dependabot-bun 0.296.0 → 0.296.2

data/lib/dependabot/javascript/shared/metadata_finder.rb

@@ -0,0 +1,209 @@
+# typed: true
+# frozen_string_literal: true
+
+require "excon"
+require "time"
+
+module Dependabot
+  module Javascript
+    module Shared
+      class MetadataFinder < Dependabot::MetadataFinders::Base
+        def homepage_url
+          # Attempt to use version_listing first, as fetching the entire listing
+          # array can be slow (if it's large)
+          return latest_version_listing["homepage"] if latest_version_listing["homepage"]
+
+          listing = all_version_listings.find { |_, l| l["homepage"] }
+          listing&.last&.fetch("homepage", nil) || super
+        end
+
+        def maintainer_changes
+          return unless npm_releaser
+          return unless npm_listing.dig("time", dependency.version)
+          return if previous_releasers.include?(npm_releaser)
+
+          "This version was pushed to npm by " \
+            "[#{npm_releaser}](https://www.npmjs.com/~#{npm_releaser}), a new " \
+            "releaser for #{dependency.name} since your current version."
+        end
+
+        private
+
+        def look_up_source
+          return find_source_from_registry if new_source.nil?
+
+          source_type = new_source[:type] || new_source.fetch("type")
+
+          case source_type
+          when "git" then find_source_from_git_url
+          when "registry" then find_source_from_registry
+          else raise "Unexpected source type: #{source_type}"
+          end
+        end
+
+        def npm_releaser
+          all_version_listings
+            .find { |v, _| v == dependency.version }
+            &.last&.fetch("_npmUser", nil)&.fetch("name", nil)
+        end
+
+        def previous_releasers
+          times = npm_listing.fetch("time")
+
+          cutoff =
+            if dependency.previous_version && times[dependency.previous_version]
+              Time.parse(times[dependency.previous_version])
+            elsif times[dependency.version]
+              Time.parse(times[dependency.version]) - 1
+            end
+          return unless cutoff
+
+          all_version_listings
+            .reject { |v, _| Time.parse(times[v]) > cutoff }
+            .filter_map { |_, d| d.fetch("_npmUser", nil)&.fetch("name", nil) }
+        end
+
+        def find_source_from_registry
+          # Attempt to use version_listing first, as fetching the entire listing
+          # array can be slow (if it's large)
+          potential_sources =
+            [
+              get_source(latest_version_listing["repository"]),
+              get_source(latest_version_listing["homepage"]),
+              get_source(latest_version_listing["bugs"])
+            ].compact
+
+          return potential_sources.first if potential_sources.any?
+
+          potential_sources =
+            all_version_listings.flat_map do |_, listing|
+              [
+                get_source(listing["repository"]),
+                get_source(listing["homepage"]),
+                get_source(listing["bugs"])
+              ]
+            end.compact
+
+          potential_sources.first
+        end
+
+        def new_source
+          sources = dependency.requirements
+                              .map { |r| r.fetch(:source) }.uniq.compact
+                              .sort_by do |source|
+                                UpdateChecker::RegistryFinder.central_registry?(source[:url]) ? 1 : 0
+                              end
+
+          sources.first
+        end
+
+        def get_source(details)
+          potential_url = get_url(details)
+          return unless potential_url
+
+          potential_source = Source.from_url(potential_url)
+          return unless potential_source
+
+          potential_source.directory = get_directory(details)
+          potential_source
+        end
+
+        def get_url(details)
+          url =
+            case details
+            when String then details
+            when Hash then details.fetch("url", nil)
+            end
+          return url unless url&.match?(%r{^[\w.-]+/[\w.-]+$})
+
+          "https://github.com/" + url
+        end
+
+        def get_directory(details)
+          # Only return a directory if it is explicitly specified
+          return unless details.is_a?(Hash)
+
+          details.fetch("directory", nil)
+        end
+
+        def find_source_from_git_url
+          url = new_source[:url] || new_source.fetch("url")
+          Source.from_url(url)
+        end
+
+        def latest_version_listing
+          return @latest_version_listing if defined?(@latest_version_listing)
+
+          response = Dependabot::RegistryClient.get(url: "#{dependency_url}/latest", headers: registry_auth_headers)
+          return @latest_version_listing = JSON.parse(response.body) if response.status == 200
+
+          @latest_version_listing = {}
+        rescue JSON::ParserError, Excon::Error::Timeout
+          @latest_version_listing = {}
+        end
+
+        def all_version_listings
+          return [] if npm_listing["versions"].nil?
+
+          npm_listing["versions"]
+            .reject { |_, details| details["deprecated"] }
+            .sort_by { |version, _| Version.new(version) }
+            .reverse
+        end
+
+        def npm_listing
+          return @npm_listing unless @npm_listing.nil?
+
+          response = Dependabot::RegistryClient.get(url: dependency_url, headers: registry_auth_headers)
+          return @npm_listing = {} if response.status >= 500
+
+          begin
+            @npm_listing = JSON.parse(response.body)
+          rescue JSON::ParserError
+            raise unless non_standard_registry?
+
+            @npm_listing = {}
+          end
+        rescue Excon::Error::Timeout
+          @npm_listing = {}
+        end
+
+        def dependency_url
+          registry_url =
+            if new_source.nil? then "https://registry.npmjs.org"
+            else
+              new_source.fetch(:url)
+            end
+
+          # NPM registries expect slashes to be escaped
+          escaped_dependency_name = dependency.name.gsub("/", "%2F")
+          "#{registry_url}/#{escaped_dependency_name}"
+        end
+
+        def registry_auth_headers
+          return {} unless auth_token
+
+          { "Authorization" => "Bearer #{auth_token}" }
+        end
+
+        def dependency_registry
+          if new_source.nil? then "registry.npmjs.org"
+          else
+            new_source.fetch(:url).gsub("https://", "").gsub("http://", "")
+          end
+        end
+
+        def auth_token
+          credentials
+            .select { |cred| cred["type"] == "npm_registry" }
+            .find { |cred| cred["registry"] == dependency_registry }
+            &.fetch("token", nil)
+        end
+
+        def non_standard_registry?
+          dependency_registry != "registry.npmjs.org"
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/shared/native_helpers.rb

@@ -0,0 +1,21 @@
+# typed: true
+# frozen_string_literal: true
+
+module Dependabot
+  module Javascript
+    module Shared
+      module NativeHelpers
+        def self.helper_path
+          "node #{File.join(native_helpers_root, 'run.js')}"
+        end
+
+        def self.native_helpers_root
+          helpers_root = ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", nil)
+          return File.join(helpers_root, "javascript", "shared") unless helpers_root.nil?
+
+          File.join(__dir__, "../../../helpers")
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/shared/package_manager_detector.rb

@@ -0,0 +1,72 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Dependabot
+  module Javascript
+    module Shared
+      class PackageManagerDetector
+        extend T::Sig
+        extend T::Helpers
+
+        sig do
+          params(
+            lockfiles: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
+            package_json: T.nilable(T::Hash[String, T.untyped])
+          ).void
+        end
+        def initialize(lockfiles, package_json)
+          @lockfiles = lockfiles
+          @package_json = package_json
+          @manifest_package_manager = T.let(package_json&.fetch(MANIFEST_PACKAGE_MANAGER_KEY, nil), T.nilable(String))
+          @engines = T.let(package_json&.fetch(MANIFEST_ENGINES_KEY, {}), T::Hash[String, T.untyped])
+        end
+
+        # Returns npm, yarn, or pnpm based on the lockfiles, package.json, and engines
+        # Defaults to npm if no package manager is detected
+        sig { returns(String) }
+        def detect_package_manager
+          package_manager = name_from_lockfiles ||
+                            name_from_package_manager_attr ||
+                            name_from_engines
+
+          if package_manager
+            Dependabot.logger.info("Detected package manager: #{package_manager}")
+          else
+            package_manager = DEFAULT_PACKAGE_MANAGER
+            Dependabot.logger.info("Default package manager used: #{package_manager}")
+          end
+          package_manager
+        rescue StandardError => e
+          Dependabot.logger.error("Error detecting package manager: #{e.message}")
+          DEFAULT_PACKAGE_MANAGER
+        end
+
+        private
+
+        sig { returns(T.nilable(String)) }
+        def name_from_lockfiles
+          PACKAGE_MANAGER_CLASSES.keys.map(&:to_s).find { |manager_name| @lockfiles[manager_name.to_sym] }
+        end
+
+        sig { returns(T.nilable(String)) }
+        def name_from_package_manager_attr
+          return unless @manifest_package_manager
+
+          PACKAGE_MANAGER_CLASSES.keys.map(&:to_s).find do |manager_name|
+            @manifest_package_manager.start_with?("#{manager_name}@")
+          end
+        end
+
+        sig { returns(T.nilable(String)) }
+        def name_from_engines
+          return unless @engines.is_a?(Hash)
+
+          PACKAGE_MANAGER_CLASSES.each_key do |manager_name|
+            return manager_name if @engines[manager_name]
+          end
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/shared/package_name.rb

@@ -0,0 +1,118 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Dependabot
+  module Javascript
+    module Shared
+      class PackageName
+        extend T::Sig
+
+        # NPM package naming rules are defined by the following projects:
+        # - https://github.com/npm/npm-user-validate
+        # - https://github.com/npm/validate-npm-package-name
+        PACKAGE_NAME_REGEX = %r{
+          \A                                          # beginning of string
+          (?=.{1,214}\z)                              # enforce length (1 - 214)
+          (@(?<scope>                                 # capture 'scope' if present
+            [a-z0-9\-\_\.\!\~\*\'\(\)]+               # URL-safe characters in scope
+          )\/)?                                       # scope must be followed by slash
+          (?<name>                                    # capture package name
+            (?(<scope>)                               # if scope is present
+              [a-z0-9\-\_\.\!\~\*\'\(\)]+             # scoped names can start with any URL-safe character
+            |                                         # if no scope
+              [a-z0-9\-\!\~\*\'\(\)]                  # non-scoped names cannot start with . or _
+              [a-z0-9\-\_\.\!\~\*\'\(\)]*             # subsequent characters can be any URL-safe character
+            )
+          )
+          \z                                          # end of string
+        }xi # multi-line/case-insensitive
+
+        TYPES_PACKAGE_NAME_REGEX = %r{
+            \A                                          # beginning of string
+            @types\/                                    # starts with @types/
+            ((?<scope>.+)__)?                           # capture scope
+            (?<name>.+)                                 # capture name
+            \z                                          # end of string
+        }xi # multi-line/case-insensitive
+
+        class InvalidPackageName < StandardError; end
+
+        sig { params(string: String).void }
+        def initialize(string)
+          match = PACKAGE_NAME_REGEX.match(string.to_s)
+          raise InvalidPackageName unless match
+
+          @scope = T.let(match[:scope], T.nilable(String))
+          @name = T.let(match[:name], T.nilable(String))
+        end
+
+        sig { returns(String) }
+        def to_s
+          if scoped?
+            "@#{@scope}/#{@name}"
+          else
+            @name.to_s
+          end
+        end
+
+        sig { params(other: PackageName).returns(T::Boolean) }
+        def eql?(other)
+          self.class == other.class && to_s == other.to_s
+        end
+
+        sig { returns(Integer) }
+        def hash
+          to_s.downcase.hash
+        end
+
+        sig { params(other: PackageName).returns(T.nilable(Integer)) }
+        def <=>(other)
+          to_s.casecmp(other.to_s)
+        end
+
+        sig { returns(T.nilable(PackageName)) }
+        def library_name
+          return unless types_package?
+          return @library_name if defined?(@library_name)
+
+          lib_name =
+            begin
+              match = T.must(TYPES_PACKAGE_NAME_REGEX.match(to_s))
+              if match[:scope]
+                self.class.new("@#{match[:scope]}/#{match[:name]}")
+              else
+                self.class.new(match[:name].to_s)
+              end
+            end
+
+          @library_name ||= T.let(lib_name, T.nilable(PackageName))
+        end
+
+        sig { returns(T.nilable(PackageName)) }
+        def types_package_name
+          return if types_package?
+
+          @types_package_name ||= T.let(
+            if scoped?
+              self.class.new("@types/#{@scope}__#{@name}")
+            else
+              self.class.new("@types/#{@name}")
+            end, T.nilable(PackageName)
+          )
+        end
+
+        private
+
+        sig { returns(T::Boolean) }
+        def scoped?
+          !@scope.nil?
+        end
+
+        sig { returns(T.nilable(T::Boolean)) }
+        def types_package?
+          "types".casecmp?(@scope)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/shared/registry_helper.rb

@@ -0,0 +1,190 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "yaml"
+require "dependabot/dependency_file"
+require "sorbet-runtime"
+
+module Dependabot
+  module Javascript
+    module Shared
+      class RegistryHelper
+        extend T::Sig
+
+        # Keys for configurations
+        REGISTRY_KEY = "registry"
+        AUTH_KEY = "authToken"
+
+        # Yarn-specific keys
+        NPM_AUTH_TOKEN_KEY_FOR_YARN = "npmAuthToken"
+        NPM_SCOPE_KEY_FOR_YARN = "npmScopes"
+        NPM_REGISTER_KEY_FOR_YARN = "npmRegistryServer"
+
+        # Environment variable keys
+        COREPACK_NPM_REGISTRY_ENV = "COREPACK_NPM_REGISTRY"
+        COREPACK_NPM_TOKEN_ENV = "COREPACK_NPM_TOKEN"
+
+        sig do
+          params(
+            registry_config_files: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
+            credentials: T.nilable(T::Array[Dependabot::Credential])
+          ).void
+        end
+        def initialize(registry_config_files, credentials)
+          @registry_config_files = T.let(registry_config_files, T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)])
+          @credentials = T.let(credentials, T.nilable(T::Array[Dependabot::Credential]))
+        end
+
+        sig { returns(T::Hash[String, String]) }
+        def find_corepack_env_variables
+          registry_info = find_registry_and_token
+
+          env_variables = {}
+          env_variables[COREPACK_NPM_REGISTRY_ENV] = registry_info[:registry] if registry_info[:registry]
+          env_variables[COREPACK_NPM_TOKEN_ENV] = registry_info[:auth_token] if registry_info[:auth_token]
+
+          env_variables
+        end
+
+        private
+
+        sig { returns(T::Hash[Symbol, T.nilable(String)]) }
+        def find_registry_and_token
+          # Step 1: Check dependabot.yml configuration
+          dependabot_config = config_npm_registry_and_token
+          return dependabot_config if dependabot_config[:registry]
+
+          # Step 2: Check .npmrc
+          npmrc_config = @registry_config_files[:npmrc]
+          npmrc_result = parse_registry_from_npmrc_yarnrc(npmrc_config, "=", "npm")
+
+          return npmrc_result if npmrc_result[:registry]
+
+          # Step 3: Check .yarnrc
+          yarnrc_config = @registry_config_files[:yarnrc]
+          yarnrc_result = parse_registry_from_npmrc_yarnrc(yarnrc_config, " ", "npm")
+          return yarnrc_result if yarnrc_result[:registry]
+
+          # Step 4: Check yarnrc.yml
+          yarnrc_yml_config = @registry_config_files[:yarnrc_yml]
+          yarnrc_yml_result = parse_npm_from_yarnrc_yml(yarnrc_yml_config)
+          return yarnrc_yml_result if yarnrc_yml_result[:registry]
+
+          # Default values if no registry is found
+          {}
+        end
+
+        sig { returns(T::Hash[Symbol, T.nilable(String)]) }
+        def config_npm_registry_and_token
+          registries = {}
+
+          return registries unless @credentials&.any?
+
+          @credentials.each do |cred|
+            next unless cred["type"] == "npm_registry" # Skip if not an npm registry
+            next unless cred["replaces-base"] # Skip if not a reverse-proxy registry
+
+            # Set the registry if it's not already set
+            registries[:registry] ||= cred["registry"]
+
+            # Set the token if it's not already set
+            registries[:auth_token] ||= cred["token"]
+          end
+          registries
+        end
+
+        # Find registry and token in .npmrc or .yarnrc file
+        sig do
+          params(
+            file: T.nilable(Dependabot::DependencyFile),
+            separator: String
+          ).returns(T::Hash[Symbol, T.nilable(String)])
+        end
+        def parse_npm_from_npm_or_yarn_rc(file, separator = "=")
+          parse_registry_from_npmrc_yarnrc(file, separator, "npm")
+        end
+
+        # Find registry and token in .npmrc or .yarnrc file
+        sig do
+          params(
+            file: T.nilable(Dependabot::DependencyFile),
+            separator: String,
+            scope: T.nilable(String)
+          ).returns(T::Hash[Symbol, T.nilable(String)])
+        end
+        def parse_registry_from_npmrc_yarnrc(file, separator = "=", scope = nil)
+          content = file&.content
+          return { registry: nil, auth_token: nil } unless content
+
+          global_registry = T.let(nil, T.nilable(String))
+          scoped_registry = T.let(nil, T.nilable(String))
+          auth_token = T.let(nil, T.nilable(String))
+
+          content.split("\n").each do |line|
+            # Split using the provided separator
+            key, value = line.strip.split(separator, 2)
+            next unless key && value
+
+            # Remove surrounding quotes from keys and values
+            cleaned_key = key.strip.gsub(/\A["']|["']\z/, "")
+            cleaned_value = value.strip.gsub(/\A["']|["']\z/, "")
+
+            case cleaned_key
+            when "registry"
+              # Case 1: Found a global registry
+              global_registry = cleaned_value
+            when "_authToken"
+              # Case 2: Found an auth token
+              auth_token = cleaned_value
+            else
+              # Handle scoped registry if a scope is provided
+              scoped_registry = cleaned_value if scope && cleaned_key == "@#{scope}:registry"
+            end
+          end
+
+          # Determine the registry to return (global first, fallback to scoped)
+          registry = global_registry || scoped_registry
+
+          { registry: registry, auth_token: auth_token }
+        end
+
+        # rubocop:disable Metrics/PerceivedComplexity
+        sig { params(file: T.nilable(Dependabot::DependencyFile)).returns(T::Hash[Symbol, T.nilable(String)]) }
+        def parse_npm_from_yarnrc_yml(file)
+          content = file&.content
+          return { registry: nil, auth_token: nil } unless content
+
+          result = {}
+          yaml_data = safe_load_yaml(content)
+
+          # Step 1: Extract global registry and auth token
+          result[:registry] = yaml_data[NPM_REGISTER_KEY_FOR_YARN] if yaml_data.key?(NPM_REGISTER_KEY_FOR_YARN)
+          result[:auth_token] = yaml_data[NPM_AUTH_TOKEN_KEY_FOR_YARN] if yaml_data.key?(NPM_AUTH_TOKEN_KEY_FOR_YARN)
+
+          # Step 2: Fallback to any scoped registry and auth token if global is missing
+          if result[:registry].nil? && yaml_data.key?(NPM_SCOPE_KEY_FOR_YARN)
+            yaml_data[NPM_SCOPE_KEY_FOR_YARN].each do |_current_scope, config|
+              next unless config.is_a?(Hash)
+
+              result[:registry] ||= config[NPM_REGISTER_KEY_FOR_YARN]
+              result[:auth_token] ||= config[NPM_AUTH_TOKEN_KEY_FOR_YARN]
+            end
+          end
+
+          result
+        end
+        # rubocop:enable Metrics/PerceivedComplexity
+
+        # Safely loads the YAML content and logs any parsing errors
+        sig { params(content: String).returns(T::Hash[String, T.untyped]) }
+        def safe_load_yaml(content)
+          YAML.safe_load(content, permitted_classes: [Symbol, String]) || {}
+        rescue Psych::SyntaxError => e
+          # Log the error instead of raising it
+          Dependabot.logger.error("YAML parsing error: #{e.message}")
+          {}
+        end
+      end
+    end
+  end
+end