dependabot-maven 0.380.0 → 0.381.0

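--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 1c60264678a505d63a80aab010d67f409dbdc4dddac58701489efe8382cfff0a
-data.tar.gz: 1c052a45257a63bf5d4ed6d5b760c60471a68cfef49c7db082c1a261952241b0
+metadata.gz: be7ae98668076c1a36917baffcfd6383f090552ceac52e34ea058f40917f6878
+data.tar.gz: 634c128308da3630f6666dc2bd9f47d4737c52b23f6290216aa36de8111b39aa
 SHA512:
-metadata.gz: 663229493a0b49552fb623ca0414b30ae057c9cc023fb91268638efa911b5a00a8f3987c6095facbd86a88e205730087d176904aa457755bbf63f931ec41f16f
-data.tar.gz: efb9c45145cf52afc442537ac2ad0ac1895f99667f44b6e293cec26d2fde299f0e8d8de55cf2e47d9051237b928cf0d79f92e1990ba99aeb8e5f447642d976a5
+metadata.gz: 97b36d606f3efdc8db7269d34be8d024d554b75c4f5ea357e1593aa026b899cc4a69d7f9f4eb7eeb3461fa06c065aa6517fc0b862d28c39e5a2220f0956b2a86
+data.tar.gz: 34cad0af96100c6ae9414d021171765e1dd6c56eaab50e74d11f5af187207a708d82ed77ea9d1a1ab1630b7fb396ba703149a11c823a88cd6708c3fcba37b0f7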
@@ -10,7 +10,7 @@
10
10
  -->
11
11
 
12
12
  <properties>
13
- <maven-dependency-plugin.version>3.10.0</maven-dependency-plugin.version>
13
+ <maven-dependency-plugin.version>3.11.0</maven-dependency-plugin.version>
14
14
  </properties>
15
15
 
16
16
  <dependencies>
@@ -26,23 +26,19 @@ module Dependabot
26
26
  /ix
27
27
 
28
28
  # Common Maven pre-release qualifiers.
29
- # They often indicate versions that are not yet stable but that are released to the public for testing.
29
+ # Indicate versions not yet stable but released for testing.
30
30
  # Examples: 1.0.0-RC1, 2.0.0-ALPHA2, 3.1.0-BETA, 4.0.0-DEV5, etc.
31
31
  # See https://maven.apache.org/guides/mini/guide-naming-conventions.html#version-identifier
32
32
  MAVEN_PRE_RELEASE_QUALIFIERS = /
33
33
  # Must be at start OR preceded by a delimiter
34
34
  (?: \A | [-._])(
35
- # --- Qualifiers that usually REQUIRE a number ---
36
- # Examples: "RC1", "BETA2", "M3", "ALPHA-1", "EAP.2"
37
- # The number differentiates multiple pre-releases; a version like "1.0.0-RC"
38
- (?i)(?:RC|CR|M|MILESTONE|ALPHA|BETA|EA|EAP)(?:[-._]?\d+)?
39
- |
40
- # --- Qualifiers that do NOT usually have numbers ---
41
- DEV|
42
- PREVIEW|
43
- PRERELEASE|
44
- EXPERIMENTAL|
45
- UNSTABLE
35
+ # Pre-release qualifiers, each with an optional numeric suffix
36
+ # (e.g., RC1, BETA2, DEV, PREVIEW1)
37
+ (?:
38
+ RC | CR | M | MILESTONE | ALPHA | BETA | EA | EAP |
39
+ DEV | PREVIEW | PRERELEASE | EXPERIMENTAL | UNSTABLE
40
+ )
41
+ (?:[-._]?\d+)?
46
42
  )$
47
43
  /ix
48
44
 
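Review bot: MAVEN_PRE_RELEASE_QUALIFIERS (lines 76–124) still closes the qualifier group with `$`, and in Ruby `$` matches at the end of every line rather than only the end of the string, so a value with a qualifier followed by a newline and more text is still accepted; the full-string anchor is `\z`, i.e. `)\z` in place of `)$` on line 121, which also pairs with the `\A` already used at the start. The caller added in this diff strips each requirement segment before matching, so the gap is unlikely to surface there, but the constant is visible to any other code in the module that may pass unstripped values. The enclosing module continues outside the hunk.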
@@ -109,9 +105,17 @@ module Dependabot
109
105
 
110
106
  sig { returns(T::Boolean) }
111
107
  def wants_prerelease?
112
- return false unless dependency.numeric_version
113
-
114
- dependency.numeric_version&.prerelease? || false
108
+ return true if dependency.numeric_version&.prerelease?
109
+
110
+ dependency.requirements.any? do |req|
111
+ req_string = T.cast(req.fetch(:requirement), T.nilable(String)).to_s
112
+ req_string.split(",").any? do |segment|
113
+ normalized = segment.strip.gsub(/\A[\[\(]\s*/, "")
114
+ .gsub(/\s*[\]\)]\z/, "")
115
+ normalized.match?(MAVEN_PRE_RELEASE_QUALIFIERS) ||
116
+ normalized.match?(MAVEN_SNAPSHOT_QUALIFIER)
117
+ end
118
+ end
115
119
  end
116
120
 
117
121
  sig { returns(T::Boolean) }
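Review bot: The new fallback over `dependency.requirements` (lines 149–165) has no comment saying why a declared requirement should switch pre-release updates on when `numeric_version` is nil or not a pre-release, and a reader coming from the old two-line body will not guess it; above line 149 add `# No pre-release resolved version: still opt in when any declared requirement, or any segment of a range, names a pre-release or SNAPSHOT qualifier.` The bracket-stripping pair of gsub calls and the two match? calls would read better as a private `prerelease_segment?(segment)` predicate so that the two nested any? blocks collapse to one line each. The method is complete in the hunk; its enclosing class continues outside it.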
@@ -41,6 +41,7 @@ module Dependabot
41
41
  @target_version = T.let(target_version_details&.fetch(:version), T.nilable(Dependabot::Maven::Version))
42
42
  @source_url = T.let(target_version_details&.fetch(:source_url), T.nilable(String))
43
43
  @update_cooldown = update_cooldown
44
+ @property_value_finder = T.let(nil, T.nilable(Dependabot::Maven::FileParser::PropertyValueFinder))
44
45
  end
45
46
 
46
47
  sig { returns(T::Boolean) }
@@ -79,7 +80,7 @@ module Dependabot
79
80
  name: dep.name,
80
81
  version: updated_version(dep),
81
82
  requirements: updated_requirements(dep),
82
- previous_version: dep.version,
83
+ previous_version: previous_version(dep),
83
84
  previous_requirements: dep.requirements,
84
85
  package_manager: dep.package_manager
85
86
  )
@@ -159,13 +160,9 @@ module Dependabot
159
160
 
160
161
  sig { params(dep: Dependabot::Dependency).returns(T.nilable(String)) }
161
162
  def version_string(dep)
162
- declaring_requirement =
163
- dep.requirements
164
- .find { |r| r.dig(:metadata, :property_name) == property_name }
165
-
166
163
  Maven::FileUpdater::DeclarationFinder.new(
167
164
  dependency: dep,
168
- declaring_requirement: T.must(declaring_requirement),
165
+ declaring_requirement: declaring_property_requirement(dep),
169
166
  dependency_files: dependency_files
170
167
  ).declaration_nodes.first&.at_css("version")&.content
171
168
  end
@@ -185,6 +182,45 @@ module Dependabot
185
182
  T.must(version_string(dep)).gsub("${#{property_name}}", T.must(target_version).to_s)
186
183
  end
187
184
 
185
+ sig { params(dep: Dependabot::Dependency).returns(String) }
186
+ def previous_version(dep)
187
+ T.must(version_string(dep)).gsub("${#{property_name}}", current_property_value(dep))
188
+ end
189
+
190
+ sig { params(dep: Dependabot::Dependency).returns(String) }
191
+ def current_property_value(dep)
192
+ declaring_requirement = declaring_property_requirement(dep)
193
+ callsite_pom = dependency_files.find { |f| f.name == declaring_requirement.fetch(:file) }
194
+ unless callsite_pom
195
+ raise DependencyFileNotEvaluatable,
196
+ "POM not found: #{declaring_requirement.fetch(:file)} for property #{property_name}"
197
+ end
198
+
199
+ property_value =
200
+ property_value_finder
201
+ .property_details(property_name: property_name, callsite_pom: callsite_pom)
202
+ &.fetch(:value)
203
+
204
+ return property_value if property_value.is_a?(String)
205
+
206
+ raise DependencyFileNotEvaluatable, "Property not found: #{property_name}"
207
+ end
208
+
209
+ sig { params(dep: Dependabot::Dependency).returns(T::Hash[Symbol, T.untyped]) }
210
+ def declaring_property_requirement(dep)
211
+ declaring_requirement =
212
+ dep.requirements.find do |r|
213
+ next false unless r.dig(:metadata, :property_name) == property_name
214
+
215
+ r.dig(:metadata, :property_source) == property_source
216
+ end
217
+
218
+ return declaring_requirement if declaring_requirement
219
+
220
+ raise DependencyFileNotEvaluatable,
221
+ "Requirement not found for property #{property_name} from #{property_source || 'unknown source'}"
222
+ end
223
+
188
224
  sig { params(dep: Dependabot::Dependency).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
189
225
  def updated_requirements(dep)
190
226
  @updated_requirements ||= T.let({}, T.nilable(T::Hash[String, T::Array[T::Hash[Symbol, T.untyped]]]))
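Review bot: `previous_version` (line 271) hands `current_property_value(dep)` to `gsub` as a String replacement, and Ruby expands `\0`, `\1` and `\k<name>` sequences in a String replacement even when the pattern is a plain string, so a property value containing a backslash would be rewritten rather than inserted verbatim; the block form, `.gsub("${#{property_name}}") { current_property_value(dep) }`, inserts the value literally. The unchanged line 259 uses the same pattern with the target version and could take the same form for consistency. Separately, `current_property_value` raises "Property not found" also when `property_details` returns a hash whose `:value` is not a String (lines 305–309), so that message is misleading for that case; naming the value's class in the message, or splitting the two cases, would make the failure diagnosable. Because `previous_version` now raises DependencyFileNotEvaluatable where the old code passed `dep.version` (line 207), a dependency whose property cannot be resolved now fails the whole update rather than degrading — if that is intended it deserves a one-line comment on `previous_version`.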
@@ -196,6 +232,15 @@ module Dependabot
196
232
  properties_to_update: [property_name]
197
233
  ).updated_requirements
198
234
  end
235
+
236
+ sig { returns(Dependabot::Maven::FileParser::PropertyValueFinder) }
237
+ def property_value_finder
238
+ @property_value_finder ||=
239
+ Dependabot::Maven::FileParser::PropertyValueFinder.new(
240
+ dependency_files: dependency_files,
241
+ credentials: credentials
242
+ )
243
+ end
199
244
  end
200
245
  end
201
246
  end
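--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-maven
 version: !ruby/object:Gem::Version
-version: 0.380.0
+version: 0.381.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.380.0
+version: 0.381.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.380.0
+version: 0.381.0
 - !ruby/object:Gem::Dependency
 name: rexml
 requirement: !ruby/object:Gem::Requirement
@@ -291,7 +291,7 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.380.0
+changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.381.0
 rdoc_options: []
 require_paths:
 - lib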