Fix lockfile-only versioning strategy not creating some updates that are expected (v2)

bin/dry-run.rb

@@ -115,7 +115,6 @@
   cache_steps: [],
   write: false,
   clone: false,
-  lockfile_only: false,
   reject_external_code: false,
   requirements_update_strategy: nil,
   commit: nil,
@@ -186,15 +185,11 @@
     $options[:write] = true
   end
 
-  opts.on("--lockfile-only", "Only update the lockfile") do |_value|
-    $options[:lockfile_only] = true
-  end
-
   opts.on("--reject-external-code", "Reject external code") do |_value|
     $options[:reject_external_code] = true
   end
 
-  opts_req_desc = "Options: auto, widen_ranges, bump_versions or " \
+  opts_req_desc = "Options: lockfile_only, auto, widen_ranges, bump_versions or " \
                   "bump_versions_if_necessary"
   opts.on("--requirements-update-strategy STRATEGY", opts_req_desc) do |value|
     value = nil if value == "auto"
@@ -695,7 +690,7 @@ def security_fix?(dependency)
   puts " => latest allowed version is #{latest_allowed_version || dep.version}"
 
   requirements_to_unlock =
-    if $options[:lockfile_only] || !checker.requirements_unlocked_or_can_be?
+    if !checker.requirements_unlocked_or_can_be?
       if checker.can_update?(requirements_to_unlock: :none) then :none
       else
         :update_not_possible

bundler/lib/dependabot/bundler/update_checker.rb

@@ -73,8 +73,10 @@ def updated_requirements
       end
 
       def requirements_unlocked_or_can_be?
-        dependency.requirements.
-          select { |r| requirement_class.new(r[:requirement]).specific? }.
+        return true if requirements_unlocked?
+        return false if requirements_update_strategy == :lockfile_only
+
+        dependency.specific_requirements.
           all? do |req|
             file = dependency_files.find { |f| f.name == req.fetch(:file) }
             updated = FileUpdater::RequirementReplacer.new(
@@ -109,6 +111,10 @@ def conflicting_dependencies
 
       private
 
+      def requirements_unlocked?
+        dependency.specific_requirements.none?
+      end
+
       def latest_version_resolvable_with_full_unlock?
         return false unless latest_version
 

bundler/lib/dependabot/bundler/update_checker/requirements_updater.rb

@@ -9,7 +9,7 @@ class RequirementsUpdater
         class UnfixableRequirement < StandardError; end
 
         ALLOWED_UPDATE_STRATEGIES =
-          %i(bump_versions bump_versions_if_necessary).freeze
+          %i(lockfile_only bump_versions bump_versions_if_necessary).freeze
 
         def initialize(requirements:, update_strategy:, updated_source:,
                        latest_version:, latest_resolvable_version:)
@@ -27,6 +27,8 @@ def initialize(requirements:, update_strategy:, updated_source:,
         end
 
         def updated_requirements
+          return requirements if update_strategy == :lockfile_only
+
           requirements.map do |req|
             if req[:file].include?(".gemspec")
               update_gemspec_requirement(req)

bundler/spec/dependabot/bundler/update_checker/requirements_updater_spec.rb

@@ -505,5 +505,13 @@
         end
       end
     end
+
+    context "when lockfile_only configured" do
+      let(:update_strategy) { :lockfile_only }
+
+      it "does not change any requirements" do
+        expect(updated_requirements).to eq(requirements)
+      end
+    end
   end
 end

bundler/spec/dependabot/bundler/update_checker_spec.rb

@@ -16,7 +16,8 @@
       dependency_files: dependency_files,
       credentials: credentials,
       ignored_versions: ignored_versions,
-      security_advisories: security_advisories
+      security_advisories: security_advisories,
+      requirements_update_strategy: requirements_update_strategy
     )
   end
   let(:credentials) do
@@ -33,6 +34,7 @@
   let(:directory) { "/" }
   let(:ignored_versions) { [] }
   let(:security_advisories) { [] }
+  let(:requirements_update_strategy) { nil }
 
   let(:dependency) do
     Dependabot::Dependency.new(
@@ -1795,6 +1797,12 @@
       end
 
       it { is_expected.to eq(true) }
+
+      context "and with the lockfile-only requirements update strategy set" do
+        let(:requirements_update_strategy) { :lockfile_only }
+
+        it { is_expected.to eq(true) }
+      end
     end
 
     context "with a sub-dependency" do
@@ -1821,6 +1829,12 @@
 
         it { is_expected.to eq(true) }
       end
+
+      context "but with the lockfile-only requirements update strategy set" do
+        let(:requirements_update_strategy) { :lockfile_only }
+
+        it { is_expected.to eq(false) }
+      end
     end
 
     # For now we always let git dependencies through

cargo/lib/dependabot/cargo/update_checker.rb

@@ -75,7 +75,15 @@ def updated_requirements
         ).updated_requirements
       end
 
+      def requirements_unlocked_or_can_be?
+        requirements_update_strategy != :lockfile_only
+      end
+
       def requirements_update_strategy
+        # If passed in as an option (in the base class) honour that option
+        return @requirements_update_strategy.to_sym if @requirements_update_strategy
+
+        # Otherwise, widen ranges for libraries and bump versions for apps
         library? ? :bump_versions_if_necessary : :bump_versions
       end
 

cargo/lib/dependabot/cargo/update_checker/requirements_updater.rb

@@ -18,7 +18,7 @@ class UnfixableRequirement < StandardError; end
 
         VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-*]+)*/
         ALLOWED_UPDATE_STRATEGIES =
-          %i(bump_versions bump_versions_if_necessary).freeze
+          %i(lockfile_only bump_versions bump_versions_if_necessary).freeze
 
         def initialize(requirements:, updated_source:, update_strategy:,
                        target_version:)
@@ -34,6 +34,8 @@ def initialize(requirements:, updated_source:, update_strategy:,
         end
 
         def updated_requirements
+          return requirements if update_strategy == :lockfile_only
+
           # NOTE: Order is important here. The FileUpdater needs the updated
           # requirement at index `i` to correspond to the previous requirement
           # at the same index.

cargo/spec/dependabot/cargo/update_checker/requirements_updater_spec.rb

@@ -363,5 +363,13 @@
         end
       end
     end
+
+    context "for a lockfile_only strategy" do
+      let(:update_strategy) { :lockfile_only }
+
+      it "does not change any requirements" do
+        expect(updater.updated_requirements).to eq(requirements)
+      end
+    end
   end
 end

cargo/spec/dependabot/cargo/update_checker_spec.rb

@@ -23,13 +23,15 @@
       credentials: credentials,
       ignored_versions: ignored_versions,
       raise_on_ignored: raise_on_ignored,
-      security_advisories: security_advisories
+      security_advisories: security_advisories,
+      requirements_update_strategy: requirements_update_strategy
     )
   end
 
   let(:ignored_versions) { [] }
   let(:raise_on_ignored) { false }
   let(:security_advisories) { [] }
+  let(:requirements_update_strategy) { nil }
   let(:credentials) do
     [{
       "type" => "git_source",
@@ -483,4 +485,16 @@
       end
     end
   end
+
+  context "#requirements_unlocked_or_can_be?" do
+    subject { checker.requirements_unlocked_or_can_be? }
+
+    it { is_expected.to eq(true) }
+
+    context "with the lockfile-only requirements update strategy set" do
+      let(:requirements_update_strategy) { :lockfile_only }
+
+      it { is_expected.to eq(false) }
+    end
+  end
 end

common/lib/dependabot/dependency.rb

@@ -199,6 +199,10 @@ def eql?(other)
       self == other
     end
 
+    def specific_requirements
+      requirements.select { |r| requirement_class.new(r[:requirement]).specific? }
+    end
+
     def requirement_class
       Utils.requirement_class_for_package_manager(package_manager)
     end

composer/lib/dependabot/composer/update_checker.rb

@@ -68,6 +68,10 @@ def updated_requirements
         ).updated_requirements
       end
 
+      def requirements_unlocked_or_can_be?
+        requirements_update_strategy != :lockfile_only
+      end
+
       def requirements_update_strategy
         # If passed in as an option (in the base class) honour that option
         return @requirements_update_strategy.to_sym if @requirements_update_strategy

composer/lib/dependabot/composer/update_checker/requirements_updater.rb

@@ -19,7 +19,7 @@ class RequirementsUpdater
         OR_SEPARATOR = /(?<=[a-zA-Z0-9*])[\s,]*\|\|?\s*/
         SEPARATOR = /(?:#{AND_SEPARATOR})|(?:#{OR_SEPARATOR})/
         ALLOWED_UPDATE_STRATEGIES =
-          %i(widen_ranges bump_versions bump_versions_if_necessary).freeze
+          %i(lockfile_only widen_ranges bump_versions bump_versions_if_necessary).freeze
 
         def initialize(requirements:, update_strategy:,
                        latest_resolvable_version:)
@@ -35,6 +35,7 @@ def initialize(requirements:, update_strategy:,
         end
 
         def updated_requirements
+          return requirements if update_strategy == :lockfile_only
           return requirements unless latest_resolvable_version
 
           requirements.map { |req| updated_requirement(req) }

composer/spec/dependabot/composer/update_checker/requirements_updater_spec.rb

@@ -705,5 +705,13 @@
         end
       end
     end
+
+    context "with lockfile_only as the update strategy" do
+      let(:update_strategy) { :lockfile_only }
+
+      it "does not update any requirements" do
+        expect(updater.updated_requirements).to eq(requirements)
+      end
+    end
   end
 end

composer/spec/dependabot/composer/update_checker_spec.rb

@@ -16,7 +16,8 @@
       credentials: credentials,
       ignored_versions: ignored_versions,
       raise_on_ignored: raise_on_ignored,
-      security_advisories: security_advisories
+      security_advisories: security_advisories,
+      requirements_update_strategy: requirements_update_strategy
     )
   end
 
@@ -31,6 +32,7 @@
   let(:ignored_versions) { [] }
   let(:raise_on_ignored) { false }
   let(:security_advisories) { [] }
+  let(:requirements_update_strategy) { nil }
   let(:dependency_name) { "monolog/monolog" }
   let(:dependency_version) { "1.0.1" }
   let(:requirements) do
@@ -871,4 +873,16 @@
       end
     end
   end
+
+  context "#requirements_unlocked_or_can_be?" do
+    subject { checker.requirements_unlocked_or_can_be? }
+
+    it { is_expected.to eq(true) }
+
+    context "with the lockfile-only requirements update strategy set" do
+      let(:requirements_update_strategy) { :lockfile_only }
+
+      it { is_expected.to eq(false) }
+    end
+  end
 end

npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker.rb

@@ -102,6 +102,10 @@ def updated_requirements
           ).updated_requirements
       end
 
+      def requirements_unlocked_or_can_be?
+        requirements_update_strategy != :lockfile_only
+      end
+
       def requirements_update_strategy
         # If passed in as an option (in the base class) honour that option
         return @requirements_update_strategy.to_sym if @requirements_update_strategy

npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb

@@ -15,7 +15,7 @@ class UpdateChecker
       class RequirementsUpdater
         VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/
         SEPARATOR = /(?<=[a-zA-Z0-9*])[\s|]+(?![\s|-])/
-        ALLOWED_UPDATE_STRATEGIES = %i(widen_ranges bump_versions bump_versions_if_necessary).freeze
+        ALLOWED_UPDATE_STRATEGIES = %i(lockfile_only widen_ranges bump_versions bump_versions_if_necessary).freeze
 
         def initialize(requirements:, updated_source:, update_strategy:,
                        latest_resolvable_version:)
@@ -32,6 +32,8 @@ def initialize(requirements:, updated_source:, update_strategy:,
         end
 
         def updated_requirements
+          return requirements if update_strategy == :lockfile_only
+
           requirements.map do |req|
             req = req.merge(source: updated_source)
             next req unless latest_resolvable_version

npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/requirements_updater_spec.rb

@@ -606,5 +606,13 @@
         end
       end
     end
+
+    context "for a requirement being left alone" do
+      let(:update_strategy) { :lockfile_only }
+
+      it "does not update any requirements" do
+        expect(updater.updated_requirements).to eq(requirements)
+      end
+    end
   end
 end

npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker_spec.rb

@@ -30,11 +30,13 @@
       credentials: credentials,
       ignored_versions: ignored_versions,
       security_advisories: security_advisories,
+      requirements_update_strategy: requirements_update_strategy,
       options: options
     )
   end
   let(:ignored_versions) { [] }
   let(:security_advisories) { [] }
+  let(:requirements_update_strategy) { nil }
   let(:dependency_files) { project_dependency_files("npm6/no_lockfile") }
   let(:options) { {} }
 
@@ -1214,6 +1216,18 @@
     end
   end
 
+  context "#requirements_unlocked_or_can_be?" do
+    subject { checker.requirements_unlocked_or_can_be? }
+
+    it { is_expected.to eq(true) }
+
+    context "with the lockfile-only requirements update strategy set" do
+      let(:requirements_update_strategy) { :lockfile_only }
+
+      it { is_expected.to eq(false) }
+    end
+  end
+
   context "#updated_dependencies_after_full_unlock" do
     let(:dependency_files) { project_dependency_files("npm6/no_lockfile") }
     let(:dependency) do

python/lib/dependabot/python/update_checker.rb

@@ -78,6 +78,10 @@ def updated_requirements
         ).updated_requirements
       end
 
+      def requirements_unlocked_or_can_be?
+        requirements_update_strategy != :lockfile_only
+      end
+
       def requirements_update_strategy
         # If passed in as an option (in the base class) honour that option
         return @requirements_update_strategy.to_sym if @requirements_update_strategy

python/lib/dependabot/python/update_checker/requirements_updater.rb

@@ -30,6 +30,8 @@ def initialize(requirements:, update_strategy:, has_lockfile:,
         end
 
         def updated_requirements
+          return requirements if update_strategy == :lockfile_only
+
           requirements.map do |req|
             case req[:file]
             when /setup\.(?:py|cfg)$/ then updated_setup_requirement(req)