dependabot-npm_and_yarn 0.197.0 → 0.200.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/helpers/lib/npm/vulnerability-auditor.js +51 -15
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 02e28f1047d8b7ef5a5ddb4cf6c15baad65b0fc4b2da7baead4b4818d18a601e
|
|
4
|
+
data.tar.gz: 650320fa6e03b9bee507e587a4605f52d50aee0e53c1618e8c43aab895e2a346
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1545d4d8906a2d5af7d5372a2deff11238f7ba5430098f3a93e3f460d1c8c966e33b24455aecfced09fdd4ea037c65e61adc85b815db1ce9a5b2f721082a111c
|
|
7
|
+
data.tar.gz: 02653cb6ff3299d82549f0e7ed33863cfc8aa540828f00abf38c3ff2a7332778e1b0d017d18ac3df610731b69a900edd4a6521c8310ec762d1e448865d021a9d
|
|
@@ -28,7 +28,7 @@
|
|
|
28
28
|
|
|
29
29
|
const Arborist = require('@npmcli/arborist')
|
|
30
30
|
const nock = require('nock')
|
|
31
|
-
const { promisify } = require('util');
|
|
31
|
+
const { inspect, promisify } = require('util');
|
|
32
32
|
const exec = promisify(require('child_process').exec)
|
|
33
33
|
|
|
34
34
|
async function findVulnerableDependencies(directory, advisories) {
|
|
@@ -136,7 +136,8 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
|
|
|
136
136
|
}
|
|
137
137
|
|
|
138
138
|
/* Traverses all effects originating from the named dependency in the
|
|
139
|
-
* audit report and
|
|
139
|
+
* audit report and returns an array of dependency chains rooted in the named
|
|
140
|
+
* dependency,
|
|
140
141
|
* [
|
|
141
142
|
* {
|
|
142
143
|
* fixAvailable: true | false | object,
|
|
@@ -153,21 +154,56 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
|
|
|
153
154
|
* applies to the first item in the chain (if that item is fixable, then
|
|
154
155
|
* every item after it must be fixable, too).
|
|
155
156
|
*/
|
|
156
|
-
function buildDependencyChains(auditReport, name
|
|
157
|
-
const
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
157
|
+
function buildDependencyChains(auditReport, name) {
|
|
158
|
+
const helper = (name, chain, visited) => {
|
|
159
|
+
// The vuln for this dependency.
|
|
160
|
+
const vuln = auditReport.get(name)
|
|
161
|
+
|
|
162
|
+
// The current version of this dependency.
|
|
163
|
+
const version = [...vuln.nodes][0].version
|
|
164
|
+
|
|
165
|
+
// The item that will represent this dependency in this chain.
|
|
166
|
+
const item = { name, version }
|
|
167
|
+
|
|
168
|
+
// Array of effects, excluding cycles.
|
|
169
|
+
const effects = [...vuln.effects]
|
|
170
|
+
|
|
171
|
+
if (visited.has(name)) {
|
|
172
|
+
// We've already visited this dependency in this chain, so we've detected a cycle.
|
|
173
|
+
// We currently throw when this happens. Ultimately we want to gracefully handle
|
|
174
|
+
// cycles and still return the recommended fix updates.
|
|
175
|
+
const source = chain.items[chain.items.length-1]
|
|
176
|
+
const message = `Cycle detected while traversing effects from ` +
|
|
177
|
+
`${source.name}@${source.version}: ` +
|
|
178
|
+
inspect([name, ...visited], {
|
|
179
|
+
breakLength: Infinity,
|
|
180
|
+
depth: 1,
|
|
181
|
+
maxStringLength: 255,
|
|
182
|
+
})
|
|
183
|
+
throw new Error(message)
|
|
184
|
+
}
|
|
185
|
+
|
|
186
|
+
if (!effects.length) {
|
|
187
|
+
// If the current vuln has no effects, we've reached the end of this chain.
|
|
188
|
+
return [{ fixAvailable: vuln.fixAvailable, items: [item, ...chain.items] }]
|
|
189
|
+
}
|
|
190
|
+
|
|
191
|
+
return effects.reduce((chains, effect) => {
|
|
192
|
+
return chains.concat(
|
|
193
|
+
helper(effect.name, { items: [item, ...chain.items] }, new Set([name, ...visited])))
|
|
194
|
+
}, [])
|
|
164
195
|
}
|
|
165
196
|
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
197
|
+
const chains = helper(name, { items: [] }, new Set())
|
|
198
|
+
const seen = new Set()
|
|
199
|
+
return chains.filter(chain => {
|
|
200
|
+
const head = chain.items[0]
|
|
201
|
+
if (seen.has(head.name)) {
|
|
202
|
+
return false
|
|
203
|
+
}
|
|
204
|
+
seen.add(head.name)
|
|
205
|
+
return true
|
|
206
|
+
})
|
|
171
207
|
}
|
|
172
208
|
|
|
173
209
|
async function loadNpmConfig() {
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.200.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-07-
|
|
11
|
+
date: 2022-07-21 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.200.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.200.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debase
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|