dependabot-npm_and_yarn 0.197.0 → 0.200.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/helpers/lib/npm/vulnerability-auditor.js +51 -15
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 02e28f1047d8b7ef5a5ddb4cf6c15baad65b0fc4b2da7baead4b4818d18a601e
|
|
4
|
+
data.tar.gz: 650320fa6e03b9bee507e587a4605f52d50aee0e53c1618e8c43aab895e2a346
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1545d4d8906a2d5af7d5372a2deff11238f7ba5430098f3a93e3f460d1c8c966e33b24455aecfced09fdd4ea037c65e61adc85b815db1ce9a5b2f721082a111c
|
|
7
|
+
data.tar.gz: 02653cb6ff3299d82549f0e7ed33863cfc8aa540828f00abf38c3ff2a7332778e1b0d017d18ac3df610731b69a900edd4a6521c8310ec762d1e448865d021a9d
|
|
@@ -28,7 +28,7 @@
|
|
|
28
28
|
|
|
29
29
|
const Arborist = require('@npmcli/arborist')
|
|
30
30
|
const nock = require('nock')
|
|
31
|
-
const { promisify } = require('util');
|
|
31
|
+
const { inspect, promisify } = require('util');
|
|
32
32
|
const exec = promisify(require('child_process').exec)
|
|
33
33
|
|
|
34
34
|
async function findVulnerableDependencies(directory, advisories) {
|
|
@@ -136,7 +136,8 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
|
|
|
136
136
|
}
|
|
137
137
|
|
|
138
138
|
/* Traverses all effects originating from the named dependency in the
|
|
139
|
-
* audit report and
|
|
139
|
+
* audit report and returns an array of dependency chains rooted in the named
|
|
140
|
+
* dependency,
|
|
140
141
|
* [
|
|
141
142
|
* {
|
|
142
143
|
* fixAvailable: true | false | object,
|
|
@@ -153,21 +154,56 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
|
|
|
153
154
|
* applies to the first item in the chain (if that item is fixable, then
|
|
154
155
|
* every item after it must be fixable, too).
|
|
155
156
|
*/
|
|
156
|
-
function buildDependencyChains(auditReport, name
|
|
157
|
-
const
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
157
|
+
function buildDependencyChains(auditReport, name) {
|
|
158
|
+
const helper = (name, chain, visited) => {
|
|
159
|
+
// The vuln for this dependency.
|
|
160
|
+
const vuln = auditReport.get(name)
|
|
161
|
+
|
|
162
|
+
// The current version of this dependency.
|
|
163
|
+
const version = [...vuln.nodes][0].version
|
|
164
|
+
|
|
165
|
+
// The item that will represent this dependency in this chain.
|
|
166
|
+
const item = { name, version }
|
|
167
|
+
|
|
168
|
+
// Array of effects, excluding cycles.
|
|
169
|
+
const effects = [...vuln.effects]
|
|
170
|
+
|
|
171
|
+
if (visited.has(name)) {
|
|
172
|
+
// We've already visited this dependency in this chain, so we've detected a cycle.
|
|
173
|
+
// We currently throw when this happens. Ultimately we want to gracefully handle
|
|
174
|
+
// cycles and still return the recommended fix updates.
|
|
175
|
+
const source = chain.items[chain.items.length-1]
|
|
176
|
+
const message = `Cycle detected while traversing effects from ` +
|
|
177
|
+
`${source.name}@${source.version}: ` +
|
|
178
|
+
inspect([name, ...visited], {
|
|
179
|
+
breakLength: Infinity,
|
|
180
|
+
depth: 1,
|
|
181
|
+
maxStringLength: 255,
|
|
182
|
+
})
|
|
183
|
+
throw new Error(message)
|
|
184
|
+
}
|
|
185
|
+
|
|
186
|
+
if (!effects.length) {
|
|
187
|
+
// If the current vuln has no effects, we've reached the end of this chain.
|
|
188
|
+
return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
|
|
189
|
+
}
|
|
190
|
+
|
|
191
|
+
return effects.reduce((chains, effect) => {
|
|
192
|
+
return chains.concat(
|
|
193
|
+
helper(effect.name, { items: [item, ...chain.items] }, new Set([name, ...visited])))
|
|
194
|
+
}, [])
|
|
164
195
|
}
|
|
165
196
|
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
197
|
+
const chains = helper(name, { items: [] }, new Set())
|
|
198
|
+
const seen = new Set()
|
|
199
|
+
return chains.filter(chain => {
|
|
200
|
+
const head = chain.items[0]
|
|
201
|
+
if (seen.has(head.name)) {
|
|
202
|
+
return false
|
|
203
|
+
}
|
|
204
|
+
seen.add(head.name)
|
|
205
|
+
return true
|
|
206
|
+
})
|
|
171
207
|
}
|
|
172
208
|
|
|
173
209
|
async function loadNpmConfig() {
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.200.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-07-
|
|
11
|
+
date: 2022-07-21 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.200.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.200.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debase
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|