RubyGems - dependabot-bun - Versions diffs - 0.296.2 → 0.296.3 - Mend

dependabot-bun 0.296.2 → 0.296.3

Files changed (144) hide show

data/lib/dependabot/javascript/shared/metadata_finder.rb DELETED Viewed

@@ -1,209 +0,0 @@
-# typed: true
-# frozen_string_literal: true
-require "excon"
-require "time"
-module Dependabot
-  module Javascript
-    module Shared
-      class MetadataFinder < Dependabot::MetadataFinders::Base
-        def homepage_url
-          # Attempt to use version_listing first, as fetching the entire listing
-          # array can be slow (if it's large)
-          return latest_version_listing["homepage"] if latest_version_listing["homepage"]
-          listing = all_version_listings.find { |_, l| l["homepage"] }
-          listing&.last&.fetch("homepage", nil) || super
-        end
-        def maintainer_changes
-          return unless npm_releaser
-          return unless npm_listing.dig("time", dependency.version)
-          return if previous_releasers.include?(npm_releaser)
-          "This version was pushed to npm by " \
-            "[#{npm_releaser}](https://www.npmjs.com/~#{npm_releaser}), a new " \
-            "releaser for #{dependency.name} since your current version."
-        end
-        private
-        def look_up_source
-          return find_source_from_registry if new_source.nil?
-          source_type = new_source[:type] || new_source.fetch("type")
-          case source_type
-          when "git" then find_source_from_git_url
-          when "registry" then find_source_from_registry
-          else raise "Unexpected source type: #{source_type}"
-          end
-        end
-        def npm_releaser
-          all_version_listings
-            .find { |v, _| v == dependency.version }
-            &.last&.fetch("_npmUser", nil)&.fetch("name", nil)
-        end
-        def previous_releasers
-          times = npm_listing.fetch("time")
-          cutoff =
-            if dependency.previous_version && times[dependency.previous_version]
-              Time.parse(times[dependency.previous_version])
-            elsif times[dependency.version]
-              Time.parse(times[dependency.version]) - 1
-            end
-          return unless cutoff
-          all_version_listings
-            .reject { |v, _| Time.parse(times[v]) > cutoff }
-            .filter_map { |_, d| d.fetch("_npmUser", nil)&.fetch("name", nil) }
-        end
-        def find_source_from_registry
-          # Attempt to use version_listing first, as fetching the entire listing
-          # array can be slow (if it's large)
-          potential_sources =
-            [
-              get_source(latest_version_listing["repository"]),
-              get_source(latest_version_listing["homepage"]),
-              get_source(latest_version_listing["bugs"])
-            ].compact
-          return potential_sources.first if potential_sources.any?
-          potential_sources =
-            all_version_listings.flat_map do |_, listing|
-              [
-                get_source(listing["repository"]),
-                get_source(listing["homepage"]),
-                get_source(listing["bugs"])
-              ]
-            end.compact
-          potential_sources.first
-        end
-        def new_source
-          sources = dependency.requirements
-                              .map { |r| r.fetch(:source) }.uniq.compact
-                              .sort_by do |source|
-                                UpdateChecker::RegistryFinder.central_registry?(source[:url]) ? 1 : 0
-                              end
-          sources.first
-        end
-        def get_source(details)
-          potential_url = get_url(details)
-          return unless potential_url
-          potential_source = Source.from_url(potential_url)
-          return unless potential_source
-          potential_source.directory = get_directory(details)
-          potential_source
-        end
-        def get_url(details)
-          url =
-            case details
-            when String then details
-            when Hash then details.fetch("url", nil)
-            end
-          return url unless url&.match?(%r{^[\w.-]+/[\w.-]+$})
-          "https://github.com/" + url
-        end
-        def get_directory(details)
-          # Only return a directory if it is explicitly specified
-          return unless details.is_a?(Hash)
-          details.fetch("directory", nil)
-        end
-        def find_source_from_git_url
-          url = new_source[:url] || new_source.fetch("url")
-          Source.from_url(url)
-        end
-        def latest_version_listing
-          return @latest_version_listing if defined?(@latest_version_listing)
-          response = Dependabot::RegistryClient.get(url: "#{dependency_url}/latest", headers: registry_auth_headers)
-          return @latest_version_listing = JSON.parse(response.body) if response.status == 200
-          @latest_version_listing = {}
-        rescue JSON::ParserError, Excon::Error::Timeout
-          @latest_version_listing = {}
-        end
-        def all_version_listings
-          return [] if npm_listing["versions"].nil?
-          npm_listing["versions"]
-            .reject { |_, details| details["deprecated"] }
-            .sort_by { |version, _| Version.new(version) }
-            .reverse
-        end
-        def npm_listing
-          return @npm_listing unless @npm_listing.nil?
-          response = Dependabot::RegistryClient.get(url: dependency_url, headers: registry_auth_headers)
-          return @npm_listing = {} if response.status >= 500
-          begin
-            @npm_listing = JSON.parse(response.body)
-          rescue JSON::ParserError
-            raise unless non_standard_registry?
-            @npm_listing = {}
-          end
-        rescue Excon::Error::Timeout
-          @npm_listing = {}
-        end
-        def dependency_url
-          registry_url =
-            if new_source.nil? then "https://registry.npmjs.org"
-            else
-              new_source.fetch(:url)
-            end
-          # NPM registries expect slashes to be escaped
-          escaped_dependency_name = dependency.name.gsub("/", "%2F")
-          "#{registry_url}/#{escaped_dependency_name}"
-        end
-        def registry_auth_headers
-          return {} unless auth_token
-          { "Authorization" => "Bearer #{auth_token}" }
-        end
-        def dependency_registry
-          if new_source.nil? then "registry.npmjs.org"
-          else
-            new_source.fetch(:url).gsub("https://", "").gsub("http://", "")
-          end
-        end
-        def auth_token
-          credentials
-            .select { |cred| cred["type"] == "npm_registry" }
-            .find { |cred| cred["registry"] == dependency_registry }
-            &.fetch("token", nil)
-        end
-        def non_standard_registry?
-          dependency_registry != "registry.npmjs.org"
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/javascript/shared/native_helpers.rb DELETED Viewed

@@ -1,21 +0,0 @@
-# typed: true
-# frozen_string_literal: true
-module Dependabot
-  module Javascript
-    module Shared
-      module NativeHelpers
-        def self.helper_path
-          "node #{File.join(native_helpers_root, 'run.js')}"
-        end
-        def self.native_helpers_root
-          helpers_root = ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", nil)
-          return File.join(helpers_root, "javascript", "shared") unless helpers_root.nil?
-          File.join(__dir__, "../../../helpers")
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/javascript/shared/package_manager_detector.rb DELETED Viewed

@@ -1,72 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-module Dependabot
-  module Javascript
-    module Shared
-      class PackageManagerDetector
-        extend T::Sig
-        extend T::Helpers
-        sig do
-          params(
-            lockfiles: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
-            package_json: T.nilable(T::Hash[String, T.untyped])
-          ).void
-        end
-        def initialize(lockfiles, package_json)
-          @lockfiles = lockfiles
-          @package_json = package_json
-          @manifest_package_manager = T.let(package_json&.fetch(MANIFEST_PACKAGE_MANAGER_KEY, nil), T.nilable(String))
-          @engines = T.let(package_json&.fetch(MANIFEST_ENGINES_KEY, {}), T::Hash[String, T.untyped])
-        end
-        # Returns npm, yarn, or pnpm based on the lockfiles, package.json, and engines
-        # Defaults to npm if no package manager is detected
-        sig { returns(String) }
-        def detect_package_manager
-          package_manager = name_from_lockfiles ||
-                            name_from_package_manager_attr ||
-                            name_from_engines
-          if package_manager
-            Dependabot.logger.info("Detected package manager: #{package_manager}")
-          else
-            package_manager = DEFAULT_PACKAGE_MANAGER
-            Dependabot.logger.info("Default package manager used: #{package_manager}")
-          end
-          package_manager
-        rescue StandardError => e
-          Dependabot.logger.error("Error detecting package manager: #{e.message}")
-          DEFAULT_PACKAGE_MANAGER
-        end
-        private
-        sig { returns(T.nilable(String)) }
-        def name_from_lockfiles
-          PACKAGE_MANAGER_CLASSES.keys.map(&:to_s).find { |manager_name| @lockfiles[manager_name.to_sym] }
-        end
-        sig { returns(T.nilable(String)) }
-        def name_from_package_manager_attr
-          return unless @manifest_package_manager
-          PACKAGE_MANAGER_CLASSES.keys.map(&:to_s).find do |manager_name|
-            @manifest_package_manager.start_with?("#{manager_name}@")
-          end
-        end
-        sig { returns(T.nilable(String)) }
-        def name_from_engines
-          return unless @engines.is_a?(Hash)
-          PACKAGE_MANAGER_CLASSES.each_key do |manager_name|
-            return manager_name if @engines[manager_name]
-          end
-          nil
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/javascript/shared/package_name.rb DELETED Viewed

@@ -1,118 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-module Dependabot
-  module Javascript
-    module Shared
-      class PackageName
-        extend T::Sig
-        # NPM package naming rules are defined by the following projects:
-        # - https://github.com/npm/npm-user-validate
-        # - https://github.com/npm/validate-npm-package-name
-        PACKAGE_NAME_REGEX = %r{
-          \A                                          # beginning of string
-          (?=.{1,214}\z)                              # enforce length (1 - 214)
-          (@(?<scope>                                 # capture 'scope' if present
-            [a-z0-9\-\_\.\!\~\*\'\(\)]+               # URL-safe characters in scope
-          )\/)?                                       # scope must be followed by slash
-          (?<name>                                    # capture package name
-            (?(<scope>)                               # if scope is present
-              [a-z0-9\-\_\.\!\~\*\'\(\)]+             # scoped names can start with any URL-safe character
-            |                                         # if no scope
-              [a-z0-9\-\!\~\*\'\(\)]                  # non-scoped names cannot start with . or _
-              [a-z0-9\-\_\.\!\~\*\'\(\)]*             # subsequent characters can be any URL-safe character
-            )
-          )
-          \z                                          # end of string
-        }xi # multi-line/case-insensitive
-        TYPES_PACKAGE_NAME_REGEX = %r{
-            \A                                          # beginning of string
-            @types\/                                    # starts with @types/
-            ((?<scope>.+)__)?                           # capture scope
-            (?<name>.+)                                 # capture name
-            \z                                          # end of string
-        }xi # multi-line/case-insensitive
-        class InvalidPackageName < StandardError; end
-        sig { params(string: String).void }
-        def initialize(string)
-          match = PACKAGE_NAME_REGEX.match(string.to_s)
-          raise InvalidPackageName unless match
-          @scope = T.let(match[:scope], T.nilable(String))
-          @name = T.let(match[:name], T.nilable(String))
-        end
-        sig { returns(String) }
-        def to_s
-          if scoped?
-            "@#{@scope}/#{@name}"
-          else
-            @name.to_s
-          end
-        end
-        sig { params(other: PackageName).returns(T::Boolean) }
-        def eql?(other)
-          self.class == other.class && to_s == other.to_s
-        end
-        sig { returns(Integer) }
-        def hash
-          to_s.downcase.hash
-        end
-        sig { params(other: PackageName).returns(T.nilable(Integer)) }
-        def <=>(other)
-          to_s.casecmp(other.to_s)
-        end
-        sig { returns(T.nilable(PackageName)) }
-        def library_name
-          return unless types_package?
-          return @library_name if defined?(@library_name)
-          lib_name =
-            begin
-              match = T.must(TYPES_PACKAGE_NAME_REGEX.match(to_s))
-              if match[:scope]
-                self.class.new("@#{match[:scope]}/#{match[:name]}")
-              else
-                self.class.new(match[:name].to_s)
-              end
-            end
-          @library_name ||= T.let(lib_name, T.nilable(PackageName))
-        end
-        sig { returns(T.nilable(PackageName)) }
-        def types_package_name
-          return if types_package?
-          @types_package_name ||= T.let(
-            if scoped?
-              self.class.new("@types/#{@scope}__#{@name}")
-            else
-              self.class.new("@types/#{@name}")
-            end, T.nilable(PackageName)
-          )
-        end
-        private
-        sig { returns(T::Boolean) }
-        def scoped?
-          !@scope.nil?
-        end
-        sig { returns(T.nilable(T::Boolean)) }
-        def types_package?
-          "types".casecmp?(@scope)
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/javascript/shared/registry_helper.rb DELETED Viewed

@@ -1,190 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-require "yaml"
-require "dependabot/dependency_file"
-require "sorbet-runtime"
-module Dependabot
-  module Javascript
-    module Shared
-      class RegistryHelper
-        extend T::Sig
-        # Keys for configurations
-        REGISTRY_KEY = "registry"
-        AUTH_KEY = "authToken"
-        # Yarn-specific keys
-        NPM_AUTH_TOKEN_KEY_FOR_YARN = "npmAuthToken"
-        NPM_SCOPE_KEY_FOR_YARN = "npmScopes"
-        NPM_REGISTER_KEY_FOR_YARN = "npmRegistryServer"
-        # Environment variable keys
-        COREPACK_NPM_REGISTRY_ENV = "COREPACK_NPM_REGISTRY"
-        COREPACK_NPM_TOKEN_ENV = "COREPACK_NPM_TOKEN"
-        sig do
-          params(
-            registry_config_files: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
-            credentials: T.nilable(T::Array[Dependabot::Credential])
-          ).void
-        end
-        def initialize(registry_config_files, credentials)
-          @registry_config_files = T.let(registry_config_files, T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)])
-          @credentials = T.let(credentials, T.nilable(T::Array[Dependabot::Credential]))
-        end
-        sig { returns(T::Hash[String, String]) }
-        def find_corepack_env_variables
-          registry_info = find_registry_and_token
-          env_variables = {}
-          env_variables[COREPACK_NPM_REGISTRY_ENV] = registry_info[:registry] if registry_info[:registry]
-          env_variables[COREPACK_NPM_TOKEN_ENV] = registry_info[:auth_token] if registry_info[:auth_token]
-          env_variables
-        end
-        private
-        sig { returns(T::Hash[Symbol, T.nilable(String)]) }
-        def find_registry_and_token
-          # Step 1: Check dependabot.yml configuration
-          dependabot_config = config_npm_registry_and_token
-          return dependabot_config if dependabot_config[:registry]
-          # Step 2: Check .npmrc
-          npmrc_config = @registry_config_files[:npmrc]
-          npmrc_result = parse_registry_from_npmrc_yarnrc(npmrc_config, "=", "npm")
-          return npmrc_result if npmrc_result[:registry]
-          # Step 3: Check .yarnrc
-          yarnrc_config = @registry_config_files[:yarnrc]
-          yarnrc_result = parse_registry_from_npmrc_yarnrc(yarnrc_config, " ", "npm")
-          return yarnrc_result if yarnrc_result[:registry]
-          # Step 4: Check yarnrc.yml
-          yarnrc_yml_config = @registry_config_files[:yarnrc_yml]
-          yarnrc_yml_result = parse_npm_from_yarnrc_yml(yarnrc_yml_config)
-          return yarnrc_yml_result if yarnrc_yml_result[:registry]
-          # Default values if no registry is found
-          {}
-        end
-        sig { returns(T::Hash[Symbol, T.nilable(String)]) }
-        def config_npm_registry_and_token
-          registries = {}
-          return registries unless @credentials&.any?
-          @credentials.each do |cred|
-            next unless cred["type"] == "npm_registry" # Skip if not an npm registry
-            next unless cred["replaces-base"] # Skip if not a reverse-proxy registry
-            # Set the registry if it's not already set
-            registries[:registry] ||= cred["registry"]
-            # Set the token if it's not already set
-            registries[:auth_token] ||= cred["token"]
-          end
-          registries
-        end
-        # Find registry and token in .npmrc or .yarnrc file
-        sig do
-          params(
-            file: T.nilable(Dependabot::DependencyFile),
-            separator: String
-          ).returns(T::Hash[Symbol, T.nilable(String)])
-        end
-        def parse_npm_from_npm_or_yarn_rc(file, separator = "=")
-          parse_registry_from_npmrc_yarnrc(file, separator, "npm")
-        end
-        # Find registry and token in .npmrc or .yarnrc file
-        sig do
-          params(
-            file: T.nilable(Dependabot::DependencyFile),
-            separator: String,
-            scope: T.nilable(String)
-          ).returns(T::Hash[Symbol, T.nilable(String)])
-        end
-        def parse_registry_from_npmrc_yarnrc(file, separator = "=", scope = nil)
-          content = file&.content
-          return { registry: nil, auth_token: nil } unless content
-          global_registry = T.let(nil, T.nilable(String))
-          scoped_registry = T.let(nil, T.nilable(String))
-          auth_token = T.let(nil, T.nilable(String))
-          content.split("\n").each do |line|
-            # Split using the provided separator
-            key, value = line.strip.split(separator, 2)
-            next unless key && value
-            # Remove surrounding quotes from keys and values
-            cleaned_key = key.strip.gsub(/\A["']|["']\z/, "")
-            cleaned_value = value.strip.gsub(/\A["']|["']\z/, "")
-            case cleaned_key
-            when "registry"
-              # Case 1: Found a global registry
-              global_registry = cleaned_value
-            when "_authToken"
-              # Case 2: Found an auth token
-              auth_token = cleaned_value
-            else
-              # Handle scoped registry if a scope is provided
-              scoped_registry = cleaned_value if scope && cleaned_key == "@#{scope}:registry"
-            end
-          end
-          # Determine the registry to return (global first, fallback to scoped)
-          registry = global_registry || scoped_registry
-          { registry: registry, auth_token: auth_token }
-        end
-        # rubocop:disable Metrics/PerceivedComplexity
-        sig { params(file: T.nilable(Dependabot::DependencyFile)).returns(T::Hash[Symbol, T.nilable(String)]) }
-        def parse_npm_from_yarnrc_yml(file)
-          content = file&.content
-          return { registry: nil, auth_token: nil } unless content
-          result = {}
-          yaml_data = safe_load_yaml(content)
-          # Step 1: Extract global registry and auth token
-          result[:registry] = yaml_data[NPM_REGISTER_KEY_FOR_YARN] if yaml_data.key?(NPM_REGISTER_KEY_FOR_YARN)
-          result[:auth_token] = yaml_data[NPM_AUTH_TOKEN_KEY_FOR_YARN] if yaml_data.key?(NPM_AUTH_TOKEN_KEY_FOR_YARN)
-          # Step 2: Fallback to any scoped registry and auth token if global is missing
-          if result[:registry].nil? && yaml_data.key?(NPM_SCOPE_KEY_FOR_YARN)
-            yaml_data[NPM_SCOPE_KEY_FOR_YARN].each do |_current_scope, config|
-              next unless config.is_a?(Hash)
-              result[:registry] ||= config[NPM_REGISTER_KEY_FOR_YARN]
-              result[:auth_token] ||= config[NPM_AUTH_TOKEN_KEY_FOR_YARN]
-            end
-          end
-          result
-        end
-        # rubocop:enable Metrics/PerceivedComplexity
-        # Safely loads the YAML content and logs any parsing errors
-        sig { params(content: String).returns(T::Hash[String, T.untyped]) }
-        def safe_load_yaml(content)
-          YAML.safe_load(content, permitted_classes: [Symbol, String]) || {}
-        rescue Psych::SyntaxError => e
-          # Log the error instead of raising it
-          Dependabot.logger.error("YAML parsing error: #{e.message}")
-          {}
-        end
-      end
-    end
-  end
-end