dependabot-swift 0.223.0 → 0.224.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: b9c4d7a75751290497fd09eb0dc26f82ca32b29246bf0d07fabe6c71a9af64f2
4
- data.tar.gz: b84e6a5b45b30892f35e2033dc4b57cbb172b3f3f006f2b71f17c7fa4d7463f3
3
+ metadata.gz: daa823cdb9f7cf8a02a3ae2db25b54b941c87b80c57633c9c2a6e3c09cf2af9d
4
+ data.tar.gz: 59a6217a928b15e42b033c987cb7e52572961699cd9b78a6b137e88c21d7ccef
5
5
  SHA512:
6
- metadata.gz: a7fb390b84f5159787be751f8b30815918a76f86a3433961811c6647d2ede4bb1cce2ec201665dce979eafb35b06646c884d4400a313817f18a4a2855fc459b7
7
- data.tar.gz: c47f6f424a89188321c59fa5e9401cab4a821c3c80418e5bc7ae7f9b3ec555b1d11e8f525487516659791513fc10e381aee15663baf6b70f731fd849a3c2b5ef
6
+ metadata.gz: 4ed7d0edc5cf21554321deb0ef4b5ba1caf36878af28c6a36129d60d016f657706d5dfe516ec6c4082fcc68a3007ed6725e2f18840dc2f72a1bb1dc584043818
7
+ data.tar.gz: 929239d17f49f5260cd217deba666429de17e93afb2c4b970496fa4f0656d4ce9fe3515de067995e087ccb4ea97388156b048cb2f1ebe9948b221f062381d132
@@ -2,6 +2,7 @@
2
2
 
3
3
  require "dependabot/file_updaters/base"
4
4
  require "dependabot/shared_helpers"
5
+ require "dependabot/logger"
5
6
 
6
7
  module Dependabot
7
8
  module Swift
@@ -18,11 +19,10 @@ module Dependabot
18
19
  SharedHelpers.in_a_temporary_repo_directory(manifest.directory, repo_contents_path) do
19
20
  File.write(manifest.name, manifest.content)
20
21
 
22
+ dependency_names = dependencies.map(&:name).join(" ")
23
+
21
24
  SharedHelpers.with_git_configured(credentials: credentials) do
22
- SharedHelpers.run_shell_command(
23
- "swift package update #{dependencies.map(&:name).join(' ')}",
24
- fingerprint: "swift package update <dependency_name>"
25
- )
25
+ try_lockfile_update(dependency_names)
26
26
 
27
27
  File.read("Package.resolved")
28
28
  end
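Review bot: `try_lockfile_update(dependency_names)` still hands the names to `swift package update` by string interpolation into one shell command, so a dependency name taken from a repository's Package.swift that carries shell metacharacters could alter the command; this hunk only moves the interpolation into a helper, it does not neutralise it. Build the argument as `dependency_names = dependencies.map { |d| Shellwords.escape(d.name) }.join(" ")` (with `require "shellwords"` at the top of the file), or reject names outside the identifier charset the parser accepts. Whether `SharedHelpers.run_shell_command` actually goes through a shell is not visible here, so confirm that before relying on escaping alone. Note also that once an update failure is swallowed, the `File.read("Package.resolved")` below raises `Errno::ENOENT` for a repository that had no Package.resolved, a less descriptive failure than the subprocess error it replaces. The enclosing method starts before this hunk.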
@@ -31,6 +31,19 @@ module Dependabot
31
31
 
32
32
  private
33
33
 
34
+ def try_lockfile_update(dependency_names)
35
+ SharedHelpers.run_shell_command(
36
+ "swift package update #{dependency_names}",
37
+ fingerprint: "swift package update <dependency_names>"
38
+ )
39
+ rescue SharedHelpers::HelperSubprocessFailed => e
40
+ # This class is not only used for final lockfile updates, but for
41
+ # checking resolvability. So resolvability errors here are expected in
42
+ # certain situations and will result in `no_update_possible` outcomes.
43
+ # That said, since we're swallowing all errors we at least log them to ease debugging.
44
+ Dependabot.logger.info("Lockfile failed to be updated due to error:\n#{e.message}")
45
+ end
46
+
34
47
  attr_reader :dependencies, :manifest, :repo_contents_path, :credentials
35
48
  end
36
49
  end
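Review bot: The `rescue SharedHelpers::HelperSubprocessFailed` in `try_lockfile_update` catches every subprocess failure, not only resolution conflicts, so a network error, an authentication failure against a private host or a missing toolchain is logged at `info` and then surfaces as a no-update outcome rather than an error. Narrow it to the resolver's own failure, e.g. `raise unless e.message.include?("could not be resolved")` placed before the log line, with the exact substring checked against SwiftPM's output. `warn` would be a better level than `info` for a swallowed failure. Since the command runs under `with_git_configured`, confirm that `e.message` (presumably the captured stderr) cannot echo credentials before it is written to the log.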
@@ -90,7 +90,7 @@ module Dependabot
90
90
  end
91
91
 
92
92
  def parse_range(separator)
93
- declaration.split(separator).map { |str| unquote(str) }
93
+ declaration.split(separator).map { |str| unquote(str.strip) }
94
94
  end
95
95
 
96
96
  def single_version_declaration?
@@ -8,9 +8,10 @@ module Dependabot
8
8
  module Swift
9
9
  class UpdateChecker < Dependabot::UpdateCheckers::Base
10
10
  class VersionResolver
11
- def initialize(dependency:, manifest:, repo_contents_path:, credentials:)
11
+ def initialize(dependency:, manifest:, lockfile:, repo_contents_path:, credentials:)
12
12
  @dependency = dependency
13
13
  @manifest = manifest
14
+ @lockfile = lockfile
14
15
  @credentials = credentials
15
16
  @repo_contents_path = repo_contents_path
16
17
  end
@@ -29,12 +30,14 @@ module Dependabot
29
30
  credentials: credentials
30
31
  ).updated_lockfile_content
31
32
 
32
- lockfile = DependencyFile.new(
33
+ return if updated_lockfile_content == lockfile.content
34
+
35
+ updated_lockfile = DependencyFile.new(
33
36
  name: "Package.resolved",
34
37
  content: updated_lockfile_content
35
38
  )
36
39
 
37
- dependency_parser(manifest, lockfile).parse.find do |parsed_dep|
40
+ dependency_parser(manifest, updated_lockfile).parse.find do |parsed_dep|
38
41
  parsed_dep.name == dependency.name
39
42
  end.version
40
43
  end
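Review bot: `return if updated_lockfile_content == lockfile.content` raises `NoMethodError` when `lockfile` is nil, and the value injected here comes from `dependency_files.find { |file| file.name == "Package.resolved" }` in the update checker, which returns nil for a repository without a Package.resolved. Write it as `return if updated_lockfile_content == lockfile&.content`; a nil lockfile never equals freshly generated content, so the comparison then falls through to parsing as before. A comment on the early return would also help: `# resolver left the lockfile untouched: nothing newer than the current pin resolves`. The enclosing method starts before this hunk.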
@@ -47,7 +50,7 @@ module Dependabot
47
50
  )
48
51
  end
49
52
 
50
- attr_reader :dependency, :manifest, :repo_contents_path, :credentials
53
+ attr_reader :dependency, :manifest, :lockfile, :repo_contents_path, :credentials
51
54
  end
52
55
  end
53
56
  end
@@ -2,6 +2,7 @@
2
2
 
3
3
  require "dependabot/update_checkers"
4
4
  require "dependabot/update_checkers/base"
5
+ require "dependabot/update_checkers/version_filters"
5
6
  require "dependabot/git_commit_checker"
6
7
  require "dependabot/swift/native_requirement"
7
8
  require "dependabot/swift/file_updater/manifest_updater"
@@ -24,6 +25,18 @@ module Dependabot
24
25
  raise NotImplementedError
25
26
  end
26
27
 
28
+ def lowest_security_fix_version
29
+ @lowest_security_fix_version ||= fetch_lowest_security_fix_version
30
+ end
31
+
32
+ def lowest_resolvable_security_fix_version
33
+ raise "Dependency not vulnerable!" unless vulnerable?
34
+
35
+ return @lowest_resolvable_security_fix_version if defined?(@lowest_resolvable_security_fix_version)
36
+
37
+ @lowest_resolvable_security_fix_version = fetch_lowest_resolvable_security_fix_version
38
+ end
39
+
27
40
  def updated_requirements
28
41
  RequirementsUpdater.new(
29
42
  requirements: old_requirements,
@@ -43,14 +56,33 @@ module Dependabot
43
56
  latest_version_tag.fetch(:version)
44
57
  end
45
58
 
59
+ def fetch_lowest_security_fix_version
60
+ return unless git_commit_checker.pinned_ref_looks_like_version? && latest_version_tag
61
+
62
+ lowest_security_fix_version_tag.fetch(:version)
63
+ end
64
+
46
65
  def fetch_latest_resolvable_version
47
- Version.new(version_resolver.latest_resolvable_version)
66
+ latest_resolvable_version = version_resolver_for(unlocked_requirements).latest_resolvable_version
67
+ return current_version unless latest_resolvable_version
68
+
69
+ Version.new(latest_resolvable_version)
70
+ end
71
+
72
+ def fetch_lowest_resolvable_security_fix_version
73
+ lowest_resolvable_security_fix_version = version_resolver_for(
74
+ force_lowest_security_fix_requirements
75
+ ).latest_resolvable_version
76
+ return unless lowest_resolvable_security_fix_version
77
+
78
+ Version.new(lowest_resolvable_security_fix_version)
48
79
  end
49
80
 
50
- def version_resolver
81
+ def version_resolver_for(requirements)
51
82
  VersionResolver.new(
52
83
  dependency: dependency,
53
- manifest: prepared_manifest,
84
+ manifest: prepare_manifest_for(requirements),
85
+ lockfile: lockfile,
54
86
  repo_contents_path: repo_contents_path,
55
87
  credentials: credentials
56
88
  )
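Review bot: `fetch_lowest_security_fix_version` calls `lowest_security_fix_version_tag.fetch(:version)`, but `lowest_security_fix_version_tag` ends in `relevant_tags.min_by { ... }`, which returns nil when no non-vulnerable tag above the current version exists, so that path raises `NoMethodError` instead of reporting that no fix is available. Change it to `lowest_security_fix_version_tag&.fetch(:version)`. The `latest_version_tag` guard in the same method does not cover this, since the latest tag can itself be inside the advisory's range. For the same reason `fetch_lowest_resolvable_security_fix_version` should start with `return unless lowest_security_fix_version`, because `force_lowest_security_fix_requirements` interpolates that value straight into the manifest.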
@@ -62,19 +94,29 @@ module Dependabot
62
94
  end
63
95
  end
64
96
 
65
- def prepared_manifest
97
+ def force_lowest_security_fix_requirements
98
+ NativeRequirement.map_requirements(old_requirements) do |_old_requirement|
99
+ "\"#{lowest_security_fix_version}\"...\"#{lowest_security_fix_version}\""
100
+ end
101
+ end
102
+
103
+ def prepare_manifest_for(new_requirements)
66
104
  DependencyFile.new(
67
105
  name: manifest.name,
68
106
  content: FileUpdater::ManifestUpdater.new(
69
107
  manifest.content,
70
108
  old_requirements: old_requirements,
71
- new_requirements: unlocked_requirements
109
+ new_requirements: new_requirements
72
110
  ).updated_manifest_content
73
111
  )
74
112
  end
75
113
 
76
114
  def manifest
77
- dependency_files.find { |file| file.name == "Package.swift" }
115
+ @manifest ||= dependency_files.find { |file| file.name == "Package.swift" }
116
+ end
117
+
118
+ def lockfile
119
+ @lockfile ||= dependency_files.find { |file| file.name == "Package.resolved" }
78
120
  end
79
121
 
80
122
  def latest_version_resolvable_with_full_unlock?
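Review bot: The range literal in `force_lowest_security_fix_requirements` is dense enough to deserve a comment, since `"\"#{lowest_security_fix_version}\"...\"#{lowest_security_fix_version}\""` reads as a typo to anyone not fluent in SwiftPM requirement syntax; add `# closed range "X"..."X": pin every requirement to exactly the fix version so the resolver has no freedom` above the block, and note that `_old_requirement` is intentionally ignored. Without a nil check this block also produces `""...""` when no fix version is known, so the comment should say the caller is expected to guard that. The method `latest_version_resolvable_with_full_unlock?` continues past this hunk.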
@@ -99,6 +141,25 @@ module Dependabot
99
141
  def latest_version_tag
100
142
  git_commit_checker.local_tag_for_latest_version
101
143
  end
144
+
145
+ def lowest_security_fix_version_tag
146
+ tags = git_commit_checker.local_tags_for_allowed_versions
147
+ find_lowest_secure_version(tags)
148
+ end
149
+
150
+ def find_lowest_secure_version(tags)
151
+ relevant_tags = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(tags, security_advisories)
152
+ relevant_tags = filter_lower_tags(relevant_tags)
153
+
154
+ relevant_tags.min_by { |tag| tag.fetch(:version) }
155
+ end
156
+
157
+ def filter_lower_tags(tags_array)
158
+ return tags_array unless current_version
159
+
160
+ tags_array.
161
+ select { |tag| tag.fetch(:version) > current_version }
162
+ end
102
163
  end
103
164
  end
104
165
  end
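Review bot: `find_lowest_secure_version` returns nil when filtering leaves no tag (every allowed tag falls inside an advisory, or none is newer than `current_version`), and nothing in these three methods says so; add `# Returns nil when no non-vulnerable tag newer than the current version exists` above it so callers handle that case. `filter_lower_tags` silently keeps every tag when `current_version` is nil, which looks deliberate but should be stated: `# without a known current version every allowed tag is a candidate`. Whether `local_tags_for_allowed_versions` already applies the ignore conditions is not visible here; if it does not, the lowest fix chosen may be one the user asked to skip.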
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-swift
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.223.0
4
+ version: 0.224.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-07-25 00:00:00.000000000 Z
11
+ date: 2023-07-27 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.223.0
19
+ version: 0.224.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.223.0
26
+ version: 0.224.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -207,7 +207,7 @@ licenses:
207
207
  - Nonstandard
208
208
  metadata:
209
209
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
210
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.223.0
210
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.224.0
211
211
  post_install_message:
212
212
  rdoc_options: []
213
213
  require_paths: