dependabot-javascript 0.296.1

data/lib/dependabot/javascript/bun/update_checker/library_detector.rb

@@ -0,0 +1,76 @@
+# typed: true
+# frozen_string_literal: true
+
+require "excon"
+
+module Dependabot
+  module Javascript
+    module Bun
+      class UpdateChecker
+        class LibraryDetector
+          def initialize(package_json_file:, credentials:, dependency_files:)
+            @package_json_file = package_json_file
+            @credentials = credentials
+            @dependency_files = dependency_files
+          end
+
+          def library?
+            return false unless package_json_may_be_for_library?
+
+            npm_response_matches_package_json?
+          end
+
+          private
+
+          attr_reader :package_json_file
+          attr_reader :credentials
+          attr_reader :dependency_files
+
+          def package_json_may_be_for_library?
+            return false unless project_name
+            return false if project_name.match?(/\{\{.*\}\}/)
+            return false unless parsed_package_json["version"]
+            return false if parsed_package_json["private"]
+
+            true
+          end
+
+          def npm_response_matches_package_json?
+            project_description = parsed_package_json["description"]
+            return false unless project_description
+
+            # Check if the project is listed on npm. If it is, it's a library
+            url = "#{registry.chomp('/')}/#{escaped_project_name}"
+            @project_npm_response ||= Dependabot::RegistryClient.get(url: url)
+            return false unless @project_npm_response.status == 200
+
+            @project_npm_response.body.dup.force_encoding("UTF-8").encode
+                                 .include?(project_description)
+          rescue Excon::Error::Socket, Excon::Error::Timeout, URI::InvalidURIError
+            false
+          end
+
+          def project_name
+            parsed_package_json.fetch("name", nil)
+          end
+
+          def escaped_project_name
+            project_name&.gsub("/", "%2F")
+          end
+
+          def parsed_package_json
+            @parsed_package_json ||= JSON.parse(package_json_file.content)
+          end
+
+          def registry
+            Dependabot::Javascript::Shared::UpdateChecker::RegistryFinder.new(
+              dependency: nil,
+              credentials: credentials,
+              rc_file: dependency_files.find { |f| f.name.end_with?(".npmrc") }
+            ).registry_from_rc(project_name)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/bun/update_checker/requirements_updater.rb

@@ -0,0 +1,203 @@
+# typed: true
+# frozen_string_literal: true
+
+################################################################################
+# For more details on npm version constraints, see:                            #
+# https://docs.npmjs.com/misc/semver                                           #
+################################################################################
+
+module Dependabot
+  module Javascript
+    module Bun
+      class UpdateChecker
+        class RequirementsUpdater
+          VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/
+          SEPARATOR = /(?<=[a-zA-Z0-9*])[\s|]+(?![\s|-])/
+          ALLOWED_UPDATE_STRATEGIES = T.let(
+            [
+              RequirementsUpdateStrategy::LockfileOnly,
+              RequirementsUpdateStrategy::WidenRanges,
+              RequirementsUpdateStrategy::BumpVersions,
+              RequirementsUpdateStrategy::BumpVersionsIfNecessary
+            ].freeze,
+            T::Array[Dependabot::RequirementsUpdateStrategy]
+          )
+
+          def initialize(requirements:, updated_source:, update_strategy:,
+                         latest_resolvable_version:)
+            @requirements = requirements
+            @updated_source = updated_source
+            @update_strategy = update_strategy
+
+            check_update_strategy
+
+            return unless latest_resolvable_version
+
+            @latest_resolvable_version =
+              version_class.new(latest_resolvable_version)
+          end
+
+          def updated_requirements
+            return requirements if update_strategy.lockfile_only?
+
+            requirements.map do |req|
+              req = req.merge(source: updated_source)
+              next req unless latest_resolvable_version
+              next initial_req_after_source_change(req) unless req[:requirement]
+              next req if req[:requirement].match?(/^([A-Za-uw-z]|v[^\d])/)
+
+              case update_strategy
+              when RequirementsUpdateStrategy::WidenRanges then widen_requirement(req)
+              when RequirementsUpdateStrategy::BumpVersions then update_version_requirement(req)
+              when RequirementsUpdateStrategy::BumpVersionsIfNecessary
+                update_version_requirement_if_needed(req)
+              else raise "Unexpected update strategy: #{update_strategy}"
+              end
+            end
+          end
+
+          private
+
+          attr_reader :requirements
+          attr_reader :updated_source
+          attr_reader :update_strategy
+          attr_reader :latest_resolvable_version
+
+          def check_update_strategy
+            return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
+
+            raise "Unknown update strategy: #{update_strategy}"
+          end
+
+          def updating_from_git_to_npm?
+            return false unless updated_source.nil?
+
+            original_source = requirements.filter_map { |r| r[:source] }.first
+            original_source&.fetch(:type) == "git"
+          end
+
+          def initial_req_after_source_change(req)
+            return req unless updating_from_git_to_npm?
+            return req unless req[:requirement].nil?
+
+            req.merge(requirement: "^#{latest_resolvable_version}")
+          end
+
+          def update_version_requirement(req)
+            current_requirement = req[:requirement]
+
+            if current_requirement.match?(/(<|-\s)/i)
+              ruby_req = ruby_requirements(current_requirement).first
+              return req if ruby_req.satisfied_by?(latest_resolvable_version)
+
+              updated_req = update_range_requirement(current_requirement)
+              return req.merge(requirement: updated_req)
+            end
+
+            reqs = current_requirement.strip.split(SEPARATOR).map(&:strip)
+            req.merge(requirement: update_version_string(reqs.first))
+          end
+
+          def update_version_requirement_if_needed(req)
+            current_requirement = req[:requirement]
+            version = latest_resolvable_version
+            return req if current_requirement.strip == ""
+
+            ruby_reqs = ruby_requirements(current_requirement)
+            return req if ruby_reqs.any? { |r| r.satisfied_by?(version) }
+
+            update_version_requirement(req)
+          end
+
+          def widen_requirement(req)
+            current_requirement = req[:requirement]
+            version = latest_resolvable_version
+            return req if current_requirement.strip == ""
+
+            ruby_reqs = ruby_requirements(current_requirement)
+            return req if ruby_reqs.any? { |r| r.satisfied_by?(version) }
+
+            reqs = current_requirement.strip.split(SEPARATOR).map(&:strip)
+
+            updated_requirement =
+              if reqs.any? { |r| r.match?(/(<|-\s)/i) }
+                update_range_requirement(current_requirement)
+              elsif current_requirement.strip.split(SEPARATOR).count == 1
+                update_version_string(current_requirement)
+              else
+                current_requirement
+              end
+
+            req.merge(requirement: updated_requirement)
+          end
+
+          def ruby_requirements(requirement_string)
+            Dependabot::Javascript::Shared::Requirement
+              .requirements_array(requirement_string)
+          end
+
+          def update_range_requirement(req_string)
+            range_requirements =
+              req_string.split(SEPARATOR).select { |r| r.match?(/<|(\s+-\s+)/) }
+
+            if range_requirements.count == 1
+              range_requirement = range_requirements.first
+              versions = range_requirement.scan(VERSION_REGEX)
+              upper_bound = versions.map { |v| version_class.new(v) }.max
+              new_upper_bound = update_greatest_version(
+                upper_bound,
+                latest_resolvable_version
+              )
+
+              req_string.sub(
+                upper_bound.to_s,
+                new_upper_bound.to_s
+              )
+            else
+              req_string + " || ^#{latest_resolvable_version}"
+            end
+          end
+
+          def update_version_string(req_string)
+            req_string
+              .sub(VERSION_REGEX) do |old_version|
+                if old_version.match?(/\d-/) ||
+                   latest_resolvable_version.to_s.match?(/\d-/)
+                  latest_resolvable_version.to_s
+                else
+                  old_parts = old_version.split(".")
+                  new_parts = latest_resolvable_version.to_s.split(".")
+                                                       .first(old_parts.count)
+                  new_parts.map.with_index do |part, i|
+                    old_parts[i].match?(/^x\b/) ? "x" : part
+                  end.join(".")
+                end
+              end
+          end
+
+          def update_greatest_version(old_version, version_to_be_permitted)
+            version = version_class.new(old_version)
+            version = version.release if version.prerelease?
+
+            index_to_update =
+              version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+
+            version.segments.map.with_index do |_, index|
+              if index < index_to_update
+                version_to_be_permitted.segments[index]
+              elsif index == index_to_update
+                version_to_be_permitted.segments[index] + 1
+              else
+                0
+              end
+            end.join(".")
+          end
+
+          def version_class
+            Dependabot::Javascript::Shared::Version
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/javascript/bun/update_checker/subdependency_version_resolver.rb

@@ -0,0 +1,144 @@
+# typed: true
+# frozen_string_literal: true
+
+module Dependabot
+  module Javascript
+    module Bun
+      class UpdateChecker
+        class SubdependencyVersionResolver
+          def initialize(dependency:, credentials:, dependency_files:,
+                         ignored_versions:, latest_allowable_version:, repo_contents_path:)
+            @dependency = dependency
+            @credentials = credentials
+            @dependency_files = dependency_files
+            @ignored_versions = ignored_versions
+            @latest_allowable_version = latest_allowable_version
+            @repo_contents_path = repo_contents_path
+          end
+
+          def latest_resolvable_version
+            raise "Not a subdependency!" if dependency.requirements.any?
+            return if bundled_dependency?
+
+            base_dir = dependency_files.first.directory
+            SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
+              dependency_files_builder.write_temporary_dependency_files
+
+              updated_lockfiles = filtered_lockfiles.map do |lockfile|
+                updated_content = update_subdependency_in_lockfile(lockfile)
+                updated_lockfile = lockfile.dup
+                updated_lockfile.content = updated_content
+                updated_lockfile
+              end
+
+              version_from_updated_lockfiles(updated_lockfiles)
+            end
+          rescue SharedHelpers::HelperSubprocessFailed
+            # TODO: Move error handling logic from the FileUpdater to this class
+
+            # Return nil (no update possible) if an unknown error occurred
+            nil
+          end
+
+          private
+
+          attr_reader :dependency
+          attr_reader :credentials
+          attr_reader :dependency_files
+          attr_reader :ignored_versions
+          attr_reader :latest_allowable_version
+          attr_reader :repo_contents_path
+
+          def update_subdependency_in_lockfile(lockfile)
+            lockfile_name = Pathname.new(lockfile.name).basename.to_s
+            path = Pathname.new(lockfile.name).dirname.to_s
+
+            updated_files = run_bun_updater(path, lockfile_name) if lockfile.name.end_with?("bun.lock")
+
+            updated_files.fetch(lockfile_name)
+          end
+
+          def version_from_updated_lockfiles(updated_lockfiles)
+            updated_files = dependency_files -
+                            dependency_files_builder.lockfiles +
+                            updated_lockfiles
+
+            updated_version = NpmAndYarn::FileParser.new(
+              dependency_files: updated_files,
+              source: nil,
+              credentials: credentials
+            ).parse.find { |d| d.name == dependency.name }&.version
+            return unless updated_version
+
+            version_class.new(updated_version)
+          end
+
+          def run_bun_updater(path, lockfile_name)
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              Dir.chdir(path) do
+                Helpers.run_bun_command(
+                  "update #{dependency.name} --save-text-lockfile",
+                  fingerprint: "update <dependency_name> --save-text-lockfile"
+                )
+                { lockfile_name => File.read(lockfile_name) }
+              end
+            end
+          end
+
+          def version_class
+            dependency.version_class
+          end
+
+          def updated_dependency
+            Dependabot::Dependency.new(
+              name: dependency.name,
+              version: latest_allowable_version,
+              previous_version: dependency.version,
+              requirements: [],
+              package_manager: dependency.package_manager
+            )
+          end
+
+          def filtered_lockfiles
+            @filtered_lockfiles ||=
+              Dependabot::Javascript::Shared::SubDependencyFilesFilterer.new(
+                dependency_files: dependency_files,
+                updated_dependencies: [updated_dependency]
+              ).files_requiring_update
+          end
+
+          def dependency_files_builder
+            @dependency_files_builder ||=
+              DependencyFilesBuilder.new(
+                dependency: dependency,
+                dependency_files: dependency_files,
+                credentials: credentials
+              )
+          end
+
+          # TODO: We should try and fix this by updating the parent that's not
+          # bundled. For this case: `chokidar > fsevents > node-pre-gyp > tar` we
+          # would need to update `fsevents`
+          #
+          # We shouldn't update bundled sub-dependencies as they have been bundled
+          # into the release at an exact version by a parent using
+          # `bundledDependencies`.
+          #
+          # For example, fsevents < 2 bundles node-pre-gyp meaning all it's
+          # sub-dependencies get bundled into the release tarball at publish time
+          # so you always get the same sub-dependency versions if you re-install a
+          # specific version of fsevents.
+          #
+          # Updating the sub-dependency by deleting the entry works but it gets
+          # removed from the bundled set of dependencies and moved top level
+          # resulting in a bunch of package duplication which is pretty confusing.
+          def bundled_dependency?
+            dependency.subdependency_metadata
+                      &.any? { |h| h.fetch(:npm_bundled, false) } ||
+              false
+          end
+        end
+      end
+    end
+  end
+end