RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.212.0 → 0.213.0 - Mend

dependabot-npm_and_yarn 0.212.0 → 0.213.0

Files changed (27) hide show

data/lib/dependabot/npm_and_yarn/update_checker.rb CHANGED Viewed

@@ -4,6 +4,7 @@ require "dependabot/git_commit_checker"
 require "dependabot/update_checkers"
 require "dependabot/update_checkers/base"
 require "dependabot/shared_helpers"
+require "set"
 module Dependabot
   module NpmAndYarn
@@ -16,6 +17,20 @@ module Dependabot
       require_relative "update_checker/conflicting_dependency_resolver"
       require_relative "update_checker/vulnerability_auditor"
+      def up_to_date?
+        return false if security_update? &&
+                        dependency.version &&
+                        version_class.correct?(dependency.version) &&
+                        vulnerable_versions.any? &&
+                        !vulnerable_versions.include?(version_class.new(dependency.version))
+        super
+      end
+      def vulnerable?
+        super || vulnerable_versions.any?
+      end
       def latest_version
         @latest_version ||=
           if git_dependency?
@@ -46,8 +61,8 @@ module Dependabot
         raise "Dependency not vulnerable!" unless vulnerable?
         # NOTE: we currently don't resolve transitive/sub-dependencies as
         # npm/yarn don't provide any control over updating to a specific
-        # sub-dependency
-        return latest_resolvable_version unless dependency.top_level?
+        # sub-dependency version
+        return latest_resolvable_transitive_security_fix_version_with_no_unlock unless dependency.top_level?
         # TODO: Might want to check resolvability here?
         lowest_security_fix_version
@@ -96,13 +111,19 @@ module Dependabot
       end
       def conflicting_dependencies
-        ConflictingDependencyResolver.new(
+        conflicts = ConflictingDependencyResolver.new(
           dependency_files: dependency_files,
           credentials: credentials
         ).conflicting_dependencies(
           dependency: dependency,
           target_version: lowest_security_fix_version
         )
+        vulnerable = [vulnerability_audit].select do |hash|
+          !hash["fix_available"] && hash["explanation"]
+        end
+        conflicts + vulnerable
       end
       private
@@ -119,24 +140,30 @@ module Dependabot
           )
       end
+      def vulnerable_versions
+        @vulnerable_versions ||=
+          begin
+            all_versions = dependency.all_versions.
+                           filter_map { |v| version_class.new(v) if version_class.correct?(v) }
+            all_versions.select do |v|
+              security_advisories.any? { |advisory| advisory.vulnerable?(v) }
+            end
+          end
+      end
       def latest_version_resolvable_with_full_unlock?
         return false unless latest_version
         return version_resolver.latest_version_resolvable_with_full_unlock? if dependency.top_level?
-        return false unless transitive_security_updates_enabled? && security_advisories.any?
+        return false unless security_advisories.any?
         vulnerability_audit["fix_available"]
       end
-      def transitive_security_updates_enabled?
-        options.key?(:npm_transitive_security_updates)
-      end
       def updated_dependencies_after_full_unlock
-        if !dependency.top_level? && transitive_security_updates_enabled? && security_advisories.any?
-          return conflicting_updated_dependencies
-        end
+        return conflicting_updated_dependencies if !dependency.top_level? && security_advisories.any?
         version_resolver.dependency_updates_from_full_unlock.
           map { |update_details| build_updated_dependency(update_details) }
@@ -163,16 +190,18 @@ module Dependabot
         end
         # rubocop:enable Metrics/AbcSize
-        # We don't need to update this but need to include it so it's described
-        # in the PR and we'll pass validation that this dependency is at a
-        # non-vulnerable version.
+        # We don't need to directly update the target dependency if it will
+        # be updated as a side effect of updating the parent. However, we need
+        # to include it so it's described in the PR and we'll pass validation
+        # that this dependency is at a non-vulnerable version.
         if updated_deps.none? { |dep| dep.name == dependency.name }
           target_version = vulnerability_audit["target_version"]
           updated_deps << build_updated_dependency(
             dependency: dependency,
             version: target_version,
             previous_version: dependency.version,
-            removed: target_version.nil?
+            removed: target_version.nil?,
+            metadata: { information_only: true } # Instruct updater to not directly update this dependency
           )
         end
@@ -196,23 +225,35 @@ module Dependabot
         removed = update_details.fetch(:removed, false)
         version = update_details.fetch(:version).to_s unless removed
         previous_version = update_details.fetch(:previous_version)&.to_s
+        metadata = update_details.fetch(:metadata, {})
         Dependency.new(
           name: original_dep.name,
           version: version,
           requirements: RequirementsUpdater.new(
             requirements: original_dep.requirements,
-            updated_source: original_dep == dependency ? updated_source : nil,
+            updated_source: original_dep == dependency ? updated_source : original_source(original_dep),
             latest_resolvable_version: version,
             update_strategy: requirements_update_strategy
           ).updated_requirements,
           previous_version: previous_version,
           previous_requirements: original_dep.requirements,
           package_manager: original_dep.package_manager,
-          removed: removed
+          removed: removed,
+          metadata: metadata
         )
       end
+      def latest_resolvable_transitive_security_fix_version_with_no_unlock
+        fix_possible = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(
+          [latest_resolvable_version].compact,
+          security_advisories
+        ).any?
+        return nil unless fix_possible
+        latest_resolvable_version
+      end
       def latest_resolvable_version_with_no_unlock_for_git_dependency
         reqs = dependency.requirements.filter_map do |r|
           next if r.fetch(:requirement).nil?
@@ -365,12 +406,24 @@ module Dependabot
         return true if dependency_files.any? { |f| f.name == "lerna.json" }
         @library =
-          LibraryDetector.new(package_json_file: package_json).library?
+          LibraryDetector.new(
+            package_json_file: package_json,
+            credentials: credentials,
+            dependency_files: dependency_files
+          ).library?
+      end
+      def security_update?
+        security_advisories.any?
       end
       def dependency_source_details
+        original_source(dependency)
+      end
+      def original_source(updated_dependency)
         sources =
-          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact.
+          updated_dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact.
           sort_by { |source| RegistryFinder.central_registry?(source[:url]) ? 1 : 0 }
         sources.first

data/lib/dependabot/npm_and_yarn/version.rb CHANGED Viewed

@@ -15,7 +15,7 @@ module Dependabot
       attr_reader :build_info
       VERSION_PATTERN = Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?'
-      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/.freeze
+      ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
       def self.correct?(version)
         version = version.gsub(/^v/, "") if version.is_a?(String)

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.212.0
+  version: 0.213.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-06 00:00:00.000000000 Z
+date: 2022-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,42 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.212.0
+        version: 0.213.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.212.0
-- !ruby/object:Gem::Dependency
-  name: debase
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.2.3
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.2.3
-- !ruby/object:Gem::Dependency
-  name: debase-ruby_core_source
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.10.16
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 0.10.16
+        version: 0.213.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.12.0
+        version: 3.13.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.12.0
+        version: 3.13.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -142,42 +114,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.36.0
+        version: 1.37.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.36.0
+        version: 1.37.1
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.14.2
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.14.2
-- !ruby/object:Gem::Dependency
-  name: ruby-debug-ide
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 1.15.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.7.3
+        version: 1.15.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -350,14 +308,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.1.0
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: JS support for dependabot