dependabot-pre_commit 0.385.0 → 0.387.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 03bc6af6648e9b7de6aaa99e65db23be65615658a8756d1508e139b9541d774f
4
- data.tar.gz: 59fb6fe620e22cdf60ae7a725a89c08bb81be1872c747855b2b2f975b982dd0f
3
+ metadata.gz: a2cfb0b6385ba550ad4b96e0f8a67066b88d6b0eeeca6c6bdb8326e416e759b3
4
+ data.tar.gz: d2cf43e22ab7b7e792949243c8ad026c5978e518c31ea9afe0674b03dc699fe5
5
5
  SHA512:
6
- metadata.gz: e47764192a3d912d269c9e82e103a930edd7537f0f9a0948da2efd2b152bdda9ed50f3b3a123900fc6e1663987480bf4ab43c9ebd4a1359db0eeabc380c558f0
7
- data.tar.gz: 8c4b2f0cc14473646bb6d210f9410a4da060be712308e250542bf19f344a57795114ef276a1dca9f4a522b7bac2f36048c9fff24c31702ffea23b3bef79b0767
6
+ metadata.gz: 2ba7d16160da8e821a5b50c277173329e788e09180fc32c4a64d0b2f8c40c454eb4d87b59af578b02d98588979918497b7b0414a5617b71054e98f3c312adfdf
7
+ data.tar.gz: bf2094a249ae2611c42058f176dab2ae835845417016ceb54542b92c7df3bd985af2353350c61ebc883c6f7f7edc1563feee2f67b0d6404a38d14b2a50043868
@@ -1,4 +1,4 @@
1
- # typed: strict
1
+ # typed: strong
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "sorbet-runtime"
@@ -41,9 +41,9 @@ module Dependabot
41
41
 
42
42
  sig do
43
43
  params(
44
- source: T::Hash[Symbol, T.untyped],
44
+ source: T::Hash[Symbol, Object],
45
45
  credentials: T::Array[Dependabot::Credential],
46
- requirements: T::Array[T::Hash[Symbol, T.untyped]],
46
+ requirements: T::Array[T::Hash[Symbol, Object]],
47
47
  current_version: T.nilable(String),
48
48
  cooldown_options: T.nilable(Dependabot::Package::ReleaseCooldownOptions)
49
49
  ).void
@@ -65,18 +65,18 @@ module Dependabot
65
65
  # Generate updated requirements for the new version
66
66
  # Should preserve the original version constraint operator (>=, ~=, etc.)
67
67
  # and update the source hash with the new original_string
68
- sig { abstract.params(latest_version: String).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
68
+ sig { abstract.params(latest_version: String).returns(T::Array[T::Hash[Symbol, Object]]) }
69
69
  def updated_requirements(latest_version); end
70
70
 
71
71
  private
72
72
 
73
- sig { returns(T::Hash[Symbol, T.untyped]) }
73
+ sig { returns(T::Hash[Symbol, Object]) }
74
74
  attr_reader :source
75
75
 
76
76
  sig { returns(T::Array[Dependabot::Credential]) }
77
77
  attr_reader :credentials
78
78
 
79
- sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
79
+ sig { returns(T::Array[T::Hash[Symbol, Object]]) }
80
80
  attr_reader :requirements
81
81
 
82
82
  sig { returns(T.nilable(String)) }
@@ -89,6 +89,12 @@ module Dependabot
89
89
  def package_name
90
90
  source[:package_name]&.to_s
91
91
  end
92
+
93
+ sig { params(requirement: T.nilable(T::Hash[Symbol, Object])).returns(T.nilable(String)) }
94
+ def requirement_string(requirement)
95
+ value = requirement&.dig(:requirement)
96
+ value if value.is_a?(String)
97
+ end
92
98
  end
93
99
  end
94
100
  end
@@ -24,14 +24,14 @@ module Dependabot
24
24
  )
25
25
  end
26
26
 
27
- sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
27
+ sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, Object]]) }
28
28
  def updated_requirements(latest_version)
29
29
  requirements.map do |original_req|
30
30
  original_source = original_req[:source]
31
31
  next original_req unless original_source.is_a?(Hash)
32
32
  next original_req unless original_source[:type] == "additional_dependency"
33
33
 
34
- original_requirement = original_req[:requirement]
34
+ original_requirement = requirement_string(original_req)
35
35
  new_requirement = build_updated_requirement(original_requirement, latest_version)
36
36
 
37
37
  new_original_string = build_original_string(
@@ -24,7 +24,7 @@ module Dependabot
24
24
  )
25
25
  end
26
26
 
27
- sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
27
+ sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, Object]]) }
28
28
  def updated_requirements(latest_version)
29
29
  requirements.map do |original_req|
30
30
  original_source = original_req[:source]
@@ -25,14 +25,14 @@ module Dependabot
25
25
  )
26
26
  end
27
27
 
28
- sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
28
+ sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, Object]]) }
29
29
  def updated_requirements(latest_version)
30
30
  requirements.map do |original_req|
31
31
  original_source = original_req[:source]
32
32
  next original_req unless original_source.is_a?(Hash)
33
33
  next original_req unless original_source[:type] == "additional_dependency"
34
34
 
35
- original_requirement = original_req[:requirement]
35
+ original_requirement = requirement_string(original_req)
36
36
  new_requirement = build_updated_requirement(original_requirement, latest_version)
37
37
 
38
38
  new_original_string = build_original_string(
@@ -112,7 +112,7 @@ module Dependabot
112
112
 
113
113
  sig { returns(T.nilable(String)) }
114
114
  def extract_version_from_requirement
115
- req_string = requirements.first&.dig(:requirement)
115
+ req_string = requirement_string(requirements.first)
116
116
  return nil unless req_string
117
117
 
118
118
  version_part = req_string.sub(/\A[~^]|[><=]+\s*/, "")
@@ -26,14 +26,14 @@ module Dependabot
26
26
  )
27
27
  end
28
28
 
29
- sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
29
+ sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, Object]]) }
30
30
  def updated_requirements(latest_version)
31
31
  requirements.map do |original_req|
32
32
  original_source = original_req[:source]
33
33
  next original_req unless original_source.is_a?(Hash)
34
34
  next original_req unless original_source[:type] == "additional_dependency"
35
35
 
36
- original_requirement = original_req[:requirement]
36
+ original_requirement = requirement_string(original_req)
37
37
  new_requirement = build_updated_requirement(original_requirement, latest_version)
38
38
 
39
39
  new_original_string = build_original_string(
@@ -126,7 +126,7 @@ module Dependabot
126
126
 
127
127
  sig { returns(T.nilable(String)) }
128
128
  def extract_version_from_requirement
129
- req_string = requirements.first&.dig(:requirement)
129
+ req_string = requirement_string(requirements.first)
130
130
  return nil unless req_string
131
131
 
132
132
  match = req_string.match(/[\d]+(?:\.[\d]+)*(?:\.?\w+)*/)
@@ -25,14 +25,14 @@ module Dependabot
25
25
  )
26
26
  end
27
27
 
28
- sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
28
+ sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, Object]]) }
29
29
  def updated_requirements(latest_version)
30
30
  requirements.map do |original_req|
31
31
  original_source = original_req[:source]
32
32
  next original_req unless original_source.is_a?(Hash)
33
33
  next original_req unless original_source[:type] == "additional_dependency"
34
34
 
35
- original_requirement = original_req[:requirement]
35
+ original_requirement = requirement_string(original_req)
36
36
  new_requirement = build_updated_requirement(original_requirement, latest_version)
37
37
 
38
38
  new_original_string = build_original_string(
@@ -112,7 +112,7 @@ module Dependabot
112
112
 
113
113
  sig { returns(T.nilable(String)) }
114
114
  def extract_version_from_requirement
115
- req_string = requirements.first&.dig(:requirement)
115
+ req_string = requirement_string(requirements.first)
116
116
  return nil unless req_string
117
117
 
118
118
  version_part = req_string.sub(/\A[~><=!]+\s*/, "").strip
@@ -25,14 +25,14 @@ module Dependabot
25
25
  )
26
26
  end
27
27
 
28
- sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
28
+ sig { override.params(latest_version: String).returns(T::Array[T::Hash[Symbol, Object]]) }
29
29
  def updated_requirements(latest_version)
30
30
  requirements.map do |original_req|
31
31
  original_source = original_req[:source]
32
32
  next original_req unless original_source.is_a?(Hash)
33
33
  next original_req unless original_source[:type] == "additional_dependency"
34
34
 
35
- original_requirement = original_req[:requirement]
35
+ original_requirement = requirement_string(original_req)
36
36
  new_requirement = build_updated_requirement(original_requirement, latest_version)
37
37
 
38
38
  new_original_string = build_original_string(
@@ -113,7 +113,7 @@ module Dependabot
113
113
 
114
114
  sig { returns(T.nilable(String)) }
115
115
  def extract_version_from_requirement
116
- req_string = requirements.first&.dig(:requirement)
116
+ req_string = requirement_string(requirements.first)
117
117
  return nil unless req_string
118
118
 
119
119
  version_part = req_string.sub(/\A(?:[~^]|[><=]+)\s*/, "")
@@ -33,7 +33,7 @@ module Dependabot
33
33
  end
34
34
  end
35
35
 
36
- sig { override.returns(T.nilable(T::Hash[Symbol, T.untyped])) }
36
+ sig { override.returns(T.nilable(T::Hash[Symbol, Object])) }
37
37
  def ecosystem_versions
38
38
  nil
39
39
  end
@@ -29,7 +29,7 @@ module Dependabot
29
29
  end
30
30
  def initialize(credentials:)
31
31
  @credentials = credentials
32
- @hooks_cache = T.let({}, T::Hash[String, T.nilable(T::Array[T::Hash[String, T.untyped]])])
32
+ @hooks_cache = T.let({}, T::Hash[String, T.nilable(T::Array[T::Hash[String, Object]])])
33
33
  end
34
34
 
35
35
  # Fetches the language for a specific hook from the hook source repository.
@@ -64,7 +64,7 @@ module Dependabot
64
64
  params(
65
65
  repo_url: String,
66
66
  revision: String
67
- ).returns(T.nilable(T::Array[T::Hash[String, T.untyped]]))
67
+ ).returns(T.nilable(T::Array[T::Hash[String, Object]]))
68
68
  end
69
69
  def fetch_hooks_from_repo(repo_url, revision)
70
70
  cache_key = "#{repo_url}@#{revision}"
@@ -79,7 +79,7 @@ module Dependabot
79
79
  params(
80
80
  repo_url: String,
81
81
  revision: String
82
- ).returns(T.nilable(T::Array[T::Hash[String, T.untyped]]))
82
+ ).returns(T.nilable(T::Array[T::Hash[String, Object]]))
83
83
  end
84
84
  def fetch_hooks_internal(repo_url, revision)
85
85
  source = Source.from_url(repo_url)
@@ -96,7 +96,7 @@ module Dependabot
96
96
  params(
97
97
  source: Dependabot::Source,
98
98
  revision: String
99
- ).returns(T.nilable(T::Array[T::Hash[String, T.untyped]]))
99
+ ).returns(T.nilable(T::Array[T::Hash[String, Object]]))
100
100
  end
101
101
  def fetch_from_github(source, revision)
102
102
  response = github_client.send(
@@ -121,7 +121,7 @@ module Dependabot
121
121
  params(
122
122
  repo_url: String,
123
123
  revision: String
124
- ).returns(T.nilable(T::Array[T::Hash[String, T.untyped]]))
124
+ ).returns(T.nilable(T::Array[T::Hash[String, Object]]))
125
125
  end
126
126
  def fetch_via_git_clone(repo_url, revision)
127
127
  source = Source.from_url(repo_url)
@@ -157,7 +157,7 @@ module Dependabot
157
157
  nil
158
158
  end
159
159
 
160
- sig { params(content: String).returns(T.nilable(T::Array[T::Hash[String, T.untyped]])) }
160
+ sig { params(content: String).returns(T.nilable(T::Array[T::Hash[String, Object]])) }
161
161
  def parse_hooks_yaml(content)
162
162
  yaml = YAML.safe_load(content, aliases: true)
163
163
  return nil unless yaml.is_a?(Array)
@@ -37,7 +37,7 @@ module Dependabot
37
37
  "ruby" => ->(dep_string) { Dependabot::Bundler::Requirement.parse_dep_string(dep_string) },
38
38
  "dart" => ->(dep_string) { Dependabot::Pub::Requirement.parse_dep_string(dep_string) }
39
39
  }.freeze,
40
- T::Hash[String, T.proc.params(dep_string: String).returns(T.nilable(T::Hash[Symbol, T.untyped]))]
40
+ T::Hash[String, T.proc.params(dep_string: String).returns(T.nilable(T::Hash[Symbol, Object]))]
41
41
  )
42
42
 
43
43
  sig { override.returns(Ecosystem) }
@@ -77,6 +77,8 @@ module Dependabot
77
77
  return dependency_set unless yaml.is_a?(Hash)
78
78
 
79
79
  repos = yaml.fetch("repos", [])
80
+ return dependency_set unless repos.is_a?(Array)
81
+
80
82
  repos.each do |repo|
81
83
  next unless repo.is_a?(Hash)
82
84
 
@@ -94,7 +96,7 @@ module Dependabot
94
96
 
95
97
  sig do
96
98
  params(
97
- repo: T::Hash[String, T.untyped],
99
+ repo: T::Hash[String, Object],
98
100
  file: Dependabot::DependencyFile
99
101
  ).returns(T.nilable(Dependency))
100
102
  end
@@ -102,7 +104,7 @@ module Dependabot
102
104
  repo_url = repo["repo"]
103
105
  rev = repo["rev"]
104
106
 
105
- return nil if repo_url.nil? || rev.nil?
107
+ return nil unless repo_url.is_a?(String) && rev.is_a?(String)
106
108
  return nil if %w(local meta).include?(repo_url)
107
109
 
108
110
  comment = rev_line_comment(file, repo_url)
@@ -128,7 +130,7 @@ module Dependabot
128
130
 
129
131
  sig do
130
132
  params(
131
- repo: T::Hash[String, T.untyped],
133
+ repo: T::Hash[String, Object],
132
134
  file: Dependabot::DependencyFile
133
135
  ).returns(T::Array[Dependabot::Dependency])
134
136
  end
@@ -137,9 +139,14 @@ module Dependabot
137
139
  repo_url = repo["repo"]
138
140
  revision = repo["rev"]
139
141
 
140
- return dependencies if repo_url.nil? || %w(local meta).include?(repo_url)
142
+ return dependencies unless repo_url.is_a?(String)
143
+ return dependencies if %w(local meta).include?(repo_url)
144
+
145
+ revision = nil unless revision.is_a?(String)
141
146
 
142
147
  hooks = repo.fetch("hooks", [])
148
+ return dependencies unless hooks.is_a?(Array)
149
+
143
150
  hooks.each do |hook|
144
151
  next unless hook.is_a?(Hash)
145
152
 
@@ -152,7 +159,7 @@ module Dependabot
152
159
 
153
160
  sig do
154
161
  params(
155
- hook: T::Hash[String, T.untyped],
162
+ hook: T::Hash[String, Object],
156
163
  repo_url: String,
157
164
  revision: T.nilable(String),
158
165
  file: Dependabot::DependencyFile
@@ -162,9 +169,10 @@ module Dependabot
162
169
  dependencies = []
163
170
  hook_id = hook["id"]
164
171
 
165
- return dependencies unless hook_id
172
+ return dependencies unless hook_id.is_a?(String)
166
173
 
167
174
  additional_deps = hook.fetch("additional_dependencies", [])
175
+ return dependencies unless additional_deps.is_a?(Array)
168
176
  return dependencies if additional_deps.empty?
169
177
 
170
178
  # Get language from local config first, then try fetching from hook source repo
@@ -178,28 +186,9 @@ module Dependabot
178
186
  next unless dep_string.is_a?(String)
179
187
 
180
188
  parsed = parser.call(dep_string)
181
- next unless parsed
182
-
183
- dependencies << Dependabot::Dependency.new(
184
- name: parsed[:normalised_name],
185
- version: parsed[:version],
186
- requirements: [{
187
- requirement: parsed[:requirement],
188
- groups: ["additional_dependencies"],
189
- file: file.name,
190
- source: {
191
- type: "additional_dependency",
192
- language: language,
193
- package_name: parsed[:normalised_name],
194
- original_name: parsed[:name],
195
- hook_id: hook_id,
196
- hook_repo: repo_url,
197
- extras: parsed[:extras],
198
- original_string: dep_string
199
- }
200
- }],
201
- package_manager: ECOSYSTEM
202
- )
189
+ source_details = { language: language, hook_id: hook_id, repo_url: repo_url }
190
+ dependency = parsed && build_additional_dependency(parsed, dep_string, source_details, file)
191
+ dependencies << dependency if dependency
203
192
  end
204
193
 
205
194
  dependencies
@@ -207,7 +196,56 @@ module Dependabot
207
196
 
208
197
  sig do
209
198
  params(
210
- hook: T::Hash[String, T.untyped],
199
+ parsed: T::Hash[Symbol, Object],
200
+ dep_string: String,
201
+ source_details: T::Hash[Symbol, String],
202
+ file: Dependabot::DependencyFile
203
+ ).returns(T.nilable(Dependabot::Dependency))
204
+ end
205
+ def build_additional_dependency(parsed, dep_string, source_details, file)
206
+ normalised_name = parsed[:normalised_name]
207
+ return unless normalised_name.is_a?(String)
208
+
209
+ version = parsed[:version]
210
+ return unless version.nil? || version.is_a?(String) || version.is_a?(Dependabot::Version)
211
+
212
+ Dependabot::Dependency.new(
213
+ name: normalised_name,
214
+ version: version,
215
+ requirements: [additional_dependency_requirement(parsed, dep_string, source_details, file)],
216
+ package_manager: ECOSYSTEM
217
+ )
218
+ end
219
+
220
+ sig do
221
+ params(
222
+ parsed: T::Hash[Symbol, Object],
223
+ dep_string: String,
224
+ source_details: T::Hash[Symbol, String],
225
+ file: Dependabot::DependencyFile
226
+ ).returns(T::Hash[Symbol, Object])
227
+ end
228
+ def additional_dependency_requirement(parsed, dep_string, source_details, file)
229
+ {
230
+ requirement: parsed[:requirement],
231
+ groups: ["additional_dependencies"],
232
+ file: file.name,
233
+ source: {
234
+ type: "additional_dependency",
235
+ language: source_details.fetch(:language),
236
+ package_name: parsed[:normalised_name],
237
+ original_name: parsed[:name],
238
+ hook_id: source_details.fetch(:hook_id),
239
+ hook_repo: source_details.fetch(:repo_url),
240
+ extras: parsed[:extras],
241
+ original_string: dep_string
242
+ }
243
+ }
244
+ end
245
+
246
+ sig do
247
+ params(
248
+ hook: T::Hash[String, Object],
211
249
  repo_url: String,
212
250
  revision: T.nilable(String),
213
251
  hook_id: String
@@ -216,7 +254,7 @@ module Dependabot
216
254
  def resolve_hook_language(hook, repo_url, revision, hook_id)
217
255
  # Use local language if explicitly specified
218
256
  local_language = hook["language"]
219
- return local_language if local_language
257
+ return local_language if local_language.is_a?(String)
220
258
 
221
259
  # Otherwise fetch from the hook source repository
222
260
  return nil unless revision
@@ -60,7 +60,7 @@ module Dependabot
60
60
 
61
61
  sig do
62
62
  params(file: Dependabot::DependencyFile)
63
- .returns(T::Array[[T::Hash[Symbol, T.untyped], T::Hash[Symbol, T.untyped]]])
63
+ .returns(T::Array[[T::Hash[Symbol, Object], T::Hash[Symbol, Object]]])
64
64
  end
65
65
  def requirement_pairs_for_file(file)
66
66
  pairs = dependency.requirements.zip(T.must(dependency.previous_requirements))
@@ -70,8 +70,8 @@ module Dependabot
70
70
  file_name = T.cast(new_req[:file], T.nilable(String))
71
71
  next true if file_name != file.name
72
72
 
73
- new_source = T.cast(new_req[:source], T.nilable(T::Hash[Symbol, T.untyped]))
74
- old_source = T.cast(old_req[:source], T.nilable(T::Hash[Symbol, T.untyped]))
73
+ new_source = T.cast(new_req[:source], T.nilable(T::Hash[Symbol, Object]))
74
+ old_source = T.cast(old_req[:source], T.nilable(T::Hash[Symbol, Object]))
75
75
  new_source == old_source
76
76
  end
77
77
 
@@ -81,12 +81,12 @@ module Dependabot
81
81
  sig do
82
82
  params(
83
83
  content: String,
84
- new_req: T::Hash[Symbol, T.untyped],
85
- old_req: T::Hash[Symbol, T.untyped]
84
+ new_req: T::Hash[Symbol, Object],
85
+ old_req: T::Hash[Symbol, Object]
86
86
  ).returns(String)
87
87
  end
88
88
  def apply_requirement_update(content, new_req, old_req)
89
- new_source = T.cast(new_req.fetch(:source), T::Hash[Symbol, T.untyped])
89
+ new_source = T.cast(new_req.fetch(:source), T::Hash[Symbol, Object])
90
90
  source_type = T.cast(new_source.fetch(:type), String)
91
91
 
92
92
  case source_type
@@ -102,18 +102,18 @@ module Dependabot
102
102
  sig do
103
103
  params(
104
104
  content: String,
105
- new_req: T::Hash[Symbol, T.untyped],
106
- old_req: T::Hash[Symbol, T.untyped]
105
+ new_req: T::Hash[Symbol, Object],
106
+ old_req: T::Hash[Symbol, Object]
107
107
  ).returns(String)
108
108
  end
109
109
  def apply_git_requirement_update(content, new_req, old_req)
110
- new_source = T.cast(new_req.fetch(:source), T::Hash[Symbol, T.untyped])
111
- old_source = T.cast(old_req.fetch(:source), T::Hash[Symbol, T.untyped])
110
+ new_source = T.cast(new_req.fetch(:source), T::Hash[Symbol, Object])
111
+ old_source = T.cast(old_req.fetch(:source), T::Hash[Symbol, Object])
112
112
  repo_url = T.cast(old_source.fetch(:url), String)
113
113
  old_ref = T.cast(old_source.fetch(:ref), String)
114
114
  new_ref = T.cast(new_source.fetch(:ref), String)
115
115
 
116
- new_metadata = T.cast(new_req.fetch(:metadata, {}), T::Hash[Symbol, T.untyped])
116
+ new_metadata = T.cast(new_req.fetch(:metadata, {}), T::Hash[Symbol, Object])
117
117
  old_version = T.cast(new_metadata[:comment_version], T.nilable(String))
118
118
  new_version = T.cast(new_metadata[:new_comment_version], T.nilable(String))
119
119
 
@@ -130,13 +130,13 @@ module Dependabot
130
130
  sig do
131
131
  params(
132
132
  content: String,
133
- new_req: T::Hash[Symbol, T.untyped],
134
- old_req: T::Hash[Symbol, T.untyped]
133
+ new_req: T::Hash[Symbol, Object],
134
+ old_req: T::Hash[Symbol, Object]
135
135
  ).returns(String)
136
136
  end
137
137
  def apply_additional_dependency_update(content, new_req, old_req)
138
- old_source = T.cast(old_req.fetch(:source), T::Hash[Symbol, T.untyped])
139
- new_source = T.cast(new_req.fetch(:source), T::Hash[Symbol, T.untyped])
138
+ old_source = T.cast(old_req.fetch(:source), T::Hash[Symbol, Object])
139
+ new_source = T.cast(new_req.fetch(:source), T::Hash[Symbol, Object])
140
140
 
141
141
  old_string = T.cast(old_source.fetch(:original_string), String)
142
142
  new_string = T.cast(new_source.fetch(:original_string), String)
@@ -20,7 +20,7 @@ module Dependabot
20
20
  ignored_versions: T::Array[String],
21
21
  raise_on_ignored: T::Boolean,
22
22
  consider_version_branches_pinned: T::Boolean,
23
- dependency_source_details: T.nilable(T::Hash[Symbol, String])
23
+ dependency_source_details: T.nilable(T::Hash[Symbol, Object])
24
24
  )
25
25
  .void
26
26
  end
@@ -60,11 +60,11 @@ module Dependabot
60
60
  )
61
61
  end
62
62
 
63
- sig { params(source: T.nilable(T::Hash[Symbol, String])).returns(Dependabot::GitCommitChecker) }
63
+ sig { params(source: T.nilable(T::Hash[Symbol, Object])).returns(Dependabot::GitCommitChecker) }
64
64
  def git_commit_checker_for(source)
65
65
  @git_commit_checkers ||= T.let(
66
66
  {},
67
- T.nilable(T::Hash[T.nilable(T::Hash[Symbol, String]), Dependabot::GitCommitChecker])
67
+ T.nilable(T::Hash[T.nilable(T::Hash[Symbol, Object]), Dependabot::GitCommitChecker])
68
68
  )
69
69
 
70
70
  @git_commit_checkers[source] ||= Dependabot::GitCommitChecker.new(
@@ -62,7 +62,9 @@ module Dependabot
62
62
  def version_tag_release
63
63
  return unless git_commit_checker.pinned_ref_looks_like_version? && latest_version_tag
64
64
 
65
- latest_version = latest_version_tag&.fetch(:version)
65
+ latest_version = pre_commit_version(latest_version_tag&.fetch(:version))
66
+ return unless latest_version
67
+
66
68
  return current_version if shortened_semver_eq?(dependency.version, latest_version.to_s)
67
69
 
68
70
  latest_version
@@ -74,7 +76,7 @@ module Dependabot
74
76
 
75
77
  if latest_version_tag
76
78
  if git_commit_checker.local_tag_for_pinned_sha || version_comment?
77
- return T.must(latest_version_tag).fetch(:version)
79
+ return pre_commit_version(T.must(latest_version_tag).fetch(:version))
78
80
  end
79
81
 
80
82
  return latest_commit_for_pinned_ref
@@ -83,7 +85,7 @@ module Dependabot
83
85
  latest_commit_for_pinned_ref
84
86
  end
85
87
 
86
- sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
88
+ sig { returns(T.nilable(T::Hash[Symbol, Object])) }
87
89
  def latest_version_tag
88
90
  @latest_version_tag ||= T.let(
89
91
  begin
@@ -96,13 +98,20 @@ module Dependabot
96
98
 
97
99
  git_commit_checker.local_ref_for_latest_version_lower_precision
98
100
  end,
99
- T.nilable(T::Hash[Symbol, T.untyped])
101
+ T.nilable(T::Hash[Symbol, Object])
100
102
  )
101
103
  end
102
104
 
103
105
  private
104
106
 
105
- sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
107
+ sig { params(version: Object).returns(T.nilable(Dependabot::Version)) }
108
+ def pre_commit_version(version)
109
+ return unless version.is_a?(String) || version.is_a?(Gem::Version)
110
+
111
+ Dependabot::PreCommit::Version.new(version.to_s)
112
+ end
113
+
114
+ sig { returns(T.nilable(T::Hash[Symbol, Object])) }
106
115
  def constrained_latest_version_tag
107
116
  frozen_ref = frozen_comment_ref
108
117
  return nil unless frozen_ref
@@ -199,7 +208,7 @@ module Dependabot
199
208
  if head_commit_for_ref_sha
200
209
  head_commit_for_ref_sha
201
210
  else
202
- url = git_commit_checker.dependency_source_details&.fetch(:url)
211
+ url = git_commit_checker.dependency_source_details&.url
203
212
  source = T.must(Source.from_url(url))
204
213
 
205
214
  SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
@@ -208,7 +217,7 @@ module Dependabot
208
217
  SharedHelpers.run_shell_command("git clone --no-recurse-submodules #{url} #{repo_contents_path}")
209
218
 
210
219
  Dir.chdir(repo_contents_path) do
211
- ref_branch = find_container_branch(git_commit_checker.dependency_source_details&.fetch(:ref))
220
+ ref_branch = find_container_branch(T.must(git_commit_checker.dependency_source_details&.ref))
212
221
  git_commit_checker.head_commit_for_local_branch(ref_branch) if ref_branch
213
222
  end
214
223
  end
@@ -238,12 +247,15 @@ module Dependabot
238
247
  end
239
248
 
240
249
  sig do
241
- params(tags_array: T::Array[T::Hash[Symbol, T.untyped]]).returns(T::Array[T::Hash[Symbol, T.untyped]])
250
+ params(tags_array: T::Array[T::Hash[Symbol, Object]]).returns(T::Array[T::Hash[Symbol, Object]])
242
251
  end
243
252
  def filter_lower_tags(tags_array)
244
253
  return tags_array unless current_version
245
254
 
246
- tags_array.select { |tag| tag.fetch(:version) > current_version }
255
+ tags_array.select do |tag|
256
+ version = tag.fetch(:version)
257
+ version.is_a?(Gem::Version) && version > current_version
258
+ end
247
259
  end
248
260
 
249
261
  sig { returns(T::Boolean) }
@@ -30,7 +30,7 @@ module Dependabot
30
30
  credentials: T::Array[Dependabot::Credential],
31
31
  ignored_versions: T::Array[String],
32
32
  raise_on_ignored: T::Boolean,
33
- options: T::Hash[Symbol, T.untyped],
33
+ options: T::Hash[Symbol, Object],
34
34
  cooldown_options: T.nilable(Dependabot::Package::ReleaseCooldownOptions)
35
35
  ).void
36
36
  end
@@ -50,7 +50,7 @@ module Dependabot
50
50
  @raise_on_ignored = raise_on_ignored
51
51
  @options = options
52
52
  @cooldown_options = cooldown_options
53
- @cooldown_selected_tag = T.let(nil, T.nilable(T::Hash[Symbol, T.untyped]))
53
+ @cooldown_selected_tag = T.let(nil, T.nilable(T::Hash[Symbol, Object]))
54
54
  @cooldown_rejected_all = T.let(false, T::Boolean)
55
55
 
56
56
  @git_helper = T.let(git_helper, Dependabot::PreCommit::Helpers::Githelper)
@@ -94,7 +94,7 @@ module Dependabot
94
94
  filter_release_with_cooldown(release)
95
95
  end
96
96
 
97
- sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
97
+ sig { returns(T.nilable(T::Hash[Symbol, Object])) }
98
98
  def latest_version_tag
99
99
  return nil if @cooldown_rejected_all
100
100
 
@@ -103,7 +103,7 @@ module Dependabot
103
103
 
104
104
  sig { override.returns(T.nilable(String)) }
105
105
  def cooldown_source_url
106
- @git_helper.git_commit_checker.dependency_source_details&.fetch(:url)
106
+ @git_helper.git_commit_checker.dependency_source_details&.url
107
107
  end
108
108
 
109
109
  sig { override.returns(T::Array[Dependabot::Credential]) }
@@ -155,11 +155,11 @@ module Dependabot
155
155
  )
156
156
  end
157
157
 
158
- sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
158
+ sig { returns(T.nilable(T::Hash[Symbol, Object])) }
159
159
  def available_latest_version_tag
160
160
  @latest_version_tag = T.let(
161
161
  T.must(package_details_fetcher).latest_version_tag,
162
- T.nilable(T::Hash[Symbol, T.untyped])
162
+ T.nilable(T::Hash[Symbol, Object])
163
163
  )
164
164
  end
165
165
 
@@ -193,7 +193,7 @@ module Dependabot
193
193
  # - current_version when ALL candidates have releases and all are in cooldown
194
194
  # - nil when no releases exist or some candidates lack releases (triggers git fallback)
195
195
  sig do
196
- params(candidates: T::Array[T::Hash[Symbol, T.untyped]])
196
+ params(candidates: T::Array[T::Hash[Symbol, Object]])
197
197
  .returns(T.nilable(Dependabot::Version))
198
198
  end
199
199
  def check_candidates_via_github_releases(candidates)
@@ -204,7 +204,7 @@ module Dependabot
204
204
  all_have_releases = T.let(true, T::Boolean)
205
205
 
206
206
  candidates.each do |tag|
207
- tag_name = normalize_tag_name(tag[:tag] || "v#{tag[:version]}")
207
+ tag_name = normalize_tag_name((tag[:tag] || "v#{tag[:version]}").to_s)
208
208
  release = releases.find { |r| r.tag_name == tag_name }
209
209
 
210
210
  unless release&.published_at
@@ -215,7 +215,7 @@ module Dependabot
215
215
  unless release_in_cooldown_period?(release.published_at)
216
216
  log_cooldown_result(filtered_count, tag[:version], release.published_at)
217
217
  @cooldown_selected_tag = tag
218
- return T.cast(tag[:version], Dependabot::Version)
218
+ return version_from_tag(tag)
219
219
  end
220
220
 
221
221
  filtered_count += 1
@@ -238,7 +238,7 @@ module Dependabot
238
238
  # Checks candidate tags inside a bare clone directory, returning the first
239
239
  # version whose tag creation date falls outside the cooldown window.
240
240
  sig do
241
- params(candidates: T::Array[T::Hash[Symbol, T.untyped]])
241
+ params(candidates: T::Array[T::Hash[Symbol, Object]])
242
242
  .returns(T.nilable(Dependabot::Version))
243
243
  end
244
244
  def check_candidates_via_git_clone(candidates)
@@ -260,7 +260,7 @@ module Dependabot
260
260
  # Prefers GitHub Release published_at when available for a candidate,
261
261
  # falling back to tag creation date from the cloned repo.
262
262
  sig do
263
- params(candidates: T::Array[T::Hash[Symbol, T.untyped]])
263
+ params(candidates: T::Array[T::Hash[Symbol, Object]])
264
264
  .returns(T.nilable(Dependabot::Version))
265
265
  end
266
266
  def check_candidates_cooldown(candidates)
@@ -268,9 +268,9 @@ module Dependabot
268
268
 
269
269
  candidates.each do |tag|
270
270
  commit_sha = tag[:commit_sha]
271
- next unless commit_sha
271
+ next unless commit_sha.is_a?(String)
272
272
 
273
- tag_name = normalize_tag_name(tag[:tag] || "v#{tag[:version]}")
273
+ tag_name = normalize_tag_name((tag[:tag] || "v#{tag[:version]}").to_s)
274
274
  release_date = resolve_candidate_date(tag_name, commit_sha)
275
275
 
276
276
  if release_in_cooldown_period?(release_date)
@@ -278,7 +278,7 @@ module Dependabot
278
278
  else
279
279
  log_cooldown_result(filtered_count, tag[:version], release_date)
280
280
  @cooldown_selected_tag = tag
281
- return T.cast(tag[:version], Dependabot::Version)
281
+ return version_from_tag(tag)
282
282
  end
283
283
  end
284
284
 
@@ -290,7 +290,7 @@ module Dependabot
290
290
  end
291
291
 
292
292
  sig do
293
- params(filtered_count: Integer, version: T.untyped, release_date: Time).void
293
+ params(filtered_count: Integer, version: Object, release_date: Time).void
294
294
  end
295
295
  def log_cooldown_result(filtered_count, version, release_date)
296
296
  if filtered_count.positive?
@@ -301,9 +301,17 @@ module Dependabot
301
301
  Dependabot.logger.info("Selected version #{version} (released #{release_date})")
302
302
  end
303
303
 
304
+ sig { params(tag: T::Hash[Symbol, Object]).returns(T.nilable(Dependabot::Version)) }
305
+ def version_from_tag(tag)
306
+ version = tag[:version]
307
+ return unless version.is_a?(String) || version.is_a?(Gem::Version)
308
+
309
+ Dependabot::PreCommit::Version.new(version.to_s)
310
+ end
311
+
304
312
  # Returns all version tags > current_version, sorted descending (latest first).
305
313
  # This ensures we evaluate from the newest candidate downward.
306
- sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
314
+ sig { returns(T::Array[T::Hash[Symbol, Object]]) }
307
315
  def version_candidates_descending
308
316
  # When pinned to a SHA, precision matching against the SHA is meaningless
309
317
  # (a SHA has no dots, so precision=1 matches nothing useful).
@@ -315,11 +323,12 @@ module Dependabot
315
323
  end
316
324
  cur_version = current_version
317
325
 
318
- all_tags
319
- .select { |tag| tag[:version].is_a?(Gem::Version) }
320
- .select { |tag| cur_version.nil? || tag[:version] > cur_version }
321
- .sort_by { |tag| tag[:version] }
322
- .reverse
326
+ candidates = all_tags.select do |tag|
327
+ version = version_from_tag(tag)
328
+ version && (cur_version.nil? || version > cur_version)
329
+ end
330
+
331
+ candidates.sort_by { |tag| T.must(version_from_tag(tag)) }.reverse
323
332
  end
324
333
 
325
334
  sig { params(release_date: Time).returns(T::Boolean) }
@@ -50,7 +50,7 @@ module Dependabot
50
50
  return wrap_requirements(additional_dependency_updated_requirements) if additional_dependency?
51
51
 
52
52
  updated_reqs = dependency.requirements.map do |req|
53
- source = T.cast(req[:source], T.nilable(T::Hash[Symbol, T.untyped]))
53
+ source = T.cast(req[:source], T.nilable(T::Hash[Symbol, Object]))
54
54
  updated = updated_ref(source)
55
55
  next req unless updated
56
56
 
@@ -146,7 +146,7 @@ module Dependabot
146
146
  if head_commit_for_ref_sha
147
147
  head_commit_for_ref_sha
148
148
  else
149
- url = T.cast(git_commit_checker.dependency_source_details&.fetch(:url), T.nilable(String))
149
+ url = git_commit_checker.dependency_source_details&.url
150
150
  source = T.must(Source.from_url(T.must(url)))
151
151
 
152
152
  SharedHelpers.in_a_temporary_directory(File.dirname(source.repo)) do |temp_dir|
@@ -155,7 +155,7 @@ module Dependabot
155
155
  SharedHelpers.run_shell_command("git clone --no-recurse-submodules #{url} #{repo_contents_path}")
156
156
 
157
157
  Dir.chdir(repo_contents_path) do
158
- ref = T.cast(git_commit_checker.dependency_source_details&.fetch(:ref), T.nilable(String))
158
+ ref = git_commit_checker.dependency_source_details&.ref
159
159
  ref_branch = find_container_branch(T.must(ref))
160
160
  git_commit_checker.head_commit_for_local_branch(ref_branch) if ref_branch
161
161
  end
@@ -166,7 +166,7 @@ module Dependabot
166
166
  )
167
167
  end
168
168
 
169
- sig { params(source: T.nilable(T::Hash[Symbol, T.untyped])).returns(T.nilable(String)) }
169
+ sig { params(source: T.nilable(T::Hash[Symbol, Object])).returns(T.nilable(String)) }
170
170
  def updated_ref(source)
171
171
  return unless git_commit_checker.git_dependency?
172
172
 
@@ -213,12 +213,12 @@ module Dependabot
213
213
 
214
214
  sig do
215
215
  params(
216
- req: T::Hash[Symbol, T.untyped],
216
+ req: T::Hash[Symbol, Object],
217
217
  new_ref: String
218
- ).returns(T::Hash[Symbol, T.untyped])
218
+ ).returns(T::Hash[Symbol, Object])
219
219
  end
220
220
  def updated_comment_version_metadata(req, new_ref)
221
- existing_metadata = T.cast(req.fetch(:metadata, {}), T::Hash[Symbol, T.untyped])
221
+ existing_metadata = T.cast(req.fetch(:metadata, {}), T::Hash[Symbol, Object])
222
222
  comment = T.cast(existing_metadata[:comment], T.nilable(String))
223
223
  return existing_metadata unless comment
224
224
 
@@ -244,7 +244,7 @@ module Dependabot
244
244
  comment = T.let(
245
245
  @dependency.requirements
246
246
  .filter_map do |req|
247
- val = T.cast(req.fetch(:metadata, {}), T::Hash[Symbol, T.untyped])[:comment]
247
+ val = T.cast(req.fetch(:metadata, {}), T::Hash[Symbol, Object])[:comment]
248
248
  T.cast(val, T.nilable(String))
249
249
  end
250
250
  .first,
@@ -310,7 +310,7 @@ module Dependabot
310
310
  requirement = dependency.requirements.first
311
311
  return false unless requirement
312
312
 
313
- source = T.cast(requirement[:source], T.nilable(T::Hash[Symbol, T.untyped]))
313
+ source = T.cast(requirement[:source], T.nilable(T::Hash[Symbol, Object]))
314
314
  return false unless source
315
315
 
316
316
  T.cast(source[:type], T.nilable(String)) == "additional_dependency"
@@ -318,7 +318,7 @@ module Dependabot
318
318
 
319
319
  sig { returns(T.nilable(T.any(String, Gem::Version))) }
320
320
  def additional_dependency_latest_version
321
- source = T.cast(dependency.requirements.first&.dig(:source), T::Hash[Symbol, T.untyped])
321
+ source = T.cast(dependency.requirements.first&.dig(:source), T::Hash[Symbol, Object])
322
322
  language = T.cast(source[:language], T.nilable(String))
323
323
  return nil unless language && AdditionalDependencyCheckers.supported?(language)
324
324
 
@@ -331,9 +331,9 @@ module Dependabot
331
331
  latest
332
332
  end
333
333
 
334
- sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
334
+ sig { returns(T::Array[T::Hash[Symbol, Object]]) }
335
335
  def additional_dependency_updated_requirements
336
- source = T.cast(dependency.requirements.first&.dig(:source), T::Hash[Symbol, T.untyped])
336
+ source = T.cast(dependency.requirements.first&.dig(:source), T::Hash[Symbol, Object])
337
337
  language = T.cast(source[:language], T.nilable(String))
338
338
  return dependency.requirements unless language && AdditionalDependencyCheckers.supported?(language)
339
339
 
@@ -349,7 +349,7 @@ module Dependabot
349
349
  sig do
350
350
  params(
351
351
  language: String,
352
- source: T::Hash[Symbol, T.untyped]
352
+ source: T::Hash[Symbol, Object]
353
353
  ).returns(T.nilable(Dependabot::PreCommit::AdditionalDependencyCheckers::Base))
354
354
  end
355
355
  def additional_dependency_checker(language, source)
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-pre_commit
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.385.0
4
+ version: 0.387.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -15,84 +15,84 @@ dependencies:
15
15
  requirements:
16
16
  - - '='
17
17
  - !ruby/object:Gem::Version
18
- version: 0.385.0
18
+ version: 0.387.0
19
19
  type: :runtime
20
20
  prerelease: false
21
21
  version_requirements: !ruby/object:Gem::Requirement
22
22
  requirements:
23
23
  - - '='
24
24
  - !ruby/object:Gem::Version
25
- version: 0.385.0
25
+ version: 0.387.0
26
26
  - !ruby/object:Gem::Dependency
27
27
  name: dependabot-cargo
28
28
  requirement: !ruby/object:Gem::Requirement
29
29
  requirements:
30
30
  - - '='
31
31
  - !ruby/object:Gem::Version
32
- version: 0.385.0
32
+ version: 0.387.0
33
33
  type: :runtime
34
34
  prerelease: false
35
35
  version_requirements: !ruby/object:Gem::Requirement
36
36
  requirements:
37
37
  - - '='
38
38
  - !ruby/object:Gem::Version
39
- version: 0.385.0
39
+ version: 0.387.0
40
40
  - !ruby/object:Gem::Dependency
41
41
  name: dependabot-common
42
42
  requirement: !ruby/object:Gem::Requirement
43
43
  requirements:
44
44
  - - '='
45
45
  - !ruby/object:Gem::Version
46
- version: 0.385.0
46
+ version: 0.387.0
47
47
  type: :runtime
48
48
  prerelease: false
49
49
  version_requirements: !ruby/object:Gem::Requirement
50
50
  requirements:
51
51
  - - '='
52
52
  - !ruby/object:Gem::Version
53
- version: 0.385.0
53
+ version: 0.387.0
54
54
  - !ruby/object:Gem::Dependency
55
55
  name: dependabot-go_modules
56
56
  requirement: !ruby/object:Gem::Requirement
57
57
  requirements:
58
58
  - - '='
59
59
  - !ruby/object:Gem::Version
60
- version: 0.385.0
60
+ version: 0.387.0
61
61
  type: :runtime
62
62
  prerelease: false
63
63
  version_requirements: !ruby/object:Gem::Requirement
64
64
  requirements:
65
65
  - - '='
66
66
  - !ruby/object:Gem::Version
67
- version: 0.385.0
67
+ version: 0.387.0
68
68
  - !ruby/object:Gem::Dependency
69
69
  name: dependabot-npm_and_yarn
70
70
  requirement: !ruby/object:Gem::Requirement
71
71
  requirements:
72
72
  - - '='
73
73
  - !ruby/object:Gem::Version
74
- version: 0.385.0
74
+ version: 0.387.0
75
75
  type: :runtime
76
76
  prerelease: false
77
77
  version_requirements: !ruby/object:Gem::Requirement
78
78
  requirements:
79
79
  - - '='
80
80
  - !ruby/object:Gem::Version
81
- version: 0.385.0
81
+ version: 0.387.0
82
82
  - !ruby/object:Gem::Dependency
83
83
  name: dependabot-python
84
84
  requirement: !ruby/object:Gem::Requirement
85
85
  requirements:
86
86
  - - '='
87
87
  - !ruby/object:Gem::Version
88
- version: 0.385.0
88
+ version: 0.387.0
89
89
  type: :runtime
90
90
  prerelease: false
91
91
  version_requirements: !ruby/object:Gem::Requirement
92
92
  requirements:
93
93
  - - '='
94
94
  - !ruby/object:Gem::Version
95
- version: 0.385.0
95
+ version: 0.387.0
96
96
  - !ruby/object:Gem::Dependency
97
97
  name: debug
98
98
  requirement: !ruby/object:Gem::Requirement
@@ -338,7 +338,7 @@ licenses:
338
338
  - MIT
339
339
  metadata:
340
340
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
341
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.385.0
341
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.387.0
342
342
  rdoc_options: []
343
343
  require_paths:
344
344
  - lib