dependabot-npm_and_yarn 0.196.1 → 0.196.4
- checksums.yaml +4 -4
- data/helpers/lib/npm/conflicting-dependency-parser.js +2 -0
- data/helpers/lib/npm/vulnerability-auditor.js +38 -0
- data/helpers/package-lock.json +950 -918
- data/helpers/package.json +3 -3
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +43 -19
- data/lib/dependabot/npm_and_yarn/metadata_finder.rb +3 -13
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +19 -27
- data/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb +1 -6
- data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb +4 -8
- data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb +2 -1
- metadata +6 -6
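--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 69ba3d07e5c8921abc3968db377134c08c1704171291ec76c130f4fbdd3449a5
+data.tar.gz: 79f23aa0fe41a68fa6f1d64d89ef62d91e03cccd606ce92c0905a5d884e1f377
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 629aaedf620875cf21accb159c6bff0315d9047f4835853eccdabd1147346e7697d001e83c7fcb0e3f2312c7eb716eeb19c344a8c79e123a68901126a2c46976
+data.tar.gz: 2cfd3991a035b564218c7f1dd01fc60e66f224a14ffb3b2c4f8256373884fcec77e81f7310e65b858e204c806bac223d5f38931810a4eda58b35ff2e3885dd49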
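--- a/data/helpers/lib/npm/conflicting-dependency-parser.js
+++ b/data/helpers/lib/npm/conflicting-dependency-parser.js
@@ -15,6 +15,8 @@ const semver = require("semver");
 async function findConflictingDependencies(directory, depName, targetVersion) {
 const arb = new Arborist({
 path: directory,
+dryRun: true,
+ignoreScripts: true,
 });
 
 return await arb.loadVirtual().then((tree) => {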
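Review bot: The two options added to the Arborist constructor are defensive and deserve a why-comment, since a reader may not know that `ignoreScripts: true` is presumably what keeps lifecycle scripts of the inspected packages from executing and `dryRun: true` what keeps the tree read-only; e.g. `// Never write to disk or run lifecycle scripts: the lockfile under inspection is untrusted input.` The same pair is added to the Arborist call in vulnerability-auditor.js and the comment belongs there too. findConflictingDependencies continues past the hunk.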
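--- a/data/helpers/lib/npm/vulnerability-auditor.js
+++ b/data/helpers/lib/npm/vulnerability-auditor.js
@@ -34,6 +34,8 @@ const exec = promisify(require('child_process').exec)
 async function findVulnerableDependencies(directory, advisories) {
 const npmConfig = await loadNpmConfig()
 const caCerts = loadCACerts(npmConfig)
+const registryOpts = extractRegistryOptions(npmConfig)
+const registryCreds = loadNpmConfigCredentials(directory)
 
 const arb = new Arborist({
 path: directory,
@@ -41,6 +43,9 @@ async function findVulnerableDependencies(directory, advisories) {
 ca: caCerts,
 force: true,
 dryRun: true,
+ignoreScripts: true,
+...registryOpts,
+...registryCreds,
 })
 
 const scope = nock('http://localhost:9999')
@@ -170,6 +175,39 @@ async function loadNpmConfig() {
 return JSON.parse(configOutput.stdout)
 }
 
+function extractRegistryOptions(npmConfig) {
+const opts = []
+for (const [key, value] of Object.entries(npmConfig)) {
+if (key == "registry" || key.endsWith(":registry")) {
+opts.push([key, value])
+}
+}
+return Object.fromEntries(opts)
+}
+
+// loadNpmConfig doesn't return registry credentials so we need to manually extract them. If available,
+// Dependabot will have written them to the project's .npmrc file.
+const ini = require('ini')
+const path = require('path')
+
+const credKeys = ['token', '_authToken', '_auth']
+
+function loadNpmConfigCredentials(projectDir) {
+const projectNpmrc = maybeReadFile(path.join(projectDir, '.npmrc'))
+if (!projectNpmrc) {
+return {}
+}
+
+const credentials = []
+const config = ini.parse(projectNpmrc)
+for (const [key, value] of Object.entries(config)) {
+if (credKeys.includes(key) || credKeys.some((credKey) => key.endsWith(':' + credKey))) {
+credentials.push([key, value])
+}
+}
+return Object.fromEntries(credentials)
+}
+
 // sourced from npm's cli/lib/utils/config/definitions.js for reading certs from the cafile option
 const fs = require('fs')
 const maybeReadFile = file => {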
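Review bot: loadNpmConfigCredentials forwards whatever value `ini.parse` yields for a matching key verbatim, and `ini.parse` does no `${VAR}` expansion, so an `.npmrc` entry written as an environment reference would likely reach the registry as the literal placeholder; if the comment's assumption that Dependabot writes literal tokens holds this is fine, but it should be stated next to the loop, e.g. `// Values are used verbatim: ${VAR} references in .npmrc are not expanded here.` Because these secrets now live inside the Arborist options object, check that no error path serializes that object into logs or exception messages. In extractRegistryOptions, `key == "registry"` should be `key === "registry"`, and the mid-file `require('ini')` and `require('path')` belong with the other requires at the top of the file.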