dependabot-npm_and_yarn 0.196.0 → 0.196.3

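--- a/data/helpers/package.json
+++ b/data/helpers/package.json
@@ -10,16 +10,16 @@
  },
  "dependencies": {
  "@dependabot/yarn-lib": "^1.21.1",
- "@npmcli/arborist": "^5.2.0",
+ "@npmcli/arborist": "^5.2.3",
  "detect-indent": "^6.1.0",
- "nock": "^13.2.4",
+ "nock": "^13.2.8",
  "npm": "6.14.17",
  "semver": "^7.3.7"
  },
  "devDependencies": {
- "eslint": "^8.18.0",
+ "eslint": "^8.19.0",
  "eslint-config-prettier": "^8.5.0",
- "jest": "^28.1.0",
+ "jest": "^28.1.2",
  "prettier": "^2.7.1",
  "rimraf": "^3.0.2"
  }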
@@ -291,7 +291,7 @@ module Dependabot
291
291
 
292
292
  if matches_double_glob && !nested
293
293
  dependency_files +=
294
- expanded_paths(File.join(path, "*")).flat_map do |nested_path|
294
+ find_directories(File.join(path, "*")).flat_map do |nested_path|
295
295
  fetch_lerna_packages_from_path(nested_path, true)
296
296
  end
297
297
  end
@@ -309,34 +309,58 @@ module Dependabot
309
309
  [] # Invalid lerna.json, which must not be in use
310
310
  end
311
311
 
312
- paths_array.flat_map do |path|
313
- # The packages/!(not-this-package) syntax is unique to Yarn
314
- if path.include?("*") || path.include?("!(")
315
- expanded_paths(path)
316
- else
317
- path
318
- end
319
- end
312
+ paths_array.flat_map { |path| recursive_find_directories(path) }
320
313
  end
321
314
 
322
315
  # Only expands globs one level deep, so path/**/* gets expanded to path/
323
- def expanded_paths(path)
324
- ignored_path = path.match?(/!\(.*?\)/) && path.gsub(/(!\((.*?)\))/, '\2')
316
+ def find_directories(glob)
317
+ return [glob] unless glob.include?("*") || yarn_ignored_glob(glob)
318
+
319
+ unglobbed_path =
320
+ glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*").
321
+ split("*").
322
+ first&.gsub(%r{(?<=/)[^/]*$}, "") || "."
325
323
 
326
324
  dir = directory.gsub(%r{(^/|/$)}, "")
327
- path = path.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
328
- unglobbed_path = path.split("*").first&.gsub(%r{(?<=/)[^/]*$}, "") ||
329
- "."
330
325
 
331
- results =
326
+ paths =
332
327
  repo_contents(dir: unglobbed_path, raise_errors: false).
333
328
  select { |file| file.type == "dir" }.
334
- map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }.
335
- select { |filename| File.fnmatch?(path, filename) }
329
+ map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
330
+
331
+ matching_paths(glob, paths)
332
+ end
333
+
334
+ def matching_paths(glob, paths)
335
+ ignored_glob = yarn_ignored_glob(glob)
336
+ glob = glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
337
+
338
+ results = paths.select { |filename| File.fnmatch?(glob, filename) }
339
+ return results unless ignored_glob
336
340
 
337
- return results unless ignored_path
341
+ results.reject { |filename| File.fnmatch?(ignored_glob, filename) }
342
+ end
343
+
344
+ def recursive_find_directories(glob, prefix = "")
345
+ return [prefix + glob] unless glob.include?("*") || yarn_ignored_glob(glob)
346
+
347
+ glob = glob.gsub(%r{^\./}, "")
348
+ glob_parts = glob.split("/")
349
+
350
+ paths = find_directories(prefix + glob_parts.first)
351
+ next_parts = glob_parts.drop(1)
352
+ return paths if next_parts.empty?
353
+
354
+ paths = paths.flat_map do |expanded_path|
355
+ recursive_find_directories(next_parts.join("/"), "#{expanded_path}/")
356
+ end
357
+
358
+ matching_paths(prefix + glob, paths)
359
+ end
338
360
 
339
- results.reject { |filename| File.fnmatch?(ignored_path, filename) }
361
+ # The packages/!(not-this-package) syntax is unique to Yarn
362
+ def yarn_ignored_glob(glob)
363
+ glob.match?(/!\(.*?\)/) && glob.gsub(/(!\((.*?)\))/, '\2')
340
364
  end
341
365
 
342
366
  def parsed_package_json
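Review bot: In `matching_paths` the exclusion pattern is computed by `yarn_ignored_glob(glob)` before the leading `./` is stripped from `glob`, so for an input like `./packages/!(foo)` the exclusion becomes `./packages/foo` while the candidate paths carry no `./` prefix, and `File.fnmatch?` never rejects anything; `recursive_find_directories` happens to strip `./` before delegating, but `find_directories` is also called directly (line 294) and would hit this if handed such a glob. Doing the strip once inside the helper, `glob.match?(/!\(.*?\)/) && glob.gsub(%r{^\./}, "").gsub(/(!\((.*?)\))/, '\2')`, keeps both callers consistent and lets `matching_paths` drop its duplicated `gsub`. Separately, each `*` segment in `recursive_find_directories` issues one `repo_contents` request per directory matched at the previous level, so a manifest-supplied glob such as `*/*/*` fans out with no depth or result cap; since these globs appear to originate from the repository's own lerna/workspace config, a bound is worth considering. `File.fnmatch?` is also called without `File::FNM_PATHNAME`, so `*` matches across `/` — harmless while each level is listed separately, but worth a comment on `matching_paths` so the assumption is explicit.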
@@ -39,7 +39,8 @@ module Dependabot
39
39
  def audit(dependency:, security_advisories:)
40
40
  fix_unavailable = {
41
41
  "dependency_name" => dependency.name,
42
- "fix_available" => false
42
+ "fix_available" => false,
43
+ "fix_updates" => []
43
44
  }
44
45
 
45
46
  SharedHelpers.in_a_temporary_directory do
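Review bot: `fix_unavailable` now carries an empty `fix_updates`, which lets callers that do `vulnerability_audit["fix_updates"].each` treat the no-fix result uniformly, but this hunk shows only that one hash and `audit` continues outside it, so every other value `audit` can return (including whatever the helper invoked inside the temporary directory yields on error) needs the same key or those callers still fail on `nil`. A one-line comment above the literal would record the contract: `# Same shape as a successful audit so callers can always iterate fix_updates`.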
@@ -142,18 +142,12 @@ module Dependabot
142
142
  end
143
143
 
144
144
  def conflicting_updated_dependencies
145
- top_level_dependencies = FileParser.new(
146
- dependency_files: dependency_files,
147
- credentials: credentials,
148
- source: nil
149
- ).parse.select(&:top_level?)
150
-
151
- top_level_dependency_lookup = top_level_dependencies.map { |dep| [dep.name, dep] }.to_h
145
+ top_level_dependencies = top_level_dependency_lookup
152
146
 
153
147
  updated_deps = []
154
148
  vulnerability_audit["fix_updates"].each do |update|
155
149
  dependency_name = update["dependency_name"]
156
- requirements = top_level_dependency_lookup[dependency_name]&.requirements || []
150
+ requirements = top_level_dependencies[dependency_name]&.requirements || []
157
151
  conflicting_dep = Dependency.new(
158
152
  name: dependency_name,
159
153
  package_manager: "npm_and_yarn",
@@ -178,7 +172,19 @@ module Dependabot
178
172
  )
179
173
  end
180
174
 
181
- updated_deps
175
+ # Target dependency should be first in the result to support rebases
176
+ updated_deps.select { |dep| dep.name == dependency.name } +
177
+ updated_deps.reject { |dep| dep.name == dependency.name }
178
+ end
179
+
180
+ def top_level_dependency_lookup
181
+ top_level_dependencies = FileParser.new(
182
+ dependency_files: dependency_files,
183
+ credentials: credentials,
184
+ source: nil
185
+ ).parse.select(&:top_level?)
186
+
187
+ top_level_dependencies.map { |dep| [dep.name, dep] }.to_h
182
188
  end
183
189
 
184
190
  def build_updated_dependency(update_details)
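Review bot: The reordering at the end of `conflicting_updated_dependencies` walks `updated_deps` twice with `select` and `reject` on the same predicate; `Enumerable#partition` says the same thing in one pass, `target, others = updated_deps.partition { |dep| dep.name == dependency.name }` followed by `target + others`, and keeps the existing comment about rebases accurate. The new `top_level_dependency_lookup` helper re-runs `FileParser` over every dependency file on each call; it is invoked once here, but any future caller repeats the full parse, so memoizing with `@top_level_dependency_lookup ||=` is worth considering — presumably `dependency_files` and `credentials` do not change during a single check, confirm. The `def conflicting_updated_dependencies` line sits in the preceding hunk, and `dependency` used in the predicate is defined outside this hunk.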
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.196.0
4
+ version: 0.196.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-06-24 00:00:00.000000000 Z
11
+ date: 2022-07-12 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.196.0
19
+ version: 0.196.3
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.196.0
26
+ version: 0.196.3
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debase
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
128
128
  requirements:
129
129
  - - "~>"
130
130
  - !ruby/object:Gem::Version
131
- version: 1.30.1
131
+ version: 1.31.2
132
132
  type: :development
133
133
  prerelease: false
134
134
  version_requirements: !ruby/object:Gem::Requirement
135
135
  requirements:
136
136
  - - "~>"
137
137
  - !ruby/object:Gem::Version
138
- version: 1.30.1
138
+ version: 1.31.2
139
139
  - !ruby/object:Gem::Dependency
140
140
  name: ruby-debug-ide
141
141
  requirement: !ruby/object:Gem::Requirement