RubyGems - dependabot-pub - Versions diffs - 0.313.0 → 0.314.0 - Mend

dependabot-pub 0.313.0 → 0.314.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/dependabot/pub/helpers.rb +5 -0
data/lib/dependabot/pub/package/package_details_fetcher.rb +114 -0
data/lib/dependabot/pub/update_checker/latest_version_finder.rb +215 -0
data/lib/dependabot/pub/update_checker.rb +46 -43
metadata +7 -5

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '01096fb7d16aa388209c212b5886f6e18663855ec26ead152776f5a58af5ef5e'
-  data.tar.gz: f4df8bca6ca81d4e876e24d0be79a544c91b708e8aa6bfaaadda206ef7519289
+  metadata.gz: b1d8d80fff978983eed70309e27fff98acb23bd39b17465cf5f8f4a4b54e7143
+  data.tar.gz: b713d25fcd36c560602fb896d0aa0c6c7b33d74097274ac633f736b9e79db15b
 SHA512:
-  metadata.gz: 50f5e426b7c6bbf96d8e0e199488b78b30606e7c871e894fc63eeeaf4c1c8951e01c392b80c6569f349163e2b824fb6842690ccd3c881f31c7ce08c1c2d89727
-  data.tar.gz: 6c0121a571a1a25b82d38b3b0fd294294d0503c7fca43bd6105f63ca4515f5a070070c6ea4948afa6d98be4bf186c6845a766f254716e1ab957cff0b90fa9d1d
+  metadata.gz: 8df8ac5de2592d0c59e926483115141fd28788d9b89873e101bcf3d906740706bcfb621296c36bafc6420fd3a5c2754824982ebadd2505a8d47534ff956f94ad
+  data.tar.gz: ce021fa1b516ea8a806ca620374691d3b5565f9f0dd03772354bec6b1b7f55018513ceefe992d408eaf168c4f64fc893624ab44b32ce8a6cb117d4e0ff66a21d

data/lib/dependabot/pub/helpers.rb CHANGED Viewed

@@ -120,6 +120,11 @@ module Dependabot
         )
       end
+      sig { params(dependency: Dependabot::Dependency).returns(Excon::Response) }
+      def fetch_package_metadata(dependency)
+        Dependabot::RegistryClient.get(url: "#{repository_url(dependency)}/api/packages/#{dependency.name}")
+      end
       # Clones the flutter repo into /tmp/flutter if needed
       sig { void }
       def ensure_flutter_repo

data/lib/dependabot/pub/package/package_details_fetcher.rb ADDED Viewed

@@ -0,0 +1,114 @@
+# typed: strict
+# frozen_string_literal: true
+require "json"
+require "time"
+require "cgi"
+require "excon"
+require "nokogiri"
+require "sorbet-runtime"
+require "dependabot/registry_client"
+require "dependabot/pub"
+require "dependabot/package/package_release"
+require "dependabot/package/package_details"
+require "dependabot/pub/helpers"
+require "dependabot/requirements_update_strategy"
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/update_checkers/version_filters"
+module Dependabot
+  module Pub
+    module Package
+      class PackageDetailsFetcher
+        extend T::Sig
+        include Dependabot::Pub::Helpers
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+        sig { override.returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+        sig { override.returns(T::Hash[Symbol, T.untyped]) }
+        attr_reader :options
+        sig { override.returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            ignored_versions: T::Array[String],
+            security_advisories: T::Array[Dependabot::SecurityAdvisory],
+            options: T::Hash[Symbol, T.untyped]
+          )
+            .void
+        end
+        def initialize(dependency:, dependency_files:, credentials:,
+                       ignored_versions: [],
+                       security_advisories: [], options: {})
+          @dependency = dependency
+          @dependency_files = dependency_files
+          @credentials = credentials
+          @ignored_versions = ignored_versions
+          @security_advisories = security_advisories
+          @options = options
+        end
+        sig { returns(T::Array[T::Hash[String, T.untyped]]) }
+        def report
+          @report ||= T.let(
+            dependency_services_report,
+            T.nilable(T::Array[T::Hash[String, T.untyped]])
+          )
+        end
+        sig { returns(T.any(T::Array[Dependabot::Package::PackageRelease], T.untyped)) }
+        def package_details_metadata
+          package_releases = []
+          T.let({}, T::Hash[String, T.untyped])
+          Dependabot.logger.error("Initializing package metadata for \"#{@dependency.name}\"")
+          response = fetch_package_metadata(dependency)
+          return package_releases if response.status >= 500
+          begin
+            package_details_metadata = JSON.parse(response.body)
+            package_details_metadata["versions"].select do |v|
+              package_releases << package_release(version: v["version"],
+                                                  publish_date: Time.parse(v["published"]))
+            end
+            package_releases
+          rescue JSON::ParserError
+            Dependabot.logger.error("Failed to parse package metadata")
+            package_releases
+          end
+        rescue StandardError => e
+          Dependabot.logger.error("Failed to fetch package metadata #{e.message}")
+          package_releases
+        end
+        private
+        sig do
+          params(
+            version: String,
+            publish_date: T.nilable(Time)
+          ).returns(Dependabot::Package::PackageRelease)
+        end
+        def package_release(version:, publish_date: nil)
+          Dependabot::Package::PackageRelease.new(
+            version: Pub::Version.new(version),
+            released_at: publish_date
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/pub/update_checker/latest_version_finder.rb ADDED Viewed

@@ -0,0 +1,215 @@
+# typed: strict
+# frozen_string_literal: true
+require "excon"
+require "dependabot/pub/update_checker"
+require "dependabot/update_checkers/version_filters"
+require "dependabot/registry_client"
+require "dependabot/pub/package/package_details_fetcher"
+require "dependabot/package/package_latest_version_finder"
+require "sorbet-runtime"
+module Dependabot
+  module Pub
+    class UpdateChecker
+      class LatestVersionFinder
+        extend T::Sig
+        include Dependabot::Pub::Package
+        DAY_IN_SECONDS = T.let(24 * 60 * 60, Integer)
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential],
+            ignored_versions: T::Array[String],
+            security_advisories: T::Array[Dependabot::SecurityAdvisory],
+            options: T::Hash[Symbol, T.untyped],
+            cooldown_options: T.nilable(Dependabot::Package::ReleaseCooldownOptions)
+          ).void
+        end
+        def initialize(dependency:, dependency_files:, credentials:,
+                       ignored_versions: [],
+                       security_advisories: [], options: {},
+                       cooldown_options: nil)
+          @dependency = dependency
+          @dependency_files = dependency_files
+          @credentials = credentials
+          @ignored_versions = ignored_versions
+          @security_advisories = security_advisories
+          @options = options
+          @cooldown_options = cooldown_options
+        end
+        sig { returns(T::Hash[String, T.untyped]) }
+        def current_report
+          @current_report ||= T.let(T.must(PackageDetailsFetcher.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            security_advisories: security_advisories,
+            options: options
+          ).report.find { |d| d["name"] == dependency.name }), T.nilable(T::Hash[String, T.untyped]))
+        end
+        sig { returns(T.nilable(String)) }
+        def latest_version
+          latest_version = current_report["latest"]
+          return nil unless latest_version
+          filter_cooldown_versions(latest_version)
+        end
+        sig { returns(T.nilable(String)) }
+        def latest_resolvable_version
+          latest_resolvable_version = current_report["singleBreaking"]&.find { |d| d["name"] == dependency.name }
+          return nil unless latest_resolvable_version
+          filter_cooldown_versions(latest_resolvable_version["version"])
+        end
+        sig { returns(T.nilable(String)) }
+        def latest_resolvable_version_with_no_unlock
+          version_with_no_unlock = current_report["compatible"]&.find { |d| d["name"] == dependency.name }
+          return nil unless version_with_no_unlock
+          filter_cooldown_versions(version_with_no_unlock["version"])
+        end
+        sig { returns(T.nilable(String)) }
+        def latest_version_resolvable_with_full_unlock
+          version_with_full_unlock = current_report["multiBreaking"]&.find { |d| d["name"] == dependency.name }
+          return nil unless version_with_full_unlock
+          filter_cooldown_versions(version_with_full_unlock["version"])
+        end
+        sig { returns(T.untyped) }
+        def latest_version_resolvable_with_full_unlock_hash
+          current_report["multiBreaking"]
+        end
+        sig { returns(T.untyped) }
+        def latest_resolvable_version_hash
+          current_report["singleBreaking"].find { |d| d["name"] == dependency.name }
+        end
+        private
+        sig do
+          params(
+            unparsed_version: String
+          ).returns(T.nilable(String))
+        end
+        def filter_cooldown_versions(unparsed_version)
+          return unparsed_version unless cooldown_enabled?
+          return unparsed_version unless cooldown_options
+          @package_details ||= T.let(PackageDetailsFetcher.new(
+            dependency: dependency,
+            dependency_files: dependency_files,
+            credentials: credentials,
+            ignored_versions: ignored_versions,
+            security_advisories: security_advisories,
+            options: options
+          ).package_details_metadata, T.nilable(T::Array[Dependabot::Package::PackageRelease]))
+          return unparsed_version unless @package_details.any?
+          version_release = @package_details.find do |release|
+            release.version == unparsed_version
+          end
+          return unparsed_version unless in_cooldown_period?(version_release)
+          dependency.version
+          rescue StandardError => e
+            Dependabot.logger.error("Failed to filter cooldown versions for \"#{dependency.name}\": #{e.backtrace}")
+            unparsed_version
+        end
+        sig { params(release: Dependabot::Package::PackageRelease).returns(T::Boolean) }
+        def in_cooldown_period?(release)
+          unless release.released_at
+            Dependabot.logger.info("Release date not available for version #{release.version}")
+            return false
+          end
+          current_version = version_class.correct?(dependency.version) ? version_class.new(dependency.version) : nil
+          days = cooldown_days_for(current_version, release.version)
+          # Calculate the number of seconds passed since the release
+          passed_seconds = Time.now.to_i - release.released_at.to_i
+          passed_days = passed_seconds / DAY_IN_SECONDS
+          if passed_days < days
+            Dependabot.logger.info("Version #{release.version}, Release date: #{release.released_at}." \
+                                   " Days since release: #{passed_days} (cooldown days: #{days})")
+          end
+          # Check if the release is within the cooldown period
+          passed_seconds < days * DAY_IN_SECONDS
+        end
+        sig do
+          params(
+            current_version: T.nilable(Dependabot::Version),
+            new_version: Dependabot::Version
+          ).returns(Integer)
+        end
+        def cooldown_days_for(current_version, new_version)
+          cooldown = @cooldown_options
+          return 0 if cooldown.nil?
+          return 0 unless cooldown_enabled?
+          return 0 unless cooldown.included?(dependency.name)
+          return cooldown.default_days if current_version.nil?
+          current_version_semver = current_version.semver_parts
+          new_version_semver = new_version.semver_parts
+          # If semver_parts is nil for either, return default cooldown
+          return cooldown.default_days if current_version_semver.nil? || new_version_semver.nil?
+          # Ensure values are always integers
+          current_major, current_minor, current_patch = current_version_semver
+          new_major, new_minor, new_patch = new_version_semver
+          # Determine cooldown based on version difference
+          return cooldown.semver_major_days if new_major > current_major
+          return cooldown.semver_minor_days if new_minor > current_minor
+          return cooldown.semver_patch_days if new_patch > current_patch
+          cooldown.default_days
+        end
+        sig { returns(T::Boolean) }
+        def cooldown_enabled?
+          Dependabot::Experiments.enabled?(:enable_cooldown_for_pub)
+        end
+        sig { returns(T.class_of(Dependabot::Version)) }
+        def version_class
+          dependency.version_class
+        end
+        sig { returns(Dependabot::Dependency) }
+        attr_reader :dependency
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+        sig { returns(T::Array[String]) }
+        attr_reader :ignored_versions
+        sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
+        attr_reader :security_advisories
+        sig { returns(T::Hash[Symbol, T.untyped]) }
+        attr_reader :options
+        sig { returns(T.nilable(Dependabot::Package::ReleaseCooldownOptions)) }
+        attr_reader :cooldown_options
+      end
+    end
+  end
+end

data/lib/dependabot/pub/update_checker.rb CHANGED Viewed

@@ -17,39 +17,25 @@ module Dependabot
       include Dependabot::Pub::Helpers
+      require_relative "update_checker/latest_version_finder"
       sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
       def latest_version
-        version = version_unless_ignored(current_report["latest"], current_version: dependency.version)
+        version = version_unless_ignored(T.must(version_report.latest_version), current_version: dependency.version)
         raise AllVersionsIgnored if version.nil? && @raise_on_ignored
         version
       end
-      sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
-      def latest_resolvable_version_with_no_unlock
-        # Version we can get if we're not allowed to change pubspec.yaml, but we
-        # allow changes in the pubspec.lock file.
-        entry = current_report["compatible"].find { |d| d["name"] == dependency.name }
-        return nil unless entry
-        version_unless_ignored(entry["version"])
-      end
       sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
       def latest_resolvable_version
         # Latest version we can get if we're allowed to unlock the current
         # package in pubspec.yaml
-        entry = current_report["singleBreaking"].find { |d| d["name"] == dependency.name }
+        entry = version_report.latest_resolvable_version
         return nil unless entry
-        version_unless_ignored(entry["version"])
-      end
-      sig { override.returns(T.nilable(Dependabot::Version)) }
-      def lowest_resolvable_security_fix_version
-        raise "Dependency not vulnerable!" unless vulnerable?
-        lowest_security_fix_version
+        version_unless_ignored(entry)
       end
       sig { override.returns(T.nilable(Dependabot::Version)) }
@@ -68,7 +54,23 @@ module Dependabot
         T.cast(version_unless_ignored(version), Dependabot::Version)
       end
-      # rubocop:disable Metrics/PerceivedComplexity
+      sig { override.returns(T.nilable(Dependabot::Version)) }
+      def lowest_resolvable_security_fix_version
+        raise "Dependency not vulnerable!" unless vulnerable?
+        lowest_security_fix_version
+      end
+      sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
+      def latest_resolvable_version_with_no_unlock
+        # Version we can get if we're not allowed to change pubspec.yaml, but we
+        # allow changes in the pubspec.lock file.
+        entry = version_report.latest_resolvable_version_with_no_unlock
+        return nil unless entry
+        version_unless_ignored(entry)
+      end
       sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
       def updated_requirements
         # Requirements that need to be changed, if obtain:
@@ -87,14 +89,13 @@ module Dependabot
                   updates&.find { |u| u["name"] == dependency.name }
                 else
-                  current_report["singleBreaking"].find { |d| d["name"] == dependency.name }
+                  version_report.latest_resolvable_version_hash
                 end
         return [] unless entry
         parse_updated_dependency(entry, resolved_requirements_update_strategy)
           .requirements
       end
-      # rubocop:enable Metrics/PerceivedComplexity
       private
@@ -167,20 +168,15 @@ module Dependabot
         end
       end
-      sig { params(version_string: String).returns(T::Boolean) }
-      def git_revision?(version_string)
-        version_string.match?(/^[0-9a-f]{6,}$/)
-      end
       sig { override.returns(T::Boolean) }
       def latest_version_resolvable_with_full_unlock?
-        entry = current_report["multiBreaking"].find { |d| d["name"] == dependency.name }
+        entry = version_report.latest_version_resolvable_with_full_unlock
         # This a bit dumb, but full-unlock is only considered if we can get the
         # latest version!
         return false unless entry
-        (!git_revision?(entry["version"]) && latest_version == Dependabot::Pub::Version.new(entry["version"])) ||
-          latest_version == entry["version"]
+        (!git_revision?(entry) && latest_version == Dependabot::Pub::Version.new(entry)) ||
+          latest_version == entry
       end
       sig { override.returns(T::Array[Dependabot::Dependency]) }
@@ -188,7 +184,7 @@ module Dependabot
         report_section = if vulnerable?
                            dependency_services_smallest_update
                          else
-                           current_report["multiBreaking"]
+                           version_report.latest_version_resolvable_with_full_unlock_hash
                          end
         # We only expose non-transitive dependencies here...
         direct_deps = report_section.reject do |d|
@@ -199,17 +195,19 @@ module Dependabot
         end
       end
-      sig { returns(T::Array[T::Hash[String, T.untyped]]) }
-      def report
-        @report ||= T.let(
-          dependency_services_report,
-          T.nilable(T::Array[T::Hash[String, T.untyped]])
-        )
-      end
-      sig { returns(T::Hash[String, T.untyped]) }
-      def current_report
-        T.must(report.find { |d| d["name"] == dependency.name })
+      sig { returns(Dependabot::Pub::UpdateChecker::LatestVersionFinder) }
+      def version_report
+        @version_report ||=
+          T.let(LatestVersionFinder.new(
+                  dependency: dependency,
+                  dependency_files: dependency_files,
+                  credentials: credentials,
+                  ignored_versions: ignored_versions,
+                  security_advisories: security_advisories,
+                  options: options,
+                  cooldown_options: update_cooldown
+                ),
+                T.nilable(Dependabot::Pub::UpdateChecker::LatestVersionFinder))
       end
       sig { returns(Dependabot::RequirementsUpdateStrategy) }
@@ -220,6 +218,11 @@ module Dependabot
         )
       end
+      sig { params(version_string: String).returns(T::Boolean) }
+      def git_revision?(version_string)
+        version_string.match?(/^[0-9a-f]{6,}$/)
+      end
       sig { returns(Dependabot::RequirementsUpdateStrategy) }
       def resolve_requirements_update_strategy
         raise "Unexpected requirements_update_strategy #{requirements_update_strategy}" unless

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-pub
 version: !ruby/object:Gem::Version
-  version: 0.313.0
+  version: 0.314.0
 platform: ruby
 authors:
 - Dependabot
 bindir: bin
 cert_chain: []
-date: 2025-05-15 00:00:00.000000000 Z
+date: 2025-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.313.0
+        version: 0.314.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.313.0
+        version: 0.314.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -248,16 +248,18 @@ files:
 - lib/dependabot/pub/helpers.rb
 - lib/dependabot/pub/language.rb
 - lib/dependabot/pub/metadata_finder.rb
+- lib/dependabot/pub/package/package_details_fetcher.rb
 - lib/dependabot/pub/package_manager.rb
 - lib/dependabot/pub/requirement.rb
 - lib/dependabot/pub/update_checker.rb
+- lib/dependabot/pub/update_checker/latest_version_finder.rb
 - lib/dependabot/pub/version.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.313.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.314.0
 rdoc_options: []
 require_paths:
 - lib