Class: Dependabot::Pub::UpdateChecker

Inherits:
UpdateCheckers::Base
  • Object
Extended by:
T::Sig
Includes:
Helpers
Defined in:
lib/dependabot/pub/update_checker.rb

Instance Attribute Summary

Attributes included from Helpers

#credentials, #dependency_files, #options

Instance Method Summary

Methods included from Helpers

pub_helpers_path, run_infer_sdk_versions

Instance Method Details

#latest_resolvable_version ⇒ Object



# File 'lib/dependabot/pub/update_checker.rb', line 36

def latest_resolvable_version
  # Highest version obtainable when this package's own constraint in
  # pubspec.yaml may be relaxed, read from the "singleBreaking" section of
  # the dependency-services report. Returns nil when the report has no entry
  # for this dependency, or when the candidate is excluded by ignore
  # conditions (version_unless_ignored decides that).
  single_breaking = current_report["singleBreaking"]
  entry = single_breaking.find { |candidate| candidate["name"] == dependency.name }
  entry ? version_unless_ignored(entry["version"]) : nil
end

#latest_resolvable_version_with_no_unlock ⇒ Object



# File 'lib/dependabot/pub/update_checker.rb', line 27

def latest_resolvable_version_with_no_unlock
  # Best version reachable when pubspec.yaml must stay untouched and only
  # pubspec.lock may change, taken from the "compatible" section of the
  # dependency-services report. Returns nil if this dependency has no entry
  # there or the candidate is excluded by ignore conditions.
  compatible = current_report["compatible"]
  entry = compatible.find { |candidate| candidate["name"] == dependency.name }
  entry.nil? ? nil : version_unless_ignored(entry["version"])
end

#latest_version ⇒ Object

Raises:

  • (AllVersionsIgnored)


# File 'lib/dependabot/pub/update_checker.rb', line 20

def latest_version
  # Newest version the dependency-services report lists for this dependency
  # ("latest"), after the ignore conditions have been applied relative to the
  # currently installed version.
  #
  # Returns nil when every candidate is ignored, unless @raise_on_ignored is
  # set, in which case AllVersionsIgnored is raised instead so the caller can
  # tell "nothing newer" apart from "everything newer is ignored".
  candidate = version_unless_ignored(current_report["latest"], current_version: dependency.version)
  return candidate unless candidate.nil?

  raise AllVersionsIgnored if @raise_on_ignored

  nil
end

#lowest_resolvable_security_fix_version ⇒ Object



# File 'lib/dependabot/pub/update_checker.rb', line 45

def lowest_resolvable_security_fix_version
  # Same answer as lowest_security_fix_version; the only difference is that
  # this entry point refuses to be used for a dependency that is not
  # vulnerable. Raises RuntimeError ("Dependency not vulnerable!") in that
  # case rather than silently returning the current version.
  if vulnerable?
    lowest_security_fix_version
  else
    raise "Dependency not vulnerable!"
  end
end

#lowest_security_fix_version ⇒ Object



# File 'lib/dependabot/pub/update_checker.rb', line 51

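def lowest_security_fix_version
  # Smallest version of this dependency to move to in order to get off the
  # vulnerable version, as reported by dependency_services_smallest_update
  # (presumably the smallest upgrade that clears the known advisories — see
  # that helper for the exact contract).
  #
  # Returns nil when: the dependency is pinned to a git revision, the helper
  # reports no possible update, the report has no entry for this dependency,
  # or the fix version itself is excluded by the ignore conditions. That last
  # case matters for security updates — an ignore rule can silently suppress
  # a fix — so callers should not treat nil as "already safe".
  #
  # Don't attempt to do security updates for git dependencies.
  return nil if git_revision? dependency.version
  # If the current version is not vulnerable, we stay on it.
  return version_unless_ignored dependency.version unless vulnerable?

  updates = dependency_services_smallest_update
  return nil if updates.nil?

  upgrade = updates.find { |u| u["name"] == dependency.name }
  # The smallest-update report may omit this dependency entirely; without
  # this guard `upgrade["version"]` raises NoMethodError on nil instead of
  # signalling "no fix available" the way the other lookups in this class do.
  return nil unless upgrade

  version_unless_ignored(upgrade["version"])
end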

#updated_requirements ⇒ Object



# File 'lib/dependabot/pub/update_checker.rb', line 66

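def updated_requirements
  # Requirements that need to be changed to obtain either
  # latest_resolvable_version (regular update) or lowest_security_fix_version
  # (security update, when the dependency is vulnerable).
  #
  # Returns the unchanged requirements when a security update would need other
  # packages unlocked or when no security update is reported at all, and nil
  # when the relevant report has no entry for this dependency.
  entry = if vulnerable?
            updates = dependency_services_smallest_update

            # No resolvable fix was reported (lowest_security_fix_version
            # returns nil for this case). Hand back the original requirements
            # rather than calling `filter` on nil, so the caller reports
            # security_update_not_possible instead of crashing.
            return dependency.requirements if updates.nil?

            # Ideally we would like to do any upgrade that migrates away from the vulnerability
            # but this method can only return a single requirement update.
            breaking_changes = updates.filter { |d| d["previousConstraint"] != d["constraintBumpedIfNeeded"] }

            # This security update would require unlocking other packages, which is not currently supported.
            # Because of that, return original requirements, so that no requirements are actually updated and
            # the error bubbles up as security_update_not_possible to the user.
            # NOTE(review): the one constraint change tolerated here is assumed to be
            # this dependency's own; a report whose single bump belongs to a different
            # package would pass this check — confirm against the helper's output.
            return dependency.requirements if breaking_changes.size > 1

            updates.find { |u| u["name"] == dependency.name }
          else
            current_report["singleBreaking"].find { |d| d["name"] == dependency.name }
          end
  return unless entry

  parse_updated_dependency(entry, requirements_update_strategy: resolved_requirements_update_strategy)
    .requirements
end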