dependabot-npm_and_yarn 0.196.1 → 0.196.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f571bc3ea2061c9be74632412d008fa2cf20ce7301ca135bd44691e0c71568a6
-  data.tar.gz: 8de83c33bc6b953238a25be305e770d1ecd93997f9ef3591ccc99d9e2d890e53
+  metadata.gz: 69ba3d07e5c8921abc3968db377134c08c1704171291ec76c130f4fbdd3449a5
+  data.tar.gz: 79f23aa0fe41a68fa6f1d64d89ef62d91e03cccd606ce92c0905a5d884e1f377
 SHA512:
-  metadata.gz: d3f7032e974091c5968bf89dba3782fecc0eb31e888764e64cf5c38512d1cf41952a4059866c2e6fe9c17d6413ec0efa0cc256f7506b20097b53774d70367fe3
-  data.tar.gz: 5bf66a58afc71a31bbbe1926040fc1a7c2f02af40434695b5538987d67be0d0e8ab8dc35d0ce0ddac184b37a61156886f6ce22c0bc7b1933d2e5bd4be54f2ea8
+  metadata.gz: 629aaedf620875cf21accb159c6bff0315d9047f4835853eccdabd1147346e7697d001e83c7fcb0e3f2312c7eb716eeb19c344a8c79e123a68901126a2c46976
+  data.tar.gz: 2cfd3991a035b564218c7f1dd01fc60e66f224a14ffb3b2c4f8256373884fcec77e81f7310e65b858e204c806bac223d5f38931810a4eda58b35ff2e3885dd49

data/helpers/lib/npm/conflicting-dependency-parser.js

@@ -15,6 +15,8 @@ const semver = require("semver");
 async function findConflictingDependencies(directory, depName, targetVersion) {
   const arb = new Arborist({
     path: directory,
+    dryRun: true,
+    ignoreScripts: true,
   });
 
   return await arb.loadVirtual().then((tree) => {

data/helpers/lib/npm/vulnerability-auditor.js

@@ -34,6 +34,8 @@ const exec = promisify(require('child_process').exec)
 async function findVulnerableDependencies(directory, advisories) {
   const npmConfig = await loadNpmConfig()
   const caCerts = loadCACerts(npmConfig)
+  const registryOpts = extractRegistryOptions(npmConfig)
+  const registryCreds = loadNpmConfigCredentials(directory)
 
   const arb = new Arborist({
     path: directory,
@@ -41,6 +43,9 @@ async function findVulnerableDependencies(directory, advisories) {
     ca: caCerts,
     force: true,
     dryRun: true,
+    ignoreScripts: true,
+    ...registryOpts,
+    ...registryCreds,
   })
 
   const scope = nock('http://localhost:9999')
@@ -170,6 +175,39 @@ async function loadNpmConfig() {
   return JSON.parse(configOutput.stdout)
 }
 
+function extractRegistryOptions(npmConfig) {
+  const opts = []
+  for (const [key, value] of Object.entries(npmConfig)) {
+    if (key == "registry" || key.endsWith(":registry")) {
+      opts.push([key, value])
+    }
+  }
+  return Object.fromEntries(opts)
+}
+
+// loadNpmConfig doesn't return registry credentials so we need to manually extract them. If available,
+// Dependabot will have written them to the project's .npmrc file.
+const ini = require('ini')
+const path = require('path')
+
+const credKeys = ['token', '_authToken', '_auth']
+
+function loadNpmConfigCredentials(projectDir) {
+  const projectNpmrc = maybeReadFile(path.join(projectDir, '.npmrc'))
+  if (!projectNpmrc) {
+    return {}
+  }
+
+  const credentials = []
+  const config = ini.parse(projectNpmrc)
+  for (const [key, value] of Object.entries(config)) {
+    if (credKeys.includes(key) || credKeys.some((credKey) => key.endsWith(':' + credKey))) {
+      credentials.push([key, value])
+    }
+  }
+  return Object.fromEntries(credentials)
+}
+
 // sourced from npm's cli/lib/utils/config/definitions.js for reading certs from the cafile option
 const fs = require('fs')
 const maybeReadFile = file => {