RubyGems - dependabot-nuget - Versions diffs - 0.248.0 → 0.249.0 - Mend

dependabot-nuget 0.248.0 → 0.249.0

Files changed (21) hide show

data/lib/dependabot/nuget/update_checker/property_updater.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/file_parser"
@@ -8,28 +10,47 @@ module Dependabot
   module Nuget
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class PropertyUpdater
+        extend T::Sig
         require_relative "version_finder"
         require_relative "requirements_updater"
         require_relative "dependency_finder"
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            target_version_details: T.nilable(T::Hash[Symbol, String]),
+            ignored_versions: T::Array[String],
+            repo_contents_path: T.nilable(String),
+            raise_on_ignored: T::Boolean
+          ).void
+        end
         def initialize(dependency:, dependency_files:, credentials:,
                        target_version_details:, ignored_versions:,
-                       raise_on_ignored: false, repo_contents_path:)
+                       repo_contents_path:, raise_on_ignored: false)
           @dependency       = dependency
           @dependency_files = dependency_files
           @credentials      = credentials
           @ignored_versions = ignored_versions
           @raise_on_ignored = raise_on_ignored
-          @target_version   = target_version_details&.fetch(:version)
-          @source_details   = target_version_details
-                              &.slice(:nuspec_url, :repo_url, :source_url)
+          @target_version   = T.let(
+            target_version_details&.fetch(:version),
+            T.nilable(T.any(String, Dependabot::Nuget::Version))
+          )
+          @source_details = T.let(
+            target_version_details&.slice(:nuspec_url, :repo_url, :source_url),
+            T.nilable(T::Hash[Symbol, String])
+          )
           @repo_contents_path = repo_contents_path
         end
+        sig { returns(T::Boolean) }
         def update_possible?
           return false unless target_version
-          @update_possible ||=
+          @update_possible ||= T.let(
             dependencies_using_property.all? do |dep|
               versions = VersionFinder.new(
                 dependency: dep,
@@ -42,42 +63,73 @@ module Dependabot
               ).versions.map { |v| v.fetch(:version) }
               versions.include?(target_version) || versions.none?
-            end
+            end,
+            T.nilable(T::Boolean)
+          )
         end
+        sig { returns(T::Array[Dependabot::Dependency]) }
         def updated_dependencies
           raise "Update not possible!" unless update_possible?
-          @updated_dependencies ||= begin
-            dependencies = {}
-            dependencies_using_property.each do |dep|
-              # Only keep one copy of each dependency, the one with the highest target version.
-              visited_dependency = dependencies[dep.name.downcase]
-              next unless visited_dependency.nil? || visited_dependency.numeric_version < target_version
-              updated_dependency = Dependency.new(
-                name: dep.name,
-                version: target_version.to_s,
-                requirements: updated_requirements(dep),
-                previous_version: dep.version,
-                previous_requirements: dep.requirements,
-                package_manager: dep.package_manager
-              )
-              dependencies[updated_dependency.name.downcase] = updated_dependency
-              # Add peer dependencies to the list of updated dependencies.
-              process_updated_peer_dependencies(updated_dependency, dependencies)
-            end
+          @updated_dependencies ||= T.let(
+            begin
+              dependencies = T.let({}, T::Hash[String, Dependabot::Dependency])
+              dependencies_using_property.each do |dep|
+                # Only keep one copy of each dependency, the one with the highest target version.
+                visited_dependency = dependencies[dep.name.downcase]
+                next unless visited_dependency.nil? || T.must(visited_dependency.numeric_version) < target_version
+                updated_dependency = Dependency.new(
+                  name: dep.name,
+                  version: target_version.to_s,
+                  requirements: updated_requirements(dep),
+                  previous_version: dep.version,
+                  previous_requirements: dep.requirements,
+                  package_manager: dep.package_manager
+                )
+                dependencies[updated_dependency.name.downcase] = updated_dependency
+                # Add peer dependencies to the list of updated dependencies.
+                process_updated_peer_dependencies(updated_dependency, dependencies)
+              end
-            dependencies.map { |_, dependency| dependency }
-          end
+              dependencies.map { |_, dependency| dependency }
+            end,
+            T.nilable(T::Array[Dependabot::Dependency])
+          )
         end
         private
-        attr_reader :dependency, :dependency_files, :target_version,
-                    :source_details, :credentials, :ignored_versions, :repo_contents_path
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+        sig { returns(T.nilable(T.any(String, Dependabot::Nuget::Version))) }
+        attr_reader :target_version
+        sig { returns(T.nilable(T::Hash[Symbol, String])) }
+        attr_reader :source_details
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+        sig { returns(T::Array[String]) }
+        attr_reader :ignored_versions
+        sig { returns(T.nilable(String)) }
+        attr_reader :repo_contents_path
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependencies: T::Hash[String, Dependabot::Dependency]
+          )
+            .returns(T::Array[Dependabot::Dependency])
+        end
         def process_updated_peer_dependencies(dependency, dependencies)
           DependencyFinder.new(
             dependency: dependency,
@@ -87,36 +139,48 @@ module Dependabot
           ).updated_peer_dependencies.each do |peer_dependency|
             # Only keep one copy of each dependency, the one with the highest target version.
             visited_dependency = dependencies[peer_dependency.name.downcase]
-            next unless visited_dependency.nil? || visited_dependency.numeric_version < peer_dependency.numeric_version
+            unless visited_dependency.nil? ||
+                   T.must(visited_dependency.numeric_version) < peer_dependency.numeric_version
+              next
+            end
             dependencies[peer_dependency.name.downcase] = peer_dependency
           end
         end
+        sig { returns(T::Array[Dependabot::Dependency]) }
         def dependencies_using_property
           @dependencies_using_property ||=
-            Nuget::FileParser.new(
-              dependency_files: dependency_files,
-              source: nil
-            ).parse.select do |dep|
-              dep.requirements.any? do |r|
-                r.dig(:metadata, :property_name) == property_name
-              end
-            end
+            T.let(
+              Nuget::FileParser.new(
+                dependency_files: dependency_files,
+                source: nil
+              ).parse.select do |dep|
+                dep.requirements.any? do |r|
+                  r.dig(:metadata, :property_name) == property_name
+                end
+              end,
+              T.nilable(T::Array[Dependabot::Dependency])
+            )
         end
+        sig { returns(String) }
         def property_name
-          @property_name ||= dependency.requirements
-                                       .find { |r| r.dig(:metadata, :property_name) }
-                                       &.dig(:metadata, :property_name)
+          @property_name ||= T.let(
+            dependency.requirements
+              .find { |r| r.dig(:metadata, :property_name) }
+              &.dig(:metadata, :property_name),
+            T.nilable(String)
+          )
           raise "No requirement with a property name!" unless @property_name
           @property_name
         end
+        sig { params(dep: Dependabot::Dependency).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements(dep)
-          @updated_requirements ||= {}
+          @updated_requirements ||= T.let({}, T.nilable(T::Hash[String, T::Array[T::Hash[Symbol, T.untyped]]]))
           @updated_requirements[dep.name] ||=
             RequirementsUpdater.new(
               requirements: dep.requirements,

data/lib/dependabot/nuget/update_checker/repository_finder.rb CHANGED Viewed

@@ -1,8 +1,10 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "excon"
 require "nokogiri"
+require "sorbet-runtime"
 require "dependabot/errors"
 require "dependabot/update_checkers/base"
 require "dependabot/registry_client"
@@ -12,23 +14,34 @@ require "dependabot/nuget/http_response_helpers"
 module Dependabot
   module Nuget
     class RepositoryFinder
+      extend T::Sig
       DEFAULT_REPOSITORY_URL = "https://api.nuget.org/v3/index.json"
       DEFAULT_REPOSITORY_API_KEY = "nuget.org"
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          credentials: T::Array[Dependabot::Credential],
+          config_files: T::Array[Dependabot::DependencyFile]
+        ).void
+      end
       def initialize(dependency:, credentials:, config_files: [])
         @dependency  = dependency
         @credentials = credentials
         @config_files = config_files
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def dependency_urls
         find_dependency_urls
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def known_repositories
         return @known_repositories if @known_repositories
-        @known_repositories = []
+        @known_repositories ||= T.let([], T.nilable(T::Array[T::Hash[Symbol, String]]))
         @known_repositories += credential_repositories
         @known_repositories += config_file_repositories
@@ -40,6 +53,7 @@ module Dependabot
         @known_repositories.uniq
       end
+      sig { params(dependency_name: String).returns(T::Hash[Symbol, T.untyped]) }
       def self.get_default_repository_details(dependency_name)
         {
           base_url: "https://api.nuget.org/v3-flatcontainer/",
@@ -56,21 +70,33 @@ module Dependabot
       private
-      attr_reader :dependency, :credentials, :config_files
+      sig { returns(Dependabot::Dependency) }
+      attr_reader :dependency
+      sig { returns(T::Array[Dependabot::Credential]) }
+      attr_reader :credentials
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :config_files
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def find_dependency_urls
         @find_dependency_urls ||=
-          known_repositories.flat_map do |details|
-            if details.fetch(:url) == DEFAULT_REPOSITORY_URL
-              # Save a request for the default URL, since we already know how
-              # it addresses packages
-              next default_repository_details
-            end
+          T.let(
+            known_repositories.flat_map do |details|
+              if details.fetch(:url) == DEFAULT_REPOSITORY_URL
+                # Save a request for the default URL, since we already know how
+                # it addresses packages
+                next default_repository_details
+              end
-            build_url_for_details(details)
-          end.compact.uniq
+              build_url_for_details(details)
+            end.compact.uniq,
+            T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
+          )
       end
+      sig { params(repo_details: T::Hash[Symbol, T.untyped]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def build_url_for_details(repo_details)
         url = repo_details.fetch(:url)
         url_obj = URI.parse(url)
@@ -86,6 +112,7 @@ module Dependabot
         details
       end
+      sig { params(repo_details: T::Hash[Symbol, T.untyped]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def build_url_for_details_remote(repo_details)
         response = get_repo_metadata(repo_details)
         check_repo_response(response, repo_details)
@@ -118,11 +145,12 @@ module Dependabot
         details
       rescue JSON::ParserError
-        build_v2_url(response, repo_details)
+        build_v2_url(T.must(response), repo_details)
       rescue Excon::Error::Timeout, Excon::Error::Socket
         handle_timeout(repo_metadata_url: repo_details.fetch(:url))
       end
+      sig { params(repo_details: T::Hash[Symbol, T.untyped]).returns(Excon::Response) }
       def get_repo_metadata(repo_details)
         url = repo_details.fetch(:url)
         cache = CacheManager.cache("repo_finder_metadatacache")
@@ -138,6 +166,7 @@ module Dependabot
         end
       end
+      sig { params(metadata: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]).returns(T.nilable(String)) }
       def base_url_from_v3_metadata(metadata)
         metadata
           .fetch("resources", [])
@@ -145,6 +174,7 @@ module Dependabot
           &.fetch("@id")
       end
+      sig { params(metadata: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]).returns(T.nilable(String)) }
       def registration_url_from_v3_metadata(metadata)
         allowed_registration_types = %w(
           RegistrationsBaseUrl
@@ -159,6 +189,7 @@ module Dependabot
           &.fetch("@id")
       end
+      sig { params(metadata: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]).returns(T.nilable(String)) }
       def search_url_from_v3_metadata(metadata)
         # allowable values from here: https://learn.microsoft.com/en-us/nuget/api/search-query-service-resource#versioning
         allowed_search_types = %w(
@@ -173,6 +204,13 @@ module Dependabot
           &.fetch("@id")
       end
+      sig do
+        params(
+          response: Excon::Response,
+          repo_details: T::Hash[Symbol, T.untyped]
+        )
+          .returns(T::Hash[Symbol, T.untyped])
+      end
       def build_v2_url(response, repo_details)
         doc = Nokogiri::XML(response.body)
@@ -194,6 +232,7 @@ module Dependabot
         }
       end
+      sig { params(response: Excon::Response, details: T::Hash[Symbol, T.untyped]).void }
       def check_repo_response(response, details)
         return unless [401, 402, 403].include?(response.status)
         raise if details.fetch(:url) == DEFAULT_REPOSITORY_URL
@@ -201,19 +240,25 @@ module Dependabot
         raise PrivateSourceAuthenticationFailure, details.fetch(:url)
       end
+      sig { params(repo_metadata_url: String).returns(T.noreturn) }
       def handle_timeout(repo_metadata_url:)
         raise if repo_metadata_url == DEFAULT_REPOSITORY_URL
         raise PrivateSourceTimedOut, repo_metadata_url
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def credential_repositories
         @credential_repositories ||=
-          credentials
-          .select { |cred| cred["type"] == "nuget_feed" && cred["url"] }
-          .map { |c| { url: c.fetch("url"), token: c["token"] } }
+          T.let(
+            credentials
+            .select { |cred| cred["type"] == "nuget_feed" && cred["url"] }
+            .map { |c| { url: c.fetch("url"), token: c["token"] } },
+            T.nilable(T::Array[T::Hash[Symbol, String]])
+          )
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def config_file_repositories
         config_files.flat_map { |file| repos_from_config_file(file) }
       end
@@ -222,13 +267,14 @@ module Dependabot
       # rubocop:disable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/MethodLength
       # rubocop:disable Metrics/AbcSize
+      sig { params(config_file: Dependabot::DependencyFile).returns(T::Array[T::Hash[Symbol, String]]) }
       def repos_from_config_file(config_file)
         doc = Nokogiri::XML(config_file.content)
         doc.remove_namespaces!
         # analogous to having a root config with the default repository
         base_sources = [{ url: DEFAULT_REPOSITORY_URL, key: "nuget.org" }]
-        sources = []
+        sources = T.let([], T::Array[T::Hash[Symbol, String]])
         # regular package sources
         doc.css("configuration > packageSources").children.each do |node|
@@ -269,6 +315,23 @@ module Dependabot
           known_urls.include?(s.fetch(:url))
         end
+        # filter out based on packageSourceMapping
+        package_mapping_elements = doc.xpath("/configuration/packageSourceMapping/packageSource/package[@pattern]")
+        matching_package_elements = package_mapping_elements.select do |package_element|
+          pattern = package_element.attribute("pattern").value
+          # reusing this function for a case insensitive GLOB pattern patch (e.g., "Microsoft.Azure.*")
+          File.fnmatch(pattern, @dependency.name, File::FNM_CASEFOLD)
+        end
+        longest_matching_package_element = matching_package_elements.max_by do |package_element|
+          package_element.attribute("pattern").value.length
+        end
+        matching_key = longest_matching_package_element&.parent&.attribute("key")&.value
+        if matching_key
+          # found a matching source, only keep that one
+          sources.select! { |s| s.fetch(:key) == matching_key }
+        end
         add_config_file_credentials(sources: sources, doc: doc)
         sources.each { |details| details.delete(:key) }
@@ -279,11 +342,13 @@ module Dependabot
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:enable Metrics/CyclomaticComplexity
+      sig { returns(T::Hash[Symbol, T.untyped]) }
       def default_repository_details
         RepositoryFinder.get_default_repository_details(dependency.name)
       end
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(doc: Nokogiri::XML::Document).returns(T::Array[String]) }
       def disabled_sources(doc)
         doc.css("configuration > disabledPackageSources > add").filter_map do |node|
           value = node.attribute("value")&.value ||
@@ -298,6 +363,13 @@ module Dependabot
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/PerceivedComplexity
+      sig do
+        params(
+          sources: T::Array[T::Hash[Symbol, T.nilable(String)]],
+          doc: Nokogiri::XML::Document
+        )
+          .void
+      end
       def add_config_file_credentials(sources:, doc:)
         sources.each do |source_details|
           key = source_details.fetch(:key)
@@ -329,11 +401,10 @@ module Dependabot
           # Any non-ascii characters in the tag with cause a syntax error
           next source_details[:token] = nil
         end
-        sources
       end
       # rubocop:enable Metrics/PerceivedComplexity
+      sig { params(string: String).returns(String) }
       def expand_windows_style_environment_variables(string)
         # NuGet.Config files can have Windows-style environment variables that need to be replaced
         # https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file#using-environment-variables
@@ -352,6 +423,7 @@ module Dependabot
         end
       end
+      sig { params(token: T.nilable(String)).returns(T::Hash[String, String]) }
       def auth_header_for_token(token)
         return {} unless token

data/lib/dependabot/nuget/update_checker/tfm_comparer.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/version"
 require "dependabot/nuget/requirement"
@@ -10,19 +12,22 @@ require "dependabot/shared_helpers"
 module Dependabot
   module Nuget
     class TfmComparer
+      extend T::Sig
+      sig { params(project_tfms: T::Array[String], package_tfms: T::Array[String]).returns(T::Boolean) }
       def self.are_frameworks_compatible?(project_tfms, package_tfms)
         return false if package_tfms.empty?
         return false if project_tfms.empty?
         key = "project_ftms:#{project_tfms.sort.join(',')}:package_tfms:#{package_tfms.sort.join(',')}".downcase
-        @cached_framework_check ||= {}
+        @cached_framework_check ||= T.let({}, T.nilable(T::Hash[String, T::Boolean]))
         unless @cached_framework_check.key?(key)
           @cached_framework_check[key] =
             NativeHelpers.run_nuget_framework_check(project_tfms,
                                                     package_tfms)
         end
-        @cached_framework_check[key]
+        T.must(@cached_framework_check[key])
       end
     end
   end