dependabot-npm_and_yarn 0.101.0 → 0.101.1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1cf6617f329cb9987316bd94cfa8d5015ee5c2385e843f94a6c07195af7c9d81
|
|
4
|
+
data.tar.gz: 258fa046ee0b0e3435b0a9c16a5bda624c77917ece08d3772701138ebeb6cad9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f889d16cc3e211ac41d5d4fb4154ea084a371bfbe7341fc8b8d4c616a1688d5743615e93d02a8fe27aff8933287d8e5d2b625cf315925cab44aed1567c5b2820
|
|
7
|
+
data.tar.gz: 734982d233f792584c01832efa2b8379fd30552986fcf879ed2df435681fd4e1b5660c546fca86900ee11166232289698effd34f168fa9a97141689e70e15c38
|
|
@@ -24,36 +24,24 @@ module Dependabot
|
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
def latest_version_details_from_registry
|
|
27
|
-
return
|
|
27
|
+
return unless valid_npm_details?
|
|
28
|
+
return { version: version_from_dist_tags } if version_from_dist_tags
|
|
29
|
+
return if specified_dist_tag_requirement?
|
|
28
30
|
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
return nil if specified_dist_tag_requirement?
|
|
32
|
-
|
|
33
|
-
{ version: version_from_versions_array }
|
|
31
|
+
version = possible_versions.find { |v| !yanked?(v) }
|
|
32
|
+
{ version: version }
|
|
34
33
|
rescue Excon::Error::Socket, Excon::Error::Timeout, RegistryError
|
|
35
34
|
raise if dependency_registry == "registry.npmjs.org"
|
|
36
35
|
# Custom registries can be flaky. We don't want to make that
|
|
37
36
|
# our problem, so we quietly return `nil` here.
|
|
38
37
|
end
|
|
39
38
|
|
|
40
|
-
def
|
|
41
|
-
return unless
|
|
42
|
-
|
|
43
|
-
if specified_dist_tag_requirement?
|
|
44
|
-
return version_from_dist_tags(npm_details)
|
|
45
|
-
end
|
|
39
|
+
def latest_version_with_no_unlock
|
|
40
|
+
return unless valid_npm_details?
|
|
41
|
+
return version_from_dist_tags if specified_dist_tag_requirement?
|
|
46
42
|
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
requirements_array(r.fetch(:requirement))
|
|
50
|
-
end.compact
|
|
51
|
-
|
|
52
|
-
possible_versions.
|
|
53
|
-
find do |version|
|
|
54
|
-
reqs.all? { |r| r.any? { |opt| opt.satisfied_by?(version) } } &&
|
|
55
|
-
!yanked?(version)
|
|
56
|
-
end
|
|
43
|
+
in_range_versions = filter_out_of_range_versions(possible_versions)
|
|
44
|
+
in_range_versions.find { |version| !yanked?(version) }
|
|
57
45
|
rescue Excon::Error::Socket, Excon::Error::Timeout
|
|
58
46
|
raise if dependency_registry == "registry.npmjs.org"
|
|
59
47
|
# Sometimes custom registries are flaky. We don't want to make that
|
|
@@ -61,12 +49,7 @@ module Dependabot
|
|
|
61
49
|
end
|
|
62
50
|
|
|
63
51
|
def possible_versions
|
|
64
|
-
|
|
65
|
-
reject { |_, details| details["deprecated"] }.
|
|
66
|
-
keys.map { |v| version_class.new(v) }.
|
|
67
|
-
reject { |v| v.prerelease? && !related_to_current_pre?(v) }.
|
|
68
|
-
reject { |v| ignore_reqs.any? { |r| r.satisfied_by?(v) } }.
|
|
69
|
-
sort.reverse
|
|
52
|
+
possible_versions_with_details.map(&:first)
|
|
70
53
|
end
|
|
71
54
|
|
|
72
55
|
def possible_versions_with_details
|
|
@@ -83,7 +66,20 @@ module Dependabot
|
|
|
83
66
|
attr_reader :dependency, :credentials, :dependency_files,
|
|
84
67
|
:ignored_versions
|
|
85
68
|
|
|
86
|
-
def
|
|
69
|
+
def valid_npm_details?
|
|
70
|
+
!npm_details&.fetch("dist-tags", nil).nil?
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
def filter_out_of_range_versions(possible_versions)
|
|
74
|
+
reqs = dependency.requirements.map do |r|
|
|
75
|
+
NpmAndYarn::Requirement.requirements_array(r.fetch(:requirement))
|
|
76
|
+
end.compact
|
|
77
|
+
|
|
78
|
+
possible_versions.
|
|
79
|
+
select { |v| reqs.all? { |r| r.any? { |o| o.satisfied_by?(v) } } }
|
|
80
|
+
end
|
|
81
|
+
|
|
82
|
+
def version_from_dist_tags
|
|
87
83
|
dist_tags = npm_details["dist-tags"].keys
|
|
88
84
|
|
|
89
85
|
# Check if a dist tag was specified as a requirement. If it was, and
|
|
@@ -166,10 +162,6 @@ module Dependabot
|
|
|
166
162
|
end
|
|
167
163
|
end
|
|
168
164
|
|
|
169
|
-
def version_from_versions_array
|
|
170
|
-
possible_versions.find { |version| !yanked?(version) }
|
|
171
|
-
end
|
|
172
|
-
|
|
173
165
|
def yanked?(version)
|
|
174
166
|
@yanked ||= {}
|
|
175
167
|
return @yanked[version] if @yanked.key?(version)
|
|
@@ -178,20 +170,18 @@ module Dependabot
|
|
|
178
170
|
begin
|
|
179
171
|
status = Excon.get(
|
|
180
172
|
dependency_url + "/#{version}",
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
)
|
|
173
|
+
headers: registry_auth_headers,
|
|
174
|
+
idempotent: true,
|
|
175
|
+
**SharedHelpers.excon_defaults
|
|
185
176
|
).status
|
|
186
177
|
|
|
187
178
|
if status == 404 && dependency_registry != "registry.npmjs.org"
|
|
188
179
|
# Some registries don't handle escaped package names properly
|
|
189
180
|
status = Excon.get(
|
|
190
181
|
dependency_url.gsub("%2F", "/") + "/#{version}",
|
|
191
|
-
|
|
192
|
-
|
|
193
|
-
|
|
194
|
-
)
|
|
182
|
+
headers: registry_auth_headers,
|
|
183
|
+
idempotent: true,
|
|
184
|
+
**SharedHelpers.excon_defaults
|
|
195
185
|
).status
|
|
196
186
|
end
|
|
197
187
|
|
|
@@ -214,10 +204,9 @@ module Dependabot
|
|
|
214
204
|
begin
|
|
215
205
|
Excon.get(
|
|
216
206
|
dependency_url + "/latest",
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
)
|
|
207
|
+
headers: registry_auth_headers,
|
|
208
|
+
idempotent: true,
|
|
209
|
+
**SharedHelpers.excon_defaults
|
|
221
210
|
).status < 400
|
|
222
211
|
rescue Excon::Error::Timeout
|
|
223
212
|
# Give the benefit of the doubt if the registry is playing up
|
|
@@ -248,10 +237,9 @@ module Dependabot
|
|
|
248
237
|
def fetch_npm_response
|
|
249
238
|
response = Excon.get(
|
|
250
239
|
dependency_url,
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
|
|
254
|
-
)
|
|
240
|
+
headers: registry_auth_headers,
|
|
241
|
+
idempotent: true,
|
|
242
|
+
**SharedHelpers.excon_defaults
|
|
255
243
|
)
|
|
256
244
|
|
|
257
245
|
return response unless response.status == 500
|
|
@@ -266,11 +254,10 @@ module Dependabot
|
|
|
266
254
|
username, password = decoded_token.split(":")
|
|
267
255
|
Excon.get(
|
|
268
256
|
dependency_url,
|
|
269
|
-
|
|
270
|
-
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
)
|
|
257
|
+
user: username,
|
|
258
|
+
password: password,
|
|
259
|
+
idempotent: true,
|
|
260
|
+
**SharedHelpers.excon_defaults
|
|
274
261
|
)
|
|
275
262
|
end
|
|
276
263
|
|
|
@@ -330,26 +317,34 @@ module Dependabot
|
|
|
330
317
|
end
|
|
331
318
|
|
|
332
319
|
def registry_finder
|
|
333
|
-
@registry_finder ||=
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
yarnrc_file: dependency_files.
|
|
340
|
-
find { |f| f.name.end_with?(".yarnrc") }
|
|
341
|
-
)
|
|
320
|
+
@registry_finder ||= RegistryFinder.new(
|
|
321
|
+
dependency: dependency,
|
|
322
|
+
credentials: credentials,
|
|
323
|
+
npmrc_file: npmrc_file,
|
|
324
|
+
yarnrc_file: yarnrc_file
|
|
325
|
+
)
|
|
342
326
|
end
|
|
343
327
|
|
|
344
328
|
def ignore_reqs
|
|
345
|
-
ignored_versions.
|
|
346
|
-
map { |req| NpmAndYarn::Requirement.new(req.split(",")) }
|
|
329
|
+
ignored_versions.map { |req| requirement_class.new(req.split(",")) }
|
|
347
330
|
end
|
|
348
331
|
|
|
349
332
|
def version_class
|
|
350
333
|
NpmAndYarn::Version
|
|
351
334
|
end
|
|
352
335
|
|
|
336
|
+
def requirement_class
|
|
337
|
+
NpmAndYarn::Requirement
|
|
338
|
+
end
|
|
339
|
+
|
|
340
|
+
def npmrc_file
|
|
341
|
+
dependency_files.find { |f| f.name.end_with?(".npmrc") }
|
|
342
|
+
end
|
|
343
|
+
|
|
344
|
+
def yarnrc_file
|
|
345
|
+
dependency_files.find { |f| f.name.end_with?(".yarnrc") }
|
|
346
|
+
end
|
|
347
|
+
|
|
353
348
|
# TODO: Remove need for me
|
|
354
349
|
def git_dependency?
|
|
355
350
|
GitCommitChecker.new(
|
|
@@ -50,13 +50,15 @@ module Dependabot
|
|
|
50
50
|
return latest_resolvable_version_with_no_unlock_for_git_dependency
|
|
51
51
|
end
|
|
52
52
|
|
|
53
|
-
latest_version_finder.
|
|
53
|
+
latest_version_finder.latest_version_with_no_unlock
|
|
54
54
|
end
|
|
55
55
|
|
|
56
56
|
def updated_requirements
|
|
57
57
|
resolvable_version =
|
|
58
|
-
if
|
|
59
|
-
preferred_resolvable_version
|
|
58
|
+
if preferred_resolvable_version.is_a?(version_class)
|
|
59
|
+
preferred_resolvable_version.to_s
|
|
60
|
+
elsif preferred_resolvable_version.nil?
|
|
61
|
+
nil
|
|
60
62
|
else
|
|
61
63
|
# If the preferred_resolvable_version came back as anything other
|
|
62
64
|
# than a version class or `nil` it must be because this is a git
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.101.
|
|
4
|
+
version: 0.101.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.101.
|
|
19
|
+
version: 0.101.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.101.
|
|
26
|
+
version: 0.101.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|