RubyGems - dependabot-nuget - Versions diffs - 0.247.0 → 0.249.0 - Mend

dependabot-nuget 0.247.0 → 0.249.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

data/lib/dependabot/nuget/update_checker/version_finder.rb CHANGED Viewed

@@ -1,16 +1,18 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/nuget/version"
 require "dependabot/nuget/requirement"
 require "dependabot/update_checkers/base"
 require "dependabot/update_checkers/version_filters"
 require "dependabot/nuget/nuget_client"
-require "sorbet-runtime"
 module Dependabot
   module Nuget
     class UpdateChecker < Dependabot::UpdateCheckers::Base
+      # rubocop:disable Metrics/ClassLength
       class VersionFinder
         extend T::Sig
@@ -19,10 +21,24 @@ module Dependabot
         NUGET_RANGE_REGEX = /[\(\[].*,.*[\)\]]/
-        def initialize(dependency:, dependency_files:, credentials:,
-                       ignored_versions:, raise_on_ignored: false,
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            ignored_versions: T::Array[String],
+            security_advisories: T::Array[Dependabot::SecurityAdvisory],
+            repo_contents_path: T.nilable(String),
+            raise_on_ignored: T::Boolean
+          ).void
+        end
+        def initialize(dependency:,
+                       dependency_files:,
+                       credentials:,
+                       ignored_versions:,
                        security_advisories:,
-                       repo_contents_path:)
+                       repo_contents_path:,
+                       raise_on_ignored: false)
           @dependency          = dependency
           @dependency_files    = dependency_files
           @credentials         = credentials
@@ -32,53 +48,89 @@ module Dependabot
           @repo_contents_path  = repo_contents_path
         end
+        sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
         def latest_version_details
           @latest_version_details ||=
-            begin
-              possible_versions = versions
-              possible_versions = filter_prereleases(possible_versions)
-              possible_versions = filter_ignored_versions(possible_versions)
-              find_highest_compatible_version(possible_versions)
-            end
+            T.let(
+              begin
+                possible_versions = versions
+                possible_versions = filter_prereleases(possible_versions)
+                possible_versions = filter_ignored_versions(possible_versions)
+                find_highest_compatible_version(possible_versions)
+              end,
+              T.nilable(T::Hash[Symbol, T.untyped])
+            )
         end
+        sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
         def lowest_security_fix_version_details
           @lowest_security_fix_version_details ||=
-            begin
-              possible_versions = versions
-              possible_versions = filter_prereleases(possible_versions)
-              possible_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(
-                possible_versions, security_advisories
-              )
-              possible_versions = filter_ignored_versions(possible_versions)
-              possible_versions = filter_lower_versions(possible_versions)
-              find_lowest_compatible_version(possible_versions)
-            end
+            T.let(
+              begin
+                possible_versions = versions
+                possible_versions = filter_prereleases(possible_versions)
+                possible_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(
+                  possible_versions, security_advisories
+                )
+                possible_versions = filter_ignored_versions(possible_versions)
+                possible_versions = filter_lower_versions(possible_versions)
+                find_lowest_compatible_version(possible_versions)
+              end,
+              T.nilable(T::Hash[Symbol, T.untyped])
+            )
         end
+        sig { returns(T::Array[T::Hash[Symbol, T.nilable(T.any(Dependabot::Version, String))]]) }
         def versions
           available_v3_versions + available_v2_versions
         end
-        attr_reader :dependency, :dependency_files, :credentials,
-                    :ignored_versions, :security_advisories, :repo_contents_path
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+        sig { returns(T::Array[String]) }
+        attr_reader :ignored_versions
+        sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
+        attr_reader :security_advisories
+        sig { returns(T.nilable(String)) }
+        attr_reader :repo_contents_path
         private
+        sig do
+          params(possible_versions: T::Array[T::Hash[Symbol, T.untyped]])
+            .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+        end
         def find_highest_compatible_version(possible_versions)
           # sorted versions descending
           sorted_versions = possible_versions.sort_by { |v| v.fetch(:version) }.reverse
           find_compatible_version(sorted_versions)
         end
+        sig do
+          params(possible_versions: T::Array[T::Hash[Symbol, T.untyped]])
+            .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+        end
         def find_lowest_compatible_version(possible_versions)
           # sorted versions ascending
           sorted_versions = possible_versions.sort_by { |v| v.fetch(:version) }
           find_compatible_version(sorted_versions)
         end
+        sig do
+          params(sorted_versions: T::Array[T::Hash[Symbol, T.untyped]])
+            .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+        end
         def find_compatible_version(sorted_versions)
           # By checking the first version separately, we can avoid additional network requests
           first_version = sorted_versions.first
@@ -92,27 +144,37 @@ module Dependabot
           sorted_versions.find { |v| version_compatible?(v.fetch(:version)) }
         end
+        sig { params(version: T.nilable(T.any(Dependabot::Version, String))).returns(T::Boolean) }
         def version_compatible?(version)
           str_version_compatible?(version.to_s)
         end
+        sig { params(version: String).returns(T::Boolean) }
         def str_version_compatible?(version)
           compatibility_checker.compatible?(version)
         end
+        sig { returns(Dependabot::Nuget::CompatibilityChecker) }
         def compatibility_checker
-          @compatibility_checker ||= CompatibilityChecker.new(
-            dependency_urls: dependency_urls,
-            dependency: dependency,
-            tfm_finder: TfmFinder.new(
-              dependency_files: dependency_files,
-              credentials: credentials,
-              repo_contents_path: repo_contents_path
+          @compatibility_checker ||=
+            T.let(
+              CompatibilityChecker.new(
+                dependency_urls: dependency_urls,
+                dependency: dependency,
+                tfm_finder: TfmFinder.new(
+                  dependency_files: dependency_files,
+                  credentials: credentials,
+                  repo_contents_path: repo_contents_path
+                )
+              ),
+              T.nilable(Dependabot::Nuget::CompatibilityChecker)
             )
-          )
         end
-        sig { params(possible_versions: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+        sig do
+          params(possible_versions: T::Array[T::Hash[Symbol, T.untyped]])
+            .returns(T::Array[T::Hash[Symbol, T.untyped]])
+        end
         def filter_prereleases(possible_versions)
           filtered = possible_versions.reject do |d|
             version = d.fetch(:version)
@@ -124,7 +186,10 @@ module Dependabot
           filtered
         end
-        sig { params(possible_versions: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+        sig do
+          params(possible_versions: T::Array[T::Hash[Symbol, T.untyped]])
+            .returns(T::Array[T::Hash[Symbol, T.untyped]])
+        end
         def filter_ignored_versions(possible_versions)
           filtered = possible_versions
@@ -147,6 +212,10 @@ module Dependabot
           filtered
         end
+        sig do
+          params(possible_versions: T::Array[T::Hash[Symbol, T.untyped]])
+            .returns(T::Array[T::Hash[Symbol, T.untyped]])
+        end
         def filter_lower_versions(possible_versions)
           return possible_versions unless dependency.numeric_version
@@ -155,12 +224,14 @@ module Dependabot
           end
         end
+        sig { params(string: String).returns(T::Array[String]) }
         def parse_requirement_string(string)
           return [string] if string.match?(NUGET_RANGE_REGEX)
           string.split(",").map(&:strip)
         end
+        sig { returns(T::Array[T::Hash[Symbol, T.any(Dependabot::Version, String, NilClass)]]) }
         def available_v3_versions
           v3_nuget_listings.flat_map do |listing|
             listing
@@ -181,6 +252,7 @@ module Dependabot
           end
         end
+        sig { returns(T::Array[T::Hash[Symbol, T.any(Dependabot::Version, String, NilClass)]]) }
         def available_v2_versions
           v2_nuget_listings.flat_map do |listing|
             body = listing.fetch("xml_body", [])
@@ -200,6 +272,10 @@ module Dependabot
           end
         end
+        sig do
+          params(entry: Nokogiri::XML::Element)
+            .returns(T::Hash[Symbol, T.any(Dependabot::Version, String, NilClass)])
+        end
         def dependency_details_from_v2_entry(entry)
           version = entry.at_xpath("./properties/Version").content.strip
           source_urls = []
@@ -221,10 +297,11 @@ module Dependabot
         end
         # rubocop:disable Metrics/PerceivedComplexity
+        sig { params(version: Dependabot::Version).returns(T::Boolean) }
         def related_to_current_pre?(version)
           current_version = dependency.numeric_version
           if current_version&.prerelease? &&
-             current_version&.release == version.release
+             current_version.release == version.release
             return true
           end
@@ -242,36 +319,50 @@ module Dependabot
             false
           end
         end
         # rubocop:enable Metrics/PerceivedComplexity
+        sig { returns(T::Array[T::Hash[String, T.untyped]]) }
         def v3_nuget_listings
           @v3_nuget_listings ||=
-            dependency_urls
-            .select { |details| details.fetch(:repository_type) == "v3" }
-            .filter_map do |url_details|
-              versions = NugetClient.get_package_versions(dependency.name, url_details)
-              next unless versions
-              { "versions" => versions, "listing_details" => url_details }
-            end
+            T.let(
+              dependency_urls
+              .select { |details| details.fetch(:repository_type) == "v3" }
+              .filter_map do |url_details|
+                versions = NugetClient.get_package_versions(dependency.name, url_details)
+                next unless versions
+                { "versions" => versions, "listing_details" => url_details }
+              end,
+              T.nilable(T::Array[T::Hash[String, T.untyped]])
+            )
         end
+        sig { returns(T::Array[T::Hash[String, T.untyped]]) }
         def v2_nuget_listings
           @v2_nuget_listings ||=
-            dependency_urls
-            .select { |details| details.fetch(:repository_type) == "v2" }
-            .flat_map { |url_details| fetch_paginated_v2_nuget_listings(url_details) }
-            .filter_map do |url_details, response|
-              next unless response.status == 200
-              {
-                "xml_body" => response.body,
-                "listing_details" => url_details
-              }
-            end
+            T.let(
+              dependency_urls
+              .select { |details| details.fetch(:repository_type) == "v2" }
+              .flat_map { |url_details| fetch_paginated_v2_nuget_listings(url_details) }
+              .filter_map do |url_details, response|
+                next unless response.status == 200
+                {
+                  "xml_body" => response.body,
+                  "listing_details" => url_details
+                }
+              end,
+              T.nilable(T::Array[T::Hash[String, T.untyped]])
+            )
         end
+        sig do
+          params(
+            url_details: T::Hash[Symbol, T.untyped],
+            results: T::Hash[T::Hash[Symbol, T.untyped], Excon::Response]
+          )
+            .returns(T::Array[T::Array[T.untyped]])
+        end
         def fetch_paginated_v2_nuget_listings(url_details, results = {})
           response = Dependabot::RegistryClient.get(
             url: url_details[:versions_url],
@@ -295,6 +386,7 @@ module Dependabot
           results.to_a
         end
+        sig { params(xml_body: String).returns(T.nilable(String)) }
         def fetch_v2_next_link_href(xml_body)
           doc = Nokogiri::XML(xml_body)
           doc.remove_namespaces!
@@ -307,32 +399,44 @@ module Dependabot
           nil
         end
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def dependency_urls
           @dependency_urls ||=
-            RepositoryFinder.new(
-              dependency: dependency,
-              credentials: credentials,
-              config_files: nuget_configs
-            ).dependency_urls
+            T.let(
+              RepositoryFinder.new(
+                dependency: dependency,
+                credentials: credentials,
+                config_files: nuget_configs
+              ).dependency_urls,
+              T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
+            )
         end
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def nuget_configs
           @nuget_configs ||=
-            dependency_files.select { |f| f.name.match?(/nuget\.config$/i) }
+            T.let(
+              dependency_files.select { |f| f.name.match?(/nuget\.config$/i) },
+              T.nilable(T::Array[Dependabot::DependencyFile])
+            )
         end
+        sig { returns(String) }
         def sanitized_name
           dependency.name.downcase
         end
+        sig { returns(T.class_of(Gem::Version)) }
         def version_class
           dependency.version_class
         end
+        sig { returns(T.class_of(Dependabot::Requirement)) }
         def requirement_class
           dependency.requirement_class
         end
+        sig { returns(T::Hash[Symbol, Integer]) }
         def excon_options
           # For large JSON files we sometimes need a little longer than for
           # other languages. For example, see:
@@ -345,6 +449,7 @@ module Dependabot
           }
         end
       end
+      # rubocop:enable Metrics/ClassLength
     end
   end
 end

data/lib/dependabot/nuget/update_checker.rb CHANGED Viewed

@@ -1,47 +1,59 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "dependabot/nuget/file_parser"
 require "dependabot/update_checkers"
 require "dependabot/update_checkers/base"
+require "sorbet-runtime"
 module Dependabot
   module Nuget
     class UpdateChecker < Dependabot::UpdateCheckers::Base
+      extend T::Sig
       require_relative "update_checker/version_finder"
       require_relative "update_checker/property_updater"
       require_relative "update_checker/requirements_updater"
       require_relative "update_checker/dependency_finder"
+      sig { override.returns(T.nilable(String)) }
       def latest_version
         # No need to find latest version for transitive dependencies unless they have a vulnerability.
         return dependency.version if !dependency.top_level? && !vulnerable?
         # if no update sources have the requisite package, then we can only assume that the current version is correct
-        @latest_version = latest_version_details&.fetch(:version) || dependency.version
+        @latest_version = T.let(
+          latest_version_details&.fetch(:version)&.to_s || dependency.version,
+          T.nilable(String)
+        )
       end
+      sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
       def latest_resolvable_version
         # We always want a full unlock since any package update could update peer dependencies as well.
         # To force a full unlock instead of an own unlock, we return nil.
         nil
       end
+      sig { override.returns(Dependabot::Nuget::Version) }
       def lowest_security_fix_version
         lowest_security_fix_version_details&.fetch(:version)
       end
+      sig { override.returns(T.nilable(Dependabot::Version)) }
       def lowest_resolvable_security_fix_version
         return nil if version_comes_from_multi_dependency_property?
         lowest_security_fix_version
       end
+      sig { override.returns(NilClass) }
       def latest_resolvable_version_with_no_unlock
         # Irrelevant, since Nuget has a single dependency file
         nil
       end
+      sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def updated_requirements
         RequirementsUpdater.new(
           requirements: dependency.requirements,
@@ -50,6 +62,7 @@ module Dependabot
         ).updated_requirements
       end
+      sig { returns(T::Boolean) }
       def up_to_date?
         # No need to update transitive dependencies unless they have a vulnerability.
         return true if !dependency.top_level? && !vulnerable?
@@ -62,6 +75,7 @@ module Dependabot
         super
       end
+      sig { returns(T::Boolean) }
       def requirements_unlocked_or_can_be?
         # If any requirements have an uninterpolated property in them then
         # that property couldn't be found, and the requirement therefore
@@ -73,6 +87,7 @@ module Dependabot
       private
+      sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def preferred_resolvable_version_details
         # If this dependency is vulnerable, prefer trying to update to the
         # lowest_resolvable_security_fix_version. Otherwise update all the way
@@ -82,6 +97,7 @@ module Dependabot
         latest_version_details
       end
+      sig { override.returns(T::Boolean) }
       def latest_version_resolvable_with_full_unlock?
         # We always want a full unlock since any package update could update peer dependencies as well.
         return true unless version_comes_from_multi_dependency_property?
@@ -89,6 +105,7 @@ module Dependabot
         property_updater.update_possible?
       end
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
       def updated_dependencies_after_full_unlock
         return property_updater.updated_dependencies if version_comes_from_multi_dependency_property?
@@ -96,7 +113,7 @@ module Dependabot
         updated_dependency = Dependency.new(
           name: dependency.name,
-          version: latest_version&.to_s,
+          version: latest_version,
           requirements: updated_requirements,
           previous_version: dependency.version,
           previous_requirements: dependency.requirements,
@@ -112,47 +129,66 @@ module Dependabot
         updated_dependencies
       end
+      sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def preferred_version_details
         return lowest_security_fix_version_details if vulnerable?
         latest_version_details
       end
+      sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def latest_version_details
-        @latest_version_details ||= version_finder.latest_version_details
+        @latest_version_details ||=
+          T.let(
+            version_finder.latest_version_details,
+            T.nilable(T::Hash[Symbol, T.untyped])
+          )
       end
+      sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def lowest_security_fix_version_details
         @lowest_security_fix_version_details ||=
-          version_finder.lowest_security_fix_version_details
+          T.let(
+            version_finder.lowest_security_fix_version_details,
+            T.nilable(T::Hash[Symbol, T.untyped])
+          )
       end
+      sig { returns(Dependabot::Nuget::UpdateChecker::VersionFinder) }
       def version_finder
         @version_finder ||=
-          VersionFinder.new(
-            dependency: dependency,
-            dependency_files: dependency_files,
-            credentials: credentials,
-            ignored_versions: ignored_versions,
-            raise_on_ignored: @raise_on_ignored,
-            security_advisories: security_advisories,
-            repo_contents_path: @repo_contents_path
+          T.let(
+            VersionFinder.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials,
+              ignored_versions: ignored_versions,
+              raise_on_ignored: @raise_on_ignored,
+              security_advisories: security_advisories,
+              repo_contents_path: @repo_contents_path
+            ),
+            T.nilable(Dependabot::Nuget::UpdateChecker::VersionFinder)
           )
       end
+      sig { returns(Dependabot::Nuget::UpdateChecker::PropertyUpdater) }
       def property_updater
         @property_updater ||=
-          PropertyUpdater.new(
-            dependency: dependency,
-            dependency_files: dependency_files,
-            target_version_details: latest_version_details,
-            credentials: credentials,
-            ignored_versions: ignored_versions,
-            raise_on_ignored: @raise_on_ignored,
-            repo_contents_path: @repo_contents_path
+          T.let(
+            PropertyUpdater.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              target_version_details: latest_version_details,
+              credentials: credentials,
+              ignored_versions: ignored_versions,
+              raise_on_ignored: @raise_on_ignored,
+              repo_contents_path: @repo_contents_path
+            ),
+            T.nilable(Dependabot::Nuget::UpdateChecker::PropertyUpdater)
           )
       end
+      sig { returns(T::Boolean) }
       def version_comes_from_multi_dependency_property?
         declarations_using_a_property.any? do |requirement|
           property_name = requirement.fetch(:metadata).fetch(:property_name)
@@ -167,20 +203,28 @@ module Dependabot
         end
       end
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def declarations_using_a_property
         @declarations_using_a_property ||=
-          dependency.requirements
-                    .select { |req| req.dig(:metadata, :property_name) }
+          T.let(
+            dependency.requirements
+                      .select { |req| req.dig(:metadata, :property_name) },
+            T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
+          )
       end
+      sig { returns(T::Array[Dependabot::Dependency]) }
       def all_property_based_dependencies
         @all_property_based_dependencies ||=
-          Nuget::FileParser.new(
-            dependency_files: dependency_files,
-            source: nil
-          ).parse.select do |dep|
-            dep.requirements.any? { |req| req.dig(:metadata, :property_name) }
-          end
+          T.let(
+            Nuget::FileParser.new(
+              dependency_files: dependency_files,
+              source: nil
+            ).parse.select do |dep|
+              dep.requirements.any? { |req| req.dig(:metadata, :property_name) }
+            end,
+            T.nilable(T::Array[Dependabot::Dependency])
+          )
       end
     end
   end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-nuget
 version: !ruby/object:Gem::Version
-  version: 0.247.0
+  version: 0.249.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-14 00:00:00.000000000 Z
+date: 2024-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.247.0
+        version: 0.249.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.247.0
+        version: 0.249.0
 - !ruby/object:Gem::Dependency
   name: rubyzip
   requirement: !ruby/object:Gem::Requirement
@@ -385,7 +385,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.247.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.249.0
 post_install_message:
 rdoc_options: []
 require_paths: