dependabot-npm_and_yarn 0.210.0 → 0.211.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f32509e40630064ea93f09ba03d6fdba1708f4ee2df52212c6a5b54b0e409b7a
4
- data.tar.gz: f7a7c308a5d4a611951a86caebfa0801e52e1602028b2f2d802a0adad9c1f1d6
3
+ metadata.gz: 5a59daca8d3197603d1310f3e9441dbcaf008aede06905fdb6ce6464a2a729bf
4
+ data.tar.gz: 1fa8b86f5de495b7fa09ee5ad9e3ca50916c152ea4350763e36580309f73491d
5
5
  SHA512:
6
- metadata.gz: 46e55f1257f55e6259c008fbf556268f73ff32727d97e43b667d78e3b0fbdc3db5b5d34e8b728bc68258612189e48d61885639fa814a27f2be574e95f25814f6
7
- data.tar.gz: b727eb53be0c36249e2b80ae07abc9568e787a39aa1cddbd0f68b1691fa9d4c7d068a0e440aa770fe255c3b03d43b8d08c61dc5bb4523dd8ce2d6784c7c8a841
6
+ metadata.gz: '080b0ecf1699841eb2f2830bc29c962732abb6eb704b50d3ac9f64a165eea2f860ad9112eb0a5a2367918d324e408e187883c63d027bb7502c17be2146413657'
7
+ data.tar.gz: 3cec11a3e2321e639d455cc3df562b51a5ed9a22a197ba6d5a210d9dd63a2a1f6b65099c9bbe5c00b469442f415c6790a898a16ea54589d85468ed45f3183d56
@@ -15,9 +15,10 @@ module Dependabot
15
15
  module NpmAndYarn
16
16
  class UpdateChecker < Dependabot::UpdateCheckers::Base
17
17
  class VulnerabilityAuditor
18
- def initialize(dependency_files:, credentials:)
18
+ def initialize(dependency_files:, credentials:, allow_removal: false)
19
19
  @dependency_files = dependency_files
20
20
  @credentials = credentials
21
+ @allow_removal = allow_removal
21
22
  end
22
23
 
23
24
  # Finds any dependencies in the `package-lock.json` or `npm-shrinkwrap.json` that have
@@ -96,7 +97,7 @@ module Dependabot
96
97
 
97
98
  def validate_audit_result(audit_result, security_advisories)
98
99
  return :fix_unavailable unless audit_result["fix_available"]
99
- return :vulnerable_dependency_removed if vulnerable_dependency_removed?(audit_result)
100
+ return :vulnerable_dependency_removed if !@allow_removal && vulnerable_dependency_removed?(audit_result)
100
101
  return :dependency_still_vulnerable if dependency_still_vulnerable?(audit_result, security_advisories)
101
102
  return :downgrades_dependencies if downgrades_dependencies?(audit_result)
102
103
 
@@ -108,6 +109,9 @@ module Dependabot
108
109
  end
109
110
 
110
111
  def dependency_still_vulnerable?(audit_result, security_advisories)
112
+ # vulnerable depenendency is removed if the target version is nil
113
+ return false unless audit_result["target_version"]
114
+
111
115
  version = Version.new(audit_result["target_version"])
112
116
  security_advisories.any? { |a| a.vulnerable?(version) }
113
117
  end
@@ -121,6 +125,8 @@ module Dependabot
121
125
  end
122
126
 
123
127
  def downgrades_version?(current_version, target_version)
128
+ return false unless target_version
129
+
124
130
  current = Version.new(current_version)
125
131
  target = Version.new(target_version)
126
132
  current > target
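Review bot: The new `allow_removal:` keyword added to `initialize` on line 44 is undocumented, and it changes what this auditor accepts as a fix, so the class comment should say so: `# allow_removal: when true, an audit whose fix removes the vulnerable (transitive) dependency entirely is accepted instead of being rejected with :vulnerable_dependency_removed`. That contract is what `validate_audit_result` now implements on line 75, and it is why `dependency_still_vulnerable?` and `downgrades_version?` learned to treat a nil `target_version` as "removed" on lines 98 and 121. The comment introduced on line 96 also has a typo; it should read `# vulnerable dependency is removed if the target version is nil`. The enclosing `VulnerabilityAuditor` class starts before and ends after these hunks.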
@@ -111,7 +111,8 @@ module Dependabot
111
111
  @vulnerability_audit ||=
112
112
  VulnerabilityAuditor.new(
113
113
  dependency_files: dependency_files,
114
- credentials: credentials
114
+ credentials: credentials,
115
+ allow_removal: @options.key?(:npm_transitive_dependency_removal)
115
116
  ).audit(
116
117
  dependency: dependency,
117
118
  security_advisories: security_advisories
@@ -141,6 +142,7 @@ module Dependabot
141
142
  map { |update_details| build_updated_dependency(update_details) }
142
143
  end
143
144
 
145
+ # rubocop:disable Metrics/AbcSize
144
146
  def conflicting_updated_dependencies
145
147
  top_level_dependencies = top_level_dependency_lookup
146
148
 
@@ -148,27 +150,29 @@ module Dependabot
148
150
  vulnerability_audit["fix_updates"].each do |update|
149
151
  dependency_name = update["dependency_name"]
150
152
  requirements = top_level_dependencies[dependency_name]&.requirements || []
151
- conflicting_dep = Dependency.new(
152
- name: dependency_name,
153
- package_manager: "npm_and_yarn",
154
- requirements: requirements
155
- )
156
153
 
157
154
  updated_deps << build_updated_dependency(
158
- dependency: conflicting_dep,
155
+ dependency: Dependency.new(
156
+ name: dependency_name,
157
+ package_manager: "npm_and_yarn",
158
+ requirements: requirements
159
+ ),
159
160
  version: update["target_version"],
160
161
  previous_version: update["current_version"]
161
162
  )
162
163
  end
164
+ # rubocop:enable Metrics/AbcSize
163
165
 
164
166
  # We don't need to update this but need to include it so it's described
165
167
  # in the PR and we'll pass validation that this dependency is at a
166
168
  # non-vulnerable version.
167
169
  if updated_deps.none? { |dep| dep.name == dependency.name }
170
+ target_version = vulnerability_audit["target_version"]
168
171
  updated_deps << build_updated_dependency(
169
172
  dependency: dependency,
170
- version: vulnerability_audit["target_version"],
171
- previous_version: dependency.version
173
+ version: target_version,
174
+ previous_version: dependency.version,
175
+ removed: target_version.nil?
172
176
  )
173
177
  end
174
178
 
@@ -189,7 +193,8 @@ module Dependabot
189
193
 
190
194
  def build_updated_dependency(update_details)
191
195
  original_dep = update_details.fetch(:dependency)
192
- version = update_details.fetch(:version).to_s
196
+ removed = update_details.fetch(:removed, false)
197
+ version = update_details.fetch(:version).to_s unless removed
193
198
  previous_version = update_details.fetch(:previous_version)&.to_s
194
199
 
195
200
  Dependency.new(
@@ -203,7 +208,8 @@ module Dependabot
203
208
  ).updated_requirements,
204
209
  previous_version: previous_version,
205
210
  previous_requirements: original_dep.requirements,
206
- package_manager: original_dep.package_manager
211
+ package_manager: original_dep.package_manager,
212
+ removed: removed
207
213
  )
208
214
  end
209
215
 
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.210.0
4
+ version: 0.211.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.210.0
19
+ version: 0.211.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.210.0
26
+ version: 0.211.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debase
29
29
  requirement: !ruby/object:Gem::Requirement