dependabot-gradle 0.100.2 → 0.101.0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 8c979db53e87cd19a2fb616e1b9201608af93320190277ceabd7ecd84c6673d1
|
4
|
+
data.tar.gz: a566aa43e2a11555af09edd1a3ebaead3bd96e642b28d2124dac8bcc26797d6c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8e3558fd561af7c84baa9fc633bfacff2c86be9fa75dd2f3d58e3438219c9e51d45bb0b7957265a21a60924b3506db4da712ea9c50c10e60a912d4f5106a6661
|
7
|
+
data.tar.gz: 57ffc24ba93500e931fdbaa88789342d89213fa517b9762506cdc012c97429dd97c0675c8cbe106fd6c43121c01db452220a97dd4fa2a1545568234a09c14864
|
@@ -27,6 +27,13 @@ module Dependabot
|
|
27
27
|
latest_version
|
28
28
|
end
|
29
29
|
|
30
|
+
def lowest_resolvable_security_fix_version
|
31
|
+
return nil if version_comes_from_multi_dependency_property?
|
32
|
+
return nil if version_comes_from_dependency_set?
|
33
|
+
|
34
|
+
lowest_security_fix_version_details&.fetch(:version)
|
35
|
+
end
|
36
|
+
|
30
37
|
def latest_resolvable_version_with_no_unlock
|
31
38
|
# Irrelevant, since Gradle has a single dependency file.
|
32
39
|
#
|
@@ -45,8 +52,8 @@ module Dependabot
|
|
45
52
|
|
46
53
|
RequirementsUpdater.new(
|
47
54
|
requirements: dependency.requirements,
|
48
|
-
latest_version:
|
49
|
-
source_url:
|
55
|
+
latest_version: preferred_resolvable_version&.to_s,
|
56
|
+
source_url: preferred_version_details&.fetch(:source_url),
|
50
57
|
properties_to_update: property_names
|
51
58
|
).updated_requirements
|
52
59
|
end
|
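Review bot: `latest_version:` and `source_url:` in the RequirementsUpdater call are now derived from two different selectors — `preferred_resolvable_version` (not defined in these hunks, presumably inherited from the base checker) and the new `preferred_version_details` (defined in the next hunk, after `super`) — and the two do not agree on edge cases. `lowest_resolvable_security_fix_version` in the first hunk returns nil when the version comes from a multi-dependency property or a dependency set, while `preferred_version_details` returns `lowest_security_fix_version_details` whenever `vulnerable?` is true with no such check and no fallback; if the inherited `preferred_resolvable_version` falls back to the latest resolvable version in those cases (to be confirmed in the base class), the updated requirement would carry the latest version with a `source_url` taken from the security-fix details, or a nil `source_url` when no fix exists. Deriving both values from the same details hash, or giving `preferred_version_details` the same guards (`return lowest_security_fix_version_details if vulnerable? && lowest_security_fix_version_details && !version_comes_from_multi_dependency_property? && !version_comes_from_dependency_set?`), keeps them consistent. The enclosing `updated_requirements` method starts before this hunk.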
@@ -84,16 +91,28 @@ module Dependabot
|
|
84
91
|
super
|
85
92
|
end
|
86
93
|
|
94
|
+
def preferred_version_details
|
95
|
+
return lowest_security_fix_version_details if vulnerable?
|
96
|
+
|
97
|
+
latest_version_details
|
98
|
+
end
|
99
|
+
|
87
100
|
def latest_version_details
|
88
101
|
@latest_version_details ||= version_finder.latest_version_details
|
89
102
|
end
|
90
103
|
|
104
|
+
def lowest_security_fix_version_details
|
105
|
+
@lowest_security_fix_version_details ||=
|
106
|
+
version_finder.lowest_security_fix_version_details
|
107
|
+
end
|
108
|
+
|
91
109
|
def version_finder
|
92
110
|
@version_finder ||=
|
93
111
|
VersionFinder.new(
|
94
112
|
dependency: dependency,
|
95
113
|
dependency_files: dependency_files,
|
96
|
-
ignored_versions: ignored_versions
|
114
|
+
ignored_versions: ignored_versions,
|
115
|
+
security_advisories: security_advisories
|
97
116
|
)
|
98
117
|
end
|
99
118
|
|
@@ -27,7 +27,8 @@ module Dependabot
|
|
27
27
|
VersionFinder.new(
|
28
28
|
dependency: dep,
|
29
29
|
dependency_files: dependency_files,
|
30
|
-
ignored_versions: ignored_versions
|
30
|
+
ignored_versions: ignored_versions,
|
31
|
+
security_advisories: []
|
31
32
|
).versions.
|
32
33
|
map { |v| v.fetch(:version) }.
|
33
34
|
include?(target_version)
|
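Review bot: `security_advisories: []` here only satisfies the new required keyword; this call goes through `versions`, and the advisory list is consulted only by `filter_vulnerable_versions` inside `lowest_security_fix_version_details` (later hunk), so the value cannot affect the `include?(target_version)` check. A short comment would stop a reader from assuming vulnerability filtering is being deliberately switched off for multi-dependency updates: `security_advisories: [] # not consulted by #versions; only #lowest_security_fix_version_details filters on advisories`. Alternatively, giving the keyword a default of `[]` in `VersionFinder#initialize` would make this change unnecessary. The enclosing method starts before this hunk.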
@@ -83,10 +84,6 @@ module Dependabot
|
|
83
84
|
dig(:metadata, :dependency_set)
|
84
85
|
end
|
85
86
|
|
86
|
-
def pom
|
87
|
-
dependency_files.find { |f| f.name == "pom.xml" }
|
88
|
-
end
|
89
|
-
|
90
87
|
def updated_requirements(dep)
|
91
88
|
@updated_requirements ||= {}
|
92
89
|
@updated_requirements[dep.name] ||=
|
@@ -14,39 +14,36 @@ module Dependabot
|
|
14
14
|
GOOGLE_MAVEN_REPO = "https://maven.google.com"
|
15
15
|
TYPE_SUFFICES = %w(jre android java).freeze
|
16
16
|
|
17
|
-
def initialize(dependency:, dependency_files:, ignored_versions
|
18
|
-
|
19
|
-
@
|
20
|
-
@
|
17
|
+
def initialize(dependency:, dependency_files:, ignored_versions:,
|
18
|
+
security_advisories:)
|
19
|
+
@dependency = dependency
|
20
|
+
@dependency_files = dependency_files
|
21
|
+
@ignored_versions = ignored_versions
|
22
|
+
@security_advisories = security_advisories
|
21
23
|
end
|
22
24
|
|
23
25
|
def latest_version_details
|
24
26
|
possible_versions = versions
|
25
27
|
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
end
|
28
|
+
possible_versions = filter_prereleases(possible_versions)
|
29
|
+
possible_versions = filter_date_based_versions(possible_versions)
|
30
|
+
possible_versions = filter_version_types(possible_versions)
|
31
|
+
possible_versions = filter_ignored_versions(possible_versions)
|
31
32
|
|
32
|
-
|
33
|
-
|
34
|
-
possible_versions.
|
35
|
-
reject { |v| v.fetch(:version) > version_class.new(1900) }
|
36
|
-
end
|
33
|
+
possible_versions.last
|
34
|
+
end
|
37
35
|
|
38
|
-
|
39
|
-
|
40
|
-
select { |v| matches_dependency_version_type?(v.fetch(:version)) }
|
36
|
+
def lowest_security_fix_version_details
|
37
|
+
possible_versions = versions
|
41
38
|
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
39
|
+
possible_versions = filter_prereleases(possible_versions)
|
40
|
+
possible_versions = filter_date_based_versions(possible_versions)
|
41
|
+
possible_versions = filter_version_types(possible_versions)
|
42
|
+
possible_versions = filter_ignored_versions(possible_versions)
|
43
|
+
possible_versions = filter_vulnerable_versions(possible_versions)
|
44
|
+
possible_versions = filter_lower_versions(possible_versions)
|
48
45
|
|
49
|
-
possible_versions.
|
46
|
+
possible_versions.first
|
50
47
|
end
|
51
48
|
|
52
49
|
def versions
|
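Review bot: `lowest_security_fix_version_details` is a new public method with a non-obvious contract and no comment; the pipeline it runs (prerelease, date-based, type, ignored, vulnerable and lower-version filters, then `.first`) means it answers "the lowest non-ignored version above the current one that no advisory marks vulnerable, or nil when none exists", and that deserves to be stated above the `def`: `# Lowest acceptable version above dependency.version that is not vulnerable per security_advisories; nil if none`. Separately, `security_advisories:` is now a required keyword with no default, so every VersionFinder caller must be updated (the multi-dependency updater in the earlier hunk passes `[]` only to satisfy it); `security_advisories: []` as the default would keep other callers working unchanged. The class body continues past the end of the hunk.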
@@ -65,7 +62,57 @@ module Dependabot
|
|
65
62
|
|
66
63
|
private
|
67
64
|
|
68
|
-
attr_reader :dependency, :dependency_files, :ignored_versions
|
65
|
+
attr_reader :dependency, :dependency_files, :ignored_versions,
|
66
|
+
:security_advisories
|
67
|
+
|
68
|
+
def filter_prereleases(possible_versions)
|
69
|
+
return possible_versions if wants_prerelease?
|
70
|
+
|
71
|
+
possible_versions.reject { |v| v.fetch(:version).prerelease? }
|
72
|
+
end
|
73
|
+
|
74
|
+
def filter_date_based_versions(possible_versions)
|
75
|
+
return possible_versions if wants_date_based_version?
|
76
|
+
|
77
|
+
possible_versions.
|
78
|
+
reject { |v| v.fetch(:version) > version_class.new(1900) }
|
79
|
+
end
|
80
|
+
|
81
|
+
def filter_version_types(possible_versions)
|
82
|
+
possible_versions.
|
83
|
+
select { |v| matches_dependency_version_type?(v.fetch(:version)) }
|
84
|
+
end
|
85
|
+
|
86
|
+
def filter_ignored_versions(possible_versions)
|
87
|
+
versions_array = possible_versions
|
88
|
+
|
89
|
+
ignored_versions.each do |req|
|
90
|
+
ignore_req = Gradle::Requirement.new(req.split(","))
|
91
|
+
versions_array =
|
92
|
+
versions_array.
|
93
|
+
reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
|
94
|
+
end
|
95
|
+
|
96
|
+
versions_array
|
97
|
+
end
|
98
|
+
|
99
|
+
def filter_vulnerable_versions(possible_versions)
|
100
|
+
versions_array = possible_versions
|
101
|
+
|
102
|
+
security_advisories.each do |advisory|
|
103
|
+
versions_array =
|
104
|
+
versions_array.
|
105
|
+
reject { |v| advisory.vulnerable?(v.fetch(:version)) }
|
106
|
+
end
|
107
|
+
|
108
|
+
versions_array
|
109
|
+
end
|
110
|
+
|
111
|
+
def filter_lower_versions(possible_versions)
|
112
|
+
possible_versions.select do |v|
|
113
|
+
v.fetch(:version) > version_class.new(dependency.version)
|
114
|
+
end
|
115
|
+
end
|
69
116
|
|
70
117
|
def wants_prerelease?
|
71
118
|
return false unless dependency.version
|
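Review bot: `filter_lower_versions` calls `version_class.new(dependency.version)` unguarded, while the context line closing the hunk (`return false unless dependency.version` in `wants_prerelease?`) shows this file expects `dependency.version` to be nil at times. Because `lowest_security_fix_version_details` in the earlier hunk always runs this filter, a dependency with no current version would raise from the version constructor — if `version_class.new` rejects nil, which should be verified — instead of returning nil like the other paths. A guard such as `return possible_versions unless dependency.version` at the top of the method avoids that; whether an unversioned dependency should then yield the lowest fixed version or nil is a policy choice worth a one-line comment. The enclosing class and `wants_prerelease?` continue outside the hunk.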
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-gradle
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.101.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.101.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.101.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: byebug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|