dependabot-npm_and_yarn 0.212.0 → 0.214.0
- checksums.yaml +4 -4
- data/helpers/.eslintrc +1 -1
- data/helpers/README.md +2 -2
- data/helpers/lib/npm/vulnerability-auditor.js +7 -7
- data/helpers/package-lock.json +2781 -2547
- data/helpers/package.json +5 -5
- data/helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested/package-lock.json +3 -3
- data/lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb +11 -2
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +90 -5
- data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb +15 -4
- data/lib/dependabot/npm_and_yarn/file_parser.rb +15 -6
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +35 -21
- data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb +86 -7
- data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb +2 -2
- data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +96 -32
- data/lib/dependabot/npm_and_yarn/file_updater.rb +53 -1
- data/lib/dependabot/npm_and_yarn/helpers.rb +94 -0
- data/lib/dependabot/npm_and_yarn/package_name.rb +2 -2
- data/lib/dependabot/npm_and_yarn/requirement.rb +3 -3
- data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb +43 -1
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +13 -14
- data/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb +16 -3
- data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb +77 -23
- data/lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb +3 -4
- data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb +19 -4
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +74 -30
- data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb +33 -8
- data/lib/dependabot/npm_and_yarn/update_checker.rb +76 -21
- data/lib/dependabot/npm_and_yarn/version.rb +1 -1
- data/lib/dependabot/npm_and_yarn.rb +2 -0
- metadata +13 -56
- data/lib/dependabot/npm_and_yarn/file_parser/yarn_lockfile_parser.rb +0 -59
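--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6f056274186e20cfd09b6ed8bbf84249b6676461533bb76de51ecf4025e189a6
+data.tar.gz: 4e30b85987104e3d79fb89d62d51e2dbff8c57337700b6a646633feaae47aadf
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: fa8d78e12bb014909be03e084887d429f9bd2295d69f6cff6df0f9058c4a8e49e19c465470659010917be9c13c7a95a57ad970b2875e0be8fb2b050755b89a84
+data.tar.gz: 54d9510b40145d16a62453ef2613503fcc87f336c14bd5a0809c71dfa99242cc91c3722504d87d737af3a0213ecc2383081a129a459124dc2079df91009a4ac9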
data/helpers/.eslintrc
CHANGED
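--- a/data/helpers/README.md
+++ b/data/helpers/README.md
@@ -24,6 +24,6 @@ yarn test path/to/test.js
 In order to run an interactive debugger:
 
 - `node --inspect-brk node_modules/.bin/jest --runInBand path/to/test/test.js`
-- In Chrome,
+- In Chrome, navigate to `chrome://inspect`
 - Click `Open dedicated DevTools for Node`
-- You'll now be able to interactively debug using the
+- You'll now be able to interactively debug using the Chrome dev tools.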
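--- a/data/helpers/lib/npm/vulnerability-auditor.js
+++ b/data/helpers/lib/npm/vulnerability-auditor.js
@@ -139,11 +139,6 @@ async function findVulnerableDependencies(directory, advisories) {
 }
 
 function convertAdvisoriesToRegistryBulkFormat(advisories) {
-// npm audit differentiates advisories by `id`. In order to prevent
-// advisories from being clobbered, we maintain a counter so that each
-// advisory gets a unique `id`.
-let nextAdvisoryId = 1
-
 return advisories.reduce((formattedAdvisories, advisory) => {
 if (!formattedAdvisories[advisory.dependency_name]) {
 formattedAdvisories[advisory.dependency_name] = []
@@ -151,7 +146,7 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
 let formattedVersions =
 advisory.affected_versions.reduce((memo, version) => {
 memo.push({
-id:
+id: Math.floor(Math.random() * Number.MAX_SAFE_INTEGER),
 vulnerable_versions: version
 })
 return memo
@@ -192,7 +187,12 @@ function buildDependencyChains(auditReport, name) {
 }
 if (auditReport.has(node.name)) {
 const vuln = auditReport.get(node.name)
-
+if (vuln.isVulnerable(node)) {
+return [{ fixAvailable: vuln.fixAvailable, nodes: [node, ...chain.nodes] }]
+} else if (node.name == name) {
+// This is a non-vulnerable version of the advisory dependency; end path.
+return []
+}
 }
 if (!node.edgesOut.size) {
 // This is a leaf node that is unaffected by the vuln; end path.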
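Review bot: The `id` assigned on the new line 149 is a `Math.random()` draw, so the advisory ids that npm audit keys on are only probabilistically distinct and change on every run, whereas the counter and comment the first hunk removes guaranteed uniqueness and repeatable output; nothing in the hunk detects or handles a collision. If the counter was dropped because it restarted at 1 on each call (presumably this function runs more than once per process — can't tell from here), a file-scope `let nextAdvisoryId = 1` with `id: nextAdvisoryId++,` here keeps the guarantee without the nondeterminism, and the removed three-line comment explaining why ids must be unique should be restored above whichever option is kept. In the third hunk, `} else if (node.name === name) {` is preferable to the loose `==`. convertAdvisoriesToRegistryBulkFormat continues past the end of the second hunk.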