dependabot-npm_and_yarn 0.125.0 → 0.125.5

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -123,9 +123,7 @@ module Dependabot
           filename = path
           # NPM/Yarn support loading path dependencies from tarballs:
           # https://docs.npmjs.com/cli/pack.html
-          unless filename.end_with?(".tgz")
-            filename = File.join(filename, "package.json")
-          end
+          filename = File.join(filename, "package.json") unless filename.end_with?(".tgz")
           cleaned_name = Pathname.new(filename).cleanpath.to_path
           next if fetched_files.map(&:name).include?(cleaned_name)
 
@@ -185,9 +183,7 @@ module Dependabot
         resolution_objects = parsed_manifest.values_at("resolutions").compact
         manifest_objects = dependency_objects + resolution_objects
 
-        unless manifest_objects.all? { |o| o.is_a?(Hash) }
-          raise Dependabot::DependencyFileNotParseable, file.path
-        end
+        raise Dependabot::DependencyFileNotParseable, file.path unless manifest_objects.all? { |o| o.is_a?(Hash) }
 
         resolution_deps = resolution_objects.flat_map(&:to_a).
                           map do |path, value|

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -328,9 +328,7 @@ module Dependabot
 
         def resolvable_before_update?(lockfile)
           @resolvable_before_update ||= {}
-          if @resolvable_before_update.key?(lockfile.name)
-            return @resolvable_before_update[lockfile.name]
-          end
+          return @resolvable_before_update[lockfile.name] if @resolvable_before_update.key?(lockfile.name)
 
           @resolvable_before_update[lockfile.name] =
             begin

data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb

@@ -50,9 +50,7 @@ module Dependabot
               next false if CENTRAL_REGISTRIES.include?(cred["registry"])
 
               # If all the URLs include this registry, it's global
-              if dependency_urls.all? { |url| url.include?(cred["registry"]) }
-                next true
-              end
+              next true if dependency_urls.all? { |url| url.include?(cred["registry"]) }
 
               # If any unscoped URLs include this registry, it's global
               dependency_urls.
@@ -120,9 +118,7 @@ module Dependabot
             match(/^\s*registry\s+"(?<registry>[^"]+)"/)&.
             named_captures&.fetch("registry")
 
-          if yarnrc_global_registry
-            return "registry = #{yarnrc_global_registry}\n"
-          end
+          return "registry = #{yarnrc_global_registry}\n" if yarnrc_global_registry
 
           build_npmrc_content_from_lockfile
         end

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -23,9 +23,7 @@ module Dependabot
 
         def updated_yarn_lock_content(yarn_lock)
           @updated_yarn_lock_content ||= {}
-          if @updated_yarn_lock_content[yarn_lock.name]
-            return @updated_yarn_lock_content[yarn_lock.name]
-          end
+          return @updated_yarn_lock_content[yarn_lock.name] if @updated_yarn_lock_content[yarn_lock.name]
 
           new_content = updated_yarn_lock(yarn_lock)
 
@@ -235,16 +233,12 @@ module Dependabot
             raise Dependabot::GitDependenciesNotReachable, dependency_url
           end
 
-          if error_message.match?(TIMEOUT_FETCHING_PACKAGE)
-            handle_timeout(error_message, yarn_lock)
-          end
+          handle_timeout(error_message, yarn_lock) if error_message.match?(TIMEOUT_FETCHING_PACKAGE)
 
           if error_message.start_with?("Couldn't find any versions") ||
              error_message.include?(": Not found")
 
-            unless resolvable_before_update?(yarn_lock)
-              raise_resolvability_error(error_message, yarn_lock)
-            end
+            raise_resolvability_error(error_message, yarn_lock) unless resolvable_before_update?(yarn_lock)
 
             # Dependabot has probably messed something up with the update and we
             # want to hear about it
@@ -259,9 +253,7 @@ module Dependabot
 
         def resolvable_before_update?(yarn_lock)
           @resolvable_before_update ||= {}
-          if @resolvable_before_update.key?(yarn_lock.name)
-            return @resolvable_before_update[yarn_lock.name]
-          end
+          return @resolvable_before_update[yarn_lock.name] if @resolvable_before_update.key?(yarn_lock.name)
 
           @resolvable_before_update[yarn_lock.name] =
             begin
@@ -392,9 +384,7 @@ module Dependabot
             'https://\1/'
           )
 
-          if remove_integrity_lines?
-            updated_content = remove_integrity_lines(updated_content)
-          end
+          updated_content = remove_integrity_lines(updated_content) if remove_integrity_lines?
 
           updated_content
         end

data/lib/dependabot/npm_and_yarn/metadata_finder.rb

@@ -14,9 +14,7 @@ module Dependabot
       def homepage_url
         # Attempt to use version_listing first, as fetching the entire listing
         # array can be slow (if it's large)
-        if latest_version_listing["homepage"]
-          return latest_version_listing["homepage"]
-        end
+        return latest_version_listing["homepage"] if latest_version_listing["homepage"]
 
         listing = all_version_listings.find { |_, l| l["homepage"] }
         listing&.last&.fetch("homepage", nil) || super
@@ -136,9 +134,7 @@ module Dependabot
         # Special case DefinitelyTyped, which has predictable URLs.
         # This can be removed once this PR is merged:
         # https://github.com/Microsoft/types-publisher/pull/578
-        if source_from_url.repo == "DefinitelyTyped/DefinitelyTyped"
-          return dependency.name.gsub(/^@/, "")
-        end
+        return dependency.name.gsub(/^@/, "") if source_from_url.repo == "DefinitelyTyped/DefinitelyTyped"
 
         # Only return a directory if it is explicitly specified
         return unless details.is_a?(Hash)
@@ -160,9 +156,7 @@ module Dependabot
           **SharedHelpers.excon_defaults(headers: registry_auth_headers)
         )
 
-        if response.status == 200
-          return @latest_version_listing = JSON.parse(response.body)
-        end
+        return @latest_version_listing = JSON.parse(response.body) if response.status == 200
 
         @latest_version_listing = {}
       rescue JSON::ParserError, Excon::Error::Timeout

data/lib/dependabot/npm_and_yarn/requirement.rb

@@ -17,9 +17,7 @@ module Dependabot
       PATTERN = /\A#{PATTERN_RAW}\z/.freeze
 
       def self.parse(obj)
-        if obj.is_a?(Gem::Version)
-          return ["=", NpmAndYarn::Version.new(obj.to_s)]
-        end
+        return ["=", NpmAndYarn::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
 
         unless (matches = PATTERN.match(obj.to_s))
           msg = "Illformed requirement [#{obj.inspect}]"
@@ -88,9 +86,7 @@ module Dependabot
         upper_bound_range =
           if upper_bound_parts.length < 3
             # When upper bound is a partial version treat these as an X-range
-            if upper_bound_parts[-1].to_i.positive?
-              upper_bound_parts[-1] = upper_bound_parts[-1].to_i + 1
-            end
+            upper_bound_parts[-1] = upper_bound_parts[-1].to_i + 1 if upper_bound_parts[-1].to_i.positive?
             upper_bound_parts.fill("0", upper_bound_parts.length...3)
             "< #{upper_bound_parts.join('.')}.a"
           else

data/lib/dependabot/npm_and_yarn/update_checker.rb

@@ -13,6 +13,7 @@ module Dependabot
       require_relative "update_checker/latest_version_finder"
       require_relative "update_checker/version_resolver"
       require_relative "update_checker/subdependency_version_resolver"
+      require_relative "update_checker/conflicting_dependency_resolver"
 
       def latest_version
         @latest_version ||=
@@ -54,9 +55,7 @@ module Dependabot
       def latest_resolvable_version_with_no_unlock
         return latest_resolvable_version unless dependency.top_level?
 
-        if git_dependency?
-          return latest_resolvable_version_with_no_unlock_for_git_dependency
-        end
+        return latest_resolvable_version_with_no_unlock_for_git_dependency if git_dependency?
 
         latest_version_finder.latest_version_with_no_unlock
       end
@@ -89,14 +88,22 @@ module Dependabot
 
       def requirements_update_strategy
         # If passed in as an option (in the base class) honour that option
-        if @requirements_update_strategy
-          return @requirements_update_strategy.to_sym
-        end
+        return @requirements_update_strategy.to_sym if @requirements_update_strategy
 
         # Otherwise, widen ranges for libraries and bump versions for apps
         library? ? :widen_ranges : :bump_versions
       end
 
+      def conflicting_dependencies
+        ConflictingDependencyResolver.new(
+          dependency_files: dependency_files,
+          credentials: credentials
+        ).conflicting_dependencies(
+          dependency: dependency,
+          target_version: lowest_security_fix_version
+        )
+      end
+
       private
 
       def latest_version_resolvable_with_full_unlock?
@@ -188,9 +195,7 @@ module Dependabot
       def git_branch_or_ref_in_latest_release?
         return false unless latest_released_version
 
-        if defined?(@git_branch_or_ref_in_latest_release)
-          return @git_branch_or_ref_in_latest_release
-        end
+        return @git_branch_or_ref_in_latest_release if defined?(@git_branch_or_ref_in_latest_release)
 
         @git_branch_or_ref_in_latest_release ||=
           git_commit_checker.branch_or_ref_in_release?(latest_released_version)
@@ -261,9 +266,7 @@ module Dependabot
 
         # Otherwise, if the gem isn't pinned, the latest version is just the
         # latest commit for the specified branch.
-        unless git_commit_checker.pinned?
-          return { sha: git_commit_checker.head_commit_for_current_branch }
-        end
+        return { sha: git_commit_checker.head_commit_for_current_branch } unless git_commit_checker.pinned?
 
         # If the dependency is pinned to a tag that doesn't look like a
         # version then there's nothing we can do.

data/lib/dependabot/npm_and_yarn/update_checker/conflicting_dependency_resolver.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency"
+require "dependabot/errors"
+require "dependabot/npm_and_yarn/file_parser"
+require "dependabot/npm_and_yarn/native_helpers"
+require "dependabot/npm_and_yarn/update_checker"
+require "dependabot/npm_and_yarn/update_checker/dependency_files_builder"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module NpmAndYarn
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      class ConflictingDependencyResolver
+        def initialize(dependency_files:, credentials:)
+          @dependency_files = dependency_files
+          @credentials = credentials
+        end
+
+        # Finds any dependencies in the `yarn.lock` or `package-lock.json` that
+        # have a subdependency on the given dependency that does not satisfly
+        # the target_version.
+        #
+        # @param dependency [Dependabot::Dependency] the dependency to check
+        # @param target_version [String] the version to check
+        # @return [Array<Hash{String => String}]
+        #   * name [String] the blocking dependencies name
+        #   * version [String] the version of the blocking dependency
+        #   * requirement [String] the requirement on the target_dependency
+        def conflicting_dependencies(dependency:, target_version:)
+          SharedHelpers.in_a_temporary_directory do
+            dependency_files_builder = DependencyFilesBuilder.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials
+            )
+            dependency_files_builder.write_temporary_dependency_files
+
+            # TODO: Look into using npm/arborist for parsing yarn lockfiles (there's currently partial yarn support)
+            #
+            # Prefer the npm conflicting dependency parser if there's both a npm lockfile and a yarn.lock file as the
+            # npm parser handles edge cases where the package.json is out of sync with the lockfile, something the yarn
+            # parser doesn't deal with at the moment.
+            if dependency_files_builder.package_locks.any? ||
+               dependency_files_builder.shrinkwraps.any?
+              SharedHelpers.run_helper_subprocess(
+                command: NativeHelpers.helper_path,
+                function: "npm:findConflictingDependencies",
+                args: [Dir.pwd, dependency.name, target_version.to_s]
+              )
+            else
+              SharedHelpers.run_helper_subprocess(
+                command: NativeHelpers.helper_path,
+                function: "yarn:findConflictingDependencies",
+                args: [Dir.pwd, dependency.name, target_version.to_s]
+              )
+            end
+          end
+        rescue SharedHelpers::HelperSubprocessFailed
+          []
+        end
+
+        private
+
+        attr_reader :dependency_files, :credentials
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require "dependabot/npm_and_yarn/file_updater/npmrc_builder"
+require "dependabot/npm_and_yarn/file_updater/package_json_preparer"
+
+module Dependabot
+  module NpmAndYarn
+    class UpdateChecker
+      class DependencyFilesBuilder
+        def initialize(dependency:, dependency_files:, credentials:)
+          @dependency = dependency
+          @dependency_files = dependency_files
+          @credentials = credentials
+        end
+
+        def write_temporary_dependency_files
+          write_lock_files
+
+          File.write(".npmrc", npmrc_content)
+
+          package_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(file.name, prepared_package_json_content(file))
+          end
+        end
+
+        def package_locks
+          @package_locks ||=
+            dependency_files.
+            select { |f| f.name.end_with?("package-lock.json") }
+        end
+
+        def yarn_locks
+          @yarn_locks ||=
+            dependency_files.
+            select { |f| f.name.end_with?("yarn.lock") }
+        end
+
+        def shrinkwraps
+          @shrinkwraps ||=
+            dependency_files.
+            select { |f| f.name.end_with?("npm-shrinkwrap.json") }
+        end
+
+        def lockfiles
+          [*package_locks, *shrinkwraps, *yarn_locks]
+        end
+
+        def package_files
+          @package_files ||=
+            dependency_files.
+            select { |f| f.name.end_with?("package.json") }
+        end
+
+        private
+
+        attr_reader :dependency, :dependency_files, :credentials
+
+        def write_lock_files
+          yarn_locks.each do |f|
+            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
+            File.write(f.name, prepared_yarn_lockfile_content(f.content))
+          end
+
+          [*package_locks, *shrinkwraps].each do |f|
+            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
+            File.write(f.name, f.content)
+          end
+        end
+
+        # Duplicated in NpmLockfileUpdater
+        # Remove the dependency we want to update from the lockfile and let
+        # yarn find the latest resolvable version and fix the lockfile
+        def prepared_yarn_lockfile_content(content)
+          content.gsub(/^#{Regexp.quote(dependency.name)}\@.*?\n\n/m, "")
+        end
+
+        def prepared_package_json_content(file)
+          NpmAndYarn::FileUpdater::PackageJsonPreparer.new(
+            package_json_content: file.content
+          ).prepared_content
+        end
+
+        def npmrc_content
+          NpmAndYarn::FileUpdater::NpmrcBuilder.new(
+            credentials: credentials,
+            dependency_files: dependency_files
+          ).npmrc_content
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb

@@ -111,9 +111,7 @@ module Dependabot
             ignore_reqs.any? { |r| r.satisfied_by?(v) }
           end
 
-          if @raise_on_ignored && filtered.empty? && versions_array.any?
-            raise AllVersionsIgnored
-          end
+          raise AllVersionsIgnored if @raise_on_ignored && filtered.empty? && versions_array.any?
 
           filtered
         end
@@ -261,9 +259,7 @@ module Dependabot
         def version_endpoint_working?
           return true if dependency_registry == "registry.npmjs.org"
 
-          if defined?(@version_endpoint_working)
-            return @version_endpoint_working
-          end
+          return @version_endpoint_working if defined?(@version_endpoint_working)
 
           @version_endpoint_working =
             begin

data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb

@@ -216,9 +216,7 @@ module Dependabot
 
           # If there are multiple source types, or multiple source URLs, then
           # it's unclear how we should proceed
-          if sources.map { |s| [s[:type], s[:url]] }.uniq.count > 1
-            raise "Multiple sources! #{sources.join(', ')}"
-          end
+          raise "Multiple sources! #{sources.join(', ')}" if sources.map { |s| [s[:type], s[:url]] }.uniq.count > 1
 
           # Otherwise we just take the URL of the first private registry
           sources.find { |s| s[:type] == "private_registry" }&.fetch(:url)

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -1,15 +1,16 @@
 # frozen_string_literal: true
 
 require "dependabot/dependency"
-require "dependabot/shared_helpers"
 require "dependabot/errors"
-require "dependabot/npm_and_yarn/update_checker"
 require "dependabot/npm_and_yarn/file_parser"
-require "dependabot/npm_and_yarn/version"
-require "dependabot/npm_and_yarn/native_helpers"
 require "dependabot/npm_and_yarn/file_updater/npmrc_builder"
 require "dependabot/npm_and_yarn/file_updater/package_json_preparer"
+require "dependabot/npm_and_yarn/native_helpers"
 require "dependabot/npm_and_yarn/sub_dependency_files_filterer"
+require "dependabot/npm_and_yarn/update_checker"
+require "dependabot/npm_and_yarn/update_checker/dependency_files_builder"
+require "dependabot/npm_and_yarn/version"
+require "dependabot/shared_helpers"
 
 module Dependabot
   module NpmAndYarn
@@ -29,7 +30,7 @@ module Dependabot
           return if bundled_dependency?
 
           SharedHelpers.in_a_temporary_directory do
-            write_temporary_dependency_files
+            dependency_files_builder.write_temporary_dependency_files
 
             updated_lockfiles = filtered_lockfiles.map do |lockfile|
               updated_content = update_subdependency_in_lockfile(lockfile)
@@ -67,9 +68,9 @@ module Dependabot
 
         def version_from_updated_lockfiles(updated_lockfiles)
           updated_files = dependency_files -
-                          yarn_locks -
-                          package_locks -
-                          shrinkwraps +
+                          dependency_files_builder.yarn_locks -
+                          dependency_files_builder.package_locks -
+                          dependency_files_builder.shrinkwraps +
                           updated_lockfiles
 
           updated_version = NpmAndYarn::FileParser.new(
@@ -118,84 +119,10 @@ module Dependabot
           end
         end
 
-        def write_temporary_dependency_files
-          write_lock_files
-
-          File.write(".npmrc", npmrc_content)
-
-          package_files.each do |file|
-            path = file.name
-            FileUtils.mkdir_p(Pathname.new(path).dirname)
-            File.write(file.name, prepared_package_json_content(file))
-          end
-        end
-
-        def write_lock_files
-          yarn_locks.each do |f|
-            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
-            File.write(f.name, prepared_yarn_lockfile_content(f.content))
-          end
-
-          [*package_locks, *shrinkwraps].each do |f|
-            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
-            File.write(f.name, f.content)
-          end
-        end
-
-        # Duplicated in NpmLockfileUpdater
-        # Remove the dependency we want to update from the lockfile and let
-        # yarn find the latest resolvable version and fix the lockfile
-        def prepared_yarn_lockfile_content(content)
-          content.gsub(/^#{Regexp.quote(dependency.name)}\@.*?\n\n/m, "")
-        end
-
-        def prepared_package_json_content(file)
-          NpmAndYarn::FileUpdater::PackageJsonPreparer.new(
-            package_json_content: file.content
-          ).prepared_content
-        end
-
-        def npmrc_content
-          NpmAndYarn::FileUpdater::NpmrcBuilder.new(
-            credentials: credentials,
-            dependency_files: dependency_files
-          ).npmrc_content
-        end
-
         def version_class
           NpmAndYarn::Version
         end
 
-        def package_locks
-          @package_locks ||=
-            dependency_files.
-            select { |f| f.name.end_with?("package-lock.json") }
-        end
-
-        def yarn_locks
-          @yarn_locks ||=
-            dependency_files.
-            select { |f| f.name.end_with?("yarn.lock") }
-        end
-
-        def shrinkwraps
-          @shrinkwraps ||=
-            dependency_files.
-            select { |f| f.name.end_with?("npm-shrinkwrap.json") }
-        end
-
-        def lockfiles
-          [*package_locks, *shrinkwraps, *yarn_locks]
-        end
-
-        def filtered_lockfiles
-          @filtered_lockfiles ||=
-            SubDependencyFilesFilterer.new(
-              dependency_files: dependency_files,
-              updated_dependencies: [updated_dependency]
-            ).files_requiring_update
-        end
-
         def updated_dependency
           Dependabot::Dependency.new(
             name: dependency.name,
@@ -206,10 +133,21 @@ module Dependabot
           )
         end
 
-        def package_files
-          @package_files ||=
-            dependency_files.
-            select { |f| f.name.end_with?("package.json") }
+        def filtered_lockfiles
+          @filtered_lockfiles ||=
+            SubDependencyFilesFilterer.new(
+              dependency_files: dependency_files,
+              updated_dependencies: [updated_dependency]
+            ).files_requiring_update
+        end
+
+        def dependency_files_builder
+          @dependency_files_builder ||=
+            DependencyFilesBuilder.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials
+            )
         end
 
         # TODO: We should try and fix this by updating the parent that's not