dependabot-bun 0.381.0 → 0.382.0
- checksums.yaml +4 -4
- data/helpers/lib/pnpm/lockfile-parser.js +1 -1
- data/helpers/test/pnpm/fixtures/parser/lockfile_v9/pnpm-lock.yaml +23 -0
- data/helpers/test/pnpm/lockfile-parser.test.js +17 -0
- data/lib/dependabot/bun/registry_parser.rb +52 -16
- data/lib/dependabot/bun/update_checker.rb +10 -8
- metadata +5 -4
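--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7d5fede6dbe516bce6f4872b3594e7b563060a41e5c3339b976074157e5d9a2c
+data.tar.gz: 7f23ed14942549352db6a020e42fcc5e080d69225bdbb99b5e0406a4587c6049
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dabbe51b19f87e3db4f6bdc678d414e19f50d137285269e76be2aa594fe6bb4f53250814eee0ed1369deada39f2a05a9fe3a3b25329e6c3a1a51234a2847ad83
+data.tar.gz: 7ad8d0cd4a368b556a9ddfc4e52fb61a7fc5c0d26a5c42fc1458989c4f4f93b406d91f0589bd83ae6c925507a2f406aa7b58ddeddc2882fec0de2e42e9518874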
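--- a/data/helpers/lib/pnpm/lockfile-parser.js
+++ b/data/helpers/lib/pnpm/lockfile-parser.js
@@ -72,7 +72,7 @@ function nameVerDevFromPkgSnapshot(depPath, pkgSnapshot, projectSnapshots) {
 return {
 name: name,
 version: version,
-resolved: pkgSnapshot.resolution
+resolved: pkgSnapshot.resolution?.tarball,
 dev: pkgSnapshot.dev,
 specifiers: specifiers,
 aliased: aliased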
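Review bot: With the changed line `resolved` silently becomes `undefined` for every snapshot whose `resolution` carries no `tarball` (the integrity-only v9 case the new fixture exercises), and nothing at the call site records that a missing value is expected rather than a parsing gap; a short comment on the changed line would help, e.g. `// pnpm v9 lockfiles omit resolution.tarball for registry packages; resolved is then undefined`. Any consumer of the parser output that assumed `resolved` was always a string should be checked, which cannot be confirmed from this hunk. `nameVerDevFromPkgSnapshot` starts before the hunk, so the rest of its body is not visible here.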
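--- /dev/null
+++ b/data/helpers/test/pnpm/fixtures/parser/lockfile_v9/pnpm-lock.yaml
@@ -0,0 +1,23 @@
+lockfileVersion: '9.0'
+
+settings:
+autoInstallPeers: true
+excludeLinksFromLockfile: false
+
+importers:
+
+.:
+devDependencies:
+etag:
+specifier: ^1.0.0
+version: 1.8.1
+
+packages:
+
+etag@1.8.1:
+resolution: {integrity: sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==}
+engines: {node: '>= 0.6'}
+
+snapshots:
+
+etag@1.8.1: {}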
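--- a/data/helpers/test/pnpm/lockfile-parser.test.js
+++ b/data/helpers/test/pnpm/lockfile-parser.test.js
@@ -59,4 +59,21 @@ describe("generates an updated pnpm lock for the original file", () => {
 expect(result.length).toEqual(9);
 })
 
+// pnpm v9+ lockfiles don't have resolution.tarball for npm packages
+it("that uses lockfileVersion 9.0 format without resolution.tarball", async () =>{
+copyDependencies("lockfile_v9", tempDir);
+const result = await parseLockfile(tempDir);
+
+expect(result).toEqual([
+{
+name: 'etag',
+version: '1.8.1',
+resolved: undefined,
+dev: undefined,
+specifiers: [ '^1.0.0' ],
+aliased: false
+}
+]);
+})
+
 })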
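Review bot: The new expectation uses `toEqual`, which drops `undefined`-valued keys on both sides before comparing, so `resolved: undefined` and `dev: undefined` are only enforced indirectly through the key count rather than stated; `expect(result).toStrictEqual([...])` would make the intent of the test explicit. Minor style: `async () =>{` is missing the space before the brace that the surrounding arrow functions presumably use. The enclosing `describe` starts before the hunk.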
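--- a/data/lib/dependabot/bun/registry_parser.rb
+++ b/data/lib/dependabot/bun/registry_parser.rb
@@ -6,6 +6,8 @@ require "sorbet-runtime"
 module Dependabot
 module Bun
 class RegistryParser
+# NOTE: npm_and_yarn has an equivalent implementation in
+# npm_and_yarn/registry_parser.rb. Keep both in sync.
 extend T::Sig
 
 sig { params(resolved_url: String, credentials: T::Array[Dependabot::Credential]).void }
@@ -60,34 +62,68 @@ module Dependabot
 sig { returns(T::Array[Dependabot::Credential]) }
 attr_reader :credentials
 
-# rubocop:disable Metrics/PerceivedComplexity
 sig { returns(T.nilable(String)) }
 def url_for_relevant_cred
-
+resolved_uri = URI(resolved_url)
 
 credential_matching_url =
 credentials
 .select { |cred| cred["type"] == "npm_registry" && cred["registry"] }
 .sort_by { |cred| cred.fetch("registry").length }
-.find
-next true if resolved_url_host == details["registry"]
-
-uri = if details["registry"]&.include?("://")
-URI(details.fetch("registry"))
-else
-URI("https://#{details['registry']}")
-end
-resolved_url_host == uri.host && resolved_url.include?(details.fetch("registry"))
-end
+.find { |details| credential_matches?(details, resolved_uri: resolved_uri) }
 
 return unless credential_matching_url
 
-# Trim the resolved URL so that it ends at the same point as the
-# credential registry
 reg = credential_matching_url.fetch("registry")
-
+# When the credential registry already includes an explicit scheme, return
+# it directly — the gsub pattern would not match and would produce a
+# malformed string if it ran.
+return reg if reg.include?("://")
+
+build_registry_url(registry: reg, resolved_uri: resolved_uri)
+end
+
+sig { params(registry: String, resolved_uri: URI::Generic).returns(String) }
+def build_registry_url(registry:, resolved_uri:)
+credential_uri = URI("https://#{registry}")
+normalized_path = credential_uri.path.to_s.chomp("/")
+
+"#{resolved_uri.scheme}://#{resolved_uri.authority}#{normalized_path}"
+end
+
+# Enforce npm registry credential boundaries by matching on host, optional
+# explicit scheme, and full path segments so sibling paths on the same host
+# cannot inherit credentials configured for a different registry scope.
+sig { params(details: Dependabot::Credential, resolved_uri: URI::Generic).returns(T::Boolean) }
+def credential_matches?(details, resolved_uri:)
+resolved_url_host = resolved_uri.host
+return true if resolved_url_host == details["registry"]
+
+registry_has_scheme = details["registry"]&.include?("://")
+uri = if registry_has_scheme
+URI(details.fetch("registry"))
+else
+URI("https://#{details['registry']}")
+end
+return false unless resolved_url_host == uri.host
+# When the credential includes an explicit scheme, require scheme
+# equality so we do not attribute a URL to credentials configured for
+# a different transport protocol.
+return false if registry_has_scheme && resolved_uri.scheme != uri.scheme
+
+# Use path-segment-aware matching to prevent credentials configured
+# for one path-scoped registry from being applied to sibling paths
+# on the same host (e.g., /victim-npm should not match /victim-npm-evil).
+credential_path_match?(uri: uri, resolved_url_path: resolved_uri.path.to_s)
+end
+
+sig { params(uri: URI::Generic, resolved_url_path: String).returns(T::Boolean) }
+def credential_path_match?(uri:, resolved_url_path:)
+registry_path = uri.path.to_s.chomp("/")
+registry_path.empty? ||
+resolved_url_path.start_with?("#{registry_path}/") ||
+resolved_url_path == registry_path
 end
-# rubocop:enable Metrics/PerceivedComplexity
 end
 end
 end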
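Review bot: `credential_matches?` (new lines 98–118) checks host, optional scheme and path segments but never the port, so a credential configured with an explicit port (for instance `registry.example.com:8080/scope`) is also applied to a resolved URL on the same host at a different port, and `build_registry_url` then copies the resolved URL's `authority` — port included — into the returned registry URL. A guard after the host comparison such as `return false if uri.port != uri.default_port && resolved_uri.port != uri.port` keeps today's behaviour for credentials that name no port while rejecting a port mismatch when one was configured. Separately, the unchanged `.sort_by { |cred| cred.fetch("registry").length }` at line 72 still tries the shortest registry first, so a host-only credential always wins over a path-scoped credential on the same host; that predates this change but now interacts with the new path matching and deserves either a comment or a reversed sort. `URI(resolved_url)` also runs unconditionally at the top of `url_for_relevant_cred` and raises `URI::InvalidURIError` for a malformed `resolved_url`, which callers may or may not expect — not visible from this hunk.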
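--- a/data/lib/dependabot/bun/update_checker.rb
+++ b/data/lib/dependabot/bun/update_checker.rb
@@ -51,7 +51,7 @@ module Dependabot
 )
 @latest_version = T.let(nil, T.nilable(T.any(String, Gem::Version)))
 @latest_resolvable_version = T.let(nil, T.nilable(T.any(String, Dependabot::Version)))
-@updated_requirements = T.let(nil, T.nilable(T::Array[
+@updated_requirements = T.let(nil, T.nilable(T::Array[Dependabot::DependencyRequirement]))
 @vulnerability_audit = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
 @vulnerable_versions = T.let(nil, T.nilable(T::Array[T.any(String, Gem::Version)]))
 
@@ -161,7 +161,7 @@ module Dependabot
 T.unsafe(version_resolver.latest_resolvable_previous_version(updated_version))
 end
 
-sig { override.returns(T::Array[
+sig { override.returns(T::Array[Dependabot::DependencyRequirement]) }
 def updated_requirements
 resolvable_version =
 if preferred_resolvable_version.is_a?(version_class)
@@ -176,12 +176,14 @@ module Dependabot
 end
 
 @updated_requirements ||=
-
-
-
-
-
-
+wrap_requirements(
+RequirementsUpdater.new(
+requirements: dependency.requirements,
+updated_source: updated_source,
+latest_resolvable_version: resolvable_version,
+update_strategy: T.must(requirements_update_strategy)
+).updated_requirements
+)
 end
 
 sig { returns(T::Boolean) }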
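Review bot: `T.must(requirements_update_strategy)` at new line 184 turns an unset strategy into a runtime `TypeError` from inside the memoized `@updated_requirements ||=` expression, which is a confusing place for that failure to surface; if the constructor guarantees the strategy is set, a comment on that line stating the invariant would help, e.g. `# requirements_update_strategy is always set for bun; T.must only narrows the Sorbet type`, otherwise the nil case should be handled explicitly before the call. The removed lines of this hunk are not legible on this page, so whether the `T.must` is new cannot be confirmed. `wrap_requirements` and `RequirementsUpdater` are defined outside the hunk.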
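--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-bun
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.382.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.382.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.382.0
 - !ruby/object:Gem::Dependency
 name: debug
 requirement: !ruby/object:Gem::Requirement
@@ -282,6 +282,7 @@ files:
 - helpers/test/npm6/helpers.js
 - helpers/test/npm6/updater.test.js
 - helpers/test/pnpm/fixtures/parser/empty_version/pnpm-lock.yaml
+- helpers/test/pnpm/fixtures/parser/lockfile_v9/pnpm-lock.yaml
 - helpers/test/pnpm/fixtures/parser/no_lockfile_change/pnpm-lock.yaml
 - helpers/test/pnpm/fixtures/parser/only_dev_dependencies/pnpm-lock.yaml
 - helpers/test/pnpm/fixtures/parser/peer_disambiguation/pnpm-lock.yaml
@@ -349,7 +350,7 @@ licenses:
 - MIT
 metadata:
 bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
+changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.382.0
 rdoc_options: []
 require_paths:
 - lib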