dependabot-npm_and_yarn 0.147.1 → 0.148.4

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: '082ee79306473f08204902aeb51e23b91051f2353501c292b1c5541522d24a07'
4
- data.tar.gz: 95b56fd255971a9a95ac4fc8a8a47b809e8cba9317b49668a8322c8cc8cd013b
3
+ metadata.gz: de1d193152d8533d222041ec3f41c407c9fe348f709390ac12019fa0f3708044
4
+ data.tar.gz: e88dbce4199796088c01beb14f1c8e6e57fe7d44cec12d199cda75a04048ac17
5
5
  SHA512:
6
- metadata.gz: efda468b3effd7ecd05c90810c9568b3158719148970a8358e0b944ec55a8db4078cd104479edbf5b0be7136f5cfbd17d5e5f40b2d832648589bcf9496c8db1f
7
- data.tar.gz: 499b90ae02d9dd8c9c794596de1ffd364a6bc81ad9767835761d91764a003be71346b5c3c770705321d60d6639a7eeb77f36789b5bd9d5ddb47974e658a1de80
6
+ metadata.gz: 8fa3bcbc2b861c32a579f74304bf545b0bfd70d85f7e33d04e6c1d0e20c0ac115ae5ed811f2d6c95607c0afad916cf2984e4ec6ca597f4253e1c1f35bf8475d9
7
+ data.tar.gz: 89bb2011c81b8f6df0643def49da6eb224e21438c1b5ec890e2ad7cf22954c75144c7c4c0029ada5f585e2d0683470d29d1f0eb4e703f370eaa673204d96562d
@@ -7,7 +7,7 @@
7
7
  "name": "@dependabot/helper",
8
8
  "dependencies": {
9
9
  "@dependabot/yarn-lib": "^1.21.1",
10
- "@npmcli/arborist": "^2.5.0",
10
+ "@npmcli/arborist": "^2.6.0",
11
11
  "detect-indent": "^6.0.0",
12
12
  "npm": "6.14.13",
13
13
  "semver": "^7.3.4"
@@ -1425,9 +1425,9 @@
1425
1425
  }
1426
1426
  },
1427
1427
  "node_modules/@npmcli/arborist": {
1428
- "version": "2.5.0",
1429
- "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-2.5.0.tgz",
1430
- "integrity": "sha512-YPSkV/8vofpbAJyeu52J12YnC5VTkYIcfcNkRoSW6qjfQG+QybgbJtCbcdx+M0YxfdzDKS6iDTjpNMoETZ8HOA==",
1428
+ "version": "2.6.0",
1429
+ "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-2.6.0.tgz",
1430
+ "integrity": "sha512-6njRVuPMgGRvQUmsXwGdp1ItZtJuSdt5ouoQe4AeFTTZoMufKWLeXFDOlWj7qbMAzqw+guNEAZwBiwm04J7T2g==",
1431
1431
  "dependencies": {
1432
1432
  "@npmcli/installed-package-contents": "^1.0.7",
1433
1433
  "@npmcli/map-workspaces": "^1.0.2",
@@ -1459,6 +1459,9 @@
1459
1459
  },
1460
1460
  "bin": {
1461
1461
  "arborist": "bin/index.js"
1462
+ },
1463
+ "engines": {
1464
+ "node": ">= 10"
1462
1465
  }
1463
1466
  },
1464
1467
  "node_modules/@npmcli/arborist/node_modules/npm-registry-fetch": {
@@ -17257,9 +17260,9 @@
17257
17260
  }
17258
17261
  },
17259
17262
  "@npmcli/arborist": {
17260
- "version": "2.5.0",
17261
- "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-2.5.0.tgz",
17262
- "integrity": "sha512-YPSkV/8vofpbAJyeu52J12YnC5VTkYIcfcNkRoSW6qjfQG+QybgbJtCbcdx+M0YxfdzDKS6iDTjpNMoETZ8HOA==",
17263
+ "version": "2.6.0",
17264
+ "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-2.6.0.tgz",
17265
+ "integrity": "sha512-6njRVuPMgGRvQUmsXwGdp1ItZtJuSdt5ouoQe4AeFTTZoMufKWLeXFDOlWj7qbMAzqw+guNEAZwBiwm04J7T2g==",
17263
17266
  "requires": {
17264
17267
  "@npmcli/installed-package-contents": "^1.0.7",
17265
17268
  "@npmcli/map-workspaces": "^1.0.2",
data/helpers/package.json CHANGED
@@ -10,7 +10,7 @@
10
10
  },
11
11
  "dependencies": {
12
12
  "@dependabot/yarn-lib": "^1.21.1",
13
- "@npmcli/arborist": "^2.5.0",
13
+ "@npmcli/arborist": "^2.6.0",
14
14
  "detect-indent": "^6.0.0",
15
15
  "npm": "6.14.13",
16
16
  "semver": "^7.3.4"
@@ -20,11 +20,6 @@ module Dependabot
20
20
 
21
21
  DEPENDENCY_TYPES =
22
22
  %w(dependencies devDependencies optionalDependencies).freeze
23
- CENTRAL_REGISTRIES = %w(
24
- https://registry.npmjs.org
25
- http://registry.npmjs.org
26
- https://registry.yarnpkg.com
27
- ).freeze
28
23
  GIT_URL_REGEX = %r{
29
24
  (?<git_prefix>^|^git.*?|^github:|^bitbucket:|^gitlab:|github\.com/)
30
25
  (?<username>[a-z0-9-]+)/
@@ -56,10 +56,11 @@ module Dependabot
56
56
  parsed_lockfile = parse_package_lock(lockfile)
57
57
 
58
58
  if Helpers.npm_version(lockfile.content) == "npm7"
59
- parsed_lockfile.dig(
60
- "packages",
61
- node_modules_path(manifest_name, dependency_name)
62
- )&.slice("version", "resolved", "integrity", "dev")
59
+ # NOTE: npm 7 sometimes doesn't install workspace dependencies in the
60
+ # workspace folder so we need to fallback to checking top-level
61
+ nested_details = parsed_lockfile.dig("packages", node_modules_path(manifest_name, dependency_name))
62
+ details = nested_details || parsed_lockfile.dig("packages", "node_modules/#{dependency_name}")
63
+ details&.slice("version", "resolved", "integrity", "dev")
63
64
  else
64
65
  parsed_lockfile.dig("dependencies", dependency_name)
65
66
  end
@@ -436,17 +436,11 @@ module Dependabot
436
436
  find { |f| f.name.end_with?(".yarnrc") }
437
437
  ).registry
438
438
 
439
- return if central_registry?(reg) && !package_name.start_with?("@")
439
+ return if UpdateChecker::RegistryFinder.central_registry?(reg) && !package_name.start_with?("@")
440
440
 
441
441
  raise Dependabot::PrivateSourceAuthenticationFailure, reg
442
442
  end
443
443
 
444
- def central_registry?(registry)
445
- NpmAndYarn::FileParser::CENTRAL_REGISTRIES.any? do |r|
446
- r.include?(registry)
447
- end
448
- end
449
-
450
444
  def resolvable_before_update?
451
445
  return @resolvable_before_update if defined?(@resolvable_before_update)
452
446
 
@@ -420,15 +420,11 @@ module Dependabot
420
420
  yarnrc_file: yarnrc_file
421
421
  ).registry
422
422
 
423
- return if central_registry?(reg) && !package_name.start_with?("@")
423
+ return if UpdateChecker::RegistryFinder.central_registry?(reg) && !package_name.start_with?("@")
424
424
 
425
425
  raise PrivateSourceAuthenticationFailure, reg
426
426
  end
427
427
 
428
- def central_registry?(registry)
429
- FileParser::CENTRAL_REGISTRIES.any? { |r| r.include?(registry) }
430
- end
431
-
432
428
  def raise_resolvability_error(error_message, yarn_lock)
433
429
  dependency_names = dependencies.map(&:name).join(", ")
434
430
  msg = "Error whilst updating #{dependency_names} in "\
@@ -6,6 +6,7 @@ require "time"
6
6
  require "dependabot/metadata_finders"
7
7
  require "dependabot/metadata_finders/base"
8
8
  require "dependabot/shared_helpers"
9
+ require "dependabot/npm_and_yarn/update_checker/registry_finder"
9
10
  require "dependabot/npm_and_yarn/version"
10
11
 
11
12
  module Dependabot
@@ -92,9 +93,8 @@ module Dependabot
92
93
 
93
94
  def new_source
94
95
  sources = dependency.requirements.
95
- map { |r| r.fetch(:source) }.uniq.compact
96
-
97
- raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
96
+ map { |r| r.fetch(:source) }.uniq.compact.
97
+ sort_by { |source| UpdateChecker::RegistryFinder.central_registry?(source[:url]) ? 1 : 0 }
98
98
 
99
99
  sources.first
100
100
  end
@@ -8,6 +8,11 @@ module Dependabot
8
8
  module NpmAndYarn
9
9
  class UpdateChecker
10
10
  class RegistryFinder
11
+ CENTRAL_REGISTRIES = %w(
12
+ https://registry.npmjs.org
13
+ http://registry.npmjs.org
14
+ https://registry.yarnpkg.com
15
+ ).freeze
11
16
  NPM_AUTH_TOKEN_REGEX =
12
17
  %r{//(?<registry>.*)/:_authToken=(?<token>.*)$}.freeze
13
18
  NPM_GLOBAL_REGISTRY_REGEX =
@@ -35,6 +40,12 @@ module Dependabot
35
40
  "#{registry_url.gsub(%r{/+$}, '')}/#{escaped_dependency_name}"
36
41
  end
37
42
 
43
+ def self.central_registry?(registry)
44
+ CENTRAL_REGISTRIES.any? do |r|
45
+ r.include?(registry)
46
+ end
47
+ end
48
+
38
49
  private
39
50
 
40
51
  attr_reader :dependency, :credentials, :npmrc_file, :yarnrc_file
@@ -212,13 +223,9 @@ module Dependabot
212
223
 
213
224
  def registry_source_url
214
225
  sources = dependency.requirements.
215
- map { |r| r.fetch(:source) }.uniq.compact
216
-
217
- # If there are multiple source types, or multiple source URLs, then
218
- # it's unclear how we should proceed
219
- raise "Multiple sources! #{sources.join(', ')}" if sources.map { |s| [s[:type], s[:url]] }.uniq.count > 1
226
+ map { |r| r.fetch(:source) }.uniq.compact.
227
+ sort_by { |source| self.class.central_registry?(source[:url]) ? 1 : 0 }
220
228
 
221
- # Otherwise we just take the URL of the first registry
222
229
  sources.find { |s| s[:type] == "registry" }&.fetch(:url)
223
230
  end
224
231
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.147.1
4
+ version: 0.148.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-05-19 00:00:00.000000000 Z
11
+ date: 2021-05-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.147.1
19
+ version: 0.148.4
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.147.1
26
+ version: 0.148.4
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: byebug
29
29
  requirement: !ruby/object:Gem::Requirement