spm_version_updates 1.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 922e9383223719cafb033ce65ca8b710013bc1654217973443b1b1b99eead693
+  data.tar.gz: b6a5fa439183d0cfcb8192b050565020b8f314e18f573d88b8e4ce40fb619bfb
+SHA512:
+  metadata.gz: cc90410091871b58726de87d0f8e992e3abf08c75799dc1901c1afd893ca5736f39c02076b136523a3ba437a5796e51cf196abcd728e513b4e1e27dd9332945f
+  data.tar.gz: a7329c84f09b9615cf25872e4e3181694b306e717dc978b36b8edbd8334543339f68d4bd2402ae84c15e425cad2005e6ace00475c41598c36ca81309f1f3f95a

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2023-2024 Harold Martin <harold.martin@gmail.com>
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,47 @@
+# spm_version_updates
+
+Core library for detecting available updates to Swift Package Manager
+dependencies. It powers both the
+[`danger-spm_version_updates`](https://rubygems.org/gems/danger-spm_version_updates)
+Danger plugin and the
+[Swift Package Version Updates GitHub Action](https://github.com/hbmartin/github-action-spm_version_updates),
+and can be used directly from any Ruby program.
+
+## Installation
+
+```sh
+gem install spm_version_updates
+```
+
+Xcode-project mode additionally requires the `xcodeproj` gem; manifest mode
+has no extra dependencies.
+
+## Usage
+
+```ruby
+require "spm_version_updates"
+
+checker = SpmChecker.new
+
+# Manifest mode: check one or more Package.swift files (a Package.resolved
+# next to each manifest is used automatically when present).
+warnings = checker.check_manifests(["path/to/Package.swift"])
+
+# Xcode mode: check the packages referenced by an Xcode project.
+# warnings = checker.check_for_updates("path/to/App.xcodeproj")
+
+warnings.each { |warning| puts warning }
+
+# Structured details (repository URL, current/available version, severity,
+# suggested update command, ...) for each warning:
+checker.warning_details.each { |detail| p detail }
+```
+
+Behavior is configurable through accessors on `SpmChecker` — for example
+`check_when_exact`, `check_branches`, `report_above_maximum`,
+`report_pre_releases`, `ignore_repos`, and allow-host restrictions. See the
+class documentation for the full list.
+
+## License
+
+MIT — see [LICENSE.txt](LICENSE.txt).

data/lib/spm_version_updates/allow_host_normalizer.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require_relative "git_host_normalizer"
+require_relative "git_operations"
+
+# Normalizes user-provided allow-host entries into hostnames.
+class AllowHostNormalizer
+  MALFORMED_SCHEME_PATTERN = %r{\A[a-z][a-z0-9+\-.]*//}i
+
+  def self.normalize(entry)
+    new(entry).normalize
+  end
+
+  def self.configured_entries(entries)
+    Array(entries).filter_map { |entry|
+      value = entry.to_s.strip
+      value unless value.empty?
+    }
+  end
+
+  def initialize(entry)
+    @raw = entry.to_s.strip
+  end
+
+  def normalize
+    return nil if raw.empty?
+    return parsed if parsed && !malformed_scheme?
+    return fallback if fallback.match?(GitHostNormalizer::HOST_PATTERN)
+
+    warn_unparseable
+    nil
+  end
+
+  private
+
+  attr_reader :raw
+
+  def parsed
+    @parsed ||= GitOperations.host(raw)
+  end
+
+  def fallback
+    @fallback ||= raw.sub(/:\d+\z/, "").downcase
+  end
+
+  def malformed_scheme?
+    raw.match?(MALFORMED_SCHEME_PATTERN)
+  end
+
+  def warn_unparseable
+    warn("allow-hosts entry #{raw.inspect} could not be parsed as a host and will not match any repository URL")
+  end
+end

data/lib/spm_version_updates/credential_redactor.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+# Redacts credentials embedded in URL userinfo before logging or emitting data.
+module CredentialRedactor
+  class << self
+    def redact(value)
+      value&.to_s&.gsub(%r{([a-z][a-z0-9+\-.]*://)([^/\s@]+)@}i, '\1[REDACTED]@')
+    end
+
+    def redact_hash_value(hash, key)
+      hash.dup.tap { |copy|
+        copy[key] = redact(copy[key]) if copy.key?(key)
+      }
+    end
+  end
+end

data/lib/spm_version_updates/fail_on_threshold.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require_relative "update_severity"
+
+# Parses fail-on inputs and evaluates whether reported updates should fail.
+module FailOnThreshold
+  ANY = "any"
+
+  def self.from_inputs(explicit_fail_on, legacy_fail_on)
+    input_name, value = [
+      ["fail-on", explicit_fail_on],
+      ["fail-on-updates", legacy_fail_on],
+      ["fail-on-updates", "false"],
+    ].find { |_name, candidate| candidate }
+    normalize(value, input_name)
+  end
+
+  def self.failure_message(threshold, reporter)
+    return nil unless threshold
+
+    count = failure_count(threshold, reporter)
+    count.positive? ? build_message(threshold, count) : nil
+  end
+
+  def self.failure_count(threshold, reporter)
+    return reporter.records.size if threshold == ANY
+
+    UpdateSeverity.count_at_or_above(reporter.severity_counts, threshold)
+  end
+
+  def self.normalize(value, input_name)
+    normalized = value.downcase
+    return nil if ["false", "none"].include?(normalized)
+    return ANY if normalized == "true"
+    return normalized if UpdateSeverity.threshold?(normalized)
+
+    raise(ArgumentError, "#{input_name} must be false, true, major, minor, or patch")
+  end
+
+  def self.build_message(threshold, count)
+    plural = count == 1 ? "" : "s"
+    threshold_note = threshold == ANY ? "" : " #{threshold}+"
+    "Found #{count}#{threshold_note} SPM dependency update#{plural}"
+  end
+end

data/lib/spm_version_updates/git_host_normalizer.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+require "uri"
+
+# Extracts and normalizes hostnames from common git remote URL forms.
+module GitHostNormalizer
+  HOST_PATTERN = /\A[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\z/i
+  BRACKETED_IPV6_PATTERN = /\A\[(?<address>[^\]]+)\](?::\d+)?\z/
+
+  class << self
+    def host(repo_url)
+      url = repo_url.to_s.strip
+      return nil if url.empty?
+
+      parsed_host(url) || scp_like_host(url) || bare_host(url)
+    end
+
+    def parsed_host(url)
+      normalize_host(URI.parse(url).host)
+    rescue URI::InvalidURIError
+      nil
+    end
+
+    def scp_like_host(url)
+      match = url.match(%r{\A(?:[^@\s/]+@)?(?<host>[^:\s/]+):(?!/)[^:\s]+\z})
+      match && normalize_host(match[:host])
+    end
+
+    def bare_host(url)
+      return nil if url.start_with?("/", "./", "../")
+      return nil if url.include?("://")
+
+      normalize_host(url.split("/", 2).first)
+    end
+
+    def normalize_host(host)
+      normalized = normalized_ipv6_host(host)
+      return normalized if normalized
+
+      normalized = host.to_s.sub(/:\d+\z/, "").downcase
+      return normalized if normalized.match?(HOST_PATTERN)
+
+      nil
+    end
+
+    def normalized_ipv6_host(host)
+      raw = host.to_s.strip.downcase
+      bracketed = raw.match(BRACKETED_IPV6_PATTERN)
+      return normalize_ipv6_address(bracketed[:address]) if bracketed
+      return normalize_ipv6_address(raw) if raw.count(":") >= 2
+
+      nil
+    end
+
+    def normalize_ipv6_address(address)
+      parsed = IPAddr.new(address)
+      parsed.ipv6? ? parsed.to_s : nil
+    rescue IPAddr::Error
+      nil
+    end
+  end
+end

data/lib/spm_version_updates/git_operations.rb

@@ -0,0 +1,150 @@
+# frozen_string_literal: true
+
+require "open3"
+require_relative "credential_redactor"
+require_relative "git_host_normalizer"
+require_relative "semver"
+
+# Git operations for SPM version checking (migrated from git.rb)
+module GitOperations
+  ALLOWED_PROTOCOLS = "https:ssh:git"
+  LS_REMOTE_RETRY_DELAYS = [0.25, 0.5].freeze
+  NON_INTERACTIVE_ENV = {
+    "GIT_ALLOW_PROTOCOL" => ALLOWED_PROTOCOLS,
+    "GIT_TERMINAL_PROMPT" => "0"
+  }.freeze
+  TAG_REF_PATTERNS = ["[0-9]*.[0-9]*", "v[0-9]*.[0-9]*"].freeze
+
+  # Raised when git cannot complete a remote reference lookup.
+  class LsRemoteError < StandardError; end
+
+  # Removes protocol and trailing .git from a repo URL
+  # @param   [String] repo_url The URL of the repository
+  # @return [String]
+  def self.trim_repo_url(repo_url)
+    url = repo_url.to_s.strip
+    return "" if url.empty?
+
+    url.split("://").last.gsub(/\.git$/, "")
+  end
+
+  # Extract a readable name for the repo given the url, generally org/repo
+  # @return [String]
+  def self.repo_name(repo_url)
+    match = repo_url.match(%r{([\w-]+/[\w-]+)(.git)?$})
+    if match
+      match[1] || match[0]
+    else
+      repo_url
+    end
+  end
+
+  # Extracts the hostname from common git remote URL forms.
+  # @return [String, nil]
+  def self.host(repo_url)
+    GitHostNormalizer.host(repo_url)
+  end
+
+  # Call git to list tags
+  # @param   [String] repo_url The URL of the dependency's repository
+  # @return [Array<SpmVersionUpdates::Semver>]
+  def self.version_tags(repo_url)
+    output = ls_remote(repo_url, options: ["--tags", "--refs"], patterns: TAG_REF_PATTERNS)
+
+    versions = output
+      .split("\n")
+      .filter_map { |line| tag_name(line) }
+      .filter_map { |line|
+        begin
+          SpmVersionUpdates::Semver.new(line)
+        rescue ArgumentError
+          nil
+        end
+      }
+    versions.sort!.reverse!
+    versions
+  end
+
+  # Call git to find the last commit on a branch
+  # @param   [String] repo_url The URL of the dependency's repository
+  # @param   [String] branch_name The name of the branch on which to find the last commit
+  # @return [String, nil]
+  def self.branch_last_commit(repo_url, branch_name)
+    branch_ref = "refs/heads/#{branch_name}"
+    output = ls_remote(repo_url, options: ["--branches"], patterns: [branch_ref])
+
+    line = output
+      .split("\n")
+      .find { |remote_ref| remote_ref.split("\t")[1] == branch_ref }
+    line&.split("\t")&.first
+  end
+
+  # Run `git ls-remote` with an argument vector (no shell), so repository URLs
+  # are never word-split or interpreted by a shell. Raises after bounded retries
+  # instead of masking network/auth failures as "no updates available".
+  # @return [String]
+  def self.ls_remote(repo_url, options:, patterns: [])
+    attempts = 0
+    stdout = nil
+    stderr = nil
+
+    loop {
+      attempts += 1
+      stdout, stderr, status = capture_ls_remote(repo_url, options, patterns)
+      return stdout if status.success?
+
+      break if attempts >= ls_remote_attempts
+
+      sleep(LS_REMOTE_RETRY_DELAYS.fetch(attempts - 1))
+    }
+
+    raise_ls_remote_error(failure_message(repo_url, stderr, attempts))
+  rescue Errno::ENOENT
+    raise_ls_remote_error("git command not found. Please ensure git is installed and available in your PATH.")
+  rescue SystemCallError => error
+    raise_ls_remote_error("git ls-remote failed to start: #{error.message}")
+  end
+
+  def self.ls_remote_attempts
+    LS_REMOTE_RETRY_DELAYS.size + 1
+  end
+
+  def self.capture_ls_remote(repo_url, options, patterns)
+    Open3.capture3(
+      NON_INTERACTIVE_ENV,
+      "git",
+      "ls-remote",
+      *options,
+      "--",
+      repo_url,
+      *patterns
+    )
+  end
+
+  def self.failure_message(repo_url, stderr, attempts)
+    details = stderr.to_s.strip
+    details = "no stderr" if details.empty?
+    "git ls-remote failed for #{redact_credentials(repo_url)} after #{attempts} attempts: #{redact_credentials(details)}"
+  end
+
+  def self.raise_ls_remote_error(message)
+    warn(message)
+    raise(LsRemoteError, message)
+  end
+
+  def self.tag_name(line)
+    line[%r{\A[^\t]+\trefs/tags/(.+)\z}, 1]
+  end
+
+  def self.redact_credentials(value)
+    CredentialRedactor.redact(value)
+  end
+
+  private_class_method :ls_remote,
+                       :ls_remote_attempts,
+                       :capture_ls_remote,
+                       :failure_message,
+                       :raise_ls_remote_error,
+                       :tag_name,
+                       :redact_credentials
+end

data/lib/spm_version_updates/manifest_parser.rb

@@ -0,0 +1,258 @@
+# frozen_string_literal: true
+
+require_relative "git_operations"
+require_relative "package_resolved"
+
+# Parses Swift Package Manager manifests (`Package.swift`) and their adjacent
+# `Package.resolved` files.
+#
+# This supports the "SwiftPM-native" repo layout, where dependencies are
+# declared directly in one or more `Package.swift` manifests rather than as
+# `XCRemoteSwiftPackageReference` objects inside an `.xcodeproj`.
+#
+# Manifests are parsed with a lightweight, dependency-free scanner so the action
+# runs on any runner (e.g. `ubuntu-latest`) without requiring Swift or a
+# macOS/Xcode toolchain to be installed.
+#
+# The requirement hashes returned by {get_packages} intentionally mirror the
+# shape produced by `Xcodeproj` for `XCRemoteSwiftPackageReference#requirement`
+# (`"kind"`, `"minimumVersion"`, `"maximumVersion"`, `"version"`, `"branch"`,
+# `"revision"`) so the same comparison logic can be reused for both modes.
+module ManifestParser
+  PACKAGE_CALL = ".package("
+
+  # Find the direct SPM dependencies declared in a `Package.swift` manifest.
+  #
+  # Local packages (declared with `path:`) and packages without a recognizable
+  # version requirement are skipped.
+  #
+  # Keyed by the normalized repository URL (used to match against
+  # `Package.resolved` pins and `ignore-repos`), while the original,
+  # scheme-bearing `repository_url` is retained for git operations.
+  #
+  # @param  [String] manifest_path The path to a `Package.swift` file
+  # @raise  [ManifestPathMustBeSet] if the manifest_path is blank
+  # @raise  [CouldNotFindManifest] if the file does not exist
+  # @return [Hash<String, Hash>] normalized URL => { "repository_url", "requirement" }
+  def self.get_packages(manifest_path)
+    raise(ManifestPathMustBeSet) if manifest_path.nil? || manifest_path.empty?
+    raise(CouldNotFindManifest, manifest_path) unless File.exist?(manifest_path)
+
+    content = strip_comments(File.read(manifest_path))
+    package_calls(content).each_with_object({}) { |call, packages|
+      url = call[/\burl\s*:\s*"([^"]+)"/, 1]
+      next if url.nil? # local package (path:) or otherwise unrecognized
+
+      requirement = requirement_for(call)
+      next if requirement.nil?
+
+      packages[GitOperations.trim_repo_url(url)] = { "repository_url" => url, "requirement" => requirement }
+    }
+  end
+
+  # Extract the resolved versions from a `Package.resolved` file.
+  #
+  # @param  [String] resolved_path The path to a `Package.resolved` file
+  # @return [Hash<String, String>] normalized repository URL => version or revision
+  def self.get_resolved_versions(resolved_path)
+    PackageResolved.versions_from(resolved_path)
+  end
+
+  # Infer the `Package.resolved` path that sits next to a manifest.
+  #
+  # @param  [String] manifest_path The path to a `Package.swift` file
+  # @return [String]
+  def self.default_resolved_path(manifest_path)
+    File.join(File.dirname(manifest_path), "Package.resolved")
+  end
+
+  # Extract the argument body of each `.package( ... )` call, honoring nested
+  # parentheses (e.g. `.upToNextMajor(from: "1.0.0")`) and string literals.
+  #
+  # @param  [String] content The (comment-stripped) manifest source
+  # @return [Array<String>]
+  def self.package_calls(content)
+    calls = []
+    search_start = 0
+    while (marker_index = content.index(PACKAGE_CALL, search_start))
+      open_index = marker_index + PACKAGE_CALL.length - 1
+      close_index = matching_paren(content, open_index)
+      break if close_index.nil?
+
+      calls << content[(open_index + 1)...close_index]
+      search_start = close_index + 1
+    end
+    calls
+  end
+
+  # Map the body of a `.package(...)` call to an Xcodeproj-style requirement.
+  #
+  # Ordering matters: ranges and the explicit `.upToNextMajor`/`.upToNextMinor`
+  # forms are matched before the bare `from:` shorthand because they also
+  # contain the substring `from:`.
+  #
+  # @param  [String] call The body of a `.package(...)` call
+  # @return [Hash, nil]
+  def self.requirement_for(call)
+    if (range = call.match(/"([^"]+)"\s*(\.\.[.<])\s*"([^"]+)"/))
+      version_range_requirement(range[1], range[2], range[3])
+    elsif (version = call[/\.upToNextMinor\s*\(\s*from\s*:\s*"([^"]+)"/, 1])
+      { "kind" => "upToNextMinorVersion", "minimumVersion" => version }
+    elsif (version = call[/\.upToNextMajor\s*\(\s*from\s*:\s*"([^"]+)"/, 1] || call[/\bfrom\s*:\s*"([^"]+)"/, 1])
+      { "kind" => "upToNextMajorVersion", "minimumVersion" => version }
+    elsif (version = call[/\bexact\s*:\s*"([^"]+)"/, 1] || call[/\.exact\s*\(\s*"([^"]+)"/, 1])
+      { "kind" => "exactVersion", "version" => version }
+    elsif (branch = call[/\bbranch\s*:\s*"([^"]+)"/, 1] || call[/\.branch\s*\(\s*"([^"]+)"/, 1])
+      { "kind" => "branch", "branch" => branch }
+    elsif (revision = call[/\brevision\s*:\s*"([^"]+)"/, 1] || call[/\.revision\s*\(\s*"([^"]+)"/, 1])
+      { "kind" => "revision", "revision" => revision }
+    end
+  end
+
+  # Build a versionRange requirement from a Swift range literal.
+  #
+  # Xcode's `versionRange` (like Swift's `..<`) uses an exclusive maximum. SwiftPM
+  # normalizes a closed range `a...b` to the half-open range `a ..< (b + 1 patch)`,
+  # so we do the same here for `...` to keep the inclusive upper bound — otherwise
+  # version `b` would be incorrectly excluded from update checks.
+  #
+  # @return [Hash]
+  def self.version_range_requirement(minimum, range_operator, maximum)
+    maximum = increment_patch_version(maximum) if range_operator == "..."
+    { "kind" => "versionRange", "minimumVersion" => minimum, "maximumVersion" => maximum }
+  end
+
+  # Increment the patch component of an `x.y.z` version, dropping any
+  # pre-release/build suffix (matching how SwiftPM derives the exclusive upper
+  # bound of a closed range as `Version(major, minor, patch + 1)`). Returns the
+  # input unchanged if it is not a three-part version.
+  #
+  # @return [String]
+  def self.increment_patch_version(version)
+    major, minor, patch = version.match(/\A(\d+)\.(\d+)\.(\d+)/)&.captures
+    return version if patch.nil?
+
+    "#{major}.#{minor}.#{patch.to_i + 1}"
+  end
+
+  # Find the index of the `)` that closes the `(` at +open_index+, ignoring
+  # parentheses and the like that appear inside string literals.
+  #
+  # @return [Integer, nil]
+  def self.matching_paren(content, open_index)
+    depth = 0
+    index = open_index
+    length = content.length
+    in_string = false
+    while index < length
+      char = content[index]
+      if in_string
+        if char == "\\"
+          index += 2
+          next
+        end
+        in_string = false if char == '"'
+      elsif char == '"'
+        in_string = true
+      elsif char == "("
+        depth += 1
+      elsif char == ")"
+        depth -= 1
+        return index if depth.zero?
+      end
+      index += 1
+    end
+    nil
+  end
+
+  # Remove `//` line comments and `/* */` block comments while leaving string
+  # literals (e.g. URLs containing `//`) untouched.
+  #
+  # @param  [String] content The raw manifest source
+  # @return [String]
+  def self.strip_comments(content)
+    output = +""
+    index = 0
+    length = content.length
+    while index < length
+      char = content[index]
+      nxt = content[index + 1]
+      if char == '"'
+        index = copy_string_literal(content, index, output)
+      elsif char == "/" && nxt == "/"
+        index += 1 while index < length && content[index] != "\n"
+      elsif char == "/" && nxt == "*"
+        index = skip_block_comment(content, index)
+      else
+        output << char
+        index += 1
+      end
+    end
+    output
+  end
+
+  # Copy a double-quoted string literal verbatim into +output+, respecting
+  # backslash escapes, and return the index just past the closing quote.
+  #
+  # @return [Integer]
+  def self.copy_string_literal(content, index, output)
+    length = content.length
+    output << content[index] # opening quote
+    index += 1
+    while index < length
+      char = content[index]
+      output << char
+      if char == "\\"
+        output << content[index + 1] if index + 1 < length
+        index += 2
+        next
+      end
+      index += 1
+      break if char == '"'
+    end
+    index
+  end
+
+  # Return the index just past the closing `*/` of a block comment. Swift block
+  # comments nest, so depth is tracked: `/* a /* b */ c */` is a single comment.
+  #
+  # @return [Integer]
+  def self.skip_block_comment(content, index)
+    length = content.length
+    depth = 1
+    index += 2 # skip the opening "/*"
+    while index < length && depth.positive?
+      if content[index] == "/" && content[index + 1] == "*"
+        depth += 1
+        index += 2
+      elsif content[index] == "*" && content[index + 1] == "/"
+        depth -= 1
+        index += 2
+      else
+        index += 1
+      end
+    end
+    index
+  end
+
+  private_class_method :package_calls,
+                       :requirement_for,
+                       :version_range_requirement,
+                       :increment_patch_version,
+                       :matching_paren,
+                       :strip_comments,
+                       :copy_string_literal,
+                       :skip_block_comment
+
+  # Raised when manifest mode is invoked without a manifest path.
+  class ManifestPathMustBeSet < StandardError
+  end
+
+  # Raised when a configured Package.swift manifest is missing.
+  class CouldNotFindManifest < StandardError
+  end
+
+  # Raised when manifest mode cannot find an expected Package.resolved file.
+  class CouldNotFindResolvedFile < StandardError
+  end
+end