dependabot-npm_and_yarn 0.174.1 → 0.177.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1670420229d206add0e33c55f169aa32c48ffeb556c52eb852f0eed843dd567a
-  data.tar.gz: e07a8e900f981e12b4edc06dfaa6deb404ab406705ae8f1e944934f551e2d918
+  metadata.gz: 52a42523d67ccc035c219c5bfe10dc5a2dfbdfc94f9861bf4a4c059d060fcc23
+  data.tar.gz: '0631281fdc085c071457a35c165fd30c12932a43d3db2c482d30d76a2536fa0d'
 SHA512:
-  metadata.gz: 42c6c3d11dce9a7c91115529cb62cdadab6ea13979ea4ed149383ac952fe94b507b784c43ac9e4abc39fc6681dcf0da6c377d26b0c27b52feae837547d1080a8
-  data.tar.gz: 6d4ee2595178167f01f29bcbd304ff05f823c3e42fc9b7ec849a27a9eacfe3cd8fc71ea3ac5ef5b6d8fea64166dda4221f2edfd52f3b57aa3853ace78f87e834
+  metadata.gz: 2438424284f5903523fdbecc7336a8e9b160e2038d997d58c51a9270e58de10b41f193d9cb64b02fb4162b00ed67dc0351f308a68bce3e4ed7f92d3ccc6743d7
+  data.tar.gz: 24a57ea220261c9bbb6f6ecd8a25fd297de28f807a1ad4da2ba0a622dd15c0dc2f8c0abf6c18857318e9062f76258bf87cc75944319ffb6450db6bd6c2042699

data/helpers/package-lock.json

@@ -12003,9 +12003,9 @@
       }
     },
     "node_modules/object-path": {
-      "version": "0.11.5",
-      "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.5.tgz",
-      "integrity": "sha512-jgSbThcoR/s+XumvGMTMf81QVBmah+/Q7K7YduKeKVWL7N111unR2d6pZZarSk6kY/caeNxUDyxOvMWyzoU2eg==",
+      "version": "0.11.8",
+      "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.8.tgz",
+      "integrity": "sha512-YJjNZrlXJFM42wTBn6zgOJVar9KFJvzx6sTWDte8sWZF//cnjl0BxHNpfZx+ZffXX63A9q0b1zsFiBX4g4X5KA==",
       "engines": {
         "node": ">= 10.12.0"
       }
@@ -23163,9 +23163,9 @@
       "integrity": "sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA=="
     },
     "object-path": {
-      "version": "0.11.5",
-      "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.5.tgz",
-      "integrity": "sha512-jgSbThcoR/s+XumvGMTMf81QVBmah+/Q7K7YduKeKVWL7N111unR2d6pZZarSk6kY/caeNxUDyxOvMWyzoU2eg=="
+      "version": "0.11.8",
+      "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.8.tgz",
+      "integrity": "sha512-YJjNZrlXJFM42wTBn6zgOJVar9KFJvzx6sTWDte8sWZF//cnjl0BxHNpfZx+ZffXX63A9q0b1zsFiBX4g4X5KA=="
     },
     "object.omit": {
       "version": "2.0.1",

data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb

@@ -55,8 +55,8 @@ module Dependabot
         def npm_lockfile_details(lockfile, dependency_name, manifest_name)
           parsed_lockfile = parse_package_lock(lockfile)
 
-          if Helpers.npm_version(lockfile.content) == "npm7"
-            # NOTE: npm 7 sometimes doesn't install workspace dependencies in the
+          if Helpers.npm_version(lockfile.content) == "npm8"
+            # NOTE: npm 8 sometimes doesn't install workspace dependencies in the
             # workspace folder so we need to fallback to checking top-level
             nested_details = parsed_lockfile.dig("packages", node_modules_path(manifest_name, dependency_name))
             details = nested_details || parsed_lockfile.dig("packages", "node_modules/#{dependency_name}")

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -45,9 +45,9 @@ module Dependabot
         # TODO: look into fixing this in npm, seems like a bug in the git
         # downloader introduced in npm 7
         #
-        # NOTE: error message returned from arborist/npm 7 when trying to
+        # NOTE: error message returned from arborist/npm 8 when trying to
         # fetching a invalid/non-existent git ref
-        NPM7_MISSING_GIT_REF = /already exists and is not an empty directory/.freeze
+        NPM8_MISSING_GIT_REF = /already exists and is not an empty directory/.freeze
         NPM6_MISSING_GIT_REF = /did not match any file\(s\) known to git/.freeze
 
         def updated_lockfile_content
@@ -141,8 +141,8 @@ module Dependabot
         end
 
         def run_npm_top_level_updater(top_level_dependencies:)
-          if npm7?
-            run_npm_7_top_level_updater(top_level_dependencies: top_level_dependencies)
+          if npm8?
+            run_npm8_top_level_updater(top_level_dependencies: top_level_dependencies)
           else
             SharedHelpers.run_helper_subprocess(
               command: NativeHelpers.helper_path,
@@ -156,7 +156,7 @@ module Dependabot
           end
         end
 
-        def run_npm_7_top_level_updater(top_level_dependencies:)
+        def run_npm8_top_level_updater(top_level_dependencies:)
           dependencies_in_current_package_json = top_level_dependencies.any? do |dependency|
             dependency_in_package_json?(dependency)
           end
@@ -195,8 +195,8 @@ module Dependabot
         end
 
         def run_npm_subdependency_updater
-          if npm7?
-            run_npm_7_subdependency_updater
+          if npm8?
+            run_npm8_subdependency_updater
           else
             SharedHelpers.run_helper_subprocess(
               command: NativeHelpers.helper_path,
@@ -206,9 +206,9 @@ module Dependabot
           end
         end
 
-        def run_npm_7_subdependency_updater
+        def run_npm8_subdependency_updater
           dependency_names = sub_dependencies.map(&:name)
-          SharedHelpers.run_shell_command(NativeHelpers.npm7_subdependency_update_command(dependency_names))
+          SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command(dependency_names))
           { lockfile_basename => File.read(lockfile_basename) }
         end
 
@@ -365,12 +365,12 @@ module Dependabot
              error_message.include?("Non-registry package missing package") ||
              error_message.include?("Invalid tag name") ||
              error_message.match?(NPM6_MISSING_GIT_REF) ||
-             error_message.match?(NPM7_MISSING_GIT_REF)) &&
+             error_message.match?(NPM8_MISSING_GIT_REF)) &&
              !resolvable_before_update?
             raise_resolvability_error(error_message)
           end
 
-          # NOTE: This check was introduced in npm7/arborist
+          # NOTE: This check was introduced in npm8/arborist
           if error_message.include?("must provide string spec")
             msg = "Error parsing your package.json manifest: the version requirement must be a string"
             raise Dependabot::DependencyFileNotParseable, msg
@@ -476,6 +476,7 @@ module Dependabot
             updated_content = lock_deps_with_latest_reqs(updated_content)
 
             updated_content = sanitized_package_json_content(updated_content)
+
             File.write(file.name, updated_content)
           end
         end
@@ -495,6 +496,16 @@ module Dependabot
           end
         end
 
+        # Takes a JSON string and detects if it is spaces or tabs and how many
+        # levels deep it is indented.
+        def detect_indentation(json)
+          indentation = json.scan(/^\s+/).min_by(&:length)
+          indentation_size = indentation.length
+          indentation_type = indentation.scan(/\t/).any? ? "\t" : " "
+
+          indentation_type * indentation_size
+        end
+
         def lock_git_deps(content)
           return content if git_dependencies_to_lock.empty?
 
@@ -508,7 +519,8 @@ module Dependabot
             end
           end
 
-          json.to_json
+          indent = detect_indentation(content)
+          JSON.pretty_generate(json, indent: indent)
         end
 
         def git_dependencies_to_lock
@@ -549,7 +561,8 @@ module Dependabot
             end
           end
 
-          json.to_json
+          indent = detect_indentation(content)
+          JSON.pretty_generate(json, indent: indent)
         end
 
         def replace_ssh_sources(content)
@@ -596,10 +609,10 @@ module Dependabot
           # Restore lockfile name attribute from the original lockfile
           updated_lockfile_content = replace_project_name(updated_lockfile_content, parsed_updated_lockfile_content)
 
-          # Restore npm 7 "packages" "name" entry from package.json if previously set
+          # Restore npm 8 "packages" "name" entry from package.json if previously set
           updated_lockfile_content = restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
 
-          # Switch back npm 7 lockfile "packages" requirements from the package.json
+          # Switch back npm 8 lockfile "packages" requirements from the package.json
           updated_lockfile_content = restore_locked_package_dependencies(
             updated_lockfile_content, parsed_updated_lockfile_content
           )
@@ -621,7 +634,7 @@ module Dependabot
         end
 
         def restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
-          return updated_lockfile_content unless npm7?
+          return updated_lockfile_content unless npm8?
 
           current_name = parsed_updated_lockfile_content.dig("packages", "", "name")
           original_name = parsed_lockfile.dig("packages", "", "name")
@@ -666,7 +679,7 @@ module Dependabot
         end
 
         # NOTE: This is a workaround to "sync" what's in package.json
-        # requirements and the `packages.""` entry in npm 7 v2 lockfiles. These
+        # requirements and the `packages.""` entry in npm 8 v2 lockfiles. These
         # get out of sync because we lock git dependencies (that are not being
         # updated) to a specific sha to prevent unrelated updates and the way we
         # invoke the `npm install` cli, where we might tell npm to install a
@@ -675,7 +688,7 @@ module Dependabot
         # need to copy this from the manifest to the lockfile after the update
         # has finished.
         def restore_locked_package_dependencies(updated_lockfile_content, parsed_updated_lockfile_content)
-          return updated_lockfile_content unless npm7?
+          return updated_lockfile_content unless npm8?
 
           dependency_names_to_restore = (dependencies.map(&:name) + git_dependencies_to_lock.keys).uniq
 
@@ -716,10 +729,10 @@ module Dependabot
             # updates the lockfile "from" field to the new git commit when we
             # run npm install
             original_from = %("from": "#{details[:from]}")
-            if npm7?
+            if npm8?
               # NOTE: The `from` syntax has changed in npm 7 to inclued the dependency name
-              npm7_locked_from = %("from": "#{dependency_name}@#{details[:version]}")
-              updated_lockfile_content = updated_lockfile_content.gsub(npm7_locked_from, original_from)
+              npm8_locked_from = %("from": "#{dependency_name}@#{details[:version]}")
+              updated_lockfile_content = updated_lockfile_content.gsub(npm8_locked_from, original_from)
             else
               npm6_locked_from = %("from": "#{details[:version]}")
               updated_lockfile_content = updated_lockfile_content.gsub(npm6_locked_from, original_from)
@@ -783,10 +796,10 @@ module Dependabot
           npmrc_content.match?(/^package-lock\s*=\s*false/)
         end
 
-        def npm7?
-          return @npm7 if defined?(@npm7)
+        def npm8?
+          return @npm8 if defined?(@npm8)
 
-          @npm7 = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile.content) == "npm7"
+          @npm8 = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile.content) == "npm8"
         end
 
         def sanitized_package_json_content(content)

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -4,8 +4,8 @@ module Dependabot
   module NpmAndYarn
     module Helpers
       def self.npm_version(lockfile_content)
-        return "npm7" unless lockfile_content
-        return "npm7" if JSON.parse(lockfile_content)["lockfileVersion"] >= 2
+        return "npm8" unless lockfile_content
+        return "npm8" if JSON.parse(lockfile_content)["lockfileVersion"] >= 2
 
         "npm6"
       rescue JSON::ParserError

data/lib/dependabot/npm_and_yarn/native_helpers.rb

@@ -14,7 +14,7 @@ module Dependabot
         File.join(__dir__, "../../../helpers")
       end
 
-      def self.npm7_subdependency_update_command(dependency_names)
+      def self.npm8_subdependency_update_command(dependency_names)
         # NOTE: npm options
         # - `--force` ignores checks for platform (os, cpu) and engines
         # - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -114,8 +114,8 @@ module Dependabot
             Dir.chdir(path) do
               npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile_content)
 
-              if npm_version == "npm7"
-                SharedHelpers.run_shell_command(NativeHelpers.npm7_subdependency_update_command([dependency.name]))
+              if npm_version == "npm8"
+                SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command([dependency.name]))
                 { lockfile_name => File.read(lockfile_name) }
               else
                 SharedHelpers.run_helper_subprocess(

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb

@@ -54,10 +54,10 @@ module Dependabot
         # or with two semver constraints:
         # npm ERR! Could not resolve dependency:
         # npm ERR! peer @opentelemetry/api@">=1.0.0 <1.1.0" from @opentelemetry/context-async-hooks@1.0.1
-        NPM7_PEER_DEP_ERROR_REGEX =
+        NPM8_PEER_DEP_ERROR_REGEX =
           /
-            npm\sERR!\sCould\snot\sresolve\sdependency:\n
-            npm\sERR!\speer\s(?<required_dep>\S+@\S+(\s\S+)?)\sfrom\s(?<requiring_dep>\S+@\S+)
+            npm\s(?:WARN|ERR!)\sCould\snot\sresolve\sdependency:\n
+            npm\s(?:WARN|ERR!)\speer\s(?<required_dep>\S+@\S+(\s\S+)?)\sfrom\s(?<requiring_dep>\S+@\S+)
           /x.freeze
 
         def initialize(dependency:, credentials:, dependency_files:,
@@ -258,8 +258,8 @@ module Dependabot
                 e.message.scan(NPM6_PEER_DEP_ERROR_REGEX) do
                   errors << Regexp.last_match.named_captures
                 end
-              elsif e.message.match?(NPM7_PEER_DEP_ERROR_REGEX)
-                e.message.scan(NPM7_PEER_DEP_ERROR_REGEX) do
+              elsif e.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
+                e.message.scan(NPM8_PEER_DEP_ERROR_REGEX) do
                   errors << Regexp.last_match.named_captures
                 end
               elsif e.message.match?(YARN_PEER_DEP_ERROR_REGEX)
@@ -440,7 +440,7 @@ module Dependabot
               end
               npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(package_lock&.content)
 
-              return run_npm7_checker(version: version) if npm_version == "npm7"
+              return run_npm8_checker(version: version) if npm_version == "npm8"
 
               SharedHelpers.run_helper_subprocess(
                 command: NativeHelpers.helper_path,
@@ -457,13 +457,16 @@ module Dependabot
           end
         end
 
-        def run_npm7_checker(version:)
-          SharedHelpers.run_shell_command(
+        def run_npm8_checker(version:)
+          cmd =
             "npm install #{version_install_arg(version: version)} --package-lock-only --dry-run=true --ignore-scripts"
-          )
-          nil
+          output = SharedHelpers.run_shell_command(cmd)
+          if output.match?(NPM8_PEER_DEP_ERROR_REGEX)
+            error_context = { command: cmd, process_exit_value: 1 }
+            raise SharedHelpers::HelperSubprocessFailed.new(message: output, error_context: error_context)
+          end
         rescue SharedHelpers::HelperSubprocessFailed => e
-          raise if e.message.match?(NPM7_PEER_DEP_ERROR_REGEX)
+          raise if e.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
         end
 
         def version_install_arg(version:)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.174.1
+  version: 0.177.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-02-22 00:00:00.000000000 Z
+date: 2022-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.174.1
+        version: 0.177.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.174.1
+        version: 0.177.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement