Merge branch 'main' into patch-13

dependabot · Apr 12, 2024 · e4b971c · e4b971c
2 parents 5ccfaf0 + e74e7f4
commit e4b971c
Show file tree

Hide file tree

Showing 211 changed files with 7,210 additions and 4,524 deletions.
diff --git a/.github/workflows/smoke.yml b/.github/workflows/smoke.yml
@@ -84,7 +84,7 @@ jobs:
       - name: Download test
         if: steps.cache-smoke-test.outputs.cache-hit != 'true'
         run: |
-          URL=https://api.github.com/repos/dependabot/smoke-tests/contents/tests/${{ matrix.suite.name }}
+          URL=https://api.github.com/repos/dependabot/smoke-tests/contents/tests/${{ matrix.suite.name }}?ref=jorobich/update-nuget-tests
           curl $(gh api $URL --jq .download_url) -o smoke.yaml
 
       - name: Cache Smoke Test

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,19 +1,20 @@
 PATH
   remote: bundler
   specs:
-    dependabot-bundler (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-bundler (0.252.0)
+      dependabot-common (= 0.252.0)
+      parallel (~> 1.24)
 
 PATH
   remote: cargo
   specs:
-    dependabot-cargo (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-cargo (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: common
   specs:
-    dependabot-common (0.248.0)
+    dependabot-common (0.252.0)
       aws-sdk-codecommit (~> 1.28)
       aws-sdk-ecr (~> 1.5)
       bundler (>= 1.16, < 3.0.0)
@@ -35,107 +36,107 @@ PATH
 PATH
   remote: composer
   specs:
-    dependabot-composer (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-composer (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: devcontainers
   specs:
-    dependabot-devcontainers (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-devcontainers (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: docker
   specs:
-    dependabot-docker (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-docker (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: elm
   specs:
-    dependabot-elm (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-elm (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: git_submodules
   specs:
-    dependabot-git_submodules (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-git_submodules (0.252.0)
+      dependabot-common (= 0.252.0)
       parseconfig (~> 1.0, < 1.1.0)
 
 PATH
   remote: github_actions
   specs:
-    dependabot-github_actions (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-github_actions (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: go_modules
   specs:
-    dependabot-go_modules (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-go_modules (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: gradle
   specs:
-    dependabot-gradle (0.248.0)
-      dependabot-common (= 0.248.0)
-      dependabot-maven (= 0.248.0)
+    dependabot-gradle (0.252.0)
+      dependabot-common (= 0.252.0)
+      dependabot-maven (= 0.252.0)
 
 PATH
   remote: hex
   specs:
-    dependabot-hex (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-hex (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: maven
   specs:
-    dependabot-maven (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-maven (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: npm_and_yarn
   specs:
-    dependabot-npm_and_yarn (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-npm_and_yarn (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: nuget
   specs:
-    dependabot-nuget (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-nuget (0.252.0)
+      dependabot-common (= 0.252.0)
       rubyzip (>= 2.3.2, < 3.0)
 
 PATH
   remote: pub
   specs:
-    dependabot-pub (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-pub (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: python
   specs:
-    dependabot-python (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-python (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: silent
   specs:
-    dependabot-silent (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-silent (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: swift
   specs:
-    dependabot-swift (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-swift (0.252.0)
+      dependabot-common (= 0.252.0)
 
 PATH
   remote: terraform
   specs:
-    dependabot-terraform (0.248.0)
-      dependabot-common (= 0.248.0)
+    dependabot-terraform (0.252.0)
+      dependabot-common (= 0.252.0)
 
 GEM
   remote: https://rubygems.org/

diff --git a/bundler/dependabot-bundler.gemspec b/bundler/dependabot-bundler.gemspec
@@ -28,6 +28,7 @@ Gem::Specification.new do |spec|
   spec.files        = []
 
   spec.add_dependency "dependabot-common", Dependabot::VERSION
+  spec.add_dependency "parallel", "~> 1.24"
 
   common_gemspec.development_dependencies.each do |dep|
     spec.add_development_dependency dep.name, *dep.requirement.as_list

diff --git a/bundler/lib/dependabot/bundler/cached_lockfile_parser.rb b/bundler/lib/dependabot/bundler/cached_lockfile_parser.rb
@@ -0,0 +1,24 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+require "digest"
+require "digest/sha2"
+require "bundler/lockfile_parser"
+
+module Dependabot
+  module Bundler
+    class CachedLockfileParser
+      extend T::Sig
+
+      sig { params(lockfile_content: String).returns(::Bundler::LockfileParser) }
+      def self.parse(lockfile_content)
+        lockfile_hash = Digest::SHA2.hexdigest(lockfile_content)
+        @cache ||= T.let({}, T.nilable(T::Hash[String, ::Bundler::LockfileParser]))
+        return T.must(@cache[lockfile_hash]) if @cache.key?(lockfile_hash)
+
+        @cache[lockfile_hash] = ::Bundler::LockfileParser.new(lockfile_content)
+      end
+    end
+  end
+end
diff --git a/bundler/lib/dependabot/bundler/file_fetcher.rb b/bundler/lib/dependabot/bundler/file_fetcher.rb
@@ -5,6 +5,7 @@
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
 require "dependabot/bundler/file_updater/lockfile_updater"
+require "dependabot/bundler/cached_lockfile_parser"
 require "dependabot/errors"
 
 module Dependabot
@@ -162,8 +163,7 @@ def fetch_gemspecs_from_directory(dir_path)
 
       def fetch_path_gemspec_paths
         if lockfile
-          parsed_lockfile = ::Bundler::LockfileParser
-                            .new(sanitized_lockfile_content)
+          parsed_lockfile = CachedLockfileParser.parse(sanitized_lockfile_content)
           parsed_lockfile.specs
                          .select { |s| s.source.instance_of?(::Bundler::Source::Path) }
                          .map { |s| s.source.path }.uniq

diff --git a/bundler/lib/dependabot/bundler/file_parser.rb b/bundler/lib/dependabot/bundler/file_parser.rb
@@ -1,13 +1,15 @@
 # typed: true
 # frozen_string_literal: true
 
+require "parallel"
 require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
 require "dependabot/bundler/file_updater/lockfile_updater"
 require "dependabot/bundler/native_helpers"
 require "dependabot/bundler/helpers"
 require "dependabot/bundler/version"
+require "dependabot/bundler/cached_lockfile_parser"
 require "dependabot/shared_helpers"
 require "dependabot/errors"
 
@@ -73,17 +75,21 @@ def gemfile_dependencies
         dependencies
       end
 
-      def gemspec_dependencies
-        dependencies = DependencySet.new
+      def gemspec_dependencies # rubocop:disable Metrics/PerceivedComplexity
+        return @gemspec_dependencies if defined?(@gemspec_dependencies)
 
-        gemspecs.each do |gemspec|
-          gemspec_declaration_finder = GemspecDeclarationFinder.new(gemspec: gemspec)
+        queue = Queue.new
 
-          parsed_gemspec(gemspec).each do |dependency|
-            next unless gemspec_declaration_finder.gemspec_includes_dependency?(dependency)
+        SharedHelpers.in_a_temporary_repo_directory(base_directory, repo_contents_path) do
+          write_temporary_dependency_files
 
-            dependencies <<
-              Dependency.new(
+          Parallel.map(gemspecs, in_threads: 4) do |gemspec|
+            gemspec_declaration_finder = GemspecDeclarationFinder.new(gemspec: gemspec)
+
+            parsed_gemspec(gemspec).each do |dependency|
+              next unless gemspec_declaration_finder.gemspec_includes_dependency?(dependency)
+
+              queue << Dependency.new(
                 name: dependency.fetch("name"),
                 version: dependency_version(dependency.fetch("name"))&.to_s,
                 requirements: [{
@@ -98,10 +104,13 @@ def gemspec_dependencies
                 }],
                 package_manager: "bundler"
               )
+            end
           end
         end
 
-        dependencies
+        dependency_set = DependencySet.new
+        dependency_set << queue.pop(true) while queue.size.positive?
+        @gemspec_dependencies ||= dependency_set
       end
 
       def lockfile_dependencies
@@ -161,23 +170,16 @@ def handle_eval_error(err)
       end
 
       def parsed_gemspec(file)
-        @parsed_gemspecs ||= {}
-        @parsed_gemspecs[file.name] ||=
-          SharedHelpers.in_a_temporary_repo_directory(base_directory,
-                                                      repo_contents_path) do
-            write_temporary_dependency_files
-
-            NativeHelpers.run_bundler_subprocess(
-              bundler_version: bundler_version,
-              function: "parsed_gemspec",
-              options: options,
-              args: {
-                gemspec_name: file.name,
-                lockfile_name: lockfile&.name,
-                dir: Dir.pwd
-              }
-            )
-          end
+        NativeHelpers.run_bundler_subprocess(
+          bundler_version: bundler_version,
+          function: "parsed_gemspec",
+          options: options,
+          args: {
+            gemspec_name: file.name,
+            lockfile_name: lockfile&.name,
+            dir: Dir.pwd
+          }
+        )
       rescue SharedHelpers::HelperSubprocessFailed => e
         msg = e.error_class + " with message: " + e.message
         raise Dependabot::DependencyFileNotEvaluatable, msg
@@ -255,8 +257,7 @@ def lockfile
       end
 
       def parsed_lockfile
-        @parsed_lockfile ||=
-          ::Bundler::LockfileParser.new(sanitized_lockfile_content)
+        @parsed_lockfile ||= CachedLockfileParser.parse(sanitized_lockfile_content)
       end
 
       def production_dep_names

diff --git a/bundler/lib/dependabot/bundler/file_updater/lockfile_updater.rb b/bundler/lib/dependabot/bundler/file_updater/lockfile_updater.rb
@@ -6,6 +6,7 @@
 require "dependabot/shared_helpers"
 require "dependabot/errors"
 require "dependabot/bundler/file_updater"
+require "dependabot/bundler/cached_lockfile_parser"
 require "dependabot/bundler/native_helpers"
 require "dependabot/bundler/helpers"
 
@@ -216,8 +217,8 @@ def replacement_version_for_gemspec(path, gemspec_content)
                                        .dependency_name || File.basename(path, ".gemspec")
 
           gemspec_specs =
-            ::Bundler::LockfileParser.new(sanitized_lockfile_body).specs
-                                     .select { |s| s.name == gem_name && gemspec_sources.include?(s.source.class) }
+            CachedLockfileParser.parse(sanitized_lockfile_body).specs
+                                .select { |s| s.name == gem_name && gemspec_sources.include?(s.source.class) }
 
           gemspec_specs.first&.version || "0.0.1"
         end

diff --git a/bundler/lib/dependabot/bundler/helpers.rb b/bundler/lib/dependabot/bundler/helpers.rb
@@ -30,9 +30,9 @@ def self.detected_bundler_version(lockfile)
         return "unknown" unless lockfile
 
         if (matches = lockfile.content.match(BUNDLER_MAJOR_VERSION_REGEX))
-          matches[:version]
+          matches[:version].to_i.to_s
         else
-          "1"
+          "unspecified"
         end
       end
     end

diff --git a/bundler/lib/dependabot/bundler/update_checker/file_preparer.rb b/bundler/lib/dependabot/bundler/update_checker/file_preparer.rb
@@ -3,6 +3,7 @@
 
 require "dependabot/dependency_file"
 require "dependabot/bundler/update_checker"
+require "dependabot/bundler/cached_lockfile_parser"
 require "dependabot/bundler/file_updater/gemspec_sanitizer"
 require "dependabot/bundler/file_updater/git_pin_replacer"
 require "dependabot/bundler/file_updater/git_source_remover"
@@ -268,8 +269,8 @@ def replacement_version_for_gemspec(gemspec_content)
           return "0.0.1" unless lockfile
 
           gemspec_specs =
-            ::Bundler::LockfileParser.new(sanitized_lockfile_content).specs
-                                     .select { |s| gemspec_sources.include?(s.source.class) }
+            CachedLockfileParser.parse(sanitized_lockfile_content).specs
+                                .select { |s| gemspec_sources.include?(s.source.class) }
 
           gem_name =
             FileUpdater::GemspecDependencyNameFinder