RubyGems - dependabot-javascript - Versions diffs - 0.296.1 - Mend

dependabot-javascript 0.296.1

Files changed (45) hide show

data/lib/dependabot/javascript/bun/helpers.rb ADDED Viewed

@@ -0,0 +1,72 @@
+# typed: strong
+# frozen_string_literal: true
+module Dependabot
+  module Javascript
+    module Bun
+      module Helpers
+        extend T::Sig
+        # BUN Version Constants
+        BUN_V1 = 1
+        BUN_DEFAULT_VERSION = BUN_V1
+        sig { params(_bun_lock: T.nilable(DependencyFile)).returns(Integer) }
+        def self.bun_version_numeric(_bun_lock)
+          BUN_DEFAULT_VERSION
+        end
+        sig { returns(T.nilable(String)) }
+        def self.bun_version
+          run_bun_command("--version", fingerprint: "--version").strip
+        rescue StandardError => e
+          Dependabot.logger.error("Error retrieving Bun version: #{e.message}")
+          nil
+        end
+        sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
+        def self.run_bun_command(command, fingerprint: nil)
+          full_command = "bun #{command}"
+          Dependabot.logger.info("Running bun command: #{full_command}")
+          result = Dependabot::SharedHelpers.run_shell_command(
+            full_command,
+            fingerprint: "bun #{fingerprint || command}"
+          )
+          Dependabot.logger.info("Command executed successfully: #{full_command}")
+          result
+        rescue StandardError => e
+          Dependabot.logger.error("Error running bun command: #{full_command}, Error: #{e.message}")
+          raise
+        end
+        # Fetch the currently installed version of the package manager directly
+        # from the system
+        sig { params(name: String).returns(String) }
+        def self.local_package_manager_version(name)
+          Dependabot::SharedHelpers.run_shell_command(
+            "#{name} -v",
+            fingerprint: "#{name} -v"
+          ).strip
+        end
+        # Run single command on package manager returning stdout/stderr
+        sig do
+          params(
+            name: String,
+            command: String,
+            fingerprint: T.nilable(String)
+          ).returns(String)
+        end
+        def self.package_manager_run_command(name, command, fingerprint: nil)
+          return run_bun_command(command, fingerprint: fingerprint) if name == PackageManager::NAME
+          # TODO: remove this method and just use the one in the PackageManager class
+          "noop"
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/bun/package_manager.rb ADDED Viewed

@@ -0,0 +1,48 @@
+# typed: strong
+# frozen_string_literal: true
+module Dependabot
+  module Javascript
+    module Bun
+      class PackageManager < Ecosystem::VersionManager
+        extend T::Sig
+        NAME = "bun"
+        LOCKFILE_NAME = "bun.lock"
+        # In Bun 1.1.39, the lockfile format was changed from a binary bun.lockb to a text-based bun.lock.
+        # https://bun.sh/blog/bun-lock-text-lockfile
+        MIN_SUPPORTED_VERSION = T.let(Version.new("1.1.39"), Dependabot::Version)
+        SUPPORTED_VERSIONS = T.let([MIN_SUPPORTED_VERSION].freeze, T::Array[Dependabot::Version])
+        DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Version])
+        sig do
+          params(
+            detected_version: T.nilable(String),
+            raw_version: T.nilable(String),
+            requirement: T.nilable(Requirement)
+          ).void
+        end
+        def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+          super(
+            name: NAME,
+            detected_version: detected_version ? Version.new(detected_version) : nil,
+            version: raw_version ? Version.new(raw_version) : nil,
+            deprecated_versions: DEPRECATED_VERSIONS,
+            supported_versions: SUPPORTED_VERSIONS,
+            requirement: requirement
+          )
+        end
+        sig { override.returns(T::Boolean) }
+        def deprecated?
+          false
+        end
+        sig { override.returns(T::Boolean) }
+        def unsupported?
+          false
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/bun/requirement.rb ADDED Viewed

@@ -0,0 +1,11 @@
+# typed: strong
+# frozen_string_literal: true
+module Dependabot
+  module Javascript
+    module Bun
+      class Requirement < Dependabot::Javascript::Shared::Requirement
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/bun/update_checker/conflicting_dependency_resolver.rb ADDED Viewed

@@ -0,0 +1,64 @@
+# typed: true
+# frozen_string_literal: true
+module Dependabot
+  module Javascript
+    module Bun
+      class UpdateChecker < Dependabot::UpdateCheckers::Base
+        class ConflictingDependencyResolver
+          def initialize(dependency_files:, credentials:)
+            @dependency_files = dependency_files
+            @credentials = credentials
+          end
+          # Finds any dependencies in the `yarn.lock` or `package-lock.json` that
+          # have a subdependency on the given dependency that does not satisfly
+          # the target_version.
+          #
+          # @param dependency [Dependabot::Dependency] the dependency to check
+          # @param target_version [String] the version to check
+          # @return [Array<Hash{String => String}]
+          #   * name [String] the blocking dependencies name
+          #   * version [String] the version of the blocking dependency
+          #   * requirement [String] the requirement on the target_dependency
+          def conflicting_dependencies(dependency:, target_version:)
+            SharedHelpers.in_a_temporary_directory do
+              dependency_files_builder = DependencyFilesBuilder.new(
+                dependency: dependency,
+                dependency_files: dependency_files,
+                credentials: credentials
+              )
+              dependency_files_builder.write_temporary_dependency_files
+              # TODO: Look into using npm/arborist for parsing yarn lockfiles (there's currently partial yarn support)
+              #
+              # Prefer the npm conflicting dependency parser if there's both a npm lockfile and a yarn.lock file as the
+              # npm parser handles edge cases where the package.json is out of sync with the lockfile,
+              # something the yarn parser doesn't deal with at the moment.
+              if dependency_files_builder.lockfiles.any?
+                SharedHelpers.run_helper_subprocess(
+                  command: Dependabot::Javascript::Shared::NativeHelpers.helper_path,
+                  function: "npm:findConflictingDependencies",
+                  args: [Dir.pwd, dependency.name, target_version.to_s]
+                )
+              else
+                SharedHelpers.run_helper_subprocess(
+                  command: Dependabot::Javascript::Shared::NativeHelpers.helper_path,
+                  function: "yarn:findConflictingDependencies",
+                  args: [Dir.pwd, dependency.name, target_version.to_s]
+                )
+              end
+            end
+          rescue SharedHelpers::HelperSubprocessFailed
+            []
+          end
+          private
+          attr_reader :dependency_files
+          attr_reader :credentials
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/bun/update_checker/dependency_files_builder.rb ADDED Viewed

@@ -0,0 +1,47 @@
+# typed: strong
+# frozen_string_literal: true
+module Dependabot
+  module Javascript
+    module Bun
+      class UpdateChecker
+        class DependencyFilesBuilder < Shared::UpdateChecker::DependencyFilesBuilder
+          extend T::Sig
+          sig { returns(T::Array[Dependabot::DependencyFile]) }
+          def bun_locks
+            @bun_locks ||= T.let(
+              dependency_files
+              .select { |f| f.name.end_with?("bun.lock") },
+              T.nilable(T::Array[Dependabot::DependencyFile])
+            )
+          end
+          sig { returns(T.nilable(Dependabot::DependencyFile)) }
+          def root_bun_lock
+            @root_bun_lock ||= T.let(
+              dependency_files
+              .find { |f| f.name == "bun.lock" },
+              T.nilable(Dependabot::DependencyFile)
+            )
+          end
+          sig { override.returns(T::Array[Dependabot::DependencyFile]) }
+          def lockfiles
+            [*bun_locks]
+          end
+          private
+          sig { override.returns(T::Array[Dependabot::DependencyFile]) }
+          def write_lockfiles
+            [*bun_locks].each do |f|
+              FileUtils.mkdir_p(Pathname.new(f.name).dirname)
+              File.write(f.name, f.content)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/bun/update_checker/latest_version_finder.rb ADDED Viewed

@@ -0,0 +1,450 @@
+# typed: true
+# frozen_string_literal: true
+require "excon"
+module Dependabot
+  module Javascript
+    module Bun
+      class UpdateChecker
+        class LatestVersionFinder
+          extend T::Sig
+          def initialize(dependency:, credentials:, dependency_files:,
+                         ignored_versions:, security_advisories:,
+                         raise_on_ignored: false)
+            @dependency          = dependency
+            @credentials         = credentials
+            @dependency_files    = dependency_files
+            @ignored_versions    = ignored_versions
+            @raise_on_ignored    = raise_on_ignored
+            @security_advisories = security_advisories
+          end
+          def latest_version_from_registry
+            return unless valid_npm_details?
+            return version_from_dist_tags if version_from_dist_tags
+            return if specified_dist_tag_requirement?
+            possible_versions.find { |v| !yanked?(v) }
+          rescue Excon::Error::Socket, Excon::Error::Timeout, RegistryError
+            raise if dependency_registry == "registry.npmjs.org"
+            # Custom registries can be flaky. We don't want to make that
+            # our problem, so we quietly return `nil` here.
+          end
+          def latest_version_with_no_unlock
+            return unless valid_npm_details?
+            return version_from_dist_tags if specified_dist_tag_requirement?
+            in_range_versions = filter_out_of_range_versions(possible_versions)
+            in_range_versions.find { |version| !yanked?(version) }
+          rescue Excon::Error::Socket, Excon::Error::Timeout
+            raise if dependency_registry == "registry.npmjs.org"
+            # Sometimes custom registries are flaky. We don't want to make that
+            # our problem, so we quietly return `nil` here.
+          end
+          def lowest_security_fix_version
+            return unless valid_npm_details?
+            secure_versions =
+              if specified_dist_tag_requirement?
+                [version_from_dist_tags].compact
+              else
+                possible_versions(filter_ignored: false)
+              end
+            secure_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(secure_versions,
+                                                                                                    security_advisories)
+            secure_versions = filter_ignored_versions(secure_versions)
+            secure_versions = filter_lower_versions(secure_versions)
+            secure_versions.reverse.find { |version| !yanked?(version) }
+          rescue Excon::Error::Socket, Excon::Error::Timeout
+            raise if dependency_registry == "registry.npmjs.org"
+            # Sometimes custom registries are flaky. We don't want to make that
+            # our problem, so we quietly return `nil` here.
+          end
+          def possible_previous_versions_with_details
+            @possible_previous_versions_with_details ||= npm_details.fetch("versions", {})
+                                                                    .transform_keys { |k| version_class.new(k) }
+                                                                    .reject do |v, _|
+                                                                      v.prerelease? && !related_to_current_pre?(v)
+                                                                    end
+                                                                    .sort_by(&:first).reverse
+          end
+          def possible_versions_with_details(filter_ignored: true)
+            versions = possible_previous_versions_with_details
+                       .reject { |_, details| details["deprecated"] }
+            return filter_ignored_versions(versions) if filter_ignored
+            versions
+          end
+          def possible_versions(filter_ignored: true)
+            possible_versions_with_details(filter_ignored: filter_ignored)
+              .map(&:first)
+          end
+          private
+          attr_reader :dependency
+          attr_reader :credentials
+          attr_reader :dependency_files
+          attr_reader :ignored_versions
+          attr_reader :security_advisories
+          def valid_npm_details?
+            !npm_details&.fetch("dist-tags", nil).nil?
+          end
+          sig { params(versions_array: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+          def filter_ignored_versions(versions_array)
+            filtered = versions_array.reject do |v, _|
+              ignore_requirements.any? { |r| r.satisfied_by?(v) }
+            end
+            if @raise_on_ignored && filter_lower_versions(filtered).empty? && filter_lower_versions(versions_array).any?
+              raise AllVersionsIgnored
+            end
+            if versions_array.count > filtered.count
+              diff = versions_array.count - filtered.count
+              Dependabot.logger.info("Filtered out #{diff} ignored versions")
+            end
+            filtered
+          end
+          sig { params(versions_array: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+          def filter_out_of_range_versions(versions_array)
+            reqs = dependency.requirements.filter_map do |r|
+              NpmAndYarn::Requirement.requirements_array(r.fetch(:requirement))
+            end
+            versions_array
+              .select { |v| reqs.all? { |r| r.any? { |o| o.satisfied_by?(v) } } }
+          end
+          sig { params(versions_array: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+          def filter_lower_versions(versions_array)
+            return versions_array unless dependency.numeric_version
+            versions_array
+              .select { |version, _| version > dependency.numeric_version }
+          end
+          def version_from_dist_tags
+            dist_tags = npm_details["dist-tags"].keys
+            # Check if a dist tag was specified as a requirement. If it was, and
+            # it exists, use it.
+            dist_tag_req = dependency.requirements
+                                     .find { |r| dist_tags.include?(r[:requirement]) }
+                                     &.fetch(:requirement)
+            if dist_tag_req
+              tag_vers =
+                version_class.new(npm_details["dist-tags"][dist_tag_req])
+              return tag_vers unless yanked?(tag_vers)
+            end
+            # Use the latest dist tag unless there's a reason not to
+            return nil unless npm_details["dist-tags"]["latest"]
+            latest = version_class.new(npm_details["dist-tags"]["latest"])
+            wants_latest_dist_tag?(latest) ? latest : nil
+          end
+          def related_to_current_pre?(version)
+            current_version = dependency.numeric_version
+            if current_version&.prerelease? &&
+               current_version&.release == version.release
+              return true
+            end
+            dependency.requirements.any? do |req|
+              next unless req[:requirement]&.match?(/\d-[A-Za-z]/)
+              NpmAndYarn::Requirement
+                .requirements_array(req.fetch(:requirement))
+                .any? do |r|
+                  r.requirements.any? { |a| a.last.release == version.release }
+                end
+            rescue Gem::Requirement::BadRequirementError
+              false
+            end
+          end
+          def specified_dist_tag_requirement?
+            dependency.requirements.any? do |req|
+              next false if req[:requirement].nil?
+              next false unless req[:requirement].match?(/^[A-Za-z]/)
+              !req[:requirement].match?(/^v\d/i)
+            end
+          end
+          def wants_latest_dist_tag?(latest_version)
+            ver = latest_version
+            return false if related_to_current_pre?(ver) ^ ver.prerelease?
+            return false if current_version_greater_than?(ver)
+            return false if current_requirement_greater_than?(ver)
+            return false if ignore_requirements.any? { |r| r.satisfied_by?(ver) }
+            return false if yanked?(ver)
+            true
+          end
+          def current_version_greater_than?(version)
+            return false unless dependency.numeric_version
+            dependency.numeric_version > version
+          end
+          def current_requirement_greater_than?(version)
+            dependency.requirements.any? do |req|
+              next false unless req[:requirement]
+              req_version = req[:requirement].sub(/^\^|~|>=?/, "")
+              next false unless version_class.correct?(req_version)
+              version_class.new(req_version) > version
+            end
+          end
+          def yanked?(version)
+            @yanked ||= {}
+            return @yanked[version] if @yanked.key?(version)
+            @yanked[version] =
+              begin
+                if dependency_registry == "registry.npmjs.org"
+                  status = Dependabot::RegistryClient.head(
+                    url: registry_finder.tarball_url(version),
+                    headers: registry_auth_headers
+                  ).status
+                else
+                  status = Dependabot::RegistryClient.get(
+                    url: dependency_url + "/#{version}",
+                    headers: registry_auth_headers
+                  ).status
+                  if status == 404
+                    # Some registries don't handle escaped package names properly
+                    status = Dependabot::RegistryClient.get(
+                      url: dependency_url.gsub("%2F", "/") + "/#{version}",
+                      headers: registry_auth_headers
+                    ).status
+                  end
+                end
+                version_not_found = status == 404
+                version_not_found && version_endpoint_working?
+              rescue Excon::Error::Timeout, Excon::Error::Socket
+                # Give the benefit of the doubt if the registry is playing up
+                false
+              end
+          end
+          def version_endpoint_working?
+            return true if dependency_registry == "registry.npmjs.org"
+            return @version_endpoint_working if defined?(@version_endpoint_working)
+            @version_endpoint_working =
+              begin
+                Dependabot::RegistryClient.get(
+                  url: dependency_url + "/latest",
+                  headers: registry_auth_headers
+                ).status < 400
+              rescue Excon::Error::Timeout, Excon::Error::Socket
+                # Give the benefit of the doubt if the registry is playing up
+                true
+              end
+          end
+          def npm_details
+            return @npm_details if defined?(@npm_details)
+            @npm_details = fetch_npm_details
+          end
+          def fetch_npm_details
+            npm_response = fetch_npm_response
+            check_npm_response(npm_response)
+            JSON.parse(npm_response.body)
+          rescue JSON::ParserError,
+                 Excon::Error::Timeout,
+                 Excon::Error::Socket,
+                 RegistryError => e
+            if git_dependency?
+              nil
+            else
+              raise_npm_details_error(e)
+            end
+          end
+          def fetch_npm_response
+            response = Dependabot::RegistryClient.get(
+              url: dependency_url,
+              headers: registry_auth_headers
+            )
+            return response unless response.status == 500
+            return response unless registry_auth_headers["Authorization"]
+            auth = registry_auth_headers["Authorization"]
+            return response unless auth.start_with?("Basic")
+            decoded_token = Base64.decode64(auth.gsub("Basic ", ""))
+            return unless decoded_token.include?(":")
+            username, password = decoded_token.split(":")
+            Dependabot::RegistryClient.get(
+              url: dependency_url,
+              options: {
+                user: username,
+                password: password
+              }
+            )
+          rescue URI::InvalidURIError => e
+            raise DependencyFileNotResolvable, e.message
+          end
+          def check_npm_response(npm_response)
+            return if git_dependency?
+            if private_dependency_not_reachable?(npm_response)
+              raise PrivateSourceAuthenticationFailure, dependency_registry
+            end
+            # handles scenario when private registry returns a server error 5xx
+            if private_dependency_server_error?(npm_response)
+              msg = "Server error #{npm_response.status} returned while accessing registry" \
+                    " #{dependency_registry}."
+              raise DependencyFileNotResolvable, msg
+            end
+            status = npm_response.status
+            # handles issue when status 200 is returned from registry but with an invalid JSON object
+            if status.to_s.start_with?("2") && response_invalid_json?(npm_response)
+              msg = "Invalid JSON object returned from registry #{dependency_registry}."
+              Dependabot.logger.warn("#{msg} Response body (truncated) : #{npm_response.body[0..500]}...")
+              raise DependencyFileNotResolvable, msg
+            end
+            return if status.to_s.start_with?("2")
+            # Ignore 404s from the registry for updates where a lockfile doesn't
+            # need to be generated. The 404 won't cause problems later.
+            return if status == 404 && dependency.version.nil?
+            msg = "Got #{status} response with body #{npm_response.body}"
+            raise RegistryError.new(status, msg)
+          end
+          def raise_npm_details_error(error)
+            raise if dependency_registry == "registry.npmjs.org"
+            raise unless error.is_a?(Excon::Error::Timeout)
+            raise PrivateSourceTimedOut, dependency_registry
+          end
+          def private_dependency_not_reachable?(npm_response)
+            return true if npm_response.body.start_with?(/user ".*?" is not a /)
+            return false unless [401, 402, 403, 404].include?(npm_response.status)
+            # Check whether this dependency is (likely to be) private
+            if dependency_registry == "registry.npmjs.org"
+              return false unless dependency.name.start_with?("@")
+              web_response = Dependabot::RegistryClient.get(url: "https://www.npmjs.com/package/#{dependency.name}")
+              # NOTE: returns 429 when the login page is rate limited
+              return web_response.body.include?("Forgot password?") ||
+                     web_response.status == 429
+            end
+            true
+          end
+          def private_dependency_server_error?(npm_response)
+            if [500, 501, 502, 503].include?(npm_response.status)
+              Dependabot.logger.warn("#{dependency_registry} returned code #{npm_response.status} with " \
+                                     "body #{npm_response.body}.")
+              return true
+            end
+            false
+          end
+          def response_invalid_json?(npm_response)
+            result = JSON.parse(npm_response.body)
+            result.is_a?(Hash) || result.is_a?(Array)
+            false
+          rescue JSON::ParserError, TypeError
+            true
+          end
+          def dependency_url
+            registry_finder.dependency_url
+          end
+          def dependency_registry
+            registry_finder.registry
+          end
+          def registry_auth_headers
+            registry_finder.auth_headers
+          end
+          def registry_finder
+            @registry_finder ||= Dependabot::Javascript::Shared::UpdateChecker::RegistryFinder.new(
+              dependency: dependency,
+              credentials: credentials,
+              rc_file: npmrc_file
+            )
+          end
+          def ignore_requirements
+            ignored_versions.flat_map { |req| requirement_class.requirements_array(req) }
+          end
+          def version_class
+            dependency.version_class
+          end
+          def requirement_class
+            dependency.requirement_class
+          end
+          def npmrc_file
+            dependency_files.find { |f| f.name.end_with?(".npmrc") }
+          end
+          def yarnrc_file
+            dependency_files.find { |f| f.name.end_with?(".yarnrc") }
+          end
+          def yarnrc_yml_file
+            dependency_files.find { |f| f.name.end_with?(".yarnrc.yml") }
+          end
+          # TODO: Remove need for me
+          def git_dependency?
+            # ignored_version/raise_on_ignored are irrelevant.
+            GitCommitChecker.new(
+              dependency: dependency,
+              credentials: credentials
+            ).git_dependency?
+          end
+        end
+      end
+    end
+  end
+end