dependabot-pub 0.260.0 → 0.261.0
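--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2cf81b6bb26d12ae3892697200ad7587f46721de4e02f6c8356a32fc03ea2983
+data.tar.gz: 3ffc7ae3afe4a9cdeea18701aa4a07d33c2c27df3487f6f65a61e0a59a2f1a25
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 75c025a9d3e3c640efd69915fc274cc38c4e3deb01ccfd155b2ef816eed232678db52613922094aa9daee5c6a2bc6f0abaee8565a5f80bab3856feab0469b3fa
+data.tar.gz: fe2b94562c43fcc97642c5e4e9ad22df18b17f8f4c5d5b3c5136b4d75fd8ff439f94eb1212ebba4dcb3aa6ea934e8e013c6195dacd72cb19930b273c14b743ba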
@@ -1,4 +1,4 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: strict
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "dependabot/file_parsers"
|
@@ -6,13 +6,17 @@ require "dependabot/file_parsers/base"
|
|
6
6
|
require "dependabot/dependency"
|
7
7
|
require "dependabot/pub/version"
|
8
8
|
require "dependabot/pub/helpers"
|
9
|
+
require "sorbet-runtime"
|
9
10
|
|
10
11
|
module Dependabot
|
11
12
|
module Pub
|
12
13
|
class FileParser < Dependabot::FileParsers::Base
|
14
|
+
extend T::Sig
|
15
|
+
|
13
16
|
require "dependabot/file_parsers/base/dependency_set"
|
14
17
|
include Dependabot::Pub::Helpers
|
15
18
|
|
19
|
+
sig { override.returns(T::Array[Dependabot::Dependency]) }
|
16
20
|
def parse
|
17
21
|
dependency_set = DependencySet.new
|
18
22
|
list.map do |d|
|
@@ -23,12 +27,14 @@ module Dependabot
|
|
23
27
|
|
24
28
|
private
|
25
29
|
|
30
|
+
sig { override.void }
|
26
31
|
def check_required_files
|
27
32
|
raise "No pubspec.yaml!" unless get_original_file("pubspec.yaml")
|
28
33
|
end
|
29
34
|
|
35
|
+
sig { returns(T::Array[Dependabot::Dependency]) }
|
30
36
|
def list
|
31
|
-
@list ||= dependency_services_list
|
37
|
+
@list ||= T.let(dependency_services_list, T.nilable(T::Array[Dependabot::Dependency]))
|
32
38
|
end
|
33
39
|
end
|
34
40
|
end
|
@@ -1,15 +1,19 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: strict
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "dependabot/file_updaters"
|
5
5
|
require "dependabot/file_updaters/base"
|
6
6
|
require "dependabot/pub/helpers"
|
7
|
+
require "sorbet-runtime"
|
7
8
|
|
8
9
|
module Dependabot
|
9
10
|
module Pub
|
10
11
|
class FileUpdater < Dependabot::FileUpdaters::Base
|
12
|
+
extend T::Sig
|
13
|
+
|
11
14
|
include Dependabot::Pub::Helpers
|
12
15
|
|
16
|
+
sig { override.returns(T::Array[Regexp]) }
|
13
17
|
def self.updated_files_regex
|
14
18
|
[
|
15
19
|
/^pubspec\.yaml$/,
|
@@ -17,12 +21,14 @@ module Dependabot
|
|
17
21
|
]
|
18
22
|
end
|
19
23
|
|
24
|
+
sig { override.returns(T::Array[DependencyFile]) }
|
20
25
|
def updated_dependency_files
|
21
26
|
dependency_services_apply(@dependencies)
|
22
27
|
end
|
23
28
|
|
24
29
|
private
|
25
30
|
|
31
|
+
sig { override.void }
|
26
32
|
def check_required_files
|
27
33
|
raise "No pubspec.yaml!" unless get_original_file("pubspec.yaml")
|
28
34
|
end
|
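Review bot: The new `sig { override.returns(T::Array[DependencyFile]) }` on `updated_dependency_files` uses the unqualified `DependencyFile`, while the other signatures added in this release spell the project types out in full (`Dependabot::Dependency`, `Dependabot::Source`, and `Dependabot::DependencyFile` in the helpers module); inside `module Dependabot` both resolve the same way, but one spelling is easier to grep and matches the rest of the change: `sig { override.returns(T::Array[Dependabot::DependencyFile]) }`. Separately, `check_required_files` now carries `sig { override.void }` yet still signals the missing manifest with a bare `raise "No pubspec.yaml!"` (a `RuntimeError`); if the base updater defines a dedicated error for a missing file, raising that would let callers rescue it specifically — the base class is not visible here. The class body continues past the end of the hunk.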
@@ -1,9 +1,10 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: true
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
+
require "digest"
|
4
5
|
require "json"
|
5
6
|
require "open3"
|
6
|
-
require "
|
7
|
+
require "sorbet-runtime"
|
7
8
|
|
8
9
|
require "dependabot/errors"
|
9
10
|
require "dependabot/logger"
|
@@ -14,17 +15,31 @@ require "dependabot/shared_helpers"
|
|
14
15
|
module Dependabot
|
15
16
|
module Pub
|
16
17
|
module Helpers
|
18
|
+
include Kernel
|
19
|
+
|
20
|
+
extend T::Sig
|
21
|
+
extend T::Helpers
|
22
|
+
|
23
|
+
abstract!
|
24
|
+
|
25
|
+
sig { returns(T::Array[Dependabot::Credential]) }
|
26
|
+
attr_reader :credentials
|
27
|
+
|
28
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
29
|
+
attr_reader :dependency_files
|
30
|
+
|
31
|
+
sig { returns(T::Hash[Symbol, T.untyped]) }
|
32
|
+
attr_reader :options
|
33
|
+
|
17
34
|
def self.pub_helpers_path
|
18
35
|
File.join(ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", nil), "pub")
|
19
36
|
end
|
20
37
|
|
21
38
|
def self.run_infer_sdk_versions(dir, url: nil)
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
chdir: dir
|
27
|
-
)
|
39
|
+
env = {}
|
40
|
+
cmd = File.join(pub_helpers_path, "infer_sdk_versions")
|
41
|
+
opts = url ? "--flutter-releases-url=#{url}" : ""
|
42
|
+
stdout, _, status = Open3.capture3(env, cmd, opts, chdir: dir)
|
28
43
|
return nil unless status.success?
|
29
44
|
|
30
45
|
JSON.parse(stdout)
|
@@ -58,42 +73,10 @@ module Dependabot
|
|
58
73
|
end
|
59
74
|
end
|
60
75
|
|
61
|
-
def dependency_services_smallest_update
|
62
|
-
return @smallest_update if @smallest_update
|
63
|
-
|
64
|
-
security_advisories.each do |a|
|
65
|
-
# Sanity check, that we only get the advisories for a single package
|
66
|
-
# at a time. If we got all advisories for all current dependencies,
|
67
|
-
# the helper would be able to handle it, but we would need a better
|
68
|
-
# way to find the repository url.
|
69
|
-
if a.dependency_name != dependency.name
|
70
|
-
raise "Only expected advisories for #{dependency.name} got for #{a.dependency_name}"
|
71
|
-
end
|
72
|
-
end
|
73
|
-
vulnerable_versions = available_versions(dependency).select do |v|
|
74
|
-
security_advisories.any? { |a| a.vulnerable?(v) }
|
75
|
-
end
|
76
|
-
input = {
|
77
|
-
# For "smallest update" we don't cache the report to be shared between
|
78
|
-
# dependencies, but run a specific report for the current dependency.
|
79
|
-
target: dependency.name,
|
80
|
-
disallowed:
|
81
|
-
[
|
82
|
-
{
|
83
|
-
name: dependency.name,
|
84
|
-
url: repository_url(dependency),
|
85
|
-
versions: vulnerable_versions.map { |v| { range: v.to_s } }
|
86
|
-
}
|
87
|
-
]
|
88
|
-
}
|
89
|
-
report = JSON.parse(run_dependency_services("report", stdin_data: JSON.generate(input)))["dependencies"]
|
90
|
-
@smallest_update = report.find { |d| d["name"] == dependency.name }["smallestUpdate"]
|
91
|
-
end
|
92
|
-
|
93
76
|
def dependency_services_report
|
94
77
|
sha256 = Digest::SHA256.new
|
95
78
|
dependency_files.each do |f|
|
96
|
-
sha256 << (f.path + "\n" + f.content + "\n")
|
79
|
+
sha256 << (f.path + "\n" + T.must(f.content) + "\n")
|
97
80
|
end
|
98
81
|
hash = sha256.hexdigest
|
99
82
|
|
@@ -165,7 +148,7 @@ module Dependabot
|
|
165
148
|
## Returns the sdk versions
|
166
149
|
def ensure_right_flutter_release(dir)
|
167
150
|
versions = Helpers.run_infer_sdk_versions(
|
168
|
-
File.join(dir, dependency_files.first
|
151
|
+
File.join(dir, dependency_files.first&.directory),
|
169
152
|
url: options[:flutter_releases_url]
|
170
153
|
)
|
171
154
|
flutter_ref =
|
@@ -251,7 +234,7 @@ module Dependabot
|
|
251
234
|
# TODO(sigurdm): Would be nice to have a better handle for fixing the dart sdk version.
|
252
235
|
"_PUB_TEST_SDK_VERSION" => sdk_versions["dart"]
|
253
236
|
}
|
254
|
-
command_dir = File.join(temp_dir, dependency_files.first
|
237
|
+
command_dir = File.join(temp_dir, dependency_files.first&.directory)
|
255
238
|
|
256
239
|
stdout, stderr, status = Open3.capture3(
|
257
240
|
env.compact,
|
@@ -329,7 +312,7 @@ module Dependabot
|
|
329
312
|
}
|
330
313
|
end
|
331
314
|
end
|
332
|
-
Dependency.new(**params)
|
315
|
+
Dependency.new(**T.unsafe(params))
|
333
316
|
end
|
334
317
|
|
335
318
|
# expects "auto" to already have been resolved to one of the other
|
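Review bot: In the `run_infer_sdk_versions` hunk, `opts = url ? "--flutter-releases-url=#{url}" : ""` hands the helper an empty string as a positional argument whenever `url` is nil, because `Open3.capture3(env, cmd, opts, chdir: dir)` always forwards `opts` as its own argv element; the removed argument handling is truncated on this page, so I cannot confirm whether the old code avoided that. Whether `infer_sdk_versions` tolerates an empty argument is not visible here, but the argv form is the right choice (no shell, so `url` cannot inject commands) and it makes omitting the flag trivial: `args = url ? ["--flutter-releases-url=#{url}"] : []` and `stdout, _, status = Open3.capture3(env, cmd, *args, chdir: dir)`. Discarding stderr (`stdout, _, status`) also means a non-zero exit silently becomes `nil` with no diagnostic; logging it through the already-required `dependabot/logger` would help operators, if that is the convention elsewhere in this file. The method's closing `end` lies outside the hunk.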
@@ -1,4 +1,4 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: strict
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "excon"
|
@@ -14,6 +14,7 @@ module Dependabot
|
|
14
14
|
class MetadataFinder < Dependabot::MetadataFinders::Base
|
15
15
|
private
|
16
16
|
|
17
|
+
sig { override.returns(T.nilable(Dependabot::Source)) }
|
17
18
|
def look_up_source
|
18
19
|
source = dependency.requirements.first&.dig(:source)
|
19
20
|
if source&.dig("type") == "git"
|
@@ -34,6 +35,7 @@ module Dependabot
|
|
34
35
|
Source.from_url(repo)
|
35
36
|
end
|
36
37
|
|
38
|
+
sig { params(repository_url: String).returns(T::Hash[String, T.untyped]) }
|
37
39
|
def repository_listing(repository_url)
|
38
40
|
response = Dependabot::RegistryClient.get(url: "#{repository_url}/api/packages/#{dependency.name}")
|
39
41
|
JSON.parse(response.body)
|
@@ -90,6 +90,38 @@ module Dependabot
|
|
90
90
|
|
91
91
|
private
|
92
92
|
|
93
|
+
def dependency_services_smallest_update
|
94
|
+
return @smallest_update if @smallest_update
|
95
|
+
|
96
|
+
security_advisories.each do |a|
|
97
|
+
# Sanity check, that we only get the advisories for a single package
|
98
|
+
# at a time. If we got all advisories for all current dependencies,
|
99
|
+
# the helper would be able to handle it, but we would need a better
|
100
|
+
# way to find the repository url.
|
101
|
+
if a.dependency_name != dependency.name
|
102
|
+
raise "Only expected advisories for #{dependency.name} got for #{a.dependency_name}"
|
103
|
+
end
|
104
|
+
end
|
105
|
+
vulnerable_versions = available_versions(dependency).select do |v|
|
106
|
+
security_advisories.any? { |a| a.vulnerable?(v) }
|
107
|
+
end
|
108
|
+
input = {
|
109
|
+
# For "smallest update" we don't cache the report to be shared between
|
110
|
+
# dependencies, but run a specific report for the current dependency.
|
111
|
+
target: dependency.name,
|
112
|
+
disallowed:
|
113
|
+
[
|
114
|
+
{
|
115
|
+
name: dependency.name,
|
116
|
+
url: repository_url(dependency),
|
117
|
+
versions: vulnerable_versions.map { |v| { range: v.to_s } }
|
118
|
+
}
|
119
|
+
]
|
120
|
+
}
|
121
|
+
report = JSON.parse(run_dependency_services("report", stdin_data: JSON.generate(input)))["dependencies"]
|
122
|
+
@smallest_update = report.find { |d| d["name"] == dependency.name }["smallestUpdate"]
|
123
|
+
end
|
124
|
+
|
93
125
|
# Returns unparsed_version if it looks like a git-revision.
|
94
126
|
#
|
95
127
|
# Otherwise it will be parsed with Dependabot::Pub::Version.new and
|
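Review bot: In the moved `dependency_services_smallest_update`, the last line `report.find { |d| d["name"] == dependency.name }["smallestUpdate"]` indexes the result of `find` without a nil check, so a report that omits the target dependency (or a payload without a `"dependencies"` key, which makes `report` itself nil) fails with a bare `NoMethodError` instead of a message naming the package; splitting it as `entry = report.find { |d| d["name"] == dependency.name }` / `raise "No report entry for #{dependency.name}" unless entry` / `@smallest_update = entry["smallestUpdate"]` keeps the happy path unchanged and makes the failure diagnosable. The guard `return @smallest_update if @smallest_update` also never memoizes a `nil` or `false` result, so a dependency with no smallest update re-runs the helper on every call; `return @smallest_update if defined?(@smallest_update)` would cache it, if re-running is not intended. The method is moved verbatim from the helpers module, so both issues are pre-existing, but this is the natural place to fix them. The enclosing class begins outside the hunk.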
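--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-pub
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.261.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-
+date: 2024-06-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.261.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.261.0
 - !ruby/object:Gem::Dependency
 name: debug
 requirement: !ruby/object:Gem::Requirement
@@ -256,7 +256,7 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
+changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.261.0
 post_install_message:
 rdoc_options: []
 require_paths: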