req|
|
|
43
53
|
req.merge(requirement: latest_version)
|
|
@@ -46,8 +56,9 @@ module Dependabot
|
|
|
46
56
|
|
|
47
57
|
private
|
|
48
58
|
|
|
59
|
+
sig { returns(Dependabot::GoModules::UpdateChecker::LatestVersionFinder) }
|
|
49
60
|
def latest_version_finder
|
|
50
|
-
@latest_version_finder ||=
|
|
61
|
+
@latest_version_finder ||= T.let(
|
|
51
62
|
LatestVersionFinder.new(
|
|
52
63
|
dependency: dependency,
|
|
53
64
|
dependency_files: dependency_files,
|
|
@@ -56,23 +67,29 @@ module Dependabot
|
|
|
56
67
|
security_advisories: security_advisories,
|
|
57
68
|
raise_on_ignored: raise_on_ignored,
|
|
58
69
|
goprivate: options.fetch(:goprivate, "*")
|
|
59
|
-
)
|
|
70
|
+
),
|
|
71
|
+
T.nilable(Dependabot::GoModules::UpdateChecker::LatestVersionFinder)
|
|
72
|
+
)
|
|
60
73
|
end
|
|
61
74
|
|
|
75
|
+
sig { override.returns(T::Boolean) }
|
|
62
76
|
def latest_version_resolvable_with_full_unlock?
|
|
63
77
|
# Full unlock checks aren't implemented for Go (yet)
|
|
64
78
|
false
|
|
65
79
|
end
|
|
66
80
|
|
|
81
|
+
sig { override.returns(T::Array[Dependabot::Dependency]) }
|
|
67
82
|
def updated_dependencies_after_full_unlock
|
|
68
83
|
raise NotImplementedError
|
|
69
84
|
end
|
|
70
85
|
|
|
71
86
|
# Go only supports semver and semver-compliant pseudo-versions, so it can't be a SHA.
|
|
87
|
+
sig { returns(T::Boolean) }
|
|
72
88
|
def existing_version_is_sha?
|
|
73
89
|
false
|
|
74
90
|
end
|
|
75
91
|
|
|
92
|
+
sig { params(tag: T.nilable(T::Hash[Symbol, String])).returns(T.untyped) }
|
|
76
93
|
def version_from_tag(tag)
|
|
77
94
|
# To compare with the current version we either use the commit SHA
|
|
78
95
|
# (if that's what the parser picked up) or the tag name.
|
|
@@ -81,6 +98,7 @@ module Dependabot
|
|
|
81
98
|
tag&.fetch(:tag)
|
|
82
99
|
end
|
|
83
100
|
|
|
101
|
+
sig { returns(T::Hash[Symbol, T.untyped]) }
|
|
84
102
|
def default_source
|
|
85
103
|
{ type: "default", source: dependency.name }
|
|
86
104
|
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
# Go pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
|
|
@@ -6,6 +6,8 @@
|
|
|
6
6
|
# alteration.
|
|
7
7
|
# Best docs are at https://github.com/Masterminds/semver
|
|
8
8
|
|
|
9
|
+
require "sorbet-runtime"
|
|
10
|
+
|
|
9
11
|
require "dependabot/version"
|
|
10
12
|
require "dependabot/utils"
|
|
11
13
|
|
|
@@ -19,6 +21,7 @@ module Dependabot
|
|
|
19
21
|
'(\+incompatible)?'
|
|
20
22
|
ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
|
|
21
23
|
|
|
24
|
+
sig { override.params(version: VersionParameter).returns(T::Boolean) }
|
|
22
25
|
def self.correct?(version)
|
|
23
26
|
version = version.gsub(/^v/, "") if version.is_a?(String)
|
|
24
27
|
version = version.to_s.split("+").first if version.to_s.include?("+")
|
|
@@ -26,34 +29,40 @@ module Dependabot
|
|
|
26
29
|
super(version)
|
|
27
30
|
end
|
|
28
31
|
|
|
32
|
+
sig { override.params(version: VersionParameter).void }
|
|
29
33
|
def initialize(version)
|
|
30
|
-
@version_string = version.to_s.gsub(/^v/, "")
|
|
34
|
+
@version_string = T.let(version.to_s.gsub(/^v/, ""), String)
|
|
31
35
|
version = version.gsub(/^v/, "") if version.is_a?(String)
|
|
32
36
|
version = version.to_s.split("+").first if version.to_s.include?("+")
|
|
37
|
+
@prerelease = T.let(nil, T.nilable(String))
|
|
33
38
|
version, @prerelease = version.to_s.split("-", 2) if version.to_s.include?("-")
|
|
34
39
|
|
|
35
40
|
super
|
|
36
41
|
end
|
|
37
42
|
|
|
43
|
+
sig { returns(String) }
|
|
38
44
|
def inspect # :nodoc:
|
|
39
45
|
"#<#{self.class} #{@version_string.inspect}>"
|
|
40
46
|
end
|
|
41
47
|
|
|
48
|
+
sig { returns(String) }
|
|
42
49
|
def to_s
|
|
43
50
|
@version_string
|
|
44
51
|
end
|
|
45
52
|
|
|
53
|
+
sig { params(other: Object).returns(T.nilable(Integer)) }
|
|
46
54
|
def <=>(other)
|
|
47
55
|
result = super(other)
|
|
48
56
|
return if result.nil?
|
|
49
57
|
return result unless result.zero?
|
|
50
58
|
|
|
51
|
-
other = self.class.new(other) unless other.is_a?(Version)
|
|
59
|
+
other = self.class.new(other.to_s) unless other.is_a?(Version)
|
|
52
60
|
compare_prerelease(@prerelease || "", T.unsafe(other).prerelease || "")
|
|
53
61
|
end
|
|
54
62
|
|
|
55
63
|
protected
|
|
56
64
|
|
|
65
|
+
sig { returns(T.nilable(String)) }
|
|
57
66
|
attr_reader :prerelease
|
|
58
67
|
|
|
59
68
|
private
|
|
@@ -62,6 +71,7 @@ module Dependabot
|
|
|
62
71
|
# see https://github.com/golang/mod/blob/fa1ba4269bda724bb9f01ec381fbbaf031e45833/semver/semver.go#L333
|
|
63
72
|
# rubocop:disable Metrics/CyclomaticComplexity
|
|
64
73
|
# rubocop:disable Metrics/PerceivedComplexity
|
|
74
|
+
sig { params(left: T.untyped, right: T.untyped).returns(Integer) }
|
|
65
75
|
def compare_prerelease(left, right)
|
|
66
76
|
return 0 if left == right
|
|
67
77
|
return 1 if left == ""
|
|
@@ -98,12 +108,14 @@ module Dependabot
|
|
|
98
108
|
# rubocop:enable Metrics/CyclomaticComplexity
|
|
99
109
|
# rubocop:enable Metrics/PerceivedComplexity
|
|
100
110
|
|
|
111
|
+
sig { params(data: String).returns(T.untyped) }
|
|
101
112
|
def next_ident(data)
|
|
102
113
|
i = 0
|
|
103
114
|
i += 1 while i < data.length && data[i] != "."
|
|
104
115
|
[data[0..i], data[i..-1]]
|
|
105
116
|
end
|
|
106
117
|
|
|
118
|
+
sig { params(data: T.untyped).returns(T::Boolean) }
|
|
107
119
|
def num?(data)
|
|
108
120
|
i = 0
|
|
109
121
|
i += 1 while i < data.length && data[i] >= "0" && data[i] <= "9"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-go_modules
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.264.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-07-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.264.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.264.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -248,6 +248,7 @@ files:
|
|
|
248
248
|
- helpers/go.sum
|
|
249
249
|
- helpers/importresolver/main.go
|
|
250
250
|
- helpers/main.go
|
|
251
|
+
- helpers/version_test.go
|
|
251
252
|
- lib/dependabot/go_modules.rb
|
|
252
253
|
- lib/dependabot/go_modules/file_fetcher.rb
|
|
253
254
|
- lib/dependabot/go_modules/file_parser.rb
|
|
@@ -267,7 +268,7 @@ licenses:
|
|
|
267
268
|
- MIT
|
|
268
269
|
metadata:
|
|
269
270
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
270
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
271
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.264.0
|
|
271
272
|
post_install_message:
|
|
272
273
|
rdoc_options: []
|
|
273
274
|
require_paths:
|