dependabot-pub 0.260.0 → 0.261.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 33efd49d4b7f3cf34a121dc6d740012a3e6c14ede42d5cde6374b2e81f0ec780
|
|
4
|
+
data.tar.gz: 1a58dcbbe9630ece66a3c78533768ea57301344a33623a3b0ae988ee5433769e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ce4239def226438a72e3e469b6e45e8bbe9c29713d2cd8bdc3d58498cc4be332846072ea0eb0225ad3ae5998a829db1b29051377652df4d5a2e4f41ebedc2742
|
|
7
|
+
data.tar.gz: 95197c467a01b7dab6c10e575d0a36f470eeeac64d4800ecaf750ca8c1e3d0e11d71fcca5a2155c2a1d38be626e3637f9ab0e7427cf1422977aff44a74c842ae
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "dependabot/file_parsers"
|
|
@@ -6,13 +6,17 @@ require "dependabot/file_parsers/base"
|
|
|
6
6
|
require "dependabot/dependency"
|
|
7
7
|
require "dependabot/pub/version"
|
|
8
8
|
require "dependabot/pub/helpers"
|
|
9
|
+
require "sorbet-runtime"
|
|
9
10
|
|
|
10
11
|
module Dependabot
|
|
11
12
|
module Pub
|
|
12
13
|
class FileParser < Dependabot::FileParsers::Base
|
|
14
|
+
extend T::Sig
|
|
15
|
+
|
|
13
16
|
require "dependabot/file_parsers/base/dependency_set"
|
|
14
17
|
include Dependabot::Pub::Helpers
|
|
15
18
|
|
|
19
|
+
sig { override.returns(T::Array[Dependabot::Dependency]) }
|
|
16
20
|
def parse
|
|
17
21
|
dependency_set = DependencySet.new
|
|
18
22
|
list.map do |d|
|
|
@@ -23,12 +27,14 @@ module Dependabot
|
|
|
23
27
|
|
|
24
28
|
private
|
|
25
29
|
|
|
30
|
+
sig { override.void }
|
|
26
31
|
def check_required_files
|
|
27
32
|
raise "No pubspec.yaml!" unless get_original_file("pubspec.yaml")
|
|
28
33
|
end
|
|
29
34
|
|
|
35
|
+
sig { returns(T::Array[Dependabot::Dependency]) }
|
|
30
36
|
def list
|
|
31
|
-
@list ||= dependency_services_list
|
|
37
|
+
@list ||= T.let(dependency_services_list, T.nilable(T::Array[Dependabot::Dependency]))
|
|
32
38
|
end
|
|
33
39
|
end
|
|
34
40
|
end
|
|
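Review bot: The `@list ||= T.let(dependency_services_list, T.nilable(T::Array[Dependabot::Dependency]))` memoization in `list` neither caches nor rejects a nil result: `||=` re-runs the helper on every call, and the new `returns(T::Array[Dependabot::Dependency])` sig then fails at runtime with a Sorbet TypeError, which is a poor first signal; whether `dependency_services_list` can return nil is not visible from this hunk. If nil is impossible, a one-line comment saves the next reader the question, `# Memoized; dependency_services_list always returns an Array (shells out to the pub helper once per parser)`. If it is possible, make the contract explicit with `dependency_services_list || []` inside the `T.let`, or raise with a clear message before the sig does. The body of `parse` continues outside the hunk.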
@@ -1,15 +1,19 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "dependabot/file_updaters"
|
|
5
5
|
require "dependabot/file_updaters/base"
|
|
6
6
|
require "dependabot/pub/helpers"
|
|
7
|
+
require "sorbet-runtime"
|
|
7
8
|
|
|
8
9
|
module Dependabot
|
|
9
10
|
module Pub
|
|
10
11
|
class FileUpdater < Dependabot::FileUpdaters::Base
|
|
12
|
+
extend T::Sig
|
|
13
|
+
|
|
11
14
|
include Dependabot::Pub::Helpers
|
|
12
15
|
|
|
16
|
+
sig { override.returns(T::Array[Regexp]) }
|
|
13
17
|
def self.updated_files_regex
|
|
14
18
|
[
|
|
15
19
|
/^pubspec\.yaml$/,
|
|
@@ -17,12 +21,14 @@ module Dependabot
|
|
|
17
21
|
]
|
|
18
22
|
end
|
|
19
23
|
|
|
24
|
+
sig { override.returns(T::Array[DependencyFile]) }
|
|
20
25
|
def updated_dependency_files
|
|
21
26
|
dependency_services_apply(@dependencies)
|
|
22
27
|
end
|
|
23
28
|
|
|
24
29
|
private
|
|
25
30
|
|
|
31
|
+
sig { override.void }
|
|
26
32
|
def check_required_files
|
|
27
33
|
raise "No pubspec.yaml!" unless get_original_file("pubspec.yaml")
|
|
28
34
|
end
|
|
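Review bot: The new sig on `updated_dependency_files` names `DependencyFile` unqualified, while every other sig in this release spells the constant out (`Dependabot::Dependency`, and `Dependabot::DependencyFile` in the helpers module); `sig { override.returns(T::Array[Dependabot::DependencyFile]) }` keeps the lookup independent of the module nesting and consistent with the rest of the change. In the same method the body reads `@dependencies` directly rather than a reader; if `Dependabot::FileUpdaters::Base` exposes `dependencies` (not visible here), `dependency_services_apply(dependencies)` goes through the typed accessor instead of the raw ivar. The array literal in `updated_files_regex` continues outside the hunk.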
@@ -1,9 +1,10 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: true
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "digest"
|
|
4
5
|
require "json"
|
|
5
6
|
require "open3"
|
|
6
|
-
require "
|
|
7
|
+
require "sorbet-runtime"
|
|
7
8
|
|
|
8
9
|
require "dependabot/errors"
|
|
9
10
|
require "dependabot/logger"
|
|
@@ -14,17 +15,31 @@ require "dependabot/shared_helpers"
|
|
|
14
15
|
module Dependabot
|
|
15
16
|
module Pub
|
|
16
17
|
module Helpers
|
|
18
|
+
include Kernel
|
|
19
|
+
|
|
20
|
+
extend T::Sig
|
|
21
|
+
extend T::Helpers
|
|
22
|
+
|
|
23
|
+
abstract!
|
|
24
|
+
|
|
25
|
+
sig { returns(T::Array[Dependabot::Credential]) }
|
|
26
|
+
attr_reader :credentials
|
|
27
|
+
|
|
28
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
29
|
+
attr_reader :dependency_files
|
|
30
|
+
|
|
31
|
+
sig { returns(T::Hash[Symbol, T.untyped]) }
|
|
32
|
+
attr_reader :options
|
|
33
|
+
|
|
17
34
|
def self.pub_helpers_path
|
|
18
35
|
File.join(ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", nil), "pub")
|
|
19
36
|
end
|
|
20
37
|
|
|
21
38
|
def self.run_infer_sdk_versions(dir, url: nil)
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
chdir: dir
|
|
27
|
-
)
|
|
39
|
+
env = {}
|
|
40
|
+
cmd = File.join(pub_helpers_path, "infer_sdk_versions")
|
|
41
|
+
opts = url ? "--flutter-releases-url=#{url}" : ""
|
|
42
|
+
stdout, _, status = Open3.capture3(env, cmd, opts, chdir: dir)
|
|
28
43
|
return nil unless status.success?
|
|
29
44
|
|
|
30
45
|
JSON.parse(stdout)
|
|
@@ -58,42 +73,10 @@ module Dependabot
|
|
|
58
73
|
end
|
|
59
74
|
end
|
|
60
75
|
|
|
61
|
-
def dependency_services_smallest_update
|
|
62
|
-
return @smallest_update if @smallest_update
|
|
63
|
-
|
|
64
|
-
security_advisories.each do |a|
|
|
65
|
-
# Sanity check, that we only get the advisories for a single package
|
|
66
|
-
# at a time. If we got all advisories for all current dependencies,
|
|
67
|
-
# the helper would be able to handle it, but we would need a better
|
|
68
|
-
# way to find the repository url.
|
|
69
|
-
if a.dependency_name != dependency.name
|
|
70
|
-
raise "Only expected advisories for #{dependency.name} got for #{a.dependency_name}"
|
|
71
|
-
end
|
|
72
|
-
end
|
|
73
|
-
vulnerable_versions = available_versions(dependency).select do |v|
|
|
74
|
-
security_advisories.any? { |a| a.vulnerable?(v) }
|
|
75
|
-
end
|
|
76
|
-
input = {
|
|
77
|
-
# For "smallest update" we don't cache the report to be shared between
|
|
78
|
-
# dependencies, but run a specific report for the current dependency.
|
|
79
|
-
target: dependency.name,
|
|
80
|
-
disallowed:
|
|
81
|
-
[
|
|
82
|
-
{
|
|
83
|
-
name: dependency.name,
|
|
84
|
-
url: repository_url(dependency),
|
|
85
|
-
versions: vulnerable_versions.map { |v| { range: v.to_s } }
|
|
86
|
-
}
|
|
87
|
-
]
|
|
88
|
-
}
|
|
89
|
-
report = JSON.parse(run_dependency_services("report", stdin_data: JSON.generate(input)))["dependencies"]
|
|
90
|
-
@smallest_update = report.find { |d| d["name"] == dependency.name }["smallestUpdate"]
|
|
91
|
-
end
|
|
92
|
-
|
|
93
76
|
def dependency_services_report
|
|
94
77
|
sha256 = Digest::SHA256.new
|
|
95
78
|
dependency_files.each do |f|
|
|
96
|
-
sha256 << (f.path + "\n" + f.content + "\n")
|
|
79
|
+
sha256 << (f.path + "\n" + T.must(f.content) + "\n")
|
|
97
80
|
end
|
|
98
81
|
hash = sha256.hexdigest
|
|
99
82
|
|
|
@@ -165,7 +148,7 @@ module Dependabot
|
|
|
165
148
|
## Returns the sdk versions
|
|
166
149
|
def ensure_right_flutter_release(dir)
|
|
167
150
|
versions = Helpers.run_infer_sdk_versions(
|
|
168
|
-
File.join(dir, dependency_files.first
|
|
151
|
+
File.join(dir, dependency_files.first&.directory),
|
|
169
152
|
url: options[:flutter_releases_url]
|
|
170
153
|
)
|
|
171
154
|
flutter_ref =
|
|
@@ -251,7 +234,7 @@ module Dependabot
|
|
|
251
234
|
# TODO(sigurdm): Would be nice to have a better handle for fixing the dart sdk version.
|
|
252
235
|
"_PUB_TEST_SDK_VERSION" => sdk_versions["dart"]
|
|
253
236
|
}
|
|
254
|
-
command_dir = File.join(temp_dir, dependency_files.first
|
|
237
|
+
command_dir = File.join(temp_dir, dependency_files.first&.directory)
|
|
255
238
|
|
|
256
239
|
stdout, stderr, status = Open3.capture3(
|
|
257
240
|
env.compact,
|
|
@@ -329,7 +312,7 @@ module Dependabot
|
|
|
329
312
|
}
|
|
330
313
|
end
|
|
331
314
|
end
|
|
332
|
-
Dependency.new(**params)
|
|
315
|
+
Dependency.new(**T.unsafe(params))
|
|
333
316
|
end
|
|
334
317
|
|
|
335
318
|
# expects "auto" to already have been resolved to one of the other
|
|
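Review bot: In `run_infer_sdk_versions` the rewritten `opts = url ? "--flutter-releases-url=#{url}" : ""` passes a literal empty-string argument to the helper whenever `url` is nil, because `Open3.capture3(env, cmd, opts, chdir: dir)` always forwards `opts` as its own argv element; the removed lines are truncated in this rendering, so I cannot tell whether the old form had the same quirk. Build an argument list and splat it, `args = url ? ["--flutter-releases-url=#{url}"] : []` then `stdout, stderr, status = Open3.capture3(env, cmd, *args, chdir: dir)`, keeping the argv (no-shell) invocation, which is the right choice for a value that comes from options. The same method drops stderr before `return nil unless status.success?`, so a failing helper is silent; logging `stderr` through `Dependabot.logger` (the logger is already required at the top of this file) before returning would make failures diagnosable. Separately, the `dependency_files.first&.directory` edits in `ensure_right_flutter_release` and in the `command_dir` hunk only change the failure on an empty `dependency_files` from NoMethodError to a TypeError out of `File.join(dir, nil)`; `T.must(dependency_files.first).directory` states the actual precondition.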
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "excon"
|
|
@@ -14,6 +14,7 @@ module Dependabot
|
|
|
14
14
|
class MetadataFinder < Dependabot::MetadataFinders::Base
|
|
15
15
|
private
|
|
16
16
|
|
|
17
|
+
sig { override.returns(T.nilable(Dependabot::Source)) }
|
|
17
18
|
def look_up_source
|
|
18
19
|
source = dependency.requirements.first&.dig(:source)
|
|
19
20
|
if source&.dig("type") == "git"
|
|
@@ -34,6 +35,7 @@ module Dependabot
|
|
|
34
35
|
Source.from_url(repo)
|
|
35
36
|
end
|
|
36
37
|
|
|
38
|
+
sig { params(repository_url: String).returns(T::Hash[String, T.untyped]) }
|
|
37
39
|
def repository_listing(repository_url)
|
|
38
40
|
response = Dependabot::RegistryClient.get(url: "#{repository_url}/api/packages/#{dependency.name}")
|
|
39
41
|
JSON.parse(response.body)
|
|
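Review bot: The new `sig { params(repository_url: String).returns(T::Hash[String, T.untyped]) }` on `repository_listing` turns any non-object JSON body from the registry (an array, a string, `null`) into a Sorbet TypeError raised at the return, which is a less actionable failure than a deliberate check; either document the contract with a short comment, `# The registry's /api/packages/<name> endpoint returns a JSON object; a non-object body fails the sig`, or verify `JSON.parse(response.body)` is a Hash before returning it. The URL in that method interpolates `dependency.name` straight into the path without encoding; that is pre-existing and pub package names are restricted in practice, but a `# name is not URL-encoded — relies on registry-validated package names` note would record the assumption. `look_up_source` continues past the hunk, so its `T.nilable(Dependabot::Source)` return could not be checked against every branch.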
@@ -90,6 +90,38 @@ module Dependabot
|
|
|
90
90
|
|
|
91
91
|
private
|
|
92
92
|
|
|
93
|
+
def dependency_services_smallest_update
|
|
94
|
+
return @smallest_update if @smallest_update
|
|
95
|
+
|
|
96
|
+
security_advisories.each do |a|
|
|
97
|
+
# Sanity check, that we only get the advisories for a single package
|
|
98
|
+
# at a time. If we got all advisories for all current dependencies,
|
|
99
|
+
# the helper would be able to handle it, but we would need a better
|
|
100
|
+
# way to find the repository url.
|
|
101
|
+
if a.dependency_name != dependency.name
|
|
102
|
+
raise "Only expected advisories for #{dependency.name} got for #{a.dependency_name}"
|
|
103
|
+
end
|
|
104
|
+
end
|
|
105
|
+
vulnerable_versions = available_versions(dependency).select do |v|
|
|
106
|
+
security_advisories.any? { |a| a.vulnerable?(v) }
|
|
107
|
+
end
|
|
108
|
+
input = {
|
|
109
|
+
# For "smallest update" we don't cache the report to be shared between
|
|
110
|
+
# dependencies, but run a specific report for the current dependency.
|
|
111
|
+
target: dependency.name,
|
|
112
|
+
disallowed:
|
|
113
|
+
[
|
|
114
|
+
{
|
|
115
|
+
name: dependency.name,
|
|
116
|
+
url: repository_url(dependency),
|
|
117
|
+
versions: vulnerable_versions.map { |v| { range: v.to_s } }
|
|
118
|
+
}
|
|
119
|
+
]
|
|
120
|
+
}
|
|
121
|
+
report = JSON.parse(run_dependency_services("report", stdin_data: JSON.generate(input)))["dependencies"]
|
|
122
|
+
@smallest_update = report.find { |d| d["name"] == dependency.name }["smallestUpdate"]
|
|
123
|
+
end
|
|
124
|
+
|
|
93
125
|
# Returns unparsed_version if it looks like a git-revision.
|
|
94
126
|
#
|
|
95
127
|
# Otherwise it will be parsed with Dependabot::Pub::Version.new and
|
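Review bot: `dependency_services_smallest_update` is moved into this file essentially verbatim (the removed copy is in the `@@ -58,42 +73,10 @@` hunk above), and the move keeps two soft spots worth fixing while the code is touched: `report.find { |d| d["name"] == dependency.name }["smallestUpdate"]` raises a bare NoMethodError on nil when the helper's report has no entry for the package, and `return @smallest_update if @smallest_update` never caches a nil result, so the helper is re-run on every call when no smallest update exists. A clearer failure is `entry = report.find { |d| d["name"] == dependency.name }` followed by `raise "No report entry for #{dependency.name}" unless entry` and `@smallest_update = entry["smallestUpdate"]`. The method also lands without a sig while the sibling files in this release move to `typed: strict`; this file's `# typed:` header is outside the hunk, so that may be intentional.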
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-pub
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.261.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-06-
|
|
11
|
+
date: 2024-06-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.261.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.261.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -256,7 +256,7 @@ licenses:
|
|
|
256
256
|
- MIT
|
|
257
257
|
metadata:
|
|
258
258
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
259
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
259
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.261.1
|
|
260
260
|
post_install_message:
|
|
261
261
|
rdoc_options: []
|
|
262
262
|
require_paths:
|