dependabot-bun 0.296.2 → 0.296.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0eb8192cb230095bd5c5c41ca47242ba70625b32e7e77eda267893b9984dc4ff
-  data.tar.gz: 4036b1f4381b20a6d797f5a7afa0d50d8dc1850acb10293835675132dceedbeb
+  metadata.gz: 02ce7a49ca717ce8cf12b669fc7caf8d2a685bc00cfe9f8d45771b1839b01abb
+  data.tar.gz: f56292f958d22f40a726b649000e2ccbc7d6f87bc869579f62e4d77c7ca458f0
 SHA512:
-  metadata.gz: c2559a11a91f31650bf5dc84a5d418c7280d55bab80b659986df71c9893cb9b494ccb8ec29f5bb1f9a3c154ee0b122919bc29021fc7ad1fb134e4d3c2230428d
-  data.tar.gz: 5433aab5f7fae6978db3f4d85ad18d0e91e37a725d9c2158b0b547247103b626e4fd41993f2be76d832dd2e7b89aeb975dd92bfc29b233e8db9be19a6d5a82c2
+  metadata.gz: ccff16321a7243441dc13cf525a69eb0bffc9413537fdd7d7131f185d366d0a8dfd1ec28980d2805740e8af4bb671615bf7ec7ba1ef0a415b96d8dcd2f9065c9
+  data.tar.gz: 86b243daf58eb0912265c8f04f9677173b5dd60f183bb6ea62186d31cb0862be133abdb855a55eab6153f90c2b5e5f865c77030b9847ea78af7df73a2287bf65

data/helpers/.eslintrc

@@ -0,0 +1,11 @@
+{
+  "extends": [
+    "prettier"
+  ],
+  "env": {
+    "node": true
+  },
+  "parserOptions": {
+    "ecmaVersion": "latest"
+  }
+}

data/helpers/README.md

@@ -0,0 +1,29 @@
+Native JavaScript helpers
+-------------------------
+
+This directory contains helper functions for npm and yarn, natively written in
+Javascript so that we can utilize the package managers internal APIs and other
+native tooling for these ecosystems.
+
+These helpers are called from the Ruby code via `run.js`, they are passed
+arguments via stdin and return JSON data to stdout.
+
+## Testing
+
+When working on these helpers, it's convenient to write some high level tests in
+JavaScript to make it easier to debug the code.
+
+You can now run the tests from this directory by running:
+
+```
+yarn test path/to/test.js
+```
+
+### Debugging
+
+In order to run an interactive debugger:
+
+- `node --inspect-brk node_modules/.bin/jest --runInBand path/to/test/test.js`
+- In Chrome, navigate to `chrome://inspect`
+- Click `Open dedicated DevTools for Node`
+- You'll now be able to interactively debug using the Chrome dev tools.

data/helpers/build

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ -z "$DEPENDABOT_NATIVE_HELPERS_PATH" ]; then
+  echo "Unable to build, DEPENDABOT_NATIVE_HELPERS_PATH is not set"
+  exit 1
+fi
+
+install_dir="$DEPENDABOT_NATIVE_HELPERS_PATH/bun"
+mkdir -p "$install_dir"
+
+helpers_dir="$(dirname "${BASH_SOURCE[0]}")"
+cp -r \
+  "$helpers_dir/lib" \
+  "$helpers_dir/test" \
+  "$helpers_dir/run.js" \
+  "$helpers_dir/.eslintrc" \
+  "$helpers_dir/jest.config.js" \
+  "$helpers_dir/package.json" \
+  "$helpers_dir/package-lock.json" \
+  "$helpers_dir/patches" \
+  "$install_dir"
+
+cd "$install_dir"
+npm ci --no-audit --fetch-timeout=600000 --fetch-retries=5 --no-dry-run --no-ignore-scripts

data/helpers/jest.config.js

@@ -0,0 +1,5 @@
+module.exports = {
+  verbose: true,
+  rootDir: "test",
+  testEnvironment: "node",
+};

data/helpers/lib/npm/conflicting-dependency-parser.js

@@ -0,0 +1,78 @@
+/* Conflicting dependency parser for npm
+ *
+ * Inputs:
+ *  - directory containing a package.json and a yarn.lock
+ *  - dependency name
+ *  - target dependency version
+ *
+ * Outputs:
+ *  - An array of objects with conflicting dependencies
+ */
+
+const Arborist = require("@npmcli/arborist");
+const semver = require("semver");
+
+async function findConflictingDependencies(directory, depName, targetVersion) {
+  const arb = new Arborist({
+    path: directory,
+    dryRun: true,
+    ignoreScripts: true,
+  });
+
+  return await arb.loadVirtual().then((tree) => {
+    const parents = [];
+    for (const node of tree.inventory.query("name", depName)) {
+      for (const edge of node.edgesIn) {
+        if (!semver.satisfies(targetVersion, edge.spec)) {
+          findTopLevelEdges(edge).forEach((topLevel) => {
+            explanation = buildExplanation(node, edge, topLevel);
+
+            parents.push({
+              explanation: explanation,
+              name: edge.from.name,
+              version: edge.from.version,
+              requirement: edge.spec,
+            });
+          });
+        }
+      }
+    }
+
+    return parents;
+  });
+}
+
+function buildExplanation(node, directEdge, topLevelEdge) {
+  if (directEdge.from === topLevelEdge.to) {
+    // The nodes parent is top-level
+    return `${directEdge.from.name}@${directEdge.from.version} requires ${directEdge.to.name}@${directEdge.spec}`;
+  } else if (topLevelEdge.to.edgesOut.has(directEdge.from.name)) {
+    // The nodes parent is a direct dependency of the top-level dependency
+    return (
+      `${topLevelEdge.to.name}@${topLevelEdge.to.version} requires ${directEdge.to.name}@${directEdge.spec} ` +
+      `via ${directEdge.from.name}@${directEdge.from.version}`
+    );
+  } else {
+    // The nodes parent is a transitive dependency of the top-level dependency
+    return (
+      `${topLevelEdge.to.name}@${topLevelEdge.to.version} requires ${directEdge.to.name}@${directEdge.spec} ` +
+      `via a transitive dependency on ${directEdge.from.name}@${directEdge.from.version}`
+    );
+  }
+}
+
+function findTopLevelEdges(edge, parents = []) {
+  edge.from.edgesIn.forEach((parent) => {
+    if (parent.from.edgesIn.size === 0) {
+      if (!parents.includes(parent)) {
+        parents.push(parent);
+      }
+    } else {
+      findTopLevelEdges(parent, parents);
+    }
+  });
+
+  return parents;
+}
+
+module.exports = { findConflictingDependencies };

data/helpers/lib/npm/index.js

@@ -0,0 +1,9 @@
+const conflictingDependencyParser = require("./conflicting-dependency-parser");
+const vulnerabilityAuditor = require("./vulnerability-auditor");
+
+module.exports = {
+  findConflictingDependencies:
+    conflictingDependencyParser.findConflictingDependencies,
+  vulnerabilityAuditor:
+    vulnerabilityAuditor.findVulnerableDependencies,
+};

data/helpers/lib/npm/vulnerability-auditor.js

@@ -0,0 +1,291 @@
+/* Vulnerability auditor for npm
+ *
+ * Inputs:
+ *  - path to directory containing a package.json and a package-lock.json
+ *  - array of security advisories to audit for,
+ *      [
+ *        { dependency_name: string, affected_versions: [string, ...] },
+ *        ...
+ *      ]
+ *
+ * Outputs:
+ *  - object indicating whether a fix is available and how to achieve it,
+ *      {
+ *        dependency_name: string,
+ *        current_version: string,
+ *        target_version: string,
+ *        fix_available: boolean | object,
+ *        fix_updates: [
+ *          {
+ *            dependency_name: string,
+ *            current_version: string,
+ *            target_version: string
+ *          },
+ *          ...
+ *        ]
+ *      }
+ */
+
+const Arborist = require('@npmcli/arborist')
+const nock = require('nock')
+const { promisify } = require('util');
+const exec = promisify(require('child_process').exec)
+
+async function findVulnerableDependencies(directory, advisories) {
+  const npmConfig = await loadNpmConfig()
+  const caCerts = loadCACerts(npmConfig)
+  const registryOpts = extractRegistryOptions(npmConfig)
+  const registryCreds = loadNpmConfigCredentials(directory)
+
+  const arb = new Arborist({
+    path: directory,
+    auditRegistry: 'http://localhost:9999',
+    ca: caCerts,
+    force: true,
+    dryRun: true,
+    ignoreScripts: true,
+    ...registryOpts,
+    ...registryCreds,
+  })
+
+  const scope = nock('http://localhost:9999')
+    .persist()
+    .post('/-/npm/v1/security/advisories/bulk')
+    .reply(200, convertAdvisoriesToRegistryBulkFormat(advisories))
+
+  if (!nock.isActive()) {
+    nock.activate()
+  }
+
+  try {
+    const name = advisories[0].dependency_name
+    const response = {
+      dependency_name: name,
+      fix_updates: [],
+      top_level_ancestors: [],
+    }
+    const auditReport = await arb.audit()
+    if (!auditReport.has(name)) {
+      if (auditReport.tree.children.has(name)) {
+        response.current_version = auditReport.tree.children.get(name).version
+      }
+      response.fix_available = false
+      return response
+    }
+    const vuln = auditReport.get(name)
+    const version = [...vuln.nodes][0].version
+    const fixAvailable = vuln.fixAvailable
+
+    response.current_version = version
+    response.fix_available = Boolean(fixAvailable)
+
+    if (!Boolean(fixAvailable)) {
+      return response
+    }
+
+    const chains = buildDependencyChains(auditReport, name)
+
+    // In order for the vuln dependency in question to be considered fixable,
+    // all dependency chains originating from it must be fixable.
+    if (chains.some((chain) => !Boolean(chain.fixAvailable))) {
+      response.fix_available = false
+      return response
+    }
+
+    const groupedFixUpdateChains = groupBy(chains, (chain) => chain.nodes[0].pkgid)
+    let topLevelAncestors = new Set()
+
+    for (const group of groupedFixUpdateChains.values()) {
+      const fixUpdateNode = group[0].nodes[0]
+      const groupTopLevelAncestors = group.reduce((ancestor, chain) => {
+        const topLevelNode = chain.nodes[chain.nodes.length - 1]
+        return ancestor.add(topLevelNode.name)
+      }, new Set())
+
+      // Add group's top-level ancestors to the set of all top-level ancestors of
+      // the vuln dependency in question.
+      topLevelAncestors = new Set([...topLevelAncestors, ...groupTopLevelAncestors])
+
+      // If a chain consists of only one node, chain.nodes[0].name == chain.nodes[chain.nodes.length-1].name.
+      // In such cases, don't include the fix update node as an ancestor of itself.
+      const fixUpdateNodeTopLevelAncestors =
+        [...groupTopLevelAncestors].filter((nodeName) => nodeName !== fixUpdateNode.name).sort()
+
+      response.fix_updates.push({
+        dependency_name: fixUpdateNode.name,
+        current_version: fixUpdateNode.version,
+        top_level_ancestors: fixUpdateNodeTopLevelAncestors,
+      })
+    }
+
+    response.top_level_ancestors = [...topLevelAncestors].sort()
+
+    const fixTree = await arb.audit({
+      fix: true,
+    })
+
+    response.target_version = fixTree.children.get(name)?.version
+
+    for (const update of response.fix_updates) {
+      update.target_version =
+        fixTree.children.get(update.dependency_name)?.version
+    }
+
+    return response
+  } finally {
+    nock.cleanAll()
+    nock.restore()
+  }
+}
+
+function convertAdvisoriesToRegistryBulkFormat(advisories) {
+  return advisories.reduce((formattedAdvisories, advisory) => {
+    if (!formattedAdvisories[advisory.dependency_name]) {
+      formattedAdvisories[advisory.dependency_name] = []
+    }
+    let formattedVersions =
+      advisory.affected_versions.reduce((memo, version) => {
+        memo.push({
+          id: Math.floor(Math.random() * Number.MAX_SAFE_INTEGER),
+          vulnerable_versions: version
+        })
+        return memo
+      }, [])
+    formattedAdvisories[advisory.dependency_name].push(...formattedVersions)
+    return formattedAdvisories
+  }, {})
+}
+
+/* Returns an array of dependency chains rooted in the named dependency,
+ *   [
+ *    {
+ *      fixAvailable: true | false | object,
+ *      nodes: [
+ *        ArboristNode {
+ *          name: 'foo',
+ *          version: '1.0.0',
+ *          ...
+ *        },
+ *        ...
+ *      ]
+ *    },
+ *    ...
+ *   ]
+ *
+ * The first node in each chain is the innermost dependency affected by the vuln;
+ * the `fixAvailable` field applies to this dependency. The last node in each
+ * chain is always a top-level dependency.
+ */
+function buildDependencyChains(auditReport, name) {
+  const helper = (node, chain, visited) => {
+    if (!node) {
+      return []
+    }
+    if (visited.has(node.name)) {
+      // We've already seen this node; end path.
+      return []
+    }
+    if (auditReport.has(node.name)) {
+      const vuln = auditReport.get(node.name)
+      if (vuln.isVulnerable(node)) {
+        return [{ fixAvailable: vuln.fixAvailable, nodes: [node, ...chain.nodes] }]
+      } else if (node.name == name) {
+        // This is a non-vulnerable version of the advisory dependency; end path.
+        return []
+      }
+    }
+    if (!node.edgesOut.size) {
+      // This is a leaf node that is unaffected by the vuln; end path.
+      return []
+    }
+    return [...node.edgesOut.values()].reduce((chains, { to }) => {
+      // Only prepend current node to chain/visited if it's not the project root.
+      const newChain = node.isProjectRoot ? chain : { nodes: [node, ...chain.nodes] }
+      const newVisited = node.isProjectRoot ? visited : new Set([node.name, ...visited])
+      return chains.concat(helper(to, newChain, newVisited))
+    }, [])
+  }
+  return helper(auditReport.tree, { nodes: [] }, new Set())
+}
+
+function groupBy(elems, fn) {
+  const groups = new Map()
+  for (const [index, elem] of [...elems].entries()) {
+    const key = fn(elem, index, elems)
+    groups.set(key, (groups.get(key) || []).concat([elem]))
+  }
+  return groups
+}
+
+async function loadNpmConfig() {
+  const configOutput = await exec('npm config ls --json')
+  return JSON.parse(configOutput.stdout)
+}
+
+function extractRegistryOptions(npmConfig) {
+  const opts = []
+  for (const [key, value] of Object.entries(npmConfig)) {
+    if (key == "registry" || key.endsWith(":registry")) {
+      opts.push([key, value])
+    }
+  }
+  return Object.fromEntries(opts)
+}
+
+// loadNpmConfig doesn't return registry credentials so we need to manually extract them. If available,
+// Dependabot will have written them to the project's .npmrc file.
+const ini = require('ini')
+const path = require('path')
+
+const credKeys = ['token', '_authToken', '_auth']
+
+function loadNpmConfigCredentials(projectDir) {
+  const projectNpmrc = maybeReadFile(path.join(projectDir, '.npmrc'))
+  if (!projectNpmrc) {
+    return {}
+  }
+
+  const credentials = []
+  const config = ini.parse(projectNpmrc)
+  for (const [key, value] of Object.entries(config)) {
+    if (credKeys.includes(key) || credKeys.some((credKey) => key.endsWith(':' + credKey))) {
+      credentials.push([key, value])
+    }
+  }
+  return Object.fromEntries(credentials)
+}
+
+// sourced from npm's cli/lib/utils/config/definitions.js for reading certs from the cafile option
+const fs = require('fs')
+const maybeReadFile = file => {
+  try {
+    return fs.readFileSync(file, 'utf8')
+  } catch (er) {
+    if (er.code !== 'ENOENT') {
+      throw er
+    }
+    return null
+  }
+}
+
+function loadCACerts(npmConfig) {
+  if (npmConfig.ca) {
+    return npmConfig.ca
+  }
+
+  if (!npmConfig.cafile) {
+    return
+  }
+
+  const raw = maybeReadFile(npmConfig.cafile)
+  if (!raw) {
+    return
+  }
+
+  const delim = '-----END CERTIFICATE-----'
+  return raw.replace(/\r\n/g, '\n').split(delim)
+    .filter(section => section.trim())
+    .map(section => section.trimStart() + delim)
+}
+
+module.exports = { findVulnerableDependencies }

data/helpers/lib/npm6/helpers.js

@@ -0,0 +1,25 @@
+function runAsync(obj, method, args) {
+  return new Promise((resolve, reject) => {
+    const cb = (err, ...returnValues) => {
+      if (err) {
+        reject(err);
+      } else {
+        resolve(returnValues);
+      }
+    };
+    method.apply(obj, [...args, cb]);
+  });
+}
+
+function muteStderr() {
+  const original = process.stderr.write;
+  process.stderr.write = () => {};
+  return () => {
+    process.stderr.write = original;
+  };
+}
+
+module.exports = {
+  runAsync,
+  muteStderr,
+};

data/helpers/lib/npm6/index.js

@@ -0,0 +1,9 @@
+const updater = require("./updater");
+const peerDependencyChecker = require("./peer-dependency-checker");
+const subdependencyUpdater = require("./subdependency-updater");
+
+module.exports = {
+  update: updater.updateDependencyFiles,
+  updateSubdependency: subdependencyUpdater.updateDependencyFile,
+  checkPeerDependencies: peerDependencyChecker.checkPeerDependencies,
+};

data/helpers/lib/npm6/peer-dependency-checker.js

@@ -0,0 +1,111 @@
+/* PEER DEPENDENCY CHECKER
+ *
+ * Inputs:
+ *  - directory containing a package.json and a yarn.lock
+ *  - dependency name
+ *  - new dependency version
+ *  - requirements for this dependency
+ *
+ * Outputs:
+ *  - successful completion, or an error if there are peer dependency warnings
+ */
+
+const npm = require("npm");
+const installer = require("npm/lib/install");
+const { muteStderr, runAsync } = require("./helpers.js");
+
+function installArgsWithVersion(depName, desiredVersion, reqs) {
+  const source = (reqs.find((req) => req.source) || {}).source;
+
+  if (source && source.type === "git") {
+    return [`${depName}@${source.url}#${desiredVersion}`];
+  } else {
+    return [`${depName}@${desiredVersion}`];
+  }
+}
+
+async function checkPeerDependencies(
+  directory,
+  depName,
+  desiredVersion,
+  requirements,
+  topLevelDependencies
+) {
+  // `force: true` ignores checks for platform (os, cpu) and engines
+  // in npm/lib/install/validate-args.js
+  // Platform is checked and raised from (EBADPLATFORM):
+  // https://github.com/npm/npm-install-checks
+  //
+  // `'prefer-offline': true` sets fetch() cache key to `force-cache`
+  // https://github.com/npm/npm-registry-fetch
+  //
+  // `'ignore-scripts': true` used to disable prepare and prepack scripts
+  // which are run when installing git dependencies
+  await runAsync(npm, npm.load, [
+    {
+      loglevel: "silent",
+      force: true,
+      audit: false,
+      "prefer-offline": true,
+      "ignore-scripts": true,
+      save: false,
+    },
+  ]);
+
+  const dryRun = true;
+
+  // Returns dep name and version for npm install, example: ["react@16.6.0"]
+  let args = installArgsWithVersion(depName, desiredVersion, requirements);
+
+  // To check peer dependencies requirements in all top level dependencies we
+  // need to explicitly tell npm to fetch all manifests by specifying the
+  // existing dependency name and version in npm install
+
+  // For example, if we have "react@15.6.2" and "react-dom@15.6.2" installed
+  // and we want to install react@16.6.0, we need get the existing version of
+  // react-dom and pass this to npm install along with the new version react,
+  // this way npm fetches the manifest for react-dom and determines that we
+  // can't install react@16.6.0 due to the peer dependency requirement in
+  // react-dom
+
+  // If we only pass the new dep@version to npm install, e.g. "react@16.6.0" npm
+  // will only fetch the manifest for react and not know that react-dom enforces
+  // a peerDependency on react
+
+  // Returns dep name and version for npm install, example: ["react-dom@15.6.2"]
+  // - given react and react-dom in top level deps
+  const otherDeps = (topLevelDependencies || [])
+    .filter((dep) => dep.name !== depName && dep.version)
+    .map((dep) =>
+      installArgsWithVersion(dep.name, dep.version, dep.requirements)
+    )
+    .reduce((acc, dep) => acc.concat(dep), []);
+
+  args = args.concat(otherDeps);
+
+  const initialInstaller = new installer.Installer(directory, dryRun, args, {
+    packageLockOnly: true,
+  });
+
+  // Skip printing the success message
+  initialInstaller.printInstalled = (cb) => cb();
+
+  // There are some hard-to-prevent bits of output.
+  // This is horrible, but works.
+  const unmute = muteStderr();
+  try {
+    await runAsync(initialInstaller, initialInstaller.run, []);
+  } finally {
+    unmute();
+  }
+
+  const peerDependencyWarnings = initialInstaller.idealTree.warnings
+    .filter((warning) => warning.code === "EPEERINVALID")
+    .map((warning) => warning.message);
+
+  if (peerDependencyWarnings.length) {
+    throw new Error(peerDependencyWarnings.join("\n"));
+  }
+}
+
+module.exports = { checkPeerDependencies };

data/helpers/lib/npm6/remove-dependencies-from-lockfile.js

@@ -0,0 +1,22 @@
+// Recursively removes all dependencies matching on name
+function removeDependenciesFromLockfile(lockfile, dependencyNames) {
+  if (!lockfile.dependencies) return lockfile;
+
+  const dependencies = Object.entries(lockfile.dependencies).reduce(
+    (acc, [depName, packageValue]) => {
+      if (!dependencyNames.includes(depName)) {
+        acc[depName] = removeDependenciesFromLockfile(
+          packageValue,
+          dependencyNames
+        );
+      }
+
+      return acc;
+    },
+    {}
+  );
+
+  return Object.assign({}, lockfile, { dependencies });
+}
+
+module.exports = removeDependenciesFromLockfile;