dependabot-npm_and_yarn 0.196.3 → 0.198.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7b7522d7728466cae083fc498a0e5c4a7923c46a56a38546f36834de5470fe84
4
- data.tar.gz: a55c8659f731d24c8b93a13853d2d05bdc11eb72466873ab002b56b5d8a8ed99
3
+ metadata.gz: 8b4af608f94aedfc8112da94b62a4691f1c496af6f47d41cc8445171cbd32e5a
4
+ data.tar.gz: 0d765146b3970caf42148f34d1d849beb0c71d02045330835dc14a4d4179a16b
5
5
  SHA512:
6
- metadata.gz: f5c67225a4f85b8887d2318f236b078820c201e5daf654cde802633723005f98b7136f3581a9c1edc09d6f2923839454f4340580fc2e3f9e96d478de1de44de4
7
- data.tar.gz: 7dd77797d4c581508b60c49adb083e6fab1f2fecdb74456f1b8d9fc2023172f6349cf3b12d2a70f0ab6af5930d73777fa62764dcbb39d2ccde12583e3e2bfec3
6
+ metadata.gz: 4a9ef601dfaa9aa8afec0658a373e94f34e274ae1da55f45c4468dc7b2e2fe7664ae3936b233124c8a0fb6405043b968477715d16d952a2082101f3bd7c8e593
7
+ data.tar.gz: 692756d692992aa35ef3fca4a8055ee6f31444df48d42c036f1c7398514bf7a802f307914e9671905c4c924fab155ece1b631655931df3f9d4112fec86182185
@@ -28,7 +28,7 @@
28
28
 
29
29
  const Arborist = require('@npmcli/arborist')
30
30
  const nock = require('nock')
31
- const { promisify } = require('util');
31
+ const { inspect, promisify } = require('util');
32
32
  const exec = promisify(require('child_process').exec)
33
33
 
34
34
  async function findVulnerableDependencies(directory, advisories) {
@@ -136,7 +136,8 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
136
136
  }
137
137
 
138
138
  /* Traverses all effects originating from the named dependency in the
139
- * audit report and builds an array of all dependency chains,
139
+ * audit report and returns an array of dependency chains rooted in the named
140
+ * dependency,
140
141
  * [
141
142
  * {
142
143
  * fixAvailable: true | false | object,
@@ -153,21 +154,56 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
153
154
  * applies to the first item in the chain (if that item is fixable, then
154
155
  * every item after it must be fixable, too).
155
156
  */
156
- function buildDependencyChains(auditReport, name, chain = { items: [] }) {
157
- const vuln = auditReport.get(name)
158
- const version = [...vuln.nodes][0].version
159
- const item = { name, version }
160
-
161
- if (!vuln.effects.size) {
162
- // If the current vuln has no effects, we've reached the end of this chain.
163
- return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
157
+ function buildDependencyChains(auditReport, name) {
158
+ const helper = (name, chain, visited) => {
159
+ // The vuln for this dependency.
160
+ const vuln = auditReport.get(name)
161
+
162
+ // The current version of this dependency.
163
+ const version = [...vuln.nodes][0].version
164
+
165
+ // The item that will represent this dependency in this chain.
166
+ const item = { name, version }
167
+
168
+ // Array of effects, excluding cycles.
169
+ const effects = [...vuln.effects]
170
+
171
+ if (visited.has(name)) {
172
+ // We've already visited this dependency in this chain, so we've detected a cycle.
173
+ // We currently throw when this happens. Ultimately we want to gracefully handle
174
+ // cycles and still return the recommended fix updates.
175
+ const source = chain.items[chain.items.length-1]
176
+ const message = `Cycle detected while traversing effects from ` +
177
+ `${source.name}@${source.version}: ` +
178
+ inspect([name, ...visited], {
179
+ breakLength: Infinity,
180
+ depth: 1,
181
+ maxStringLength: 255,
182
+ })
183
+ throw new Error(message)
184
+ }
185
+
186
+ if (!effects.length) {
187
+ // If the current vuln has no effects, we've reached the end of this chain.
188
+ return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
189
+ }
190
+
191
+ return effects.reduce((chains, effect) => {
192
+ return chains.concat(
193
+ helper(effect.name, { items: [item, ...chain.items] }, new Set([name, ...visited])))
194
+ }, [])
164
195
  }
165
196
 
166
- return [...vuln.effects].reduce((chains, effect) => {
167
- return chains.concat(
168
- buildDependencyChains(
169
- auditReport, effect.name, { items: [item, ...chain.items] }))
170
- }, [])
197
+ const chains = helper(name, { items: [] }, new Set())
198
+ const seen = new Set()
199
+ return chains.filter(chain => {
200
+ const head = chain.items[0]
201
+ if (seen.has(head.name)) {
202
+ return false
203
+ }
204
+ seen.add(head.name)
205
+ return true
206
+ })
171
207
  }
172
208
 
173
209
  async function loadNpmConfig() {
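Review bot: The new comment `// Array of effects, excluding cycles.` above `const effects = [...vuln.effects]` is misleading, because that line copies every effect unchanged; cycles are only caught by the `visited.has(name)` check a few lines later, and that check throws rather than excludes. I would reword it to `// All effects of this vuln; cycles are caught by the visited check below and currently abort the traversal.` Separately, `source` is taken from `chain.items[chain.items.length-1]`, and since each recursion prepends its item that element is the chain's root, not the dependency whose effect led to the repeat; if the error message is meant to name the immediate predecessor, `chain.items[0]` is the one to use, so the intended wording is worth confirming. The surrounding `buildDependencyChains` function is wholly inside this hunk, so the thrown `Error` escapes to whatever caller sits outside the diff; a dedicated error subclass or `code` would let that caller distinguish a cycle from other audit failures.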