dependabot-npm_and_yarn 0.196.0 → 0.196.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/helpers/lib/npm/conflicting-dependency-parser.js +2 -0
- data/helpers/lib/npm/vulnerability-auditor.js +38 -0
- data/helpers/package-lock.json +1157 -995
- data/helpers/package.json +4 -4
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +43 -19
- data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb +2 -1
- data/lib/dependabot/npm_and_yarn/update_checker.rb +15 -9
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 7b7522d7728466cae083fc498a0e5c4a7923c46a56a38546f36834de5470fe84
|
|
4
|
+
data.tar.gz: a55c8659f731d24c8b93a13853d2d05bdc11eb72466873ab002b56b5d8a8ed99
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f5c67225a4f85b8887d2318f236b078820c201e5daf654cde802633723005f98b7136f3581a9c1edc09d6f2923839454f4340580fc2e3f9e96d478de1de44de4
|
|
7
|
+
data.tar.gz: 7dd77797d4c581508b60c49adb083e6fab1f2fecdb74456f1b8d9fc2023172f6349cf3b12d2a70f0ab6af5930d73777fa62764dcbb39d2ccde12583e3e2bfec3
|
|
@@ -15,6 +15,8 @@ const semver = require("semver");
|
|
|
15
15
|
async function findConflictingDependencies(directory, depName, targetVersion) {
|
|
16
16
|
const arb = new Arborist({
|
|
17
17
|
path: directory,
|
|
18
|
+
dryRun: true,
|
|
19
|
+
ignoreScripts: true,
|
|
18
20
|
});
|
|
19
21
|
|
|
20
22
|
return await arb.loadVirtual().then((tree) => {
|
|
@@ -34,6 +34,8 @@ const exec = promisify(require('child_process').exec)
|
|
|
34
34
|
async function findVulnerableDependencies(directory, advisories) {
|
|
35
35
|
const npmConfig = await loadNpmConfig()
|
|
36
36
|
const caCerts = loadCACerts(npmConfig)
|
|
37
|
+
const registryOpts = extractRegistryOptions(npmConfig)
|
|
38
|
+
const registryCreds = loadNpmConfigCredentials(directory)
|
|
37
39
|
|
|
38
40
|
const arb = new Arborist({
|
|
39
41
|
path: directory,
|
|
@@ -41,6 +43,9 @@ async function findVulnerableDependencies(directory, advisories) {
|
|
|
41
43
|
ca: caCerts,
|
|
42
44
|
force: true,
|
|
43
45
|
dryRun: true,
|
|
46
|
+
ignoreScripts: true,
|
|
47
|
+
...registryOpts,
|
|
48
|
+
...registryCreds,
|
|
44
49
|
})
|
|
45
50
|
|
|
46
51
|
const scope = nock('http://localhost:9999')
|
|
@@ -170,6 +175,39 @@ async function loadNpmConfig() {
|
|
|
170
175
|
return JSON.parse(configOutput.stdout)
|
|
171
176
|
}
|
|
172
177
|
|
|
178
|
+
function extractRegistryOptions(npmConfig) {
|
|
179
|
+
const opts = []
|
|
180
|
+
for (const [key, value] of Object.entries(npmConfig)) {
|
|
181
|
+
if (key == "registry" || key.endsWith(":registry")) {
|
|
182
|
+
opts.push([key, value])
|
|
183
|
+
}
|
|
184
|
+
}
|
|
185
|
+
return Object.fromEntries(opts)
|
|
186
|
+
}
|
|
187
|
+
|
|
188
|
+
// loadNpmConfig doesn't return registry credentials so we need to manually extract them. If available,
|
|
189
|
+
// Dependabot will have written them to the project's .npmrc file.
|
|
190
|
+
const ini = require('ini')
|
|
191
|
+
const path = require('path')
|
|
192
|
+
|
|
193
|
+
const credKeys = ['token', '_authToken', '_auth']
|
|
194
|
+
|
|
195
|
+
function loadNpmConfigCredentials(projectDir) {
|
|
196
|
+
const projectNpmrc = maybeReadFile(path.join(projectDir, '.npmrc'))
|
|
197
|
+
if (!projectNpmrc) {
|
|
198
|
+
return {}
|
|
199
|
+
}
|
|
200
|
+
|
|
201
|
+
const credentials = []
|
|
202
|
+
const config = ini.parse(projectNpmrc)
|
|
203
|
+
for (const [key, value] of Object.entries(config)) {
|
|
204
|
+
if (credKeys.includes(key) || credKeys.some((credKey) => key.endsWith(':' + credKey))) {
|
|
205
|
+
credentials.push([key, value])
|
|
206
|
+
}
|
|
207
|
+
}
|
|
208
|
+
return Object.fromEntries(credentials)
|
|
209
|
+
}
|
|
210
|
+
|
|
173
211
|
// sourced from npm's cli/lib/utils/config/definitions.js for reading certs from the cafile option
|
|
174
212
|
const fs = require('fs')
|
|
175
213
|
const maybeReadFile = file => {
|