dependabot-npm_and_yarn 0.196.1 → 0.196.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/helpers/lib/npm/vulnerability-auditor.js +37 -0
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +43 -19
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 17d091442f5535aee32eff806235c2c2fd5a003c1a0462020b66ed72877193c5
|
|
4
|
+
data.tar.gz: 0bc5a3ea0d891b2b146b576fa173e335b61e6495eb7d5246fffc9c7742dc2e55
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 488838fc133bb86735d241857ce6ce2825a2b00d555568999c435426e64b94a01f657f685f53b4f354daeb2437d257dcd319b4e935303bc8eb2237379ef25bd7
|
|
7
|
+
data.tar.gz: 239df30dd2eb4694e28f7382c1bfa6c75dc64b94d3d086c7831bbe893d1d06c5cb86244ad93635a192f0e96f6d3aa91aba6cefb535464f77492bad8796454c4b
|
|
@@ -34,6 +34,8 @@ const exec = promisify(require('child_process').exec)
|
|
|
34
34
|
async function findVulnerableDependencies(directory, advisories) {
|
|
35
35
|
const npmConfig = await loadNpmConfig()
|
|
36
36
|
const caCerts = loadCACerts(npmConfig)
|
|
37
|
+
const registryOpts = extractRegistryOptions(npmConfig)
|
|
38
|
+
const registryCreds = loadNpmConfigCredentials(directory)
|
|
37
39
|
|
|
38
40
|
const arb = new Arborist({
|
|
39
41
|
path: directory,
|
|
@@ -41,6 +43,8 @@ async function findVulnerableDependencies(directory, advisories) {
|
|
|
41
43
|
ca: caCerts,
|
|
42
44
|
force: true,
|
|
43
45
|
dryRun: true,
|
|
46
|
+
...registryOpts,
|
|
47
|
+
...registryCreds,
|
|
44
48
|
})
|
|
45
49
|
|
|
46
50
|
const scope = nock('http://localhost:9999')
|
|
@@ -170,6 +174,39 @@ async function loadNpmConfig() {
|
|
|
170
174
|
return JSON.parse(configOutput.stdout)
|
|
171
175
|
}
|
|
172
176
|
|
|
177
|
+
function extractRegistryOptions(npmConfig) {
|
|
178
|
+
const opts = []
|
|
179
|
+
for (const [key, value] of Object.entries(npmConfig)) {
|
|
180
|
+
if (key == "registry" || key.endsWith(":registry")) {
|
|
181
|
+
opts.push([key, value])
|
|
182
|
+
}
|
|
183
|
+
}
|
|
184
|
+
return Object.fromEntries(opts)
|
|
185
|
+
}
|
|
186
|
+
|
|
187
|
+
// loadNpmConfig doesn't return registry credentials so we need to manually extract them. If available,
|
|
188
|
+
// Dependabot will have written them to the project's .npmrc file.
|
|
189
|
+
const ini = require('ini')
|
|
190
|
+
const path = require('path')
|
|
191
|
+
|
|
192
|
+
const credKeys = ['token', '_authToken', '_auth']
|
|
193
|
+
|
|
194
|
+
function loadNpmConfigCredentials(projectDir) {
|
|
195
|
+
const projectNpmrc = maybeReadFile(path.join(projectDir, '.npmrc'))
|
|
196
|
+
if (!projectNpmrc) {
|
|
197
|
+
return {}
|
|
198
|
+
}
|
|
199
|
+
|
|
200
|
+
const credentials = []
|
|
201
|
+
const config = ini.parse(projectNpmrc)
|
|
202
|
+
for (const [key, value] of Object.entries(config)) {
|
|
203
|
+
if (credKeys.includes(key) || credKeys.some((credKey) => key.endsWith(':' + credKey))) {
|
|
204
|
+
credentials.push([key, value])
|
|
205
|
+
}
|
|
206
|
+
}
|
|
207
|
+
return Object.fromEntries(credentials)
|
|
208
|
+
}
|
|
209
|
+
|
|
173
210
|
// sourced from npm's cli/lib/utils/config/definitions.js for reading certs from the cafile option
|
|
174
211
|
const fs = require('fs')
|
|
175
212
|
const maybeReadFile = file => {
|
|
@@ -291,7 +291,7 @@ module Dependabot
|
|
|
291
291
|
|
|
292
292
|
if matches_double_glob && !nested
|
|
293
293
|
dependency_files +=
|
|
294
|
-
|
|
294
|
+
find_directories(File.join(path, "*")).flat_map do |nested_path|
|
|
295
295
|
fetch_lerna_packages_from_path(nested_path, true)
|
|
296
296
|
end
|
|
297
297
|
end
|
|
@@ -309,34 +309,58 @@ module Dependabot
|
|
|
309
309
|
[] # Invalid lerna.json, which must not be in use
|
|
310
310
|
end
|
|
311
311
|
|
|
312
|
-
paths_array.flat_map
|
|
313
|
-
# The packages/!(not-this-package) syntax is unique to Yarn
|
|
314
|
-
if path.include?("*") || path.include?("!(")
|
|
315
|
-
expanded_paths(path)
|
|
316
|
-
else
|
|
317
|
-
path
|
|
318
|
-
end
|
|
319
|
-
end
|
|
312
|
+
paths_array.flat_map { |path| recursive_find_directories(path) }
|
|
320
313
|
end
|
|
321
314
|
|
|
322
315
|
# Only expands globs one level deep, so path/**/* gets expanded to path/
|
|
323
|
-
def
|
|
324
|
-
|
|
316
|
+
def find_directories(glob)
|
|
317
|
+
return [glob] unless glob.include?("*") || yarn_ignored_glob(glob)
|
|
318
|
+
|
|
319
|
+
unglobbed_path =
|
|
320
|
+
glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*").
|
|
321
|
+
split("*").
|
|
322
|
+
first&.gsub(%r{(?<=/)[^/]*$}, "") || "."
|
|
325
323
|
|
|
326
324
|
dir = directory.gsub(%r{(^/|/$)}, "")
|
|
327
|
-
path = path.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
|
|
328
|
-
unglobbed_path = path.split("*").first&.gsub(%r{(?<=/)[^/]*$}, "") ||
|
|
329
|
-
"."
|
|
330
325
|
|
|
331
|
-
|
|
326
|
+
paths =
|
|
332
327
|
repo_contents(dir: unglobbed_path, raise_errors: false).
|
|
333
328
|
select { |file| file.type == "dir" }.
|
|
334
|
-
map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
|
|
335
|
-
|
|
329
|
+
map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
|
|
330
|
+
|
|
331
|
+
matching_paths(glob, paths)
|
|
332
|
+
end
|
|
333
|
+
|
|
334
|
+
def matching_paths(glob, paths)
|
|
335
|
+
ignored_glob = yarn_ignored_glob(glob)
|
|
336
|
+
glob = glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
|
|
337
|
+
|
|
338
|
+
results = paths.select { |filename| File.fnmatch?(glob, filename) }
|
|
339
|
+
return results unless ignored_glob
|
|
336
340
|
|
|
337
|
-
|
|
341
|
+
results.reject { |filename| File.fnmatch?(ignored_glob, filename) }
|
|
342
|
+
end
|
|
343
|
+
|
|
344
|
+
def recursive_find_directories(glob, prefix = "")
|
|
345
|
+
return [prefix + glob] unless glob.include?("*") || yarn_ignored_glob(glob)
|
|
346
|
+
|
|
347
|
+
glob = glob.gsub(%r{^\./}, "")
|
|
348
|
+
glob_parts = glob.split("/")
|
|
349
|
+
|
|
350
|
+
paths = find_directories(prefix + glob_parts.first)
|
|
351
|
+
next_parts = glob_parts.drop(1)
|
|
352
|
+
return paths if next_parts.empty?
|
|
353
|
+
|
|
354
|
+
paths = paths.flat_map do |expanded_path|
|
|
355
|
+
recursive_find_directories(next_parts.join("/"), "#{expanded_path}/")
|
|
356
|
+
end
|
|
357
|
+
|
|
358
|
+
matching_paths(prefix + glob, paths)
|
|
359
|
+
end
|
|
338
360
|
|
|
339
|
-
|
|
361
|
+
# The packages/!(not-this-package) syntax is unique to Yarn
|
|
362
|
+
def yarn_ignored_glob(glob)
|
|
363
|
+
glob.match?(/!\(.*?\)/) && glob.gsub(/(!\((.*?)\))/, '\2')
|
|
340
364
|
end
|
|
341
365
|
|
|
342
366
|
def parsed_package_json
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.196.
|
|
4
|
+
version: 0.196.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-06-
|
|
11
|
+
date: 2022-06-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.196.
|
|
19
|
+
version: 0.196.2
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.196.
|
|
26
|
+
version: 0.196.2
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debase
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|