RubyGems - dependabot-maven - Versions diffs - 0.375.0 → 0.376.0 - Mend

dependabot-maven 0.375.0 → 0.376.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/dependabot/maven/shared/shared_package_details_fetcher.rb +58 -15
data/lib/dependabot/maven/shared/shared_property_value_updater.rb +87 -0
data/lib/dependabot/maven/update_checker/requirements_updater.rb +2 -0
metadata +5 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 776842dd7dfc634e7b49362b8fd1d91bb8e8bd89552a6bd7e691258e5b69f04d
-  data.tar.gz: 59e345219811845c9e868da85f474e1d8cb32b21ed3d6f3210ee051233cdea2b
+  metadata.gz: f6766c6eea0f8880538a54f48a87617d19e881622583b8324da63019adaedac9
+  data.tar.gz: 31573e51f96b69b76573cfd8b4576268e5c98de779ffacce88023dcb8317e4e0
 SHA512:
-  metadata.gz: a91dd63188f7a0d7470e60d14a1c164a7ee36e5676a32d03d09dc2a73b191a1f123537a6bc6597b228ac9921f165474f1df091526aabe6a6c82965b1b5f2d460
-  data.tar.gz: d333fc34854b5546764f994d71fe6edc72e3224b5b12d5dc38bdf1bdd28d780cbffedcbb23ac1ff649bc5c7bf77b06e944cca045a360a93a9ac4623d2e58809c
+  metadata.gz: b64dfca75c231cd7dfabc9c37b951006607472e64cd110d5b99ebb992cfd4fce84c72eecfc522df7c04b65ec5983befbeb4f9dc354a87d7914b1bbbef63802be
+  data.tar.gz: 2ea4854da94ac4236c9afdcbaee148e93049b8233ccf5d3bfc569e47240ae30172415adf239c10acaaef358eb0dc9a3ef7a4ffa8fe5d59b6b122fa9ee497a945

data/lib/dependabot/maven/shared/shared_package_details_fetcher.rb CHANGED Viewed

@@ -66,7 +66,7 @@ module Dependabot
           "#{dependency_base_url(repository_url)}/#{MAVEN_METADATA_XML}"
         end
-        # URL for a specific artifact file (JAR/POM).
+        # URL for a specific artifact file (JAR/AAR/etc).
         #
         # Example:
         #   "https://repo.maven.apache.org/maven2/com/google/guava/guava/23.6-jre/guava-23.6-jre.jar"
@@ -81,6 +81,15 @@ module Dependabot
           "#{base_url}/#{version}/#{artifact_id}-#{version}#{actual_classifier}.#{type}"
         end
+        # URL for the POM file of a specific version.
+        # Every published Maven artifact has a .pom file regardless of packaging type.
+        sig { params(repository_url: String, version: Dependabot::Version).returns(String) }
+        def dependency_pom_url(repository_url, version)
+          _, artifact_id = dependency_parts
+          base_url = dependency_base_url(repository_url)
+          "#{base_url}/#{version}/#{artifact_id}-#{version}.pom"
+        end
         # -- Metadata Fetching (XML) --
         # Fetches and parses maven-metadata.xml from a repository.
@@ -127,8 +136,11 @@ module Dependabot
         def fetch_dependency_metadata_from_html(repository_details)
           url = repository_details.fetch(URL_KEY)
           headers = repository_details.fetch(AUTH_HEADERS_KEY)
+          # Add trailing slash for directory listing
+          base_directory_url = dependency_base_url(url)
+          base_directory_url += "/" unless base_directory_url.end_with?("/")
           response = Dependabot::RegistryClient.get(
-            url: dependency_base_url(url),
+            url: base_directory_url,
             headers: headers
           )
           check_response(response, url)
@@ -151,26 +163,44 @@ module Dependabot
         def extract_version_details_from_html(html_doc)
           versions_detail_hash = T.let({}, T::Hash[String, T::Hash[Symbol, T.untyped]])
-          html_doc.css("a[title]").each do |link|
-            version_string = link["title"]
-            version = version_string.gsub(%r{/$}, "")
-            raw_date_text = link.next.text.strip.split("\n").last.strip
-            release_date = begin
-              Time.parse(raw_date_text)
-            rescue StandardError
-              nil
-            end
+          html_doc.css("a[href]").each do |link|
+            version = extract_version_from_link(link)
             next unless version && version_class.correct?(version)
+            release_date = extract_release_date_from_link(link)
             versions_detail_hash[version] = { release_date: release_date }
           end
           versions_detail_hash
         end
+        sig { params(link: Nokogiri::XML::Element).returns(T.nilable(String)) }
+        def extract_version_from_link(link)
+          href = link["href"]&.strip
+          return unless href&.end_with?("/")
+          identifier = [link["title"], link.text, href].find { |value| value && !value.strip.empty? }
+          return unless identifier
+          version = identifier.strip.gsub(%r{/$}, "")
+          return if ["..", "."].include?(version)
+          version
+        end
+        sig { params(link: Nokogiri::XML::Element).returns(T.nilable(Time)) }
+        def extract_release_date_from_link(link)
+          raw_date_text = link.next&.text.to_s
+          date_match = raw_date_text.match(/\b(?:\d{4}-\d{2}-\d{2}|\d{2}-[A-Za-z]{3}-\d{4}) \d{2}:\d{2}\b/)
+          return Time.parse(date_match[0]) if date_match
+          Time.parse(raw_date_text.strip)
+        rescue StandardError
+          nil
+        end
         # -- Response Checking & Error Handling --
         # Tracks forbidden URLs when receiving 401/403 responses (except for central repo).
@@ -304,7 +334,20 @@ module Dependabot
                 url: dependency_files_url(url, version),
                 headers: headers
               )
-              response.status < 400
+              next true if response.status < 400
+              # When the artifact file returns 404, fall back to checking the .pom file.
+              # This handles artifacts with non-jar packaging (e.g., aar, bundle) where
+              # the consumer POM omits <type>, causing the parser to default to "jar".
+              # Only fall back when there's no classifier (classifier artifacts are specific).
+              next false unless response.status == 404
+              next false if dependency.requirements.first&.dig(:metadata, :classifier)
+              pom_response = Dependabot::RegistryClient.head(
+                url: dependency_pom_url(url, version),
+                headers: headers
+              )
+              pom_response.status < 400
             rescue Excon::Error::Socket, Excon::Error::Timeout,
                    Excon::Error::TooManyRedirects
               false

data/lib/dependabot/maven/shared/shared_property_value_updater.rb ADDED Viewed

@@ -0,0 +1,87 @@
+# typed: strict
+# frozen_string_literal: true
+require "sorbet-runtime"
+require "dependabot/dependency_file"
+module Dependabot
+  module Maven
+    module Shared
+      # Shared base for text-based property value updaters (Gradle, SBT).
+      # Subclasses must override `property_value_finder` to return the
+      # ecosystem-specific PropertyValueFinder instance.
+      #
+      # Maven's PropertyValueUpdater is XML-based and does not share this class.
+      class SharedPropertyValueUpdater
+        extend T::Sig
+        extend T::Helpers
+        abstract!
+        sig { params(dependency_files: T::Array[DependencyFile]).void }
+        def initialize(dependency_files:)
+          @dependency_files = T.let(dependency_files, T::Array[DependencyFile])
+        end
+        sig do
+          params(
+            property_name: String,
+            callsite_buildfile: DependencyFile,
+            previous_value: String,
+            updated_value: String
+          ).returns(T::Array[DependencyFile])
+        end
+        def update_files_for_property_change(
+          property_name:,
+          callsite_buildfile:,
+          previous_value:,
+          updated_value:
+        )
+          declaration_details = property_value_finder.property_details(
+            property_name: property_name,
+            callsite_buildfile: callsite_buildfile
+          )
+          raise "Property '#{property_name}' not found" unless declaration_details
+          declaration_string = T.let(declaration_details.fetch(:declaration_string), String)
+          filename = T.let(declaration_details.fetch(:file), String)
+          file_to_update = T.must(dependency_files.find { |f| f.name == filename })
+          updated_content = T.must(file_to_update.content).sub(
+            declaration_string,
+            declaration_string.sub(
+              previous_value_regex(previous_value),
+              updated_value
+            )
+          )
+          updated_files = dependency_files.dup
+          updated_files[T.must(updated_files.index(file_to_update))] =
+            update_file(file: file_to_update, content: updated_content)
+          updated_files
+        end
+        private
+        sig { returns(T::Array[DependencyFile]) }
+        attr_reader :dependency_files
+        sig { abstract.returns(T.untyped) }
+        def property_value_finder; end
+        sig { params(previous_value: String).returns(Regexp) }
+        def previous_value_regex(previous_value)
+          /(?<=['"])#{Regexp.quote(previous_value)}(?=['"])/
+        end
+        sig { params(file: DependencyFile, content: String).returns(DependencyFile) }
+        def update_file(file:, content:)
+          updated_file = file.dup
+          updated_file.content = content
+          updated_file
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/maven/update_checker/requirements_updater.rb CHANGED Viewed

@@ -60,6 +60,8 @@ module Dependabot
             next req if property_name && !properties_to_update.include?(property_name)
             new_req = update_requirement(req[:requirement])
+            next req if new_req == req[:requirement]
             req.merge(requirement: new_req, source: updated_source)
           end
         end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-maven
 version: !ruby/object:Gem::Version
-  version: 0.375.0
+  version: 0.376.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.375.0
+        version: 0.376.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.375.0
+        version: 0.376.0
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
@@ -275,6 +275,7 @@ files:
 - lib/dependabot/maven/shared/base_version_finder.rb
 - lib/dependabot/maven/shared/shared_metadata_finder.rb
 - lib/dependabot/maven/shared/shared_package_details_fetcher.rb
+- lib/dependabot/maven/shared/shared_property_value_updater.rb
 - lib/dependabot/maven/shared/shared_requirement.rb
 - lib/dependabot/maven/shared/shared_version_finder.rb
 - lib/dependabot/maven/token_bucket.rb
@@ -290,7 +291,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.375.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.376.0
 rdoc_options: []
 require_paths:
 - lib