dependabot-npm_and_yarn 0.210.0 → 0.211.0
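--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5a59daca8d3197603d1310f3e9441dbcaf008aede06905fdb6ce6464a2a729bf
+data.tar.gz: 1fa8b86f5de495b7fa09ee5ad9e3ca50916c152ea4350763e36580309f73491d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: '080b0ecf1699841eb2f2830bc29c962732abb6eb704b50d3ac9f64a165eea2f860ad9112eb0a5a2367918d324e408e187883c63d027bb7502c17be2146413657'
+data.tar.gz: 3cec11a3e2321e639d455cc3df562b51a5ed9a22a197ba6d5a210d9dd63a2a1f6b65099c9bbe5c00b469442f415c6790a898a16ea54589d85468ed45f3183d56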
@@ -15,9 +15,10 @@ module Dependabot
|
|
15
15
|
module NpmAndYarn
|
16
16
|
class UpdateChecker < Dependabot::UpdateCheckers::Base
|
17
17
|
class VulnerabilityAuditor
|
18
|
-
def initialize(dependency_files:, credentials:)
|
18
|
+
def initialize(dependency_files:, credentials:, allow_removal: false)
|
19
19
|
@dependency_files = dependency_files
|
20
20
|
@credentials = credentials
|
21
|
+
@allow_removal = allow_removal
|
21
22
|
end
|
22
23
|
|
23
24
|
# Finds any dependencies in the `package-lock.json` or `npm-shrinkwrap.json` that have
|
@@ -96,7 +97,7 @@ module Dependabot
|
|
96
97
|
|
97
98
|
def validate_audit_result(audit_result, security_advisories)
|
98
99
|
return :fix_unavailable unless audit_result["fix_available"]
|
99
|
-
return :vulnerable_dependency_removed if vulnerable_dependency_removed?(audit_result)
|
100
|
+
return :vulnerable_dependency_removed if !@allow_removal && vulnerable_dependency_removed?(audit_result)
|
100
101
|
return :dependency_still_vulnerable if dependency_still_vulnerable?(audit_result, security_advisories)
|
101
102
|
return :downgrades_dependencies if downgrades_dependencies?(audit_result)
|
102
103
|
|
@@ -108,6 +109,9 @@ module Dependabot
|
|
108
109
|
end
|
109
110
|
|
110
111
|
def dependency_still_vulnerable?(audit_result, security_advisories)
|
112
|
+
# vulnerable depenendency is removed if the target version is nil
|
113
|
+
return false unless audit_result["target_version"]
|
114
|
+
|
111
115
|
version = Version.new(audit_result["target_version"])
|
112
116
|
security_advisories.any? { |a| a.vulnerable?(version) }
|
113
117
|
end
|
@@ -121,6 +125,8 @@ module Dependabot
|
|
121
125
|
end
|
122
126
|
|
123
127
|
def downgrades_version?(current_version, target_version)
|
128
|
+
return false unless target_version
|
129
|
+
|
124
130
|
current = Version.new(current_version)
|
125
131
|
target = Version.new(target_version)
|
126
132
|
current > target
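Review bot: The new guard in dependency_still_vulnerable?, `return false unless audit_result["target_version"]`, treats a nil or absent target_version as proof that the vulnerable dependency was removed, so on the allow_removal path an audit result that merely lacks the key passes the still-vulnerable check and the downgrade check without any advisory being consulted. validate_audit_result only consults vulnerable_dependency_removed? when @allow_removal is false, so nothing visible here confirms the removal when removal is allowed; whether the audit output can omit the key is not shown, so this is a hardening suggestion. Consider tying the nil case to the actual removal signal by adding, before the still-vulnerable check, `return :dependency_still_vulnerable if audit_result["target_version"].nil? && !vulnerable_dependency_removed?(audit_result)`. The comment on the guard also has a typo ("depenendency"); `# the vulnerable dependency is removed when the target version is nil` would read correctly.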
|
@@ -111,7 +111,8 @@ module Dependabot
|
|
111
111
|
@vulnerability_audit ||=
|
112
112
|
VulnerabilityAuditor.new(
|
113
113
|
dependency_files: dependency_files,
|
114
|
-
credentials: credentials
|
114
|
+
credentials: credentials,
|
115
|
+
allow_removal: @options.key?(:npm_transitive_dependency_removal)
|
115
116
|
).audit(
|
116
117
|
dependency: dependency,
|
117
118
|
security_advisories: security_advisories
|
@@ -141,6 +142,7 @@ module Dependabot
|
|
141
142
|
map { |update_details| build_updated_dependency(update_details) }
|
142
143
|
end
|
143
144
|
|
145
|
+
# rubocop:disable Metrics/AbcSize
|
144
146
|
def conflicting_updated_dependencies
|
145
147
|
top_level_dependencies = top_level_dependency_lookup
|
146
148
|
|
@@ -148,27 +150,29 @@ module Dependabot
|
|
148
150
|
vulnerability_audit["fix_updates"].each do |update|
|
149
151
|
dependency_name = update["dependency_name"]
|
150
152
|
requirements = top_level_dependencies[dependency_name]&.requirements || []
|
151
|
-
conflicting_dep = Dependency.new(
|
152
|
-
name: dependency_name,
|
153
|
-
package_manager: "npm_and_yarn",
|
154
|
-
requirements: requirements
|
155
|
-
)
|
156
153
|
|
157
154
|
updated_deps << build_updated_dependency(
|
158
|
-
dependency:
|
155
|
+
dependency: Dependency.new(
|
156
|
+
name: dependency_name,
|
157
|
+
package_manager: "npm_and_yarn",
|
158
|
+
requirements: requirements
|
159
|
+
),
|
159
160
|
version: update["target_version"],
|
160
161
|
previous_version: update["current_version"]
|
161
162
|
)
|
162
163
|
end
|
164
|
+
# rubocop:enable Metrics/AbcSize
|
163
165
|
|
164
166
|
# We don't need to update this but need to include it so it's described
|
165
167
|
# in the PR and we'll pass validation that this dependency is at a
|
166
168
|
# non-vulnerable version.
|
167
169
|
if updated_deps.none? { |dep| dep.name == dependency.name }
|
170
|
+
target_version = vulnerability_audit["target_version"]
|
168
171
|
updated_deps << build_updated_dependency(
|
169
172
|
dependency: dependency,
|
170
|
-
version:
|
171
|
-
previous_version: dependency.version
|
173
|
+
version: target_version,
|
174
|
+
previous_version: dependency.version,
|
175
|
+
removed: target_version.nil?
|
172
176
|
)
|
173
177
|
end
|
174
178
|
|
@@ -189,7 +193,8 @@ module Dependabot
|
|
189
193
|
|
190
194
|
def build_updated_dependency(update_details)
|
191
195
|
original_dep = update_details.fetch(:dependency)
|
192
|
-
|
196
|
+
removed = update_details.fetch(:removed, false)
|
197
|
+
version = update_details.fetch(:version).to_s unless removed
|
193
198
|
previous_version = update_details.fetch(:previous_version)&.to_s
|
194
199
|
|
195
200
|
Dependency.new(
|
@@ -203,7 +208,8 @@ module Dependabot
|
|
203
208
|
).updated_requirements,
|
204
209
|
previous_version: previous_version,
|
205
210
|
previous_requirements: original_dep.requirements,
|
206
|
-
package_manager: original_dep.package_manager
|
211
|
+
package_manager: original_dep.package_manager,
|
212
|
+
removed: removed
|
207
213
|
)
|
208
214
|
end
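Review bot: In conflicting_updated_dependencies the fix_updates loop still passes `version: update["target_version"]` with no `removed:` flag, while the top-level branch added just below it derives `removed: target_version.nil?`; if a fix_updates entry can carry a nil target_version the way the audit result now can, build_updated_dependency's default `removed = false` takes the `.to_s` path and yields a Dependency whose version is "" rather than a removal. Mirroring the top-level branch with `version: update["target_version"], previous_version: update["current_version"], removed: update["target_version"].nil?` keeps the two paths consistent. Separately, `allow_removal: @options.key?(:npm_transitive_dependency_removal)` enables removal on key presence alone, so an explicit `npm_transitive_dependency_removal: false` would still turn it on unless the options hash only ever holds enabled flags; `@options.fetch(:npm_transitive_dependency_removal, false)` would honour the value. conflicting_updated_dependencies continues past the end of its hunk, so the rest of the method was not reviewed.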
|
209
215
|
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.211.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.211.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.211.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debase
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|