dependabot-maven 0.305.0 → 0.306.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: edfa9b495411ee0c7f0e315b0e46edcb649c1e0d94d7b4538adae4fbb797057e
4
- data.tar.gz: 535081e417481ba4e5928410f1d28590814437cdd8047d394bc59470bba9e0c7
3
+ metadata.gz: ad0045ecf222ca64f0953ca81cda66b318b9b6f3fd073ee1d3ae329e01165a10
4
+ data.tar.gz: 67792a247a3d1a8dd8d82973bec8d2853bccb0e2a84543710b769f100f55eeb5
5
5
  SHA512:
6
- metadata.gz: 4d503a9c107865106132ae1e2a65f4399df27a15b785a2587a334620e60625c75b30a60413fe385f04f94af3a6ef218c51c7a4d5339170ae81e74ef6d14838d7
7
- data.tar.gz: 9ba9470f1b4f4ab968be52ec0d32c85a0fc462a73082c1e625d1348845613acfb5b5b0cf55cbd5d335bb457dad79337de95ea15902160143df623295405ebb9c
6
+ metadata.gz: 7bf491217c706d453933ec9524d0898622c7fce8db1a004d9b751fb44e3dc4fdd363ba66fce915b5931800dfcd4eaa25b1eae8b9cfdb05e53ffa28ed6225674b
7
+ data.tar.gz: 825b3ad39ac19fc162dbb36ccf7f2eb5083f9c0550ee67aaf09db94ceaf2519846fde3cda02306362cb77cf7d81cb657bba7f2466d5218c4c21ecf8e7982a4e5
@@ -1,4 +1,4 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "nokogiri"
@@ -19,6 +19,16 @@ module Dependabot
19
19
 
20
20
  TYPE_SUFFICES = %w(jre android java native_mt agp).freeze
21
21
 
22
+ sig do
23
+ params(
24
+ dependency: Dependabot::Dependency,
25
+ dependency_files: T::Array[Dependabot::DependencyFile],
26
+ credentials: T::Array[Dependabot::Credential],
27
+ ignored_versions: T::Array[String],
28
+ security_advisories: T::Array[Dependabot::SecurityAdvisory],
29
+ raise_on_ignored: T::Boolean
30
+ ).void
31
+ end
22
32
  def initialize(dependency:, dependency_files:, credentials:,
23
33
  ignored_versions:, security_advisories:,
24
34
  raise_on_ignored: false)
@@ -28,10 +38,16 @@ module Dependabot
28
38
  @ignored_versions = ignored_versions
29
39
  @raise_on_ignored = raise_on_ignored
30
40
  @security_advisories = security_advisories
31
- @forbidden_urls = []
32
- @dependency_metadata = {}
41
+ @forbidden_urls = T.let([], T::Array[String])
42
+ @dependency_metadata = T.let({}, T::Hash[T.untyped, Nokogiri::XML::Document])
43
+ @auth_headers_finder = T.let(nil, T.nilable(Utils::AuthHeadersFinder))
44
+ @pom_repository_details = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
45
+ @repository_finder = T.let(nil, T.nilable(Maven::FileParser::RepositoriesFinder))
46
+ @repositories = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
47
+ @released_check = T.let({}, T::Hash[Version, T::Boolean])
33
48
  end
34
49
 
50
+ sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
35
51
  def latest_version_details
36
52
  possible_versions = versions
37
53
 
@@ -43,6 +59,7 @@ module Dependabot
43
59
  possible_versions.reverse.find { |v| released?(v.fetch(:version)) }
44
60
  end
45
61
 
62
+ sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
46
63
  def lowest_security_fix_version_details
47
64
  possible_versions = versions
48
65
 
@@ -78,11 +95,17 @@ module Dependabot
78
95
 
79
96
  private
80
97
 
98
+ sig { returns(Dependabot::Dependency) }
81
99
  attr_reader :dependency
100
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
82
101
  attr_reader :dependency_files
102
+ sig { returns(T::Array[Dependabot::Credential]) }
83
103
  attr_reader :credentials
104
+ sig { returns(T::Array[String]) }
84
105
  attr_reader :ignored_versions
106
+ sig { returns(T::Array[String]) }
85
107
  attr_reader :forbidden_urls
108
+ sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
86
109
  attr_reader :security_advisories
87
110
 
88
111
  sig { params(possible_versions: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
@@ -112,7 +135,7 @@ module Dependabot
112
135
  filtered = possible_versions.select { |v| matches_dependency_version_type?(v.fetch(:version)) }
113
136
  if possible_versions.count > filtered.count
114
137
  diff = possible_versions.count - filtered.count
115
- classifier = dependency.version.split(/[.\-]/).last
138
+ classifier = dependency.version&.split(/[.\-]/)&.last
116
139
  Dependabot.logger.info("Filtered out #{diff} non-#{classifier} classifier versions")
117
140
  end
118
141
  filtered
@@ -151,23 +174,23 @@ module Dependabot
151
174
  end
152
175
  end
153
176
 
177
+ sig { returns(T::Boolean) }
154
178
  def wants_prerelease?
155
179
  return false unless dependency.numeric_version
156
180
 
157
- dependency.numeric_version.prerelease?
181
+ dependency.numeric_version&.prerelease? || false
158
182
  end
159
183
 
184
+ sig { returns(T::Boolean) }
160
185
  def wants_date_based_version?
161
186
  return false unless dependency.numeric_version
162
187
 
163
- dependency.numeric_version >= version_class.new(100)
188
+ T.must(dependency.numeric_version) >= version_class.new(100)
164
189
  end
165
190
 
191
+ sig { params(version: Version).returns(T::Boolean) }
166
192
  def released?(version)
167
- @released_check ||= {}
168
- return @released_check[version] if @released_check.key?(version)
169
-
170
- @released_check[version] =
193
+ @released_check[version] ||=
171
194
  repositories.any? do |repository_details|
172
195
  url = repository_details.fetch("url")
173
196
  response = Dependabot::RegistryClient.head(
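Review bot: `@released_check[version] ||=` no longer caches a negative result: when a version is found in no repository the stored `false` makes `||=` evaluate `repositories.any?` again on the next call, so the HEAD requests for unreleased versions are repeated where the removed `key?` guard used to short-circuit them. Keeping the explicit guard works under strict typing via fetch, `return @released_check.fetch(version) if @released_check.key?(version)` followed by `@released_check[version] = repositories.any? do |repository_details|`. The same loss appears in dependency_metadata in the next hunk, where `@dependency_metadata[repository_key] ||= xml_document if xml_document` leaves a nil fetch result unstored, so a repository that returned nothing is fetched again on every call; widening the declaration in initialize to `T::Hash[T.untyped, T.nilable(Nokogiri::XML::Document)]` and assigning the fetch result directly, as the old line did, restores that caching. The `repositories.any?` block of released? continues past the end of this hunk.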
@@ -184,13 +207,18 @@ module Dependabot
184
207
  end
185
208
  end
186
209
 
210
+ sig { params(repository_details: T::Hash[String, T.untyped]).returns(T.nilable(Nokogiri::XML::Document)) }
187
211
  def dependency_metadata(repository_details)
188
212
  repository_key = repository_details.hash
189
213
  return @dependency_metadata[repository_key] if @dependency_metadata.key?(repository_key)
190
214
 
191
- @dependency_metadata[repository_key] = fetch_dependency_metadata(repository_details)
215
+ xml_document = fetch_dependency_metadata(repository_details)
216
+
217
+ @dependency_metadata[repository_key] ||= xml_document if xml_document
218
+ @dependency_metadata[repository_key]
192
219
  end
193
220
 
221
+ sig { params(repository_details: T::Hash[String, T.untyped]).returns(T.nilable(Nokogiri::XML::Document)) }
194
222
  def fetch_dependency_metadata(repository_details)
195
223
  response = Dependabot::RegistryClient.get(
196
224
  url: dependency_metadata_url(repository_details.fetch("url")),
@@ -219,6 +247,7 @@ module Dependabot
219
247
  nil
220
248
  end
221
249
 
250
+ sig { params(response: Excon::Response, repository_url: String).void }
222
251
  def check_response(response, repository_url)
223
252
  return unless [401, 403].include?(response.status)
224
253
  return if @forbidden_urls.include?(repository_url)
@@ -227,8 +256,9 @@ module Dependabot
227
256
  @forbidden_urls << repository_url
228
257
  end
229
258
 
259
+ sig { returns(T::Array[T::Hash[String, T.untyped]]) }
230
260
  def repositories
231
- return @repositories if defined?(@repositories)
261
+ return @repositories if @repositories
232
262
 
233
263
  @repositories = credentials_repository_details
234
264
  pom_repository_details.each do |repo|
@@ -237,24 +267,33 @@ module Dependabot
237
267
  @repositories
238
268
  end
239
269
 
270
+ sig { returns(Maven::FileParser::RepositoriesFinder) }
240
271
  def repository_finder
241
- @repository_finder ||=
272
+ return @repository_finder if @repository_finder
273
+
274
+ @repository_finder =
242
275
  Maven::FileParser::RepositoriesFinder.new(
243
276
  pom_fetcher: Maven::FileParser::PomFetcher.new(dependency_files: dependency_files),
244
277
  dependency_files: dependency_files,
245
278
  credentials: credentials
246
279
  )
280
+ @repository_finder
247
281
  end
248
282
 
283
+ sig { returns(T::Array[T::Hash[String, T.untyped]]) }
249
284
  def pom_repository_details
250
- @pom_repository_details ||=
285
+ return @pom_repository_details if @pom_repository_details
286
+
287
+ @pom_repository_details =
251
288
  repository_finder
252
289
  .repository_urls(pom: pom)
253
290
  .map do |url|
254
291
  { "url" => url, "auth_headers" => {} }
255
292
  end
293
+ @pom_repository_details
256
294
  end
257
295
 
296
+ sig { returns(T::Array[T.untyped]) }
258
297
  def credentials_repository_details
259
298
  credentials
260
299
  .select { |cred| cred["type"] == "maven_repository" && cred["url"] }
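Review bot: The memoisers repository_finder and pom_repository_details in this hunk (and auth_headers_finder in a later one) replace a one-line `@x ||= ...` with a guard, an assignment and a trailing `@x` read, while the second file in this diff keeps `@version_finder ||=` and `@property_updater ||=` under the same `# typed: strict`, with the ivars declared via `T.let(nil, T.nilable(...))` in initialize exactly as this file's initialize now does for `@repository_finder` and `@pom_repository_details`. Presumably the short form type-checks here as well, so `@repository_finder ||= Maven::FileParser::RepositoriesFinder.new(...)` can stay and both files would read the same way. Separately, credentials_repository_details is declared `sig { returns(T::Array[T.untyped]) }` although its result is assigned to `@repositories`, typed `T::Array[T::Hash[String, T.untyped]]`; tightening it to that element type documents the shape repositories relies on. The body of credentials_repository_details continues past the end of this hunk.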
@@ -266,13 +305,14 @@ module Dependabot
266
305
  end
267
306
  end
268
307
 
308
+ sig { params(comparison_version: Version).returns(T::Boolean) }
269
309
  def matches_dependency_version_type?(comparison_version)
270
310
  return true unless dependency.version
271
311
 
272
312
  current_type = dependency.version
273
- .gsub("native-mt", "native_mt")
274
- .split(/[.\-]/)
275
- .find do |type|
313
+ &.gsub("native-mt", "native_mt")
314
+ &.split(/[.\-]/)
315
+ &.find do |type|
276
316
  TYPE_SUFFICES.find { |s| type.include?(s) }
277
317
  end
278
318
 
@@ -286,47 +326,57 @@ module Dependabot
286
326
  current_type == version_type
287
327
  end
288
328
 
329
+ sig { returns(T.nilable(Dependabot::DependencyFile)) }
289
330
  def pom
290
- filename = dependency.requirements.first.fetch(:file)
331
+ filename = dependency.requirements.first&.fetch(:file)
291
332
  dependency_files.find { |f| f.name == filename }
292
333
  end
293
334
 
335
+ sig { params(repository_url: String).returns(String) }
294
336
  def dependency_metadata_url(repository_url)
295
337
  group_id, artifact_id = dependency.name.split(":")
296
338
 
297
339
  "#{repository_url}/" \
298
- "#{group_id.tr('.', '/')}/" \
340
+ "#{group_id&.tr('.', '/')}/" \
299
341
  "#{artifact_id}/" \
300
342
  "maven-metadata.xml"
301
343
  end
302
344
 
345
+ sig { params(repository_url: String, version: Version).returns(String) }
303
346
  def dependency_files_url(repository_url, version)
304
347
  group_id, artifact_id = dependency.name.split(":")
305
- type = dependency.requirements.first.dig(:metadata, :packaging_type)
306
- classifier = dependency.requirements.first.dig(:metadata, :classifier)
348
+ type = dependency.requirements.first&.dig(:metadata, :packaging_type)
349
+ classifier = dependency.requirements.first&.dig(:metadata, :classifier)
307
350
 
308
351
  actual_classifier = classifier.nil? ? "" : "-#{classifier}"
309
352
  "#{repository_url}/" \
310
- "#{group_id.tr('.', '/')}/" \
353
+ "#{group_id&.tr('.', '/')}/" \
311
354
  "#{artifact_id}/" \
312
355
  "#{version}/" \
313
356
  "#{artifact_id}-#{version}#{actual_classifier}.#{type}"
314
357
  end
315
358
 
359
+ sig { returns(T.class_of(Dependabot::Version)) }
316
360
  def version_class
317
361
  dependency.version_class
318
362
  end
319
363
 
364
+ sig { returns(T::Array[String]) }
320
365
  def central_repo_urls
321
366
  central_url_without_protocol = repository_finder.central_repo_url.gsub(%r{^.*://}, "")
322
367
 
323
368
  %w(http:// https://).map { |p| p + central_url_without_protocol }
324
369
  end
325
370
 
371
+ sig { returns(Utils::AuthHeadersFinder) }
326
372
  def auth_headers_finder
327
- @auth_headers_finder ||= Utils::AuthHeadersFinder.new(credentials)
373
+ return @auth_headers_finder if @auth_headers_finder
374
+
375
+ @auth_headers_finder = Utils::AuthHeadersFinder.new(credentials)
376
+ @auth_headers_finder
328
377
  end
329
378
 
379
+ sig { params(maven_repo_url: String).returns(T::Hash[String, String]) }
330
380
  def auth_headers(maven_repo_url)
331
381
  auth_headers_finder.auth_headers(maven_repo_url)
332
382
  end
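Review bot: `"#{group_id&.tr('.', '/')}/"` in dependency_metadata_url, and the same expression in dependency_files_url, turns a missing group id into a URL with an empty path segment (`.../repo//artifact/maven-metadata.xml`) where the old `group_id.tr` raised, so the sig's promise of a String is now kept by sending a malformed request rather than failing early. `group_id` is nil only when `dependency.name.split(":")` yields no elements, which may be unreachable for parsed Maven coordinates, but `"#{T.must(group_id).tr('.', '/')}/"` keeps the fail-fast behaviour and states that assumption, matching the `T.must` this commit already uses in wants_date_based_version?.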
@@ -1,4 +1,4 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "dependabot/update_checkers"
@@ -12,10 +12,42 @@ module Dependabot
12
12
  require_relative "update_checker/version_finder"
13
13
  require_relative "update_checker/property_updater"
14
14
 
15
+ sig do
16
+ params(
17
+ dependency: Dependabot::Dependency,
18
+ dependency_files: T::Array[Dependabot::DependencyFile],
19
+ credentials: T::Array[Dependabot::Credential],
20
+ repo_contents_path: T.nilable(String),
21
+ ignored_versions: T::Array[String],
22
+ raise_on_ignored: T::Boolean,
23
+ security_advisories: T::Array[Dependabot::SecurityAdvisory],
24
+ requirements_update_strategy: T.nilable(Dependabot::RequirementsUpdateStrategy),
25
+ dependency_group: T.nilable(Dependabot::DependencyGroup),
26
+ update_cooldown: T.nilable(Dependabot::Package::ReleaseCooldownOptions),
27
+ options: T::Hash[Symbol, T.untyped]
28
+ )
29
+ .void
30
+ end
31
+ def initialize(dependency:, dependency_files:, credentials:,
32
+ repo_contents_path: nil, ignored_versions: [],
33
+ raise_on_ignored: false, security_advisories: [],
34
+ requirements_update_strategy: nil, dependency_group: nil,
35
+ update_cooldown: nil, options: {})
36
+ super
37
+
38
+ @version_finder = T.let(nil, T.nilable(VersionFinder))
39
+ @property_updater = T.let(nil, T.nilable(PropertyUpdater))
40
+ @property_value_finder = T.let(nil, T.nilable(Maven::FileParser::PropertyValueFinder))
41
+ @declarations_using_a_property = T.let(nil, T.nilable(T::Array[T::Hash[Symbol, T.untyped]]))
42
+ @all_property_based_dependencies = T.let(nil, T.nilable(T::Array[Dependabot::Dependency]))
43
+ end
44
+
45
+ sig { override.returns(T.nilable(Dependabot::Version)) }
15
46
  def latest_version
16
47
  latest_version_details&.fetch(:version)
17
48
  end
18
49
 
50
+ sig { override.returns(T.nilable(Dependabot::Version)) }
19
51
  def latest_resolvable_version
20
52
  # Maven's version resolution algorithm is very simple: it just uses
21
53
  # the version defined "closest", with the first declaration winning
@@ -27,14 +59,17 @@ module Dependabot
27
59
  latest_version
28
60
  end
29
61
 
62
+ sig { override.returns(T.nilable(Dependabot::Version)) }
30
63
  def lowest_security_fix_version
31
64
  lowest_security_fix_version_details&.fetch(:version)
32
65
  end
33
66
 
67
+ sig { override.returns(T.nilable(Dependabot::Version)) }
34
68
  def lowest_resolvable_security_fix_version
35
69
  lowest_security_fix_version
36
70
  end
37
71
 
72
+ sig { override.returns(T.nilable(Dependabot::Version)) }
38
73
  def latest_resolvable_version_with_no_unlock
39
74
  # Irrelevant, since Maven has a single dependency file (the pom.xml).
40
75
  #
@@ -46,6 +81,7 @@ module Dependabot
46
81
  nil
47
82
  end
48
83
 
84
+ sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
49
85
  def updated_requirements
50
86
  property_names =
51
87
  declarations_using_a_property
@@ -59,11 +95,14 @@ module Dependabot
59
95
  ).updated_requirements
60
96
  end
61
97
 
98
+ sig { override.returns(T::Boolean) }
62
99
  def requirements_unlocked_or_can_be?
63
100
  declarations_using_a_property.none? do |requirement|
64
101
  prop_name = requirement.dig(:metadata, :property_name)
65
102
  pom = dependency_files.find { |f| f.name == requirement[:file] }
66
103
 
104
+ return false unless prop_name && pom
105
+
67
106
  declaration_pom_name =
68
107
  property_value_finder
69
108
  .property_details(property_name: prop_name, callsite_pom: pom)
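Review bot: The new `return false unless prop_name && pom` sits inside the `none?` block, so it returns from requirements_unlocked_or_can_be? itself rather than skipping one requirement, and `prop_name` can never be nil here because declarations_using_a_property selects only requirements whose `dig(:metadata, :property_name)` is truthy (visible in a later hunk); the guard is therefore really about `pom`. A requirement whose file is absent from dependency_files now silently makes the whole dependency report as not unlockable, whereas before it reached property_details with a nil callsite_pom, which is a behaviour change worth stating in a comment, e.g. `# No POM for this requirement: the property cannot be located, so treat the version as locked.`. The `none?` block continues past the end of this hunk.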
@@ -75,43 +114,50 @@ module Dependabot
75
114
 
76
115
  private
77
116
 
117
+ sig { override.returns(T::Boolean) }
78
118
  def latest_version_resolvable_with_full_unlock?
79
119
  return false unless version_comes_from_multi_dependency_property?
80
120
 
81
121
  property_updater.update_possible?
82
122
  end
83
123
 
124
+ sig { override.returns(T::Array[Dependabot::Dependency]) }
84
125
  def updated_dependencies_after_full_unlock
85
126
  property_updater.updated_dependencies
86
127
  end
87
128
 
129
+ sig { override.returns(T::Boolean) }
88
130
  def numeric_version_up_to_date?
89
131
  return false unless version_class.correct?(dependency.version)
90
132
 
91
133
  super
92
134
  end
93
135
 
136
+ sig { override.params(requirements_to_unlock: T.nilable(Symbol)).returns(T::Boolean) }
94
137
  def numeric_version_can_update?(requirements_to_unlock:)
95
138
  return false unless version_class.correct?(dependency.version)
96
139
 
97
140
  super
98
141
  end
99
142
 
143
+ sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
100
144
  def preferred_version_details
101
145
  return lowest_security_fix_version_details if vulnerable?
102
146
 
103
147
  latest_version_details
104
148
  end
105
149
 
150
+ sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
106
151
  def latest_version_details
107
- @latest_version_details ||= version_finder.latest_version_details
152
+ version_finder.latest_version_details
108
153
  end
109
154
 
155
+ sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
110
156
  def lowest_security_fix_version_details
111
- @lowest_security_fix_version_details ||=
112
- version_finder.lowest_security_fix_version_details
157
+ version_finder.lowest_security_fix_version_details
113
158
  end
114
159
 
160
+ sig { returns(VersionFinder) }
115
161
  def version_finder
116
162
  @version_finder ||=
117
163
  VersionFinder.new(
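Review bot: Dropping `@latest_version_details ||=` and `@lowest_security_fix_version_details ||=` means every call of latest_version_details and lowest_security_fix_version_details re-runs the VersionFinder lookup, and both are reached from several public methods in this file (latest_version, latest_resolvable_version through latest_version, lowest_security_fix_version, preferred_version_details), so the metadata and release checks behind them can now repeat per call instead of once per update-checker instance. If the memoisation was removed only to satisfy `# typed: strict`, it can be kept by declaring the ivars in the new initialize, `@latest_version_details = T.let(nil, T.nilable(T::Hash[T.untyped, T.untyped]))`, and restoring `@latest_version_details ||= version_finder.latest_version_details` (likewise for the security-fix variant), which matches how `@version_finder` is declared and memoised in this same file. The version_finder method at the end of this hunk continues past it.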
@@ -124,6 +170,7 @@ module Dependabot
124
170
  )
125
171
  end
126
172
 
173
+ sig { returns(PropertyUpdater) }
127
174
  def property_updater
128
175
  @property_updater ||=
129
176
  PropertyUpdater.new(
@@ -135,12 +182,14 @@ module Dependabot
135
182
  )
136
183
  end
137
184
 
185
+ sig { returns(Maven::FileParser::PropertyValueFinder) }
138
186
  def property_value_finder
139
187
  @property_value_finder ||=
140
188
  Maven::FileParser::PropertyValueFinder
141
189
  .new(dependency_files: dependency_files, credentials: credentials.map(&:to_s))
142
190
  end
143
191
 
192
+ sig { returns(T::Boolean) }
144
193
  def version_comes_from_multi_dependency_property?
145
194
  declarations_using_a_property.any? do |requirement|
146
195
  property_name = requirement.fetch(:metadata).fetch(:property_name)
@@ -159,12 +208,14 @@ module Dependabot
159
208
  end
160
209
  end
161
210
 
211
+ sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
162
212
  def declarations_using_a_property
163
213
  @declarations_using_a_property ||=
164
214
  dependency.requirements
165
215
  .select { |req| req.dig(:metadata, :property_name) }
166
216
  end
167
217
 
218
+ sig { returns(T::Array[Dependabot::Dependency]) }
168
219
  def all_property_based_dependencies
169
220
  @all_property_based_dependencies ||=
170
221
  Maven::FileParser.new(
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-maven
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.305.0
4
+ version: 0.306.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2025-04-06 00:00:00.000000000 Z
11
+ date: 2025-04-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.305.0
19
+ version: 0.306.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.305.0
26
+ version: 0.306.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -268,7 +268,7 @@ licenses:
268
268
  - MIT
269
269
  metadata:
270
270
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
271
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.305.0
271
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.306.0
272
272
  post_install_message:
273
273
  rdoc_options: []
274
274
  require_paths: