dependabot-npm_and_yarn 0.196.1 → 0.196.4

data/helpers/package.json

@@ -12,14 +12,14 @@
     "@dependabot/yarn-lib": "^1.21.1",
     "@npmcli/arborist": "^5.2.3",
     "detect-indent": "^6.1.0",
-    "nock": "^13.2.7",
+    "nock": "^13.2.8",
     "npm": "6.14.17",
     "semver": "^7.3.7"
   },
   "devDependencies": {
-    "eslint": "^8.18.0",
+    "eslint": "^8.19.0",
     "eslint-config-prettier": "^8.5.0",
-    "jest": "^28.1.1",
+    "jest": "^28.1.3",
     "prettier": "^2.7.1",
     "rimraf": "^3.0.2"
   }

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -291,7 +291,7 @@ module Dependabot
 
           if matches_double_glob && !nested
             dependency_files +=
-              expanded_paths(File.join(path, "*")).flat_map do |nested_path|
+              find_directories(File.join(path, "*")).flat_map do |nested_path|
                 fetch_lerna_packages_from_path(nested_path, true)
               end
           end
@@ -309,34 +309,58 @@ module Dependabot
             [] # Invalid lerna.json, which must not be in use
           end
 
-        paths_array.flat_map do |path|
-          # The packages/!(not-this-package) syntax is unique to Yarn
-          if path.include?("*") || path.include?("!(")
-            expanded_paths(path)
-          else
-            path
-          end
-        end
+        paths_array.flat_map { |path| recursive_find_directories(path) }
       end
 
       # Only expands globs one level deep, so path/**/* gets expanded to path/
-      def expanded_paths(path)
-        ignored_path = path.match?(/!\(.*?\)/) && path.gsub(/(!\((.*?)\))/, '\2')
+      def find_directories(glob)
+        return [glob] unless glob.include?("*") || yarn_ignored_glob(glob)
+
+        unglobbed_path =
+          glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*").
+          split("*").
+          first&.gsub(%r{(?<=/)[^/]*$}, "") || "."
 
         dir = directory.gsub(%r{(^/|/$)}, "")
-        path = path.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
-        unglobbed_path = path.split("*").first&.gsub(%r{(?<=/)[^/]*$}, "") ||
-                         "."
 
-        results =
+        paths =
           repo_contents(dir: unglobbed_path, raise_errors: false).
           select { |file| file.type == "dir" }.
-          map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }.
-          select { |filename| File.fnmatch?(path, filename) }
+          map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
+
+        matching_paths(glob, paths)
+      end
+
+      def matching_paths(glob, paths)
+        ignored_glob = yarn_ignored_glob(glob)
+        glob = glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
+
+        results = paths.select { |filename| File.fnmatch?(glob, filename) }
+        return results unless ignored_glob
 
-        return results unless ignored_path
+        results.reject { |filename| File.fnmatch?(ignored_glob, filename) }
+      end
+
+      def recursive_find_directories(glob, prefix = "")
+        return [prefix + glob] unless glob.include?("*") || yarn_ignored_glob(glob)
+
+        glob = glob.gsub(%r{^\./}, "")
+        glob_parts = glob.split("/")
+
+        paths = find_directories(prefix + glob_parts.first)
+        next_parts = glob_parts.drop(1)
+        return paths if next_parts.empty?
+
+        paths = paths.flat_map do |expanded_path|
+          recursive_find_directories(next_parts.join("/"), "#{expanded_path}/")
+        end
+
+        matching_paths(prefix + glob, paths)
+      end
 
-        results.reject { |filename| File.fnmatch?(ignored_path, filename) }
+      # The packages/!(not-this-package) syntax is unique to Yarn
+      def yarn_ignored_glob(glob)
+        glob.match?(/!\(.*?\)/) && glob.gsub(/(!\((.*?)\))/, '\2')
       end
 
       def parsed_package_json

data/lib/dependabot/npm_and_yarn/metadata_finder.rb

@@ -5,7 +5,7 @@ require "time"
 
 require "dependabot/metadata_finders"
 require "dependabot/metadata_finders/base"
-require "dependabot/shared_helpers"
+require "dependabot/registry_client"
 require "dependabot/npm_and_yarn/update_checker/registry_finder"
 require "dependabot/npm_and_yarn/version"
 
@@ -136,12 +136,7 @@ module Dependabot
       def latest_version_listing
         return @latest_version_listing if defined?(@latest_version_listing)
 
-        response = Excon.get(
-          "#{dependency_url}/latest",
-          idempotent: true,
-          **SharedHelpers.excon_defaults(headers: registry_auth_headers)
-        )
-
+        response = Dependabot::RegistryClient.get(url: "#{dependency_url}/latest", headers: registry_auth_headers)
         return @latest_version_listing = JSON.parse(response.body) if response.status == 200
 
         @latest_version_listing = {}
@@ -161,12 +156,7 @@ module Dependabot
       def npm_listing
         return @npm_listing unless @npm_listing.nil?
 
-        response = Excon.get(
-          dependency_url,
-          idempotent: true,
-          **SharedHelpers.excon_defaults(headers: registry_auth_headers)
-        )
-
+        response = Dependabot::RegistryClient.get(url: dependency_url, headers: registry_auth_headers)
         return @npm_listing = {} if response.status >= 500
 
         begin

data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb

@@ -227,18 +227,16 @@ module Dependabot
 
           @yanked[version] =
             begin
-              status = Excon.get(
-                dependency_url + "/#{version}",
-                idempotent: true,
-                **SharedHelpers.excon_defaults(headers: registry_auth_headers)
+              status = Dependabot::RegistryClient.get(
+                url: dependency_url + "/#{version}",
+                headers: registry_auth_headers
               ).status
 
               if status == 404 && dependency_registry != "registry.npmjs.org"
                 # Some registries don't handle escaped package names properly
-                status = Excon.get(
-                  dependency_url.gsub("%2F", "/") + "/#{version}",
-                  idempotent: true,
-                  **SharedHelpers.excon_defaults(headers: registry_auth_headers)
+                status = Dependabot::RegistryClient.get(
+                  url: dependency_url.gsub("%2F", "/") + "/#{version}",
+                  headers: registry_auth_headers
                 ).status
               end
 
@@ -257,10 +255,9 @@ module Dependabot
 
           @version_endpoint_working =
             begin
-              Excon.get(
-                dependency_url + "/latest",
-                idempotent: true,
-                **SharedHelpers.excon_defaults(headers: registry_auth_headers)
+              Dependabot::RegistryClient.get(
+                url: dependency_url + "/latest",
+                headers: registry_auth_headers
               ).status < 400
             rescue Excon::Error::Timeout, Excon::Error::Socket
               # Give the benefit of the doubt if the registry is playing up
@@ -291,10 +288,9 @@ module Dependabot
         end
 
         def fetch_npm_response
-          response = Excon.get(
-            dependency_url,
-            idempotent: true,
-            **SharedHelpers.excon_defaults(headers: registry_auth_headers)
+          response = Dependabot::RegistryClient.get(
+            url: dependency_url,
+            headers: registry_auth_headers
           )
 
           return response unless response.status == 500
@@ -307,12 +303,12 @@ module Dependabot
           return unless decoded_token.include?(":")
 
           username, password = decoded_token.split(":")
-          Excon.get(
-            dependency_url,
-            user: username,
-            password: password,
-            idempotent: true,
-            **SharedHelpers.excon_defaults
+          Dependabot::RegistryClient.get(
+            url: dependency_url,
+            options: {
+              user: username,
+              password: password
+            }
           )
         end
 
@@ -349,11 +345,7 @@ module Dependabot
           if dependency_registry == "registry.npmjs.org"
             return false unless dependency.name.start_with?("@")
 
-            web_response = Excon.get(
-              "https://www.npmjs.com/package/#{dependency.name}",
-              idempotent: true,
-              **SharedHelpers.excon_defaults
-            )
+            web_response = Dependabot::RegistryClient.get(url: "https://www.npmjs.com/package/#{dependency.name}")
             # NOTE: returns 429 when the login page is rate limited
             return web_response.body.include?("Forgot password?") ||
                    web_response.status == 429

data/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb

@@ -36,12 +36,7 @@ module Dependabot
           return false unless project_description
 
           # Check if the project is listed on npm. If it is, it's a library
-          @project_npm_response ||= Excon.get(
-            "https://registry.npmjs.org/#{escaped_project_name}",
-            idempotent: true,
-            **SharedHelpers.excon_defaults
-          )
-
+          @project_npm_response ||= Dependabot::RegistryClient.get(url: "https://registry.npmjs.org/#{escaped_project_name}")
           return false unless @project_npm_response.status == 200
 
           @project_npm_response.body.force_encoding("UTF-8").encode.

data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb

@@ -2,7 +2,7 @@
 
 require "excon"
 require "dependabot/npm_and_yarn/update_checker"
-require "dependabot/shared_helpers"
+require "dependabot/registry_client"
 
 module Dependabot
   module NpmAndYarn
@@ -53,13 +53,9 @@ module Dependabot
         def first_registry_with_dependency_details
           @first_registry_with_dependency_details ||=
             known_registries.find do |details|
-              response = Excon.get(
-                "https://#{details['registry'].gsub(%r{/+$}, '')}/"\
-                "#{escaped_dependency_name}",
-                idempotent: true,
-                **SharedHelpers.excon_defaults(
-                  headers: auth_header_for(details["token"])
-                )
+              response = Dependabot::RegistryClient.get(
+                url: "https://#{details['registry'].gsub(%r{/+$}, '')}/#{escaped_dependency_name}",
+                headers: auth_header_for(details["token"])
               )
               response.status < 400 && JSON.parse(response.body)
             rescue Excon::Error::Timeout,

data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb

@@ -39,7 +39,8 @@ module Dependabot
         def audit(dependency:, security_advisories:)
           fix_unavailable = {
             "dependency_name" => dependency.name,
-            "fix_available" => false
+            "fix_available" => false,
+            "fix_updates" => []
           }
 
           SharedHelpers.in_a_temporary_directory do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.196.1
+  version: 0.196.4
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-06-27 00:00:00.000000000 Z
+date: 2022-07-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.196.1
+        version: 0.196.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.196.1
+        version: 0.196.4
 - !ruby/object:Gem::Dependency
   name: debase
   requirement: !ruby/object:Gem::Requirement
@@ -128,14 +128,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.30.1
+        version: 1.31.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.30.1
+        version: 1.31.2
 - !ruby/object:Gem::Dependency
   name: ruby-debug-ide
   requirement: !ruby/object:Gem::Requirement