RubyGems - dependabot-pub - Versions diffs - 0.213.0 → 0.214.0 - Mend

dependabot-pub 0.213.0 → 0.214.0

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/dependabot/pub/requirement.rb +1 -1
data/lib/dependabot/pub/update_checker.rb +24 -0
metadata +8 -8

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ae1319638c70bd17c82c7349b142a5e9047f002ca604fd5313107dc6d177801a
-  data.tar.gz: 1ca50d4cbd430e77fe396ac66a78d3d4f2c39b01aaaf725e64a5bda701898d30
+  metadata.gz: d727a361fb81d56fa752aeb69bc5515c8ee2761f6f612069382e0c68bdfa2717
+  data.tar.gz: b25f27d1ffbda1a9d2a859ab0e082cf6c53005ed9a742b939f00c5b5e8e3cc07
 SHA512:
-  metadata.gz: 15352fd4cb4558b9828c34b1f183ecc77a9e18c2e2249f34b86584cca9c2b6c3dadf07bbc94c26849dd5e561bcb4917d329c5825e9a62a993828856c7f3c607d
-  data.tar.gz: 7f646b209b0031d4c5e9e56afa716ff1877e7d1143c22e4a2866e366d1d1d320fa2672675f82d956640d4c9cabd2e615df4477cedf1689a7fbc0af30649a47b3
+  metadata.gz: 06451a70a859aceb04eb731058f942391092f531834fbc93ab6fb9416b9ec356b08260bf500585b11aef0d597f6ef1e54bc1e6b379ec65dcf378cbe1e67bd44d
+  data.tar.gz: d9663a74898cfb97e3b78a0753c5772bd9b19ff05b7d56f4faadd57ae2cf71982bf26fbd59b3a895e6e398bc7fe5614ef50f2923cac0b38fd2d0f70a4e695011

data/lib/dependabot/pub/requirement.rb CHANGED Viewed

@@ -14,7 +14,7 @@ module Dependabot
       quoted = OPS.keys.map { |k| Regexp.quote(k) }.join("|")
       version_pattern = Pub::Version::VERSION_PATTERN
-      PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*".freeze
+      PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*"
       PATTERN = /\A#{PATTERN_RAW}\z/
       # Use Pub::Version rather than Gem::Version to ensure that

data/lib/dependabot/pub/update_checker.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 require "dependabot/update_checkers"
 require "dependabot/update_checkers/base"
+require "dependabot/update_checkers/version_filters"
 require "dependabot/pub/helpers"
 require "yaml"
 module Dependabot
@@ -34,6 +35,29 @@ module Dependabot
         version_unless_ignored(entry["version"])
       end
+      def lowest_resolvable_security_fix_version
+        raise "Dependency not vulnerable!" unless vulnerable?
+        lowest_security_fix_version
+      end
+      def lowest_security_fix_version
+        # TODO: Pub lacks a lowest-non-vulnerable version strategy, for now we simply bump to latest resolvable:
+        # https://github.com/dependabot/dependabot-core/issues/5391
+        relevant_version = latest_resolvable_version
+        return unless relevant_version
+        # NOTE: in other ecosystems, the native helpers return a list of possible versions, to which we apply
+        # post-filtering. Ideally we move toward a world where we hand the native helper a list of ignored versions
+        # and possibly a flag indicating "use min version rather than max". The pub team is interested in supporting
+        # that. But in the meantime for internal consistency with other dependabot ecosystem implementations I kept
+        # `relevant_versions` as an array.
+        relevant_versions = [relevant_version]
+        relevant_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(relevant_versions,
+                                                                                                  security_advisories)
+        relevant_versions.min
+      end
       def updated_requirements
         # Requirements that need to be changed, if obtain:
         # latest_resolvable_version

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-pub
 version: !ruby/object:Gem::Version
-  version: 0.213.0
+  version: 0.214.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-10-31 00:00:00.000000000 Z
+date: 2022-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.213.0
+        version: 0.214.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.213.0
+        version: 0.214.0
 - !ruby/object:Gem::Dependency
   name: webrick
   requirement: !ruby/object:Gem::Requirement
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 4.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.37.1
+        version: 1.39.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.37.1
+        version: 1.39.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement