Merge pull request #7817 from dependabot/jurre/dont-attempt-to-group-…

…git-deps-as-semver Do not attempt to group git dependencies as semver
dependabot · Aug 15, 2023 · 77e002c · 77e002c
2 parents f1e240f + 31c4c30
commit 77e002c
Show file tree

Hide file tree

Showing 4 changed files with 545 additions and 1 deletion.
diff --git a/updater/lib/dependabot/updater/group_update_creation.rb b/updater/lib/dependabot/updater/group_update_creation.rb
@@ -205,6 +205,9 @@ def semver_rules_allow_grouping?(group, dependency, checker)
         # There are no group rules defined, so this dependency can be included in the group.
         return true unless group.rules["update-types"]
 
+        # git dependencies are not SemVer compatible so we cannot include them in the group
+        return false if git_dependency?(dependency)
+
         version = Dependabot::Utils.version_class_for_package_manager(job.package_manager).new(dependency.version.to_s)
         # Not every version class implements .major, .minor, .patch so we calculate it here from the segments
         latest = semver_segments(checker.latest_version)
@@ -238,6 +241,13 @@ def requirements_to_unlock(checker)
         end
       end
 
+      def git_dependency?(dependency)
+        GitCommitChecker.new(
+          dependency: dependency,
+          credentials: job.credentials
+        ).git_dependency?
+      end
+
       def log_requirements_for_update(requirements_to_unlock, checker)
         Dependabot.logger.info("Requirements to unlock #{requirements_to_unlock}")
 

diff --git a/updater/lib/dependabot/updater/operations/refresh_group_update_pull_request.rb b/updater/lib/dependabot/updater/operations/refresh_group_update_pull_request.rb
@@ -101,7 +101,7 @@ def upsert_pull_request_with_error_handling(dependency_change)
         # Having created the dependency_change, we need to determine the right strategy to apply it to the project:
         # - Replace existing PR if the dependencies involved have changed
         # - Update the existing PR if the dependencies and the target versions remain the same
-        # - Supersede the existing PR if the dependencies are the same but the target verisons have changed
+        # - Supersede the existing PR if the dependencies are the same but the target versions have changed
         def upsert_pull_request(dependency_change)
           if dependency_change.should_replace_existing_pr?
             Dependabot.logger.info("Dependencies have changed, closing existing Pull Request")

diff --git a/updater/spec/dependabot/updater/operations/group_update_all_versions_spec.rb b/updater/spec/dependabot/updater/operations/group_update_all_versions_spec.rb
@@ -262,6 +262,35 @@
     end
   end
 
+  context "when the snapshot contains a git dependency" do
+    let(:job_definition) do
+      job_definition_fixture("bundler/version_updates/group_update_all_semver_grouping")
+    end
+
+    let(:dependency_files) do
+      original_bundler_files(fixture: "bundler_git")
+    end
+
+    it "creates individual PRs since git dependencies cannot be grouped as semver",
+       vcr: { allow_unused_http_interactions: true } do
+      expect(mock_service).to receive(:create_pull_request).with(
+        an_object_having_attributes(
+          dependency_group: nil,
+          updated_dependencies: [
+            an_object_having_attributes(
+              name: "dummy-git-dependency",
+              version: "c0e25c2eb332122873f73acb3b61fb2e261cfd8f",
+              previous_version: "20151f9b67c8a04461fa0ee28385b6187b86587b"
+            )
+          ]
+        ),
+        "mock-sha"
+      )
+
+      group_update_all.perform
+    end
+  end
+
   context "when the snapshot is only grouping minor- and patch-level changes", :vcr do
     let(:job_definition) do
       job_definition_fixture("bundler/version_updates/group_update_all_semver_grouping")