dependabot-bun 0.296.2 → 0.296.3

data/lib/dependabot/bun/version.rb

@@ -0,0 +1,138 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/version"
+require "dependabot/utils"
+require "sorbet-runtime"
+
+# JavaScript pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
+# converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
+# alteration.
+#
+# See https://semver.org/ for details of node's version syntax.
+
+module Dependabot
+  module Bun
+    class Version < Dependabot::Version
+      extend T::Sig
+
+      sig { returns(T.nilable(String)) }
+      attr_reader :build_info
+
+      # These are possible npm versioning tags that can be used in place of a version.
+      # See https://docs.npmjs.com/cli/v10/commands/npm-dist-tag#purpose for more details.
+      VERSION_TAGS = T.let([
+        "alpha",        # Alpha version, early testing phase
+        "beta",         # Beta version, more stable than alpha
+        "canary",       # Canary version, often used for cutting-edge builds
+        "dev",          # Development version, ongoing development
+        "experimental", # Experimental version, unstable and new features
+        "latest",       # Latest stable version, used by npm to identify the current version of a package
+        "legacy",       # Legacy version, older version maintained for compatibility
+        "next",         # Next version, used by some projects to identify the upcoming version
+        "nightly",      # Nightly build, daily builds often including latest changes
+        "rc",           # Release candidate, potential final version
+        "release",      # General release version
+        "stable"        # Stable version, thoroughly tested and stable
+      ].freeze.map(&:freeze), T::Array[String])
+
+      VERSION_PATTERN = T.let(Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?', String)
+      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
+
+      sig { override.params(version: VersionParameter).returns(T::Boolean) }
+      def self.correct?(version)
+        version = version.gsub(/^v/, "") if version.is_a?(String)
+
+        return false if version.nil?
+
+        version.to_s.match?(ANCHORED_VERSION_PATTERN)
+      end
+
+      sig { params(version: VersionParameter).returns(VersionParameter) }
+      def self.semver_for(version)
+        # The next two lines are to guard against improperly formatted
+        # versions in a lockfile, such as an empty string or additional
+        # characters. NPM/yarn fixes these when running an update, so we can
+        # safely ignore these versions.
+        return if version == ""
+        return unless correct?(version)
+
+        version
+      end
+
+      sig { override.params(version: VersionParameter).void }
+      def initialize(version)
+        version = clean_version(version)
+
+        @version_string = T.let(version.to_s, String)
+
+        @build_info = T.let(nil, T.nilable(String))
+
+        version, @build_info = version.to_s.split("+") if version.to_s.include?("+")
+
+        super(T.must(version))
+      end
+
+      sig { params(version: VersionParameter).returns(VersionParameter) }
+      def clean_version(version)
+        # Check if version is a string before attempting to match
+        if version.is_a?(String)
+          # Matches @ followed by x.y.z (digits separated by dots)
+          if (match = version.match(/@(\d+\.\d+\.\d+)/))
+            version = match[1] # Just "4.5.3"
+
+          # Extract version in case the output contains Corepack verbose data
+          elsif version.include?("Corepack")
+            version = T.must(T.must(version.tr("\n", " ").match(/(\d+\.\d+\.\d+)/))[-1])
+          end
+          version = version&.gsub(/^v/, "")
+        end
+
+        version
+      end
+
+      sig { override.params(version: VersionParameter).returns(Dependabot::Bun::Version) }
+      def self.new(version)
+        T.cast(super, Dependabot::Bun::Version)
+      end
+
+      sig { returns(Integer) }
+      def major
+        @major ||= T.let(segments[0].to_i, T.nilable(Integer))
+      end
+
+      sig { returns(Integer) }
+      def minor
+        @minor ||= T.let(segments[1].to_i, T.nilable(Integer))
+      end
+
+      sig { returns(Integer) }
+      def patch
+        @patch ||= T.let(segments[2].to_i, T.nilable(Integer))
+      end
+
+      sig { params(other: Dependabot::Bun::Version).returns(T::Boolean) }
+      def backwards_compatible_with?(other)
+        case major
+        when 0
+          self == other
+        else
+          major == other.major && minor >= other.minor
+        end
+      end
+
+      sig { override.returns(String) }
+      def to_s
+        @version_string
+      end
+
+      sig { override.returns(String) }
+      def inspect
+        "#<#{self.class} #{@version_string}>"
+      end
+    end
+  end
+end
+
+Dependabot::Utils
+  .register_version_class("bun", Dependabot::Bun::Version)

data/lib/dependabot/bun/version_selector.rb

@@ -0,0 +1,61 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/shared_helpers"
+require "dependabot/bun/constraint_helper"
+
+module Dependabot
+  module Bun
+    class VersionSelector
+      extend T::Sig
+      extend T::Helpers
+
+      # For limited testing, allowing only specific versions defined in engines in package.json
+      # such as "20.8.7", "8.1.2", "8.21.2",
+      NODE_ENGINE_SUPPORTED_REGEX = /^\d+(?:\.\d+)*$/
+
+      # Sets up engine versions from the given manifest JSON.
+      #
+      # @param manifest_json [Hash] The manifest JSON containing version information.
+      # @param name [String] The engine name to match.
+      # @return [Hash] A hash with selected versions, if found.
+      sig do
+        params(
+          manifest_json: T::Hash[String, T.untyped],
+          name: String,
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T::Hash[Symbol, T.untyped])
+      end
+      def setup(manifest_json, name, dependabot_versions = nil)
+        engine_versions = manifest_json["engines"]
+
+        # Return an empty hash if no engine versions are specified
+        return {} if engine_versions.nil?
+
+        versions = {}
+
+        if Dependabot::Experiments.enabled?(:enable_engine_version_detection)
+          engine_versions.each do |engine, value|
+            next unless engine.to_s.match(name)
+
+            versions[name] = ConstraintHelper.find_highest_version_from_constraint_expression(
+              value, dependabot_versions
+            )
+          end
+        else
+          versions = engine_versions.select do |engine, value|
+            engine.to_s.match(name) && valid_extracted_version?(value)
+          end
+        end
+
+        versions
+      end
+
+      sig { params(version: String).returns(T::Boolean) }
+      def valid_extracted_version?(version)
+        version.match?(NODE_ENGINE_SUPPORTED_REGEX)
+      end
+    end
+  end
+end

data/lib/dependabot/bun.rb

@@ -1,49 +1,351 @@
-# typed: strong
+# typed: strict
 # frozen_string_literal: true
 
-require "zeitwerk"
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/bun/file_fetcher"
+require "dependabot/bun/file_parser"
+require "dependabot/bun/update_checker"
+require "dependabot/bun/file_updater"
+require "dependabot/bun/metadata_finder"
+require "dependabot/bun/requirement"
+require "dependabot/bun/version"
 
-loader = Zeitwerk::Loader.new
+require "dependabot/pull_request_creator/labeler"
+Dependabot::PullRequestCreator::Labeler
+  .register_label_details("bun", name: "javascript", colour: "168700")
 
-# Set autoload paths for common/lib, excluding files whose content does not match the filename
-loader.push_dir(File.join(__dir__, "../../../common/lib"))
-loader.ignore(File.join(__dir__, "../../../common/lib/dependabot/errors.rb"))
-loader.ignore(File.join(__dir__, "../../../common/lib/dependabot/logger.rb"))
-loader.ignore(File.join(__dir__, "../../../common/lib/dependabot/notices.rb"))
-loader.ignore(File.join(__dir__, "../../../common/lib/dependabot/clients/codecommit.rb"))
+require "dependabot/dependency"
+Dependabot::Dependency.register_production_check(
+  "bun",
+  lambda do |groups|
+    return true if groups.empty?
+    return true if groups.include?("optionalDependencies")
 
-loader.push_dir(File.join(__dir__, ".."))
-loader.ignore("#{__dir__}/../script", "#{__dir__}/../spec", "#{__dir__}/../dependabot-bun.gemspec")
+    groups.include?("dependencies")
+  end
+)
 
-loader.on_load do |_file|
-  require "json"
-  require "sorbet-runtime"
-  require "dependabot/errors"
-  require "dependabot/logger"
-  require "dependabot/notices"
-  require "dependabot/clients/codecommit"
+## A type used for defining a proc that creates a new error object
+ErrorHandler = T.type_alias do
+  T.proc
+   .params(message: String, error: Dependabot::DependabotError, params: T::Hash[Symbol, T.untyped])
+   .returns(Dependabot::DependabotError)
 end
 
-loader.log! if ENV["DEBUG"]
-loader.setup
+module Dependabot
+  module Bun
+    NODE_VERSION_NOT_SATISFY_REGEX = /The current Node version (?<current_version>v?\d+\.\d+\.\d+) does not satisfy the required version (?<required_version>v?\d+\.\d+\.\d+)\./ # rubocop:disable Layout/LineLength
 
-Dependabot::PullRequestCreator::Labeler
-  .register_label_details("bun", name: "javascript", colour: "168700")
+    # Used to check if package manager registry is public npm registry
+    NPM_REGISTRY = "registry.npmjs.org"
 
-Dependabot::Dependency.register_production_check("bun", ->(_) { true })
+    # Used to check if url is http or https
+    HTTP_CHECK_REGEX = %r{https?://}
 
-module Dependabot
-  module Javascript
-    module Bun
-      ECOSYSTEM = "bun"
+    # Used to check capture url match in regex capture group
+    URL_CAPTURE = "url"
+
+    # When package name contains package.json name cannot contain characters like empty string or @.
+    INVALID_NAME_IN_PACKAGE_JSON = "Name contains illegal characters"
+
+    # Used to identify error messages indicating a package is missing, unreachable,
+    # or there are network issues (e.g., ENOBUFS, ETIMEDOUT, registry down).
+    PACKAGE_MISSING_REGEX = /(ENOBUFS|ETIMEDOUT|The registry may be down)/
+
+    # Used to check if error message contains timeout fetching package
+    TIMEOUT_FETCHING_PACKAGE_REGEX = %r{(?<url>.+)/(?<package>[^/]+): ETIMEDOUT}
+
+    ESOCKETTIMEDOUT = /(?<package>.*?): ESOCKETTIMEDOUT/
+
+    SOCKET_HANG_UP = /(?<url>.*?): socket hang up/
+
+    # Misc errors
+    EEXIST = /EEXIST: file already exists, mkdir '(?<regis>.*)'/
+
+    # registry access errors
+    REQUEST_ERROR_E403 = /Request "(?<url>.*)" returned a 403/ # Forbidden access to the URL.
+    AUTH_REQUIRED_ERROR = /(?<url>.*): authentication required/ # Authentication is required for the URL.
+    PERMISSION_DENIED = /(?<url>.*): Permission denied/ # Lack of permission to access the URL.
+    BAD_REQUEST = /(?<url>.*): bad_request/ # Inconsistent request while accessing resource.
+    INTERNAL_SERVER_ERROR = /Request failed "500 Internal Server Error"/ # Server error response by remote registry.
+
+    # Used to identify git unreachable error
+    UNREACHABLE_GIT_CHECK_REGEX = /ls-remote --tags --heads (?<url>.*)/
+
+    # Used to check if yarn workspace is enabled in non-private workspace
+    ONLY_PRIVATE_WORKSPACE_TEXT = "Workspaces can only be enabled in priva"
+
+    # Used to identify local path error in yarn when installing sub-dependency
+    SUB_DEP_LOCAL_PATH_TEXT = "refers to a non-existing file"
+
+    # Used to identify invalid package error when package is not found in registry
+    INVALID_PACKAGE_REGEX = /Can't add "[\w\-.]+": invalid/
+
+    # Used to identify error if package not found in registry
+    PACKAGE_NOT_FOUND = "Couldn't find package"
+    PACKAGE_NOT_FOUND_PACKAGE_NAME_REGEX = /package "(?<package_req>.*?)"/
+    PACKAGE_NOT_FOUND_PACKAGE_NAME_CAPTURE = "package_req"
+    PACKAGE_NOT_FOUND_PACKAGE_NAME_CAPTURE_SPLIT_REGEX = /(?<=\w)\@/
+
+    YARN_PACKAGE_NOT_FOUND_CODE = /npm package "(?<dep>.*)" does not exist under owner "(?<regis>.*)"/
+    YARN_PACKAGE_NOT_FOUND_CODE_1 = /Couldn't find package "[^@].*(?<dep>.*)" on the "(?<regis>.*)" registry./
+    YARN_PACKAGE_NOT_FOUND_CODE_2 = /Couldn't find package "[^@].*(?<dep>.*)" required by "(?<pkg>.*)" on the "(?<regis>.*)" registry./ # rubocop:disable Layout/LineLength
+
+    PACKAGE_NOT_FOUND2 = %r{/[^/]+: Not found}
+    PACKAGE_NOT_FOUND2_PACKAGE_NAME_REGEX = %r{/(?<package_name>[^/]+): Not found}
+    PACKAGE_NOT_FOUND2_PACKAGE_NAME_CAPTURE = "package_name"
+
+    # Used to identify error if package not found in registry
+    DEPENDENCY_VERSION_NOT_FOUND = "Couldn't find any versions"
+    DEPENDENCY_NOT_FOUND = ": Not found"
+    DEPENDENCY_MATCH_NOT_FOUND = "Couldn't find match for"
+
+    DEPENDENCY_NO_VERSION_FOUND = "Couldn't find any versions"
+
+    # Manifest not found
+    MANIFEST_NOT_FOUND = /Cannot read properties of undefined \(reading '(?<file>.*)'\)/
+
+    # Used to identify error if node_modules state file not resolved
+    NODE_MODULES_STATE_FILE_NOT_FOUND = "Couldn't find the node_modules state file"
+
+    # Used to find error message in yarn error output
+    YARN_USAGE_ERROR_TEXT = "Usage Error:"
+
+    # Used to identify error if tarball is not in network
+    TARBALL_IS_NOT_IN_NETWORK = "Tarball is not in network and can not be located in cache"
+
+    # Used to identify if authentication failure error
+    AUTHENTICATION_TOKEN_NOT_PROVIDED = "authentication token not provided"
+    AUTHENTICATION_IS_NOT_CONFIGURED = "No authentication configured for request"
+    AUTHENTICATION_HEADER_NOT_PROVIDED = "Unauthenticated: request did not include an Authorization header."
+
+    # Used to identify if error message is related to yarn workspaces
+    DEPENDENCY_FILE_NOT_RESOLVABLE = "conflicts with direct dependency"
+
+    ENV_VAR_NOT_RESOLVABLE = /Failed to replace env in config: \$\{(?<var>.*)\}/
+
+    OUT_OF_DISKSPACE = / Out of diskspace/
+
+    # registry returns malformed response
+    REGISTRY_NOT_REACHABLE = /Received malformed response from registry for "(?<ver>.*)". The registry may be down./
+
+    class Utils
+      extend T::Sig
+
+      sig { params(error_message: String).returns(T::Hash[Symbol, String]) }
+      def self.extract_node_versions(error_message)
+        match_data = error_message.match(NODE_VERSION_NOT_SATISFY_REGEX)
+        return {} unless match_data
+
+        {
+          current_version: match_data[:current_version],
+          required_version: match_data[:required_version]
+        }
+      end
+
+      sig { params(error_message: String).returns(String) }
+      def self.extract_var(error_message)
+        match_data = T.must(error_message.match(ENV_VAR_NOT_RESOLVABLE)).named_captures["var"]
+        return "" unless match_data
+
+        match_data
+      end
+
+      sig do
+        params(
+          error_message: String,
+          dependencies: T::Array[Dependabot::Dependency],
+          yarn_lock: Dependabot::DependencyFile
+        ).returns(String)
+      end
+      def self.sanitize_resolvability_message(error_message, dependencies, yarn_lock)
+        dependency_names = dependencies.map(&:name).join(", ")
+        "Error whilst updating #{dependency_names} in #{yarn_lock.path}:\n#{error_message}"
+      end
     end
+
+    # Group of patterns to validate error message and raise specific error
+    VALIDATION_GROUP_PATTERNS = T.let([
+      {
+        patterns: [INVALID_NAME_IN_PACKAGE_JSON],
+        handler: lambda { |message, _error, _params|
+          Dependabot::DependencyFileNotResolvable.new(message)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        # Check if sub dependency is using local path and raise a resolvability error
+        patterns: [INVALID_PACKAGE_REGEX, SUB_DEP_LOCAL_PATH_TEXT],
+        handler: lambda { |message, _error, params|
+          Dependabot::DependencyFileNotResolvable.new(
+            Utils.sanitize_resolvability_message(
+              message,
+              params[:dependencies],
+              params[:yarn_lock]
+            )
+          )
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [NODE_MODULES_STATE_FILE_NOT_FOUND],
+        handler: lambda { |message, _error, _params|
+          Dependabot::MisconfiguredTooling.new("Yarn", message)
+        },
+        in_usage: true,
+        matchfn: nil
+      },
+      {
+        patterns: [TARBALL_IS_NOT_IN_NETWORK],
+        handler: lambda { |message, _error, _params|
+          Dependabot::DependencyFileNotResolvable.new(message)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [NODE_VERSION_NOT_SATISFY_REGEX],
+        handler: lambda { |message, _error, _params|
+          versions = Utils.extract_node_versions(message)
+          current_version = versions[:current_version]
+          required_version = versions[:required_version]
+
+          return Dependabot::DependabotError.new(message) unless current_version && required_version
+
+          Dependabot::ToolVersionNotSupported.new("Yarn", current_version, required_version)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [AUTHENTICATION_TOKEN_NOT_PROVIDED, AUTHENTICATION_IS_NOT_CONFIGURED,
+                   AUTHENTICATION_HEADER_NOT_PROVIDED],
+        handler: lambda { |message, _error, _params|
+          Dependabot::PrivateSourceAuthenticationFailure.new(message)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [DEPENDENCY_FILE_NOT_RESOLVABLE],
+        handler: lambda { |message, _error, _params|
+          DependencyFileNotResolvable.new(message)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [ENV_VAR_NOT_RESOLVABLE],
+        handler: lambda { |message, _error, _params|
+          var = Utils.extract_var(message)
+
+          Dependabot::MissingEnvironmentVariable.new(var, message)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [ONLY_PRIVATE_WORKSPACE_TEXT],
+        handler: lambda { |message, _error, _params|
+          Dependabot::DependencyFileNotEvaluatable.new(message)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [UNREACHABLE_GIT_CHECK_REGEX],
+        handler: lambda { |message, _error, _params|
+          dependency_url = message.match(UNREACHABLE_GIT_CHECK_REGEX).named_captures.fetch(URL_CAPTURE)
+
+          Dependabot::GitDependenciesNotReachable.new(dependency_url)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [SOCKET_HANG_UP],
+        handler: lambda { |message, _error, _params|
+          url = message.match(SOCKET_HANG_UP).named_captures.fetch(URL_CAPTURE)
+
+          Dependabot::PrivateSourceTimedOut.new(url.gsub(HTTP_CHECK_REGEX, ""))
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [ESOCKETTIMEDOUT],
+        handler: lambda { |message, _error, _params|
+          package_req = message.match(ESOCKETTIMEDOUT).named_captures.fetch("package")
+
+          Dependabot::PrivateSourceTimedOut.new(package_req.gsub(HTTP_CHECK_REGEX, ""))
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [OUT_OF_DISKSPACE],
+        handler: lambda { |message, _error, _params|
+          Dependabot::OutOfDisk.new(message)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [YARN_PACKAGE_NOT_FOUND_CODE, YARN_PACKAGE_NOT_FOUND_CODE_1, YARN_PACKAGE_NOT_FOUND_CODE_2],
+        handler: lambda { |message, _error, _params|
+          msg = message.match(YARN_PACKAGE_NOT_FOUND_CODE) || message.match(YARN_PACKAGE_NOT_FOUND_CODE_1) ||
+          message.match(YARN_PACKAGE_NOT_FOUND_CODE_2)
+
+          Dependabot::DependencyFileNotResolvable.new(msg)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [REQUEST_ERROR_E403, AUTH_REQUIRED_ERROR, PERMISSION_DENIED, BAD_REQUEST],
+        handler: lambda { |message, _error, _params|
+          dependency_url = T.must(URI.decode_www_form_component(message).split("https://").last).split("/").first
+
+          Dependabot::PrivateSourceAuthenticationFailure.new(dependency_url)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [MANIFEST_NOT_FOUND],
+        handler: lambda { |message, _error, _params|
+          msg = message.match(MANIFEST_NOT_FOUND)
+          Dependabot::DependencyFileNotResolvable.new(msg)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [INTERNAL_SERVER_ERROR],
+        handler: lambda { |message, _error, _params|
+          msg = message.match(INTERNAL_SERVER_ERROR)
+          Dependabot::DependencyFileNotResolvable.new(msg)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [REGISTRY_NOT_REACHABLE],
+        handler: lambda { |message, _error, _params|
+          msg = message.match(REGISTRY_NOT_REACHABLE)
+          Dependabot::DependencyFileNotResolvable.new(msg)
+        },
+        in_usage: false,
+        matchfn: nil
+      }
+    ].freeze, T::Array[{
+      patterns: T::Array[T.any(String, Regexp)],
+      handler: ErrorHandler,
+      in_usage: T.nilable(T::Boolean),
+      matchfn: T.nilable(T.proc.params(usage: String, message: String).returns(T::Boolean))
+    }])
   end
 end
-
-Dependabot::FileFetchers.register("bun", Dependabot::Javascript::Bun::FileFetcher)
-Dependabot::FileParsers.register("bun", Dependabot::Javascript::Bun::FileParser)
-Dependabot::FileUpdaters.register("bun", Dependabot::Javascript::Bun::FileUpdater)
-Dependabot::UpdateCheckers.register("bun", Dependabot::Javascript::Bun::UpdateChecker)
-Dependabot::MetadataFinders.register("bun", Dependabot::Javascript::Shared::MetadataFinder)
-Dependabot::Utils.register_requirement_class("bun", Dependabot::Javascript::Bun::Requirement)
-Dependabot::Utils.register_version_class("bun", Dependabot::Javascript::Bun::Version)