dependabot-bun 0.334.0 → 0.336.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 39414457e86cb0cae8938453e97141bcdf4fdac15481ede878fd42dc17a75b10
-  data.tar.gz: b8d3a89a900b410b940d6fe57a0f39c4bd5fe442fdc0d04ae9e5603d8c802d45
+  metadata.gz: 3953e6714135ca7e3d22256533cae81ecc1d98906df0da2c1d56b21c072ccda6
+  data.tar.gz: 2c17ff1677bc68e0278cb647cdd33bd0d6b51aad9682154c9e340df4b735d41e
 SHA512:
-  metadata.gz: 06a26fadbe36d46a6f49c3754a5688572fe4f52de323d8694f5ebc55ee7cdeaea62995c377bca2f7fe7b2540d7e39555ed15597cb234e81f81333952f962a94e
-  data.tar.gz: 0c0eed5a6922f0fd4a2bbf38688c79d5a46d2866129df2632f3e1f57b1fe40ec86f1a0c0b4b18e06f7943a1ae95db1866c3343bee7906a67e75f9703d04486d7
+  metadata.gz: 6cf54c28a53c407ddc12ebb2fcfaffc65a8d486956cc0835e85144da5907bc01cdae4a36e4d39d0bbec535af49c0226f466dee41102b5865f47b000e315ccfbb
+  data.tar.gz: 3ff413c98a5181fdf82c2c85e1ada5d2ce1db8c879dfe3cd4fd175e39f46e34bfdd1ed4e1aa70d7928b31ed8c93d6232e24ea4481e450b3a98c898ea6dd2f5c9

data/helpers/package-lock.json

@@ -15636,10 +15636,9 @@
       }
     },
     "node_modules/tar-fs": {
-      "version": "1.16.5",
-      "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-1.16.5.tgz",
-      "integrity": "sha512-1ergVCCysmwHQNrOS+Pjm4DQ4nrGp43+Xnu4MRGjCnQu/m3hEgLNS78d5z+B8OJ1hN5EejJdCSFZE1oM6AQXAQ==",
-      "license": "MIT",
+      "version": "1.16.6",
+      "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-1.16.6.tgz",
+      "integrity": "sha512-JkOgFt3FxM/2v2CNpAVHqMW2QASjc/Hxo7IGfNd3MHaDYSW/sBFiS7YVmmhmr8x6vwN1VFQDQGdT2MWpmIuVKA==",
       "dependencies": {
         "chownr": "^1.0.1",
         "mkdirp": "^0.5.1",
@@ -28005,9 +28004,9 @@
       }
     },
     "tar-fs": {
-      "version": "1.16.5",
-      "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-1.16.5.tgz",
-      "integrity": "sha512-1ergVCCysmwHQNrOS+Pjm4DQ4nrGp43+Xnu4MRGjCnQu/m3hEgLNS78d5z+B8OJ1hN5EejJdCSFZE1oM6AQXAQ==",
+      "version": "1.16.6",
+      "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-1.16.6.tgz",
+      "integrity": "sha512-JkOgFt3FxM/2v2CNpAVHqMW2QASjc/Hxo7IGfNd3MHaDYSW/sBFiS7YVmmhmr8x6vwN1VFQDQGdT2MWpmIuVKA==",
       "requires": {
         "chownr": "^1.0.1",
         "mkdirp": "^0.5.1",

data/lib/dependabot/bun/constraint_helper.rb

@@ -20,11 +20,14 @@ module Dependabot
 
       # Base regex for SemVer (major.minor.patch[-prerelease][+build])
       # This pattern extracts valid semantic versioning strings based on the SemVer 2.0 specification.
-      SEMVER_REGEX = T.let(/
-        (?<version>\d+\.\d+\.\d+)               # Match major.minor.patch (e.g., 1.2.3)
-        (?:-(?<prerelease>[a-zA-Z0-9.-]+))?     # Optional prerelease (e.g., -alpha.1, -rc.1, -beta.5)
-        (?:\+(?<build>[a-zA-Z0-9.-]+))?         # Optional build metadata (e.g., +build.20231101, +exp.sha.5114f85)
-      /x, Regexp)
+      SEMVER_REGEX = T.let(
+        /
+          (?<version>\d+\.\d+\.\d+)               # Match major.minor.patch (e.g., 1.2.3)
+          (?:-(?<prerelease>[a-zA-Z0-9.-]+))?     # Optional prerelease (e.g., -alpha.1, -rc.1, -beta.5)
+          (?:\+(?<build>[a-zA-Z0-9.-]+))?         # Optional build metadata (e.g., +build.20231101, +exp.sha.5114f85)
+        /x,
+        Regexp
+      )
 
       # Full SemVer validation regex (ensures the entire string is a valid SemVer)
       # This ensures the entire input strictly follows SemVer, without extra characters before/after.
@@ -32,11 +35,14 @@ module Dependabot
 
       # SemVer constraint regex (supports package.json version constraints)
       # This pattern ensures proper parsing of SemVer versions with optional operators.
-      SEMVER_CONSTRAINT_REGEX = T.let(/
-        (?: (>=|<=|>|<|=|~|\^)\s*)?  # Make operators optional (e.g., >=, ^, ~)
-        (\d+\.\d+\.\d+(?:-[a-zA-Z0-9.-]+)?(?:\+[a-zA-Z0-9.-]+)?)  # Match full SemVer versions
-        | (\*|latest) # Match wildcard (*) or 'latest'
-      /x, Regexp)
+      SEMVER_CONSTRAINT_REGEX = T.let(
+        /
+                (?: (>=|<=|>|<|=|~|\^)\s*)?  # Make operators optional (e.g., >=, ^, ~)
+                (\d+\.\d+\.\d+(?:-[a-zA-Z0-9.-]+)?(?:\+[a-zA-Z0-9.-]+)?)  # Match full SemVer versions
+                | (\*|latest) # Match wildcard (*) or 'latest'
+              /x,
+        Regexp
+      )
 
       # /(>=|<=|>|<|=|~|\^)\s*(\d+\.\d+\.\d+(?:-[a-zA-Z0-9.-]+)?(?:\+[a-zA-Z0-9.-]+)?)|(\*|latest)/
 
@@ -55,17 +61,20 @@ module Dependabot
       SEMVER_CONSTANTS = ["*", "latest"].freeze
 
       # Unified Regex for Valid Constraints
-      VALID_CONSTRAINT_REGEX = T.let(Regexp.union(
-        CARET_CONSTRAINT_REGEX,
-        TILDE_CONSTRAINT_REGEX,
-        EXACT_CONSTRAINT_REGEX,
-        GREATER_THAN_EQUAL_REGEX,
-        LESS_THAN_EQUAL_REGEX,
-        GREATER_THAN_REGEX,
-        LESS_THAN_REGEX,
-        WILDCARD_REGEX,
-        LATEST_REGEX
-      ).freeze, Regexp)
+      VALID_CONSTRAINT_REGEX = T.let(
+        Regexp.union(
+          CARET_CONSTRAINT_REGEX,
+          TILDE_CONSTRAINT_REGEX,
+          EXACT_CONSTRAINT_REGEX,
+          GREATER_THAN_EQUAL_REGEX,
+          LESS_THAN_EQUAL_REGEX,
+          GREATER_THAN_REGEX,
+          LESS_THAN_REGEX,
+          WILDCARD_REGEX,
+          LATEST_REGEX
+        ).freeze,
+        Regexp
+      )
 
       # Extract unique constraints from the given constraint expression.
       # @param constraint_expression [T.nilable(String)] The semver constraint expression.

data/lib/dependabot/bun/dependency_files_filterer.rb

@@ -31,7 +31,8 @@ module Dependabot
             package_files_requiring_update.include?(file) ||
               package_required_lockfile?(file) ||
               workspaces_lockfile?(file)
-          end, T.nilable(T::Array[DependencyFile])
+          end,
+          T.nilable(T::Array[DependencyFile])
         )
       end
 
@@ -40,7 +41,8 @@ module Dependabot
         @package_files_requiring_update ||= T.let(
           dependency_files.select do |file|
             dependency_manifest_requirements.include?(file.name)
-          end, T.nilable(T::Array[DependencyFile])
+          end,
+          T.nilable(T::Array[DependencyFile])
         )
       end
 
@@ -67,7 +69,8 @@ module Dependabot
         @dependency_manifest_requirements ||= T.let(
           updated_dependencies.flat_map do |dep|
             dep.requirements.map { |requirement| requirement[:file] }
-          end, T.nilable(T::Array[String])
+          end,
+          T.nilable(T::Array[String])
         )
       end
 
@@ -96,7 +99,8 @@ module Dependabot
         @root_lockfile ||= T.let(
           lockfiles.find do |file|
             File.dirname(file.name) == "."
-          end, T.nilable(DependencyFile)
+          end,
+          T.nilable(DependencyFile)
         )
       end
 
@@ -105,7 +109,8 @@ module Dependabot
         @lockfiles ||= T.let(
           dependency_files.select do |file|
             lockfile?(file)
-          end, T.nilable(T::Array[DependencyFile])
+          end,
+          T.nilable(T::Array[DependencyFile])
         )
       end
 
@@ -115,7 +120,8 @@ module Dependabot
           begin
             package = T.must(dependency_files.find { |f| f.name == "package.json" })
             JSON.parse(T.must(package.content))
-          end, T.nilable(T::Hash[String, T.untyped])
+          end,
+          T.nilable(T::Hash[String, T.untyped])
         )
       end
 

data/lib/dependabot/bun/file_fetcher/path_dependency_builder.rb

@@ -23,8 +23,13 @@ module Dependabot
           )
             .void
         end
-        def initialize(dependency_name:, path:, directory:, package_lock:,
-                       yarn_lock:)
+        def initialize(
+          dependency_name:,
+          path:,
+          directory:,
+          package_lock:,
+          yarn_lock:
+        )
           @dependency_name = dependency_name
           @path = path
           @directory = directory
@@ -154,17 +159,20 @@ module Dependabot
           return unless yarn_lock
           return @parsed_yarn_lock if defined?(@parsed_yarn_lock)
 
-          parsed = T.cast(SharedHelpers.in_a_temporary_directory do
-            File.write("yarn.lock", T.must(yarn_lock).content)
-
-            SharedHelpers.run_helper_subprocess(
-              command: NativeHelpers.helper_path,
-              function: "yarn:parseLockfile",
-              args: [Dir.pwd]
-            )
-          rescue SharedHelpers::HelperSubprocessFailed
-            raise Dependabot::DependencyFileNotParseable, T.must(yarn_lock).path
-          end, T::Hash[String, T.untyped])
+          parsed = T.cast(
+            SharedHelpers.in_a_temporary_directory do
+              File.write("yarn.lock", T.must(yarn_lock).content)
+
+              SharedHelpers.run_helper_subprocess(
+                command: NativeHelpers.helper_path,
+                function: "yarn:parseLockfile",
+                args: [Dir.pwd]
+              )
+            rescue SharedHelpers::HelperSubprocessFailed
+              raise Dependabot::DependencyFileNotParseable, T.must(yarn_lock).path
+            end,
+            T::Hash[String, T.untyped]
+          )
           @parsed_yarn_lock = T.let(parsed, T.nilable(T::Hash[String, T.untyped]))
         end
 

data/lib/dependabot/bun/file_fetcher.rb

@@ -28,8 +28,10 @@ module Dependabot
       # when it specifies a path. Only include Yarn "link:"'s that start with a
       # path and ignore symlinked package names that have been registered with
       # "yarn link", e.g. "link:react"
-      PATH_DEPENDENCY_STARTS = T.let(%w(file: link:. link:/ link:~/ / ./ ../ ~/).freeze,
-                                     [String, String, String, String, String, String, String, String])
+      PATH_DEPENDENCY_STARTS = T.let(
+        %w(file: link:. link:/ link:~/ / ./ ../ ~/).freeze,
+        [String, String, String, String, String, String, String, String]
+      )
       PATH_DEPENDENCY_CLEAN_REGEX = /^file:|^link:/
       DEFAULT_NPM_REGISTRY = "https://registry.npmjs.org"
 
@@ -118,7 +120,8 @@ module Dependabot
             lockfiles,
             registry_config_files,
             credentials
-          ), T.nilable(PackageManagerHelper)
+          ),
+          T.nilable(PackageManagerHelper)
         )
       end
 
@@ -250,8 +253,10 @@ module Dependabot
           # skip dependencies that contain invalid values such as inline comments, null, etc.
 
           unless value.is_a?(String)
-            Dependabot.logger.warn("File fetcher: Skipping dependency \"#{path}\" " \
-                                   "with value: \"#{value}\"")
+            Dependabot.logger.warn(
+              "File fetcher: Skipping dependency \"#{path}\" " \
+              "with value: \"#{value}\""
+            )
 
             next
           end

data/lib/dependabot/bun/file_parser.rb

@@ -101,7 +101,8 @@ module Dependabot
             lockfiles,
             registry_config_files,
             credentials
-          ), T.nilable(PackageManagerHelper)
+          ),
+          T.nilable(PackageManagerHelper)
         )
       end
 
@@ -137,16 +138,22 @@ module Dependabot
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def bun_lock
-        @bun_lock ||= T.let(dependency_files.find do |f|
-          f.name.end_with?(BunPackageManager::LOCKFILE_NAME)
-        end, T.nilable(Dependabot::DependencyFile))
+        @bun_lock ||= T.let(
+          dependency_files.find do |f|
+            f.name.end_with?(BunPackageManager::LOCKFILE_NAME)
+          end,
+          T.nilable(Dependabot::DependencyFile)
+        )
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def npmrc
-        @npmrc ||= T.let(dependency_files.find do |f|
-          f.name.end_with?(BunPackageManager::RC_FILENAME)
-        end, T.nilable(Dependabot::DependencyFile))
+        @npmrc ||= T.let(
+          dependency_files.find do |f|
+            f.name.end_with?(BunPackageManager::RC_FILENAME)
+          end,
+          T.nilable(Dependabot::DependencyFile)
+        )
       end
 
       sig { returns(Dependabot::FileParsers::Base::DependencySet) }
@@ -183,7 +190,8 @@ module Dependabot
         @lockfile_parser ||= T.let(
           LockfileParser.new(
             dependency_files: dependency_files
-          ), T.nilable(Dependabot::Bun::FileParser::LockfileParser)
+          ),
+          T.nilable(Dependabot::Bun::FileParser::LockfileParser)
         )
       end
 
@@ -203,13 +211,16 @@ module Dependabot
           manifest_name: file.name
         )
         version = version_for(requirement, lockfile_details)
-        converted_version = T.let(if version.nil?
-                                    nil
-                                  elsif version.is_a?(String)
-                                    version
-                                  else
-                                    Dependabot::Version.new(version)
-                                  end, T.nilable(T.any(String, Dependabot::Version)))
+        converted_version = T.let(
+          if version.nil?
+            nil
+          elsif version.is_a?(String)
+            version
+          else
+            Dependabot::Version.new(version)
+          end,
+          T.nilable(T.any(String, Dependabot::Version))
+        )
 
         return if lockfile_details && !version
         return if ignore_requirement?(requirement)
@@ -239,8 +250,10 @@ module Dependabot
       def check_required_files
         return if get_original_file(MANIFEST_FILENAME)
 
-        raise DependencyFileNotFound.new(nil,
-                                         "#{MANIFEST_FILENAME} not found.")
+        raise DependencyFileNotFound.new(
+          nil,
+          "#{MANIFEST_FILENAME} not found."
+        )
       end
 
       sig { params(requirement: String).returns(T::Boolean) }
@@ -287,9 +300,12 @@ module Dependabot
 
       sig { returns(T::Array[String]) }
       def workspace_package_names
-        @workspace_package_names ||= T.let(package_files.filter_map do |f|
-          JSON.parse(T.must(f.content))["name"]
-        end, T.nilable(T::Array[String]))
+        @workspace_package_names ||= T.let(
+          package_files.filter_map do |f|
+            JSON.parse(T.must(f.content))["name"]
+          end,
+          T.nilable(T::Array[String])
+        )
       end
 
       sig do
@@ -456,7 +472,8 @@ module Dependabot
           [
             dependency_files.find { |f| f.name == MANIFEST_FILENAME },
             *sub_package_files
-          ].compact, T.nilable(T::Array[DependencyFile])
+          ].compact,
+          T.nilable(T::Array[DependencyFile])
         )
       end
 

data/lib/dependabot/bun/file_updater/package_json_updater.rb

@@ -69,8 +69,10 @@ module Dependabot
                 # a transitive dependency which only needs update in lockfile, So we avoid throwing exception and let
                 # the update continue.
 
-                Dependabot.logger.info("experiment: avoid_duplicate_updates_package_json.
-                Updating package.json for #{dep.name} ")
+                Dependabot.logger.info(
+                  "experiment: avoid_duplicate_updates_package_json.
+                Updating package.json for #{dep.name} "
+                )
 
                 raise "Expected content to change!"
               end
@@ -225,8 +227,10 @@ module Dependabot
 
           unless git_dependency
             requirement = dependency_req&.fetch(:requirement)
-            return content.match(/"#{Regexp.escape(dependency_name)}"\s*:\s*
-                                  "#{Regexp.escape(requirement)}"/x).to_s
+            return content.match(
+              /"#{Regexp.escape(dependency_name)}"\s*:\s*
+                                                "#{Regexp.escape(requirement)}"/x
+            ).to_s
           end
 
           username, repo =
@@ -355,8 +359,10 @@ module Dependabot
 
             # some deps are patched with local patches, we don't need to update them
             if req.fetch(:requirement).match?(Regexp.union(PATCH_PACKAGE))
-              Dependabot.logger.info("Func: updated_requirements. dependency patched #{dependency.name}," \
-                                     " Requirement: '#{req.fetch(:requirement)}'")
+              Dependabot.logger.info(
+                "Func: updated_requirements. dependency patched #{dependency.name}," \
+                " Requirement: '#{req.fetch(:requirement)}'"
+              )
 
               raise DependencyFileNotResolvable,
                     "Dependency is patched locally, Update not required."
@@ -365,8 +371,10 @@ module Dependabot
             # some deps are added as local packages, we don't need to update them as they are referred to a local path
             next unless req.fetch(:requirement).match?(Regexp.union(LOCAL_PACKAGE))
 
-            Dependabot.logger.info("Func: updated_requirements. local package #{dependency.name}," \
-                                   " Requirement: '#{req.fetch(:requirement)}'")
+            Dependabot.logger.info(
+              "Func: updated_requirements. local package #{dependency.name}," \
+              " Requirement: '#{req.fetch(:requirement)}'"
+            )
 
             raise DependencyFileNotResolvable,
                   "Local package, Update not required."

data/lib/dependabot/bun/file_updater.rb

@@ -99,7 +99,8 @@ module Dependabot
               dependency_files: dependency_files,
               updated_dependencies: dependencies
             ).files_requiring_update
-          end, T.nilable(T::Array[DependencyFile])
+          end,
+          T.nilable(T::Array[DependencyFile])
         )
       end
 
@@ -131,7 +132,8 @@ module Dependabot
         @package_files ||= T.let(
           filtered_dependency_files.select do |f|
             f.name.end_with?("package.json")
-          end, T.nilable(T::Array[DependencyFile])
+          end,
+          T.nilable(T::Array[DependencyFile])
         )
       end
 

data/lib/dependabot/bun/metadata_finder.rb

@@ -162,8 +162,10 @@ module Dependabot
       def latest_version_listing
         return @latest_version_listing unless @latest_version_listing.nil?
 
-        response = Dependabot::RegistryClient.get(url: "#{dependency_url}/latest",
-                                                  headers: registry_auth_headers)
+        response = Dependabot::RegistryClient.get(
+          url: "#{dependency_url}/latest",
+          headers: registry_auth_headers
+        )
         return @latest_version_listing = {} if response.status >= 500
 
         begin

data/lib/dependabot/bun/package/registry_finder.rb

@@ -35,8 +35,13 @@ module Dependabot
             yarnrc_yml_file: T.nilable(Dependabot::DependencyFile)
           ).void
         end
-        def initialize(dependency:, credentials:, npmrc_file: nil,
-                       yarnrc_file: nil, yarnrc_yml_file: nil)
+        def initialize(
+          dependency:,
+          credentials:,
+          npmrc_file: nil,
+          yarnrc_file: nil,
+          yarnrc_yml_file: nil
+        )
           @dependency = dependency
           @credentials = credentials
           @npmrc_file = npmrc_file
@@ -103,10 +108,13 @@ module Dependabot
 
         sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :npmrc_file
+
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :yarnrc_file
+
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :yarnrc_yml_file
 

data/lib/dependabot/bun/package_name.rb

@@ -98,7 +98,8 @@ module Dependabot
             self.class.new("@types/#{@scope}__#{@name}")
           else
             self.class.new("@types/#{@name}")
-          end, T.nilable(PackageName)
+          end,
+          T.nilable(PackageName)
         )
       end
 

data/lib/dependabot/bun/pnpm_package_manager.rb

@@ -16,11 +16,14 @@ module Dependabot
       PNPM_V8 = "8"
       PNPM_V9 = "9"
 
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(PNPM_V7),
-        Version.new(PNPM_V8),
-        Version.new(PNPM_V9)
-      ].freeze, T::Array[Dependabot::Version])
+      SUPPORTED_VERSIONS = T.let(
+        [
+          Version.new(PNPM_V7),
+          Version.new(PNPM_V8),
+          Version.new(PNPM_V9)
+        ].freeze,
+        T::Array[Dependabot::Version]
+      )
 
       DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
 

data/lib/dependabot/bun/update_checker/requirements_updater.rb

@@ -40,8 +40,12 @@ module Dependabot
           )
             .void
         end
-        def initialize(requirements:, updated_source:, update_strategy:,
-                       latest_resolvable_version:)
+        def initialize(
+          requirements:,
+          updated_source:,
+          update_strategy:,
+          latest_resolvable_version:
+        )
           @requirements = requirements
           @updated_source = updated_source
           @update_strategy = update_strategy

data/lib/dependabot/bun/update_checker/subdependency_version_resolver.rb

@@ -49,8 +49,14 @@ module Dependabot
             repo_contents_path: T.nilable(String)
           ).void
         end
-        def initialize(dependency:, credentials:, dependency_files:,
-                       ignored_versions:, latest_allowable_version:, repo_contents_path:)
+        def initialize(
+          dependency:,
+          credentials:,
+          dependency_files:,
+          ignored_versions:,
+          latest_allowable_version:,
+          repo_contents_path:
+        )
           @dependency = dependency
           @credentials = credentials
           @dependency_files = dependency_files

data/lib/dependabot/bun/update_checker/version_resolver.rb

@@ -27,9 +27,12 @@ module Dependabot
 
         require_relative "latest_version_finder"
 
-        TIGHTLY_COUPLED_MONOREPOS = T.let({
-          "vue" => %w(vue vue-template-compiler)
-        }.freeze, T::Hash[String, T::Array[String]])
+        TIGHTLY_COUPLED_MONOREPOS = T.let(
+          {
+            "vue" => %w(vue vue-template-compiler)
+          }.freeze,
+          T::Hash[String, T::Array[String]]
+        )
 
         # Error message returned by `npm install` (for NPM 6):
         # react-dom@15.2.0 requires a peer of react@^15.2.0 \
@@ -68,10 +71,15 @@ module Dependabot
           ).void
         end
         def initialize( # rubocop:disable Metrics/AbcSize
-          dependency:, dependency_files:, credentials:,
-          latest_allowable_version:, latest_version_finder:,
-          repo_contents_path:, dependency_group: nil,
-          raise_on_ignored: false, update_cooldown: nil
+          dependency:,
+          dependency_files:,
+          credentials:,
+          latest_allowable_version:,
+          latest_version_finder:,
+          repo_contents_path:,
+          dependency_group: nil,
+          raise_on_ignored: false,
+          update_cooldown: nil
         )
           @dependency               = dependency
           @dependency_files         = dependency_files
@@ -170,22 +178,29 @@ module Dependabot
 
         sig { returns(Dependabot::Dependency) }
         attr_reader :dependency
+
         sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+
         sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+
         sig { returns(T.nilable(T.any(String, Gem::Version))) }
         attr_reader :latest_allowable_version
+
         sig { returns(T.nilable(String)) }
         attr_reader :repo_contents_path
+
         sig { returns(T.nilable(Dependabot::DependencyGroup)) }
         attr_reader :dependency_group
+
         sig { returns(T.nilable(Dependabot::Package::ReleaseCooldownOptions)) }
         attr_reader :update_cooldown
+
         sig { returns(T::Boolean) }
         attr_reader :raise_on_ignored
 
-        sig { params(dep: Dependabot::Dependency) .returns(PackageLatestVersionFinder) }
+        sig { params(dep: Dependabot::Dependency).returns(PackageLatestVersionFinder) }
         def latest_version_finder(dep)
           @latest_version_finder[dep] ||=
             PackageLatestVersionFinder.new(

data/lib/dependabot/bun/update_checker/vulnerability_auditor.rb

@@ -192,8 +192,10 @@ module Dependabot
         end
 
         sig do
-          params(dependency: Dependabot::Dependency,
-                 error: Dependabot::SharedHelpers::HelperSubprocessFailed).void
+          params(
+            dependency: Dependabot::Dependency,
+            error: Dependabot::SharedHelpers::HelperSubprocessFailed
+          ).void
         end
         def log_helper_subprocess_failure(dependency, error)
           # See `Dependabot::SharedHelpers.run_helper_subprocess` for details on error context

data/lib/dependabot/bun/update_checker.rb

@@ -36,11 +36,19 @@ module Dependabot
         )
           .void
       end
-      def initialize(dependency:, dependency_files:, credentials:, # rubocop:disable Metrics/AbcSize
-                     repo_contents_path: nil, ignored_versions: [],
-                     raise_on_ignored: false, security_advisories: [],
-                     requirements_update_strategy: nil, dependency_group: nil,
-                     update_cooldown: nil, options: {})
+      def initialize( # rubocop:disable Metrics/AbcSize
+        dependency:,
+        dependency_files:,
+        credentials:,
+        repo_contents_path: nil,
+        ignored_versions: [],
+        raise_on_ignored: false,
+        security_advisories: [],
+        requirements_update_strategy: nil,
+        dependency_group: nil,
+        update_cooldown: nil,
+        options: {}
+      )
         @latest_version = T.let(nil, T.nilable(T.any(String, Gem::Version)))
         @latest_resolvable_version = T.let(nil, T.nilable(T.any(String, Dependabot::Version)))
         @updated_requirements = T.let(nil, T.nilable(T::Array[T::Hash[Symbol, T.untyped]]))
@@ -385,8 +393,10 @@ module Dependabot
       def latest_version_for_git_dependency
         @latest_version_for_git_dependency ||=
           if version_class.correct?(dependency.version)
-            T.unsafe(latest_git_version_details[:version] &&
-              version_class.new(latest_git_version_details[:version]))
+            T.unsafe(
+              latest_git_version_details[:version] &&
+                            version_class.new(latest_git_version_details[:version])
+            )
           else
             latest_git_version_details[:sha]
           end

data/lib/dependabot/bun/version.rb

@@ -21,20 +21,23 @@ module Dependabot
 
       # These are possible npm versioning tags that can be used in place of a version.
       # See https://docs.npmjs.com/cli/v10/commands/npm-dist-tag#purpose for more details.
-      VERSION_TAGS = T.let([
-        "alpha",        # Alpha version, early testing phase
-        "beta",         # Beta version, more stable than alpha
-        "canary",       # Canary version, often used for cutting-edge builds
-        "dev",          # Development version, ongoing development
-        "experimental", # Experimental version, unstable and new features
-        "latest",       # Latest stable version, used by npm to identify the current version of a package
-        "legacy",       # Legacy version, older version maintained for compatibility
-        "next",         # Next version, used by some projects to identify the upcoming version
-        "nightly",      # Nightly build, daily builds often including latest changes
-        "rc",           # Release candidate, potential final version
-        "release",      # General release version
-        "stable"        # Stable version, thoroughly tested and stable
-      ].freeze.map(&:freeze), T::Array[String])
+      VERSION_TAGS = T.let(
+        [
+          "alpha", # Alpha version, early testing phase
+          "beta",         # Beta version, more stable than alpha
+          "canary",       # Canary version, often used for cutting-edge builds
+          "dev",          # Development version, ongoing development
+          "experimental", # Experimental version, unstable and new features
+          "latest",       # Latest stable version, used by npm to identify the current version of a package
+          "legacy",       # Legacy version, older version maintained for compatibility
+          "next",         # Next version, used by some projects to identify the upcoming version
+          "nightly",      # Nightly build, daily builds often including latest changes
+          "rc",           # Release candidate, potential final version
+          "release",      # General release version
+          "stable"        # Stable version, thoroughly tested and stable
+        ].freeze.map(&:freeze),
+        T::Array[String]
+      )
 
       VERSION_PATTERN = T.let(Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?', String)
       ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/

data/lib/dependabot/bun.rb

@@ -166,186 +166,189 @@ module Dependabot
     end
 
     # Group of patterns to validate error message and raise specific error
-    VALIDATION_GROUP_PATTERNS = T.let([
-      {
-        patterns: [INVALID_NAME_IN_PACKAGE_JSON],
-        handler: lambda { |message, _error, _params|
-          Dependabot::DependencyFileNotResolvable.new(message)
+    VALIDATION_GROUP_PATTERNS = T.let(
+      [
+        {
+          patterns: [INVALID_NAME_IN_PACKAGE_JSON],
+          handler: lambda { |message, _error, _params|
+            Dependabot::DependencyFileNotResolvable.new(message)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        # Check if sub dependency is using local path and raise a resolvability error
-        patterns: [INVALID_PACKAGE_REGEX, SUB_DEP_LOCAL_PATH_TEXT],
-        handler: lambda { |message, _error, params|
-          Dependabot::DependencyFileNotResolvable.new(
-            Utils.sanitize_resolvability_message(
-              message,
-              params[:dependencies],
-              params[:yarn_lock]
+        {
+          # Check if sub dependency is using local path and raise a resolvability error
+          patterns: [INVALID_PACKAGE_REGEX, SUB_DEP_LOCAL_PATH_TEXT],
+          handler: lambda { |message, _error, params|
+            Dependabot::DependencyFileNotResolvable.new(
+              Utils.sanitize_resolvability_message(
+                message,
+                params[:dependencies],
+                params[:yarn_lock]
+              )
             )
-          )
-        },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [NODE_MODULES_STATE_FILE_NOT_FOUND],
-        handler: lambda { |message, _error, _params|
-          Dependabot::MisconfiguredTooling.new("Yarn", message)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: true,
-        matchfn: nil
-      },
-      {
-        patterns: [TARBALL_IS_NOT_IN_NETWORK],
-        handler: lambda { |message, _error, _params|
-          Dependabot::DependencyFileNotResolvable.new(message)
+        {
+          patterns: [NODE_MODULES_STATE_FILE_NOT_FOUND],
+          handler: lambda { |message, _error, _params|
+            Dependabot::MisconfiguredTooling.new("Yarn", message)
+          },
+          in_usage: true,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [NODE_VERSION_NOT_SATISFY_REGEX],
-        handler: lambda { |message, _error, _params|
-          versions = Utils.extract_node_versions(message)
-          current_version = versions[:current_version]
-          required_version = versions[:required_version]
-
-          return Dependabot::DependabotError.new(message) unless current_version && required_version
-
-          Dependabot::ToolVersionNotSupported.new("Yarn", current_version, required_version)
+        {
+          patterns: [TARBALL_IS_NOT_IN_NETWORK],
+          handler: lambda { |message, _error, _params|
+            Dependabot::DependencyFileNotResolvable.new(message)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [AUTHENTICATION_TOKEN_NOT_PROVIDED, AUTHENTICATION_IS_NOT_CONFIGURED,
-                   AUTHENTICATION_HEADER_NOT_PROVIDED],
-        handler: lambda { |message, _error, _params|
-          Dependabot::PrivateSourceAuthenticationFailure.new(message)
+        {
+          patterns: [NODE_VERSION_NOT_SATISFY_REGEX],
+          handler: lambda { |message, _error, _params|
+            versions = Utils.extract_node_versions(message)
+            current_version = versions[:current_version]
+            required_version = versions[:required_version]
+
+            return Dependabot::DependabotError.new(message) unless current_version && required_version
+
+            Dependabot::ToolVersionNotSupported.new("Yarn", current_version, required_version)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [DEPENDENCY_FILE_NOT_RESOLVABLE],
-        handler: lambda { |message, _error, _params|
-          DependencyFileNotResolvable.new(message)
+        {
+          patterns: [AUTHENTICATION_TOKEN_NOT_PROVIDED, AUTHENTICATION_IS_NOT_CONFIGURED,
+                     AUTHENTICATION_HEADER_NOT_PROVIDED],
+          handler: lambda { |message, _error, _params|
+            Dependabot::PrivateSourceAuthenticationFailure.new(message)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [ENV_VAR_NOT_RESOLVABLE],
-        handler: lambda { |message, _error, _params|
-          var = Utils.extract_var(message)
-
-          Dependabot::MissingEnvironmentVariable.new(var, message)
+        {
+          patterns: [DEPENDENCY_FILE_NOT_RESOLVABLE],
+          handler: lambda { |message, _error, _params|
+            DependencyFileNotResolvable.new(message)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [ONLY_PRIVATE_WORKSPACE_TEXT],
-        handler: lambda { |message, _error, _params|
-          Dependabot::DependencyFileNotEvaluatable.new(message)
+        {
+          patterns: [ENV_VAR_NOT_RESOLVABLE],
+          handler: lambda { |message, _error, _params|
+            var = Utils.extract_var(message)
+
+            Dependabot::MissingEnvironmentVariable.new(var, message)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [UNREACHABLE_GIT_CHECK_REGEX],
-        handler: lambda { |message, _error, _params|
-          dependency_url = message.match(UNREACHABLE_GIT_CHECK_REGEX).named_captures.fetch(URL_CAPTURE)
-
-          Dependabot::GitDependenciesNotReachable.new(dependency_url)
+        {
+          patterns: [ONLY_PRIVATE_WORKSPACE_TEXT],
+          handler: lambda { |message, _error, _params|
+            Dependabot::DependencyFileNotEvaluatable.new(message)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [SOCKET_HANG_UP],
-        handler: lambda { |message, _error, _params|
-          url = message.match(SOCKET_HANG_UP).named_captures.fetch(URL_CAPTURE)
-
-          Dependabot::PrivateSourceTimedOut.new(url.gsub(HTTP_CHECK_REGEX, ""))
+        {
+          patterns: [UNREACHABLE_GIT_CHECK_REGEX],
+          handler: lambda { |message, _error, _params|
+            dependency_url = message.match(UNREACHABLE_GIT_CHECK_REGEX).named_captures.fetch(URL_CAPTURE)
+
+            Dependabot::GitDependenciesNotReachable.new(dependency_url)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [ESOCKETTIMEDOUT],
-        handler: lambda { |message, _error, _params|
-          package_req = message.match(ESOCKETTIMEDOUT).named_captures.fetch("package")
-
-          Dependabot::PrivateSourceTimedOut.new(package_req.gsub(HTTP_CHECK_REGEX, ""))
+        {
+          patterns: [SOCKET_HANG_UP],
+          handler: lambda { |message, _error, _params|
+            url = message.match(SOCKET_HANG_UP).named_captures.fetch(URL_CAPTURE)
+
+            Dependabot::PrivateSourceTimedOut.new(url.gsub(HTTP_CHECK_REGEX, ""))
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [OUT_OF_DISKSPACE],
-        handler: lambda { |message, _error, _params|
-          Dependabot::OutOfDisk.new(message)
+        {
+          patterns: [ESOCKETTIMEDOUT],
+          handler: lambda { |message, _error, _params|
+            package_req = message.match(ESOCKETTIMEDOUT).named_captures.fetch("package")
+
+            Dependabot::PrivateSourceTimedOut.new(package_req.gsub(HTTP_CHECK_REGEX, ""))
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [YARN_PACKAGE_NOT_FOUND_CODE, YARN_PACKAGE_NOT_FOUND_CODE_1, YARN_PACKAGE_NOT_FOUND_CODE_2],
-        handler: lambda { |message, _error, _params|
-          msg = message.match(YARN_PACKAGE_NOT_FOUND_CODE) || message.match(YARN_PACKAGE_NOT_FOUND_CODE_1) ||
-          message.match(YARN_PACKAGE_NOT_FOUND_CODE_2)
-
-          Dependabot::DependencyFileNotResolvable.new(msg)
+        {
+          patterns: [OUT_OF_DISKSPACE],
+          handler: lambda { |message, _error, _params|
+            Dependabot::OutOfDisk.new(message)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [REQUEST_ERROR_E403, AUTH_REQUIRED_ERROR, PERMISSION_DENIED, BAD_REQUEST],
-        handler: lambda { |message, _error, _params|
-          dependency_url = T.must(URI.decode_www_form_component(message).split("https://").last).split("/").first
-
-          Dependabot::PrivateSourceAuthenticationFailure.new(dependency_url)
+        {
+          patterns: [YARN_PACKAGE_NOT_FOUND_CODE, YARN_PACKAGE_NOT_FOUND_CODE_1, YARN_PACKAGE_NOT_FOUND_CODE_2],
+          handler: lambda { |message, _error, _params|
+            msg = message.match(YARN_PACKAGE_NOT_FOUND_CODE) || message.match(YARN_PACKAGE_NOT_FOUND_CODE_1) ||
+            message.match(YARN_PACKAGE_NOT_FOUND_CODE_2)
+
+            Dependabot::DependencyFileNotResolvable.new(msg)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [MANIFEST_NOT_FOUND],
-        handler: lambda { |message, _error, _params|
-          msg = message.match(MANIFEST_NOT_FOUND)
-          Dependabot::DependencyFileNotResolvable.new(msg)
+        {
+          patterns: [REQUEST_ERROR_E403, AUTH_REQUIRED_ERROR, PERMISSION_DENIED, BAD_REQUEST],
+          handler: lambda { |message, _error, _params|
+            dependency_url = T.must(URI.decode_www_form_component(message).split("https://").last).split("/").first
+
+            Dependabot::PrivateSourceAuthenticationFailure.new(dependency_url)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [INTERNAL_SERVER_ERROR],
-        handler: lambda { |message, _error, _params|
-          msg = message.match(INTERNAL_SERVER_ERROR)
-          Dependabot::DependencyFileNotResolvable.new(msg)
+        {
+          patterns: [MANIFEST_NOT_FOUND],
+          handler: lambda { |message, _error, _params|
+            msg = message.match(MANIFEST_NOT_FOUND)
+            Dependabot::DependencyFileNotResolvable.new(msg)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      },
-      {
-        patterns: [REGISTRY_NOT_REACHABLE],
-        handler: lambda { |message, _error, _params|
-          msg = message.match(REGISTRY_NOT_REACHABLE)
-          Dependabot::DependencyFileNotResolvable.new(msg)
+        {
+          patterns: [INTERNAL_SERVER_ERROR],
+          handler: lambda { |message, _error, _params|
+            msg = message.match(INTERNAL_SERVER_ERROR)
+            Dependabot::DependencyFileNotResolvable.new(msg)
+          },
+          in_usage: false,
+          matchfn: nil
         },
-        in_usage: false,
-        matchfn: nil
-      }
-    ].freeze, T::Array[{
-      patterns: T::Array[T.any(String, Regexp)],
-      handler: ErrorHandler,
-      in_usage: T.nilable(T::Boolean),
-      matchfn: T.nilable(T.proc.params(usage: String, message: String).returns(T::Boolean))
-    }])
+        {
+          patterns: [REGISTRY_NOT_REACHABLE],
+          handler: lambda { |message, _error, _params|
+            msg = message.match(REGISTRY_NOT_REACHABLE)
+            Dependabot::DependencyFileNotResolvable.new(msg)
+          },
+          in_usage: false,
+          matchfn: nil
+        }
+      ].freeze,
+      T::Array[{
+        patterns: T::Array[T.any(String, Regexp)],
+        handler: ErrorHandler,
+        in_usage: T.nilable(T::Boolean),
+        matchfn: T.nilable(T.proc.params(usage: String, message: String).returns(T::Boolean))
+      }]
+    )
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bun
 version: !ruby/object:Gem::Version
-  version: 0.334.0
+  version: 0.336.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.334.0
+        version: 0.336.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.334.0
+        version: 0.336.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -113,56 +113,56 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.67'
+        version: '1.80'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.67'
+        version: '1.80'
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.22'
+        version: '1.26'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.22'
+        version: '1.26'
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.29'
+        version: '3.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.29'
+        version: '3.7'
 - !ruby/object:Gem::Dependency
   name: rubocop-sorbet
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '0.10'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '0.10'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -347,7 +347,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.334.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.336.0
 rdoc_options: []
 require_paths:
 - lib