dependabot-npm_and_yarn 0.196.4 → 0.199.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/helpers/lib/npm/vulnerability-auditor.js +51 -15
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 8c0fcc145eb52dad9645d7ccc70869973fc1314c91d1b0b1d12776fef1b69047
|
4
|
+
data.tar.gz: 2368f8ad52b64b386ae28eaca6fe0f00d468dfbc54c335cb2b063b637674161b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7f1314a97d127c4d3e203bae73074d7c97f833cd1830f17c44ba2b54de122344224a752047d8e0e08eb09f4e1c2c36ac69709585d1b2317869b2fca2afdc76eb
|
7
|
+
data.tar.gz: 285a995834eaa0d8115d52be7157e6e24e5dbd7a93daeb19bbb137436043c18ed6742380ec99dc0bb5c225fb00f961187c5e13a71550155f22cb380b81555b83
|
@@ -28,7 +28,7 @@
|
|
28
28
|
|
29
29
|
const Arborist = require('@npmcli/arborist')
|
30
30
|
const nock = require('nock')
|
31
|
-
const { promisify } = require('util');
|
31
|
+
const { inspect, promisify } = require('util');
|
32
32
|
const exec = promisify(require('child_process').exec)
|
33
33
|
|
34
34
|
async function findVulnerableDependencies(directory, advisories) {
|
@@ -136,7 +136,8 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
|
|
136
136
|
}
|
137
137
|
|
138
138
|
/* Traverses all effects originating from the named dependency in the
|
139
|
-
* audit report and
|
139
|
+
* audit report and returns an array of dependency chains rooted in the named
|
140
|
+
* dependency,
|
140
141
|
* [
|
141
142
|
* {
|
142
143
|
* fixAvailable: true | false | object,
|
@@ -153,21 +154,56 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
|
|
153
154
|
* applies to the first item in the chain (if that item is fixable, then
|
154
155
|
* every item after it must be fixable, too).
|
155
156
|
*/
|
156
|
-
function buildDependencyChains(auditReport, name
|
157
|
-
const
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
|
163
|
-
|
157
|
+
function buildDependencyChains(auditReport, name) {
|
158
|
+
const helper = (name, chain, visited) => {
|
159
|
+
// The vuln for this dependency.
|
160
|
+
const vuln = auditReport.get(name)
|
161
|
+
|
162
|
+
// The current version of this dependency.
|
163
|
+
const version = [...vuln.nodes][0].version
|
164
|
+
|
165
|
+
// The item that will represent this dependency in this chain.
|
166
|
+
const item = { name, version }
|
167
|
+
|
168
|
+
// Array of effects, excluding cycles.
|
169
|
+
const effects = [...vuln.effects]
|
170
|
+
|
171
|
+
if (visited.has(name)) {
|
172
|
+
// We've already visited this dependency in this chain, so we've detected a cycle.
|
173
|
+
// We currently throw when this happens. Ultimately we want to gracefully handle
|
174
|
+
// cycles and still return the recommended fix updates.
|
175
|
+
const source = chain.items[chain.items.length-1]
|
176
|
+
const message = `Cycle detected while traversing effects from ` +
|
177
|
+
`${source.name}@${source.version}: ` +
|
178
|
+
inspect([name, ...visited], {
|
179
|
+
breakLength: Infinity,
|
180
|
+
depth: 1,
|
181
|
+
maxStringLength: 255,
|
182
|
+
})
|
183
|
+
throw new Error(message)
|
184
|
+
}
|
185
|
+
|
186
|
+
if (!effects.length) {
|
187
|
+
// If the current vuln has no effects, we've reached the end of this chain.
|
188
|
+
return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
|
189
|
+
}
|
190
|
+
|
191
|
+
return effects.reduce((chains, effect) => {
|
192
|
+
return chains.concat(
|
193
|
+
helper(effect.name, { items: [item, ...chain.items] }, new Set([name, ...visited])))
|
194
|
+
}, [])
|
164
195
|
}
|
165
196
|
|
166
|
-
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
197
|
+
const chains = helper(name, { items: [] }, new Set())
|
198
|
+
const seen = new Set()
|
199
|
+
return chains.filter(chain => {
|
200
|
+
const head = chain.items[0]
|
201
|
+
if (seen.has(head.name)) {
|
202
|
+
return false
|
203
|
+
}
|
204
|
+
seen.add(head.name)
|
205
|
+
return true
|
206
|
+
})
|
171
207
|
}
|
172
208
|
|
173
209
|
async function loadNpmConfig() {
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.199.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-07-
|
11
|
+
date: 2022-07-19 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.199.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.199.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debase
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|