dependabot-bun 0.332.0 → 0.333.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/bun/bun_package_manager.rb +1 -0
- data/lib/dependabot/bun/file_fetcher.rb +13 -1
- data/lib/dependabot/bun/file_updater/bun_lockfile_updater.rb +60 -19
- data/lib/dependabot/bun/file_updater/package_json_preparer.rb +16 -4
- data/lib/dependabot/bun/file_updater/package_json_updater.rb +1 -1
- data/lib/dependabot/bun/file_updater.rb +2 -2
- data/lib/dependabot/bun/language.rb +1 -0
- data/lib/dependabot/bun/metadata_finder.rb +1 -1
- data/lib/dependabot/bun/native_helpers.rb +7 -1
- data/lib/dependabot/bun/pnpm_package_manager.rb +1 -0
- data/lib/dependabot/bun/requirement.rb +22 -8
- data/lib/dependabot/bun/update_checker/conflicting_dependency_resolver.rb +29 -5
- data/lib/dependabot/bun/update_checker/dependency_files_builder.rb +39 -8
- data/lib/dependabot/bun/update_checker/library_detector.rb +35 -5
- data/lib/dependabot/bun/update_checker/requirements_updater.rb +61 -23
- data/lib/dependabot/bun/update_checker/subdependency_version_resolver.rb +57 -15
- data/lib/dependabot/bun/update_checker/vulnerability_auditor.rb +60 -7
- data/lib/dependabot/bun/update_checker.rb +2 -2
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0eb056be9654d428163d857882cad03f7efb23a1e73462218712ba9847673f88
|
|
4
|
+
data.tar.gz: b8d3a89a900b410b940d6fe57a0f39c4bd5fe442fdc0d04ae9e5603d8c802d45
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5716bd87728a019983e174575e729a6a8631625d7d23c24e4bfb59dc572cd03946c2e2e360580dfda81cb9f0d9729c0fc3f83cf47e3c247a9c3998be9e19f61a
|
|
7
|
+
data.tar.gz: 0c0eed5a6922f0fd4a2bbf38688c79d5a46d2866129df2632f3e1f57b1fe40ec86f1a0c0b4b18e06f7943a1ae95db1866c3343bee7906a67e75f9703d04486d7
|
|
@@ -11,6 +11,7 @@ require "dependabot/bun/helpers"
|
|
|
11
11
|
require "dependabot/bun/package_manager"
|
|
12
12
|
require "dependabot/bun/file_parser"
|
|
13
13
|
require "dependabot/bun/file_parser/lockfile_parser"
|
|
14
|
+
require "dependabot/file_filtering"
|
|
14
15
|
|
|
15
16
|
module Dependabot
|
|
16
17
|
module Bun
|
|
@@ -81,7 +82,12 @@ module Dependabot
|
|
|
81
82
|
fetched_files += workspace_package_jsons
|
|
82
83
|
fetched_files += path_dependencies(fetched_files)
|
|
83
84
|
|
|
84
|
-
|
|
85
|
+
# Filter excluded files from final collection
|
|
86
|
+
filtered_files = fetched_files.uniq.reject do |file|
|
|
87
|
+
Dependabot::FileFiltering.should_exclude_path?(file.name, "file from final collection", @exclude_paths)
|
|
88
|
+
end
|
|
89
|
+
|
|
90
|
+
filtered_files
|
|
85
91
|
end
|
|
86
92
|
|
|
87
93
|
private
|
|
@@ -185,6 +191,9 @@ module Dependabot
|
|
|
185
191
|
cleaned_name = Pathname.new(filename).cleanpath.to_path
|
|
186
192
|
next if fetched_files.map(&:name).include?(cleaned_name)
|
|
187
193
|
|
|
194
|
+
# Skip excluded path dependencies
|
|
195
|
+
next if Dependabot::FileFiltering.should_exclude_path?(cleaned_name, "path dependency file", @exclude_paths)
|
|
196
|
+
|
|
188
197
|
begin
|
|
189
198
|
file = fetch_file_from_host(filename, fetch_submodules: true)
|
|
190
199
|
package_json_files << file
|
|
@@ -291,6 +300,9 @@ module Dependabot
|
|
|
291
300
|
return [] unless parsed_package_json["workspaces"]
|
|
292
301
|
|
|
293
302
|
workspace_paths(parsed_package_json["workspaces"]).filter_map do |workspace|
|
|
303
|
+
# Skip excluded workspace directories
|
|
304
|
+
next if Dependabot::FileFiltering.should_exclude_path?(workspace, "workspace directory", @exclude_paths)
|
|
305
|
+
|
|
294
306
|
fetch_package_json_if_present(workspace)
|
|
295
307
|
end
|
|
296
308
|
end
|
|
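Review bot: The final filter at new lines 86–88 passes `file.name` to `should_exclude_path?` as-is, whereas the path-dependency hunk (new line 195) normalises the name through `Pathname#cleanpath` first; if `DependencyFile#name` can ever carry a `./` prefix or a `..` segment, an exclusion pattern that matches in the earlier checks can be missed in this final pass. Using `Dependabot::FileFiltering.should_exclude_path?(Pathname.new(file.name).cleanpath.to_path, "file from final collection", @exclude_paths)` keeps the two checks consistent. All three hunks read `@exclude_paths` directly and none of the visible lines initialises it, so presumably the base class sets it; an `exclude_paths` reader would make that dependency explicit. The enclosing methods begin outside each hunk.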
@@ -1,6 +1,8 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
require "dependabot/bun/helpers"
|
|
5
7
|
require "dependabot/bun/package/registry_finder"
|
|
6
8
|
require "dependabot/bun/registry_parser"
|
|
@@ -10,9 +12,20 @@ module Dependabot
|
|
|
10
12
|
module Bun
|
|
11
13
|
class FileUpdater < Dependabot::FileUpdaters::Base
|
|
12
14
|
class BunLockfileUpdater
|
|
15
|
+
extend T::Sig
|
|
16
|
+
|
|
13
17
|
require_relative "npmrc_builder"
|
|
14
18
|
require_relative "package_json_updater"
|
|
15
19
|
|
|
20
|
+
sig do
|
|
21
|
+
params(
|
|
22
|
+
dependencies: T::Array[Dependabot::Dependency],
|
|
23
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
24
|
+
repo_contents_path: String,
|
|
25
|
+
credentials: T::Array[Dependabot::Credential]
|
|
26
|
+
)
|
|
27
|
+
.void
|
|
28
|
+
end
|
|
16
29
|
def initialize(dependencies:, dependency_files:, repo_contents_path:, credentials:)
|
|
17
30
|
@dependencies = dependencies
|
|
18
31
|
@dependency_files = dependency_files
|
|
@@ -20,9 +33,10 @@ module Dependabot
|
|
|
20
33
|
@credentials = credentials
|
|
21
34
|
end
|
|
22
35
|
|
|
36
|
+
sig { params(bun_lock: Dependabot::DependencyFile).returns(String) }
|
|
23
37
|
def updated_bun_lock_content(bun_lock)
|
|
24
|
-
@updated_bun_lock_content ||= {}
|
|
25
|
-
return @updated_bun_lock_content[bun_lock.name] if @updated_bun_lock_content[bun_lock.name]
|
|
38
|
+
@updated_bun_lock_content ||= T.let({}, T.nilable(T::Hash[String, String]))
|
|
39
|
+
return T.must(@updated_bun_lock_content[bun_lock.name]) if @updated_bun_lock_content[bun_lock.name]
|
|
26
40
|
|
|
27
41
|
new_content = run_bun_update(bun_lock: bun_lock)
|
|
28
42
|
@updated_bun_lock_content[bun_lock.name] = new_content
|
|
@@ -32,19 +46,30 @@ module Dependabot
|
|
|
32
46
|
|
|
33
47
|
private
|
|
34
48
|
|
|
49
|
+
sig { returns(T::Array[Dependabot::Dependency]) }
|
|
35
50
|
attr_reader :dependencies
|
|
51
|
+
|
|
52
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
36
53
|
attr_reader :dependency_files
|
|
54
|
+
|
|
55
|
+
sig { returns(String) }
|
|
37
56
|
attr_reader :repo_contents_path
|
|
38
|
-
attr_reader :credentials
|
|
39
57
|
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
/installfailed cloning repository/i => Dependabot::DependencyNotFound,
|
|
43
|
-
/file:.* failed to resolve/i => Dependabot::DependencyNotFound,
|
|
44
|
-
/no version matching/i => Dependabot::DependencyFileNotResolvable,
|
|
45
|
-
/failed to resolve/i => Dependabot::DependencyFileNotResolvable
|
|
46
|
-
}.freeze
|
|
58
|
+
sig { returns(T::Array[Dependabot::Credential]) }
|
|
59
|
+
attr_reader :credentials
|
|
47
60
|
|
|
61
|
+
ERR_PATTERNS = T.let(
|
|
62
|
+
{
|
|
63
|
+
/get .* 404/i => Dependabot::DependencyNotFound,
|
|
64
|
+
/installfailed cloning repository/i => Dependabot::DependencyNotFound,
|
|
65
|
+
/file:.* failed to resolve/i => Dependabot::DependencyNotFound,
|
|
66
|
+
/no version matching/i => Dependabot::DependencyFileNotResolvable,
|
|
67
|
+
/failed to resolve/i => Dependabot::DependencyFileNotResolvable
|
|
68
|
+
}.freeze,
|
|
69
|
+
T::Hash[Regexp, Dependabot::DependabotError]
|
|
70
|
+
)
|
|
71
|
+
|
|
72
|
+
sig { params(bun_lock: Dependabot::DependencyFile).returns(String) }
|
|
48
73
|
def run_bun_update(bun_lock:)
|
|
49
74
|
SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
|
|
50
75
|
File.write(".npmrc", npmrc_content(bun_lock))
|
|
@@ -61,6 +86,7 @@ module Dependabot
|
|
|
61
86
|
end
|
|
62
87
|
end
|
|
63
88
|
|
|
89
|
+
sig { void }
|
|
64
90
|
def run_bun_updater
|
|
65
91
|
dependency_updates = dependencies.map do |d|
|
|
66
92
|
"#{d.name}@#{d.version}"
|
|
@@ -72,14 +98,16 @@ module Dependabot
|
|
|
72
98
|
)
|
|
73
99
|
end
|
|
74
100
|
|
|
101
|
+
sig { void }
|
|
75
102
|
def run_bun_install
|
|
76
103
|
Helpers.run_bun_command(
|
|
77
104
|
"install --save-text-lockfile"
|
|
78
105
|
)
|
|
79
106
|
end
|
|
80
107
|
|
|
108
|
+
sig { params(lockfile: Dependabot::DependencyFile).returns(T::Array[Dependabot::Dependency]) }
|
|
81
109
|
def lockfile_dependencies(lockfile)
|
|
82
|
-
@lockfile_dependencies ||= {}
|
|
110
|
+
@lockfile_dependencies ||= T.let({}, T.nilable(T::Hash[String, T::Array[Dependabot::Dependency]]))
|
|
83
111
|
@lockfile_dependencies[lockfile.name] ||=
|
|
84
112
|
Bun::FileParser.new(
|
|
85
113
|
dependency_files: [lockfile, *package_files],
|
|
@@ -88,6 +116,7 @@ module Dependabot
|
|
|
88
116
|
).parse
|
|
89
117
|
end
|
|
90
118
|
|
|
119
|
+
sig { params(error: Dependabot::DependabotError, _bun_lock: Dependabot::DependencyFile).returns(T.noreturn) }
|
|
91
120
|
def handle_bun_lock_updater_error(error, _bun_lock)
|
|
92
121
|
error_message = error.message
|
|
93
122
|
|
|
@@ -98,6 +127,7 @@ module Dependabot
|
|
|
98
127
|
raise error
|
|
99
128
|
end
|
|
100
129
|
|
|
130
|
+
sig { void }
|
|
101
131
|
def write_final_package_json_files
|
|
102
132
|
package_files.each do |file|
|
|
103
133
|
path = file.name
|
|
@@ -106,6 +136,7 @@ module Dependabot
|
|
|
106
136
|
end
|
|
107
137
|
end
|
|
108
138
|
|
|
139
|
+
sig { params(bun_lock: Dependabot::DependencyFile).returns(String) }
|
|
109
140
|
def npmrc_content(bun_lock)
|
|
110
141
|
NpmrcBuilder.new(
|
|
111
142
|
credentials: credentials,
|
|
@@ -114,27 +145,37 @@ module Dependabot
|
|
|
114
145
|
).npmrc_content
|
|
115
146
|
end
|
|
116
147
|
|
|
148
|
+
sig { params(file: Dependabot::DependencyFile).returns(String) }
|
|
117
149
|
def updated_package_json_content(file)
|
|
118
|
-
@updated_package_json_content ||= {}
|
|
150
|
+
@updated_package_json_content ||= T.let({}, T.nilable(T::Hash[String, String]))
|
|
119
151
|
@updated_package_json_content[file.name] ||=
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
152
|
+
T.must(
|
|
153
|
+
PackageJsonUpdater.new(
|
|
154
|
+
package_json: file,
|
|
155
|
+
dependencies: dependencies
|
|
156
|
+
).updated_package_json.content
|
|
157
|
+
)
|
|
124
158
|
end
|
|
125
159
|
|
|
160
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
126
161
|
def package_files
|
|
127
|
-
@package_files ||=
|
|
162
|
+
@package_files ||= T.let(
|
|
163
|
+
dependency_files.select { |f| f.name.end_with?("package.json") },
|
|
164
|
+
T.nilable(T::Array[Dependabot::DependencyFile])
|
|
165
|
+
)
|
|
128
166
|
end
|
|
129
167
|
|
|
168
|
+
sig { returns(String) }
|
|
130
169
|
def base_dir
|
|
131
|
-
dependency_files.first.directory
|
|
170
|
+
T.must(dependency_files.first).directory
|
|
132
171
|
end
|
|
133
172
|
|
|
173
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
134
174
|
def npmrc_file
|
|
135
175
|
dependency_files.find { |f| f.name == ".npmrc" }
|
|
136
176
|
end
|
|
137
177
|
|
|
178
|
+
sig { params(message: String).returns(String) }
|
|
138
179
|
def sanitize_message(message)
|
|
139
180
|
message.gsub(/"|\[|\]|\}|\{/, "")
|
|
140
181
|
end
|
|
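Review bot: `ERR_PATTERNS` at new lines 61–70 is declared as `T::Hash[Regexp, Dependabot::DependabotError]`, but its values are exception classes rather than instances, so the declared type should be `T::Hash[Regexp, T.class_of(Dependabot::DependabotError)]`. Because `T.let` is checked by sorbet-runtime, the current declaration is liable to raise a `TypeError` when the class is loaded unless the inline type error handler has been configured to be non-fatal, and under `# typed: strong` the static checker will disagree with whatever the lookup in `handle_bun_lock_updater_error` (mostly outside the hunks) does with the values. The rest of the section is sig additions and `T.must`/`T.let` wrapping that preserve behaviour.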
@@ -1,6 +1,8 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
require "dependabot/bun/file_updater"
|
|
5
7
|
require "dependabot/bun/file_parser"
|
|
6
8
|
|
|
@@ -8,10 +10,14 @@ module Dependabot
|
|
|
8
10
|
module Bun
|
|
9
11
|
class FileUpdater < Dependabot::FileUpdaters::Base
|
|
10
12
|
class PackageJsonPreparer
|
|
13
|
+
extend T::Sig
|
|
14
|
+
|
|
15
|
+
sig { params(package_json_content: String).void }
|
|
11
16
|
def initialize(package_json_content:)
|
|
12
17
|
@package_json_content = package_json_content
|
|
13
18
|
end
|
|
14
19
|
|
|
20
|
+
sig { returns(String) }
|
|
15
21
|
def prepared_content
|
|
16
22
|
content = package_json_content
|
|
17
23
|
content = replace_ssh_sources(content)
|
|
@@ -20,6 +26,7 @@ module Dependabot
|
|
|
20
26
|
content
|
|
21
27
|
end
|
|
22
28
|
|
|
29
|
+
sig { params(content: String).returns(String) }
|
|
23
30
|
def replace_ssh_sources(content)
|
|
24
31
|
updated_content = content
|
|
25
32
|
|
|
@@ -33,6 +40,7 @@ module Dependabot
|
|
|
33
40
|
|
|
34
41
|
# A bug prevents Yarn recognising that a directory is part of a
|
|
35
42
|
# workspace if it is specified with a `./` prefix.
|
|
43
|
+
sig { params(content: String).returns(String) }
|
|
36
44
|
def remove_workspace_path_prefixes(content)
|
|
37
45
|
json = JSON.parse(content)
|
|
38
46
|
return content unless json.key?("workspaces")
|
|
@@ -52,6 +60,7 @@ module Dependabot
|
|
|
52
60
|
JSON.pretty_generate(json)
|
|
53
61
|
end
|
|
54
62
|
|
|
63
|
+
sig { params(content: String).returns(String) }
|
|
55
64
|
def remove_invalid_characters(content)
|
|
56
65
|
content
|
|
57
66
|
.gsub(/\{\{[^\}]*?\}\}/, "something") # {{ nm }} syntax not allowed
|
|
@@ -59,28 +68,31 @@ module Dependabot
|
|
|
59
68
|
.gsub(%r{^\s*//.*}, " ") # comments are not allowed
|
|
60
69
|
end
|
|
61
70
|
|
|
71
|
+
sig { returns(T::Array[String]) }
|
|
62
72
|
def swapped_ssh_requirements
|
|
63
73
|
git_ssh_requirements_to_swap
|
|
64
74
|
end
|
|
65
75
|
|
|
66
76
|
private
|
|
67
77
|
|
|
78
|
+
sig { returns(String) }
|
|
68
79
|
attr_reader :package_json_content
|
|
69
80
|
|
|
81
|
+
sig { returns(T::Array[String]) }
|
|
70
82
|
def git_ssh_requirements_to_swap
|
|
71
83
|
return @git_ssh_requirements_to_swap if @git_ssh_requirements_to_swap
|
|
72
84
|
|
|
73
|
-
@git_ssh_requirements_to_swap = []
|
|
85
|
+
@git_ssh_requirements_to_swap = T.let([], T.nilable(T::Array[String]))
|
|
74
86
|
|
|
75
87
|
Bun::FileParser.each_dependency(JSON.parse(package_json_content)) do |_, req, _t|
|
|
76
88
|
next unless req.is_a?(String)
|
|
77
89
|
next unless req.start_with?("git+ssh:")
|
|
78
90
|
|
|
79
91
|
req = req.split("#").first
|
|
80
|
-
@git_ssh_requirements_to_swap << req
|
|
92
|
+
T.must(@git_ssh_requirements_to_swap) << T.must(req)
|
|
81
93
|
end
|
|
82
94
|
|
|
83
|
-
@git_ssh_requirements_to_swap
|
|
95
|
+
T.must(@git_ssh_requirements_to_swap)
|
|
84
96
|
end
|
|
85
97
|
end
|
|
86
98
|
end
|
|
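Review bot: `git_ssh_requirements_to_swap` (new lines 82–96) has become hard to read: the ivar is assigned an empty array before it is populated, so every append and the final return go through `T.must`. Building the list in a local declared as `T::Array[String]` and assigning the ivar once at the end keeps the same memoisation (the early return still works because an empty array is truthy), keeps the `T.nilable(T::Array[String])` declaration, and leaves only the one `T.must` that `split("#").first` genuinely needs. Behaviour is unchanged: the same requirements are collected in the same order.
```ruby
def git_ssh_requirements_to_swap
  return @git_ssh_requirements_to_swap if @git_ssh_requirements_to_swap

  swapped = T.let([], T::Array[String])
  Bun::FileParser.each_dependency(JSON.parse(package_json_content)) do |_, req, _t|
    next unless req.is_a?(String)
    next unless req.start_with?("git+ssh:")

    swapped << T.must(req.split("#").first)
  end

  @git_ssh_requirements_to_swap = T.let(swapped, T.nilable(T::Array[String]))
end
```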
@@ -60,7 +60,7 @@ module Dependabot
|
|
|
60
60
|
)
|
|
61
61
|
|
|
62
62
|
if Dependabot::Experiments.enabled?(:avoid_duplicate_updates_package_json) &&
|
|
63
|
-
|
|
63
|
+
content == new_content && unique_deps_count > 1
|
|
64
64
|
|
|
65
65
|
# (we observed that) package.json does not always contains the same dependencies compared to
|
|
66
66
|
# "dependencies" list, for example, dependencies object can contain same name dependency "dep"=> "1.0.0"
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "dependabot/file_updaters"
|
|
@@ -179,7 +179,7 @@ module Dependabot
|
|
|
179
179
|
BunLockfileUpdater.new(
|
|
180
180
|
dependencies: dependencies,
|
|
181
181
|
dependency_files: dependency_files,
|
|
182
|
-
repo_contents_path: repo_contents_path,
|
|
182
|
+
repo_contents_path: T.must(repo_contents_path),
|
|
183
183
|
credentials: credentials
|
|
184
184
|
),
|
|
185
185
|
T.nilable(Dependabot::Bun::FileUpdater::BunLockfileUpdater)
|
|
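Review bot: `T.must(repo_contents_path)` at new line 182 turns a missing checkout path into a generic sorbet-runtime `TypeError` at the point where `BunLockfileUpdater` is constructed; the `T.must` implies the base class declares the value as nilable, and the lockfile updater does need it for `SharedHelpers.in_a_temporary_repo_directory`. If nil is reachable here, a descriptive failure is easier to triage: `raise Dependabot::DependabotError, "repo_contents_path is required to update bun.lock" if repo_contents_path.nil?` placed before the `T.let`, after which the `T.must` can stay for the type checker. The constructing method starts outside the hunk.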
@@ -73,7 +73,7 @@ module Dependabot
|
|
|
73
73
|
|
|
74
74
|
all_version_listings
|
|
75
75
|
.reject { |v, _| Time.parse(times[v]) > cutoff }
|
|
76
|
-
.filter_map { |_, d| d.
|
|
76
|
+
.filter_map { |_, d| d.dig("_npmUser", "name") }
|
|
77
77
|
end
|
|
78
78
|
|
|
79
79
|
sig { returns(T.nilable(Source)) }
|
|
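Review bot: `d.dig("_npmUser", "name")` at new line 76 operates on registry-supplied version listings, and `Hash#dig` raises `TypeError` when an intermediate value is present but not diggable (for example a `_npmUser` that is a string), so one malformed listing aborts the whole lookup instead of being skipped. A guarded form such as `.filter_map { |_, d| d["_npmUser"]["name"] if d["_npmUser"].is_a?(Hash) }` keeps the intent while tolerating odd entries. The enclosing method starts outside the hunk, so I cannot see whether the caller already rescues this.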
@@ -1,13 +1,19 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
module Dependabot
|
|
5
7
|
module Bun
|
|
6
8
|
module NativeHelpers
|
|
9
|
+
extend T::Sig
|
|
10
|
+
|
|
11
|
+
sig { returns(String) }
|
|
7
12
|
def self.helper_path
|
|
8
13
|
"node #{File.join(native_helpers_root, 'run.js')}"
|
|
9
14
|
end
|
|
10
15
|
|
|
16
|
+
sig { returns(String) }
|
|
11
17
|
def self.native_helpers_root
|
|
12
18
|
helpers_root = ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", nil)
|
|
13
19
|
return File.join(helpers_root, "bun") unless helpers_root.nil?
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "sorbet-runtime"
|
|
@@ -12,16 +12,22 @@ module Dependabot
|
|
|
12
12
|
class Requirement < Dependabot::Requirement
|
|
13
13
|
extend T::Sig
|
|
14
14
|
|
|
15
|
-
AND_SEPARATOR = /(?<=[a-zA-Z0-9*])\s+(?:&+\s+)?(?!\s*[|-])
|
|
16
|
-
OR_SEPARATOR = /(?<=[a-zA-Z0-9*])\s
|
|
15
|
+
AND_SEPARATOR = T.let(/(?<=[a-zA-Z0-9*])\s+(?:&+\s+)?(?!\s*[|-])/, Regexp)
|
|
16
|
+
OR_SEPARATOR = T.let(/(?<=[a-zA-Z0-9*])\s*\|+/, Regexp)
|
|
17
17
|
|
|
18
18
|
# Override the version pattern to allow a 'v' prefix
|
|
19
19
|
quoted = OPS.keys.map { |k| Regexp.quote(k) }.join("|")
|
|
20
20
|
version_pattern = "v?#{Bun::Version::VERSION_PATTERN}"
|
|
21
21
|
|
|
22
|
-
PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*".freeze
|
|
23
|
-
PATTERN = /\A#{PATTERN_RAW}\z
|
|
22
|
+
PATTERN_RAW = T.let("\\s*(#{quoted})?\\s*(#{version_pattern})\\s*".freeze, String)
|
|
23
|
+
PATTERN = T.let(/\A#{PATTERN_RAW}\z/, Regexp)
|
|
24
24
|
|
|
25
|
+
sig do
|
|
26
|
+
params(
|
|
27
|
+
obj: T.any(String, Gem::Version)
|
|
28
|
+
)
|
|
29
|
+
.returns(T::Array[T.any(String, T.nilable(Bun::Version))])
|
|
30
|
+
end
|
|
25
31
|
def self.parse(obj)
|
|
26
32
|
return ["=", nil] if obj.is_a?(String) && Version::VERSION_TAGS.include?(obj.strip)
|
|
27
33
|
return ["=", Bun::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
|
|
@@ -52,9 +58,10 @@ module Dependabot
|
|
|
52
58
|
end
|
|
53
59
|
end
|
|
54
60
|
|
|
61
|
+
sig { params(requirements: T.nilable(T.any(String, T::Array[String]))).void }
|
|
55
62
|
def initialize(*requirements)
|
|
56
63
|
requirements = requirements.flatten
|
|
57
|
-
.flat_map { |req_string| req_string.split(",").map(&:strip) }
|
|
64
|
+
.flat_map { |req_string| T.must(req_string).split(",").map(&:strip) }
|
|
58
65
|
.flat_map { |req_string| convert_js_constraint_to_ruby_constraint(req_string) }
|
|
59
66
|
|
|
60
67
|
super(requirements)
|
|
@@ -62,6 +69,7 @@ module Dependabot
|
|
|
62
69
|
|
|
63
70
|
private
|
|
64
71
|
|
|
72
|
+
sig { params(req_string: String).returns(T.any(String, T::Array[String])) }
|
|
65
73
|
def convert_js_constraint_to_ruby_constraint(req_string)
|
|
66
74
|
return req_string if req_string.match?(/^([A-Za-uw-z]|v[^\d])/)
|
|
67
75
|
|
|
@@ -79,6 +87,7 @@ module Dependabot
|
|
|
79
87
|
end
|
|
80
88
|
end
|
|
81
89
|
|
|
90
|
+
sig { params(req_string: String).returns(String) }
|
|
82
91
|
def convert_tilde_req(req_string)
|
|
83
92
|
version = req_string.gsub(/^~\>?[\s=]*/, "")
|
|
84
93
|
parts = version.split(".")
|
|
@@ -86,8 +95,11 @@ module Dependabot
|
|
|
86
95
|
"~> #{parts.join('.')}"
|
|
87
96
|
end
|
|
88
97
|
|
|
98
|
+
sig { params(req_string: String).returns(T::Array[String]) }
|
|
89
99
|
def convert_hyphen_req(req_string)
|
|
90
|
-
|
|
100
|
+
parts = req_string.split(/\s+-\s+/)
|
|
101
|
+
lower_bound = T.must(parts[0])
|
|
102
|
+
upper_bound = T.must(parts[1])
|
|
91
103
|
lower_bound_parts = lower_bound.split(".")
|
|
92
104
|
lower_bound_parts.fill("0", lower_bound_parts.length...3)
|
|
93
105
|
|
|
@@ -105,6 +117,7 @@ module Dependabot
|
|
|
105
117
|
[">= #{lower_bound_parts.join('.')}", upper_bound_range]
|
|
106
118
|
end
|
|
107
119
|
|
|
120
|
+
sig { params(req_string: String).returns(String) }
|
|
108
121
|
def ruby_range(req_string)
|
|
109
122
|
parts = req_string.split(".")
|
|
110
123
|
# If we have three or more parts then this is an exact match
|
|
@@ -115,13 +128,14 @@ module Dependabot
|
|
|
115
128
|
"~> #{parts.join('.')}"
|
|
116
129
|
end
|
|
117
130
|
|
|
131
|
+
sig { params(req_string: String).returns(T::Array[String]) }
|
|
118
132
|
def convert_caret_req(req_string)
|
|
119
133
|
version = req_string.gsub(/^\^[\s=]*/, "")
|
|
120
134
|
parts = version.split(".")
|
|
121
135
|
parts.fill("x", parts.length...3)
|
|
122
136
|
first_non_zero = parts.find { |d| d != "0" }
|
|
123
137
|
first_non_zero_index =
|
|
124
|
-
first_non_zero ? parts.index(first_non_zero) : parts.count - 1
|
|
138
|
+
first_non_zero ? T.must(parts.index(first_non_zero)) : parts.count - 1
|
|
125
139
|
# If the requirement has a blank minor or patch version increment the
|
|
126
140
|
# previous index value with 1
|
|
127
141
|
first_non_zero_index -= 1 if first_non_zero == "x"
|
|
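Review bot: In `convert_hyphen_req` (new lines 100–102), `T.must(parts[1])` turns a requirement with no upper bound into a generic sorbet-runtime `TypeError`. Requirement strings come from the repository's package.json, so a descriptive failure helps triage: `raise ArgumentError, "invalid hyphen range: #{req_string}" unless parts.length == 2` ahead of the two `T.must` lines, using whichever error class the surrounding parser already raises for malformed requirements if it has one. This assumes the dispatch that routes strings here (outside the hunk) does not already guarantee the `a - b` form. The remaining hunks in this section only add sigs and `T.let` wrappers.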
@@ -1,6 +1,8 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
require "dependabot/dependency"
|
|
5
7
|
require "dependabot/errors"
|
|
6
8
|
require "dependabot/logger"
|
|
@@ -15,6 +17,15 @@ module Dependabot
|
|
|
15
17
|
module Bun
|
|
16
18
|
class UpdateChecker < Dependabot::UpdateCheckers::Base
|
|
17
19
|
class ConflictingDependencyResolver
|
|
20
|
+
extend T::Sig
|
|
21
|
+
|
|
22
|
+
sig do
|
|
23
|
+
params(
|
|
24
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
25
|
+
credentials: T::Array[Dependabot::Credential]
|
|
26
|
+
)
|
|
27
|
+
.void
|
|
28
|
+
end
|
|
18
29
|
def initialize(dependency_files:, credentials:)
|
|
19
30
|
@dependency_files = dependency_files
|
|
20
31
|
@credentials = credentials
|
|
@@ -30,6 +41,13 @@ module Dependabot
|
|
|
30
41
|
# * name [String] the blocking dependencies name
|
|
31
42
|
# * version [String] the version of the blocking dependency
|
|
32
43
|
# * requirement [String] the requirement on the target_dependency
|
|
44
|
+
sig do
|
|
45
|
+
params(
|
|
46
|
+
dependency: Dependabot::Dependency,
|
|
47
|
+
target_version: T.nilable(T.any(String, Dependabot::Version))
|
|
48
|
+
)
|
|
49
|
+
.returns(T::Array[T::Hash[String, String]])
|
|
50
|
+
end
|
|
33
51
|
def conflicting_dependencies(dependency:, target_version:)
|
|
34
52
|
SharedHelpers.in_a_temporary_directory do
|
|
35
53
|
dependency_files_builder = DependencyFilesBuilder.new(
|
|
@@ -39,10 +57,13 @@ module Dependabot
|
|
|
39
57
|
)
|
|
40
58
|
dependency_files_builder.write_temporary_dependency_files
|
|
41
59
|
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
60
|
+
T.cast(
|
|
61
|
+
SharedHelpers.run_helper_subprocess(
|
|
62
|
+
command: NativeHelpers.helper_path,
|
|
63
|
+
function: "yarn:findConflictingDependencies",
|
|
64
|
+
args: [Dir.pwd, dependency.name, target_version.to_s]
|
|
65
|
+
),
|
|
66
|
+
T::Array[T::Hash[String, String]]
|
|
46
67
|
)
|
|
47
68
|
end
|
|
48
69
|
rescue SharedHelpers::HelperSubprocessFailed
|
|
@@ -51,7 +72,10 @@ module Dependabot
|
|
|
51
72
|
|
|
52
73
|
private
|
|
53
74
|
|
|
75
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
54
76
|
attr_reader :dependency_files
|
|
77
|
+
|
|
78
|
+
sig { returns(T::Array[Dependabot::Credential]) }
|
|
55
79
|
attr_reader :credentials
|
|
56
80
|
end
|
|
57
81
|
end
|
|
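Review bot: The sig at new line 47 admits nil for `target_version`, but new line 64 forwards `target_version.to_s`, so a nil becomes an empty string handed to the native helper; if nil is not a meaningful input here, tighten the sig to `T.any(String, Dependabot::Version)` or guard with `raise ArgumentError, "target_version is required" if target_version.nil?`. Note also that the `T.cast` at new lines 60–66 is a runtime check on the helper's JSON output, and a result that does not match `T::Array[T::Hash[String, String]]` raises `TypeError`, which the `rescue SharedHelpers::HelperSubprocessFailed` at new line 69 does not catch; decide whether a malformed helper result should be treated like a helper failure. `conflicting_dependencies` continues past the hunk.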
@@ -1,6 +1,8 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strong
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
|
+
require "sorbet-runtime"
|
|
5
|
+
|
|
4
6
|
require "dependabot/bun/file_updater/npmrc_builder"
|
|
5
7
|
require "dependabot/bun/file_updater/package_json_preparer"
|
|
6
8
|
|
|
@@ -8,12 +10,23 @@ module Dependabot
|
|
|
8
10
|
module Bun
|
|
9
11
|
class UpdateChecker
|
|
10
12
|
class DependencyFilesBuilder
|
|
13
|
+
extend T::Sig
|
|
14
|
+
|
|
15
|
+
sig do
|
|
16
|
+
params(
|
|
17
|
+
dependency: Dependabot::Dependency,
|
|
18
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
19
|
+
credentials: T::Array[Dependabot::Credential]
|
|
20
|
+
)
|
|
21
|
+
.void
|
|
22
|
+
end
|
|
11
23
|
def initialize(dependency:, dependency_files:, credentials:)
|
|
12
24
|
@dependency = dependency
|
|
13
25
|
@dependency_files = dependency_files
|
|
14
26
|
@credentials = credentials
|
|
15
27
|
end
|
|
16
28
|
|
|
29
|
+
sig { void }
|
|
17
30
|
def write_temporary_dependency_files
|
|
18
31
|
write_lockfiles
|
|
19
32
|
|
|
@@ -26,34 +39,50 @@ module Dependabot
|
|
|
26
39
|
end
|
|
27
40
|
end
|
|
28
41
|
|
|
42
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
29
43
|
def bun_locks
|
|
30
|
-
@bun_locks ||=
|
|
44
|
+
@bun_locks ||= T.let(
|
|
31
45
|
dependency_files
|
|
32
|
-
.select { |f| f.name.end_with?("bun.lock") }
|
|
46
|
+
.select { |f| f.name.end_with?("bun.lock") },
|
|
47
|
+
T.nilable(T::Array[Dependabot::DependencyFile])
|
|
48
|
+
)
|
|
33
49
|
end
|
|
34
50
|
|
|
51
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
35
52
|
def root_bun_lock
|
|
36
|
-
@root_bun_lock ||=
|
|
53
|
+
@root_bun_lock ||= T.let(
|
|
37
54
|
dependency_files
|
|
38
|
-
.find { |f| f.name == "bun.lock" }
|
|
55
|
+
.find { |f| f.name == "bun.lock" },
|
|
56
|
+
T.nilable(Dependabot::DependencyFile)
|
|
57
|
+
)
|
|
39
58
|
end
|
|
40
59
|
|
|
60
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
41
61
|
def lockfiles
|
|
42
62
|
[*bun_locks]
|
|
43
63
|
end
|
|
44
64
|
|
|
65
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
45
66
|
def package_files
|
|
46
|
-
@package_files ||=
|
|
67
|
+
@package_files ||= T.let(
|
|
47
68
|
dependency_files
|
|
48
|
-
.select { |f| f.name.end_with?("package.json") }
|
|
69
|
+
.select { |f| f.name.end_with?("package.json") },
|
|
70
|
+
T.nilable(T::Array[Dependabot::DependencyFile])
|
|
71
|
+
)
|
|
49
72
|
end
|
|
50
73
|
|
|
51
74
|
private
|
|
52
75
|
|
|
76
|
+
sig { returns(Dependabot::Dependency) }
|
|
53
77
|
attr_reader :dependency
|
|
78
|
+
|
|
79
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
54
80
|
attr_reader :dependency_files
|
|
81
|
+
|
|
82
|
+
sig { returns(T::Array[Dependabot::Credential]) }
|
|
55
83
|
attr_reader :credentials
|
|
56
84
|
|
|
85
|
+
sig { void }
|
|
57
86
|
def write_lockfiles
|
|
58
87
|
bun_locks.each do |f|
|
|
59
88
|
FileUtils.mkdir_p(Pathname.new(f.name).dirname)
|
|
@@ -61,12 +90,14 @@ module Dependabot
|
|
|
61
90
|
end
|
|
62
91
|
end
|
|
63
92
|
|
|
93
|
+
sig { params(file: Dependabot::DependencyFile).returns(String) }
|
|
64
94
|
def prepared_package_json_content(file)
|
|
65
95
|
Bun::FileUpdater::PackageJsonPreparer.new(
|
|
66
|
-
package_json_content: file.content
|
|
96
|
+
package_json_content: T.must(file.content)
|
|
67
97
|
).prepared_content
|
|
68
98
|
end
|
|
69
99
|
|
|
100
|
+
sig { returns(String) }
|
|
70
101
|
def npmrc_content
|
|
71
102
|
Bun::FileUpdater::NpmrcBuilder.new(
|
|
72
103
|
credentials: credentials,
|