dependabot-nuget 0.100.2 → 0.101.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b6127f346f242e91f4d6d8dc9d1ce6d11d543ed63fc32727f6a8138af185d775
|
|
4
|
+
data.tar.gz: b832964c19dcbd0de3a20f89b06eaf2b298570399de786538a215f70b0e37728
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 13f11948ec57a58bf63f4d1a0991de9d208f33f18d7cc35b2b6520a0657d3f834d305f130e4976cb25998eb76b67809341ddc6f42ff81e1e97fee770109d63bd
|
|
7
|
+
data.tar.gz: '0386b5365781008d232db19a91d3b2fc4a6ad0851091cbb25da89693bc2cf68b2195eae43510b7bdeb72ec7951c9112b2be3e0bef8cf76ce3d77723ecfc6f37f'
|
|
@@ -22,6 +22,12 @@ module Dependabot
|
|
|
22
22
|
latest_version
|
|
23
23
|
end
|
|
24
24
|
|
|
25
|
+
def lowest_resolvable_security_fix_version
|
|
26
|
+
return nil if version_comes_from_multi_dependency_property?
|
|
27
|
+
|
|
28
|
+
lowest_security_fix_version_details&.fetch(:version)
|
|
29
|
+
end
|
|
30
|
+
|
|
25
31
|
def latest_resolvable_version_with_no_unlock
|
|
26
32
|
# Irrelevant, since Nuget has a single dependency file
|
|
27
33
|
nil
|
|
@@ -30,8 +36,8 @@ module Dependabot
|
|
|
30
36
|
def updated_requirements
|
|
31
37
|
RequirementsUpdater.new(
|
|
32
38
|
requirements: dependency.requirements,
|
|
33
|
-
latest_version:
|
|
34
|
-
source_details:
|
|
39
|
+
latest_version: preferred_resolvable_version&.to_s,
|
|
40
|
+
source_details: preferred_version_details&.
|
|
35
41
|
slice(:nuspec_url, :repo_url, :source_url)
|
|
36
42
|
).updated_requirements
|
|
37
43
|
end
|
|
@@ -67,17 +73,29 @@ module Dependabot
|
|
|
67
73
|
property_updater.updated_dependencies
|
|
68
74
|
end
|
|
69
75
|
|
|
76
|
+
def preferred_version_details
|
|
77
|
+
return lowest_security_fix_version_details if vulnerable?
|
|
78
|
+
|
|
79
|
+
latest_version_details
|
|
80
|
+
end
|
|
81
|
+
|
|
70
82
|
def latest_version_details
|
|
71
83
|
@latest_version_details ||= version_finder.latest_version_details
|
|
72
84
|
end
|
|
73
85
|
|
|
86
|
+
def lowest_security_fix_version_details
|
|
87
|
+
@lowest_security_fix_version_details ||=
|
|
88
|
+
version_finder.lowest_security_fix_version_details
|
|
89
|
+
end
|
|
90
|
+
|
|
74
91
|
def version_finder
|
|
75
92
|
@version_finder ||=
|
|
76
93
|
VersionFinder.new(
|
|
77
94
|
dependency: dependency,
|
|
78
95
|
dependency_files: dependency_files,
|
|
79
96
|
credentials: credentials,
|
|
80
|
-
ignored_versions: ignored_versions
|
|
97
|
+
ignored_versions: ignored_versions,
|
|
98
|
+
security_advisories: security_advisories
|
|
81
99
|
)
|
|
82
100
|
end
|
|
83
101
|
|
|
@@ -30,7 +30,8 @@ module Dependabot
|
|
|
30
30
|
dependency: dep,
|
|
31
31
|
dependency_files: dependency_files,
|
|
32
32
|
credentials: credentials,
|
|
33
|
-
ignored_versions: ignored_versions
|
|
33
|
+
ignored_versions: ignored_versions,
|
|
34
|
+
security_advisories: []
|
|
34
35
|
).versions.map { |v| v.fetch(:version) }
|
|
35
36
|
|
|
36
37
|
versions.include?(target_version) || versions.none?
|
|
@@ -15,25 +15,33 @@ module Dependabot
|
|
|
15
15
|
require_relative "repository_finder"
|
|
16
16
|
|
|
17
17
|
def initialize(dependency:, dependency_files:, credentials:,
|
|
18
|
-
ignored_versions:
|
|
19
|
-
@dependency
|
|
20
|
-
@dependency_files
|
|
21
|
-
@credentials
|
|
22
|
-
@ignored_versions
|
|
18
|
+
ignored_versions:, security_advisories:)
|
|
19
|
+
@dependency = dependency
|
|
20
|
+
@dependency_files = dependency_files
|
|
21
|
+
@credentials = credentials
|
|
22
|
+
@ignored_versions = ignored_versions
|
|
23
|
+
@security_advisories = security_advisories
|
|
23
24
|
end
|
|
24
25
|
|
|
25
26
|
def latest_version_details
|
|
26
27
|
@latest_version_details ||=
|
|
27
28
|
begin
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
29
|
+
possible_versions = versions
|
|
30
|
+
possible_versions = filter_prereleases(possible_versions)
|
|
31
|
+
possible_versions = filter_ignored_versions(possible_versions)
|
|
32
|
+
possible_versions.max_by { |hash| hash.fetch(:version) }
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
def lowest_security_fix_version_details
|
|
37
|
+
@lowest_security_fix_version_details ||=
|
|
38
|
+
begin
|
|
39
|
+
possible_versions = versions
|
|
40
|
+
possible_versions = filter_prereleases(possible_versions)
|
|
41
|
+
possible_versions = filter_ignored_versions(possible_versions)
|
|
42
|
+
possible_versions = filter_vulnerable_versions(possible_versions)
|
|
43
|
+
possible_versions = filter_lower_versions(possible_versions)
|
|
44
|
+
possible_versions.min_by { |hash| hash.fetch(:version) }
|
|
37
45
|
end
|
|
38
46
|
end
|
|
39
47
|
|
|
@@ -42,10 +50,48 @@ module Dependabot
|
|
|
42
50
|
end
|
|
43
51
|
|
|
44
52
|
attr_reader :dependency, :dependency_files, :credentials,
|
|
45
|
-
:ignored_versions
|
|
53
|
+
:ignored_versions, :security_advisories
|
|
46
54
|
|
|
47
55
|
private
|
|
48
56
|
|
|
57
|
+
def filter_prereleases(possible_versions)
|
|
58
|
+
possible_versions.reject do |d|
|
|
59
|
+
version = d.fetch(:version)
|
|
60
|
+
version.prerelease? && !related_to_current_pre?(version)
|
|
61
|
+
end
|
|
62
|
+
end
|
|
63
|
+
|
|
64
|
+
def filter_ignored_versions(possible_versions)
|
|
65
|
+
versions_array = possible_versions
|
|
66
|
+
|
|
67
|
+
ignored_versions.each do |req|
|
|
68
|
+
ignore_req = requirement_class.new(req.split(","))
|
|
69
|
+
versions_array =
|
|
70
|
+
versions_array.
|
|
71
|
+
reject { |v| ignore_req.satisfied_by?(v.fetch(:version)) }
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
versions_array
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
def filter_vulnerable_versions(possible_versions)
|
|
78
|
+
versions_array = possible_versions
|
|
79
|
+
|
|
80
|
+
security_advisories.each do |advisory|
|
|
81
|
+
versions_array =
|
|
82
|
+
versions_array.
|
|
83
|
+
reject { |v| advisory.vulnerable?(v.fetch(:version)) }
|
|
84
|
+
end
|
|
85
|
+
|
|
86
|
+
versions_array
|
|
87
|
+
end
|
|
88
|
+
|
|
89
|
+
def filter_lower_versions(possible_versions)
|
|
90
|
+
possible_versions.select do |v|
|
|
91
|
+
v.fetch(:version) > version_class.new(dependency.version)
|
|
92
|
+
end
|
|
93
|
+
end
|
|
94
|
+
|
|
49
95
|
def available_v3_versions
|
|
50
96
|
v3_nuget_listings.flat_map do |listing|
|
|
51
97
|
listing.
|
|
@@ -208,10 +254,6 @@ module Dependabot
|
|
|
208
254
|
).dependency_urls
|
|
209
255
|
end
|
|
210
256
|
|
|
211
|
-
def ignore_reqs
|
|
212
|
-
ignored_versions.map { |req| requirement_class.new(req.split(",")) }
|
|
213
|
-
end
|
|
214
|
-
|
|
215
257
|
def nuget_config
|
|
216
258
|
@nuget_config ||=
|
|
217
259
|
dependency_files.find { |f| f.name.casecmp("nuget.config").zero? }
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-nuget
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.101.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.101.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.101.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|