dependabot-npm_and_yarn 0.206.0 → 0.207.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 982bada4a5fa7c5684307f5788312a2950d623f698093e5d37ec681020f5dd25
-  data.tar.gz: f6b002ff019673222ba9e0c5a945eae620d906a6f57732130697c682b1b5d5ee
+  metadata.gz: 03401ba025d016378be876e5dce04812ebc128cb765945809f4411db5e384b06
+  data.tar.gz: 9dca7ec07f579fd3149d98fb3ef041c027910c095a9c3fc358f4ed0d06c3474e
 SHA512:
-  metadata.gz: 884b55700d38d5f99952e8d3bb84968549b5384af0ad5ce69d64e4dc1f957eaaee5988c5fc41473c9fda406c9a3c8f712b8132a4ae04da215f7590984115eaab
-  data.tar.gz: eacdea94863a73e095719a2f3bec5616b8ee8c740dfedbb7f188b98b8666abd86c5ae099a809d893c2c16bdde3637b47c56b1eec06e0207efa06245593adf68a
+  metadata.gz: 410e5ad218144d322a75f9c0baa41dfef9973d4a05e686016a97dff1f1ab7a4813dc8fcf319e86e0721ceae60a8ae8931075623a09bde0c5d12b708dc3518c5f
+  data.tar.gz: cfd9e6f5a96226b6bcf3f1e0d7dc7dd8485010a592449018e9bc8db4dec3a072d818e6175d5840cd2887cb56ce04b7c454adafb236d4e231f208d36aa390584a

data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb

@@ -73,7 +73,7 @@ module Dependabot
               function: "npm:vulnerabilityAuditor",
               args: [Dir.pwd, vuln_versions]
             )
-            return fix_unavailable unless valid_audit_result?(audit_result, security_advisories)
+            return fix_unavailable unless viable_audit_result?(audit_result, security_advisories)
 
             audit_result
           end
@@ -86,15 +86,21 @@ module Dependabot
 
         attr_reader :dependency_files, :credentials
 
-        def valid_audit_result?(audit_result, security_advisories)
-          # we only need to check results that indicate a fix is available
-          return true unless audit_result["fix_available"]
+        def viable_audit_result?(audit_result, security_advisories)
+          validation_result = validate_audit_result(audit_result, security_advisories)
+          return true if validation_result == :viable
 
-          return false if vulnerable_dependency_removed?(audit_result)
-          return false if dependency_still_vulnerable?(audit_result, security_advisories)
-          return false if downgrades_dependencies?(audit_result)
+          Dependabot.logger.info("VulnerabilityAuditor: audit result not viable: #{validation_result}")
+          false
+        end
+
+        def validate_audit_result(audit_result, security_advisories)
+          return :fix_unavailable unless audit_result["fix_available"]
+          return :vulnerable_dependency_removed if vulnerable_dependency_removed?(audit_result)
+          return :dependency_still_vulnerable if dependency_still_vulnerable?(audit_result, security_advisories)
+          return :downgrades_dependencies if downgrades_dependencies?(audit_result)
 
-          true
+          :viable
         end
 
         def vulnerable_dependency_removed?(audit_result)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.206.0
+  version: 0.207.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-08-10 00:00:00.000000000 Z
+date: 2022-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.206.0
+        version: 0.207.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.206.0
+        version: 0.207.0
 - !ruby/object:Gem::Dependency
   name: debase
   requirement: !ruby/object:Gem::Requirement