dependabot-npm_and_yarn 0.196.0 → 0.196.3

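--- a/data/helpers/package.json
+++ b/data/helpers/package.json
@@ -10,16 +10,16 @@
  },
  "dependencies": {
  "@dependabot/yarn-lib": "^1.21.1",
- "@npmcli/arborist": "^5.2.0",
+ "@npmcli/arborist": "^5.2.3",
  "detect-indent": "^6.1.0",
- "nock": "^13.2.4",
+ "nock": "^13.2.8",
  "npm": "6.14.17",
  "semver": "^7.3.7"
  },
  "devDependencies": {
- "eslint": "^8.18.0",
+ "eslint": "^8.19.0",
  "eslint-config-prettier": "^8.5.0",
- "jest": "^28.1.0",
+ "jest": "^28.1.2",
  "prettier": "^2.7.1",
  "rimraf": "^3.0.2"
  }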
@@ -291,7 +291,7 @@ module Dependabot
291
291
 
292
292
  if matches_double_glob && !nested
293
293
  dependency_files +=
294
- expanded_paths(File.join(path, "*")).flat_map do |nested_path|
294
+ find_directories(File.join(path, "*")).flat_map do |nested_path|
295
295
  fetch_lerna_packages_from_path(nested_path, true)
296
296
  end
297
297
  end
@@ -309,34 +309,58 @@ module Dependabot
309
309
  [] # Invalid lerna.json, which must not be in use
310
310
  end
311
311
 
312
- paths_array.flat_map do |path|
313
- # The packages/!(not-this-package) syntax is unique to Yarn
314
- if path.include?("*") || path.include?("!(")
315
- expanded_paths(path)
316
- else
317
- path
318
- end
319
- end
312
+ paths_array.flat_map { |path| recursive_find_directories(path) }
320
313
  end
321
314
 
322
315
  # Only expands globs one level deep, so path/**/* gets expanded to path/
323
- def expanded_paths(path)
324
- ignored_path = path.match?(/!\(.*?\)/) && path.gsub(/(!\((.*?)\))/, '\2')
316
+ def find_directories(glob)
317
+ return [glob] unless glob.include?("*") || yarn_ignored_glob(glob)
318
+
319
+ unglobbed_path =
320
+ glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*").
321
+ split("*").
322
+ first&.gsub(%r{(?<=/)[^/]*$}, "") || "."
325
323
 
326
324
  dir = directory.gsub(%r{(^/|/$)}, "")
327
- path = path.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
328
- unglobbed_path = path.split("*").first&.gsub(%r{(?<=/)[^/]*$}, "") ||
329
- "."
330
325
 
331
- results =
326
+ paths =
332
327
  repo_contents(dir: unglobbed_path, raise_errors: false).
333
328
  select { |file| file.type == "dir" }.
334
- map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }.
335
- select { |filename| File.fnmatch?(path, filename) }
329
+ map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
330
+
331
+ matching_paths(glob, paths)
332
+ end
333
+
334
+ def matching_paths(glob, paths)
335
+ ignored_glob = yarn_ignored_glob(glob)
336
+ glob = glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
337
+
338
+ results = paths.select { |filename| File.fnmatch?(glob, filename) }
339
+ return results unless ignored_glob
336
340
 
337
- return results unless ignored_path
341
+ results.reject { |filename| File.fnmatch?(ignored_glob, filename) }
342
+ end
343
+
344
+ def recursive_find_directories(glob, prefix = "")
345
+ return [prefix + glob] unless glob.include?("*") || yarn_ignored_glob(glob)
346
+
347
+ glob = glob.gsub(%r{^\./}, "")
348
+ glob_parts = glob.split("/")
349
+
350
+ paths = find_directories(prefix + glob_parts.first)
351
+ next_parts = glob_parts.drop(1)
352
+ return paths if next_parts.empty?
353
+
354
+ paths = paths.flat_map do |expanded_path|
355
+ recursive_find_directories(next_parts.join("/"), "#{expanded_path}/")
356
+ end
357
+
358
+ matching_paths(prefix + glob, paths)
359
+ end
338
360
 
339
- results.reject { |filename| File.fnmatch?(ignored_path, filename) }
361
+ # The packages/!(not-this-package) syntax is unique to Yarn
362
+ def yarn_ignored_glob(glob)
363
+ glob.match?(/!\(.*?\)/) && glob.gsub(/(!\((.*?)\))/, '\2')
340
364
  end
341
365
 
342
366
  def parsed_package_json
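Review bot: `recursive_find_directories` issues one `repo_contents` listing (via `find_directories`) for every directory matched at each `/`-separated segment of a workspace glob, so the number of listings grows multiplicatively with the depth of the pattern and the width of the tree, where the replaced `expanded_paths` performed a single listing per glob. These globs come from the repository's own `package.json`/`lerna.json`, so a pattern such as `*/*/*/*/*/*` can drive a large number of fetches (presumably remote API calls — `repo_contents` is defined outside the hunk) before any manifest is parsed. A cap on segments is cheap: after `glob_parts = glob.split("/")` add `return [] if glob_parts.length > MAX_GLOB_SEGMENTS` with a small frozen constant, and consider a similar bound on the accumulated `paths`. Separately, the context comment at the top of this hunk ("Only expands globs one level deep…") now describes `find_directories` while the new recursive walker has no documentation; a one-liner such as `# Expands a workspace glob one path segment at a time, listing the repo for each segment that contains "*" or a !(…) exclusion` would make the split clear. `yarn_ignored_glob` is also evaluated twice per glob (in the guard and again inside `matching_paths`); harmless, but the first result could simply be passed down.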
@@ -39,7 +39,8 @@ module Dependabot
39
39
  def audit(dependency:, security_advisories:)
40
40
  fix_unavailable = {
41
41
  "dependency_name" => dependency.name,
42
- "fix_available" => false
42
+ "fix_available" => false,
43
+ "fix_updates" => []
43
44
  }
44
45
 
45
46
  SharedHelpers.in_a_temporary_directory do
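Review bot: The added `"fix_updates" => []` entry in `fix_unavailable` only makes sense if consumers of the audit result iterate `fix_updates` without a nil check, and nothing in this hunk records that contract (the rest of `audit`, including the success-path result, lies outside the hunk). A comment on the hash would keep the key from being dropped again: `# Keep the same keys as a successful audit: callers iterate "fix_updates" unconditionally`. If the success path builds its result from the helper's JSON output, a single place that normalises both shapes would be safer than two hand-maintained literals that must stay in sync.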
@@ -142,18 +142,12 @@ module Dependabot
142
142
  end
143
143
 
144
144
  def conflicting_updated_dependencies
145
- top_level_dependencies = FileParser.new(
146
- dependency_files: dependency_files,
147
- credentials: credentials,
148
- source: nil
149
- ).parse.select(&:top_level?)
150
-
151
- top_level_dependency_lookup = top_level_dependencies.map { |dep| [dep.name, dep] }.to_h
145
+ top_level_dependencies = top_level_dependency_lookup
152
146
 
153
147
  updated_deps = []
154
148
  vulnerability_audit["fix_updates"].each do |update|
155
149
  dependency_name = update["dependency_name"]
156
- requirements = top_level_dependency_lookup[dependency_name]&.requirements || []
150
+ requirements = top_level_dependencies[dependency_name]&.requirements || []
157
151
  conflicting_dep = Dependency.new(
158
152
  name: dependency_name,
159
153
  package_manager: "npm_and_yarn",
@@ -178,7 +172,19 @@ module Dependabot
178
172
  )
179
173
  end
180
174
 
181
- updated_deps
175
+ # Target dependency should be first in the result to support rebases
176
+ updated_deps.select { |dep| dep.name == dependency.name } +
177
+ updated_deps.reject { |dep| dep.name == dependency.name }
178
+ end
179
+
180
+ def top_level_dependency_lookup
181
+ top_level_dependencies = FileParser.new(
182
+ dependency_files: dependency_files,
183
+ credentials: credentials,
184
+ source: nil
185
+ ).parse.select(&:top_level?)
186
+
187
+ top_level_dependencies.map { |dep| [dep.name, dep] }.to_h
182
188
  end
183
189
 
184
190
  def build_updated_dependency(update_details)
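Review bot: In `conflicting_updated_dependencies` the local `top_level_dependencies` now holds the Hash returned by `top_level_dependency_lookup`, while the helper uses the same name for the Array it builds, so `top_level_dependencies[dependency_name]` reads as an Array index; naming the local `top_level_by_name` (or calling the helper directly) removes the ambiguity. The final ordering walks `updated_deps` twice with `select` and `reject`; `target, rest = updated_deps.partition { |dep| dep.name == dependency.name }` followed by `target + rest` expresses the intent in one pass and keeps the existing comment. `top_level_dependency_lookup` re-runs `FileParser#parse` on every call, so if it is reached more than once per update check (not visible here) memoising with `@top_level_dependency_lookup ||=` avoids re-parsing the manifests. The body of the `each` block (the `Dependency.new` arguments) lies outside the hunk.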
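--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: dependabot-npm_and_yarn
  version: !ruby/object:Gem::Version
- version: 0.196.0
+ version: 0.196.3
  platform: ruby
  authors:
  - Dependabot
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-06-24 00:00:00.000000000 Z
+ date: 2022-07-12 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.196.0
+ version: 0.196.3
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.196.0
+ version: 0.196.3
  - !ruby/object:Gem::Dependency
  name: debase
  requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 1.30.1
+ version: 1.31.2
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: 1.30.1
+ version: 1.31.2
  - !ruby/object:Gem::Dependency
  name: ruby-debug-ide
  requirement: !ruby/object:Gem::Requirement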