dependabot-bun 0.296.0 → 0.296.3

data/lib/dependabot/bun/update_checker/dependency_files_builder.rb

@@ -0,0 +1,79 @@
+# typed: true
+# frozen_string_literal: true
+
+require "dependabot/bun/file_updater/npmrc_builder"
+require "dependabot/bun/file_updater/package_json_preparer"
+
+module Dependabot
+  module Bun
+    class UpdateChecker
+      class DependencyFilesBuilder
+        def initialize(dependency:, dependency_files:, credentials:)
+          @dependency = dependency
+          @dependency_files = dependency_files
+          @credentials = credentials
+        end
+
+        def write_temporary_dependency_files
+          write_lockfiles
+
+          File.write(".npmrc", npmrc_content)
+
+          package_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(file.name, prepared_package_json_content(file))
+          end
+        end
+
+        def bun_locks
+          @bun_locks ||=
+            dependency_files
+            .select { |f| f.name.end_with?("bun.lock") }
+        end
+
+        def root_bun_lock
+          @root_bun_lock ||=
+            dependency_files
+            .find { |f| f.name == "bun.lock" }
+        end
+
+        def lockfiles
+          [*bun_locks]
+        end
+
+        def package_files
+          @package_files ||=
+            dependency_files
+            .select { |f| f.name.end_with?("package.json") }
+        end
+
+        private
+
+        attr_reader :dependency
+        attr_reader :dependency_files
+        attr_reader :credentials
+
+        def write_lockfiles
+          bun_locks.each do |f|
+            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
+            File.write(f.name, f.content)
+          end
+        end
+
+        def prepared_package_json_content(file)
+          Bun::FileUpdater::PackageJsonPreparer.new(
+            package_json_content: file.content
+          ).prepared_content
+        end
+
+        def npmrc_content
+          Bun::FileUpdater::NpmrcBuilder.new(
+            credentials: credentials,
+            dependency_files: dependency_files
+          ).npmrc_content
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bun/update_checker/latest_version_finder.rb

@@ -0,0 +1,448 @@
+# typed: true
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/bun/update_checker"
+require "dependabot/update_checkers/version_filters"
+require "dependabot/bun/update_checker/registry_finder"
+require "dependabot/bun/version"
+require "dependabot/bun/requirement"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+require "sorbet-runtime"
+
+module Dependabot
+  module Bun
+    class UpdateChecker
+      class LatestVersionFinder
+        extend T::Sig
+
+        def initialize(dependency:, credentials:, dependency_files:,
+                       ignored_versions:, security_advisories:,
+                       raise_on_ignored: false)
+          @dependency          = dependency
+          @credentials         = credentials
+          @dependency_files    = dependency_files
+          @ignored_versions    = ignored_versions
+          @raise_on_ignored    = raise_on_ignored
+          @security_advisories = security_advisories
+        end
+
+        def latest_version_from_registry
+          return unless valid_npm_details?
+          return version_from_dist_tags if version_from_dist_tags
+          return if specified_dist_tag_requirement?
+
+          possible_versions.find { |v| !yanked?(v) }
+        rescue Excon::Error::Socket, Excon::Error::Timeout, RegistryError
+          raise if dependency_registry == "registry.npmjs.org"
+          # Custom registries can be flaky. We don't want to make that
+          # our problem, so we quietly return `nil` here.
+        end
+
+        def latest_version_with_no_unlock
+          return unless valid_npm_details?
+          return version_from_dist_tags if specified_dist_tag_requirement?
+
+          in_range_versions = filter_out_of_range_versions(possible_versions)
+          in_range_versions.find { |version| !yanked?(version) }
+        rescue Excon::Error::Socket, Excon::Error::Timeout
+          raise if dependency_registry == "registry.npmjs.org"
+          # Sometimes custom registries are flaky. We don't want to make that
+          # our problem, so we quietly return `nil` here.
+        end
+
+        def lowest_security_fix_version
+          return unless valid_npm_details?
+
+          secure_versions =
+            if specified_dist_tag_requirement?
+              [version_from_dist_tags].compact
+            else
+              possible_versions(filter_ignored: false)
+            end
+
+          secure_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(secure_versions,
+                                                                                                  security_advisories)
+          secure_versions = filter_ignored_versions(secure_versions)
+          secure_versions = filter_lower_versions(secure_versions)
+
+          secure_versions.reverse.find { |version| !yanked?(version) }
+        rescue Excon::Error::Socket, Excon::Error::Timeout
+          raise if dependency_registry == "registry.npmjs.org"
+          # Sometimes custom registries are flaky. We don't want to make that
+          # our problem, so we quietly return `nil` here.
+        end
+
+        def possible_previous_versions_with_details
+          @possible_previous_versions_with_details ||= npm_details.fetch("versions", {})
+                                                                  .transform_keys { |k| version_class.new(k) }
+                                                                  .reject do |v, _|
+                                                                    v.prerelease? && !related_to_current_pre?(v)
+                                                                  end
+                                                                  .sort_by(&:first).reverse
+        end
+
+        def possible_versions_with_details(filter_ignored: true)
+          versions = possible_previous_versions_with_details
+                     .reject { |_, details| details["deprecated"] }
+
+          return filter_ignored_versions(versions) if filter_ignored
+
+          versions
+        end
+
+        def possible_versions(filter_ignored: true)
+          possible_versions_with_details(filter_ignored: filter_ignored)
+            .map(&:first)
+        end
+
+        private
+
+        attr_reader :dependency
+        attr_reader :credentials
+        attr_reader :dependency_files
+        attr_reader :ignored_versions
+        attr_reader :security_advisories
+
+        def valid_npm_details?
+          !npm_details&.fetch("dist-tags", nil).nil?
+        end
+
+        sig { params(versions_array: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+        def filter_ignored_versions(versions_array)
+          filtered = versions_array.reject do |v, _|
+            ignore_requirements.any? { |r| r.satisfied_by?(v) }
+          end
+
+          if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(versions_array).any?
+            raise AllVersionsIgnored
+          end
+
+          if versions_array.count > filtered.count
+            diff = versions_array.count - filtered.count
+            Dependabot.logger.info("Filtered out #{diff} ignored versions")
+          end
+
+          filtered
+        end
+
+        sig { params(versions_array: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+        def filter_out_of_range_versions(versions_array)
+          reqs = dependency.requirements.filter_map do |r|
+            Bun::Requirement.requirements_array(r.fetch(:requirement))
+          end
+
+          versions_array
+            .select { |v| reqs.all? { |r| r.any? { |o| o.satisfied_by?(v) } } }
+        end
+
+        sig { params(versions_array: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+        def filter_lower_versions(versions_array)
+          return versions_array unless dependency.numeric_version
+
+          versions_array
+            .select { |version, _| version > dependency.numeric_version }
+        end
+
+        def version_from_dist_tags
+          dist_tags = npm_details["dist-tags"].keys
+
+          # Check if a dist tag was specified as a requirement. If it was, and
+          # it exists, use it.
+          dist_tag_req = dependency.requirements
+                                   .find { |r| dist_tags.include?(r[:requirement]) }
+                                   &.fetch(:requirement)
+
+          if dist_tag_req
+            tag_vers =
+              version_class.new(npm_details["dist-tags"][dist_tag_req])
+            return tag_vers unless yanked?(tag_vers)
+          end
+
+          # Use the latest dist tag unless there's a reason not to
+          return nil unless npm_details["dist-tags"]["latest"]
+
+          latest = version_class.new(npm_details["dist-tags"]["latest"])
+
+          wants_latest_dist_tag?(latest) ? latest : nil
+        end
+
+        def related_to_current_pre?(version)
+          current_version = dependency.numeric_version
+          if current_version&.prerelease? &&
+             current_version&.release == version.release
+            return true
+          end
+
+          dependency.requirements.any? do |req|
+            next unless req[:requirement]&.match?(/\d-[A-Za-z]/)
+
+            Bun::Requirement
+              .requirements_array(req.fetch(:requirement))
+              .any? do |r|
+                r.requirements.any? { |a| a.last.release == version.release }
+              end
+          rescue Gem::Requirement::BadRequirementError
+            false
+          end
+        end
+
+        def specified_dist_tag_requirement?
+          dependency.requirements.any? do |req|
+            next false if req[:requirement].nil?
+            next false unless req[:requirement].match?(/^[A-Za-z]/)
+
+            !req[:requirement].match?(/^v\d/i)
+          end
+        end
+
+        def wants_latest_dist_tag?(latest_version)
+          ver = latest_version
+          return false if related_to_current_pre?(ver) ^ ver.prerelease?
+          return false if current_version_greater_than?(ver)
+          return false if current_requirement_greater_than?(ver)
+          return false if ignore_requirements.any? { |r| r.satisfied_by?(ver) }
+          return false if yanked?(ver)
+
+          true
+        end
+
+        def current_version_greater_than?(version)
+          return false unless dependency.numeric_version
+
+          dependency.numeric_version > version
+        end
+
+        def current_requirement_greater_than?(version)
+          dependency.requirements.any? do |req|
+            next false unless req[:requirement]
+
+            req_version = req[:requirement].sub(/^\^|~|>=?/, "")
+            next false unless version_class.correct?(req_version)
+
+            version_class.new(req_version) > version
+          end
+        end
+
+        def yanked?(version)
+          @yanked ||= {}
+          return @yanked[version] if @yanked.key?(version)
+
+          @yanked[version] =
+            begin
+              if dependency_registry == "registry.npmjs.org"
+                status = Dependabot::RegistryClient.head(
+                  url: registry_finder.tarball_url(version),
+                  headers: registry_auth_headers
+                ).status
+              else
+                status = Dependabot::RegistryClient.get(
+                  url: dependency_url + "/#{version}",
+                  headers: registry_auth_headers
+                ).status
+
+                if status == 404
+                  # Some registries don't handle escaped package names properly
+                  status = Dependabot::RegistryClient.get(
+                    url: dependency_url.gsub("%2F", "/") + "/#{version}",
+                    headers: registry_auth_headers
+                  ).status
+                end
+              end
+
+              version_not_found = status == 404
+              version_not_found && version_endpoint_working?
+            rescue Excon::Error::Timeout, Excon::Error::Socket
+              # Give the benefit of the doubt if the registry is playing up
+              false
+            end
+        end
+
+        def version_endpoint_working?
+          return true if dependency_registry == "registry.npmjs.org"
+
+          return @version_endpoint_working if defined?(@version_endpoint_working)
+
+          @version_endpoint_working =
+            begin
+              Dependabot::RegistryClient.get(
+                url: dependency_url + "/latest",
+                headers: registry_auth_headers
+              ).status < 400
+            rescue Excon::Error::Timeout, Excon::Error::Socket
+              # Give the benefit of the doubt if the registry is playing up
+              true
+            end
+        end
+
+        def npm_details
+          return @npm_details if defined?(@npm_details)
+
+          @npm_details = fetch_npm_details
+        end
+
+        def fetch_npm_details
+          npm_response = fetch_npm_response
+
+          check_npm_response(npm_response)
+          JSON.parse(npm_response.body)
+        rescue JSON::ParserError,
+               Excon::Error::Timeout,
+               Excon::Error::Socket,
+               RegistryError => e
+          if git_dependency?
+            nil
+          else
+            raise_npm_details_error(e)
+          end
+        end
+
+        def fetch_npm_response
+          response = Dependabot::RegistryClient.get(
+            url: dependency_url,
+            headers: registry_auth_headers
+          )
+          return response unless response.status == 500
+          return response unless registry_auth_headers["Authorization"]
+
+          auth = registry_auth_headers["Authorization"]
+          return response unless auth.start_with?("Basic")
+
+          decoded_token = Base64.decode64(auth.gsub("Basic ", ""))
+          return unless decoded_token.include?(":")
+
+          username, password = decoded_token.split(":")
+          Dependabot::RegistryClient.get(
+            url: dependency_url,
+            options: {
+              user: username,
+              password: password
+            }
+          )
+        rescue URI::InvalidURIError => e
+          raise DependencyFileNotResolvable, e.message
+        end
+
+        def check_npm_response(npm_response)
+          return if git_dependency?
+
+          if private_dependency_not_reachable?(npm_response)
+            raise PrivateSourceAuthenticationFailure, dependency_registry
+          end
+
+          # handles scenario when private registry returns a server error 5xx
+          if private_dependency_server_error?(npm_response)
+            msg = "Server error #{npm_response.status} returned while accessing registry" \
+                  " #{dependency_registry}."
+            raise DependencyFileNotResolvable, msg
+          end
+
+          status = npm_response.status
+
+          # handles issue when status 200 is returned from registry but with an invalid JSON object
+          if status.to_s.start_with?("2") && response_invalid_json?(npm_response)
+            msg = "Invalid JSON object returned from registry #{dependency_registry}."
+            Dependabot.logger.warn("#{msg} Response body (truncated) : #{npm_response.body[0..500]}...")
+            raise DependencyFileNotResolvable, msg
+          end
+
+          return if status.to_s.start_with?("2")
+
+          # Ignore 404s from the registry for updates where a lockfile doesn't
+          # need to be generated. The 404 won't cause problems later.
+          return if status == 404 && dependency.version.nil?
+
+          msg = "Got #{status} response with body #{npm_response.body}"
+          raise RegistryError.new(status, msg)
+        end
+
+        def raise_npm_details_error(error)
+          raise if dependency_registry == "registry.npmjs.org"
+          raise unless error.is_a?(Excon::Error::Timeout)
+
+          raise PrivateSourceTimedOut, dependency_registry
+        end
+
+        def private_dependency_not_reachable?(npm_response)
+          return true if npm_response.body.start_with?(/user ".*?" is not a /)
+          return false unless [401, 402, 403, 404].include?(npm_response.status)
+
+          # Check whether this dependency is (likely to be) private
+          if dependency_registry == "registry.npmjs.org"
+            return false unless dependency.name.start_with?("@")
+
+            web_response = Dependabot::RegistryClient.get(url: "https://www.npmjs.com/package/#{dependency.name}")
+            # NOTE: returns 429 when the login page is rate limited
+            return web_response.body.include?("Forgot password?") ||
+                   web_response.status == 429
+          end
+
+          true
+        end
+
+        def private_dependency_server_error?(npm_response)
+          if [500, 501, 502, 503].include?(npm_response.status)
+            Dependabot.logger.warn("#{dependency_registry} returned code #{npm_response.status} with " \
+                                   "body #{npm_response.body}.")
+            return true
+          end
+          false
+        end
+
+        def response_invalid_json?(npm_response)
+          result = JSON.parse(npm_response.body)
+          result.is_a?(Hash) || result.is_a?(Array)
+          false
+        rescue JSON::ParserError, TypeError
+          true
+        end
+
+        def dependency_url
+          registry_finder.dependency_url
+        end
+
+        def dependency_registry
+          registry_finder.registry
+        end
+
+        def registry_auth_headers
+          registry_finder.auth_headers
+        end
+
+        def registry_finder
+          @registry_finder ||= RegistryFinder.new(
+            dependency: dependency,
+            credentials: credentials,
+            npmrc_file: npmrc_file
+          )
+        end
+
+        def ignore_requirements
+          ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
+        end
+
+        def version_class
+          dependency.version_class
+        end
+
+        def requirement_class
+          dependency.requirement_class
+        end
+
+        def npmrc_file
+          dependency_files.find { |f| f.name.end_with?(".npmrc") }
+        end
+
+        # TODO: Remove need for me
+        def git_dependency?
+          # ignored_version/raise_on_ignored are irrelevant.
+          GitCommitChecker.new(
+            dependency: dependency,
+            credentials: credentials
+          ).git_dependency?
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bun/update_checker/library_detector.rb

@@ -0,0 +1,76 @@
+# typed: true
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/bun/update_checker"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Bun
+    class UpdateChecker
+      class LibraryDetector
+        def initialize(package_json_file:, credentials:, dependency_files:)
+          @package_json_file = package_json_file
+          @credentials = credentials
+          @dependency_files = dependency_files
+        end
+
+        def library?
+          return false unless package_json_may_be_for_library?
+
+          npm_response_matches_package_json?
+        end
+
+        private
+
+        attr_reader :package_json_file
+        attr_reader :credentials
+        attr_reader :dependency_files
+
+        def package_json_may_be_for_library?
+          return false unless project_name
+          return false if project_name.match?(/\{\{.*\}\}/)
+          return false unless parsed_package_json["version"]
+          return false if parsed_package_json["private"]
+
+          true
+        end
+
+        def npm_response_matches_package_json?
+          project_description = parsed_package_json["description"]
+          return false unless project_description
+
+          # Check if the project is listed on npm. If it is, it's a library
+          url = "#{registry.chomp('/')}/#{escaped_project_name}"
+          @project_npm_response ||= Dependabot::RegistryClient.get(url: url)
+          return false unless @project_npm_response.status == 200
+
+          @project_npm_response.body.dup.force_encoding("UTF-8").encode
+                               .include?(project_description)
+        rescue Excon::Error::Socket, Excon::Error::Timeout, URI::InvalidURIError
+          false
+        end
+
+        def project_name
+          parsed_package_json.fetch("name", nil)
+        end
+
+        def escaped_project_name
+          project_name&.gsub("/", "%2F")
+        end
+
+        def parsed_package_json
+          @parsed_package_json ||= JSON.parse(package_json_file.content)
+        end
+
+        def registry
+          Bun::UpdateChecker::RegistryFinder.new(
+            dependency: nil,
+            credentials: credentials,
+            npmrc_file: dependency_files.find { |f| f.name.end_with?(".npmrc") }
+          ).registry_from_rc(project_name)
+        end
+      end
+    end
+  end
+end