dependabot-bun 0.296.2 → 0.296.3

data/lib/dependabot/javascript/shared/file_parser.rb

@@ -1,454 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-
-# See https://docs.npmjs.com/files/package.json for package.json format docs.
-
-module Dependabot
-  module Javascript
-    module Shared
-      class FileParser < Dependabot::FileParsers::Base
-        extend T::Sig
-
-        abstract!
-
-        DEPENDENCY_TYPES = T.let(%w(dependencies devDependencies optionalDependencies).freeze, T::Array[String])
-        GIT_URL_REGEX = %r{
-          (?<git_prefix>^|^git.*?|^github:|^bitbucket:|^gitlab:|github\.com/)
-          (?<username>[a-z0-9-]+)/
-          (?<repo>[a-z0-9_.-]+)
-          (
-            (?:\#semver:(?<semver>.+))|
-            (?:\#(?=[\^~=<>*])(?<semver>.+))|
-            (?:\#(?<ref>.+))
-          )?$
-        }ix
-        RC_FILENAME = T.let(".npmrc", String)
-
-        sig do
-          params(
-            json: T::Hash[String, T.untyped],
-            _block: T.proc.params(arg0: String, arg1: String, arg2: String).void
-          )
-            .void
-        end
-        def self.each_dependency(json, &_block)
-          DEPENDENCY_TYPES.each do |type|
-            deps = json[type] || {}
-            deps.each do |name, requirement|
-              yield(name, requirement, type)
-            end
-          end
-        end
-
-        sig { override.returns(T::Array[Dependency]) }
-        def parse # rubocop:disable Metrics/PerceivedComplexity
-          dependency_set = DependencySet.new
-          dependency_set += manifest_dependencies
-          dependency_set += lockfile_dependencies
-          dependency_set += workspace_catalog_dependencies if pnpm_workspace_yml
-
-          dependencies = self.class.dependencies_with_all_versions_metadata(dependency_set)
-
-          dependencies.reject do |dep|
-            reqs = dep.requirements
-
-            # Ignore dependencies defined in support files, since we don't want PRs for those
-            support_reqs = reqs.select { |r| support_package_files.any? { |f| f.name == r[:file] } }
-            next true if support_reqs.any?
-
-            # TODO: Currently, Dependabot can't handle dependencies that have both
-            # a git source *and* a non-git source. Fix that!
-            git_reqs = reqs.select { |r| r.dig(:source, :type) == "git" }
-            next false if git_reqs.none?
-            next true if git_reqs.map { |r| r.fetch(:source) }.uniq.count > 1
-
-            dep.requirements.any? { |r| r.dig(:source, :type) != "git" }
-          end
-        end
-
-        sig { abstract.returns(Ecosystem) }
-        def ecosystem; end
-
-        sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).returns(T::Array[Dependency]) }
-        def self.dependencies_with_all_versions_metadata(dependency_set)
-          dependency_set.dependencies.map do |dependency|
-            dependency.metadata[:all_versions] = dependency_set.all_versions_for_name(dependency.name)
-            dependency
-          end
-        end
-
-        private
-
-        sig { abstract.returns(T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]) }
-        def lockfiles; end
-
-        sig { abstract.returns(T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]) }
-        def registry_config_files; end
-
-        sig { returns(T.untyped) }
-        def parsed_package_json
-          JSON.parse(T.must(package_json.content))
-        rescue JSON::ParserError
-          raise Dependabot::DependencyFileNotParseable, package_json.path
-        end
-
-        sig { returns(Dependabot::DependencyFile) }
-        def package_json
-          # Declare the instance variable with T.let and the correct type
-          @package_json ||= T.let(
-            T.must(dependency_files.find { |f| f.name == MANIFEST_FILENAME }),
-            T.nilable(Dependabot::DependencyFile)
-          )
-        end
-
-        sig { returns(T.nilable(Dependabot::DependencyFile)) }
-        def npmrc
-          @npmrc ||= T.let(dependency_files.find do |f|
-            f.name.end_with?(RC_FILENAME)
-          end, T.nilable(Dependabot::DependencyFile))
-        end
-
-        sig { returns(T.nilable(Dependabot::DependencyFile)) }
-        def pnpm_workspace_yml
-          nil
-        end
-
-        sig { returns(Dependabot::FileParsers::Base::DependencySet) }
-        def manifest_dependencies
-          dependency_set = DependencySet.new
-
-          package_files.each do |file|
-            json = JSON.parse(T.must(file.content))
-
-            # TODO: Currently, Dependabot can't handle flat dependency files
-            # (and will error at the FileUpdater stage, because the
-            # UpdateChecker doesn't take account of flat resolution).
-            next if json["flat"]
-
-            self.class.each_dependency(json) do |name, requirement, type|
-              next unless requirement.is_a?(String)
-
-              # Skip dependencies using Yarn workspace cross-references as requirements
-              next if requirement.start_with?("workspace:", "catalog:")
-
-              requirement = "*" if requirement == ""
-              dep = build_dependency(
-                file: file, type: type, name: name, requirement: requirement
-              )
-              dependency_set << dep if dep
-            end
-          end
-
-          dependency_set
-        end
-
-        sig { returns(Dependabot::FileParsers::Base::DependencySet) }
-        def workspace_catalog_dependencies
-          dependency_set = DependencySet.new
-          workspace_config = YAML.safe_load(T.must(pnpm_workspace_yml&.content), aliases: true)
-
-          workspace_config["catalog"]&.each do |name, version|
-            dep = build_dependency(
-              file: T.must(pnpm_workspace_yml), type: "dependencies", name: name, requirement: version
-            )
-            dependency_set << dep if dep
-          end
-
-          workspace_config["catalogs"]&.each do |_, group_depenencies|
-            group_depenencies.each do |name, version|
-              dep = build_dependency(
-                file: T.must(pnpm_workspace_yml), type: "dependencies", name: name, requirement: version
-              )
-              dependency_set << dep if dep
-            end
-          end
-
-          dependency_set
-        end
-
-        sig { abstract.returns(FileParser::LockfileParser) }
-        def lockfile_parser; end
-
-        sig { returns(Dependabot::FileParsers::Base::DependencySet) }
-        def lockfile_dependencies
-          lockfile_parser.parse_set
-        end
-
-        sig do
-          params(file: DependencyFile, type: T.untyped, name: String, requirement: String)
-            .returns(T.nilable(Dependency))
-        end
-        def build_dependency(file:, type:, name:, requirement:)
-          lockfile_details = lockfile_parser.lockfile_details(
-            dependency_name: name,
-            requirement: requirement,
-            manifest_name: file.name
-          )
-          version = version_for(requirement, lockfile_details)
-          converted_version = T.let(if version.nil?
-                                      nil
-                                    elsif version.is_a?(String)
-                                      version
-                                    else
-                                      Dependabot::Version.new(version)
-                                    end, T.nilable(T.any(String, Dependabot::Version)))
-
-          return if lockfile_details && !version
-          return if ignore_requirement?(requirement)
-          return if workspace_package_names.include?(name)
-
-          # TODO: Handle aliased packages:
-          # https://github.com/dependabot/dependabot-core/pull/1115
-          #
-          # Ignore dependencies with an alias in the name
-          # Example: "my-fetch-factory@npm:fetch-factory"
-          return if aliased_package_name?(name)
-
-          Dependency.new(
-            name: name,
-            version: converted_version,
-            package_manager: ecosystem.name,
-            requirements: [{
-              requirement: requirement_for(requirement),
-              file: file.name,
-              groups: [type],
-              source: source_for(name, requirement, lockfile_details)
-            }]
-          )
-        end
-
-        sig { override.void }
-        def check_required_files
-          return if get_original_file(MANIFEST_FILENAME)
-
-          raise DependencyFileNotFound.new(nil,
-                                           "#{MANIFEST_FILENAME} not found.")
-        end
-
-        sig { params(requirement: String).returns(T::Boolean) }
-        def ignore_requirement?(requirement)
-          return true if local_path?(requirement)
-          return true if non_git_url?(requirement)
-
-          # TODO: Handle aliased packages:
-          # https://github.com/dependabot/dependabot-core/pull/1115
-          alias_package?(requirement)
-        end
-
-        sig { params(requirement: String).returns(T::Boolean) }
-        def local_path?(requirement)
-          requirement.start_with?("link:", "file:", "/", "./", "../", "~/")
-        end
-
-        sig { params(requirement: String).returns(T::Boolean) }
-        def alias_package?(requirement)
-          requirement.start_with?("npm:")
-        end
-
-        sig { params(requirement: String).returns(T::Boolean) }
-        def non_git_url?(requirement)
-          requirement.include?("://") && !git_url?(requirement)
-        end
-
-        sig { params(requirement: String).returns(T::Boolean) }
-        def git_url?(requirement)
-          requirement.match?(GIT_URL_REGEX)
-        end
-
-        sig { params(requirement: String).returns(T::Boolean) }
-        def git_url_with_semver?(requirement)
-          return false unless git_url?(requirement)
-
-          !T.must(requirement.match(GIT_URL_REGEX)).named_captures.fetch("semver").nil?
-        end
-
-        sig { params(name: String).returns(T::Boolean) }
-        def aliased_package_name?(name)
-          name.include?("@npm:")
-        end
-
-        sig { returns(T::Array[String]) }
-        def workspace_package_names
-          @workspace_package_names ||= T.let(package_files.filter_map do |f|
-            JSON.parse(T.must(f.content))["name"]
-          end, T.nilable(T::Array[String]))
-        end
-
-        sig do
-          params(requirement: String, lockfile_details: T.nilable(T::Hash[String, T.untyped]))
-            .returns(T.nilable(T.any(String, Integer, Gem::Version)))
-        end
-        def version_for(requirement, lockfile_details)
-          if git_url_with_semver?(requirement)
-            semver_version = lockfile_version_for(lockfile_details)
-            return semver_version if semver_version
-
-            git_revision = git_revision_for(lockfile_details)
-            version_from_git_revision(requirement, git_revision) || git_revision
-          elsif git_url?(requirement)
-            git_revision_for(lockfile_details)
-          elsif lockfile_details
-            lockfile_version_for(lockfile_details)
-          else
-            exact_version = exact_version_for(requirement)
-            return unless exact_version
-
-            semver_version_for(exact_version)
-          end
-        end
-
-        sig { params(lockfile_details: T.nilable(T::Hash[String, T.untyped])).returns(T.nilable(String)) }
-        def git_revision_for(lockfile_details)
-          version = T.cast(lockfile_details&.fetch("version", nil), T.nilable(String))
-          resolved = T.cast(lockfile_details&.fetch("resolved", nil), T.nilable(String))
-          [
-            version&.split("#")&.last,
-            resolved&.split("#")&.last,
-            resolved&.split("/")&.last
-          ].find { |str| commit_sha?(str) }
-        end
-
-        sig { params(string: T.nilable(String)).returns(T::Boolean) }
-        def commit_sha?(string)
-          return false unless string.is_a?(String)
-
-          string.match?(/^[0-9a-f]{40}$/)
-        end
-
-        sig { params(requirement: String, git_revision: T.nilable(String)).returns(T.nilable(String)) }
-        def version_from_git_revision(requirement, git_revision)
-          tags =
-            Dependabot::GitMetadataFetcher.new(
-              url: git_source_for(requirement).fetch(:url),
-              credentials: credentials
-            ).tags
-                                          .select { |t| [t.commit_sha, t.tag_sha].include?(git_revision) }
-
-          tags.each do |t|
-            next unless t.name.match?(Dependabot::GitCommitChecker::VERSION_REGEX)
-
-            version = T.must(t.name.match(Dependabot::GitCommitChecker::VERSION_REGEX))
-                       .named_captures.fetch("version")
-            next unless version_class.correct?(version)
-
-            return version
-          end
-
-          nil
-        rescue Dependabot::GitDependenciesNotReachable
-          nil
-        end
-
-        sig do
-          params(lockfile_details: T.nilable(T::Hash[String, T.untyped]))
-            .returns(T.nilable(T.any(String, Integer, Gem::Version)))
-        end
-        def lockfile_version_for(lockfile_details)
-          semver_version_for(lockfile_details&.fetch("version", ""))
-        end
-
-        sig { params(version: T.nilable(String)).returns(T.nilable(T.any(String, Integer, Gem::Version))) }
-        def semver_version_for(version)
-          version_class.semver_for(version)
-        end
-
-        sig { params(requirement: String).returns(T.nilable(String)) }
-        def exact_version_for(requirement)
-          req = requirement_class.new([requirement])
-          return unless req.exact?
-
-          req.requirements.first.last.to_s
-        rescue Gem::Requirement::BadRequirementError
-          # If it doesn't parse, it's definitely not exact
-        end
-
-        sig do
-          params(name: String, requirement: String, lockfile_details: T.nilable(T::Hash[String, T.untyped]))
-            .returns(T.nilable(T::Hash[Symbol, T.untyped]))
-        end
-        def source_for(name, requirement, lockfile_details)
-          return git_source_for(requirement) if git_url?(requirement)
-
-          resolved_url = lockfile_details&.fetch("resolved", nil)
-
-          resolution = lockfile_details&.fetch("resolution", nil)
-          package_match = resolution&.match(/__archiveUrl=(?<package_url>.+)/)
-          resolved_url = CGI.unescape(package_match.named_captures.fetch("package_url", "")) if package_match
-
-          return unless resolved_url
-          return unless resolved_url.start_with?("http")
-          return if resolved_url.match?(/(?<!pkg\.)github/)
-
-          RegistryParser.new(
-            resolved_url: resolved_url,
-            credentials: credentials
-          ).registry_source_for(name)
-        end
-
-        sig { params(requirement: String).returns(T.nilable(String)) }
-        def requirement_for(requirement)
-          return requirement unless git_url?(requirement)
-
-          details = T.must(requirement.match(GIT_URL_REGEX)).named_captures
-          details["semver"]
-        end
-
-        sig { params(requirement: String).returns(T::Hash[Symbol, T.untyped]) }
-        def git_source_for(requirement)
-          details = T.must(requirement.match(GIT_URL_REGEX)).named_captures
-          prefix = T.must(details.fetch("git_prefix"))
-
-          host = if prefix.include?("git@") || prefix.include?("://")
-                   T.must(prefix.split("git@").last)
-                    .sub(%r{.*?://}, "")
-                    .sub(%r{[:/]$}, "")
-                    .split("#").first
-                 elsif prefix.include?("bitbucket") then "bitbucket.org"
-                 elsif prefix.include?("gitlab") then "gitlab.com"
-                 else
-                   "github.com"
-                 end
-
-          {
-            type: "git",
-            url: "https://#{host}/#{details['username']}/#{details['repo']}",
-            branch: nil,
-            ref: details["ref"] || "master"
-          }
-        end
-
-        sig { returns(T::Array[Dependabot::DependencyFile]) }
-        def support_package_files
-          @support_package_files ||= T.let(sub_package_files.select(&:support_file?),
-                                           T.nilable(T::Array[DependencyFile]))
-        end
-
-        sig { returns(T::Array[Dependabot::DependencyFile]) }
-        def sub_package_files
-          return T.must(@sub_package_files) if defined?(@sub_package_files)
-
-          files = dependency_files.select { |f| f.name.end_with?(MANIFEST_FILENAME) }
-                                  .reject { |f| f.name == MANIFEST_FILENAME }
-                                  .reject { |f| f.name.include?("node_modules/") }
-          @sub_package_files ||= T.let(files, T.nilable(T::Array[Dependabot::DependencyFile]))
-        end
-
-        sig { returns(T::Array[DependencyFile]) }
-        def package_files
-          @package_files ||= T.let(
-            [
-              dependency_files.find { |f| f.name == MANIFEST_FILENAME },
-              *sub_package_files
-            ].compact, T.nilable(T::Array[DependencyFile])
-          )
-        end
-
-        sig { abstract.returns(T.class_of(Version)) }
-        def version_class; end
-
-        sig { abstract.returns(T.class_of(Requirement)) }
-        def requirement_class; end
-      end
-    end
-  end
-end