Enable lints to understand short-form git-dependencies

This will fix the case where insecure git-dependencies are not caught when using the short-form git-dependencies. https://github.com/dart-lang/linter/pull/3087/files#diff-b58e5cf5db10a02c5191e3240563bdbb9fc04727327ad709e406ac6ec4366532R25 Change-Id: I83826df588b1df4e29df1fec9d65c9ab7f62b57d Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/221945 Auto-Submit: Jonas Jensen <jonasfj@google.com> Commit-Queue: Phil Quitslund <pquitslund@google.com> Reviewed-by: Phil Quitslund <pquitslund@google.com>
2024-10-07 08:50:47 +00:00 · 2021-12-06 21:36:16 +00:00 · 2021-12-06 21:36:16 +00:00 · ad9e6d2ec3
parent 4a51fffe45
commit ad9e6d2ec3
2 changed files with 51 additions and 0 deletions
--- a/pkg/analyzer/lib/src/lint/pub.dart
+++ b/pkg/analyzer/lib/src/lint/pub.dart
@ -37,6 +37,12 @@ PSDependencyList? _processDependencies(

 PSGitRepo? _processGitRepo(
    YamlScalar key, YamlNode v, ResourceProvider? resourceProvider) {
+  if (v is YamlScalar) {
+    _PSGitRepo repo = _PSGitRepo();
+    repo.token = _PSNode(key, resourceProvider);
+    repo.url = PSEntry(repo.token, _PSNode(v, resourceProvider));
+    return repo;
+  }
  if (v is! YamlMap) {
    return null;
  }
@ -130,9 +136,44 @@ class PSEntry {
  String toString() => '${key != null ? (key.toString() + ': ') : ''}$value';
 }

+/// Representation of git-dependency in `pubspec.yaml`.
+///
+/// **Example** of a git-dependency:
+/// ```yaml
+/// dependencies:
+///   foo:
+///     git: # <-- this is the [token] property
+///       url: https://github.com/example/example
+///       ref: main # ref is optional
+/// ```
+///
+/// This may also be written in the form:
+/// ```yaml
+/// dependencies:
+///   foo:
+///     git:       https://github.com/example/example
+///     # ^-token  ^--url
+///     # In this case [ref] is `null`.
+/// ```
 abstract class PSGitRepo {
+  /// [PSEntry] for `ref: main` where [PSEntry.key] is `ref` and [PSEntry.value]
+  /// is `main`.
  PSEntry? get ref;
+
+  /// The `'git'` from the `pubspec.yaml`, this is the key that indicates this
+  /// is a git-dependency.
  PSNode? get token;
+
+  /// [PSEntry] for `url: https://...` or `git: https://`, where [PSEntry.key]
+  /// is either `url` or `git`, and [PSEntry.key] is the URL.
+  ///
+  /// If the git-dependency is given in the form:
+  /// ```yaml
+  /// dependencies:
+  ///   foo:
+  ///     git:       https://github.com/example/example
+  /// ```
+  /// Then [token] and [url.key] will be the same object.
  PSEntry? get url;
 }

--- a/pkg/analyzer/test/src/lint/pub_test.dart
+++ b/pkg/analyzer/test/src/lint/pub_test.dart
@ -48,6 +48,8 @@ dependencies:
 dev_dependencies:
  markdown: '>=0.7.1+2 <0.8.0'
  unittest: '>=0.11.0 <0.12.0'
+  kittens2:
+    git: git://github.com/munificent/kittens2.git
 dependency_overrides:
  foo: 1.2.0
 repository: https://github.com/dart-lang/linter
@ -148,6 +150,14 @@ issue_tracker: https://github.com/dart-lang/linter/issues
        testValue(
            'url', git.url, equals('git://github.com/munificent/kittens.git'));
      });
+
+      group('git (short form)', () {
+        PSDependency dep = findDependency(ps.devDependencies, name: 'kittens2');
+        PSGitRepo git = dep.git!;
+        test('ref', () => expect(git.ref, isNull));
+        testValue(
+            'url', git.url, equals('git://github.com/munificent/kittens2.git'));
+      });
    });
 //    group('visiting', () {
 //      test('smoke', () {