dependabot-npm_and_yarn 0.206.0 → 0.209.0

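--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 982bada4a5fa7c5684307f5788312a2950d623f698093e5d37ec681020f5dd25
- data.tar.gz: f6b002ff019673222ba9e0c5a945eae620d906a6f57732130697c682b1b5d5ee
+ metadata.gz: fe0d3a90eb2f5f43576383e8fc1f08c33a07cbbe5c7bb06b8fbd5d7ab3bc9b84
+ data.tar.gz: efa30a33ade771b86d98a275fd29d4807d9986c5714591a9dea11c9da562e172
  SHA512:
- metadata.gz: 884b55700d38d5f99952e8d3bb84968549b5384af0ad5ce69d64e4dc1f957eaaee5988c5fc41473c9fda406c9a3c8f712b8132a4ae04da215f7590984115eaab
- data.tar.gz: eacdea94863a73e095719a2f3bec5616b8ee8c740dfedbb7f188b98b8666abd86c5ae099a809d893c2c16bdde3637b47c56b1eec06e0207efa06245593adf68a
+ metadata.gz: 04efa4e6819ecd2df778d621758c0de379a6eac114363b6b2b710d2e4dc20b0fd9e45105f323b008962c120ebecc35d83280ac79d2c0ef18783230971deead20
+ data.tar.gz: 65b27b95388fa3dff97fd7dd2961bd9101f00ee85c6a0bfc45a0b9f0260ac61d0145ba10b9f29476ab522ca11bfd148b939aed7a93ab519f2506c58302942202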
@@ -6,7 +6,7 @@
6
6
  "": {
7
7
  "name": "@dependabot/helper",
8
8
  "dependencies": {
9
- "@dependabot/yarn-lib": "^1.21.1",
9
+ "@dependabot/yarn-lib": "^1.22.19",
10
10
  "@npmcli/arborist": "^5.3.1",
11
11
  "detect-indent": "^6.1.0",
12
12
  "nock": "^13.2.8",
@@ -580,9 +580,9 @@
580
580
  "dev": true
581
581
  },
582
582
  "node_modules/@dependabot/yarn-lib": {
583
- "version": "1.21.1",
584
- "resolved": "https://registry.npmjs.org/@dependabot/yarn-lib/-/yarn-lib-1.21.1.tgz",
585
- "integrity": "sha512-wroyXO/e0h077IkPxLGJRIdMYzQWGIiLiYrhx2y6pwDfh6I492Saof5G80si21ltU3fHpCpGlB9cenr9b7Ak3Q==",
583
+ "version": "1.22.19",
584
+ "resolved": "https://registry.npmjs.org/@dependabot/yarn-lib/-/yarn-lib-1.22.19.tgz",
585
+ "integrity": "sha512-+ayu/53xZOUpRvQrzlhkHPogTNnmu+UIxd2S+IfQDLfBhyhrLqPB8F3kjIkGZRyNXPed2MyxEljyEVBSljPmxw==",
586
586
  "dependencies": {
587
587
  "@zkochan/cmd-shim": "^3.1.0",
588
588
  "babel-runtime": "^6.26.0",
@@ -14648,9 +14648,9 @@
14648
14648
  "dev": true
14649
14649
  },
14650
14650
  "@dependabot/yarn-lib": {
14651
- "version": "1.21.1",
14652
- "resolved": "https://registry.npmjs.org/@dependabot/yarn-lib/-/yarn-lib-1.21.1.tgz",
14653
- "integrity": "sha512-wroyXO/e0h077IkPxLGJRIdMYzQWGIiLiYrhx2y6pwDfh6I492Saof5G80si21ltU3fHpCpGlB9cenr9b7Ak3Q==",
14651
+ "version": "1.22.19",
14652
+ "resolved": "https://registry.npmjs.org/@dependabot/yarn-lib/-/yarn-lib-1.22.19.tgz",
14653
+ "integrity": "sha512-+ayu/53xZOUpRvQrzlhkHPogTNnmu+UIxd2S+IfQDLfBhyhrLqPB8F3kjIkGZRyNXPed2MyxEljyEVBSljPmxw==",
14654
14654
  "requires": {
14655
14655
  "@zkochan/cmd-shim": "^3.1.0",
14656
14656
  "babel-runtime": "^6.26.0",
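--- a/data/helpers/package.json
+++ b/data/helpers/package.json
@@ -9,7 +9,7 @@
  "test": "jest"
  },
  "dependencies": {
- "@dependabot/yarn-lib": "^1.21.1",
+ "@dependabot/yarn-lib": "^1.22.19",
  "@npmcli/arborist": "^5.3.1",
  "detect-indent": "^6.1.0",
  "nock": "^13.2.8",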
@@ -499,7 +499,7 @@ module Dependabot
499
499
  # Takes a JSON string and detects if it is spaces or tabs and how many
500
500
  # levels deep it is indented.
501
501
  def detect_indentation(json)
502
- indentation = json.scan(/^\s+/).min_by(&:length)
502
+ indentation = json.scan(/^[[:blank:]]+/).min_by(&:length)
503
503
  return "" if indentation.nil? # let npm set the default if we can't detect any indentation
504
504
 
505
505
  indentation_size = indentation.length
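Review bot: A line that contains only spaces or tabs still matches `^[[:blank:]]+` and, being the shortest run, wins `min_by(&:length)`, so a single stray whitespace-only line would report a one-character indent for the whole file; anchoring on following content, `indentation = json.scan(/^[[:blank:]]+(?=\S)/).min_by(&:length)`, keeps the fix for empty lines while excluding whitespace-only ones. The reason for the character class deserves a comment on the changed line, e.g. `# [[:blank:]] rather than \s so an empty line's newline is not taken as the shortest indentation`. detect_indentation continues past the hunk, so how the size and tab detection below consume this value is not visible here.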
@@ -73,7 +73,7 @@ module Dependabot
73
73
  function: "npm:vulnerabilityAuditor",
74
74
  args: [Dir.pwd, vuln_versions]
75
75
  )
76
- return fix_unavailable unless valid_audit_result?(audit_result, security_advisories)
76
+ return fix_unavailable unless viable_audit_result?(audit_result, security_advisories)
77
77
 
78
78
  audit_result
79
79
  end
@@ -86,15 +86,21 @@ module Dependabot
86
86
 
87
87
  attr_reader :dependency_files, :credentials
88
88
 
89
- def valid_audit_result?(audit_result, security_advisories)
90
- # we only need to check results that indicate a fix is available
91
- return true unless audit_result["fix_available"]
89
+ def viable_audit_result?(audit_result, security_advisories)
90
+ validation_result = validate_audit_result(audit_result, security_advisories)
91
+ return true if validation_result == :viable
92
92
 
93
- return false if vulnerable_dependency_removed?(audit_result)
94
- return false if dependency_still_vulnerable?(audit_result, security_advisories)
95
- return false if downgrades_dependencies?(audit_result)
93
+ Dependabot.logger.info("VulnerabilityAuditor: audit result not viable: #{validation_result}")
94
+ false
95
+ end
96
+
97
+ def validate_audit_result(audit_result, security_advisories)
98
+ return :fix_unavailable unless audit_result["fix_available"]
99
+ return :vulnerable_dependency_removed if vulnerable_dependency_removed?(audit_result)
100
+ return :dependency_still_vulnerable if dependency_still_vulnerable?(audit_result, security_advisories)
101
+ return :downgrades_dependencies if downgrades_dependencies?(audit_result)
96
102
 
97
- true
103
+ :viable
98
104
  end
99
105
 
100
106
  def vulnerable_dependency_removed?(audit_result)
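Review bot: The `fix_available` case changes meaning in `validate_audit_result`: the old `valid_audit_result?` returned true when `audit_result["fix_available"]` was false, so the caller passed the audit result itself through, whereas `:fix_unavailable` now makes `viable_audit_result?` false and the caller returns `fix_unavailable` instead. If `fix_unavailable` (defined outside the hunk) is not equivalent to passing the result through, this is a behaviour change the description should state; it also emits `audit result not viable: fix_unavailable` at info level on what may be a routine path. The new method's name reads as if it raises or returns a boolean, but it returns a reason symbol; a YARD line such as `# @return [Symbol] :viable, or the reason the audit result cannot be used` would make the contract clear where it is consumed.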
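--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: dependabot-npm_and_yarn
  version: !ruby/object:Gem::Version
- version: 0.206.0
+ version: 0.209.0
  platform: ruby
  authors:
  - Dependabot
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2022-08-10 00:00:00.000000000 Z
+ date: 2022-08-17 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.206.0
+ version: 0.209.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - '='
  - !ruby/object:Gem::Version
- version: 0.206.0
+ version: 0.209.0
  - !ruby/object:Gem::Dependency
  name: debase
  requirement: !ruby/object:Gem::Requirement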