dependabot-nuget 0.246.0 → 0.247.0

data/lib/dependabot/nuget/file_updater/property_value_updater.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -11,25 +11,38 @@ module Dependabot
   module Nuget
     class FileUpdater
       class PropertyValueUpdater
+        extend T::Sig
+
+        sig { params(dependency_files: T::Array[Dependabot::DependencyFile]).void }
         def initialize(dependency_files:)
           @dependency_files = dependency_files
         end
 
+        sig do
+          params(property_name: String,
+                 updated_value: String,
+                 callsite_file: Dependabot::DependencyFile)
+            .returns(T::Array[Dependabot::DependencyFile])
+        end
         def update_files_for_property_change(property_name:, updated_value:,
                                              callsite_file:)
           declaration_details =
-            property_value_finder
-            .property_details(
+            property_value_finder.property_details(
               property_name: property_name,
               callsite_file: callsite_file
             )
+          throw "Unable to locate property details" unless declaration_details
 
+          declaration_filename = declaration_details.fetch(:file)
           declaration_file = dependency_files.find do |f|
-            declaration_details.fetch(:file) == f.name
+            declaration_filename == f.name
           end
+          throw "Unable to locate declaration file" unless declaration_file
+
+          content = T.must(declaration_file.content)
           node = declaration_details.fetch(:node)
 
-          updated_content = declaration_file.content.sub(
+          updated_content = content.sub(
             %r{(<#{Regexp.quote(node.name)}(?:\s[^>]*)?>)
                \s*#{Regexp.quote(node.content)}\s*
                </#{Regexp.quote(node.name)}>}xm,
@@ -37,21 +50,25 @@ module Dependabot
           )
 
           files = dependency_files.dup
-          files[files.index(declaration_file)] =
+          file_index = T.must(files.index(declaration_file))
+          files[file_index] =
             update_file(file: declaration_file, content: updated_content)
           files
         end
 
         private
 
+        sig { returns(T::Array[DependencyFile]) }
         attr_reader :dependency_files
 
+        sig { returns(FileParser::PropertyValueFinder) }
         def property_value_finder
           @property_value_finder ||=
-            Nuget::FileParser::PropertyValueFinder
-            .new(dependency_files: dependency_files)
+            T.let(FileParser::PropertyValueFinder
+            .new(dependency_files: dependency_files), T.nilable(FileParser::PropertyValueFinder))
         end
 
+        sig { params(file: DependencyFile, content: String).returns(DependencyFile) }
         def update_file(file:, content:)
           updated_file = file.dup
           updated_file.content = content

data/lib/dependabot/nuget/file_updater.rb

@@ -1,10 +1,11 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
 require "dependabot/dependency_file"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/nuget/native_helpers"
+require "dependabot/shared_helpers"
 require "sorbet-runtime"
 
 module Dependabot
@@ -17,6 +18,7 @@ module Dependabot
       require_relative "file_parser/dotnet_tools_json_parser"
       require_relative "file_parser/packages_config_parser"
 
+      sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
         [
           %r{^[^/]*\.([a-z]{2})?proj$},
@@ -29,32 +31,33 @@ module Dependabot
         ]
       end
 
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def updated_dependency_files
-        dependencies.each do |dependency|
-          try_update_projects(dependency) || try_update_json(dependency)
-        end
+        base_dir = T.must(dependency_files.first).directory
+        SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
+          dependencies.each do |dependency|
+            try_update_projects(dependency) || try_update_json(dependency)
+          end
+          updated_files = dependency_files.filter_map do |f|
+            updated_content = File.read(dependency_file_path(f))
+            next if updated_content == f.content
 
-        # update all with content from disk
-        updated_files = dependency_files.filter_map do |f|
-          updated_content = File.read(dependency_file_path(f))
-          next if updated_content == f.content
+            normalized_content = normalize_content(f, updated_content)
+            next if normalized_content == f.content
 
-          normalized_content = normalize_content(f, updated_content)
-          next if normalized_content == f.content
+            next if only_deleted_lines?(f.content, normalized_content)
 
-          puts "The contents of file [#{f.name}] were updated."
+            puts "The contents of file [#{f.name}] were updated."
 
-          updated_file(file: f, content: normalized_content)
+            updated_file(file: f, content: normalized_content)
+          end
+          updated_files
         end
-
-        # reset repo files
-        SharedHelpers.reset_git_repo(T.cast(repo_contents_path, String)) if repo_contents_path
-
-        updated_files
       end
 
       private
 
+      sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
       def try_update_projects(dependency)
         update_ran = T.let(false, T::Boolean)
         checked_files = Set.new
@@ -64,7 +67,7 @@ module Dependabot
           project_dependencies = project_dependencies(project_file)
           proj_path = dependency_file_path(project_file)
 
-          next unless project_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? }
+          next unless project_dependencies.any? { |dep| dep.name.casecmp(dependency.name)&.zero? }
 
           next unless repo_contents_path
 
@@ -79,16 +82,16 @@ module Dependabot
           end
           update_ran = true
         end
-
         update_ran
       end
 
+      sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
       def try_update_json(dependency)
-        if dotnet_tools_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? } ||
-           global_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? }
+        if dotnet_tools_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name)&.zero? } ||
+           global_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name)&.zero? }
 
           # We just need to feed the updater a project file, grab the first
-          project_file = project_files.first
+          project_file = T.must(project_files.first)
           proj_path = dependency_file_path(project_file)
 
           return false unless repo_contents_path
@@ -109,13 +112,14 @@ module Dependabot
         # Tests need to track how many times we call the tooling updater to ensure we don't recurse needlessly
         # Ideally we should find a way to not run this code in prod
         # (or a better way to track calls made to NativeHelpers)
-        @update_tooling_calls ||= {}
+        @update_tooling_calls ||= T.let({}, T.nilable(T::Hash[String, Integer]))
         key = proj_path + dependency.name
-        if @update_tooling_calls[key]
-          @update_tooling_calls[key] += 1
-        else
-          @update_tooling_calls[key] = 1
-        end
+        @update_tooling_calls[key] =
+          if @update_tooling_calls[key]
+            T.must(@update_tooling_calls[key]) + 1
+          else
+            1
+          end
       end
 
       # Don't call this from outside tests, we're only checking that we aren't recursing needlessly
@@ -124,6 +128,7 @@ module Dependabot
         @update_tooling_calls
       end
 
+      sig { params(project_file: Dependabot::DependencyFile).returns(T::Array[Dependabot::Dependency]) }
       def project_dependencies(project_file)
         # Collect all dependencies from the project file and associated packages.config
         dependencies = project_file_parser.dependency_set(project_file: project_file).dependencies
@@ -134,38 +139,54 @@ module Dependabot
                                                        .dependency_set.dependencies
       end
 
+      sig { params(project_file: Dependabot::DependencyFile).returns(T.nilable(Dependabot::DependencyFile)) }
       def find_packages_config(project_file)
         project_file_name = File.basename(project_file.name)
         packages_config_path = project_file.name.gsub(project_file_name, "packages.config")
         packages_config_files.find { |f| f.name == packages_config_path }
       end
 
+      sig { returns(Dependabot::Nuget::FileParser::ProjectFileParser) }
       def project_file_parser
         @project_file_parser ||=
-          FileParser::ProjectFileParser.new(
-            dependency_files: dependency_files,
-            credentials: credentials,
-            repo_contents_path: repo_contents_path
+          T.let(
+            FileParser::ProjectFileParser.new(
+              dependency_files: dependency_files,
+              credentials: credentials,
+              repo_contents_path: repo_contents_path
+            ),
+            T.nilable(Dependabot::Nuget::FileParser::ProjectFileParser)
           )
       end
 
+      sig { returns(T::Array[Dependabot::Dependency]) }
       def global_json_dependencies
         return [] unless global_json
 
         @global_json_dependencies ||=
-          FileParser::GlobalJsonParser.new(global_json: global_json).dependency_set.dependencies
+          T.let(
+            FileParser::GlobalJsonParser.new(global_json: T.must(global_json)).dependency_set.dependencies,
+            T.nilable(T::Array[Dependabot::Dependency])
+          )
       end
 
+      sig { returns(T::Array[Dependabot::Dependency]) }
       def dotnet_tools_json_dependencies
         return [] unless dotnet_tools_json
 
         @dotnet_tools_json_dependencies ||=
-          FileParser::DotNetToolsJsonParser.new(dotnet_tools_json: dotnet_tools_json).dependency_set.dependencies
+          T.let(
+            FileParser::DotNetToolsJsonParser.new(dotnet_tools_json: T.must(dotnet_tools_json))
+                                             .dependency_set.dependencies,
+            T.nilable(T::Array[Dependabot::Dependency])
+          )
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(dependency_file: Dependabot::DependencyFile, updated_content: String).returns(String) }
       def normalize_content(dependency_file, updated_content)
         # Fix up line endings
-        if dependency_file.content.include?("\r\n") && updated_content.match?(/(?<!\r)\n/)
+        if dependency_file.content&.include?("\r\n") && updated_content.match?(/(?<!\r)\n/)
           # The original content contain windows style newlines.
           # Ensure the updated content also uses windows style newlines.
           updated_content = updated_content.gsub(/(?<!\r)\n/, "\r\n")
@@ -178,19 +199,21 @@ module Dependabot
         end
 
         # Fix up BOM
-        if !dependency_file.content.start_with?("\uFEFF") && updated_content.start_with?("\uFEFF")
+        if !dependency_file.content&.start_with?("\uFEFF") && updated_content.start_with?("\uFEFF")
           updated_content = updated_content.delete_prefix("\uFEFF")
           puts "Removing BOM from [#{dependency_file.name}]."
-        elsif dependency_file.content.start_with?("\uFEFF") && !updated_content.start_with?("\uFEFF")
+        elsif dependency_file.content&.start_with?("\uFEFF") && !updated_content.start_with?("\uFEFF")
           updated_content = "\uFEFF" + updated_content
           puts "Adding BOM to [#{dependency_file.name}]."
         end
 
         updated_content
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
+      sig { params(dependency_file: Dependabot::DependencyFile).returns(String) }
       def dependency_file_path(dependency_file)
-        if dependency_file.directory.start_with?(repo_contents_path)
+        if dependency_file.directory.start_with?(T.must(repo_contents_path))
           File.join(dependency_file.directory, dependency_file.name)
         else
           file_directory = dependency_file.directory
@@ -199,29 +222,42 @@ module Dependabot
         end
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def project_files
         dependency_files.select { |df| df.name.match?(/\.([a-z]{2})?proj$/) }
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def packages_config_files
         dependency_files.select do |f|
           T.must(T.must(f.name.split("/").last).casecmp("packages.config")).zero?
         end
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def global_json
         dependency_files.find { |f| T.must(f.name.casecmp("global.json")).zero? }
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def dotnet_tools_json
         dependency_files.find { |f| T.must(f.name.casecmp(".config/dotnet-tools.json")).zero? }
       end
 
+      sig { override.void }
       def check_required_files
         return if project_files.any? || packages_config_files.any?
 
         raise "No project file or packages.config!"
       end
+
+      sig { params(original_content: T.nilable(String), updated_content: String).returns(T::Boolean) }
+      def only_deleted_lines?(original_content, updated_content)
+        original_lines = original_content&.lines || []
+        updated_lines = updated_content.lines
+
+        original_lines.count > updated_lines.count
+      end
     end
   end
 end

data/lib/dependabot/nuget/http_response_helpers.rb

@@ -1,9 +1,14 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module Nuget
     module HttpResponseHelpers
+      extend T::Sig
+
+      sig { params(string: String).returns(String) }
       def self.remove_wrapping_zero_width_chars(string)
         string.force_encoding("UTF-8").encode
               .gsub(/\A[\u200B-\u200D\uFEFF]/, "")

data/lib/dependabot/nuget/metadata_finder.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -12,13 +12,28 @@ module Dependabot
     class MetadataFinder < Dependabot::MetadataFinders::Base
       extend T::Sig
 
+      sig do
+        override
+          .params(
+            dependency: Dependabot::Dependency,
+            credentials: T::Array[Dependabot::Credential]
+          )
+          .void
+      end
+      def initialize(dependency:, credentials:)
+        @dependency_nuspec_file = T.let(nil, T.nilable(Nokogiri::XML::Document))
+
+        super
+      end
+
       private
 
+      sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
         return Source.from_url(dependency_source_url) if dependency_source_url
 
         if dependency_nuspec_file
-          src_repo = look_up_source_in_nuspec(dependency_nuspec_file)
+          src_repo = look_up_source_in_nuspec(T.must(dependency_nuspec_file))
           return src_repo if src_repo
         end
 
@@ -33,6 +48,7 @@ module Dependabot
         nil
       end
 
+      sig { returns(T.nilable(Dependabot::Source)) }
       def src_repo_from_project
         source = dependency.requirements.find { |r| r.fetch(:source) }&.fetch(:source)
         return unless source
@@ -60,6 +76,7 @@ module Dependabot
         # Ignored, this is expected for some registries that don't handle these request.
       end
 
+      sig { params(body: String).returns(T.nilable(String)) }
       def extract_search_url(body)
         JSON.parse(body)
             .fetch("resources", [])
@@ -67,6 +84,7 @@ module Dependabot
             &.fetch("@id")
       end
 
+      sig { params(body: String).returns(T.nilable(Dependabot::Source)) }
       def extract_source_repo(body)
         JSON.parse(body).fetch("data", []).each do |search_result|
           next unless search_result["id"].casecmp(dependency.name).zero?
@@ -84,6 +102,7 @@ module Dependabot
         nil
       end
 
+      sig { params(nuspec: Nokogiri::XML::Document).returns(T.nilable(Dependabot::Source)) }
       def look_up_source_in_nuspec(nuspec)
         potential_source_urls = [
           nuspec.at_css("package > metadata > repository")
@@ -99,6 +118,7 @@ module Dependabot
         Source.from_url(source_url)
       end
 
+      sig { params(nuspec: Nokogiri::XML::Document).returns(T.nilable(String)) }
       def source_from_anywhere_in_nuspec(nuspec)
         github_urls = []
         nuspec.to_s.force_encoding(Encoding::UTF_8)
@@ -112,19 +132,21 @@ module Dependabot
         end
       end
 
+      sig { returns(T.nilable(Nokogiri::XML::Document)) }
       def dependency_nuspec_file
         return @dependency_nuspec_file unless @dependency_nuspec_file.nil?
 
         return if dependency_nuspec_url.nil?
 
         response = Dependabot::RegistryClient.get(
-          url: dependency_nuspec_url,
+          url: T.must(dependency_nuspec_url),
           headers: auth_header
         )
 
         @dependency_nuspec_file = Nokogiri::XML(response.body)
       end
 
+      sig { returns(T.nilable(String)) }
       def dependency_nuspec_url
         source = dependency.requirements
                            .find { |r| r.fetch(:source) }&.fetch(:source)
@@ -132,6 +154,7 @@ module Dependabot
         source.fetch(:nuspec_url) if source&.key?(:nuspec_url)
       end
 
+      sig { returns(T.nilable(String)) }
       def dependency_source_url
         source = dependency.requirements
                            .find { |r| r.fetch(:source) }&.fetch(:source)
@@ -143,6 +166,7 @@ module Dependabot
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { returns(T::Hash[String, String]) }
       def auth_header
         source = dependency.requirements
                            .find { |r| r.fetch(:source) }&.fetch(:source)

data/lib/dependabot/nuget/nuget_client.rb

@@ -21,11 +21,33 @@ module Dependabot
           get_package_versions_v3(dependency_name, repository_details)
         elsif repository_type == "v2"
           get_package_versions_v2(dependency_name, repository_details)
+        elsif repository_type == "local"
+          get_package_versions_local(dependency_name, repository_details)
         else
           raise "Unknown repository type: #{repository_type}"
         end
       end
 
+      sig do
+        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
+          .returns(T.nilable(T::Set[String]))
+      end
+      private_class_method def self.get_package_versions_local(dependency_name, repository_details)
+        url = repository_details.fetch(:base_url)
+        raise "Local repo #{url} doesn't exist or isn't a directory" unless File.exist?(url) && File.directory?(url)
+
+        package_dir = File.join(url, dependency_name)
+
+        versions = Set.new
+        return versions unless File.exist?(package_dir) && File.directory?(package_dir)
+
+        Dir.each_child(package_dir) do |child|
+          versions.add(child) if File.directory?(File.join(package_dir, child))
+        end
+
+        versions
+      end
+
       sig do
         params(dependency_name: String, repository_details: T::Hash[Symbol, String])
           .returns(T.nilable(T::Set[String]))
@@ -133,6 +155,7 @@ module Dependabot
             &.find { |d| d.fetch("id").casecmp(dependency_name.downcase).zero? }
             &.fetch("versions")
             &.map { |d| d.fetch("version") }
+            &.to_set
       end
 
       sig do

data/lib/dependabot/nuget/requirement.rb

@@ -60,6 +60,7 @@ module Dependabot
         convert_wildcard_req(req_string)
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
       def convert_dotnet_range_to_ruby_range(req_string)
         lower_b, upper_b = req_string.split(",").map(&:strip).map do |bound|
           next convert_range_wildcard_req(bound) if bound.include?("*")
@@ -75,7 +76,8 @@ module Dependabot
           end
 
         upper_b =
-          if [")", "]"].include?(upper_b) then nil
+          if !upper_b then nil
+          elsif [")", "]"].include?(upper_b) then nil
           elsif upper_b.end_with?(")") then "< #{upper_b.sub(/\s*\)/, '')}"
           else
             "<= #{upper_b.sub(/\s*\]/, '').strip}"
@@ -83,6 +85,7 @@ module Dependabot
 
         [lower_b, upper_b].compact
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
       def convert_range_wildcard_req(req_string)
         range_end = req_string[-1]

data/lib/dependabot/nuget/update_checker/compatibility_checker.rb

@@ -66,23 +66,34 @@ module Dependabot
       end
 
       def fetch_package_tfms(dependency_version)
-        nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
-        return [] unless nupkg_buffer
-
-        # Parse tfms from the folders beneath the lib folder
-        folder_name = "lib/"
-        tfms = Set.new
-        Zip::File.open_buffer(nupkg_buffer) do |zip|
-          lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
-          # If there is no lib folder in this package, assume it is a development dependency
-          return nil if lib_file_entries.empty?
-
-          lib_file_entries.each do |entry|
-            _, tfm = entry.name.split("/").first(2)
-            tfms << tfm
+        cache = CacheManager.cache("compatibility_checker_tfms_cache")
+        key = "#{dependency.name}::#{dependency_version}"
+
+        cache[key] ||= begin
+          nupkg_buffer = NupkgFetcher.fetch_nupkg_buffer(dependency_urls, dependency.name, dependency_version)
+          return [] unless nupkg_buffer
+
+          # Parse tfms from the folders beneath the lib folder
+          folder_name = "lib/"
+          tfms = Set.new
+          Zip::File.open_buffer(nupkg_buffer) do |zip|
+            lib_file_entries = zip.select { |entry| entry.name.start_with?(folder_name) }
+            # If there is no lib folder in this package, assume it is a development dependency
+            return nil if lib_file_entries.empty?
+
+            lib_file_entries.each do |entry|
+              _, tfm = entry.name.split("/").first(2)
+
+              # some zip compressors create empty directory entries (in this case `lib/`) which can cause the string
+              # split to return `nil`, so we have to explicitly guard against that
+              tfms << tfm if tfm
+            end
           end
+
+          tfms.to_a
         end
-        tfms.to_a
+
+        cache[key]
       end
     end
   end

data/lib/dependabot/nuget/update_checker/nupkg_fetcher.rb

@@ -111,25 +111,19 @@ module Dependabot
         current_redirects = 0
 
         loop do
-          connection = Excon.new(current_url, persistent: true)
-
-          package_data = StringIO.new
-          response_block = lambda do |chunk, _remaining_bytes, _total_bytes|
-            package_data.write(chunk)
-          end
-
-          response = connection.request(
-            method: :get,
+          # Directly download the stream without any additional settings _except_ for `omit_default_port: true` which
+          # is necessary to not break the URL signing that some NuGet feeds use.
+          response = Excon.get(
+            current_url,
             headers: auth_header,
-            response_block: response_block
+            omit_default_port: true
           )
 
           # redirect the HTTP response as appropriate based on documentation here:
           # https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections
           case response.status
           when 200
-            package_data.rewind
-            return package_data
+            return response.body
           when 301, 302, 303, 307, 308
             current_redirects += 1
             return nil if current_redirects > max_redirects
@@ -142,10 +136,14 @@ module Dependabot
       end
 
       def self.fetch_url(url, repository_details)
+        fetch_url_with_auth(url, repository_details.fetch(:auth_header))
+      end
+
+      def self.fetch_url_with_auth(url, auth_header)
         cache = CacheManager.cache("nupkg_fetcher_cache")
         cache[url] ||= Dependabot::RegistryClient.get(
           url: url,
-          headers: repository_details.fetch(:auth_header)
+          headers: auth_header
         )
 
         cache[url]