dependabot-pub 0.212.0 → 0.214.0

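--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: fd396990d0534aa0e083d063237cb2e49b29311d8909097f93e9ba9875a440ee
- data.tar.gz: 11b3cd736296b07f6a8fac4f8976b0df157127bfdf372d325b5b7c3e8fc6a4e6
+ metadata.gz: d727a361fb81d56fa752aeb69bc5515c8ee2761f6f612069382e0c68bdfa2717
+ data.tar.gz: b25f27d1ffbda1a9d2a859ab0e082cf6c53005ed9a742b939f00c5b5e8e3cc07
  SHA512:
- metadata.gz: 6c4ed82fd24db8fd4af09d393b177646d55c3ba296fc1202dc50665c3809f660e1395908920672f1b2ab44216457d37426cb4c2296a69a3a92927913776c0df0
- data.tar.gz: 4a111393f6d02f1fd448a401782a7bd619b96a9200b7ac18cfaf9b6eebcb0b7d0a72f78e9d3411cff2f196f14fd17aede65789b59d9e37553cbea2e285f7b470
+ metadata.gz: 06451a70a859aceb04eb731058f942391092f531834fbc93ab6fb9416b9ec356b08260bf500585b11aef0d597f6ef1e54bc1e6b379ec65dcf378cbe1e67bd44d
+ data.tar.gz: d9663a74898cfb97e3b78a0753c5772bd9b19ff05b7d56f4faadd57ae2cf71982bf26fbd59b3a895e6e398bc7fe5614ef50f2923cac0b38fd2d0f70a4e695011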
@@ -5,6 +5,7 @@ require "open3"
5
5
  require "digest"
6
6
 
7
7
  require "dependabot/errors"
8
+ require "dependabot/logger"
8
9
  require "dependabot/shared_helpers"
9
10
  require "dependabot/pub/requirement"
10
11
 
@@ -61,6 +62,7 @@ module Dependabot
61
62
  def ensure_flutter_repo
62
63
  return if File.directory?("/tmp/flutter/.git")
63
64
 
65
+ Dependabot.logger.info "Cloning the flutter repo https://github.com/flutter/flutter."
64
66
  # Make a flutter checkout
65
67
  _, stderr, status = Open3.capture3(
66
68
  {},
@@ -76,6 +78,7 @@ module Dependabot
76
78
  # Will ensure that /tmp/flutter contains the flutter repo checked out at `ref`.
77
79
  def check_out_flutter_ref(ref)
78
80
  ensure_flutter_repo
81
+ Dependabot.logger.info "Checking out Flutter version #{ref}"
79
82
  # Ensure we have the right version (by tag)
80
83
  _, stderr, status = Open3.capture3(
81
84
  {},
@@ -106,43 +109,70 @@ module Dependabot
106
109
  def ensure_right_flutter_release
107
110
  @ensure_right_flutter_release ||= begin
108
111
  versions = Helpers.run_infer_sdk_versions url: options[:flutter_releases_url]
109
- flutter_ref = if versions
110
- "refs/tags/#{versions['flutter']}"
111
- else
112
- # Choose the 'stable' version if the tool failed to infer a version.
113
- "stable"
114
- end
112
+ flutter_ref =
113
+ if versions
114
+ Dependabot.logger.info(
115
+ "Installing the Flutter SDK version: #{versions['flutter']} " \
116
+ "from channel #{versions['channel']} with Dart #{versions['dart']}"
117
+ )
118
+ "refs/tags/#{versions['flutter']}"
119
+ else
120
+ Dependabot.logger.info(
121
+ "Failed to infer the flutter version. Attempting to use latest stable release."
122
+ )
123
+ # Choose the 'stable' version if the tool failed to infer a version.
124
+ "stable"
125
+ end
115
126
 
116
127
  check_out_flutter_ref flutter_ref
128
+ run_flutter_doctor
129
+ run_flutter_version
130
+ end
131
+ end
117
132
 
118
- # Run `flutter --version` to make Flutter download engine artifacts and create flutter/version.
119
- _, stderr, status = Open3.capture3(
120
- {},
121
- "/tmp/flutter/bin/flutter",
122
- "doctor",
123
- chdir: "/tmp/flutter/"
124
- )
125
- raise Dependabot::DependabotError, "Running 'flutter doctor' failed: #{stderr}" unless status.success?
133
+ def run_flutter_doctor
134
+ Dependabot.logger.info(
135
+ "Running `flutter doctor` to install artifacts and create flutter/version."
136
+ )
137
+ _, stderr, status = Open3.capture3(
138
+ {},
139
+ "/tmp/flutter/bin/flutter",
140
+ "doctor",
141
+ chdir: "/tmp/flutter/"
142
+ )
143
+ raise Dependabot::DependabotError, "Running 'flutter doctor' failed: #{stderr}" unless status.success?
144
+ end
126
145
 
127
- # Run `flutter --version --machine` to get the current flutter version.
128
- stdout, stderr, status = Open3.capture3(
129
- {},
130
- "/tmp/flutter/bin/flutter",
131
- "--version",
132
- "--machine",
133
- chdir: "/tmp/flutter/"
134
- )
135
- unless status.success?
136
- raise Dependabot::DependabotError,
137
- "Running 'flutter --version --machine' failed: #{stderr}"
138
- end
146
+ # Runs `flutter version` and returns the dart and flutter version numbers in a map.
147
+ def run_flutter_version
148
+ Dependabot.logger.info "Running `flutter --version`"
149
+ # Run `flutter --version --machine` to get the current flutter version.
150
+ stdout, stderr, status = Open3.capture3(
151
+ {},
152
+ "/tmp/flutter/bin/flutter",
153
+ "--version",
154
+ "--machine",
155
+ chdir: "/tmp/flutter/"
156
+ )
157
+ unless status.success?
158
+ raise Dependabot::DependabotError,
159
+ "Running 'flutter --version --machine' failed: #{stderr}"
160
+ end
139
161
 
140
- parsed = JSON.parse(stdout)
141
- {
142
- "flutter" => parsed["frameworkVersion"],
143
- "dart" => parsed["dartSdkVersion"].split.first
144
- }
162
+ parsed = JSON.parse(stdout)
163
+ flutter_version = parsed["frameworkVersion"]
164
+ dart_version = parsed["dartSdkVersion"]&.split&.first
165
+ unless flutter_version && dart_version
166
+ raise Dependabot::DependabotError,
167
+ "Bad output from `flutter --version`: #{stdout}"
145
168
  end
169
+ Dependabot.logger.info(
170
+ "Installed the Flutter SDK version: #{flutter_version} with Dart #{dart_version}."
171
+ )
172
+ {
173
+ "flutter" => flutter_version,
174
+ "dart" => dart_version
175
+ }
146
176
  end
147
177
 
148
178
  def run_dependency_services(command, stdin_data: nil)
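Review bot: In run_flutter_version the new `unless flutter_version && dart_version` guard only covers half of the bad-output cases, because `parsed = JSON.parse(stdout)` just above it still lets a JSON::ParserError escape as a raw exception instead of the Dependabot::DependabotError the guard raises; wrapping the parse in a begin/rescue and re-raising as the same error type gives callers one failure mode for "tool produced garbage". The `versions['flutter']`, `versions['channel']` and `versions['dart']` values interpolated into the info lines here (and `ref` in the check_out_flutter_ref hunk above) appear to come from the response fetched via `options[:flutter_releases_url]`, so logging them raw lets a tampered response insert newlines or control characters into the log stream; `#{versions['flutter'].inspect}` or stripping control characters before interpolation avoids that. The comment on run_flutter_version says it runs `flutter version` while the command is `flutter --version --machine`; `# Runs flutter --version --machine and returns the dart and flutter version numbers in a map.` would be accurate. Both ensure_right_flutter_release and run_flutter_version are fully contained in this hunk.
```ruby
def run_flutter_version
  # … unchanged: logging and the Open3.capture3 call with its status check …
  begin
    parsed = JSON.parse(stdout)
  rescue JSON::ParserError => e
    raise Dependabot::DependabotError,
          "Bad output from `flutter --version`: #{e.message}"
  end
  flutter_version = parsed["frameworkVersion"]
  dart_version = parsed["dartSdkVersion"]&.split&.first
  # … unchanged: nil check, success log and returned hash …
```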
@@ -15,7 +15,7 @@ module Dependabot
15
15
  version_pattern = Pub::Version::VERSION_PATTERN
16
16
 
17
17
  PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*"
18
- PATTERN = /\A#{PATTERN_RAW}\z/.freeze
18
+ PATTERN = /\A#{PATTERN_RAW}\z/
19
19
 
20
20
  # Use Pub::Version rather than Gem::Version to ensure that
21
21
  # pre-release versions aren't transformed.
@@ -32,7 +32,7 @@ module Dependabot
32
32
  [matches[1] || "=", Pub::Version.new(matches[2])]
33
33
  end
34
34
 
35
- # For consistency with other langauges, we define a requirements array.
35
+ # For consistency with other languages, we define a requirements array.
36
36
  # Dart doesn't have an `OR` separator for requirements, so it always
37
37
  # contains a single element.
38
38
  def self.requirements_array(requirement_string)
@@ -2,6 +2,7 @@
2
2
 
3
3
  require "dependabot/update_checkers"
4
4
  require "dependabot/update_checkers/base"
5
+ require "dependabot/update_checkers/version_filters"
5
6
  require "dependabot/pub/helpers"
6
7
  require "yaml"
7
8
  module Dependabot
@@ -34,6 +35,29 @@ module Dependabot
34
35
  version_unless_ignored(entry["version"])
35
36
  end
36
37
 
38
+ def lowest_resolvable_security_fix_version
39
+ raise "Dependency not vulnerable!" unless vulnerable?
40
+
41
+ lowest_security_fix_version
42
+ end
43
+
44
+ def lowest_security_fix_version
45
+ # TODO: Pub lacks a lowest-non-vulnerable version strategy, for now we simply bump to latest resolvable:
46
+ # https://github.com/dependabot/dependabot-core/issues/5391
47
+ relevant_version = latest_resolvable_version
48
+ return unless relevant_version
49
+
50
+ # NOTE: in other ecosystems, the native helpers return a list of possible versions, to which we apply
51
+ # post-filtering. Ideally we move toward a world where we hand the native helper a list of ignored versions
52
+ # and possibly a flag indicating "use min version rather than max". The pub team is interested in supporting
53
+ # that. But in the meantime for internal consistency with other dependabot ecosystem implementations I kept
54
+ # `relevant_versions` as an array.
55
+ relevant_versions = [relevant_version]
56
+ relevant_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(relevant_versions,
57
+ security_advisories)
58
+ relevant_versions.min
59
+ end
60
+
37
61
  def updated_requirements
38
62
  # Requirements that need to be changed, if obtain:
39
63
  # latest_resolvable_version
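Review bot: The two-step reassignment of `relevant_versions` in lowest_security_fix_version reads as an accumulator that never accumulates; the same result is one expression, `Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions([relevant_version], security_advisories).min`, and the NOTE comment above it already explains why an array is used. Going by its name, the filter presumably drops versions still covered by `security_advisories`, in which case the method returns nil whenever the single candidate (`latest_resolvable_version`) is itself vulnerable — a short comment such as `# nil when the latest resolvable version is still vulnerable: no fix is available` would stop callers from reading that nil as "nothing to do". `raise "Dependency not vulnerable!"` in lowest_resolvable_security_fix_version raises a bare RuntimeError; if that mirrors the base class it is fine, otherwise a Dependabot error class would match the rest of the file.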
@@ -17,7 +17,7 @@ module Dependabot
17
17
  module Pub
18
18
  class Version < Gem::Version
19
19
  VERSION_PATTERN = Gem::Version::VERSION_PATTERN + "(\\+[0-9a-zA-Z\\-.]+)?"
20
- ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/.freeze
20
+ ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
21
21
 
22
22
  attr_reader :build_info
23
23
 
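--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: dependabot-pub
  version: !ruby/object:Gem::Version
- version: 0.212.0
+ version: 0.214.0
  platform: ruby
  authors:
  - Dependabot
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-09-06 00:00:00.000000000 Z
+ date: 2022-12-01 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: dependabot-common
@@ -16,42 +16,28 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.212.0
+ version: 0.214.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.212.0
+ version: 0.214.0
  - !ruby/object:Gem::Dependency
- name: debase
+ name: webrick
  requirement: !ruby/object:Gem::Requirement
  requirements:
- - - '='
- - !ruby/object:Gem::Version
- version: 0.2.3
- type: :development
- prerelease: false
- version_requirements: !ruby/object:Gem::Requirement
- requirements:
- - - '='
- - !ruby/object:Gem::Version
- version: 0.2.3
- - !ruby/object:Gem::Dependency
- name: debase-ruby_core_source
- requirement: !ruby/object:Gem::Requirement
- requirements:
- - - '='
+ - - ">="
  - !ruby/object:Gem::Version
- version: 0.10.16
+ version: '1.7'
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
- - - '='
+ - - ">="
  - !ruby/object:Gem::Version
- version: 0.10.16
+ version: '1.7'
  - !ruby/object:Gem::Dependency
  name: debug
  requirement: !ruby/object:Gem::Requirement
@@ -86,14 +72,14 @@ dependencies:
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 3.12.0
+ version: 4.0.0
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 3.12.0
+ version: 4.0.0
  - !ruby/object:Gem::Dependency
  name: rake
  requirement: !ruby/object:Gem::Requirement
@@ -142,42 +128,28 @@ dependencies:
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 1.36.0
+ version: 1.39.0
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 1.36.0
+ version: 1.39.0
  - !ruby/object:Gem::Dependency
  name: rubocop-performance
  requirement: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 1.14.2
- type: :development
- prerelease: false
- version_requirements: !ruby/object:Gem::Requirement
- requirements:
- - - "~>"
- - !ruby/object:Gem::Version
- version: 1.14.2
- - !ruby/object:Gem::Dependency
- name: ruby-debug-ide
- requirement: !ruby/object:Gem::Requirement
- requirements:
- - - "~>"
- - !ruby/object:Gem::Version
- version: 0.7.3
+ version: 1.15.0
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 0.7.3
+ version: 1.15.0
  - !ruby/object:Gem::Dependency
  name: simplecov
  requirement: !ruby/object:Gem::Requirement
@@ -276,14 +248,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
  - !ruby/object:Gem::Version
- version: 2.7.0
+ version: 3.1.0
  required_rubygems_version: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
  - !ruby/object:Gem::Version
- version: 2.7.0
+ version: 3.1.0
  requirements: []
- rubygems_version: 3.1.6
+ rubygems_version: 3.3.7
  signing_key:
  specification_version: 4
  summary: Dart (pub) support for dependabot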