dependabot-javascript 0.296.1

data/lib/dependabot/javascript/shared/registry_parser.rb

@@ -0,0 +1,93 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Dependabot
+  module Javascript
+    module Shared
+      class RegistryParser
+        extend T::Sig
+
+        sig { params(resolved_url: String, credentials: T::Array[Dependabot::Credential]).void }
+        def initialize(resolved_url:, credentials:)
+          @resolved_url = resolved_url
+          @credentials = credentials
+        end
+
+        sig { params(name: String).returns(T::Hash[Symbol, T.untyped]) }
+        def registry_source_for(name)
+          url =
+            if resolved_url.include?("/~/")
+              # Gemfury format
+              resolved_url.split("/~/").first
+            elsif resolved_url.include?("/#{name}/-/#{name}")
+              # MyGet / Bintray format
+              T.must(resolved_url.split("/#{name}/-/#{name}").first)
+               .gsub("dl.bintray.com//", "api.bintray.com/npm/").
+                # GitLab format
+                gsub(%r{\/projects\/\d+}, "")
+            elsif resolved_url.include?("/#{name}/-/#{name.split('/').last}")
+              # Sonatype Nexus / Artifactory JFrog format
+              resolved_url.split("/#{name}/-/#{name.split('/').last}").first
+            elsif (cred_url = url_for_relevant_cred) then cred_url
+            else
+              T.must(resolved_url.split("/")[0..2]).join("/")
+            end
+
+          { type: "registry", url: url }
+        end
+
+        sig { returns(String) }
+        def dependency_name
+          url_base = if resolved_url.include?("/-/")
+                       T.must(resolved_url.split("/-/").first)
+                     else
+                       resolved_url
+                     end
+
+          package_name = url_base.gsub("%2F", "/").match(%r{@.*/})
+
+          return T.must(url_base.gsub("%2F", "/").split("/").last) unless package_name
+
+          "#{package_name}#{T.must(url_base.gsub('%2F', '/').split('/').last)}"
+        end
+
+        private
+
+        sig { returns(String) }
+        attr_reader :resolved_url
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+
+        # rubocop:disable Metrics/PerceivedComplexity
+        sig { returns(T.nilable(String)) }
+        def url_for_relevant_cred
+          resolved_url_host = URI(resolved_url).host
+
+          credential_matching_url =
+            credentials
+            .select { |cred| cred["type"] == "npm_registry" && cred["registry"] }
+            .sort_by { |cred| cred.fetch("registry").length }
+            .find do |details|
+              next true if resolved_url_host == details["registry"]
+
+              uri = if details["registry"]&.include?("://")
+                      URI(details.fetch("registry"))
+                    else
+                      URI("https://#{details['registry']}")
+                    end
+              resolved_url_host == uri.host && resolved_url.include?(details.fetch("registry"))
+            end
+
+          return unless credential_matching_url
+
+          # Trim the resolved URL so that it ends at the same point as the
+          # credential registry
+          reg = credential_matching_url.fetch("registry")
+          resolved_url.gsub(/#{Regexp.quote(reg)}.*/, "") + reg
+        end
+        # rubocop:enable Metrics/PerceivedComplexity
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/shared/requirement.rb

@@ -0,0 +1,144 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Dependabot
+  module Javascript
+    module Shared
+      class Requirement < Dependabot::Requirement
+        extend T::Sig
+
+        AND_SEPARATOR = /(?<=[a-zA-Z0-9*])\s+(?:&+\s+)?(?!\s*[|-])/
+        OR_SEPARATOR = /(?<=[a-zA-Z0-9*])\s*\|+/
+
+        # Override the version pattern to allow a 'v' prefix
+        quoted = OPS.keys.map { |k| Regexp.quote(k) }.join("|")
+        version_pattern = "v?#{Version::VERSION_PATTERN}"
+
+        PATTERN_RAW = T.let("\\s*(#{quoted})?\\s*(#{version_pattern})\\s*".freeze, String)
+        PATTERN = /\A#{PATTERN_RAW}\z/
+
+        sig { params(obj: T.untyped).returns(T::Array[T.untyped]) }
+        def self.parse(obj)
+          return ["=", nil] if obj.is_a?(String) && Version::VERSION_TAGS.include?(obj.strip)
+          return ["=", Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
+
+          unless (matches = PATTERN.match(obj.to_s))
+            msg = "Illformed requirement [#{obj.inspect}]"
+            raise BadRequirementError, msg
+          end
+
+          return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+
+          [matches[1] || "=", Version.new(T.must(matches[2]))]
+        end
+
+        # Returns an array of requirements. At least one requirement from the
+        # returned array must be satisfied for a version to be valid.
+        sig { override.params(requirement_string: T.nilable(String)).returns(T::Array[Requirement]) }
+        def self.requirements_array(requirement_string)
+          return [new([])] if requirement_string.nil?
+
+          # Removing parentheses is technically wrong but they are extremely
+          # rarely used.
+          # TODO: Handle complicated parenthesised requirements
+          requirement_string = requirement_string.gsub(/[()]/, "")
+          requirement_string.strip.split(OR_SEPARATOR).map do |req_string|
+            requirements = req_string.strip.split(AND_SEPARATOR)
+            new(requirements)
+          end
+        end
+
+        sig { params(requirements: T.any(String, T::Array[String])).void }
+        def initialize(*requirements)
+          requirements = requirements.flatten
+                                     .flat_map { |req_string| req_string.split(",").map(&:strip) }
+                                     .flat_map { |req_string| convert_js_constraint_to_ruby_constraint(req_string) }
+
+          super(requirements)
+        end
+
+        private
+
+        sig { params(req_string: String).returns(T.any(String, T::Array[String])) }
+        def convert_js_constraint_to_ruby_constraint(req_string)
+          return req_string if req_string.match?(/^([A-Za-uw-z]|v[^\d])/)
+
+          req_string = req_string.gsub(/(?:\.|^)[xX*]/, "")
+
+          if req_string.empty? then ">= 0"
+          elsif req_string.start_with?("~>") then req_string
+          elsif req_string.start_with?("=") then req_string.gsub(/^=*/, "")
+          elsif req_string.start_with?("~") then convert_tilde_req(req_string)
+          elsif req_string.start_with?("^") then convert_caret_req(req_string)
+          elsif req_string.include?(" - ") then convert_hyphen_req(req_string)
+          elsif req_string.match?(/[<>]/) then req_string
+          else
+            ruby_range(req_string)
+          end
+        end
+
+        sig { params(req_string: String).returns(String) }
+        def convert_tilde_req(req_string)
+          version = req_string.gsub(/^~\>?[\s=]*/, "")
+          parts = version.split(".")
+          parts << "0" if parts.count < 3
+          "~> #{parts.join('.')}"
+        end
+
+        sig { params(req_string: String).returns(T::Array[String]) }
+        def convert_hyphen_req(req_string)
+          lower_bound, upper_bound = req_string.split(/\s+-\s+/)
+          lower_bound_parts = lower_bound&.split(".")
+          lower_bound_parts&.fill("0", lower_bound_parts.length...3)
+
+          upper_bound_parts = upper_bound&.split(".")
+          upper_bound_range =
+            if upper_bound_parts && upper_bound_parts.length < 3
+              # When upper bound is a partial version treat these as an X-range
+              upper_bound_parts[-1] = upper_bound_parts[-1].to_i + 1 if upper_bound_parts[-1].to_i.positive?
+              upper_bound_parts.fill("0", upper_bound_parts.length...3)
+              "< #{upper_bound_parts.join('.')}.a"
+            else
+              "<= #{upper_bound_parts&.join('.')}"
+            end
+
+          [">= #{lower_bound_parts&.join('.')}", upper_bound_range]
+        end
+
+        sig { params(req_string: String).returns(String) }
+        def ruby_range(req_string)
+          parts = req_string.split(".")
+          # If we have three or more parts then this is an exact match
+          return req_string if parts.count >= 3
+
+          # If we have fewer than three parts we do a partial match
+          parts << "0"
+          "~> #{parts.join('.')}"
+        end
+
+        sig { params(req_string: String).returns(T::Array[String]) }
+        def convert_caret_req(req_string) # rubocop:disable Metrics/PerceivedComplexity
+          version = req_string.gsub(/^\^[\s=]*/, "")
+          parts = version.split(".")
+          parts.fill("x", parts.length...3)
+          first_non_zero = parts.find { |d| d != "0" }
+          first_non_zero_index =
+            first_non_zero ? parts.index(first_non_zero) : parts.count - 1
+          # If the requirement has a blank minor or patch version increment the
+          # previous index value with 1
+          first_non_zero_index -= 1 if first_non_zero_index && first_non_zero == "x"
+          upper_bound = parts.map.with_index do |part, i|
+            if i < T.must(first_non_zero_index) then part
+            elsif i == first_non_zero_index then (part.to_i + 1).to_s
+            elsif i > T.must(first_non_zero_index) && i == 2 then "0.a"
+            else
+              0
+            end
+          end.join(".")
+
+          [">= #{version}", "< #{upper_bound}"]
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/shared/sub_dependency_files_filterer.rb

@@ -0,0 +1,79 @@
+# typed: strong
+# frozen_string_literal: true
+
+# Used in the sub dependency version resolver and file updater to only run
+# yarn/npm helpers on dependency files that require updates. This is useful for
+# large monorepos with lots of sub-projects that don't all have the same
+# dependencies.
+module Dependabot
+  module Javascript
+    module Shared
+      class SubDependencyFilesFilterer
+        extend T::Sig
+
+        sig { params(dependency_files: T::Array[DependencyFile], updated_dependencies: T::Array[Dependency]).void }
+        def initialize(dependency_files:, updated_dependencies:)
+          @dependency_files = dependency_files
+          @updated_dependencies = updated_dependencies
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def files_requiring_update
+          return T.must(@files_requiring_update) if defined? @files_requiring_update
+
+          files_requiring_update =
+            lockfiles.select do |lockfile|
+              lockfile_dependencies(lockfile).any? do |sub_dep|
+                updated_dependencies.any? do |updated_dep|
+                  next false unless sub_dep.name == updated_dep.name
+
+                  version_class.new(updated_dep.version) >
+                    version_class.new(sub_dep.version)
+                end
+              end
+            end
+
+          @files_requiring_update ||= T.let(files_requiring_update, T.nilable(T::Array[DependencyFile]))
+        end
+
+        private
+
+        sig { returns(T::Array[DependencyFile]) }
+        attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependency]) }
+        attr_reader :updated_dependencies
+
+        sig { params(lockfile: DependencyFile).returns(T::Array[Dependabot::Dependency]) }
+        def lockfile_dependencies(lockfile)
+          @lockfile_dependencies ||= T.let({}, T.nilable(T::Hash[String, T::Array[Dependency]]))
+          @lockfile_dependencies[lockfile.name] ||=
+            NpmAndYarn::FileParser::LockfileParser.new(
+              dependency_files: [lockfile]
+            ).parse
+        end
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        def lockfiles
+          dependency_files.select { |file| lockfile?(file) }
+        end
+
+        sig { params(file: DependencyFile).returns(T::Boolean) }
+        def lockfile?(file)
+          file.name.end_with?(
+            "package-lock.json",
+            "yarn.lock",
+            "npm-shrinkwrap.json",
+            "bun.lock",
+            "pnpm-lock.yaml"
+          )
+        end
+
+        sig { returns(T.class_of(Dependabot::NpmAndYarn::Version)) }
+        def version_class
+          NpmAndYarn::Version
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/shared/update_checker/dependency_files_builder.rb

@@ -0,0 +1,87 @@
+# typed: strict
+# frozen_string_literal: true
+
+module Dependabot
+  module Javascript
+    module Shared
+      module UpdateChecker
+        class DependencyFilesBuilder
+          extend T::Helpers
+          extend T::Sig
+
+          abstract!
+
+          Credentials = T.type_alias { T::Array[Credential] }
+
+          sig do
+            params(
+              dependency: Dependency,
+              dependency_files: T::Array[DependencyFile],
+              credentials: Credentials
+            )
+              .void
+          end
+          def initialize(dependency:, dependency_files:, credentials:)
+            @dependency = T.let(dependency, Dependency)
+            @dependency_files = T.let(dependency_files, T::Array[DependencyFile])
+            @credentials = T.let(credentials, Credentials)
+          end
+
+          sig { void }
+          def write_temporary_dependency_files
+            write_lockfiles
+
+            File.write(".npmrc", npmrc_content)
+
+            package_files.each do |file|
+              path = file.name
+              FileUtils.mkdir_p(Pathname.new(path).dirname)
+              File.write(file.name, prepared_package_json_content(file))
+            end
+          end
+
+          sig { abstract.returns(T::Array[DependencyFile]) }
+          def lockfiles; end
+
+          sig { returns(T::Array[DependencyFile]) }
+          def package_files
+            @package_files ||= T.let(
+              dependency_files
+              .select { |f| f.name.end_with?("package.json") },
+              T.nilable(T::Array[DependencyFile])
+            )
+          end
+
+          private
+
+          sig { returns(Dependency) }
+          attr_reader :dependency
+
+          sig { returns(T::Array[DependencyFile]) }
+          attr_reader :dependency_files
+
+          sig { returns(Credentials) }
+          attr_reader :credentials
+
+          sig { abstract.returns(T::Array[DependencyFile]) }
+          def write_lockfiles; end
+
+          sig { params(file: DependencyFile).returns(String) }
+          def prepared_package_json_content(file)
+            FileUpdater::PackageJsonPreparer.new(
+              package_json_content: file.content
+            ).prepared_content
+          end
+
+          sig { returns(String) }
+          def npmrc_content
+            FileUpdater::NpmrcBuilder.new(
+              credentials: credentials,
+              dependency_files: dependency_files
+            ).npmrc_content
+          end
+        end
+      end
+    end
+  end
+end