RubyGems - dependabot-bun - Versions diffs - 0.296.2 → 0.296.3 - Mend

dependabot-bun 0.296.2 → 0.296.3

Files changed (144) hide show

data/lib/dependabot/javascript/shared/update_checker/registry_finder.rb DELETED Viewed

@@ -1,358 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-require "excon"
-module Dependabot
-  module Javascript
-    module Shared
-      module UpdateChecker
-        class RegistryFinder
-          extend T::Sig
-          CENTRAL_REGISTRIES = %w(
-            https://registry.npmjs.org
-            http://registry.npmjs.org
-            https://registry.yarnpkg.com
-            http://registry.yarnpkg.com
-          ).freeze
-          NPM_AUTH_TOKEN_REGEX = %r{//(?<registry>.*)/:_authToken=(?<token>.*)$}
-          NPM_GLOBAL_REGISTRY_REGEX = /^registry\s*=\s*['"]?(?<registry>.*?)['"]?$/
-          YARN_GLOBAL_REGISTRY_REGEX = /^(?:--)?registry\s+((['"](?<registry>.*)['"])|(?<registry>.*))/
-          NPM_SCOPED_REGISTRY_REGEX = /^(?<scope>@[^:]+)\s*:registry\s*=\s*['"]?(?<registry>.*?)['"]?$/
-          YARN_SCOPED_REGISTRY_REGEX = /['"](?<scope>@[^:]+):registry['"]\s((['"](?<registry>.*)['"])|(?<registry>.*))/
-          Registry = T.type_alias { String }
-          RegistrySyntax = T.type_alias { T.any(Regexp, String) }
-          sig do
-            params(
-              dependency: T.nilable(Dependency),
-              credentials: T::Array[Credential],
-              rc_file: T.nilable(DependencyFile)
-            ).void
-          end
-          def initialize(dependency:, credentials:, rc_file:)
-            @dependency = dependency
-            @credentials = credentials
-            @rc_file = rc_file
-            @npmrc_file = T.let(
-              rc_file&.name&.end_with?(".npmrc") ? rc_file : nil,
-              T.nilable(DependencyFile)
-            )
-          end
-          sig { returns(T.nilable(Registry)) }
-          def registry
-            @registry ||= T.let(
-              locked_registry || configured_registry || first_registry_with_dependency_details,
-              T.nilable(Registry)
-            )
-          end
-          sig { returns(T::Hash[String, String]) }
-          def auth_headers
-            auth_header_for(auth_token)
-          end
-          sig { returns(String) }
-          def dependency_url
-            "#{registry_url}/#{escaped_dependency_name}"
-          end
-          sig { params(version: Version).returns(String) }
-          def tarball_url(version)
-            version_without_build_metadata = version.to_s.gsub(/\+.*/, "")
-            # Dependency name needs to be unescaped since tarball URLs don't always work with escaped slashes
-            "#{registry_url}/#{dependency&.name}/-/#{scopeless_name}-#{version_without_build_metadata}.tgz"
-          end
-          sig { params(registry: String).returns(T::Boolean) }
-          def self.central_registry?(registry)
-            CENTRAL_REGISTRIES.any? do |r|
-              r.include?(registry)
-            end
-          end
-          sig { params(dependency_name: String).returns(T.nilable(String)) }
-          def registry_from_rc(dependency_name)
-            explicit_registry_from_rc(dependency_name) || global_registry
-          end
-          private
-          sig { returns(T.nilable(Dependency)) }
-          attr_reader :dependency
-          sig { returns(T::Array[Credential]) }
-          attr_reader :credentials
-          sig { returns(T.nilable(DependencyFile)) }
-          attr_reader :rc_file
-          sig { returns(T.nilable(DependencyFile)) }
-          attr_reader :npmrc_file
-          sig { params(dependency_name: T.nilable(String)).returns(T.nilable(String)) }
-          def explicit_registry_from_rc(dependency_name)
-            if dependency_name&.start_with?("@") && dependency_name.include?("/")
-              scope = dependency_name.split("/").first
-              scoped_registry(scope) || configured_global_registry
-            else
-              configured_global_registry
-            end
-          end
-          sig { returns(T.nilable(Registry)) }
-          def first_registry_with_dependency_details
-            @first_registry_with_dependency_details ||= T.let(
-              known_registries.find do |details|
-                url = "#{details['registry'].gsub(%r{/+$}, '')}/#{escaped_dependency_name}"
-                url = "https://#{url}" unless url.start_with?("http")
-                response = Dependabot::RegistryClient.get(
-                  url: url,
-                  headers: auth_header_for(details["token"])
-                )
-                response.status < 400 && JSON.parse(response.body)
-              rescue Excon::Error::Timeout,
-                     Excon::Error::Socket,
-                     JSON::ParserError
-                nil
-              rescue URI::InvalidURIError => e
-                raise DependencyFileNotResolvable, e.message
-              end&.fetch("registry"),
-              T.nilable(Registry)
-            )
-            @first_registry_with_dependency_details ||= global_registry.to_s.sub(%r{/+$}, "").sub(%r{^.*?//}, "")
-          end
-          sig { returns(T.nilable(String)) }
-          def registry_url
-            url =
-              if registry&.start_with?("http")
-                registry
-              else
-                protocol =
-                  if registry_source_url
-                    registry_source_url&.split("://")&.first
-                  else
-                    "https"
-                  end
-                "#{protocol}://#{registry}"
-              end
-            url&.gsub(%r{/+$}, "")
-          end
-          sig { params(token: T.nilable(String)).returns(T::Hash[String, String]) }
-          def auth_header_for(token)
-            return {} unless token
-            if token.include?(":")
-              encoded_token = Base64.encode64(token).delete("\n")
-              { "Authorization" => "Basic #{encoded_token}" }
-            elsif Base64.decode64(token).ascii_only? &&
-                  Base64.decode64(token).include?(":")
-              { "Authorization" => "Basic #{token.delete("\n")}" }
-            else
-              { "Authorization" => "Bearer #{token}" }
-            end
-          end
-          sig { returns(T.nilable(String)) }
-          def auth_token
-            known_registries
-              .find { |cred| cred["registry"] == registry }
-              &.fetch("token", nil)
-          end
-          sig { returns(T.nilable(Registry)) }
-          def locked_registry
-            return unless registry_source_url
-            lockfile_registry =
-              T.must(registry_source_url)
-               .gsub("https://", "")
-               .gsub("http://", "")
-            detailed_registry =
-              known_registries
-              .find { |h| h["registry"].include?(lockfile_registry) }
-              &.fetch("registry")
-            detailed_registry || lockfile_registry
-          end
-          sig { returns(T.nilable(String)) }
-          def configured_registry
-            configured_registry_url = explicit_registry_from_rc(dependency&.name)
-            return unless configured_registry_url
-            normalize_configured_registry(configured_registry_url)
-          end
-          sig { returns(T::Array[T::Hash[String, T.untyped]]) }
-          def known_registries
-            @known_registries ||= T.let(
-              begin
-                registries = []
-                registries += credentials
-                              .select { |cred| cred["type"] == "npm_registry" && cred["registry"] }
-                              .tap { |arr| arr.each { |c| c["token"] ||= nil } }
-                registries += npmrc_registries
-                unique_registries(registries)
-              end,
-              T.nilable(T::Array[T::Hash[String, T.untyped]])
-            )
-          end
-          sig { returns(T::Array[T::Hash[String, T.untyped]]) }
-          def npmrc_registries
-            return [] unless npmrc_file
-            registries = []
-            T.must(npmrc_file).content&.scan(NPM_AUTH_TOKEN_REGEX) do
-              next if Regexp.last_match&.[](:registry)&.include?("${")
-              registry = T.must(Regexp.last_match)[:registry]
-              token = T.must(Regexp.last_match)[:token]&.strip
-              registries << {
-                "type" => "npm_registry",
-                "registry" => registry&.gsub(/\s+/, "%20"),
-                "token" => token
-              }
-            end
-            registries += npmrc_global_registries
-          end
-          sig { params(registries: T::Array[T::Hash[String, T.untyped]]).returns(T::Array[T::Hash[String, T.untyped]]) }
-          def unique_registries(registries)
-            registries.uniq.reject do |registry|
-              next if registry["token"]
-              # Reject this entry if an identical one with a token exists
-              registries.any? do |r|
-                r["token"] && r["registry"] == registry["registry"]
-              end
-            end
-          end
-          sig { returns(T.nilable(String)) }
-          def global_registry
-            return @global_registry if defined? @global_registry
-            @global_registry ||= T.let(configured_global_registry || "https://registry.npmjs.org", T.nilable(String))
-          end
-          sig { returns(T.nilable(String)) }
-          def configured_global_registry
-            return @configured_global_registry if defined? @configured_global_registry
-            @configured_global_registry = T.let(
-              npmrc_file && npmrc_global_registries.first&.fetch("url"),
-              T.nilable(String)
-            )
-            return @configured_global_registry if @configured_global_registry
-            replaces_base = credentials.find { |cred| cred["type"] == "npm_registry" && cred.replaces_base? }
-            if replaces_base
-              registry = replaces_base["registry"]
-              registry = "https://#{registry}" unless registry&.start_with?("http")
-              return @configured_global_registry = registry
-            end
-            @configured_global_registry = nil
-          end
-          sig { returns(T::Array[T::Hash[String, T.nilable(String)]]) }
-          def npmrc_global_registries
-            return [] unless npmrc_file
-            global_rc_registries(T.must(npmrc_file), syntax: NPM_GLOBAL_REGISTRY_REGEX)
-          end
-          sig { params(scope: T.nilable(String)).returns(T.nilable(String)) }
-          def scoped_registry(scope)
-            scoped_rc_registry(npmrc_file, syntax: NPM_SCOPED_REGISTRY_REGEX, scope: scope)
-          end
-          sig do
-            params(file: DependencyFile, syntax: RegistrySyntax)
-              .returns(T::Array[T::Hash[String, T.nilable(String)]])
-          end
-          def global_rc_registries(file, syntax:)
-            registries = []
-            file.content&.scan(syntax) do
-              next if Regexp.last_match&.[](:registry)&.include?("${")
-              url = T.must(T.must(Regexp.last_match)[:registry]).strip
-              registry = normalize_configured_registry(url)
-              registries << {
-                "type" => "npm_registry",
-                "registry" => registry,
-                "url" => url,
-                "token" => nil
-              }
-            end
-            registries
-          end
-          sig do
-            params(file: T.nilable(DependencyFile), syntax: RegistrySyntax, scope: T.nilable(String))
-              .returns(T.nilable(String))
-          end
-          def scoped_rc_registry(file, syntax:, scope:)
-            file&.content.to_s.scan(syntax) do
-              next if Regexp.last_match&.[](:registry)&.include?("${") || Regexp.last_match&.[](:scope) != scope
-              return T.must(T.must(Regexp.last_match)[:registry]).strip
-            end
-            nil
-          end
-          # npm registries expect slashes to be escaped
-          sig { returns(T.nilable(String)) }
-          def escaped_dependency_name
-            return unless dependency
-            T.must(dependency).name.gsub("/", "%2F")
-          end
-          sig { returns(T.nilable(String)) }
-          def scopeless_name
-            return unless dependency
-            T.must(dependency).name.split("/").last
-          end
-          sig { returns(T.nilable(String)) }
-          def registry_source_url
-            return unless dependency
-            sources = T.must(dependency).requirements
-                       .map { |r| r.fetch(:source) }.uniq.compact
-                       .sort_by { |source| self.class.central_registry?(source[:url]) ? 1 : 0 }
-            sources.find { |s| s[:type] == "registry" }&.fetch(:url)
-          end
-          sig { params(url: String).returns(String) }
-          def normalize_configured_registry(url)
-            url.sub(%r{/+$}, "")
-               .sub(%r{^.*?//}, "")
-               .gsub(/\s+/, "%20")
-          end
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/javascript/shared/version.rb DELETED Viewed

@@ -1,133 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-# JavaScript pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
-# converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
-# alteration.
-#
-# See https://semver.org/ for details of node's version syntax.
-module Dependabot
-  module Javascript
-    module Shared
-      class Version < Dependabot::Version
-        extend T::Sig
-        sig { returns(T.nilable(String)) }
-        attr_reader :build_info
-        # These are possible npm versioning tags that can be used in place of a version.
-        # See https://docs.npmjs.com/cli/v10/commands/npm-dist-tag#purpose for more details.
-        VERSION_TAGS = T.let([
-          "alpha",        # Alpha version, early testing phase
-          "beta",         # Beta version, more stable than alpha
-          "canary",       # Canary version, often used for cutting-edge builds
-          "dev",          # Development version, ongoing development
-          "experimental", # Experimental version, unstable and new features
-          "latest",       # Latest stable version, used by npm to identify the current version of a package
-          "legacy",       # Legacy version, older version maintained for compatibility
-          "next",         # Next version, used by some projects to identify the upcoming version
-          "nightly",      # Nightly build, daily builds often including latest changes
-          "rc",           # Release candidate, potential final version
-          "release",      # General release version
-          "stable"        # Stable version, thoroughly tested and stable
-        ].freeze.map(&:freeze), T::Array[String])
-        VERSION_PATTERN = T.let(Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?', String)
-        ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
-        sig { override.params(version: VersionParameter).returns(T::Boolean) }
-        def self.correct?(version)
-          version = version.gsub(/^v/, "") if version.is_a?(String)
-          return false if version.nil?
-          version.to_s.match?(ANCHORED_VERSION_PATTERN)
-        end
-        sig { params(version: VersionParameter).returns(VersionParameter) }
-        def self.semver_for(version)
-          # The next two lines are to guard against improperly formatted
-          # versions in a lockfile, such as an empty string or additional
-          # characters. NPM/yarn fixes these when running an update, so we can
-          # safely ignore these versions.
-          return if version == ""
-          return unless correct?(version)
-          version
-        end
-        sig { override.params(version: VersionParameter).void }
-        def initialize(version)
-          version = clean_version(version)
-          @version_string = T.let(version.to_s, String)
-          @build_info = T.let(nil, T.nilable(String))
-          version, @build_info = version.to_s.split("+") if version.to_s.include?("+")
-          super(T.must(version))
-        end
-        sig { params(version: VersionParameter).returns(VersionParameter) }
-        def clean_version(version)
-          # Check if version is a string before attempting to match
-          if version.is_a?(String)
-            # Matches @ followed by x.y.z (digits separated by dots)
-            if (match = version.match(/@(\d+\.\d+\.\d+)/))
-              version = match[1] # Just "4.5.3"
-            # Extract version in case the output contains Corepack verbose data
-            elsif version.include?("Corepack")
-              version = T.must(T.must(version.tr("\n", " ").match(/(\d+\.\d+\.\d+)/))[-1])
-            end
-            version = version&.gsub(/^v/, "")
-          end
-          version
-        end
-        sig { override.params(version: VersionParameter).returns(Version) }
-        def self.new(version)
-          T.cast(super, Version)
-        end
-        sig { returns(Integer) }
-        def major
-          @major ||= T.let(segments[0].to_i, T.nilable(Integer))
-        end
-        sig { returns(Integer) }
-        def minor
-          @minor ||= T.let(segments[1].to_i, T.nilable(Integer))
-        end
-        sig { returns(Integer) }
-        def patch
-          @patch ||= T.let(segments[2].to_i, T.nilable(Integer))
-        end
-        sig { params(other: Version).returns(T::Boolean) }
-        def backwards_compatible_with?(other)
-          case major
-          when 0
-            self == other
-          else
-            major == other.major && minor >= other.minor
-          end
-        end
-        sig { override.returns(String) }
-        def to_s
-          @version_string
-        end
-        sig { override.returns(String) }
-        def inspect
-          "#<#{self.class} #{@version_string}>"
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/javascript/shared/version_selector.rb DELETED Viewed

@@ -1,60 +0,0 @@
-# typed: strict
-# frozen_string_literal: true
-module Dependabot
-  module Javascript
-    module Shared
-      class VersionSelector
-        extend T::Sig
-        extend T::Helpers
-        # For limited testing, allowing only specific versions defined in engines in package.json
-        # such as "20.8.7", "8.1.2", "8.21.2",
-        NODE_ENGINE_SUPPORTED_REGEX = /^\d+(?:\.\d+)*$/
-        # Sets up engine versions from the given manifest JSON.
-        #
-        # @param manifest_json [Hash] The manifest JSON containing version information.
-        # @param name [String] The engine name to match.
-        # @return [Hash] A hash with selected versions, if found.
-        sig do
-          params(
-            manifest_json: T::Hash[String, T.untyped],
-            name: String,
-            dependabot_versions: T.nilable(T::Array[Dependabot::Version])
-          )
-            .returns(T::Hash[Symbol, T.untyped])
-        end
-        def setup(manifest_json, name, dependabot_versions = nil)
-          engine_versions = manifest_json["engines"]
-          # Return an empty hash if no engine versions are specified
-          return {} if engine_versions.nil?
-          versions = {}
-          if Dependabot::Experiments.enabled?(:enable_engine_version_detection)
-            engine_versions.each do |engine, value|
-              next unless engine.to_s.match(name)
-              versions[name] = ConstraintHelper.find_highest_version_from_constraint_expression(
-                value, dependabot_versions
-              )
-            end
-          else
-            versions = engine_versions.select do |engine, value|
-              engine.to_s.match(name) && valid_extracted_version?(value)
-            end
-          end
-          versions
-        end
-        sig { params(version: String).returns(T::Boolean) }
-        def valid_extracted_version?(version)
-          version.match?(NODE_ENGINE_SUPPORTED_REGEX)
-        end
-      end
-    end
-  end
-end

data/lib/dependabot/javascript.rb DELETED Viewed

@@ -1,39 +0,0 @@
-# typed: strong
-# frozen_string_literal: true
-require "dependabot/bun"
-module Dependabot
-  module Javascript
-    DEFAULT_PACKAGE_MANAGER = "npm"
-    ERROR_MALFORMED_VERSION_NUMBER = "Malformed version number"
-    MANIFEST_ENGINES_KEY = "engines"
-    MANIFEST_FILENAME = "package.json"
-    MANIFEST_PACKAGE_MANAGER_KEY = "packageManager"
-    # Define a type alias for the expected class interface
-    JavascriptPackageManagerClassType = T.type_alias do
-      T.class_of(Bun::PackageManager)
-    end
-    PACKAGE_MANAGER_CLASSES = T.let({
-      Bun::PackageManager::NAME => Bun::PackageManager
-    }.freeze, T::Hash[String, JavascriptPackageManagerClassType])
-    PACKAGE_MANAGER_VERSION_REGEX = /
-      ^                        # Start of string
-      (?<major>\d+)            # Major version (required, numeric)
-      \.                       # Separator between major and minor versions
-      (?<minor>\d+)            # Minor version (required, numeric)
-      \.                       # Separator between minor and patch versions
-      (?<patch>\d+)            # Patch version (required, numeric)
-      (                        # Start pre-release section
-        -(?<pre_release>[a-zA-Z0-9.]+) # Pre-release label (optional, alphanumeric or dot-separated)
-      )?
-      (                        # Start build metadata section
-        \+(?<build>[a-zA-Z0-9.]+) # Build metadata (optional, alphanumeric or dot-separated)
-      )?
-      $                        # End of string
-    /x # Extended mode for readability
-  end
-end