dependabot-npm_and_yarn 0.176.0 → 0.178.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/helpers/package-lock.json +6 -6
- data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb +2 -2
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +24 -22
- data/lib/dependabot/npm_and_yarn/helpers.rb +2 -2
- data/lib/dependabot/npm_and_yarn/native_helpers.rb +1 -1
- data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb +2 -2
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +7 -7
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9104439c21cfefd677f1aeea018257099e02ef5e35e38cf407ba9a9a8d880953
|
4
|
+
data.tar.gz: 696ffa2e6261632ffdcab96043ae80c09188ac556861fe8746397eea1982e1fa
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 5b5d0c1063b1a67577ec0f0e679403d3365e2822d29f9d2b2a0ed66e19d22b3c26c8886e6bc4619ed7e2ab6789b7cc907dbd66ea15a868b4d07ef4722fea8a90
|
7
|
+
data.tar.gz: 4474365981a0c178cd5a5badc404916d98bcc5bd04ababf345f544472c47f8db4dce4f20317877be37d728bcb262201b906d0ab80a9d0f03fc8586cd1900224b
|
data/helpers/package-lock.json
CHANGED
@@ -12003,9 +12003,9 @@
|
|
12003
12003
|
}
|
12004
12004
|
},
|
12005
12005
|
"node_modules/object-path": {
|
12006
|
-
"version": "0.11.
|
12007
|
-
"resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.
|
12008
|
-
"integrity": "sha512-
|
12006
|
+
"version": "0.11.8",
|
12007
|
+
"resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.8.tgz",
|
12008
|
+
"integrity": "sha512-YJjNZrlXJFM42wTBn6zgOJVar9KFJvzx6sTWDte8sWZF//cnjl0BxHNpfZx+ZffXX63A9q0b1zsFiBX4g4X5KA==",
|
12009
12009
|
"engines": {
|
12010
12010
|
"node": ">= 10.12.0"
|
12011
12011
|
}
|
@@ -23163,9 +23163,9 @@
|
|
23163
23163
|
"integrity": "sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA=="
|
23164
23164
|
},
|
23165
23165
|
"object-path": {
|
23166
|
-
"version": "0.11.
|
23167
|
-
"resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.
|
23168
|
-
"integrity": "sha512-
|
23166
|
+
"version": "0.11.8",
|
23167
|
+
"resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.8.tgz",
|
23168
|
+
"integrity": "sha512-YJjNZrlXJFM42wTBn6zgOJVar9KFJvzx6sTWDte8sWZF//cnjl0BxHNpfZx+ZffXX63A9q0b1zsFiBX4g4X5KA=="
|
23169
23169
|
},
|
23170
23170
|
"object.omit": {
|
23171
23171
|
"version": "2.0.1",
|
@@ -55,8 +55,8 @@ module Dependabot
|
|
55
55
|
def npm_lockfile_details(lockfile, dependency_name, manifest_name)
|
56
56
|
parsed_lockfile = parse_package_lock(lockfile)
|
57
57
|
|
58
|
-
if Helpers.npm_version(lockfile.content) == "
|
59
|
-
# NOTE: npm
|
58
|
+
if Helpers.npm_version(lockfile.content) == "npm8"
|
59
|
+
# NOTE: npm 8 sometimes doesn't install workspace dependencies in the
|
60
60
|
# workspace folder so we need to fallback to checking top-level
|
61
61
|
nested_details = parsed_lockfile.dig("packages", node_modules_path(manifest_name, dependency_name))
|
62
62
|
details = nested_details || parsed_lockfile.dig("packages", "node_modules/#{dependency_name}")
|
@@ -45,9 +45,9 @@ module Dependabot
|
|
45
45
|
# TODO: look into fixing this in npm, seems like a bug in the git
|
46
46
|
# downloader introduced in npm 7
|
47
47
|
#
|
48
|
-
# NOTE: error message returned from arborist/npm
|
48
|
+
# NOTE: error message returned from arborist/npm 8 when trying to
|
49
49
|
# fetching a invalid/non-existent git ref
|
50
|
-
|
50
|
+
NPM8_MISSING_GIT_REF = /already exists and is not an empty directory/.freeze
|
51
51
|
NPM6_MISSING_GIT_REF = /did not match any file\(s\) known to git/.freeze
|
52
52
|
|
53
53
|
def updated_lockfile_content
|
@@ -141,8 +141,8 @@ module Dependabot
|
|
141
141
|
end
|
142
142
|
|
143
143
|
def run_npm_top_level_updater(top_level_dependencies:)
|
144
|
-
if
|
145
|
-
|
144
|
+
if npm8?
|
145
|
+
run_npm8_top_level_updater(top_level_dependencies: top_level_dependencies)
|
146
146
|
else
|
147
147
|
SharedHelpers.run_helper_subprocess(
|
148
148
|
command: NativeHelpers.helper_path,
|
@@ -156,7 +156,7 @@ module Dependabot
|
|
156
156
|
end
|
157
157
|
end
|
158
158
|
|
159
|
-
def
|
159
|
+
def run_npm8_top_level_updater(top_level_dependencies:)
|
160
160
|
dependencies_in_current_package_json = top_level_dependencies.any? do |dependency|
|
161
161
|
dependency_in_package_json?(dependency)
|
162
162
|
end
|
@@ -195,8 +195,8 @@ module Dependabot
|
|
195
195
|
end
|
196
196
|
|
197
197
|
def run_npm_subdependency_updater
|
198
|
-
if
|
199
|
-
|
198
|
+
if npm8?
|
199
|
+
run_npm8_subdependency_updater
|
200
200
|
else
|
201
201
|
SharedHelpers.run_helper_subprocess(
|
202
202
|
command: NativeHelpers.helper_path,
|
@@ -206,9 +206,9 @@ module Dependabot
|
|
206
206
|
end
|
207
207
|
end
|
208
208
|
|
209
|
-
def
|
209
|
+
def run_npm8_subdependency_updater
|
210
210
|
dependency_names = sub_dependencies.map(&:name)
|
211
|
-
SharedHelpers.run_shell_command(NativeHelpers.
|
211
|
+
SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command(dependency_names))
|
212
212
|
{ lockfile_basename => File.read(lockfile_basename) }
|
213
213
|
end
|
214
214
|
|
@@ -365,12 +365,12 @@ module Dependabot
|
|
365
365
|
error_message.include?("Non-registry package missing package") ||
|
366
366
|
error_message.include?("Invalid tag name") ||
|
367
367
|
error_message.match?(NPM6_MISSING_GIT_REF) ||
|
368
|
-
error_message.match?(
|
368
|
+
error_message.match?(NPM8_MISSING_GIT_REF)) &&
|
369
369
|
!resolvable_before_update?
|
370
370
|
raise_resolvability_error(error_message)
|
371
371
|
end
|
372
372
|
|
373
|
-
# NOTE: This check was introduced in
|
373
|
+
# NOTE: This check was introduced in npm8/arborist
|
374
374
|
if error_message.include?("must provide string spec")
|
375
375
|
msg = "Error parsing your package.json manifest: the version requirement must be a string"
|
376
376
|
raise Dependabot::DependencyFileNotParseable, msg
|
@@ -500,6 +500,8 @@ module Dependabot
|
|
500
500
|
# levels deep it is indented.
|
501
501
|
def detect_indentation(json)
|
502
502
|
indentation = json.scan(/^\s+/).min_by(&:length)
|
503
|
+
return "" if indentation.nil? # let npm set the default if we can't detect any indentation
|
504
|
+
|
503
505
|
indentation_size = indentation.length
|
504
506
|
indentation_type = indentation.scan(/\t/).any? ? "\t" : " "
|
505
507
|
|
@@ -609,10 +611,10 @@ module Dependabot
|
|
609
611
|
# Restore lockfile name attribute from the original lockfile
|
610
612
|
updated_lockfile_content = replace_project_name(updated_lockfile_content, parsed_updated_lockfile_content)
|
611
613
|
|
612
|
-
# Restore npm
|
614
|
+
# Restore npm 8 "packages" "name" entry from package.json if previously set
|
613
615
|
updated_lockfile_content = restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
|
614
616
|
|
615
|
-
# Switch back npm
|
617
|
+
# Switch back npm 8 lockfile "packages" requirements from the package.json
|
616
618
|
updated_lockfile_content = restore_locked_package_dependencies(
|
617
619
|
updated_lockfile_content, parsed_updated_lockfile_content
|
618
620
|
)
|
@@ -634,7 +636,7 @@ module Dependabot
|
|
634
636
|
end
|
635
637
|
|
636
638
|
def restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
|
637
|
-
return updated_lockfile_content unless
|
639
|
+
return updated_lockfile_content unless npm8?
|
638
640
|
|
639
641
|
current_name = parsed_updated_lockfile_content.dig("packages", "", "name")
|
640
642
|
original_name = parsed_lockfile.dig("packages", "", "name")
|
@@ -679,7 +681,7 @@ module Dependabot
|
|
679
681
|
end
|
680
682
|
|
681
683
|
# NOTE: This is a workaround to "sync" what's in package.json
|
682
|
-
# requirements and the `packages.""` entry in npm
|
684
|
+
# requirements and the `packages.""` entry in npm 8 v2 lockfiles. These
|
683
685
|
# get out of sync because we lock git dependencies (that are not being
|
684
686
|
# updated) to a specific sha to prevent unrelated updates and the way we
|
685
687
|
# invoke the `npm install` cli, where we might tell npm to install a
|
@@ -688,7 +690,7 @@ module Dependabot
|
|
688
690
|
# need to copy this from the manifest to the lockfile after the update
|
689
691
|
# has finished.
|
690
692
|
def restore_locked_package_dependencies(updated_lockfile_content, parsed_updated_lockfile_content)
|
691
|
-
return updated_lockfile_content unless
|
693
|
+
return updated_lockfile_content unless npm8?
|
692
694
|
|
693
695
|
dependency_names_to_restore = (dependencies.map(&:name) + git_dependencies_to_lock.keys).uniq
|
694
696
|
|
@@ -729,10 +731,10 @@ module Dependabot
|
|
729
731
|
# updates the lockfile "from" field to the new git commit when we
|
730
732
|
# run npm install
|
731
733
|
original_from = %("from": "#{details[:from]}")
|
732
|
-
if
|
734
|
+
if npm8?
|
733
735
|
# NOTE: The `from` syntax has changed in npm 7 to inclued the dependency name
|
734
|
-
|
735
|
-
updated_lockfile_content = updated_lockfile_content.gsub(
|
736
|
+
npm8_locked_from = %("from": "#{dependency_name}@#{details[:version]}")
|
737
|
+
updated_lockfile_content = updated_lockfile_content.gsub(npm8_locked_from, original_from)
|
736
738
|
else
|
737
739
|
npm6_locked_from = %("from": "#{details[:version]}")
|
738
740
|
updated_lockfile_content = updated_lockfile_content.gsub(npm6_locked_from, original_from)
|
@@ -796,10 +798,10 @@ module Dependabot
|
|
796
798
|
npmrc_content.match?(/^package-lock\s*=\s*false/)
|
797
799
|
end
|
798
800
|
|
799
|
-
def
|
800
|
-
return @
|
801
|
+
def npm8?
|
802
|
+
return @npm8 if defined?(@npm8)
|
801
803
|
|
802
|
-
@
|
804
|
+
@npm8 = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile.content) == "npm8"
|
803
805
|
end
|
804
806
|
|
805
807
|
def sanitized_package_json_content(content)
|
@@ -4,8 +4,8 @@ module Dependabot
|
|
4
4
|
module NpmAndYarn
|
5
5
|
module Helpers
|
6
6
|
def self.npm_version(lockfile_content)
|
7
|
-
return "
|
8
|
-
return "
|
7
|
+
return "npm8" unless lockfile_content
|
8
|
+
return "npm8" if JSON.parse(lockfile_content)["lockfileVersion"] >= 2
|
9
9
|
|
10
10
|
"npm6"
|
11
11
|
rescue JSON::ParserError
|
@@ -14,7 +14,7 @@ module Dependabot
|
|
14
14
|
File.join(__dir__, "../../../helpers")
|
15
15
|
end
|
16
16
|
|
17
|
-
def self.
|
17
|
+
def self.npm8_subdependency_update_command(dependency_names)
|
18
18
|
# NOTE: npm options
|
19
19
|
# - `--force` ignores checks for platform (os, cpu) and engines
|
20
20
|
# - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to
|
@@ -114,8 +114,8 @@ module Dependabot
|
|
114
114
|
Dir.chdir(path) do
|
115
115
|
npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile_content)
|
116
116
|
|
117
|
-
if npm_version == "
|
118
|
-
SharedHelpers.run_shell_command(NativeHelpers.
|
117
|
+
if npm_version == "npm8"
|
118
|
+
SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command([dependency.name]))
|
119
119
|
{ lockfile_name => File.read(lockfile_name) }
|
120
120
|
else
|
121
121
|
SharedHelpers.run_helper_subprocess(
|
@@ -54,7 +54,7 @@ module Dependabot
|
|
54
54
|
# or with two semver constraints:
|
55
55
|
# npm ERR! Could not resolve dependency:
|
56
56
|
# npm ERR! peer @opentelemetry/api@">=1.0.0 <1.1.0" from @opentelemetry/context-async-hooks@1.0.1
|
57
|
-
|
57
|
+
NPM8_PEER_DEP_ERROR_REGEX =
|
58
58
|
/
|
59
59
|
npm\s(?:WARN|ERR!)\sCould\snot\sresolve\sdependency:\n
|
60
60
|
npm\s(?:WARN|ERR!)\speer\s(?<required_dep>\S+@\S+(\s\S+)?)\sfrom\s(?<requiring_dep>\S+@\S+)
|
@@ -258,8 +258,8 @@ module Dependabot
|
|
258
258
|
e.message.scan(NPM6_PEER_DEP_ERROR_REGEX) do
|
259
259
|
errors << Regexp.last_match.named_captures
|
260
260
|
end
|
261
|
-
elsif e.message.match?(
|
262
|
-
e.message.scan(
|
261
|
+
elsif e.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
|
262
|
+
e.message.scan(NPM8_PEER_DEP_ERROR_REGEX) do
|
263
263
|
errors << Regexp.last_match.named_captures
|
264
264
|
end
|
265
265
|
elsif e.message.match?(YARN_PEER_DEP_ERROR_REGEX)
|
@@ -440,7 +440,7 @@ module Dependabot
|
|
440
440
|
end
|
441
441
|
npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(package_lock&.content)
|
442
442
|
|
443
|
-
return
|
443
|
+
return run_npm8_checker(version: version) if npm_version == "npm8"
|
444
444
|
|
445
445
|
SharedHelpers.run_helper_subprocess(
|
446
446
|
command: NativeHelpers.helper_path,
|
@@ -457,16 +457,16 @@ module Dependabot
|
|
457
457
|
end
|
458
458
|
end
|
459
459
|
|
460
|
-
def
|
460
|
+
def run_npm8_checker(version:)
|
461
461
|
cmd =
|
462
462
|
"npm install #{version_install_arg(version: version)} --package-lock-only --dry-run=true --ignore-scripts"
|
463
463
|
output = SharedHelpers.run_shell_command(cmd)
|
464
|
-
if output.match?(
|
464
|
+
if output.match?(NPM8_PEER_DEP_ERROR_REGEX)
|
465
465
|
error_context = { command: cmd, process_exit_value: 1 }
|
466
466
|
raise SharedHelpers::HelperSubprocessFailed.new(message: output, error_context: error_context)
|
467
467
|
end
|
468
468
|
rescue SharedHelpers::HelperSubprocessFailed => e
|
469
|
-
raise if e.message.match?(
|
469
|
+
raise if e.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
|
470
470
|
end
|
471
471
|
|
472
472
|
def version_install_arg(version:)
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.178.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-
|
11
|
+
date: 2022-03-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.178.1
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.178.1
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|