RubyGems - dependabot-bun - Versions diffs - 0.296.2 → 0.296.3 - Mend

dependabot-bun 0.296.2 → 0.296.3

Files changed (144) hide show

data/helpers/lib/yarn/lockfile-parser.js ADDED Viewed

@@ -0,0 +1,21 @@
+/* YARN.LOCK PARSER
+ *
+ * Inputs:
+ *  - directory containing a yarn.lock
+ *
+ * Outputs:
+ *  - JSON formatted yarn.lock
+ */
+const fs = require("fs");
+const path = require("path");
+const parseLockfile = require("@dependabot/yarn-lib/lib/lockfile/parse")
+  .default;
+async function parse(directory) {
+  const readFile = (fileName) =>
+    fs.readFileSync(path.join(directory, fileName)).toString();
+  const data = readFile("yarn.lock");
+  return parseLockfile(data).object;
+}
+module.exports = { parse };

data/helpers/lib/yarn/peer-dependency-checker.js ADDED Viewed

@@ -0,0 +1,132 @@
+/* PEER DEPENDENCY CHECKER
+ *
+ * Inputs:
+ *  - directory containing a package.json and a yarn.lock
+ *  - dependency name
+ *  - new dependency version
+ *  - requirements for this dependency
+ *
+ * Outputs:
+ *  - successful completion, or an error if there are peer dependency warnings
+ */
+const path = require("path");
+const { Add } = require("@dependabot/yarn-lib/lib/cli/commands/add");
+const Config = require("@dependabot/yarn-lib/lib/config").default;
+const { BufferReporter } = require("@dependabot/yarn-lib/lib/reporters");
+const Lockfile = require("@dependabot/yarn-lib/lib/lockfile").default;
+const { isString } = require("./helpers");
+const fetcher = require("@dependabot/yarn-lib/lib/package-fetcher.js");
+// Check peer dependencies without downloading node_modules or updating
+// package/lockfiles
+//
+// Logic copied from the import command
+class LightweightAdd extends Add {
+  async bailout() {
+    const manifests = await fetcher.fetch(
+      this.resolver.getManifests(),
+      this.config
+    );
+    this.resolver.updateManifests(manifests);
+    await this.linker.resolvePeerModules();
+    return true;
+  }
+}
+function devRequirement(requirements) {
+  const groups = requirements.groups;
+  return (
+    groups.indexOf("devDependencies") > -1 &&
+    groups.indexOf("dependencies") == -1
+  );
+}
+function optionalRequirement(requirements) {
+  const groups = requirements.groups;
+  return (
+    groups.indexOf("optionalDependencies") > -1 &&
+    groups.indexOf("dependencies") == -1
+  );
+}
+function installArgsWithVersion(depName, desiredVersion, requirements) {
+  const source =
+    "source" in requirements
+      ? requirements.source
+      : (requirements.find((req) => req.source) || {}).source;
+  const req =
+    "requirement" in requirements
+      ? requirements.requirement
+      : (requirements.find((req) => req.requirement) || {}).requirement;
+  if (source && source.type === "git") {
+    if (desiredVersion) {
+      return [`${depName}@${source.url}#${desiredVersion}`];
+    } else {
+      return [`${depName}@${source.url}`];
+    }
+  } else {
+    return [`${depName}@${desiredVersion || req}`];
+  }
+}
+async function checkPeerDependencies(
+  directory,
+  depName,
+  desiredVersion,
+  requirements
+) {
+  for (let req of requirements) {
+    await checkPeerDepsForReq(directory, depName, desiredVersion, req);
+  }
+}
+async function checkPeerDepsForReq(
+  directory,
+  depName,
+  desiredVersion,
+  requirement
+) {
+  const flags = {
+    ignoreScripts: true,
+    ignoreWorkspaceRootCheck: true,
+    ignoreEngines: true,
+    ignorePlatform: true,
+    dev: devRequirement(requirement),
+    optional: optionalRequirement(requirement),
+  };
+  const reporter = new BufferReporter();
+  const config = new Config(reporter);
+  await config.init({
+    cwd: path.join(directory, path.dirname(requirement.file)),
+    nonInteractive: true,
+    enableDefaultRc: true,
+    extraneousYarnrcFiles: [".yarnrc"],
+  });
+  const lockfile = await Lockfile.fromDirectory(directory, reporter);
+  // Returns dep name and version for yarn add, example: ["react@16.6.0"]
+  let args = installArgsWithVersion(depName, desiredVersion, requirement);
+  // Just as if we'd run `yarn add package@version`, but using our lightweight
+  // implementation of Add that doesn't actually download and install packages
+  const add = new LightweightAdd(args, flags, config, reporter, lockfile);
+  await add.init();
+  const eventBuffer = reporter.getBuffer();
+  const peerDependencyWarnings = eventBuffer
+    .map(({ data }) => data)
+    .filter((data) => {
+      // Guard against event.data sometimes being an object
+      return isString(data) && data.match(/(unmet|incorrect) peer dependency/);
+    });
+  if (peerDependencyWarnings.length) {
+    throw new Error(peerDependencyWarnings.join("\n"));
+  }
+}
+module.exports = { checkPeerDependencies };

data/helpers/lib/yarn/replace-lockfile-declaration.js ADDED Viewed

@@ -0,0 +1,57 @@
+const parse = require("@dependabot/yarn-lib/lib/lockfile/parse").default;
+const stringify = require("@dependabot/yarn-lib/lib/lockfile/stringify")
+  .default;
+// Get an array of a dependency's requested version ranges from a lockfile
+function getRequestedVersions(depName, lockfileJson) {
+  const requestedVersions = [];
+  // Matching dependency name and version requirements which could be a full url:
+  // dep@version, @private-dep@version, private-dep@https:://token@gh.com...#ref
+  const re = /^(.[^@]*)@(.*?)$/;
+  Object.entries(lockfileJson).forEach(([name, _]) => {
+    if (name.match(re)) {
+      const [_, packageName, requestedVersion] = name.match(re);
+      if (packageName === depName) {
+        requestedVersions.push(requestedVersion);
+      }
+    }
+  });
+  return requestedVersions;
+}
+module.exports = (
+  oldLockfileContent,
+  newLockfileContent,
+  depName,
+  newVersionRequirement,
+  existingVersionRequirement
+) => {
+  const oldJson = parse(oldLockfileContent).object;
+  const newJson = parse(newLockfileContent).object;
+  const enableLockfileVersions = Boolean(
+    oldLockfileContent.match(/^# yarn v/m)
+  );
+  const noHeader = !Boolean(oldLockfileContent.match(/^# THIS IS AN AU/m));
+  const oldPackageReqs = getRequestedVersions(depName, oldJson);
+  const newPackageReqs = getRequestedVersions(depName, newJson);
+  const reqToReplace = newPackageReqs.find((pattern) => {
+    return !oldPackageReqs.includes(pattern);
+  });
+  // If the new lockfile has entries that don't exist in the old lockfile,
+  // replace these version requirements with a range (will currently be an
+  // exact version because we tell yarn to install a specific version)
+  if (reqToReplace) {
+    newJson[
+      `${depName}@${newVersionRequirement || existingVersionRequirement}`
+    ] = newJson[`${depName}@${reqToReplace}`];
+    delete newJson[`${depName}@${reqToReplace}`];
+  }
+  return stringify(newJson, noHeader, enableLockfileVersions);
+};

data/helpers/lib/yarn/subdependency-updater.js ADDED Viewed

@@ -0,0 +1,83 @@
+const fs = require("fs");
+const os = require("os");
+const path = require("path");
+const Config = require("@dependabot/yarn-lib/lib/config").default;
+const { EventReporter } = require("@dependabot/yarn-lib/lib/reporters");
+const Lockfile = require("@dependabot/yarn-lib/lib/lockfile").default;
+const fixDuplicates = require("./fix-duplicates");
+const { LightweightInstall, LOCKFILE_ENTRY_REGEX } = require("./helpers");
+const { parse } = require("./lockfile-parser");
+const stringify =
+  require("@dependabot/yarn-lib/lib/lockfile/stringify").default;
+// Replace the version comments in the new lockfile with the ones from the old
+// lockfile. If they weren't present in the old lockfile, delete them.
+function recoverVersionComments(oldLockfile, newLockfile) {
+  const yarnRegex = /^# yarn v(\S+)\n/gm;
+  const nodeRegex = /^# node v(\S+)\n/gm;
+  const oldMatch = (regex) => [].concat(oldLockfile.match(regex))[0];
+  return newLockfile
+    .replace(yarnRegex, () => oldMatch(yarnRegex) || "")
+    .replace(nodeRegex, () => oldMatch(nodeRegex) || "");
+}
+async function updateDependencyFile(
+  directory,
+  lockfileName,
+  dependencies
+) {
+  const readFile = (fileName) =>
+    fs.readFileSync(path.join(directory, fileName)).toString();
+  const originalYarnLock = readFile(lockfileName);
+  const flags = {
+    ignoreScripts: true,
+    ignoreWorkspaceRootCheck: true,
+    ignoreEngines: true,
+  };
+  const reporter = new EventReporter();
+  const config = new Config(reporter);
+  await config.init({
+    cwd: directory,
+    nonInteractive: true,
+    enableDefaultRc: true,
+    extraneousYarnrcFiles: [".yarnrc"],
+  });
+  const noHeader = !Boolean(originalYarnLock.match(/^# THIS IS AN AU/m));
+  config.enableLockfileVersions = Boolean(originalYarnLock.match(/^# yarn v/m));
+  // SubDependencyVersionResolver relies on the install finding the latest
+  // version of a sub-dependency that's been removed from the lockfile
+  // YarnLockFileUpdater passes a specific version to be updated
+  const lockfileObject = await parse(directory);
+  for (const [entry, pkg] of Object.entries(lockfileObject)) {
+    const [_, depName] = entry.match(
+      LOCKFILE_ENTRY_REGEX
+    );
+    if (dependencies.some(dependency => dependency.name === depName)) {
+      delete lockfileObject[entry];
+    }
+  }
+  let newLockFileContent = await stringify(lockfileObject, noHeader, config.enableLockfileVersions);
+  for (const dependency of dependencies) {
+    newLockFileContent = fixDuplicates(newLockFileContent, dependency.name);
+  }
+  fs.writeFileSync(path.join(directory, lockfileName), newLockFileContent);
+  const lockfile = await Lockfile.fromDirectory(directory, reporter);
+  const install = new LightweightInstall(flags, config, reporter, lockfile);
+  await install.init();
+  const updatedYarnLock = readFile(lockfileName);
+  const updatedYarnLockWithVersion = recoverVersionComments(
+    originalYarnLock,
+    updatedYarnLock
+  );
+  return {
+    [lockfileName]: updatedYarnLockWithVersion,
+  };
+}
+module.exports = { updateDependencyFile };

data/helpers/lib/yarn/updater.js ADDED Viewed

@@ -0,0 +1,209 @@
+/* DEPENDENCY FILE UPDATER
+ *
+ * Inputs:
+ *  - directory containing a package.json and a yarn.lock
+ *  - dependency name
+ *  - new dependency version
+ *  - new requirements for this dependency
+ *
+ * Outputs:
+ *  - updated package.json and yarn.lock files
+ *
+ * Update the dependency to the version specified and rewrite the package.json
+ * and yarn.lock files.
+ */
+const fs = require("fs");
+const path = require("path");
+const { Add } = require("@dependabot/yarn-lib/lib/cli/commands/add");
+const { Install } = require("@dependabot/yarn-lib/lib/cli/commands/install");
+const {
+  cleanLockfile,
+} = require("@dependabot/yarn-lib/lib/cli/commands/upgrade");
+const Config = require("@dependabot/yarn-lib/lib/config").default;
+const { EventReporter } = require("@dependabot/yarn-lib/lib/reporters");
+const Lockfile = require("@dependabot/yarn-lib/lib/lockfile").default;
+const parse = require("@dependabot/yarn-lib/lib/lockfile/parse").default;
+const fixDuplicates = require("./fix-duplicates");
+const replaceDeclaration = require("./replace-lockfile-declaration");
+const { LightweightAdd, LightweightInstall } = require("./helpers");
+function flattenAllDependencies(manifest) {
+  return Object.assign(
+    {},
+    manifest.optionalDependencies,
+    manifest.peerDependencies,
+    manifest.devDependencies,
+    manifest.dependencies
+  );
+}
+// Replace the version comments in the new lockfile with the ones from the old
+// lockfile. If they weren't present in the old lockfile, delete them.
+function recoverVersionComments(oldLockfile, newLockfile) {
+  const yarnRegex = /^# yarn v(\S+)\n/gm;
+  const nodeRegex = /^# node v(\S+)\n/gm;
+  const oldMatch = (regex) => [].concat(oldLockfile.match(regex))[0];
+  return newLockfile
+    .replace(yarnRegex, (match) => oldMatch(yarnRegex) || "")
+    .replace(nodeRegex, (match) => oldMatch(nodeRegex) || "");
+}
+function devRequirement(requirements) {
+  const groups = requirements.groups;
+  return (
+    groups.indexOf("devDependencies") > -1 &&
+    groups.indexOf("dependencies") == -1
+  );
+}
+function optionalRequirement(requirements) {
+  const groups = requirements.groups;
+  return (
+    groups.indexOf("optionalDependencies") > -1 &&
+    groups.indexOf("dependencies") == -1
+  );
+}
+function installArgsWithVersion(
+  depName,
+  desiredVersion,
+  requirements,
+  existingVersionRequirement
+) {
+  const source = requirements.source;
+  if (source && source.type === "git") {
+    if (!existingVersionRequirement) {
+      existingVersionRequirement = source.url;
+    }
+    // Git is configured to auth over https while updating
+    existingVersionRequirement = existingVersionRequirement.replace(
+      /git\+ssh:\/\/git@(.*?)[:/]/,
+      "git+https://$1/"
+    );
+    // Keep any semver range that has already been updated in the package
+    // requirement when installing the new version
+    if (existingVersionRequirement.match(desiredVersion)) {
+      return [`${depName}@${existingVersionRequirement}`];
+    } else {
+      return [
+        `${depName}@${existingVersionRequirement.replace(
+          /#.*/,
+          ""
+        )}#${desiredVersion}`,
+      ];
+    }
+  } else {
+    return [`${depName}@${desiredVersion}`];
+  }
+}
+async function updateDependencyFiles(directory, dependencies) {
+  const readFile = (fileName) =>
+    fs.readFileSync(path.join(directory, fileName)).toString();
+  let updateRunResults = { "yarn.lock": readFile("yarn.lock") };
+  let requiredVersions = [];
+  for (let dep of dependencies) {
+    for (let reqs of dep.requirements) {
+      if (requiredVersions.indexOf(reqs.requirement) > -1) {
+          continue;
+      }
+      updateRunResults = Object.assign(
+        updateRunResults,
+        await updateDependencyFile(directory, dep.name, dep.version, reqs)
+      );
+      requiredVersions.push(reqs.requirement);
+    }
+  }
+  return updateRunResults;
+}
+async function updateDependencyFile(
+  directory,
+  depName,
+  desiredVersion,
+  requirements
+) {
+  const readFile = (fileName) =>
+    fs.readFileSync(path.join(directory, fileName)).toString();
+  const originalYarnLock = readFile("yarn.lock");
+  const originalPackageJson = readFile(requirements.file);
+  const flags = {
+    ignoreScripts: true,
+    ignoreWorkspaceRootCheck: true,
+    ignoreEngines: true,
+    ignorePlatform: true,
+    dev: devRequirement(requirements),
+    optional: optionalRequirement(requirements),
+  };
+  const reporter = new EventReporter();
+  const config = new Config(reporter);
+  await config.init({
+    cwd: path.join(directory, path.dirname(requirements.file)),
+    nonInteractive: true,
+    enableDefaultRc: true,
+    extraneousYarnrcFiles: [".yarnrc"],
+  });
+  config.enableLockfileVersions = Boolean(originalYarnLock.match(/^# yarn v/m));
+  const lockfile = await Lockfile.fromDirectory(directory, reporter);
+  // Just as if we'd run `yarn add package@version`, but using our lightweight
+  // implementation of Add that doesn't actually download and install packages
+  const manifest = await config.readRootManifest();
+  const existingVersionRequirement = flattenAllDependencies(manifest)[depName];
+  const args = installArgsWithVersion(
+    depName,
+    desiredVersion,
+    requirements,
+    existingVersionRequirement
+  );
+  const add = new LightweightAdd(args, flags, config, reporter, lockfile);
+  // Despite the innocent-sounding name, this actually does all the hard work
+  await add.init();
+  const dedupedYarnLock = fixDuplicates(readFile("yarn.lock"), depName);
+  const newVersionRequirement = requirements.requirement;
+  // Replace the version requirement in the lockfile (which will currently be an
+  // exact version, not a requirement range)
+  // If we don't have new requirement (e.g. git source) use the existing version
+  // requirement from the package manifest
+  const replacedDeclarationYarnLock = replaceDeclaration(
+    originalYarnLock,
+    dedupedYarnLock,
+    depName,
+    newVersionRequirement,
+    existingVersionRequirement
+  );
+  // Do a normal install to ensure the lockfile doesn't change when we do
+  fs.writeFileSync(
+    path.join(directory, "yarn.lock"),
+    replacedDeclarationYarnLock
+  );
+  fs.writeFileSync(
+    path.join(directory, requirements.file),
+    originalPackageJson
+  );
+  const lockfile2 = await Lockfile.fromDirectory(directory, reporter);
+  const install2 = new LightweightInstall(flags, config, reporter, lockfile2);
+  await install2.init();
+  let updatedYarnLock = readFile("yarn.lock");
+  updatedYarnLock = recoverVersionComments(originalYarnLock, updatedYarnLock);
+  return {
+    "yarn.lock": updatedYarnLock,
+  };
+}
+module.exports = { updateDependencyFiles };