Merge branch 'main' into mctofu/go-v1.16

.github/workflows/ci.yml

@@ -102,6 +102,11 @@ jobs:
         run: |
           docker run --rm "$CORE_CI_IMAGE" bash -c "cd /opt/npm_and_yarn && npm run lint"
           docker run --rm "$CORE_CI_IMAGE" bash -c "cd /opt/npm_and_yarn && npm test"
+      - name: Run bundler v1 native helper specs
+        if: matrix.suite == 'bundler'
+        run: |
+          docker run --rm "$CORE_CI_IMAGE" bash -c \
+            "cd /home/dependabot/dependabot-core/bundler/helpers/v1 && BUNDLER_VERSION=1 bundle install && BUNDLER_VERSION=1 bundle exec rspec spec"
       - name: Run ${{ matrix.suite }} tests with rspec
         run: |
           docker run --env "CI=true" --env "DEPENDABOT_TEST_ACCESS_TOKEN=$DEPENDABOT_TEST_ACCESS_TOKEN" --rm "$CORE_CI_IMAGE" bash -c \

CHANGELOG.md

@@ -1,3 +1,17 @@
+## v0.137.1, 15 March 2021
+
+- Bundler: Install dependabot-core's gems using Bundler v2 (unused for updates)
+
+## v0.137.0, 15 March 2021
+
+- Bump npm from 7.5.4 to 7.6.1
+- Python: Add python versions 3.9.2, 3.8.8, 3.7.10 and 3.6.13
+- Bundler: Run v1 native helpers with bundler v1
+- Bump composer/composer from 2.0.10 to 2.0.11 in /composer/helpers/v2
+- Bump eslint-config-prettier from 8.0.0 to 8.1.0 in /npm_and_yarn/helpers
+- Bump phpstan/phpstan from 0.12.78 to 0.12.81 in /composer/helpers/v2
+- Bump phpstan/phpstan from 0.12.78 to 0.12.81 in /composer/helpers/v1
+
 ## v0.136.0, 8 March 2021
 
 - Bundler: Run Bundler v1 native helpers with an explicit version setting the

Dockerfile

@@ -54,12 +54,13 @@ RUN apt-get update \
 
 # Install Ruby 2.6.6, update RubyGems, and install Bundler
 ENV BUNDLE_SILENCE_ROOT_WARNING=1
-RUN apt-get install -y software-properties-common \
+RUN apt-get update && apt-get install -y software-properties-common \
   && apt-add-repository ppa:brightbox/ruby-ng \
   && apt-get update \
   && apt-get install -y ruby2.6 ruby2.6-dev \
-  && gem update --system 3.0.3 \
-  && gem install bundler -v 1.17.3 --no-document
+  && gem update --system 3.2.14 \
+  && gem install bundler -v 1.17.3 --no-document \
+  && gem install bundler -v 2.2.11 --no-document
 
 
 ### PYTHON
@@ -68,10 +69,10 @@ RUN apt-get install -y software-properties-common \
 ENV PYENV_ROOT=/usr/local/.pyenv \
   PATH="/usr/local/.pyenv/bin:$PATH"
 RUN git clone https://github.com/pyenv/pyenv.git /usr/local/.pyenv \
-  && cd /usr/local/.pyenv && git checkout v1.2.22 && cd - \
-  && pyenv install 3.9.1 \
+  && cd /usr/local/.pyenv && git checkout 9ee109b66148bc39a685926050b7b56cb4bb184b && cd - \
+  && pyenv install 3.9.2 \
   && pyenv install 2.7.18 \
-  && pyenv global 3.9.1
+  && pyenv global 3.9.2
 
 
 ### JAVASCRIPT
@@ -94,7 +95,7 @@ RUN npm install elm@0.18.0 \
 
 # NOTE: This is a hack to get around the fact that elm 18 fails to install with
 # npm 7, we should look into deprecating elm 18
-RUN npm install -g npm@v7.5.4
+RUN npm install -g npm@v7.6.1
 
 
 ### PHP

bundler/helpers/v1/Gemfile

@@ -2,6 +2,11 @@
 
 source "https://rubygems.org"
 
-# NOTE: This is intentionally left blank as it's currently only used to force
-# bundler to use v1 when executing native helpers by pointing the BUNDLE_GEMFILE
-# env to this Gemfile in Dependabot::Bundler::NativeHelpers
+# NOTE: Used to run native helper specs
+group :test do
+  gem "byebug", "11.1.3"
+  gem "rspec", "3.10.0"
+  gem "rspec-its", "1.3.0"
+  gem "vcr", "6.0.0"
+  gem "webmock", "3.12.1"
+end

bundler/helpers/v1/build

@@ -20,5 +20,5 @@ cp -r \
 cd "$install_dir"
 
 # NOTE: Sets `BUNDLED WITH` to match the installed v1 version in Gemfile.lock
-# forcing specs and native helpers to run with the same version
-BUNDLER_VERSION=1 bundle install
+# forcing native helpers to run with the same version
+BUNDLER_VERSION=1 bundle install --without test

bundler/spec/native_helpers/functions/conflicting_dependency_resolver_spec.rb → bundler/helpers/v1/spec/functions/conflicting_dependency_resolver_spec.rb

@@ -10,15 +10,14 @@
     described_class.new(
       dependency_name: dependency_name,
       target_version: target_version,
-      lockfile_name: lockfile_name
+      lockfile_name: "Gemfile.lock"
     )
   end
 
   let(:dependency_name) { "dummy-pkg-a" }
   let(:target_version) { "2.0.0" }
 
-  let(:gemfile_fixture_name) { "blocked_by_subdep" }
-  let(:lockfile_fixture_name) { "blocked_by_subdep.lock" }
+  let(:project_name) { "blocked_by_subdep" }
 
   describe "#conflicting_dependencies" do
     subject(:conflicting_dependencies) do
@@ -37,8 +36,7 @@
     end
 
     context "for nested transitive dependencies" do
-      let(:gemfile_fixture_name) { "transitive_blocking" }
-      let(:lockfile_fixture_name) { "transitive_blocking.lock" }
+      let(:project_name) { "transitive_blocking" }
       let(:dependency_name) { "activesupport" }
       let(:target_version) { "6.0.0" }
 
@@ -96,8 +94,7 @@
       let(:dependency_name) { "activesupport" }
       let(:current_version) { "5.0.0" }
       let(:target_version) { "6.0.0" }
-      let(:gemfile_fixture_name) { "multiple_blocking" }
-      let(:lockfile_fixture_name) { "multiple_blocking.lock" }
+      let(:project_name) { "multiple_blocking" }
 
       it "returns all of the blocking dependencies" do
         expect(conflicting_dependencies).to match_array(

bundler/spec/native_helpers/functions/dependency_source_spec.rb → bundler/helpers/v1/spec/functions/dependency_source_spec.rb

@@ -8,14 +8,14 @@
 
   let(:dependency_source) do
     described_class.new(
-      gemfile_name: gemfile_name,
+      gemfile_name: "Gemfile",
       dependency_name: dependency_name
     )
   end
 
   let(:dependency_name) { "business" }
 
-  let(:gemfile_fixture_name) { "specified_source" }
+  let(:project_name) { "specified_source_no_lockfile" }
   let(:registry_url) { "https://repo.fury.io/greysteil/" }
   let(:gemfury_business_url) do
     "https://repo.fury.io/greysteil/api/v1/dependencies?gems=business"
@@ -47,7 +47,7 @@
     end
 
     context "specified as the default source" do
-      let(:gemfile_fixture_name) { "specified_default_source" }
+      let(:project_name) { "specified_default_source_no_lockfile" }
 
       it "returns all versions from the private source" do
         is_expected.to eq([
@@ -152,7 +152,7 @@
     end
 
     context "that only implements the old Bundler index format..." do
-      let(:gemfile_fixture_name) { "sidekiq_pro" }
+      let(:project_name) { "sidekiq_pro" }
       let(:dependency_name) { "sidekiq-pro" }
       let(:registry_url) { "https://gems.contribsys.com/" }
 

bundler/spec/native_helpers/functions/file_parser_spec.rb → bundler/helpers/v1/spec/functions/file_parser_spec.rb

@@ -12,8 +12,7 @@
     )
   end
 
-  let(:gemfile_fixture_name) { "Gemfile" }
-  let(:lockfile_fixture_name) { "Gemfile.lock" }
+  let(:project_name) { "gemfile" }
 
   describe "#parsed_gemfile" do
     subject(:parsed_gemfile) do

bundler/spec/native_helpers/functions/version_resolver_spec.rb → bundler/helpers/v1/spec/functions/version_resolver_spec.rb

@@ -3,8 +3,6 @@
 require "native_spec_helper"
 require "shared_contexts"
 
-require "dependabot/dependency"
-
 RSpec.describe Functions::VersionResolver do
   include_context "in a temporary bundler directory"
   include_context "stub rubygems compact index"
@@ -13,8 +11,8 @@
     described_class.new(
       dependency_name: dependency_name,
       dependency_requirements: dependency_requirements,
-      gemfile_name: gemfile_name,
-      lockfile_name: lockfile_name
+      gemfile_name: "Gemfile",
+      lockfile_name: "Gemfile.lock"
     )
   end
 
@@ -37,8 +35,7 @@
       in_tmp_folder { version_resolver.version_details }
     end
 
-    let(:gemfile_fixture_name) { "Gemfile" }
-    let(:lockfile_fixture_name) { "Gemfile.lock" }
+    let(:project_name) { "gemfile" }
     let(:requirement_string) { " >= 0" }
 
     its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) }
@@ -47,8 +44,7 @@
     context "with a private gemserver source" do
       include_context "stub rubygems compact index"
 
-      let(:gemfile_fixture_name) { "specified_source" }
-      let(:lockfile_fixture_name) { "specified_source.lock" }
+      let(:project_name) { "specified_source" }
       let(:requirement_string) { ">= 0" }
 
       before do
@@ -72,8 +68,7 @@
     end
 
     context "with a git source" do
-      let(:gemfile_fixture_name) { "git_source" }
-      let(:lockfile_fixture_name) { "git_source.lock" }
+      let(:project_name) { "git_source" }
 
       its([:version]) { is_expected.to eq(Gem::Version.new("1.6.0")) }
       its([:fetcher]) { is_expected.to be_nil }

bundler/helpers/v1/spec/native_spec_helper.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require "rspec/its"
+require "webmock/rspec"
+require "byebug"
+
+$LOAD_PATH.unshift(File.expand_path("../lib", __dir__))
+$LOAD_PATH.unshift(File.expand_path("../monkey_patches", __dir__))
+
+# Bundler monkey patches
+require "definition_ruby_version_patch"
+require "definition_bundler_version_patch"
+require "git_source_patch"
+
+require "functions"
+
+RSpec.configure do |config|
+  config.color = true
+  config.order = :rand
+  config.mock_with(:rspec) { |mocks| mocks.verify_partial_doubles = true }
+  config.raise_errors_for_deprecations!
+end
+
+# Duplicated in lib/dependabot/bundler/file_updater/lockfile_updater.rb
+# TODO: Stop sanitizing the lockfile once we have bundler 2 installed
+LOCKFILE_ENDING = /(?<ending>\s*(?:RUBY VERSION|BUNDLED WITH).*)/m.freeze
+
+def project_dependency_files(project)
+  project_path = File.expand_path(File.join("../../spec/fixtures/projects/bundler1", project))
+  Dir.chdir(project_path) do
+    # NOTE: Include dotfiles (e.g. .npmrc)
+    files = Dir.glob("**/*", File::FNM_DOTMATCH)
+    files = files.select { |f| File.file?(f) }
+    files.map do |filename|
+      content = File.read(filename)
+      if filename == "Gemfile.lock"
+        content = content.gsub(LOCKFILE_ENDING, "")
+      end
+      {
+        name: filename,
+        content: content
+      }
+    end
+  end
+end
+
+def fixture(*name)
+  File.read(File.join("../../spec/fixtures", File.join(*name)))
+end

bundler/helpers/v1/spec/shared_contexts.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require "bundler/compact_index_client"
+require "bundler/compact_index_client/updater"
+
+TMP_DIR_PATH = File.expand_path("../tmp", __dir__)
+
+RSpec.shared_context "in a temporary bundler directory" do
+  let(:project_name) { "gemfile" }
+
+  let(:tmp_path) do
+    Dir.mkdir(TMP_DIR_PATH) unless Dir.exist?(TMP_DIR_PATH)
+    dir = Dir.mktmpdir("native_helper_spec_", TMP_DIR_PATH)
+    Pathname.new(dir).expand_path
+  end
+
+  before do
+    project_dependency_files(project_name).each do |file|
+      File.write(File.join(tmp_path, file[:name]), file[:content])
+    end
+  end
+
+  def in_tmp_folder(&block)
+    Dir.chdir(tmp_path, &block)
+  end
+end
+
+RSpec.shared_context "without caching rubygems" do
+  before do
+    # Stub Bundler to stop it using a cached versions of Rubygems
+    allow_any_instance_of(Bundler::CompactIndexClient::Updater).
+      to receive(:etag_for).and_return("")
+  end
+end
+
+RSpec.shared_context "stub rubygems compact index" do
+  include_context "without caching rubygems"
+
+  before do
+    # Stub the Rubygems index
+    stub_request(:get, "https://index.rubygems.org/versions").
+      to_return(
+        status: 200,
+        body: fixture("ruby", "rubygems_responses", "index")
+      )
+
+    # Stub the Rubygems response for each dependency we have a fixture for
+    fixtures =
+      Dir[File.join("../../spec", "fixtures", "ruby", "rubygems_responses", "info-*")]
+    fixtures.each do |path|
+      dep_name = path.split("/").last.gsub("info-", "")
+      stub_request(:get, "https://index.rubygems.org/info/#{dep_name}").
+        to_return(
+          status: 200,
+          body: fixture("ruby", "rubygems_responses", "info-#{dep_name}")
+        )
+    end
+  end
+end

bundler/spec/dependabot/bundler/update_checker/version_resolver_spec.rb

@@ -252,7 +252,10 @@
         let(:current_version) { "1.4.0" }
 
         let(:dependency_files) { project_dependency_files("bundler1/git_source_circular") }
-        its([:version]) { is_expected.to eq(Gem::Version.new("2.2.0")) }
+
+        it "unlocks the version" do
+          expect(resolver.latest_resolvable_version_details[:version].canonical_segments.first).to eq(2)
+        end
       end
 
       context "with a ruby exec command that fails" do
@@ -339,8 +342,7 @@
       end
 
       it "unlocks the latest version" do
-        expect(resolver.latest_resolvable_version_details[:version]).
-          to eq(Gem::Version.new("2.2.0"))
+        expect(resolver.latest_resolvable_version_details[:version].canonical_segments.first).to eq(2)
       end
 
       context "with an upper bound that is lower than the current req" do

bundler/spec/fixtures/projects/bundler1/multiple_blocking/Gemfile

@@ -0,0 +1,5 @@
+source "https://rubygems.org"
+
+gem "activesupport", "5.0.0"
+gem "actionview", "5.0.0"
+gem "actionmailer", "5.0.0"