dependabot-npm_and_yarn 0.125.3 → 0.126.0

data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb

@@ -73,7 +73,7 @@ module Dependabot
               next unless semver_version_for(details["version"])
               next if alias_package?(req)
 
-              # Note: The DependencySet will de-dupe our dependencies, so they
+              # NOTE: The DependencySet will de-dupe our dependencies, so they
               # end up unique by name. That's not a perfect representation of
               # the nested nature of JS resolution, but it makes everything work
               # comparably to other flat-resolution strategies
@@ -92,7 +92,7 @@ module Dependabot
         def package_lock_dependencies
           dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
 
-          # Note: The DependencySet will de-dupe our dependencies, so they
+          # NOTE: The DependencySet will de-dupe our dependencies, so they
           # end up unique by name. That's not a perfect representation of
           # the nested nature of JS resolution, but it makes everything work
           # comparably to other flat-resolution strategies
@@ -108,7 +108,7 @@ module Dependabot
         def shrinkwrap_dependencies
           dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
 
-          # Note: The DependencySet will de-dupe our dependencies, so they
+          # NOTE: The DependencySet will de-dupe our dependencies, so they
           # end up unique by name. That's not a perfect representation of
           # the nested nature of JS resolution, but it makes everything work
           # comparably to other flat-resolution strategies

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -286,7 +286,7 @@ module Dependabot
                                                                lockfile)
           lockfile_dir = Pathname.new(lockfile.name).dirname
           modules_path = lockfile_dir.join("node_modules")
-          # Note: don't include the dependency names to prevent opening
+          # NOTE: don't include the dependency names to prevent opening
           # multiple issues for each dependency that fails because we unique
           # issues on the error message (issue detail) on the backend
           #

data/lib/dependabot/npm_and_yarn/update_checker.rb

@@ -43,7 +43,7 @@ module Dependabot
 
       def lowest_resolvable_security_fix_version
         raise "Dependency not vulnerable!" unless vulnerable?
-        # Note: we currently don't resolve transitive/sub-dependencies as
+        # NOTE: we currently don't resolve transitive/sub-dependencies as
         # npm/yarn don't provide any control over updating to a specific
         # sub-dependency
         return latest_resolvable_version unless dependency.top_level?

data/lib/dependabot/npm_and_yarn/update_checker/conflicting_dependency_resolver.rb

@@ -36,16 +36,22 @@ module Dependabot
             )
             dependency_files_builder.write_temporary_dependency_files
 
-            if dependency_files_builder.yarn_locks.any?
+            # TODO: Look into using npm/arborist for parsing yarn lockfiles (there's currently partial yarn support)
+            #
+            # Prefer the npm conflicting dependency parser if there's both a npm lockfile and a yarn.lock file as the
+            # npm parser handles edge cases where the package.json is out of sync with the lockfile, something the yarn
+            # parser doesn't deal with at the moment.
+            if dependency_files_builder.package_locks.any? ||
+               dependency_files_builder.shrinkwraps.any?
               SharedHelpers.run_helper_subprocess(
                 command: NativeHelpers.helper_path,
-                function: "yarn:findConflictingDependencies",
+                function: "npm:findConflictingDependencies",
                 args: [Dir.pwd, dependency.name, target_version.to_s]
               )
             else
               SharedHelpers.run_helper_subprocess(
                 command: NativeHelpers.helper_path,
-                function: "npm:findConflictingDependencies",
+                function: "yarn:findConflictingDependencies",
                 args: [Dir.pwd, dependency.name, target_version.to_s]
               )
             end

data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb

@@ -361,7 +361,9 @@ module Dependabot
               idempotent: true,
               **SharedHelpers.excon_defaults
             )
-            return web_response.body.include?("Forgot password?")
+            # NOTE: returns 429 when the login page is rate limited
+            return web_response.body.include?("Forgot password?") ||
+                   web_response.status == 429
           end
 
           true

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.125.3
+  version: 0.126.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-11-16 00:00:00.000000000 Z
+date: 2020-12-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.125.3
+        version: 0.126.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.125.3
+        version: 0.126.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -100,28 +100,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.93.0
+        version: 1.5.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.93.0
+        version: 1.5.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.20.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.0
+        version: 0.20.0
 - !ruby/object:Gem::Dependency
   name: simplecov-console
   requirement: !ruby/object:Gem::Requirement
@@ -204,6 +204,15 @@ files:
 - helpers/test/npm/fixtures/updater/updated/package-lock.json
 - helpers/test/npm/helpers.js
 - helpers/test/npm/updater.test.js
+- helpers/test/yarn/conflicting-dependency-parser.test.js
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested/package.json
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested/yarn.lock
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/dev-dependencies/package.json
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/dev-dependencies/yarn.lock
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/nested/package.json
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/nested/yarn.lock
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/simple/package.json
+- helpers/test/yarn/fixtures/conflicting-dependency-parser/simple/yarn.lock
 - helpers/test/yarn/fixtures/updater/original/package.json
 - helpers/test/yarn/fixtures/updater/original/yarn.lock
 - helpers/test/yarn/fixtures/updater/updated/yarn.lock