dependabot-core 0.76.1

data/helpers/python/requirements.txt

@@ -0,0 +1,9 @@
+pip==18.1
+pip-tools==3.1.0
+hashin==0.14.0
+pipenv==2018.11.26
+pipfile==0.0.2
+poetry==0.12.10
+
+# Some dependencies will only install if Cython is present
+Cython==0.29.1

data/helpers/python/run.py

@@ -0,0 +1,18 @@
+import sys
+import json
+
+from lib import parser, hasher
+
+if __name__ == "__main__":
+    args = json.loads(sys.stdin.read())
+
+    if args["function"] == "parse_requirements":
+        print(parser.parse_requirements(args["args"][0]))
+    if args["function"] == "parse_setup":
+        print(parser.parse_setup(args["args"][0]))
+    elif args["function"] == "get_dependency_hash":
+        print(hasher.get_dependency_hash(*args["args"]))
+    elif args["function"] == "get_pipfile_hash":
+        print(hasher.get_pipfile_hash(*args["args"]))
+    elif args["function"] == "get_pyproject_hash":
+        print(hasher.get_pyproject_hash(*args["args"]))

data/helpers/test/run.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "json"
+
+request = JSON.parse($stdin.read)
+case request["function"]
+when "error"
+  $stdout.write(JSON.dump(error: "Something went wrong"))
+  exit 1
+when "hard_error"
+  puts "Oh no!"
+  exit 0
+else
+  $stdout.write(JSON.dump(result: request))
+end

data/helpers/utils/git-credential-store-immutable

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require "shellwords"
+
+# Valid commands are: `get`, `store`, `erase`. We only want to let `get`
+# through, as the others mutate the credential store.
+if ARGV.include?("get")
+  args = ARGV.map { |arg| Shellwords.escape(arg) }.join(" ")
+  exec "git credential-store #{args}"
+end

data/helpers/yarn/.agignore

@@ -0,0 +1 @@
+node_modules/

data/helpers/yarn/.envrc

@@ -0,0 +1,2 @@
+PATH_add node_modules/.bin
+export LOCAL_VIMRC=true

data/helpers/yarn/.eslintrc

@@ -0,0 +1,14 @@
+{
+  "plugins": [
+    "prettier"
+  ],
+  "rules": {
+    "prettier/prettier": "error"
+  },
+  "env": {
+    "node": true
+  },
+  "parserOptions": {
+    "ecmaVersion": 8
+  }
+}

data/helpers/yarn/.nvimrc

@@ -0,0 +1,7 @@
+augroup fmt
+  autocmd!
+  autocmd BufWritePre * Neoformat
+augroup END
+
+let test#javascript#jest#file_pattern = '\.test\.js'
+let test#javascript#mocha#file_pattern = 'mocha'

data/helpers/yarn/bin/run.js

@@ -0,0 +1,36 @@
+const lockfileParser = require("../lib/lockfile-parser");
+const updater = require("../lib/updater");
+const subdependencyUpdater = require("../lib/subdependency-updater");
+const peerDependencyChecker = require("../lib/peer-dependency-checker");
+
+const functionMap = {
+  parseLockfile: lockfileParser.parse,
+  update: updater.updateDependencyFiles,
+  updateSubdependency: subdependencyUpdater.updateDependencyFile,
+  checkPeerDependencies: peerDependencyChecker.checkPeerDependencies
+};
+
+function output(obj) {
+  process.stdout.write(JSON.stringify(obj));
+}
+
+const input = [];
+process.stdin.on("data", data => input.push(data));
+process.stdin.on("end", () => {
+  const request = JSON.parse(input.join(""));
+  const func = functionMap[request.function];
+  if (!func) {
+    output({ error: `Invalid function ${request.function}` });
+    process.exit(1);
+  }
+
+  func
+    .apply(null, request.args)
+    .then(result => {
+      output({ result: result });
+    })
+    .catch(error => {
+      output({ error: error.message });
+      process.exit(1);
+    });
+});

data/helpers/yarn/lib/fix-duplicates.js

@@ -0,0 +1,53 @@
+const parse = require("@dependabot/yarn-lib/lib/lockfile/parse").default;
+const stringify = require("@dependabot/yarn-lib/lib/lockfile/stringify")
+  .default;
+const semver = require("semver");
+
+// Inspired by yarn-tools. Altered to ensure the latest version is always used
+// for version ranges which allow it.
+module.exports = (data, includePackages = []) => {
+  const json = parse(data).object;
+  const enableLockfileVersions = Boolean(data.match(/^# yarn v/m));
+  const noHeader = !Boolean(data.match(/^# THIS IS AN AU/m));
+
+  const packages = {};
+  const re = /^(.*)@([^@]*?)$/;
+
+  Object.entries(json).forEach(([name, pkg]) => {
+    if (name.match(re)) {
+      const [_, packageName, requestedVersion] = name.match(re);
+      packages[packageName] = packages[packageName] || [];
+      packages[packageName].push(
+        Object.assign({}, { name, pkg, packageName, requestedVersion })
+      );
+    }
+  });
+
+  Object.entries(packages)
+    .filter(([name]) => {
+      if (includePackages.length === 0) return true;
+      return includePackages.includes(name);
+    })
+    .forEach(([name, packages]) => {
+      // Reverse sort, so we'll find the maximum satisfying version first
+      const versions = packages.map(p => p.pkg.version).sort(semver.rcompare);
+      const ranges = packages.map(p => p.requestedVersion);
+
+      // Dedup each package to its maxSatisfying version
+      packages.forEach(p => {
+        const targetVersion = semver.maxSatisfying(
+          versions,
+          p.requestedVersion
+        );
+        if (targetVersion === null) return;
+        if (targetVersion !== p.pkg.version) {
+          const dedupedPackage = packages.find(
+            p => p.pkg.version === targetVersion
+          );
+          json[`${name}@${p.requestedVersion}`] = dedupedPackage.pkg;
+        }
+      });
+    });
+
+  return stringify(json, noHeader, enableLockfileVersions);
+};

data/helpers/yarn/lib/helpers.js

@@ -0,0 +1,5 @@
+function isString(value) {
+  return Object.prototype.toString.call(value) === "[object String]";
+}
+
+module.exports = { isString };

data/helpers/yarn/lib/lockfile-parser.js

@@ -0,0 +1,21 @@
+/* YARN.LOCK PARSER
+ *
+ * Inputs:
+ *  - directory containing a yarn.lock
+ *
+ * Outputs:
+ *  - JSON formatted yarn.lock
+ */
+const fs = require("fs");
+const path = require("path");
+const parseLockfile = require("@dependabot/yarn-lib/lib/lockfile/parse")
+  .default;
+
+async function parse(directory) {
+  const readFile = fileName =>
+    fs.readFileSync(path.join(directory, fileName)).toString();
+  const data = readFile("yarn.lock");
+  return parseLockfile(data).object;
+}
+
+module.exports = { parse };

data/helpers/yarn/lib/peer-dependency-checker.js

@@ -0,0 +1,130 @@
+/* PEER DEPENDENCY CHECKER
+ *
+ * Inputs:
+ *  - directory containing a package.json and a yarn.lock
+ *  - dependency name
+ *  - new dependency version
+ *  - requirements for this dependency
+ *
+ * Outputs:
+ *  - successful completion, or an error if there are peer dependency warnings
+ */
+const path = require("path");
+const { Add } = require("@dependabot/yarn-lib/lib/cli/commands/add");
+const Config = require("@dependabot/yarn-lib/lib/config").default;
+const { BufferReporter } = require("@dependabot/yarn-lib/lib/reporters");
+const Lockfile = require("@dependabot/yarn-lib/lib/lockfile").default;
+const { isString } = require("./helpers");
+const fetcher = require("@dependabot/yarn-lib/lib/package-fetcher.js");
+
+// Check peer dependencies without downloading node_modules or updating
+// package/lockfiles
+//
+// Logic copied from the import command
+class LightweightAdd extends Add {
+  async bailout() {
+    const manifests = await fetcher.fetch(
+      this.resolver.getManifests(),
+      this.config
+    );
+    this.resolver.updateManifests(manifests);
+    await this.linker.resolvePeerModules();
+    return true;
+  }
+}
+
+function devRequirement(requirements) {
+  const groups = requirements.groups;
+  return (
+    groups.indexOf("devDependencies") > -1 &&
+    groups.indexOf("dependencies") == -1
+  );
+}
+
+function optionalRequirement(requirements) {
+  const groups = requirements.groups;
+  return (
+    groups.indexOf("optionalDependencies") > -1 &&
+    groups.indexOf("dependencies") == -1
+  );
+}
+
+function installArgsWithVersion(depName, desiredVersion, requirements) {
+  const source =
+    "source" in requirements
+      ? requirements.source
+      : (requirements.find(req => req.source) || {}).source;
+  const req =
+    "requirement" in requirements
+      ? requirements.requirement
+      : (requirements.find(req => req.requirement) || {}).requirement;
+
+  if (source && source.type === "git") {
+    if (desiredVersion) {
+      return [`${depName}@${source.url}#${desiredVersion}`];
+    } else {
+      return [`${depName}@${source.url}`];
+    }
+  } else {
+    return [`${depName}@${desiredVersion || req}`];
+  }
+}
+
+async function checkPeerDependencies(
+  directory,
+  depName,
+  desiredVersion,
+  requirements
+) {
+  for (let req of requirements) {
+    await checkPeerDepsForReq(directory, depName, desiredVersion, req);
+  }
+}
+
+async function checkPeerDepsForReq(
+  directory,
+  depName,
+  desiredVersion,
+  requirement
+) {
+  const flags = {
+    ignoreScripts: true,
+    ignoreWorkspaceRootCheck: true,
+    ignoreEngines: true,
+    dev: devRequirement(requirement),
+    optional: optionalRequirement(requirement)
+  };
+  const reporter = new BufferReporter();
+  const config = new Config(reporter);
+
+  await config.init({
+    cwd: path.join(directory, path.dirname(requirement.file)),
+    nonInteractive: true,
+    enableDefaultRc: true
+  });
+
+  const lockfile = await Lockfile.fromDirectory(directory, reporter);
+
+  // Returns dep name and version for yarn add, example: ["react@16.6.0"]
+  let args = installArgsWithVersion(depName, desiredVersion, requirement);
+
+  // Just as if we'd run `yarn add package@version`, but using our lightweight
+  // implementation of Add that doesn't actually download and install packages
+  const add = new LightweightAdd(args, flags, config, reporter, lockfile);
+
+  await add.init();
+
+  const eventBuffer = reporter.getBuffer();
+  const peerDependencyWarnings = eventBuffer
+    .map(({ data }) => data)
+    .filter(data => {
+      // Guard against event.data sometimes being an object
+      return isString(data) && data.match(/(unmet|incorrect) peer dependency/);
+    });
+
+  if (peerDependencyWarnings.length) {
+    throw new Error(peerDependencyWarnings.join("\n"));
+  }
+}
+
+module.exports = { checkPeerDependencies };

data/helpers/yarn/lib/replace-lockfile-declaration.js

@@ -0,0 +1,45 @@
+const parse = require("@dependabot/yarn-lib/lib/lockfile/parse").default;
+const stringify = require("@dependabot/yarn-lib/lib/lockfile/stringify")
+  .default;
+
+// Get an array of a dependency's requested version ranges from a lockfile
+function getRequestedVersions(depName, lockfileJson) {
+  const requestedVersions = [];
+  const re = /^(.*)@([^@]*?)$/;
+
+  Object.entries(lockfileJson).forEach(([name, _]) => {
+    if (name.match(re)) {
+      const [_, packageName, requestedVersion] = name.match(re);
+      if (packageName === depName) {
+        requestedVersions.push(requestedVersion);
+      }
+    }
+  });
+
+  return requestedVersions;
+}
+
+module.exports = (oldLockfileContent, newLockfileContent, depName, newReq) => {
+  const oldJson = parse(oldLockfileContent).object;
+  const newJson = parse(newLockfileContent).object;
+
+  const enableLockfileVersions = Boolean(
+    oldLockfileContent.match(/^# yarn v/m)
+  );
+  const noHeader = !Boolean(oldLockfileContent.match(/^# THIS IS AN AU/m));
+
+  const oldPackageReqs = getRequestedVersions(depName, oldJson);
+  const newPackageReqs = getRequestedVersions(depName, newJson);
+
+  const reqToReplace = newPackageReqs.find(pattern => {
+    return !oldPackageReqs.includes(pattern);
+  });
+
+  if (reqToReplace) {
+    newJson[`${depName}@${newReq || oldPackageReqs[0]}`] =
+      newJson[`${depName}@${reqToReplace}`];
+    delete newJson[`${depName}@${reqToReplace}`];
+  }
+
+  return stringify(newJson, noHeader, enableLockfileVersions);
+};

data/helpers/yarn/lib/subdependency-updater.js

@@ -0,0 +1,69 @@
+/* DEPENDENCY FILE UPDATER
+ *
+ * Inputs:
+ *  - directory containing a package.json and a yarn.lock
+ *  - dependency name
+ *
+ * Outputs:
+ *  - yarn.lock file
+ *
+ * Update the sub-dependency versions for this dependency to that latest
+ * possible versions, without unlocking any other dependencies
+ */
+const fs = require("fs");
+const path = require("path");
+const { Install } = require("@dependabot/yarn-lib/lib/cli/commands/install");
+const Config = require("@dependabot/yarn-lib/lib/config").default;
+const { EventReporter } = require("@dependabot/yarn-lib/lib/reporters");
+const Lockfile = require("@dependabot/yarn-lib/lib/lockfile").default;
+
+class LightweightInstall extends Install {
+  async bailout(patterns, workspaceLayout) {
+    await this.saveLockfileAndIntegrity(patterns, workspaceLayout);
+    return true;
+  }
+}
+
+// Replace the version comments in the new lockfile with the ones from the old
+// lockfile. If they weren't present in the old lockfile, delete them.
+function recoverVersionComments(oldLockfile, newLockfile) {
+  const yarnRegex = /^# yarn v(\S+)\n/gm;
+  const nodeRegex = /^# node v(\S+)\n/gm;
+  const oldMatch = regex => [].concat(oldLockfile.match(regex))[0];
+  return newLockfile
+    .replace(yarnRegex, () => oldMatch(yarnRegex) || "")
+    .replace(nodeRegex, () => oldMatch(nodeRegex) || "");
+}
+
+async function updateDependencyFile(directory, lockfileName) {
+  const readFile = fileName =>
+    fs.readFileSync(path.join(directory, fileName)).toString();
+  const originalYarnLock = readFile(lockfileName);
+
+  const flags = {
+    ignoreScripts: true,
+    ignoreWorkspaceRootCheck: true,
+    ignoreEngines: true
+  };
+  const reporter = new EventReporter();
+  const config = new Config(reporter);
+  await config.init({
+    cwd: directory,
+    nonInteractive: true,
+    enableDefaultRc: true
+  });
+  config.enableLockfileVersions = Boolean(originalYarnLock.match(/^# yarn v/m));
+
+  const lockfile = await Lockfile.fromDirectory(directory, reporter);
+  const install = new LightweightInstall(flags, config, reporter, lockfile);
+  await install.init();
+  var updatedYarnLock = readFile(lockfileName);
+
+  updatedYarnLock = recoverVersionComments(originalYarnLock, updatedYarnLock);
+
+  return {
+    [lockfileName]: updatedYarnLock
+  };
+}
+
+module.exports = { updateDependencyFile };