From 984a26743d943da6f2e62a69b285750471d303b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Rodr=C3=ADguez?=
Date: Tue, 8 Nov 2022 18:43:14 +0100
Subject: [PATCH] Fix updating GitHub Actions with mixed versions

---
 .../file_parsers/base/dependency_set.rb | 31 ++++++++++++-------
 .../file_parsers/base/dependency_set_spec.rb | 4 +--
 .../github_actions/update_checker.rb | 3 +-
 .../spec/dependabot/maven/file_parser_spec.rb | 2 +-
 .../dependabot/npm_and_yarn/helpers_spec.rb | 2 +-
 .../spec/dependabot/nuget/file_parser_spec.rb | 2 +-
 6 files changed, 25 insertions(+), 19 deletions(-)

diff --git a/common/lib/dependabot/file_parsers/base/dependency_set.rb b/common/lib/dependabot/file_parsers/base/dependency_set.rb
index ee466fe3b9..f4dce87c42 100644
--- a/common/lib/dependabot/file_parsers/base/dependency_set.rb
+++ b/common/lib/dependabot/file_parsers/base/dependency_set.rb
@@ -117,19 +117,10 @@ def <<(dep)
 # Produces a new dependency by merging the attributes of `old_dep` with those of
 # `new_dep`. Requirements and subdependency metadata will be combined and deduped.
- # The version of the combined dependency is determined by the logic below.
+ # The version of the combined dependency is determined by the
+ # `#combined_version` method below.
 def combined_dependency(old_dep, new_dep)
- version = if old_dep.top_level? # Prefer a direct dependency over a transitive one
- old_dep.version || new_dep.version
- elsif !version_class.correct?(new_dep.version)
- old_dep.version
- elsif !version_class.correct?(old_dep.version)
- new_dep.version
- elsif version_class.new(new_dep.version) > version_class.new(old_dep.version)
- old_dep.version
- else
- new_dep.version
- end
+ version = combined_version(old_dep, new_dep)
 requirements = (old_dep.requirements + new_dep.requirements).uniq
 subdependency_metadata = (
 (old_dep.subdependency_metadata || []) +
@@ -145,6 +136,22 @@ def combined_dependency(old_dep, new_dep)
 )
 end
+ def combined_version(old_dep, new_dep)
+ if old_dep.version.nil? ^ new_dep.version.nil?
+ [old_dep, new_dep].find(&:version).version
+ elsif old_dep.top_level? ^ new_dep.top_level? # Prefer a direct dependency over a transitive one
+ [old_dep, new_dep].find(&:top_level?).version
+ elsif !version_class.correct?(new_dep.version)
+ old_dep.version
+ elsif !version_class.correct?(old_dep.version)
+ new_dep.version
+ elsif version_class.new(new_dep.version) > version_class.new(old_dep.version)
+ old_dep.version
+ else
+ new_dep.version
+ end
+ end
+
 def version_class
 @version_class ||= Utils.version_class_for_package_manager(@combined.package_manager)
 end
diff --git a/common/spec/dependabot/file_parsers/base/dependency_set_spec.rb b/common/spec/dependabot/file_parsers/base/dependency_set_spec.rb
index f6c4b0161b..fe516fdee4 100644
--- a/common/spec/dependabot/file_parsers/base/dependency_set_spec.rb
+++ b/common/spec/dependabot/file_parsers/base/dependency_set_spec.rb
@@ -301,7 +301,7 @@
 expect(dependency_set.dependency_for_name("foo")).to eq(
 Dependabot::Dependency.new(
 name: "foo",
- version: "1.0",
+ version: "1.1",
 requirements: (
 foo_v1.requirements +
 foo_sha.requirements +
@@ -325,7 +325,7 @@
 expect(combined_set.dependency_for_name("foo")).to eq(
 Dependabot::Dependency.new(
 name: "foo",
- version: "1.0",
+ version: "1.1",
 requirements: (
 foo_v1.requirements +
 foo_sha.requirements +
diff --git a/github_actions/lib/dependabot/github_actions/update_checker.rb b/github_actions/lib/dependabot/github_actions/update_checker.rb
index 722587f393..6a4a589333 100644
--- a/github_actions/lib/dependabot/github_actions/update_checker.rb
+++ b/github_actions/lib/dependabot/github_actions/update_checker.rb
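Review bot: The first branch of the new `combined_version` only handles the case where exactly one version is nil (`^`); when both `old_dep.version` and `new_dep.version` are nil, control falls through to `version_class.correct?(nil)` and possibly `version_class.new(nil)`, whereas the logic removed from `combined_dependency` returned nil for a top-level dependency via `old_dep.version || new_dep.version`. Rewriting the first branch as `if old_dep.version.nil? || new_dep.version.nil?` with body `old_dep.version || new_dep.version` keeps the one-nil behaviour and yields nil for both-nil without consulting the version class. The method also has no header comment, and the final comparison deliberately keeps the lower of two parseable versions, which is easy to misread as an inverted condition; a comment such as `# Picks the version for a merged dependency: the only non-nil one, else the direct (top-level) one, else the lower of the two parseable versions.` would make that intent explicit. Whether `top_level?` always returns a strict boolean, which `^` relies on, cannot be seen from this hunk.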
@@ -33,10 +33,9 @@ def lowest_resolvable_security_fix_version
 lowest_security_fix_version
 end
- def updated_requirements # rubocop:disable Metrics/PerceivedComplexity
+ def updated_requirements
 previous = dependency_source_details
 updated = updated_source
- return dependency.requirements if updated == previous
 # Maintain a short git hash only if it matches the latest
 if previous[:type] == "git" &&
diff --git a/maven/spec/dependabot/maven/file_parser_spec.rb b/maven/spec/dependabot/maven/file_parser_spec.rb
index e023668c2e..f892b0f4ca 100644
--- a/maven/spec/dependabot/maven/file_parser_spec.rb
+++ b/maven/spec/dependabot/maven/file_parser_spec.rb
@@ -628,7 +628,7 @@
 expect(dependency).to be_a(Dependabot::Dependency)
 expect(dependency.name).
 to eq("org.apache.maven.plugins:maven-javadoc-plugin")
- expect(dependency.version).to eq("3.0.0-M1")
+ expect(dependency.version).to eq("2.10.4")
 expect(dependency.requirements).to eq(
 [{
 requirement: "3.0.0-M1",
diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/helpers_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/helpers_spec.rb
index 478f154acc..0838f5d744 100644
--- a/npm_and_yarn/spec/dependabot/npm_and_yarn/helpers_spec.rb
+++ b/npm_and_yarn/spec/dependabot/npm_and_yarn/helpers_spec.rb
@@ -143,7 +143,7 @@
 ),
 Dependabot::Dependency.new(
 name: "bar",
- version: "0.2.3",
+ version: "0.2.1",
 requirements: (bar_c.requirements + bar_b.requirements + bar_a.requirements).uniq,
 package_manager: "npm_and_yarn",
 metadata: { all_versions: [bar_c, bar_b, bar_a] }
diff --git a/nuget/spec/dependabot/nuget/file_parser_spec.rb b/nuget/spec/dependabot/nuget/file_parser_spec.rb
index ac4192a7ff..c00047a199 100644
--- a/nuget/spec/dependabot/nuget/file_parser_spec.rb
+++ b/nuget/spec/dependabot/nuget/file_parser_spec.rb
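Review bot: Removing `return dependency.requirements if updated == previous` makes the rest of `updated_requirements` run even when the resolved source is unchanged, and nothing in the hunk records why that is now required, so a later reader is likely to reintroduce the short-circuit. A comment at the removal point, e.g. `# Intentionally no early return when updated == previous: a workflow can pin the same action at several versions/refs, and those requirements still need rewriting`, would preserve the intent. That rationale is inferred from the commit subject ("mixed versions") rather than visible here, so confirm it against the spec that covers this case before wording the comment. The body of `updated_requirements` continues past the end of the hunk.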
@@ -80,7 +80,7 @@
 it "has the right details" do
 expect(dependency).to be_a(Dependabot::Dependency)
 expect(dependency.name).to eq("Microsoft.Extensions.DependencyModel")
- expect(dependency.version).to eq("1.1.1")
+ expect(dependency.version).to eq("1.0.1")
 expect(dependency.requirements).to eq(
 [{
 requirement: "1.1.1",