Merge pull request #7464 from dependabot/deivid-rodriguez/refactor-de…

…pendency-source-management Allow `GitCommitChecker` to check subdependencies too
dependabot · Jul 17, 2023 · f58953d · f58953d
2 parents b76547c + 40b4473
commit f58953d
Show file tree

Hide file tree

Showing 12 changed files with 76 additions and 81 deletions.
diff --git a/bundler/lib/dependabot/bundler/metadata_finder.rb b/bundler/lib/dependabot/bundler/metadata_finder.rb
@@ -50,13 +50,7 @@ def suggested_changelog_url
       end
 
       def new_source_type
-        sources =
-          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
-
-        return "default" if sources.empty?
-        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-
-        sources.first[:type] || sources.first.fetch("type")
+        dependency.source_type
       end
 
       def find_source_from_rubygems

diff --git a/bundler/lib/dependabot/bundler/update_checker.rb b/bundler/lib/dependabot/bundler/update_checker.rb
@@ -306,12 +306,7 @@ def updated_source
       end
 
       def dependency_source_details
-        sources =
-          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
-
-        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-
-        sources.first
+        dependency.source_details
       end
 
       def force_updater

diff --git a/cargo/lib/dependabot/cargo/metadata_finder.rb b/cargo/lib/dependabot/cargo/metadata_finder.rb
@@ -21,13 +21,7 @@ def look_up_source
       end
 
       def new_source_type
-        sources =
-          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
-
-        return "default" if sources.empty?
-        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-
-        sources.first[:type] || sources.first.fetch("type")
+        dependency.source_type
       end
 
       def find_source_from_crates_listing

diff --git a/cargo/lib/dependabot/cargo/update_checker.rb b/cargo/lib/dependabot/cargo/update_checker.rb
@@ -260,12 +260,7 @@ def updated_source
       end
 
       def dependency_source_details
-        sources =
-          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
-
-        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-
-        sources.first
+        dependency.source_details
       end
 
       def git_dependency?
@@ -279,12 +274,7 @@ def git_subdependency?
       end
 
       def path_dependency?
-        sources = dependency.requirements.
-                  map { |r| r.fetch(:source) }.uniq.compact
-
-        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-
-        sources.first&.fetch(:type) == "path"
+        dependency.source_type == "path"
       end
 
       def git_commit_checker

diff --git a/common/lib/dependabot/dependency.rb b/common/lib/dependabot/dependency.rb
@@ -211,6 +211,36 @@ def version_class
       Utils.version_class_for_package_manager(package_manager)
     end
 
+    def source_details(allowed_types: nil)
+      sources = all_sources.uniq.compact
+      sources.select! { |source| allowed_types.include?(source[:type].to_s) } if allowed_types
+
+      git = allowed_types == ["git"]
+
+      if (git && sources.map { |s| s[:url] }.uniq.count > 1) || (!git && sources.count > 1)
+        raise "Multiple sources! #{sources.join(', ')}"
+      end
+
+      sources.first
+    end
+
+    def source_type
+      details = source_details
+      return "default" if details.nil?
+
+      details[:type] || details.fetch("type")
+    end
+
+    def all_sources
+      if top_level?
+        requirements.map { |requirement| requirement.fetch(:source) }
+      elsif subdependency_metadata
+        subdependency_metadata.filter_map { |data| data[:source] }
+      else
+        []
+      end
+    end
+
     private
 
     def check_values

diff --git a/common/lib/dependabot/git_commit_checker.rb b/common/lib/dependabot/git_commit_checker.rb
@@ -163,21 +163,7 @@ def git_repo_reachable?
     end
 
     def dependency_source_details
-      sources =
-        dependency.requirements.
-        map { |requirement| requirement.fetch(:source) }.uniq.compact.
-        select { |source| source[:type] == "git" }
-
-      return sources.first if sources.count <= 1
-
-      # If there are multiple source URLs, then it's unclear how we should
-      # proceed
-      raise "Multiple sources! #{sources.join(', ')}" if sources.map { |s| s[:url] }.uniq.count > 1
-
-      # Otherwise it's reasonable to take the first source and use that. This
-      # will happen if we have multiple git sources with difference references
-      # specified. In that case it's fine to update them all.
-      sources.first
+      dependency.source_details(allowed_types: ["git"])
     end
 
     private

diff --git a/common/lib/dependabot/update_checkers/base.rb b/common/lib/dependabot/update_checkers/base.rb
@@ -164,7 +164,8 @@ def updated_dependency_without_unlock
           requirements: dependency.requirements,
           previous_version: previous_version,
           previous_requirements: dependency.requirements,
-          package_manager: dependency.package_manager
+          package_manager: dependency.package_manager,
+          subdependency_metadata: dependency.subdependency_metadata
         )
       end
 
@@ -178,7 +179,8 @@ def updated_dependency_with_own_req_unlock
           requirements: updated_requirements,
           previous_version: previous_version,
           previous_requirements: dependency.requirements,
-          package_manager: dependency.package_manager
+          package_manager: dependency.package_manager,
+          subdependency_metadata: dependency.subdependency_metadata
         )
       end
 

diff --git a/hex/lib/dependabot/hex/metadata_finder.rb b/hex/lib/dependabot/hex/metadata_finder.rb
@@ -26,13 +26,7 @@ def look_up_source
       end
 
       def new_source_type
-        sources =
-          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
-
-        return "default" if sources.empty?
-        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-
-        sources.first[:type] || sources.first.fetch("type")
+        dependency.source_type
       end
 
       def find_source_from_hex_listing

diff --git a/hex/lib/dependabot/hex/update_checker.rb b/hex/lib/dependabot/hex/update_checker.rb
@@ -162,12 +162,7 @@ def updated_source
       end
 
       def dependency_source_details
-        sources =
-          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
-
-        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-
-        sources.first
+        dependency.source_details
       end
 
       def fetch_latest_resolvable_version(unlock_requirement:)

diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker_spec.rb
@@ -2052,4 +2052,36 @@ def eq_including_metadata(expected_array)
       expect(updated_deps[0].name).to eq("is-stream")
     end
   end
+  context "if yarn berry subdependency, with subdependency metadata" do
+    let(:project_name) { "yarn_berry/subdependency" }
+    let(:repo_contents_path) { build_tmp_repo(project_name, path: "projects") }
+    let(:registry_listing_url) { "https://registry.npmjs.org/is-stream" }
+    let(:registry_response) do
+      fixture("npm_responses", "is-stream.json")
+    end
+    before do
+      stub_request(:get, registry_listing_url).
+        to_return(status: 200, body: registry_response)
+      stub_request(:get, registry_listing_url + "/latest").
+        to_return(status: 200, body: "{}")
+      stub_request(:get, registry_listing_url + "/3.0.0").
+        to_return(status: 200)
+    end
+    let(:dependency_files) { project_dependency_files("yarn_berry/subdependency") }
+    let(:dependency) do
+      Dependabot::Dependency.new(
+        name: "is-stream",
+        version: "1.0.1",
+        requirements: [],
+        package_manager: "npm_and_yarn",
+        subdependency_metadata: [{ production: false }]
+      )
+    end
+    it "returns 1 dependencies to update to the correct version" do
+      updated_deps = checker.updated_dependencies(requirements_to_unlock: :own)
+      expect(updated_deps.length).to eq(1)
+      expect(updated_deps[0].version).to eq("1.1.0")
+      expect(updated_deps[0].name).to eq("is-stream")
+    end
+  end
 end
diff --git a/terraform/lib/dependabot/terraform/metadata_finder.rb b/terraform/lib/dependabot/terraform/metadata_finder.rb
@@ -21,13 +21,7 @@ def look_up_source
       end
 
       def new_source_type
-        sources =
-          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
-
-        return "default" if sources.empty?
-        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-
-        sources.first[:type] || sources.first.fetch("type")
+        dependency.source_type
       end
 
       def find_source_from_git_url

diff --git a/terraform/lib/dependabot/terraform/update_checker.rb b/terraform/lib/dependabot/terraform/update_checker.rb
@@ -169,11 +169,7 @@ def provider_dependency?
       end
 
       def dependency_source_details
-        sources = eligible_sources_from(dependency.requirements)
-
-        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
-
-        sources.first
+        dependency.source_details(allowed_types: ELIGIBLE_SOURCE_TYPES)
       end
 
       def git_dependency?
@@ -189,13 +185,6 @@ def git_commit_checker
             raise_on_ignored: raise_on_ignored
           )
       end
-
-      def eligible_sources_from(requirements)
-        requirements.
-          map { |r| r.fetch(:source) }.
-          select { |source| ELIGIBLE_SOURCE_TYPES.include?(source[:type].to_s) }.
-          uniq.compact
-      end
     end
   end
 end