dependabot-npm_and_yarn 0.195.0 → 0.196.2

data/helpers/package.json

@@ -10,15 +10,16 @@
   },
   "dependencies": {
     "@dependabot/yarn-lib": "^1.21.1",
-    "@npmcli/arborist": "^5.2.0",
+    "@npmcli/arborist": "^5.2.3",
     "detect-indent": "^6.1.0",
+    "nock": "^13.2.7",
     "npm": "6.14.17",
     "semver": "^7.3.7"
   },
   "devDependencies": {
     "eslint": "^8.18.0",
     "eslint-config-prettier": "^8.5.0",
-    "jest": "^28.1.0",
+    "jest": "^28.1.1",
     "prettier": "^2.7.1",
     "rimraf": "^3.0.2"
   }

data/helpers/run.js

@@ -18,18 +18,13 @@ process.stdin.on("end", () => {
     process.exit(1);
   }
 
-  try {
-    func
-      .apply(null, request.args)
-      .then((result) => {
-        output({ result: result });
-      })
-      .catch((error) => {
-        output({ error: error.message });
-        process.exit(1);
-      });
-  } catch (e) {
-    output({ error: `Error calling function: ${func.name}: ${e}` });
-    process.exit(1);
-  }
+  func
+    .apply(null, request.args)
+    .then((result) => {
+      output({ result: result });
+    })
+    .catch((error) => {
+      output({ error: error.message });
+      process.exit(1);
+    });
 });

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -291,7 +291,7 @@ module Dependabot
 
           if matches_double_glob && !nested
             dependency_files +=
-              expanded_paths(File.join(path, "*")).flat_map do |nested_path|
+              find_directories(File.join(path, "*")).flat_map do |nested_path|
                 fetch_lerna_packages_from_path(nested_path, true)
               end
           end
@@ -309,34 +309,58 @@ module Dependabot
             [] # Invalid lerna.json, which must not be in use
           end
 
-        paths_array.flat_map do |path|
-          # The packages/!(not-this-package) syntax is unique to Yarn
-          if path.include?("*") || path.include?("!(")
-            expanded_paths(path)
-          else
-            path
-          end
-        end
+        paths_array.flat_map { |path| recursive_find_directories(path) }
       end
 
       # Only expands globs one level deep, so path/**/* gets expanded to path/
-      def expanded_paths(path)
-        ignored_path = path.match?(/!\(.*?\)/) && path.gsub(/(!\((.*?)\))/, '\2')
+      def find_directories(glob)
+        return [glob] unless glob.include?("*") || yarn_ignored_glob(glob)
+
+        unglobbed_path =
+          glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*").
+          split("*").
+          first&.gsub(%r{(?<=/)[^/]*$}, "") || "."
 
         dir = directory.gsub(%r{(^/|/$)}, "")
-        path = path.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
-        unglobbed_path = path.split("*").first&.gsub(%r{(?<=/)[^/]*$}, "") ||
-                         "."
 
-        results =
+        paths =
           repo_contents(dir: unglobbed_path, raise_errors: false).
           select { |file| file.type == "dir" }.
-          map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }.
-          select { |filename| File.fnmatch?(path, filename) }
+          map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
+
+        matching_paths(glob, paths)
+      end
+
+      def matching_paths(glob, paths)
+        ignored_glob = yarn_ignored_glob(glob)
+        glob = glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
+
+        results = paths.select { |filename| File.fnmatch?(glob, filename) }
+        return results unless ignored_glob
 
-        return results unless ignored_path
+        results.reject { |filename| File.fnmatch?(ignored_glob, filename) }
+      end
+
+      def recursive_find_directories(glob, prefix = "")
+        return [prefix + glob] unless glob.include?("*") || yarn_ignored_glob(glob)
+
+        glob = glob.gsub(%r{^\./}, "")
+        glob_parts = glob.split("/")
+
+        paths = find_directories(prefix + glob_parts.first)
+        next_parts = glob_parts.drop(1)
+        return paths if next_parts.empty?
+
+        paths = paths.flat_map do |expanded_path|
+          recursive_find_directories(next_parts.join("/"), "#{expanded_path}/")
+        end
+
+        matching_paths(prefix + glob, paths)
+      end
 
-        results.reject { |filename| File.fnmatch?(ignored_path, filename) }
+      # The packages/!(not-this-package) syntax is unique to Yarn
+      def yarn_ignored_glob(glob)
+        glob.match?(/!\(.*?\)/) && glob.gsub(/(!\((.*?)\))/, '\2')
       end
 
       def parsed_package_json

data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb

@@ -0,0 +1,136 @@
+# frozen_string_literal: true
+
+require "stringio"
+require "dependabot/dependency"
+require "dependabot/errors"
+require "dependabot/logger"
+require "dependabot/npm_and_yarn/file_parser"
+require "dependabot/npm_and_yarn/helpers"
+require "dependabot/npm_and_yarn/native_helpers"
+require "dependabot/npm_and_yarn/update_checker"
+require "dependabot/npm_and_yarn/update_checker/dependency_files_builder"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module NpmAndYarn
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      class VulnerabilityAuditor
+        def initialize(dependency_files:, credentials:)
+          @dependency_files = dependency_files
+          @credentials = credentials
+        end
+
+        # Finds any dependencies in the `package-lock.json` or `npm-shrinkwrap.json` that have
+        # a subdependency on the given dependency that is locked to a vuln version range.
+        #
+        # NOTE: yarn is currently not supported.
+        #
+        # @param dependency [Dependabot::Dependency] the dependency to check
+        # @param security_advisories [Array<Dependabot::SecurityAdvisory>] advisories for the dependency
+        # @return [Hash<String, [String, Array<Hash<String, String>>]>] the audit results
+        #   * :dependency_name [String] the name of the dependency
+        #   * :fix_available [Boolean] whether a fix is available
+        #   * :current_version [String] the version of the dependency
+        #   * :target_version [String] the version of the dependency after the fix
+        #   * :fix_updates [Array<Hash<String, String>>] a list of dependencies to update in order to fix
+        #     * :dependency_name [String] the name of the blocking dependency
+        #     * :current_version [String] the current version of the blocking dependency
+        #     * :target_version [String] the target version of the blocking dependency
+        def audit(dependency:, security_advisories:)
+          fix_unavailable = {
+            "dependency_name" => dependency.name,
+            "fix_available" => false
+          }
+
+          SharedHelpers.in_a_temporary_directory do
+            dependency_files_builder = DependencyFilesBuilder.new(
+              dependency: dependency,
+              dependency_files: dependency_files,
+              credentials: credentials
+            )
+            dependency_files_builder.write_temporary_dependency_files
+
+            # `npm-shrinkwrap.js`, if present, takes precedence over `package-lock.js`.
+            # Both files use the same format. See https://bit.ly/3lDIAJV for more.
+            lockfile = (dependency_files_builder.shrinkwraps + dependency_files_builder.package_locks).first
+            return fix_unavailable unless lockfile
+
+            vuln_versions = security_advisories.map do |a|
+              {
+                dependency_name: a.dependency_name,
+                affected_versions: a.vulnerable_version_strings
+              }
+            end
+
+            audit_result = SharedHelpers.run_helper_subprocess(
+              command: NativeHelpers.helper_path,
+              function: "npm:vulnerabilityAuditor",
+              args: [Dir.pwd, vuln_versions]
+            )
+            return fix_unavailable unless valid_audit_result?(audit_result, security_advisories)
+
+            audit_result
+          end
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          log_helper_subprocess_failure(dependency, e)
+          fix_unavailable
+        end
+
+        private
+
+        attr_reader :dependency_files, :credentials
+
+        def valid_audit_result?(audit_result, security_advisories)
+          # we only need to check results that indicate a fix is available
+          return true unless audit_result["fix_available"]
+
+          return false if vulnerable_dependency_removed?(audit_result)
+          return false if dependency_still_vulnerable?(audit_result, security_advisories)
+          return false if downgrades_dependencies?(audit_result)
+
+          true
+        end
+
+        def vulnerable_dependency_removed?(audit_result)
+          !audit_result["target_version"]
+        end
+
+        def dependency_still_vulnerable?(audit_result, security_advisories)
+          version = Version.new(audit_result["target_version"])
+          security_advisories.any? { |a| a.vulnerable?(version) }
+        end
+
+        def downgrades_dependencies?(audit_result)
+          return true if downgrades_version?(audit_result["current_version"], audit_result["target_version"])
+
+          audit_result["fix_updates"].any? do |update|
+            downgrades_version?(update["current_version"], update["target_version"])
+          end
+        end
+
+        def downgrades_version?(current_version, target_version)
+          current = Version.new(current_version)
+          target = Version.new(target_version)
+          current > target
+        end
+
+        def log_helper_subprocess_failure(dependency, error)
+          # See `Dependabot::SharedHelpers.run_helper_subprocess` for details on error context
+          context = error.error_context || {}
+
+          builder = ::StringIO.new
+          builder << "VulnerabilityAuditor: "
+          builder << "#{context[:function]} " if context[:function]
+          builder << "failed"
+          builder << " after #{context[:time_taken].truncate(2)}s" if context[:time_taken]
+          builder << " while auditing #{dependency.name}: "
+          builder << error.message
+          builder << "\n" << context[:trace]
+
+          msg = builder.string
+          Dependabot.logger.info(msg) # TODO: is this the right log level?
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/update_checker.rb

@@ -14,6 +14,7 @@ module Dependabot
       require_relative "update_checker/version_resolver"
       require_relative "update_checker/subdependency_version_resolver"
       require_relative "update_checker/conflicting_dependency_resolver"
+      require_relative "update_checker/vulnerability_auditor"
 
       def latest_version
         @latest_version ||=
@@ -106,20 +107,86 @@ module Dependabot
 
       private
 
+      def vulnerability_audit
+        @vulnerability_audit ||=
+          VulnerabilityAuditor.new(
+            dependency_files: dependency_files,
+            credentials: credentials
+          ).audit(
+            dependency: dependency,
+            security_advisories: security_advisories
+          )
+      end
+
       def latest_version_resolvable_with_full_unlock?
-        return unless latest_version
+        return false unless latest_version
 
-        # No support for full unlocks for subdependencies yet
-        return false unless dependency.top_level?
+        return version_resolver.latest_version_resolvable_with_full_unlock? if dependency.top_level?
 
-        version_resolver.latest_version_resolvable_with_full_unlock?
+        return false unless transitive_security_updates_enabled? && security_advisories.any?
+
+        vulnerability_audit["fix_available"]
+      end
+
+      def transitive_security_updates_enabled?
+        options.key?(:npm_transitive_security_updates)
       end
 
       def updated_dependencies_after_full_unlock
+        if !dependency.top_level? && transitive_security_updates_enabled? && security_advisories.any?
+          return conflicting_updated_dependencies
+        end
+
         version_resolver.dependency_updates_from_full_unlock.
           map { |update_details| build_updated_dependency(update_details) }
       end
 
+      def conflicting_updated_dependencies
+        top_level_dependencies = top_level_dependency_lookup
+
+        updated_deps = []
+        vulnerability_audit["fix_updates"].each do |update|
+          dependency_name = update["dependency_name"]
+          requirements = top_level_dependencies[dependency_name]&.requirements || []
+          conflicting_dep = Dependency.new(
+            name: dependency_name,
+            package_manager: "npm_and_yarn",
+            requirements: requirements
+          )
+
+          updated_deps << build_updated_dependency(
+            dependency: conflicting_dep,
+            version: update["target_version"],
+            previous_version: update["current_version"]
+          )
+        end
+
+        # We don't need to update this but need to include it so it's described
+        # in the PR and we'll pass validation that this dependency is at a
+        # non-vulnerable version.
+        if updated_deps.none? { |dep| dep.name == dependency.name }
+          updated_deps << build_updated_dependency(
+            dependency: dependency,
+            version: vulnerability_audit["target_version"],
+            previous_version: dependency.version
+          )
+        end
+
+        # Target dependency should be first in the result to support rebases
+        updated_deps.select { |dep| dep.name == dependency.name } +
+          updated_deps.reject { |dep| dep.name == dependency.name }
+      end
+
+      def top_level_dependency_lookup
+        top_level_dependencies = FileParser.new(
+          dependency_files: dependency_files,
+          credentials: credentials,
+          source: nil
+        ).parse.select(&:top_level?)
+
+        top_level_dependencies.map { |dep| [dep.name, dep] }.to_h
+      end
+
       def build_updated_dependency(update_details)
         original_dep = update_details.fetch(:dependency)
         version = update_details.fetch(:version).to_s

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.195.0
+  version: 0.196.2
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-06-24 00:00:00.000000000 Z
+date: 2022-06-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.195.0
+        version: 0.196.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.195.0
+        version: 0.196.2
 - !ruby/object:Gem::Dependency
   name: debase
   requirement: !ruby/object:Gem::Requirement
@@ -233,6 +233,7 @@ files:
 - helpers/jest.config.js
 - helpers/lib/npm/conflicting-dependency-parser.js
 - helpers/lib/npm/index.js
+- helpers/lib/npm/vulnerability-auditor.js
 - helpers/lib/npm6/helpers.js
 - helpers/lib/npm6/index.js
 - helpers/lib/npm6/peer-dependency-checker.js
@@ -307,6 +308,7 @@ files:
 - lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb
 - lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb
 - lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb
+- lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb
 - lib/dependabot/npm_and_yarn/version.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses: