dependabot-npm_and_yarn 0.125.0 → 0.125.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +2 -6
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +1 -3
- data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb +2 -6
- data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +5 -15
- data/lib/dependabot/npm_and_yarn/metadata_finder.rb +3 -9
- data/lib/dependabot/npm_and_yarn/requirement.rb +2 -6
- data/lib/dependabot/npm_and_yarn/update_checker.rb +4 -12
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +2 -6
- data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb +1 -3
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +4 -12
- data/lib/dependabot/npm_and_yarn/version.rb +1 -3
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 65dfd24b6ebd21aecc0ca0e3b729df18dbba9a06e0e45634b3c8b162710c567e
|
|
4
|
+
data.tar.gz: a44ac914df569143c14632f921b89c7da81f64b53a194f8113ab6822f6c923a2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6f0521114bc5e902ff20bb60721128b99bd7082966186f1e787810cea0d76e45ae6df35ece0158a06bb99843daf304eb02f74233230209d98fd7bbf08bf894cd
|
|
7
|
+
data.tar.gz: 2c24652f44989903e0cdf20a9d7a319387eba7095d467b4377e21c0c805789b355b567681f7bad0b4938d8f2c46940b8593bb2c33f5590a5eae0b6b9e9d2619b
|
|
@@ -123,9 +123,7 @@ module Dependabot
|
|
|
123
123
|
filename = path
|
|
124
124
|
# NPM/Yarn support loading path dependencies from tarballs:
|
|
125
125
|
# https://docs.npmjs.com/cli/pack.html
|
|
126
|
-
unless filename.end_with?(".tgz")
|
|
127
|
-
filename = File.join(filename, "package.json")
|
|
128
|
-
end
|
|
126
|
+
filename = File.join(filename, "package.json") unless filename.end_with?(".tgz")
|
|
129
127
|
cleaned_name = Pathname.new(filename).cleanpath.to_path
|
|
130
128
|
next if fetched_files.map(&:name).include?(cleaned_name)
|
|
131
129
|
|
|
@@ -185,9 +183,7 @@ module Dependabot
|
|
|
185
183
|
resolution_objects = parsed_manifest.values_at("resolutions").compact
|
|
186
184
|
manifest_objects = dependency_objects + resolution_objects
|
|
187
185
|
|
|
188
|
-
unless manifest_objects.all? { |o| o.is_a?(Hash) }
|
|
189
|
-
raise Dependabot::DependencyFileNotParseable, file.path
|
|
190
|
-
end
|
|
186
|
+
raise Dependabot::DependencyFileNotParseable, file.path unless manifest_objects.all? { |o| o.is_a?(Hash) }
|
|
191
187
|
|
|
192
188
|
resolution_deps = resolution_objects.flat_map(&:to_a).
|
|
193
189
|
map do |path, value|
|
|
@@ -328,9 +328,7 @@ module Dependabot
|
|
|
328
328
|
|
|
329
329
|
def resolvable_before_update?(lockfile)
|
|
330
330
|
@resolvable_before_update ||= {}
|
|
331
|
-
if @resolvable_before_update.key?(lockfile.name)
|
|
332
|
-
return @resolvable_before_update[lockfile.name]
|
|
333
|
-
end
|
|
331
|
+
return @resolvable_before_update[lockfile.name] if @resolvable_before_update.key?(lockfile.name)
|
|
334
332
|
|
|
335
333
|
@resolvable_before_update[lockfile.name] =
|
|
336
334
|
begin
|
|
@@ -50,9 +50,7 @@ module Dependabot
|
|
|
50
50
|
next false if CENTRAL_REGISTRIES.include?(cred["registry"])
|
|
51
51
|
|
|
52
52
|
# If all the URLs include this registry, it's global
|
|
53
|
-
if dependency_urls.all? { |url| url.include?(cred["registry"]) }
|
|
54
|
-
next true
|
|
55
|
-
end
|
|
53
|
+
next true if dependency_urls.all? { |url| url.include?(cred["registry"]) }
|
|
56
54
|
|
|
57
55
|
# If any unscoped URLs include this registry, it's global
|
|
58
56
|
dependency_urls.
|
|
@@ -120,9 +118,7 @@ module Dependabot
|
|
|
120
118
|
match(/^\s*registry\s+"(?<registry>[^"]+)"/)&.
|
|
121
119
|
named_captures&.fetch("registry")
|
|
122
120
|
|
|
123
|
-
if yarnrc_global_registry
|
|
124
|
-
return "registry = #{yarnrc_global_registry}\n"
|
|
125
|
-
end
|
|
121
|
+
return "registry = #{yarnrc_global_registry}\n" if yarnrc_global_registry
|
|
126
122
|
|
|
127
123
|
build_npmrc_content_from_lockfile
|
|
128
124
|
end
|
|
@@ -23,9 +23,7 @@ module Dependabot
|
|
|
23
23
|
|
|
24
24
|
def updated_yarn_lock_content(yarn_lock)
|
|
25
25
|
@updated_yarn_lock_content ||= {}
|
|
26
|
-
if @updated_yarn_lock_content[yarn_lock.name]
|
|
27
|
-
return @updated_yarn_lock_content[yarn_lock.name]
|
|
28
|
-
end
|
|
26
|
+
return @updated_yarn_lock_content[yarn_lock.name] if @updated_yarn_lock_content[yarn_lock.name]
|
|
29
27
|
|
|
30
28
|
new_content = updated_yarn_lock(yarn_lock)
|
|
31
29
|
|
|
@@ -235,16 +233,12 @@ module Dependabot
|
|
|
235
233
|
raise Dependabot::GitDependenciesNotReachable, dependency_url
|
|
236
234
|
end
|
|
237
235
|
|
|
238
|
-
if error_message.match?(TIMEOUT_FETCHING_PACKAGE)
|
|
239
|
-
handle_timeout(error_message, yarn_lock)
|
|
240
|
-
end
|
|
236
|
+
handle_timeout(error_message, yarn_lock) if error_message.match?(TIMEOUT_FETCHING_PACKAGE)
|
|
241
237
|
|
|
242
238
|
if error_message.start_with?("Couldn't find any versions") ||
|
|
243
239
|
error_message.include?(": Not found")
|
|
244
240
|
|
|
245
|
-
unless resolvable_before_update?(yarn_lock)
|
|
246
|
-
raise_resolvability_error(error_message, yarn_lock)
|
|
247
|
-
end
|
|
241
|
+
raise_resolvability_error(error_message, yarn_lock) unless resolvable_before_update?(yarn_lock)
|
|
248
242
|
|
|
249
243
|
# Dependabot has probably messed something up with the update and we
|
|
250
244
|
# want to hear about it
|
|
@@ -259,9 +253,7 @@ module Dependabot
|
|
|
259
253
|
|
|
260
254
|
def resolvable_before_update?(yarn_lock)
|
|
261
255
|
@resolvable_before_update ||= {}
|
|
262
|
-
if @resolvable_before_update.key?(yarn_lock.name)
|
|
263
|
-
return @resolvable_before_update[yarn_lock.name]
|
|
264
|
-
end
|
|
256
|
+
return @resolvable_before_update[yarn_lock.name] if @resolvable_before_update.key?(yarn_lock.name)
|
|
265
257
|
|
|
266
258
|
@resolvable_before_update[yarn_lock.name] =
|
|
267
259
|
begin
|
|
@@ -392,9 +384,7 @@ module Dependabot
|
|
|
392
384
|
'https://\1/'
|
|
393
385
|
)
|
|
394
386
|
|
|
395
|
-
if remove_integrity_lines?
|
|
396
|
-
updated_content = remove_integrity_lines(updated_content)
|
|
397
|
-
end
|
|
387
|
+
updated_content = remove_integrity_lines(updated_content) if remove_integrity_lines?
|
|
398
388
|
|
|
399
389
|
updated_content
|
|
400
390
|
end
|
|
@@ -14,9 +14,7 @@ module Dependabot
|
|
|
14
14
|
def homepage_url
|
|
15
15
|
# Attempt to use version_listing first, as fetching the entire listing
|
|
16
16
|
# array can be slow (if it's large)
|
|
17
|
-
if latest_version_listing["homepage"]
|
|
18
|
-
return latest_version_listing["homepage"]
|
|
19
|
-
end
|
|
17
|
+
return latest_version_listing["homepage"] if latest_version_listing["homepage"]
|
|
20
18
|
|
|
21
19
|
listing = all_version_listings.find { |_, l| l["homepage"] }
|
|
22
20
|
listing&.last&.fetch("homepage", nil) || super
|
|
@@ -136,9 +134,7 @@ module Dependabot
|
|
|
136
134
|
# Special case DefinitelyTyped, which has predictable URLs.
|
|
137
135
|
# This can be removed once this PR is merged:
|
|
138
136
|
# https://github.com/Microsoft/types-publisher/pull/578
|
|
139
|
-
if source_from_url.repo == "DefinitelyTyped/DefinitelyTyped"
|
|
140
|
-
return dependency.name.gsub(/^@/, "")
|
|
141
|
-
end
|
|
137
|
+
return dependency.name.gsub(/^@/, "") if source_from_url.repo == "DefinitelyTyped/DefinitelyTyped"
|
|
142
138
|
|
|
143
139
|
# Only return a directory if it is explicitly specified
|
|
144
140
|
return unless details.is_a?(Hash)
|
|
@@ -160,9 +156,7 @@ module Dependabot
|
|
|
160
156
|
**SharedHelpers.excon_defaults(headers: registry_auth_headers)
|
|
161
157
|
)
|
|
162
158
|
|
|
163
|
-
if response.status == 200
|
|
164
|
-
return @latest_version_listing = JSON.parse(response.body)
|
|
165
|
-
end
|
|
159
|
+
return @latest_version_listing = JSON.parse(response.body) if response.status == 200
|
|
166
160
|
|
|
167
161
|
@latest_version_listing = {}
|
|
168
162
|
rescue JSON::ParserError, Excon::Error::Timeout
|
|
@@ -17,9 +17,7 @@ module Dependabot
|
|
|
17
17
|
PATTERN = /\A#{PATTERN_RAW}\z/.freeze
|
|
18
18
|
|
|
19
19
|
def self.parse(obj)
|
|
20
|
-
if obj.is_a?(Gem::Version)
|
|
21
|
-
return ["=", NpmAndYarn::Version.new(obj.to_s)]
|
|
22
|
-
end
|
|
20
|
+
return ["=", NpmAndYarn::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
|
|
23
21
|
|
|
24
22
|
unless (matches = PATTERN.match(obj.to_s))
|
|
25
23
|
msg = "Illformed requirement [#{obj.inspect}]"
|
|
@@ -88,9 +86,7 @@ module Dependabot
|
|
|
88
86
|
upper_bound_range =
|
|
89
87
|
if upper_bound_parts.length < 3
|
|
90
88
|
# When upper bound is a partial version treat these as an X-range
|
|
91
|
-
if upper_bound_parts[-1].to_i.positive?
|
|
92
|
-
upper_bound_parts[-1] = upper_bound_parts[-1].to_i + 1
|
|
93
|
-
end
|
|
89
|
+
upper_bound_parts[-1] = upper_bound_parts[-1].to_i + 1 if upper_bound_parts[-1].to_i.positive?
|
|
94
90
|
upper_bound_parts.fill("0", upper_bound_parts.length...3)
|
|
95
91
|
"< #{upper_bound_parts.join('.')}.a"
|
|
96
92
|
else
|
|
@@ -54,9 +54,7 @@ module Dependabot
|
|
|
54
54
|
def latest_resolvable_version_with_no_unlock
|
|
55
55
|
return latest_resolvable_version unless dependency.top_level?
|
|
56
56
|
|
|
57
|
-
if git_dependency?
|
|
58
|
-
return latest_resolvable_version_with_no_unlock_for_git_dependency
|
|
59
|
-
end
|
|
57
|
+
return latest_resolvable_version_with_no_unlock_for_git_dependency if git_dependency?
|
|
60
58
|
|
|
61
59
|
latest_version_finder.latest_version_with_no_unlock
|
|
62
60
|
end
|
|
@@ -89,9 +87,7 @@ module Dependabot
|
|
|
89
87
|
|
|
90
88
|
def requirements_update_strategy
|
|
91
89
|
# If passed in as an option (in the base class) honour that option
|
|
92
|
-
if @requirements_update_strategy
|
|
93
|
-
return @requirements_update_strategy.to_sym
|
|
94
|
-
end
|
|
90
|
+
return @requirements_update_strategy.to_sym if @requirements_update_strategy
|
|
95
91
|
|
|
96
92
|
# Otherwise, widen ranges for libraries and bump versions for apps
|
|
97
93
|
library? ? :widen_ranges : :bump_versions
|
|
@@ -188,9 +184,7 @@ module Dependabot
|
|
|
188
184
|
def git_branch_or_ref_in_latest_release?
|
|
189
185
|
return false unless latest_released_version
|
|
190
186
|
|
|
191
|
-
if defined?(@git_branch_or_ref_in_latest_release)
|
|
192
|
-
return @git_branch_or_ref_in_latest_release
|
|
193
|
-
end
|
|
187
|
+
return @git_branch_or_ref_in_latest_release if defined?(@git_branch_or_ref_in_latest_release)
|
|
194
188
|
|
|
195
189
|
@git_branch_or_ref_in_latest_release ||=
|
|
196
190
|
git_commit_checker.branch_or_ref_in_release?(latest_released_version)
|
|
@@ -261,9 +255,7 @@ module Dependabot
|
|
|
261
255
|
|
|
262
256
|
# Otherwise, if the gem isn't pinned, the latest version is just the
|
|
263
257
|
# latest commit for the specified branch.
|
|
264
|
-
unless git_commit_checker.pinned?
|
|
265
|
-
return { sha: git_commit_checker.head_commit_for_current_branch }
|
|
266
|
-
end
|
|
258
|
+
return { sha: git_commit_checker.head_commit_for_current_branch } unless git_commit_checker.pinned?
|
|
267
259
|
|
|
268
260
|
# If the dependency is pinned to a tag that doesn't look like a
|
|
269
261
|
# version then there's nothing we can do.
|
|
@@ -111,9 +111,7 @@ module Dependabot
|
|
|
111
111
|
ignore_reqs.any? { |r| r.satisfied_by?(v) }
|
|
112
112
|
end
|
|
113
113
|
|
|
114
|
-
if @raise_on_ignored && filtered.empty? && versions_array.any?
|
|
115
|
-
raise AllVersionsIgnored
|
|
116
|
-
end
|
|
114
|
+
raise AllVersionsIgnored if @raise_on_ignored && filtered.empty? && versions_array.any?
|
|
117
115
|
|
|
118
116
|
filtered
|
|
119
117
|
end
|
|
@@ -261,9 +259,7 @@ module Dependabot
|
|
|
261
259
|
def version_endpoint_working?
|
|
262
260
|
return true if dependency_registry == "registry.npmjs.org"
|
|
263
261
|
|
|
264
|
-
if defined?(@version_endpoint_working)
|
|
265
|
-
return @version_endpoint_working
|
|
266
|
-
end
|
|
262
|
+
return @version_endpoint_working if defined?(@version_endpoint_working)
|
|
267
263
|
|
|
268
264
|
@version_endpoint_working =
|
|
269
265
|
begin
|
|
@@ -216,9 +216,7 @@ module Dependabot
|
|
|
216
216
|
|
|
217
217
|
# If there are multiple source types, or multiple source URLs, then
|
|
218
218
|
# it's unclear how we should proceed
|
|
219
|
-
if sources.map { |s| [s[:type], s[:url]] }.uniq.count > 1
|
|
220
|
-
raise "Multiple sources! #{sources.join(', ')}"
|
|
221
|
-
end
|
|
219
|
+
raise "Multiple sources! #{sources.join(', ')}" if sources.map { |s| [s[:type], s[:url]] }.uniq.count > 1
|
|
222
220
|
|
|
223
221
|
# Otherwise we just take the URL of the first private registry
|
|
224
222
|
sources.find { |s| s[:type] == "private_registry" }&.fetch(:url)
|
|
@@ -60,9 +60,7 @@ module Dependabot
|
|
|
60
60
|
return latest_allowable_version if git_dependency?(dependency)
|
|
61
61
|
return if part_of_tightly_locked_monorepo?
|
|
62
62
|
|
|
63
|
-
unless relevant_unmet_peer_dependencies.any?
|
|
64
|
-
return latest_allowable_version
|
|
65
|
-
end
|
|
63
|
+
return latest_allowable_version unless relevant_unmet_peer_dependencies.any?
|
|
66
64
|
|
|
67
65
|
satisfying_versions.first
|
|
68
66
|
end
|
|
@@ -79,9 +77,7 @@ module Dependabot
|
|
|
79
77
|
|
|
80
78
|
def dependency_updates_from_full_unlock
|
|
81
79
|
return if git_dependency?(dependency)
|
|
82
|
-
if part_of_tightly_locked_monorepo?
|
|
83
|
-
return updated_monorepo_dependencies
|
|
84
|
-
end
|
|
80
|
+
return updated_monorepo_dependencies if part_of_tightly_locked_monorepo?
|
|
85
81
|
return if newly_broken_peer_reqs_from_dep.any?
|
|
86
82
|
|
|
87
83
|
updates = [{
|
|
@@ -219,9 +215,7 @@ module Dependabot
|
|
|
219
215
|
end
|
|
220
216
|
|
|
221
217
|
def old_peer_dependency_errors
|
|
222
|
-
if @old_peer_dependency_errors_checked
|
|
223
|
-
return @old_peer_dependency_errors
|
|
224
|
-
end
|
|
218
|
+
return @old_peer_dependency_errors if @old_peer_dependency_errors_checked
|
|
225
219
|
|
|
226
220
|
@old_peer_dependency_errors_checked = true
|
|
227
221
|
|
|
@@ -534,9 +528,7 @@ module Dependabot
|
|
|
534
528
|
end
|
|
535
529
|
|
|
536
530
|
def version_for_dependency(dep)
|
|
537
|
-
if dep.version && version_class.correct?(dep.version)
|
|
538
|
-
return version_class.new(dep.version)
|
|
539
|
-
end
|
|
531
|
+
return version_class.new(dep.version) if dep.version && version_class.correct?(dep.version)
|
|
540
532
|
|
|
541
533
|
dep.requirements.map { |r| r[:requirement] }.compact.
|
|
542
534
|
reject { |req_string| req_string.start_with?("<") }.
|
|
@@ -29,9 +29,7 @@ module Dependabot
|
|
|
29
29
|
@version_string = version.to_s
|
|
30
30
|
version = version.gsub(/^v/, "") if version.is_a?(String)
|
|
31
31
|
|
|
32
|
-
if version.to_s.include?("+")
|
|
33
|
-
version, @build_info = version.to_s.split("+")
|
|
34
|
-
end
|
|
32
|
+
version, @build_info = version.to_s.split("+") if version.to_s.include?("+")
|
|
35
33
|
|
|
36
34
|
super
|
|
37
35
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.125.
|
|
4
|
+
version: 0.125.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.125.
|
|
19
|
+
version: 0.125.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.125.
|
|
26
|
+
version: 0.125.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|