dependabot-npm_and_yarn 0.214.0 → 0.216.0

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -95,7 +95,7 @@ module Dependabot
           requirement: requirement,
           manifest_name: file.name
         )
-        version = version_for(name, requirement, file.name)
+        version = version_for(requirement, lockfile_details)
 
         return if lockfile_details && !version
         return if ignore_requirement?(requirement)
@@ -116,7 +116,7 @@ module Dependabot
             requirement: requirement_for(requirement),
             file: file.name,
             groups: [type],
-            source: source_for(name, requirement, file.name)
+            source: source_for(name, requirement, lockfile_details)
           }]
         )
       end
@@ -165,29 +165,21 @@ module Dependabot
           package_files.filter_map { |f| JSON.parse(f.content)["name"] }
       end
 
-      def version_for(name, requirement, manifest_name)
+      def version_for(requirement, lockfile_details)
         if git_url_with_semver?(requirement)
-          semver_version = semver_version_for(name, requirement, manifest_name)
+          semver_version = semver_version_for(lockfile_details)
           return semver_version if semver_version
 
-          git_revision = git_revision_for(name, requirement, manifest_name)
+          git_revision = git_revision_for(lockfile_details)
           version_from_git_revision(requirement, git_revision) || git_revision
         elsif git_url?(requirement)
-          git_revision_for(name, requirement, manifest_name)
+          git_revision_for(lockfile_details)
         else
-          semver_version_for(name, requirement, manifest_name)
+          semver_version_for(lockfile_details)
         end
       end
 
-      def git_revision_for(name, requirement, manifest_name)
-        return unless git_url?(requirement)
-
-        lockfile_details = lockfile_parser.lockfile_details(
-          dependency_name: name,
-          requirement: requirement,
-          manifest_name: manifest_name
-        )
-
+      def git_revision_for(lockfile_details)
         [
           lockfile_details&.fetch("version", nil)&.split("#")&.last,
           lockfile_details&.fetch("resolved", nil)&.split("#")&.last,
@@ -224,29 +216,13 @@ module Dependabot
         nil
       end
 
-      def semver_version_for(name, requirement, manifest_name)
-        lock_version = lockfile_parser.lockfile_details(
-          dependency_name: name,
-          requirement: requirement,
-          manifest_name: manifest_name
-        )&.fetch("version", nil)
-
-        # This line is to guard against improperly formatted versions in a
-        # lockfile, such as additional characters. NPM/yarn fixes these when
-        # running an update, so we can safely ignore these versions.
-        return unless version_class.correct?(lock_version)
-
-        lock_version
+      def semver_version_for(lockfile_details)
+        version_class.semver_for(lockfile_details&.fetch("version", ""))
       end
 
-      def source_for(name, requirement, manifest_name)
+      def source_for(name, requirement, lockfile_details)
         return git_source_for(requirement) if git_url?(requirement)
 
-        lockfile_details = lockfile_parser.lockfile_details(
-          dependency_name: name,
-          requirement: requirement,
-          manifest_name: manifest_name
-        )
         resolved_url = lockfile_details&.fetch("resolved", nil)
 
         resolution = lockfile_details&.fetch("resolution", nil)
@@ -313,11 +289,22 @@ module Dependabot
       end
 
       def url_for_relevant_cred(resolved_url)
+        resolved_url_host = URI(resolved_url).host
+
         credential_matching_url =
           credentials.
           select { |cred| cred["type"] == "npm_registry" }.
           sort_by { |cred| cred["registry"].length }.
-          find { |details| resolved_url.include?(details["registry"]) }
+          find do |details|
+            next true if resolved_url_host == details["registry"]
+
+            uri = if details["registry"]&.include?("://")
+                    URI(details["registry"])
+                  else
+                    URI("https://#{details['registry']}")
+                  end
+            resolved_url_host == uri.host
+          end
 
         return unless credential_matching_url
 

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -176,36 +176,28 @@ module Dependabot
             dependency_in_package_json?(dependency)
           end
 
-          # NOTE: When updating a dependency in a nested workspace project we
-          # need to run `npm install` without any arguments to update the root
-          # level lockfile after having updated the nested packages package.json
-          # requirement, otherwise npm will add the dependency as a new
-          # top-level dependency to the root lockfile.
-          install_args = ""
-          if dependencies_in_current_package_json
-            # TODO: Update the npm 6 updater to use these args as we currently
-            # do the same in the js updater helper, we've kept it seperate for
-            # the npm 7 rollout
-            install_args = top_level_dependencies.map { |dependency| npm_install_args(dependency) }
-          end
-
-          # NOTE: npm options
-          # - `--force` ignores checks for platform (os, cpu) and engines
-          # - `--dry-run=false` the updater sets a global .npmrc with dry-run:
-          #   true to work around an issue in npm 6, we don't want that here
-          # - `--ignore-scripts` disables prepare and prepack scripts which are
-          #   run when installing git dependencies
-          command = [
-            "npm",
-            "install",
-            *install_args,
-            "--force",
-            "--dry-run",
-            "false",
-            "--ignore-scripts",
-            "--package-lock-only"
-          ].join(" ")
-          SharedHelpers.run_shell_command(command)
+          unless dependencies_in_current_package_json
+            # NOTE: When updating a dependency in a nested workspace project, npm
+            # will add the dependency as a new top-level dependency to the root
+            # lockfile. To overcome this, we save the content before the update,
+            # and then re-run `npm install` after the update against the previous
+            # content to remove that
+            previous_package_json = File.read(package_json.name)
+          end
+
+          # TODO: Update the npm 6 updater to use these args as we currently
+          # do the same in the js updater helper, we've kept it separate for
+          # the npm 7 rollout
+          install_args = top_level_dependencies.map { |dependency| npm_install_args(dependency) }
+
+          run_npm_install_lockfile_only(*install_args)
+
+          unless dependencies_in_current_package_json
+            File.write(package_json.name, previous_package_json)
+
+            run_npm_install_lockfile_only
+          end
+
           { lockfile_basename => File.read(lockfile_basename) }
         end
 
@@ -223,7 +215,7 @@ module Dependabot
 
         def run_npm8_subdependency_updater(sub_dependencies:)
           dependency_names = sub_dependencies.map(&:name)
-          SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command(dependency_names))
+          NativeHelpers.run_npm8_subdependency_update_command(dependency_names)
           { lockfile_basename => File.read(lockfile_basename) }
         end
 
@@ -244,6 +236,41 @@ module Dependabot
             end
         end
 
+        # Runs `npm install` with `--package-lock-only` flag to update the
+        # lockfiile.
+        #
+        # Other npm flags:
+        # - `--force` ignores checks for platform (os, cpu) and engines
+        # - `--dry-run=false` the updater sets a global .npmrc with `dry-run: true`
+        #   to work around an issue in npm 6, we don't want that here
+        # - `--ignore-scripts` disables prepare and prepack scripts which are
+        #   run when installing git dependencies
+        def run_npm_install_lockfile_only(*install_args)
+          command = [
+            "npm",
+            "install",
+            *install_args,
+            "--force",
+            "--dry-run",
+            "false",
+            "--ignore-scripts",
+            "--package-lock-only"
+          ].join(" ")
+
+          fingerprint = [
+            "npm",
+            "install",
+            install_args.empty? ? "" : "<install_args>",
+            "--force",
+            "--dry-run",
+            "false",
+            "--ignore-scripts",
+            "--package-lock-only"
+          ].join(" ")
+
+          SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+        end
+
         def npm_install_args(dependency)
           git_requirement = dependency.requirements.find { |req| req[:source] && req[:source][:type] == "git" }
 

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -149,16 +149,18 @@ module Dependabot
           # lockfile in the right state. Otherwise we'll need to manually update
           # the lockfile.
 
-          command = if top_level_dependency_updates.all? { |dep| requirements_changed?(dep[:name]) }
-                      "yarn install #{Helpers.yarn_berry_args}".strip
-                    else
-                      updates = top_level_dependency_updates.collect do |dep|
-                        dep[:name]
-                      end
-
-                      "yarn up -R #{updates.join(' ')} #{Helpers.yarn_berry_args}".strip
-                    end
-          Helpers.run_yarn_commands(command)
+          if top_level_dependency_updates.all? { |dep| requirements_changed?(dep[:name]) }
+            Helpers.run_yarn_command("yarn install #{yarn_berry_args}".strip)
+          else
+            updates = top_level_dependency_updates.collect do |dep|
+              dep[:name]
+            end
+
+            Helpers.run_yarn_command(
+              "yarn up -R #{updates.join(' ')} #{yarn_berry_args}".strip,
+              fingerprint: "yarn up -R <dependency_names> #{yarn_berry_args}".strip
+            )
+          end
           { yarn_lock.name => File.read(yarn_lock.name) }
         end
 
@@ -171,14 +173,20 @@ module Dependabot
           dep = sub_dependencies.first
           update = "#{dep.name}@#{dep.version}"
 
-          Helpers.run_yarn_commands(
-            "yarn add #{update} #{Helpers.yarn_berry_args}".strip,
-            "yarn dedupe #{dep.name} #{Helpers.yarn_berry_args}".strip,
-            "yarn remove #{dep.name} #{Helpers.yarn_berry_args}".strip
-          )
+          commands = [
+            ["yarn add #{update} #{yarn_berry_args}".strip, "yarn add <update> #{yarn_berry_args}".strip],
+            ["yarn dedupe #{dep.name} #{yarn_berry_args}".strip, "yarn dedupe <dep_name> #{yarn_berry_args}".strip],
+            ["yarn remove #{dep.name} #{yarn_berry_args}".strip, "yarn remove <dep_name> #{yarn_berry_args}".strip]
+          ]
+
+          Helpers.run_yarn_commands(*commands)
           { yarn_lock.name => File.read(yarn_lock.name) }
         end
 
+        def yarn_berry_args
+          Helpers.yarn_berry_args
+        end
+
         def run_yarn_top_level_updater(top_level_dependency_updates:)
           SharedHelpers.run_helper_subprocess(
             command: NativeHelpers.helper_path,
@@ -195,7 +203,7 @@ module Dependabot
           SharedHelpers.run_helper_subprocess(
             command: NativeHelpers.helper_path,
             function: "yarn:updateSubdependency",
-            args: [Dir.pwd, lockfile_name, sub_dependencies.first.to_h]
+            args: [Dir.pwd, lockfile_name, sub_dependencies.map(&:to_h)]
           )
         end
 
@@ -358,6 +366,25 @@ module Dependabot
             updated_content = sanitized_package_json_content(updated_content)
             File.write(file.name, updated_content)
           end
+
+          clean_npmrc_in_path(yarn_lock)
+        end
+
+        def clean_npmrc_in_path(yarn_lock)
+          # Berry does not read npmrc files.
+          return if Helpers.yarn_berry?(yarn_lock)
+
+          # Find .npmrc files in parent directories and remove variables in them
+          # to avoid errors when running yarn 1.
+          dirs = Dir.getwd.split("/")
+          dirs.pop
+          while dirs.any?
+            npmrc = dirs.join("/") + "/.npmrc"
+            break unless File.exist?(npmrc)
+
+            File.write(npmrc, File.read(npmrc).gsub(/\$\{.*\}/, ""))
+            dirs.pop
+          end
         end
 
         def write_lockfiles

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -64,10 +64,7 @@ module Dependabot
         pnp_updater.updated_vendor_cache_files(base_directory: base_dir).each do |file|
           updated_files << file if file.name == ".pnp.cjs" || file.name == ".pnp.data.json"
         end
-        # updated .pnp.cjs means zero install, include cache
-        if updated_files.find { |f| f.name == ".pnp.cjs" }
-          vendor_updater.updated_vendor_cache_files(base_directory: base_dir).each { |file| updated_files << file }
-        end
+        vendor_updater.updated_vendor_cache_files(base_directory: base_dir).each { |file| updated_files << file }
         install_state_updater.updated_vendor_cache_files(base_directory: base_dir).each do |file|
           updated_files << file
         end

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -40,19 +40,32 @@ module Dependabot
         File.exist?(".pnp.cjs")
       end
 
+      def self.yarn_offline_cache?
+        yarn_cache_dir = fetch_yarnrc_yml_value("cacheFolder", ".yarn/cache")
+        File.exist?(yarn_cache_dir) && (fetch_yarnrc_yml_value("nodeLinker", "") == "node-modules")
+      end
+
       def self.yarn_berry_args
         if yarn_major_version == 2
           ""
-        elsif yarn_major_version >= 3 && yarn_zero_install?
+        elsif yarn_berry_skip_build?
           "--mode=skip-build"
         else
+          # We only want this mode if the cache is not being updated/managed
+          # as this improperly leaves old versions in the cache
           "--mode=update-lockfile"
         end
       end
 
+      def self.yarn_berry_skip_build?
+        yarn_major_version >= 3 && (yarn_zero_install? || yarn_offline_cache?)
+      end
+
       def self.setup_yarn_berry
         # Always disable immutable installs so yarn's CI detection doesn't prevent updates.
         SharedHelpers.run_shell_command("yarn config set enableImmutableInstalls false")
+        # Do not generate a cache if offline cache disabled. Otherwise side effects may confuse further checks
+        SharedHelpers.run_shell_command("yarn config set enableGlobalCache true") unless yarn_berry_skip_build?
         # We never want to execute postinstall scripts, either set this config or mode=skip-build must be set
         if yarn_major_version == 2 || !yarn_zero_install?
           SharedHelpers.run_shell_command("yarn config set enableScripts false")
@@ -78,13 +91,13 @@ module Dependabot
       # contain malicious code.
       def self.run_yarn_commands(*commands)
         setup_yarn_berry
-        commands.each { |cmd| SharedHelpers.run_shell_command(cmd) }
+        commands.each { |cmd, fingerprint| SharedHelpers.run_shell_command(cmd, fingerprint: fingerprint) }
       end
 
       # Run a single yarn command returning stdout/stderr
-      def self.run_yarn_command(command)
+      def self.run_yarn_command(command, fingerprint: nil)
         setup_yarn_berry
-        SharedHelpers.run_shell_command(command)
+        SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
       end
 
       def self.dependencies_with_all_versions_metadata(dependency_set)

data/lib/dependabot/npm_and_yarn/native_helpers.rb

@@ -14,14 +14,14 @@ module Dependabot
         File.join(__dir__, "../../../helpers")
       end
 
-      def self.npm8_subdependency_update_command(dependency_names)
+      def self.run_npm8_subdependency_update_command(dependency_names)
         # NOTE: npm options
         # - `--force` ignores checks for platform (os, cpu) and engines
         # - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to
         #   work around an issue in npm 6, we don't want that here
         # - `--ignore-scripts` disables prepare and prepack scripts which are run
         #   when installing git dependencies
-        [
+        command = [
           "npm",
           "update",
           *dependency_names,
@@ -31,6 +31,19 @@ module Dependabot
           "--ignore-scripts",
           "--package-lock-only"
         ].join(" ")
+
+        fingerprint = [
+          "npm",
+          "update",
+          "<dependency_names>",
+          "--force",
+          "--dry-run",
+          "false",
+          "--ignore-scripts",
+          "--package-lock-only"
+        ].join(" ")
+
+        SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
       end
     end
   end

data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb

@@ -42,6 +42,12 @@ module Dependabot
             select { |f| f.name.end_with?("yarn.lock") }
         end
 
+        def root_yarn_lock
+          @root_yarn_lock ||=
+            dependency_files.
+            find { |f| f.name == "yarn.lock" }
+        end
+
         def shrinkwraps
           @shrinkwraps ||=
             dependency_files.

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -95,7 +95,7 @@ module Dependabot
               SharedHelpers.run_helper_subprocess(
                 command: NativeHelpers.helper_path,
                 function: "yarn:updateSubdependency",
-                args: [Dir.pwd, lockfile_name]
+                args: [Dir.pwd, lockfile_name, [dependency.to_h]]
               )
             end
           end
@@ -116,8 +116,9 @@ module Dependabot
         def run_yarn_berry_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
-              Helpers.run_yarn_commands(
-                "yarn up -R #{dependency.name} #{Helpers.yarn_berry_args}".strip
+              Helpers.run_yarn_command(
+                "yarn up -R #{dependency.name} #{Helpers.yarn_berry_args}".strip,
+                fingerprint: "yarn up -R <dependency_name> #{Helpers.yarn_berry_args}".strip
               )
               { lockfile_name => File.read(lockfile_name) }
             end
@@ -130,7 +131,7 @@ module Dependabot
               npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile_content)
 
               if npm_version == "npm8"
-                SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command([dependency.name]))
+                NativeHelpers.run_npm8_subdependency_update_command([dependency.name])
                 { lockfile_name => File.read(lockfile_name) }
               else
                 SharedHelpers.run_helper_subprocess(

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb

@@ -27,13 +27,12 @@ module Dependabot
         }.freeze
 
         # Error message from yarn add:
-        # " > @reach/router@1.2.1" has incorrect \
-        # peer dependency "react@15.x || 16.x || 16.4.0-alpha.0911da3"
-        # " > react-burger-menu@1.9.9" has unmet \
-        # peer dependency "react@>=0.14.0 <16.0.0".
+        # " > @reach/router@1.2.1" has incorrect peer dependency "react@15.x || 16.x || 16.4.0-alpha.0911da3"
+        # "workspace-aggregator-<random-string> > test > react-dom@15.6.2" has incorrect peer dependency "react@^15.6.2"
+        # " > react-burger-menu@1.9.9" has unmet peer dependency "react@>=0.14.0 <16.0.0"
         YARN_PEER_DEP_ERROR_REGEX =
           /
-            "\s>\s(?<requiring_dep>[^"]+)"\s
+            \s>\s(?<requiring_dep>[^>"]+)"\s
             has\s(incorrect|unmet)\speer\sdependency\s
             "(?<required_dep>[^"]+)"
           /x
@@ -324,8 +323,6 @@ module Dependabot
             filtered_package_files.flat_map do |file|
               path = Pathname.new(file.name).dirname
               run_checker(path: path, version: version)
-            rescue SharedHelpers::HelperSubprocessFailed => e
-              handle_peer_dependency_errors(e)
             end.compact
           end
         rescue SharedHelpers::HelperSubprocessFailed
@@ -488,14 +485,24 @@ module Dependabot
         def run_checker(path:, version:)
           # If there are both yarn lockfiles and npm lockfiles only run the
           # yarn updater
-          lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.yarn_locks, path: path)
-          if lockfiles.any?
-            return run_yarn_berry_checker(path: path, version: version) if Helpers.yarn_berry?(lockfiles.first)
+          yarn_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.yarn_locks, path: path)
+          return run_yarn_checker(path: path, version: version, lockfile: yarn_lockfiles.first) if yarn_lockfiles.any?
 
-            return run_yarn_checker(path: path, version: version)
-          end
+          npm_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.package_locks, path: path)
+          return run_npm_checker(path: path, version: version) if npm_lockfiles.any?
+
+          root_yarn_lock = dependency_files_builder.root_yarn_lock
+          return run_yarn_checker(path: path, version: version, lockfile: root_yarn_lock) if root_yarn_lock
 
           run_npm_checker(path: path, version: version)
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          handle_peer_dependency_errors(e)
+        end
+
+        def run_yarn_checker(path:, version:, lockfile:)
+          return run_yarn_berry_checker(path: path, version: version) if Helpers.yarn_berry?(lockfile)
+
+          run_yarn_classic_checker(path: path, version: version)
         end
 
         def run_yarn_berry_checker(path:, version:)
@@ -519,7 +526,7 @@ module Dependabot
           end
         end
 
-        def run_yarn_checker(path:, version:)
+        def run_yarn_classic_checker(path:, version:)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               SharedHelpers.run_helper_subprocess(

data/lib/dependabot/npm_and_yarn/update_checker.rb

@@ -118,6 +118,7 @@ module Dependabot
           dependency: dependency,
           target_version: lowest_security_fix_version
         )
+        return conflicts unless vulnerability_audit_performed?
 
         vulnerable = [vulnerability_audit].select do |hash|
           !hash["fix_available"] && hash["explanation"]
@@ -128,6 +129,10 @@ module Dependabot
 
       private
 
+      def vulnerability_audit_performed?
+        defined?(@vulnerability_audit)
+      end
+
       def vulnerability_audit
         @vulnerability_audit ||=
           VulnerabilityAuditor.new(
@@ -279,9 +284,7 @@ module Dependabot
 
       def latest_version_for_git_dependency
         @latest_version_for_git_dependency ||=
-          if git_branch_or_ref_in_latest_release?
-            latest_released_version
-          elsif version_class.correct?(dependency.version)
+          if version_class.correct?(dependency.version)
             latest_git_version_details[:version] &&
               version_class.new(latest_git_version_details[:version])
           else
@@ -294,26 +297,9 @@ module Dependabot
           latest_version_finder.latest_version_from_registry
       end
 
-      def should_switch_source_from_git_to_registry?
-        return false unless git_dependency?
-        return false unless git_branch_or_ref_in_latest_release?
-        return false if latest_version_for_git_dependency.nil?
-
-        version_class.correct?(latest_version_for_git_dependency)
-      end
-
-      def git_branch_or_ref_in_latest_release?
-        return false unless latest_released_version
-
-        return @git_branch_or_ref_in_latest_release if defined?(@git_branch_or_ref_in_latest_release)
-
-        @git_branch_or_ref_in_latest_release ||=
-          git_commit_checker.branch_or_ref_in_release?(latest_released_version)
-      end
-
       def latest_version_details
         @latest_version_details ||=
-          if git_dependency? && !should_switch_source_from_git_to_registry?
+          if git_dependency?
             latest_git_version_details
           else
             { version: latest_released_version }
@@ -389,9 +375,6 @@ module Dependabot
         # Never need to update source, unless a git_dependency
         return dependency_source_details unless git_dependency?
 
-        # Source becomes `nil` if switching to default rubygems
-        return nil if should_switch_source_from_git_to_registry?
-
         # Update the git tag if updating a pinned version
         if git_commit_checker.pinned_ref_looks_like_version? &&
            !git_commit_checker.local_tag_for_latest_version.nil?

data/lib/dependabot/npm_and_yarn/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
+require "dependabot/version"
 require "dependabot/utils"
-require "rubygems_version_patch"
 
 # JavaScript pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
 # converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
@@ -11,7 +11,7 @@ require "rubygems_version_patch"
 
 module Dependabot
   module NpmAndYarn
-    class Version < Gem::Version
+    class Version < Dependabot::Version
       attr_reader :build_info
 
       VERSION_PATTERN = Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?'
@@ -25,6 +25,17 @@ module Dependabot
         version.to_s.match?(ANCHORED_VERSION_PATTERN)
       end
 
+      def self.semver_for(version)
+        # The next two lines are to guard against improperly formatted
+        # versions in a lockfile, such as an empty string or additional
+        # characters. NPM/yarn fixes these when running an update, so we can
+        # safely ignore these versions.
+        return if version == ""
+        return unless correct?(version)
+
+        version
+      end
+
       def initialize(version)
         @version_string = version.to_s
         version = version.gsub(/^v/, "") if version.is_a?(String)