dependabot-npm_and_yarn 0.209.0 → 0.212.0
- checksums.yaml +4 -4
- data/helpers/package-lock.json +185 -53
- data/helpers/package.json +3 -3
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +3 -3
- data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb +1 -2
- data/lib/dependabot/npm_and_yarn/file_parser.rb +1 -1
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +6 -6
- data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb +7 -8
- data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb +2 -2
- data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +3 -3
- data/lib/dependabot/npm_and_yarn/file_updater.rb +2 -2
- data/lib/dependabot/npm_and_yarn/metadata_finder.rb +4 -4
- data/lib/dependabot/npm_and_yarn/native_helpers.rb +1 -1
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +2 -2
- data/lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb +1 -1
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +5 -5
- data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb +8 -2
- data/lib/dependabot/npm_and_yarn/update_checker.rb +20 -14
- metadata +34 -6
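--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5ff4958e3092d765d3d92a6035f05dee25680d26697649b3adad94b2b876df7b
+data.tar.gz: 0adce108f8a33fefd73641d55db1730ba0bdfd167d2e0a8b7d674d1074455c87
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3eac1860e88136dc0b8ebc851b1fdad2ae27459df2a39937d401372b86cd6c86432d46bfe93d68422098d664ebe776fdaf3f7674f07911525e5c97fce83e0136
+data.tar.gz: c7c5f918a175e8f8de6cfc8110895f3c13f15cd1af0e342ab2cdd74794c2d383c74e46ea2076b36a3059a75cc5e93a92233a1d08368e5cfdd456fb3a5d89bc34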
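--- a/data/helpers/package-lock.json
+++ b/data/helpers/package-lock.json
@@ -7,9 +7,9 @@
 "name": "@dependabot/helper",
 "dependencies": {
 "@dependabot/yarn-lib": "^1.22.19",
-"@npmcli/arborist": "^5.
+"@npmcli/arborist": "^5.6.0",
 "detect-indent": "^6.1.0",
-"nock": "^13.2.
+"nock": "^13.2.9",
 "npm": "6.14.17",
 "semver": "^7.3.7"
 },
@@ -17,7 +17,7 @@
 "helper": "run.js"
 },
 "devDependencies": {
-"eslint": "^8.
+"eslint": "^8.22.0",
 "eslint-config-prettier": "^8.5.0",
 "jest": "^28.1.3",
 "prettier": "^2.7.1",
@@ -1685,9 +1685,9 @@
 }
 },
 "node_modules/@npmcli/arborist": {
-"version": "5.
-"resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-5.
-"integrity": "sha512-
+"version": "5.6.0",
+"resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-5.6.0.tgz",
+"integrity": "sha512-gM2AxWCaXTZRZnKOHT6uIUHTkvRf+UPU2iC/3nC1Bj21zemnoKyJh2NvcG69UCcfs+r1jpx6hZ0dL9s2yPssJQ==",
 "dependencies": {
 "@isaacs/string-locale-compare": "^1.1.0",
 "@npmcli/installed-package-contents": "^1.0.7",
@@ -1697,15 +1697,17 @@
 "@npmcli/name-from-folder": "^1.0.1",
 "@npmcli/node-gyp": "^2.0.0",
 "@npmcli/package-json": "^2.0.0",
+"@npmcli/query": "^1.1.1",
 "@npmcli/run-script": "^4.1.3",
 "bin-links": "^3.0.0",
 "cacache": "^16.0.6",
 "common-ancestor-path": "^1.0.1",
 "json-parse-even-better-errors": "^2.3.1",
 "json-stringify-nice": "^1.1.4",
+"minimatch": "^5.1.0",
 "mkdirp": "^1.0.4",
 "mkdirp-infer-owner": "^2.0.0",
-"nopt": "^
+"nopt": "^6.0.0",
 "npm-install-checks": "^5.0.0",
 "npm-package-arg": "^9.0.0",
 "npm-pick-manifest": "^7.0.0",
@@ -1731,6 +1733,25 @@
 "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
 }
 },
+"node_modules/@npmcli/arborist/node_modules/brace-expansion": {
+"version": "2.0.1",
+"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+"integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+"dependencies": {
+"balanced-match": "^1.0.0"
+}
+},
+"node_modules/@npmcli/arborist/node_modules/minimatch": {
+"version": "5.1.0",
+"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.0.tgz",
+"integrity": "sha512-9TPBGGak4nHfGZsPBohm9AWg6NoT7QTCehS3BIJABslyZbzxfV78QM2Y6+i741OPZIafFAaiiEMh5OyIrJPgtg==",
+"dependencies": {
+"brace-expansion": "^2.0.1"
+},
+"engines": {
+"node": ">=10"
+}
+},
 "node_modules/@npmcli/arborist/node_modules/mkdirp": {
 "version": "1.0.4",
 "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz",
@@ -1742,6 +1763,20 @@
 "node": ">=10"
 }
 },
+"node_modules/@npmcli/arborist/node_modules/nopt": {
+"version": "6.0.0",
+"resolved": "https://registry.npmjs.org/nopt/-/nopt-6.0.0.tgz",
+"integrity": "sha512-ZwLpbTgdhuZUnZzjd7nb1ZV+4DoiC6/sfiVKok72ym/4Tlf+DFdlHYmT2JPmcNNWV6Pi3SDf1kT+A4r9RTuT9g==",
+"dependencies": {
+"abbrev": "^1.0.0"
+},
+"bin": {
+"nopt": "bin/nopt.js"
+},
+"engines": {
+"node": "^12.13.0 || ^14.15.0 || >=16.0.0"
+}
+},
 "node_modules/@npmcli/arborist/node_modules/npm-install-checks": {
 "version": "5.0.0",
 "resolved": "https://registry.npmjs.org/npm-install-checks/-/npm-install-checks-5.0.0.tgz",
@@ -1941,6 +1976,19 @@
 "infer-owner": "^1.0.4"
 }
 },
+"node_modules/@npmcli/query": {
+"version": "1.2.0",
+"resolved": "https://registry.npmjs.org/@npmcli/query/-/query-1.2.0.tgz",
+"integrity": "sha512-uWglsUM3PjBLgTSmZ3/vygeGdvWEIZ3wTUnzGFbprC/RtvQSaT+GAXu1DXmSFj2bD3oOZdcRm1xdzsV2z1YWdw==",
+"dependencies": {
+"npm-package-arg": "^9.1.0",
+"postcss-selector-parser": "^6.0.10",
+"semver": "^7.3.7"
+},
+"engines": {
+"node": "^12.13.0 || ^14.15.0 || >=16.0.0"
+}
+},
 "node_modules/@npmcli/run-script": {
 "version": "4.1.3",
 "resolved": "https://registry.npmjs.org/@npmcli/run-script/-/run-script-4.1.3.tgz",
@@ -2735,9 +2783,12 @@
 }
 },
 "node_modules/builtins": {
-"version": "
-"resolved": "https://registry.npmjs.org/builtins/-/builtins-
-"integrity": "
+"version": "5.0.1",
+"resolved": "https://registry.npmjs.org/builtins/-/builtins-5.0.1.tgz",
+"integrity": "sha512-qwVpFEHNfhYJIzNRBvd2C1kyo6jz3ZSMPyyuR47OPdiKWlbYnZNyDWuyR175qDnAJLiCo5fBBqPb3RiXgWlkOQ==",
+"dependencies": {
+"semver": "^7.0.0"
+}
 },
 "node_modules/bytes": {
 "version": "3.1.0",
@@ -3144,6 +3195,17 @@
 "node": ">= 8"
 }
 },
+"node_modules/cssesc": {
+"version": "3.0.0",
+"resolved": "https://registry.npmjs.org/cssesc/-/cssesc-3.0.0.tgz",
+"integrity": "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==",
+"bin": {
+"cssesc": "bin/cssesc"
+},
+"engines": {
+"node": ">=4"
+}
+},
 "node_modules/currently-unhandled": {
 "version": "0.4.1",
 "resolved": "https://registry.npmjs.org/currently-unhandled/-/currently-unhandled-0.4.1.tgz",
@@ -3452,9 +3514,9 @@
 }
 },
 "node_modules/eslint": {
-"version": "8.
-"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.
-"integrity": "sha512
+"version": "8.22.0",
+"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.22.0.tgz",
+"integrity": "sha512-ci4t0sz6vSRKdmkOGmprBo6fmI4PrphDFMy5JEq/fNS0gQkJM3rLmrqcp8ipMcdobH3KtUP40KniAE9W19S4wA==",
 "dev": true,
 "dependencies": {
 "@eslint/eslintrc": "^1.3.0",
@@ -7610,9 +7672,9 @@
 }
 },
 "node_modules/nock": {
-"version": "13.2.
-"resolved": "https://registry.npmjs.org/nock/-/nock-13.2.
-"integrity": "sha512-
+"version": "13.2.9",
+"resolved": "https://registry.npmjs.org/nock/-/nock-13.2.9.tgz",
+"integrity": "sha512-1+XfJNYF1cjGB+TKMWi29eZ0b82QOvQs2YoLNzbpWGqFMtRQHTa57osqdGj4FrFPgkO4D4AZinzUJR9VvW3QUA==",
 "dependencies": {
 "debug": "^4.1.0",
 "json-stringify-safe": "^5.0.1",
@@ -8029,16 +8091,17 @@
 "integrity": "sha512-EPfafl6JL5/rU+ot6P3gRSCpPDW5VmIzX959Ob1+ySFUuuYHWHekXpwdUZcKP5C+DS4GEtdJluwBjnsNDl+fSA=="
 },
 "node_modules/npm-package-arg": {
-"version": "9.0
-"resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-9.0.
-"integrity": "sha512-
+"version": "9.1.0",
+"resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-9.1.0.tgz",
+"integrity": "sha512-4J0GL+u2Nh6OnhvUKXRr2ZMG4lR8qtLp+kv7UiV00Y+nGiSxtttCyIRHCt5L5BNkXQld/RceYItau3MDOoGiBw==",
 "dependencies": {
 "hosted-git-info": "^5.0.0",
+"proc-log": "^2.0.1",
 "semver": "^7.3.5",
-"validate-npm-package-name": "^
+"validate-npm-package-name": "^4.0.0"
 },
 "engines": {
-"node": "^12.13.0 || ^14.15.0 || >=16"
+"node": "^12.13.0 || ^14.15.0 || >=16.0.0"
 }
 },
 "node_modules/npm-packlist": {
@@ -12538,6 +12601,18 @@
 "node": ">=8"
 }
 },
+"node_modules/postcss-selector-parser": {
+"version": "6.0.10",
+"resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.0.10.tgz",
+"integrity": "sha512-IQ7TZdoaqbT+LCpShg46jnZVlhWD2w6iQYAcYXfHARZ7X1t/UGhhceQDs5X0cGqKvYlHNOuv7Oa1xmb0oQuA3w==",
+"dependencies": {
+"cssesc": "^3.0.0",
+"util-deprecate": "^1.0.2"
+},
+"engines": {
+"node": ">=4"
+}
+},
 "node_modules/prelude-ls": {
 "version": "1.2.1",
 "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz",
@@ -12606,11 +12681,11 @@
 }
 },
 "node_modules/proc-log": {
-"version": "2.0.
-"resolved": "https://registry.npmjs.org/proc-log/-/proc-log-2.0.
-"integrity": "sha512-
+"version": "2.0.1",
+"resolved": "https://registry.npmjs.org/proc-log/-/proc-log-2.0.1.tgz",
+"integrity": "sha512-Kcmo2FhfDTXdcbfDH76N7uBYHINxc/8GW7UAVuVP9I+Va3uHSerrnKV6dLooga/gh7GlgzuCCr/eoldnL1muGw==",
 "engines": {
-"node": "^12.13.0 || ^14.15.0 || >=16"
+"node": "^12.13.0 || ^14.15.0 || >=16.0.0"
 }
 },
 "node_modules/process-nextick-args": {
@@ -13960,11 +14035,14 @@
 }
 },
 "node_modules/validate-npm-package-name": {
-"version": "
-"resolved": "https://registry.npmjs.org/validate-npm-package-name/-/validate-npm-package-name-
-"integrity": "
+"version": "4.0.0",
+"resolved": "https://registry.npmjs.org/validate-npm-package-name/-/validate-npm-package-name-4.0.0.tgz",
+"integrity": "sha512-mzR0L8ZDktZjpX4OB46KT+56MAhl4EIazWP/+G/HPGuvfdaqg4YsCdtOm6U9+LOFyYDoh4dpnpxZRB9MQQns5Q==",
 "dependencies": {
-"builtins": "^
+"builtins": "^5.0.0"
+},
+"engines": {
+"node": "^12.13.0 || ^14.15.0 || >=16.0.0"
 }
 },
 "node_modules/verror": {
@@ -15498,9 +15576,9 @@
 }
 },
 "@npmcli/arborist": {
-"version": "5.
-"resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-5.
-"integrity": "sha512-
+"version": "5.6.0",
+"resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-5.6.0.tgz",
+"integrity": "sha512-gM2AxWCaXTZRZnKOHT6uIUHTkvRf+UPU2iC/3nC1Bj21zemnoKyJh2NvcG69UCcfs+r1jpx6hZ0dL9s2yPssJQ==",
 "requires": {
 "@isaacs/string-locale-compare": "^1.1.0",
 "@npmcli/installed-package-contents": "^1.0.7",
@@ -15510,15 +15588,17 @@
 "@npmcli/name-from-folder": "^1.0.1",
 "@npmcli/node-gyp": "^2.0.0",
 "@npmcli/package-json": "^2.0.0",
+"@npmcli/query": "^1.1.1",
 "@npmcli/run-script": "^4.1.3",
 "bin-links": "^3.0.0",
 "cacache": "^16.0.6",
 "common-ancestor-path": "^1.0.1",
 "json-parse-even-better-errors": "^2.3.1",
 "json-stringify-nice": "^1.1.4",
+"minimatch": "^5.1.0",
 "mkdirp": "^1.0.4",
 "mkdirp-infer-owner": "^2.0.0",
-"nopt": "^
+"nopt": "^6.0.0",
 "npm-install-checks": "^5.0.0",
 "npm-package-arg": "^9.0.0",
 "npm-pick-manifest": "^7.0.0",
@@ -15538,11 +15618,35 @@
 "walk-up-path": "^1.0.0"
 },
 "dependencies": {
+"brace-expansion": {
+"version": "2.0.1",
+"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+"integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+"requires": {
+"balanced-match": "^1.0.0"
+}
+},
+"minimatch": {
+"version": "5.1.0",
+"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.0.tgz",
+"integrity": "sha512-9TPBGGak4nHfGZsPBohm9AWg6NoT7QTCehS3BIJABslyZbzxfV78QM2Y6+i741OPZIafFAaiiEMh5OyIrJPgtg==",
+"requires": {
+"brace-expansion": "^2.0.1"
+}
+},
 "mkdirp": {
 "version": "1.0.4",
 "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz",
 "integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw=="
 },
+"nopt": {
+"version": "6.0.0",
+"resolved": "https://registry.npmjs.org/nopt/-/nopt-6.0.0.tgz",
+"integrity": "sha512-ZwLpbTgdhuZUnZzjd7nb1ZV+4DoiC6/sfiVKok72ym/4Tlf+DFdlHYmT2JPmcNNWV6Pi3SDf1kT+A4r9RTuT9g==",
+"requires": {
+"abbrev": "^1.0.0"
+}
+},
 "npm-install-checks": {
 "version": "5.0.0",
 "resolved": "https://registry.npmjs.org/npm-install-checks/-/npm-install-checks-5.0.0.tgz",
@@ -15696,6 +15800,16 @@
 "infer-owner": "^1.0.4"
 }
 },
+"@npmcli/query": {
+"version": "1.2.0",
+"resolved": "https://registry.npmjs.org/@npmcli/query/-/query-1.2.0.tgz",
+"integrity": "sha512-uWglsUM3PjBLgTSmZ3/vygeGdvWEIZ3wTUnzGFbprC/RtvQSaT+GAXu1DXmSFj2bD3oOZdcRm1xdzsV2z1YWdw==",
+"requires": {
+"npm-package-arg": "^9.1.0",
+"postcss-selector-parser": "^6.0.10",
+"semver": "^7.3.7"
+}
+},
 "@npmcli/run-script": {
 "version": "4.1.3",
 "resolved": "https://registry.npmjs.org/@npmcli/run-script/-/run-script-4.1.3.tgz",
@@ -16344,9 +16458,12 @@
 "integrity": "sha512-3U5kUA5VPsRUA3nofm/BXX7GVHKfxz0hOBAPxXrIvHzlDRkQVqEn6yi8QJegxl4LzOHLdvb7XF5dVawa/VVYBg=="
 },
 "builtins": {
-"version": "
-"resolved": "https://registry.npmjs.org/builtins/-/builtins-
-"integrity": "
+"version": "5.0.1",
+"resolved": "https://registry.npmjs.org/builtins/-/builtins-5.0.1.tgz",
+"integrity": "sha512-qwVpFEHNfhYJIzNRBvd2C1kyo6jz3ZSMPyyuR47OPdiKWlbYnZNyDWuyR175qDnAJLiCo5fBBqPb3RiXgWlkOQ==",
+"requires": {
+"semver": "^7.0.0"
+}
 },
 "bytes": {
 "version": "3.1.0",
@@ -16664,6 +16781,11 @@
 "which": "^2.0.1"
 }
 },
+"cssesc": {
+"version": "3.0.0",
+"resolved": "https://registry.npmjs.org/cssesc/-/cssesc-3.0.0.tgz",
+"integrity": "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg=="
+},
 "currently-unhandled": {
 "version": "0.4.1",
 "resolved": "https://registry.npmjs.org/currently-unhandled/-/currently-unhandled-0.4.1.tgz",
@@ -16911,9 +17033,9 @@
 "integrity": "sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ="
 },
 "eslint": {
-"version": "8.
-"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.
-"integrity": "sha512
+"version": "8.22.0",
+"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.22.0.tgz",
+"integrity": "sha512-ci4t0sz6vSRKdmkOGmprBo6fmI4PrphDFMy5JEq/fNS0gQkJM3rLmrqcp8ipMcdobH3KtUP40KniAE9W19S4wA==",
 "dev": true,
 "requires": {
 "@eslint/eslintrc": "^1.3.0",
@@ -20041,9 +20163,9 @@
 "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg=="
 },
 "nock": {
-"version": "13.2.
-"resolved": "https://registry.npmjs.org/nock/-/nock-13.2.
-"integrity": "sha512-
+"version": "13.2.9",
+"resolved": "https://registry.npmjs.org/nock/-/nock-13.2.9.tgz",
+"integrity": "sha512-1+XfJNYF1cjGB+TKMWi29eZ0b82QOvQs2YoLNzbpWGqFMtRQHTa57osqdGj4FrFPgkO4D4AZinzUJR9VvW3QUA==",
 "requires": {
 "debug": "^4.1.0",
 "json-stringify-safe": "^5.0.1",
@@ -23267,13 +23389,14 @@
 "integrity": "sha512-EPfafl6JL5/rU+ot6P3gRSCpPDW5VmIzX959Ob1+ySFUuuYHWHekXpwdUZcKP5C+DS4GEtdJluwBjnsNDl+fSA=="
 },
 "npm-package-arg": {
-"version": "9.0
-"resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-9.0.
-"integrity": "sha512-
+"version": "9.1.0",
+"resolved": "https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-9.1.0.tgz",
+"integrity": "sha512-4J0GL+u2Nh6OnhvUKXRr2ZMG4lR8qtLp+kv7UiV00Y+nGiSxtttCyIRHCt5L5BNkXQld/RceYItau3MDOoGiBw==",
 "requires": {
 "hosted-git-info": "^5.0.0",
+"proc-log": "^2.0.1",
 "semver": "^7.3.5",
-"validate-npm-package-name": "^
+"validate-npm-package-name": "^4.0.0"
 }
 },
 "npm-packlist": {
@@ -23680,6 +23803,15 @@
 "find-up": "^4.0.0"
 }
 },
+"postcss-selector-parser": {
+"version": "6.0.10",
+"resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.0.10.tgz",
+"integrity": "sha512-IQ7TZdoaqbT+LCpShg46jnZVlhWD2w6iQYAcYXfHARZ7X1t/UGhhceQDs5X0cGqKvYlHNOuv7Oa1xmb0oQuA3w==",
+"requires": {
+"cssesc": "^3.0.0",
+"util-deprecate": "^1.0.2"
+}
+},
 "prelude-ls": {
 "version": "1.2.1",
 "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz",
@@ -23723,9 +23855,9 @@
 }
 },
 "proc-log": {
-"version": "2.0.
-"resolved": "https://registry.npmjs.org/proc-log/-/proc-log-2.0.
-"integrity": "sha512-
+"version": "2.0.1",
+"resolved": "https://registry.npmjs.org/proc-log/-/proc-log-2.0.1.tgz",
+"integrity": "sha512-Kcmo2FhfDTXdcbfDH76N7uBYHINxc/8GW7UAVuVP9I+Va3uHSerrnKV6dLooga/gh7GlgzuCCr/eoldnL1muGw=="
 },
 "process-nextick-args": {
 "version": "2.0.1",
@@ -24762,11 +24894,11 @@
 }
 },
 "validate-npm-package-name": {
-"version": "
-"resolved": "https://registry.npmjs.org/validate-npm-package-name/-/validate-npm-package-name-
-"integrity": "
+"version": "4.0.0",
+"resolved": "https://registry.npmjs.org/validate-npm-package-name/-/validate-npm-package-name-4.0.0.tgz",
+"integrity": "sha512-mzR0L8ZDktZjpX4OB46KT+56MAhl4EIazWP/+G/HPGuvfdaqg4YsCdtOm6U9+LOFyYDoh4dpnpxZRB9MQQns5Q==",
 "requires": {
-"builtins": "^
+"builtins": "^5.0.0"
 }
 },
 "verror": {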
data/helpers/package.json
CHANGED
@@ -10,14 +10,14 @@
|
|
10
10
|
},
|
11
11
|
"dependencies": {
|
12
12
|
"@dependabot/yarn-lib": "^1.22.19",
|
13
|
-
"@npmcli/arborist": "^5.
|
13
|
+
"@npmcli/arborist": "^5.6.0",
|
14
14
|
"detect-indent": "^6.1.0",
|
15
|
-
"nock": "^13.2.
|
15
|
+
"nock": "^13.2.9",
|
16
16
|
"npm": "6.14.17",
|
17
17
|
"semver": "^7.3.7"
|
18
18
|
},
|
19
19
|
"devDependencies": {
|
20
|
-
"eslint": "^8.
|
20
|
+
"eslint": "^8.22.0",
|
21
21
|
"eslint-config-prettier": "^8.5.0",
|
22
22
|
"jest": "^28.1.3",
|
23
23
|
"prettier": "^2.7.1",
|
@@ -88,7 +88,7 @@ module Dependabot
|
|
88
88
|
|
89
89
|
# Loop through parent directories looking for an npmrc
|
90
90
|
(1..directory.split("/").count).each do |i|
|
91
|
-
@npmrc = fetch_file_from_host("../" * i + ".npmrc")&.
|
91
|
+
@npmrc = fetch_file_from_host(("../" * i) + ".npmrc")&.
|
92
92
|
tap { |f| f.support_file = true }
|
93
93
|
break if @npmrc
|
94
94
|
rescue Dependabot::DependencyFileNotFound
|
@@ -107,7 +107,7 @@ module Dependabot
|
|
107
107
|
|
108
108
|
# Loop through parent directories looking for an yarnrc
|
109
109
|
(1..directory.split("/").count).each do |i|
|
110
|
-
@yarnrc = fetch_file_from_host("../" * i + ".yarnrc")&.
|
110
|
+
@yarnrc = fetch_file_from_host(("../" * i) + ".yarnrc")&.
|
111
111
|
tap { |f| f.support_file = true }
|
112
112
|
break if @yarnrc
|
113
113
|
rescue Dependabot::DependencyFileNotFound
|
@@ -200,7 +200,7 @@ module Dependabot
|
|
200
200
|
resolution_objects = parsed_manifest.values_at("resolutions").compact
|
201
201
|
manifest_objects = dependency_objects + resolution_objects
|
202
202
|
|
203
|
-
raise Dependabot::DependencyFileNotParseable, file.path unless manifest_objects.all?
|
203
|
+
raise Dependabot::DependencyFileNotParseable, file.path unless manifest_objects.all?(Hash)
|
204
204
|
|
205
205
|
resolution_deps = resolution_objects.flat_map(&:to_a).
|
206
206
|
map do |path, value|
|
@@ -48,8 +48,7 @@ module Dependabot
|
|
48
48
|
%w(yarn.lock package-lock.json npm-shrinkwrap.json)
|
49
49
|
|
50
50
|
possible_lockfile_names.uniq.
|
51
|
-
|
52
|
-
compact
|
51
|
+
filter_map { |nm| dependency_files.find { |f| f.name == nm } }
|
53
52
|
end
|
54
53
|
|
55
54
|
def npm_lockfile_details(lockfile, dependency_name, manifest_name)
|
@@ -159,7 +159,7 @@ module Dependabot
|
|
159
159
|
|
160
160
|
def workspace_package_names
|
161
161
|
@workspace_package_names ||=
|
162
|
-
package_files.
|
162
|
+
package_files.filter_map { |f| JSON.parse(f.content)["name"] }
|
163
163
|
end
|
164
164
|
|
165
165
|
def version_for(name, requirement, manifest_name)
|
@@ -385,7 +385,7 @@ module Dependabot
|
|
385
385
|
|
386
386
|
def raise_resolvability_error(error_message)
|
387
387
|
dependency_names = dependencies.map(&:name).join(", ")
|
388
|
-
msg = "Error whilst updating #{dependency_names} in "\
|
388
|
+
msg = "Error whilst updating #{dependency_names} in " \
|
389
389
|
"#{lockfile.path}:\n#{error_message}"
|
390
390
|
raise Dependabot::DependencyFileNotResolvable, msg
|
391
391
|
end
|
@@ -397,11 +397,11 @@ module Dependabot
|
|
397
397
|
# issues on the error message (issue detail) on the backend
|
398
398
|
#
|
399
399
|
# ToDo: add an error ID to issues to make it easier to unique them
|
400
|
-
msg = "Error whilst updating dependencies in #{lockfile.name}:\n"\
|
401
|
-
"#{error_message}\n\n"\
|
402
|
-
"It looks like your lockfile has some corrupt entries with "\
|
403
|
-
"missing versions and needs to be re-generated.\n"\
|
404
|
-
"You'll need to remove #{lockfile.name} and #{modules_path} "\
|
400
|
+
msg = "Error whilst updating dependencies in #{lockfile.name}:\n" \
|
401
|
+
"#{error_message}\n\n" \
|
402
|
+
"It looks like your lockfile has some corrupt entries with " \
|
403
|
+
"missing versions and needs to be re-generated.\n" \
|
404
|
+
"You'll need to remove #{lockfile.name} and #{modules_path} " \
|
405
405
|
"before you run npm install."
|
406
406
|
raise Dependabot::DependencyFileNotResolvable, msg
|
407
407
|
end
|
@@ -42,9 +42,9 @@ module Dependabot
|
|
42
42
|
return unless yarn_lock || package_lock
|
43
43
|
return unless global_registry
|
44
44
|
|
45
|
-
"registry = https://#{global_registry['registry']}\n"\
|
46
|
-
|
47
|
-
|
45
|
+
"registry = https://#{global_registry['registry']}\n" \
|
46
|
+
"#{global_registry_auth_line}" \
|
47
|
+
"always-auth = true"
|
48
48
|
end
|
49
49
|
|
50
50
|
def global_registry # rubocop:disable Metrics/PerceivedComplexity
|
@@ -89,7 +89,7 @@ module Dependabot
|
|
89
89
|
if package_lock
|
90
90
|
@dependency_urls +=
|
91
91
|
parsed_package_lock.fetch("dependencies", {}).
|
92
|
-
|
92
|
+
filter_map { |_, details| details["resolved"] }.
|
93
93
|
select { |url| url.is_a?(String) }.
|
94
94
|
reject { |url| url.start_with?("git") }
|
95
95
|
end
|
@@ -114,8 +114,8 @@ module Dependabot
|
|
114
114
|
return initial_content unless global_registry
|
115
115
|
|
116
116
|
initial_content +
|
117
|
-
"registry = https://#{global_registry['registry']}\n"\
|
118
|
-
"#{global_registry_auth_line}"\
|
117
|
+
"registry = https://#{global_registry['registry']}\n" \
|
118
|
+
"#{global_registry_auth_line}" \
|
119
119
|
"always-auth = true\n"
|
120
120
|
end
|
121
121
|
|
@@ -166,8 +166,7 @@ module Dependabot
|
|
166
166
|
|
167
167
|
@npmrc_scoped_registries ||=
|
168
168
|
npmrc_file.content.lines.select { |line| line.match?(SCOPED_REGISTRY) }.
|
169
|
-
|
170
|
-
compact
|
169
|
+
filter_map { |line| line.match(SCOPED_REGISTRY)&.named_captures&.fetch("registry") }
|
171
170
|
end
|
172
171
|
|
173
172
|
# rubocop:disable Metrics/PerceivedComplexity
|
@@ -220,8 +220,8 @@ module Dependabot
|
|
220
220
|
content.scan(/['"]#{sections_regex}['"]\s*:\s*\{/m) do
|
221
221
|
mtch = Regexp.last_match
|
222
222
|
declaration_blocks <<
|
223
|
-
mtch.to_s +
|
224
|
-
mtch.post_match[0..closing_bracket_index(mtch.post_match)]
|
223
|
+
(mtch.to_s +
|
224
|
+
mtch.post_match[0..closing_bracket_index(mtch.post_match)])
|
225
225
|
end
|
226
226
|
|
227
227
|
declaration_blocks.reduce(content.dup) do |new_content, block|
|
@@ -155,11 +155,11 @@ module Dependabot
|
|
155
155
|
def requirements_for_path(requirements, path)
|
156
156
|
return requirements if path.to_s == "."
|
157
157
|
|
158
|
-
requirements.
|
158
|
+
requirements.filter_map do |r|
|
159
159
|
next unless r[:file].start_with?("#{path}/")
|
160
160
|
|
161
161
|
r.merge(file: r[:file].gsub(/^#{Regexp.quote("#{path}/")}/, ""))
|
162
|
-
end
|
162
|
+
end
|
163
163
|
end
|
164
164
|
|
165
165
|
# rubocop:disable Metrics/AbcSize
|
@@ -430,7 +430,7 @@ module Dependabot
|
|
430
430
|
|
431
431
|
def raise_resolvability_error(error_message, yarn_lock)
|
432
432
|
dependency_names = dependencies.map(&:name).join(", ")
|
433
|
-
msg = "Error whilst updating #{dependency_names} in "\
|
433
|
+
msg = "Error whilst updating #{dependency_names} in " \
|
434
434
|
"#{yarn_lock.path}:\n#{error_message}"
|
435
435
|
raise Dependabot::DependencyFileNotResolvable, msg
|
436
436
|
end
|
@@ -123,12 +123,12 @@ module Dependabot
|
|
123
123
|
end
|
124
124
|
|
125
125
|
def updated_manifest_files
|
126
|
-
package_files.
|
126
|
+
package_files.filter_map do |file|
|
127
127
|
updated_content = updated_package_json_content(file)
|
128
128
|
next if updated_content == file.content
|
129
129
|
|
130
130
|
updated_file(file: file, content: updated_content)
|
131
|
-
end
|
131
|
+
end
|
132
132
|
end
|
133
133
|
|
134
134
|
def updated_lockfiles
|
@@ -26,9 +26,9 @@ module Dependabot
|
|
26
26
|
return unless npm_listing.dig("time", dependency.version)
|
27
27
|
return if previous_releasers.include?(npm_releaser)
|
28
28
|
|
29
|
-
"This version was pushed to npm by "\
|
30
|
-
|
31
|
-
|
29
|
+
"This version was pushed to npm by " \
|
30
|
+
"[#{npm_releaser}](https://www.npmjs.com/~#{npm_releaser}), a new " \
|
31
|
+
"releaser for #{dependency.name} since your current version."
|
32
32
|
end
|
33
33
|
|
34
34
|
private
|
@@ -64,7 +64,7 @@ module Dependabot
|
|
64
64
|
|
65
65
|
all_version_listings.
|
66
66
|
reject { |v, _| Time.parse(times[v]) > cutoff }.
|
67
|
-
|
67
|
+
filter_map { |_, d| d.fetch("_npmUser", nil)&.fetch("name", nil) }
|
68
68
|
end
|
69
69
|
|
70
70
|
def find_source_from_registry
|
@@ -8,7 +8,7 @@ module Dependabot
|
|
8
8
|
end
|
9
9
|
|
10
10
|
def self.native_helpers_root
|
11
|
-
helpers_root = ENV
|
11
|
+
helpers_root = ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", nil)
|
12
12
|
return File.join(helpers_root, "npm_and_yarn") unless helpers_root.nil?
|
13
13
|
|
14
14
|
File.join(__dir__, "../../../helpers")
|
@@ -121,9 +121,9 @@ module Dependabot
|
|
121
121
|
end
|
122
122
|
|
123
123
|
def filter_out_of_range_versions(versions_array)
|
124
|
-
reqs = dependency.requirements.
|
124
|
+
reqs = dependency.requirements.filter_map do |r|
|
125
125
|
NpmAndYarn::Requirement.requirements_array(r.fetch(:requirement))
|
126
|
-
end
|
126
|
+
end
|
127
127
|
|
128
128
|
versions_array.
|
129
129
|
select { |v| reqs.all? { |r| r.any? { |o| o.satisfied_by?(v) } } }
|
@@ -63,7 +63,7 @@ module Dependabot
|
|
63
63
|
def updating_from_git_to_npm?
|
64
64
|
return false unless updated_source.nil?
|
65
65
|
|
66
|
-
original_source = requirements.
|
66
|
+
original_source = requirements.filter_map { |r| r[:source] }.first
|
67
67
|
original_source&.fetch(:type) == "git"
|
68
68
|
end
|
69
69
|
|
@@ -157,7 +157,7 @@ module Dependabot
|
|
157
157
|
relevant_versions = latest_version_finder(dependency).
|
158
158
|
possible_previous_versions_with_details.
|
159
159
|
map(&:first)
|
160
|
-
reqs = dep.requirements.
|
160
|
+
reqs = dep.requirements.filter_map { |r| r[:requirement] }.
|
161
161
|
map { |r| requirement_class.requirements_array(r) }
|
162
162
|
|
163
163
|
# Pick the lowest version from the max possible version from all
|
@@ -355,7 +355,7 @@ module Dependabot
|
|
355
355
|
requirement_name:
|
356
356
|
captures.fetch("required_dep").sub(/@[^@]+$/, ""),
|
357
357
|
requirement_version:
|
358
|
-
captures.fetch("required_dep").split("@").last.
|
358
|
+
captures.fetch("required_dep").split("@").last.delete('"'),
|
359
359
|
requiring_dep_name:
|
360
360
|
captures.fetch("requiring_dep").sub(/@[^@]+$/, "")
|
361
361
|
}
|
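Review bot: `.delete('"')` on the new `requirement_version:` line removes every double quote anywhere in the captured string, not just a surrounding pair; if the intent is to unquote a value like `"^1.2.0"`, `.delete_prefix('"').delete_suffix('"')` is narrower and leaves a malformed capture visible instead of silently normalising it. The captures appear to come from a regex match over helper output, so keeping the normalisation minimal makes later matching failures easier to diagnose.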
@@ -543,11 +543,11 @@ module Dependabot
|
|
543
543
|
def requirements_for_path(requirements, path)
|
544
544
|
return requirements if path.to_s == "."
|
545
545
|
|
546
|
-
requirements.
|
546
|
+
requirements.filter_map do |r|
|
547
547
|
next unless r[:file].start_with?("#{path}/")
|
548
548
|
|
549
549
|
r.merge(file: r[:file].gsub(/^#{Regexp.quote("#{path}/")}/, ""))
|
550
|
-
end
|
550
|
+
end
|
551
551
|
end
|
552
552
|
|
553
553
|
# Top level dependencies are required in the peer dep checker
|
@@ -581,7 +581,7 @@ module Dependabot
|
|
581
581
|
def version_for_dependency(dep)
|
582
582
|
return version_class.new(dep.version) if dep.version && version_class.correct?(dep.version)
|
583
583
|
|
584
|
-
dep.requirements.
|
584
|
+
dep.requirements.filter_map { |r| r[:requirement] }.
|
585
585
|
reject { |req_string| req_string.start_with?("<") }.
|
586
586
|
select { |req_string| req_string.match?(version_regex) }.
|
587
587
|
map { |req_string| req_string.match(version_regex) }.
|
@@ -15,9 +15,10 @@ module Dependabot
|
|
15
15
|
module NpmAndYarn
|
16
16
|
class UpdateChecker < Dependabot::UpdateCheckers::Base
|
17
17
|
class VulnerabilityAuditor
|
18
|
-
def initialize(dependency_files:, credentials:)
|
18
|
+
def initialize(dependency_files:, credentials:, allow_removal: false)
|
19
19
|
@dependency_files = dependency_files
|
20
20
|
@credentials = credentials
|
21
|
+
@allow_removal = allow_removal
|
21
22
|
end
|
22
23
|
|
23
24
|
# Finds any dependencies in the `package-lock.json` or `npm-shrinkwrap.json` that have
|
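Review bot: The new `allow_removal:` keyword is undocumented, and the class comment below (`# Finds any dependencies …`) does not mention that the auditor can now accept a fix that removes the vulnerable dependency altogether. A one-line comment above `initialize` such as `# allow_removal: when true, an audit fix that removes the vulnerable dependency is accepted instead of being rejected as :vulnerable_dependency_removed` would explain the flag and its `false` default, which keeps the stricter behaviour for callers that do not opt in.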
@@ -96,7 +97,7 @@ module Dependabot
|
|
96
97
|
|
97
98
|
def validate_audit_result(audit_result, security_advisories)
|
98
99
|
return :fix_unavailable unless audit_result["fix_available"]
|
99
|
-
return :vulnerable_dependency_removed if vulnerable_dependency_removed?(audit_result)
|
100
|
+
return :vulnerable_dependency_removed if !@allow_removal && vulnerable_dependency_removed?(audit_result)
|
100
101
|
return :dependency_still_vulnerable if dependency_still_vulnerable?(audit_result, security_advisories)
|
101
102
|
return :downgrades_dependencies if downgrades_dependencies?(audit_result)
|
102
103
|
|
@@ -108,6 +109,9 @@ module Dependabot
|
|
108
109
|
end
|
109
110
|
|
110
111
|
def dependency_still_vulnerable?(audit_result, security_advisories)
|
112
|
+
# vulnerable depenendency is removed if the target version is nil
|
113
|
+
return false unless audit_result["target_version"]
|
114
|
+
|
111
115
|
version = Version.new(audit_result["target_version"])
|
112
116
|
security_advisories.any? { |a| a.vulnerable?(version) }
|
113
117
|
end
|
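Review bot: `return false unless audit_result["target_version"]` treats any missing `target_version` as a removal and reports the dependency as no longer vulnerable; the same guard is added to `downgrades_version?` in the next hunk. If the audit helper can omit `target_version` for a reason other than removal, this turns a failed fix into a clean result. Since `vulnerable_dependency_removed?(audit_result)` already exists as the removal signal in `validate_audit_result`, guarding on it (`return false if vulnerable_dependency_removed?(audit_result)`) or documenting the nil-means-removed contract where `audit_result` is built would make the intent explicit. The comment also misspells "dependency" (`depenendency`).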
@@ -121,6 +125,8 @@ module Dependabot
|
|
121
125
|
end
|
122
126
|
|
123
127
|
def downgrades_version?(current_version, target_version)
|
128
|
+
return false unless target_version
|
129
|
+
|
124
130
|
current = Version.new(current_version)
|
125
131
|
target = Version.new(target_version)
|
126
132
|
current > target
|
@@ -111,7 +111,8 @@ module Dependabot
|
|
111
111
|
@vulnerability_audit ||=
|
112
112
|
VulnerabilityAuditor.new(
|
113
113
|
dependency_files: dependency_files,
|
114
|
-
credentials: credentials
|
114
|
+
credentials: credentials,
|
115
|
+
allow_removal: @options.key?(:npm_transitive_dependency_removal)
|
115
116
|
).audit(
|
116
117
|
dependency: dependency,
|
117
118
|
security_advisories: security_advisories
|
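Review bot: `allow_removal: @options.key?(:npm_transitive_dependency_removal)` enables removal on the mere presence of the option key, so passing the option with a false value (`npm_transitive_dependency_removal: false`) would still allow the vulnerable dependency to be removed. If the option carries a boolean, use its value: `allow_removal: @options.fetch(:npm_transitive_dependency_removal, false) == true`. If presence alone is the contract for this option, a short comment on that line would remove the ambiguity.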
@@ -141,6 +142,7 @@ module Dependabot
|
|
141
142
|
map { |update_details| build_updated_dependency(update_details) }
|
142
143
|
end
|
143
144
|
|
145
|
+
# rubocop:disable Metrics/AbcSize
|
144
146
|
def conflicting_updated_dependencies
|
145
147
|
top_level_dependencies = top_level_dependency_lookup
|
146
148
|
|
@@ -148,27 +150,29 @@ module Dependabot
|
|
148
150
|
vulnerability_audit["fix_updates"].each do |update|
|
149
151
|
dependency_name = update["dependency_name"]
|
150
152
|
requirements = top_level_dependencies[dependency_name]&.requirements || []
|
151
|
-
conflicting_dep = Dependency.new(
|
152
|
-
name: dependency_name,
|
153
|
-
package_manager: "npm_and_yarn",
|
154
|
-
requirements: requirements
|
155
|
-
)
|
156
153
|
|
157
154
|
updated_deps << build_updated_dependency(
|
158
|
-
dependency:
|
155
|
+
dependency: Dependency.new(
|
156
|
+
name: dependency_name,
|
157
|
+
package_manager: "npm_and_yarn",
|
158
|
+
requirements: requirements
|
159
|
+
),
|
159
160
|
version: update["target_version"],
|
160
161
|
previous_version: update["current_version"]
|
161
162
|
)
|
162
163
|
end
|
164
|
+
# rubocop:enable Metrics/AbcSize
|
163
165
|
|
164
166
|
# We don't need to update this but need to include it so it's described
|
165
167
|
# in the PR and we'll pass validation that this dependency is at a
|
166
168
|
# non-vulnerable version.
|
167
169
|
if updated_deps.none? { |dep| dep.name == dependency.name }
|
170
|
+
target_version = vulnerability_audit["target_version"]
|
168
171
|
updated_deps << build_updated_dependency(
|
169
172
|
dependency: dependency,
|
170
|
-
version:
|
171
|
-
previous_version: dependency.version
|
173
|
+
version: target_version,
|
174
|
+
previous_version: dependency.version,
|
175
|
+
removed: target_version.nil?
|
172
176
|
)
|
173
177
|
end
|
174
178
|
|
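Review bot: Inside the `fix_updates` loop the call passes `version: update["target_version"]` but no `removed:`, so if a conflicting update's `target_version` is ever nil, `build_updated_dependency` falls through `fetch(:version).to_s` and produces a dependency with version `""` instead of the `removed: true` that the top-level case below now sets. Adding `removed: update["target_version"].nil?` to that call keeps both paths consistent. Whether `fix_updates` entries can have a nil target is not visible here, so this may be purely defensive.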
@@ -184,12 +188,13 @@ module Dependabot
|
|
184
188
|
source: nil
|
185
189
|
).parse.select(&:top_level?)
|
186
190
|
|
187
|
-
top_level_dependencies.
|
191
|
+
top_level_dependencies.to_h { |dep| [dep.name, dep] }
|
188
192
|
end
|
189
193
|
|
190
194
|
def build_updated_dependency(update_details)
|
191
195
|
original_dep = update_details.fetch(:dependency)
|
192
|
-
|
196
|
+
removed = update_details.fetch(:removed, false)
|
197
|
+
version = update_details.fetch(:version).to_s unless removed
|
193
198
|
previous_version = update_details.fetch(:previous_version)&.to_s
|
194
199
|
|
195
200
|
Dependency.new(
|
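Review bot: `version = update_details.fetch(:version).to_s unless removed` leaves `version` as `nil` through the modifier clause, which is easy to miss when reading the `Dependency.new` arguments that follow; `version = removed ? nil : update_details.fetch(:version).to_s` makes the removal case explicit. `build_updated_dependency` continues past the end of the hunk, so the `version:` use is not visible here.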
@@ -203,16 +208,17 @@ module Dependabot
|
|
203
208
|
).updated_requirements,
|
204
209
|
previous_version: previous_version,
|
205
210
|
previous_requirements: original_dep.requirements,
|
206
|
-
package_manager: original_dep.package_manager
|
211
|
+
package_manager: original_dep.package_manager,
|
212
|
+
removed: removed
|
207
213
|
)
|
208
214
|
end
|
209
215
|
|
210
216
|
def latest_resolvable_version_with_no_unlock_for_git_dependency
|
211
|
-
reqs = dependency.requirements.
|
217
|
+
reqs = dependency.requirements.filter_map do |r|
|
212
218
|
next if r.fetch(:requirement).nil?
|
213
219
|
|
214
220
|
requirement_class.requirements_array(r.fetch(:requirement))
|
215
|
-
end
|
221
|
+
end
|
216
222
|
|
217
223
|
current_version =
|
218
224
|
if existing_version_is_sha? ||
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.212.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-
|
11
|
+
date: 2022-09-06 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.212.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.212.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debase
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -80,6 +80,20 @@ dependencies:
|
|
80
80
|
- - "~>"
|
81
81
|
- !ruby/object:Gem::Version
|
82
82
|
version: '2.0'
|
83
|
+
- !ruby/object:Gem::Dependency
|
84
|
+
name: parallel_tests
|
85
|
+
requirement: !ruby/object:Gem::Requirement
|
86
|
+
requirements:
|
87
|
+
- - "~>"
|
88
|
+
- !ruby/object:Gem::Version
|
89
|
+
version: 3.12.0
|
90
|
+
type: :development
|
91
|
+
prerelease: false
|
92
|
+
version_requirements: !ruby/object:Gem::Requirement
|
93
|
+
requirements:
|
94
|
+
- - "~>"
|
95
|
+
- !ruby/object:Gem::Version
|
96
|
+
version: 3.12.0
|
83
97
|
- !ruby/object:Gem::Dependency
|
84
98
|
name: rake
|
85
99
|
requirement: !ruby/object:Gem::Requirement
|
@@ -128,14 +142,28 @@ dependencies:
|
|
128
142
|
requirements:
|
129
143
|
- - "~>"
|
130
144
|
- !ruby/object:Gem::Version
|
131
|
-
version: 1.
|
145
|
+
version: 1.36.0
|
146
|
+
type: :development
|
147
|
+
prerelease: false
|
148
|
+
version_requirements: !ruby/object:Gem::Requirement
|
149
|
+
requirements:
|
150
|
+
- - "~>"
|
151
|
+
- !ruby/object:Gem::Version
|
152
|
+
version: 1.36.0
|
153
|
+
- !ruby/object:Gem::Dependency
|
154
|
+
name: rubocop-performance
|
155
|
+
requirement: !ruby/object:Gem::Requirement
|
156
|
+
requirements:
|
157
|
+
- - "~>"
|
158
|
+
- !ruby/object:Gem::Version
|
159
|
+
version: 1.14.2
|
132
160
|
type: :development
|
133
161
|
prerelease: false
|
134
162
|
version_requirements: !ruby/object:Gem::Requirement
|
135
163
|
requirements:
|
136
164
|
- - "~>"
|
137
165
|
- !ruby/object:Gem::Version
|
138
|
-
version: 1.
|
166
|
+
version: 1.14.2
|
139
167
|
- !ruby/object:Gem::Dependency
|
140
168
|
name: ruby-debug-ide
|
141
169
|
requirement: !ruby/object:Gem::Requirement
|