Merge branch 'main' into main

Gemfile.lock

@@ -1,20 +1,20 @@
 PATH
   remote: bundler
   specs:
-    dependabot-bundler (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-bundler (0.295.0)
+      dependabot-common (= 0.295.0)
       parallel (~> 1.24)
 
 PATH
   remote: cargo
   specs:
-    dependabot-cargo (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-cargo (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: common
   specs:
-    dependabot-common (0.294.0)
+    dependabot-common (0.295.0)
       aws-sdk-codecommit (~> 1.28)
       aws-sdk-ecr (~> 1.5)
       bundler (>= 1.16, < 3.0.0)
@@ -38,113 +38,113 @@ PATH
 PATH
   remote: composer
   specs:
-    dependabot-composer (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-composer (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: devcontainers
   specs:
-    dependabot-devcontainers (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-devcontainers (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: docker
   specs:
-    dependabot-docker (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-docker (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: dotnet_sdk
   specs:
-    dependabot-dotnet_sdk (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-dotnet_sdk (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: elm
   specs:
-    dependabot-elm (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-elm (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: git_submodules
   specs:
-    dependabot-git_submodules (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-git_submodules (0.295.0)
+      dependabot-common (= 0.295.0)
       parseconfig (~> 1.0, < 1.1.0)
 
 PATH
   remote: github_actions
   specs:
-    dependabot-github_actions (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-github_actions (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: go_modules
   specs:
-    dependabot-go_modules (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-go_modules (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: gradle
   specs:
-    dependabot-gradle (0.294.0)
-      dependabot-common (= 0.294.0)
-      dependabot-maven (= 0.294.0)
+    dependabot-gradle (0.295.0)
+      dependabot-common (= 0.295.0)
+      dependabot-maven (= 0.295.0)
 
 PATH
   remote: hex
   specs:
-    dependabot-hex (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-hex (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: maven
   specs:
-    dependabot-maven (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-maven (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: npm_and_yarn
   specs:
-    dependabot-npm_and_yarn (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-npm_and_yarn (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: nuget
   specs:
-    dependabot-nuget (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-nuget (0.295.0)
+      dependabot-common (= 0.295.0)
       rubyzip (>= 2.3.2, < 3.0)
 
 PATH
   remote: pub
   specs:
-    dependabot-pub (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-pub (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: python
   specs:
-    dependabot-python (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-python (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: silent
   specs:
-    dependabot-silent (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-silent (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: swift
   specs:
-    dependabot-swift (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-swift (0.295.0)
+      dependabot-common (= 0.295.0)
 
 PATH
   remote: terraform
   specs:
-    dependabot-terraform (0.294.0)
-      dependabot-common (= 0.294.0)
+    dependabot-terraform (0.295.0)
+      dependabot-common (= 0.295.0)
 
 GEM
   remote: https://rubygems.org/

bundler/lib/dependabot/bundler/file_updater/gemspec_dependency_name_finder.rb

@@ -10,7 +10,7 @@ class FileUpdater
       class GemspecDependencyNameFinder
         extend T::Sig
 
-        ChildNode = T.type_alias { T.nilable(T.any(Parser::AST::Node, Symbol, String)) }
+        ChildNode = T.type_alias { T.nilable(T.any(Parser::AST::Node, Symbol, String, Integer, Float)) }
 
         sig { returns(String) }
         attr_reader :gemspec_content

common/lib/dependabot.rb

@@ -2,5 +2,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.294.0"
+  VERSION = "0.295.0"
 end

common/lib/dependabot/errors.rb

@@ -220,6 +220,11 @@ def self.updater_error_details(error)
           "file-path": error.file_path
         }
       }
+    when Dependabot::DependencyFileNotSupported
+      {
+        "error-type": "dependency_file_not_supported",
+        "error-detail": { message: error.message }
+      }
     when Dependabot::GitDependenciesNotReachable
       {
         "error-type": "git_dependencies_not_reachable",
@@ -616,6 +621,8 @@ class DependencyFileNotEvaluatable < DependabotError; end
 
   class DependencyFileNotResolvable < DependabotError; end
 
+  class DependencyFileNotSupported < DependabotError; end
+
   class BadRequirementError < Gem::Requirement::BadRequirementError; end
 
   #######################

devcontainers/spec/dependabot/devcontainers/file_parser_spec.rb

@@ -234,7 +234,7 @@
       it "returns the correct package manager" do
         expect(package_manager.name).to eq "devcontainers"
         expect(package_manager.requirement).to be_nil
-        expect(package_manager.version.to_s).to eq "0.72.0"
+        expect(package_manager.version.to_s).to match(/\d+.\d+.\d+/)
       end
     end
 
@@ -244,7 +244,7 @@
       it "returns the correct language" do
         expect(language.name).to eq "node"
         expect(language.requirement).to be_nil
-        expect(language.version.to_s).to eq "18.20.6"
+        expect(language.version.to_s).to match(/\d+.\d+.\d+/)
       end
     end
   end

docker/lib/dependabot/docker/update_checker.rb

@@ -300,17 +300,30 @@ def docker_repo_name
         "library/#{dependency.name}"
       end
 
+      # Defaults from https://github.com/deitch/docker_registry2/blob/bfde04144f0b7fd63c156a1aca83efe19ee78ffd/lib/registry/registry.rb#L26-L27
+      DEFAULT_DOCKER_OPEN_TIMEOUT_IN_SECONDS = 2
+      DEFAULT_DOCKER_READ_TIMEOUT_IN_SECONDS = 5
+
       def docker_registry_client
         @docker_registry_client ||=
           DockerRegistry2::Registry.new(
             "https://#{registry_hostname}",
             user: registry_credentials&.fetch("username", nil),
             password: registry_credentials&.fetch("password", nil),
-            read_timeout: 10,
+            read_timeout: docker_read_timeout_in_seconds,
+            open_timeout: docker_open_timeout_in_seconds,
             http_options: { proxy: ENV.fetch("HTTPS_PROXY", nil) }
           )
       end
 
+      def docker_open_timeout_in_seconds
+        ENV.fetch("DEPENDABOT_DOCKER_OPEN_TIMEOUT_IN_SECONDS", DEFAULT_DOCKER_OPEN_TIMEOUT_IN_SECONDS).to_i
+      end
+
+      def docker_read_timeout_in_seconds
+        ENV.fetch("DEPENDABOT_DOCKER_READ_TIMEOUT_IN_SECONDS", DEFAULT_DOCKER_READ_TIMEOUT_IN_SECONDS).to_i
+      end
+
       def sort_tags(candidate_tags, version_tag)
         candidate_tags.sort do |tag_a, tag_b|
           if comparable_version_from(tag_a) > comparable_version_from(tag_b)

docker/spec/dependabot/docker/update_checker_spec.rb

@@ -1433,6 +1433,40 @@ def stub_tag_with_no_digest(tag)
     end
   end
 
+  describe ".docker_read_timeout_in_seconds" do
+    context "when DEPENDABOT_DOCKER_READ_TIMEOUT_IN_SECONDS is set" do
+      it "returns the provided value" do
+        override_value = 10
+        stub_const("ENV", ENV.to_hash.merge("DEPENDABOT_DOCKER_READ_TIMEOUT_IN_SECONDS" => override_value))
+        expect(checker.send(:docker_read_timeout_in_seconds)).to eq(override_value)
+      end
+    end
+
+    context "when ENV does not provide an override" do
+      it "falls back to a default value" do
+        expect(checker.send(:docker_read_timeout_in_seconds))
+          .to eq(Dependabot::Docker::UpdateChecker::DEFAULT_DOCKER_READ_TIMEOUT_IN_SECONDS)
+      end
+    end
+  end
+
+  describe ".docker_open_timeout_in_seconds" do
+    context "when DEPENDABOT_DOCKER_OPEN_TIMEOUT_IN_SECONDS is set" do
+      it "returns the provided value" do
+        override_value = 10
+        stub_const("ENV", ENV.to_hash.merge("DEPENDABOT_DOCKER_OPEN_TIMEOUT_IN_SECONDS" => override_value))
+        expect(checker.send(:docker_open_timeout_in_seconds)).to eq(override_value)
+      end
+    end
+
+    context "when ENV does not provide an override" do
+      it "falls back to a default value" do
+        expect(checker.send(:docker_open_timeout_in_seconds))
+          .to eq(Dependabot::Docker::UpdateChecker::DEFAULT_DOCKER_OPEN_TIMEOUT_IN_SECONDS)
+      end
+    end
+  end
+
   private
 
   def stub_same_sha_for(*tags)

maven/lib/dependabot/maven/update_checker/version_finder.rb

@@ -203,8 +203,18 @@ def fetch_dependency_metadata(repository_details)
         rescue URI::InvalidURIError
           nil
         rescue Excon::Error::Socket, Excon::Error::Timeout,
-               Excon::Error::TooManyRedirects
-          raise if central_repo_urls.include?(repository_details["url"])
+               Excon::Error::TooManyRedirects => e
+
+          if central_repo_urls.include?(repository_details["url"])
+            response_status = response&.status || 0
+            response_body = if response
+                              "RegistryError: #{response.status} response status with body #{response.body}"
+                            else
+                              "RegistryError: #{e.message}"
+                            end
+
+            raise RegistryError.new(response_status, response_body)
+          end
 
           nil
         end

maven/spec/dependabot/maven/update_checker/version_finder_spec.rb

@@ -524,6 +524,18 @@
       end
     end
 
+    context "with an invalid repository url specified" do
+      let(:dependency_files) { project_dependency_files("invalid_repository_url") }
+
+      before do
+        stub_request(:get, maven_central_metadata_url).to_raise(Excon::Error::Timeout)
+      end
+
+      it "raises a helpful error" do
+        expect { latest_version_details }.to raise_error(Dependabot::RegistryError)
+      end
+    end
+
     context "with a custom repository" do
       let(:pom_fixture_name) { "custom_repositories_pom.xml" }
 

npm_and_yarn/lib/dependabot/npm_and_yarn.rb

@@ -146,6 +146,10 @@ module NpmAndYarn
     # if not package found with specified version
     YARN_PACKAGE_NOT_FOUND = /MessageError: Couldn't find any versions for "(?<pkg>.*?)" that matches "(?<ver>.*?)"/
 
+    YN0001_DEPS_RESOLUTION_FAILED = T.let({
+      DEPS_INCORRECT_MET: /peer dependencies are incorrectly met/
+    }.freeze, T::Hash[String, Regexp])
+
     YN0001_FILE_NOT_RESOLVED_CODES = T.let({
       FIND_PACKAGE_LOCATION: /YN0001:(.*?)UsageError: Couldn't find the (?<pkg>.*) state file/,
       NO_CANDIDATE_FOUND: /YN0001:(.*?)Error: (?<pkg>.*): No candidates found/,
@@ -229,6 +233,12 @@ def self.sanitize_resolvability_message(error_message, dependencies, yarn_lock)
             end
           end
 
+          YN0001_DEPS_RESOLUTION_FAILED.each do |(_yn0001_key, yn0001_regex)|
+            if (msg = message.match(yn0001_regex))
+              return Dependabot::DependencyFileNotResolvable.new(msg)
+            end
+          end
+
           Dependabot::DependabotError.new(message)
         }
       },

npm_and_yarn/lib/dependabot/npm_and_yarn/constraint_helper.rb

@@ -18,6 +18,8 @@ module ConstraintHelper
       # Matches semantic versions:
       VERSION = T.let("#{DIGIT}(?:\\.#{DIGIT}){0,2}#{PRERELEASE}#{BUILD_METADATA}".freeze, String)
 
+      VERSION_REGEX = T.let(/\A#{VERSION}\z/o, Regexp)
+
       # SemVer regex: major.minor.patch[-prerelease][+build]
       SEMVER_REGEX = /^(?<version>\d+\.\d+\.\d+)(?:-(?<prerelease>[a-zA-Z0-9.-]+))?(?:\+(?<build>[a-zA-Z0-9.-]+))?$/