dependabot-npm_and_yarn 0.101.2 → 0.102.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
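--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e065249385d5d40fa7a235a1f3eae13f38cc1e3f4da10599f195b4701cdc5421
+data.tar.gz: 8e02e117d6956a77d0ee4af6f7468ea40638d3a4889cd82d84e5b2151b57b003
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7d4c25c44cc1b8e03508f635a9c74cc91930191214f42782786110b2fabc832a1c8199381eddb5832898783c770e31c31c6b210498de24a079f0c6f4b95708ee
+data.tar.gz: 6e9205e22f72554828eb6c86d9ac9020c0189caed145f19abf7be4f434c6052d8512b4acab5daa247f9a2f56b06f81c4ccd8324e0688bc24d5b1ec79731cbaff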
@@ -39,8 +39,8 @@ module Dependabot
|
|
|
39
39
|
def lowest_resolvable_security_fix_version
|
|
40
40
|
raise "Dependency not vulnerable!" unless vulnerable?
|
|
41
41
|
|
|
42
|
-
# TODO:
|
|
43
|
-
|
|
42
|
+
# TODO: Might want to check resolvability here?
|
|
43
|
+
latest_version_finder.lowest_security_fix_version
|
|
44
44
|
end
|
|
45
45
|
|
|
46
46
|
def latest_resolvable_version_with_no_unlock
|
|
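Review bot: `lowest_resolvable_security_fix_version` now returns `latest_version_finder.lowest_security_fix_version` with no resolvability check at all, so the method name promises more than the body delivers and the `# TODO: Might want to check resolvability here?` added at line 42 only hints at that. Until the check exists the comment should state it plainly, e.g. `# NOTE: the returned version is NOT checked for resolvability; it is also nil when the finder swallows a registry error`. The finder's `lowest_security_fix_version`, added later in this diff, rescues Excon socket/timeout errors and returns nil for non-npmjs registries, so a nil here means "unknown", not "no fix exists", and callers deciding whether a vulnerable dependency is fixable need to know that. The enclosing class continues outside the hunk.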
@@ -70,8 +70,6 @@ module Dependabot
|
|
|
70
70
|
RequirementsUpdater.new(
|
|
71
71
|
requirements: dependency.requirements,
|
|
72
72
|
updated_source: updated_source,
|
|
73
|
-
latest_version:
|
|
74
|
-
latest_version_details&.fetch(:version, nil)&.to_s,
|
|
75
73
|
latest_resolvable_version: resolvable_version,
|
|
76
74
|
update_strategy: requirements_update_strategy
|
|
77
75
|
).updated_requirements
|
|
@@ -112,7 +110,6 @@ module Dependabot
|
|
|
112
110
|
requirements: RequirementsUpdater.new(
|
|
113
111
|
requirements: original_dep.requirements,
|
|
114
112
|
updated_source: original_dep == dependency ? updated_source : nil,
|
|
115
|
-
latest_version: update_details[:version].to_s,
|
|
116
113
|
latest_resolvable_version: update_details[:version].to_s,
|
|
117
114
|
update_strategy: requirements_update_strategy
|
|
118
115
|
).updated_requirements,
|
|
@@ -48,6 +48,24 @@ module Dependabot
|
|
|
48
48
|
# our problem, so we quietly return `nil` here.
|
|
49
49
|
end
|
|
50
50
|
|
|
51
|
+
def lowest_security_fix_version
|
|
52
|
+
return unless valid_npm_details?
|
|
53
|
+
|
|
54
|
+
versions_array =
|
|
55
|
+
if specified_dist_tag_requirement?
|
|
56
|
+
[version_from_dist_tags].compact
|
|
57
|
+
else possible_versions
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
secure_versions = filter_vulnerable_versions(versions_array)
|
|
61
|
+
secure_versions = filter_lower_versions(secure_versions)
|
|
62
|
+
secure_versions.reverse.find { |version| !yanked?(version) }
|
|
63
|
+
rescue Excon::Error::Socket, Excon::Error::Timeout
|
|
64
|
+
raise if dependency_registry == "registry.npmjs.org"
|
|
65
|
+
# Sometimes custom registries are flaky. We don't want to make that
|
|
66
|
+
# our problem, so we quietly return `nil` here.
|
|
67
|
+
end
|
|
68
|
+
|
|
51
69
|
def possible_versions_with_details
|
|
52
70
|
npm_details.fetch("versions", {}).
|
|
53
71
|
reject { |_, details| details["deprecated"] }.
|
|
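Review bot: Whether `secure_versions.reverse.find { |version| !yanked?(version) }` really yields the lowest fix depends on `possible_versions` being ordered newest-first, which this hunk does not show; if that is the finder's contract it deserves a comment on that line, e.g. `# possible_versions is newest-first, so the reversed scan stops at the lowest non-yanked fix`, and if it is not, `secure_versions.reject { |v| yanked?(v) }.min` would not rely on ordering. The `rescue Excon::Error::Socket, Excon::Error::Timeout` branch also makes an outage on a custom registry indistinguishable from "no secure version exists", since both produce nil; if a logger is available in this class, a log line in that branch would keep the two cases apart for whoever investigates a missing security update. The enclosing class continues outside the hunk.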
@@ -70,15 +88,32 @@ module Dependabot
|
|
|
70
88
|
!npm_details&.fetch("dist-tags", nil).nil?
|
|
71
89
|
end
|
|
72
90
|
|
|
73
|
-
def filter_out_of_range_versions(
|
|
91
|
+
def filter_out_of_range_versions(versions_array)
|
|
74
92
|
reqs = dependency.requirements.map do |r|
|
|
75
93
|
NpmAndYarn::Requirement.requirements_array(r.fetch(:requirement))
|
|
76
94
|
end.compact
|
|
77
95
|
|
|
78
|
-
|
|
96
|
+
versions_array.
|
|
79
97
|
select { |v| reqs.all? { |r| r.any? { |o| o.satisfied_by?(v) } } }
|
|
80
98
|
end
|
|
81
99
|
|
|
100
|
+
def filter_vulnerable_versions(versions_array)
|
|
101
|
+
updated_versions_array = versions_array
|
|
102
|
+
|
|
103
|
+
security_advisories.each do |advisory|
|
|
104
|
+
updated_versions_array =
|
|
105
|
+
updated_versions_array.
|
|
106
|
+
reject { |v| advisory.vulnerable?(v) }
|
|
107
|
+
end
|
|
108
|
+
|
|
109
|
+
updated_versions_array
|
|
110
|
+
end
|
|
111
|
+
|
|
112
|
+
def filter_lower_versions(versions_array)
|
|
113
|
+
versions_array.
|
|
114
|
+
select { |version| version > version_class.new(dependency.version) }
|
|
115
|
+
end
|
|
116
|
+
|
|
82
117
|
def version_from_dist_tags
|
|
83
118
|
dist_tags = npm_details["dist-tags"].keys
|
|
84
119
|
|
|
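Review bot: `filter_lower_versions` rebuilds `version_class.new(dependency.version)` for every element inside the `select` block; hoist it once, `current = version_class.new(dependency.version)` followed by `versions_array.select { |version| version > current }`, which also leaves a single place to guard if `dependency.version` can be nil for this finder (not visible here). `filter_vulnerable_versions` reassigns `updated_versions_array` in an `each` loop where one expression does the same job: `versions_array.reject { |v| security_advisories.any? { |advisory| advisory.vulnerable?(v) } }`. Both are private helpers of a class that continues outside the hunk.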
@@ -19,14 +19,13 @@ module Dependabot
|
|
|
19
19
|
%i(widen_ranges bump_versions bump_versions_if_necessary).freeze
|
|
20
20
|
|
|
21
21
|
def initialize(requirements:, updated_source:, update_strategy:,
|
|
22
|
-
|
|
22
|
+
latest_resolvable_version:)
|
|
23
23
|
@requirements = requirements
|
|
24
24
|
@updated_source = updated_source
|
|
25
25
|
@update_strategy = update_strategy
|
|
26
26
|
|
|
27
27
|
check_update_strategy
|
|
28
28
|
|
|
29
|
-
@latest_version = version_class.new(latest_version) if latest_version
|
|
30
29
|
return unless latest_resolvable_version
|
|
31
30
|
|
|
32
31
|
@latest_resolvable_version =
|
|
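Review bot: Dropping the `latest_version:` keyword from `initialize` makes any caller that still passes it fail with `ArgumentError (unknown keyword: :latest_version)`; the two `RequirementsUpdater.new` call sites changed earlier in this diff are updated, but any other caller in the gem is not visible here and should be checked before release. The constructor body continues past the end of the hunk.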
@@ -53,7 +52,7 @@ module Dependabot
|
|
|
53
52
|
private
|
|
54
53
|
|
|
55
54
|
attr_reader :requirements, :updated_source, :update_strategy,
|
|
56
|
-
:
|
|
55
|
+
:latest_resolvable_version
|
|
57
56
|
|
|
58
57
|
def check_update_strategy
|
|
59
58
|
return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.102.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.102.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.102.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|