dependabot-bun 0.296.0 → 0.296.3

data/lib/dependabot/bun/file_updater/package_json_updater.rb

@@ -0,0 +1,378 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/bun/file_updater"
+
+module Dependabot
+  module Bun
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      class PackageJsonUpdater
+        extend T::Sig
+
+        LOCAL_PACKAGE = T.let([/portal:/, /file:/].freeze, T::Array[Regexp])
+
+        PATCH_PACKAGE = T.let([/patch:/].freeze, T::Array[Regexp])
+
+        sig do
+          params(
+            package_json: Dependabot::DependencyFile,
+            dependencies: T::Array[Dependabot::Dependency]
+          ).void
+        end
+        def initialize(package_json:, dependencies:)
+          @package_json = package_json
+          @dependencies = dependencies
+        end
+
+        sig { returns(Dependabot::DependencyFile) }
+        def updated_package_json
+          updated_file = package_json.dup
+          updated_file.content = updated_package_json_content
+          updated_file
+        end
+
+        private
+
+        sig { returns(Dependabot::DependencyFile) }
+        attr_reader :package_json
+
+        sig { returns(T::Array[Dependabot::Dependency]) }
+        attr_reader :dependencies
+
+        # rubocop:disable Metrics/PerceivedComplexity
+
+        sig { returns(T.nilable(String)) }
+        def updated_package_json_content
+          # checks if we are updating single dependency in package.json
+          unique_deps_count = dependencies.map(&:name).to_a.uniq.compact.length
+
+          dependencies.reduce(package_json.content.dup) do |content, dep|
+            updated_requirements(dep)&.each do |new_req|
+              old_req = old_requirement(dep, new_req)
+
+              new_content = update_package_json_declaration(
+                package_json_content: T.must(content),
+                dependency_name: dep.name,
+                old_req: old_req,
+                new_req: new_req
+              )
+
+              if Dependabot::Experiments.enabled?(:avoid_duplicate_updates_package_json) &&
+                 (content == new_content && unique_deps_count > 1)
+
+                # (we observed that) package.json does not always contains the same dependencies compared to
+                # "dependencies" list, for example, dependencies object can contain same name dependency "dep"=> "1.0.0"
+                # and "dev" => "1.0.1" while package.json can only contain "dep" => "1.0.0",the other dependency is
+                # not present in package.json so we don't have to update it, this is most likely (as observed)
+                # a transitive dependency which only needs update in lockfile, So we avoid throwing exception and let
+                # the update continue.
+
+                Dependabot.logger.info("experiment: avoid_duplicate_updates_package_json.
+                Updating package.json for #{dep.name} ")
+
+                raise "Expected content to change!"
+              end
+
+              if !Dependabot::Experiments.enabled?(:avoid_duplicate_updates_package_json) && (content == new_content)
+                raise "Expected content to change!"
+              end
+
+              content = new_content
+            end
+
+            new_requirements(dep).each do |new_req|
+              old_req = old_requirement(dep, new_req)
+
+              content = update_package_json_resolutions(
+                package_json_content: T.must(content),
+                new_req: new_req,
+                dependency: dep,
+                old_req: old_req
+              )
+            end
+
+            content
+          end
+        end
+        # rubocop:enable Metrics/PerceivedComplexity
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            new_requirement: T::Hash[Symbol, T.untyped]
+          )
+            .returns(T.nilable(T::Hash[Symbol, T.untyped]))
+        end
+        def old_requirement(dependency, new_requirement)
+          T.must(dependency.previous_requirements)
+           .select { |r| r[:file] == package_json.name }
+           .find { |r| r[:groups] == new_requirement[:groups] }
+        end
+
+        sig { params(dependency: Dependabot::Dependency).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+        def new_requirements(dependency)
+          dependency.requirements.select { |r| r[:file] == package_json.name }
+        end
+
+        sig { params(dependency: Dependabot::Dependency).returns(T.nilable(T::Array[T::Hash[Symbol, T.untyped]])) }
+        def updated_requirements(dependency)
+          return unless dependency.previous_requirements
+
+          preliminary_check_for_update(dependency)
+
+          updated_requirement_pairs =
+            dependency.requirements.zip(T.must(dependency.previous_requirements))
+                      .reject do |new_req, old_req|
+              next true if new_req == old_req
+              next false unless old_req&.fetch(:source).nil?
+
+              new_req[:requirement] == old_req&.fetch(:requirement)
+            end
+
+          updated_requirement_pairs
+            .map(&:first)
+            .select { |r| r[:file] == package_json.name }
+        end
+
+        sig do
+          params(
+            package_json_content: String,
+            new_req: T::Hash[Symbol, T.untyped],
+            dependency_name: String,
+            old_req: T.nilable(T::Hash[Symbol, T.untyped])
+          )
+            .returns(String)
+        end
+        def update_package_json_declaration(package_json_content:, new_req:, dependency_name:, old_req:)
+          original_line = declaration_line(
+            dependency_name: dependency_name,
+            dependency_req: old_req,
+            content: package_json_content
+          )
+
+          replacement_line = replacement_declaration_line(
+            original_line: original_line,
+            old_req: old_req,
+            new_req: new_req
+          )
+
+          groups = new_req.fetch(:groups)
+
+          update_package_json_sections(
+            groups,
+            package_json_content,
+            original_line,
+            replacement_line
+          )
+        end
+
+        # For full details on how Yarn resolutions work, see
+        # https://github.com/yarnpkg/rfcs/blob/master/implemented/
+        # 0000-selective-versions-resolutions.md
+        sig do
+          params(
+            package_json_content: String,
+            new_req: T::Hash[Symbol, T.untyped],
+            dependency: Dependabot::Dependency,
+            old_req: T.nilable(T::Hash[Symbol, T.untyped])
+          )
+            .returns(String)
+        end
+        def update_package_json_resolutions(package_json_content:, new_req:, dependency:, old_req:)
+          dep = dependency
+          parsed_json_content = JSON.parse(package_json_content)
+          resolutions =
+            parsed_json_content.fetch("resolutions", parsed_json_content.dig("pnpm", "overrides") || {})
+                               .reject { |_, v| v != old_req && v != dep.previous_version }
+                               .select { |k, _| k == dep.name || k.end_with?("/#{dep.name}") }
+
+          return package_json_content unless resolutions.any?
+
+          content = package_json_content
+          resolutions.each do |_, resolution|
+            original_line = declaration_line(
+              dependency_name: dep.name,
+              dependency_req: { requirement: resolution },
+              content: content
+            )
+
+            new_resolution = resolution == old_req ? new_req : dep.version
+
+            replacement_line = replacement_declaration_line(
+              original_line: original_line,
+              old_req: { requirement: resolution },
+              new_req: { requirement: new_resolution }
+            )
+
+            content = update_package_json_sections(
+              %w(resolutions overrides), content, original_line, replacement_line
+            )
+          end
+          content
+        end
+
+        sig do
+          params(
+            dependency_name: String,
+            dependency_req: T.nilable(T::Hash[Symbol, T.untyped]),
+            content: String
+          )
+            .returns(String)
+        end
+        def declaration_line(dependency_name:, dependency_req:, content:)
+          git_dependency = dependency_req&.dig(:source, :type) == "git"
+
+          unless git_dependency
+            requirement = dependency_req&.fetch(:requirement)
+            return content.match(/"#{Regexp.escape(dependency_name)}"\s*:\s*
+                                  "#{Regexp.escape(requirement)}"/x).to_s
+          end
+
+          username, repo =
+            dependency_req&.dig(:source, :url)&.split("/")&.last(2)
+
+          content.match(
+            %r{"#{Regexp.escape(dependency_name)}"\s*:\s*
+               ".*?#{Regexp.escape(username)}/#{Regexp.escape(repo)}.*"}x
+          ).to_s
+        end
+
+        sig do
+          params(
+            original_line: String,
+            old_req: T.nilable(T::Hash[Symbol, T.untyped]),
+            new_req: T::Hash[Symbol, T.untyped]
+          )
+            .returns(String)
+        end
+        def replacement_declaration_line(original_line:, old_req:, new_req:)
+          was_git_dependency = old_req&.dig(:source, :type) == "git"
+          now_git_dependency = new_req.dig(:source, :type) == "git"
+
+          unless was_git_dependency
+            return original_line.gsub(
+              %("#{old_req&.fetch(:requirement)}"),
+              %("#{new_req.fetch(:requirement)}")
+            )
+          end
+
+          unless now_git_dependency
+            return original_line.gsub(
+              /(?<=\s").*[^\\](?=")/,
+              new_req.fetch(:requirement)
+            )
+          end
+
+          if original_line.match?(/#[\^~=<>]|semver:/)
+            return update_git_semver_requirement(
+              original_line: original_line,
+              old_req: old_req,
+              new_req: new_req
+            )
+          end
+
+          original_line.gsub(
+            %(##{old_req&.dig(:source, :ref)}"),
+            %(##{new_req.dig(:source, :ref)}")
+          )
+        end
+
+        sig do
+          params(
+            original_line: String,
+            old_req: T.nilable(T::Hash[Symbol, String]),
+            new_req: T::Hash[Symbol, String]
+          )
+            .returns(String)
+        end
+        def update_git_semver_requirement(original_line:, old_req:, new_req:)
+          if original_line.include?("semver:")
+            return original_line.gsub(
+              %(semver:#{old_req&.fetch(:requirement)}"),
+              %(semver:#{new_req.fetch(:requirement)}")
+            )
+          end
+
+          raise "Not a semver req!" unless original_line.match?(/#[\^~=<>]/)
+
+          original_line.gsub(
+            %(##{old_req&.fetch(:requirement)}"),
+            %(##{new_req.fetch(:requirement)}")
+          )
+        end
+
+        sig do
+          params(
+            sections: T::Array[String],
+            content: String,
+            old_line: String,
+            new_line: String
+          )
+            .returns(String)
+        end
+        def update_package_json_sections(sections, content, old_line, new_line)
+          # Currently, Dependabot doesn't update peerDependencies. However,
+          # if a development dependency is being updated and its requirement
+          # matches the requirement on a peer dependency we probably want to
+          # update the peer too.
+          #
+          # TODO: Move this logic to the UpdateChecker (and parse peer deps)
+          sections += ["peerDependencies"]
+          sections_regex = /#{sections.join('|')}/
+
+          declaration_blocks = T.let([], T::Array[String])
+
+          content.scan(/['"]#{sections_regex}['"]\s*:\s*\{/m) do
+            mtch = T.must(Regexp.last_match)
+            declaration_blocks <<
+              (mtch.to_s + T.must(mtch.post_match[0..closing_bracket_index(mtch.post_match)]))
+          end
+
+          declaration_blocks.reduce(content.dup) do |new_content, block|
+            updated_block = block.sub(old_line, new_line)
+            new_content.sub(block, updated_block)
+          end
+        end
+
+        sig { params(string: String).returns(Integer) }
+        def closing_bracket_index(string)
+          closes_required = 1
+
+          string.chars.each_with_index do |char, index|
+            closes_required += 1 if char == "{"
+            closes_required -= 1 if char == "}"
+            return index if closes_required.zero?
+          end
+
+          0
+        end
+
+        sig { params(dependency: Dependabot::Dependency).void }
+        def preliminary_check_for_update(dependency)
+          T.must(dependency.previous_requirements).each do |req, _dep|
+            next if req.fetch(:requirement).nil?
+
+            # some deps are patched with local patches, we don't need to update them
+            if req.fetch(:requirement).match?(Regexp.union(PATCH_PACKAGE))
+              Dependabot.logger.info("Func: updated_requirements. dependency patched #{dependency.name}," \
+                                     " Requirement: '#{req.fetch(:requirement)}'")
+
+              raise DependencyFileNotResolvable,
+                    "Dependency is patched locally, Update not required."
+            end
+
+            # some deps are added as local packages, we don't need to update them as they are referred to a local path
+            next unless req.fetch(:requirement).match?(Regexp.union(LOCAL_PACKAGE))
+
+            Dependabot.logger.info("Func: updated_requirements. local package #{dependency.name}," \
+                                   " Requirement: '#{req.fetch(:requirement)}'")
+
+            raise DependencyFileNotResolvable,
+                  "Local package, Update not required."
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bun/file_updater.rb

@@ -0,0 +1,203 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+require "dependabot/file_updaters/vendor_updater"
+require "dependabot/file_updaters/artifact_updater"
+require "dependabot/bun/dependency_files_filterer"
+require "dependabot/bun/sub_dependency_files_filterer"
+require "sorbet-runtime"
+
+module Dependabot
+  module Bun
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      extend T::Sig
+
+      require_relative "file_updater/package_json_updater"
+      require_relative "file_updater/bun_lockfile_updater"
+
+      class NoChangeError < StandardError
+        extend T::Sig
+
+        sig { params(message: String, error_context: T::Hash[Symbol, T.untyped]).void }
+        def initialize(message:, error_context:)
+          super(message)
+          @error_context = error_context
+        end
+
+        sig { returns(T::Hash[Symbol, T.untyped]) }
+        def sentry_context
+          { extra: @error_context }
+        end
+      end
+
+      sig { override.returns(T::Array[Regexp]) }
+      def self.updated_files_regex
+        [
+          %r{^(?:.*/)?package\.json$},
+          %r{^(?:.*/)?\.pnp\.(?:js|cjs)$} # Matches .pnp.js or .pnp.cjs files
+        ]
+      end
+
+      sig { override.returns(T::Array[DependencyFile]) }
+      def updated_dependency_files
+        updated_files = T.let([], T::Array[DependencyFile])
+
+        updated_files += updated_manifest_files
+        updated_files += updated_lockfiles
+
+        if updated_files.none?
+
+          raise NoChangeError.new(
+            message: "No files were updated!",
+            error_context: error_context(updated_files: updated_files)
+          )
+        end
+
+        sorted_updated_files = updated_files.sort_by(&:name)
+        if sorted_updated_files == filtered_dependency_files.sort_by(&:name)
+          raise NoChangeError.new(
+            message: "Updated files are unchanged!",
+            error_context: error_context(updated_files: updated_files)
+          )
+        end
+
+        vendor_updated_files(updated_files)
+      end
+
+      private
+
+      sig { params(updated_files: T::Array[Dependabot::DependencyFile]).returns(T::Array[Dependabot::DependencyFile]) }
+      def vendor_updated_files(updated_files)
+        base_dir = T.must(updated_files.first).directory
+        pnp_updater.updated_files(base_directory: base_dir, only_paths: [".pnp.cjs", ".pnp.data.json"]).each do |file|
+          updated_files << file
+        end
+
+        updated_files
+      end
+
+      sig { returns(Dependabot::FileUpdaters::ArtifactUpdater) }
+      def pnp_updater
+        Dependabot::FileUpdaters::ArtifactUpdater.new(
+          repo_contents_path: repo_contents_path,
+          target_directory: "./"
+        )
+      end
+
+      sig { returns(T::Array[DependencyFile]) }
+      def filtered_dependency_files
+        @filtered_dependency_files ||= T.let(
+          if dependencies.any?(&:top_level?)
+            DependencyFilesFilterer.new(
+              dependency_files: dependency_files,
+              updated_dependencies: dependencies
+            ).files_requiring_update
+          else
+            SubDependencyFilesFilterer.new(
+              dependency_files: dependency_files,
+              updated_dependencies: dependencies
+            ).files_requiring_update
+          end, T.nilable(T::Array[DependencyFile])
+        )
+      end
+
+      sig { override.void }
+      def check_required_files
+        raise DependencyFileNotFound.new(nil, "package.json not found.") unless get_original_file("package.json")
+      end
+
+      sig { params(updated_files: T::Array[DependencyFile]).returns(T::Hash[Symbol, T.untyped]) }
+      def error_context(updated_files:)
+        {
+          dependencies: dependencies.map(&:to_h),
+          updated_files: updated_files.map(&:name),
+          dependency_files: dependency_files.map(&:name)
+        }
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def bun_locks
+        @bun_locks ||= T.let(
+          filtered_dependency_files
+          .select { |f| f.name.end_with?("bun.lock") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def package_files
+        @package_files ||= T.let(
+          filtered_dependency_files.select do |f|
+            f.name.end_with?("package.json")
+          end, T.nilable(T::Array[DependencyFile])
+        )
+      end
+
+      sig { params(bun_lock: Dependabot::DependencyFile).returns(T::Boolean) }
+      def bun_lock_changed?(bun_lock)
+        bun_lock.content != updated_bun_lock_content(bun_lock)
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def updated_manifest_files
+        package_files.filter_map do |file|
+          updated_content = updated_package_json_content(file)
+          next if updated_content == file.content
+
+          updated_file(file: file, content: T.must(updated_content))
+        end
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def updated_lockfiles
+        updated_files = []
+
+        bun_locks.each do |bun_lock|
+          next unless bun_lock_changed?(bun_lock)
+
+          updated_files << updated_file(
+            file: bun_lock,
+            content: updated_bun_lock_content(bun_lock)
+          )
+        end
+
+        updated_files
+      end
+
+      sig { params(bun_lock: Dependabot::DependencyFile).returns(String) }
+      def updated_bun_lock_content(bun_lock)
+        @updated_bun_lock_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
+        @updated_bun_lock_content[bun_lock.name] ||=
+          bun_lockfile_updater.updated_bun_lock_content(bun_lock)
+      end
+
+      sig { returns(Dependabot::Bun::FileUpdater::BunLockfileUpdater) }
+      def bun_lockfile_updater
+        @bun_lockfile_updater ||= T.let(
+          BunLockfileUpdater.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files,
+            repo_contents_path: repo_contents_path,
+            credentials: credentials
+          ),
+          T.nilable(Dependabot::Bun::FileUpdater::BunLockfileUpdater)
+        )
+      end
+
+      sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
+      def updated_package_json_content(file)
+        @updated_package_json_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
+        @updated_package_json_content[file.name] ||=
+          PackageJsonUpdater.new(
+            package_json: file,
+            dependencies: dependencies
+          ).updated_package_json.content
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters
+  .register("bun", Dependabot::Bun::FileUpdater)

data/lib/dependabot/bun/helpers.rb

@@ -1,6 +1,12 @@
 # typed: strong
 # frozen_string_literal: true
 
+require "dependabot/dependency"
+require "dependabot/file_parsers"
+require "dependabot/file_parsers/base"
+require "dependabot/shared_helpers"
+require "sorbet-runtime"
+
 module Dependabot
   module Bun
     module Helpers
@@ -15,9 +21,43 @@ module Dependabot
         BUN_DEFAULT_VERSION
       end
 
+      sig { returns(T.nilable(String)) }
+      def self.node_version
+        version = run_node_command("-v", fingerprint: "-v").strip
+
+        # Validate the output format (e.g., "v20.18.1" or "20.18.1")
+        if version.match?(/^v?\d+(\.\d+){2}$/)
+          version.strip.delete_prefix("v") # Remove the "v" prefix if present
+        end
+      rescue StandardError => e
+        Dependabot.logger.error("Error retrieving Node.js version: #{e.message}")
+        nil
+      end
+
+      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
+      def self.run_node_command(command, fingerprint: nil)
+        full_command = "node #{command}"
+
+        Dependabot.logger.info("Running node command: #{full_command}")
+
+        result = Dependabot::SharedHelpers.run_shell_command(
+          full_command,
+          fingerprint: "node #{fingerprint || command}"
+        )
+
+        Dependabot.logger.info("Command executed successfully: #{full_command}")
+        result
+      rescue StandardError => e
+        Dependabot.logger.error("Error running node command: #{full_command}, Error: #{e.message}")
+        raise
+      end
+
       sig { returns(T.nilable(String)) }
       def self.bun_version
-        run_bun_command("--version", fingerprint: "--version").strip
+        version = run_bun_command("--version", fingerprint: "--version").strip
+        if version.include?("+")
+          version.split("+").first # Remove build info, if present
+        end
       rescue StandardError => e
         Dependabot.logger.error("Error retrieving Bun version: #{e.message}")
         nil
@@ -41,34 +81,8 @@ module Dependabot
         raise
       end
 
-      # Fetch the currently installed version of the package manager directly
-      # from the system
-      sig { params(name: String).returns(String) }
-      def self.local_package_manager_version(name)
-        Dependabot::SharedHelpers.run_shell_command(
-          "#{name} -v",
-          fingerprint: "#{name} -v"
-        ).strip
-      end
-
-      # Run single command on package manager returning stdout/stderr
-      sig do
-        params(
-          name: String,
-          command: String,
-          fingerprint: T.nilable(String)
-        ).returns(String)
-      end
-      def self.package_manager_run_command(name, command, fingerprint: nil)
-        return run_bun_command(command, fingerprint: fingerprint) if name == PackageManager::NAME
-
-        # TODO: remove this method and just use the one in the PackageManager class
-        "noop"
-      end
-
       sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).returns(T::Array[Dependency]) }
       def self.dependencies_with_all_versions_metadata(dependency_set)
-        # TODO: Check if we still need this method
         dependency_set.dependencies.map do |dependency|
           dependency.metadata[:all_versions] = dependency_set.all_versions_for_name(dependency.name)
           dependency

data/lib/dependabot/bun/language.rb

@@ -1,7 +1,7 @@
 # typed: strong
 # frozen_string_literal: true
 
-require "dependabot/npm_and_yarn/package_manager"
+require "dependabot/bun/package_manager"
 
 module Dependabot
   module Bun
@@ -17,7 +17,7 @@ module Dependabot
         params(
           detected_version: T.nilable(String),
           raw_version: T.nilable(String),
-          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+          requirement: T.nilable(Dependabot::Bun::Requirement)
         ).void
       end
       def initialize(detected_version: nil, raw_version: nil, requirement: nil)