dependabot-hex 0.88.0

data/lib/dependabot/hex/update_checker/requirements_updater.rb

@@ -0,0 +1,173 @@
+# frozen_string_literal: true
+
+require "dependabot/hex/version"
+require "dependabot/hex/requirement"
+require "dependabot/hex/update_checker"
+
+module Dependabot
+  module Hex
+    class UpdateChecker
+      class RequirementsUpdater
+        OPERATORS = />=|<=|>|<|==|~>/.freeze
+        AND_SEPARATOR = /\s+and\s+/.freeze
+        OR_SEPARATOR = /\s+or\s+/.freeze
+        SEPARATOR = /#{AND_SEPARATOR}|#{OR_SEPARATOR}/.freeze
+
+        def initialize(requirements:, latest_resolvable_version:,
+                       updated_source:)
+          @requirements = requirements
+          @updated_source = updated_source
+
+          return unless latest_resolvable_version
+          return unless Hex::Version.correct?(latest_resolvable_version)
+
+          @latest_resolvable_version =
+            Hex::Version.new(latest_resolvable_version)
+        end
+
+        def updated_requirements
+          requirements.map { |req| updated_mixfile_requirement(req) }
+        end
+
+        private
+
+        attr_reader :requirements, :latest_resolvable_version, :updated_source
+
+        # rubocop:disable Metrics/AbcSize
+        # rubocop:disable PerceivedComplexity
+        def updated_mixfile_requirement(req)
+          req = update_source(req)
+          return req unless latest_resolvable_version && req[:requirement]
+          return req if req_satisfied_by_latest_resolvable?(req[:requirement])
+
+          or_string_reqs = req[:requirement].split(OR_SEPARATOR)
+          last_string_reqs = or_string_reqs.last.split(AND_SEPARATOR).
+                             map(&:strip)
+
+          new_requirement =
+            if last_string_reqs.any? { |r| r.match(/^(?:\d|=)/) }
+              exact_req = last_string_reqs.find { |r| r.match(/^(?:\d|=)/) }
+              update_exact_version(exact_req, latest_resolvable_version).to_s
+            elsif last_string_reqs.any? { |r| r.start_with?("~>") }
+              tw_req = last_string_reqs.find { |r| r.start_with?("~>") }
+              update_twiddle_version(tw_req, latest_resolvable_version).to_s
+            else
+              update_mixfile_range(last_string_reqs).map(&:to_s).join(" and ")
+            end
+
+          if or_string_reqs.count > 1
+            new_requirement = req[:requirement] + " or " + new_requirement
+          end
+
+          req.merge(requirement: new_requirement)
+        end
+        # rubocop:enable Metrics/AbcSize
+        # rubocop:enable PerceivedComplexity
+
+        def update_source(requirement_hash)
+          # Only git sources ever need to be updated. Anything else should be
+          # left alone.
+          unless requirement_hash.dig(:source, :type) == "git"
+            return requirement_hash
+          end
+
+          requirement_hash.merge(source: updated_source)
+        end
+
+        def req_satisfied_by_latest_resolvable?(requirement_string)
+          ruby_requirements(requirement_string).
+            any? { |r| r.satisfied_by?(latest_resolvable_version) }
+        end
+
+        def ruby_requirements(requirement_string)
+          requirement_class.requirements_array(requirement_string)
+        end
+
+        def update_exact_version(previous_req, new_version)
+          op = previous_req.match(OPERATORS).to_s
+          old_version =
+            Hex::Version.new(previous_req.gsub(OPERATORS, ""))
+          updated_version = at_same_precision(new_version, old_version)
+          "#{op} #{updated_version}".strip
+        end
+
+        def update_twiddle_version(previous_req, new_version)
+          previous_req = requirement_class.new(previous_req)
+          old_version = previous_req.requirements.first.last
+          updated_version = at_same_precision(new_version, old_version)
+          requirement_class.new("~> #{updated_version}")
+        end
+
+        def update_mixfile_range(requirements)
+          requirements = requirements.map { |r| requirement_class.new(r) }
+          updated_requirements =
+            requirements.flat_map do |r|
+              next r if r.satisfied_by?(latest_resolvable_version)
+
+              case op = r.requirements.first.first
+              when "<", "<="
+                [update_greatest_version(r, latest_resolvable_version)]
+              when "!="
+                []
+              else
+                raise "Unexpected operation for unsatisfied Gemfile "\
+                      "requirement: #{op}"
+              end
+            end
+
+          binding_requirements(updated_requirements)
+        end
+
+        def at_same_precision(new_version, old_version)
+          precision = old_version.to_s.split(".").count
+          new_version.to_s.split(".").first(precision).join(".")
+        end
+
+        # Updates the version in a "<" or "<=" constraint to allow the given
+        # version
+        def update_greatest_version(requirement, version_to_be_permitted)
+          if version_to_be_permitted.is_a?(String)
+            version_to_be_permitted =
+              Hex::Version.new(version_to_be_permitted)
+          end
+          op, version = requirement.requirements.first
+          version = version.release if version.prerelease?
+
+          index_to_update =
+            version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+
+          new_segments = version.segments.map.with_index do |_, index|
+            if index < index_to_update
+              version_to_be_permitted.segments[index]
+            elsif index == index_to_update
+              version_to_be_permitted.segments[index] + 1
+            else 0
+            end
+          end
+
+          requirement_class.new("#{op} #{new_segments.join('.')}")
+        end
+
+        def binding_requirements(requirements)
+          grouped_by_operator =
+            requirements.group_by { |r| r.requirements.first.first }
+
+          binding_reqs = grouped_by_operator.flat_map do |operator, reqs|
+            case operator
+            when "<", "<=" then reqs.min_by { |r| r.requirements.first.last }
+            when ">", ">=" then reqs.max_by { |r| r.requirements.first.last }
+            else requirements
+            end
+          end.uniq
+
+          binding_reqs << requirement_class.new if binding_reqs.empty?
+          binding_reqs.sort_by { |r| r.requirements.first.last }
+        end
+
+        def requirement_class
+          Hex::Requirement
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/hex/update_checker/version_resolver.rb

@@ -0,0 +1,170 @@
+# frozen_string_literal: true
+
+require "dependabot/hex/version"
+require "dependabot/hex/update_checker"
+require "dependabot/hex/native_helpers"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+
+module Dependabot
+  module Hex
+    class UpdateChecker
+      class VersionResolver
+        def initialize(dependency:, credentials:,
+                       original_dependency_files:, prepared_dependency_files:)
+          @dependency = dependency
+          @original_dependency_files = original_dependency_files
+          @prepared_dependency_files = prepared_dependency_files
+          @credentials = credentials
+        end
+
+        def latest_resolvable_version
+          @latest_resolvable_version ||= fetch_latest_resolvable_version
+        end
+
+        private
+
+        attr_reader :dependency, :credentials,
+                    :original_dependency_files, :prepared_dependency_files
+
+        def fetch_latest_resolvable_version
+          latest_resolvable_version =
+            SharedHelpers.in_a_temporary_directory do
+              write_temporary_dependency_files
+              FileUtils.cp(
+                elixir_helper_check_update_path,
+                "check_update.exs"
+              )
+
+              SharedHelpers.with_git_configured(credentials: credentials) do
+                run_elixir_update_checker
+              end
+            end
+
+          return if latest_resolvable_version.nil?
+          if latest_resolvable_version.match?(/^[0-9a-f]{40}$/)
+            return latest_resolvable_version
+          end
+
+          version_class.new(latest_resolvable_version)
+        rescue SharedHelpers::HelperSubprocessFailed => error
+          handle_hex_errors(error)
+        end
+
+        def run_elixir_update_checker
+          SharedHelpers.run_helper_subprocess(
+            env: mix_env,
+            command: "mix run #{elixir_helper_path}",
+            function: "get_latest_resolvable_version",
+            args: [Dir.pwd,
+                   dependency.name,
+                   organization_credentials],
+            popen_opts: { err: %i(child out) }
+          )
+        end
+
+        def handle_hex_errors(error)
+          if error.message.include?("No authenticated organization found")
+            org = error.message.match(/found for ([a-z_]+)\./).captures.first
+            raise Dependabot::PrivateSourceAuthenticationFailure, org
+          end
+
+          if error.message.include?("Failed to fetch record for")
+            org_match = error.message.match(%r{for 'hexpm:([a-z_]+)/})
+            org = org_match&.captures&.first
+            raise Dependabot::PrivateSourceAuthenticationFailure, org if org
+          end
+
+          # TODO: This isn't pretty. It would be much nicer to catch the
+          # warnings as part of the Elixir module.
+          return error_result(error) if includes_result?(error)
+
+          # Ignore dependencies which don't resolve due to mis-matching
+          # environment specifications.
+          # TODO: Update the environment specifications instead
+          return if error.message.include?("Dependencies have diverged")
+
+          check_original_requirements_resolvable
+          raise error
+        end
+
+        def error_result(error)
+          return false unless includes_result?(error)
+
+          result_json = error.message&.split("\n")&.last
+          result = JSON.parse(result_json)["result"]
+          return version_class.new(result) if version_class.correct?(result)
+
+          result
+        end
+
+        def includes_result?(error)
+          result = error.message&.split("\n")&.last
+          return false unless result
+
+          JSON.parse(error.message&.split("\n")&.last)["result"]
+          true
+        rescue JSON::ParserError
+          false
+        end
+
+        def check_original_requirements_resolvable
+          SharedHelpers.in_a_temporary_directory do
+            write_temporary_dependency_files(prepared: false)
+            FileUtils.cp(
+              elixir_helper_check_update_path,
+              "check_update.exs"
+            )
+
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              run_elixir_update_checker
+            end
+          end
+
+          true
+        rescue SharedHelpers::HelperSubprocessFailed => error
+          raise Dependabot::DependencyFileNotResolvable, error.message
+        end
+
+        def write_temporary_dependency_files(prepared: true)
+          files = if prepared then prepared_dependency_files
+                  else original_dependency_files
+                  end
+
+          files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, file.content)
+          end
+        end
+
+        def version_class
+          Hex::Version
+        end
+
+        def mix_env
+          {
+            "MIX_EXS" => File.join(NativeHelpers.hex_helpers_dir, "mix.exs"),
+            "MIX_LOCK" => File.join(NativeHelpers.hex_helpers_dir, "mix.lock"),
+            "MIX_DEPS" => File.join(NativeHelpers.hex_helpers_dir, "deps"),
+            "MIX_QUIET" => "1"
+          }
+        end
+
+        def elixir_helper_path
+          File.join(NativeHelpers.hex_helpers_dir, "lib/run.exs")
+        end
+
+        def elixir_helper_check_update_path
+          File.join(NativeHelpers.hex_helpers_dir, "lib/check_update.exs")
+        end
+
+        def organization_credentials
+          credentials.
+            select { |cred| cred["type"] == "hex_organization" }.
+            flat_map { |cred| [cred["organization"], cred["token"]] }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/hex/version.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require "rubygems_version_patch"
+require "dependabot/utils"
+
+# Elixir versions can include build information, which Ruby can't parse.
+# This class augments Gem::Version with build information.
+# See https://hexdocs.pm/elixir/Version.html for details.
+
+module Dependabot
+  module Hex
+    class Version < Gem::Version
+      attr_reader :build_info
+
+      VERSION_PATTERN = Gem::Version::VERSION_PATTERN +
+                        '(\+[0-9a-zA-Z\-.]+)?'
+
+      def self.correct?(version)
+        return false if version.nil?
+
+        version = version.to_s.split("+").first if version.to_s.include?("+")
+        super
+      end
+
+      def initialize(version)
+        @version_string = version.to_s
+
+        if version.to_s.include?("+")
+          version, @build_info = version.to_s.split("+")
+        end
+
+        super
+      end
+
+      def to_s
+        @version_string
+      end
+
+      def inspect # :nodoc:
+        "#<#{self.class} #{@version_string}>"
+      end
+
+      def <=>(other)
+        version_comparison = super(other)
+        return version_comparison unless version_comparison.zero?
+
+        return build_info.nil? ? 0 : 1 unless other.is_a?(Hex::Version)
+
+        # Build information comparison
+        lhsegments = build_info.to_s.split(".").map(&:downcase)
+        rhsegments = other.build_info.to_s.split(".").map(&:downcase)
+        limit = [lhsegments.count, rhsegments.count].min
+
+        lhs = ["1", *lhsegments.first(limit)].join(".")
+        rhs = ["1", *rhsegments.first(limit)].join(".")
+
+        local_comparison = Gem::Version.new(lhs) <=> Gem::Version.new(rhs)
+
+        return local_comparison unless local_comparison.zero?
+
+        lhsegments.count <=> rhsegments.count
+      end
+    end
+  end
+end
+
+Dependabot::Utils.register_version_class("hex", Dependabot::Hex::Version)

metadata

@@ -0,0 +1,208 @@
+--- !ruby/object:Gem::Specification
+name: dependabot-hex
+version: !ruby/object:Gem::Version
+  version: 0.88.0
+platform: ruby
+authors:
+- Dependabot
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-01-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dependabot-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.88.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.88.0
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.61'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.61'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
+  Rust, Java, .NET, Elm and Go
+email: support@dependabot.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- helpers/build
+- helpers/deps/jason/.fetch
+- helpers/deps/jason/.hex
+- helpers/deps/jason/CHANGELOG.md
+- helpers/deps/jason/LICENSE
+- helpers/deps/jason/README.md
+- helpers/deps/jason/hex_metadata.config
+- helpers/deps/jason/lib/codegen.ex
+- helpers/deps/jason/lib/decoder.ex
+- helpers/deps/jason/lib/encode.ex
+- helpers/deps/jason/lib/encoder.ex
+- helpers/deps/jason/lib/formatter.ex
+- helpers/deps/jason/lib/fragment.ex
+- helpers/deps/jason/lib/helpers.ex
+- helpers/deps/jason/lib/jason.ex
+- helpers/deps/jason/mix.exs
+- helpers/lib/check_update.exs
+- helpers/lib/do_update.exs
+- helpers/lib/parse_deps.exs
+- helpers/lib/run.exs
+- helpers/mix.exs
+- helpers/mix.lock
+- lib/dependabot/hex.rb
+- lib/dependabot/hex/file_fetcher.rb
+- lib/dependabot/hex/file_parser.rb
+- lib/dependabot/hex/file_updater.rb
+- lib/dependabot/hex/file_updater/lockfile_updater.rb
+- lib/dependabot/hex/file_updater/mixfile_git_pin_updater.rb
+- lib/dependabot/hex/file_updater/mixfile_requirement_updater.rb
+- lib/dependabot/hex/file_updater/mixfile_sanitizer.rb
+- lib/dependabot/hex/file_updater/mixfile_updater.rb
+- lib/dependabot/hex/metadata_finder.rb
+- lib/dependabot/hex/native_helpers.rb
+- lib/dependabot/hex/requirement.rb
+- lib/dependabot/hex/update_checker.rb
+- lib/dependabot/hex/update_checker/file_preparer.rb
+- lib/dependabot/hex/update_checker/requirements_updater.rb
+- lib/dependabot/hex/update_checker/version_resolver.rb
+- lib/dependabot/hex/version.rb
+homepage: https://github.com/dependabot/dependabot-core
+licenses:
+- Nonstandard
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+requirements: []
+rubygems_version: 3.0.2
+signing_key: 
+specification_version: 4
+summary: Elixir (Hex) support for dependabot-core
+test_files: []