RubyGems - dependabot-javascript - Versions diffs - 0.296.1 - Mend

dependabot-javascript 0.296.1

Files changed (45) hide show

data/lib/dependabot/javascript/shared/update_checker/registry_finder.rb ADDED Viewed

@@ -0,0 +1,358 @@
+# typed: strict
+# frozen_string_literal: true
+require "excon"
+module Dependabot
+  module Javascript
+    module Shared
+      module UpdateChecker
+        class RegistryFinder
+          extend T::Sig
+          CENTRAL_REGISTRIES = %w(
+            https://registry.npmjs.org
+            http://registry.npmjs.org
+            https://registry.yarnpkg.com
+            http://registry.yarnpkg.com
+          ).freeze
+          NPM_AUTH_TOKEN_REGEX = %r{//(?<registry>.*)/:_authToken=(?<token>.*)$}
+          NPM_GLOBAL_REGISTRY_REGEX = /^registry\s*=\s*['"]?(?<registry>.*?)['"]?$/
+          YARN_GLOBAL_REGISTRY_REGEX = /^(?:--)?registry\s+((['"](?<registry>.*)['"])|(?<registry>.*))/
+          NPM_SCOPED_REGISTRY_REGEX = /^(?<scope>@[^:]+)\s*:registry\s*=\s*['"]?(?<registry>.*?)['"]?$/
+          YARN_SCOPED_REGISTRY_REGEX = /['"](?<scope>@[^:]+):registry['"]\s((['"](?<registry>.*)['"])|(?<registry>.*))/
+          Registry = T.type_alias { String }
+          RegistrySyntax = T.type_alias { T.any(Regexp, String) }
+          sig do
+            params(
+              dependency: T.nilable(Dependency),
+              credentials: T::Array[Credential],
+              rc_file: T.nilable(DependencyFile)
+            ).void
+          end
+          def initialize(dependency:, credentials:, rc_file:)
+            @dependency = dependency
+            @credentials = credentials
+            @rc_file = rc_file
+            @npmrc_file = T.let(
+              rc_file&.name&.end_with?(".npmrc") ? rc_file : nil,
+              T.nilable(DependencyFile)
+            )
+          end
+          sig { returns(T.nilable(Registry)) }
+          def registry
+            @registry ||= T.let(
+              locked_registry || configured_registry || first_registry_with_dependency_details,
+              T.nilable(Registry)
+            )
+          end
+          sig { returns(T::Hash[String, String]) }
+          def auth_headers
+            auth_header_for(auth_token)
+          end
+          sig { returns(String) }
+          def dependency_url
+            "#{registry_url}/#{escaped_dependency_name}"
+          end
+          sig { params(version: Version).returns(String) }
+          def tarball_url(version)
+            version_without_build_metadata = version.to_s.gsub(/\+.*/, "")
+            # Dependency name needs to be unescaped since tarball URLs don't always work with escaped slashes
+            "#{registry_url}/#{dependency&.name}/-/#{scopeless_name}-#{version_without_build_metadata}.tgz"
+          end
+          sig { params(registry: String).returns(T::Boolean) }
+          def self.central_registry?(registry)
+            CENTRAL_REGISTRIES.any? do |r|
+              r.include?(registry)
+            end
+          end
+          sig { params(dependency_name: String).returns(T.nilable(String)) }
+          def registry_from_rc(dependency_name)
+            explicit_registry_from_rc(dependency_name) || global_registry
+          end
+          private
+          sig { returns(T.nilable(Dependency)) }
+          attr_reader :dependency
+          sig { returns(T::Array[Credential]) }
+          attr_reader :credentials
+          sig { returns(T.nilable(DependencyFile)) }
+          attr_reader :rc_file
+          sig { returns(T.nilable(DependencyFile)) }
+          attr_reader :npmrc_file
+          sig { params(dependency_name: T.nilable(String)).returns(T.nilable(String)) }
+          def explicit_registry_from_rc(dependency_name)
+            if dependency_name&.start_with?("@") && dependency_name.include?("/")
+              scope = dependency_name.split("/").first
+              scoped_registry(scope) || configured_global_registry
+            else
+              configured_global_registry
+            end
+          end
+          sig { returns(T.nilable(Registry)) }
+          def first_registry_with_dependency_details
+            @first_registry_with_dependency_details ||= T.let(
+              known_registries.find do |details|
+                url = "#{details['registry'].gsub(%r{/+$}, '')}/#{escaped_dependency_name}"
+                url = "https://#{url}" unless url.start_with?("http")
+                response = Dependabot::RegistryClient.get(
+                  url: url,
+                  headers: auth_header_for(details["token"])
+                )
+                response.status < 400 && JSON.parse(response.body)
+              rescue Excon::Error::Timeout,
+                     Excon::Error::Socket,
+                     JSON::ParserError
+                nil
+              rescue URI::InvalidURIError => e
+                raise DependencyFileNotResolvable, e.message
+              end&.fetch("registry"),
+              T.nilable(Registry)
+            )
+            @first_registry_with_dependency_details ||= global_registry.to_s.sub(%r{/+$}, "").sub(%r{^.*?//}, "")
+          end
+          sig { returns(T.nilable(String)) }
+          def registry_url
+            url =
+              if registry&.start_with?("http")
+                registry
+              else
+                protocol =
+                  if registry_source_url
+                    registry_source_url&.split("://")&.first
+                  else
+                    "https"
+                  end
+                "#{protocol}://#{registry}"
+              end
+            url&.gsub(%r{/+$}, "")
+          end
+          sig { params(token: T.nilable(String)).returns(T::Hash[String, String]) }
+          def auth_header_for(token)
+            return {} unless token
+            if token.include?(":")
+              encoded_token = Base64.encode64(token).delete("\n")
+              { "Authorization" => "Basic #{encoded_token}" }
+            elsif Base64.decode64(token).ascii_only? &&
+                  Base64.decode64(token).include?(":")
+              { "Authorization" => "Basic #{token.delete("\n")}" }
+            else
+              { "Authorization" => "Bearer #{token}" }
+            end
+          end
+          sig { returns(T.nilable(String)) }
+          def auth_token
+            known_registries
+              .find { |cred| cred["registry"] == registry }
+              &.fetch("token", nil)
+          end
+          sig { returns(T.nilable(Registry)) }
+          def locked_registry
+            return unless registry_source_url
+            lockfile_registry =
+              T.must(registry_source_url)
+               .gsub("https://", "")
+               .gsub("http://", "")
+            detailed_registry =
+              known_registries
+              .find { |h| h["registry"].include?(lockfile_registry) }
+              &.fetch("registry")
+            detailed_registry || lockfile_registry
+          end
+          sig { returns(T.nilable(String)) }
+          def configured_registry
+            configured_registry_url = explicit_registry_from_rc(dependency&.name)
+            return unless configured_registry_url
+            normalize_configured_registry(configured_registry_url)
+          end
+          sig { returns(T::Array[T::Hash[String, T.untyped]]) }
+          def known_registries
+            @known_registries ||= T.let(
+              begin
+                registries = []
+                registries += credentials
+                              .select { |cred| cred["type"] == "npm_registry" && cred["registry"] }
+                              .tap { |arr| arr.each { |c| c["token"] ||= nil } }
+                registries += npmrc_registries
+                unique_registries(registries)
+              end,
+              T.nilable(T::Array[T::Hash[String, T.untyped]])
+            )
+          end
+          sig { returns(T::Array[T::Hash[String, T.untyped]]) }
+          def npmrc_registries
+            return [] unless npmrc_file
+            registries = []
+            T.must(npmrc_file).content&.scan(NPM_AUTH_TOKEN_REGEX) do
+              next if Regexp.last_match&.[](:registry)&.include?("${")
+              registry = T.must(Regexp.last_match)[:registry]
+              token = T.must(Regexp.last_match)[:token]&.strip
+              registries << {
+                "type" => "npm_registry",
+                "registry" => registry&.gsub(/\s+/, "%20"),
+                "token" => token
+              }
+            end
+            registries += npmrc_global_registries
+          end
+          sig { params(registries: T::Array[T::Hash[String, T.untyped]]).returns(T::Array[T::Hash[String, T.untyped]]) }
+          def unique_registries(registries)
+            registries.uniq.reject do |registry|
+              next if registry["token"]
+              # Reject this entry if an identical one with a token exists
+              registries.any? do |r|
+                r["token"] && r["registry"] == registry["registry"]
+              end
+            end
+          end
+          sig { returns(T.nilable(String)) }
+          def global_registry
+            return @global_registry if defined? @global_registry
+            @global_registry ||= T.let(configured_global_registry || "https://registry.npmjs.org", T.nilable(String))
+          end
+          sig { returns(T.nilable(String)) }
+          def configured_global_registry
+            return @configured_global_registry if defined? @configured_global_registry
+            @configured_global_registry = T.let(
+              npmrc_file && npmrc_global_registries.first&.fetch("url"),
+              T.nilable(String)
+            )
+            return @configured_global_registry if @configured_global_registry
+            replaces_base = credentials.find { |cred| cred["type"] == "npm_registry" && cred.replaces_base? }
+            if replaces_base
+              registry = replaces_base["registry"]
+              registry = "https://#{registry}" unless registry&.start_with?("http")
+              return @configured_global_registry = registry
+            end
+            @configured_global_registry = nil
+          end
+          sig { returns(T::Array[T::Hash[String, T.nilable(String)]]) }
+          def npmrc_global_registries
+            return [] unless npmrc_file
+            global_rc_registries(T.must(npmrc_file), syntax: NPM_GLOBAL_REGISTRY_REGEX)
+          end
+          sig { params(scope: T.nilable(String)).returns(T.nilable(String)) }
+          def scoped_registry(scope)
+            scoped_rc_registry(npmrc_file, syntax: NPM_SCOPED_REGISTRY_REGEX, scope: scope)
+          end
+          sig do
+            params(file: DependencyFile, syntax: RegistrySyntax)
+              .returns(T::Array[T::Hash[String, T.nilable(String)]])
+          end
+          def global_rc_registries(file, syntax:)
+            registries = []
+            file.content&.scan(syntax) do
+              next if Regexp.last_match&.[](:registry)&.include?("${")
+              url = T.must(T.must(Regexp.last_match)[:registry]).strip
+              registry = normalize_configured_registry(url)
+              registries << {
+                "type" => "npm_registry",
+                "registry" => registry,
+                "url" => url,
+                "token" => nil
+              }
+            end
+            registries
+          end
+          sig do
+            params(file: T.nilable(DependencyFile), syntax: RegistrySyntax, scope: T.nilable(String))
+              .returns(T.nilable(String))
+          end
+          def scoped_rc_registry(file, syntax:, scope:)
+            file&.content.to_s.scan(syntax) do
+              next if Regexp.last_match&.[](:registry)&.include?("${") || Regexp.last_match&.[](:scope) != scope
+              return T.must(T.must(Regexp.last_match)[:registry]).strip
+            end
+            nil
+          end
+          # npm registries expect slashes to be escaped
+          sig { returns(T.nilable(String)) }
+          def escaped_dependency_name
+            return unless dependency
+            T.must(dependency).name.gsub("/", "%2F")
+          end
+          sig { returns(T.nilable(String)) }
+          def scopeless_name
+            return unless dependency
+            T.must(dependency).name.split("/").last
+          end
+          sig { returns(T.nilable(String)) }
+          def registry_source_url
+            return unless dependency
+            sources = T.must(dependency).requirements
+                       .map { |r| r.fetch(:source) }.uniq.compact
+                       .sort_by { |source| self.class.central_registry?(source[:url]) ? 1 : 0 }
+            sources.find { |s| s[:type] == "registry" }&.fetch(:url)
+          end
+          sig { params(url: String).returns(String) }
+          def normalize_configured_registry(url)
+            url.sub(%r{/+$}, "")
+               .sub(%r{^.*?//}, "")
+               .gsub(/\s+/, "%20")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/shared/version.rb ADDED Viewed

@@ -0,0 +1,133 @@
+# typed: strict
+# frozen_string_literal: true
+# JavaScript pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
+# converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
+# alteration.
+#
+# See https://semver.org/ for details of node's version syntax.
+module Dependabot
+  module Javascript
+    module Shared
+      class Version < Dependabot::Version
+        extend T::Sig
+        sig { returns(T.nilable(String)) }
+        attr_reader :build_info
+        # These are possible npm versioning tags that can be used in place of a version.
+        # See https://docs.npmjs.com/cli/v10/commands/npm-dist-tag#purpose for more details.
+        VERSION_TAGS = T.let([
+          "alpha",        # Alpha version, early testing phase
+          "beta",         # Beta version, more stable than alpha
+          "canary",       # Canary version, often used for cutting-edge builds
+          "dev",          # Development version, ongoing development
+          "experimental", # Experimental version, unstable and new features
+          "latest",       # Latest stable version, used by npm to identify the current version of a package
+          "legacy",       # Legacy version, older version maintained for compatibility
+          "next",         # Next version, used by some projects to identify the upcoming version
+          "nightly",      # Nightly build, daily builds often including latest changes
+          "rc",           # Release candidate, potential final version
+          "release",      # General release version
+          "stable"        # Stable version, thoroughly tested and stable
+        ].freeze.map(&:freeze), T::Array[String])
+        VERSION_PATTERN = T.let(Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?', String)
+        ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
+        sig { override.params(version: VersionParameter).returns(T::Boolean) }
+        def self.correct?(version)
+          version = version.gsub(/^v/, "") if version.is_a?(String)
+          return false if version.nil?
+          version.to_s.match?(ANCHORED_VERSION_PATTERN)
+        end
+        sig { params(version: VersionParameter).returns(VersionParameter) }
+        def self.semver_for(version)
+          # The next two lines are to guard against improperly formatted
+          # versions in a lockfile, such as an empty string or additional
+          # characters. NPM/yarn fixes these when running an update, so we can
+          # safely ignore these versions.
+          return if version == ""
+          return unless correct?(version)
+          version
+        end
+        sig { override.params(version: VersionParameter).void }
+        def initialize(version)
+          version = clean_version(version)
+          @version_string = T.let(version.to_s, String)
+          @build_info = T.let(nil, T.nilable(String))
+          version, @build_info = version.to_s.split("+") if version.to_s.include?("+")
+          super(T.must(version))
+        end
+        sig { params(version: VersionParameter).returns(VersionParameter) }
+        def clean_version(version)
+          # Check if version is a string before attempting to match
+          if version.is_a?(String)
+            # Matches @ followed by x.y.z (digits separated by dots)
+            if (match = version.match(/@(\d+\.\d+\.\d+)/))
+              version = match[1] # Just "4.5.3"
+            # Extract version in case the output contains Corepack verbose data
+            elsif version.include?("Corepack")
+              version = T.must(T.must(version.tr("\n", " ").match(/(\d+\.\d+\.\d+)/))[-1])
+            end
+            version = version&.gsub(/^v/, "")
+          end
+          version
+        end
+        sig { override.params(version: VersionParameter).returns(Version) }
+        def self.new(version)
+          T.cast(super, Version)
+        end
+        sig { returns(Integer) }
+        def major
+          @major ||= T.let(segments[0].to_i, T.nilable(Integer))
+        end
+        sig { returns(Integer) }
+        def minor
+          @minor ||= T.let(segments[1].to_i, T.nilable(Integer))
+        end
+        sig { returns(Integer) }
+        def patch
+          @patch ||= T.let(segments[2].to_i, T.nilable(Integer))
+        end
+        sig { params(other: Version).returns(T::Boolean) }
+        def backwards_compatible_with?(other)
+          case major
+          when 0
+            self == other
+          else
+            major == other.major && minor >= other.minor
+          end
+        end
+        sig { override.returns(String) }
+        def to_s
+          @version_string
+        end
+        sig { override.returns(String) }
+        def inspect
+          "#<#{self.class} #{@version_string}>"
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/shared/version_selector.rb ADDED Viewed

@@ -0,0 +1,60 @@
+# typed: strict
+# frozen_string_literal: true
+module Dependabot
+  module Javascript
+    module Shared
+      class VersionSelector
+        extend T::Sig
+        extend T::Helpers
+        # For limited testing, allowing only specific versions defined in engines in package.json
+        # such as "20.8.7", "8.1.2", "8.21.2",
+        NODE_ENGINE_SUPPORTED_REGEX = /^\d+(?:\.\d+)*$/
+        # Sets up engine versions from the given manifest JSON.
+        #
+        # @param manifest_json [Hash] The manifest JSON containing version information.
+        # @param name [String] The engine name to match.
+        # @return [Hash] A hash with selected versions, if found.
+        sig do
+          params(
+            manifest_json: T::Hash[String, T.untyped],
+            name: String,
+            dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+          )
+            .returns(T::Hash[Symbol, T.untyped])
+        end
+        def setup(manifest_json, name, dependabot_versions = nil)
+          engine_versions = manifest_json["engines"]
+          # Return an empty hash if no engine versions are specified
+          return {} if engine_versions.nil?
+          versions = {}
+          if Dependabot::Experiments.enabled?(:enable_engine_version_detection)
+            engine_versions.each do |engine, value|
+              next unless engine.to_s.match(name)
+              versions[name] = ConstraintHelper.find_highest_version_from_constraint_expression(
+                value, dependabot_versions
+              )
+            end
+          else
+            versions = engine_versions.select do |engine, value|
+              engine.to_s.match(name) && valid_extracted_version?(value)
+            end
+          end
+          versions
+        end
+        sig { params(version: String).returns(T::Boolean) }
+        def valid_extracted_version?(version)
+          version.match?(NODE_ENGINE_SUPPORTED_REGEX)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript.rb ADDED Viewed

@@ -0,0 +1,39 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/bun"
+module Dependabot
+  module Javascript
+    DEFAULT_PACKAGE_MANAGER = "npm"
+    ERROR_MALFORMED_VERSION_NUMBER = "Malformed version number"
+    MANIFEST_ENGINES_KEY = "engines"
+    MANIFEST_FILENAME = "package.json"
+    MANIFEST_PACKAGE_MANAGER_KEY = "packageManager"
+    # Define a type alias for the expected class interface
+    JavascriptPackageManagerClassType = T.type_alias do
+      T.class_of(Bun::PackageManager)
+    end
+    PACKAGE_MANAGER_CLASSES = T.let({
+      Bun::PackageManager::NAME => Bun::PackageManager
+    }.freeze, T::Hash[String, JavascriptPackageManagerClassType])
+    PACKAGE_MANAGER_VERSION_REGEX = /
+      ^                        # Start of string
+      (?<major>\d+)            # Major version (required, numeric)
+      \.                       # Separator between major and minor versions
+      (?<minor>\d+)            # Minor version (required, numeric)
+      \.                       # Separator between minor and patch versions
+      (?<patch>\d+)            # Patch version (required, numeric)
+      (                        # Start pre-release section
+        -(?<pre_release>[a-zA-Z0-9.]+) # Pre-release label (optional, alphanumeric or dot-separated)
+      )?
+      (                        # Start build metadata section
+        \+(?<build>[a-zA-Z0-9.]+) # Build metadata (optional, alphanumeric or dot-separated)
+      )?
+      $                        # End of string
+    /x # Extended mode for readability
+  end
+end