dependabot-npm_and_yarn 0.196.4 → 0.199.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. checksums.yaml +4 -4
  2. data/helpers/lib/npm/vulnerability-auditor.js +51 -15
  3. metadata +4 -4
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 69ba3d07e5c8921abc3968db377134c08c1704171291ec76c130f4fbdd3449a5
4
- data.tar.gz: 79f23aa0fe41a68fa6f1d64d89ef62d91e03cccd606ce92c0905a5d884e1f377
3
+ metadata.gz: 8c0fcc145eb52dad9645d7ccc70869973fc1314c91d1b0b1d12776fef1b69047
4
+ data.tar.gz: 2368f8ad52b64b386ae28eaca6fe0f00d468dfbc54c335cb2b063b637674161b
5
5
  SHA512:
6
- metadata.gz: 629aaedf620875cf21accb159c6bff0315d9047f4835853eccdabd1147346e7697d001e83c7fcb0e3f2312c7eb716eeb19c344a8c79e123a68901126a2c46976
7
- data.tar.gz: 2cfd3991a035b564218c7f1dd01fc60e66f224a14ffb3b2c4f8256373884fcec77e81f7310e65b858e204c806bac223d5f38931810a4eda58b35ff2e3885dd49
6
+ metadata.gz: 7f1314a97d127c4d3e203bae73074d7c97f833cd1830f17c44ba2b54de122344224a752047d8e0e08eb09f4e1c2c36ac69709585d1b2317869b2fca2afdc76eb
7
+ data.tar.gz: 285a995834eaa0d8115d52be7157e6e24e5dbd7a93daeb19bbb137436043c18ed6742380ec99dc0bb5c225fb00f961187c5e13a71550155f22cb380b81555b83
data/helpers/lib/npm/vulnerability-auditor.js CHANGED
@@ -28,7 +28,7 @@
28
28
 
29
29
  const Arborist = require('@npmcli/arborist')
30
30
  const nock = require('nock')
31
- const { promisify } = require('util');
31
+ const { inspect, promisify } = require('util');
32
32
  const exec = promisify(require('child_process').exec)
33
33
 
34
34
  async function findVulnerableDependencies(directory, advisories) {
@@ -136,7 +136,8 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
136
136
  }
137
137
 
138
138
  /* Traverses all effects originating from the named dependency in the
139
- * audit report and builds an array of all dependency chains,
139
+ * audit report and returns an array of dependency chains rooted in the named
140
+ * dependency,
140
141
  * [
141
142
  * {
142
143
  * fixAvailable: true | false | object,
@@ -153,21 +154,56 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
153
154
  * applies to the first item in the chain (if that item is fixable, then
154
155
  * every item after it must be fixable, too).
155
156
  */
156
- function buildDependencyChains(auditReport, name, chain = { items: [] }) {
157
- const vuln = auditReport.get(name)
158
- const version = [...vuln.nodes][0].version
159
- const item = { name, version }
160
-
161
- if (!vuln.effects.size) {
162
- // If the current vuln has no effects, we've reached the end of this chain.
163
- return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
157
+ function buildDependencyChains(auditReport, name) {
158
+ const helper = (name, chain, visited) => {
159
+ // The vuln for this dependency.
160
+ const vuln = auditReport.get(name)
161
+
162
+ // The current version of this dependency.
163
+ const version = [...vuln.nodes][0].version
164
+
165
+ // The item that will represent this dependency in this chain.
166
+ const item = { name, version }
167
+
168
+ // Array of effects, excluding cycles.
169
+ const effects = [...vuln.effects]
170
+
171
+ if (visited.has(name)) {
172
+ // We've already visited this dependency in this chain, so we've detected a cycle.
173
+ // We currently throw when this happens. Ultimately we want to gracefully handle
174
+ // cycles and still return the recommended fix updates.
175
+ const source = chain.items[chain.items.length-1]
176
+ const message = `Cycle detected while traversing effects from ` +
177
+ `${source.name}@${source.version}: ` +
178
+ inspect([name, ...visited], {
179
+ breakLength: Infinity,
180
+ depth: 1,
181
+ maxStringLength: 255,
182
+ })
183
+ throw new Error(message)
184
+ }
185
+
186
+ if (!effects.length) {
187
+ // If the current vuln has no effects, we've reached the end of this chain.
188
+ return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
189
+ }
190
+
191
+ return effects.reduce((chains, effect) => {
192
+ return chains.concat(
193
+ helper(effect.name, { items: [item, ...chain.items] }, new Set([name, ...visited])))
194
+ }, [])
164
195
  }
165
196
 
166
- return [...vuln.effects].reduce((chains, effect) => {
167
- return chains.concat(
168
- buildDependencyChains(
169
- auditReport, effect.name, { items: [item, ...chain.items] }))
170
- }, [])
197
+ const chains = helper(name, { items: [] }, new Set())
198
+ const seen = new Set()
199
+ return chains.filter(chain => {
200
+ const head = chain.items[0]
201
+ if (seen.has(head.name)) {
202
+ return false
203
+ }
204
+ seen.add(head.name)
205
+ return true
206
+ })
171
207
  }
172
208
 
173
209
  async function loadNpmConfig() {
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.196.4
4
+ version: 0.199.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-07-14 00:00:00.000000000 Z
11
+ date: 2022-07-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.196.4
19
+ version: 0.199.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.196.4
26
+ version: 0.199.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debase
29
29
  requirement: !ruby/object:Gem::Requirement