dependabot-npm_and_yarn 0.197.0 → 0.198.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 866b96901b075a70bbd36550219418d1b1e0e8c0f6cfb237785bebd8076f3b61
4
- data.tar.gz: ba5e0030c5f9122c7607bc4462040519b287184cba1d1002821f7dd9a392b070
3
+ metadata.gz: 8b4af608f94aedfc8112da94b62a4691f1c496af6f47d41cc8445171cbd32e5a
4
+ data.tar.gz: 0d765146b3970caf42148f34d1d849beb0c71d02045330835dc14a4d4179a16b
5
5
  SHA512:
6
- metadata.gz: 3ce4c3daf6f9395f650e76955a9d71ed9f5747273880dede7f46afe21c4c3f24aacb24fa6a77ce932d0008fa9d8c9fde8584fdf78e272006d912bc73868e32ca
7
- data.tar.gz: a4eff1acb0059fbbad93339b04768a48d85a9e3de5cc5b6958faaee93c7d2693657cfc33c7bf65f3ac573f0824cdb6b087d7c7cda8c50b8f0aeac3d34a839164
6
+ metadata.gz: 4a9ef601dfaa9aa8afec0658a373e94f34e274ae1da55f45c4468dc7b2e2fe7664ae3936b233124c8a0fb6405043b968477715d16d952a2082101f3bd7c8e593
7
+ data.tar.gz: 692756d692992aa35ef3fca4a8055ee6f31444df48d42c036f1c7398514bf7a802f307914e9671905c4c924fab155ece1b631655931df3f9d4112fec86182185
@@ -28,7 +28,7 @@
28
28
 
29
29
  const Arborist = require('@npmcli/arborist')
30
30
  const nock = require('nock')
31
- const { promisify } = require('util');
31
+ const { inspect, promisify } = require('util');
32
32
  const exec = promisify(require('child_process').exec)
33
33
 
34
34
  async function findVulnerableDependencies(directory, advisories) {
@@ -136,7 +136,8 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
136
136
  }
137
137
 
138
138
  /* Traverses all effects originating from the named dependency in the
139
- * audit report and builds an array of all dependency chains,
139
+ * audit report and returns an array of dependency chains rooted in the named
140
+ * dependency,
140
141
  * [
141
142
  * {
142
143
  * fixAvailable: true | false | object,
@@ -153,21 +154,56 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
153
154
  * applies to the first item in the chain (if that item is fixable, then
154
155
  * every item after it must be fixable, too).
155
156
  */
156
- function buildDependencyChains(auditReport, name, chain = { items: [] }) {
157
- const vuln = auditReport.get(name)
158
- const version = [...vuln.nodes][0].version
159
- const item = { name, version }
160
-
161
- if (!vuln.effects.size) {
162
- // If the current vuln has no effects, we've reached the end of this chain.
163
- return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
157
+ function buildDependencyChains(auditReport, name) {
158
+ const helper = (name, chain, visited) => {
159
+ // The vuln for this dependency.
160
+ const vuln = auditReport.get(name)
161
+
162
+ // The current version of this dependency.
163
+ const version = [...vuln.nodes][0].version
164
+
165
+ // The item that will represent this dependency in this chain.
166
+ const item = { name, version }
167
+
168
+ // Array of effects, excluding cycles.
169
+ const effects = [...vuln.effects]
170
+
171
+ if (visited.has(name)) {
172
+ // We've already visited this dependency in this chain, so we've detected a cycle.
173
+ // We currently throw when this happens. Ultimately we want to gracefully handle
174
+ // cycles and still return the recommended fix updates.
175
+ const source = chain.items[chain.items.length-1]
176
+ const message = `Cycle detected while traversing effects from ` +
177
+ `${source.name}@${source.version}: ` +
178
+ inspect([name, ...visited], {
179
+ breakLength: Infinity,
180
+ depth: 1,
181
+ maxStringLength: 255,
182
+ })
183
+ throw new Error(message)
184
+ }
185
+
186
+ if (!effects.length) {
187
+ // If the current vuln has no effects, we've reached the end of this chain.
188
+ return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
189
+ }
190
+
191
+ return effects.reduce((chains, effect) => {
192
+ return chains.concat(
193
+ helper(effect.name, { items: [item, ...chain.items] }, new Set([name, ...visited])))
194
+ }, [])
164
195
  }
165
196
 
166
- return [...vuln.effects].reduce((chains, effect) => {
167
- return chains.concat(
168
- buildDependencyChains(
169
- auditReport, effect.name, { items: [item, ...chain.items] }))
170
- }, [])
197
+ const chains = helper(name, { items: [] }, new Set())
198
+ const seen = new Set()
199
+ return chains.filter(chain => {
200
+ const head = chain.items[0]
201
+ if (seen.has(head.name)) {
202
+ return false
203
+ }
204
+ seen.add(head.name)
205
+ return true
206
+ })
171
207
  }
172
208
 
173
209
  async function loadNpmConfig() {
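Review bot: The trailing `chains.filter` keeps only the first chain whose head (`chain.items[0]`) carries a given name, so alternative paths that reach the same top-level dependent are silently dropped, and nothing in the hunk records that; a comment above the filter such as `// Keep one chain per top-level dependent; later chains reaching the same head via another path are discarded.` would make the contract visible, and the header comment describing the returned array (which begins in the previous hunk) should say the same. Separately, the cycle check `visited.has(name)` runs only after `auditReport.get(name)` and `[...vuln.nodes][0].version` have been dereferenced; moving the check to the top of `helper` avoids repeating a lookup for a node already on the path and keeps a missing or node-less entry from masking the cycle error with a TypeError. If `auditReport.get(name)` can return undefined for an effect name absent from the report (not determinable from this hunk), the dereference throws an uninformative TypeError; a guard like `if (!vuln) throw new Error(`No audit entry for ${name}`)` would surface that case explicitly.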
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.197.0
4
+ version: 0.198.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.197.0
19
+ version: 0.198.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.197.0
26
+ version: 0.198.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debase
29
29
  requirement: !ruby/object:Gem::Requirement