RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.125.2 → 0.125.7 - Mend

dependabot-npm_and_yarn 0.125.2 → 0.125.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb CHANGED

@@ -73,7 +73,7 @@ module Dependabot
               next unless semver_version_for(details["version"])
               next if alias_package?(req)
-              # Note: The DependencySet will de-dupe our dependencies, so they
+              # NOTE: The DependencySet will de-dupe our dependencies, so they
               # end up unique by name. That's not a perfect representation of
               # the nested nature of JS resolution, but it makes everything work
               # comparably to other flat-resolution strategies
@@ -92,7 +92,7 @@ module Dependabot
         def package_lock_dependencies
           dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
-          # Note: The DependencySet will de-dupe our dependencies, so they
+          # NOTE: The DependencySet will de-dupe our dependencies, so they
           # end up unique by name. That's not a perfect representation of
           # the nested nature of JS resolution, but it makes everything work
           # comparably to other flat-resolution strategies
@@ -108,7 +108,7 @@ module Dependabot
         def shrinkwrap_dependencies
           dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
-          # Note: The DependencySet will de-dupe our dependencies, so they
+          # NOTE: The DependencySet will de-dupe our dependencies, so they
           # end up unique by name. That's not a perfect representation of
           # the nested nature of JS resolution, but it makes everything work
           # comparably to other flat-resolution strategies

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb CHANGED

@@ -286,7 +286,7 @@ module Dependabot
                                                                lockfile)
           lockfile_dir = Pathname.new(lockfile.name).dirname
           modules_path = lockfile_dir.join("node_modules")
-          # Note: don't include the dependency names to prevent opening
+          # NOTE: don't include the dependency names to prevent opening
           # multiple issues for each dependency that fails because we unique
           # issues on the error message (issue detail) on the backend
           #

data/lib/dependabot/npm_and_yarn/update_checker.rb CHANGED

@@ -43,7 +43,7 @@ module Dependabot
       def lowest_resolvable_security_fix_version
         raise "Dependency not vulnerable!" unless vulnerable?
-        # Note: we currently don't resolve transitive/sub-dependencies as
+        # NOTE: we currently don't resolve transitive/sub-dependencies as
         # npm/yarn don't provide any control over updating to a specific
         # sub-dependency
         return latest_resolvable_version unless dependency.top_level?

data/lib/dependabot/npm_and_yarn/update_checker/conflicting_dependency_resolver.rb CHANGED

@@ -36,16 +36,22 @@ module Dependabot
             )
             dependency_files_builder.write_temporary_dependency_files
-            if dependency_files_builder.yarn_locks.any?
+            # TODO: Look into using npm/arborist for parsing yarn lockfiles (there's currently partial yarn support)
+            #
+            # Prefer the npm conflicting dependency parser if there's both a npm lockfile and a yarn.lock file as the
+            # npm parser handles edge cases where the package.json is out of sync with the lockfile, something the yarn
+            # parser doesn't deal with at the moment.
+            if dependency_files_builder.package_locks.any? ||
+               dependency_files_builder.shrinkwraps.any?
               SharedHelpers.run_helper_subprocess(
                 command: NativeHelpers.helper_path,
-                function: "yarn:findConflictingDependencies",
+                function: "npm:findConflictingDependencies",
                 args: [Dir.pwd, dependency.name, target_version.to_s]
               )
             else
               SharedHelpers.run_helper_subprocess(
                 command: NativeHelpers.helper_path,
-                function: "npm:findConflictingDependencies",
+                function: "yarn:findConflictingDependencies",
                 args: [Dir.pwd, dependency.name, target_version.to_s]
               )
             end

data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb CHANGED

@@ -361,7 +361,9 @@ module Dependabot
               idempotent: true,
               **SharedHelpers.excon_defaults
             )
-            return web_response.body.include?("Forgot password?")
+            # NOTE: returns 429 when the login page is rate limited
+            return web_response.body.include?("Forgot password?") ||
+                   web_response.status == 429
           end
           true

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.125.2
+  version: 0.125.7
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-11 00:00:00.000000000 Z
+date: 2020-11-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.125.2
+        version: 0.125.7
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.125.2
+        version: 0.125.7
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -100,42 +100,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.93.0
+        version: 1.4.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.93.0
+        version: 1.4.2
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.20.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.20.0
 - !ruby/object:Gem::Dependency
   name: simplecov-console
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.2
+        version: 0.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.2
+        version: 0.8.0
 - !ruby/object:Gem::Dependency
   name: vcr
   requirement: !ruby/object:Gem::Requirement
@@ -172,6 +172,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - helpers/.eslintrc
+- helpers/README.md
 - helpers/build
 - helpers/lib/npm/conflicting-dependency-parser.js
 - helpers/lib/npm/helpers.js
@@ -191,11 +192,27 @@ files:
 - helpers/lib/yarn/updater.js
 - helpers/package.json
 - helpers/run.js
+- helpers/test/npm/conflicting-dependency-parser.test.js
+- helpers/test/npm/fixtures/conflicting-dependency-parser/deeply-nested/package-lock.json
+- helpers/test/npm/fixtures/conflicting-dependency-parser/deeply-nested/package.json
+- helpers/test/npm/fixtures/conflicting-dependency-parser/nested/package-lock.json
+- helpers/test/npm/fixtures/conflicting-dependency-parser/nested/package.json
+- helpers/test/npm/fixtures/conflicting-dependency-parser/simple/package-lock.json
+- helpers/test/npm/fixtures/conflicting-dependency-parser/simple/package.json
 - helpers/test/npm/fixtures/updater/original/package-lock.json
 - helpers/test/npm/fixtures/updater/original/package.json
 - helpers/test/npm/fixtures/updater/updated/package-lock.json
 - helpers/test/npm/helpers.js
 - helpers/test/npm/updater.test.js
+- helpers/test/yarn/conflicting-dependency-parser.test.js
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested/package.json
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested/yarn.lock
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/dev-dependencies/package.json
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/dev-dependencies/yarn.lock
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/nested/package.json
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/nested/yarn.lock
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/simple/package.json
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/simple/yarn.lock
 - helpers/test/yarn/fixtures/updater/original/package.json
 - helpers/test/yarn/fixtures/updater/original/yarn.lock
 - helpers/test/yarn/fixtures/updater/updated/yarn.lock