dependabot-npm_and_yarn 0.196.3 → 0.198.0

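--- a/data/helpers/package.json
+++ b/data/helpers/package.json
@@ -19,7 +19,7 @@
   "devDependencies": {
   "eslint": "^8.19.0",
   "eslint-config-prettier": "^8.5.0",
- "jest": "^28.1.2",
+ "jest": "^28.1.3",
   "prettier": "^2.7.1",
   "rimraf": "^3.0.2"
   }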
@@ -5,7 +5,7 @@ require "time"
5
5
 
6
6
  require "dependabot/metadata_finders"
7
7
  require "dependabot/metadata_finders/base"
8
- require "dependabot/shared_helpers"
8
+ require "dependabot/registry_client"
9
9
  require "dependabot/npm_and_yarn/update_checker/registry_finder"
10
10
  require "dependabot/npm_and_yarn/version"
11
11
 
@@ -136,12 +136,7 @@ module Dependabot
136
136
  def latest_version_listing
137
137
  return @latest_version_listing if defined?(@latest_version_listing)
138
138
 
139
- response = Excon.get(
140
- "#{dependency_url}/latest",
141
- idempotent: true,
142
- **SharedHelpers.excon_defaults(headers: registry_auth_headers)
143
- )
144
-
139
+ response = Dependabot::RegistryClient.get(url: "#{dependency_url}/latest", headers: registry_auth_headers)
145
140
  return @latest_version_listing = JSON.parse(response.body) if response.status == 200
146
141
 
147
142
  @latest_version_listing = {}
@@ -161,12 +156,7 @@ module Dependabot
161
156
  def npm_listing
162
157
  return @npm_listing unless @npm_listing.nil?
163
158
 
164
- response = Excon.get(
165
- dependency_url,
166
- idempotent: true,
167
- **SharedHelpers.excon_defaults(headers: registry_auth_headers)
168
- )
169
-
159
+ response = Dependabot::RegistryClient.get(url: dependency_url, headers: registry_auth_headers)
170
160
  return @npm_listing = {} if response.status >= 500
171
161
 
172
162
  begin
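Review bot: With `idempotent: true` and `SharedHelpers.excon_defaults` removed from the calls in `latest_version_listing` and `npm_listing`, nothing at these call sites says which timeouts, retries or error classes apply to a request that carries `registry_auth_headers`; all of that now depends on `Dependabot::RegistryClient.get`, which is not shown on this page. Later hunks still wrap the new call in `rescue Excon::Error::Timeout, Excon::Error::Socket`, which presumably relies on the client letting Excon errors propagate unchanged. I would record that once next to the first call, for example `# RegistryClient.get is expected to apply the shared Excon defaults and re-raise Excon::Error::*`, and confirm it against the client. Both methods continue outside their hunks.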
@@ -227,18 +227,16 @@ module Dependabot
227
227
 
228
228
  @yanked[version] =
229
229
  begin
230
- status = Excon.get(
231
- dependency_url + "/#{version}",
232
- idempotent: true,
233
- **SharedHelpers.excon_defaults(headers: registry_auth_headers)
230
+ status = Dependabot::RegistryClient.get(
231
+ url: dependency_url + "/#{version}",
232
+ headers: registry_auth_headers
234
233
  ).status
235
234
 
236
235
  if status == 404 && dependency_registry != "registry.npmjs.org"
237
236
  # Some registries don't handle escaped package names properly
238
- status = Excon.get(
239
- dependency_url.gsub("%2F", "/") + "/#{version}",
240
- idempotent: true,
241
- **SharedHelpers.excon_defaults(headers: registry_auth_headers)
237
+ status = Dependabot::RegistryClient.get(
238
+ url: dependency_url.gsub("%2F", "/") + "/#{version}",
239
+ headers: registry_auth_headers
242
240
  ).status
243
241
  end
244
242
 
@@ -257,10 +255,9 @@ module Dependabot
257
255
 
258
256
  @version_endpoint_working =
259
257
  begin
260
- Excon.get(
261
- dependency_url + "/latest",
262
- idempotent: true,
263
- **SharedHelpers.excon_defaults(headers: registry_auth_headers)
258
+ Dependabot::RegistryClient.get(
259
+ url: dependency_url + "/latest",
260
+ headers: registry_auth_headers
264
261
  ).status < 400
265
262
  rescue Excon::Error::Timeout, Excon::Error::Socket
266
263
  # Give the benefit of the doubt if the registry is playing up
@@ -291,10 +288,9 @@ module Dependabot
291
288
  end
292
289
 
293
290
  def fetch_npm_response
294
- response = Excon.get(
295
- dependency_url,
296
- idempotent: true,
297
- **SharedHelpers.excon_defaults(headers: registry_auth_headers)
291
+ response = Dependabot::RegistryClient.get(
292
+ url: dependency_url,
293
+ headers: registry_auth_headers
298
294
  )
299
295
 
300
296
  return response unless response.status == 500
@@ -307,12 +303,12 @@ module Dependabot
307
303
  return unless decoded_token.include?(":")
308
304
 
309
305
  username, password = decoded_token.split(":")
310
- Excon.get(
311
- dependency_url,
312
- user: username,
313
- password: password,
314
- idempotent: true,
315
- **SharedHelpers.excon_defaults
306
+ Dependabot::RegistryClient.get(
307
+ url: dependency_url,
308
+ options: {
309
+ user: username,
310
+ password: password
311
+ }
316
312
  )
317
313
  end
318
314
 
@@ -349,11 +345,7 @@ module Dependabot
349
345
  if dependency_registry == "registry.npmjs.org"
350
346
  return false unless dependency.name.start_with?("@")
351
347
 
352
- web_response = Excon.get(
353
- "https://www.npmjs.com/package/#{dependency.name}",
354
- idempotent: true,
355
- **SharedHelpers.excon_defaults
356
- )
348
+ web_response = Dependabot::RegistryClient.get(url: "https://www.npmjs.com/package/#{dependency.name}")
357
349
  # NOTE: returns 429 when the login page is rate limited
358
350
  return web_response.body.include?("Forgot password?") ||
359
351
  web_response.status == 429
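Review bot: In the basic-auth retry hunk (`@@ -307,12 +303,12 @@`), `username, password = decoded_token.split(":")` keeps only the first two fields, so a password that itself contains a colon is cut at that colon before it is passed as `password:` in the new `options:` hash. The request would then go out with the wrong credentials, and the failure would look like an ordinary registry rejection. Splitting once avoids that: `username, password = decoded_token.split(":", 2)`. The line is unchanged context in this commit, and the enclosing method starts above the hunk.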
@@ -36,12 +36,7 @@ module Dependabot
36
36
  return false unless project_description
37
37
 
38
38
  # Check if the project is listed on npm. If it is, it's a library
39
- @project_npm_response ||= Excon.get(
40
- "https://registry.npmjs.org/#{escaped_project_name}",
41
- idempotent: true,
42
- **SharedHelpers.excon_defaults
43
- )
44
-
39
+ @project_npm_response ||= Dependabot::RegistryClient.get(url: "https://registry.npmjs.org/#{escaped_project_name}")
45
40
  return false unless @project_npm_response.status == 200
46
41
 
47
42
  @project_npm_response.body.force_encoding("UTF-8").encode.
@@ -2,7 +2,7 @@
2
2
 
3
3
  require "excon"
4
4
  require "dependabot/npm_and_yarn/update_checker"
5
- require "dependabot/shared_helpers"
5
+ require "dependabot/registry_client"
6
6
 
7
7
  module Dependabot
8
8
  module NpmAndYarn
@@ -53,13 +53,9 @@ module Dependabot
53
53
  def first_registry_with_dependency_details
54
54
  @first_registry_with_dependency_details ||=
55
55
  known_registries.find do |details|
56
- response = Excon.get(
57
- "https://#{details['registry'].gsub(%r{/+$}, '')}/"\
58
- "#{escaped_dependency_name}",
59
- idempotent: true,
60
- **SharedHelpers.excon_defaults(
61
- headers: auth_header_for(details["token"])
62
- )
56
+ response = Dependabot::RegistryClient.get(
57
+ url: "https://#{details['registry'].gsub(%r{/+$}, '')}/#{escaped_dependency_name}",
58
+ headers: auth_header_for(details["token"])
63
59
  )
64
60
  response.status < 400 && JSON.parse(response.body)
65
61
  rescue Excon::Error::Timeout,
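Review bot: The registry host in the new `url:` is normalised with `gsub(%r{/+$}, '')`, and in Ruby `$` matches before any newline as well as at the end of the string, so the strip is looser than "trailing slashes only". Because this string becomes the host of a request that carries `auth_header_for(details["token"])`, I would anchor it to the end of the string: `url: "https://#{details['registry'].gsub(%r{/+\z}, '')}/#{escaped_dependency_name}",`. The pattern is carried over from the removed lines, and the `rescue` clause at the end of the hunk continues outside it.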
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.196.3
4
+ version: 0.198.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-07-12 00:00:00.000000000 Z
11
+ date: 2022-07-15 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.196.3
19
+ version: 0.198.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.196.3
26
+ version: 0.198.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debase
29
29
  requirement: !ruby/object:Gem::Requirement