dependabot-npm_and_yarn 0.196.3 → 0.198.0
- checksums.yaml +4 -4
- data/helpers/lib/npm/vulnerability-auditor.js +51 -15
- data/helpers/package-lock.json +700 -668
- data/helpers/package.json +1 -1
- data/lib/dependabot/npm_and_yarn/metadata_finder.rb +3 -13
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +19 -27
- data/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb +1 -6
- data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb +4 -8
- metadata +4 -4
data/helpers/package.json
CHANGED
@@ -5,7 +5,7 @@ require "time"
|
|
5
5
|
|
6
6
|
require "dependabot/metadata_finders"
|
7
7
|
require "dependabot/metadata_finders/base"
|
8
|
-
require "dependabot/
|
8
|
+
require "dependabot/registry_client"
|
9
9
|
require "dependabot/npm_and_yarn/update_checker/registry_finder"
|
10
10
|
require "dependabot/npm_and_yarn/version"
|
11
11
|
|
@@ -136,12 +136,7 @@ module Dependabot
|
|
136
136
|
def latest_version_listing
|
137
137
|
return @latest_version_listing if defined?(@latest_version_listing)
|
138
138
|
|
139
|
-
response =
|
140
|
-
"#{dependency_url}/latest",
|
141
|
-
idempotent: true,
|
142
|
-
**SharedHelpers.excon_defaults(headers: registry_auth_headers)
|
143
|
-
)
|
144
|
-
|
139
|
+
response = Dependabot::RegistryClient.get(url: "#{dependency_url}/latest", headers: registry_auth_headers)
|
145
140
|
return @latest_version_listing = JSON.parse(response.body) if response.status == 200
|
146
141
|
|
147
142
|
@latest_version_listing = {}
|
@@ -161,12 +156,7 @@ module Dependabot
|
|
161
156
|
def npm_listing
|
162
157
|
return @npm_listing unless @npm_listing.nil?
|
163
158
|
|
164
|
-
response =
|
165
|
-
dependency_url,
|
166
|
-
idempotent: true,
|
167
|
-
**SharedHelpers.excon_defaults(headers: registry_auth_headers)
|
168
|
-
)
|
169
|
-
|
159
|
+
response = Dependabot::RegistryClient.get(url: dependency_url, headers: registry_auth_headers)
|
170
160
|
return @npm_listing = {} if response.status >= 500
|
171
161
|
|
172
162
|
begin
|
@@ -227,18 +227,16 @@ module Dependabot
|
|
227
227
|
|
228
228
|
@yanked[version] =
|
229
229
|
begin
|
230
|
-
status =
|
231
|
-
dependency_url + "/#{version}",
|
232
|
-
|
233
|
-
**SharedHelpers.excon_defaults(headers: registry_auth_headers)
|
230
|
+
status = Dependabot::RegistryClient.get(
|
231
|
+
url: dependency_url + "/#{version}",
|
232
|
+
headers: registry_auth_headers
|
234
233
|
).status
|
235
234
|
|
236
235
|
if status == 404 && dependency_registry != "registry.npmjs.org"
|
237
236
|
# Some registries don't handle escaped package names properly
|
238
|
-
status =
|
239
|
-
dependency_url.gsub("%2F", "/") + "/#{version}",
|
240
|
-
|
241
|
-
**SharedHelpers.excon_defaults(headers: registry_auth_headers)
|
237
|
+
status = Dependabot::RegistryClient.get(
|
238
|
+
url: dependency_url.gsub("%2F", "/") + "/#{version}",
|
239
|
+
headers: registry_auth_headers
|
242
240
|
).status
|
243
241
|
end
|
244
242
|
|
@@ -257,10 +255,9 @@ module Dependabot
|
|
257
255
|
|
258
256
|
@version_endpoint_working =
|
259
257
|
begin
|
260
|
-
|
261
|
-
dependency_url + "/latest",
|
262
|
-
|
263
|
-
**SharedHelpers.excon_defaults(headers: registry_auth_headers)
|
258
|
+
Dependabot::RegistryClient.get(
|
259
|
+
url: dependency_url + "/latest",
|
260
|
+
headers: registry_auth_headers
|
264
261
|
).status < 400
|
265
262
|
rescue Excon::Error::Timeout, Excon::Error::Socket
|
266
263
|
# Give the benefit of the doubt if the registry is playing up
|
@@ -291,10 +288,9 @@ module Dependabot
|
|
291
288
|
end
|
292
289
|
|
293
290
|
def fetch_npm_response
|
294
|
-
response =
|
295
|
-
dependency_url,
|
296
|
-
|
297
|
-
**SharedHelpers.excon_defaults(headers: registry_auth_headers)
|
291
|
+
response = Dependabot::RegistryClient.get(
|
292
|
+
url: dependency_url,
|
293
|
+
headers: registry_auth_headers
|
298
294
|
)
|
299
295
|
|
300
296
|
return response unless response.status == 500
|
@@ -307,12 +303,12 @@ module Dependabot
|
|
307
303
|
return unless decoded_token.include?(":")
|
308
304
|
|
309
305
|
username, password = decoded_token.split(":")
|
310
|
-
|
311
|
-
dependency_url,
|
312
|
-
|
313
|
-
|
314
|
-
|
315
|
-
|
306
|
+
Dependabot::RegistryClient.get(
|
307
|
+
url: dependency_url,
|
308
|
+
options: {
|
309
|
+
user: username,
|
310
|
+
password: password
|
311
|
+
}
|
316
312
|
)
|
317
313
|
end
|
318
314
|
|
@@ -349,11 +345,7 @@ module Dependabot
|
|
349
345
|
if dependency_registry == "registry.npmjs.org"
|
350
346
|
return false unless dependency.name.start_with?("@")
|
351
347
|
|
352
|
-
web_response =
|
353
|
-
"https://www.npmjs.com/package/#{dependency.name}",
|
354
|
-
idempotent: true,
|
355
|
-
**SharedHelpers.excon_defaults
|
356
|
-
)
|
348
|
+
web_response = Dependabot::RegistryClient.get(url: "https://www.npmjs.com/package/#{dependency.name}")
|
357
349
|
# NOTE: returns 429 when the login page is rate limited
|
358
350
|
return web_response.body.include?("Forgot password?") ||
|
359
351
|
web_response.status == 429
|
@@ -36,12 +36,7 @@ module Dependabot
|
|
36
36
|
return false unless project_description
|
37
37
|
|
38
38
|
# Check if the project is listed on npm. If it is, it's a library
|
39
|
-
@project_npm_response ||=
|
40
|
-
"https://registry.npmjs.org/#{escaped_project_name}",
|
41
|
-
idempotent: true,
|
42
|
-
**SharedHelpers.excon_defaults
|
43
|
-
)
|
44
|
-
|
39
|
+
@project_npm_response ||= Dependabot::RegistryClient.get(url: "https://registry.npmjs.org/#{escaped_project_name}")
|
45
40
|
return false unless @project_npm_response.status == 200
|
46
41
|
|
47
42
|
@project_npm_response.body.force_encoding("UTF-8").encode.
|
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
require "excon"
|
4
4
|
require "dependabot/npm_and_yarn/update_checker"
|
5
|
-
require "dependabot/
|
5
|
+
require "dependabot/registry_client"
|
6
6
|
|
7
7
|
module Dependabot
|
8
8
|
module NpmAndYarn
|
@@ -53,13 +53,9 @@ module Dependabot
|
|
53
53
|
def first_registry_with_dependency_details
|
54
54
|
@first_registry_with_dependency_details ||=
|
55
55
|
known_registries.find do |details|
|
56
|
-
response =
|
57
|
-
"https://#{details['registry'].gsub(%r{/+$}, '')}
|
58
|
-
"
|
59
|
-
idempotent: true,
|
60
|
-
**SharedHelpers.excon_defaults(
|
61
|
-
headers: auth_header_for(details["token"])
|
62
|
-
)
|
56
|
+
response = Dependabot::RegistryClient.get(
|
57
|
+
url: "https://#{details['registry'].gsub(%r{/+$}, '')}/#{escaped_dependency_name}",
|
58
|
+
headers: auth_header_for(details["token"])
|
63
59
|
)
|
64
60
|
response.status < 400 && JSON.parse(response.body)
|
65
61
|
rescue Excon::Error::Timeout,
|
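Review bot: In the `@@ -307,12 +303,12 @@` hunk the credentials passed to `Dependabot::RegistryClient.get` via `options: { user: username, password: password }` come from the context line `username, password = decoded_token.split(":")`, which silently truncates any password that itself contains a colon, because multiple assignment keeps only the first two segments; the commit reworks this call but leaves the split as is. Changing it to `username, password = decoded_token.split(":", 2)` keeps everything after the first colon in the password. The enclosing method starts outside the hunk, so whether the `get` result is returned or otherwise consumed is not visible here. Across the other hunks in this section (`@@ -136`, `@@ -161`, `@@ -349`, `@@ -36`) the removed calls passed `idempotent: true` explicitly while the replacement `RegistryClient.get` calls pass nothing; if `RegistryClient.get` does not set that internally, the retry behaviour of these registry lookups changes without any visible note, so it is worth confirming and recording at the first call site with a comment such as `# RegistryClient.get is expected to set idempotent: true; confirm before relying on retries`.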
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.198.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-07-
|
11
|
+
date: 2022-07-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.198.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.198.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debase
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|