RubyGems - dependabot-go_modules - Versions diffs - 0.380.0 → 0.381.0 - Mend

dependabot-go_modules 0.380.0 → 0.381.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/dependabot/go_modules/file_parser.rb +35 -0
data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb +17 -16
data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb +36 -0
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bd0aa86d8519059a4ced604e4d32202c00c4b73fa451006c3918ff247069d234
-  data.tar.gz: 7a36751b391d9d8d2a184098d8dd0a2ba521e1de92292b4ee059d9dd0f2c0e0b
+  metadata.gz: d755e1ec7cfcbaeba0c4078e462dda1c0dad5a8656671c6951f2bf015af2f181
+  data.tar.gz: 604712cc627e5b5fa2510328fd4afc7d4e7833fb606ca98514a3dd81c5e8caa1
 SHA512:
-  metadata.gz: 1d46e5b1aabe273dc2d4cbb910259b7c2e64fe67fe55d12b1c6fa0ce557e907f9dedc7609fefeebc76664d63180968c7ae120c2138e93176e9b93600220e4321
-  data.tar.gz: 54d75e5a9b298b855f2761e87e101ceab4686d8dfe7833493e662b7f977c93538303690d01c65f933b69b10724efa76aa41debf590af2d06fbeec3398dc995b8
+  metadata.gz: 84fa95d8b8db24e5ff30cc16b7a7231e26c88ab89b44f6832e75b3575b2fa40b0c4b95200713ebe35315293b64ea86219598c8cdc1776ef357da11e5c9979f22
+  data.tar.gz: 1fa01e546e7fb67c4c88356d996046e6cd6c54eced985e3b7485e5295e16dc958fcfc3f6f227d5a720f8766f5da89e77e717f4b0c8362a78df2868ab8a5517cb

data/lib/dependabot/go_modules/file_parser.rb CHANGED Viewed

@@ -107,6 +107,8 @@ module Dependabot
         set_goenv_variable
         set_goproxy_variable
         set_goprivate_variable
+        set_gonoproxy_variable
+        set_gonosumdb_variable
       end
       sig { void }
@@ -148,6 +150,39 @@ module Dependabot
         ENV["GOPRIVATE"] = goprivate if goprivate
       end
+      # GONOPROXY explicitly controls which module paths skip the proxy.
+      # Setting this overrides GOPRIVATE's default for proxy decisions, letting
+      # us keep GOPRIVATE=* (to skip sumdb for unknown enterprise orgs) while
+      # still routing public modules through proxy.golang.org. The literal
+      # value "none" matches no module paths — see Go's mod_gonoproxy.txt test.
+      sig { void }
+      def set_gonoproxy_variable
+        return if go_env_includes_any?(%w(GONOPROXY GOPRIVATE GOPROXY))
+        return if goproxy_credentials.any?
+        gonoproxy = options.fetch(:gonoproxy, nil)
+        ENV["GONOPROXY"] = gonoproxy if gonoproxy
+      end
+      # GONOSUMDB explicitly controls which module paths skip checksum DB
+      # verification. Setting this overrides GOPRIVATE's default for sumdb,
+      # letting us narrow the scope independently of proxy routing.
+      sig { void }
+      def set_gonosumdb_variable
+        return if go_env_includes_any?(%w(GONOSUMDB GOPRIVATE))
+        gonosumdb = options.fetch(:gonosumdb, nil)
+        ENV["GONOSUMDB"] = gonosumdb if gonosumdb
+      end
+      sig { params(keys: T::Array[String]).returns(T::Boolean) }
+      def go_env_includes_any?(keys)
+        content = go_env&.content
+        return false unless content
+        keys.any? { |key| content.include?(key) }
+      end
       sig { void }
       def set_goproxy_variable
         return if go_env&.content&.include?("GOPROXY")

data/lib/dependabot/go_modules/file_updater/go_mod_updater.rb CHANGED Viewed

@@ -271,13 +271,7 @@ module Dependabot
           workspace_module_paths.each do |mod_path|
             Dir.chdir(mod_path) do
-              command = "go mod tidy -e"
-              _, stderr, status = Open3.capture3(command)
-              if status.success?
-                Dependabot.logger.info "`go mod tidy` succeeded in #{mod_path}"
-              else
-                Dependabot.logger.info "Failed to `go mod tidy` in #{mod_path}: #{stderr}"
-              end
+              run_go_mod_tidy(context: mod_path)
             end
           end
         end
@@ -332,21 +326,28 @@ module Dependabot
           results
         end
-        sig { void }
-        def run_go_mod_tidy
+        sig { params(context: T.nilable(String)).void }
+        def run_go_mod_tidy(context: nil)
           return unless tidy?
-          command = "go mod tidy -e"
+          label = context ? " in #{context}" : ""
-          # we explicitly don't raise an error for 'go mod tidy' and silently
-          # continue with an info log here. `go mod tidy` shouldn't block
-          # updating versions because there are some edge cases where it's OK to fail
-          # (such as generated files not available yet to us).
+          # Run a strict `go mod tidy` (without the `-e` flag). `-e` tells tidy
+          # to continue despite errors loading packages, which silently
+          # tolerates unreachable/private modules and can over-prune `/go.mod`
+          # checksum entries from go.sum for unrelated modules. We surface the
+          # real error instead so the underlying dependency problem is visible
+          # and can be fixed by giving Dependabot the same access to
+          # dependencies as the rest of the team.
+          command = "go mod tidy"
           _, stderr, status = Open3.capture3(command)
           if status.success?
-            Dependabot.logger.info "`go mod tidy` succeeded"
+            Dependabot.logger.info "`#{command}` succeeded#{label}"
           else
-            Dependabot.logger.info "Failed to `go mod tidy`: #{stderr}"
+            # Log the failing module before raising, as handle_subprocess_error
+            # scrubs the working directory from the message.
+            Dependabot.logger.info "Failed to `#{command}`#{label}: #{stderr}"
+            handle_subprocess_error(stderr)
           end
         end

data/lib/dependabot/go_modules/update_checker/latest_version_finder.rb CHANGED Viewed

@@ -253,6 +253,11 @@ module Dependabot
         def fetch_lowest_security_fix_version(language_version: nil)
           relevant_versions = available_versions_details
           relevant_versions = filter_prerelease_versions(relevant_versions)
+          # Add pseudo-versions from advisory boundaries after the prerelease filter.
+          # The Go proxy only indexes tagged releases, so commit-based pseudo-version
+          # fix boundaries won't appear in the version list. They're not traditional
+          # prereleases and must always be considered as candidates.
+          relevant_versions += pseudo_versions_from_advisory_boundaries
           relevant_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(
             relevant_versions,
             security_advisories
@@ -264,6 +269,37 @@ module Dependabot
         end
         # rubocop:enable Lint/UnusedMethodArgument
+        # When an advisory's fix boundary is a pseudo-version (e.g. "< 2.3.1-0.20260320110106-0b84568fffcc"),
+        # the Go module proxy won't include it in its version list. Extract those pseudo-versions
+        # from the advisory requirement strings so they can be considered as fix candidates.
+        # Only pseudo-versions strictly greater than the current version are returned to avoid
+        # unnecessary processing of versions that would be discarded by filter_lower_versions anyway.
+        sig { returns(T::Array[Dependabot::Package::PackageRelease]) }
+        def pseudo_versions_from_advisory_boundaries
+          current = dependency.numeric_version
+          security_advisories.flat_map do |advisory|
+            advisory.vulnerable_version_strings.flat_map do |req_string|
+              # Parse each constraint in requirement strings like
+              # ">= 1.1.0, < 2.3.1-0.20260320110106-0b84568fffcc" and extract
+              # any pseudo-version boundary that represents a possible fix.
+              req_string.to_s.split(",").filter_map do |constraint|
+                version_str = constraint.gsub(/\A\s*[<>=!~^]+\s*v?/, "").strip
+                next unless PSEUDO_VERSION_REGEX.match?(version_str)
+                next unless version_class.correct?(version_str)
+                candidate = version_class.new(version_str)
+                next if current && candidate <= current
+                Dependabot::Package::PackageRelease.new(
+                  version: candidate,
+                  details: { "version_string" => version_str }
+                )
+              end
+            end
+          end.uniq(&:version)
+        end
         sig { returns(T::Boolean) }
         def wants_prerelease?
           @wants_prerelease ||= T.let(

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-go_modules
 version: !ruby/object:Gem::Version
-  version: 0.380.0
+  version: 0.381.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.380.0
+        version: 0.381.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.380.0
+        version: 0.381.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -275,7 +275,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.380.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.381.0
 rdoc_options: []
 require_paths:
 - lib