dependabot-pre_commit 0.361.2

data/lib/dependabot/pre_commit/update_checker/latest_version_finder.rb

@@ -0,0 +1,240 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "dependabot/errors"
+require "dependabot/pre_commit/file_parser"
+require "dependabot/pre_commit/package/package_details_fetcher"
+require "dependabot/pre_commit/requirement"
+require "dependabot/pre_commit/update_checker"
+require "dependabot/pre_commit/helpers"
+require "dependabot/package/package_latest_version_finder"
+require "dependabot/shared_helpers"
+require "dependabot/update_checkers/version_filters"
+
+module Dependabot
+  module PreCommit
+    class UpdateChecker
+      class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
+        extend T::Sig
+
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            ignored_versions: T::Array[String],
+            raise_on_ignored: T::Boolean,
+            options: T::Hash[Symbol, T.untyped],
+            cooldown_options: T.nilable(Dependabot::Package::ReleaseCooldownOptions)
+          ).void
+        end
+        def initialize(
+          dependency:,
+          dependency_files:,
+          credentials:,
+          ignored_versions:,
+          raise_on_ignored:,
+          options: {},
+          cooldown_options: nil
+        )
+          @dependency          = dependency
+          @dependency_files    = dependency_files
+          @credentials         = credentials
+          @ignored_versions    = ignored_versions
+          @raise_on_ignored    = raise_on_ignored
+          @options             = options
+          @cooldown_options = cooldown_options
+
+          @git_helper = T.let(git_helper, Dependabot::PreCommit::Helpers::Githelper)
+          super(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            security_advisories: [],
+            cooldown_options: cooldown_options,
+            raise_on_ignored: raise_on_ignored,
+            options: options
+          )
+        end
+
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+
+        sig { returns(T.nilable(Dependabot::Package::ReleaseCooldownOptions)) }
+        attr_reader :cooldown_options
+
+        sig { returns(T::Array[String]) }
+        attr_reader :ignored_versions
+
+        sig { returns(T::Boolean) }
+        attr_reader :raise_on_ignored
+
+        sig { override.returns(T.nilable(Dependabot::Package::PackageDetails)) }
+        def package_details; end
+
+        sig { returns(T.nilable(T.any(Dependabot::Version, String))) }
+        def latest_release
+          release = available_release
+          return nil unless release
+
+          Dependabot.logger.info("Available release version/ref is #{release}")
+
+          release = cooldown_filter(release)
+          if release.nil?
+            Dependabot.logger.info("Returning current version/ref (no viable filtered release) #{current_version}")
+            return current_version
+          end
+
+          release
+        end
+
+        sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        def latest_version_tag
+          available_latest_version_tag
+        end
+
+        private
+
+        sig { returns(T.nilable(Dependabot::PreCommit::Package::PackageDetailsFetcher)) }
+        def package_details_fetcher
+          @package_details_fetcher ||= T.let(
+            Dependabot::PreCommit::Package::PackageDetailsFetcher
+                        .new(
+                          dependency: dependency,
+                          credentials: credentials,
+                          ignored_versions: ignored_versions,
+                          raise_on_ignored: raise_on_ignored
+                        ),
+            T.nilable(Dependabot::PreCommit::Package::PackageDetailsFetcher)
+          )
+        end
+
+        sig { returns(T.nilable(T.any(Dependabot::Version, String))) }
+        def available_release
+          @available_release = T.let(
+            T.must(package_details_fetcher).release_list_for_git_dependency,
+            T.nilable(T.any(Dependabot::Version, String))
+          )
+        end
+
+        sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+        def available_latest_version_tag
+          @latest_version_tag = T.let(
+            T.must(package_details_fetcher).latest_version_tag,
+            T.nilable(T::Hash[Symbol, T.untyped])
+          )
+        end
+
+        sig { override.returns(T::Boolean) }
+        def cooldown_enabled?
+          true
+        end
+
+        sig do
+          params(release: T.nilable(T.any(Dependabot::Version, String)))
+            .returns(T.nilable(T.any(Dependabot::Version, String)))
+        end
+        def cooldown_filter(release)
+          return release unless cooldown_enabled?
+          return release unless cooldown_options
+
+          Dependabot.logger.info("Initializing cooldown filter")
+          release_date = commit_metadata_details
+
+          unless release_date
+            Dependabot.logger.info("No release date found, skipping cooldown filtering")
+            return release
+          end
+
+          if release_in_cooldown_period?(Time.parse(release_date))
+            Dependabot.logger.info("Filtered out (cooldown) #{dependency.name}, #{release}")
+            return nil
+          end
+
+          release
+        end
+
+        sig { returns(T.nilable(String)) }
+        def commit_metadata_details
+          @commit_metadata_details ||= T.let(
+            begin
+              url = @git_helper.git_commit_checker.dependency_source_details&.fetch(:url)
+              source = T.must(Source.from_url(url))
+
+              SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
+                repo_contents_path = File.join(temp_dir, File.basename(source.repo))
+
+                SharedHelpers.run_shell_command("git clone --bare --no-recurse-submodules #{url} #{repo_contents_path}")
+                Dir.chdir(repo_contents_path) do
+                  date = SharedHelpers.run_shell_command(
+                    "git show --no-patch --format=\"%cd\" " \
+                    "--date=iso #{commit_ref}"
+                  )
+                  Dependabot.logger.info("Found release date : #{Time.parse(date)}")
+                  return date
+                end
+              end
+            rescue StandardError => e
+              Dependabot.logger.error("Error (pre_commit) while checking release date for #{dependency.name}")
+              Dependabot.logger.error(e.message)
+
+              nil
+            end,
+            T.nilable(String)
+          )
+        end
+
+        sig { params(release_date: Time).returns(T::Boolean) }
+        def release_in_cooldown_period?(release_date)
+          cooldown = @cooldown_options
+
+          return false unless T.must(cooldown).included?(dependency.name)
+
+          days = T.must(cooldown).default_days
+          passed_seconds = Time.now.to_i - release_date.to_i
+
+          Dependabot.logger.info(
+            "Days since release : #{passed_seconds / (3600 * 24)} " \
+            "(cooldown days #{T.must(cooldown_options).default_days})"
+          )
+
+          passed_seconds < days * DAY_IN_SECONDS
+        end
+
+        sig { returns(String) }
+        def commit_ref
+          T.cast(latest_version_tag&.fetch(:commit_sha), String)
+        end
+
+        sig { returns(T.nilable(T.any(Dependabot::Version, String))) }
+        def current_version
+          return dependency.source_details(allowed_types: ["git"])&.fetch(:ref) if release_type_sha?
+
+          T.let(dependency.numeric_version, T.nilable(Dependabot::Version))
+        end
+
+        sig { returns(T::Boolean) }
+        def release_type_sha?
+          available_release.is_a?(String)
+        end
+
+        sig { returns(Dependabot::PreCommit::Helpers::Githelper) }
+        def git_helper
+          Helpers::Githelper.new(
+            dependency: dependency,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            raise_on_ignored: raise_on_ignored,
+            consider_version_branches_pinned: false,
+            dependency_source_details: nil
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/pre_commit/update_checker.rb

@@ -0,0 +1,284 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/errors"
+require "dependabot/pre_commit/requirement"
+require "dependabot/pre_commit/version"
+require "dependabot/pre_commit/additional_dependency_checkers"
+require "dependabot/pre_commit/additional_dependency_checkers/node"
+require "dependabot/pre_commit/additional_dependency_checkers/python"
+require "dependabot/pre_commit/additional_dependency_checkers/ruby"
+require "dependabot/pre_commit/additional_dependency_checkers/go"
+require "dependabot/pre_commit/additional_dependency_checkers/rust"
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/update_checkers/version_filters"
+
+module Dependabot
+  module PreCommit
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      extend T::Sig
+
+      require_relative "update_checker/latest_version_finder"
+
+      sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
+      def latest_version
+        return additional_dependency_latest_version if additional_dependency?
+
+        @latest_version ||= T.let(
+          T.must(latest_version_finder).latest_release,
+          T.nilable(T.any(String, Gem::Version))
+        )
+      end
+
+      sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
+      def latest_resolvable_version
+        latest_version
+      end
+
+      sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
+      def latest_resolvable_version_with_no_unlock
+        dependency.version
+      end
+
+      sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      def updated_requirements
+        return additional_dependency_updated_requirements if additional_dependency?
+
+        dependency.requirements.map do |req|
+          source = T.cast(req[:source], T.nilable(T::Hash[Symbol, T.untyped]))
+          updated = updated_ref(source)
+          next req unless updated
+
+          current = T.cast(source&.[](:ref), T.nilable(String))
+
+          # Maintain a short git hash only if it matches the latest
+          if T.cast(req[:type], T.nilable(String)) == "git" &&
+             git_commit_checker.ref_looks_like_commit_sha?(updated) &&
+             current && git_commit_checker.ref_looks_like_commit_sha?(current) &&
+             updated.start_with?(current)
+            next req
+          end
+
+          new_source = T.must(source).merge(ref: updated)
+          req.merge(source: new_source)
+        end
+      end
+
+      private
+
+      sig { returns(T.nilable(Dependabot::PreCommit::UpdateChecker::LatestVersionFinder)) }
+      def latest_version_finder
+        @latest_version_finder ||=
+          T.let(
+            LatestVersionFinder.new(
+              dependency: dependency,
+              credentials: credentials,
+              dependency_files: dependency_files,
+              ignored_versions: ignored_versions,
+              raise_on_ignored: raise_on_ignored,
+              cooldown_options: update_cooldown
+            ),
+            T.nilable(Dependabot::PreCommit::UpdateChecker::LatestVersionFinder)
+          )
+      end
+
+      sig { override.returns(T.nilable(Dependabot::Version)) }
+      def current_version
+        return super if dependency.numeric_version
+
+        # For git dependencies, try to parse the version from the ref
+        source_details = dependency.source_details(allowed_types: ["git"])
+        return nil unless source_details
+
+        ref = T.cast(source_details.fetch(:ref, nil), T.nilable(String))
+        return nil unless ref
+
+        version_string = ref.sub(/^v/, "")
+        return nil unless version_class.correct?(version_string)
+
+        version_class.new(version_string)
+      end
+
+      sig { override.returns(T::Boolean) }
+      def latest_version_resolvable_with_full_unlock?
+        false
+      end
+
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
+      def updated_dependencies_after_full_unlock
+        raise NotImplementedError
+      end
+
+      sig { returns(T.nilable(String)) }
+      def latest_commit_for_pinned_ref
+        @latest_commit_for_pinned_ref ||= T.let(
+          begin
+            head_commit_for_ref_sha = git_commit_checker.head_commit_for_pinned_ref
+            if head_commit_for_ref_sha
+              head_commit_for_ref_sha
+            else
+              url = T.cast(git_commit_checker.dependency_source_details&.fetch(:url), T.nilable(String))
+              source = T.must(Source.from_url(T.must(url)))
+
+              SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
+                repo_contents_path = File.join(temp_dir, File.basename(source.repo))
+
+                SharedHelpers.run_shell_command("git clone --no-recurse-submodules #{url} #{repo_contents_path}")
+
+                Dir.chdir(repo_contents_path) do
+                  ref = T.cast(git_commit_checker.dependency_source_details&.fetch(:ref), T.nilable(String))
+                  ref_branch = find_container_branch(T.must(ref))
+                  git_commit_checker.head_commit_for_local_branch(ref_branch) if ref_branch
+                end
+              end
+            end
+          end,
+          T.nilable(String)
+        )
+      end
+
+      sig { params(source: T.nilable(T::Hash[Symbol, T.untyped])).returns(T.nilable(String)) }
+      def updated_ref(source)
+        return unless git_commit_checker.git_dependency?
+
+        source_git_commit_checker = git_helper.git_commit_checker_for(source)
+
+        # Return the git tag if updating a pinned version
+        if source_git_commit_checker.pinned_ref_looks_like_version? &&
+           (new_tag = T.must(latest_version_finder).latest_version_tag)
+          return T.cast(new_tag.fetch(:tag), String)
+        end
+
+        # Return the pinned git commit if one is available
+        if source_git_commit_checker.pinned_ref_looks_like_commit_sha? &&
+           (new_commit_sha = latest_commit_sha)
+          return new_commit_sha
+        end
+
+        nil
+      end
+
+      sig { returns(T.nilable(String)) }
+      def latest_commit_sha
+        new_tag = T.must(latest_version_finder).latest_version_tag
+
+        if new_tag
+          return T.cast(new_tag.fetch(:commit_sha), String) if git_commit_checker.local_tag_for_pinned_sha
+
+          return latest_commit_for_pinned_ref
+
+        end
+
+        # If there's no tag but we have a latest_version (commit SHA), use it
+        latest_ver = latest_version
+        return latest_ver if latest_ver.is_a?(String)
+
+        nil
+      end
+
+      sig { returns(Dependabot::GitCommitChecker) }
+      def git_commit_checker
+        @git_commit_checker ||= T.let(git_helper.git_commit_checker, T.nilable(Dependabot::GitCommitChecker))
+      end
+
+      sig { returns(Dependabot::PreCommit::Helpers::Githelper) }
+      def git_helper
+        Helpers::Githelper.new(
+          dependency: dependency,
+          credentials: credentials,
+          ignored_versions: ignored_versions,
+          raise_on_ignored: raise_on_ignored,
+          consider_version_branches_pinned: false,
+          dependency_source_details: nil
+        )
+      end
+
+      sig { params(sha: String).returns(T.nilable(String)) }
+      def find_container_branch(sha)
+        branches_including_ref = SharedHelpers.run_shell_command(
+          "git branch --remotes --contains #{sha}",
+          fingerprint: "git branch --remotes --contains <sha>"
+        ).split("\n").map { |branch| branch.strip.gsub("origin/", "") }
+        return if branches_including_ref.empty?
+
+        current_branch = branches_including_ref.find { |branch| branch.start_with?("HEAD -> ") }
+
+        if current_branch
+          current_branch.delete_prefix("HEAD -> ")
+        elsif branches_including_ref.size > 1
+          raise "Multiple ambiguous branches (#{branches_including_ref.join(', ')}) include #{sha}!"
+        else
+          branches_including_ref.first
+        end
+      end
+
+      # Additional dependency support methods
+
+      sig { returns(T::Boolean) }
+      def additional_dependency?
+        requirement = dependency.requirements.first
+        return false unless requirement
+
+        source = T.cast(requirement[:source], T.nilable(T::Hash[Symbol, T.untyped]))
+        return false unless source
+
+        T.cast(source[:type], T.nilable(String)) == "additional_dependency"
+      end
+
+      sig { returns(T.nilable(T.any(String, Gem::Version))) }
+      def additional_dependency_latest_version
+        source = T.cast(dependency.requirements.first&.dig(:source), T::Hash[Symbol, T.untyped])
+        language = T.cast(source[:language], T.nilable(String))
+        return nil unless language && AdditionalDependencyCheckers.supported?(language)
+
+        checker = additional_dependency_checker(language, source)
+        return nil unless checker
+
+        latest = checker.latest_version
+        Dependabot.logger.info("Latest version for #{dependency.name}: #{latest || 'none'}")
+
+        latest
+      end
+
+      sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      def additional_dependency_updated_requirements
+        source = T.cast(dependency.requirements.first&.dig(:source), T::Hash[Symbol, T.untyped])
+        language = T.cast(source[:language], T.nilable(String))
+        return dependency.requirements unless language && AdditionalDependencyCheckers.supported?(language)
+
+        checker = additional_dependency_checker(language, source)
+        return dependency.requirements unless checker
+
+        latest = checker.latest_version
+        return dependency.requirements unless latest
+
+        checker.updated_requirements(latest)
+      end
+
+      sig do
+        params(
+          language: String,
+          source: T::Hash[Symbol, T.untyped]
+        ).returns(T.nilable(Dependabot::PreCommit::AdditionalDependencyCheckers::Base))
+      end
+      def additional_dependency_checker(language, source)
+        checker_class = AdditionalDependencyCheckers.for_language(language)
+        checker_class.new(
+          source: source,
+          credentials: credentials,
+          requirements: dependency.requirements,
+          current_version: dependency.version
+        )
+      rescue StandardError => e
+        Dependabot.logger.error("Error creating checker for #{language}: #{e.message}")
+        nil
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers
+  .register("pre_commit", Dependabot::PreCommit::UpdateChecker)

data/lib/dependabot/pre_commit/version.rb

@@ -0,0 +1,15 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "dependabot/version"
+require "dependabot/utils"
+
+module Dependabot
+  module PreCommit
+    class Version < Dependabot::Version
+    end
+  end
+end
+
+Dependabot::Utils
+  .register_version_class("pre_commit", Dependabot::PreCommit::Version)

data/lib/dependabot/pre_commit.rb

@@ -0,0 +1,20 @@
+# typed: strong
+# frozen_string_literal: true
+
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/pre_commit/file_fetcher"
+require "dependabot/pre_commit/file_parser"
+require "dependabot/pre_commit/update_checker"
+require "dependabot/pre_commit/file_updater"
+require "dependabot/pre_commit/metadata_finder"
+require "dependabot/pre_commit/version"
+require "dependabot/pre_commit/requirement"
+require "dependabot/pre_commit/helpers"
+
+require "dependabot/pull_request_creator/labeler"
+Dependabot::PullRequestCreator::Labeler
+  .register_label_details("pre_commit", name: "pre_commit", colour: "000000")
+
+require "dependabot/dependency"
+Dependabot::Dependency.register_production_check("pre_commit", ->(_) { true })