Class: Dependabot::Pub::UpdateChecker

Inherits:
UpdateCheckers::Base
  • Object
Extended by:
T::Sig
Includes:
Helpers
Defined in:
lib/dependabot/pub/update_checker.rb,
lib/dependabot/pub/update_checker/latest_version_finder.rb

Defined Under Namespace

Classes: LatestVersionFinder

Instance Method Summary

Methods included from Helpers

#credentials, #dependency_files, #options, pub_helpers_path, run_infer_sdk_versions

Instance Method Details

#latest_resolvable_version ⇒ Object



# File 'lib/dependabot/pub/update_checker.rb', line 32

# Highest version reachable when the dependency's own entry in pubspec.yaml
# may be unlocked (other packages' constraints still apply).
#
# @return [Dependabot::Version, nil] the candidate from the version report,
#   filtered through the ignore rules; nil when the report has no candidate
#   or every candidate is ignored.
def latest_resolvable_version
  candidate = version_report.latest_resolvable_version
  # No candidate from the report means nothing to offer, so fall through
  # to nil rather than consulting the ignore rules.
  if candidate
    version_unless_ignored(candidate)
  end
end

#latest_resolvable_version_with_no_unlock ⇒ Object



# File 'lib/dependabot/pub/update_checker.rb', line 65

# Highest version reachable without touching pubspec.yaml at all: only the
# resolved versions in pubspec.lock are allowed to move.
#
# @return [Dependabot::Version, nil] the report's no-unlock candidate after
#   the ignore rules are applied; nil when there is no such candidate or it
#   is ignored.
def latest_resolvable_version_with_no_unlock
  candidate = version_report.latest_resolvable_version_with_no_unlock
  if candidate
    version_unless_ignored(candidate)
  end
end

#latest_version ⇒ Object

Raises:

  • (AllVersionsIgnored)


# File 'lib/dependabot/pub/update_checker.rb', line 23

# Latest published version of the dependency, ignoring resolvability.
#
# The report is expected to always carry a latest version (`T.must`), so a
# missing value is treated as a programming error rather than "no update".
#
# @return [Dependabot::Version, nil] the latest version unless it is ruled
#   out by the ignore rules for the current version.
# @raise [AllVersionsIgnored] when the result is nil and the checker was
#   configured with `@raise_on_ignored`.
def latest_version
  reported = T.must(version_report.latest_version)
  candidate = version_unless_ignored(reported, current_version: dependency.version)

  raise AllVersionsIgnored if @raise_on_ignored && candidate.nil?

  candidate
end

#lowest_resolvable_security_fix_version ⇒ Object



# File 'lib/dependabot/pub/update_checker.rb', line 58

# Lowest version that both fixes the advisory and resolves.
#
# For pub these are the same thing, because `lowest_security_fix_version`
# is already derived from a resolution (the dependency-services "smallest
# update"), so this simply delegates after a sanity check.
#
# @return [Dependabot::Version, nil] see #lowest_security_fix_version
# @raise [RuntimeError] if called for a dependency that is not vulnerable;
#   callers are expected to check `vulnerable?` first.
def lowest_resolvable_security_fix_version
  unless vulnerable?
    raise "Dependency not vulnerable!"
  end

  lowest_security_fix_version
end

#lowest_security_fix_version ⇒ Object



# File 'lib/dependabot/pub/update_checker.rb', line 42

# Smallest version bump that moves the dependency off the vulnerable range.
#
# @return [Dependabot::Version, nil]
#   - nil for git-pinned dependencies (security updates are not attempted
#     for git sources, since a revision is not comparable to a version);
#   - the current version, filtered through the ignore rules, when the
#     dependency is not vulnerable — we deliberately stay put;
#   - otherwise the version the pub dependency-services helper proposes for
#     this dependency in its smallest-update plan, again filtered through the
#     ignore rules;
#   - nil when the helper returns no plan.
# @raise [TypeError] via `T.must`/`T.cast` if the plan lacks an entry for this
#   dependency or the chosen version is ignored (nil); this mirrors the
#   original's runtime checks and is not caught here.
def lowest_security_fix_version
  current = T.must(dependency.version)

  # Git revisions are never updated by the security path.
  return nil if git_revision?(current)

  # Not vulnerable: the "fix" is the version we are already on.
  return T.cast(version_unless_ignored(current), Dependabot::Version) unless vulnerable?

  # NOTE(review): the plan comes from an external helper process; its shape
  # ("name"/"version" keys per entry) is assumed here, not validated.
  plan = dependency_services_smallest_update
  return nil if plan.nil?

  own_entry = plan.find { |candidate| candidate["name"] == dependency.name }
  fix_version = T.must(own_entry)["version"]

  T.cast(version_unless_ignored(fix_version), Dependabot::Version)
end

#updated_requirements ⇒ Object



# File 'lib/dependabot/pub/update_checker.rb', line 75

# Requirement changes needed in pubspec.yaml to reach either the
# lowest security-fix version (vulnerable dependency) or the latest
# resolvable version (regular update).
#
# @return [Array<Hash>] the updated requirement hashes for this dependency;
#   the ORIGINAL `dependency.requirements` when the security fix would need
#   constraint bumps on more than one package (so that nothing is changed and
#   the failure surfaces as security_update_not_possible); `[]` when there is
#   no candidate entry at all.
def updated_requirements
  entry =
    if vulnerable?
      plan = dependency_services_smallest_update

      # Only one requirement update can be returned from here, so count how
      # many packages the smallest fix plan would need to re-constrain.
      constraint_bumps = plan&.select do |upd|
        upd["previousConstraint"] != upd["constraintBumpedIfNeeded"]
      end

      # Unlocking other packages is unsupported: hand back the current
      # requirements untouched so the security update is reported as not
      # possible instead of being silently half-applied.
      # NOTE(review): a single bump on a package *other* than this dependency
      # still passes this guard — confirm that is the intended behaviour.
      return dependency.requirements if constraint_bumps && constraint_bumps.size > 1

      plan&.find { |upd| upd["name"] == dependency.name }
    else
      version_report.latest_resolvable_version_hash
    end

  return [] unless entry

  parsed = parse_updated_dependency(entry, resolved_requirements_update_strategy)
  parsed.requirements
end