dependabot-bun 0.296.2 → 0.296.3

data/helpers/lib/npm6/subdependency-updater.js

@@ -0,0 +1,78 @@
+const fs = require("fs");
+const path = require("path");
+const npm = require("npm");
+const installer = require("npm/lib/install");
+const detectIndent = require("detect-indent");
+const removeDependenciesFromLockfile = require("./remove-dependencies-from-lockfile");
+
+const { muteStderr, runAsync } = require("./helpers.js");
+
+async function updateDependencyFile(directory, lockfileName, dependencies) {
+  const readFile = (fileName) =>
+    fs.readFileSync(path.join(directory, fileName)).toString();
+
+  const lockfile = readFile(lockfileName);
+  const indent = detectIndent(lockfile).indent || "  ";
+  const lockfileObject = JSON.parse(lockfile);
+  // Remove the dependency we want to update from the lockfile and let
+  // npm find the latest resolvable version and fix the lockfile
+  const updatedLockfileObject = removeDependenciesFromLockfile(
+    lockfileObject,
+    dependencies.map((dep) => dep.name)
+  );
+  fs.writeFileSync(
+    path.join(directory, lockfileName),
+    JSON.stringify(updatedLockfileObject, null, indent)
+  );
+
+  // `force: true` ignores checks for platform (os, cpu) and engines
+  // in npm/lib/install/validate-args.js
+  // Platform is checked and raised from (EBADPLATFORM):
+  // https://github.com/npm/npm-install-checks
+  //
+  // `'prefer-offline': true` sets fetch() cache key to `force-cache`
+  // https://github.com/npm/npm-registry-fetch
+  //
+  // `'ignore-scripts': true` used to disable prepare and prepack scripts
+  // which are run when installing git dependencies
+  await runAsync(npm, npm.load, [
+    {
+      loglevel: "silent",
+      force: true,
+      audit: false,
+      "prefer-offline": true,
+      "ignore-scripts": true,
+    },
+  ]);
+
+  const dryRun = true;
+  const initialInstaller = new installer.Installer(directory, dryRun, [], {
+    packageLockOnly: true,
+  });
+
+  // A bug in npm means the initial install will remove any git dependencies
+  // from the lockfile. A subsequent install with no arguments fixes this.
+  const cleanupInstaller = new installer.Installer(directory, dryRun, [], {
+    packageLockOnly: true,
+  });
+
+  // Skip printing the success message
+  initialInstaller.printInstalled = (cb) => cb();
+  cleanupInstaller.printInstalled = (cb) => cb();
+
+  // There are some hard-to-prevent bits of output.
+  // This is horrible, but works.
+  const unmute = muteStderr();
+  try {
+    await runAsync(initialInstaller, initialInstaller.run, []);
+    await runAsync(cleanupInstaller, cleanupInstaller.run, []);
+  } finally {
+    unmute();
+  }
+
+  const updatedLockfile = readFile(lockfileName);
+
+  return { [lockfileName]: updatedLockfile };
+}
+
+module.exports = { updateDependencyFile };

data/helpers/lib/npm6/updater.js

@@ -0,0 +1,199 @@
+/* DEPENDENCY FILE UPDATER
+ *
+ * Inputs:
+ *  - directory containing an up-to-date package.json and a package-lock.json
+ *    to be updated
+ *  - name of the dependency to be updated
+ *  - new dependency version
+ *  - previous requirements for this dependency
+ *  - the name of the lockfile (package-lock.json or npm-shrinkwrap.json)
+ *
+ * Outputs:
+ *  - updated package.json and package-lock.json files
+ *
+ * Update the dependency to the version specified and rewrite the package.json
+ * and package-lock.json files.
+ */
+const fs = require("fs");
+const path = require("path");
+const npm = require("npm");
+const installer = require("npm/lib/install");
+const detectIndent = require("detect-indent");
+const { muteStderr, runAsync } = require("./helpers.js");
+
+async function updateDependencyFiles(directory, lockfileName, dependencies) {
+  const readFile = (fileName) =>
+    fs.readFileSync(path.join(directory, fileName)).toString();
+
+  // `force: true` ignores checks for platform (os, cpu) and engines
+  // in npm/lib/install/validate-args.js
+  // Platform is checked and raised from (EBADPLATFORM):
+  // https://github.com/npm/npm-install-checks
+  //
+  // `'prefer-offline': true` sets fetch() cache key to `force-cache`
+  // https://github.com/npm/npm-registry-fetch
+  //
+  // `'ignore-scripts': true` used to disable prepare and prepack scripts
+  // which are run when installing git dependencies
+  await runAsync(npm, npm.load, [
+    {
+      loglevel: "silent",
+      force: true,
+      audit: false,
+      "prefer-offline": true,
+      "ignore-scripts": true,
+    },
+  ]);
+  const manifest = JSON.parse(readFile("package.json"));
+
+  const dryRun = true;
+  const flattenedDependencies = flattenAllDependencies(manifest);
+  const args = dependencies.map((dependency) => {
+    const existingVersionRequirement = flattenedDependencies[dependency.name];
+    return installArgs(
+      dependency.name,
+      dependency.version,
+      dependency.requirements,
+      existingVersionRequirement
+    );
+  });
+  const initialInstaller = new installer.Installer(directory, dryRun, args, {
+    packageLockOnly: true,
+  });
+
+  // A bug in npm means the initial install will remove any git dependencies
+  // from the lockfile. A subsequent install with no arguments fixes this.
+  const cleanupInstaller = new installer.Installer(directory, dryRun, [], {
+    packageLockOnly: true,
+  });
+
+  // Skip printing the success message
+  initialInstaller.printInstalled = (cb) => cb();
+  cleanupInstaller.printInstalled = (cb) => cb();
+
+  // There are some hard-to-prevent bits of output.
+  // This is horrible, but works.
+  const unmute = muteStderr();
+  try {
+    // Fix already present git sub-dependency with invalid "from" and "requires"
+    updateLockfileWithValidGitUrls(path.join(directory, lockfileName));
+
+    await runAsync(initialInstaller, initialInstaller.run, []);
+
+    // Fix npm5 lockfiles where invalid "from" is introduced after first install
+    updateLockfileWithValidGitUrls(path.join(directory, lockfileName));
+
+    await runAsync(cleanupInstaller, cleanupInstaller.run, []);
+  } finally {
+    unmute();
+  }
+
+  const updatedLockfile = readFile(lockfileName);
+
+  return { [lockfileName]: updatedLockfile };
+}
+
+function updateLockfileWithValidGitUrls(lockfilePath) {
+  const lockfile = fs.readFileSync(lockfilePath).toString();
+  const indent = detectIndent(lockfile).indent || "  ";
+  const updatedLockfileObject = removeInvalidGitUrls(JSON.parse(lockfile));
+  fs.writeFileSync(
+    lockfilePath,
+    JSON.stringify(updatedLockfileObject, null, indent)
+  );
+}
+
+function flattenAllDependencies(manifest) {
+  return Object.assign(
+    {},
+    manifest.optionalDependencies,
+    manifest.peerDependencies,
+    manifest.devDependencies,
+    manifest.dependencies
+  );
+}
+
+// NOTE: Reused in npm 7 updater
+function installArgs(
+  depName,
+  desiredVersion,
+  requirements,
+  existingVersionRequirement
+) {
+  const source = (requirements.find((req) => req.source) || {}).source;
+
+  if (source && source.type === "git") {
+    if (!existingVersionRequirement) {
+      existingVersionRequirement = source.url;
+    }
+
+    // Git is configured to auth over https while updating
+    existingVersionRequirement = existingVersionRequirement.replace(
+      /git\+ssh:\/\/git@(.*?)[:/]/,
+      "git+https://$1/"
+    );
+
+    // Keep any semver range that has already been updated in the package
+    // requirement when installing the new version
+    if (existingVersionRequirement.match(desiredVersion)) {
+      return `${depName}@${existingVersionRequirement}`;
+    } else if (!existingVersionRequirement.includes("#")) {
+      return `${depName}@${existingVersionRequirement}`;
+    } else {
+      return `${depName}@${existingVersionRequirement.replace(
+        /#.*/,
+        ""
+      )}#${desiredVersion}`;
+    }
+  } else {
+    return `${depName}@${desiredVersion}`;
+  }
+}
+
+// Note: Fixes bugs introduced in npm 6.6.0 for the following cases:
+//
+// - Fails when a sub-dependency has a "from" field that includes the dependency
+//   name for git dependencies (e.g. "bignumber.js@git+https://gi...)
+// - Fails when updating a npm@5 lockfile with git sub-dependencies, resulting
+//   in invalid "requires" that include the dependency name for git dependencies
+//   (e.g. "bignumber.js": "bignumber.js@git+https://gi...)
+function removeInvalidGitUrls(lockfile) {
+  if (!lockfile.dependencies) return lockfile;
+
+  const dependencies = Object.keys(lockfile.dependencies).reduce((acc, key) => {
+    let value = removeInvalidGitUrlsInFrom(lockfile.dependencies[key], key);
+    value = removeInvalidGitUrlsInRequires(value);
+    acc[key] = removeInvalidGitUrls(value);
+    return acc;
+  }, {});
+
+  return Object.assign({}, lockfile, { dependencies });
+}
+
+function removeInvalidGitUrlsInFrom(value, dependencyName) {
+  const matchKey = new RegExp(`^${dependencyName}@`);
+  let from = value.from;
+  if (value.from && value.from.match(matchKey)) {
+    from = value.from.replace(matchKey, "");
+  }
+
+  return Object.assign({}, value, { from });
+}
+
+function removeInvalidGitUrlsInRequires(value) {
+  if (!value.requires) return value;
+
+  const requires = Object.keys(value.requires).reduce((acc, reqKey) => {
+    let reqValue = value.requires[reqKey];
+    const requiresMatchKey = new RegExp(`^${reqKey}@`);
+    if (reqValue && reqValue.match(requiresMatchKey)) {
+      reqValue = reqValue.replace(requiresMatchKey, "");
+    }
+    acc[reqKey] = reqValue;
+    return acc;
+  }, {});
+
+  return Object.assign({}, value, { requires });
+}
+
+module.exports = { updateDependencyFiles };

data/helpers/lib/pnpm/index.js

@@ -0,0 +1,5 @@
+const lockfileParser = require("./lockfile-parser");
+
+module.exports = {
+  parseLockfile: lockfileParser.parse,
+};

data/helpers/lib/pnpm/lockfile-parser.js

@@ -0,0 +1,82 @@
+/* PNPM-LOCK.YAML PARSER
+ *
+ * Inputs:
+ *  - directory containing a pnpm-lock.yaml file
+ *
+ * Outputs:
+ *  - JSON formatted information of dependencies (name, version, dependency-type)
+ */
+const { readWantedLockfile } = require("@pnpm/lockfile-file");
+const dependencyPath = require("@pnpm/dependency-path");
+
+async function parse(directory) {
+  const lockfile = await readWantedLockfile(directory, {
+    ignoreIncompatible: true
+  });
+
+  return Object.entries(lockfile.packages ?? {})
+    .filter(([depPath, pkgSnapshot]) => {
+      let dp = dependencyPath.parse(depPath);
+      return dp && dp.name // null or undefined checked for dependency path (dp) and empty name dps are filtered.
+    })
+    .map(([depPath, pkgSnapshot]) => nameVerDevFromPkgSnapshot(depPath, pkgSnapshot, Object.values(lockfile.importers)))
+}
+
+function nameVerDevFromPkgSnapshot(depPath, pkgSnapshot, projectSnapshots) {
+  let name;
+  let version;
+
+  if (!pkgSnapshot.name) {
+    const pkgInfo = dependencyPath.parse(depPath);
+    name = pkgInfo.name;
+    version = pkgInfo.version;
+  } else {
+    name = pkgSnapshot.name;
+    version = pkgSnapshot.version;
+  }
+
+  let specifiers = [];
+  let aliased = false;
+
+  projectSnapshots.every(projectSnapshot => {
+    const projectSpecifiers = projectSnapshot.specifiers;
+
+    if (Object.values(projectSpecifiers).some(specifier => specifier.startsWith(`npm:${name}@`) || specifier == `npm:${name}`)) {
+      aliased = true;
+      return false;
+    }
+
+    currentSpecifier = projectSpecifiers[name];
+
+    if (!currentSpecifier) {
+      return true;
+    }
+
+    let specifierVersion = currentSpecifier.version;
+
+    if (!currentSpecifier.version) {
+      specifierVersion = projectSnapshot.dependencies?.[name] || projectSnapshot.devDependencies?.[name] || projectSnapshot.optionalDependencies?.[name]
+    }
+
+    if (
+      specifierVersion == version ||
+      specifierVersion.startsWith(`${version}_`) || // lockfileVersion 5.4
+      specifierVersion.startsWith(`${version}(`)    // lockfileVersion 6.0
+    ) {
+      specifiers.push(currentSpecifier.specifier || currentSpecifier);
+    }
+
+    return true;
+  });
+
+  return {
+    name: name,
+    version: version,
+    resolved: pkgSnapshot.resolution.tarball,
+    dev: pkgSnapshot.dev,
+    specifiers: specifiers,
+    aliased: aliased
+  }
+}
+
+module.exports = { parse };

data/helpers/lib/yarn/conflicting-dependency-parser.js

@@ -0,0 +1,176 @@
+/* Conflicting dependency parser for yarn
+ *
+ * Inputs:
+ *  - directory containing a package.json and a yarn.lock
+ *  - dependency name
+ *  - target dependency version
+ *
+ * Outputs:
+ *  - An array of objects with conflicting dependencies
+ */
+
+const fs = require("fs");
+const path = require("path");
+const semver = require("semver");
+const { parse } = require("./lockfile-parser");
+const { LOCKFILE_ENTRY_REGEX } = require("./helpers");
+
+async function findConflictingDependencies(directory, depName, targetVersion) {
+  const lockfileJson = await parse(directory);
+  const packageJson = fs
+    .readFileSync(path.join(directory, "package.json"))
+    .toString();
+  const dependencyTypes = [
+    "dependencies",
+    "devDependencies",
+    "optionalDependencies",
+  ];
+  const topLevelDependencies = dependencyTypes.flatMap((type) => {
+    return Object.entries(JSON.parse(packageJson)[type] || {});
+  });
+
+  const conflictingParents = topLevelDependencies.flatMap(
+    ([topLevelDepName, topLevelRequirement]) => {
+      const topLevelSpec = {
+        name: topLevelDepName,
+        requirement: topLevelRequirement,
+      };
+
+      return Array.from(
+        findConflictingParentDependencies(
+          topLevelDepName,
+          topLevelRequirement,
+          depName,
+          targetVersion,
+          topLevelSpec,
+          lockfileJson
+        ).values()
+      );
+    }
+  );
+
+  return conflictingParents.map((parentSpec) => {
+    const explanation = buildExplanation(parentSpec, depName);
+    return {
+      explanation: explanation,
+      name: parentSpec.name,
+      version: parentSpec.version,
+      requirement: parentSpec.requirement,
+    };
+  });
+}
+
+function buildExplanation(parentSpec, targetDepName) {
+  if (
+    parentSpec.name === parentSpec.topLevelSpec.name &&
+    parentSpec.version === parentSpec.topLevelSpec.version
+  ) {
+    // The nodes parent is top-level
+    return (
+      `${parentSpec.name}@${parentSpec.version} requires ${targetDepName}` +
+      `@${parentSpec.requirement}`
+    );
+  } else if (
+    parentSpec.transitiveSpec.name === parentSpec.topLevelSpec.name &&
+    parentSpec.transitiveSpec.version === parentSpec.topLevelSpec.version
+  ) {
+    // The nodes parent is a direct dependency of the top-level dependency
+    return (
+      `${parentSpec.topLevelSpec.name}@${parentSpec.topLevelSpec.version} requires ` +
+      `${targetDepName}@${parentSpec.requirement} ` +
+      `via ${parentSpec.name}@${parentSpec.version}`
+    );
+  } else {
+    // The nodes parent is a transitive dependency of the top-level dependency
+    return (
+      `${parentSpec.topLevelSpec.name}@${parentSpec.topLevelSpec.version} requires ` +
+      `${targetDepName}@${parentSpec.requirement} ` +
+      `via a transitive dependency on ${parentSpec.name}@${parentSpec.version}`
+    );
+  }
+}
+
+function findConflictingParentDependencies(
+  dependency,
+  requirement,
+  targetDep,
+  targetversion,
+  topLevelSpec,
+  lockfileJson,
+  transitiveSpec = {},
+  checkedEntries = new Set(),
+  conflictingParents = new Map()
+) {
+  // Prevent infinite loops for circular dependencies by only checking each
+  // lockfile entry once
+  const checkedEntry = [dependency, requirement].join("@");
+  if (checkedEntries.has(checkedEntry)) {
+    return conflictingParents;
+  }
+
+  checkedEntries.add(checkedEntry);
+
+  for (const [entry, pkg] of Object.entries(lockfileJson)) {
+    const [_, parentDepName, parentDepRequirement] = entry.match(
+      LOCKFILE_ENTRY_REGEX
+    );
+    // Decorate the top-level dependency spec with an installed version as we
+    // only have the requirement from the package.json manifest
+    if (
+      topLevelSpec.name == parentDepName &&
+      topLevelSpec.requirement == parentDepRequirement
+    ) {
+      topLevelSpec.version = pkg.version;
+    }
+
+    if (
+      pkg.dependencies &&
+      dependency == parentDepName &&
+      requirement == parentDepRequirement
+    ) {
+      // Recursive check for sub-dependencies finding dependencies that don't
+      // allow the target version of the vulnerable dependency to be installed
+      for (const [subDepName, spec] of Object.entries(pkg.dependencies)) {
+        if (
+          subDepName === targetDep &&
+          !semver.satisfies(targetversion, spec)
+        ) {
+          // Only add the conflicting parent once per version preventing
+          // duplicate dependencies from circular graphs
+          const key = [parentDepName, pkg.version].join("@");
+          conflictingParents.set(key, {
+            name: parentDepName,
+            version: pkg.version,
+            requirement: spec,
+            transitiveSpec,
+            topLevelSpec,
+          });
+        } else {
+          // Keep track of the parent dependency as a way to check if the
+          // conflicting dependency ends up being a direct dependency of a
+          // top-level dependency
+          transitiveSpec = {
+            name: parentDepName,
+            version: pkg.version,
+            requirement: parentDepRequirement,
+          };
+          findConflictingParentDependencies(
+            subDepName,
+            spec,
+            targetDep,
+            targetversion,
+            topLevelSpec,
+            lockfileJson,
+            transitiveSpec,
+            checkedEntries,
+            conflictingParents
+          );
+        }
+      }
+    }
+  }
+
+  return conflictingParents;
+}
+
+module.exports = { findConflictingDependencies };

data/helpers/lib/yarn/fix-duplicates.js

@@ -0,0 +1,80 @@
+const parse = require("@dependabot/yarn-lib/lib/lockfile/parse").default;
+const stringify = require("@dependabot/yarn-lib/lib/lockfile/stringify")
+  .default;
+const semver = require("semver");
+const { LOCKFILE_ENTRY_REGEX } = require("./helpers");
+
+function flattenIndirectDependencies(packages) {
+  return (packages || []).reduce((acc, { pkg }) => {
+    if ("dependencies" in pkg) {
+      return acc.concat(Object.keys(pkg.dependencies));
+    }
+    return acc;
+  }, []);
+}
+
+// Inspired by yarn-deduplicate. Altered to ensure the latest version is always used
+// for version ranges which allow it.
+module.exports = (data, updatedDependencyName) => {
+  if (!updatedDependencyName) {
+    throw new Error("Yarn fix duplicates: must provide dependency name");
+  }
+
+  const json = parse(data).object;
+  const enableLockfileVersions = Boolean(data.match(/^# yarn v/m));
+  const noHeader = !Boolean(data.match(/^# THIS IS AN AU/m));
+
+  const packages = {};
+
+  Object.entries(json).forEach(([name, pkg]) => {
+    if (name.match(LOCKFILE_ENTRY_REGEX)) {
+      const [_, packageName, requestedVersion] = name.match(
+        LOCKFILE_ENTRY_REGEX
+      );
+      packages[packageName] = packages[packageName] || [];
+      packages[packageName].push(
+        Object.assign({}, { name, pkg, packageName, requestedVersion })
+      );
+    }
+  });
+
+  const packageEntries = Object.entries(packages);
+
+  const updatedPackageEntry = packageEntries.filter(([name]) => {
+    return updatedDependencyName === name;
+  });
+
+  const updatedDependencyPackage =
+    updatedPackageEntry[0] && updatedPackageEntry[0][1];
+
+  const indirectDependencies = flattenIndirectDependencies(
+    updatedDependencyPackage
+  );
+
+  const packagesToDedupe = [updatedDependencyName, ...indirectDependencies];
+
+  packageEntries
+    .filter(([name]) => packagesToDedupe.includes(name))
+    .forEach(([name, packages]) => {
+      // Reverse sort, so we'll find the maximum satisfying version first
+      const versions = packages.map((p) => p.pkg.version).sort(semver.rcompare);
+      const ranges = packages.map((p) => p.requestedVersion);
+
+      // Dedup each package to its maxSatisfying version
+      packages.forEach((p) => {
+        const targetVersion = semver.maxSatisfying(
+          versions,
+          p.requestedVersion
+        );
+        if (targetVersion === null) return;
+        if (targetVersion !== p.pkg.version) {
+          const dedupedPackage = packages.find(
+            (p) => p.pkg.version === targetVersion
+          );
+          json[`${name}@${p.requestedVersion}`] = dedupedPackage.pkg;
+        }
+      });
+    });
+
+  return stringify(json, noHeader, enableLockfileVersions);
+};

data/helpers/lib/yarn/helpers.js

@@ -0,0 +1,54 @@
+const { Add } = require("@dependabot/yarn-lib/lib/cli/commands/add");
+const { Install } = require("@dependabot/yarn-lib/lib/cli/commands/install");
+
+function isString(value) {
+  return Object.prototype.toString.call(value) === "[object String]";
+}
+
+// Add is a subclass of the Install CLI command, which is responsible for
+// adding packages to a package.json and yarn.lock. Upgrading a package is
+// exactly the same as adding, except the package already exists in the
+// manifests.
+//
+// Usually, calling Add.init() would execute a series of steps: resolve, fetch,
+// link, run lifecycle scripts, cleanup, then save new manifest (package.json).
+// We only care about the first and last steps: resolve, then save the new
+// manifest. Fortunately, overriding bailout() gives us an opportunity to skip
+// over the intermediate steps in a relatively painless fashion.
+class LightweightAdd extends Add {
+  // This method is called by init() at the end of the resolve step, and is
+  // responsible for checking if any dependencies need to be updated locally.
+  // If everything is up to date, it'll save a new lockfile and return true,
+  // which causes init() to skip over the next few steps (fetching and
+  // installing packages). If there are packages that need updating, it'll
+  // return false, and init() will continue on to the fetching and installing
+  // steps.
+  //
+  // Add overrides Install's implementation to always return false - meaning
+  // that it will always continue to the fetch and install steps. We want to
+  // do the opposite - just save the new lockfile and stop there.
+  async bailout(patterns, workspaceLayout) {
+    // This is the only part of the original bailout implementation that
+    // matters: saving the new lockfile
+    await this.saveLockfileAndIntegrity(patterns, workspaceLayout);
+
+    // Skip over the unnecessary steps - fetching and linking packages, etc.
+    return true;
+  }
+}
+
+class LightweightInstall extends Install {
+  async bailout(patterns, workspaceLayout) {
+    await this.saveLockfileAndIntegrity(patterns, workspaceLayout);
+    return true;
+  }
+}
+
+const LOCKFILE_ENTRY_REGEX = /^(.*)@([^@]*?)$/;
+
+module.exports = {
+  isString,
+  LightweightAdd,
+  LightweightInstall,
+  LOCKFILE_ENTRY_REGEX,
+};

data/helpers/lib/yarn/index.js

@@ -0,0 +1,14 @@
+const lockfileParser = require("./lockfile-parser");
+const updater = require("./updater");
+const subdependencyUpdater = require("./subdependency-updater");
+const peerDependencyChecker = require("./peer-dependency-checker");
+const conflictingDependencyParser = require("./conflicting-dependency-parser");
+
+module.exports = {
+  parseLockfile: lockfileParser.parse,
+  update: updater.updateDependencyFiles,
+  updateSubdependency: subdependencyUpdater.updateDependencyFile,
+  checkPeerDependencies: peerDependencyChecker.checkPeerDependencies,
+  findConflictingDependencies:
+    conflictingDependencyParser.findConflictingDependencies,
+};