dependabot-npm_and_yarn 0.196.4 → 0.199.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 69ba3d07e5c8921abc3968db377134c08c1704171291ec76c130f4fbdd3449a5
4
- data.tar.gz: 79f23aa0fe41a68fa6f1d64d89ef62d91e03cccd606ce92c0905a5d884e1f377
3
+ metadata.gz: 8c0fcc145eb52dad9645d7ccc70869973fc1314c91d1b0b1d12776fef1b69047
4
+ data.tar.gz: 2368f8ad52b64b386ae28eaca6fe0f00d468dfbc54c335cb2b063b637674161b
5
5
  SHA512:
6
- metadata.gz: 629aaedf620875cf21accb159c6bff0315d9047f4835853eccdabd1147346e7697d001e83c7fcb0e3f2312c7eb716eeb19c344a8c79e123a68901126a2c46976
7
- data.tar.gz: 2cfd3991a035b564218c7f1dd01fc60e66f224a14ffb3b2c4f8256373884fcec77e81f7310e65b858e204c806bac223d5f38931810a4eda58b35ff2e3885dd49
6
+ metadata.gz: 7f1314a97d127c4d3e203bae73074d7c97f833cd1830f17c44ba2b54de122344224a752047d8e0e08eb09f4e1c2c36ac69709585d1b2317869b2fca2afdc76eb
7
+ data.tar.gz: 285a995834eaa0d8115d52be7157e6e24e5dbd7a93daeb19bbb137436043c18ed6742380ec99dc0bb5c225fb00f961187c5e13a71550155f22cb380b81555b83
@@ -28,7 +28,7 @@
28
28
 
29
29
  const Arborist = require('@npmcli/arborist')
30
30
  const nock = require('nock')
31
- const { promisify } = require('util');
31
+ const { inspect, promisify } = require('util');
32
32
  const exec = promisify(require('child_process').exec)
33
33
 
34
34
  async function findVulnerableDependencies(directory, advisories) {
@@ -136,7 +136,8 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
136
136
  }
137
137
 
138
138
  /* Traverses all effects originating from the named dependency in the
139
- * audit report and builds an array of all dependency chains,
139
+ * audit report and returns an array of dependency chains rooted in the named
140
+ * dependency,
140
141
  * [
141
142
  * {
142
143
  * fixAvailable: true | false | object,
@@ -153,21 +154,56 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
153
154
  * applies to the first item in the chain (if that item is fixable, then
154
155
  * every item after it must be fixable, too).
155
156
  */
156
- function buildDependencyChains(auditReport, name, chain = { items: [] }) {
157
- const vuln = auditReport.get(name)
158
- const version = [...vuln.nodes][0].version
159
- const item = { name, version }
160
-
161
- if (!vuln.effects.size) {
162
- // If the current vuln has no effects, we've reached the end of this chain.
163
- return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
157
+ function buildDependencyChains(auditReport, name) {
158
+ const helper = (name, chain, visited) => {
159
+ // The vuln for this dependency.
160
+ const vuln = auditReport.get(name)
161
+
162
+ // The current version of this dependency.
163
+ const version = [...vuln.nodes][0].version
164
+
165
+ // The item that will represent this dependency in this chain.
166
+ const item = { name, version }
167
+
168
+ // Array of effects, excluding cycles.
169
+ const effects = [...vuln.effects]
170
+
171
+ if (visited.has(name)) {
172
+ // We've already visited this dependency in this chain, so we've detected a cycle.
173
+ // We currently throw when this happens. Ultimately we want to gracefully handle
174
+ // cycles and still return the recommended fix updates.
175
+ const source = chain.items[chain.items.length-1]
176
+ const message = `Cycle detected while traversing effects from ` +
177
+ `${source.name}@${source.version}: ` +
178
+ inspect([name, ...visited], {
179
+ breakLength: Infinity,
180
+ depth: 1,
181
+ maxStringLength: 255,
182
+ })
183
+ throw new Error(message)
184
+ }
185
+
186
+ if (!effects.length) {
187
+ // If the current vuln has no effects, we've reached the end of this chain.
188
+ return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
189
+ }
190
+
191
+ return effects.reduce((chains, effect) => {
192
+ return chains.concat(
193
+ helper(effect.name, { items: [item, ...chain.items] }, new Set([name, ...visited])))
194
+ }, [])
164
195
  }
165
196
 
166
- return [...vuln.effects].reduce((chains, effect) => {
167
- return chains.concat(
168
- buildDependencyChains(
169
- auditReport, effect.name, { items: [item, ...chain.items] }))
170
- }, [])
197
+ const chains = helper(name, { items: [] }, new Set())
198
+ const seen = new Set()
199
+ return chains.filter(chain => {
200
+ const head = chain.items[0]
201
+ if (seen.has(head.name)) {
202
+ return false
203
+ }
204
+ seen.add(head.name)
205
+ return true
206
+ })
171
207
  }
172
208
 
173
209
  async function loadNpmConfig() {
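Review bot: The comment `// Array of effects, excluding cycles.` above `const effects = [...vuln.effects]` is misleading: the spread copies every effect, and a cycle is only detected by the `visited.has(name)` check further down, which throws rather than filtering; suggest `// All direct effects of this vuln; cycles are detected (and thrown) by the visited check below.` The trailing `chains.filter` keeps only the first chain whose head (`chain.items[0]`, the leaf reached last) has a given name, so when two paths reach the same leaf only the one the reduce produces first survives, together with its `fixAvailable`; the docstring above the function should state that chains are de-duplicated by their first item, since it currently promises all chains rooted in the named dependency. The cycle check runs after `auditReport.get(name)` and `[...vuln.nodes][0].version` are dereferenced, so a repeated name that is missing from the report would surface as a TypeError instead of the cycle error; moving the `visited.has(name)` guard to the top of `helper` avoids that, though that case may not occur in practice. Minor style: the inner `helper` re-declares `name`, shadowing the outer parameter; renaming it (e.g. `depName`) would make `new Set([name, ...visited])` easier to read.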
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.196.4
4
+ version: 0.199.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-07-14 00:00:00.000000000 Z
11
+ date: 2022-07-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.196.4
19
+ version: 0.199.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.196.4
26
+ version: 0.199.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debase
29
29
  requirement: !ruby/object:Gem::Requirement