RubyGems - dependabot-bun - Versions diffs - 0.296.0 - Mend

dependabot-bun 0.296.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

checksums.yaml +7 -0
data/lib/dependabot/bun/file_fetcher.rb +97 -0
data/lib/dependabot/bun/file_parser/bun_lock.rb +148 -0
data/lib/dependabot/bun/helpers.rb +79 -0
data/lib/dependabot/bun/language.rb +45 -0
data/lib/dependabot/bun/package_manager.rb +46 -0
data/lib/dependabot/bun/requirement.rb +14 -0
data/lib/dependabot/bun/version.rb +12 -0
data/lib/dependabot/bun.rb +39 -0
data/lib/dependabot/javascript/file_fetcher_helper.rb +245 -0
data/lib/dependabot/javascript/requirement.rb +141 -0
data/lib/dependabot/javascript/version.rb +135 -0
data/lib/dependabot/javascript.rb +8 -0
metadata +296 -0

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: aec5d70543afebc798276a80ab116a1375a90395a66815467b48ffc778f1287c
+  data.tar.gz: f44ddcdc48fee485db9e56d97c06040e9bcf597b42b057be8a98ca4eadbc7665
+SHA512:
+  metadata.gz: ad382c4264db5281a25cd912a5379316e175efef2c4188e89d05699eeffc753d6114fd9046ba7fafe5bf979fd83c7ad5ec7cc2bec3237aa477d42bb19dd3b7c8
+  data.tar.gz: fd61ab1f24b72c1306b2b187728cfc45581740515d7000a6026bde6c5313b3e7bf3e05af3ce0e77a3d0af530e4a09a3f5b26ab518c577ef4fef5176431e44fe3

data/lib/dependabot/bun/file_fetcher.rb ADDED Viewed

@@ -0,0 +1,97 @@
+# typed: strong
+# frozen_string_literal: true
+module Dependabot
+  module Bun
+    class FileFetcher < Dependabot::FileFetchers::Base
+      include Javascript::FileFetcherHelper
+      extend T::Sig
+      extend T::Helpers
+      sig { override.params(filenames: T::Array[String]).returns(T::Boolean) }
+      def self.required_files_in?(filenames)
+        filenames.include?("package.json")
+      end
+      sig { override.returns(String) }
+      def self.required_files_message
+        "Repo must contain a package.json."
+      end
+      sig { override.returns(T.nilable(T::Hash[Symbol, T.untyped])) }
+      def ecosystem_versions
+        return unknown_ecosystem_versions unless ecosystem_enabled?
+        {
+          package_managers: {
+            "bun" => 1
+          }
+        }
+      end
+      sig { override.returns(T::Array[DependencyFile]) }
+      def fetch_files
+        fetched_files = T.let([], T::Array[DependencyFile])
+        fetched_files << package_json(self)
+        fetched_files += bun_files if ecosystem_enabled?
+        fetched_files += workspace_package_jsons(self)
+        fetched_files += path_dependencies(self, fetched_files)
+        fetched_files.uniq
+      end
+      sig { params(filename: String, fetch_submodules: T::Boolean).returns(DependencyFile) }
+      def fetch_file(filename, fetch_submodules: false)
+        fetch_file_from_host(filename, fetch_submodules: fetch_submodules)
+      end
+      sig do
+        params(
+          dir: T.any(Pathname, String),
+          ignore_base_directory: T::Boolean,
+          raise_errors: T::Boolean,
+          fetch_submodules: T::Boolean
+        )
+          .returns(T::Array[T.untyped])
+      end
+      def fetch_repo_contents(dir: ".", ignore_base_directory: false, raise_errors: true, fetch_submodules: false)
+        repo_contents(dir: dir, ignore_base_directory:, raise_errors:, fetch_submodules:)
+      end
+      private
+      sig { returns(T::Array[DependencyFile]) }
+      def bun_files
+        [bun_lock].compact
+      end
+      sig { returns(T.nilable(DependencyFile)) }
+      def bun_lock
+        return @bun_lock if defined?(@bun_lock)
+        @bun_lock ||= T.let(fetch_file_if_present(PackageManager::LOCKFILE_NAME), T.nilable(DependencyFile))
+        return @bun_lock if @bun_lock || directory == "/"
+        @bun_lock = fetch_file_from_parent_directories(self, PackageManager::LOCKFILE_NAME)
+      end
+      sig { returns(T::Boolean) }
+      def ecosystem_enabled?
+        allow_beta_ecosystems? && Experiments.enabled?(:enable_bun_ecosystem)
+      end
+      sig { returns(T::Hash[Symbol, String]) }
+      def unknown_ecosystem_versions
+        {
+          package_managers: {
+            "unknown" => 0
+          }
+        }
+      end
+    end
+  end
+end
+Dependabot::FileFetchers
+  .register(Dependabot::Bun::ECOSYSTEM, Dependabot::Bun::FileFetcher)

data/lib/dependabot/bun/file_parser/bun_lock.rb ADDED Viewed

@@ -0,0 +1,148 @@
+# typed: strict
+# frozen_string_literal: true
+require "yaml"
+require "sorbet-runtime"
+module Dependabot
+  module Bun
+    class FileParser < Dependabot::FileParsers::Base
+      class BunLock
+        extend T::Sig
+        sig { params(dependency_file: DependencyFile).void }
+        def initialize(dependency_file)
+          @dependency_file = dependency_file
+        end
+        sig { returns(T::Hash[String, T.untyped]) }
+        def parsed
+          @parsed ||= begin
+            content = begin
+              # Since bun.lock is a JSONC file, which is a subset of YAML, we can use YAML to parse it
+              YAML.load(T.must(@dependency_file.content))
+            rescue Psych::SyntaxError => e
+              raise_invalid!("malformed JSONC at line #{e.line}, column #{e.column}")
+            end
+            raise_invalid!("expected to be an object") unless content.is_a?(Hash)
+            version = content["lockfileVersion"]
+            raise_invalid!("expected 'lockfileVersion' to be an integer") unless version.is_a?(Integer)
+            raise_invalid!("expected 'lockfileVersion' to be >= 0") unless version >= 0
+            T.let(content, T.untyped)
+          end
+        end
+        sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+        def dependencies
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+          # bun.lock v0 format:
+          # https://github.com/oven-sh/bun/blob/c130df6c589fdf28f9f3c7f23ed9901140bc9349/src/install/bun.lock.zig#L595-L605
+          packages = parsed["packages"]
+          raise_invalid!("expected 'packages' to be an object") unless packages.is_a?(Hash)
+          packages.each do |key, details|
+            raise_invalid!("expected 'packages.#{key}' to be an array") unless details.is_a?(Array)
+            resolution = details.first
+            raise_invalid!("expected 'packages.#{key}[0]' to be a string") unless resolution.is_a?(String)
+            name, version = resolution.split(/(?<=\w)\@/)
+            next if name.empty?
+            semver = Version.semver_for(version)
+            next unless semver
+            dependency_set << Dependency.new(
+              name: name,
+              version: semver.to_s,
+              package_manager: "npm_and_yarn",
+              requirements: []
+            )
+          end
+          dependency_set
+        end
+        sig do
+          params(dependency_name: String, requirement: T.untyped, _manifest_name: String)
+            .returns(T.nilable(T::Hash[String, T.untyped]))
+        end
+        def details(dependency_name, requirement, _manifest_name)
+          packages = parsed["packages"]
+          return unless packages.is_a?(Hash)
+          candidates =
+            packages
+            .select { |name, _| name == dependency_name }
+            .values
+          # If there's only one entry for this dependency, use it, even if
+          # the requirement in the lockfile doesn't match
+          if candidates.one?
+            parse_details(candidates.first)
+          else
+            candidate = candidates.find do |label, _|
+              label.scan(/(?<=\w)\@(?:npm:)?([^\s,]+)/).flatten.include?(requirement)
+            end&.last
+            parse_details(candidate)
+          end
+        end
+        private
+        sig { params(message: String).void }
+        def raise_invalid!(message)
+          raise Dependabot::DependencyFileNotParseable.new(@dependency_file.path, "Invalid bun.lock file: #{message}")
+        end
+        sig do
+          params(entry: T.nilable(T::Array[T.untyped])).returns(T.nilable(T::Hash[String, T.untyped]))
+        end
+        def parse_details(entry)
+          return unless entry.is_a?(Array)
+          # Either:
+          # - "{name}@{version}", registry, details, integrity
+          # - "{name}@{resolution}", details
+          resolution = entry.first
+          return unless resolution.is_a?(String)
+          name, version = resolution.split(/(?<=\w)\@/)
+          semver = Version.semver_for(version)
+          if semver
+            registry, details, integrity = entry[1..3]
+            {
+              "name" => name,
+              "version" => semver.to_s,
+              "registry" => registry,
+              "details" => details,
+              "integrity" => integrity
+            }
+          else
+            details = entry[1]
+            {
+              "name" => name,
+              "resolution" => version,
+              "details" => details
+            }
+          end
+        end
+      end
+      sig { override.returns(T::Array[Dependabot::Dependency]) }
+      def parse
+        []
+      end
+      private
+      sig { override.void }
+      def check_required_files; end
+    end
+  end
+end

data/lib/dependabot/bun/helpers.rb ADDED Viewed

@@ -0,0 +1,79 @@
+# typed: strong
+# frozen_string_literal: true
+module Dependabot
+  module Bun
+    module Helpers
+      extend T::Sig
+      # BUN Version Constants
+      BUN_V1 = 1
+      BUN_DEFAULT_VERSION = BUN_V1
+      sig { params(_bun_lock: T.nilable(DependencyFile)).returns(Integer) }
+      def self.bun_version_numeric(_bun_lock)
+        BUN_DEFAULT_VERSION
+      end
+      sig { returns(T.nilable(String)) }
+      def self.bun_version
+        run_bun_command("--version", fingerprint: "--version").strip
+      rescue StandardError => e
+        Dependabot.logger.error("Error retrieving Bun version: #{e.message}")
+        nil
+      end
+      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
+      def self.run_bun_command(command, fingerprint: nil)
+        full_command = "bun #{command}"
+        Dependabot.logger.info("Running bun command: #{full_command}")
+        result = Dependabot::SharedHelpers.run_shell_command(
+          full_command,
+          fingerprint: "bun #{fingerprint || command}"
+        )
+        Dependabot.logger.info("Command executed successfully: #{full_command}")
+        result
+      rescue StandardError => e
+        Dependabot.logger.error("Error running bun command: #{full_command}, Error: #{e.message}")
+        raise
+      end
+      # Fetch the currently installed version of the package manager directly
+      # from the system
+      sig { params(name: String).returns(String) }
+      def self.local_package_manager_version(name)
+        Dependabot::SharedHelpers.run_shell_command(
+          "#{name} -v",
+          fingerprint: "#{name} -v"
+        ).strip
+      end
+      # Run single command on package manager returning stdout/stderr
+      sig do
+        params(
+          name: String,
+          command: String,
+          fingerprint: T.nilable(String)
+        ).returns(String)
+      end
+      def self.package_manager_run_command(name, command, fingerprint: nil)
+        return run_bun_command(command, fingerprint: fingerprint) if name == PackageManager::NAME
+        # TODO: remove this method and just use the one in the PackageManager class
+        "noop"
+      end
+      sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).returns(T::Array[Dependency]) }
+      def self.dependencies_with_all_versions_metadata(dependency_set)
+        # TODO: Check if we still need this method
+        dependency_set.dependencies.map do |dependency|
+          dependency.metadata[:all_versions] = dependency_set.all_versions_for_name(dependency.name)
+          dependency
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bun/language.rb ADDED Viewed

@@ -0,0 +1,45 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/npm_and_yarn/package_manager"
+module Dependabot
+  module Bun
+    class Language < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "node"
+      SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/bun/package_manager.rb ADDED Viewed

@@ -0,0 +1,46 @@
+# typed: strong
+# frozen_string_literal: true
+module Dependabot
+  module Bun
+    class PackageManager < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "bun"
+      LOCKFILE_NAME = "bun.lock"
+      # In Bun 1.1.39, the lockfile format was changed from a binary bun.lockb to a text-based bun.lock.
+      # https://bun.sh/blog/bun-lock-text-lockfile
+      MIN_SUPPORTED_VERSION = T.let(Version.new("1.1.39"), Javascript::Version)
+      SUPPORTED_VERSIONS = T.let([MIN_SUPPORTED_VERSION].freeze, T::Array[Javascript::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/bun/requirement.rb ADDED Viewed

@@ -0,0 +1,14 @@
+# typed: strong
+# frozen_string_literal: true
+module Dependabot
+  module Bun
+    class Requirement < Dependabot::Javascript::Requirement
+    end
+  end
+end
+Dependabot::Utils.register_requirement_class(
+  "bun",
+  Dependabot::Bun::Requirement
+)

data/lib/dependabot/bun/version.rb ADDED Viewed

@@ -0,0 +1,12 @@
+# typed: strong
+# frozen_string_literal: true
+module Dependabot
+  module Bun
+    class Version < Dependabot::Javascript::Version
+    end
+  end
+end
+Dependabot::Utils
+  .register_version_class("bun", Dependabot::Bun::Version)

data/lib/dependabot/bun.rb ADDED Viewed

@@ -0,0 +1,39 @@
+# typed: strong
+# frozen_string_literal: true
+require "zeitwerk"
+loader = Zeitwerk::Loader.new
+# Set autoload paths for common/lib, excluding files whose content does not match the filename
+loader.push_dir(File.join(__dir__, "../../../common/lib"))
+loader.ignore(File.join(__dir__, "../../../common/lib/dependabot/errors.rb"))
+loader.ignore(File.join(__dir__, "../../../common/lib/dependabot/logger.rb"))
+loader.ignore(File.join(__dir__, "../../../common/lib/dependabot/notices.rb"))
+loader.ignore(File.join(__dir__, "../../../common/lib/dependabot/clients/codecommit.rb"))
+loader.push_dir(File.join(__dir__, ".."))
+loader.ignore("#{__dir__}/../script", "#{__dir__}/../spec", "#{__dir__}/../dependabot-bun.gemspec")
+loader.on_load do |_file|
+  require "json"
+  require "sorbet-runtime"
+  require "dependabot/errors"
+  require "dependabot/logger"
+  require "dependabot/notices"
+  require "dependabot/clients/codecommit"
+end
+loader.log! if ENV["DEBUG"]
+loader.setup
+Dependabot::PullRequestCreator::Labeler
+  .register_label_details("bun", name: "javascript", colour: "168700")
+Dependabot::Dependency.register_production_check("bun", ->(_) { true })
+module Dependabot
+  module Bun
+    ECOSYSTEM = "bun"
+  end
+end

data/lib/dependabot/javascript/file_fetcher_helper.rb ADDED Viewed

@@ -0,0 +1,245 @@
+# typed: strict
+# frozen_string_literal: true
+module Dependabot
+  module Javascript
+    module FileFetcherHelper
+      include Kernel
+      extend T::Sig
+      PATH_DEPENDENCY_STARTS = T.let(%w(file: / ./ ../ ~/).freeze, [String, String, String, String, String])
+      PATH_DEPENDENCY_CLEAN_REGEX = /^file:|^link:/
+      DEPENDENCY_TYPES = T.let(%w(dependencies devDependencies optionalDependencies).freeze, T::Array[String])
+      sig { params(instance: Dependabot::Bun::FileFetcher).returns(T::Array[DependencyFile]) }
+      def workspace_package_jsons(instance)
+        @workspace_package_jsons ||= T.let(fetch_workspace_package_jsons(instance), T.nilable(T::Array[DependencyFile]))
+      end
+      sig do
+        params(instance: Dependabot::Bun::FileFetcher, fetched_files: T::Array[DependencyFile])
+          .returns(T::Array[DependencyFile])
+      end
+      def path_dependencies(instance, fetched_files)
+        package_json_files = T.let([], T::Array[DependencyFile])
+        path_dependency_details(instance, fetched_files).each do |name, path|
+          # This happens with relative paths in the package-lock. Skipping it since it results
+          # in /package.json which is outside of the project directory.
+          next if path == "file:"
+          path = path.gsub(PATH_DEPENDENCY_CLEAN_REGEX, "")
+          raise PathDependenciesNotReachable, "#{name} at #{path}" if path.start_with?("/")
+          filename = path
+          filename = File.join(filename, MANIFEST_FILENAME)
+          cleaned_name = Pathname.new(filename).cleanpath.to_path
+          next if fetched_files.map(&:name).include?(cleaned_name)
+          file = instance.fetch_file(filename, fetch_submodules: true)
+          package_json_files << file
+        end
+        if package_json_files.any?
+          package_json_files +=
+            path_dependencies(instance, fetched_files + package_json_files)
+        end
+        package_json_files.tap { |fs| fs.each { |f| f.support_file = true } }
+      end
+      sig do
+        params(instance: Dependabot::Bun::FileFetcher, fetched_files: T::Array[DependencyFile])
+          .returns(T::Array[[String, String]])
+      end
+      def path_dependency_details(instance, fetched_files)
+        package_json_path_deps = T.let([], T::Array[[String, String]])
+        fetched_files.each do |file|
+          package_json_path_deps +=
+            path_dependency_details_from_manifest(instance, file)
+        end
+        [
+          *package_json_path_deps
+        ].uniq
+      end
+      # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/AbcSize
+      sig { params(instance: Dependabot::Bun::FileFetcher, file: DependencyFile).returns(T::Array[[String, String]]) }
+      def path_dependency_details_from_manifest(instance, file)
+        return [] unless file.name.end_with?(MANIFEST_FILENAME)
+        current_dir = file.name.rpartition("/").first
+        current_dir = nil if current_dir == ""
+        current_depth = File.join(instance.directory, file.name).split("/").count { |path| !path.empty? }
+        path_to_directory = "../" * current_depth
+        dep_types = DEPENDENCY_TYPES # TODO: Is this needed?
+        parsed_manifest = JSON.parse(T.must(file.content))
+        dependency_objects = parsed_manifest.values_at(*dep_types).compact
+        # Fetch yarn "file:" path "resolutions" so the lockfile can be resolved
+        resolution_objects = parsed_manifest.values_at("resolutions").compact
+        manifest_objects = dependency_objects + resolution_objects
+        raise Dependabot::DependencyFileNotParseable, file.path unless manifest_objects.all?(Hash)
+        resolution_deps = resolution_objects.flat_map(&:to_a)
+                                            .map do |path, value|
+          # skip dependencies that contain invalid values such as inline comments, null, etc.
+          unless value.is_a?(String)
+            Dependabot.logger.warn("File fetcher: Skipping dependency \"#{path}\" " \
+                                   "with value: \"#{value}\"")
+            next
+          end
+          convert_dependency_path_to_name(path, value)
+        end
+        path_starts = PATH_DEPENDENCY_STARTS
+        (dependency_objects.flat_map(&:to_a) + resolution_deps)
+          .select { |_, v| v.is_a?(String) && v.start_with?(*path_starts) }
+          .map do |name, path|
+            path = path.gsub(PATH_DEPENDENCY_CLEAN_REGEX, "")
+            raise PathDependenciesNotReachable, "#{name} at #{path}" if path.start_with?("/", "#{path_to_directory}..")
+            path = File.join(current_dir, path) unless current_dir.nil?
+            [name, Pathname.new(path).cleanpath.to_path]
+          end
+      rescue JSON::ParserError
+        raise Dependabot::DependencyFileNotParseable, file.path
+      end
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/PerceivedComplexity
+      # Re-write the glob name to the targeted dependency name (which is used
+      # in the lockfile), for example "parent-package/**/sub-dep/target-dep" >
+      # "target-dep"
+      sig { params(path: String, value: String).returns([String, String]) }
+      def convert_dependency_path_to_name(path, value)
+        # Picking the last two parts that might include a scope
+        parts = path.split("/").last(2)
+        parts.shift if parts.count == 2 && !T.must(parts.first).start_with?("@")
+        [parts.join("/"), value]
+      end
+      sig { params(instance: Dependabot::Bun::FileFetcher).returns(T::Array[DependencyFile]) }
+      def fetch_workspace_package_jsons(instance)
+        parsed_manifest = parsed_package_json(instance)
+        return [] unless parsed_manifest["workspaces"]
+        workspace_paths(instance, parsed_manifest["workspaces"]).filter_map do |workspace|
+          fetch_package_json_if_present(instance, workspace)
+        end
+      end
+      sig { params(instance: Dependabot::Bun::FileFetcher, workspace_object: T.untyped).returns(T::Array[String]) }
+      def workspace_paths(instance, workspace_object)
+        paths_array =
+          if workspace_object.is_a?(Hash)
+            workspace_object.values_at("packages", "nohoist").flatten.compact
+          elsif workspace_object.is_a?(Array) then workspace_object
+          else
+            [] # Invalid lerna.json, which must not be in use
+          end
+        paths_array.flat_map { |path| recursive_find_directories(instance, path) }
+      end
+      sig { params(instance: Dependabot::Bun::FileFetcher, glob: String).returns(T::Array[String]) }
+      def find_directories(instance, glob)
+        return [glob] unless glob.include?("*")
+        unglobbed_path =
+          glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
+              .split("*")
+              .first&.gsub(%r{(?<=/)[^/]*$}, "") || "."
+        dir = instance.directory.gsub(%r{(^/|/$)}, "")
+        paths =
+          instance.fetch_repo_contents(dir: unglobbed_path, raise_errors: false)
+                  .select { |file| file.type == "dir" }
+                  .map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
+        matching_paths(glob, paths)
+      end
+      sig { params(glob: String, paths: T::Array[String]).returns(T::Array[String]) }
+      def matching_paths(glob, paths)
+        glob = glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
+        glob = "#{glob}/*" if glob.end_with?("**")
+        paths.select { |filename| File.fnmatch?(glob, filename, File::FNM_PATHNAME) }
+      end
+      sig { params(instance: Dependabot::Bun::FileFetcher, glob: String, prefix: String).returns(T::Array[String]) }
+      def recursive_find_directories(instance, glob, prefix = "")
+        return [prefix + glob] unless glob.include?("*")
+        glob = glob.gsub(%r{^\./}, "")
+        glob_parts = glob.split("/")
+        current_glob = glob_parts.first
+        paths = find_directories(instance, prefix + T.must(current_glob))
+        next_parts = current_glob == "**" ? glob_parts : glob_parts.drop(1)
+        return paths if next_parts.empty?
+        paths += paths.flat_map do |expanded_path|
+          recursive_find_directories(instance, next_parts.join("/"), "#{expanded_path}/")
+        end
+        matching_paths(prefix + glob, paths)
+      end
+      sig { params(instance: Dependabot::Bun::FileFetcher, workspace: String).returns(T.nilable(DependencyFile)) }
+      def fetch_package_json_if_present(instance, workspace)
+        file = File.join(workspace, MANIFEST_FILENAME)
+        begin
+          instance.fetch_file(file)
+        rescue Dependabot::DependencyFileNotFound
+          # Not all paths matched by a workspace glob may contain a package.json
+          # file. Ignore if that's the case
+          nil
+        end
+      end
+      sig { params(instance: Dependabot::Bun::FileFetcher).returns(DependencyFile) }
+      def package_json(instance)
+        @package_json ||= T.let(instance.fetch_file(Javascript::MANIFEST_FILENAME), T.nilable(DependencyFile))
+      end
+      sig { params(instance: Dependabot::Bun::FileFetcher).returns(T.untyped) }
+      def parsed_package_json(instance)
+        manifest_file = package_json(instance)
+        parsed = JSON.parse(T.must(manifest_file.content))
+        raise Dependabot::DependencyFileNotParseable, manifest_file.path unless parsed.is_a?(Hash)
+        parsed
+      rescue JSON::ParserError
+        raise Dependabot::DependencyFileNotParseable, T.must(manifest_file).path
+      end
+      sig { params(instance: Dependabot::Bun::FileFetcher, filename: String).returns(T.nilable(DependencyFile)) }
+      def fetch_file_with_support(instance, filename)
+        instance.fetch_file(filename).tap { |f| f.support_file = true }
+      rescue Dependabot::DependencyFileNotFound
+        nil
+      end
+      sig { params(instance: Dependabot::Bun::FileFetcher, filename: String).returns(T.nilable(DependencyFile)) }
+      def fetch_file_from_parent_directories(instance, filename)
+        (1..instance.directory.split("/").count).each do |i|
+          file = fetch_file_with_support(instance, ("../" * i) + filename)
+          return file if file
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/requirement.rb ADDED Viewed

@@ -0,0 +1,141 @@
+# typed: true
+# frozen_string_literal: true
+require "sorbet-runtime"
+require "dependabot/requirement"
+require "dependabot/utils"
+require "dependabot/npm_and_yarn/version"
+module Dependabot
+  module Javascript
+    class Requirement < Dependabot::Requirement
+      extend T::Sig
+      AND_SEPARATOR = /(?<=[a-zA-Z0-9*])\s+(?:&+\s+)?(?!\s*[|-])/
+      OR_SEPARATOR = /(?<=[a-zA-Z0-9*])\s*\|+/
+      # Override the version pattern to allow a 'v' prefix
+      quoted = OPS.keys.map { |k| Regexp.quote(k) }.join("|")
+      version_pattern = "v?#{Javascript::Version::VERSION_PATTERN}"
+      PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*".freeze
+      PATTERN = /\A#{PATTERN_RAW}\z/
+      def self.parse(obj)
+        return ["=", nil] if obj.is_a?(String) && Version::VERSION_TAGS.include?(obj.strip)
+        return ["=", Javascript::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+        unless (matches = PATTERN.match(obj.to_s))
+          msg = "Illformed requirement [#{obj.inspect}]"
+          raise BadRequirementError, msg
+        end
+        return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+        [matches[1] || "=", Javascript::Version.new(T.must(matches[2]))]
+      end
+      # Returns an array of requirements. At least one requirement from the
+      # returned array must be satisfied for a version to be valid.
+      sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
+      def self.requirements_array(requirement_string)
+        return [new(nil)] if requirement_string.nil?
+        # Removing parentheses is technically wrong but they are extremely
+        # rarely used.
+        # TODO: Handle complicated parenthesised requirements
+        requirement_string = requirement_string.gsub(/[()]/, "")
+        requirement_string.strip.split(OR_SEPARATOR).map do |req_string|
+          requirements = req_string.strip.split(AND_SEPARATOR)
+          new(requirements)
+        end
+      end
+      def initialize(*requirements)
+        requirements = requirements.flatten
+                                   .flat_map { |req_string| req_string.split(",").map(&:strip) }
+                                   .flat_map { |req_string| convert_js_constraint_to_ruby_constraint(req_string) }
+        super(requirements)
+      end
+      private
+      def convert_js_constraint_to_ruby_constraint(req_string)
+        return req_string if req_string.match?(/^([A-Za-uw-z]|v[^\d])/)
+        req_string = req_string.gsub(/(?:\.|^)[xX*]/, "")
+        if req_string.empty? then ">= 0"
+        elsif req_string.start_with?("~>") then req_string
+        elsif req_string.start_with?("=") then req_string.gsub(/^=*/, "")
+        elsif req_string.start_with?("~") then convert_tilde_req(req_string)
+        elsif req_string.start_with?("^") then convert_caret_req(req_string)
+        elsif req_string.include?(" - ") then convert_hyphen_req(req_string)
+        elsif req_string.match?(/[<>]/) then req_string
+        else
+          ruby_range(req_string)
+        end
+      end
+      def convert_tilde_req(req_string)
+        version = req_string.gsub(/^~\>?[\s=]*/, "")
+        parts = version.split(".")
+        parts << "0" if parts.count < 3
+        "~> #{parts.join('.')}"
+      end
+      def convert_hyphen_req(req_string)
+        lower_bound, upper_bound = req_string.split(/\s+-\s+/)
+        lower_bound_parts = lower_bound.split(".")
+        lower_bound_parts.fill("0", lower_bound_parts.length...3)
+        upper_bound_parts = upper_bound.split(".")
+        upper_bound_range =
+          if upper_bound_parts.length < 3
+            # When upper bound is a partial version treat these as an X-range
+            upper_bound_parts[-1] = upper_bound_parts[-1].to_i + 1 if upper_bound_parts[-1].to_i.positive?
+            upper_bound_parts.fill("0", upper_bound_parts.length...3)
+            "< #{upper_bound_parts.join('.')}.a"
+          else
+            "<= #{upper_bound_parts.join('.')}"
+          end
+        [">= #{lower_bound_parts.join('.')}", upper_bound_range]
+      end
+      def ruby_range(req_string)
+        parts = req_string.split(".")
+        # If we have three or more parts then this is an exact match
+        return req_string if parts.count >= 3
+        # If we have fewer than three parts we do a partial match
+        parts << "0"
+        "~> #{parts.join('.')}"
+      end
+      def convert_caret_req(req_string)
+        version = req_string.gsub(/^\^[\s=]*/, "")
+        parts = version.split(".")
+        parts.fill("x", parts.length...3)
+        first_non_zero = parts.find { |d| d != "0" }
+        first_non_zero_index =
+          first_non_zero ? parts.index(first_non_zero) : parts.count - 1
+        # If the requirement has a blank minor or patch version increment the
+        # previous index value with 1
+        first_non_zero_index -= 1 if first_non_zero == "x"
+        upper_bound = parts.map.with_index do |part, i|
+          if i < first_non_zero_index then part
+          elsif i == first_non_zero_index then (part.to_i + 1).to_s
+          elsif i > first_non_zero_index && i == 2 then "0.a"
+          else
+            0
+          end
+        end.join(".")
+        [">= #{version}", "< #{upper_bound}"]
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/version.rb ADDED Viewed

@@ -0,0 +1,135 @@
+# typed: strict
+# frozen_string_literal: true
+require "dependabot/version"
+require "dependabot/utils"
+require "sorbet-runtime"
+# JavaScript pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
+# converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
+# alteration.
+#
+# See https://semver.org/ for details of node's version syntax.
+module Dependabot
+  module Javascript
+    class Version < Dependabot::Version
+      extend T::Sig
+      sig { returns(T.nilable(String)) }
+      attr_reader :build_info
+      # These are possible npm versioning tags that can be used in place of a version.
+      # See https://docs.npmjs.com/cli/v10/commands/npm-dist-tag#purpose for more details.
+      VERSION_TAGS = T.let([
+        "alpha",        # Alpha version, early testing phase
+        "beta",         # Beta version, more stable than alpha
+        "canary",       # Canary version, often used for cutting-edge builds
+        "dev",          # Development version, ongoing development
+        "experimental", # Experimental version, unstable and new features
+        "latest",       # Latest stable version, used by npm to identify the current version of a package
+        "legacy",       # Legacy version, older version maintained for compatibility
+        "next",         # Next version, used by some projects to identify the upcoming version
+        "nightly",      # Nightly build, daily builds often including latest changes
+        "rc",           # Release candidate, potential final version
+        "release",      # General release version
+        "stable"        # Stable version, thoroughly tested and stable
+      ].freeze.map(&:freeze), T::Array[String])
+      VERSION_PATTERN = T.let(Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?', String)
+      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
+      sig { override.params(version: VersionParameter).returns(T::Boolean) }
+      def self.correct?(version)
+        version = version.gsub(/^v/, "") if version.is_a?(String)
+        return false if version.nil?
+        version.to_s.match?(ANCHORED_VERSION_PATTERN)
+      end
+      sig { params(version: VersionParameter).returns(VersionParameter) }
+      def self.semver_for(version)
+        # The next two lines are to guard against improperly formatted
+        # versions in a lockfile, such as an empty string or additional
+        # characters. NPM/yarn fixes these when running an update, so we can
+        # safely ignore these versions.
+        return if version == ""
+        return unless correct?(version)
+        version
+      end
+      sig { override.params(version: VersionParameter).void }
+      def initialize(version)
+        version = clean_version(version)
+        @version_string = T.let(version.to_s, String)
+        @build_info = T.let(nil, T.nilable(String))
+        version, @build_info = version.to_s.split("+") if version.to_s.include?("+")
+        super(T.must(version))
+      end
+      sig { params(version: VersionParameter).returns(VersionParameter) }
+      def clean_version(version)
+        # Check if version is a string before attempting to match
+        if version.is_a?(String)
+          # Matches @ followed by x.y.z (digits separated by dots)
+          if (match = version.match(/@(\d+\.\d+\.\d+)/))
+            version = match[1] # Just "4.5.3"
+          # Extract version in case the output contains Corepack verbose data
+          elsif version.include?("Corepack")
+            version = T.must(T.must(version.tr("\n", " ").match(/(\d+\.\d+\.\d+)/))[-1])
+          end
+          version = version&.gsub(/^v/, "")
+        end
+        version
+      end
+      sig { override.params(version: VersionParameter).returns(Dependabot::Javascript::Version) }
+      def self.new(version)
+        T.cast(super, Dependabot::Javascript::Version)
+      end
+      sig { returns(Integer) }
+      def major
+        @major ||= T.let(segments[0].to_i, T.nilable(Integer))
+      end
+      sig { returns(Integer) }
+      def minor
+        @minor ||= T.let(segments[1].to_i, T.nilable(Integer))
+      end
+      sig { returns(Integer) }
+      def patch
+        @patch ||= T.let(segments[2].to_i, T.nilable(Integer))
+      end
+      sig { params(other: Dependabot::Javascript::Version).returns(T::Boolean) }
+      def backwards_compatible_with?(other)
+        case major
+        when 0
+          self == other
+        else
+          major == other.major && minor >= other.minor
+        end
+      end
+      sig { override.returns(String) }
+      def to_s
+        @version_string
+      end
+      sig { override.returns(String) }
+      def inspect
+        "#<#{self.class} #{@version_string}>"
+      end
+    end
+  end
+end

data/lib/dependabot/javascript.rb ADDED Viewed

@@ -0,0 +1,8 @@
+# typed: strong
+# frozen_string_literal: true
+module Dependabot
+  module Javascript
+    MANIFEST_FILENAME = "package.json"
+  end
+end

metadata ADDED Viewed

@@ -0,0 +1,296 @@
+--- !ruby/object:Gem::Specification
+name: dependabot-bun
+version: !ruby/object:Gem::Version
+  version: 0.296.0
+platform: ruby
+authors:
+- Dependabot
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2025-02-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dependabot-common
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.296.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.296.0
+- !ruby/object:Gem::Dependency
+  name: zeitwerk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: debug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.2
+- !ruby/object:Gem::Dependency
+  name: gpgme
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rspec-sorbet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.2
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.67.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.67.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.22.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.22.1
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.29.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.29.1
+- !ruby/object:Gem::Dependency
+  name: rubocop-sorbet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.5
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.22.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.22.0
+- !ruby/object:Gem::Dependency
+  name: turbo_tests
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.0
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.1'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.18'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.18'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.7'
+description: Dependabot-bun provides support for bumping Javascript libraries using
+  bun via Dependabot. If you want support for multiple package managers, you probably
+  want the meta-gem dependabot-omnibus.
+email: opensource@github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/dependabot/bun.rb
+- lib/dependabot/bun/file_fetcher.rb
+- lib/dependabot/bun/file_parser/bun_lock.rb
+- lib/dependabot/bun/helpers.rb
+- lib/dependabot/bun/language.rb
+- lib/dependabot/bun/package_manager.rb
+- lib/dependabot/bun/requirement.rb
+- lib/dependabot/bun/version.rb
+- lib/dependabot/javascript.rb
+- lib/dependabot/javascript/file_fetcher_helper.rb
+- lib/dependabot/javascript/requirement.rb
+- lib/dependabot/javascript/version.rb
+homepage: https://github.com/dependabot/dependabot-core
+licenses:
+- MIT
+metadata:
+  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.296.0
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: Provides Dependabot support for Bun
+test_files: []