RubyGems - dependabot-nuget - Versions diffs - 0.247.0 → 0.249.0 - Mend

dependabot-nuget 0.247.0 → 0.249.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

data/lib/dependabot/nuget/update_checker/repository_finder.rb CHANGED Viewed

@@ -1,8 +1,10 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "excon"
 require "nokogiri"
+require "sorbet-runtime"
 require "dependabot/errors"
 require "dependabot/update_checkers/base"
 require "dependabot/registry_client"
@@ -12,23 +14,34 @@ require "dependabot/nuget/http_response_helpers"
 module Dependabot
   module Nuget
     class RepositoryFinder
+      extend T::Sig
       DEFAULT_REPOSITORY_URL = "https://api.nuget.org/v3/index.json"
       DEFAULT_REPOSITORY_API_KEY = "nuget.org"
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          credentials: T::Array[Dependabot::Credential],
+          config_files: T::Array[Dependabot::DependencyFile]
+        ).void
+      end
       def initialize(dependency:, credentials:, config_files: [])
         @dependency  = dependency
         @credentials = credentials
         @config_files = config_files
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def dependency_urls
         find_dependency_urls
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def known_repositories
         return @known_repositories if @known_repositories
-        @known_repositories = []
+        @known_repositories ||= T.let([], T.nilable(T::Array[T::Hash[Symbol, String]]))
         @known_repositories += credential_repositories
         @known_repositories += config_file_repositories
@@ -40,6 +53,7 @@ module Dependabot
         @known_repositories.uniq
       end
+      sig { params(dependency_name: String).returns(T::Hash[Symbol, T.untyped]) }
       def self.get_default_repository_details(dependency_name)
         {
           base_url: "https://api.nuget.org/v3-flatcontainer/",
@@ -56,21 +70,33 @@ module Dependabot
       private
-      attr_reader :dependency, :credentials, :config_files
+      sig { returns(Dependabot::Dependency) }
+      attr_reader :dependency
+      sig { returns(T::Array[Dependabot::Credential]) }
+      attr_reader :credentials
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :config_files
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def find_dependency_urls
         @find_dependency_urls ||=
-          known_repositories.flat_map do |details|
-            if details.fetch(:url) == DEFAULT_REPOSITORY_URL
-              # Save a request for the default URL, since we already know how
-              # it addresses packages
-              next default_repository_details
-            end
+          T.let(
+            known_repositories.flat_map do |details|
+              if details.fetch(:url) == DEFAULT_REPOSITORY_URL
+                # Save a request for the default URL, since we already know how
+                # it addresses packages
+                next default_repository_details
+              end
-            build_url_for_details(details)
-          end.compact.uniq
+              build_url_for_details(details)
+            end.compact.uniq,
+            T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
+          )
       end
+      sig { params(repo_details: T::Hash[Symbol, T.untyped]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def build_url_for_details(repo_details)
         url = repo_details.fetch(:url)
         url_obj = URI.parse(url)
@@ -86,6 +112,7 @@ module Dependabot
         details
       end
+      sig { params(repo_details: T::Hash[Symbol, T.untyped]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def build_url_for_details_remote(repo_details)
         response = get_repo_metadata(repo_details)
         check_repo_response(response, repo_details)
@@ -118,11 +145,12 @@ module Dependabot
         details
       rescue JSON::ParserError
-        build_v2_url(response, repo_details)
+        build_v2_url(T.must(response), repo_details)
       rescue Excon::Error::Timeout, Excon::Error::Socket
         handle_timeout(repo_metadata_url: repo_details.fetch(:url))
       end
+      sig { params(repo_details: T::Hash[Symbol, T.untyped]).returns(Excon::Response) }
       def get_repo_metadata(repo_details)
         url = repo_details.fetch(:url)
         cache = CacheManager.cache("repo_finder_metadatacache")
@@ -138,6 +166,7 @@ module Dependabot
         end
       end
+      sig { params(metadata: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]).returns(T.nilable(String)) }
       def base_url_from_v3_metadata(metadata)
         metadata
           .fetch("resources", [])
@@ -145,6 +174,7 @@ module Dependabot
           &.fetch("@id")
       end
+      sig { params(metadata: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]).returns(T.nilable(String)) }
       def registration_url_from_v3_metadata(metadata)
         allowed_registration_types = %w(
           RegistrationsBaseUrl
@@ -159,6 +189,7 @@ module Dependabot
           &.fetch("@id")
       end
+      sig { params(metadata: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]).returns(T.nilable(String)) }
       def search_url_from_v3_metadata(metadata)
         # allowable values from here: https://learn.microsoft.com/en-us/nuget/api/search-query-service-resource#versioning
         allowed_search_types = %w(
@@ -173,6 +204,13 @@ module Dependabot
           &.fetch("@id")
       end
+      sig do
+        params(
+          response: Excon::Response,
+          repo_details: T::Hash[Symbol, T.untyped]
+        )
+          .returns(T::Hash[Symbol, T.untyped])
+      end
       def build_v2_url(response, repo_details)
         doc = Nokogiri::XML(response.body)
@@ -194,6 +232,7 @@ module Dependabot
         }
       end
+      sig { params(response: Excon::Response, details: T::Hash[Symbol, T.untyped]).void }
       def check_repo_response(response, details)
         return unless [401, 402, 403].include?(response.status)
         raise if details.fetch(:url) == DEFAULT_REPOSITORY_URL
@@ -201,19 +240,25 @@ module Dependabot
         raise PrivateSourceAuthenticationFailure, details.fetch(:url)
       end
+      sig { params(repo_metadata_url: String).returns(T.noreturn) }
       def handle_timeout(repo_metadata_url:)
         raise if repo_metadata_url == DEFAULT_REPOSITORY_URL
         raise PrivateSourceTimedOut, repo_metadata_url
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def credential_repositories
         @credential_repositories ||=
-          credentials
-          .select { |cred| cred["type"] == "nuget_feed" && cred["url"] }
-          .map { |c| { url: c.fetch("url"), token: c["token"] } }
+          T.let(
+            credentials
+            .select { |cred| cred["type"] == "nuget_feed" && cred["url"] }
+            .map { |c| { url: c.fetch("url"), token: c["token"] } },
+            T.nilable(T::Array[T::Hash[Symbol, String]])
+          )
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def config_file_repositories
         config_files.flat_map { |file| repos_from_config_file(file) }
       end
@@ -222,13 +267,14 @@ module Dependabot
       # rubocop:disable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/MethodLength
       # rubocop:disable Metrics/AbcSize
+      sig { params(config_file: Dependabot::DependencyFile).returns(T::Array[T::Hash[Symbol, String]]) }
       def repos_from_config_file(config_file)
         doc = Nokogiri::XML(config_file.content)
         doc.remove_namespaces!
         # analogous to having a root config with the default repository
         base_sources = [{ url: DEFAULT_REPOSITORY_URL, key: "nuget.org" }]
-        sources = []
+        sources = T.let([], T::Array[T::Hash[Symbol, String]])
         # regular package sources
         doc.css("configuration > packageSources").children.each do |node|
@@ -269,6 +315,23 @@ module Dependabot
           known_urls.include?(s.fetch(:url))
         end
+        # filter out based on packageSourceMapping
+        package_mapping_elements = doc.xpath("/configuration/packageSourceMapping/packageSource/package[@pattern]")
+        matching_package_elements = package_mapping_elements.select do |package_element|
+          pattern = package_element.attribute("pattern").value
+          # reusing this function for a case insensitive GLOB pattern patch (e.g., "Microsoft.Azure.*")
+          File.fnmatch(pattern, @dependency.name, File::FNM_CASEFOLD)
+        end
+        longest_matching_package_element = matching_package_elements.max_by do |package_element|
+          package_element.attribute("pattern").value.length
+        end
+        matching_key = longest_matching_package_element&.parent&.attribute("key")&.value
+        if matching_key
+          # found a matching source, only keep that one
+          sources.select! { |s| s.fetch(:key) == matching_key }
+        end
         add_config_file_credentials(sources: sources, doc: doc)
         sources.each { |details| details.delete(:key) }
@@ -279,11 +342,13 @@ module Dependabot
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:enable Metrics/CyclomaticComplexity
+      sig { returns(T::Hash[Symbol, T.untyped]) }
       def default_repository_details
         RepositoryFinder.get_default_repository_details(dependency.name)
       end
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(doc: Nokogiri::XML::Document).returns(T::Array[String]) }
       def disabled_sources(doc)
         doc.css("configuration > disabledPackageSources > add").filter_map do |node|
           value = node.attribute("value")&.value ||
@@ -298,6 +363,13 @@ module Dependabot
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/PerceivedComplexity
+      sig do
+        params(
+          sources: T::Array[T::Hash[Symbol, T.nilable(String)]],
+          doc: Nokogiri::XML::Document
+        )
+          .void
+      end
       def add_config_file_credentials(sources:, doc:)
         sources.each do |source_details|
           key = source_details.fetch(:key)
@@ -329,11 +401,10 @@ module Dependabot
           # Any non-ascii characters in the tag with cause a syntax error
           next source_details[:token] = nil
         end
-        sources
       end
       # rubocop:enable Metrics/PerceivedComplexity
+      sig { params(string: String).returns(String) }
       def expand_windows_style_environment_variables(string)
         # NuGet.Config files can have Windows-style environment variables that need to be replaced
         # https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file#using-environment-variables
@@ -352,6 +423,7 @@ module Dependabot
         end
       end
+      sig { params(token: T.nilable(String)).returns(T::Hash[String, String]) }
       def auth_header_for_token(token)
         return {} unless token

data/lib/dependabot/nuget/update_checker/requirements_updater.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 #######################################################################
@@ -6,6 +6,8 @@
 # https://docs.microsoft.com/en-us/nuget/reference/package-versioning #
 #######################################################################
+require "sorbet-runtime"
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/version"
@@ -13,14 +15,25 @@ module Dependabot
   module Nuget
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class RequirementsUpdater
+        extend T::Sig
+        sig do
+          params(
+            requirements: T::Array[T::Hash[Symbol, T.untyped]],
+            latest_version: T.nilable(T.any(String, Dependabot::Nuget::Version)),
+            source_details: T.nilable(T::Hash[Symbol, T.untyped])
+          )
+            .void
+        end
         def initialize(requirements:, latest_version:, source_details:)
           @requirements = requirements
           @source_details = source_details
           return unless latest_version
-          @latest_version = version_class.new(latest_version)
+          @latest_version = T.let(version_class.new(latest_version), Dependabot::Nuget::Version)
         end
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements
           return requirements unless latest_version
@@ -52,32 +65,42 @@ module Dependabot
         private
-        attr_reader :requirements, :latest_version, :source_details
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        attr_reader :requirements
+        sig { returns(T.nilable(Dependabot::Nuget::Version)) }
+        attr_reader :latest_version
+        sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        attr_reader :source_details
+        sig { returns(T.class_of(Dependabot::Nuget::Version)) }
         def version_class
-          Nuget::Version
+          Dependabot::Nuget::Version
         end
+        sig { params(req_string: String).returns(String) }
         def update_wildcard_requirement(req_string)
           return req_string if req_string == "*-*"
           return req_string if req_string == "*"
-          precision = req_string.split("*").first.split(/\.|\-/).count
+          precision = T.must(req_string.split("*").first).split(/\.|\-/).count
           wildcard_section = req_string.partition(/(?=[.\-]\*)/).last
-          version_parts = latest_version.segments.first(precision)
+          version_parts = T.must(latest_version).segments.first(precision)
           version = version_parts.join(".")
           version + wildcard_section
         end
+        sig { returns(T::Hash[Symbol, T.untyped]) }
         def updated_source
           {
             type: "nuget_repo",
-            url: source_details.fetch(:repo_url),
-            nuspec_url: source_details.fetch(:nuspec_url),
-            source_url: source_details.fetch(:source_url)
+            url: source_details&.fetch(:repo_url),
+            nuspec_url: source_details&.fetch(:nuspec_url),
+            source_url: source_details&.fetch(:source_url)
           }
         end
       end

data/lib/dependabot/nuget/update_checker/tfm_comparer.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/version"
 require "dependabot/nuget/requirement"
@@ -10,19 +12,22 @@ require "dependabot/shared_helpers"
 module Dependabot
   module Nuget
     class TfmComparer
+      extend T::Sig
+      sig { params(project_tfms: T::Array[String], package_tfms: T::Array[String]).returns(T::Boolean) }
       def self.are_frameworks_compatible?(project_tfms, package_tfms)
         return false if package_tfms.empty?
         return false if project_tfms.empty?
         key = "project_ftms:#{project_tfms.sort.join(',')}:package_tfms:#{package_tfms.sort.join(',')}".downcase
-        @cached_framework_check ||= {}
+        @cached_framework_check ||= T.let({}, T.nilable(T::Hash[String, T::Boolean]))
         unless @cached_framework_check.key?(key)
           @cached_framework_check[key] =
             NativeHelpers.run_nuget_framework_check(project_tfms,
                                                     package_tfms)
         end
-        @cached_framework_check[key]
+        T.must(@cached_framework_check[key])
       end
     end
   end

data/lib/dependabot/nuget/update_checker/tfm_finder.rb CHANGED Viewed

@@ -1,8 +1,9 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 require "excon"
 require "nokogiri"
+require "sorbet-runtime"
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/version"
@@ -13,15 +14,25 @@ require "dependabot/shared_helpers"
 module Dependabot
   module Nuget
     class TfmFinder
+      extend T::Sig
       require "dependabot/nuget/file_parser/packages_config_parser"
       require "dependabot/nuget/file_parser/project_file_parser"
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile],
+          credentials: T::Array[Dependabot::Credential],
+          repo_contents_path: T.nilable(String)
+        ).void
+      end
       def initialize(dependency_files:, credentials:, repo_contents_path:)
         @dependency_files       = dependency_files
         @credentials            = credentials
         @repo_contents_path     = repo_contents_path
       end
+      sig { params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
       def frameworks(dependency)
         tfms = Set.new
         tfms += project_file_tfms(dependency)
@@ -31,14 +42,23 @@ module Dependabot
       private
-      attr_reader :dependency_files, :credentials, :repo_contents_path
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :dependency_files
+      sig { returns(T::Array[Dependabot::Credential]) }
+      attr_reader :credentials
+      sig { returns(T.nilable(String)) }
+      attr_reader :repo_contents_path
+      sig { params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
       def project_file_tfms(dependency)
         project_files_with_dependency(dependency).flat_map do |file|
           project_file_parser.target_frameworks(project_file: file)
         end
       end
+      sig { params(dependency: Dependabot::Dependency).returns(T::Array[Dependabot::DependencyFile]) }
       def project_files_with_dependency(dependency)
         project_files.select do |file|
           packages_config_contains_dependency?(file, dependency) ||
@@ -46,6 +66,7 @@ module Dependabot
         end
       end
+      sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
       def packages_config_contains_dependency?(file, dependency)
         config_file = find_packages_config_file(file)
         return false unless config_file
@@ -56,36 +77,48 @@ module Dependabot
         end
       end
+      sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
       def project_file_contains_dependency?(file, dependency)
         project_file_parser.dependency_set(project_file: file).dependencies.any? do |d|
           d.name.casecmp(dependency.name)&.zero?
         end
       end
+      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(Dependabot::DependencyFile)) }
       def find_packages_config_file(file)
         return file if file.name.end_with?("packages.config")
         filename = File.basename(file.name)
         search_path = file.name.sub(filename, "packages.config")
-        dependency_files.find { |f| f.name.casecmp(search_path).zero? }
+        dependency_files.find { |f| f.name.casecmp(search_path)&.zero? }
       end
+      sig { returns(T::Array[String]) }
       def project_import_file_tfms
-        @project_import_file_tfms ||= project_import_files.flat_map do |file|
-          project_file_parser.target_frameworks(project_file: file)
-        end
+        @project_import_file_tfms ||=
+          T.let(
+            project_import_files.flat_map do |file|
+              project_file_parser.target_frameworks(project_file: file)
+            end,
+            T.nilable(T::Array[String])
+          )
       end
+      sig { returns(FileParser::ProjectFileParser) }
       def project_file_parser
         @project_file_parser ||=
-          FileParser::ProjectFileParser.new(
-            dependency_files: dependency_files,
-            credentials: credentials,
-            repo_contents_path: repo_contents_path
+          T.let(
+            FileParser::ProjectFileParser.new(
+              dependency_files: dependency_files,
+              credentials: credentials,
+              repo_contents_path: repo_contents_path
+            ),
+            T.nilable(FileParser::ProjectFileParser)
           )
       end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def project_files
         projfile = /\.[a-z]{2}proj$/
         packageprops = /[Dd]irectory.[Pp]ackages.props/
@@ -96,12 +129,14 @@ module Dependabot
         end
       end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def packages_config_files
         dependency_files.select do |f|
-          f.name.split("/").last.casecmp("packages.config").zero?
+          f.name.split("/").last&.casecmp("packages.config")&.zero?
         end
       end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def project_import_files
         dependency_files -
           project_files -
@@ -111,16 +146,19 @@ module Dependabot
           [dotnet_tools_json]
       end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def nuget_configs
         dependency_files.select { |f| f.name.match?(/nuget\.config$/i) }
       end
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def global_json
-        dependency_files.find { |f| f.name.casecmp("global.json").zero? }
+        dependency_files.find { |f| f.name.casecmp("global.json")&.zero? }
       end
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def dotnet_tools_json
-        dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json").zero? }
+        dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json")&.zero? }
       end
     end
   end