RubyGems - dependabot-hex - Versions diffs - 0.88.0 - Mend

dependabot-hex 0.88.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

checksums.yaml +7 -0
data/helpers/build +19 -0
data/helpers/deps/jason/.fetch +0 -0
data/helpers/deps/jason/.hex +2 -0
data/helpers/deps/jason/CHANGELOG.md +60 -0
data/helpers/deps/jason/LICENSE +13 -0
data/helpers/deps/jason/README.md +179 -0
data/helpers/deps/jason/hex_metadata.config +20 -0
data/helpers/deps/jason/lib/codegen.ex +158 -0
data/helpers/deps/jason/lib/decoder.ex +657 -0
data/helpers/deps/jason/lib/encode.ex +630 -0
data/helpers/deps/jason/lib/encoder.ex +216 -0
data/helpers/deps/jason/lib/formatter.ex +253 -0
data/helpers/deps/jason/lib/fragment.ex +11 -0
data/helpers/deps/jason/lib/helpers.ex +90 -0
data/helpers/deps/jason/lib/jason.ex +228 -0
data/helpers/deps/jason/mix.exs +92 -0
data/helpers/lib/check_update.exs +92 -0
data/helpers/lib/do_update.exs +39 -0
data/helpers/lib/parse_deps.exs +103 -0
data/helpers/lib/run.exs +76 -0
data/helpers/mix.exs +21 -0
data/helpers/mix.lock +3 -0
data/lib/dependabot/hex.rb +11 -0
data/lib/dependabot/hex/file_fetcher.rb +79 -0
data/lib/dependabot/hex/file_parser.rb +125 -0
data/lib/dependabot/hex/file_updater.rb +71 -0
data/lib/dependabot/hex/file_updater/lockfile_updater.rb +142 -0
data/lib/dependabot/hex/file_updater/mixfile_git_pin_updater.rb +51 -0
data/lib/dependabot/hex/file_updater/mixfile_requirement_updater.rb +72 -0
data/lib/dependabot/hex/file_updater/mixfile_sanitizer.rb +26 -0
data/lib/dependabot/hex/file_updater/mixfile_updater.rb +94 -0
data/lib/dependabot/hex/metadata_finder.rb +70 -0
data/lib/dependabot/hex/native_helpers.rb +20 -0
data/lib/dependabot/hex/requirement.rb +53 -0
data/lib/dependabot/hex/update_checker.rb +275 -0
data/lib/dependabot/hex/update_checker/file_preparer.rb +191 -0
data/lib/dependabot/hex/update_checker/requirements_updater.rb +173 -0
data/lib/dependabot/hex/update_checker/version_resolver.rb +170 -0
data/lib/dependabot/hex/version.rb +67 -0
metadata +208 -0

data/helpers/lib/do_update.exs ADDED

@@ -0,0 +1,39 @@
+[dependency_name | credentials] = System.argv()
+grouped_creds = Enum.reduce credentials, [], fn cred, acc ->
+  if List.last(acc) == nil || List.last(acc)[:token] do
+    List.insert_at(acc, -1, %{ organization: cred })
+  else
+    { item, acc } = List.pop_at(acc, -1)
+    item = Map.put(item, :token, cred)
+    List.insert_at(acc, -1, item)
+  end
+end
+Enum.each grouped_creds, fn cred ->
+  hexpm = Hex.Repo.get_repo("hexpm")
+  repo = %{
+    url: hexpm.url <> "/repos/#{cred.organization}",
+    public_key: nil,
+    auth_key: cred.token
+  }
+  Hex.Config.read()
+  |> Hex.Config.read_repos()
+  |> Map.put("hexpm:#{cred.organization}", repo)
+  |> Hex.Config.update_repos()
+end
+# dependency atom
+dependency = String.to_atom(dependency_name)
+# Fetch dependencies that needs updating
+{dependency_lock, rest_lock} = Map.split(Mix.Dep.Lock.read(), [dependency])
+Mix.Dep.Fetcher.by_name([dependency_name], dependency_lock, rest_lock, [])
+lockfile_content =
+  "mix.lock"
+  |> File.read()
+  |> :erlang.term_to_binary()
+IO.write(:stdio, lockfile_content)

data/helpers/lib/parse_deps.exs ADDED

@@ -0,0 +1,103 @@
+defmodule Parser do
+  def run do
+    Mix.Dep.load_on_environment([])
+    |> Enum.flat_map(&parse_dep/1)
+    |> Enum.map(&build_dependency(&1.opts[:lock], &1))
+  end
+  defp build_dependency(nil, dep) do
+    %{
+      name: dep.app,
+      from: Path.relative_to_cwd(dep.from),
+      groups: [],
+      requirement: normalise_requirement(dep.requirement),
+      top_level: dep.top_level || umbrella_top_level_dep?(dep)
+    }
+  end
+  defp build_dependency(lock, dep) do
+    {version, checksum, source} = parse_lock(lock)
+    groups = parse_groups(dep.opts[:only])
+    %{
+      name: dep.app,
+      from: Path.relative_to_cwd(dep.from),
+      version: version,
+      groups: groups,
+      checksum: checksum,
+      requirement: normalise_requirement(dep.requirement),
+      source: source,
+      top_level: dep.top_level || umbrella_top_level_dep?(dep)
+    }
+  end
+  defp parse_groups(nil), do: []
+  defp parse_groups(only) when is_list(only), do: only
+  defp parse_groups(only), do: [only]
+  # path dependency
+  defp parse_dep(%{scm: Mix.SCM.Path, opts: opts} = dep) do
+    cond do
+      # umbrella dependency - ignore
+      opts[:in_umbrella] ->
+        []
+      # umbrella application
+      opts[:from_umbrella] ->
+        Enum.reject(dep.deps, fn dep -> dep.opts[:in_umbrella] end)
+      true ->
+        []
+    end
+  end
+  # hex, git dependency
+  defp parse_dep(%{scm: scm} = dep) when scm in [Hex.SCM, Mix.SCM.Git], do: [dep]
+  # unsupported
+  defp parse_dep(_dep), do: []
+  defp umbrella_top_level_dep?(dep) do
+    if Mix.Project.umbrella?() do
+      apps_paths = Path.expand(Mix.Project.config()[:apps_path], File.cwd!())
+      String.contains?(Path.dirname(Path.dirname(dep.from)), apps_paths)
+    else
+      false
+    end
+  end
+  defp parse_lock({:git, repo_url, checksum, opts}),
+    do: {nil, checksum, git_source(repo_url, opts)}
+  defp parse_lock({:hex, _app, version, checksum, _managers, _dependencies, _source}),
+    do: {version, checksum, nil}
+  defp parse_lock({:hex, _app, version, checksum, _managers, _dependencies}),
+    do: {version, checksum, nil}
+  defp normalise_requirement(req) do
+    req
+    |> maybe_regex_to_str()
+    |> empty_str_to_nil()
+  end
+  defp maybe_regex_to_str(s), do: if Regex.regex?(s), do: Regex.source(s), else: s
+  defp empty_str_to_nil(""), do: nil
+  defp empty_str_to_nil(s), do: s
+  def git_source(repo_url, opts) do
+    ref = opts[:ref] || opts[:tag]
+    ref = if is_list(ref), do: to_string(ref), else: ref
+    %{
+      type: "git",
+      url: repo_url,
+      branch: opts[:branch] || "master",
+      ref: ref
+    }
+  end
+end
+dependencies = :erlang.term_to_binary({:ok, Parser.run()})
+IO.write(:stdio, dependencies)

data/helpers/lib/run.exs ADDED

@@ -0,0 +1,76 @@
+defmodule DependencyHelper do
+  def main() do
+    IO.read(:stdio, :all)
+    |> Jason.decode!()
+    |> run()
+    |> case do
+      {output, 0} ->
+        if output =~ "No authenticated organization found" do
+          {:error, output}
+        else
+          {:ok, :erlang.binary_to_term(output)}
+        end
+      {error, 1} -> {:error, error}
+    end
+    |> handle_result()
+  end
+  defp handle_result({:ok, {:ok, result}}) do
+    encode_and_write(%{"result" => result})
+  end
+  defp handle_result({:ok, {:error, reason}}) do
+    encode_and_write(%{"error" => reason})
+    System.halt(1)
+  end
+  defp handle_result({:error, reason}) do
+    encode_and_write(%{"error" => reason})
+    System.halt(1)
+  end
+  defp encode_and_write(content) do
+    content
+    |> Jason.encode!()
+    |> IO.write()
+  end
+  defp run(%{"function" => "parse", "args" => [dir]}) do
+    run_script("parse_deps.exs", dir)
+  end
+  defp run(%{"function" => "get_latest_resolvable_version", "args" => [dir, dependency_name, credentials]}) do
+    run_script("check_update.exs", dir, [dependency_name] ++ credentials)
+  end
+  defp run(%{"function" => "get_updated_lockfile", "args" => [dir, dependency_name, credentials]}) do
+    run_script("do_update.exs", dir, [dependency_name] ++ credentials)
+  end
+  defp run_script(script, dir, args \\ []) do
+    args = [
+      "run",
+      "--no-deps-check",
+      "--no-start",
+      "--no-compile",
+      "--no-elixir-version-check",
+      script
+    ] ++ args
+    System.cmd(
+      "mix",
+      args,
+      [
+        cd: dir,
+        env: %{
+          "MIX_EXS" => nil,
+          "MIX_LOCK" => nil,
+          "MIX_DEPS" => nil
+        }
+      ]
+    )
+  end
+end
+DependencyHelper.main()

data/helpers/mix.exs ADDED

@@ -0,0 +1,21 @@
+defmodule DependabotCore.Mixfile do
+  use Mix.Project
+  def project do
+    [app: :dependabot_core,
+     version: "0.1.0",
+     elixir: "~> 1.5",
+     start_permanent: Mix.env == :prod,
+     lockfile: System.get_env("MIX_LOCK") || "mix.lock",
+     deps_path: System.get_env("MIX_DEPS") || "deps",
+     deps: deps()]
+  end
+  def application do
+    [extra_applications: [:logger]]
+  end
+  defp deps() do
+    [{:jason, "~> 1.0-rc"}]
+  end
+end

data/helpers/mix.lock ADDED

@@ -0,0 +1,3 @@
+%{
+  "jason": {:hex, :jason, "1.1.2", "b03dedea67a99223a2eaf9f1264ce37154564de899fd3d8b9a21b1a6fd64afe7", [:mix], [{:decimal, "~> 1.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm"},
+}

data/lib/dependabot/hex.rb ADDED

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/hex/file_fetcher"
+require "dependabot/hex/file_parser"
+require "dependabot/hex/update_checker"
+require "dependabot/hex/file_updater"
+require "dependabot/hex/metadata_finder"
+require "dependabot/hex/requirement"
+require "dependabot/hex/version"

data/lib/dependabot/hex/file_fetcher.rb ADDED

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+module Dependabot
+  module Hex
+    class FileFetcher < Dependabot::FileFetchers::Base
+      APPS_PATH_REGEX = /apps_path:\s*"(?<path>.*?)"/m.freeze
+      STRING_ARG = %{(?:["'](.*?)["'])}
+      EVAL_FILE = /Code\.eval_file\(#{STRING_ARG}(?:\s*,\s*#{STRING_ARG})?\)/.
+                  freeze
+      def self.required_files_in?(filenames)
+        filenames.include?("mix.exs")
+      end
+      def self.required_files_message
+        "Repo must contain a mix.exs."
+      end
+      private
+      def fetch_files
+        fetched_files = []
+        fetched_files << mixfile
+        fetched_files << lockfile if lockfile
+        fetched_files += subapp_mixfiles
+        fetched_files += evaled_files
+        fetched_files
+      end
+      def mixfile
+        @mixfile ||= fetch_file_from_host("mix.exs")
+      end
+      def lockfile
+        return @lockfile if @lockfile_lookup_attempted
+        @lockfile_lookup_attempted = true
+        @lockfile ||= fetch_file_from_host("mix.lock")
+      rescue Dependabot::DependencyFileNotFound
+        nil
+      end
+      def subapp_mixfiles
+        apps_path = mixfile.content.match(APPS_PATH_REGEX)&.
+                    named_captures&.fetch("path")
+        return [] unless apps_path
+        app_directories = repo_contents(dir: apps_path).
+                          select { |f| f.type == "dir" }
+        app_directories.map do |dir|
+          fetch_file_from_host("#{dir.path}/mix.exs")
+        rescue Dependabot::DependencyFileNotFound
+          # If the folder doesn't have a mix.exs it *might* be because it's
+          # not an app. Ignore the fact we couldn't fetch one and proceed with
+          # updating (it will blow up later if there are problems)
+          nil
+        end.compact
+      rescue Octokit::NotFound, Gitlab::Error::NotFound
+        # If the path specified in apps_path doesn't exist then it's not being
+        # used. We can just return an empty array of subapp files.
+        []
+      end
+      def evaled_files
+        mixfile.content.scan(EVAL_FILE).map do |eval_file_args|
+          path = Pathname.new(File.join(*eval_file_args.reverse)).
+                 cleanpath.to_path
+          fetch_file_from_host(path).tap { |f| f.support_file = true }
+        end
+      end
+    end
+  end
+end
+Dependabot::FileFetchers.register("hex", Dependabot::Hex::FileFetcher)

data/lib/dependabot/hex/file_parser.rb ADDED

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "dependabot/hex/native_helpers"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+# For docs, see https://hexdocs.pm/mix/Mix.Tasks.Deps.html
+module Dependabot
+  module Hex
+    class FileParser < Dependabot::FileParsers::Base
+      require "dependabot/file_parsers/base/dependency_set"
+      def parse
+        dependency_set = DependencySet.new
+        dependency_details.each do |dep|
+          git_dependency = dep["source"]&.fetch("type") == "git"
+          dependency_set <<
+            Dependency.new(
+              name: dep["name"],
+              version: git_dependency ? dep["checksum"] : dep["version"],
+              requirements: [{
+                requirement: dep["requirement"],
+                groups: dep["groups"],
+                source: dep["source"] && symbolize_keys(dep["source"]),
+                file: dep["from"]
+              }],
+              package_manager: "hex"
+            )
+        end
+        dependency_set.dependencies.sort_by(&:name)
+      end
+      private
+      def dependency_details
+        SharedHelpers.in_a_temporary_directory do
+          write_sanitized_mixfiles
+          write_supporting_files
+          File.write("mix.lock", lockfile.content) if lockfile
+          FileUtils.cp(elixir_helper_parse_deps_path, "parse_deps.exs")
+          SharedHelpers.run_helper_subprocess(
+            env: mix_env,
+            command: "mix run #{elixir_helper_path}",
+            function: "parse",
+            args: [Dir.pwd],
+            popen_opts: { err: %i(child out) }
+          )
+        end
+      rescue Dependabot::SharedHelpers::HelperSubprocessFailed => error
+        result_json =
+          error.message.lines.
+          drop_while { |l| !l.start_with?('{"result":') }.
+          join
+        raise DependencyFileNotEvaluatable, error.message if result_json.empty?
+        JSON.parse(result_json).fetch("result")
+      end
+      def write_sanitized_mixfiles
+        mixfiles.each do |file|
+          path = file.name
+          FileUtils.mkdir_p(Pathname.new(path).dirname)
+          File.write(path, sanitize_mixfile(file.content))
+        end
+      end
+      def write_supporting_files
+        dependency_files.select(&:support_file).each do |file|
+          path = file.name
+          FileUtils.mkdir_p(Pathname.new(path).dirname)
+          File.write(path, file.content)
+        end
+      end
+      def sanitize_mixfile(content)
+        content.
+          gsub(/File\.read!\(.*?\)/, '"0.0.1"').
+          gsub(/File\.read\(.*?\)/, '{:ok, "0.0.1"}')
+      end
+      def mix_env
+        {
+          "MIX_EXS" => File.join(NativeHelpers.hex_helpers_dir, "mix.exs"),
+          "MIX_LOCK" => File.join(NativeHelpers.hex_helpers_dir, "mix.lock"),
+          "MIX_DEPS" => File.join(NativeHelpers.hex_helpers_dir, "deps"),
+          "MIX_QUIET" => "1"
+        }
+      end
+      def elixir_helper_path
+        File.join(NativeHelpers.hex_helpers_dir, "lib/run.exs")
+      end
+      def elixir_helper_parse_deps_path
+        File.join(NativeHelpers.hex_helpers_dir, "lib/parse_deps.exs")
+      end
+      def check_required_files
+        raise "No mixfile!" if mixfiles.none?
+      end
+      def symbolize_keys(hash)
+        Hash[hash.keys.map { |k| [k.to_sym, hash[k]] }]
+      end
+      def mixfiles
+        dependency_files.select { |f| f.name.end_with?("mix.exs") }
+      end
+      def lockfile
+        @lockfile ||= get_original_file("mix.lock")
+      end
+    end
+  end
+end
+Dependabot::FileParsers.register("hex", Dependabot::Hex::FileParser)