dependabot-core 0.87.5 → 0.87.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 71f676293872268388934f5fbcdcc20e8b9061bdec7346031eeebcb5fcb3d9a8
-  data.tar.gz: 0e1c56cf730fca2cdce80928d637d35b34e3c1fe5feae211eaf8bd0aaeecb388
+  metadata.gz: 7ac6c5bd2bbf26b5dac19a512e8bc4f7713d389d0f29cbc2642d0862141f8c50
+  data.tar.gz: 8285dc609f5a040f3747933a024a6272f931528aaba60a2119ca91e3d0e8833d
 SHA512:
-  metadata.gz: dc24eb4ee2e13cdb5db0ed246dcf4b65f0272cce77479096418a85e6143b7bedc585dba5686fc511d21b0144d2ebb3ac595b0e3887479e7a23266ef7be820d74
-  data.tar.gz: b2797b6359638cb3ef846774267b9324fb7364fcc187678e2d5fd1fb398276039cd2516d9692bcd79735f423e8b9e55ffa91105ccb06bba92dec42b04b3a64d4
+  metadata.gz: f6c2d5f02ea25d5a4aea0d06471e66d764ae2f70d406e169a219a1174133e21ce806d9f0269e4a0537d18277d78695bc915104696be4938571c0de205fd604d4
+  data.tar.gz: 63ec2baaac7661fba5eb0ca7f853d5df2a747794a7e635e2f0e7d22ce999c23062280da5839642d6c0919cc61594f963d4c92659b30e64e00d71053a691426b6

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## v0.87.6, 4 January 2019
+
+- Yarn: de-duplicate indirect dependencies
+
 ## v0.87.5, 4 January 2019
 
 - Handle empty versions properly when a build or local version is possible
@@ -835,7 +839,7 @@
 
 ## v0.75.16, 6 November 2018
 
-- Python:  Bump poetry from 0.12.5 to 0.12.6
+- Python: Bump poetry from 0.12.5 to 0.12.6
 - JS: Handle version resolution for sub-dependencies when not updating manifest
 - Add a common interface for provider client (thanks @codisart)
 
@@ -1015,7 +1019,7 @@
 
 ## v0.74.6, 25 October 2018
 
-- JS: Don't update the  attribute for git dependencies in npm6 lockfiles
+- JS: Don't update the attribute for git dependencies in npm6 lockfiles
 - Rust: Guard against trying to update dependencies with multiple source types
 
 ## v0.74.5, 25 October 2018
@@ -1868,7 +1872,7 @@
 - JS: Bump npm from 6.4.0 to 6.4.1
 - Python: Fetch setup.cfg if present
 - Python: Check whether setup.py is using pbr
-- Python: Handle setup.py files that use a __name__ == '__main__' structure
+- Python: Handle setup.py files that use a **name** == '**main**' structure
 
 ## v0.69.4, 29 August 2018
 
@@ -2393,7 +2397,7 @@
 ## v0.61.90, 20 July 2018
 
 - JS: Store version as git SHA for git dependencies using Yarn
-- JS: Fall back to  when an updated version can't be found
+- JS: Fall back to when an updated version can't be found
 
 ## v0.61.89, 20 July 2018
 
@@ -3269,7 +3273,7 @@
 
 - BREAKING: Require a type attribute for git source credentials
 - BREAKING: Require a hostname when specifying an api_endpoint for a
-            Dependabot::Source
+  Dependabot::Source
 - PHP: Set credentials for all known git sources (means private Bitbucket and
   Gitlab repos are now supported)
 - Rust: Set credentials for all known git sources (means private Bitbucket and
@@ -5326,7 +5330,7 @@
 
 ## v0.38.2, 13 December 2017
 
-- Python: Handle * version strings in UpdateChecker
+- Python: Handle \* version strings in UpdateChecker
 
 ## v0.38.1, 13 December 2017
 
@@ -6659,20 +6663,19 @@
 
 ## v0.3.2, 09 May 2017
 
--  Don't discard DependencyFile details when updating (#24)
+- Don't discard DependencyFile details when updating (#24)
 
 ## v0.3.1, 09 May 2017
 
--  Support fetching dependency files from a specified directory (#23)
-
+- Support fetching dependency files from a specified directory (#23)
 
 ## v0.3.0, 09 May 2017
 
--  BREAKING: Rename Node to JavaScript everywhere (#22)
+- BREAKING: Rename Node to JavaScript everywhere (#22)
 
 ## v0.2.1, 03 May 2017
 
--  Store the failed git command on GitCommandError (#21)
+- Store the failed git command on GitCommandError (#21)
 
 ## v0.2.0, 02 May 2017
 

data/helpers/yarn/lib/fix-duplicates.js

@@ -3,9 +3,22 @@ const stringify = require("@dependabot/yarn-lib/lib/lockfile/stringify")
   .default;
 const semver = require("semver");
 
-// Inspired by yarn-tools. Altered to ensure the latest version is always used
+function flattenIndirectDependencies(packages) {
+  return (packages || []).reduce((acc, { pkg }) => {
+    if ("dependencies" in pkg) {
+      return acc.concat(Object.keys(pkg.dependencies));
+    }
+    return acc;
+  }, []);
+}
+
+// Inspired by yarn-deduplicate. Altered to ensure the latest version is always used
 // for version ranges which allow it.
-module.exports = (data, includePackages = []) => {
+module.exports = (data, updatedDependencyName) => {
+  if (!updatedDependencyName) {
+    throw new Error("Yarn fix duplicates: must provide dependency name");
+  }
+
   const json = parse(data).object;
   const enableLockfileVersions = Boolean(data.match(/^# yarn v/m));
   const noHeader = !Boolean(data.match(/^# THIS IS AN AU/m));
@@ -23,11 +36,23 @@ module.exports = (data, includePackages = []) => {
     }
   });
 
-  Object.entries(packages)
-    .filter(([name]) => {
-      if (includePackages.length === 0) return true;
-      return includePackages.includes(name);
-    })
+  const packageEntries = Object.entries(packages);
+
+  const updatedPackageEntry = packageEntries.filter(([name]) => {
+    return updatedDependencyName === name;
+  });
+
+  const updatedDependencyPackage =
+    updatedPackageEntry[0] && updatedPackageEntry[0][1];
+
+  const indirectDependencies = flattenIndirectDependencies(
+    updatedDependencyPackage
+  );
+
+  const packagesToDedupe = [updatedDependencyName, ...indirectDependencies];
+
+  packageEntries
+    .filter(([name]) => packagesToDedupe.includes(name))
     .forEach(([name, packages]) => {
       // Reverse sort, so we'll find the maximum satisfying version first
       const versions = packages.map(p => p.pkg.version).sort(semver.rcompare);

data/lib/dependabot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dependabot
-  VERSION = "0.87.5"
+  VERSION = "0.87.6"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-core
 version: !ruby/object:Gem::Version
-  version: 0.87.5
+  version: 0.87.6
 platform: ruby
 authors:
 - Dependabot