Throwing an appropriate error, when private registry response with 20…

…0 status and empty array response (#11095) * Added check for Hash, unless not to proceed. * Adding Rspec test and Sorbet Check. * Adding Rspec test and Sorbet Check. * Adding Rspec test. * rubocop error fixes * rubocop fixes added. * As per the standup discussion decided to throw git_dependencies_not_reachable --------- Co-authored-by: “Thavachelvam <“[email protected]”>
dependabot · Dec 11, 2024 · 2aa0485 · 2aa0485
1 parent e1024fb
commit 2aa0485
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/composer/lib/dependabot/composer/update_checker/latest_version_finder.rb b/composer/lib/dependabot/composer/update_checker/latest_version_finder.rb
@@ -144,9 +144,17 @@ def parse_registry_response(response, url)
 
           listing = JSON.parse(response.body)
           return [] if listing.nil?
+          return [] unless listing.is_a?(Hash)
           return [] if listing.fetch("packages", []) == []
           return [] unless listing.dig("packages", dependency.name.downcase)
 
+          extract_versions(listing)
+        rescue JSON::ParserError
+          msg = "'#{url}' does not contain valid JSON"
+          raise DependencyFileNotResolvable, msg
+        end
+
+        def extract_versions(listing)
           # Packagist's Metadata API format:
           # v1: "packages": {<package name>: {<version_number>: {hash of metadata for a particular release version}}}
           # v2: "packages": {<package name>: [{hash of metadata for a particular release version}]}
@@ -164,9 +172,6 @@ def parse_registry_response(response, url)
           else
             []
           end
-        rescue JSON::ParserError
-          msg = "'#{url}' does not contain valid JSON"
-          raise DependencyFileNotResolvable, msg
         end
 
         def registry_credentials

diff --git a/composer/spec/dependabot/composer/update_checker/latest_version_finder_spec.rb b/composer/spec/dependabot/composer/update_checker/latest_version_finder_spec.rb
@@ -394,4 +394,17 @@
 
     it { is_expected.to eq(Gem::Version.new("1.12.0")) }
   end
+
+  context "when the response status is 200 && the body is an empty array" do
+    let(:url) { "https://example.com/packages.json" }
+    let(:response) { instance_double(Excon::Response, status: 200, body: "[]") }
+
+    before do
+      allow(Dependabot::RegistryClient).to receive(:get).and_return(response)
+    end
+
+    it "returns an empty array" do
+      expect(finder.send(:fetch_registry_versions_from_url, url)).to eq([])
+    end
+  end
 end