dependabot-nuget 0.247.0 → 0.249.0

data/lib/dependabot/nuget/update_checker/dependency_finder.rb

@@ -1,9 +1,11 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
-require "zip"
+require "sorbet-runtime"
 require "stringio"
+require "zip"
+
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/version"
 
@@ -11,21 +13,34 @@ module Dependabot
   module Nuget
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class DependencyFinder
+        extend T::Sig
+
         require_relative "requirements_updater"
         require_relative "nuspec_fetcher"
 
+        sig { returns(T::Hash[String, T.untyped]) }
         def self.transitive_dependencies_cache
           CacheManager.cache("dependency_finder_transitive_dependencies")
         end
 
+        sig { returns(T::Hash[String, T.untyped]) }
         def self.updated_peer_dependencies_cache
           CacheManager.cache("dependency_finder_updated_peer_dependencies")
         end
 
+        sig { returns(T::Hash[String, T.untyped]) }
         def self.fetch_dependencies_cache
           CacheManager.cache("dependency_finder_fetch_dependencies")
         end
 
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            repo_contents_path: T.nilable(String)
+          ).void
+        end
         def initialize(dependency:, dependency_files:, credentials:, repo_contents_path:)
           @dependency             = dependency
           @dependency_files       = dependency_files
@@ -33,6 +48,7 @@ module Dependabot
           @repo_contents_path     = repo_contents_path
         end
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
         def transitive_dependencies
           key = "#{dependency.name.downcase}::#{dependency.version}"
           cache = DependencyFinder.transitive_dependencies_cache
@@ -44,7 +60,7 @@ module Dependabot
 
               cache[key] = fetch_transitive_dependencies(
                 @dependency.name,
-                @dependency.version
+                T.must(@dependency.version)
               ).map do |dependency_info|
                 package_name = dependency_info["packageName"]
                 target_version = dependency_info["version"]
@@ -65,13 +81,14 @@ module Dependabot
           cache[key]
         end
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
         def updated_peer_dependencies
           key = "#{dependency.name.downcase}::#{dependency.version}"
           cache = DependencyFinder.updated_peer_dependencies_cache
 
           cache[key] ||= fetch_transitive_dependencies(
             @dependency.name,
-            @dependency.version
+            T.must(@dependency.version)
           ).filter_map do |dependency_info|
             package_name = dependency_info["packageName"]
             target_version = dependency_info["version"]
@@ -104,48 +121,79 @@ module Dependabot
 
         private
 
-        attr_reader :dependency, :dependency_files, :credentials, :repo_contents_path
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
 
+        sig { returns(T.nilable(String)) }
+        attr_reader :repo_contents_path
+
+        sig do
+          params(
+            dep: Dependabot::Dependency,
+            target_version_details: T::Hash[Symbol, T.untyped]
+          )
+            .returns(T::Array[T::Hash[String, T.untyped]])
+        end
         def updated_requirements(dep, target_version_details)
-          @updated_requirements ||= {}
+          @updated_requirements ||= T.let({}, T.nilable(T::Hash[String, T.untyped]))
           @updated_requirements[dep.name] ||=
             RequirementsUpdater.new(
               requirements: dep.requirements,
               latest_version: target_version_details.fetch(:version).to_s,
-              source_details: target_version_details
-                          &.slice(:nuspec_url, :repo_url, :source_url)
+              source_details: target_version_details.slice(:nuspec_url, :repo_url, :source_url)
             ).updated_requirements
         end
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
         def top_level_dependencies
           @top_level_dependencies ||=
-            Nuget::FileParser.new(
-              dependency_files: dependency_files,
-              source: nil
-            ).parse.select(&:top_level?)
+            T.let(
+              Nuget::FileParser.new(
+                dependency_files: dependency_files,
+                source: nil
+              ).parse.select(&:top_level?),
+              T.nilable(T::Array[Dependabot::Dependency])
+            )
         end
 
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def nuget_configs
           @nuget_configs ||=
-            @dependency_files.select { |f| f.name.match?(/nuget\.config$/i) }
+            T.let(
+              @dependency_files.select { |f| f.name.match?(/nuget\.config$/i) },
+              T.nilable(T::Array[Dependabot::DependencyFile])
+            )
         end
 
+        sig { returns(T::Array[T::Hash[Symbol, String]]) }
         def dependency_urls
           @dependency_urls ||=
-            RepositoryFinder.new(
-              dependency: @dependency,
-              credentials: @credentials,
-              config_files: nuget_configs
-            ).dependency_urls
-                            .select { |url| url.fetch(:repository_type) == "v3" }
+            T.let(
+              RepositoryFinder.new(
+                dependency: @dependency,
+                credentials: @credentials,
+                config_files: nuget_configs
+              )
+              .dependency_urls
+              .select { |url| url.fetch(:repository_type) == "v3" },
+              T.nilable(T::Array[T::Hash[Symbol, String]])
+            )
         end
 
+        sig { params(package_id: String, package_version: String).returns(T::Array[T::Hash[String, T.untyped]]) }
         def fetch_transitive_dependencies(package_id, package_version)
           all_dependencies = {}
           fetch_transitive_dependencies_impl(package_id, package_version, all_dependencies)
           all_dependencies.map { |_, dependency_info| dependency_info }
         end
 
+        sig { params(package_id: String, package_version: String, all_dependencies: T::Hash[String, T.untyped]).void }
         def fetch_transitive_dependencies_impl(package_id, package_version, all_dependencies)
           dependencies = fetch_dependencies(package_id, package_version)
           return unless dependencies.any?
@@ -175,6 +223,7 @@ module Dependabot
           end
         end
 
+        sig { params(package_id: String, package_version: String).returns(T::Array[T::Hash[String, T.untyped]]) }
         def fetch_dependencies(package_id, package_version)
           key = "#{package_id.downcase}::#{package_version}"
           cache = DependencyFinder.fetch_dependencies_cache
@@ -191,6 +240,7 @@ module Dependabot
           cache[key]
         end
 
+        sig { params(nuspec_xml: Nokogiri::XML::Document).returns(T::Array[T::Hash[String, String]]) }
         def read_dependencies_from_nuspec(nuspec_xml) # rubocop:disable Metrics/PerceivedComplexity
           # we want to exclude development dependencies from the lookup
           allowed_attributes = %w(all compile native runtime)
@@ -223,6 +273,7 @@ module Dependabot
           dependency_list
         end
 
+        sig { params(dep: Dependabot::Dependency).returns(Dependabot::Nuget::UpdateChecker::VersionFinder) }
         def version_finder(dep)
           VersionFinder.new(
             dependency: dep,

data/lib/dependabot/nuget/update_checker/nupkg_fetcher.rb

@@ -1,23 +1,43 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
-require "zip"
 require "stringio"
+require "sorbet-runtime"
+require "zip"
+
 require "dependabot/nuget/http_response_helpers"
 
 module Dependabot
   module Nuget
     class NupkgFetcher
+      extend T::Sig
+
       require_relative "repository_finder"
 
+      sig do
+        params(
+          dependency_urls: T::Array[T::Hash[Symbol, String]],
+          package_id: String,
+          package_version: String
+        )
+          .returns(T.nilable(String))
+      end
       def self.fetch_nupkg_buffer(dependency_urls, package_id, package_version)
         # check all repositories for the first one that has the nupkg
-        dependency_urls.reduce(nil) do |nupkg_buffer, repository_details|
+        dependency_urls.reduce(T.let(nil, T.nilable(String))) do |nupkg_buffer, repository_details|
           nupkg_buffer || fetch_nupkg_buffer_from_repository(repository_details, package_id, package_version)
         end
       end
 
+      sig do
+        params(
+          repository_details: T::Hash[Symbol, T.untyped],
+          package_id: T.nilable(String),
+          package_version: T.nilable(String)
+        )
+          .returns(T.nilable(String))
+      end
       def self.fetch_nupkg_url_from_repository(repository_details, package_id, package_version)
         return unless package_id && package_version && !package_version.empty?
 
@@ -35,6 +55,14 @@ module Dependabot
         package_url
       end
 
+      sig do
+        params(
+          repository_details: T::Hash[Symbol, T.untyped],
+          package_id: String,
+          package_version: String
+        )
+          .returns(T.nilable(String))
+      end
       def self.fetch_nupkg_buffer_from_repository(repository_details, package_id, package_version)
         package_url = fetch_nupkg_url_from_repository(repository_details, package_id, package_version)
         return unless package_url
@@ -43,6 +71,14 @@ module Dependabot
         fetch_stream(package_url, auth_header)
       end
 
+      sig do
+        params(
+          repository_details: T::Hash[Symbol, T.untyped],
+          package_id: String,
+          package_version: String
+        )
+          .returns(T.nilable(String))
+      end
       def self.get_nuget_v3_package_url(repository_details, package_id, package_version)
         base_url = repository_details[:base_url]
         unless base_url
@@ -57,15 +93,23 @@ module Dependabot
 
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
+      sig do
+        params(
+          repository_details: T::Hash[Symbol, T.untyped],
+          package_id: String,
+          package_version: String
+        )
+          .returns(T.nilable(String))
+      end
       def self.get_nuget_v3_package_url_from_search(repository_details, package_id, package_version)
         search_url = repository_details[:search_url]
         return nil unless search_url
 
         # get search result
         search_result_response = fetch_url(search_url, repository_details)
-        return nil unless search_result_response.status == 200
+        return nil unless search_result_response&.status == 200
 
-        search_response_body = HttpResponseHelpers.remove_wrapping_zero_width_chars(search_result_response.body)
+        search_response_body = HttpResponseHelpers.remove_wrapping_zero_width_chars(T.must(search_result_response).body)
         search_results = JSON.parse(search_response_body)
 
         # find matching package and version
@@ -90,15 +134,23 @@ module Dependabot
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:enable Metrics/CyclomaticComplexity
 
+      sig do
+        params(
+          repository_details: T::Hash[Symbol, T.untyped],
+          package_id: String,
+          package_version: String
+        )
+          .returns(T.nilable(String))
+      end
       def self.get_nuget_v2_package_url(repository_details, package_id, package_version)
         # get package XML
         base_url = repository_details[:base_url].delete_suffix("/")
         package_url = "#{base_url}/Packages(Id='#{package_id}',Version='#{package_version}')"
         response = fetch_url(package_url, repository_details)
-        return nil unless response.status == 200
+        return nil unless response&.status == 200
 
         # find relevant element
-        doc = Nokogiri::XML(response.body)
+        doc = Nokogiri::XML(T.must(response).body)
         doc.remove_namespaces!
 
         content_element = doc.xpath("/entry/content")
@@ -106,6 +158,14 @@ module Dependabot
         nupkg_url
       end
 
+      sig do
+        params(
+          stream_url: String,
+          auth_header: T::Hash[String, String],
+          max_redirects: Integer
+        )
+          .returns(T.nilable(String))
+      end
       def self.fetch_stream(stream_url, auth_header, max_redirects = 5)
         current_url = stream_url
         current_redirects = 0
@@ -128,17 +188,25 @@ module Dependabot
             current_redirects += 1
             return nil if current_redirects > max_redirects
 
-            current_url = response.headers["Location"]
+            current_url = T.must(response.headers["Location"])
           else
             return nil
           end
         end
       end
 
+      sig do
+        params(
+          url: String,
+          repository_details: T::Hash[Symbol, T.untyped]
+        )
+          .returns(T.nilable(Excon::Response))
+      end
       def self.fetch_url(url, repository_details)
         fetch_url_with_auth(url, repository_details.fetch(:auth_header))
       end
 
+      sig { params(url: String, auth_header: T::Hash[T.any(String, Symbol), T.untyped]).returns(Excon::Response) }
       def self.fetch_url_with_auth(url, auth_header)
         cache = CacheManager.cache("nupkg_fetcher_cache")
         cache[url] ||= Dependabot::RegistryClient.get(

data/lib/dependabot/nuget/update_checker/nuspec_fetcher.rb

@@ -1,23 +1,42 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "nokogiri"
-require "zip"
 require "stringio"
+require "sorbet-runtime"
+require "zip"
 
 module Dependabot
   module Nuget
     class NuspecFetcher
+      extend T::Sig
+
       require_relative "nupkg_fetcher"
       require_relative "repository_finder"
 
+      sig do
+        params(
+          dependency_urls: T::Array[T::Hash[Symbol, String]],
+          package_id: String,
+          package_version: T.nilable(String)
+        )
+          .returns(T.nilable(Nokogiri::XML::Document))
+      end
       def self.fetch_nuspec(dependency_urls, package_id, package_version)
         # check all repositories for the first one that has the nuspec
-        dependency_urls.reduce(nil) do |nuspec_xml, repository_details|
+        dependency_urls.reduce(T.let(nil, T.nilable(Nokogiri::XML::Document))) do |nuspec_xml, repository_details|
           nuspec_xml || fetch_nuspec_from_repository(repository_details, package_id, package_version)
         end
       end
 
+      sig do
+        params(
+          repository_details: T::Hash[Symbol, T.untyped],
+          package_id: T.nilable(String),
+          package_version: T.nilable(String)
+        )
+          .returns(T.nilable(Nokogiri::XML::Document))
+      end
       def self.fetch_nuspec_from_repository(repository_details, package_id, package_version)
         return unless package_id && package_version && !package_version.empty?
 
@@ -55,6 +74,7 @@ module Dependabot
         nuspec_xml
       end
 
+      sig { params(feed_url: String).returns(T::Boolean) }
       def self.feed_supports_nuspec_download?(feed_url)
         feed_regexs = [
           # nuget
@@ -67,6 +87,7 @@ module Dependabot
         feed_regexs.any? { |reg| reg.match(feed_url) }
       end
 
+      sig { params(zip_stream: String, package_id: String).returns(T.nilable(String)) }
       def self.extract_nuspec(zip_stream, package_id)
         Zip::File.open_buffer(zip_stream) do |zip|
           nuspec_entry = zip.find { |entry| entry.name == "#{package_id}.nuspec" }
@@ -75,6 +96,7 @@ module Dependabot
         nil
       end
 
+      sig { params(string: String).returns(String) }
       def self.remove_invalid_characters(string)
         string.dup
               .force_encoding(Encoding::UTF_8)

data/lib/dependabot/nuget/update_checker/property_updater.rb

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
+require "sorbet-runtime"
+
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/file_parser"
 
@@ -8,28 +10,47 @@ module Dependabot
   module Nuget
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class PropertyUpdater
+        extend T::Sig
+
         require_relative "version_finder"
         require_relative "requirements_updater"
         require_relative "dependency_finder"
 
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            target_version_details: T.nilable(T::Hash[Symbol, String]),
+            ignored_versions: T::Array[String],
+            repo_contents_path: T.nilable(String),
+            raise_on_ignored: T::Boolean
+          ).void
+        end
         def initialize(dependency:, dependency_files:, credentials:,
                        target_version_details:, ignored_versions:,
-                       raise_on_ignored: false, repo_contents_path:)
+                       repo_contents_path:, raise_on_ignored: false)
           @dependency       = dependency
           @dependency_files = dependency_files
           @credentials      = credentials
           @ignored_versions = ignored_versions
           @raise_on_ignored = raise_on_ignored
-          @target_version   = target_version_details&.fetch(:version)
-          @source_details   = target_version_details
-                              &.slice(:nuspec_url, :repo_url, :source_url)
+          @target_version   = T.let(
+            target_version_details&.fetch(:version),
+            T.nilable(T.any(String, Dependabot::Nuget::Version))
+          )
+          @source_details = T.let(
+            target_version_details&.slice(:nuspec_url, :repo_url, :source_url),
+            T.nilable(T::Hash[Symbol, String])
+          )
           @repo_contents_path = repo_contents_path
         end
 
+        sig { returns(T::Boolean) }
         def update_possible?
           return false unless target_version
 
-          @update_possible ||=
+          @update_possible ||= T.let(
             dependencies_using_property.all? do |dep|
               versions = VersionFinder.new(
                 dependency: dep,
@@ -42,42 +63,73 @@ module Dependabot
               ).versions.map { |v| v.fetch(:version) }
 
               versions.include?(target_version) || versions.none?
-            end
+            end,
+            T.nilable(T::Boolean)
+          )
         end
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
         def updated_dependencies
           raise "Update not possible!" unless update_possible?
 
-          @updated_dependencies ||= begin
-            dependencies = {}
-
-            dependencies_using_property.each do |dep|
-              # Only keep one copy of each dependency, the one with the highest target version.
-              visited_dependency = dependencies[dep.name.downcase]
-              next unless visited_dependency.nil? || visited_dependency.numeric_version < target_version
-
-              updated_dependency = Dependency.new(
-                name: dep.name,
-                version: target_version.to_s,
-                requirements: updated_requirements(dep),
-                previous_version: dep.version,
-                previous_requirements: dep.requirements,
-                package_manager: dep.package_manager
-              )
-              dependencies[updated_dependency.name.downcase] = updated_dependency
-              # Add peer dependencies to the list of updated dependencies.
-              process_updated_peer_dependencies(updated_dependency, dependencies)
-            end
+          @updated_dependencies ||= T.let(
+            begin
+              dependencies = T.let({}, T::Hash[String, Dependabot::Dependency])
+
+              dependencies_using_property.each do |dep|
+                # Only keep one copy of each dependency, the one with the highest target version.
+                visited_dependency = dependencies[dep.name.downcase]
+                next unless visited_dependency.nil? || T.must(visited_dependency.numeric_version) < target_version
+
+                updated_dependency = Dependency.new(
+                  name: dep.name,
+                  version: target_version.to_s,
+                  requirements: updated_requirements(dep),
+                  previous_version: dep.version,
+                  previous_requirements: dep.requirements,
+                  package_manager: dep.package_manager
+                )
+                dependencies[updated_dependency.name.downcase] = updated_dependency
+                # Add peer dependencies to the list of updated dependencies.
+                process_updated_peer_dependencies(updated_dependency, dependencies)
+              end
 
-            dependencies.map { |_, dependency| dependency }
-          end
+              dependencies.map { |_, dependency| dependency }
+            end,
+            T.nilable(T::Array[Dependabot::Dependency])
+          )
         end
 
         private
 
-        attr_reader :dependency, :dependency_files, :target_version,
-                    :source_details, :credentials, :ignored_versions, :repo_contents_path
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+
+        sig { returns(T.nilable(T.any(String, Dependabot::Nuget::Version))) }
+        attr_reader :target_version
 
+        sig { returns(T.nilable(T::Hash[Symbol, String])) }
+        attr_reader :source_details
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+
+        sig { returns(T::Array[String]) }
+        attr_reader :ignored_versions
+
+        sig { returns(T.nilable(String)) }
+        attr_reader :repo_contents_path
+
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependencies: T::Hash[String, Dependabot::Dependency]
+          )
+            .returns(T::Array[Dependabot::Dependency])
+        end
         def process_updated_peer_dependencies(dependency, dependencies)
           DependencyFinder.new(
             dependency: dependency,
@@ -87,36 +139,48 @@ module Dependabot
           ).updated_peer_dependencies.each do |peer_dependency|
             # Only keep one copy of each dependency, the one with the highest target version.
             visited_dependency = dependencies[peer_dependency.name.downcase]
-            next unless visited_dependency.nil? || visited_dependency.numeric_version < peer_dependency.numeric_version
+            unless visited_dependency.nil? ||
+                   T.must(visited_dependency.numeric_version) < peer_dependency.numeric_version
+              next
+            end
 
             dependencies[peer_dependency.name.downcase] = peer_dependency
           end
         end
 
+        sig { returns(T::Array[Dependabot::Dependency]) }
         def dependencies_using_property
           @dependencies_using_property ||=
-            Nuget::FileParser.new(
-              dependency_files: dependency_files,
-              source: nil
-            ).parse.select do |dep|
-              dep.requirements.any? do |r|
-                r.dig(:metadata, :property_name) == property_name
-              end
-            end
+            T.let(
+              Nuget::FileParser.new(
+                dependency_files: dependency_files,
+                source: nil
+              ).parse.select do |dep|
+                dep.requirements.any? do |r|
+                  r.dig(:metadata, :property_name) == property_name
+                end
+              end,
+              T.nilable(T::Array[Dependabot::Dependency])
+            )
         end
 
+        sig { returns(String) }
         def property_name
-          @property_name ||= dependency.requirements
-                                       .find { |r| r.dig(:metadata, :property_name) }
-                                       &.dig(:metadata, :property_name)
+          @property_name ||= T.let(
+            dependency.requirements
+              .find { |r| r.dig(:metadata, :property_name) }
+              &.dig(:metadata, :property_name),
+            T.nilable(String)
+          )
 
           raise "No requirement with a property name!" unless @property_name
 
           @property_name
         end
 
+        sig { params(dep: Dependabot::Dependency).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements(dep)
-          @updated_requirements ||= {}
+          @updated_requirements ||= T.let({}, T.nilable(T::Hash[String, T::Array[T::Hash[Symbol, T.untyped]]]))
           @updated_requirements[dep.name] ||=
             RequirementsUpdater.new(
               requirements: dep.requirements,