dependabot-swift 0.222.0 → 0.224.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4aef4a94ae75bf75d90152d46b40c74149b9b6724392bcd7aed6ab75843dc359
4
- data.tar.gz: b1423ec2d83751d7f0fca41a5e24b0d7c952015ca355042ab5a585f02b321895
3
+ metadata.gz: daa823cdb9f7cf8a02a3ae2db25b54b941c87b80c57633c9c2a6e3c09cf2af9d
4
+ data.tar.gz: 59a6217a928b15e42b033c987cb7e52572961699cd9b78a6b137e88c21d7ccef
5
5
  SHA512:
6
- metadata.gz: 2451f0816f18243f61732cd2cb751953ba5b7cb8e55727901c33a81ae9f574282ee58f098df107b7b550e1dfa98b37475b50e1e0e323ae0b3dc9c7a5ec04002c
7
- data.tar.gz: 7a8dc186c3490327e53c721c01a2424c34a18350bc00d92367866e667980e851379ac2a9f3efb74d892f8bcdb238260fc67843054805c69d62de3228c75f0b0b
6
+ metadata.gz: 4ed7d0edc5cf21554321deb0ef4b5ba1caf36878af28c6a36129d60d016f657706d5dfe516ec6c4082fcc68a3007ed6725e2f18840dc2f72a1bb1dc584043818
7
+ data.tar.gz: 929239d17f49f5260cd217deba666429de17e93afb2c4b970496fa4f0656d4ce9fe3515de067995e087ccb4ea97388156b048cb2f1ebe9948b221f062381d132
@@ -2,6 +2,7 @@
2
2
 
3
3
  require "dependabot/file_updaters/base"
4
4
  require "dependabot/shared_helpers"
5
+ require "dependabot/logger"
5
6
 
6
7
  module Dependabot
7
8
  module Swift
@@ -18,11 +19,10 @@ module Dependabot
18
19
  SharedHelpers.in_a_temporary_repo_directory(manifest.directory, repo_contents_path) do
19
20
  File.write(manifest.name, manifest.content)
20
21
 
22
+ dependency_names = dependencies.map(&:name).join(" ")
23
+
21
24
  SharedHelpers.with_git_configured(credentials: credentials) do
22
- SharedHelpers.run_shell_command(
23
- "swift package update #{dependencies.map(&:name).join(' ')}",
24
- fingerprint: "swift package update <dependency_name>"
25
- )
25
+ try_lockfile_update(dependency_names)
26
26
 
27
27
  File.read("Package.resolved")
28
28
  end
@@ -31,6 +31,19 @@ module Dependabot
31
31
 
32
32
  private
33
33
 
34
+ def try_lockfile_update(dependency_names)
35
+ SharedHelpers.run_shell_command(
36
+ "swift package update #{dependency_names}",
37
+ fingerprint: "swift package update <dependency_names>"
38
+ )
39
+ rescue SharedHelpers::HelperSubprocessFailed => e
40
+ # This class is not only used for final lockfile updates, but for
41
+ # checking resolvability. So resolvability errors here are expected in
42
+ # certain situations and will result in `no_update_possible` outcomes.
43
+ # That said, since we're swallowing all errors we at least log them to ease debugging.
44
+ Dependabot.logger.info("Lockfile failed to be updated due to error:\n#{e.message}")
45
+ end
46
+
34
47
  attr_reader :dependencies, :manifest, :repo_contents_path, :credentials
35
48
  end
36
49
  end
@@ -90,7 +90,7 @@ module Dependabot
90
90
  end
91
91
 
92
92
  def parse_range(separator)
93
- declaration.split(separator).map { |str| unquote(str) }
93
+ declaration.split(separator).map { |str| unquote(str.strip) }
94
94
  end
95
95
 
96
96
  def single_version_declaration?
@@ -8,9 +8,10 @@ module Dependabot
8
8
  module Swift
9
9
  class UpdateChecker < Dependabot::UpdateCheckers::Base
10
10
  class VersionResolver
11
- def initialize(dependency:, manifest:, repo_contents_path:, credentials:)
11
+ def initialize(dependency:, manifest:, lockfile:, repo_contents_path:, credentials:)
12
12
  @dependency = dependency
13
13
  @manifest = manifest
14
+ @lockfile = lockfile
14
15
  @credentials = credentials
15
16
  @repo_contents_path = repo_contents_path
16
17
  end
@@ -29,12 +30,14 @@ module Dependabot
29
30
  credentials: credentials
30
31
  ).updated_lockfile_content
31
32
 
32
- lockfile = DependencyFile.new(
33
+ return if updated_lockfile_content == lockfile.content
34
+
35
+ updated_lockfile = DependencyFile.new(
33
36
  name: "Package.resolved",
34
37
  content: updated_lockfile_content
35
38
  )
36
39
 
37
- dependency_parser(manifest, lockfile).parse.find do |parsed_dep|
40
+ dependency_parser(manifest, updated_lockfile).parse.find do |parsed_dep|
38
41
  parsed_dep.name == dependency.name
39
42
  end.version
40
43
  end
@@ -47,7 +50,7 @@ module Dependabot
47
50
  )
48
51
  end
49
52
 
50
- attr_reader :dependency, :manifest, :repo_contents_path, :credentials
53
+ attr_reader :dependency, :manifest, :lockfile, :repo_contents_path, :credentials
51
54
  end
52
55
  end
53
56
  end
@@ -2,6 +2,7 @@
2
2
 
3
3
  require "dependabot/update_checkers"
4
4
  require "dependabot/update_checkers/base"
5
+ require "dependabot/update_checkers/version_filters"
5
6
  require "dependabot/git_commit_checker"
6
7
  require "dependabot/swift/native_requirement"
7
8
  require "dependabot/swift/file_updater/manifest_updater"
@@ -24,6 +25,18 @@ module Dependabot
24
25
  raise NotImplementedError
25
26
  end
26
27
 
28
+ def lowest_security_fix_version
29
+ @lowest_security_fix_version ||= fetch_lowest_security_fix_version
30
+ end
31
+
32
+ def lowest_resolvable_security_fix_version
33
+ raise "Dependency not vulnerable!" unless vulnerable?
34
+
35
+ return @lowest_resolvable_security_fix_version if defined?(@lowest_resolvable_security_fix_version)
36
+
37
+ @lowest_resolvable_security_fix_version = fetch_lowest_resolvable_security_fix_version
38
+ end
39
+
27
40
  def updated_requirements
28
41
  RequirementsUpdater.new(
29
42
  requirements: old_requirements,
@@ -43,14 +56,33 @@ module Dependabot
43
56
  latest_version_tag.fetch(:version)
44
57
  end
45
58
 
59
+ def fetch_lowest_security_fix_version
60
+ return unless git_commit_checker.pinned_ref_looks_like_version? && latest_version_tag
61
+
62
+ lowest_security_fix_version_tag.fetch(:version)
63
+ end
64
+
46
65
  def fetch_latest_resolvable_version
47
- Version.new(version_resolver.latest_resolvable_version)
66
+ latest_resolvable_version = version_resolver_for(unlocked_requirements).latest_resolvable_version
67
+ return current_version unless latest_resolvable_version
68
+
69
+ Version.new(latest_resolvable_version)
70
+ end
71
+
72
+ def fetch_lowest_resolvable_security_fix_version
73
+ lowest_resolvable_security_fix_version = version_resolver_for(
74
+ force_lowest_security_fix_requirements
75
+ ).latest_resolvable_version
76
+ return unless lowest_resolvable_security_fix_version
77
+
78
+ Version.new(lowest_resolvable_security_fix_version)
48
79
  end
49
80
 
50
- def version_resolver
81
+ def version_resolver_for(requirements)
51
82
  VersionResolver.new(
52
83
  dependency: dependency,
53
- manifest: prepared_manifest,
84
+ manifest: prepare_manifest_for(requirements),
85
+ lockfile: lockfile,
54
86
  repo_contents_path: repo_contents_path,
55
87
  credentials: credentials
56
88
  )
@@ -62,19 +94,29 @@ module Dependabot
62
94
  end
63
95
  end
64
96
 
65
- def prepared_manifest
97
+ def force_lowest_security_fix_requirements
98
+ NativeRequirement.map_requirements(old_requirements) do |_old_requirement|
99
+ "\"#{lowest_security_fix_version}\"...\"#{lowest_security_fix_version}\""
100
+ end
101
+ end
102
+
103
+ def prepare_manifest_for(new_requirements)
66
104
  DependencyFile.new(
67
105
  name: manifest.name,
68
106
  content: FileUpdater::ManifestUpdater.new(
69
107
  manifest.content,
70
108
  old_requirements: old_requirements,
71
- new_requirements: unlocked_requirements
109
+ new_requirements: new_requirements
72
110
  ).updated_manifest_content
73
111
  )
74
112
  end
75
113
 
76
114
  def manifest
77
- dependency_files.find { |file| file.name == "Package.swift" }
115
+ @manifest ||= dependency_files.find { |file| file.name == "Package.swift" }
116
+ end
117
+
118
+ def lockfile
119
+ @lockfile ||= dependency_files.find { |file| file.name == "Package.resolved" }
78
120
  end
79
121
 
80
122
  def latest_version_resolvable_with_full_unlock?
@@ -99,6 +141,25 @@ module Dependabot
99
141
  def latest_version_tag
100
142
  git_commit_checker.local_tag_for_latest_version
101
143
  end
144
+
145
+ def lowest_security_fix_version_tag
146
+ tags = git_commit_checker.local_tags_for_allowed_versions
147
+ find_lowest_secure_version(tags)
148
+ end
149
+
150
+ def find_lowest_secure_version(tags)
151
+ relevant_tags = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(tags, security_advisories)
152
+ relevant_tags = filter_lower_tags(relevant_tags)
153
+
154
+ relevant_tags.min_by { |tag| tag.fetch(:version) }
155
+ end
156
+
157
+ def filter_lower_tags(tags_array)
158
+ return tags_array unless current_version
159
+
160
+ tags_array.
161
+ select { |tag| tag.fetch(:version) > current_version }
162
+ end
102
163
  end
103
164
  end
104
165
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-swift
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.222.0
4
+ version: 0.224.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-07-25 00:00:00.000000000 Z
11
+ date: 2023-07-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.222.0
19
+ version: 0.224.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.222.0
26
+ version: 0.224.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -207,7 +207,7 @@ licenses:
207
207
  - Nonstandard
208
208
  metadata:
209
209
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
210
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.222.0
210
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.224.0
211
211
  post_install_message:
212
212
  rdoc_options: []
213
213
  require_paths: