dependabot-pre_commit 0.381.0 → 0.383.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: db90dd134e2c56d73c6d1704648f7e53078225fb55c72e658e2c4e0153737bfc
|
|
4
|
+
data.tar.gz: 59fb6fe620e22cdf60ae7a725a89c08bb81be1872c747855b2b2f975b982dd0f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f68683ecba1916a93cd1646ae9d2dce7376eb216ec4df03218bf674c898503bcc76eb94fd5b4f75efb97f252fdf35282dac91584d9e39328238951dc5255225f
|
|
7
|
+
data.tar.gz: 8c4b2f0cc14473646bb6d210f9410a4da060be712308e250542bf19f344a57795114ef276a1dca9f4a522b7bac2f36048c9fff24c31702ffea23b3bef79b0767
|
|
@@ -3,6 +3,7 @@
|
|
|
3
3
|
|
|
4
4
|
require "sorbet-runtime"
|
|
5
5
|
require "dependabot/dependency"
|
|
6
|
+
require "dependabot/dependency_requirement"
|
|
6
7
|
require "dependabot/update_checkers"
|
|
7
8
|
require "dependabot/requirements_update_strategy"
|
|
8
9
|
require "dependabot/python/update_checker/requirements_updater"
|
|
@@ -165,12 +166,14 @@ module Dependabot
|
|
|
165
166
|
return ">=#{new_version}" unless original_requirement
|
|
166
167
|
|
|
167
168
|
updater = Dependabot::Python::UpdateChecker::RequirementsUpdater.new(
|
|
168
|
-
requirements: [
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
169
|
+
requirements: [Dependabot::DependencyRequirement.create(
|
|
170
|
+
{
|
|
171
|
+
requirement: original_requirement,
|
|
172
|
+
file: "requirements.txt",
|
|
173
|
+
groups: [],
|
|
174
|
+
source: nil
|
|
175
|
+
}
|
|
176
|
+
)],
|
|
174
177
|
update_strategy: Dependabot::RequirementsUpdateStrategy::BumpVersions,
|
|
175
178
|
has_lockfile: false,
|
|
176
179
|
latest_resolvable_version: new_version
|
|
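Review bot: The `file: "requirements.txt"`, `groups: []` and `source: nil` values handed to `Dependabot::DependencyRequirement.create` are synthetic — a pre-commit config has no requirements.txt — yet nothing in the hunk says they exist only to give RequirementsUpdater an input of the expected shape. A comment above the `requirements:` line such as `# Synthetic requirement: only the requirement string is meaningful here; file/groups/source are placeholders for RequirementsUpdater` would keep a reader from treating the file name as real, assuming the updater indeed ignores those fields. The enclosing method starts before this hunk.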
@@ -2,7 +2,9 @@
|
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "sorbet-runtime"
|
|
5
|
+
require "dependabot/clients/github_with_retries"
|
|
5
6
|
require "dependabot/errors"
|
|
7
|
+
require "dependabot/git_cooldown_date_resolver"
|
|
6
8
|
require "dependabot/pre_commit/comment_version_helper"
|
|
7
9
|
require "dependabot/pre_commit/file_parser"
|
|
8
10
|
require "dependabot/pre_commit/package/package_details_fetcher"
|
|
@@ -19,6 +21,7 @@ module Dependabot
|
|
|
19
21
|
class UpdateChecker
|
|
20
22
|
class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
|
|
21
23
|
extend T::Sig
|
|
24
|
+
include Dependabot::GitCooldownDateResolver
|
|
22
25
|
|
|
23
26
|
sig do
|
|
24
27
|
params(
|
|
@@ -48,6 +51,7 @@ module Dependabot
|
|
|
48
51
|
@options = options
|
|
49
52
|
@cooldown_options = cooldown_options
|
|
50
53
|
@cooldown_selected_tag = T.let(nil, T.nilable(T::Hash[Symbol, T.untyped]))
|
|
54
|
+
@cooldown_rejected_all = T.let(false, T::Boolean)
|
|
51
55
|
|
|
52
56
|
@git_helper = T.let(git_helper, Dependabot::PreCommit::Helpers::Githelper)
|
|
53
57
|
super(
|
|
@@ -92,9 +96,21 @@ module Dependabot
|
|
|
92
96
|
|
|
93
97
|
sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
|
|
94
98
|
def latest_version_tag
|
|
99
|
+
return nil if @cooldown_rejected_all
|
|
100
|
+
|
|
95
101
|
@cooldown_selected_tag || available_latest_version_tag
|
|
96
102
|
end
|
|
97
103
|
|
|
104
|
+
sig { override.returns(T.nilable(String)) }
|
|
105
|
+
def cooldown_source_url
|
|
106
|
+
@git_helper.git_commit_checker.dependency_source_details&.fetch(:url)
|
|
107
|
+
end
|
|
108
|
+
|
|
109
|
+
sig { override.returns(T::Array[Dependabot::Credential]) }
|
|
110
|
+
def cooldown_credentials
|
|
111
|
+
@credentials
|
|
112
|
+
end
|
|
113
|
+
|
|
98
114
|
private
|
|
99
115
|
|
|
100
116
|
sig do
|
|
@@ -113,6 +129,7 @@ module Dependabot
|
|
|
113
129
|
return result if result
|
|
114
130
|
|
|
115
131
|
Dependabot.logger.info("All candidate versions are in cooldown, keeping current version #{current_version}")
|
|
132
|
+
@cooldown_rejected_all = true
|
|
116
133
|
current_version
|
|
117
134
|
end
|
|
118
135
|
|
|
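Review bot: `@cooldown_rejected_all = true` is set whenever `result` is nil, but if `result` comes from `find_latest_version_outside_cooldown` (as the log text suggests) nil is also what that method returns from its `rescue StandardError` branch and when there are no candidates, so a GitHub API or clone failure is logged as "All candidate versions are in cooldown" and then makes `latest_version_tag` return nil. Failing closed is a defensible choice for a cooldown, but the message misattributes the cause and the flag hides the failure from the rest of the checker. At minimum add `# Also reached when cooldown resolution raised (rescued in find_latest_version_outside_cooldown): fail closed and keep the current version` above the assignment; better, have the error path return a distinct value so this branch can log the real reason. The enclosing method starts before this hunk.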
@@ -151,15 +168,81 @@ module Dependabot
|
|
|
151
168
|
true
|
|
152
169
|
end
|
|
153
170
|
|
|
154
|
-
# Checks versions from latest downward (among versions > current_version)
|
|
155
|
-
#
|
|
156
|
-
#
|
|
171
|
+
# Checks versions from latest downward (among versions > current_version).
|
|
172
|
+
# First attempts to use GitHub Release published_at dates (no clone needed).
|
|
173
|
+
# Falls back to a bare clone for git-based date detection.
|
|
157
174
|
sig { returns(T.nilable(Dependabot::Version)) }
|
|
158
175
|
def find_latest_version_outside_cooldown
|
|
159
176
|
candidates = version_candidates_descending
|
|
160
177
|
return nil if candidates.empty?
|
|
161
178
|
|
|
162
|
-
|
|
179
|
+
# Try GitHub Release dates first (avoids clone)
|
|
180
|
+
result = check_candidates_via_github_releases(candidates)
|
|
181
|
+
return result if result
|
|
182
|
+
|
|
183
|
+
# Fallback: clone and check tag/commit dates
|
|
184
|
+
check_candidates_via_git_clone(candidates)
|
|
185
|
+
rescue StandardError => e
|
|
186
|
+
Dependabot.logger.error("Error checking cooldown for #{dependency.name}: #{e.message}")
|
|
187
|
+
nil
|
|
188
|
+
end
|
|
189
|
+
|
|
190
|
+
# Attempts to resolve cooldown using GitHub Release published_at dates.
|
|
191
|
+
# Returns:
|
|
192
|
+
# - A version outside cooldown (first eligible candidate)
|
|
193
|
+
# - current_version when ALL candidates have releases and all are in cooldown
|
|
194
|
+
# - nil when no releases exist or some candidates lack releases (triggers git fallback)
|
|
195
|
+
sig do
|
|
196
|
+
params(candidates: T::Array[T::Hash[Symbol, T.untyped]])
|
|
197
|
+
.returns(T.nilable(Dependabot::Version))
|
|
198
|
+
end
|
|
199
|
+
def check_candidates_via_github_releases(candidates)
|
|
200
|
+
releases = cached_github_releases
|
|
201
|
+
return nil if releases.empty?
|
|
202
|
+
|
|
203
|
+
filtered_count = 0
|
|
204
|
+
all_have_releases = T.let(true, T::Boolean)
|
|
205
|
+
|
|
206
|
+
candidates.each do |tag|
|
|
207
|
+
tag_name = normalize_tag_name(tag[:tag] || "v#{tag[:version]}")
|
|
208
|
+
release = releases.find { |r| r.tag_name == tag_name }
|
|
209
|
+
|
|
210
|
+
unless release&.published_at
|
|
211
|
+
all_have_releases = false
|
|
212
|
+
next
|
|
213
|
+
end
|
|
214
|
+
|
|
215
|
+
unless release_in_cooldown_period?(release.published_at)
|
|
216
|
+
log_cooldown_result(filtered_count, tag[:version], release.published_at)
|
|
217
|
+
@cooldown_selected_tag = tag
|
|
218
|
+
return T.cast(tag[:version], Dependabot::Version)
|
|
219
|
+
end
|
|
220
|
+
|
|
221
|
+
filtered_count += 1
|
|
222
|
+
end
|
|
223
|
+
|
|
224
|
+
return nil if filtered_count.zero?
|
|
225
|
+
|
|
226
|
+
# Some candidates lacked releases — fall back to git clone for those
|
|
227
|
+
return nil unless all_have_releases
|
|
228
|
+
|
|
229
|
+
# Every candidate had a release and all were in cooldown
|
|
230
|
+
Dependabot.logger.info(
|
|
231
|
+
"Filtered #{filtered_count} version(s) due to cooldown for #{dependency.name}, " \
|
|
232
|
+
"no eligible version found (via GitHub Releases)"
|
|
233
|
+
)
|
|
234
|
+
@cooldown_rejected_all = true
|
|
235
|
+
T.cast(current_version, T.nilable(Dependabot::Version))
|
|
236
|
+
end
|
|
237
|
+
|
|
238
|
+
# Checks candidate tags inside a bare clone directory, returning the first
|
|
239
|
+
# version whose tag creation date falls outside the cooldown window.
|
|
240
|
+
sig do
|
|
241
|
+
params(candidates: T::Array[T::Hash[Symbol, T.untyped]])
|
|
242
|
+
.returns(T.nilable(Dependabot::Version))
|
|
243
|
+
end
|
|
244
|
+
def check_candidates_via_git_clone(candidates)
|
|
245
|
+
url = cooldown_source_url
|
|
163
246
|
source = T.must(Source.from_url(url))
|
|
164
247
|
|
|
165
248
|
SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
|
|
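Review bot: In `check_candidates_via_github_releases` a candidate with no GitHub Release is skipped with `next`, but the loop keeps scanning older candidates and returns the first release-backed one outside cooldown, so when only the newest candidate lacks a release an older version is selected even though the git fallback might have accepted the newer one, and the header comment's claim that missing releases "trigger git fallback" holds only when no later candidate is eligible. Since `check_candidates_cooldown` (per its updated comment) already handles both release dates and tag dates, the safe fix is to bail at the first gap: replace the `unless release&.published_at … next … end` block with `return nil unless release&.published_at` and drop `all_have_releases` together with its later `return nil unless all_have_releases` check. Separately, `releases.find { |r| r.tag_name == tag_name }` is a linear scan per candidate; `by_tag = releases.to_h { |r| [r.tag_name, r] }` built once before the loop gives the same lookup in constant time. The expression `normalize_tag_name(tag[:tag] || "v#{tag[:version]}")` is repeated verbatim in the `check_candidates_cooldown` hunk below; a private `candidate_tag_name(tag)` helper would keep the two in step.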
@@ -170,13 +253,12 @@ module Dependabot
|
|
|
170
253
|
return check_candidates_cooldown(candidates)
|
|
171
254
|
end
|
|
172
255
|
end
|
|
173
|
-
rescue StandardError => e
|
|
174
|
-
Dependabot.logger.error("Error checking cooldown for #{dependency.name}: #{e.message}")
|
|
175
|
-
nil
|
|
176
256
|
end
|
|
177
257
|
|
|
178
258
|
# Iterates candidate tags inside a bare clone directory, returning the first
|
|
179
259
|
# version whose release date falls outside the cooldown window.
|
|
260
|
+
# Prefers GitHub Release published_at when available for a candidate,
|
|
261
|
+
# falling back to tag creation date from the cloned repo.
|
|
180
262
|
sig do
|
|
181
263
|
params(candidates: T::Array[T::Hash[Symbol, T.untyped]])
|
|
182
264
|
.returns(T.nilable(Dependabot::Version))
|
|
@@ -188,11 +270,8 @@ module Dependabot
|
|
|
188
270
|
commit_sha = tag[:commit_sha]
|
|
189
271
|
next unless commit_sha
|
|
190
272
|
|
|
191
|
-
|
|
192
|
-
|
|
193
|
-
fingerprint: "git show --no-patch --format=\"%cd\" --date=iso <commit_sha>"
|
|
194
|
-
)
|
|
195
|
-
release_date = Time.parse(date_str)
|
|
273
|
+
tag_name = normalize_tag_name(tag[:tag] || "v#{tag[:version]}")
|
|
274
|
+
release_date = resolve_candidate_date(tag_name, commit_sha)
|
|
196
275
|
|
|
197
276
|
if release_in_cooldown_period?(release_date)
|
|
198
277
|
filtered_count += 1
|
|
@@ -45,11 +45,11 @@ module Dependabot
|
|
|
45
45
|
dependency.version
|
|
46
46
|
end
|
|
47
47
|
|
|
48
|
-
sig { override.returns(T::Array[
|
|
48
|
+
sig { override.returns(T::Array[Dependabot::DependencyRequirement]) }
|
|
49
49
|
def updated_requirements
|
|
50
|
-
return additional_dependency_updated_requirements if additional_dependency?
|
|
50
|
+
return wrap_requirements(additional_dependency_updated_requirements) if additional_dependency?
|
|
51
51
|
|
|
52
|
-
dependency.requirements.map do |req|
|
|
52
|
+
updated_reqs = dependency.requirements.map do |req|
|
|
53
53
|
source = T.cast(req[:source], T.nilable(T::Hash[Symbol, T.untyped]))
|
|
54
54
|
updated = updated_ref(source)
|
|
55
55
|
next req unless updated
|
|
@@ -68,6 +68,7 @@ module Dependabot
|
|
|
68
68
|
new_metadata = updated_comment_version_metadata(req, updated)
|
|
69
69
|
req.merge(source: new_source, metadata: new_metadata)
|
|
70
70
|
end
|
|
71
|
+
wrap_requirements(updated_reqs)
|
|
71
72
|
end
|
|
72
73
|
|
|
73
74
|
private
|
|
@@ -113,10 +114,18 @@ module Dependabot
|
|
|
113
114
|
frozen_ver = version_from_comment
|
|
114
115
|
return super unless frozen_ver
|
|
115
116
|
|
|
117
|
+
# Use latest_version (which respects cooldown) for semantic comparison.
|
|
118
|
+
# This ensures that when cooldown rejects all candidates, the dependency
|
|
119
|
+
# is correctly treated as up-to-date.
|
|
120
|
+
lv = latest_version
|
|
121
|
+
return true if lv.is_a?(Dependabot::Version) && lv <= frozen_ver
|
|
122
|
+
|
|
116
123
|
resolved_sha = latest_commit_sha
|
|
117
|
-
|
|
124
|
+
# If no SHA can be resolved (e.g., all candidate versions rejected by cooldown),
|
|
125
|
+
# there is nothing to update to — treat as up-to-date.
|
|
126
|
+
return true unless resolved_sha
|
|
118
127
|
|
|
119
|
-
|
|
128
|
+
resolved_sha == dependency.version
|
|
120
129
|
end
|
|
121
130
|
|
|
122
131
|
sig { override.returns(T::Boolean) }
|
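Review bot: `return true unless resolved_sha` reports the dependency as up-to-date whenever `latest_commit_sha` yields nil, and the comment attributes that only to cooldown; if `latest_commit_sha` can also return nil on a failed lookup (not visible here), those failures now suppress updates with no log line at all, unlike the cooldown path, which logs before setting `@cooldown_rejected_all`. Adding `Dependabot.logger.info("No resolvable SHA for #{dependency.name}; treating as up-to-date")` before the return keeps suppressed updates observable. The `lv.is_a?(Dependabot::Version)` guard presumably exists because `latest_version` may return a commit SHA string for ref-pinned hooks; a short comment saying so would stop the next reader from replacing it with a bare `<=`. The enclosing method starts before this hunk.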
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-pre_commit
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.383.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -15,84 +15,84 @@ dependencies:
|
|
|
15
15
|
requirements:
|
|
16
16
|
- - '='
|
|
17
17
|
- !ruby/object:Gem::Version
|
|
18
|
-
version: 0.
|
|
18
|
+
version: 0.383.0
|
|
19
19
|
type: :runtime
|
|
20
20
|
prerelease: false
|
|
21
21
|
version_requirements: !ruby/object:Gem::Requirement
|
|
22
22
|
requirements:
|
|
23
23
|
- - '='
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
|
-
version: 0.
|
|
25
|
+
version: 0.383.0
|
|
26
26
|
- !ruby/object:Gem::Dependency
|
|
27
27
|
name: dependabot-cargo
|
|
28
28
|
requirement: !ruby/object:Gem::Requirement
|
|
29
29
|
requirements:
|
|
30
30
|
- - '='
|
|
31
31
|
- !ruby/object:Gem::Version
|
|
32
|
-
version: 0.
|
|
32
|
+
version: 0.383.0
|
|
33
33
|
type: :runtime
|
|
34
34
|
prerelease: false
|
|
35
35
|
version_requirements: !ruby/object:Gem::Requirement
|
|
36
36
|
requirements:
|
|
37
37
|
- - '='
|
|
38
38
|
- !ruby/object:Gem::Version
|
|
39
|
-
version: 0.
|
|
39
|
+
version: 0.383.0
|
|
40
40
|
- !ruby/object:Gem::Dependency
|
|
41
41
|
name: dependabot-common
|
|
42
42
|
requirement: !ruby/object:Gem::Requirement
|
|
43
43
|
requirements:
|
|
44
44
|
- - '='
|
|
45
45
|
- !ruby/object:Gem::Version
|
|
46
|
-
version: 0.
|
|
46
|
+
version: 0.383.0
|
|
47
47
|
type: :runtime
|
|
48
48
|
prerelease: false
|
|
49
49
|
version_requirements: !ruby/object:Gem::Requirement
|
|
50
50
|
requirements:
|
|
51
51
|
- - '='
|
|
52
52
|
- !ruby/object:Gem::Version
|
|
53
|
-
version: 0.
|
|
53
|
+
version: 0.383.0
|
|
54
54
|
- !ruby/object:Gem::Dependency
|
|
55
55
|
name: dependabot-go_modules
|
|
56
56
|
requirement: !ruby/object:Gem::Requirement
|
|
57
57
|
requirements:
|
|
58
58
|
- - '='
|
|
59
59
|
- !ruby/object:Gem::Version
|
|
60
|
-
version: 0.
|
|
60
|
+
version: 0.383.0
|
|
61
61
|
type: :runtime
|
|
62
62
|
prerelease: false
|
|
63
63
|
version_requirements: !ruby/object:Gem::Requirement
|
|
64
64
|
requirements:
|
|
65
65
|
- - '='
|
|
66
66
|
- !ruby/object:Gem::Version
|
|
67
|
-
version: 0.
|
|
67
|
+
version: 0.383.0
|
|
68
68
|
- !ruby/object:Gem::Dependency
|
|
69
69
|
name: dependabot-npm_and_yarn
|
|
70
70
|
requirement: !ruby/object:Gem::Requirement
|
|
71
71
|
requirements:
|
|
72
72
|
- - '='
|
|
73
73
|
- !ruby/object:Gem::Version
|
|
74
|
-
version: 0.
|
|
74
|
+
version: 0.383.0
|
|
75
75
|
type: :runtime
|
|
76
76
|
prerelease: false
|
|
77
77
|
version_requirements: !ruby/object:Gem::Requirement
|
|
78
78
|
requirements:
|
|
79
79
|
- - '='
|
|
80
80
|
- !ruby/object:Gem::Version
|
|
81
|
-
version: 0.
|
|
81
|
+
version: 0.383.0
|
|
82
82
|
- !ruby/object:Gem::Dependency
|
|
83
83
|
name: dependabot-python
|
|
84
84
|
requirement: !ruby/object:Gem::Requirement
|
|
85
85
|
requirements:
|
|
86
86
|
- - '='
|
|
87
87
|
- !ruby/object:Gem::Version
|
|
88
|
-
version: 0.
|
|
88
|
+
version: 0.383.0
|
|
89
89
|
type: :runtime
|
|
90
90
|
prerelease: false
|
|
91
91
|
version_requirements: !ruby/object:Gem::Requirement
|
|
92
92
|
requirements:
|
|
93
93
|
- - '='
|
|
94
94
|
- !ruby/object:Gem::Version
|
|
95
|
-
version: 0.
|
|
95
|
+
version: 0.383.0
|
|
96
96
|
- !ruby/object:Gem::Dependency
|
|
97
97
|
name: debug
|
|
98
98
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -338,7 +338,7 @@ licenses:
|
|
|
338
338
|
- MIT
|
|
339
339
|
metadata:
|
|
340
340
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
341
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
341
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.383.0
|
|
342
342
|
rdoc_options: []
|
|
343
343
|
require_paths:
|
|
344
344
|
- lib
|