dependabot-deno 0.381.0 → 0.382.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8f09b4597272a584e27bbc50f868f2b0f7f7a6fb9c42322a1e05bc4b88de5e81
-  data.tar.gz: 9a42fd39d620f3f933f17a6fbf4e27ca55eb1a95d83f5e9f8db6174c65e6dc7d
+  metadata.gz: 259ff22154909455999bff4c6341ce93bb6cecfdf5ec644535420a0db458c8bf
+  data.tar.gz: 7f9fb9b1e67cbbf2daeb3bf0aa6b708cae04976ec26267abdb68d83f0d824511
 SHA512:
-  metadata.gz: 406e6856fcf2dc844967f3ccbc027d3800e9e63d5cb9e6d26cc03c8ae6eeefa86ccb4602135b017b483c60119ae94fffa24c78efb29ebe059b35d4aca18b9a47
-  data.tar.gz: 63ddff74163ba395d05394a791a45f47b7f7d1d00a427f49370493550766eba3b39996133dec8f7984cb727821726083188affc09151de4d6a163e245ab5211d
+  metadata.gz: 647e202253c8265d0c294619494a0919aeb4b392e8b0e5f21beef34e8f69f9f76b35e0b1f379f24857f98a42b51931945b8733bb944128b60353b99479b95fe9
+  data.tar.gz: c6e93dcfe555ad1ca77a7939289c020166abc0ec959dc34c82c9be969161b6cfd051189026e3988ce9dab43d5d2e27fd4f697bb2f02ff25075b0c2edb8d61c8e

data/lib/dependabot/deno/file_fetcher.rb

@@ -1,8 +1,9 @@
-# typed: strong
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
+require "dependabot/deno/helpers"
 
 module Dependabot
   module Deno
@@ -25,8 +26,9 @@ module Dependabot
       def fetch_files
         fetched_files = []
         fetched_files << manifest_file
+        fetched_files.concat(workspace_member_files)
         fetched_files << lockfile if lockfile
-        fetched_files
+        fetched_files.uniq(&:name)
       end
 
       sig { override.returns(T.nilable(T::Hash[Symbol, T.untyped])) }
@@ -56,6 +58,100 @@ module Dependabot
           T.nilable(DependencyFile)
         )
       end
+
+      # Fetches the deno.json/deno.jsonc of every workspace member declared in the
+      # root manifest's "workspace" field. Members with neither file (e.g.
+      # package.json-only members) are skipped.
+      sig { returns(T::Array[DependencyFile]) }
+      def workspace_member_files
+        @workspace_member_files ||= T.let(
+          workspace_member_dirs.filter_map { |dir| fetch_member_manifest(dir) },
+          T.nilable(T::Array[DependencyFile])
+        )
+      end
+
+      sig { params(dir: String).returns(T.nilable(DependencyFile)) }
+      def fetch_member_manifest(dir)
+        MANIFEST_FILENAMES.filter_map { |f| fetch_file_if_present(File.join(dir, f)) }.first
+      end
+
+      # Resolves the "workspace" field into a concrete list of member directory
+      # paths (relative to the repo directory), expanding glob patterns and
+      # applying "!" negations. Supports both the array form (["./a", "./b"]) and
+      # the legacy object form ({ "members": [...] }).
+      sig { returns(T::Array[String]) }
+      def workspace_member_dirs
+        members = workspace_members
+        return [] if members.empty?
+
+        includes, excludes = members.partition { |m| !m.start_with?("!") }
+        excluded = excludes.flat_map { |m| expand_member(m.delete_prefix("!")) }
+
+        includes
+          .flat_map { |m| expand_member(m) }
+          .uniq
+          .reject { |dir| excluded.include?(dir) }
+          # Member paths come from manifest content; never fetch from an absolute
+          # path or one that traverses out of the repo via "..".
+          .select { |dir| Helpers.safe_relative_path?(dir) }
+      end
+
+      sig { returns(T::Array[String]) }
+      def workspace_members
+        workspace = Helpers.parse_json_or_jsonc(manifest_file.content).fetch("workspace", nil)
+
+        case workspace
+        when Array then workspace.map(&:to_s)
+        when Hash then Array(workspace["members"]).map(&:to_s)
+        else []
+        end
+      end
+
+      # Expands a single member entry to directory paths. Plain paths are
+      # normalised; glob entries (containing "*") are matched against the repo
+      # tree, honouring Deno's literal depth semantics (each "/*" = one level).
+      sig { params(member: String).returns(T::Array[String]) }
+      def expand_member(member)
+        normalised = normalise_member_path(member)
+        return [normalised] unless normalised.include?("*")
+
+        expand_glob(normalised)
+      end
+
+      sig { params(member: String).returns(String) }
+      def normalise_member_path(member)
+        member.delete_prefix("./").delete_suffix("/")
+      end
+
+      # Expands a glob like "packages/*" or "examples/*/*" by walking the repo one
+      # directory level per "*" segment. Only directories are kept.
+      sig { params(pattern: String).returns(T::Array[String]) }
+      def expand_glob(pattern)
+        segments = pattern.split("/")
+        dirs = T.let([""], T::Array[String])
+
+        segments.each do |segment|
+          dirs = dirs.flat_map do |base|
+            if segment == "*"
+              child_directories(base)
+            else
+              child = base.empty? ? segment : File.join(base, segment)
+              [child]
+            end
+          end
+        end
+
+        dirs.reject(&:empty?)
+      end
+
+      sig { params(dir: String).returns(T::Array[String]) }
+      def child_directories(dir)
+        contents = repo_contents(dir: dir.empty? ? "." : dir, raise_errors: false)
+        contents.select { |entry| entry.type == "dir" }
+                .map { |entry| dir.empty? ? entry.name : File.join(dir, entry.name) }
+      rescue Dependabot::DependencyFileNotFound, Dependabot::DirectoryNotFound
+        []
+      end
     end
   end
 end

data/lib/dependabot/deno/file_parser.rb

@@ -5,6 +5,7 @@ require "json"
 require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
+require "dependabot/deno/helpers"
 require "dependabot/deno/version"
 
 module Dependabot
@@ -20,17 +21,6 @@ module Dependabot
       JSR_SPECIFIER = %r{\Ajsr:(?<name>@[^@/]+/[^@/]+)(?:@(?<constraint>[^/]+))?(?:/[^\s]*)?\z}
       NPM_SPECIFIER = %r{\Anpm:(?<name>(?:@[^/]+/)?[^@/]+)(?:@(?<constraint>[^/]+))?(?:/[^\s]*)?\z}
 
-      # Matches either a JSON string literal (with escapes), a line comment, a
-      # block comment, or a trailing comma. The alternation lets gsub preserve
-      # strings while stripping the JSONC-only constructs, so e.g. "//" inside a
-      # URL value is not mistaken for the start of a comment.
-      JSONC_TOKEN = %r{
-        ("(?:\\.|[^"\\])*")    # JSON string literal
-        | //[^\n]*             # line comment
-        | /\*.*?\*/            # block comment
-        | ,(?=\s*[\}\]])       # trailing comma
-      }mx
-
       sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
         # Multiple import aliases can reference the same underlying package
@@ -43,22 +33,24 @@ module Dependabot
         # can update them all.
         deps_by_key = {}
 
-        imports.each do |_alias_name, specifier|
-          dep = parse_specifier(specifier.to_s)
-          next unless dep
-
-          key = [dep.name, T.must(dep.requirements.first)[:source][:type]]
-          existing = deps_by_key[key]
-          deps_by_key[key] = if existing
-                               Dependabot::Dependency.new(
-                                 name: existing.name,
-                                 version: existing.version,
-                                 requirements: (existing.requirements + dep.requirements).uniq,
-                                 package_manager: existing.package_manager
-                               )
-                             else
-                               dep
-                             end
+        manifest_files.each do |file|
+          imports_for(file).each do |_alias_name, specifier|
+            dep = parse_specifier(specifier.to_s, file)
+            next unless dep
+
+            key = [dep.name, T.must(dep.requirements.first)[:source][:type]]
+            existing = deps_by_key[key]
+            deps_by_key[key] = if existing
+                                 Dependabot::Dependency.new(
+                                   name: existing.name,
+                                   version: existing.version,
+                                   requirements: (existing.requirements + dep.requirements).uniq,
+                                   package_manager: existing.package_manager
+                                 )
+                               else
+                                 dep
+                               end
+          end
         end
 
         deps_by_key.values.sort_by(&:name)
@@ -68,51 +60,55 @@ module Dependabot
 
       sig { override.void }
       def check_required_files
-        return if manifest_file
+        return if manifest_files.any?
 
         raise "No deno.json or deno.jsonc found!"
       end
 
-      sig { returns(T::Hash[String, T.untyped]) }
-      def imports
-        parsed_manifest.fetch("imports", {})
-      end
-
-      sig { returns(T::Hash[String, T.untyped]) }
-      def parsed_manifest
-        @parsed_manifest ||= T.let(
-          parse_json_or_jsonc(T.must(manifest_file).content),
-          T.nilable(T::Hash[String, T.untyped])
+      # The root manifest plus every workspace member manifest. Members are
+      # fetched relative to the root (e.g. "packages/foo/deno.json"), so match
+      # on basename rather than the full path.
+      sig { returns(T::Array[DependencyFile]) }
+      def manifest_files
+        @manifest_files ||= T.let(
+          dependency_files.select { |f| MANIFEST_FILENAMES.include?(File.basename(f.name)) },
+          T.nilable(T::Array[DependencyFile])
         )
       end
 
-      sig { returns(T.nilable(DependencyFile)) }
-      def manifest_file
-        @manifest_file ||= T.let(
-          MANIFEST_FILENAMES.filter_map { |f| get_original_file(f) }.first,
-          T.nilable(DependencyFile)
-        )
+      sig { params(file: DependencyFile).returns(T::Hash[String, T.untyped]) }
+      def imports_for(file)
+        Helpers.parse_json_or_jsonc(file.content).fetch("imports", {})
       end
 
-      sig { params(specifier: String).returns(T.nilable(Dependabot::Dependency)) }
-      def parse_specifier(specifier)
+      sig { params(specifier: String, file: DependencyFile).returns(T.nilable(Dependabot::Dependency)) }
+      def parse_specifier(specifier, file)
         if (match = JSR_SPECIFIER.match(specifier))
           build_dependency(
             name: T.must(match[:name]),
             constraint: match[:constraint],
-            source_type: "jsr"
+            source_type: "jsr",
+            file: file
           )
         elsif (match = NPM_SPECIFIER.match(specifier))
           build_dependency(
             name: T.must(match[:name]),
             constraint: match[:constraint],
-            source_type: "npm"
+            source_type: "npm",
+            file: file
           )
         end
       end
 
-      sig { params(name: String, constraint: T.nilable(String), source_type: String).returns(Dependabot::Dependency) }
-      def build_dependency(name:, constraint:, source_type:)
+      sig do
+        params(
+          name: String,
+          constraint: T.nilable(String),
+          source_type: String,
+          file: DependencyFile
+        ).returns(Dependabot::Dependency)
+      end
+      def build_dependency(name:, constraint:, source_type:, file:)
         version = constraint ? extract_version(constraint) : nil
 
         Dependabot::Dependency.new(
@@ -120,7 +116,7 @@ module Dependabot
           version: version,
           requirements: [{
             requirement: constraint,
-            file: T.must(manifest_file).name,
+            file: file.name,
             groups: ["imports"],
             source: { type: source_type }
           }],
@@ -135,15 +131,6 @@ module Dependabot
 
         nil
       end
-
-      sig { params(content: T.nilable(String)).returns(T::Hash[String, T.untyped]) }
-      def parse_json_or_jsonc(content)
-        return {} unless content
-
-        cleaned = content.gsub(JSONC_TOKEN) { ::Regexp.last_match(1) || "" }
-
-        JSON.parse(cleaned)
-      end
     end
   end
 end

data/lib/dependabot/deno/file_updater/lockfile_updater.rb

@@ -1,6 +1,7 @@
 # typed: strong
 # frozen_string_literal: true
 
+require "fileutils"
 require "json"
 require "sorbet-runtime"
 
@@ -89,20 +90,35 @@ module Dependabot
 
         sig { params(dir: String).void }
         def write_temporary_files(dir)
-          File.write(File.join(dir, manifest.name), updated_manifest_content)
+          manifest_files.each do |file|
+            # Defence in depth: manifest names ultimately derive from workspace
+            # member paths in repo content. Refuse to write through an absolute
+            # name or one containing ".." so lockfile regeneration can't become a
+            # write primitive outside the temporary directory.
+            unless Helpers.safe_relative_path?(file.name)
+              raise Dependabot::DependencyFileNotResolvable,
+                    "Unsafe manifest path: #{file.name}"
+            end
+
+            path = File.join(dir, file.name)
+            FileUtils.mkdir_p(File.dirname(path))
+            File.write(path, updated_manifest_content(file))
+          end
           File.write(File.join(dir, LOCKFILE_FILENAME), T.must(lockfile.content))
         end
 
-        sig { returns(String) }
-        def updated_manifest_content
-          ManifestUpdater.new(dependencies: dependencies, manifest: manifest).updated_manifest_content
+        sig { params(file: Dependabot::DependencyFile).returns(String) }
+        def updated_manifest_content(file)
+          ManifestUpdater.new(dependencies: dependencies, manifest: file).updated_manifest_content
         end
 
-        sig { returns(Dependabot::DependencyFile) }
-        def manifest
-          @manifest ||= T.let(
-            T.must(dependency_files.find { |f| FileUpdater::MANIFEST_FILENAMES.include?(f.name) }),
-            T.nilable(Dependabot::DependencyFile)
+        # The root manifest plus every workspace member manifest. Members are
+        # fetched relative to the root, so match on basename rather than path.
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def manifest_files
+          @manifest_files ||= T.let(
+            dependency_files.select { |f| FileUpdater::MANIFEST_FILENAMES.include?(File.basename(f.name)) },
+            T.nilable(T::Array[Dependabot::DependencyFile])
           )
         end
 

data/lib/dependabot/deno/file_updater.rb

@@ -19,7 +19,7 @@ module Dependabot
         updated_files = []
 
         dependency_files.each do |file|
-          next unless MANIFEST_FILENAMES.include?(file.name)
+          next unless MANIFEST_FILENAMES.include?(File.basename(file.name))
 
           new_content = update_manifest_content(file)
           next if new_content == file.content
@@ -41,7 +41,7 @@ module Dependabot
 
       sig { override.void }
       def check_required_files
-        return if dependency_files.any? { |f| MANIFEST_FILENAMES.include?(f.name) }
+        return if dependency_files.any? { |f| MANIFEST_FILENAMES.include?(File.basename(f.name)) }
 
         raise "No deno.json or deno.jsonc found!"
       end

data/lib/dependabot/deno/helpers.rb

@@ -1,6 +1,8 @@
-# typed: strong
+# typed: strict
 # frozen_string_literal: true
 
+require "json"
+require "pathname"
 require "sorbet-runtime"
 
 require "dependabot/shared_helpers"
@@ -10,6 +12,47 @@ module Dependabot
     module Helpers
       extend T::Sig
 
+      # Matches either a JSON string literal (with escapes), a line comment, a
+      # block comment, or a trailing comma. The alternation lets gsub preserve
+      # strings while stripping the JSONC-only constructs, so e.g. "//" inside a
+      # URL value is not mistaken for the start of a comment.
+      JSONC_TOKEN = T.let(
+        %r{
+          ("(?:\\.|[^"\\])*")    # JSON string literal
+          | //[^\n]*             # line comment
+          | /\*.*?\*/            # block comment
+          | ,(?=\s*[\}\]])       # trailing comma
+        }mx,
+        Regexp
+      )
+
+      sig { params(content: T.nilable(String)).returns(T::Hash[String, T.untyped]) }
+      def self.parse_json_or_jsonc(content)
+        return {} unless content
+
+        cleaned = content.gsub(JSONC_TOKEN) { ::Regexp.last_match(1) || "" }
+
+        parsed = JSON.parse(cleaned)
+        # A deno.json(c) must be a JSON object. Guard here so a malformed manifest
+        # (e.g. a top-level array) surfaces as a clear parse error rather than an
+        # opaque sorbet-runtime type error at the call site.
+        raise JSON::ParserError, "Expected a JSON object, got #{parsed.class}" unless parsed.is_a?(Hash)
+
+        parsed
+      end
+
+      # True when `path` is a repo-relative path with no traversal. Workspace
+      # member paths are derived from manifest content, so absolute paths
+      # ("/etc") or ".." segments must never be used as fetch/write targets —
+      # File.join would otherwise escape the repo checkout or temp directory.
+      sig { params(path: String).returns(T::Boolean) }
+      def self.safe_relative_path?(path)
+        return false if path.empty?
+        return false if Pathname.new(path).absolute?
+
+        Pathname.new(path).each_filename.none?("..")
+      end
+
       # Wraps `deno <args>` via Dependabot's standard subprocess helper, so
       # failures surface as Dependabot::SharedHelpers::HelperSubprocessFailed
       # (consistent with cargo / bun / npm_and_yarn). DENO_DIR is scoped to

data/lib/dependabot/deno/update_checker.rb

@@ -28,13 +28,14 @@ module Dependabot
         dependency.version
       end
 
-      sig { override.returns(T::Array[T::Hash[Symbol, T.untyped]]) }
+      sig { override.returns(T::Array[Dependabot::DependencyRequirement]) }
       def updated_requirements
         return dependency.requirements unless latest_version
 
-        dependency.requirements.map do |req|
+        updated = dependency.requirements.map do |req|
           req.merge(requirement: updated_constraint(req[:requirement]))
         end
+        wrap_requirements(updated)
       end
 
       private

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-deno
 version: !ruby/object:Gem::Version
-  version: 0.381.0
+  version: 0.382.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.381.0
+        version: 0.382.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.381.0
+        version: 0.382.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -259,7 +259,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.381.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.382.0
 rdoc_options: []
 require_paths:
 - lib