RubyGems - dependabot-nuget - Versions diffs - 0.247.0 → 0.249.0 - Mend

dependabot-nuget 0.247.0 → 0.249.0

Files changed (28) hide show

data/lib/dependabot/nuget/update_checker/repository_finder.rb CHANGED Viewed

@@ -1,8 +1,10 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "excon"
 require "nokogiri"
+require "sorbet-runtime"
 require "dependabot/errors"
 require "dependabot/update_checkers/base"
 require "dependabot/registry_client"
@@ -12,23 +14,34 @@ require "dependabot/nuget/http_response_helpers"
 module Dependabot
   module Nuget
     class RepositoryFinder
+      extend T::Sig
       DEFAULT_REPOSITORY_URL = "https://api.nuget.org/v3/index.json"
       DEFAULT_REPOSITORY_API_KEY = "nuget.org"
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          credentials: T::Array[Dependabot::Credential],
+          config_files: T::Array[Dependabot::DependencyFile]
+        ).void
+      end
       def initialize(dependency:, credentials:, config_files: [])
         @dependency  = dependency
         @credentials = credentials
         @config_files = config_files
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def dependency_urls
         find_dependency_urls
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def known_repositories
         return @known_repositories if @known_repositories
-        @known_repositories = []
+        @known_repositories ||= T.let([], T.nilable(T::Array[T::Hash[Symbol, String]]))
         @known_repositories += credential_repositories
         @known_repositories += config_file_repositories
@@ -40,6 +53,7 @@ module Dependabot
         @known_repositories.uniq
       end
+      sig { params(dependency_name: String).returns(T::Hash[Symbol, T.untyped]) }
       def self.get_default_repository_details(dependency_name)
         {
           base_url: "https://api.nuget.org/v3-flatcontainer/",
@@ -56,21 +70,33 @@ module Dependabot
       private
-      attr_reader :dependency, :credentials, :config_files
+      sig { returns(Dependabot::Dependency) }
+      attr_reader :dependency
+      sig { returns(T::Array[Dependabot::Credential]) }
+      attr_reader :credentials
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :config_files
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def find_dependency_urls
         @find_dependency_urls ||=
-          known_repositories.flat_map do |details|
-            if details.fetch(:url) == DEFAULT_REPOSITORY_URL
-              # Save a request for the default URL, since we already know how
-              # it addresses packages
-              next default_repository_details
-            end
+          T.let(
+            known_repositories.flat_map do |details|
+              if details.fetch(:url) == DEFAULT_REPOSITORY_URL
+                # Save a request for the default URL, since we already know how
+                # it addresses packages
+                next default_repository_details
+              end
-            build_url_for_details(details)
-          end.compact.uniq
+              build_url_for_details(details)
+            end.compact.uniq,
+            T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
+          )
       end
+      sig { params(repo_details: T::Hash[Symbol, T.untyped]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def build_url_for_details(repo_details)
         url = repo_details.fetch(:url)
         url_obj = URI.parse(url)
@@ -86,6 +112,7 @@ module Dependabot
         details
       end
+      sig { params(repo_details: T::Hash[Symbol, T.untyped]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def build_url_for_details_remote(repo_details)
         response = get_repo_metadata(repo_details)
         check_repo_response(response, repo_details)
@@ -118,11 +145,12 @@ module Dependabot
         details
       rescue JSON::ParserError
-        build_v2_url(response, repo_details)
+        build_v2_url(T.must(response), repo_details)
       rescue Excon::Error::Timeout, Excon::Error::Socket
         handle_timeout(repo_metadata_url: repo_details.fetch(:url))
       end
+      sig { params(repo_details: T::Hash[Symbol, T.untyped]).returns(Excon::Response) }
       def get_repo_metadata(repo_details)
         url = repo_details.fetch(:url)
         cache = CacheManager.cache("repo_finder_metadatacache")
@@ -138,6 +166,7 @@ module Dependabot
         end
       end
+      sig { params(metadata: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]).returns(T.nilable(String)) }
       def base_url_from_v3_metadata(metadata)
         metadata
           .fetch("resources", [])
@@ -145,6 +174,7 @@ module Dependabot
           &.fetch("@id")
       end
+      sig { params(metadata: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]).returns(T.nilable(String)) }
       def registration_url_from_v3_metadata(metadata)
         allowed_registration_types = %w(
           RegistrationsBaseUrl
@@ -159,6 +189,7 @@ module Dependabot
           &.fetch("@id")
       end
+      sig { params(metadata: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]).returns(T.nilable(String)) }
       def search_url_from_v3_metadata(metadata)
         # allowable values from here: https://learn.microsoft.com/en-us/nuget/api/search-query-service-resource#versioning
         allowed_search_types = %w(
@@ -173,6 +204,13 @@ module Dependabot
           &.fetch("@id")
       end
+      sig do
+        params(
+          response: Excon::Response,
+          repo_details: T::Hash[Symbol, T.untyped]
+        )
+          .returns(T::Hash[Symbol, T.untyped])
+      end
       def build_v2_url(response, repo_details)
         doc = Nokogiri::XML(response.body)
@@ -194,6 +232,7 @@ module Dependabot
         }
       end
+      sig { params(response: Excon::Response, details: T::Hash[Symbol, T.untyped]).void }
       def check_repo_response(response, details)
         return unless [401, 402, 403].include?(response.status)
         raise if details.fetch(:url) == DEFAULT_REPOSITORY_URL
@@ -201,19 +240,25 @@ module Dependabot
         raise PrivateSourceAuthenticationFailure, details.fetch(:url)
       end
+      sig { params(repo_metadata_url: String).returns(T.noreturn) }
       def handle_timeout(repo_metadata_url:)
         raise if repo_metadata_url == DEFAULT_REPOSITORY_URL
         raise PrivateSourceTimedOut, repo_metadata_url
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def credential_repositories
         @credential_repositories ||=
-          credentials
-          .select { |cred| cred["type"] == "nuget_feed" && cred["url"] }
-          .map { |c| { url: c.fetch("url"), token: c["token"] } }
+          T.let(
+            credentials
+            .select { |cred| cred["type"] == "nuget_feed" && cred["url"] }
+            .map { |c| { url: c.fetch("url"), token: c["token"] } },
+            T.nilable(T::Array[T::Hash[Symbol, String]])
+          )
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def config_file_repositories
         config_files.flat_map { |file| repos_from_config_file(file) }
       end
@@ -222,13 +267,14 @@ module Dependabot
       # rubocop:disable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/MethodLength
       # rubocop:disable Metrics/AbcSize
+      sig { params(config_file: Dependabot::DependencyFile).returns(T::Array[T::Hash[Symbol, String]]) }
       def repos_from_config_file(config_file)
         doc = Nokogiri::XML(config_file.content)
         doc.remove_namespaces!
         # analogous to having a root config with the default repository
         base_sources = [{ url: DEFAULT_REPOSITORY_URL, key: "nuget.org" }]
-        sources = []
+        sources = T.let([], T::Array[T::Hash[Symbol, String]])
         # regular package sources
         doc.css("configuration > packageSources").children.each do |node|
@@ -269,6 +315,23 @@ module Dependabot
           known_urls.include?(s.fetch(:url))
         end
+        # filter out based on packageSourceMapping
+        package_mapping_elements = doc.xpath("/configuration/packageSourceMapping/packageSource/package[@pattern]")
+        matching_package_elements = package_mapping_elements.select do |package_element|
+          pattern = package_element.attribute("pattern").value
+          # reusing this function for a case insensitive GLOB pattern patch (e.g., "Microsoft.Azure.*")
+          File.fnmatch(pattern, @dependency.name, File::FNM_CASEFOLD)
+        end
+        longest_matching_package_element = matching_package_elements.max_by do |package_element|
+          package_element.attribute("pattern").value.length
+        end
+        matching_key = longest_matching_package_element&.parent&.attribute("key")&.value
+        if matching_key
+          # found a matching source, only keep that one
+          sources.select! { |s| s.fetch(:key) == matching_key }
+        end
         add_config_file_credentials(sources: sources, doc: doc)
         sources.each { |details| details.delete(:key) }
@@ -279,11 +342,13 @@ module Dependabot
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:enable Metrics/CyclomaticComplexity
+      sig { returns(T::Hash[Symbol, T.untyped]) }
       def default_repository_details
         RepositoryFinder.get_default_repository_details(dependency.name)
       end
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(doc: Nokogiri::XML::Document).returns(T::Array[String]) }
       def disabled_sources(doc)
         doc.css("configuration > disabledPackageSources > add").filter_map do |node|
           value = node.attribute("value")&.value ||
@@ -298,6 +363,13 @@ module Dependabot
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/PerceivedComplexity
+      sig do
+        params(
+          sources: T::Array[T::Hash[Symbol, T.nilable(String)]],
+          doc: Nokogiri::XML::Document
+        )
+          .void
+      end
       def add_config_file_credentials(sources:, doc:)
         sources.each do |source_details|
           key = source_details.fetch(:key)
@@ -329,11 +401,10 @@ module Dependabot
           # Any non-ascii characters in the tag with cause a syntax error
           next source_details[:token] = nil
         end
-        sources
       end
       # rubocop:enable Metrics/PerceivedComplexity
+      sig { params(string: String).returns(String) }
       def expand_windows_style_environment_variables(string)
         # NuGet.Config files can have Windows-style environment variables that need to be replaced
         # https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file#using-environment-variables
@@ -352,6 +423,7 @@ module Dependabot
         end
       end
+      sig { params(token: T.nilable(String)).returns(T::Hash[String, String]) }
       def auth_header_for_token(token)
         return {} unless token

data/lib/dependabot/nuget/update_checker/requirements_updater.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 #######################################################################
@@ -6,6 +6,8 @@
 # https://docs.microsoft.com/en-us/nuget/reference/package-versioning #
 #######################################################################
+require "sorbet-runtime"
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/version"
@@ -13,14 +15,25 @@ module Dependabot
   module Nuget
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class RequirementsUpdater
+        extend T::Sig
+        sig do
+          params(
+            requirements: T::Array[T::Hash[Symbol, T.untyped]],
+            latest_version: T.nilable(T.any(String, Dependabot::Nuget::Version)),
+            source_details: T.nilable(T::Hash[Symbol, T.untyped])
+          )
+            .void
+        end
         def initialize(requirements:, latest_version:, source_details:)
           @requirements = requirements
           @source_details = source_details
           return unless latest_version
-          @latest_version = version_class.new(latest_version)
+          @latest_version = T.let(version_class.new(latest_version), Dependabot::Nuget::Version)
         end
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements
           return requirements unless latest_version
@@ -52,32 +65,42 @@ module Dependabot
         private
-        attr_reader :requirements, :latest_version, :source_details
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        attr_reader :requirements
+        sig { returns(T.nilable(Dependabot::Nuget::Version)) }
+        attr_reader :latest_version
+        sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        attr_reader :source_details
+        sig { returns(T.class_of(Dependabot::Nuget::Version)) }
         def version_class
-          Nuget::Version
+          Dependabot::Nuget::Version
         end
+        sig { params(req_string: String).returns(String) }
         def update_wildcard_requirement(req_string)
           return req_string if req_string == "*-*"
           return req_string if req_string == "*"
-          precision = req_string.split("*").first.split(/\.|\-/).count
+          precision = T.must(req_string.split("*").first).split(/\.|\-/).count
           wildcard_section = req_string.partition(/(?=[.\-]\*)/).last
-          version_parts = latest_version.segments.first(precision)
+          version_parts = T.must(latest_version).segments.first(precision)
           version = version_parts.join(".")
           version + wildcard_section
         end
+        sig { returns(T::Hash[Symbol, T.untyped]) }
         def updated_source
           {
             type: "nuget_repo",
-            url: source_details.fetch(:repo_url),
-            nuspec_url: source_details.fetch(:nuspec_url),
-            source_url: source_details.fetch(:source_url)
+            url: source_details&.fetch(:repo_url),
+            nuspec_url: source_details&.fetch(:nuspec_url),
+            source_url: source_details&.fetch(:source_url)
           }
         end
       end

data/lib/dependabot/nuget/update_checker/tfm_comparer.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/version"
 require "dependabot/nuget/requirement"
@@ -10,19 +12,22 @@ require "dependabot/shared_helpers"
 module Dependabot
   module Nuget
     class TfmComparer
+      extend T::Sig
+      sig { params(project_tfms: T::Array[String], package_tfms: T::Array[String]).returns(T::Boolean) }
       def self.are_frameworks_compatible?(project_tfms, package_tfms)
         return false if package_tfms.empty?
         return false if project_tfms.empty?
         key = "project_ftms:#{project_tfms.sort.join(',')}:package_tfms:#{package_tfms.sort.join(',')}".downcase
-        @cached_framework_check ||= {}
+        @cached_framework_check ||= T.let({}, T.nilable(T::Hash[String, T::Boolean]))
         unless @cached_framework_check.key?(key)
           @cached_framework_check[key] =
             NativeHelpers.run_nuget_framework_check(project_tfms,
                                                     package_tfms)
         end
-        @cached_framework_check[key]
+        T.must(@cached_framework_check[key])
       end
     end
   end

data/lib/dependabot/nuget/update_checker/tfm_finder.rb CHANGED Viewed

@@ -1,8 +1,9 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
 require "excon"
 require "nokogiri"
+require "sorbet-runtime"
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/version"
@@ -13,15 +14,25 @@ require "dependabot/shared_helpers"
 module Dependabot
   module Nuget
     class TfmFinder
+      extend T::Sig
       require "dependabot/nuget/file_parser/packages_config_parser"
       require "dependabot/nuget/file_parser/project_file_parser"
+      sig do
+        params(
+          dependency_files: T::Array[Dependabot::DependencyFile],
+          credentials: T::Array[Dependabot::Credential],
+          repo_contents_path: T.nilable(String)
+        ).void
+      end
       def initialize(dependency_files:, credentials:, repo_contents_path:)
         @dependency_files       = dependency_files
         @credentials            = credentials
         @repo_contents_path     = repo_contents_path
       end
+      sig { params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
       def frameworks(dependency)
         tfms = Set.new
         tfms += project_file_tfms(dependency)
@@ -31,14 +42,23 @@ module Dependabot
       private
-      attr_reader :dependency_files, :credentials, :repo_contents_path
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :dependency_files
+      sig { returns(T::Array[Dependabot::Credential]) }
+      attr_reader :credentials
+      sig { returns(T.nilable(String)) }
+      attr_reader :repo_contents_path
+      sig { params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
       def project_file_tfms(dependency)
         project_files_with_dependency(dependency).flat_map do |file|
           project_file_parser.target_frameworks(project_file: file)
         end
       end
+      sig { params(dependency: Dependabot::Dependency).returns(T::Array[Dependabot::DependencyFile]) }
       def project_files_with_dependency(dependency)
         project_files.select do |file|
           packages_config_contains_dependency?(file, dependency) ||
@@ -46,6 +66,7 @@ module Dependabot
         end
       end
+      sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
       def packages_config_contains_dependency?(file, dependency)
         config_file = find_packages_config_file(file)
         return false unless config_file
@@ -56,36 +77,48 @@ module Dependabot
         end
       end
+      sig { params(file: Dependabot::DependencyFile, dependency: Dependabot::Dependency).returns(T::Boolean) }
       def project_file_contains_dependency?(file, dependency)
         project_file_parser.dependency_set(project_file: file).dependencies.any? do |d|
           d.name.casecmp(dependency.name)&.zero?
         end
       end
+      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(Dependabot::DependencyFile)) }
       def find_packages_config_file(file)
         return file if file.name.end_with?("packages.config")
         filename = File.basename(file.name)
         search_path = file.name.sub(filename, "packages.config")
-        dependency_files.find { |f| f.name.casecmp(search_path).zero? }
+        dependency_files.find { |f| f.name.casecmp(search_path)&.zero? }
       end
+      sig { returns(T::Array[String]) }
       def project_import_file_tfms
-        @project_import_file_tfms ||= project_import_files.flat_map do |file|
-          project_file_parser.target_frameworks(project_file: file)
-        end
+        @project_import_file_tfms ||=
+          T.let(
+            project_import_files.flat_map do |file|
+              project_file_parser.target_frameworks(project_file: file)
+            end,
+            T.nilable(T::Array[String])
+          )
       end
+      sig { returns(FileParser::ProjectFileParser) }
       def project_file_parser
         @project_file_parser ||=
-          FileParser::ProjectFileParser.new(
-            dependency_files: dependency_files,
-            credentials: credentials,
-            repo_contents_path: repo_contents_path
+          T.let(
+            FileParser::ProjectFileParser.new(
+              dependency_files: dependency_files,
+              credentials: credentials,
+              repo_contents_path: repo_contents_path
+            ),
+            T.nilable(FileParser::ProjectFileParser)
           )
       end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def project_files
         projfile = /\.[a-z]{2}proj$/
         packageprops = /[Dd]irectory.[Pp]ackages.props/
@@ -96,12 +129,14 @@ module Dependabot
         end
       end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def packages_config_files
         dependency_files.select do |f|
-          f.name.split("/").last.casecmp("packages.config").zero?
+          f.name.split("/").last&.casecmp("packages.config")&.zero?
         end
       end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def project_import_files
         dependency_files -
           project_files -
@@ -111,16 +146,19 @@ module Dependabot
           [dotnet_tools_json]
       end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def nuget_configs
         dependency_files.select { |f| f.name.match?(/nuget\.config$/i) }
       end
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def global_json
-        dependency_files.find { |f| f.name.casecmp("global.json").zero? }
+        dependency_files.find { |f| f.name.casecmp("global.json")&.zero? }
       end
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def dotnet_tools_json
-        dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json").zero? }
+        dependency_files.find { |f| f.name.casecmp(".config/dotnet-tools.json")&.zero? }
       end
     end
   end