dependabot-maven 0.186.1 → 0.189.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e1a2783c11d5d8604b71ca5b61ae195a9301643612473feba9f36c088d791b1
-  data.tar.gz: 81b870922031db076a242e4f12b51985c4ecc2357cf87fa7c63ab1ae8635acea
+  metadata.gz: bb809a76fc89757535851f229a3da24216246e51202de85b11bf2adf468de0c9
+  data.tar.gz: 187f16b34d5207f8c3f47cb99f5e37a2fe9f10ad93574a78f772d2b3cf48043b
 SHA512:
-  metadata.gz: c9312ba524cde77bab1d5993857371d10cbd4f1fb3a92eee035577655b70e6bcf496ea5f19003ff87e5e4983c418ec880c9a58bfeefaac2aa55ae97e3efb9102
-  data.tar.gz: 51fbad4d09cfd030c51e31bac82788c4d1126e7ff0988a6093b6de1378bdd68ec85884c478fe0a7c72228a2bc1d61495966a4597ecdcebb003cd1dff1a874676
+  metadata.gz: 94ae994c766edc2b666da5b85bb0e6a91103a36b7682b42c7a0215d3afe0727737a8a6aefe57f9da866f4f25feb4657929ad86ea71760df2372a7fe86b36ce36
+  data.tar.gz: dbf67e08c040fe66d7f8adb2f8216347aa4f4c940c9fe81647b5c70d1f84991b08c23066161484b7fe107d01296b56d6474ac534e533d099181bf1ebc04c936a

data/lib/dependabot/maven/file_parser/property_value_finder.rb

@@ -4,7 +4,6 @@ require "nokogiri"
 
 require "dependabot/dependency_file"
 require "dependabot/maven/file_parser"
-require "dependabot/shared_helpers"
 
 # For documentation, see:
 # - http://maven.apache.org/guides/introduction/introduction-to-the-pom.html
@@ -128,11 +127,7 @@ module Dependabot
             url = remote_pom_url(group_id, artifact_id, version, base_url)
 
             @maven_responses ||= {}
-            @maven_responses[url] ||= Excon.get(
-              url,
-              idempotent: true,
-              **SharedHelpers.excon_defaults
-            )
+            @maven_responses[url] ||= RegistryClient.get(url: url)
             next unless @maven_responses[url].status == 200
             next unless pom?(@maven_responses[url].body)
 

data/lib/dependabot/maven/file_parser/repositories_finder.rb

@@ -4,7 +4,6 @@ require "nokogiri"
 
 require "dependabot/dependency_file"
 require "dependabot/maven/file_parser"
-require "dependabot/shared_helpers"
 require "dependabot/errors"
 
 # For documentation, see:
@@ -110,10 +109,13 @@ module Dependabot
             url = remote_pom_url(group_id, artifact_id, version, base_url)
 
             @maven_responses ||= {}
-            @maven_responses[url] ||= Excon.get(
-              url,
-              idempotent: true,
-              **SharedHelpers.excon_defaults
+            @maven_responses[url] ||= RegistryClient.get(
+              url: url,
+              # We attempt to find dependencies in private repos before failing over to the CENTRAL_REPO_URL,
+              # but this can burn a lot of a job's time against slow servers due to our `read_timeout` being 20 seconds.
+              #
+              # In order to avoid the overall job timing out, we only make one retry attempt
+              options: { retry_limit: 1 }
             )
             next unless @maven_responses[url].status == 200
             next unless pom?(@maven_responses[url].body)

data/lib/dependabot/maven/metadata_finder.rb

@@ -104,12 +104,9 @@ module Dependabot
       def dependency_pom_file
         return @dependency_pom_file unless @dependency_pom_file.nil?
 
-        response = Excon.get(
-          "#{maven_repo_dependency_url}/"\
-          "#{dependency.version}/"\
-          "#{dependency_artifact_id}-#{dependency.version}.pom",
-          idempotent: true,
-          **SharedHelpers.excon_defaults(headers: auth_headers)
+        response = RegistryClient.get(
+          url: "#{maven_repo_dependency_url}/#{dependency.version}/#{dependency_artifact_id}-#{dependency.version}.pom",
+          headers: auth_headers
         )
 
         @dependency_pom_file = Nokogiri::XML(response.body)
@@ -137,10 +134,9 @@ module Dependabot
               "#{version}/"\
               "#{artifact_id}-#{version}.pom"
 
-        response = Excon.get(
-          substitute_properties_in_source_url(url, pom),
-          idempotent: true,
-          **SharedHelpers.excon_defaults(headers: auth_headers)
+        response = RegistryClient.get(
+          url: substitute_properties_in_source_url(url, pom),
+          headers: auth_headers
         )
 
         Nokogiri::XML(response.body)

data/lib/dependabot/maven/registry_client.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require "dependabot/shared_helpers"
+
+# This class provides a thin wrapper around our normal usage of Excon as a simple HTTP client in order to
+# provide some minor caching functionality.
+#
+# This is not used to support full response caching currently, we just use it to ensure we detect unreachable
+# hosts and fast-fail on any subsequent requests to them to avoid excessive use of retries and connect- or
+# read-timeouts as Maven jobs tend to be sensitive to exceeding our overall 45 minute timeout.
+module Dependabot
+  module Maven
+    class RegistryClient
+      @cached_errors = {}
+
+      def self.get(url:, headers: {}, options: {})
+        raise cached_error_for(url) if cached_error_for(url)
+
+        Excon.get(
+          url,
+          idempotent: true,
+          **SharedHelpers.excon_defaults({ headers: headers }.merge(options))
+        )
+      rescue Excon::Error::Timeout => e
+        cache_error(url, e)
+        raise e
+      end
+
+      def self.head(url:, headers: {}, options: {})
+        raise cached_error_for(url) if cached_error_for(url)
+
+        Excon.head(
+          url,
+          idempotent: true,
+          **SharedHelpers.excon_defaults({ headers: headers }.merge(options))
+        )
+      rescue Excon::Error::Timeout => e
+        cache_error(url, e)
+        raise e
+      end
+
+      def self.clear_cache!
+        @cached_errors = {}
+      end
+
+      private_class_method def self.cache_error(url, error)
+        host = URI(url).host
+        @cached_errors[host] = error
+      end
+
+      private_class_method def self.cached_error_for(url)
+        host = URI(url).host
+        @cached_errors.fetch(host, nil)
+      end
+    end
+  end
+end

data/lib/dependabot/maven/update_checker/property_updater.rb

@@ -23,8 +23,9 @@ module Dependabot
 
         def update_possible?
           return false unless target_version
+          return @update_possible if defined?(@update_possible)
 
-          @update_possible ||=
+          @update_possible =
             dependencies_using_property.all? do |dep|
               next false if includes_property_reference?(updated_version(dep))
 

data/lib/dependabot/maven/update_checker/version_finder.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require "nokogiri"
-require "dependabot/shared_helpers"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/maven/file_parser/repositories_finder"
 require "dependabot/maven/update_checker"
@@ -25,6 +24,7 @@ module Dependabot
           @raise_on_ignored    = raise_on_ignored
           @security_advisories = security_advisories
           @forbidden_urls      = []
+          @dependency_metadata = {}
         end
 
         def latest_version_details
@@ -138,10 +138,9 @@ module Dependabot
           @released_check[version] =
             repositories.any? do |repository_details|
               url = repository_details.fetch("url")
-              response = Excon.head(
-                dependency_files_url(url, version),
-                idempotent: true,
-                **SharedHelpers.excon_defaults(headers: repository_details.fetch("auth_headers"))
+              response = RegistryClient.head(
+                url: dependency_files_url(url, version),
+                headers: repository_details.fetch("auth_headers")
               )
 
               response.status < 400
@@ -154,25 +153,27 @@ module Dependabot
         end
 
         def dependency_metadata(repository_details)
-          @dependency_metadata ||= {}
-          @dependency_metadata[repository_details.hash] ||=
-            begin
-              response = Excon.get(
-                dependency_metadata_url(repository_details.fetch("url")),
-                idempotent: true,
-                **Dependabot::SharedHelpers.excon_defaults(headers: repository_details.fetch("auth_headers"))
-              )
-              check_response(response, repository_details.fetch("url"))
+          repository_key = repository_details.hash
+          return @dependency_metadata[repository_key] if @dependency_metadata.key?(repository_key)
 
-              Nokogiri::XML(response.body)
-            rescue URI::InvalidURIError
-              Nokogiri::XML("")
-            rescue Excon::Error::Socket, Excon::Error::Timeout,
-                   Excon::Error::TooManyRedirects
-              raise if central_repo_urls.include?(repository_details["url"])
+          @dependency_metadata[repository_key] = fetch_dependency_metadata(repository_details)
+        end
 
-              Nokogiri::XML("")
-            end
+        def fetch_dependency_metadata(repository_details)
+          response = RegistryClient.get(
+            url: dependency_metadata_url(repository_details.fetch("url")),
+            headers: repository_details.fetch("auth_headers")
+          )
+          check_response(response, repository_details.fetch("url"))
+
+          Nokogiri::XML(response.body)
+        rescue URI::InvalidURIError
+          Nokogiri::XML("")
+        rescue Excon::Error::Socket, Excon::Error::Timeout,
+               Excon::Error::TooManyRedirects
+          raise if central_repo_urls.include?(repository_details["url"])
+
+          Nokogiri::XML("")
         end
 
         def check_response(response, repository_url)
@@ -184,7 +185,7 @@ module Dependabot
         end
 
         def repositories
-          return @repositories if @repositories
+          return @repositories if defined?(@repositories)
 
           details = pom_repository_details + credentials_repository_details
 

data/lib/dependabot/maven.rb

@@ -9,6 +9,7 @@ require "dependabot/maven/file_updater"
 require "dependabot/maven/metadata_finder"
 require "dependabot/maven/requirement"
 require "dependabot/maven/version"
+require "dependabot/maven/registry_client"
 
 require "dependabot/pull_request_creator/labeler"
 Dependabot::PullRequestCreator::Labeler.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-maven
 version: !ruby/object:Gem::Version
-  version: 0.186.1
+  version: 0.189.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-05-10 00:00:00.000000000 Z
+date: 2022-05-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.186.1
+        version: 0.189.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.186.1
+        version: 0.189.0
 - !ruby/object:Gem::Dependency
   name: debase
   requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.28.2
+        version: 1.29.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.28.2
+        version: 1.29.1
 - !ruby/object:Gem::Dependency
   name: ruby-debug-ide
   requirement: !ruby/object:Gem::Requirement
@@ -236,6 +236,7 @@ files:
 - lib/dependabot/maven/file_updater/declaration_finder.rb
 - lib/dependabot/maven/file_updater/property_value_updater.rb
 - lib/dependabot/maven/metadata_finder.rb
+- lib/dependabot/maven/registry_client.rb
 - lib/dependabot/maven/requirement.rb
 - lib/dependabot/maven/update_checker.rb
 - lib/dependabot/maven/update_checker/property_updater.rb