dependabot-npm_and_yarn 0.175.0 → 0.178.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 3c07f155a90a67db8072626219fa6d797c7294ebb3531565c6fe5b7163378f3e
4
- data.tar.gz: 5ededcae3a93518dd184c7e5b202a63b9f80c0614ceba6a9a59a9c32c92980af
3
+ metadata.gz: bdd9e2679b6d836b64ac2090230587d4d40a481d53f8c2b7fdb6a45e1d359de4
4
+ data.tar.gz: 6017374515a9ee5db91fb0963a9de3eec230ccf2d770089da1d6ddc283c16a0f
5
5
  SHA512:
6
- metadata.gz: ef4274999e5373d0e7d20c5697214836c67750719061b9e9768f688a42f2fb84a80dc841363158f2520d8330eb2b913e5d4ab4af318bdd6b9faed192cc0f6767
7
- data.tar.gz: 2b739c355b0096994ee83157bfdf4f514a310ca0981ef649d550d446951b40ce87d174802c1ec4c0b9446bf207d5d123f1876a6741de7e67100f2cbec5604f6e
6
+ metadata.gz: ec0a20c4b6ba2bf326c02a5a7bb3cf455ab11c1d7959df1ac80b62b2037f2470122d2247600b527470754732716c7c3dea88c81ef1b19a8136b563142372b28b
7
+ data.tar.gz: 5d5be3e55457b6813aa91f5484b221630f1723043df6b287bd84a165b99c96cbc9b9b9577b9bd7881aafca5ad959d228a7b910430d002c37ad535dbb7c9d4e7d
@@ -12003,9 +12003,9 @@
12003
12003
  }
12004
12004
  },
12005
12005
  "node_modules/object-path": {
12006
- "version": "0.11.5",
12007
- "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.5.tgz",
12008
- "integrity": "sha512-jgSbThcoR/s+XumvGMTMf81QVBmah+/Q7K7YduKeKVWL7N111unR2d6pZZarSk6kY/caeNxUDyxOvMWyzoU2eg==",
12006
+ "version": "0.11.8",
12007
+ "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.8.tgz",
12008
+ "integrity": "sha512-YJjNZrlXJFM42wTBn6zgOJVar9KFJvzx6sTWDte8sWZF//cnjl0BxHNpfZx+ZffXX63A9q0b1zsFiBX4g4X5KA==",
12009
12009
  "engines": {
12010
12010
  "node": ">= 10.12.0"
12011
12011
  }
@@ -23163,9 +23163,9 @@
23163
23163
  "integrity": "sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA=="
23164
23164
  },
23165
23165
  "object-path": {
23166
- "version": "0.11.5",
23167
- "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.5.tgz",
23168
- "integrity": "sha512-jgSbThcoR/s+XumvGMTMf81QVBmah+/Q7K7YduKeKVWL7N111unR2d6pZZarSk6kY/caeNxUDyxOvMWyzoU2eg=="
23166
+ "version": "0.11.8",
23167
+ "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.8.tgz",
23168
+ "integrity": "sha512-YJjNZrlXJFM42wTBn6zgOJVar9KFJvzx6sTWDte8sWZF//cnjl0BxHNpfZx+ZffXX63A9q0b1zsFiBX4g4X5KA=="
23169
23169
  },
23170
23170
  "object.omit": {
23171
23171
  "version": "2.0.1",
@@ -55,8 +55,8 @@ module Dependabot
55
55
  def npm_lockfile_details(lockfile, dependency_name, manifest_name)
56
56
  parsed_lockfile = parse_package_lock(lockfile)
57
57
 
58
- if Helpers.npm_version(lockfile.content) == "npm7"
59
- # NOTE: npm 7 sometimes doesn't install workspace dependencies in the
58
+ if Helpers.npm_version(lockfile.content) == "npm8"
59
+ # NOTE: npm 8 sometimes doesn't install workspace dependencies in the
60
60
  # workspace folder so we need to fallback to checking top-level
61
61
  nested_details = parsed_lockfile.dig("packages", node_modules_path(manifest_name, dependency_name))
62
62
  details = nested_details || parsed_lockfile.dig("packages", "node_modules/#{dependency_name}")
@@ -45,9 +45,9 @@ module Dependabot
45
45
  # TODO: look into fixing this in npm, seems like a bug in the git
46
46
  # downloader introduced in npm 7
47
47
  #
48
- # NOTE: error message returned from arborist/npm 7 when trying to
48
+ # NOTE: error message returned from arborist/npm 8 when trying to
49
49
  # fetching a invalid/non-existent git ref
50
- NPM7_MISSING_GIT_REF = /already exists and is not an empty directory/.freeze
50
+ NPM8_MISSING_GIT_REF = /already exists and is not an empty directory/.freeze
51
51
  NPM6_MISSING_GIT_REF = /did not match any file\(s\) known to git/.freeze
52
52
 
53
53
  def updated_lockfile_content
@@ -141,8 +141,8 @@ module Dependabot
141
141
  end
142
142
 
143
143
  def run_npm_top_level_updater(top_level_dependencies:)
144
- if npm7?
145
- run_npm_7_top_level_updater(top_level_dependencies: top_level_dependencies)
144
+ if npm8?
145
+ run_npm8_top_level_updater(top_level_dependencies: top_level_dependencies)
146
146
  else
147
147
  SharedHelpers.run_helper_subprocess(
148
148
  command: NativeHelpers.helper_path,
@@ -156,7 +156,7 @@ module Dependabot
156
156
  end
157
157
  end
158
158
 
159
- def run_npm_7_top_level_updater(top_level_dependencies:)
159
+ def run_npm8_top_level_updater(top_level_dependencies:)
160
160
  dependencies_in_current_package_json = top_level_dependencies.any? do |dependency|
161
161
  dependency_in_package_json?(dependency)
162
162
  end
@@ -195,8 +195,8 @@ module Dependabot
195
195
  end
196
196
 
197
197
  def run_npm_subdependency_updater
198
- if npm7?
199
- run_npm_7_subdependency_updater
198
+ if npm8?
199
+ run_npm8_subdependency_updater
200
200
  else
201
201
  SharedHelpers.run_helper_subprocess(
202
202
  command: NativeHelpers.helper_path,
@@ -206,9 +206,9 @@ module Dependabot
206
206
  end
207
207
  end
208
208
 
209
- def run_npm_7_subdependency_updater
209
+ def run_npm8_subdependency_updater
210
210
  dependency_names = sub_dependencies.map(&:name)
211
- SharedHelpers.run_shell_command(NativeHelpers.npm7_subdependency_update_command(dependency_names))
211
+ SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command(dependency_names))
212
212
  { lockfile_basename => File.read(lockfile_basename) }
213
213
  end
214
214
 
@@ -365,12 +365,12 @@ module Dependabot
365
365
  error_message.include?("Non-registry package missing package") ||
366
366
  error_message.include?("Invalid tag name") ||
367
367
  error_message.match?(NPM6_MISSING_GIT_REF) ||
368
- error_message.match?(NPM7_MISSING_GIT_REF)) &&
368
+ error_message.match?(NPM8_MISSING_GIT_REF)) &&
369
369
  !resolvable_before_update?
370
370
  raise_resolvability_error(error_message)
371
371
  end
372
372
 
373
- # NOTE: This check was introduced in npm7/arborist
373
+ # NOTE: This check was introduced in npm8/arborist
374
374
  if error_message.include?("must provide string spec")
375
375
  msg = "Error parsing your package.json manifest: the version requirement must be a string"
376
376
  raise Dependabot::DependencyFileNotParseable, msg
@@ -500,6 +500,8 @@ module Dependabot
500
500
  # levels deep it is indented.
501
501
  def detect_indentation(json)
502
502
  indentation = json.scan(/^\s+/).min_by(&:length)
503
+ return "" if indentation.nil? # let npm set the default if we can't detect any indentation
504
+
503
505
  indentation_size = indentation.length
504
506
  indentation_type = indentation.scan(/\t/).any? ? "\t" : " "
505
507
 
@@ -609,10 +611,10 @@ module Dependabot
609
611
  # Restore lockfile name attribute from the original lockfile
610
612
  updated_lockfile_content = replace_project_name(updated_lockfile_content, parsed_updated_lockfile_content)
611
613
 
612
- # Restore npm 7 "packages" "name" entry from package.json if previously set
614
+ # Restore npm 8 "packages" "name" entry from package.json if previously set
613
615
  updated_lockfile_content = restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
614
616
 
615
- # Switch back npm 7 lockfile "packages" requirements from the package.json
617
+ # Switch back npm 8 lockfile "packages" requirements from the package.json
616
618
  updated_lockfile_content = restore_locked_package_dependencies(
617
619
  updated_lockfile_content, parsed_updated_lockfile_content
618
620
  )
@@ -634,7 +636,7 @@ module Dependabot
634
636
  end
635
637
 
636
638
  def restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
637
- return updated_lockfile_content unless npm7?
639
+ return updated_lockfile_content unless npm8?
638
640
 
639
641
  current_name = parsed_updated_lockfile_content.dig("packages", "", "name")
640
642
  original_name = parsed_lockfile.dig("packages", "", "name")
@@ -679,7 +681,7 @@ module Dependabot
679
681
  end
680
682
 
681
683
  # NOTE: This is a workaround to "sync" what's in package.json
682
- # requirements and the `packages.""` entry in npm 7 v2 lockfiles. These
684
+ # requirements and the `packages.""` entry in npm 8 v2 lockfiles. These
683
685
  # get out of sync because we lock git dependencies (that are not being
684
686
  # updated) to a specific sha to prevent unrelated updates and the way we
685
687
  # invoke the `npm install` cli, where we might tell npm to install a
@@ -688,7 +690,7 @@ module Dependabot
688
690
  # need to copy this from the manifest to the lockfile after the update
689
691
  # has finished.
690
692
  def restore_locked_package_dependencies(updated_lockfile_content, parsed_updated_lockfile_content)
691
- return updated_lockfile_content unless npm7?
693
+ return updated_lockfile_content unless npm8?
692
694
 
693
695
  dependency_names_to_restore = (dependencies.map(&:name) + git_dependencies_to_lock.keys).uniq
694
696
 
@@ -729,10 +731,10 @@ module Dependabot
729
731
  # updates the lockfile "from" field to the new git commit when we
730
732
  # run npm install
731
733
  original_from = %("from": "#{details[:from]}")
732
- if npm7?
734
+ if npm8?
733
735
  # NOTE: The `from` syntax has changed in npm 7 to inclued the dependency name
734
- npm7_locked_from = %("from": "#{dependency_name}@#{details[:version]}")
735
- updated_lockfile_content = updated_lockfile_content.gsub(npm7_locked_from, original_from)
736
+ npm8_locked_from = %("from": "#{dependency_name}@#{details[:version]}")
737
+ updated_lockfile_content = updated_lockfile_content.gsub(npm8_locked_from, original_from)
736
738
  else
737
739
  npm6_locked_from = %("from": "#{details[:version]}")
738
740
  updated_lockfile_content = updated_lockfile_content.gsub(npm6_locked_from, original_from)
@@ -796,10 +798,10 @@ module Dependabot
796
798
  npmrc_content.match?(/^package-lock\s*=\s*false/)
797
799
  end
798
800
 
799
- def npm7?
800
- return @npm7 if defined?(@npm7)
801
+ def npm8?
802
+ return @npm8 if defined?(@npm8)
801
803
 
802
- @npm7 = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile.content) == "npm7"
804
+ @npm8 = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile.content) == "npm8"
803
805
  end
804
806
 
805
807
  def sanitized_package_json_content(content)
@@ -4,8 +4,8 @@ module Dependabot
4
4
  module NpmAndYarn
5
5
  module Helpers
6
6
  def self.npm_version(lockfile_content)
7
- return "npm7" unless lockfile_content
8
- return "npm7" if JSON.parse(lockfile_content)["lockfileVersion"] >= 2
7
+ return "npm8" unless lockfile_content
8
+ return "npm8" if JSON.parse(lockfile_content)["lockfileVersion"] >= 2
9
9
 
10
10
  "npm6"
11
11
  rescue JSON::ParserError
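Review bot: On line 8, `JSON.parse(lockfile_content)["lockfileVersion"] >= 2` raises NoMethodError when the key is absent (nil) and ArgumentError when it is a string, and neither is caught by the `rescue JSON::ParserError` below, so a lockfile that parses but lacks a well-formed `lockfileVersion` aborts the update instead of falling through. Coercing first keeps the rescue meaningful: `return "npm8" if JSON.parse(lockfile_content)["lockfileVersion"].to_i >= 2`. Since the label "npm8" is returned for every lockfileVersion >= 2, including lockfiles written by npm 7, a short comment stating that the string names the lockfile generation rather than an exact npm version would help readers of the renamed call sites. The method's rescue body continues outside the hunk.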
@@ -14,7 +14,7 @@ module Dependabot
14
14
  File.join(__dir__, "../../../helpers")
15
15
  end
16
16
 
17
- def self.npm7_subdependency_update_command(dependency_names)
17
+ def self.npm8_subdependency_update_command(dependency_names)
18
18
  # NOTE: npm options
19
19
  # - `--force` ignores checks for platform (os, cpu) and engines
20
20
  # - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to
@@ -114,8 +114,8 @@ module Dependabot
114
114
  Dir.chdir(path) do
115
115
  npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile_content)
116
116
 
117
- if npm_version == "npm7"
118
- SharedHelpers.run_shell_command(NativeHelpers.npm7_subdependency_update_command([dependency.name]))
117
+ if npm_version == "npm8"
118
+ SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command([dependency.name]))
119
119
  { lockfile_name => File.read(lockfile_name) }
120
120
  else
121
121
  SharedHelpers.run_helper_subprocess(
@@ -54,7 +54,7 @@ module Dependabot
54
54
  # or with two semver constraints:
55
55
  # npm ERR! Could not resolve dependency:
56
56
  # npm ERR! peer @opentelemetry/api@">=1.0.0 <1.1.0" from @opentelemetry/context-async-hooks@1.0.1
57
- NPM7_PEER_DEP_ERROR_REGEX =
57
+ NPM8_PEER_DEP_ERROR_REGEX =
58
58
  /
59
59
  npm\s(?:WARN|ERR!)\sCould\snot\sresolve\sdependency:\n
60
60
  npm\s(?:WARN|ERR!)\speer\s(?<required_dep>\S+@\S+(\s\S+)?)\sfrom\s(?<requiring_dep>\S+@\S+)
@@ -258,8 +258,8 @@ module Dependabot
258
258
  e.message.scan(NPM6_PEER_DEP_ERROR_REGEX) do
259
259
  errors << Regexp.last_match.named_captures
260
260
  end
261
- elsif e.message.match?(NPM7_PEER_DEP_ERROR_REGEX)
262
- e.message.scan(NPM7_PEER_DEP_ERROR_REGEX) do
261
+ elsif e.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
262
+ e.message.scan(NPM8_PEER_DEP_ERROR_REGEX) do
263
263
  errors << Regexp.last_match.named_captures
264
264
  end
265
265
  elsif e.message.match?(YARN_PEER_DEP_ERROR_REGEX)
@@ -440,7 +440,7 @@ module Dependabot
440
440
  end
441
441
  npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(package_lock&.content)
442
442
 
443
- return run_npm7_checker(version: version) if npm_version == "npm7"
443
+ return run_npm8_checker(version: version) if npm_version == "npm8"
444
444
 
445
445
  SharedHelpers.run_helper_subprocess(
446
446
  command: NativeHelpers.helper_path,
@@ -457,16 +457,16 @@ module Dependabot
457
457
  end
458
458
  end
459
459
 
460
- def run_npm7_checker(version:)
460
+ def run_npm8_checker(version:)
461
461
  cmd =
462
462
  "npm install #{version_install_arg(version: version)} --package-lock-only --dry-run=true --ignore-scripts"
463
463
  output = SharedHelpers.run_shell_command(cmd)
464
- if output.match?(NPM7_PEER_DEP_ERROR_REGEX)
464
+ if output.match?(NPM8_PEER_DEP_ERROR_REGEX)
465
465
  error_context = { command: cmd, process_exit_value: 1 }
466
466
  raise SharedHelpers::HelperSubprocessFailed.new(message: output, error_context: error_context)
467
467
  end
468
468
  rescue SharedHelpers::HelperSubprocessFailed => e
469
- raise if e.message.match?(NPM7_PEER_DEP_ERROR_REGEX)
469
+ raise if e.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
470
470
  end
471
471
 
472
472
  def version_install_arg(version:)
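Review bot: In `run_npm8_checker` the command on line 462 is assembled by string interpolation of `version_install_arg(version: version)` and handed to `SharedHelpers.run_shell_command(cmd)`, so whether a dependency version or name from a user-controlled manifest can reach a shell depends entirely on the escaping done in `version_install_arg`, which is defined outside this hunk and cannot be confirmed here. If that helper does not already escape its output, wrapping it (for example with `Shellwords.escape`) or documenting the guarantee with `# version_install_arg must return a shell-safe argument` at the call site would make the contract explicit. The same question applies to the `run_shell_command(NativeHelpers.npm8_subdependency_update_command(...))` calls in the `run_npm8_subdependency_updater` and `Dir.chdir` hunks earlier on this page, whose command builder is also not visible.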
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.175.0
4
+ version: 0.178.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-02-25 00:00:00.000000000 Z
11
+ date: 2022-03-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.175.0
19
+ version: 0.178.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.175.0
26
+ version: 0.178.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement