Merge branch 'tinglesoftware:main' into main

updater/bin/update_script.rb

@@ -49,8 +49,8 @@
 require "tinglesoftware/dependabot/clients/azure"
 require "tinglesoftware/dependabot/vulnerabilities"
 
-# Fixes for NuGet feed auth issues
-# TODO: Remove this once https://github.com/dependabot/dependabot-core/pull/8927 is resolved or auth works natively.
+# Overrides to fix various authentication related issues with private feeds
+# TODO: Remove these workarounds once auth can be moved out to the "proxy" component, like dependabot-cli does
 require "tinglesoftware/azure/artifacts_credential_provider"
 require "tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers"
 require "tinglesoftware/dependabot/overrides/npm_and_yarn/update_checker/npmrc_builder"

updater/lib/tinglesoftware/azure/artifacts_credential_provider.rb

@@ -15,7 +15,7 @@
 # See README.md (Credentials for private registries and feeds) for more details.
 #
 
-# TODO: Remove this once https://github.com/dependabot/dependabot-core/pull/8927 is resolved or auth works natively.
+# TODO: Remove this once auth can be moved out to the "proxy" component, like dependabot-cli does
 
 module TingleSoftware
   module Azure
@@ -28,16 +28,18 @@ def self.install_if_private_nuget_feeds_are_configured
           "VSS_NUGET_EXTERNAL_FEED_ENDPOINTS",
           JSON.dump({
             "endpointCredentials" => private_nuget_feeds.map do |cred|
+              token_parts = cred["token"]&.split(":", 2)&.reject(&:empty?) || []
               {
                 "endpoint" => cred["url"],
                 # Use username/password auth if provided, otherwise fallback to token auth.
                 # This provides maximum compatibility with Azure DevOps, DevOps Server, and other third-party feeds.
                 # When using DevOps PATs, the token is split into username/password parts; Username is not significant.
                 # e.g. token "PAT:12345" --> { "username": "PAT", "password": "12345" }
-                #            ":12345"    --> { "username": "", "password": "12345" }
-                #            "12345"     --> { "username": "12345", "password": "12345" }
-                "username" => cred["username"] || cred["token"]&.split(":")&.first,
-                "password" => cred["password"] || cred["token"]&.split(":")&.last
+                #            ":12345"    --> { "username": "unused", "password": "12345" }
+                #            "12345"     --> { "username": "unused", "password": "12345" }
+                #            ""          --> { "username": "unused", "password": "" }
+                "username" => cred["username"] || token_parts.length > 1 ? token_parts.first : "unused",
+                "password" => cred["password"] || token_parts.last
               }
             end
           })

updater/lib/tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers.rb

@@ -20,7 +20,7 @@
 # See README.md (Credentials for private registries and feeds) for more details.
 #
 
-# TODO: Remove this once https://github.com/dependabot/dependabot-core/pull/8927 is resolved or auth works natively.
+# TODO: Remove this once auth can be moved out to the "proxy" component, like dependabot-cli does
 
 module Dependabot
   module Nuget
@@ -74,15 +74,12 @@ def self.package_source_credentials_xml_lines(credentials) # rubocop:disable Met
           # This provides maximum compatibility with Azure DevOps, DevOps Server, and other third-party feeds.
           # When using DevOps PATs, the token is split into username/password parts; Username is not significant.
           # e.g. token "PAT:12345" --> { "username": "PAT", "password": "12345" }
-          #            ":12345"    --> { "username": "", "password": "12345" }
-          #            "12345"     --> { "username": "12345", "password": "12345" } # username gets redacted to "user"
-          source_username = c["username"] || c["token"]&.split(":")&.first
-          source_password = c["password"] || c["token"]&.split(":")&.last
-          # NuGet.exe will log the username in plain text to the console, which is not great for security!
-          # If the username and password are the same value, we can assume that "token" auth is being used and that the
-          # username is not significant, so redact it to something generic to avoid leaking sensitive information.
-          # e.g. { "username": "12345", "password": "12345" } --> { "username": "user", "password": "12345" }
-          source_username = "user" if source_username == source_password
+          #            ":12345"    --> { "username": "unused", "password": "12345" }
+          #            "12345"     --> { "username": "unused", "password": "12345" }
+          #            ""          --> { "username": "unused", "password": "" }
+          source_token_parts = c["token"]&.split(":", 2)&.reject(&:empty?) || []
+          source_username = c["username"] || source_token_parts.length > 1 ? source_token_parts.first : "unused"
+          source_password = c["password"] || source_token_parts.last
           [
             "<#{source_key}>",
             "  <add key=\"Username\" value=\"#{source_username}\" />",

updater/lib/tinglesoftware/dependabot/setup.rb

@@ -67,8 +67,8 @@
 # Overrides for dependabot core functionality that are currently not extensible
 require "tinglesoftware/dependabot/overrides/pull_request_creator/pr_name_prefixer"
 
-# Fixes for NuGet feed auth issues
-# TODO: Remove this once https://github.com/dependabot/dependabot-core/pull/8927 is resolved or auth works natively.
+# Overrides to fix various authentication related issues with private feeds
+# TODO: Remove these workarounds once auth can be moved out to the "proxy" component, like dependabot-cli does
 require "tinglesoftware/dependabot/overrides/nuget/nuget_config_credential_helpers"
 require "tinglesoftware/azure/artifacts_credential_provider"
 require "tinglesoftware/dependabot/overrides/npm_and_yarn/update_checker/npmrc_builder"