dependabot-maven 0.212.0 → 0.213.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 742cfd118855d8a31a6789c4f6e49e6750a56507c5163155f331fc2c37cd02ea
-  data.tar.gz: 5d2997c3c84a670196038e17b10f6a8838d651435bff71ef4a52893424b63139
+  metadata.gz: 68711b5b438172e0e075d72ef2cb8b7b86994f612f5e65d4ccd8132a8e46212c
+  data.tar.gz: 14ab13cf9c9f09662510ff5ea97d3f37677620d8a96b3d18be5c6b7b3e90bae5
 SHA512:
-  metadata.gz: cae2fb00b853ad401cf24b1ebcb5db66eac4287e060de4feca5e4d2c765408244f6b852ff57884f556e43defe40caae56144f62964aae25f0f583f853107a3d6
-  data.tar.gz: fb83ba87f201e2a6480686f3a1144412fc44e0aaeab1cb4ff9ac5d53ec6df0fcd54e65fb4abab8d2185b9cdab9416d49e99309ccf976eeda1e2aea79474d5fa4
+  metadata.gz: 633b8678f53dbc5caae6a1ca4d226a1651b51c3a6605fc5aed2f8b053912cc37427ee1f16873e588976ccb47987f1e1ad4a7e2df11d09aa5efdf55fd245e1645
+  data.tar.gz: 619707ebc8b916e98e73aa3151bcdcc3dd1c8ba0c15f131012ad75432de66d7a15633e39033305ecc5216bee798a24968aaf4ac6560ea77e58d382ac6fd1ee8f

data/lib/dependabot/maven/file_parser/pom_fetcher.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+require "nokogiri"
+
+require "dependabot/dependency_file"
+require "dependabot/maven/file_parser"
+require "dependabot/registry_client"
+
+module Dependabot
+  module Maven
+    class FileParser
+      class PomFetcher
+        def initialize(dependency_files:)
+          @dependency_files = dependency_files
+          @poms = {}
+        end
+
+        def internal_dependency_poms
+          return @internal_dependency_poms if @internal_dependency_poms
+
+          @internal_dependency_poms = {}
+          dependency_files.each do |pom|
+            doc = Nokogiri::XML(pom.content)
+            group_id = doc.at_css("project > groupId") ||
+                       doc.at_css("project > parent > groupId")
+            artifact_id = doc.at_css("project > artifactId")
+
+            next unless group_id && artifact_id
+
+            dependency_name = [
+              group_id.content.strip,
+              artifact_id.content.strip
+            ].join(":")
+
+            @internal_dependency_poms[dependency_name] = pom
+          end
+
+          @internal_dependency_poms
+        end
+
+        def fetch_remote_parent_pom(group_id, artifact_id, version, urls_to_try)
+          pom_id = "#{group_id}:#{artifact_id}:#{version}"
+          return @poms[pom_id] if @poms.key?(pom_id)
+
+          urls_to_try.each do |base_url|
+            url =
+              if version.include?("SNAPSHOT")
+                fetch_snapshot_pom_url(group_id, artifact_id, version, base_url)
+              else
+                remote_pom_url(group_id, artifact_id, version, base_url)
+              end
+            next if url.nil?
+
+            response = fetch(url)
+            next unless response.status == 200
+            next unless pom?(response.body)
+
+            dependency_file = DependencyFile.new(
+              name: "remote_pom.xml",
+              content: response.body
+            )
+
+            @poms[pom_id] = dependency_file
+            return dependency_file
+          rescue Excon::Error::Socket, Excon::Error::Timeout,
+                 Excon::Error::TooManyRedirects, URI::InvalidURIError
+            nil
+          end
+
+          # If a parent POM couldn't be found, return `nil`
+          nil
+        end
+
+        private
+
+        def remote_pom_url(group_id, artifact_id, version, base_repo_url)
+          "#{base_repo_url}/" \
+            "#{group_id.tr('.', '/')}/#{artifact_id}/#{version}/" \
+            "#{artifact_id}-#{version}.pom"
+        end
+
+        def remote_pom_snapshot_url(group_id, artifact_id, version, snapshot_version, base_repo_url)
+          "#{base_repo_url}/" \
+            "#{group_id.tr('.', '/')}/#{artifact_id}/#{version}/" \
+            "#{artifact_id}-#{snapshot_version}.pom"
+        end
+
+        def remote_pom_snapshot_metadata_url(group_id, artifact_id, version, base_repo_url)
+          "#{base_repo_url}/" \
+            "#{group_id.tr('.', '/')}/#{artifact_id}/#{version}/" \
+            "maven-metadata.xml"
+        end
+
+        def fetch_snapshot_pom_url(group_id, artifact_id, version, base_url)
+          url = remote_pom_snapshot_metadata_url(group_id, artifact_id, version, base_url)
+          response = fetch(url)
+          return nil unless response.status == 200
+
+          snapshot = Nokogiri::XML(response.body).
+                     css("snapshotVersion").
+                     find { |node| node.at_css("extension").content == "pom" }&.
+                     at_css("value")&.
+                     content
+          return nil unless snapshot
+
+          remote_pom_snapshot_url(group_id, artifact_id, version, snapshot, base_url)
+        end
+
+        def fetch(url)
+          @maven_responses ||= {}
+          @maven_responses[url] ||= Dependabot::RegistryClient.get(url: url, options: { retry_limit: 1 })
+        end
+
+        def pom?(content)
+          !Nokogiri::XML(content).at_css("project > artifactId").nil?
+        end
+
+        attr_reader :dependency_files
+      end
+    end
+  end
+end

data/lib/dependabot/maven/file_parser/property_value_finder.rb

@@ -14,11 +14,14 @@ module Dependabot
     class FileParser
       class PropertyValueFinder
         require_relative "repositories_finder"
+        require_relative "pom_fetcher"
 
-        DOT_SEPARATOR_REGEX = %r{\.(?!\d+([.\/_\-]|$)+)}.freeze
+        DOT_SEPARATOR_REGEX = %r{\.(?!\d+([.\/_\-]|$)+)}
 
-        def initialize(dependency_files:)
+        def initialize(dependency_files:, credentials: [])
           @dependency_files = dependency_files
+          @credentials = credentials
+          @pom_fetcher = PomFetcher.new(dependency_files: dependency_files)
         end
 
         def property_details(property_name:, callsite_pom:)
@@ -60,29 +63,6 @@ module Dependabot
 
         attr_reader :dependency_files
 
-        def internal_dependency_poms
-          return @internal_dependency_poms if @internal_dependency_poms
-
-          @internal_dependency_poms = {}
-          dependency_files.each do |pom|
-            doc = Nokogiri::XML(pom.content)
-            group_id = doc.at_css("project > groupId") ||
-                       doc.at_css("project > parent > groupId")
-            artifact_id = doc.at_css("project > artifactId")
-
-            next unless group_id && artifact_id
-
-            dependency_name = [
-              group_id.content.strip,
-              artifact_id.content.strip
-            ].join(":")
-
-            @internal_dependency_poms[dependency_name] = pom
-          end
-
-          @internal_dependency_poms
-        end
-
         def sanitize_property_name(property_name)
           property_name.sub(/^pom\./, "").sub(/^project\./, "")
         end
@@ -100,11 +80,11 @@ module Dependabot
 
           name = [group_id, artifact_id].join(":")
 
-          return internal_dependency_poms[name] if internal_dependency_poms[name]
+          return @pom_fetcher.internal_dependency_poms[name] if @pom_fetcher.internal_dependency_poms[name]
 
           return unless version && !version.include?(",")
 
-          fetch_remote_parent_pom(group_id, artifact_id, version, pom)
+          @pom_fetcher.fetch_remote_parent_pom(group_id, artifact_id, version, parent_repository_urls(pom))
         end
         # rubocop:enable Metrics/PerceivedComplexity
 
@@ -118,44 +98,12 @@ module Dependabot
         def repositories_finder
           @repositories_finder ||=
             RepositoriesFinder.new(
+              pom_fetcher: @pom_fetcher,
               dependency_files: dependency_files,
+              credentials: @credentials,
               evaluate_properties: false
             )
         end
-
-        def fetch_remote_parent_pom(group_id, artifact_id, version, pom)
-          parent_repository_urls(pom).each do |base_url|
-            url = remote_pom_url(group_id, artifact_id, version, base_url)
-
-            @maven_responses ||= {}
-            @maven_responses[url] ||= Dependabot::RegistryClient.get(url: url)
-            next unless @maven_responses[url].status == 200
-            next unless pom?(@maven_responses[url].body)
-
-            dependency_file = DependencyFile.new(
-              name: "remote_pom.xml",
-              content: @maven_responses[url].body
-            )
-
-            return dependency_file
-          rescue Excon::Error::Socket, Excon::Error::Timeout,
-                 Excon::Error::TooManyRedirects, URI::InvalidURIError
-            nil
-          end
-
-          # If a parent POM couldn't be found, return `nil`
-          nil
-        end
-
-        def remote_pom_url(group_id, artifact_id, version, base_repo_url)
-          "#{base_repo_url}/" \
-            "#{group_id.tr('.', '/')}/#{artifact_id}/#{version}/" \
-            "#{artifact_id}-#{version}.pom"
-        end
-
-        def pom?(content)
-          !Nokogiri::XML(content).at_css("project > artifactId").nil?
-        end
       end
     end
   end

data/lib/dependabot/maven/file_parser/repositories_finder.rb

@@ -15,48 +15,78 @@ module Dependabot
     class FileParser
       class RepositoriesFinder
         require_relative "property_value_finder"
+        require_relative "pom_fetcher"
         # In theory we should check the artifact type and either look in
         # <repositories> or <pluginRepositories>. In practice it's unlikely
         # anyone makes this distinction.
         REPOSITORY_SELECTOR = "repositories > repository, " \
                               "pluginRepositories > pluginRepository"
 
-        # The Central Repository is included in the Super POM, which is
-        # always inherited from.
-        CENTRAL_REPO_URL = "https://repo.maven.apache.org/maven2"
-
-        def initialize(dependency_files:, evaluate_properties: true)
+        def initialize(pom_fetcher:, dependency_files: [], credentials: [], evaluate_properties: true)
+          @pom_fetcher = pom_fetcher
           @dependency_files = dependency_files
+          @credentials = credentials
 
           # We need the option not to evaluate properties so as not to have a
           # circular dependency between this class and the PropertyValueFinder
           # class
           @evaluate_properties = evaluate_properties
+          # Aggregates URLs seen in POMs to avoid short term memory loss.
+          # For instance a repository in a child POM might apply to the parent too.
+          @known_urls = []
+        end
+
+        def central_repo_url
+          base = @credentials.find { |cred| cred["type"] == "maven_repository" && cred["replaces-base"] == true }
+          base ? base["url"] : "https://repo.maven.apache.org/maven2"
         end
 
         # Collect all repository URLs from this POM and its parents
         def repository_urls(pom:, exclude_inherited: false)
-          repo_urls_in_pom =
-            Nokogiri::XML(pom.content).
-            css(REPOSITORY_SELECTOR).
-            map { |node| node.at_css("url").content.strip.gsub(%r{/$}, "") }.
-            reject { |url| contains_property?(url) && !evaluate_properties? }.
-            select { |url| url.start_with?("http") }.
-            map { |url| evaluated_value(url, pom) }
+          entries = gather_repository_urls(pom: pom, exclude_inherited: exclude_inherited)
+          ids = Set.new
+          @known_urls += entries.map do |entry|
+            next if entry[:id] && ids.include?(entry[:id])
 
-          return repo_urls_in_pom + [CENTRAL_REPO_URL] if exclude_inherited
-
-          unless (parent = parent_pom(pom, repo_urls_in_pom))
-            return repo_urls_in_pom + [CENTRAL_REPO_URL]
+            ids.add(entry[:id]) unless entry[:id].nil?
+            entry
           end
+          @known_urls = @known_urls.uniq.compact
 
-          repo_urls_in_pom + repository_urls(pom: parent)
+          urls = urls_from_credentials + @known_urls.map { |entry| entry[:url] }
+          urls += [central_repo_url] unless @known_urls.any? { |entry| entry[:id] == super_pom[:id] }
+          urls.uniq
         end
 
         private
 
         attr_reader :dependency_files
 
+        # The Central Repository is included in the Super POM, which is
+        # always inherited from.
+        def super_pom
+          { url: central_repo_url, id: "central" }
+        end
+
+        def gather_repository_urls(pom:, exclude_inherited: false)
+          repos_in_pom =
+            Nokogiri::XML(pom.content).
+            css(REPOSITORY_SELECTOR).
+            map { |node| { url: node.at_css("url").content.strip, id: node.at_css("id").content.strip } }.
+            reject { |entry| contains_property?(entry[:url]) && !evaluate_properties? }.
+            select { |entry| entry[:url].start_with?("http") }.
+            map { |entry| { url: evaluated_value(entry[:url], pom).gsub(%r{/$}, ""), id: entry[:id] } }
+
+          return repos_in_pom if exclude_inherited
+
+          urls_in_pom = repos_in_pom.map { |repo| repo[:url] }
+          unless (parent = parent_pom(pom, urls_in_pom))
+            return repos_in_pom
+          end
+
+          repos_in_pom + gather_repository_urls(pom: parent)
+        end
+
         def evaluate_properties?
           @evaluate_properties
         end
@@ -74,72 +104,19 @@ module Dependabot
 
           name = [group_id, artifact_id].join(":")
 
-          return internal_dependency_poms[name] if internal_dependency_poms[name]
+          return @pom_fetcher.internal_dependency_poms[name] if @pom_fetcher.internal_dependency_poms[name]
 
           return unless version && !version.include?(",")
 
-          fetch_remote_parent_pom(group_id, artifact_id, version, repo_urls)
+          urls = urls_from_credentials + repo_urls + [central_repo_url]
+          @pom_fetcher.fetch_remote_parent_pom(group_id, artifact_id, version, urls)
         end
         # rubocop:enable Metrics/PerceivedComplexity
 
-        def internal_dependency_poms
-          return @internal_dependency_poms if @internal_dependency_poms
-
-          @internal_dependency_poms = {}
-          dependency_files.each do |pom|
-            doc = Nokogiri::XML(pom.content)
-            group_id = doc.at_css("project > groupId") ||
-                       doc.at_css("project > parent > groupId")
-            artifact_id = doc.at_css("project > artifactId")
-
-            next unless group_id && artifact_id
-
-            dependency_name = [
-              group_id.content.strip,
-              artifact_id.content.strip
-            ].join(":")
-
-            @internal_dependency_poms[dependency_name] = pom
-          end
-
-          @internal_dependency_poms
-        end
-
-        def fetch_remote_parent_pom(group_id, artifact_id, version, repo_urls)
-          (repo_urls + [CENTRAL_REPO_URL]).uniq.each do |base_url|
-            url = remote_pom_url(group_id, artifact_id, version, base_url)
-
-            @maven_responses ||= {}
-            @maven_responses[url] ||= Dependabot::RegistryClient.get(
-              url: url,
-              # We attempt to find dependencies in private repos before failing over to the CENTRAL_REPO_URL,
-              # but this can burn a lot of a job's time against slow servers due to our `read_timeout` being 20 seconds.
-              #
-              # In order to avoid the overall job timing out, we only make one retry attempt
-              options: { retry_limit: 1 }
-            )
-            next unless @maven_responses[url].status == 200
-            next unless pom?(@maven_responses[url].body)
-
-            dependency_file = DependencyFile.new(
-              name: "remote_pom.xml",
-              content: @maven_responses[url].body
-            )
-
-            return dependency_file
-          rescue Excon::Error::Socket, Excon::Error::Timeout,
-                 Excon::Error::TooManyRedirects, URI::InvalidURIError
-            nil
-          end
-
-          # If a parent POM couldn't be found, return `nil`
-          nil
-        end
-
-        def remote_pom_url(group_id, artifact_id, version, base_repo_url)
-          "#{base_repo_url}/" \
-            "#{group_id.tr('.', '/')}/#{artifact_id}/#{version}/" \
-            "#{artifact_id}-#{version}.pom"
+        def urls_from_credentials
+          @credentials.
+            select { |cred| cred["type"] == "maven_repository" }.
+            filter_map { |cred| cred["url"]&.strip&.gsub(%r{/$}, "") }
         end
 
         def contains_property?(value)
@@ -174,16 +151,12 @@ module Dependabot
         # values from parent POMs)
         def property_value_finder
           @property_value_finder ||=
-            PropertyValueFinder.new(dependency_files: dependency_files)
+            PropertyValueFinder.new(dependency_files: dependency_files, credentials: @credentials)
         end
 
         def property_regex
           Maven::FileParser::PROPERTY_REGEX
         end
-
-        def pom?(content)
-          !Nokogiri::XML(content).at_css("project > artifactId").nil?
-        end
       end
     end
   end

data/lib/dependabot/maven/file_parser.rb

@@ -28,7 +28,7 @@ module Dependabot
       EXTENSION_SELECTOR  = "extensions > extension"
 
       # Regex to get the property name from a declaration that uses a property
-      PROPERTY_REGEX      = /\$\{(?<property>.*?)\}/.freeze
+      PROPERTY_REGEX      = /\$\{(?<property>.*?)\}/
 
       def parse
         dependency_set = DependencySet.new
@@ -267,7 +267,7 @@ module Dependabot
       # values from parent POMs)
       def property_value_finder
         @property_value_finder ||=
-          PropertyValueFinder.new(dependency_files: dependency_files)
+          PropertyValueFinder.new(dependency_files: dependency_files, credentials: credentials)
       end
 
       def pomfiles

data/lib/dependabot/maven/file_updater/declaration_finder.rb

@@ -11,7 +11,7 @@ module Dependabot
       class DeclarationFinder
         DECLARATION_REGEX =
           %r{<parent>.*?</parent>|<dependency>.*?</dependency>|
-             <plugin>.*?(?:<plugin>.*?</plugin>.*)?</plugin>|<extension>.*?</extension>}mx.freeze
+             <plugin>.*?(?:<plugin>.*?</plugin>.*)?</plugin>|<extension>.*?</extension>}mx
 
         attr_reader :dependency, :declaring_requirement, :dependency_files
 

data/lib/dependabot/maven/file_updater.rb

@@ -89,10 +89,9 @@ module Dependabot
         updated_content = file.content
 
         original_file_declarations(dependency, previous_req).each do |old_dec|
-          updated_content = updated_content.gsub(
-            old_dec,
+          updated_content = updated_content.gsub(old_dec) do
             updated_file_declaration(old_dec, previous_req, requirement)
-          )
+          end
         end
 
         raise "Expected content to change!" if updated_content == file.content

data/lib/dependabot/maven/metadata_finder.rb

@@ -12,7 +12,7 @@ require "dependabot/registry_client"
 module Dependabot
   module Maven
     class MetadataFinder < Dependabot::MetadataFinders::Base
-      DOT_SEPARATOR_REGEX = %r{\.(?!\d+([.\/_\-]|$)+)}.freeze
+      DOT_SEPARATOR_REGEX = %r{\.(?!\d+([.\/_\-]|$)+)}
 
       private
 
@@ -149,7 +149,7 @@ module Dependabot
 
         source&.fetch(:url, nil) ||
           source&.fetch("url") ||
-          Maven::FileParser::RepositoriesFinder::CENTRAL_REPO_URL
+          Maven::FileParser::RepositoriesFinder.new(credentials: credentials).central_repo_url
       end
 
       def maven_repo_dependency_url

data/lib/dependabot/maven/requirement.rb

@@ -7,10 +7,9 @@ module Dependabot
   module Maven
     class Requirement < Gem::Requirement
       quoted = OPS.keys.map { |k| Regexp.quote k }.join("|")
-      OR_SYNTAX = /(?<=\]|\)),/.freeze
-      PATTERN_RAW =
-        "\\s*(#{quoted})?\\s*(#{Maven::Version::VERSION_PATTERN})\\s*"
-      PATTERN = /\A#{PATTERN_RAW}\z/.freeze
+      OR_SYNTAX = /(?<=\]|\)),/
+      PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{Maven::Version::VERSION_PATTERN})\\s*"
+      PATTERN = /\A#{PATTERN_RAW}\z/
 
       def self.parse(obj)
         return ["=", Maven::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)

data/lib/dependabot/maven/update_checker/version_finder.rb

@@ -57,8 +57,10 @@ module Dependabot
           version_details =
             repositories.map do |repository_details|
               url = repository_details.fetch("url")
-              dependency_metadata(repository_details).
-                css("versions > version").
+              xml = dependency_metadata(repository_details)
+              next [] if xml.blank?
+
+              break xml.css("versions > version").
                 select { |node| version_class.correct?(node.content) }.
                 map { |node| version_class.new(node.content) }.
                 map { |version| { version: version, source_url: url } }
@@ -166,15 +168,16 @@ module Dependabot
             headers: repository_details.fetch("auth_headers")
           )
           check_response(response, repository_details.fetch("url"))
+          return unless response.status < 400
 
           Nokogiri::XML(response.body)
         rescue URI::InvalidURIError
-          Nokogiri::XML("")
+          nil
         rescue Excon::Error::Socket, Excon::Error::Timeout,
                Excon::Error::TooManyRedirects
           raise if central_repo_urls.include?(repository_details["url"])
 
-          Nokogiri::XML("")
+          nil
         end
 
         def check_response(response, repository_url)
@@ -188,21 +191,25 @@ module Dependabot
         def repositories
           return @repositories if defined?(@repositories)
 
-          details = pom_repository_details + credentials_repository_details
-
-          @repositories =
-            details.reject do |repo|
-              next if repo["auth_headers"]
+          @repositories = credentials_repository_details
+          pom_repository_details.each do |repo|
+            @repositories << repo unless @repositories.any? { |r| r["url"] == repo["url"] }
+          end
+          @repositories
+        end
 
-              # Reject this entry if an identical one with non-empty auth_headers exists
-              details.any? { |r| r["url"] == repo["url"] && r["auth_headers"] != {} }
-            end
+        def repository_finder
+          @repository_finder ||=
+            Maven::FileParser::RepositoriesFinder.new(
+              pom_fetcher: Maven::FileParser::PomFetcher.new(dependency_files: dependency_files),
+              dependency_files: dependency_files,
+              credentials: credentials
+            )
         end
 
         def pom_repository_details
           @pom_repository_details ||=
-            Maven::FileParser::RepositoriesFinder.
-            new(dependency_files: dependency_files).
+            repository_finder.
             repository_urls(pom: pom).
             map do |url|
               { "url" => url, "auth_headers" => {} }
@@ -272,9 +279,7 @@ module Dependabot
         end
 
         def central_repo_urls
-          central_url_without_protocol =
-            Maven::FileParser::RepositoriesFinder::CENTRAL_REPO_URL.
-            gsub(%r{^.*://}, "")
+          central_url_without_protocol = repository_finder.central_repo_url.gsub(%r{^.*://}, "")
 
           %w(http:// https://).map { |p| p + central_url_without_protocol }
         end

data/lib/dependabot/maven/update_checker.rb

@@ -138,7 +138,7 @@ module Dependabot
       def property_value_finder
         @property_value_finder ||=
           Maven::FileParser::PropertyValueFinder.
-          new(dependency_files: dependency_files)
+          new(dependency_files: dependency_files, credentials: credentials)
       end
 
       def version_comes_from_multi_dependency_property?

data/lib/dependabot/maven/utils/auth_headers_finder.rb

@@ -47,7 +47,7 @@ module Dependabot
         end
 
         def gitlab_maven_repo?(maven_repo_path)
-          gitlab_maven_repo_reg = %r{^/api/v4.*/packages/maven/?$}.freeze
+          gitlab_maven_repo_reg = %r{^/api/v4.*/packages/maven/?$}
           maven_repo_path.match?(gitlab_maven_repo_reg)
         end
       end

data/lib/dependabot/maven/version.rb

@@ -30,7 +30,7 @@ module Dependabot
         "[0-9a-zA-Z]+" \
         '(?>\.[0-9a-zA-Z]*)*' \
         '([_\-\+][0-9A-Za-z_-]*(\.[0-9A-Za-z_-]*)*)?'
-      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/.freeze
+      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
 
       def self.correct?(version)
         return false if version.nil?
@@ -43,6 +43,10 @@ module Dependabot
         super(version.to_s.tr("_", "-"))
       end
 
+      def inspect
+        "#<#{self.class} #{@version_string}>"
+      end
+
       def to_s
         @version_string
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-maven
 version: !ruby/object:Gem::Version
-  version: 0.212.0
+  version: 0.213.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-09-06 00:00:00.000000000 Z
+date: 2022-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,42 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.212.0
+        version: 0.213.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.212.0
-- !ruby/object:Gem::Dependency
-  name: debase
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.2.3
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.2.3
-- !ruby/object:Gem::Dependency
-  name: debase-ruby_core_source
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.10.16
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.10.16
+        version: 0.213.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.12.0
+        version: 3.13.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.12.0
+        version: 3.13.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -142,42 +114,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.36.0
+        version: 1.37.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.36.0
+        version: 1.37.1
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.14.2
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.14.2
-- !ruby/object:Gem::Dependency
-  name: ruby-debug-ide
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 1.15.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 1.15.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -258,6 +216,7 @@ files:
 - lib/dependabot/maven.rb
 - lib/dependabot/maven/file_fetcher.rb
 - lib/dependabot/maven/file_parser.rb
+- lib/dependabot/maven/file_parser/pom_fetcher.rb
 - lib/dependabot/maven/file_parser/property_value_finder.rb
 - lib/dependabot/maven/file_parser/repositories_finder.rb
 - lib/dependabot/maven/file_updater.rb
@@ -283,14 +242,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.1.0
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.3.7
 signing_key: 
 specification_version: 4
 summary: Maven support for dependabot