dependabot-core 0.76.1

data/lib/dependabot/update_checkers/java_script/npm_and_yarn/library_detector.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/update_checkers/java_script/npm_and_yarn"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module UpdateCheckers
+    module JavaScript
+      class NpmAndYarn
+        class LibraryDetector
+          def initialize(package_json_file:)
+            @package_json_file = package_json_file
+          end
+
+          def library?
+            return false unless package_json_may_be_for_library?
+
+            npm_response_matches_package_json?
+          end
+
+          private
+
+          attr_reader :package_json_file
+
+          def package_json_may_be_for_library?
+            return false unless project_name
+            return false if project_name.match?(/\{\{.*\}\}/)
+            return false unless parsed_package_json["version"]
+            return false if parsed_package_json["private"]
+
+            true
+          end
+
+          def npm_response_matches_package_json?
+            project_description = parsed_package_json["description"]
+            return false unless project_description
+
+            # Check if the project is listed on npm. If it is, it's a library
+            @project_npm_response ||= Excon.get(
+              "https://registry.npmjs.org/#{escaped_project_name}",
+              idempotent: true,
+              **SharedHelpers.excon_defaults
+            )
+
+            return false unless @project_npm_response.status == 200
+
+            @project_npm_response.body.force_encoding("UTF-8").encode.
+              include?(project_description)
+          rescue Excon::Error::Socket, Excon::Error::Timeout
+            false
+          end
+
+          def project_name
+            parsed_package_json.fetch("name", nil)
+          end
+
+          def escaped_project_name
+            project_name&.gsub("/", "%2F")
+          end
+
+          def parsed_package_json
+            @parsed_package_json ||= JSON.parse(package_json_file.content)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/java_script/npm_and_yarn/registry_finder.rb

@@ -0,0 +1,226 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/update_checkers/java_script/npm_and_yarn"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module UpdateCheckers
+    module JavaScript
+      class NpmAndYarn
+        class RegistryFinder
+          NPM_AUTH_TOKEN_REGEX =
+            %r{//(?<registry>.*)/:_authToken=(?<token>.*)$}.freeze
+          NPM_GLOBAL_REGISTRY_REGEX =
+            /^registry\s*=\s*(?<registry>.*)$/.freeze
+          YARN_GLOBAL_REGISTRY_REGEX =
+            /^registry\s+['"](?<registry>.*)['"]/.freeze
+
+          def initialize(dependency:, credentials:, npmrc_file: nil,
+                         yarnrc_file: nil)
+            @dependency = dependency
+            @credentials = credentials
+            @npmrc_file = npmrc_file
+            @yarnrc_file = yarnrc_file
+          end
+
+          def registry
+            locked_registry || first_registry_with_dependency_details
+          end
+
+          def auth_headers
+            auth_header_for(auth_token)
+          end
+
+          def dependency_url
+            "#{registry_url.gsub(%r{/+$}, '')}/#{escaped_dependency_name}"
+          end
+
+          private
+
+          attr_reader :dependency, :credentials, :npmrc_file, :yarnrc_file
+
+          def first_registry_with_dependency_details
+            @first_registry_with_dependency_details ||=
+              known_registries.find do |details|
+                Excon.get(
+                  "https://#{details['registry'].gsub(%r{/+$}, '')}/"\
+                  "#{escaped_dependency_name}",
+                  headers: auth_header_for(details["token"]),
+                  idempotent: true,
+                  **SharedHelpers.excon_defaults
+                ).status < 400
+              rescue Excon::Error::Timeout, Excon::Error::Socket
+                nil
+              end&.fetch("registry")
+
+            @first_registry_with_dependency_details ||= global_registry
+          end
+
+          def registry_url
+            protocol =
+              if private_registry_source_url
+                private_registry_source_url.split("://").first
+              else
+                "https"
+              end
+
+            "#{protocol}://#{registry}"
+          end
+
+          def auth_header_for(token)
+            return {} unless token
+
+            if token.include?(":")
+              encoded_token = Base64.encode64(token).delete("\n")
+              { "Authorization" => "Basic #{encoded_token}" }
+            elsif Base64.decode64(token).ascii_only? &&
+                  Base64.decode64(token).include?(":")
+              { "Authorization" => "Basic #{token.delete("\n")}" }
+            else
+              { "Authorization" => "Bearer #{token}" }
+            end
+          end
+
+          def auth_token
+            known_registries.
+              find { |cred| cred["registry"] == registry }&.
+              fetch("token")
+          end
+
+          def locked_registry
+            return unless private_registry_source_url
+
+            lockfile_registry =
+              private_registry_source_url.
+              gsub("https://", "").
+              gsub("http://", "")
+            detailed_registry =
+              known_registries.
+              find { |h| h["registry"].include?(lockfile_registry) }&.
+              fetch("registry")
+
+            detailed_registry || lockfile_registry
+          end
+
+          def known_registries
+            @known_registries ||=
+              begin
+                registries = []
+                registries += credentials.
+                              select { |cred| cred["type"] == "npm_registry" }
+                registries += npmrc_registries
+                registries += yarnrc_registries
+
+                unique_registries(registries)
+              end
+          end
+
+          def npmrc_registries
+            return [] unless npmrc_file
+
+            registries = []
+            npmrc_file.content.scan(NPM_AUTH_TOKEN_REGEX) do
+              next if Regexp.last_match[:registry].include?("${")
+
+              registries << {
+                "type" => "npm_registry",
+                "registry" => Regexp.last_match[:registry],
+                "token" => Regexp.last_match[:token]
+              }
+            end
+
+            npmrc_file.content.scan(NPM_GLOBAL_REGISTRY_REGEX) do
+              next if Regexp.last_match[:registry].include?("${")
+
+              registry = Regexp.last_match[:registry].strip.
+                         sub(%r{/+$}, "").
+                         sub(%r{^.*?//}, "")
+              next if registries.map { |r| r["registry"] }.include?(registry)
+
+              registries << {
+                "type" => "npm_registry",
+                "registry" => registry,
+                "token" => nil
+              }
+            end
+
+            registries
+          end
+
+          def yarnrc_registries
+            return [] unless yarnrc_file
+
+            registries = []
+            yarnrc_file.content.scan(YARN_GLOBAL_REGISTRY_REGEX) do
+              next if Regexp.last_match[:registry].include?("${")
+
+              registry = Regexp.last_match[:registry].strip.
+                         sub(%r{/+$}, "").
+                         sub(%r{^.*?//}, "")
+              registries << {
+                "type" => "npm_registry",
+                "registry" => registry,
+                "token" => nil
+              }
+            end
+
+            registries
+          end
+
+          def unique_registries(registries)
+            registries.uniq.reject do |registry|
+              next if registry["token"]
+
+              # Reject this entry if an identical one with a token exists
+              registries.any? do |r|
+                r["token"] && r["registry"] == registry["registry"]
+              end
+            end
+          end
+
+          def global_registry
+            npmrc_file&.content.to_s.scan(NPM_GLOBAL_REGISTRY_REGEX) do
+              next if Regexp.last_match[:registry].include?("${")
+
+              registry = Regexp.last_match[:registry].strip.
+                         sub(%r{/+$}, "").
+                         sub(%r{^.*?//}, "")
+              return registry
+            end
+
+            yarnrc_file&.content.to_s.scan(YARN_GLOBAL_REGISTRY_REGEX) do
+              next if Regexp.last_match[:registry].include?("${")
+
+              registry = Regexp.last_match[:registry].strip.
+                         sub(%r{/+$}, "").
+                         sub(%r{^.*?//}, "")
+              return registry
+            end
+
+            "registry.npmjs.org"
+          end
+
+          # npm registries expect slashes to be escaped
+          def escaped_dependency_name
+            dependency.name.gsub("/", "%2F")
+          end
+
+          def private_registry_source_url
+            sources = dependency.requirements.
+                      map { |r| r.fetch(:source) }.uniq.compact
+
+            # If there are multiple source types, or multiple source URLs, then
+            # it's unclear how we should proceed
+            if sources.map { |s| [s[:type], s[:url]] }.uniq.count > 1
+              raise "Multiple sources! #{sources.join(', ')}"
+            end
+
+            # Otherwise we just take the URL of the first private registry
+            sources.find { |s| s[:type] == "private_registry" }&.fetch(:url)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/update_checkers/java_script/npm_and_yarn/requirements_updater.rb

@@ -0,0 +1,197 @@
+# frozen_string_literal: true
+
+################################################################################
+# For more details on npm version constraints, see:                            #
+# https://docs.npmjs.com/misc/semver                                           #
+################################################################################
+
+require "dependabot/update_checkers/java_script/npm_and_yarn"
+require "dependabot/utils/java_script/version"
+require "dependabot/utils/java_script/requirement"
+
+module Dependabot
+  module UpdateCheckers
+    module JavaScript
+      class NpmAndYarn
+        class RequirementsUpdater
+          VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/.freeze
+          SEPARATOR = /(?<=[a-zA-Z0-9*])[\s|]+(?![\s|-])/.freeze
+          ALLOWED_UPDATE_STRATEGIES =
+            %i(widen_ranges bump_versions bump_versions_if_necessary).freeze
+
+          def initialize(requirements:, updated_source:, update_strategy:,
+                         latest_version:, latest_resolvable_version:)
+            @requirements = requirements
+            @updated_source = updated_source
+            @update_strategy = update_strategy
+
+            check_update_strategy
+
+            if latest_version
+              @latest_version = version_class.new(latest_version)
+            end
+
+            return unless latest_resolvable_version
+
+            @latest_resolvable_version =
+              version_class.new(latest_resolvable_version)
+          end
+
+          def updated_requirements
+            requirements.map do |req|
+              req = req.merge(source: updated_source)
+              next req unless latest_resolvable_version
+              next initial_req_after_source_change(req) unless req[:requirement]
+              next req if req[:requirement].match?(/^([A-Za-uw-z]|v[^\d])/)
+
+              case update_strategy
+              when :widen_ranges then widen_requirement(req)
+              when :bump_versions then update_version_requirement(req)
+              when :bump_versions_if_necessary
+                update_version_requirement_if_needed(req)
+              else raise "Unexpected update strategy: #{update_strategy}"
+              end
+            end
+          end
+
+          private
+
+          attr_reader :requirements, :updated_source, :update_strategy,
+                      :latest_version, :latest_resolvable_version
+
+          def check_update_strategy
+            return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
+
+            raise "Unknown update strategy: #{update_strategy}"
+          end
+
+          def updating_from_git_to_npm?
+            return false unless updated_source.nil?
+
+            original_source = requirements.map { |r| r[:source] }.compact.first
+            original_source&.fetch(:type) == "git"
+          end
+
+          def initial_req_after_source_change(req)
+            return req unless updating_from_git_to_npm?
+            return req unless req[:requirement].nil?
+
+            req.merge(requirement: "^#{latest_resolvable_version}")
+          end
+
+          def update_version_requirement(req)
+            current_requirement = req[:requirement]
+
+            if current_requirement.match?(/(<|-\s)/i)
+              ruby_req = ruby_requirements(current_requirement).first
+              return req if ruby_req.satisfied_by?(latest_resolvable_version)
+
+              updated_req = update_range_requirement(current_requirement)
+              return req.merge(requirement: updated_req)
+            end
+
+            req.merge(requirement: update_version_string(current_requirement))
+          end
+
+          def update_version_requirement_if_needed(req)
+            current_requirement = req[:requirement]
+            version = latest_resolvable_version
+            return req if current_requirement.strip == ""
+
+            ruby_reqs = ruby_requirements(current_requirement)
+            return req if ruby_reqs.any? { |r| r.satisfied_by?(version) }
+
+            update_version_requirement(req)
+          end
+
+          def widen_requirement(req)
+            current_requirement = req[:requirement]
+            version = latest_resolvable_version
+            return req if current_requirement.strip == ""
+
+            ruby_reqs = ruby_requirements(current_requirement)
+            return req if ruby_reqs.any? { |r| r.satisfied_by?(version) }
+
+            reqs = current_requirement.strip.split(SEPARATOR).map(&:strip)
+
+            updated_requirement =
+              if reqs.any? { |r| r.match?(/(<|-\s)/i) }
+                update_range_requirement(current_requirement)
+              elsif current_requirement.strip.split(SEPARATOR).count == 1
+                update_version_string(current_requirement)
+              else
+                current_requirement
+              end
+
+            req.merge(requirement: updated_requirement)
+          end
+
+          def ruby_requirements(requirement_string)
+            Utils::JavaScript::Requirement.
+              requirements_array(requirement_string)
+          end
+
+          def update_range_requirement(req_string)
+            range_requirements =
+              req_string.split(SEPARATOR).select { |r| r.match?(/<|(\s+-\s+)/) }
+
+            if range_requirements.count == 1
+              range_requirement = range_requirements.first
+              versions = range_requirement.scan(VERSION_REGEX)
+              upper_bound = versions.map { |v| version_class.new(v) }.max
+              new_upper_bound = update_greatest_version(
+                upper_bound,
+                latest_resolvable_version
+              )
+
+              req_string.sub(
+                upper_bound.to_s,
+                new_upper_bound.to_s
+              )
+            else
+              req_string + " || ^#{latest_resolvable_version}"
+            end
+          end
+
+          def update_version_string(req_string)
+            req_string.
+              sub(VERSION_REGEX) do |old_version|
+                if old_version.match?(/\d-/) ||
+                   latest_resolvable_version.to_s.match?(/\d-/)
+                  latest_resolvable_version.to_s
+                else
+                  old_parts = old_version.split(".")
+                  new_parts = latest_resolvable_version.to_s.split(".").
+                              first(old_parts.count)
+                  new_parts.map.with_index do |part, i|
+                    old_parts[i].match?(/^x\b/) ? "x" : part
+                  end.join(".")
+                end
+              end
+          end
+
+          def update_greatest_version(old_version, version_to_be_permitted)
+            version = version_class.new(old_version)
+            version = version.release if version.prerelease?
+
+            index_to_update =
+              version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+
+            version.segments.map.with_index do |_, index|
+              if index < index_to_update
+                version_to_be_permitted.segments[index]
+              elsif index == index_to_update
+                version_to_be_permitted.segments[index] + 1
+              else 0
+              end
+            end.join(".")
+          end
+
+          def version_class
+            Utils::JavaScript::Version
+          end
+        end
+      end
+    end
+  end
+end