RubyGems - dependabot-hex - Versions diffs - 0.332.0 → 0.333.0 - Mend

dependabot-hex 0.332.0 → 0.333.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml +4 -4
data/lib/dependabot/hex/file_fetcher.rb +19 -5
data/lib/dependabot/hex/file_parser.rb +2 -0
data/lib/dependabot/hex/file_updater/lockfile_updater.rb +43 -9
data/lib/dependabot/hex/file_updater/mixfile_requirement_updater.rb +41 -13
data/lib/dependabot/hex/file_updater/mixfile_sanitizer.rb +1 -0
data/lib/dependabot/hex/file_updater/mixfile_updater.rb +20 -9
data/lib/dependabot/hex/file_updater.rb +1 -1
data/lib/dependabot/hex/requirement.rb +16 -5
data/lib/dependabot/hex/update_checker/file_preparer.rb +51 -13
data/lib/dependabot/hex/update_checker/requirements_updater.rb +50 -19
data/lib/dependabot/hex/update_checker/version_resolver.rb +49 -10
data/lib/dependabot/hex/update_checker.rb +15 -12
data/lib/dependabot/hex/version.rb +11 -4
metadata +6 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 65267b78a2189ab82e3a952dccb5468c5c786ee6f6dfc33e2bd0ed84161f136c
-  data.tar.gz: b7412fa72b891da510e724fcf372ae1f1f5a00836c093b78c5411fd8bd3d7f22
+  metadata.gz: f286072dcda605590c5ba5f897e77265f75e0fe9d8921cbe61340a4588cff115
+  data.tar.gz: 2a9ad6bb806461c48df4d401301752ab0a61aa0f602f7c3c4940634ccd7da268
 SHA512:
-  metadata.gz: a4230d09236ef6ceee11f6a9d0acf7ad846a80533ebeb9ea1069426a28eca6ec4b51e4eeb1e9ff473f08f44493768cbefccb2b6f1a039b33f35091f29567a71e
-  data.tar.gz: 4074991d5ae39a2789755ef025951816deca60d1e8e22ad849d9f949f817bde59a4909341cd29b4cbaa9f5cb706b2d02f3a663a34ef2adc6b7dc2148191374ef
+  metadata.gz: c16d7e0dd44dc71a9f3d2209062715588b5d238b8eb144eb63caeff4e0901448147fb423c8f6e90445af9bb6bdce5d8d8542e39ded0eaa6183513e5f7a98a4b7
+  data.tar.gz: 3af81cc43c90df269cd7ddb72c3e740e7e399324978abf48da0b6483bb9805b6a444f21d49a218f8e8fa9550a7b47e72a6ef7cb95eeba4bf5ee3f5516f3772d1

data/lib/dependabot/hex/file_fetcher.rb CHANGED Viewed

@@ -4,6 +4,7 @@
 require "sorbet-runtime"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
+require "dependabot/file_filtering"
 module Dependabot
   module Hex
@@ -34,7 +35,12 @@ module Dependabot
         fetched_files << lockfile if lockfile
         fetched_files += subapp_mixfiles
         fetched_files += support_files
-        fetched_files
+        # Apply final filtering to exclude any files that match the exclude_paths configuration
+        filtered_files = fetched_files.compact.reject do |file|
+          Dependabot::FileFiltering.should_exclude_path?(file.name, "file from final collection", @exclude_paths)
+        end
+        filtered_files
       end
       private
@@ -62,14 +68,22 @@ module Dependabot
                      &.named_captures&.fetch("path")
         return [] unless apps_path
-        repo_contents(dir: apps_path)
-          .select { |f| f.type == "dir" }
-          .map { |f| File.join(apps_path, f.name) }
+        directories = repo_contents(dir: apps_path)
+                      .select { |f| f.type == "dir" }
+                      .map { |f| File.join(apps_path, f.name) }
+        directories.reject do |dir|
+          Dependabot::FileFiltering.should_exclude_path?(dir, "umbrella app directory", @exclude_paths)
+        end
       end
       sig { returns(T::Array[String]) }
       def sub_project_directories
-        T.must(T.must(mixfile).content).scan(PATH_DEPS_REGEX).flatten
+        directories = T.must(T.must(mixfile).content).scan(PATH_DEPS_REGEX).flatten
+        directories.reject do |dir|
+          Dependabot::FileFiltering.should_exclude_path?(dir, "path dependency directory", @exclude_paths)
+        end
       end
       sig { returns(T::Array[Dependabot::DependencyFile]) }

data/lib/dependabot/hex/file_parser.rb CHANGED Viewed

@@ -17,8 +17,10 @@ require "dependabot/errors"
 module Dependabot
   module Hex
     extend T::Sig
     class FileParser < Dependabot::FileParsers::Base
       extend T::Sig
       require "dependabot/file_parsers/base/dependency_set"
       sig { override.returns(T::Array[Dependabot::Dependency]) }

data/lib/dependabot/hex/file_updater/lockfile_updater.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/hex/file_updater"
 require "dependabot/hex/file_updater/mixfile_updater"
 require "dependabot/hex/file_updater/mixfile_sanitizer"
@@ -14,13 +16,24 @@ module Dependabot
   module Hex
     class FileUpdater
       class LockfileUpdater
+        extend T::Sig
+        sig do
+          params(
+            dependencies: T::Array[Dependabot::Dependency],
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
         def initialize(dependencies:, dependency_files:, credentials:)
-          @dependencies = dependencies
-          @dependency_files = dependency_files
-          @credentials = credentials
+          @dependencies = T.let(dependencies, T::Array[Dependabot::Dependency])
+          @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
+          @credentials = T.let(credentials, T::Array[Dependabot::Credential])
         end
+        sig { returns(String) }
         def updated_lockfile_content
+          @updated_lockfile_content = T.let(@updated_lockfile_content, T.nilable(String))
           @updated_lockfile_content ||=
             SharedHelpers.in_a_temporary_directory do
               write_temporary_dependency_files
@@ -41,23 +54,32 @@ module Dependabot
         private
+        sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+        sig { returns(Dependabot::Dependency) }
         def dependency
           # For now, we'll only ever be updating a single dep for Elixir
-          dependencies.first
+          T.must(dependencies.first)
         end
+        sig { params(content: String).returns(String) }
         def post_process_lockfile(content)
-          return content unless lockfile.content.start_with?("%{\"")
+          lockfile_content = T.must(lockfile.content)
+          return content unless lockfile_content.start_with?("%{\"")
           return content if content.start_with?("%{\"")
           # Substitute back old file beginning and ending
           content.sub(/\A%\{\n  "/, "%{\"").sub("},\n}", "}}")
         end
+        sig { void }
         def write_temporary_dependency_files
           mixfiles.each do |file|
             path = file.name
@@ -65,21 +87,23 @@ module Dependabot
             File.write(path, mixfile_content_for_lockfile_generation(file))
           end
-          File.write("mix.lock", lockfile.content)
+          File.write("mix.lock", T.must(lockfile.content))
           dependency_files.select(&:support_file).each do |file|
             path = file.name
             FileUtils.mkdir_p(Pathname.new(path).dirname)
-            File.write(path, sanitize_mixfile(file.content))
+            File.write(path, sanitize_mixfile(T.must(file.content)))
           end
         end
+        sig { params(file: Dependabot::DependencyFile).returns(String) }
         def mixfile_content_for_lockfile_generation(file)
           content = updated_mixfile_content(file)
           content = lock_mixfile_dependency_versions(content, file.name)
           sanitize_mixfile(content)
         end
+        sig { params(file: Dependabot::DependencyFile).returns(String) }
         def updated_mixfile_content(file)
           MixfileUpdater.new(
             dependencies: dependencies,
@@ -87,6 +111,7 @@ module Dependabot
           ).updated_mixfile_content
         end
+        sig { params(mixfile_content: String, filename: String).returns(String) }
         def lock_mixfile_dependency_versions(mixfile_content, filename)
           dependencies
             .reduce(mixfile_content.dup) do |content, dep|
@@ -107,10 +132,12 @@ module Dependabot
             end
         end
+        sig { params(content: String).returns(String) }
         def sanitize_mixfile(content)
           MixfileSanitizer.new(mixfile_content: content).sanitized_content
         end
+        sig { returns(T::Hash[String, String]) }
         def mix_env
           {
             "MIX_EXS" => File.join(NativeHelpers.hex_helpers_dir, "mix.exs"),
@@ -118,20 +145,27 @@ module Dependabot
           }
         end
+        sig { returns(String) }
         def elixir_helper_path
           File.join(NativeHelpers.hex_helpers_dir, "lib/run.exs")
         end
+        sig { returns(String) }
         def elixir_helper_do_update_path
           File.join(NativeHelpers.hex_helpers_dir, "lib/do_update.exs")
         end
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def mixfiles
           dependency_files.select { |f| f.name.end_with?("mix.exs") }
         end
+        sig { returns(Dependabot::DependencyFile) }
         def lockfile
-          @lockfile ||= dependency_files.find { |f| f.name == "mix.lock" }
+          @lockfile ||= T.let(
+            T.must(dependency_files.find { |f| f.name == "mix.lock" }),
+            T.nilable(Dependabot::DependencyFile)
+          )
         end
       end
     end

data/lib/dependabot/hex/file_updater/mixfile_requirement_updater.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/hex/file_updater"
 require "dependabot/shared_helpers"
@@ -8,16 +10,28 @@ module Dependabot
   module Hex
     class FileUpdater
       class MixfileRequirementUpdater
+        extend T::Sig
+        sig do
+          params(
+            dependency_name: String,
+            mixfile_content: String,
+            previous_requirement: T.nilable(String),
+            updated_requirement: T.nilable(String),
+            insert_if_bare: T::Boolean
+          ).void
+        end
         def initialize(dependency_name:, mixfile_content:,
                        previous_requirement:, updated_requirement:,
                        insert_if_bare: false)
-          @dependency_name      = dependency_name
-          @mixfile_content      = mixfile_content
-          @previous_requirement = previous_requirement
-          @updated_requirement  = updated_requirement
-          @insert_if_bare       = insert_if_bare
+          @dependency_name      = T.let(dependency_name, String)
+          @mixfile_content      = T.let(mixfile_content, String)
+          @previous_requirement = T.let(previous_requirement, T.nilable(String))
+          @updated_requirement  = T.let(updated_requirement, T.nilable(String))
+          @insert_if_bare       = T.let(insert_if_bare, T::Boolean)
         end
+        sig { returns(String) }
         def updated_content
           updated_content = update_requirement(mixfile_content)
@@ -28,15 +42,24 @@ module Dependabot
         private
+        sig { returns(String) }
         attr_reader :dependency_name
+        sig { returns(String) }
         attr_reader :mixfile_content
+        sig { returns(T.nilable(String)) }
         attr_reader :previous_requirement
+        sig { returns(T.nilable(String)) }
         attr_reader :updated_requirement
+        sig { returns(T::Boolean) }
         def insert_if_bare?
-          !@insert_if_bare.nil?
+          @insert_if_bare
         end
+        sig { params(content: String).returns(String) }
         def update_requirement(content)
           return content if previous_requirement.nil? && !insert_if_bare?
@@ -44,28 +67,33 @@ module Dependabot
             if previous_requirement
               /
                 :#{Regexp.escape(dependency_name)}\s*,.*
-                #{Regexp.escape(previous_requirement)}
+                #{Regexp.escape(T.must(previous_requirement))}
               /x
             else
               /:#{Regexp.escape(dependency_name)}(,|\s|\})/
             end
           content.gsub(requirement_line_regex) do |requirement_line|
-            if previous_requirement
-              requirement_line.gsub(previous_requirement, updated_requirement)
-            else
+            if previous_requirement && updated_requirement
+              requirement_line.gsub(T.must(previous_requirement), T.must(updated_requirement))
+            elsif updated_requirement
               requirement_line.gsub(
                 ":#{dependency_name}",
-                ":#{dependency_name}, \"#{updated_requirement}\""
+                ":#{dependency_name}, \"#{T.must(updated_requirement)}\""
               )
+            else
+              # If we don't have an updated requirement, return the line unchanged
+              requirement_line
             end
           end
         end
+        sig { returns(T::Boolean) }
         def content_should_change?
           return false if previous_requirement == updated_requirement
+          return false if updated_requirement.nil? && !insert_if_bare?
-          previous_requirement || insert_if_bare?
+          !previous_requirement.nil? || insert_if_bare?
         end
       end
     end

data/lib/dependabot/hex/file_updater/mixfile_sanitizer.rb CHANGED Viewed

@@ -10,6 +10,7 @@ module Dependabot
     class FileUpdater
       class MixfileSanitizer
         extend T::Sig
         sig { params(mixfile_content: String).void }
         def initialize(mixfile_content:)
           @mixfile_content = mixfile_content

data/lib/dependabot/hex/file_updater/mixfile_updater.rb CHANGED Viewed

@@ -1,6 +1,7 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/hex/file_updater"
 require "dependabot/hex/file_updater/mixfile_requirement_updater"
 require "dependabot/hex/file_updater/mixfile_git_pin_updater"
@@ -9,15 +10,19 @@ module Dependabot
   module Hex
     class FileUpdater
       class MixfileUpdater
+        extend T::Sig
+        sig { params(mixfile: Dependabot::DependencyFile, dependencies: T::Array[Dependabot::Dependency]).void }
         def initialize(mixfile:, dependencies:)
-          @mixfile = mixfile
-          @dependencies = dependencies
+          @mixfile = T.let(mixfile, Dependabot::DependencyFile)
+          @dependencies = T.let(dependencies, T::Array[Dependabot::Dependency])
         end
+        sig { returns(String) }
         def updated_mixfile_content
           dependencies
             .select { |dep| requirement_changed?(mixfile, dep) }
-            .reduce(mixfile.content.dup) do |content, dep|
+            .reduce(T.must(mixfile.content).dup) do |content, dep|
               updated_content = content
               updated_content = update_requirement(
@@ -40,25 +45,30 @@ module Dependabot
         private
+        sig { returns(Dependabot::DependencyFile) }
         attr_reader :mixfile
+        sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
+        sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
         def requirement_changed?(file, dependency)
           changed_requirements =
-            dependency.requirements - dependency.previous_requirements
+            dependency.requirements - (dependency.previous_requirements || [])
           changed_requirements.any? { |f| f[:file] == file.name }
         end
+        sig { params(content: String, filename: String, dependency: Dependabot::Dependency).returns(String) }
         def update_requirement(content:, filename:, dependency:)
           updated_req =
             dependency.requirements.find { |r| r[:file] == filename }
-                      .fetch(:requirement)
+                      &.fetch(:requirement)
           old_req =
             dependency.previous_requirements
-                      .find { |r| r[:file] == filename }
-                      .fetch(:requirement)
+                      &.find { |r| r[:file] == filename }
+                      &.fetch(:requirement)
           return content unless old_req
@@ -70,6 +80,7 @@ module Dependabot
           ).updated_content
         end
+        sig { params(content: String, filename: String, dependency: Dependabot::Dependency).returns(String) }
         def update_git_pin(content:, filename:, dependency:)
           updated_pin =
             dependency.requirements.find { |r| r[:file] == filename }
@@ -77,7 +88,7 @@ module Dependabot
           old_pin =
             dependency.previous_requirements
-                      .find { |r| r[:file] == filename }
+                      &.find { |r| r[:file] == filename }
                       &.dig(:source, :ref)
           return content unless old_pin

data/lib/dependabot/hex/file_updater.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 require "dependabot/file_updaters"

data/lib/dependabot/hex/requirement.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "sorbet-runtime"
@@ -16,11 +16,16 @@ module Dependabot
       OR_SEPARATOR = /\s+or\s+/
       # Add the double-equality matcher to the list of allowed operations
-      OPS = OPS.merge("==" => ->(v, r) { v == r })
+      OPS = T.let(
+        OPS.merge("==" => lambda { |v, r|
+          v == r
+        }),
+        T::Hash[String, T.proc.params(arg0: Gem::Version, arg1: Gem::Version).returns(T::Boolean)]
+      )
       # Override the version pattern to allow local versions
-      quoted = OPS.keys.map { |k| Regexp.quote k }.join "|"
-      PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{Hex::Version::VERSION_PATTERN})\\s*".freeze
+      quoted = OPS.keys.map { |k| Regexp.quote k }.join("|")
+      PATTERN_RAW = T.let("\\s*(#{quoted})?\\s*(#{Hex::Version::VERSION_PATTERN})\\s*".freeze, String)
       PATTERN = /\A#{PATTERN_RAW}\z/
       # Returns an array of requirements. At least one requirement from the
@@ -35,6 +40,7 @@ module Dependabot
       # Patches Gem::Requirement to make it accept requirement strings like
       # "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
+      sig { params(requirements: T.any(String, T::Array[String])).void }
       def initialize(*requirements)
         requirements = requirements.flatten.flat_map do |req_string|
           req_string.split(",").map(&:strip)
@@ -44,6 +50,10 @@ module Dependabot
       end
       # Override the parser to create Hex::Versions
+      sig do
+        params(obj: T.any(String, Gem::Version))
+          .returns(T::Array[T.any(String, Gem::Version)])
+      end
       def self.parse(obj)
         return ["=", Hex::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
@@ -57,10 +67,11 @@ module Dependabot
         [matches[1] || "=", Hex::Version.new(T.must(matches[2]))]
       end
+      sig { params(version: T.any(String, Gem::Version, Dependabot::Version)).returns(T::Boolean) }
       def satisfied_by?(version)
         version = Hex::Version.new(version.to_s)
-        requirements.all? { |op, rv| (OPS[op] || OPS["="]).call(version, rv) }
+        requirements.all? { |op, rv| T.must(OPS[op] || OPS["="]).call(version, rv) }
       end
     end
   end

data/lib/dependabot/hex/update_checker/file_preparer.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "sorbet-runtime"
@@ -18,17 +18,27 @@ module Dependabot
       class FilePreparer
         extend T::Sig
+        sig do
+          params(
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            dependency: Dependabot::Dependency,
+            unlock_requirement: T.any(T.nilable(Symbol), T::Boolean),
+            replacement_git_pin: T.nilable(String),
+            latest_allowable_version: T.nilable(Gem::Version)
+          ).void
+        end
         def initialize(dependency_files:, dependency:,
                        unlock_requirement: true,
                        replacement_git_pin: nil,
                        latest_allowable_version: nil)
-          @dependency_files = dependency_files
-          @dependency = dependency
-          @unlock_requirement = unlock_requirement
-          @replacement_git_pin = replacement_git_pin
-          @latest_allowable_version = latest_allowable_version
+          @dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
+          @dependency = T.let(dependency, Dependabot::Dependency)
+          @unlock_requirement = T.let(unlock_requirement ? true : false, T::Boolean)
+          @replacement_git_pin = T.let(replacement_git_pin, T.nilable(String))
+          @latest_allowable_version = T.let(latest_allowable_version, T.nilable(Gem::Version))
         end
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def prepared_dependency_files
           files = []
           files += mixfiles.map do |file|
@@ -45,21 +55,31 @@ module Dependabot
         private
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+        sig { returns(Dependabot::Dependency) }
         attr_reader :dependency
+        sig { returns(T.nilable(String)) }
         attr_reader :replacement_git_pin
+        sig { returns(T.nilable(Gem::Version)) }
         attr_reader :latest_allowable_version
+        sig { returns(T::Boolean) }
         def unlock_requirement?
           @unlock_requirement
         end
+        sig { returns(T::Boolean) }
         def replace_git_pin?
           !replacement_git_pin.nil?
         end
+        sig { params(file: Dependabot::DependencyFile).returns(String) }
         def mixfile_content_for_update_check(file)
-          content = file.content
+          content = T.must(file.content)
           return sanitize_mixfile(content) unless dependency_appears_in_file?(file.name)
@@ -69,10 +89,11 @@ module Dependabot
           sanitize_mixfile(content)
         end
+        sig { params(content: String, filename: String).returns(String) }
         def relax_version(content, filename:)
           old_requirement =
             dependency.requirements.find { |r| r.fetch(:file) == filename }
-                      .fetch(:requirement)
+                      &.fetch(:requirement)
           updated_requirement = updated_version_requirement_string(filename)
           Hex::FileUpdater::MixfileRequirementUpdater.new(
@@ -80,10 +101,11 @@ module Dependabot
             mixfile_content: content,
             previous_requirement: old_requirement,
             updated_requirement: updated_requirement,
-            insert_if_bare: updated_requirement && updated_requirement != ">= 0"
+            insert_if_bare: !updated_requirement.nil?
           ).updated_content
         end
+        sig { params(filename: String).returns(T.nilable(String)) }
         def updated_version_requirement_string(filename)
           lower_bound_req = updated_version_req_lower_bound(filename)
@@ -96,6 +118,7 @@ module Dependabot
         # rubocop:disable Metrics/AbcSize
         # rubocop:disable Metrics/PerceivedComplexity
         # rubocop:disable Metrics/CyclomaticComplexity
+        sig { params(filename: String).returns(String) }
         def updated_version_req_lower_bound(filename)
           original_req = dependency.requirements
                                    .find { |r| r.fetch(:file) == filename }
@@ -126,6 +149,7 @@ module Dependabot
         # rubocop:enable Metrics/CyclomaticComplexity
         # rubocop:enable Metrics/AbcSize
+        sig { params(content: String, filename: String).returns(String) }
         def replace_git_pin(content, filename:)
           old_pin =
             dependency.requirements.find { |r| r.fetch(:file) == filename }
@@ -138,16 +162,18 @@ module Dependabot
             dependency_name: dependency.name,
             mixfile_content: content,
             previous_pin: old_pin,
-            updated_pin: replacement_git_pin
+            updated_pin: T.must(replacement_git_pin)
           ).updated_content
         end
+        sig { params(content: String).returns(String) }
         def sanitize_mixfile(content)
           Hex::FileUpdater::MixfileSanitizer.new(
             mixfile_content: content
           ).sanitized_content
         end
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def mixfiles
           mixfiles =
             dependency_files
@@ -157,14 +183,23 @@ module Dependabot
           mixfiles
         end
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def lockfile
-          @lockfile ||= dependency_files.find { |f| f.name == "mix.lock" }
+          @lockfile ||= T.let(
+            dependency_files.find { |f| f.name == "mix.lock" },
+            T.nilable(Dependabot::DependencyFile)
+          )
         end
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def support_files
-          @support_files ||= dependency_files.select(&:support_file)
+          @support_files ||= T.let(
+            dependency_files.select(&:support_file),
+            T.nilable(T::Array[Dependabot::DependencyFile])
+          )
         end
+        sig { returns(T::Boolean) }
         def wants_prerelease?
           current_version = dependency.version
           if current_version &&
@@ -178,14 +213,17 @@ module Dependabot
           end
         end
+        sig { returns(T.class_of(Dependabot::Version)) }
         def version_class
           dependency.version_class
         end
+        sig { returns(Regexp) }
         def version_regex
-          Dependabot::Hex::Version::VERSION_PATTERN
+          Regexp.new(Dependabot::Hex::Version::VERSION_PATTERN)
         end
+        sig { params(file_name: String).returns(T::Boolean) }
         def dependency_appears_in_file?(file_name)
           dependency.requirements.any? { |r| r[:file] == file_name }
         end

data/lib/dependabot/hex/update_checker/requirements_updater.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/hex/version"
 require "dependabot/hex/requirement"
 require "dependabot/hex/update_checker"
@@ -9,34 +11,50 @@ module Dependabot
   module Hex
     class UpdateChecker
       class RequirementsUpdater
+        extend T::Sig
         OPERATORS = />=|<=|>|<|==|~>/
         AND_SEPARATOR = /\s+and\s+/
         OR_SEPARATOR = /\s+or\s+/
         SEPARATOR = /#{AND_SEPARATOR}|#{OR_SEPARATOR}/
+        sig do
+          params(
+            requirements: T::Array[T::Hash[Symbol, T.untyped]],
+            latest_resolvable_version: T.nilable(String),
+            updated_source: T.nilable(T::Hash[Symbol, T.nilable(String)])
+          ).void
+        end
         def initialize(requirements:, latest_resolvable_version:,
                        updated_source:)
-          @requirements = requirements
-          @updated_source = updated_source
+          @requirements = T.let(requirements, T::Array[T::Hash[Symbol, T.untyped]])
+          @updated_source = T.let(updated_source, T.nilable(T::Hash[Symbol, T.nilable(String)]))
+          @latest_resolvable_version = T.let(nil, T.nilable(Dependabot::Version))
           return unless latest_resolvable_version
           return unless Hex::Version.correct?(latest_resolvable_version)
-          @latest_resolvable_version =
-            Hex::Version.new(latest_resolvable_version)
+          @latest_resolvable_version = Hex::Version.new(latest_resolvable_version)
         end
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements
           requirements.map { |req| updated_mixfile_requirement(req) }
         end
         private
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         attr_reader :requirements
+        sig { returns(T.nilable(Dependabot::Version)) }
         attr_reader :latest_resolvable_version
+        sig { returns(T.nilable(T::Hash[Symbol, T.nilable(String)])) }
         attr_reader :updated_source
         # rubocop:disable Metrics/PerceivedComplexity
         # rubocop:disable Metrics/AbcSize
+        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
         def updated_mixfile_requirement(req)
           req = update_source(req)
           return req unless latest_resolvable_version && req[:requirement]
@@ -49,10 +67,10 @@ module Dependabot
           new_requirement =
             if last_string_reqs.any? { |r| r.match(/^(?:\d|=)/) }
               exact_req = last_string_reqs.find { |r| r.match(/^(?:\d|=)/) }
-              update_exact_version(exact_req, latest_resolvable_version).to_s
+              update_exact_version(exact_req, T.must(latest_resolvable_version)).to_s
             elsif last_string_reqs.any? { |r| r.start_with?("~>") }
               tw_req = last_string_reqs.find { |r| r.start_with?("~>") }
-              update_twiddle_version(tw_req, latest_resolvable_version).to_s
+              update_twiddle_version(tw_req, T.must(latest_resolvable_version)).to_s
             else
               update_mixfile_range(last_string_reqs).map(&:to_s).join(" and ")
             end
@@ -64,6 +82,7 @@ module Dependabot
         # rubocop:enable Metrics/AbcSize
         # rubocop:enable Metrics/PerceivedComplexity
+        sig { params(requirement_hash: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
         def update_source(requirement_hash)
           # Only git sources ever need to be updated. Anything else should be
           # left alone.
@@ -72,15 +91,18 @@ module Dependabot
           requirement_hash.merge(source: updated_source)
         end
+        sig { params(requirement_string: String).returns(T::Boolean) }
         def req_satisfied_by_latest_resolvable?(requirement_string)
           ruby_requirements(requirement_string)
-            .any? { |r| r.satisfied_by?(latest_resolvable_version) }
+            .any? { |r| r.satisfied_by?(T.must(latest_resolvable_version)) }
         end
+        sig { params(requirement_string: String).returns(T::Array[Hex::Requirement]) }
         def ruby_requirements(requirement_string)
           requirement_class.requirements_array(requirement_string)
         end
+        sig { params(previous_req: String, new_version: Dependabot::Version).returns(String) }
         def update_exact_version(previous_req, new_version)
           op = previous_req.match(OPERATORS).to_s
           old_version =
@@ -89,6 +111,7 @@ module Dependabot
           "#{op} #{updated_version}".strip
         end
+        sig { params(previous_req: String, new_version: Dependabot::Version).returns(Hex::Requirement) }
         def update_twiddle_version(previous_req, new_version)
           previous_req = requirement_class.new(previous_req)
           old_version = previous_req.requirements.first.last
@@ -96,15 +119,16 @@ module Dependabot
           requirement_class.new("~> #{updated_version}")
         end
+        sig { params(requirements: T::Array[String]).returns(T::Array[Hex::Requirement]) }
         def update_mixfile_range(requirements)
           requirements = requirements.map { |r| requirement_class.new(r) }
           updated_requirements =
             requirements.flat_map do |r|
-              next r if r.satisfied_by?(latest_resolvable_version)
+              next r if r.satisfied_by?(T.must(latest_resolvable_version))
               case op = r.requirements.first.first
               when "<", "<="
-                [update_greatest_version(r, latest_resolvable_version)]
+                [update_greatest_version(r, T.must(latest_resolvable_version))]
               when "!="
                 []
               else
@@ -116,6 +140,7 @@ module Dependabot
           binding_requirements(updated_requirements)
         end
+        sig { params(new_version: Dependabot::Version, old_version: Dependabot::Version).returns(String) }
         def at_same_precision(new_version, old_version)
           precision = old_version.to_s.split(".").count
           new_version.to_s.split(".").first(precision).join(".")
@@ -123,11 +148,10 @@ module Dependabot
         # Updates the version in a "<" or "<=" constraint to allow the given
         # version
+        sig do
+          params(requirement: Hex::Requirement, version_to_be_permitted: Dependabot::Version).returns(Hex::Requirement)
+        end
         def update_greatest_version(requirement, version_to_be_permitted)
-          if version_to_be_permitted.is_a?(String)
-            version_to_be_permitted =
-              Hex::Version.new(version_to_be_permitted)
-          end
           op, version = requirement.requirements.first
           version = version.release if version.prerelease?
@@ -138,7 +162,7 @@ module Dependabot
             if index < index_to_update
               version_to_be_permitted.segments[index]
             elsif index == index_to_update
-              version_to_be_permitted.segments[index] + 1
+              version_to_be_permitted.segments[index].to_i + 1
             else
               0
             end
@@ -147,22 +171,29 @@ module Dependabot
           requirement_class.new("#{op} #{new_segments.join('.')}")
         end
+        sig { params(requirements: T::Array[Hex::Requirement]).returns(T::Array[Hex::Requirement]) }
         def binding_requirements(requirements)
           grouped_by_operator =
             requirements.group_by { |r| r.requirements.first.first }
           binding_reqs = grouped_by_operator.flat_map do |operator, reqs|
             case operator
-            when "<", "<=" then reqs.min_by { |r| r.requirements.first.last }
-            when ">", ">=" then reqs.max_by { |r| r.requirements.first.last }
-            else requirements
+            when "<", "<="
+              min_req = reqs.min_by { |r| r.requirements.first.last }
+              min_req ? [min_req] : []
+            when ">", ">="
+              max_req = reqs.max_by { |r| r.requirements.first.last }
+              max_req ? [max_req] : []
+            else
+              requirements
             end
-          end.uniq
+          end.uniq.compact
           binding_reqs << requirement_class.new if binding_reqs.empty?
           binding_reqs.sort_by { |r| r.requirements.first.last }
         end
+        sig { returns(T.class_of(Hex::Requirement)) }
         def requirement_class
           Hex::Requirement
         end

data/lib/dependabot/hex/update_checker/version_resolver.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/hex/version"
 require "dependabot/hex/update_checker"
 require "dependabot/hex/credential_helpers"
@@ -13,25 +15,45 @@ module Dependabot
   module Hex
     class UpdateChecker
       class VersionResolver
+        extend T::Sig
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            credentials: T::Array[Dependabot::Credential],
+            original_dependency_files: T::Array[Dependabot::DependencyFile],
+            prepared_dependency_files: T::Array[Dependabot::DependencyFile]
+          ).void
+        end
         def initialize(dependency:, credentials:,
                        original_dependency_files:, prepared_dependency_files:)
-          @dependency = dependency
-          @original_dependency_files = original_dependency_files
-          @prepared_dependency_files = prepared_dependency_files
-          @credentials = credentials
+          @dependency = T.let(dependency, Dependabot::Dependency)
+          @original_dependency_files = T.let(original_dependency_files, T::Array[Dependabot::DependencyFile])
+          @prepared_dependency_files = T.let(prepared_dependency_files, T::Array[Dependabot::DependencyFile])
+          @credentials = T.let(credentials, T::Array[Dependabot::Credential])
+          @latest_resolvable_version = T.let(nil, T.nilable(T.any(Dependabot::Version, String, T::Boolean)))
         end
+        sig { returns(T.nilable(T.any(Dependabot::Version, String, T::Boolean))) }
         def latest_resolvable_version
           @latest_resolvable_version ||= fetch_latest_resolvable_version
         end
         private
+        sig { returns(Dependabot::Dependency) }
         attr_reader :dependency
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :original_dependency_files
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :prepared_dependency_files
+        sig { returns(T.nilable(T.any(Dependabot::Version, String, T::Boolean))) }
         def fetch_latest_resolvable_version
           latest_resolvable_version =
             SharedHelpers.in_a_temporary_directory do
@@ -51,6 +73,7 @@ module Dependabot
           handle_hex_errors(e)
         end
+        sig { returns(String) }
         def run_elixir_update_checker
           SharedHelpers.run_helper_subprocess(
             env: mix_env,
@@ -61,6 +84,10 @@ module Dependabot
           )
         end
+        sig do
+          params(error: Dependabot::SharedHelpers::HelperSubprocessFailed)
+            .returns(T.nilable(T.any(Dependabot::Version, String, T::Boolean)))
+        end
         def handle_hex_errors(error)
           if (match = error.message.match(/No authenticated organization found for (?<repo>[a-z_]+)\./))
             raise Dependabot::PrivateSourceAuthenticationFailure, match[:repo]
@@ -98,25 +125,31 @@ module Dependabot
           raise error
         end
+        sig do
+          params(error: Dependabot::SharedHelpers::HelperSubprocessFailed).returns(T.any(Dependabot::Version, String,
+                                                                                         T::Boolean))
+        end
         def error_result(error)
           return false unless includes_result?(error)
-          result_json = error.message&.split("\n")&.last
-          result = JSON.parse(result_json)["result"]
+          result_json = error.message.split("\n").last
+          result = JSON.parse(T.must(result_json))["result"]
           return version_class.new(result) if version_class.correct?(result)
           result
         end
+        sig { params(error: Dependabot::SharedHelpers::HelperSubprocessFailed).returns(T::Boolean) }
         def includes_result?(error)
-          result = error.message&.split("\n")&.last
+          result = error.message.split("\n").last
           return false unless result
-          JSON.parse(error.message&.split("\n")&.last).key?("result")
+          JSON.parse(result).key?("result")
         rescue JSON::ParserError
           false
         end
+        sig { returns(T.any(T::Boolean, Dependabot::Version, String)) }
         def check_original_requirements_resolvable
           SharedHelpers.in_a_temporary_directory do
             write_temporary_sanitized_dependency_files(prepared: false)
@@ -141,6 +174,7 @@ module Dependabot
           raise Dependabot::DependencyFileNotResolvable, e.message
         end
+        sig { params(prepared: T::Boolean).void }
         def write_temporary_sanitized_dependency_files(prepared: true)
           files = if prepared then prepared_dependency_files
                   else
@@ -150,20 +184,23 @@ module Dependabot
           files.each do |file|
             path = file.name
             FileUtils.mkdir_p(Pathname.new(path).dirname)
-            File.write(path, sanitize_mixfile(file.content))
+            File.write(path, sanitize_mixfile(T.must(file.content)))
           end
         end
+        sig { params(content: String).returns(String) }
         def sanitize_mixfile(content)
           Hex::FileUpdater::MixfileSanitizer.new(
             mixfile_content: content
           ).sanitized_content
         end
+        sig { returns(T.class_of(Dependabot::Version)) }
         def version_class
           dependency.version_class
         end
+        sig { returns(T::Hash[String, String]) }
         def mix_env
           {
             "MIX_EXS" => File.join(NativeHelpers.hex_helpers_dir, "mix.exs"),
@@ -171,10 +208,12 @@ module Dependabot
           }
         end
+        sig { returns(String) }
         def elixir_helper_path
           File.join(NativeHelpers.hex_helpers_dir, "lib/run.exs")
         end
+        sig { returns(String) }
         def elixir_helper_check_update_path
           File.join(NativeHelpers.hex_helpers_dir, "lib/check_update.exs")
         end

data/lib/dependabot/hex/update_checker.rb CHANGED Viewed

@@ -13,6 +13,7 @@ module Dependabot
   module Hex
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       extend T::Sig
       require_relative "update_checker/file_preparer"
       require_relative "update_checker/requirements_updater"
       require_relative "update_checker/version_resolver"
@@ -20,26 +21,26 @@ module Dependabot
       sig { override.returns(T.nilable(T.any(String, Dependabot::Version, Gem::Version))) }
       def latest_version
-        @latest_version = T.let(nil, T.nilable(T.any(String, Dependabot::Version, Gem::Version)))
-        @latest_version ||=
+        @latest_version ||= T.let(
           if git_dependency?
             latest_version_for_git_dependency
           else
             latest_release_from_hex_registry || latest_resolvable_version
-          end
+          end,
+          T.nilable(T.any(String, Dependabot::Version, Gem::Version))
+        )
       end
       sig { override.returns(T.nilable(T.any(String, Dependabot::Version, Gem::Version))) }
       def latest_resolvable_version
-        @latest_resolvable_version = T.let(nil, T.nilable(T.any(String, Dependabot::Version, Gem::Version)))
-        @latest_resolvable_version ||=
+        @latest_resolvable_version ||= T.let(
           if git_dependency?
             latest_resolvable_version_for_git_dependency
           else
             fetch_latest_resolvable_version(unlock_requirement: true)
-          end
+          end,
+          T.nilable(T.any(String, Dependabot::Version, Gem::Version))
+        )
       end
       sig { override.returns(T.any(String, T.nilable(Dependabot::Version))) }
@@ -157,11 +158,13 @@ module Dependabot
         ).latest_resolvable_version
         @git_tag_resolvable = !resolver_result.nil?
+        @git_tag_resolvable
       rescue SharedHelpers::HelperSubprocessFailed,
              Dependabot::DependencyFileNotResolvable => e
         raise e unless e.message.include?("resolution failed")
         @git_tag_resolvable = T.let(false, T.nilable(T::Boolean))
+        false
       end
       sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
@@ -247,13 +250,13 @@ module Dependabot
       sig { returns(Dependabot::GitCommitChecker) }
       def git_commit_checker
-        @git_commit_checker = T.let(nil, T.nilable(Dependabot::GitCommitChecker))
-        @git_commit_checker ||=
+        @git_commit_checker ||= T.let(
           GitCommitChecker.new(
             dependency: dependency,
             credentials: credentials
-          )
+          ),
+          T.nilable(Dependabot::GitCommitChecker)
+        )
       end
     end
   end

data/lib/dependabot/hex/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "sorbet-runtime"
@@ -15,33 +15,40 @@ module Dependabot
     class Version < Dependabot::Version
       extend T::Sig
+      sig { returns(T.nilable(String)) }
       attr_reader :build_info
-      VERSION_PATTERN = Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?'
-      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
+      VERSION_PATTERN = T.let(Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?', String)
+      ANCHORED_VERSION_PATTERN = T.let(/\A\s*(#{VERSION_PATTERN})?\s*\z/, Regexp)
+      sig { override.params(version: VersionParameter).returns(T::Boolean) }
       def self.correct?(version)
         return false if version.nil?
         version.to_s.match?(ANCHORED_VERSION_PATTERN)
       end
+      sig { override.params(version: VersionParameter).void }
       def initialize(version)
-        @version_string = version.to_s
+        @version_string = T.let(version.to_s, String)
         version, @build_info = version.to_s.split("+") if version.to_s.include?("+")
+        @build_info = T.let(@build_info, T.nilable(String))
         super
       end
+      sig { override.returns(String) }
       def to_s
         @version_string
       end
+      sig { override.returns(String) }
       def inspect # :nodoc:
         "#<#{self.class} #{@version_string}>"
       end
+      sig { params(other: T.untyped).returns(T.nilable(Integer)) }
       def <=>(other)
         version_comparison = super
         return version_comparison unless version_comparison&.zero?

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-hex
 version: !ruby/object:Gem::Version
-  version: 0.332.0
+  version: 0.333.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.332.0
+        version: 0.333.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.332.0
+        version: 0.333.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -211,14 +211,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.25'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.25'
 - !ruby/object:Gem::Dependency
   name: webrick
   requirement: !ruby/object:Gem::Requirement
@@ -274,7 +274,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.332.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.333.0
 rdoc_options: []
 require_paths:
 - lib