dependabot-npm_and_yarn 0.148.1 → 0.148.6

Sign up to get free protection for your applications and to get access to all the features.
Files changed (10) hide show
  1. checksums.yaml +4 -4
  2. data/helpers/package-lock.json +10 -7
  3. data/helpers/package.json +1 -1
  4. data/lib/dependabot/npm_and_yarn/file_parser.rb +0 -5
  5. data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +1 -7
  6. data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +1 -5
  7. data/lib/dependabot/npm_and_yarn/metadata_finder.rb +3 -3
  8. data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +2 -0
  9. data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb +13 -6
  10. metadata +4 -4
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9d3fe3be7bc4c116c6261c990c35a5bb395a6137d1fedc5c56ac24444d62a8a6
4
- data.tar.gz: 48800df1055aac9e356518cad2b75331be82fa6e445cbe89e079d6d4a7429950
3
+ metadata.gz: c4f5000d192deed978e6b50f65bc4dd4444f4f8b90e2e46e92190328d71cad60
4
+ data.tar.gz: 9c27dd71fc2df071fca445b045cff1dbe4df616e28be7ca6b57dfa74ebbe059b
5
5
  SHA512:
6
- metadata.gz: 5ac988ec6109ed828b57aacfe34fb2aff085699f23a987f52b31e83b305593cc1a52f65277dda3b29e7e5834e4539d892246993f7492d513ee414cc95e3f289d
7
- data.tar.gz: 1a9491a0360c02021c099d9df66e5f40590742f9f442a96dbaf9e3d5f2fd098e501088d4cc496bb04620dcf1ed5e7f9ff71424143afc42bb5a20a719cb0fa052
6
+ metadata.gz: a8b90c8dc2973256dc4324883db4fe41c80224a3c9506304f4f6203fe5c3189dd81c6eb9b2faa852e8d084b3a0862c3542919e40c82537cf644acbfed8782807
7
+ data.tar.gz: 9212fb56691953bd065e7adb860bd7121168c9c2415a9c7bd9f0ba417fbdc5e7c9f9ae376bfe8530d57f60213d0f88632790192faf4317e4085588bf7150705d
data/helpers/package-lock.json CHANGED
@@ -7,7 +7,7 @@
7
7
  "name": "@dependabot/helper",
8
8
  "dependencies": {
9
9
  "@dependabot/yarn-lib": "^1.21.1",
10
- "@npmcli/arborist": "^2.5.0",
10
+ "@npmcli/arborist": "^2.6.0",
11
11
  "detect-indent": "^6.0.0",
12
12
  "npm": "6.14.13",
13
13
  "semver": "^7.3.4"
@@ -1425,9 +1425,9 @@
1425
1425
  }
1426
1426
  },
1427
1427
  "node_modules/@npmcli/arborist": {
1428
- "version": "2.5.0",
1429
- "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-2.5.0.tgz",
1430
- "integrity": "sha512-YPSkV/8vofpbAJyeu52J12YnC5VTkYIcfcNkRoSW6qjfQG+QybgbJtCbcdx+M0YxfdzDKS6iDTjpNMoETZ8HOA==",
1428
+ "version": "2.6.0",
1429
+ "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-2.6.0.tgz",
1430
+ "integrity": "sha512-6njRVuPMgGRvQUmsXwGdp1ItZtJuSdt5ouoQe4AeFTTZoMufKWLeXFDOlWj7qbMAzqw+guNEAZwBiwm04J7T2g==",
1431
1431
  "dependencies": {
1432
1432
  "@npmcli/installed-package-contents": "^1.0.7",
1433
1433
  "@npmcli/map-workspaces": "^1.0.2",
@@ -1459,6 +1459,9 @@
1459
1459
  },
1460
1460
  "bin": {
1461
1461
  "arborist": "bin/index.js"
1462
+ },
1463
+ "engines": {
1464
+ "node": ">= 10"
1462
1465
  }
1463
1466
  },
1464
1467
  "node_modules/@npmcli/arborist/node_modules/npm-registry-fetch": {
@@ -17257,9 +17260,9 @@
17257
17260
  }
17258
17261
  },
17259
17262
  "@npmcli/arborist": {
17260
- "version": "2.5.0",
17261
- "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-2.5.0.tgz",
17262
- "integrity": "sha512-YPSkV/8vofpbAJyeu52J12YnC5VTkYIcfcNkRoSW6qjfQG+QybgbJtCbcdx+M0YxfdzDKS6iDTjpNMoETZ8HOA==",
17263
+ "version": "2.6.0",
17264
+ "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-2.6.0.tgz",
17265
+ "integrity": "sha512-6njRVuPMgGRvQUmsXwGdp1ItZtJuSdt5ouoQe4AeFTTZoMufKWLeXFDOlWj7qbMAzqw+guNEAZwBiwm04J7T2g==",
17263
17266
  "requires": {
17264
17267
  "@npmcli/installed-package-contents": "^1.0.7",
17265
17268
  "@npmcli/map-workspaces": "^1.0.2",
data/helpers/package.json CHANGED
@@ -10,7 +10,7 @@
10
10
  },
11
11
  "dependencies": {
12
12
  "@dependabot/yarn-lib": "^1.21.1",
13
- "@npmcli/arborist": "^2.5.0",
13
+ "@npmcli/arborist": "^2.6.0",
14
14
  "detect-indent": "^6.0.0",
15
15
  "npm": "6.14.13",
16
16
  "semver": "^7.3.4"
data/lib/dependabot/npm_and_yarn/file_parser.rb CHANGED
@@ -20,11 +20,6 @@ module Dependabot
20
20
 
21
21
  DEPENDENCY_TYPES =
22
22
  %w(dependencies devDependencies optionalDependencies).freeze
23
- CENTRAL_REGISTRIES = %w(
24
- https://registry.npmjs.org
25
- http://registry.npmjs.org
26
- https://registry.yarnpkg.com
27
- ).freeze
28
23
  GIT_URL_REGEX = %r{
29
24
  (?<git_prefix>^|^git.*?|^github:|^bitbucket:|^gitlab:|github\.com/)
30
25
  (?<username>[a-z0-9-]+)/
data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb CHANGED
@@ -436,17 +436,11 @@ module Dependabot
436
436
  find { |f| f.name.end_with?(".yarnrc") }
437
437
  ).registry
438
438
 
439
- return if central_registry?(reg) && !package_name.start_with?("@")
439
+ return if UpdateChecker::RegistryFinder.central_registry?(reg) && !package_name.start_with?("@")
440
440
 
441
441
  raise Dependabot::PrivateSourceAuthenticationFailure, reg
442
442
  end
443
443
 
444
- def central_registry?(registry)
445
- NpmAndYarn::FileParser::CENTRAL_REGISTRIES.any? do |r|
446
- r.include?(registry)
447
- end
448
- end
449
-
450
444
  def resolvable_before_update?
451
445
  return @resolvable_before_update if defined?(@resolvable_before_update)
452
446
 
data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb CHANGED
@@ -420,15 +420,11 @@ module Dependabot
420
420
  yarnrc_file: yarnrc_file
421
421
  ).registry
422
422
 
423
- return if central_registry?(reg) && !package_name.start_with?("@")
423
+ return if UpdateChecker::RegistryFinder.central_registry?(reg) && !package_name.start_with?("@")
424
424
 
425
425
  raise PrivateSourceAuthenticationFailure, reg
426
426
  end
427
427
 
428
- def central_registry?(registry)
429
- FileParser::CENTRAL_REGISTRIES.any? { |r| r.include?(registry) }
430
- end
431
-
432
428
  def raise_resolvability_error(error_message, yarn_lock)
433
429
  dependency_names = dependencies.map(&:name).join(", ")
434
430
  msg = "Error whilst updating #{dependency_names} in "\
data/lib/dependabot/npm_and_yarn/metadata_finder.rb CHANGED
@@ -6,6 +6,7 @@ require "time"
6
6
  require "dependabot/metadata_finders"
7
7
  require "dependabot/metadata_finders/base"
8
8
  require "dependabot/shared_helpers"
9
+ require "dependabot/npm_and_yarn/update_checker/registry_finder"
9
10
  require "dependabot/npm_and_yarn/version"
10
11
 
11
12
  module Dependabot
@@ -92,9 +93,8 @@ module Dependabot
92
93
 
93
94
  def new_source
94
95
  sources = dependency.requirements.
95
- map { |r| r.fetch(:source) }.uniq.compact
96
-
97
- raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
96
+ map { |r| r.fetch(:source) }.uniq.compact.
97
+ sort_by { |source| UpdateChecker::RegistryFinder.central_registry?(source[:url]) ? 1 : 0 }
98
98
 
99
99
  sources.first
100
100
  end
data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb CHANGED
@@ -138,6 +138,8 @@ module Dependabot
138
138
  end
139
139
 
140
140
  def filter_lower_versions(versions_array)
141
+ return versions_array unless dependency.version
142
+
141
143
  versions_array.
142
144
  select { |version, _| version > version_class.new(dependency.version) }
143
145
  end
data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb CHANGED
@@ -8,6 +8,11 @@ module Dependabot
8
8
  module NpmAndYarn
9
9
  class UpdateChecker
10
10
  class RegistryFinder
11
+ CENTRAL_REGISTRIES = %w(
12
+ https://registry.npmjs.org
13
+ http://registry.npmjs.org
14
+ https://registry.yarnpkg.com
15
+ ).freeze
11
16
  NPM_AUTH_TOKEN_REGEX =
12
17
  %r{//(?<registry>.*)/:_authToken=(?<token>.*)$}.freeze
13
18
  NPM_GLOBAL_REGISTRY_REGEX =
@@ -35,6 +40,12 @@ module Dependabot
35
40
  "#{registry_url.gsub(%r{/+$}, '')}/#{escaped_dependency_name}"
36
41
  end
37
42
 
43
+ def self.central_registry?(registry)
44
+ CENTRAL_REGISTRIES.any? do |r|
45
+ r.include?(registry)
46
+ end
47
+ end
48
+
38
49
  private
39
50
 
40
51
  attr_reader :dependency, :credentials, :npmrc_file, :yarnrc_file
@@ -212,13 +223,9 @@ module Dependabot
212
223
 
213
224
  def registry_source_url
214
225
  sources = dependency.requirements.
215
- map { |r| r.fetch(:source) }.uniq.compact
216
-
217
- # If there are multiple source types, or multiple source URLs, then
218
- # it's unclear how we should proceed
219
- raise "Multiple sources! #{sources.join(', ')}" if sources.map { |s| [s[:type], s[:url]] }.uniq.count > 1
226
+ map { |r| r.fetch(:source) }.uniq.compact.
227
+ sort_by { |source| self.class.central_registry?(source[:url]) ? 1 : 0 }
220
228
 
221
- # Otherwise we just take the URL of the first registry
222
229
  sources.find { |s| s[:type] == "registry" }&.fetch(:url)
223
230
  end
224
231
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.148.1
4
+ version: 0.148.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-05-19 00:00:00.000000000 Z
11
+ date: 2021-05-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.148.1
19
+ version: 0.148.6
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.148.1
26
+ version: 0.148.6
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: byebug
29
29
  requirement: !ruby/object:Gem::Requirement