dependabot-pre_commit 0.380.0 → 0.381.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 8e78048cc01b6cc8337b84479eb4406150f0755fccf0903e49dcbc99a5edd4ea
4
- data.tar.gz: a8e05e70a8b9e6897d2d2282d6505eb3829a605c8b7a3398121a3481fed22257
3
+ metadata.gz: e64c71828ad34a8263811c40fdc4a53baea00bf66ceca5db1d2ed574509a62f6
4
+ data.tar.gz: 1522f423eefdadde7efffb1af67085a3f6a9c5347f9ad448715f0167aee2b38b
5
5
  SHA512:
6
- metadata.gz: 7bfd3900fac1e250950fc46e60af6297b585cb9e29ed7ca5d440d259caf6082c988cc9523b1bcc5fa158996e3f8b567a16ecc4318dfc05e15bd10816d14f3a49
7
- data.tar.gz: 0bf8f5fa2372328cec0bd516d5d59bff609da33a93dcb4b42f83428af191d46e461928313cca184bd029c03319a571f1c6306a793c0726e0cf286c4219bdb68b
6
+ metadata.gz: 13e0fb5a747300e2a350e5c9a79e66d6c01e2099ffa76e100d21544eba6d49bf0d9fbe8091e1b2acaddec720cea1d433c396ef41e4145a847b8d9afd7cf977ea
7
+ data.tar.gz: 589edbfcfad8e6f7755e718c01a886557f219ac5a6392590a6cabee20f669fe64d457a451351f77c71598b18b47218d2793f5f96d05268fdc913cbc6a44f0e6f
@@ -3,6 +3,7 @@
3
3
 
4
4
  require "sorbet-runtime"
5
5
  require "dependabot/errors"
6
+ require "dependabot/pre_commit/comment_version_helper"
6
7
  require "dependabot/pre_commit/file_parser"
7
8
  require "dependabot/pre_commit/package/package_details_fetcher"
8
9
  require "dependabot/pre_commit/requirement"
@@ -225,7 +226,14 @@ module Dependabot
225
226
  # This ensures we evaluate from the newest candidate downward.
226
227
  sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
227
228
  def version_candidates_descending
228
- all_tags = @git_helper.git_commit_checker.local_tags_for_allowed_versions_matching_existing_precision
229
+ # When pinned to a SHA, precision matching against the SHA is meaningless
230
+ # (a SHA has no dots, so precision=1 matches nothing useful).
231
+ # Use the unfiltered allowed version tags instead.
232
+ all_tags = if sha_pinned_with_version_comment?
233
+ @git_helper.git_commit_checker.local_tags_for_allowed_versions
234
+ else
235
+ @git_helper.git_commit_checker.local_tags_for_allowed_versions_matching_existing_precision
236
+ end
229
237
  cur_version = current_version
230
238
 
231
239
  all_tags
@@ -260,7 +268,7 @@ module Dependabot
260
268
  return nil unless version_str
261
269
 
262
270
  stripped = version_str.sub(/\Av/i, "")
263
- return nil unless Dependabot::PreCommit::Version.correct?(stripped)
271
+ return version_from_frozen_comment unless Dependabot::PreCommit::Version.correct?(stripped)
264
272
 
265
273
  Dependabot::PreCommit::Version.new(stripped)
266
274
  end
@@ -270,6 +278,35 @@ module Dependabot
270
278
  available_release.is_a?(String)
271
279
  end
272
280
 
281
+ # Returns true when the dependency's stored ref isn't a semantic version (e.g., a commit SHA)
282
+ # but a frozen version comment (e.g. "# frozen: v5.0.0") provides a semantic
283
+ # version we can use for version ordering and tag selection.
284
+ sig { returns(T::Boolean) }
285
+ def sha_pinned_with_version_comment?
286
+ return false if release_type_sha?
287
+
288
+ version_str = dependency.version
289
+ return false unless version_str
290
+
291
+ !Dependabot::PreCommit::Version.correct?(version_str) && !version_from_frozen_comment.nil?
292
+ end
293
+
294
+ # Extracts the semantic version from a frozen comment (e.g. "# frozen: v5.0.0")
295
+ # when the dependency's stored version is a commit SHA.
296
+ sig { returns(T.nilable(Dependabot::Version)) }
297
+ def version_from_frozen_comment
298
+ comment = dependency.requirements.first&.dig(:metadata, :comment)
299
+ return nil unless comment
300
+
301
+ match = comment.match(CommentVersionHelper::FROZEN_COMMENT_REF_PATTERN)
302
+ return nil unless match
303
+
304
+ version_str = match[1].sub(/\Av/i, "")
305
+ return nil unless Dependabot::PreCommit::Version.correct?(version_str)
306
+
307
+ Dependabot::PreCommit::Version.new(version_str)
308
+ end
309
+
273
310
  sig { returns(Dependabot::PreCommit::Helpers::Githelper) }
274
311
  def git_helper
275
312
  Helpers::Githelper.new(
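Review bot: `version_from_frozen_comment` takes the `# frozen: vX.Y.Z` comment at face value — the version it yields becomes `current_version` and selects the tag set in `version_candidates_descending`, yet nothing checks that the pinned SHA is actually the commit the named tag points at, so a stale or deliberately wrong comment (repo-authored text) mis-states the current version and can hide or mis-order updates for that hook. Since the tags are already fetched locally via `git_commit_checker`, consider comparing the pinned SHA with the commit the comment's tag resolves to and returning `nil` on mismatch; until that exists, state the trust boundary above the method with `# NOTE: the frozen comment is repo-authored and is not verified against the pinned SHA; a wrong comment mis-states the current version.` Separately, `sha_pinned_with_version_comment?` calls `Version.correct?(version_str)` on the raw ref while `current_version` strips a leading `v` first; if `correct?` rejects a `v` prefix, a plain `rev: v5.0.0` that also carries a frozen comment would be treated as SHA-pinned — use `correct?(version_str.sub(/\Av/i, ""))` so the two predicates agree. `current_version` starts before its hunk and `version_candidates_descending` continues past the end of its hunk, so the surrounding logic could not be checked here.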
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-pre_commit
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.380.0
4
+ version: 0.381.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -15,84 +15,84 @@ dependencies:
15
15
  requirements:
16
16
  - - '='
17
17
  - !ruby/object:Gem::Version
18
- version: 0.380.0
18
+ version: 0.381.0
19
19
  type: :runtime
20
20
  prerelease: false
21
21
  version_requirements: !ruby/object:Gem::Requirement
22
22
  requirements:
23
23
  - - '='
24
24
  - !ruby/object:Gem::Version
25
- version: 0.380.0
25
+ version: 0.381.0
26
26
  - !ruby/object:Gem::Dependency
27
27
  name: dependabot-cargo
28
28
  requirement: !ruby/object:Gem::Requirement
29
29
  requirements:
30
30
  - - '='
31
31
  - !ruby/object:Gem::Version
32
- version: 0.380.0
32
+ version: 0.381.0
33
33
  type: :runtime
34
34
  prerelease: false
35
35
  version_requirements: !ruby/object:Gem::Requirement
36
36
  requirements:
37
37
  - - '='
38
38
  - !ruby/object:Gem::Version
39
- version: 0.380.0
39
+ version: 0.381.0
40
40
  - !ruby/object:Gem::Dependency
41
41
  name: dependabot-common
42
42
  requirement: !ruby/object:Gem::Requirement
43
43
  requirements:
44
44
  - - '='
45
45
  - !ruby/object:Gem::Version
46
- version: 0.380.0
46
+ version: 0.381.0
47
47
  type: :runtime
48
48
  prerelease: false
49
49
  version_requirements: !ruby/object:Gem::Requirement
50
50
  requirements:
51
51
  - - '='
52
52
  - !ruby/object:Gem::Version
53
- version: 0.380.0
53
+ version: 0.381.0
54
54
  - !ruby/object:Gem::Dependency
55
55
  name: dependabot-go_modules
56
56
  requirement: !ruby/object:Gem::Requirement
57
57
  requirements:
58
58
  - - '='
59
59
  - !ruby/object:Gem::Version
60
- version: 0.380.0
60
+ version: 0.381.0
61
61
  type: :runtime
62
62
  prerelease: false
63
63
  version_requirements: !ruby/object:Gem::Requirement
64
64
  requirements:
65
65
  - - '='
66
66
  - !ruby/object:Gem::Version
67
- version: 0.380.0
67
+ version: 0.381.0
68
68
  - !ruby/object:Gem::Dependency
69
69
  name: dependabot-npm_and_yarn
70
70
  requirement: !ruby/object:Gem::Requirement
71
71
  requirements:
72
72
  - - '='
73
73
  - !ruby/object:Gem::Version
74
- version: 0.380.0
74
+ version: 0.381.0
75
75
  type: :runtime
76
76
  prerelease: false
77
77
  version_requirements: !ruby/object:Gem::Requirement
78
78
  requirements:
79
79
  - - '='
80
80
  - !ruby/object:Gem::Version
81
- version: 0.380.0
81
+ version: 0.381.0
82
82
  - !ruby/object:Gem::Dependency
83
83
  name: dependabot-python
84
84
  requirement: !ruby/object:Gem::Requirement
85
85
  requirements:
86
86
  - - '='
87
87
  - !ruby/object:Gem::Version
88
- version: 0.380.0
88
+ version: 0.381.0
89
89
  type: :runtime
90
90
  prerelease: false
91
91
  version_requirements: !ruby/object:Gem::Requirement
92
92
  requirements:
93
93
  - - '='
94
94
  - !ruby/object:Gem::Version
95
- version: 0.380.0
95
+ version: 0.381.0
96
96
  - !ruby/object:Gem::Dependency
97
97
  name: debug
98
98
  requirement: !ruby/object:Gem::Requirement
@@ -338,7 +338,7 @@ licenses:
338
338
  - MIT
339
339
  metadata:
340
340
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
341
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.380.0
341
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.381.0
342
342
  rdoc_options: []
343
343
  require_paths:
344
344
  - lib