dependabot-pub 0.213.0 → 0.214.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/pub/requirement.rb +1 -1
- data/lib/dependabot/pub/update_checker.rb +24 -0
- metadata +8 -8
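--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d727a361fb81d56fa752aeb69bc5515c8ee2761f6f612069382e0c68bdfa2717
+data.tar.gz: b25f27d1ffbda1a9d2a859ab0e082cf6c53005ed9a742b939f00c5b5e8e3cc07
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 06451a70a859aceb04eb731058f942391092f531834fbc93ab6fb9416b9ec356b08260bf500585b11aef0d597f6ef1e54bc1e6b379ec65dcf378cbe1e67bd44d
+data.tar.gz: d9663a74898cfb97e3b78a0753c5772bd9b19ff05b7d56f4faadd57ae2cf71982bf26fbd59b3a895e6e398bc7fe5614ef50f2923cac0b38fd2d0f70a4e695011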
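--- a/data/lib/dependabot/pub/requirement.rb
+++ b/data/lib/dependabot/pub/requirement.rb
@@ -14,7 +14,7 @@ module Dependabot
 quoted = OPS.keys.map { |k| Regexp.quote(k) }.join("|")
 version_pattern = Pub::Version::VERSION_PATTERN
 
-PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*"
+PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*"
 PATTERN = /\A#{PATTERN_RAW}\z/
 
 # Use Pub::Version rather than Gem::Version to ensure that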
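--- a/data/lib/dependabot/pub/update_checker.rb
+++ b/data/lib/dependabot/pub/update_checker.rb
@@ -2,6 +2,7 @@
 
 require "dependabot/update_checkers"
 require "dependabot/update_checkers/base"
+require "dependabot/update_checkers/version_filters"
 require "dependabot/pub/helpers"
 require "yaml"
 module Dependabot
@@ -34,6 +35,29 @@ module Dependabot
 version_unless_ignored(entry["version"])
 end
 
+def lowest_resolvable_security_fix_version
+raise "Dependency not vulnerable!" unless vulnerable?
+
+lowest_security_fix_version
+end
+
+def lowest_security_fix_version
+# TODO: Pub lacks a lowest-non-vulnerable version strategy, for now we simply bump to latest resolvable:
+# https://github.com/dependabot/dependabot-core/issues/5391
+relevant_version = latest_resolvable_version
+return unless relevant_version
+
+# NOTE: in other ecosystems, the native helpers return a list of possible versions, to which we apply
+# post-filtering. Ideally we move toward a world where we hand the native helper a list of ignored versions
+# and possibly a flag indicating "use min version rather than max". The pub team is interested in supporting
+# that. But in the meantime for internal consistency with other dependabot ecosystem implementations I kept
+# `relevant_versions` as an array.
+relevant_versions = [relevant_version]
+relevant_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(relevant_versions,
+security_advisories)
+relevant_versions.min
+end
+
 def updated_requirements
 # Requirements that need to be changed, if obtain:
 # latest_resolvable_version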
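Review bot: `lowest_security_fix_version` returns nil for two reasons the caller cannot tell apart — `latest_resolvable_version` being nil, and the single candidate being dropped by `VersionFilters.filter_vulnerable_versions` because the newest resolvable version is itself still inside an advisory's vulnerable range, after which `relevant_versions.min` on the empty array yields nil and the dependency reads as having no fix at all. That is an acceptable consequence of the TODO, but the method should document it; I would put above `def lowest_security_fix_version` a YARD comment such as `# @return [Pub::Version, nil] the latest resolvable version when no security advisory covers it; nil when nothing resolves or when the newest resolvable version is still vulnerable (no lowest-fix search yet, see issue 5391)`, with the return type confirmed against `latest_resolvable_version`, which is not visible here. `lowest_resolvable_security_fix_version` should likewise carry `# @raise [RuntimeError] when the dependency is not vulnerable`, since `raise` with a bare string produces a RuntimeError. The enclosing class body starts and ends outside the hunk.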
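--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-pub
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.214.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-
+date: 2022-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.214.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.214.0
 - !ruby/object:Gem::Dependency
 name: webrick
 requirement: !ruby/object:Gem::Requirement
@@ -72,14 +72,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 4.0.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 4.0.0
 - !ruby/object:Gem::Dependency
 name: rake
 requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.39.0
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: 1.
+version: 1.39.0
 - !ruby/object:Gem::Dependency
 name: rubocop-performance
 requirement: !ruby/object:Gem::Requirement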