dependabot-core 0.90.7 → 0.91.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ca60b68edf72500bf556b4ea4b94ab4093d82875f3f5c7b7b2288963d851f912
-  data.tar.gz: e10201ca4d2305895f933d1f0e49d483c5eff50fc454988f3ac917a66c6ef31a
+  metadata.gz: af11b25d9b115415c088f9c77543e4bd51f6ef6b954b49e7b9da9f51d3b4b1a0
+  data.tar.gz: 9bc66fd6c7a5f0f1d28f4a475efe9a90caf58604e6c49b14d81841e30a18c3de
 SHA512:
-  metadata.gz: dc0e0c73bcf8274c7df438b838797d88d7162773dff4d6d0bac5431bedad00337d270804bb1be60c35ed8079fe0976b08ccade6625552f36c3d0249724e80d9b
-  data.tar.gz: 3d146909da2fd0409a44f214f4271d4912f742481a9128f0d675c7252fb2fd66645799c54d1cf754dc83f2784f77fa971d68077afa9aef3c658d124c0988c497
+  metadata.gz: 3f0e5292567bb9cfe3ff1950e20de8cea7cff7cc5c9b2657fd4e55b86c19f422189c100b623432fa1b7a0257f738957527070d30bfe09675a61e3df3b26949c4
+  data.tar.gz: 7c859a7345af7998aa474edaff439ff0d969d6bc5d870a11e2c854080acd134cdb01728723cd63019f4a25c94e000b5ebf06e3b1ce63dcdf8a06dff0ecb89ab9

data/CHANGELOG.md

@@ -1,3 +1,36 @@
+## v0.91.0, 17 January 2019
+
+- Relax Elixir spec
+- Update paths for JS helpers in config file
+- Another JS fix
+- Add back JS installers so linters can be run
+- Install hex helpers after npm_and_yarn helpers
+- Fix JS specs
+- Remove unnecessary install step
+- Disable problematic spec
+- Elixir: require fully released version of jason
+- Merge pull request #911 from dependabot/old-master
+- Remove possibly redundant check that npm lockfile has changed
+- Better uniqing of Rust files
+- More reduction of `type` use
+- Use DependencyFile#type more sparingly
+- JS: Add error context when no files where updated
+- Merge pull request #906 from dependabot/reorg-js
+- Update and fix the license
+- Fix MessageBuilder test
+- Add build script
+- Merge pull request #908 from bai/typo-fix
+- Fix README typo
+- Update CircleCI config
+- Move fixture files and get specs passing (pending helpers work)
+- Fix gitignore
+- Fix require lines
+- Fix rubocops
+- Namespace change
+- Initial move
+- Initial setup
+- Dep: Ignore indirect dependencies in latest_resolvable_version_with_no_unlock
+
 ## v0.90.7, 15 January 2019
 
 - Dep: Ignore indirect dependencies more robustly

data/LICENSE

@@ -1,16 +1,17 @@
-The Prosperity Public License 1.0.1
+The Prosperity Public License 2.0.0
 
-Copyright Notice: {Licensor Name}
+Contributor: Dependabot Ltd
 
-Source Notice: {https://example.com/project}
+Source Code: https://github.com/dependabot/dependabot-core
 
 This license lets you use and share this software for free,
 with a trial-length time limit on commercial use. Specifically:
 
 If you follow the rules below, you may do everything with this
-software that would otherwise infringe my copyright in it or any
-patent claim I can license that covers this software as of my
-latest contribution.
+software that would otherwise infringe either the contributor's
+copyright in it, any patent claim the contributor can license
+that covers this software as of the contributor's latest
+contribution, or both.
 
 1. You must limit use of this software in any manner primarily
    intended for or directed toward commercial advantage or
@@ -19,19 +20,20 @@ latest contribution.
    developing feedback, modifications, or extensions that you
    contribute back to those giving this license.
 
-2. Ensure everyone who gets a copy of this software from you,
-   in source code or any other form, gets the text of this
-   license and the copyright and source notices above.
+2. Ensure everyone who gets a copy of this software from you, in
+   source code or any other form, gets the text of this license
+   and the contributor and source code lines above.
 
-3. Do not make any legal claim against anyone for infringing
-   any patent claim they would infringe by using this software
-   alone, accusing this software, with or without changes,
-   alone or as part of a larger program.
+3. Do not make any legal claim against anyone for infringing any
+   patent claim they would infringe by using this software alone,
+   accusing this software, with or without changes, alone or as
+   part of a larger application.
 
 You are excused for unknowingly breaking rule 1 if you stop
 doing anything requiring this license within 30 days of
 learning you broke the rule.
 
 **This software comes as is, without any warranty at all. As far
-as the law allows, I will not be liable for any damages related
-to this software or this license, for any kind of legal claim.**
+as the law allows, the contributor will not be liable for any
+damages related to this software or this license, for any kind of
+legal claim.**

data/README.md

@@ -86,7 +86,7 @@ If you use Dependabot Core then we'd love to hear what you build!
 
 We use the License Zero Prosperity Public License, which essentially enshrines
 the following:
-- If you would like to use Dependabot Core for non-commerical purposes, such as
+- If you would like to use Dependabot Core for non-commercial purposes, such as
   to host a bot at your workplace, then we give you full permission to do so. In
   fact, we'd love you to, and will help and support you however we can.
 - If you would like to add Dependabot's functionality to your for-profit

data/lib/dependabot/dependency_file.rb

@@ -11,8 +11,14 @@ module Dependabot
       @name = name
       @content = content
       @directory = clean_directory(directory)
-      @type = type
       @support_file = support_file
+
+      # Type is used *very* sparingly. It lets the git_modules updater know that
+      # a "file" is actually a submodule, and lets our Go updaters know which
+      # file represents the main.go.
+      # New use cases should be avoided if at all possible (and use the
+      # support_file flag instead)
+      @type = type
     end
 
     def to_h

data/lib/dependabot/file_fetchers.rb

@@ -1,13 +1,11 @@
 # frozen_string_literal: true
 
 require "dependabot/file_fetchers/ruby/bundler"
-require "dependabot/file_fetchers/java_script/npm_and_yarn"
 
 module Dependabot
   module FileFetchers
     @file_fetchers = {
-      "bundler" => FileFetchers::Ruby::Bundler,
-      "npm_and_yarn" => FileFetchers::JavaScript::NpmAndYarn
+      "bundler" => FileFetchers::Ruby::Bundler
     }
 
     def self.for_package_manager(package_manager)

data/lib/dependabot/file_parsers.rb

@@ -1,13 +1,11 @@
 # frozen_string_literal: true
 
 require "dependabot/file_parsers/ruby/bundler"
-require "dependabot/file_parsers/java_script/npm_and_yarn"
 
 module Dependabot
   module FileParsers
     @file_parsers = {
-      "bundler" => FileParsers::Ruby::Bundler,
-      "npm_and_yarn" => FileParsers::JavaScript::NpmAndYarn
+      "bundler" => FileParsers::Ruby::Bundler
     }
 
     def self.for_package_manager(package_manager)

data/lib/dependabot/file_updaters.rb

@@ -1,13 +1,11 @@
 # frozen_string_literal: true
 
 require "dependabot/file_updaters/ruby/bundler"
-require "dependabot/file_updaters/java_script/npm_and_yarn"
 
 module Dependabot
   module FileUpdaters
     @file_updaters = {
-      "bundler" => FileUpdaters::Ruby::Bundler,
-      "npm_and_yarn" => FileUpdaters::JavaScript::NpmAndYarn
+      "bundler" => FileUpdaters::Ruby::Bundler
     }
 
     def self.for_package_manager(package_manager)

data/lib/dependabot/metadata_finders.rb

@@ -1,13 +1,11 @@
 # frozen_string_literal: true
 
 require "dependabot/metadata_finders/ruby/bundler"
-require "dependabot/metadata_finders/java_script/npm_and_yarn"
 
 module Dependabot
   module MetadataFinders
     @metadata_finders = {
-      "bundler" => MetadataFinders::Ruby::Bundler,
-      "npm_and_yarn" => MetadataFinders::JavaScript::NpmAndYarn
+      "bundler" => MetadataFinders::Ruby::Bundler
     }
 
     def self.for_package_manager(package_manager)

data/lib/dependabot/update_checkers.rb

@@ -1,13 +1,11 @@
 # frozen_string_literal: true
 
 require "dependabot/update_checkers/ruby/bundler"
-require "dependabot/update_checkers/java_script/npm_and_yarn"
 
 module Dependabot
   module UpdateCheckers
     @update_checkers = {
-      "bundler" => UpdateCheckers::Ruby::Bundler,
-      "npm_and_yarn" => UpdateCheckers::JavaScript::NpmAndYarn
+      "bundler" => UpdateCheckers::Ruby::Bundler
     }
 
     def self.for_package_manager(package_manager)

data/lib/dependabot/utils.rb

@@ -1,8 +1,5 @@
 # frozen_string_literal: true
 
-require "dependabot/utils/java_script/version"
-
-require "dependabot/utils/java_script/requirement"
 require "dependabot/utils/ruby/requirement"
 
 # TODO: in due course, these "registries" should live in a wrapper gem, not
@@ -12,8 +9,7 @@ module Dependabot
     @version_classes = {
       "bundler" => Gem::Version,
       "submodules" => Gem::Version,
-      "docker" => Gem::Version,
-      "npm_and_yarn" => Utils::JavaScript::Version
+      "docker" => Gem::Version
     }
 
     def self.version_class_for_package_manager(package_manager)
@@ -30,8 +26,7 @@ module Dependabot
     @requirement_classes = {
       "bundler" => Utils::Ruby::Requirement,
       "submodules" => Utils::Ruby::Requirement,
-      "docker" => Utils::Ruby::Requirement,
-      "npm_and_yarn" => Utils::JavaScript::Requirement
+      "docker" => Utils::Ruby::Requirement
     }
 
     def self.requirement_class_for_package_manager(package_manager)

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.90.7"
+  VERSION = "0.91.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-core
 version: !ruby/object:Gem::Version
-  version: 0.90.7
+  version: 0.91.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-15 00:00:00.000000000 Z
+date: 2019-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-ecr
@@ -298,43 +298,8 @@ files:
 - CHANGELOG.md
 - LICENSE
 - README.md
-- helpers/npm/.eslintrc
-- helpers/npm/bin/run.js
-- helpers/npm/lib/helpers.js
-- helpers/npm/lib/peer-dependency-checker.js
-- helpers/npm/lib/subdependency-updater.js
-- helpers/npm/lib/updater.js
-- helpers/npm/package-lock.json
-- helpers/npm/package.json
-- helpers/npm/test/fixtures/npm-left-pad.json
-- helpers/npm/test/fixtures/updater/original/package-lock.json
-- helpers/npm/test/fixtures/updater/original/package.json
-- helpers/npm/test/fixtures/updater/updated/package-lock.json
-- helpers/npm/test/helpers.js
-- helpers/npm/test/updater.test.js
-- helpers/npm/yarn.lock
 - helpers/test/run.rb
 - helpers/utils/git-credential-store-immutable
-- helpers/yarn/.eslintrc
-- helpers/yarn/bin/run.js
-- helpers/yarn/lib/fix-duplicates.js
-- helpers/yarn/lib/helpers.js
-- helpers/yarn/lib/lockfile-parser.js
-- helpers/yarn/lib/peer-dependency-checker.js
-- helpers/yarn/lib/replace-lockfile-declaration.js
-- helpers/yarn/lib/subdependency-updater.js
-- helpers/yarn/lib/updater.js
-- helpers/yarn/package.json
-- helpers/yarn/test/fixtures/updater/original/package.json
-- helpers/yarn/test/fixtures/updater/original/yarn.lock
-- helpers/yarn/test/fixtures/updater/updated/yarn.lock
-- helpers/yarn/test/fixtures/updater/with-version-comments/package.json
-- helpers/yarn/test/fixtures/updater/with-version-comments/yarn.lock
-- helpers/yarn/test/fixtures/yarnpkg-is-positive.json
-- helpers/yarn/test/fixtures/yarnpkg-left-pad.json
-- helpers/yarn/test/helpers.js
-- helpers/yarn/test/updater.test.js
-- helpers/yarn/yarn.lock
 - lib/bundler_definition_bundler_version_patch.rb
 - lib/bundler_definition_ruby_version_patch.rb
 - lib/bundler_git_source_patch.rb
@@ -348,8 +313,6 @@ files:
 - lib/dependabot/file_fetchers.rb
 - lib/dependabot/file_fetchers/README.md
 - lib/dependabot/file_fetchers/base.rb
-- lib/dependabot/file_fetchers/java_script/npm_and_yarn.rb
-- lib/dependabot/file_fetchers/java_script/npm_and_yarn/path_dependency_builder.rb
 - lib/dependabot/file_fetchers/ruby/bundler.rb
 - lib/dependabot/file_fetchers/ruby/bundler/child_gemfile_finder.rb
 - lib/dependabot/file_fetchers/ruby/bundler/gemspec_finder.rb
@@ -359,19 +322,12 @@ files:
 - lib/dependabot/file_parsers/README.md
 - lib/dependabot/file_parsers/base.rb
 - lib/dependabot/file_parsers/base/dependency_set.rb
-- lib/dependabot/file_parsers/java_script/npm_and_yarn.rb
 - lib/dependabot/file_parsers/ruby/bundler.rb
 - lib/dependabot/file_parsers/ruby/bundler/file_preparer.rb
 - lib/dependabot/file_parsers/ruby/bundler/gemfile_checker.rb
 - lib/dependabot/file_updaters.rb
 - lib/dependabot/file_updaters/README.md
 - lib/dependabot/file_updaters/base.rb
-- lib/dependabot/file_updaters/java_script/npm_and_yarn.rb
-- lib/dependabot/file_updaters/java_script/npm_and_yarn/npm_lockfile_updater.rb
-- lib/dependabot/file_updaters/java_script/npm_and_yarn/npmrc_builder.rb
-- lib/dependabot/file_updaters/java_script/npm_and_yarn/package_json_preparer.rb
-- lib/dependabot/file_updaters/java_script/npm_and_yarn/package_json_updater.rb
-- lib/dependabot/file_updaters/java_script/npm_and_yarn/yarn_lockfile_updater.rb
 - lib/dependabot/file_updaters/ruby/bundler.rb
 - lib/dependabot/file_updaters/ruby/bundler/gemfile_updater.rb
 - lib/dependabot/file_updaters/ruby/bundler/gemspec_dependency_name_finder.rb
@@ -389,7 +345,6 @@ files:
 - lib/dependabot/metadata_finders/base/changelog_pruner.rb
 - lib/dependabot/metadata_finders/base/commits_finder.rb
 - lib/dependabot/metadata_finders/base/release_finder.rb
-- lib/dependabot/metadata_finders/java_script/npm_and_yarn.rb
 - lib/dependabot/metadata_finders/ruby/bundler.rb
 - lib/dependabot/pull_request_creator.rb
 - lib/dependabot/pull_request_creator/branch_namer.rb
@@ -405,13 +360,6 @@ files:
 - lib/dependabot/update_checkers.rb
 - lib/dependabot/update_checkers/README.md
 - lib/dependabot/update_checkers/base.rb
-- lib/dependabot/update_checkers/java_script/npm_and_yarn.rb
-- lib/dependabot/update_checkers/java_script/npm_and_yarn/latest_version_finder.rb
-- lib/dependabot/update_checkers/java_script/npm_and_yarn/library_detector.rb
-- lib/dependabot/update_checkers/java_script/npm_and_yarn/registry_finder.rb
-- lib/dependabot/update_checkers/java_script/npm_and_yarn/requirements_updater.rb
-- lib/dependabot/update_checkers/java_script/npm_and_yarn/subdependency_version_resolver.rb
-- lib/dependabot/update_checkers/java_script/npm_and_yarn/version_resolver.rb
 - lib/dependabot/update_checkers/ruby/bundler.rb
 - lib/dependabot/update_checkers/ruby/bundler/file_preparer.rb
 - lib/dependabot/update_checkers/ruby/bundler/force_updater.rb
@@ -421,8 +369,6 @@ files:
 - lib/dependabot/update_checkers/ruby/bundler/shared_bundler_helpers.rb
 - lib/dependabot/update_checkers/ruby/bundler/version_resolver.rb
 - lib/dependabot/utils.rb
-- lib/dependabot/utils/java_script/requirement.rb
-- lib/dependabot/utils/java_script/version.rb
 - lib/dependabot/utils/ruby/requirement.rb
 - lib/dependabot/version.rb
 - lib/rubygems_version_patch.rb

data/helpers/npm/.eslintrc

@@ -1,14 +0,0 @@
-{
-  "plugins": [
-    "prettier"
-  ],
-  "rules": {
-    "prettier/prettier": "error"
-  },
-  "env": {
-    "node": true
-  },
-  "parserOptions": {
-    "ecmaVersion": 8
-  }
-}

data/helpers/npm/bin/run.js

@@ -1,34 +0,0 @@
-const updater = require("../lib/updater");
-const peerDependencyChecker = require("../lib/peer-dependency-checker");
-const subdependencyUpdater = require("../lib/subdependency-updater");
-
-const functionMap = {
-  update: updater.updateDependencyFiles,
-  updateSubdependency: subdependencyUpdater.updateDependencyFile,
-  checkPeerDependencies: peerDependencyChecker.checkPeerDependencies
-};
-
-function output(obj) {
-  process.stdout.write(JSON.stringify(obj));
-}
-
-const input = [];
-process.stdin.on("data", data => input.push(data));
-process.stdin.on("end", () => {
-  const request = JSON.parse(input.join(""));
-  const func = functionMap[request.function];
-  if (!func) {
-    output({ error: `Invalid function ${request.function}` });
-    process.exit(1);
-  }
-
-  func
-    .apply(null, request.args)
-    .then(result => {
-      output({ result: result });
-    })
-    .catch(error => {
-      output({ error: error.message });
-      process.exit(1);
-    });
-});

data/helpers/npm/lib/helpers.js

@@ -1,25 +0,0 @@
-function runAsync(obj, method, args) {
-  return new Promise((resolve, reject) => {
-    const cb = (err, ...returnValues) => {
-      if (err) {
-        reject(err);
-      } else {
-        resolve(returnValues);
-      }
-    };
-    method.apply(obj, [...args, cb]);
-  });
-}
-
-function muteStderr() {
-  const original = process.stderr.write;
-  process.stderr.write = () => {};
-  return () => {
-    process.stderr.write = original;
-  };
-}
-
-module.exports = {
-  runAsync,
-  muteStderr
-};

data/helpers/npm/lib/peer-dependency-checker.js

@@ -1,102 +0,0 @@
-/* PEER DEPENDENCY CHECKER
- *
- * Inputs:
- *  - directory containing a package.json and a yarn.lock
- *  - dependency name
- *  - new dependency version
- *  - requirements for this dependency
- *
- * Outputs:
- *  - successful completion, or an error if there are peer dependency warnings
- */
-
-const npm = require("npm");
-const installer = require("npm/lib/install");
-const { muteStderr, runAsync } = require("./helpers.js");
-
-function installArgsWithVersion(depName, desiredVersion, requirements) {
-  const source = (requirements.find(req => req.source) || {}).source;
-
-  if (source && source.type === "git") {
-    return [`${depName}@${source.url}#${desiredVersion}`];
-  } else {
-    return [`${depName}@${desiredVersion}`];
-  }
-}
-
-async function checkPeerDependencies(
-  directory,
-  depName,
-  desiredVersion,
-  requirements,
-  topLevelDependencies
-) {
-  // `force: true` ignores checks for platform (os, cpu) and engines
-  // in npm/lib/install/validate-args.js
-  // Platform is checked and raised from (EBADPLATFORM):
-  // https://github.com/npm/npm-install-checks
-  await runAsync(npm, npm.load, [{ loglevel: "silent", force: true }]);
-
-  const dryRun = true;
-
-  // Returns dep name and version for npm install, example: ["react@16.6.0"]
-  let args = installArgsWithVersion(depName, desiredVersion, requirements);
-
-  // To check peer dependencies requirements in all top level dependencies we
-  // need to explicitly tell npm to fetch all manifests by specifying the
-  // existing dependency name and version in npm install
-
-  // For exampele, if we have "react@15.6.2" and "react-dom@15.6.2" installed
-  // and we want to install react@16.6.0, we need get the existing version of
-  // react-dom and pass this to npm install along with the new version react,
-  // this way npm fetches the manifest for react-dom and determines that we
-  // can't install react@16.6.0 due to the peer dependency requirement in
-  // react-dom
-
-  // If we only pass the new dep@version to npm install, e.g. "react@16.6.0" npm
-  // will only fetch the manifest for react and not know that react-dom enforces
-  // a peerDependency on react
-
-  // Returns dep name and version for npm install, example: ["react-dom@15.6.2"]
-  // - given react and react-dom in top level deps
-  const otherDeps = (topLevelDependencies || [])
-    .filter(dep => dep.name !== depName && dep.version)
-    .map(dep => installArgsWithVersion(dep.name, dep.version, dep.requirements))
-    .reduce((acc, dep) => acc.concat(dep), []);
-
-  args = args.concat(otherDeps);
-
-  const initialInstaller = new installer.Installer(directory, dryRun, args, {
-    packageLockOnly: true
-  });
-
-  // A bug in npm means the initial install will remove any git dependencies
-  // from the lockfile. A subsequent install with no arguments fixes this.
-  const cleanupInstaller = new installer.Installer(directory, dryRun, [], {
-    packageLockOnly: true
-  });
-
-  // Skip printing the success message
-  initialInstaller.printInstalled = cb => cb();
-  cleanupInstaller.printInstalled = cb => cb();
-
-  // There are some hard-to-prevent bits of output.
-  // This is horrible, but works.
-  const unmute = muteStderr();
-  try {
-    await runAsync(initialInstaller, initialInstaller.run, []);
-    await runAsync(cleanupInstaller, cleanupInstaller.run, []);
-  } finally {
-    unmute();
-  }
-
-  const peerDependencyWarnings = initialInstaller.idealTree.warnings
-    .filter(warning => warning.code === "EPEERINVALID")
-    .map(warning => warning.message);
-
-  if (peerDependencyWarnings.length) {
-    throw new Error(peerDependencyWarnings.join("\n"));
-  }
-}
-
-module.exports = { checkPeerDependencies };