dependabot-bun 0.296.2 → 0.296.3

data/lib/dependabot/javascript/bun/update_checker/version_resolver.rb

@@ -1,525 +0,0 @@
-# typed: true
-# frozen_string_literal: true
-
-module Dependabot
-  module Javascript
-    module Bun
-      class UpdateChecker
-        class VersionResolver # rubocop:disable Metrics/ClassLength
-          extend T::Sig
-
-          require_relative "latest_version_finder"
-
-          TIGHTLY_COUPLED_MONOREPOS = {
-            "vue" => %w(vue vue-template-compiler)
-          }.freeze
-
-          def initialize(dependency:, credentials:, dependency_files:,
-                         latest_allowable_version:, latest_version_finder:, repo_contents_path:, dependency_group: nil)
-            @dependency               = dependency
-            @credentials              = credentials
-            @dependency_files         = dependency_files
-            @latest_allowable_version = latest_allowable_version
-            @dependency_group = dependency_group
-
-            @latest_version_finder = {}
-            @latest_version_finder[dependency] = latest_version_finder
-            @repo_contents_path = repo_contents_path
-          end
-
-          def latest_resolvable_version
-            return latest_allowable_version if git_dependency?(dependency)
-            return if part_of_tightly_locked_monorepo?
-            return if types_update_available?
-            return if original_package_update_available?
-
-            return latest_allowable_version unless relevant_unmet_peer_dependencies.any?
-
-            satisfying_versions.first
-          end
-
-          def latest_version_resolvable_with_full_unlock?
-            return false if dependency_updates_from_full_unlock.nil?
-
-            true
-          end
-
-          def latest_resolvable_previous_version(updated_version)
-            resolve_latest_previous_version(dependency, updated_version)
-          end
-
-          # rubocop:disable Metrics/PerceivedComplexity
-          def dependency_updates_from_full_unlock
-            return if git_dependency?(dependency)
-            return updated_monorepo_dependencies if part_of_tightly_locked_monorepo?
-            return if newly_broken_peer_reqs_from_dep.any?
-            return if original_package_update_available?
-
-            updates = [{
-              dependency: dependency,
-              version: latest_allowable_version,
-              previous_version: latest_resolvable_previous_version(
-                latest_allowable_version
-              )
-            }]
-            newly_broken_peer_reqs_on_dep.each do |peer_req|
-              dep_name = peer_req.fetch(:requiring_dep_name)
-              dep = top_level_dependencies.find { |d| d.name == dep_name }
-
-              # Can't handle reqs from sub-deps or git source deps (yet)
-              return nil if dep.nil?
-              return nil if git_dependency?(dep)
-
-              updated_version =
-                latest_version_of_dep_with_satisfied_peer_reqs(dep)
-              return nil unless updated_version
-
-              updates << {
-                dependency: dep,
-                version: updated_version,
-                previous_version: resolve_latest_previous_version(
-                  dep, updated_version
-                )
-              }
-            end
-            updates += updated_types_dependencies if types_update_available?
-            updates.uniq
-          end
-          # rubocop:enable Metrics/PerceivedComplexity
-
-          private
-
-          sig { returns(Dependabot::Dependency) }
-          attr_reader :dependency
-          attr_reader :credentials
-          attr_reader :dependency_files
-          attr_reader :latest_allowable_version
-          attr_reader :repo_contents_path
-          attr_reader :dependency_group
-
-          def latest_version_finder(dep)
-            @latest_version_finder[dep] ||=
-              LatestVersionFinder.new(
-                dependency: dep,
-                credentials: credentials,
-                dependency_files: dependency_files,
-                ignored_versions: [],
-                security_advisories: []
-              )
-          end
-
-          # rubocop:disable Metrics/PerceivedComplexity
-          def resolve_latest_previous_version(dep, updated_version)
-            return dep.version if dep.version
-
-            @resolve_latest_previous_version ||= {}
-            @resolve_latest_previous_version[dep] ||= begin
-              relevant_versions = latest_version_finder(dependency)
-                                  .possible_previous_versions_with_details
-                                  .map(&:first)
-              reqs = dep.requirements.filter_map { |r| r[:requirement] }
-                        .map { |r| requirement_class.requirements_array(r) }
-
-              # Pick the lowest version from the max possible version from all
-              # requirements. This matches the logic when combining the same
-              # dependency in DependencySet from multiple manifest files where we
-              # pick the lowest version from the duplicates.
-              latest_previous_version = reqs.flat_map do |req|
-                relevant_versions.select do |version|
-                  req.any? { |r| r.satisfied_by?(version) }
-                end.max
-              end.min&.to_s
-
-              # Handle cases where the latest resolvable previous version is the
-              # latest version. This often happens if you don't have lockfiles and
-              # have requirements update strategy set to bump_versions, where an
-              # update might go from ^1.1.1 to ^1.1.2 (both resolve to 1.1.2).
-              if updated_version.to_s == latest_previous_version
-                nil
-              else
-                latest_previous_version
-              end
-            end
-          end
-          # rubocop:enable Metrics/PerceivedComplexity
-
-          def part_of_tightly_locked_monorepo?
-            monorepo_dep_names =
-              TIGHTLY_COUPLED_MONOREPOS.values
-                                       .find { |deps| deps.include?(dependency.name) }
-            return false unless monorepo_dep_names
-
-            deps_to_update =
-              top_level_dependencies
-              .select { |d| monorepo_dep_names.include?(d.name) }
-
-            deps_to_update.count > 1
-          end
-
-          def updated_monorepo_dependencies
-            monorepo_dep_names =
-              TIGHTLY_COUPLED_MONOREPOS.values
-                                       .find { |deps| deps.include?(dependency.name) }
-
-            deps_to_update =
-              top_level_dependencies
-              .select { |d| monorepo_dep_names.include?(d.name) }
-
-            updates = []
-            deps_to_update.each do |dep|
-              next if git_dependency?(dep)
-              next if dep.version &&
-                      version_class.new(dep.version) >= latest_allowable_version
-
-              updated_version =
-                latest_version_finder(dep)
-                .possible_versions
-                .find { |v| v == latest_allowable_version }
-              next unless updated_version
-
-              updates << {
-                dependency: dep,
-                version: updated_version,
-                previous_version: resolve_latest_previous_version(
-                  dep, updated_version
-                )
-              }
-            end
-
-            updates
-          end
-
-          def types_package
-            @types_package ||= begin
-              types_package_name = Dependabot::Javascript::Shared::PackageName.new(dependency.name).types_package_name
-              top_level_dependencies.find { |d| types_package_name.to_s == d.name } if types_package_name
-            end
-          end
-
-          def original_package
-            @original_package ||= begin
-              original_package_name = Dependabot::Javascript::Shared::PackageName.new(dependency.name).library_name
-              top_level_dependencies.find { |d| original_package_name.to_s == d.name } if original_package_name
-            end
-          end
-
-          def latest_types_package_version
-            @latest_types_package_version ||= latest_version_finder(types_package).latest_version_from_registry
-          end
-
-          def types_update_available?
-            return false if types_package.nil?
-
-            return false if latest_types_package_version.nil?
-
-            return false unless latest_allowable_version.backwards_compatible_with?(latest_types_package_version)
-
-            return false unless version_class.correct?(types_package.version)
-
-            current_types_package_version = version_class.new(types_package.version)
-
-            return false unless current_types_package_version < latest_types_package_version
-
-            true
-          end
-
-          def original_package_update_available?
-            return false if original_package.nil?
-
-            return false unless version_class.correct?(original_package.version)
-
-            original_package_version = version_class.new(original_package.version)
-
-            latest_version = latest_version_finder(original_package).latest_version_from_registry
-
-            # If the latest version is within the scope of the current requirements,
-            # latest_version will be nil. In such cases, there is no update available.
-            return false if latest_version.nil?
-
-            original_package_version < latest_version
-          end
-
-          def updated_types_dependencies
-            [{
-              dependency: types_package,
-              version: latest_types_package_version,
-              previous_version: resolve_latest_previous_version(
-                types_package, latest_types_package_version
-              )
-            }]
-          end
-
-          def peer_dependency_errors
-            return @peer_dependency_errors if @peer_dependency_errors_checked
-
-            @peer_dependency_errors_checked = true
-
-            @peer_dependency_errors =
-              fetch_peer_dependency_errors(version: latest_allowable_version)
-          end
-
-          def old_peer_dependency_errors
-            return @old_peer_dependency_errors if @old_peer_dependency_errors_checked
-
-            @old_peer_dependency_errors_checked = true
-
-            version = version_for_dependency(dependency)
-
-            @old_peer_dependency_errors =
-              fetch_peer_dependency_errors(version: version)
-          end
-
-          def fetch_peer_dependency_errors(version:)
-            # TODO: Add all of the error handling that the FileUpdater does
-            # here (since problematic repos will be resolved here before they're
-            # seen by the FileUpdater)
-            base_dir = dependency_files.first.directory
-            SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
-              dependency_files_builder.write_temporary_dependency_files
-
-              paths_requiring_update_check.flat_map do |path|
-                run_checker(path: path, version: version)
-              end.compact
-            end
-          rescue SharedHelpers::HelperSubprocessFailed
-            # Fall back to allowing the version through. Whatever error
-            # occurred should be properly handled by the FileUpdater. We
-            # can slowly migrate error handling to this class over time.
-            []
-          end
-
-          def unmet_peer_dependencies
-            peer_dependency_errors
-              .map { |captures| error_details_from_captures(captures) }
-          end
-
-          def old_unmet_peer_dependencies
-            old_peer_dependency_errors
-              .map { |captures| error_details_from_captures(captures) }
-          end
-
-          def error_details_from_captures(captures)
-            return {} unless captures.is_a?(Hash)
-
-            required_dep_captures  = captures.fetch("required_dep")
-            requiring_dep_captures = captures.fetch("requiring_dep")
-            return {} unless required_dep_captures && requiring_dep_captures
-
-            {
-              requirement_name: required_dep_captures.sub(/@[^@]+$/, ""),
-              requirement_version: required_dep_captures.split("@").last.delete('"'),
-              requiring_dep_name: requiring_dep_captures.sub(/@[^@]+$/, "")
-            }
-          end
-
-          def relevant_unmet_peer_dependencies
-            relevant_unmet_peer_dependencies =
-              unmet_peer_dependencies.select do |dep|
-                dep[:requirement_name] == dependency.name ||
-                  dep[:requiring_dep_name] == dependency.name
-              end
-
-            unless dependency_group.nil?
-              # Ignore unmet peer dependencies that are in the dependency group because
-              # the update is also updating those dependencies.
-              relevant_unmet_peer_dependencies.reject! do |dep|
-                dependency_group.dependencies.any? do |group_dep|
-                  dep[:requirement_name] == group_dep.name ||
-                    dep[:requiring_dep_name] == group_dep.name
-                end
-              end
-            end
-
-            return [] if relevant_unmet_peer_dependencies.empty?
-
-            # Prune out any pre-existing warnings
-            relevant_unmet_peer_dependencies.reject do |issue|
-              old_unmet_peer_dependencies.any? do |old_issue|
-                old_issue.slice(:requirement_name, :requiring_dep_name) ==
-                  issue.slice(:requirement_name, :requiring_dep_name)
-              end
-            end
-          end
-
-          # rubocop:disable Metrics/PerceivedComplexity
-          def satisfying_versions
-            latest_version_finder(dependency)
-              .possible_versions_with_details
-              .select do |version, details|
-                next false unless satisfies_peer_reqs_on_dep?(version)
-                next true unless details["peerDependencies"]
-                next true if version == version_for_dependency(dependency)
-
-                details["peerDependencies"].all? do |dep, req|
-                  dep = top_level_dependencies.find { |d| d.name == dep }
-                  next false unless dep
-                  next git_dependency?(dep) if req.include?("/")
-
-                  reqs = requirement_class.requirements_array(req)
-                  next false unless version_for_dependency(dep)
-
-                  reqs.any? { |r| r.satisfied_by?(version_for_dependency(dep)) }
-                rescue Gem::Requirement::BadRequirementError
-                  false
-                end
-              end
-              .map(&:first)
-          end
-
-          # rubocop:enable Metrics/PerceivedComplexity
-
-          def satisfies_peer_reqs_on_dep?(version)
-            newly_broken_peer_reqs_on_dep.all? do |peer_req|
-              req = peer_req.fetch(:requirement_version)
-
-              # Git requirements can't be satisfied by a version
-              next false if req.include?("/")
-
-              reqs = requirement_class.requirements_array(req)
-              reqs.any? { |r| r.satisfied_by?(version) }
-            rescue Gem::Requirement::BadRequirementError
-              false
-            end
-          end
-
-          def latest_version_of_dep_with_satisfied_peer_reqs(dep)
-            latest_version_finder(dep)
-              .possible_versions_with_details
-              .find do |version, details|
-                next false unless version > version_for_dependency(dep)
-                next true unless details["peerDependencies"]
-
-                details["peerDependencies"].all? do |peer_dep_name, req|
-                  # Can't handle multiple peer dependencies
-                  next false unless peer_dep_name == dependency.name
-                  next git_dependency?(dependency) if req.include?("/")
-
-                  reqs = requirement_class.requirements_array(req)
-
-                  reqs.any? { |r| r.satisfied_by?(latest_allowable_version) }
-                rescue Gem::Requirement::BadRequirementError
-                  false
-                end
-              end
-              &.first
-          end
-
-          def git_dependency?(dep)
-            # ignored_version/raise_on_ignored are irrelevant.
-            GitCommitChecker
-              .new(dependency: dep, credentials: credentials)
-              .git_dependency?
-          end
-
-          def newly_broken_peer_reqs_on_dep
-            relevant_unmet_peer_dependencies
-              .select { |dep| dep[:requirement_name] == dependency.name }
-          end
-
-          def newly_broken_peer_reqs_from_dep
-            relevant_unmet_peer_dependencies
-              .select { |dep| dep[:requiring_dep_name] == dependency.name }
-          end
-
-          def lockfiles_for_path(lockfiles:, path:)
-            lockfiles.select do |lockfile|
-              File.dirname(lockfile.name) == File.dirname(path)
-            end
-          end
-
-          def run_checker(path:, version:)
-            bun_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.bun_locks, path: path)
-            return run_bun_checker(path: path, version: version) if bun_lockfiles.any?
-
-            root_bun_lock = dependency_files_builder.root_bun_lock
-            run_bun_checker(path: path, version: version) if root_bun_lock
-          end
-
-          def run_bun_checker(path:, version:)
-            SharedHelpers.with_git_configured(credentials: credentials) do
-              Dir.chdir(path) do
-                Helpers.run_bun_command(
-                  "update #{dependency.name}@#{version} --save-text-lockfile",
-                  fingerprint: "update <dependency_name>@<version> --save-text-lockfile"
-                )
-              end
-            end
-          end
-
-          def version_install_arg(version:)
-            git_source = dependency.requirements.find { |req| req[:source] && req[:source][:type] == "git" }
-
-            if git_source
-              "#{dependency.name}@#{git_source[:source][:url]}##{version}"
-            else
-              "#{dependency.name}@#{version}"
-            end
-          end
-
-          def requirements_for_path(requirements, path)
-            return requirements if path.to_s == "."
-
-            requirements.filter_map do |r|
-              next unless r[:file].start_with?("#{path}/")
-
-              r.merge(file: r[:file].gsub(/^#{Regexp.quote("#{path}/")}/, ""))
-            end
-          end
-
-          # Top level dependencies are required in the peer dep checker
-          # to fetch the manifests for all top level deps which may contain
-          # "peerDependency" requirements
-          def top_level_dependencies
-            @top_level_dependencies ||= Bun::FileParser.new(
-              dependency_files: dependency_files,
-              source: nil,
-              credentials: credentials
-            ).parse.select(&:top_level?)
-          end
-
-          def paths_requiring_update_check
-            @paths_requiring_update_check ||=
-              Dependabot::Javascript::Shared::DependencyFilesFilterer.new(
-                dependency_files: dependency_files,
-                updated_dependencies: [dependency],
-                lockfile_parser_class: FileParser::LockfileParser
-              ).paths_requiring_update_check
-          end
-
-          def dependency_files_builder
-            @dependency_files_builder ||=
-              DependencyFilesBuilder.new(
-                dependency: dependency,
-                dependency_files: dependency_files,
-                credentials: credentials
-              )
-          end
-
-          def version_for_dependency(dep)
-            return version_class.new(dep.version) if dep.version && version_class.correct?(dep.version)
-
-            dep.requirements.filter_map { |r| r[:requirement] }
-               .reject { |req_string| req_string.start_with?("<") }
-               .select { |req_string| req_string.match?(version_regex) }
-               .map { |req_string| req_string.match(version_regex) }
-               .select { |version| version_class.correct?(version.to_s) }
-               .map { |version| version_class.new(version.to_s) }
-               .max
-          end
-
-          def version_class
-            dependency.version_class
-          end
-
-          def requirement_class
-            dependency.requirement_class
-          end
-
-          def version_regex
-            Dependabot::Javascript::Shared::Version::VERSION_PATTERN
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/javascript/bun/update_checker/vulnerability_auditor.rb

@@ -1,165 +0,0 @@
-# typed: true
-# frozen_string_literal: true
-
-require "stringio"
-
-module Dependabot
-  module Javascript
-    module Bun
-      class UpdateChecker
-        class VulnerabilityAuditor
-          def initialize(dependency_files:, credentials:)
-            @dependency_files = dependency_files
-            @credentials = credentials
-          end
-
-          # rubocop:disable Metrics/MethodLength
-          # Finds any dependencies in the `package-lock.json` or `npm-shrinkwrap.json` that have
-          # a subdependency on the given dependency that is locked to a vuln version range.
-          #
-          # NOTE: yarn is currently not supported.
-          #
-          # @param dependency [Dependabot::Dependency] the dependency to check
-          # @param security_advisories [Array<Dependabot::SecurityAdvisory>] advisories for the dependency
-          # @return [Hash<String, [String, Array<Hash<String, String>>]>] the audit results
-          #   * :dependency_name [String] the name of the dependency
-          #   * :fix_available [Boolean] whether a fix is available
-          #   * :current_version [String] the version of the dependency
-          #   * :target_version [String] the version of the dependency after the fix
-          #   * :fix_updates [Array<Hash<String, String>>] a list of dependencies to update in order to fix
-          #     * :dependency_name [String] the name of the blocking dependency
-          #     * :current_version [String] the current version of the blocking dependency
-          #     * :target_version [String] the target version of the blocking dependency
-          #     * :top_level_ancestors [Array<String>] the names of top-level dependencies with a transitive
-          #       dependency on the blocking dependency
-          #   * :top_level_ancestors [Array<String>] the names of all top-level dependencies with a transitive
-          #     dependency on the dependency
-          #   * :explanation [String] an explanation for why the project failed the vulnerability auditor run
-          def audit(dependency:, security_advisories:)
-            Dependabot.logger.info("VulnerabilityAuditor: starting audit")
-
-            fix_unavailable = {
-              "dependency_name" => dependency.name,
-              "fix_available" => false,
-              "fix_updates" => [],
-              "top_level_ancestors" => []
-            }
-
-            SharedHelpers.in_a_temporary_directory do
-              dependency_files_builder = DependencyFilesBuilder.new(
-                dependency: dependency,
-                dependency_files: dependency_files,
-                credentials: credentials
-              )
-              dependency_files_builder.write_temporary_dependency_files
-
-              # `npm-shrinkwrap.js`, if present, takes precedence over `package-lock.js`.
-              # Both files use the same format. See https://bit.ly/3lDIAJV for more.
-              lockfile = dependency_files_builder.lockfiles.first
-              unless lockfile
-                Dependabot.logger.info("VulnerabilityAuditor: missing lockfile")
-                return fix_unavailable
-              end
-
-              vuln_versions = security_advisories.map do |a|
-                {
-                  dependency_name: a.dependency_name,
-                  affected_versions: a.vulnerable_version_strings
-                }
-              end
-
-              audit_result = SharedHelpers.run_helper_subprocess(
-                command: Dependabot::Javascript::Shared::NativeHelpers.helper_path,
-                function: "npm:vulnerabilityAuditor",
-                args: [Dir.pwd, vuln_versions]
-              )
-
-              validation_result = validate_audit_result(audit_result, security_advisories)
-              if validation_result != :viable
-                Dependabot.logger.info("VulnerabilityAuditor: audit result not viable: #{validation_result}")
-                fix_unavailable["explanation"] = explain_fix_unavailable(validation_result, dependency)
-                return fix_unavailable
-              end
-
-              Dependabot.logger.info("VulnerabilityAuditor: audit result viable")
-              audit_result
-            end
-          rescue SharedHelpers::HelperSubprocessFailed => e
-            log_helper_subprocess_failure(dependency, e)
-            fix_unavailable
-          end
-          # rubocop:enable Metrics/MethodLength
-
-          private
-
-          attr_reader :dependency_files
-          attr_reader :credentials
-
-          def explain_fix_unavailable(validation_result, dependency)
-            case validation_result
-            when :fix_unavailable, :dependency_still_vulnerable, :downgrades_dependencies
-              "No patched version available for #{dependency.name}"
-            when :fix_incomplete
-              "The lockfile might be out of sync?"
-            end
-          end
-
-          def validate_audit_result(audit_result, security_advisories)
-            return :fix_unavailable unless audit_result["fix_available"]
-            return :dependency_still_vulnerable if dependency_still_vulnerable?(audit_result, security_advisories)
-            return :downgrades_dependencies if downgrades_dependencies?(audit_result)
-            return :fix_incomplete if fix_incomplete?(audit_result)
-
-            :viable
-          end
-
-          def dependency_still_vulnerable?(audit_result, security_advisories)
-            # vulnerable dependency is removed if the target version is nil
-            return false unless audit_result["target_version"]
-
-            version = Version.new(audit_result["target_version"])
-            security_advisories.any? { |a| a.vulnerable?(version) }
-          end
-
-          def downgrades_dependencies?(audit_result)
-            return true if downgrades_version?(audit_result["current_version"], audit_result["target_version"])
-
-            audit_result["fix_updates"].any? do |update|
-              downgrades_version?(update["current_version"], update["target_version"])
-            end
-          end
-
-          def downgrades_version?(current_version, target_version)
-            return false unless target_version
-
-            current = Version.new(current_version)
-            target = Version.new(target_version)
-            current > target
-          end
-
-          def fix_incomplete?(audit_result)
-            audit_result["fix_updates"].any? { |update| !update.key?("target_version") } ||
-              audit_result["fix_updates"].empty?
-          end
-
-          def log_helper_subprocess_failure(dependency, error)
-            # See `Dependabot::SharedHelpers.run_helper_subprocess` for details on error context
-            context = error.error_context || {}
-
-            builder = ::StringIO.new
-            builder << "VulnerabilityAuditor: "
-            builder << "#{context[:function]} " if context[:function]
-            builder << "failed"
-            builder << " after #{context[:time_taken].truncate(2)}s" if context[:time_taken]
-            builder << " while auditing #{dependency.name}: "
-            builder << error.message
-            builder << "\n" << context[:trace]
-
-            msg = builder.string
-            Dependabot.logger.info(msg) # TODO: is this the right log level?
-          end
-        end
-      end
-    end
-  end
-end