Merge branch 'main' into markhallen/strict-type-logger-formats

dependabot · Feb 4, 2025 · 8edd365 · 8edd365
2 parents d3026c6 + fc8025f
commit 8edd365
Show file tree

Hide file tree

Showing 22 changed files with 223 additions and 4 deletions.
diff --git a/.github/ci-filters.yml b/.github/ci-filters.yml
@@ -45,6 +45,9 @@ gradle:
 hex:
   - *shared
   - 'hex/**'
+javascript:
+  - *shared
+  - 'javascript/**'
 maven:
   - *shared
   - 'maven/**'

diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -40,7 +40,9 @@
 
 "L: javascript":
 - changed-files:
-  - any-glob-to-any-file: npm_and_yarn/**
+  - any-glob-to-any-file:
+    - javascript/**
+    - npm_and_yarn/**
 
 "L: java:gradle":
 - changed-files:

diff --git a/.github/smoke-filters.yml b/.github/smoke-filters.yml
@@ -38,6 +38,9 @@ gradle:
 hex:
   - *common
   - 'hex/**'
+javascript:
+  - *common
+  - 'javascript/**'
 maven:
   - *common
   - 'maven/**'

diff --git a/Dockerfile.updater-core b/Dockerfile.updater-core
@@ -94,6 +94,7 @@ COPY --chown=dependabot:dependabot github_actions/.bundle github_actions/dependa
 COPY --chown=dependabot:dependabot go_modules/.bundle go_modules/dependabot-go_modules.gemspec go_modules/
 COPY --chown=dependabot:dependabot gradle/.bundle gradle/dependabot-gradle.gemspec gradle/
 COPY --chown=dependabot:dependabot hex/.bundle hex/dependabot-hex.gemspec hex/
+COPY --chown=dependabot:dependabot javascript/.bundle javascript/dependabot-bun.gemspec javascript/
 COPY --chown=dependabot:dependabot maven/.bundle maven/dependabot-maven.gemspec maven/
 COPY --chown=dependabot:dependabot npm_and_yarn/.bundle npm_and_yarn/dependabot-npm_and_yarn.gemspec npm_and_yarn/
 COPY --chown=dependabot:dependabot nuget/.bundle nuget/dependabot-nuget.gemspec nuget/
@@ -104,7 +105,7 @@ COPY --chown=dependabot:dependabot swift/.bundle swift/dependabot-swift.gemspec
 COPY --chown=dependabot:dependabot terraform/.bundle terraform/dependabot-terraform.gemspec terraform/
 
 # prevent having all the source in every ecosystem image
-RUN for ecosystem in git_submodules terraform github_actions hex elm docker nuget maven gradle cargo composer go_modules python pub npm_and_yarn bundler silent swift devcontainers dotnet_sdk; do \
+RUN for ecosystem in git_submodules terraform github_actions hex elm docker nuget maven gradle cargo composer go_modules python pub npm_and_yarn bundler silent swift devcontainers dotnet_sdk javascript; do \
     mkdir -p $ecosystem/lib/dependabot; \
     touch $ecosystem/lib/dependabot/$ecosystem.rb; \
   done

diff --git a/Rakefile b/Rakefile
@@ -35,6 +35,7 @@ GEMSPECS = %w(
   swift/dependabot-swift.gemspec
   devcontainers/dependabot-devcontainers.gemspec
   dotnet_sdk/dependabot-dotnet_sdk.gemspec
+  javascript/dependabot-bun.gemspec
 ).freeze
 
 def run_command(command)

diff --git a/bin/docker-dev-shell b/bin/docker-dev-shell
@@ -190,6 +190,12 @@ docker run --rm -ti \
   -v "$(pwd)/hex/lib:$CODE_DIR/hex/lib" \
   -v "$(pwd)/hex/script:$CODE_DIR/hex/script" \
   -v "$(pwd)/hex/spec:$CODE_DIR/hex/spec" \
+  -v "$(pwd)/javascript/.rubocop.yml:$CODE_DIR/javascript/.rubocop.yml" \
+  -v "$(pwd)/javascript/dependabot-javascript.gemspec:$CODE_DIR/javascript/dependabot-javascript.gemspec" \
+  -v "$(pwd)/javascript/helpers:$CODE_DIR/javascript/helpers" \
+  -v "$(pwd)/javascript/lib:$CODE_DIR/javascript/lib" \
+  -v "$(pwd)/javascript/script:$CODE_DIR/javascript/script" \
+  -v "$(pwd)/javascript/spec:$CODE_DIR/javascript/spec" \
   -v "$(pwd)/maven/.rubocop.yml:$CODE_DIR/maven/.rubocop.yml" \
   -v "$(pwd)/maven/dependabot-maven.gemspec:$CODE_DIR/maven/dependabot-maven.gemspec" \
   -v "$(pwd)/maven/lib:$CODE_DIR/maven/lib" \

diff --git a/bin/dry-run.rb b/bin/dry-run.rb
@@ -37,6 +37,7 @@
 # - swift
 # - devcontainers
 # - dotnet_sdk
+# - bun
 
 # rubocop:disable Style/GlobalVars
 
@@ -63,6 +64,7 @@
 $LOAD_PATH << "./go_modules/lib"
 $LOAD_PATH << "./gradle/lib"
 $LOAD_PATH << "./hex/lib"
+$LOAD_PATH << "./javascript/lib"
 $LOAD_PATH << "./maven/lib"
 $LOAD_PATH << "./npm_and_yarn/lib"
 $LOAD_PATH << "./nuget/lib"
@@ -109,6 +111,7 @@
 require "dependabot/go_modules"
 require "dependabot/gradle"
 require "dependabot/hex"
+require "dependabot/javascript"
 require "dependabot/maven"
 require "dependabot/npm_and_yarn"
 require "dependabot/nuget"

diff --git a/common/lib/dependabot/config/file.rb b/common/lib/dependabot/config/file.rb
@@ -58,6 +58,7 @@ def self.parse(config)
       private
 
       PACKAGE_MANAGER_LOOKUP = T.let({
+        "bun" => "bun",
         "bundler" => "bundler",
         "cargo" => "cargo",
         "composer" => "composer",

diff --git a/common/lib/dependabot/errors.rb b/common/lib/dependabot/errors.rb
@@ -251,6 +251,11 @@ def self.updater_error_details(error)
           "file-path": error.file_path
         }
       }
+    when Dependabot::DependencyFileContentNotChanged
+      {
+        "error-type": "dependency_file_content_not_changed",
+        "error-detail": { message: error.message }
+      }
     when Dependabot::ToolVersionNotSupported
       {
         "error-type": "tool_version_not_supported",
@@ -641,6 +646,8 @@ class DependencyFileNotResolvable < DependabotError; end
 
   class DependencyFileNotSupported < DependabotError; end
 
+  class DependencyFileContentNotChanged < DependabotError; end
+
   class BadRequirementError < Gem::Requirement::BadRequirementError; end
 
   #######################

diff --git a/dotnet_sdk/spec/spec_helper.rb b/dotnet_sdk/spec/spec_helper.rb
@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 def common_dir

diff --git a/javascript/.bundle/config b/javascript/.bundle/config
@@ -0,0 +1 @@
+BUNDLE_GEMFILE: "../dependabot-updater/Gemfile"
diff --git a/javascript/.gitignore b/javascript/.gitignore
@@ -0,0 +1,7 @@
+.bundle/*
+!.bundle/config
+/.env
+/tmp
+/dependabot-*.gem
+/helpers/node_modules
+/helpers/install-dir
diff --git a/javascript/.rubocop.yml b/javascript/.rubocop.yml
@@ -0,0 +1 @@
+inherit_from: ../.rubocop.yml
diff --git a/javascript/Dockerfile b/javascript/Dockerfile
@@ -0,0 +1,66 @@
+FROM ghcr.io/dependabot/dependabot-updater-core
+
+# Check for updates at https://github.com/nodejs/corepack/releases
+ARG COREPACK_VERSION=0.30.0
+
+# Check for updates at https://github.com/pnpm/pnpm/releases
+ARG PNPM_VERSION=9.15.3
+
+# Check for updates at https://github.com/yarnpkg/berry/releases
+ARG YARN_VERSION=4.5.3
+
+# Check for updates at https://github.com/oven-sh/bun/releases
+ARG BUN_VERSION=1.2
+
+# See https://github.com/nodesource/distributions#installation-instructions
+ARG NODEJS_VERSION=20
+
+# Check for updates at https://github.com/npm/cli/releases
+# This version should be compatible with the Node.js version declared above. See https://nodejs.org/en/download/releases as well
+# TODO: Upgrade to 9.6.7 depending on the outcome of https://github.com/npm/cli/issues/6742
+ARG NPM_VERSION=9.6.5
+
+# Install Node and npm
+RUN mkdir -p /etc/apt/keyrings \
+  && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
+  && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODEJS_VERSION}.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends \
+  nodejs \
+  && rm -rf /var/lib/apt/lists/* \
+  && npm install -g corepack@$COREPACK_VERSION \
+  && npm install -g corepack@$COREPACK_VERSION bun@$BUN_VERSION \
+  && rm -rf ~/.npm
+
+USER dependabot
+
+# Install pnpm and set it to a stable version
+RUN corepack install pnpm@$PNPM_VERSION --global
+
+# Install yarn berry and set it to a stable version
+RUN corepack install yarn@$YARN_VERSION --global
+
+# Install npm and set it to a stable version
+RUN corepack install npm@$NPM_VERSION --global
+
+ENV DEPENDABOT_NATIVE_HELPERS_PATH="/opt"
+COPY --chown=dependabot:dependabot npm_and_yarn/helpers /opt/npm_and_yarn/helpers
+RUN bash /opt/npm_and_yarn/helpers/build
+
+# START: HACKY WORKAROUND FOR NPM GIT INSTALLS SPAWNING CHILD PROCESS
+
+# TODO: Remove these hacks once we've deprecated npm 6 support as it no longer
+# spawns a child process to npm install git dependencies.
+
+# Create the config file manually instead of using yarn/npm config set as this
+# executes the package manager outputs to every job log
+COPY --chown=dependabot:dependabot updater/config/.yarnrc updater/config/.npmrc $DEPENDABOT_HOME/
+
+# For Yarn Berry we can set this via an environment variable
+ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
+
+# END: HACKY WORKAROUND FOR NPM GIT INSTALLS SPAWNING CHILD PROCESS
+
+COPY --chown=dependabot:dependabot npm_and_yarn $DEPENDABOT_HOME/npm_and_yarn
+COPY --chown=dependabot:dependabot common $DEPENDABOT_HOME/common
+COPY --chown=dependabot:dependabot updater $DEPENDABOT_HOME/dependabot-updater
diff --git a/javascript/README.md b/javascript/README.md
@@ -0,0 +1,18 @@
+## `dependabot-bun`
+
+Bun support for [`dependabot-core`][core-repo].
+
+### Running locally
+
+1. Start a development shell
+
+  ```
+  $ bin/docker-dev-shell javascript
+  ```
+
+2. Run tests
+   ```
+   [dependabot-core-dev] ~ $ cd javascript && rspec
+   ```
+
+[core-repo]: https://github.com/dependabot/dependabot-core
diff --git a/javascript/dependabot-bun.gemspec b/javascript/dependabot-bun.gemspec
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+Gem::Specification.new do |spec|
+  common_gemspec =
+    Bundler.load_gemspec_uncached("../common/dependabot-common.gemspec")
+
+  spec.name         = "dependabot-bun"
+  spec.summary      = "Provides Dependabot support for Bun"
+  spec.description  = "Dependabot-bun provides support for bumping Javascript libraries using bun via " \
+                      "Dependabot. " \
+                      "If you want support for multiple package managers, you probably want the meta-gem " \
+                      "dependabot-omnibus."
+
+  spec.author       = common_gemspec.author
+  spec.email        = common_gemspec.email
+  spec.homepage     = common_gemspec.homepage
+  spec.license      = common_gemspec.license
+
+  spec.metadata = {
+    "bug_tracker_uri" => common_gemspec.metadata["bug_tracker_uri"],
+    "changelog_uri" => common_gemspec.metadata["changelog_uri"]
+  }
+
+  spec.version = common_gemspec.version
+  spec.required_ruby_version = common_gemspec.required_ruby_version
+  spec.required_rubygems_version = common_gemspec.required_ruby_version
+
+  spec.require_path = "lib"
+  spec.files        = []
+
+  spec.add_dependency "dependabot-common", Dependabot::VERSION
+  spec.add_dependency "zeitwerk", "~> 2.7"
+
+  common_gemspec.development_dependencies.each do |dep|
+    spec.add_development_dependency dep.name, *dep.requirement.as_list
+  end
+
+  next unless File.exist?("../.gitignore")
+
+  spec.files += `git -C #{__dir__} ls-files lib helpers -z`.split("\x0")
+end
diff --git a/javascript/script/ci-test b/javascript/script/ci-test
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -e
+
+bundle install
+bundle exec turbo_tests --verbose
diff --git a/javascript/spec/spec_helper.rb b/javascript/spec/spec_helper.rb
@@ -0,0 +1,18 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+extend T::Sig # rubocop:disable Style/MixinUsage
+
+sig { returns(String) }
+def common_dir
+  @common_dir ||= T.let(Gem::Specification.find_by_name("dependabot-common").gem_dir, T.nilable(String))
+end
+
+sig { params(path: String).void }
+def require_common_spec(path)
+  require "#{common_dir}/spec/dependabot/#{path}"
+end
+
+require "#{common_dir}/spec/spec_helper.rb"
diff --git a/python/lib/dependabot/python/file_updater/poetry_file_updater.rb b/python/lib/dependabot/python/file_updater/poetry_file_updater.rb
@@ -73,7 +73,7 @@ def updated_pyproject_content
             updated_content = replace_dep(dependency, updated_content, new_r, old_r)
           end
 
-          raise "Content did not change!" if content == updated_content
+          raise DependencyFileContentNotChanged, "Content did not change!" if content == updated_content
 
           updated_content
         end

diff --git a/python/spec/dependabot/python/file_updater/poetry_file_updater_spec.rb b/python/spec/dependabot/python/file_updater/poetry_file_updater_spec.rb
@@ -729,6 +729,36 @@
           end
         end
       end
+
+      context "when the requirement has not changed" do
+        let(:pyproject_fixture_name) { "caret_version.toml" }
+        let(:dependency) do
+          Dependabot::Dependency.new(
+            name: dependency_name,
+            version: "2.19.1",
+            previous_version: nil,
+            package_manager: "pip",
+            requirements: [{
+              requirement: "^2.19.1",
+              file: "pyproject.toml",
+              source: nil,
+              groups: ["dependencies"]
+            }],
+            previous_requirements: [{
+              requirement: ">=2.19.1",
+              file: "pyproject.toml",
+              source: nil,
+              groups: ["dependencies"]
+            }]
+          )
+        end
+
+        it "raises the correct error" do
+          expect do
+            updated_files.map(&:name)
+          end.to raise_error(Dependabot::DependencyFileContentNotChanged, "Content did not change!")
+        end
+      end
     end
 
     context "with a poetry.lock" do

diff --git a/updater/Gemfile b/updater/Gemfile
@@ -40,6 +40,8 @@ gem "terminal-table", "~> 3.0.2"
 
 gem "flamegraph", "~> 0.9.5"
 
+gem "zeitwerk", "~> 2.7"
+
 group :test do
   common_gemspec = File.expand_path("../common/dependabot-common.gemspec", __dir__)
 

diff --git a/updater/Gemfile.lock b/updater/Gemfile.lock
@@ -405,6 +405,7 @@ GEM
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
     webrick (1.8.2)
+    zeitwerk (2.7.1)
 
 PLATFORMS
   ruby
@@ -460,6 +461,7 @@ DEPENDENCIES
   vcr (~> 6.1)
   webmock (~> 3.18)
   webrick (>= 1.7)
+  zeitwerk (~> 2.7)
 
 BUNDLED WITH
    2.6.3
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		BUNDLE_GEMFILE: "../dependabot-updater/Gemfile"