dependabot-core 0.87.5 → 0.87.6
- checksums.yaml +4 -4
- data/CHANGELOG.md +14 -11
- data/helpers/yarn/lib/fix-duplicates.js +32 -7
- data/lib/dependabot/version.rb +1 -1
- metadata +1 -1
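--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7ac6c5bd2bbf26b5dac19a512e8bc4f7713d389d0f29cbc2642d0862141f8c50
+data.tar.gz: 8285dc609f5a040f3747933a024a6272f931528aaba60a2119ca91e3d0e8833d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f6c2d5f02ea25d5a4aea0d06471e66d764ae2f70d406e169a219a1174133e21ce806d9f0269e4a0537d18277d78695bc915104696be4938571c0de205fd604d4
+data.tar.gz: 63ec2baaac7661fba5eb0ca7f853d5df2a747794a7e635e2f0e7d22ce999c23062280da5839642d6c0919cc61594f963d4c92659b30e64e00d71053a691426b6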
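--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+## v0.87.6, 4 January 2019
+
+- Yarn: de-duplicate indirect dependencies
+
 ## v0.87.5, 4 January 2019
 
 - Handle empty versions properly when a build or local version is possible
@@ -835,7 +839,7 @@
 
 ## v0.75.16, 6 November 2018
 
-- Python:
+- Python: Bump poetry from 0.12.5 to 0.12.6
 - JS: Handle version resolution for sub-dependencies when not updating manifest
 - Add a common interface for provider client (thanks @codisart)
 
@@ -1015,7 +1019,7 @@
 
 ## v0.74.6, 25 October 2018
 
-- JS: Don't update the
+- JS: Don't update the attribute for git dependencies in npm6 lockfiles
 - Rust: Guard against trying to update dependencies with multiple source types
 
 ## v0.74.5, 25 October 2018
@@ -1868,7 +1872,7 @@
 - JS: Bump npm from 6.4.0 to 6.4.1
 - Python: Fetch setup.cfg if present
 - Python: Check whether setup.py is using pbr
-- Python: Handle setup.py files that use a
+- Python: Handle setup.py files that use a **name** == '**main**' structure
 
 ## v0.69.4, 29 August 2018
 
@@ -2393,7 +2397,7 @@
 ## v0.61.90, 20 July 2018
 
 - JS: Store version as git SHA for git dependencies using Yarn
-- JS: Fall back to
+- JS: Fall back to when an updated version can't be found
 
 ## v0.61.89, 20 July 2018
 
@@ -3269,7 +3273,7 @@
 
 - BREAKING: Require a type attribute for git source credentials
 - BREAKING: Require a hostname when specifying an api_endpoint for a
-
+Dependabot::Source
 - PHP: Set credentials for all known git sources (means private Bitbucket and
 Gitlab repos are now supported)
 - Rust: Set credentials for all known git sources (means private Bitbucket and
@@ -5326,7 +5330,7 @@
 
 ## v0.38.2, 13 December 2017
 
-- Python: Handle
+- Python: Handle \* version strings in UpdateChecker
 
 ## v0.38.1, 13 December 2017
 
@@ -6659,20 +6663,19 @@
 
 ## v0.3.2, 09 May 2017
 
--
+- Don't discard DependencyFile details when updating (#24)
 
 ## v0.3.1, 09 May 2017
 
--
-
+- Support fetching dependency files from a specified directory (#23)
 
 ## v0.3.0, 09 May 2017
 
--
+- BREAKING: Rename Node to JavaScript everywhere (#22)
 
 ## v0.2.1, 03 May 2017
 
--
+- Store the failed git command on GitCommandError (#21)
 
 ## v0.2.0, 02 May 2017
 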
@@ -3,9 +3,22 @@ const stringify = require("@dependabot/yarn-lib/lib/lockfile/stringify")
|
|
3
3
|
.default;
|
4
4
|
const semver = require("semver");
|
5
5
|
|
6
|
-
|
6
|
+
function flattenIndirectDependencies(packages) {
|
7
|
+
return (packages || []).reduce((acc, { pkg }) => {
|
8
|
+
if ("dependencies" in pkg) {
|
9
|
+
return acc.concat(Object.keys(pkg.dependencies));
|
10
|
+
}
|
11
|
+
return acc;
|
12
|
+
}, []);
|
13
|
+
}
|
14
|
+
|
15
|
+
// Inspired by yarn-deduplicate. Altered to ensure the latest version is always used
|
7
16
|
// for version ranges which allow it.
|
8
|
-
module.exports = (data,
|
17
|
+
module.exports = (data, updatedDependencyName) => {
|
18
|
+
if (!updatedDependencyName) {
|
19
|
+
throw new Error("Yarn fix duplicates: must provide dependency name");
|
20
|
+
}
|
21
|
+
|
9
22
|
const json = parse(data).object;
|
10
23
|
const enableLockfileVersions = Boolean(data.match(/^# yarn v/m));
|
11
24
|
const noHeader = !Boolean(data.match(/^# THIS IS AN AU/m));
|
@@ -23,11 +36,23 @@ module.exports = (data, includePackages = []) => {
|
|
23
36
|
}
|
24
37
|
});
|
25
38
|
|
26
|
-
Object.entries(packages)
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
39
|
+
const packageEntries = Object.entries(packages);
|
40
|
+
|
41
|
+
const updatedPackageEntry = packageEntries.filter(([name]) => {
|
42
|
+
return updatedDependencyName === name;
|
43
|
+
});
|
44
|
+
|
45
|
+
const updatedDependencyPackage =
|
46
|
+
updatedPackageEntry[0] && updatedPackageEntry[0][1];
|
47
|
+
|
48
|
+
const indirectDependencies = flattenIndirectDependencies(
|
49
|
+
updatedDependencyPackage
|
50
|
+
);
|
51
|
+
|
52
|
+
const packagesToDedupe = [updatedDependencyName, ...indirectDependencies];
|
53
|
+
|
54
|
+
packageEntries
|
55
|
+
.filter(([name]) => packagesToDedupe.includes(name))
|
31
56
|
.forEach(([name, packages]) => {
|
32
57
|
// Reverse sort, so we'll find the maximum satisfying version first
|
33
58
|
const versions = packages.map(p => p.pkg.version).sort(semver.rcompare);
|
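Review bot: `flattenIndirectDependencies` in the first hunk tests `"dependencies" in pkg`, which also matches inherited properties, so an entry parsed from a repository-controlled yarn.lock that has no own `dependencies` map could still pass the check if the object's prototype carried one; the own-property form `if (Object.prototype.hasOwnProperty.call(pkg, "dependencies")) {` is the safer test for untrusted lockfile data. The helper also collects only the direct dependencies of the updated package's lockfile entries, not their transitive closure, which looks intentional but is worth stating in a header comment such as `// Names of the direct dependencies of each lockfile entry for one package (one level, not transitive).` In the second hunk, `packagesToDedupe.includes(name)` runs once per lockfile entry, making that filter O(entries × names); `const packagesToDedupe = new Set([updatedDependencyName, ...indirectDependencies]);` together with `.filter(([name]) => packagesToDedupe.has(name))` keeps it linear without changing which entries are selected. The exported function's body continues past the end of the second hunk.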
data/lib/dependabot/version.rb
CHANGED