RubyGems - dependabot-hex - Versions diffs - 0.88.0 - Mend

dependabot-hex 0.88.0

Files changed (41) hide show

checksums.yaml +7 -0
data/helpers/build +19 -0
data/helpers/deps/jason/.fetch +0 -0
data/helpers/deps/jason/.hex +2 -0
data/helpers/deps/jason/CHANGELOG.md +60 -0
data/helpers/deps/jason/LICENSE +13 -0
data/helpers/deps/jason/README.md +179 -0
data/helpers/deps/jason/hex_metadata.config +20 -0
data/helpers/deps/jason/lib/codegen.ex +158 -0
data/helpers/deps/jason/lib/decoder.ex +657 -0
data/helpers/deps/jason/lib/encode.ex +630 -0
data/helpers/deps/jason/lib/encoder.ex +216 -0
data/helpers/deps/jason/lib/formatter.ex +253 -0
data/helpers/deps/jason/lib/fragment.ex +11 -0
data/helpers/deps/jason/lib/helpers.ex +90 -0
data/helpers/deps/jason/lib/jason.ex +228 -0
data/helpers/deps/jason/mix.exs +92 -0
data/helpers/lib/check_update.exs +92 -0
data/helpers/lib/do_update.exs +39 -0
data/helpers/lib/parse_deps.exs +103 -0
data/helpers/lib/run.exs +76 -0
data/helpers/mix.exs +21 -0
data/helpers/mix.lock +3 -0
data/lib/dependabot/hex.rb +11 -0
data/lib/dependabot/hex/file_fetcher.rb +79 -0
data/lib/dependabot/hex/file_parser.rb +125 -0
data/lib/dependabot/hex/file_updater.rb +71 -0
data/lib/dependabot/hex/file_updater/lockfile_updater.rb +142 -0
data/lib/dependabot/hex/file_updater/mixfile_git_pin_updater.rb +51 -0
data/lib/dependabot/hex/file_updater/mixfile_requirement_updater.rb +72 -0
data/lib/dependabot/hex/file_updater/mixfile_sanitizer.rb +26 -0
data/lib/dependabot/hex/file_updater/mixfile_updater.rb +94 -0
data/lib/dependabot/hex/metadata_finder.rb +70 -0
data/lib/dependabot/hex/native_helpers.rb +20 -0
data/lib/dependabot/hex/requirement.rb +53 -0
data/lib/dependabot/hex/update_checker.rb +275 -0
data/lib/dependabot/hex/update_checker/file_preparer.rb +191 -0
data/lib/dependabot/hex/update_checker/requirements_updater.rb +173 -0
data/lib/dependabot/hex/update_checker/version_resolver.rb +170 -0
data/lib/dependabot/hex/version.rb +67 -0
metadata +208 -0

@@ -0,0 +1,39 @@
+[dependency_name | credentials] = System.argv()
+grouped_creds = Enum.reduce credentials, [], fn cred, acc ->
+  if List.last(acc) == nil || List.last(acc)[:token] do
+    List.insert_at(acc, -1, %{ organization: cred })
+  else
+    { item, acc } = List.pop_at(acc, -1)
+    item = Map.put(item, :token, cred)
+    List.insert_at(acc, -1, item)
+  end
+end
+Enum.each grouped_creds, fn cred ->
+  hexpm = Hex.Repo.get_repo("hexpm")
+  repo = %{
+    url: hexpm.url <> "/repos/#{cred.organization}",
+    public_key: nil,
+    auth_key: cred.token
+  }
+  Hex.Config.read()
+  |> Hex.Config.read_repos()
+  |> Map.put("hexpm:#{cred.organization}", repo)
+  |> Hex.Config.update_repos()
+end
+# dependency atom
+dependency = String.to_atom(dependency_name)
+# Fetch dependencies that needs updating
+{dependency_lock, rest_lock} = Map.split(Mix.Dep.Lock.read(), [dependency])
+Mix.Dep.Fetcher.by_name([dependency_name], dependency_lock, rest_lock, [])
+lockfile_content =
+  "mix.lock"
+  |> File.read()
+  |> :erlang.term_to_binary()
+IO.write(:stdio, lockfile_content)

data/helpers/lib/parse_deps.exs ADDED

@@ -0,0 +1,103 @@
+defmodule Parser do
+  def run do
+    Mix.Dep.load_on_environment([])
+    |> Enum.flat_map(&parse_dep/1)
+    |> Enum.map(&build_dependency(&1.opts[:lock], &1))
+  end
+  defp build_dependency(nil, dep) do
+    %{
+      name: dep.app,
+      from: Path.relative_to_cwd(dep.from),
+      groups: [],
+      requirement: normalise_requirement(dep.requirement),
+      top_level: dep.top_level || umbrella_top_level_dep?(dep)
+    }
+  end
+  defp build_dependency(lock, dep) do
+    {version, checksum, source} = parse_lock(lock)
+    groups = parse_groups(dep.opts[:only])
+    %{
+      name: dep.app,
+      from: Path.relative_to_cwd(dep.from),
+      version: version,
+      groups: groups,
+      checksum: checksum,
+      requirement: normalise_requirement(dep.requirement),
+      source: source,
+      top_level: dep.top_level || umbrella_top_level_dep?(dep)
+    }
+  end
+  defp parse_groups(nil), do: []
+  defp parse_groups(only) when is_list(only), do: only
+  defp parse_groups(only), do: [only]
+  # path dependency
+  defp parse_dep(%{scm: Mix.SCM.Path, opts: opts} = dep) do
+    cond do
+      # umbrella dependency - ignore
+      opts[:in_umbrella] ->
+        []
+      # umbrella application
+      opts[:from_umbrella] ->
+        Enum.reject(dep.deps, fn dep -> dep.opts[:in_umbrella] end)
+      true ->
+        []
+    end
+  end
+  # hex, git dependency
+  defp parse_dep(%{scm: scm} = dep) when scm in [Hex.SCM, Mix.SCM.Git], do: [dep]
+  # unsupported
+  defp parse_dep(_dep), do: []
+  defp umbrella_top_level_dep?(dep) do
+    if Mix.Project.umbrella?() do
+      apps_paths = Path.expand(Mix.Project.config()[:apps_path], File.cwd!())
+      String.contains?(Path.dirname(Path.dirname(dep.from)), apps_paths)
+    else
+      false
+    end
+  end
+  defp parse_lock({:git, repo_url, checksum, opts}),
+    do: {nil, checksum, git_source(repo_url, opts)}
+  defp parse_lock({:hex, _app, version, checksum, _managers, _dependencies, _source}),
+    do: {version, checksum, nil}
+  defp parse_lock({:hex, _app, version, checksum, _managers, _dependencies}),
+    do: {version, checksum, nil}
+  defp normalise_requirement(req) do
+    req
+    |> maybe_regex_to_str()
+    |> empty_str_to_nil()
+  end
+  defp maybe_regex_to_str(s), do: if Regex.regex?(s), do: Regex.source(s), else: s
+  defp empty_str_to_nil(""), do: nil
+  defp empty_str_to_nil(s), do: s
+  def git_source(repo_url, opts) do
+    ref = opts[:ref] || opts[:tag]
+    ref = if is_list(ref), do: to_string(ref), else: ref
+    %{
+      type: "git",
+      url: repo_url,
+      branch: opts[:branch] || "master",
+      ref: ref
+    }
+  end
+end
+dependencies = :erlang.term_to_binary({:ok, Parser.run()})
+IO.write(:stdio, dependencies)

data/helpers/lib/run.exs ADDED

@@ -0,0 +1,76 @@
+defmodule DependencyHelper do
+  def main() do
+    IO.read(:stdio, :all)
+    |> Jason.decode!()
+    |> run()
+    |> case do
+      {output, 0} ->
+        if output =~ "No authenticated organization found" do
+          {:error, output}
+        else
+          {:ok, :erlang.binary_to_term(output)}
+        end
+      {error, 1} -> {:error, error}
+    end
+    |> handle_result()
+  end
+  defp handle_result({:ok, {:ok, result}}) do
+    encode_and_write(%{"result" => result})
+  end
+  defp handle_result({:ok, {:error, reason}}) do
+    encode_and_write(%{"error" => reason})
+    System.halt(1)
+  end
+  defp handle_result({:error, reason}) do
+    encode_and_write(%{"error" => reason})
+    System.halt(1)
+  end
+  defp encode_and_write(content) do
+    content
+    |> Jason.encode!()
+    |> IO.write()
+  end
+  defp run(%{"function" => "parse", "args" => [dir]}) do
+    run_script("parse_deps.exs", dir)
+  end
+  defp run(%{"function" => "get_latest_resolvable_version", "args" => [dir, dependency_name, credentials]}) do
+    run_script("check_update.exs", dir, [dependency_name] ++ credentials)
+  end
+  defp run(%{"function" => "get_updated_lockfile", "args" => [dir, dependency_name, credentials]}) do
+    run_script("do_update.exs", dir, [dependency_name] ++ credentials)
+  end
+  defp run_script(script, dir, args \\ []) do
+    args = [
+      "run",
+      "--no-deps-check",
+      "--no-start",
+      "--no-compile",
+      "--no-elixir-version-check",
+      script
+    ] ++ args
+    System.cmd(
+      "mix",
+      args,
+      [
+        cd: dir,
+        env: %{
+          "MIX_EXS" => nil,
+          "MIX_LOCK" => nil,
+          "MIX_DEPS" => nil
+        }
+      ]
+    )
+  end
+end
+DependencyHelper.main()

data/helpers/mix.exs ADDED

@@ -0,0 +1,21 @@
+defmodule DependabotCore.Mixfile do
+  use Mix.Project
+  def project do
+    [app: :dependabot_core,
+     version: "0.1.0",
+     elixir: "~> 1.5",
+     start_permanent: Mix.env == :prod,
+     lockfile: System.get_env("MIX_LOCK") || "mix.lock",
+     deps_path: System.get_env("MIX_DEPS") || "deps",
+     deps: deps()]
+  end
+  def application do
+    [extra_applications: [:logger]]
+  end
+  defp deps() do
+    [{:jason, "~> 1.0-rc"}]
+  end
+end

data/helpers/mix.lock ADDED

@@ -0,0 +1,3 @@
+%{
+  "jason": {:hex, :jason, "1.1.2", "b03dedea67a99223a2eaf9f1264ce37154564de899fd3d8b9a21b1a6fd64afe7", [:mix], [{:decimal, "~> 1.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm"},
+}

data/lib/dependabot/hex.rb ADDED

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/hex/file_fetcher"
+require "dependabot/hex/file_parser"
+require "dependabot/hex/update_checker"
+require "dependabot/hex/file_updater"
+require "dependabot/hex/metadata_finder"
+require "dependabot/hex/requirement"
+require "dependabot/hex/version"

data/lib/dependabot/hex/file_fetcher.rb ADDED

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+module Dependabot
+  module Hex
+    class FileFetcher < Dependabot::FileFetchers::Base
+      APPS_PATH_REGEX = /apps_path:\s*"(?<path>.*?)"/m.freeze
+      STRING_ARG = %{(?:["'](.*?)["'])}
+      EVAL_FILE = /Code\.eval_file\(#{STRING_ARG}(?:\s*,\s*#{STRING_ARG})?\)/.
+                  freeze
+      def self.required_files_in?(filenames)
+        filenames.include?("mix.exs")
+      end
+      def self.required_files_message
+        "Repo must contain a mix.exs."
+      end
+      private
+      def fetch_files
+        fetched_files = []
+        fetched_files << mixfile
+        fetched_files << lockfile if lockfile
+        fetched_files += subapp_mixfiles
+        fetched_files += evaled_files
+        fetched_files
+      end
+      def mixfile
+        @mixfile ||= fetch_file_from_host("mix.exs")
+      end
+      def lockfile
+        return @lockfile if @lockfile_lookup_attempted
+        @lockfile_lookup_attempted = true
+        @lockfile ||= fetch_file_from_host("mix.lock")
+      rescue Dependabot::DependencyFileNotFound
+        nil
+      end
+      def subapp_mixfiles
+        apps_path = mixfile.content.match(APPS_PATH_REGEX)&.
+                    named_captures&.fetch("path")
+        return [] unless apps_path
+        app_directories = repo_contents(dir: apps_path).
+                          select { |f| f.type == "dir" }
+        app_directories.map do |dir|
+          fetch_file_from_host("#{dir.path}/mix.exs")
+        rescue Dependabot::DependencyFileNotFound
+          # If the folder doesn't have a mix.exs it *might* be because it's
+          # not an app. Ignore the fact we couldn't fetch one and proceed with
+          # updating (it will blow up later if there are problems)
+          nil
+        end.compact
+      rescue Octokit::NotFound, Gitlab::Error::NotFound
+        # If the path specified in apps_path doesn't exist then it's not being
+        # used. We can just return an empty array of subapp files.
+        []
+      end
+      def evaled_files
+        mixfile.content.scan(EVAL_FILE).map do |eval_file_args|
+          path = Pathname.new(File.join(*eval_file_args.reverse)).
+                 cleanpath.to_path
+          fetch_file_from_host(path).tap { |f| f.support_file = true }
+        end
+      end
+    end
+  end
+end
+Dependabot::FileFetchers.register("hex", Dependabot::Hex::FileFetcher)

data/lib/dependabot/hex/file_parser.rb ADDED

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "dependabot/hex/native_helpers"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+# For docs, see https://hexdocs.pm/mix/Mix.Tasks.Deps.html
+module Dependabot
+  module Hex
+    class FileParser < Dependabot::FileParsers::Base
+      require "dependabot/file_parsers/base/dependency_set"
+      def parse
+        dependency_set = DependencySet.new
+        dependency_details.each do |dep|
+          git_dependency = dep["source"]&.fetch("type") == "git"
+          dependency_set <<
+            Dependency.new(
+              name: dep["name"],
+              version: git_dependency ? dep["checksum"] : dep["version"],
+              requirements: [{
+                requirement: dep["requirement"],
+                groups: dep["groups"],
+                source: dep["source"] && symbolize_keys(dep["source"]),
+                file: dep["from"]
+              }],
+              package_manager: "hex"
+            )
+        end
+        dependency_set.dependencies.sort_by(&:name)
+      end
+      private
+      def dependency_details
+        SharedHelpers.in_a_temporary_directory do
+          write_sanitized_mixfiles
+          write_supporting_files
+          File.write("mix.lock", lockfile.content) if lockfile
+          FileUtils.cp(elixir_helper_parse_deps_path, "parse_deps.exs")
+          SharedHelpers.run_helper_subprocess(
+            env: mix_env,
+            command: "mix run #{elixir_helper_path}",
+            function: "parse",
+            args: [Dir.pwd],
+            popen_opts: { err: %i(child out) }
+          )
+        end
+      rescue Dependabot::SharedHelpers::HelperSubprocessFailed => error
+        result_json =
+          error.message.lines.
+          drop_while { |l| !l.start_with?('{"result":') }.
+          join
+        raise DependencyFileNotEvaluatable, error.message if result_json.empty?
+        JSON.parse(result_json).fetch("result")
+      end
+      def write_sanitized_mixfiles
+        mixfiles.each do |file|
+          path = file.name
+          FileUtils.mkdir_p(Pathname.new(path).dirname)
+          File.write(path, sanitize_mixfile(file.content))
+        end
+      end
+      def write_supporting_files
+        dependency_files.select(&:support_file).each do |file|
+          path = file.name
+          FileUtils.mkdir_p(Pathname.new(path).dirname)
+          File.write(path, file.content)
+        end
+      end
+      def sanitize_mixfile(content)
+        content.
+          gsub(/File\.read!\(.*?\)/, '"0.0.1"').
+          gsub(/File\.read\(.*?\)/, '{:ok, "0.0.1"}')
+      end
+      def mix_env
+        {
+          "MIX_EXS" => File.join(NativeHelpers.hex_helpers_dir, "mix.exs"),
+          "MIX_LOCK" => File.join(NativeHelpers.hex_helpers_dir, "mix.lock"),
+          "MIX_DEPS" => File.join(NativeHelpers.hex_helpers_dir, "deps"),
+          "MIX_QUIET" => "1"
+        }
+      end
+      def elixir_helper_path
+        File.join(NativeHelpers.hex_helpers_dir, "lib/run.exs")
+      end
+      def elixir_helper_parse_deps_path
+        File.join(NativeHelpers.hex_helpers_dir, "lib/parse_deps.exs")
+      end
+      def check_required_files
+        raise "No mixfile!" if mixfiles.none?
+      end
+      def symbolize_keys(hash)
+        Hash[hash.keys.map { |k| [k.to_sym, hash[k]] }]
+      end
+      def mixfiles
+        dependency_files.select { |f| f.name.end_with?("mix.exs") }
+      end
+      def lockfile
+        @lockfile ||= get_original_file("mix.lock")
+      end
+    end
+  end
+end
+Dependabot::FileParsers.register("hex", Dependabot::Hex::FileParser)