RubyGems - dependabot-nuget - Versions diffs - 0.248.0 → 0.250.0 - Mend

dependabot-nuget 0.248.0 → 0.250.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

data/lib/dependabot/nuget/update_checker/property_updater.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/file_parser"
@@ -8,28 +10,47 @@ module Dependabot
   module Nuget
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class PropertyUpdater
+        extend T::Sig
         require_relative "version_finder"
         require_relative "requirements_updater"
         require_relative "dependency_finder"
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            target_version_details: T.nilable(T::Hash[Symbol, String]),
+            ignored_versions: T::Array[String],
+            repo_contents_path: T.nilable(String),
+            raise_on_ignored: T::Boolean
+          ).void
+        end
         def initialize(dependency:, dependency_files:, credentials:,
                        target_version_details:, ignored_versions:,
-                       raise_on_ignored: false, repo_contents_path:)
+                       repo_contents_path:, raise_on_ignored: false)
           @dependency       = dependency
           @dependency_files = dependency_files
           @credentials      = credentials
           @ignored_versions = ignored_versions
           @raise_on_ignored = raise_on_ignored
-          @target_version   = target_version_details&.fetch(:version)
-          @source_details   = target_version_details
-                              &.slice(:nuspec_url, :repo_url, :source_url)
+          @target_version   = T.let(
+            target_version_details&.fetch(:version),
+            T.nilable(T.any(String, Dependabot::Nuget::Version))
+          )
+          @source_details = T.let(
+            target_version_details&.slice(:nuspec_url, :repo_url, :source_url),
+            T.nilable(T::Hash[Symbol, String])
+          )
           @repo_contents_path = repo_contents_path
         end
+        sig { returns(T::Boolean) }
         def update_possible?
           return false unless target_version
-          @update_possible ||=
+          @update_possible ||= T.let(
             dependencies_using_property.all? do |dep|
               versions = VersionFinder.new(
                 dependency: dep,
@@ -42,42 +63,73 @@ module Dependabot
               ).versions.map { |v| v.fetch(:version) }
               versions.include?(target_version) || versions.none?
-            end
+            end,
+            T.nilable(T::Boolean)
+          )
         end
+        sig { returns(T::Array[Dependabot::Dependency]) }
         def updated_dependencies
           raise "Update not possible!" unless update_possible?
-          @updated_dependencies ||= begin
-            dependencies = {}
-            dependencies_using_property.each do |dep|
-              # Only keep one copy of each dependency, the one with the highest target version.
-              visited_dependency = dependencies[dep.name.downcase]
-              next unless visited_dependency.nil? || visited_dependency.numeric_version < target_version
-              updated_dependency = Dependency.new(
-                name: dep.name,
-                version: target_version.to_s,
-                requirements: updated_requirements(dep),
-                previous_version: dep.version,
-                previous_requirements: dep.requirements,
-                package_manager: dep.package_manager
-              )
-              dependencies[updated_dependency.name.downcase] = updated_dependency
-              # Add peer dependencies to the list of updated dependencies.
-              process_updated_peer_dependencies(updated_dependency, dependencies)
-            end
+          @updated_dependencies ||= T.let(
+            begin
+              dependencies = T.let({}, T::Hash[String, Dependabot::Dependency])
+              dependencies_using_property.each do |dep|
+                # Only keep one copy of each dependency, the one with the highest target version.
+                visited_dependency = dependencies[dep.name.downcase]
+                next unless visited_dependency.nil? || T.must(visited_dependency.numeric_version) < target_version
+                updated_dependency = Dependency.new(
+                  name: dep.name,
+                  version: target_version.to_s,
+                  requirements: updated_requirements(dep),
+                  previous_version: dep.version,
+                  previous_requirements: dep.requirements,
+                  package_manager: dep.package_manager
+                )
+                dependencies[updated_dependency.name.downcase] = updated_dependency
+                # Add peer dependencies to the list of updated dependencies.
+                process_updated_peer_dependencies(updated_dependency, dependencies)
+              end
-            dependencies.map { |_, dependency| dependency }
-          end
+              dependencies.map { |_, dependency| dependency }
+            end,
+            T.nilable(T::Array[Dependabot::Dependency])
+          )
         end
         private
-        attr_reader :dependency, :dependency_files, :target_version,
-                    :source_details, :credentials, :ignored_versions, :repo_contents_path
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+        sig { returns(T.nilable(T.any(String, Dependabot::Nuget::Version))) }
+        attr_reader :target_version
+        sig { returns(T.nilable(T::Hash[Symbol, String])) }
+        attr_reader :source_details
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+        sig { returns(T::Array[String]) }
+        attr_reader :ignored_versions
+        sig { returns(T.nilable(String)) }
+        attr_reader :repo_contents_path
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependencies: T::Hash[String, Dependabot::Dependency]
+          )
+            .returns(T::Array[Dependabot::Dependency])
+        end
         def process_updated_peer_dependencies(dependency, dependencies)
           DependencyFinder.new(
             dependency: dependency,
@@ -87,36 +139,48 @@ module Dependabot
           ).updated_peer_dependencies.each do |peer_dependency|
             # Only keep one copy of each dependency, the one with the highest target version.
             visited_dependency = dependencies[peer_dependency.name.downcase]
-            next unless visited_dependency.nil? || visited_dependency.numeric_version < peer_dependency.numeric_version
+            unless visited_dependency.nil? ||
+                   T.must(visited_dependency.numeric_version) < peer_dependency.numeric_version
+              next
+            end
             dependencies[peer_dependency.name.downcase] = peer_dependency
           end
         end
+        sig { returns(T::Array[Dependabot::Dependency]) }
         def dependencies_using_property
           @dependencies_using_property ||=
-            Nuget::FileParser.new(
-              dependency_files: dependency_files,
-              source: nil
-            ).parse.select do |dep|
-              dep.requirements.any? do |r|
-                r.dig(:metadata, :property_name) == property_name
-              end
-            end
+            T.let(
+              Nuget::FileParser.new(
+                dependency_files: dependency_files,
+                source: nil
+              ).parse.select do |dep|
+                dep.requirements.any? do |r|
+                  r.dig(:metadata, :property_name) == property_name
+                end
+              end,
+              T.nilable(T::Array[Dependabot::Dependency])
+            )
         end
+        sig { returns(String) }
         def property_name
-          @property_name ||= dependency.requirements
-                                       .find { |r| r.dig(:metadata, :property_name) }
-                                       &.dig(:metadata, :property_name)
+          @property_name ||= T.let(
+            dependency.requirements
+              .find { |r| r.dig(:metadata, :property_name) }
+              &.dig(:metadata, :property_name),
+            T.nilable(String)
+          )
           raise "No requirement with a property name!" unless @property_name
           @property_name
         end
+        sig { params(dep: Dependabot::Dependency).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements(dep)
-          @updated_requirements ||= {}
+          @updated_requirements ||= T.let({}, T.nilable(T::Hash[String, T::Array[T::Hash[Symbol, T.untyped]]]))
           @updated_requirements[dep.name] ||=
             RequirementsUpdater.new(
               requirements: dep.requirements,

data/lib/dependabot/nuget/update_checker/repository_finder.rb CHANGED Viewed

@@ -1,8 +1,10 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "excon"
 require "nokogiri"
+require "sorbet-runtime"
 require "dependabot/errors"
 require "dependabot/update_checkers/base"
 require "dependabot/registry_client"
@@ -12,23 +14,34 @@ require "dependabot/nuget/http_response_helpers"
 module Dependabot
   module Nuget
     class RepositoryFinder
+      extend T::Sig
       DEFAULT_REPOSITORY_URL = "https://api.nuget.org/v3/index.json"
       DEFAULT_REPOSITORY_API_KEY = "nuget.org"
+      sig do
+        params(
+          dependency: Dependabot::Dependency,
+          credentials: T::Array[Dependabot::Credential],
+          config_files: T::Array[Dependabot::DependencyFile]
+        ).void
+      end
       def initialize(dependency:, credentials:, config_files: [])
         @dependency  = dependency
         @credentials = credentials
         @config_files = config_files
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def dependency_urls
         find_dependency_urls
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def known_repositories
         return @known_repositories if @known_repositories
-        @known_repositories = []
+        @known_repositories ||= T.let([], T.nilable(T::Array[T::Hash[Symbol, String]]))
         @known_repositories += credential_repositories
         @known_repositories += config_file_repositories
@@ -40,6 +53,7 @@ module Dependabot
         @known_repositories.uniq
       end
+      sig { params(dependency_name: String).returns(T::Hash[Symbol, T.untyped]) }
       def self.get_default_repository_details(dependency_name)
         {
           base_url: "https://api.nuget.org/v3-flatcontainer/",
@@ -56,21 +70,33 @@ module Dependabot
       private
-      attr_reader :dependency, :credentials, :config_files
+      sig { returns(Dependabot::Dependency) }
+      attr_reader :dependency
+      sig { returns(T::Array[Dependabot::Credential]) }
+      attr_reader :credentials
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :config_files
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def find_dependency_urls
         @find_dependency_urls ||=
-          known_repositories.flat_map do |details|
-            if details.fetch(:url) == DEFAULT_REPOSITORY_URL
-              # Save a request for the default URL, since we already know how
-              # it addresses packages
-              next default_repository_details
-            end
+          T.let(
+            known_repositories.flat_map do |details|
+              if details.fetch(:url) == DEFAULT_REPOSITORY_URL
+                # Save a request for the default URL, since we already know how
+                # it addresses packages
+                next default_repository_details
+              end
-            build_url_for_details(details)
-          end.compact.uniq
+              build_url_for_details(details)
+            end.compact.uniq,
+            T.nilable(T::Array[T::Hash[Symbol, T.untyped]])
+          )
       end
+      sig { params(repo_details: T::Hash[Symbol, T.untyped]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def build_url_for_details(repo_details)
         url = repo_details.fetch(:url)
         url_obj = URI.parse(url)
@@ -86,6 +112,7 @@ module Dependabot
         details
       end
+      sig { params(repo_details: T::Hash[Symbol, T.untyped]).returns(T.nilable(T::Hash[Symbol, T.untyped])) }
       def build_url_for_details_remote(repo_details)
         response = get_repo_metadata(repo_details)
         check_repo_response(response, repo_details)
@@ -118,11 +145,12 @@ module Dependabot
         details
       rescue JSON::ParserError
-        build_v2_url(response, repo_details)
+        build_v2_url(T.must(response), repo_details)
       rescue Excon::Error::Timeout, Excon::Error::Socket
         handle_timeout(repo_metadata_url: repo_details.fetch(:url))
       end
+      sig { params(repo_details: T::Hash[Symbol, T.untyped]).returns(Excon::Response) }
       def get_repo_metadata(repo_details)
         url = repo_details.fetch(:url)
         cache = CacheManager.cache("repo_finder_metadatacache")
@@ -138,6 +166,7 @@ module Dependabot
         end
       end
+      sig { params(metadata: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]).returns(T.nilable(String)) }
       def base_url_from_v3_metadata(metadata)
         metadata
           .fetch("resources", [])
@@ -145,6 +174,7 @@ module Dependabot
           &.fetch("@id")
       end
+      sig { params(metadata: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]).returns(T.nilable(String)) }
       def registration_url_from_v3_metadata(metadata)
         allowed_registration_types = %w(
           RegistrationsBaseUrl
@@ -159,6 +189,7 @@ module Dependabot
           &.fetch("@id")
       end
+      sig { params(metadata: T::Hash[String, T::Array[T::Hash[String, T.untyped]]]).returns(T.nilable(String)) }
       def search_url_from_v3_metadata(metadata)
         # allowable values from here: https://learn.microsoft.com/en-us/nuget/api/search-query-service-resource#versioning
         allowed_search_types = %w(
@@ -173,6 +204,13 @@ module Dependabot
           &.fetch("@id")
       end
+      sig do
+        params(
+          response: Excon::Response,
+          repo_details: T::Hash[Symbol, T.untyped]
+        )
+          .returns(T::Hash[Symbol, T.untyped])
+      end
       def build_v2_url(response, repo_details)
         doc = Nokogiri::XML(response.body)
@@ -194,6 +232,7 @@ module Dependabot
         }
       end
+      sig { params(response: Excon::Response, details: T::Hash[Symbol, T.untyped]).void }
       def check_repo_response(response, details)
         return unless [401, 402, 403].include?(response.status)
         raise if details.fetch(:url) == DEFAULT_REPOSITORY_URL
@@ -201,19 +240,25 @@ module Dependabot
         raise PrivateSourceAuthenticationFailure, details.fetch(:url)
       end
+      sig { params(repo_metadata_url: String).returns(T.noreturn) }
       def handle_timeout(repo_metadata_url:)
         raise if repo_metadata_url == DEFAULT_REPOSITORY_URL
         raise PrivateSourceTimedOut, repo_metadata_url
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def credential_repositories
         @credential_repositories ||=
-          credentials
-          .select { |cred| cred["type"] == "nuget_feed" && cred["url"] }
-          .map { |c| { url: c.fetch("url"), token: c["token"] } }
+          T.let(
+            credentials
+            .select { |cred| cred["type"] == "nuget_feed" && cred["url"] }
+            .map { |c| { url: c.fetch("url"), token: c["token"] } },
+            T.nilable(T::Array[T::Hash[Symbol, String]])
+          )
       end
+      sig { returns(T::Array[T::Hash[Symbol, String]]) }
       def config_file_repositories
         config_files.flat_map { |file| repos_from_config_file(file) }
       end
@@ -222,13 +267,14 @@ module Dependabot
       # rubocop:disable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/MethodLength
       # rubocop:disable Metrics/AbcSize
+      sig { params(config_file: Dependabot::DependencyFile).returns(T::Array[T::Hash[Symbol, String]]) }
       def repos_from_config_file(config_file)
         doc = Nokogiri::XML(config_file.content)
         doc.remove_namespaces!
         # analogous to having a root config with the default repository
         base_sources = [{ url: DEFAULT_REPOSITORY_URL, key: "nuget.org" }]
-        sources = []
+        sources = T.let([], T::Array[T::Hash[Symbol, String]])
         # regular package sources
         doc.css("configuration > packageSources").children.each do |node|
@@ -269,6 +315,23 @@ module Dependabot
           known_urls.include?(s.fetch(:url))
         end
+        # filter out based on packageSourceMapping
+        package_mapping_elements = doc.xpath("/configuration/packageSourceMapping/packageSource/package[@pattern]")
+        matching_package_elements = package_mapping_elements.select do |package_element|
+          pattern = package_element.attribute("pattern").value
+          # reusing this function for a case insensitive GLOB pattern patch (e.g., "Microsoft.Azure.*")
+          File.fnmatch(pattern, @dependency.name, File::FNM_CASEFOLD)
+        end
+        longest_matching_package_element = matching_package_elements.max_by do |package_element|
+          package_element.attribute("pattern").value.length
+        end
+        matching_key = longest_matching_package_element&.parent&.attribute("key")&.value
+        if matching_key
+          # found a matching source, only keep that one
+          sources.select! { |s| s.fetch(:key) == matching_key }
+        end
         add_config_file_credentials(sources: sources, doc: doc)
         sources.each { |details| details.delete(:key) }
@@ -279,11 +342,13 @@ module Dependabot
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:enable Metrics/CyclomaticComplexity
+      sig { returns(T::Hash[Symbol, T.untyped]) }
       def default_repository_details
         RepositoryFinder.get_default_repository_details(dependency.name)
       end
       # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(doc: Nokogiri::XML::Document).returns(T::Array[String]) }
       def disabled_sources(doc)
         doc.css("configuration > disabledPackageSources > add").filter_map do |node|
           value = node.attribute("value")&.value ||
@@ -298,6 +363,13 @@ module Dependabot
       # rubocop:enable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/PerceivedComplexity
+      sig do
+        params(
+          sources: T::Array[T::Hash[Symbol, T.nilable(String)]],
+          doc: Nokogiri::XML::Document
+        )
+          .void
+      end
       def add_config_file_credentials(sources:, doc:)
         sources.each do |source_details|
           key = source_details.fetch(:key)
@@ -329,11 +401,10 @@ module Dependabot
           # Any non-ascii characters in the tag with cause a syntax error
           next source_details[:token] = nil
         end
-        sources
       end
       # rubocop:enable Metrics/PerceivedComplexity
+      sig { params(string: String).returns(String) }
       def expand_windows_style_environment_variables(string)
         # NuGet.Config files can have Windows-style environment variables that need to be replaced
         # https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file#using-environment-variables
@@ -352,6 +423,7 @@ module Dependabot
         end
       end
+      sig { params(token: T.nilable(String)).returns(T::Hash[String, String]) }
       def auth_header_for_token(token)
         return {} unless token

data/lib/dependabot/nuget/update_checker/tfm_comparer.rb CHANGED Viewed

@@ -1,6 +1,8 @@
-# typed: true
+# typed: strong
 # frozen_string_literal: true
+require "sorbet-runtime"
 require "dependabot/update_checkers/base"
 require "dependabot/nuget/version"
 require "dependabot/nuget/requirement"
@@ -10,19 +12,22 @@ require "dependabot/shared_helpers"
 module Dependabot
   module Nuget
     class TfmComparer
+      extend T::Sig
+      sig { params(project_tfms: T::Array[String], package_tfms: T::Array[String]).returns(T::Boolean) }
       def self.are_frameworks_compatible?(project_tfms, package_tfms)
         return false if package_tfms.empty?
         return false if project_tfms.empty?
         key = "project_ftms:#{project_tfms.sort.join(',')}:package_tfms:#{package_tfms.sort.join(',')}".downcase
-        @cached_framework_check ||= {}
+        @cached_framework_check ||= T.let({}, T.nilable(T::Hash[String, T::Boolean]))
         unless @cached_framework_check.key?(key)
           @cached_framework_check[key] =
             NativeHelpers.run_nuget_framework_check(project_tfms,
                                                     package_tfms)
         end
-        @cached_framework_check[key]
+        T.must(@cached_framework_check[key])
       end
     end
   end