Merge branch 'main' into abdulapopoola-patch-5

dependabot · Jun 12, 2024 · f6acbea · f6acbea
2 parents 3a06685 + 09263a6
commit f6acbea
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 54 deletions.
diff --git a/composer/helpers/v2/src/UpdateChecker.php b/composer/helpers/v2/src/UpdateChecker.php
@@ -14,7 +14,7 @@ final class UpdateChecker
 {
     public static function getLatestResolvableVersion(array $args): ?string
     {
-        [$workingDirectory, $dependencyName, $gitCredentials, $registryCredentials] = $args;
+        [$workingDirectory, $dependencyName, $gitCredentials, $registryCredentials, $latestAllowableVersion] = $args;
 
         $httpBasicCredentials = [];
 
@@ -75,7 +75,8 @@ public static function getLatestResolvableVersion(array $args): ?string
         // if no lock is present, we do not do a partial update as
         // this is not supported by the Installer
         if ($composer->getLocker()->isLocked()) {
-            $install->setUpdateAllowList([$dependencyName]);
+            $dependencyNameWithVersion = $dependencyName . ':' . $latestAllowableVersion;
+            $install->setUpdateAllowList([$dependencyNameWithVersion]);
         }
 
         $install->run();

diff --git a/composer/lib/dependabot/composer/update_checker/version_resolver.rb b/composer/lib/dependabot/composer/update_checker/version_resolver.rb
@@ -148,7 +148,8 @@ def run_update_checker
                 Dir.pwd,
                 dependency.name.downcase,
                 git_credentials,
-                registry_credentials
+                registry_credentials,
+                @latest_allowable_version.to_s
               ]
             )
           end

diff --git a/composer/spec/dependabot/composer/update_checker/version_resolver_spec.rb b/composer/spec/dependabot/composer/update_checker/version_resolver_spec.rb
@@ -60,7 +60,7 @@
       let(:dependency_version) { "2.0.4" }
       let(:string_req) { "2.0.4" }
 
-      it { is_expected.to eq(Dependabot::Composer::Version.new("3.3.2")) }
+      it { is_expected.to eq(Dependabot::Composer::Version.new("2.0.4")) }
     end
 
     context "with an application using a >= PHP constraint" do
@@ -118,7 +118,7 @@
       let(:dependency_version) { "1.0.2" }
       let(:requirements_to_unlock) { :none }
 
-      it { is_expected.to eq(Dependabot::Composer::Version.new("1.25.1")) }
+      it { is_expected.to eq(Dependabot::Composer::Version.new("1.0.2")) }
     end
 
     context "with a library that requires itself" do
@@ -266,12 +266,8 @@
         }]
       end
 
-      it "raises a Dependabot::GitDependenciesNotReachable error" do
-        expect { resolver.latest_resolvable_version }
-          .to raise_error(Dependabot::GitDependenciesNotReachable) do |error|
-            expect(error.dependency_urls)
-              .to eq(["https://github.com/no-exist-sorry/monolog.git"])
-          end
+      it "does not raises an Dependabot::GitDependenciesNotReachable error, as there is no update." do
+        expect(subject).to eq(Dependabot::Composer::Version.new("1.0.1"))
       end
     end
 

diff --git a/composer/spec/dependabot/composer/update_checker_spec.rb b/composer/spec/dependabot/composer/update_checker_spec.rb
@@ -198,7 +198,7 @@
       expect(latest_resolvable_version.segments.count).to eq(3)
     end
 
-    it { is_expected.to be >= Gem::Version.new("1.22.0") }
+    it { is_expected.to be >= Gem::Version.new("1.0.0") }
 
     context "with a composer v1 lockfile" do
       let(:project_name) { "v1/exact_version" }
@@ -209,11 +209,11 @@
     context "when the user is ignoring the latest version" do
       let(:ignored_versions) { [">= 1.22.0.a, < 4.0"] }
 
-      it { is_expected.to eq(Gem::Version.new("1.21.0")) }
+      it { is_expected.to eq(Gem::Version.new("1.0.1")) }
     end
 
     context "without a lockfile" do
-      it { is_expected.to be >= Gem::Version.new("1.22.0") }
+      it { is_expected.to be >= Gem::Version.new("1.0.1") }
 
       context "when there are conflicts at the version specified" do
         let(:project_name) { "conflicts" }
@@ -288,7 +288,7 @@
     context "with a dev dependency" do
       let(:project_name) { "development_dependencies" }
 
-      it { is_expected.to be >= Gem::Version.new("1.22.0") }
+      it { is_expected.to be >= Gem::Version.new("1.0.1") }
     end
 
     context "with a path source" do
@@ -300,7 +300,7 @@
       end
 
       context "when it is not the dependency we're checking" do
-        it { is_expected.to be >= Gem::Version.new("1.22.0") }
+        it { is_expected.to be >= Gem::Version.new("1.0.2") }
       end
 
       context "when it is the dependency we're checking" do
@@ -377,13 +377,8 @@
           }]
         end
 
-        it "raises a helpful error message" do
-          expect { checker.latest_resolvable_version }
-            .to raise_error do |error|
-              expect(error)
-                .to be_a(Dependabot::PrivateSourceAuthenticationFailure)
-              expect(error.source).to eq("php.fury.io")
-            end
+        it "does not raise an error as there is no request for version update" do
+          expect(latest_resolvable_version).to be >= Gem::Version.new("2.1.0")
         end
       end
 
@@ -397,13 +392,8 @@
           }]
         end
 
-        it "raises a helpful error message" do
-          expect { checker.latest_resolvable_version }
-            .to raise_error do |error|
-              expect(error)
-                .to be_a(Dependabot::PrivateSourceAuthenticationFailure)
-              expect(error.source).to eq("php.fury.io")
-            end
+        it "does not raise an error, as there is no update to the dependency" do
+          expect(latest_resolvable_version).to be >= Gem::Version.new("2.1.0")
         end
       end
     end
@@ -489,7 +479,7 @@
       let(:ignored_versions) { [">= 2.8.0"] }
 
       it "is the highest resolvable version" do
-        expect(latest_resolvable_version).to eq(Gem::Version.new("2.1.7"))
+        expect(latest_resolvable_version).to eq(Gem::Version.new("2.1.5"))
       end
 
       context "when the blocking dependency is a git dependency" do
@@ -598,7 +588,7 @@
         }]
       end
 
-      it { is_expected.to be >= Gem::Version.new("1.3.0") }
+      it { is_expected.to be >= Gem::Version.new("1.0.1") }
     end
 
     context "with a git source dependency that's not the dependency we're checking with an alias" do
@@ -614,7 +604,7 @@
         }]
       end
 
-      it { is_expected.to be >= Gem::Version.new("1.3.0") }
+      it { is_expected.to be >= Gem::Version.new("1.0.1") }
     end
 
     context "with a git source dependency that's not the dependency we're checking with a stability flag" do
@@ -655,7 +645,7 @@
       # fine - the below is just what we get with Composer at the moment
       # because we disabled downloading the files in
       # DependabotInstallationManager.
-      it { is_expected.to be >= Gem::Version.new("1.3.0") }
+      it { is_expected.to be >= Gem::Version.new("1.0.1") }
     end
 
     context "with a git source dependency that's not the dependency we're checking with a git URL" do
@@ -671,7 +661,7 @@
         }]
       end
 
-      it { is_expected.to be >= Gem::Version.new("1.3.0") }
+      it { is_expected.to be >= Gem::Version.new("1.0.1") }
     end
 
     context "with a git source dependency that's not the dependency we're checking that is unreachable" do
@@ -687,25 +677,15 @@
         }]
       end
 
-      it "raises a helpful error" do
-        expect { checker.latest_resolvable_version }
-          .to raise_error do |error|
-            expect(error).to be_a(Dependabot::GitDependenciesNotReachable)
-            expect(error.dependency_urls)
-              .to eq(["https://github.com/no-exist-sorry/monolog.git"])
-          end
+      it "does not raise an error as there is no request for dependency version update." do
+        expect(subject).to be >= Gem::Version.new("1.0.1")
       end
 
       context "with a git URL" do
         let(:project_name) { "git_source_unreachable_git_url" }
 
-        it "raises a helpful error" do
-          expect { checker.latest_resolvable_version }
-            .to raise_error do |error|
-              expect(error).to be_a(Dependabot::GitDependenciesNotReachable)
-              expect(error.dependency_urls)
-                .to eq(["git@github.com:no-exist-sorry/monolog"])
-            end
+        it "does not raise an error as there is no request for dependency version update." do
+          expect(subject).to be >= Gem::Version.new("1.0.1")
         end
       end
     end
@@ -731,7 +711,7 @@
           )
       end
 
-      it { is_expected.to be >= Gem::Version.new("3.0.2") }
+      it { is_expected.to be_nil }
     end
 
     context "when an autoload is specified" do
@@ -747,7 +727,7 @@
         }]
       end
 
-      it { is_expected.to be >= Gem::Version.new("5.2.30") }
+      it { is_expected.to be >= Gem::Version.new("5.2.7") }
     end
 
     context "when a sub-dependency would block the update" do
@@ -764,7 +744,7 @@
       end
 
       # 5.5.0 series and up require an update to illuminate/contracts
-      it { is_expected.to be >= Gem::Version.new("5.6.23") }
+      it { is_expected.to be >= Gem::Version.new("5.2.0") }
     end
 
     context "with an invalid composer.json file" do
@@ -781,7 +761,7 @@
 
     let(:ignored_versions) { [">= 1.22.0.a, < 4.0"] }
 
-    it { is_expected.to eq(Gem::Version.new("1.21.0")) }
+    it { is_expected.to eq(Gem::Version.new("1.0.1")) }
 
     context "with an insecure version" do
       let(:dependency_version) { "1.0.1" }
@@ -795,7 +775,7 @@
         ]
       end
 
-      it { is_expected.to eq(Gem::Version.new("1.16.0")) }
+      it { is_expected.to eq(Gem::Version.new("1.0.1")) }
     end
   end