dependabot-nuget 0.246.0 → 0.248.0

data/lib/dependabot/nuget/file_updater/property_value_updater.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -11,25 +11,38 @@ module Dependabot
   module Nuget
     class FileUpdater
       class PropertyValueUpdater
+        extend T::Sig
+
+        sig { params(dependency_files: T::Array[Dependabot::DependencyFile]).void }
         def initialize(dependency_files:)
           @dependency_files = dependency_files
         end
 
+        sig do
+          params(property_name: String,
+                 updated_value: String,
+                 callsite_file: Dependabot::DependencyFile)
+            .returns(T::Array[Dependabot::DependencyFile])
+        end
         def update_files_for_property_change(property_name:, updated_value:,
                                              callsite_file:)
           declaration_details =
-            property_value_finder
-            .property_details(
+            property_value_finder.property_details(
               property_name: property_name,
               callsite_file: callsite_file
             )
+          throw "Unable to locate property details" unless declaration_details
 
+          declaration_filename = declaration_details.fetch(:file)
           declaration_file = dependency_files.find do |f|
-            declaration_details.fetch(:file) == f.name
+            declaration_filename == f.name
           end
+          throw "Unable to locate declaration file" unless declaration_file
+
+          content = T.must(declaration_file.content)
           node = declaration_details.fetch(:node)
 
-          updated_content = declaration_file.content.sub(
+          updated_content = content.sub(
             %r{(<#{Regexp.quote(node.name)}(?:\s[^>]*)?>)
                \s*#{Regexp.quote(node.content)}\s*
                </#{Regexp.quote(node.name)}>}xm,
@@ -37,21 +50,25 @@ module Dependabot
           )
 
           files = dependency_files.dup
-          files[files.index(declaration_file)] =
+          file_index = T.must(files.index(declaration_file))
+          files[file_index] =
             update_file(file: declaration_file, content: updated_content)
           files
         end
 
         private
 
+        sig { returns(T::Array[DependencyFile]) }
         attr_reader :dependency_files
 
+        sig { returns(FileParser::PropertyValueFinder) }
         def property_value_finder
           @property_value_finder ||=
-            Nuget::FileParser::PropertyValueFinder
-            .new(dependency_files: dependency_files)
+            T.let(FileParser::PropertyValueFinder
+            .new(dependency_files: dependency_files), T.nilable(FileParser::PropertyValueFinder))
         end
 
+        sig { params(file: DependencyFile, content: String).returns(DependencyFile) }
         def update_file(file:, content:)
           updated_file = file.dup
           updated_file.content = content

data/lib/dependabot/nuget/file_updater.rb

@@ -1,10 +1,11 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
 require "dependabot/dependency_file"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/nuget/native_helpers"
+require "dependabot/shared_helpers"
 require "sorbet-runtime"
 
 module Dependabot
@@ -17,6 +18,7 @@ module Dependabot
       require_relative "file_parser/dotnet_tools_json_parser"
       require_relative "file_parser/packages_config_parser"
 
+      sig { override.returns(T::Array[Regexp]) }
       def self.updated_files_regex
         [
           %r{^[^/]*\.([a-z]{2})?proj$},
@@ -29,32 +31,33 @@ module Dependabot
         ]
       end
 
+      sig { override.returns(T::Array[Dependabot::DependencyFile]) }
       def updated_dependency_files
-        dependencies.each do |dependency|
-          try_update_projects(dependency) || try_update_json(dependency)
-        end
+        base_dir = T.must(dependency_files.first).directory
+        SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
+          dependencies.each do |dependency|
+            try_update_projects(dependency) || try_update_json(dependency)
+          end
+          updated_files = dependency_files.filter_map do |f|
+            updated_content = File.read(dependency_file_path(f))
+            next if updated_content == f.content
 
-        # update all with content from disk
-        updated_files = dependency_files.filter_map do |f|
-          updated_content = File.read(dependency_file_path(f))
-          next if updated_content == f.content
+            normalized_content = normalize_content(f, updated_content)
+            next if normalized_content == f.content
 
-          normalized_content = normalize_content(f, updated_content)
-          next if normalized_content == f.content
+            next if only_deleted_lines?(f.content, normalized_content)
 
-          puts "The contents of file [#{f.name}] were updated."
+            puts "The contents of file [#{f.name}] were updated."
 
-          updated_file(file: f, content: normalized_content)
+            updated_file(file: f, content: normalized_content)
+          end
+          updated_files
         end
-
-        # reset repo files
-        SharedHelpers.reset_git_repo(T.cast(repo_contents_path, String)) if repo_contents_path
-
-        updated_files
       end
 
       private
 
+      sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
       def try_update_projects(dependency)
         update_ran = T.let(false, T::Boolean)
         checked_files = Set.new
@@ -64,7 +67,7 @@ module Dependabot
           project_dependencies = project_dependencies(project_file)
           proj_path = dependency_file_path(project_file)
 
-          next unless project_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? }
+          next unless project_dependencies.any? { |dep| dep.name.casecmp(dependency.name)&.zero? }
 
           next unless repo_contents_path
 
@@ -79,16 +82,16 @@ module Dependabot
           end
           update_ran = true
         end
-
         update_ran
       end
 
+      sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
       def try_update_json(dependency)
-        if dotnet_tools_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? } ||
-           global_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name).zero? }
+        if dotnet_tools_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name)&.zero? } ||
+           global_json_dependencies.any? { |dep| dep.name.casecmp(dependency.name)&.zero? }
 
           # We just need to feed the updater a project file, grab the first
-          project_file = project_files.first
+          project_file = T.must(project_files.first)
           proj_path = dependency_file_path(project_file)
 
           return false unless repo_contents_path
@@ -109,13 +112,14 @@ module Dependabot
         # Tests need to track how many times we call the tooling updater to ensure we don't recurse needlessly
         # Ideally we should find a way to not run this code in prod
         # (or a better way to track calls made to NativeHelpers)
-        @update_tooling_calls ||= {}
+        @update_tooling_calls ||= T.let({}, T.nilable(T::Hash[String, Integer]))
         key = proj_path + dependency.name
-        if @update_tooling_calls[key]
-          @update_tooling_calls[key] += 1
-        else
-          @update_tooling_calls[key] = 1
-        end
+        @update_tooling_calls[key] =
+          if @update_tooling_calls[key]
+            T.must(@update_tooling_calls[key]) + 1
+          else
+            1
+          end
       end
 
       # Don't call this from outside tests, we're only checking that we aren't recursing needlessly
@@ -124,6 +128,7 @@ module Dependabot
         @update_tooling_calls
       end
 
+      sig { params(project_file: Dependabot::DependencyFile).returns(T::Array[Dependabot::Dependency]) }
       def project_dependencies(project_file)
         # Collect all dependencies from the project file and associated packages.config
         dependencies = project_file_parser.dependency_set(project_file: project_file).dependencies
@@ -134,38 +139,54 @@ module Dependabot
                                                        .dependency_set.dependencies
       end
 
+      sig { params(project_file: Dependabot::DependencyFile).returns(T.nilable(Dependabot::DependencyFile)) }
       def find_packages_config(project_file)
         project_file_name = File.basename(project_file.name)
         packages_config_path = project_file.name.gsub(project_file_name, "packages.config")
         packages_config_files.find { |f| f.name == packages_config_path }
       end
 
+      sig { returns(Dependabot::Nuget::FileParser::ProjectFileParser) }
       def project_file_parser
         @project_file_parser ||=
-          FileParser::ProjectFileParser.new(
-            dependency_files: dependency_files,
-            credentials: credentials,
-            repo_contents_path: repo_contents_path
+          T.let(
+            FileParser::ProjectFileParser.new(
+              dependency_files: dependency_files,
+              credentials: credentials,
+              repo_contents_path: repo_contents_path
+            ),
+            T.nilable(Dependabot::Nuget::FileParser::ProjectFileParser)
           )
       end
 
+      sig { returns(T::Array[Dependabot::Dependency]) }
       def global_json_dependencies
         return [] unless global_json
 
         @global_json_dependencies ||=
-          FileParser::GlobalJsonParser.new(global_json: global_json).dependency_set.dependencies
+          T.let(
+            FileParser::GlobalJsonParser.new(global_json: T.must(global_json)).dependency_set.dependencies,
+            T.nilable(T::Array[Dependabot::Dependency])
+          )
       end
 
+      sig { returns(T::Array[Dependabot::Dependency]) }
       def dotnet_tools_json_dependencies
         return [] unless dotnet_tools_json
 
         @dotnet_tools_json_dependencies ||=
-          FileParser::DotNetToolsJsonParser.new(dotnet_tools_json: dotnet_tools_json).dependency_set.dependencies
+          T.let(
+            FileParser::DotNetToolsJsonParser.new(dotnet_tools_json: T.must(dotnet_tools_json))
+                                             .dependency_set.dependencies,
+            T.nilable(T::Array[Dependabot::Dependency])
+          )
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(dependency_file: Dependabot::DependencyFile, updated_content: String).returns(String) }
       def normalize_content(dependency_file, updated_content)
         # Fix up line endings
-        if dependency_file.content.include?("\r\n") && updated_content.match?(/(?<!\r)\n/)
+        if dependency_file.content&.include?("\r\n") && updated_content.match?(/(?<!\r)\n/)
           # The original content contain windows style newlines.
           # Ensure the updated content also uses windows style newlines.
           updated_content = updated_content.gsub(/(?<!\r)\n/, "\r\n")
@@ -178,19 +199,21 @@ module Dependabot
         end
 
         # Fix up BOM
-        if !dependency_file.content.start_with?("\uFEFF") && updated_content.start_with?("\uFEFF")
+        if !dependency_file.content&.start_with?("\uFEFF") && updated_content.start_with?("\uFEFF")
           updated_content = updated_content.delete_prefix("\uFEFF")
           puts "Removing BOM from [#{dependency_file.name}]."
-        elsif dependency_file.content.start_with?("\uFEFF") && !updated_content.start_with?("\uFEFF")
+        elsif dependency_file.content&.start_with?("\uFEFF") && !updated_content.start_with?("\uFEFF")
           updated_content = "\uFEFF" + updated_content
           puts "Adding BOM to [#{dependency_file.name}]."
         end
 
         updated_content
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
+      sig { params(dependency_file: Dependabot::DependencyFile).returns(String) }
       def dependency_file_path(dependency_file)
-        if dependency_file.directory.start_with?(repo_contents_path)
+        if dependency_file.directory.start_with?(T.must(repo_contents_path))
           File.join(dependency_file.directory, dependency_file.name)
         else
           file_directory = dependency_file.directory
@@ -199,29 +222,42 @@ module Dependabot
         end
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def project_files
         dependency_files.select { |df| df.name.match?(/\.([a-z]{2})?proj$/) }
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def packages_config_files
         dependency_files.select do |f|
           T.must(T.must(f.name.split("/").last).casecmp("packages.config")).zero?
         end
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def global_json
         dependency_files.find { |f| T.must(f.name.casecmp("global.json")).zero? }
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def dotnet_tools_json
         dependency_files.find { |f| T.must(f.name.casecmp(".config/dotnet-tools.json")).zero? }
       end
 
+      sig { override.void }
       def check_required_files
         return if project_files.any? || packages_config_files.any?
 
         raise "No project file or packages.config!"
       end
+
+      sig { params(original_content: T.nilable(String), updated_content: String).returns(T::Boolean) }
+      def only_deleted_lines?(original_content, updated_content)
+        original_lines = original_content&.lines || []
+        updated_lines = updated_content.lines
+
+        original_lines.count > updated_lines.count
+      end
     end
   end
 end

data/lib/dependabot/nuget/http_response_helpers.rb

@@ -1,9 +1,14 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module Nuget
     module HttpResponseHelpers
+      extend T::Sig
+
+      sig { params(string: String).returns(String) }
       def self.remove_wrapping_zero_width_chars(string)
         string.force_encoding("UTF-8").encode
               .gsub(/\A[\u200B-\u200D\uFEFF]/, "")

data/lib/dependabot/nuget/metadata_finder.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
@@ -12,13 +12,28 @@ module Dependabot
     class MetadataFinder < Dependabot::MetadataFinders::Base
       extend T::Sig
 
+      sig do
+        override
+          .params(
+            dependency: Dependabot::Dependency,
+            credentials: T::Array[Dependabot::Credential]
+          )
+          .void
+      end
+      def initialize(dependency:, credentials:)
+        @dependency_nuspec_file = T.let(nil, T.nilable(Nokogiri::XML::Document))
+
+        super
+      end
+
       private
 
+      sig { override.returns(T.nilable(Dependabot::Source)) }
       def look_up_source
         return Source.from_url(dependency_source_url) if dependency_source_url
 
         if dependency_nuspec_file
-          src_repo = look_up_source_in_nuspec(dependency_nuspec_file)
+          src_repo = look_up_source_in_nuspec(T.must(dependency_nuspec_file))
           return src_repo if src_repo
         end
 
@@ -33,6 +48,7 @@ module Dependabot
         nil
       end
 
+      sig { returns(T.nilable(Dependabot::Source)) }
       def src_repo_from_project
         source = dependency.requirements.find { |r| r.fetch(:source) }&.fetch(:source)
         return unless source
@@ -60,6 +76,7 @@ module Dependabot
         # Ignored, this is expected for some registries that don't handle these request.
       end
 
+      sig { params(body: String).returns(T.nilable(String)) }
       def extract_search_url(body)
         JSON.parse(body)
             .fetch("resources", [])
@@ -67,6 +84,7 @@ module Dependabot
             &.fetch("@id")
       end
 
+      sig { params(body: String).returns(T.nilable(Dependabot::Source)) }
       def extract_source_repo(body)
         JSON.parse(body).fetch("data", []).each do |search_result|
           next unless search_result["id"].casecmp(dependency.name).zero?
@@ -84,6 +102,7 @@ module Dependabot
         nil
       end
 
+      sig { params(nuspec: Nokogiri::XML::Document).returns(T.nilable(Dependabot::Source)) }
       def look_up_source_in_nuspec(nuspec)
         potential_source_urls = [
           nuspec.at_css("package > metadata > repository")
@@ -99,6 +118,7 @@ module Dependabot
         Source.from_url(source_url)
       end
 
+      sig { params(nuspec: Nokogiri::XML::Document).returns(T.nilable(String)) }
       def source_from_anywhere_in_nuspec(nuspec)
         github_urls = []
         nuspec.to_s.force_encoding(Encoding::UTF_8)
@@ -112,19 +132,21 @@ module Dependabot
         end
       end
 
+      sig { returns(T.nilable(Nokogiri::XML::Document)) }
       def dependency_nuspec_file
         return @dependency_nuspec_file unless @dependency_nuspec_file.nil?
 
         return if dependency_nuspec_url.nil?
 
         response = Dependabot::RegistryClient.get(
-          url: dependency_nuspec_url,
+          url: T.must(dependency_nuspec_url),
           headers: auth_header
         )
 
         @dependency_nuspec_file = Nokogiri::XML(response.body)
       end
 
+      sig { returns(T.nilable(String)) }
       def dependency_nuspec_url
         source = dependency.requirements
                            .find { |r| r.fetch(:source) }&.fetch(:source)
@@ -132,6 +154,7 @@ module Dependabot
         source.fetch(:nuspec_url) if source&.key?(:nuspec_url)
       end
 
+      sig { returns(T.nilable(String)) }
       def dependency_source_url
         source = dependency.requirements
                            .find { |r| r.fetch(:source) }&.fetch(:source)
@@ -143,6 +166,7 @@ module Dependabot
       end
 
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { returns(T::Hash[String, String]) }
       def auth_header
         source = dependency.requirements
                            .find { |r| r.fetch(:source) }&.fetch(:source)

data/lib/dependabot/nuget/nuget_client.rb

@@ -21,11 +21,33 @@ module Dependabot
           get_package_versions_v3(dependency_name, repository_details)
         elsif repository_type == "v2"
           get_package_versions_v2(dependency_name, repository_details)
+        elsif repository_type == "local"
+          get_package_versions_local(dependency_name, repository_details)
         else
           raise "Unknown repository type: #{repository_type}"
         end
       end
 
+      sig do
+        params(dependency_name: String, repository_details: T::Hash[Symbol, String])
+          .returns(T.nilable(T::Set[String]))
+      end
+      private_class_method def self.get_package_versions_local(dependency_name, repository_details)
+        url = repository_details.fetch(:base_url)
+        raise "Local repo #{url} doesn't exist or isn't a directory" unless File.exist?(url) && File.directory?(url)
+
+        package_dir = File.join(url, dependency_name)
+
+        versions = Set.new
+        return versions unless File.exist?(package_dir) && File.directory?(package_dir)
+
+        Dir.each_child(package_dir) do |child|
+          versions.add(child) if File.directory?(File.join(package_dir, child))
+        end
+
+        versions
+      end
+
       sig do
         params(dependency_name: String, repository_details: T::Hash[Symbol, String])
           .returns(T.nilable(T::Set[String]))
@@ -133,6 +155,7 @@ module Dependabot
             &.find { |d| d.fetch("id").casecmp(dependency_name.downcase).zero? }
             &.fetch("versions")
             &.map { |d| d.fetch("version") }
+            &.to_set
       end
 
       sig do

data/lib/dependabot/nuget/nuget_config_credential_helpers.rb

@@ -1,18 +1,25 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 module Dependabot
   module Nuget
     module NuGetConfigCredentialHelpers
+      extend T::Sig
+
+      sig { returns(String) }
       def self.user_nuget_config_path
         home_directory = Dir.home
         File.join(home_directory, ".nuget", "NuGet", "NuGet.Config")
       end
 
+      sig { returns(String) }
       def self.temporary_nuget_config_path
         user_nuget_config_path + "_ORIGINAL"
       end
 
+      sig { params(credentials: T::Array[Dependabot::Credential]).void }
       def self.add_credentials_to_nuget_config(credentials)
         return unless File.exist?(user_nuget_config_path)
 
@@ -48,6 +55,7 @@ module Dependabot
         File.write(user_nuget_config_path, nuget_config)
       end
 
+      sig { void }
       def self.restore_user_nuget_config
         return unless File.exist?(temporary_nuget_config_path)
 
@@ -55,6 +63,7 @@ module Dependabot
         File.rename(temporary_nuget_config_path, user_nuget_config_path)
       end
 
+      sig { params(credentials: T::Array[Dependabot::Credential], _block: T.proc.void).void }
       def self.patch_nuget_config_for_action(credentials, &_block)
         add_credentials_to_nuget_config(credentials)
         begin

data/lib/dependabot/nuget/requirement.rb

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "sorbet-runtime"
@@ -12,6 +12,9 @@ require "dependabot/nuget/version"
 module Dependabot
   module Nuget
     class Requirement < Dependabot::Requirement
+      extend T::Sig
+
+      sig { override.params(obj: T.any(Gem::Version, String)).returns([String, Gem::Version]) }
       def self.parse(obj)
         return ["=", Nuget::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
 
@@ -28,11 +31,12 @@ module Dependabot
       # For consistency with other languages, we define a requirements array.
       # Dotnet doesn't have an `OR` separator for requirements, so it always
       # contains a single element.
-      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
+      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Dependabot::Requirement]) }
       def self.requirements_array(requirement_string)
         [new(requirement_string)]
       end
 
+      sig { params(requirements: T.any(T.nilable(String), T::Array[T.nilable(String)])).void }
       def initialize(*requirements)
         requirements = requirements.flatten.flat_map do |req_string|
           convert_dotnet_constraint_to_ruby_constraint(req_string)
@@ -41,6 +45,7 @@ module Dependabot
         super(requirements)
       end
 
+      sig { override.params(version: Gem::Version).returns(T::Boolean) }
       def satisfied_by?(version)
         version = Nuget::Version.new(version.to_s)
         super
@@ -48,10 +53,11 @@ module Dependabot
 
       private
 
+      sig { params(req_string: T.nilable(String)).returns(T.nilable(T.any(String, T::Array[String]))) }
       def convert_dotnet_constraint_to_ruby_constraint(req_string)
         return unless req_string
 
-        return convert_dotnet_range_to_ruby_range(req_string) if req_string&.start_with?("(", "[")
+        return convert_dotnet_range_to_ruby_range(req_string) if req_string.start_with?("(", "[")
 
         return req_string.split(",").map(&:strip) if req_string.include?(",")
 
@@ -60,6 +66,8 @@ module Dependabot
         convert_wildcard_req(req_string)
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(req_string: String).returns(T::Array[String]) }
       def convert_dotnet_range_to_ruby_range(req_string)
         lower_b, upper_b = req_string.split(",").map(&:strip).map do |bound|
           next convert_range_wildcard_req(bound) if bound.include?("*")
@@ -69,13 +77,14 @@ module Dependabot
 
         lower_b =
           if ["(", "["].include?(lower_b) then nil
-          elsif lower_b.start_with?("(") then "> #{lower_b.sub(/\(\s*/, '')}"
+          elsif T.must(lower_b).start_with?("(") then "> #{T.must(lower_b).sub(/\(\s*/, '')}"
           else
-            ">= #{lower_b.sub(/\[\s*/, '').strip}"
+            ">= #{T.must(lower_b).sub(/\[\s*/, '').strip}"
           end
 
         upper_b =
-          if [")", "]"].include?(upper_b) then nil
+          if !upper_b then nil
+          elsif [")", "]"].include?(upper_b) then nil
           elsif upper_b.end_with?(")") then "< #{upper_b.sub(/\s*\)/, '')}"
           else
             "<= #{upper_b.sub(/\s*\]/, '').strip}"
@@ -83,21 +92,24 @@ module Dependabot
 
         [lower_b, upper_b].compact
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
+      sig { params(req_string: String).returns(String) }
       def convert_range_wildcard_req(req_string)
-        range_end = req_string[-1]
-        defined_part = req_string.split("*").first
+        range_end = T.must(req_string[-1])
+        defined_part = T.must(req_string.split("*").first)
         version = defined_part + "0"
         version += range_end if [")", "]"].include?(range_end)
         version
       end
 
+      sig { params(req_string: String).returns(String) }
       def convert_wildcard_req(req_string)
         return ">= 0-a" if req_string == "*-*"
 
         return ">= 0" if req_string.start_with?("*")
 
-        defined_part = req_string.split("*").first
+        defined_part = T.must(req_string.split("*").first)
         suffix = defined_part.end_with?(".") ? "0" : "a"
         version = defined_part + suffix
         "~> #{version}"