RubyGems - dependabot-bun - Versions diffs - 0.296.2 → 0.296.3 - Mend

dependabot-bun 0.296.2 → 0.296.3

Files changed (144) hide show

data/lib/dependabot/bun/pnpm_package_manager.rb ADDED Viewed

@@ -0,0 +1,55 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/bun/package_manager"
+module Dependabot
+  module Bun
+    class PNPMPackageManager < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "pnpm"
+      LOCKFILE_NAME = "pnpm-lock.yaml"
+      PNPM_WS_YML_FILENAME = "pnpm-workspace.yaml"
+      PNPM_V7 = "7"
+      PNPM_V8 = "8"
+      PNPM_V9 = "9"
+      SUPPORTED_VERSIONS = T.let([
+        Version.new(PNPM_V7),
+        Version.new(PNPM_V8),
+        Version.new(PNPM_V9)
+      ].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::Bun::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/bun/registry_helper.rb ADDED Viewed

@@ -0,0 +1,188 @@
+# typed: strict
+# frozen_string_literal: true
+require "yaml"
+require "dependabot/dependency_file"
+require "sorbet-runtime"
+module Dependabot
+  module Bun
+    class RegistryHelper
+      extend T::Sig
+      # Keys for configurations
+      REGISTRY_KEY = "registry"
+      AUTH_KEY = "authToken"
+      # Yarn-specific keys
+      NPM_AUTH_TOKEN_KEY_FOR_YARN = "npmAuthToken"
+      NPM_SCOPE_KEY_FOR_YARN = "npmScopes"
+      NPM_REGISTER_KEY_FOR_YARN = "npmRegistryServer"
+      # Environment variable keys
+      COREPACK_NPM_REGISTRY_ENV = "COREPACK_NPM_REGISTRY"
+      COREPACK_NPM_TOKEN_ENV = "COREPACK_NPM_TOKEN"
+      sig do
+        params(
+          registry_config_files: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
+          credentials: T.nilable(T::Array[Dependabot::Credential])
+        ).void
+      end
+      def initialize(registry_config_files, credentials)
+        @registry_config_files = T.let(registry_config_files, T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)])
+        @credentials = T.let(credentials, T.nilable(T::Array[Dependabot::Credential]))
+      end
+      sig { returns(T::Hash[String, String]) }
+      def find_corepack_env_variables
+        registry_info = find_registry_and_token
+        env_variables = {}
+        env_variables[COREPACK_NPM_REGISTRY_ENV] = registry_info[:registry] if registry_info[:registry]
+        env_variables[COREPACK_NPM_TOKEN_ENV] = registry_info[:auth_token] if registry_info[:auth_token]
+        env_variables
+      end
+      private
+      sig { returns(T::Hash[Symbol, T.nilable(String)]) }
+      def find_registry_and_token
+        # Step 1: Check dependabot.yml configuration
+        dependabot_config = config_npm_registry_and_token
+        return dependabot_config if dependabot_config[:registry]
+        # Step 2: Check .npmrc
+        npmrc_config = @registry_config_files[:npmrc]
+        npmrc_result = parse_registry_from_npmrc_yarnrc(npmrc_config, "=", "npm")
+        return npmrc_result if npmrc_result[:registry]
+        # Step 3: Check .yarnrc
+        yarnrc_config = @registry_config_files[:yarnrc]
+        yarnrc_result = parse_registry_from_npmrc_yarnrc(yarnrc_config, " ", "npm")
+        return yarnrc_result if yarnrc_result[:registry]
+        # Step 4: Check yarnrc.yml
+        yarnrc_yml_config = @registry_config_files[:yarnrc_yml]
+        yarnrc_yml_result = parse_npm_from_yarnrc_yml(yarnrc_yml_config)
+        return yarnrc_yml_result if yarnrc_yml_result[:registry]
+        # Default values if no registry is found
+        {}
+      end
+      sig { returns(T::Hash[Symbol, T.nilable(String)]) }
+      def config_npm_registry_and_token
+        registries = {}
+        return registries unless @credentials&.any?
+        @credentials.each do |cred|
+          next unless cred["type"] == "npm_registry" # Skip if not an npm registry
+          next unless cred["replaces-base"] # Skip if not a reverse-proxy registry
+          # Set the registry if it's not already set
+          registries[:registry] ||= cred["registry"]
+          # Set the token if it's not already set
+          registries[:auth_token] ||= cred["token"]
+        end
+        registries
+      end
+      # Find registry and token in .npmrc or .yarnrc file
+      sig do
+        params(
+          file: T.nilable(Dependabot::DependencyFile),
+          separator: String
+        ).returns(T::Hash[Symbol, T.nilable(String)])
+      end
+      def parse_npm_from_npm_or_yarn_rc(file, separator = "=")
+        parse_registry_from_npmrc_yarnrc(file, separator, "npm")
+      end
+      # Find registry and token in .npmrc or .yarnrc file
+      sig do
+        params(
+          file: T.nilable(Dependabot::DependencyFile),
+          separator: String,
+          scope: T.nilable(String)
+        ).returns(T::Hash[Symbol, T.nilable(String)])
+      end
+      def parse_registry_from_npmrc_yarnrc(file, separator = "=", scope = nil)
+        content = file&.content
+        return { registry: nil, auth_token: nil } unless content
+        global_registry = T.let(nil, T.nilable(String))
+        scoped_registry = T.let(nil, T.nilable(String))
+        auth_token = T.let(nil, T.nilable(String))
+        content.split("\n").each do |line|
+          # Split using the provided separator
+          key, value = line.strip.split(separator, 2)
+          next unless key && value
+          # Remove surrounding quotes from keys and values
+          cleaned_key = key.strip.gsub(/\A["']|["']\z/, "")
+          cleaned_value = value.strip.gsub(/\A["']|["']\z/, "")
+          case cleaned_key
+          when "registry"
+            # Case 1: Found a global registry
+            global_registry = cleaned_value
+          when "_authToken"
+            # Case 2: Found an auth token
+            auth_token = cleaned_value
+          else
+            # Handle scoped registry if a scope is provided
+            scoped_registry = cleaned_value if scope && cleaned_key == "@#{scope}:registry"
+          end
+        end
+        # Determine the registry to return (global first, fallback to scoped)
+        registry = global_registry || scoped_registry
+        { registry: registry, auth_token: auth_token }
+      end
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(file: T.nilable(Dependabot::DependencyFile)).returns(T::Hash[Symbol, T.nilable(String)]) }
+      def parse_npm_from_yarnrc_yml(file)
+        content = file&.content
+        return { registry: nil, auth_token: nil } unless content
+        result = {}
+        yaml_data = safe_load_yaml(content)
+        # Step 1: Extract global registry and auth token
+        result[:registry] = yaml_data[NPM_REGISTER_KEY_FOR_YARN] if yaml_data.key?(NPM_REGISTER_KEY_FOR_YARN)
+        result[:auth_token] = yaml_data[NPM_AUTH_TOKEN_KEY_FOR_YARN] if yaml_data.key?(NPM_AUTH_TOKEN_KEY_FOR_YARN)
+        # Step 2: Fallback to any scoped registry and auth token if global is missing
+        if result[:registry].nil? && yaml_data.key?(NPM_SCOPE_KEY_FOR_YARN)
+          yaml_data[NPM_SCOPE_KEY_FOR_YARN].each do |_current_scope, config|
+            next unless config.is_a?(Hash)
+            result[:registry] ||= config[NPM_REGISTER_KEY_FOR_YARN]
+            result[:auth_token] ||= config[NPM_AUTH_TOKEN_KEY_FOR_YARN]
+          end
+        end
+        result
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+      # Safely loads the YAML content and logs any parsing errors
+      sig { params(content: String).returns(T::Hash[String, T.untyped]) }
+      def safe_load_yaml(content)
+        YAML.safe_load(content, permitted_classes: [Symbol, String]) || {}
+      rescue Psych::SyntaxError => e
+        # Log the error instead of raising it
+        Dependabot.logger.error("YAML parsing error: #{e.message}")
+        {}
+      end
+    end
+  end
+end

data/lib/dependabot/bun/registry_parser.rb ADDED Viewed

@@ -0,0 +1,93 @@
+# typed: strict
+# frozen_string_literal: true
+require "sorbet-runtime"
+module Dependabot
+  module Bun
+    class RegistryParser
+      extend T::Sig
+      sig { params(resolved_url: String, credentials: T::Array[Dependabot::Credential]).void }
+      def initialize(resolved_url:, credentials:)
+        @resolved_url = resolved_url
+        @credentials = credentials
+      end
+      sig { params(name: String).returns(T::Hash[Symbol, T.untyped]) }
+      def registry_source_for(name)
+        url =
+          if resolved_url.include?("/~/")
+            # Gemfury format
+            resolved_url.split("/~/").first
+          elsif resolved_url.include?("/#{name}/-/#{name}")
+            # MyGet / Bintray format
+            T.must(resolved_url.split("/#{name}/-/#{name}").first)
+             .gsub("dl.bintray.com//", "api.bintray.com/npm/").
+              # GitLab format
+              gsub(%r{\/projects\/\d+}, "")
+          elsif resolved_url.include?("/#{name}/-/#{name.split('/').last}")
+            # Sonatype Nexus / Artifactory JFrog format
+            resolved_url.split("/#{name}/-/#{name.split('/').last}").first
+          elsif (cred_url = url_for_relevant_cred) then cred_url
+          else
+            T.must(resolved_url.split("/")[0..2]).join("/")
+          end
+        { type: "registry", url: url }
+      end
+      sig { returns(String) }
+      def dependency_name
+        url_base = if resolved_url.include?("/-/")
+                     T.must(resolved_url.split("/-/").first)
+                   else
+                     resolved_url
+                   end
+        package_name = url_base.gsub("%2F", "/").match(%r{@.*/})
+        return T.must(url_base.gsub("%2F", "/").split("/").last) unless package_name
+        "#{package_name}#{T.must(url_base.gsub('%2F', '/').split('/').last)}"
+      end
+      private
+      sig { returns(String) }
+      attr_reader :resolved_url
+      sig { returns(T::Array[Dependabot::Credential]) }
+      attr_reader :credentials
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { returns(T.nilable(String)) }
+      def url_for_relevant_cred
+        resolved_url_host = URI(resolved_url).host
+        credential_matching_url =
+          credentials
+          .select { |cred| cred["type"] == "npm_registry" && cred["registry"] }
+          .sort_by { |cred| cred.fetch("registry").length }
+          .find do |details|
+            next true if resolved_url_host == details["registry"]
+            uri = if details["registry"]&.include?("://")
+                    URI(details.fetch("registry"))
+                  else
+                    URI("https://#{details['registry']}")
+                  end
+            resolved_url_host == uri.host && resolved_url.include?(details.fetch("registry"))
+          end
+        return unless credential_matching_url
+        # Trim the resolved URL so that it ends at the same point as the
+        # credential registry
+        reg = credential_matching_url.fetch("registry")
+        resolved_url.gsub(/#{Regexp.quote(reg)}.*/, "") + reg
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+    end
+  end
+end

data/lib/dependabot/bun/requirement.rb ADDED Viewed

@@ -0,0 +1,146 @@
+# typed: true
+# frozen_string_literal: true
+require "sorbet-runtime"
+require "dependabot/requirement"
+require "dependabot/utils"
+require "dependabot/bun/version"
+module Dependabot
+  module Bun
+    class Requirement < Dependabot::Requirement
+      extend T::Sig
+      AND_SEPARATOR = /(?<=[a-zA-Z0-9*])\s+(?:&+\s+)?(?!\s*[|-])/
+      OR_SEPARATOR = /(?<=[a-zA-Z0-9*])\s*\|+/
+      # Override the version pattern to allow a 'v' prefix
+      quoted = OPS.keys.map { |k| Regexp.quote(k) }.join("|")
+      version_pattern = "v?#{Bun::Version::VERSION_PATTERN}"
+      PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*".freeze
+      PATTERN = /\A#{PATTERN_RAW}\z/
+      def self.parse(obj)
+        return ["=", nil] if obj.is_a?(String) && Version::VERSION_TAGS.include?(obj.strip)
+        return ["=", Bun::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+        unless (matches = PATTERN.match(obj.to_s))
+          msg = "Illformed requirement [#{obj.inspect}]"
+          raise BadRequirementError, msg
+        end
+        return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+        [matches[1] || "=", Bun::Version.new(T.must(matches[2]))]
+      end
+      # Returns an array of requirements. At least one requirement from the
+      # returned array must be satisfied for a version to be valid.
+      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
+      def self.requirements_array(requirement_string)
+        return [new(nil)] if requirement_string.nil?
+        # Removing parentheses is technically wrong but they are extremely
+        # rarely used.
+        # TODO: Handle complicated parenthesised requirements
+        requirement_string = requirement_string.gsub(/[()]/, "")
+        requirement_string.strip.split(OR_SEPARATOR).map do |req_string|
+          requirements = req_string.strip.split(AND_SEPARATOR)
+          new(requirements)
+        end
+      end
+      def initialize(*requirements)
+        requirements = requirements.flatten
+                                   .flat_map { |req_string| req_string.split(",").map(&:strip) }
+                                   .flat_map { |req_string| convert_js_constraint_to_ruby_constraint(req_string) }
+        super(requirements)
+      end
+      private
+      def convert_js_constraint_to_ruby_constraint(req_string)
+        return req_string if req_string.match?(/^([A-Za-uw-z]|v[^\d])/)
+        req_string = req_string.gsub(/(?:\.|^)[xX*]/, "")
+        if req_string.empty? then ">= 0"
+        elsif req_string.start_with?("~>") then req_string
+        elsif req_string.start_with?("=") then req_string.gsub(/^=*/, "")
+        elsif req_string.start_with?("~") then convert_tilde_req(req_string)
+        elsif req_string.start_with?("^") then convert_caret_req(req_string)
+        elsif req_string.include?(" - ") then convert_hyphen_req(req_string)
+        elsif req_string.match?(/[<>]/) then req_string
+        else
+          ruby_range(req_string)
+        end
+      end
+      def convert_tilde_req(req_string)
+        version = req_string.gsub(/^~\>?[\s=]*/, "")
+        parts = version.split(".")
+        parts << "0" if parts.count < 3
+        "~> #{parts.join('.')}"
+      end
+      def convert_hyphen_req(req_string)
+        lower_bound, upper_bound = req_string.split(/\s+-\s+/)
+        lower_bound_parts = lower_bound.split(".")
+        lower_bound_parts.fill("0", lower_bound_parts.length...3)
+        upper_bound_parts = upper_bound.split(".")
+        upper_bound_range =
+          if upper_bound_parts.length < 3
+            # When upper bound is a partial version treat these as an X-range
+            upper_bound_parts[-1] = upper_bound_parts[-1].to_i + 1 if upper_bound_parts[-1].to_i.positive?
+            upper_bound_parts.fill("0", upper_bound_parts.length...3)
+            "< #{upper_bound_parts.join('.')}.a"
+          else
+            "<= #{upper_bound_parts.join('.')}"
+          end
+        [">= #{lower_bound_parts.join('.')}", upper_bound_range]
+      end
+      def ruby_range(req_string)
+        parts = req_string.split(".")
+        # If we have three or more parts then this is an exact match
+        return req_string if parts.count >= 3
+        # If we have fewer than three parts we do a partial match
+        parts << "0"
+        "~> #{parts.join('.')}"
+      end
+      def convert_caret_req(req_string)
+        version = req_string.gsub(/^\^[\s=]*/, "")
+        parts = version.split(".")
+        parts.fill("x", parts.length...3)
+        first_non_zero = parts.find { |d| d != "0" }
+        first_non_zero_index =
+          first_non_zero ? parts.index(first_non_zero) : parts.count - 1
+        # If the requirement has a blank minor or patch version increment the
+        # previous index value with 1
+        first_non_zero_index -= 1 if first_non_zero == "x"
+        upper_bound = parts.map.with_index do |part, i|
+          if i < first_non_zero_index then part
+          elsif i == first_non_zero_index then (part.to_i + 1).to_s
+          elsif i > first_non_zero_index && i == 2 then "0.a"
+          else
+            0
+          end
+        end.join(".")
+        [">= #{version}", "< #{upper_bound}"]
+      end
+    end
+  end
+end
+Dependabot::Utils.register_requirement_class(
+  "bun",
+  Dependabot::Bun::Requirement
+)

data/lib/dependabot/bun/sub_dependency_files_filterer.rb ADDED Viewed

@@ -0,0 +1,82 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/utils"
+require "dependabot/bun/version"
+require "dependabot/bun/file_parser/lockfile_parser"
+require "sorbet-runtime"
+# Used in the sub dependency version resolver and file updater to only run
+# yarn/npm helpers on dependency files that require updates. This is useful for
+# large monorepos with lots of sub-projects that don't all have the same
+# dependencies.
+module Dependabot
+  module Bun
+    class SubDependencyFilesFilterer
+      extend T::Sig
+      sig { params(dependency_files: T::Array[DependencyFile], updated_dependencies: T::Array[Dependency]).void }
+      def initialize(dependency_files:, updated_dependencies:)
+        @dependency_files = dependency_files
+        @updated_dependencies = updated_dependencies
+      end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def files_requiring_update
+        return T.must(@files_requiring_update) if defined? @files_requiring_update
+        files_requiring_update =
+          lockfiles.select do |lockfile|
+            lockfile_dependencies(lockfile).any? do |sub_dep|
+              updated_dependencies.any? do |updated_dep|
+                next false unless sub_dep.name == updated_dep.name
+                version_class.new(updated_dep.version) >
+                  version_class.new(sub_dep.version)
+              end
+            end
+          end
+        @files_requiring_update ||= T.let(files_requiring_update, T.nilable(T::Array[DependencyFile]))
+      end
+      private
+      sig { returns(T::Array[DependencyFile]) }
+      attr_reader :dependency_files
+      sig { returns(T::Array[Dependency]) }
+      attr_reader :updated_dependencies
+      sig { params(lockfile: DependencyFile).returns(T::Array[Dependabot::Dependency]) }
+      def lockfile_dependencies(lockfile)
+        @lockfile_dependencies ||= T.let({}, T.nilable(T::Hash[String, T::Array[Dependency]]))
+        @lockfile_dependencies[lockfile.name] ||=
+          Bun::FileParser::LockfileParser.new(
+            dependency_files: [lockfile]
+          ).parse
+      end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def lockfiles
+        dependency_files.select { |file| lockfile?(file) }
+      end
+      sig { params(file: DependencyFile).returns(T::Boolean) }
+      def lockfile?(file)
+        file.name.end_with?(
+          "package-lock.json",
+          "yarn.lock",
+          "npm-shrinkwrap.json",
+          "bun.lock",
+          "pnpm-lock.yaml"
+        )
+      end
+      sig { returns(T.class_of(Dependabot::Bun::Version)) }
+      def version_class
+        Bun::Version
+      end
+    end
+  end
+end

data/lib/dependabot/bun/update_checker/conflicting_dependency_resolver.rb ADDED Viewed

@@ -0,0 +1,59 @@
+# typed: true
+# frozen_string_literal: true
+require "dependabot/dependency"
+require "dependabot/errors"
+require "dependabot/logger"
+require "dependabot/bun/file_parser"
+require "dependabot/bun/helpers"
+require "dependabot/bun/native_helpers"
+require "dependabot/bun/update_checker"
+require "dependabot/bun/update_checker/dependency_files_builder"
+require "dependabot/shared_helpers"
+module Dependabot
+  module Bun
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      class ConflictingDependencyResolver
+        def initialize(dependency_files:, credentials:)
+          @dependency_files = dependency_files
+          @credentials = credentials
+        end
+        # Finds any dependencies in the `yarn.lock` or `package-lock.json` that
+        # have a subdependency on the given dependency that does not satisfly
+        # the target_version.
+        #
+        # @param dependency [Dependabot::Dependency] the dependency to check
+        # @param target_version [String] the version to check
+        # @return [Array<Hash{String => String}]
+        #   * name [String] the blocking dependencies name
+        #   * version [String] the version of the blocking dependency
+        #   * requirement [String] the requirement on the target_dependency
+        def conflicting_dependencies(dependency:, target_version:)
+          SharedHelpers.in_a_temporary_directory do
+            dependency_files_builder = DependencyFilesBuilder.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials
+            )
+            dependency_files_builder.write_temporary_dependency_files
+            SharedHelpers.run_helper_subprocess(
+              command: NativeHelpers.helper_path,
+              function: "yarn:findConflictingDependencies",
+              args: [Dir.pwd, dependency.name, target_version.to_s]
+            )
+          end
+        rescue SharedHelpers::HelperSubprocessFailed
+          []
+        end
+        private
+        attr_reader :dependency_files
+        attr_reader :credentials
+      end
+    end
+  end
+end