dependabot-npm_and_yarn 0.215.0 → 0.216.0

Files changed (25) hide show
  1. checksums.yaml +4 -4
  2. data/helpers/build +1 -1
  3. data/helpers/lib/yarn/subdependency-updater.js +15 -44
  4. data/helpers/package-lock.json +2584 -1559
  5. data/helpers/package.json +7 -8
  6. data/helpers/test/npm6/conflicting-dependency-parser.test.js +1 -2
  7. data/helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested/package-lock.json +3 -3
  8. data/helpers/test/npm6/updater.test.js +1 -2
  9. data/helpers/test/yarn/conflicting-dependency-parser.test.js +1 -2
  10. data/helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested/yarn.lock +3 -3
  11. data/helpers/test/yarn/updater.test.js +1 -2
  12. data/lib/dependabot/npm_and_yarn/file_fetcher.rb +26 -38
  13. data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb +86 -0
  14. data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb +21 -183
  15. data/lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb +80 -0
  16. data/lib/dependabot/npm_and_yarn/file_parser.rb +23 -36
  17. data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +55 -40
  18. data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +20 -1
  19. data/lib/dependabot/npm_and_yarn/helpers.rb +7 -1
  20. data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb +6 -0
  21. data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb +1 -1
  22. data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +20 -13
  23. data/lib/dependabot/npm_and_yarn/update_checker.rb +5 -0
  24. data/lib/dependabot/npm_and_yarn/version.rb +13 -2
  25. metadata +37 -32
@@ -95,7 +95,7 @@ module Dependabot
95
95
  requirement: requirement,
96
96
  manifest_name: file.name
97
97
  )
98
- version = version_for(name, requirement, file.name)
98
+ version = version_for(requirement, lockfile_details)
99
99
 
100
100
  return if lockfile_details && !version
101
101
  return if ignore_requirement?(requirement)
@@ -116,7 +116,7 @@ module Dependabot
116
116
  requirement: requirement_for(requirement),
117
117
  file: file.name,
118
118
  groups: [type],
119
- source: source_for(name, requirement, file.name)
119
+ source: source_for(name, requirement, lockfile_details)
120
120
  }]
121
121
  )
122
122
  end
@@ -165,29 +165,21 @@ module Dependabot
165
165
  package_files.filter_map { |f| JSON.parse(f.content)["name"] }
166
166
  end
167
167
 
168
- def version_for(name, requirement, manifest_name)
168
+ def version_for(requirement, lockfile_details)
169
169
  if git_url_with_semver?(requirement)
170
- semver_version = semver_version_for(name, requirement, manifest_name)
170
+ semver_version = semver_version_for(lockfile_details)
171
171
  return semver_version if semver_version
172
172
 
173
- git_revision = git_revision_for(name, requirement, manifest_name)
173
+ git_revision = git_revision_for(lockfile_details)
174
174
  version_from_git_revision(requirement, git_revision) || git_revision
175
175
  elsif git_url?(requirement)
176
- git_revision_for(name, requirement, manifest_name)
176
+ git_revision_for(lockfile_details)
177
177
  else
178
- semver_version_for(name, requirement, manifest_name)
178
+ semver_version_for(lockfile_details)
179
179
  end
180
180
  end
181
181
 
182
- def git_revision_for(name, requirement, manifest_name)
183
- return unless git_url?(requirement)
184
-
185
- lockfile_details = lockfile_parser.lockfile_details(
186
- dependency_name: name,
187
- requirement: requirement,
188
- manifest_name: manifest_name
189
- )
190
-
182
+ def git_revision_for(lockfile_details)
191
183
  [
192
184
  lockfile_details&.fetch("version", nil)&.split("#")&.last,
193
185
  lockfile_details&.fetch("resolved", nil)&.split("#")&.last,
@@ -224,29 +216,13 @@ module Dependabot
224
216
  nil
225
217
  end
226
218
 
227
- def semver_version_for(name, requirement, manifest_name)
228
- lock_version = lockfile_parser.lockfile_details(
229
- dependency_name: name,
230
- requirement: requirement,
231
- manifest_name: manifest_name
232
- )&.fetch("version", nil)
233
-
234
- # This line is to guard against improperly formatted versions in a
235
- # lockfile, such as additional characters. NPM/yarn fixes these when
236
- # running an update, so we can safely ignore these versions.
237
- return unless version_class.correct?(lock_version)
238
-
239
- lock_version
219
+ def semver_version_for(lockfile_details)
220
+ version_class.semver_for(lockfile_details&.fetch("version", ""))
240
221
  end
241
222
 
242
- def source_for(name, requirement, manifest_name)
223
+ def source_for(name, requirement, lockfile_details)
243
224
  return git_source_for(requirement) if git_url?(requirement)
244
225
 
245
- lockfile_details = lockfile_parser.lockfile_details(
246
- dependency_name: name,
247
- requirement: requirement,
248
- manifest_name: manifest_name
249
- )
250
226
  resolved_url = lockfile_details&.fetch("resolved", nil)
251
227
 
252
228
  resolution = lockfile_details&.fetch("resolution", nil)
@@ -313,11 +289,22 @@ module Dependabot
313
289
  end
314
290
 
315
291
  def url_for_relevant_cred(resolved_url)
292
+ resolved_url_host = URI(resolved_url).host
293
+
316
294
  credential_matching_url =
317
295
  credentials.
318
296
  select { |cred| cred["type"] == "npm_registry" }.
319
297
  sort_by { |cred| cred["registry"].length }.
320
- find { |details| resolved_url.include?(details["registry"]) }
298
+ find do |details|
299
+ next true if resolved_url_host == details["registry"]
300
+
301
+ uri = if details["registry"]&.include?("://")
302
+ URI(details["registry"])
303
+ else
304
+ URI("https://#{details['registry']}")
305
+ end
306
+ resolved_url_host == uri.host
307
+ end
321
308
 
322
309
  return unless credential_matching_url
323
310
 
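Review bot: `URI(resolved_url)` on new line 292 raises `URI::InvalidURIError` when the lockfile's `resolved` value is not a well-formed URI, and `URI(details["registry"])` on line 302 does the same for a credential whose `registry` is not one, whereas the `include?` match it replaces could not raise; since the lockfile is repository-controlled input, both parses belong in a `rescue URI::InvalidURIError` that yields no match, and a `nil` host should also be treated as no match (`next false if resolved_url_host.nil?`) rather than compared. The host comparison itself is a real improvement over substring matching, because a registry name that merely appears in the path or query of an unrelated URL no longer selects that credential, so it is worth keeping. Two smaller points: `resolved_url_host == uri.host` is case-sensitive while hostnames are not (`casecmp?`), and the `&.include?` on line 301 anticipates a `nil` registry that `sort_by { |cred| cred["registry"].length }` two lines above would already have raised on. `url_for_relevant_cred` continues past the hunk.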
@@ -176,48 +176,28 @@ module Dependabot
176
176
  dependency_in_package_json?(dependency)
177
177
  end
178
178
 
179
- # NOTE: When updating a dependency in a nested workspace project we
180
- # need to run `npm install` without any arguments to update the root
181
- # level lockfile after having updated the nested packages package.json
182
- # requirement, otherwise npm will add the dependency as a new
183
- # top-level dependency to the root lockfile.
184
- install_args = ""
185
- if dependencies_in_current_package_json
186
- # TODO: Update the npm 6 updater to use these args as we currently
187
- # do the same in the js updater helper, we've kept it seperate for
188
- # the npm 7 rollout
189
- install_args = top_level_dependencies.map { |dependency| npm_install_args(dependency) }
190
- end
191
-
192
- # NOTE: npm options
193
- # - `--force` ignores checks for platform (os, cpu) and engines
194
- # - `--dry-run=false` the updater sets a global .npmrc with dry-run:
195
- # true to work around an issue in npm 6, we don't want that here
196
- # - `--ignore-scripts` disables prepare and prepack scripts which are
197
- # run when installing git dependencies
198
- command = [
199
- "npm",
200
- "install",
201
- *install_args,
202
- "--force",
203
- "--dry-run",
204
- "false",
205
- "--ignore-scripts",
206
- "--package-lock-only"
207
- ].join(" ")
179
+ unless dependencies_in_current_package_json
180
+ # NOTE: When updating a dependency in a nested workspace project, npm
181
+ # will add the dependency as a new top-level dependency to the root
182
+ # lockfile. To overcome this, we save the content before the update,
183
+ # and then re-run `npm install` after the update against the previous
184
+ # content to remove that
185
+ previous_package_json = File.read(package_json.name)
186
+ end
208
187
 
209
- fingerprint = [
210
- "npm",
211
- "install",
212
- "<install_args>",
213
- "--force",
214
- "--dry-run",
215
- "false",
216
- "--ignore-scripts",
217
- "--package-lock-only"
218
- ].join(" ")
188
+ # TODO: Update the npm 6 updater to use these args as we currently
189
+ # do the same in the js updater helper, we've kept it separate for
190
+ # the npm 7 rollout
191
+ install_args = top_level_dependencies.map { |dependency| npm_install_args(dependency) }
192
+
193
+ run_npm_install_lockfile_only(*install_args)
194
+
195
+ unless dependencies_in_current_package_json
196
+ File.write(package_json.name, previous_package_json)
197
+
198
+ run_npm_install_lockfile_only
199
+ end
219
200
 
220
- SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
221
201
  { lockfile_basename => File.read(lockfile_basename) }
222
202
  end
223
203
 
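Review bot: The root `package.json` is written back (new line 196) only when the first `run_npm_install_lockfile_only` returns normally; if that call raises, the rewritten manifest stays on disk and the argument-less second install never runs. If this method always operates on a scratch copy of the repository that is harmless, but otherwise the restore belongs in an `ensure` so the cleanup is unconditional. The comment on lines 180–184 ends mid-thought (`… against the previous content to remove that`); suggest `… re-run npm install against the previous content so the root lockfile does not gain the dependency as a new top-level entry`. The enclosing method starts before this hunk.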
@@ -256,6 +236,41 @@ module Dependabot
256
236
  end
257
237
  end
258
238
 
239
+ # Runs `npm install` with `--package-lock-only` flag to update the
240
+ # lockfiile.
241
+ #
242
+ # Other npm flags:
243
+ # - `--force` ignores checks for platform (os, cpu) and engines
244
+ # - `--dry-run=false` the updater sets a global .npmrc with `dry-run: true`
245
+ # to work around an issue in npm 6, we don't want that here
246
+ # - `--ignore-scripts` disables prepare and prepack scripts which are
247
+ # run when installing git dependencies
248
+ def run_npm_install_lockfile_only(*install_args)
249
+ command = [
250
+ "npm",
251
+ "install",
252
+ *install_args,
253
+ "--force",
254
+ "--dry-run",
255
+ "false",
256
+ "--ignore-scripts",
257
+ "--package-lock-only"
258
+ ].join(" ")
259
+
260
+ fingerprint = [
261
+ "npm",
262
+ "install",
263
+ install_args.empty? ? "" : "<install_args>",
264
+ "--force",
265
+ "--dry-run",
266
+ "false",
267
+ "--ignore-scripts",
268
+ "--package-lock-only"
269
+ ].join(" ")
270
+
271
+ SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
272
+ end
273
+
259
274
  def npm_install_args(dependency)
260
275
  git_requirement = dependency.requirements.find { |req| req[:source] && req[:source][:type] == "git" }
261
276
 
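Review bot: The fingerprint on new line 263 still contributes an empty element when `install_args` is empty, so `join(" ")` produces a double space (`npm install  --force …`); `*(install_args.empty? ? [] : ["<install_args>"])` or a `.reject(&:empty?)` before the join gives a clean string. The header comment has a typo, `lockfiile` → `lockfile`. The command is a single shell string assembled from `install_args`, which are derived from dependency names and requirements in the repository's manifests; unless `SharedHelpers.run_shell_command` already escapes the string (not visible here), a comment on `run_npm_install_lockfile_only` stating which caller is responsible for escaping those values would make the contract explicit.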
@@ -203,7 +203,7 @@ module Dependabot
203
203
  SharedHelpers.run_helper_subprocess(
204
204
  command: NativeHelpers.helper_path,
205
205
  function: "yarn:updateSubdependency",
206
- args: [Dir.pwd, lockfile_name, sub_dependencies.first.to_h]
206
+ args: [Dir.pwd, lockfile_name, sub_dependencies.map(&:to_h)]
207
207
  )
208
208
  end
209
209
 
@@ -366,6 +366,25 @@ module Dependabot
366
366
  updated_content = sanitized_package_json_content(updated_content)
367
367
  File.write(file.name, updated_content)
368
368
  end
369
+
370
+ clean_npmrc_in_path(yarn_lock)
371
+ end
372
+
373
+ def clean_npmrc_in_path(yarn_lock)
374
+ # Berry does not read npmrc files.
375
+ return if Helpers.yarn_berry?(yarn_lock)
376
+
377
+ # Find .npmrc files in parent directories and remove variables in them
378
+ # to avoid errors when running yarn 1.
379
+ dirs = Dir.getwd.split("/")
380
+ dirs.pop
381
+ while dirs.any?
382
+ npmrc = dirs.join("/") + "/.npmrc"
383
+ break unless File.exist?(npmrc)
384
+
385
+ File.write(npmrc, File.read(npmrc).gsub(/\$\{.*\}/, ""))
386
+ dirs.pop
387
+ end
369
388
  end
370
389
 
371
390
  def write_lockfiles
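Review bot: `clean_npmrc_in_path` stops climbing at the first parent directory without an `.npmrc` (`break unless File.exist?(npmrc)`, new line 383), so an `.npmrc` two levels up behind a directory that has none is never cleaned, which does not match the comment's "find .npmrc files in parent directories"; if every ancestor is meant, move the trailing `dirs.pop` to just before the existence check and use `next unless File.exist?(npmrc)` instead of `break`. The substitution `/\$\{.*\}/` on line 385 is greedy, so a line containing two references such as `//reg/:_authToken=${TOKEN} always-auth=${AUTH}` (constructed example) loses everything between the first `${` and the last `}`; `/\$\{[^}]*\}/` removes each reference on its own. Because this rewrites files above the current working directory, the method comment should state that it must only run inside an isolated checkout.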
@@ -48,7 +48,7 @@ module Dependabot
48
48
  def self.yarn_berry_args
49
49
  if yarn_major_version == 2
50
50
  ""
51
- elsif yarn_major_version >= 3 && (yarn_zero_install? || yarn_offline_cache?)
51
+ elsif yarn_berry_skip_build?
52
52
  "--mode=skip-build"
53
53
  else
54
54
  # We only want this mode if the cache is not being updated/managed
@@ -57,9 +57,15 @@ module Dependabot
57
57
  end
58
58
  end
59
59
 
60
+ def self.yarn_berry_skip_build?
61
+ yarn_major_version >= 3 && (yarn_zero_install? || yarn_offline_cache?)
62
+ end
63
+
60
64
  def self.setup_yarn_berry
61
65
  # Always disable immutable installs so yarn's CI detection doesn't prevent updates.
62
66
  SharedHelpers.run_shell_command("yarn config set enableImmutableInstalls false")
67
+ # Do not generate a cache if offline cache disabled. Otherwise side effects may confuse further checks
68
+ SharedHelpers.run_shell_command("yarn config set enableGlobalCache true") unless yarn_berry_skip_build?
63
69
  # We never want to execute postinstall scripts, either set this config or mode=skip-build must be set
64
70
  if yarn_major_version == 2 || !yarn_zero_install?
65
71
  SharedHelpers.run_shell_command("yarn config set enableScripts false")
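Review bot: The comment on new line 67 reads as the inverse of the condition below it: `enableGlobalCache true` is set when `yarn_berry_skip_build?` is false, i.e. when the project has neither zero-install nor an offline cache. Suggest `# Use yarn's global cache when the project does not manage an offline cache, so the install does not leave a project-local cache behind that later checks would pick up`; as written, a reader has to consult `yarn_berry_skip_build?` to work out which case is meant. `setup_yarn_berry` continues past the hunk.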
@@ -42,6 +42,12 @@ module Dependabot
42
42
  select { |f| f.name.end_with?("yarn.lock") }
43
43
  end
44
44
 
45
+ def root_yarn_lock
46
+ @root_yarn_lock ||=
47
+ dependency_files.
48
+ find { |f| f.name == "yarn.lock" }
49
+ end
50
+
45
51
  def shrinkwraps
46
52
  @shrinkwraps ||=
47
53
  dependency_files.
@@ -95,7 +95,7 @@ module Dependabot
95
95
  SharedHelpers.run_helper_subprocess(
96
96
  command: NativeHelpers.helper_path,
97
97
  function: "yarn:updateSubdependency",
98
- args: [Dir.pwd, lockfile_name]
98
+ args: [Dir.pwd, lockfile_name, [dependency.to_h]]
99
99
  )
100
100
  end
101
101
  end
@@ -27,13 +27,12 @@ module Dependabot
27
27
  }.freeze
28
28
 
29
29
  # Error message from yarn add:
30
- # " > @reach/router@1.2.1" has incorrect \
31
- # peer dependency "react@15.x || 16.x || 16.4.0-alpha.0911da3"
32
- # " > react-burger-menu@1.9.9" has unmet \
33
- # peer dependency "react@>=0.14.0 <16.0.0".
30
+ # " > @reach/router@1.2.1" has incorrect peer dependency "react@15.x || 16.x || 16.4.0-alpha.0911da3"
31
+ # "workspace-aggregator-<random-string> > test > react-dom@15.6.2" has incorrect peer dependency "react@^15.6.2"
32
+ # " > react-burger-menu@1.9.9" has unmet peer dependency "react@>=0.14.0 <16.0.0"
34
33
  YARN_PEER_DEP_ERROR_REGEX =
35
34
  /
36
- "\s>\s(?<requiring_dep>[^"]+)"\s
35
+ \s>\s(?<requiring_dep>[^>"]+)"\s
37
36
  has\s(incorrect|unmet)\speer\sdependency\s
38
37
  "(?<required_dep>[^"]+)"
39
38
  /x
@@ -324,8 +323,6 @@ module Dependabot
324
323
  filtered_package_files.flat_map do |file|
325
324
  path = Pathname.new(file.name).dirname
326
325
  run_checker(path: path, version: version)
327
- rescue SharedHelpers::HelperSubprocessFailed => e
328
- handle_peer_dependency_errors(e)
329
326
  end.compact
330
327
  end
331
328
  rescue SharedHelpers::HelperSubprocessFailed
@@ -488,14 +485,24 @@ module Dependabot
488
485
  def run_checker(path:, version:)
489
486
  # If there are both yarn lockfiles and npm lockfiles only run the
490
487
  # yarn updater
491
- lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.yarn_locks, path: path)
492
- if lockfiles.any?
493
- return run_yarn_berry_checker(path: path, version: version) if Helpers.yarn_berry?(lockfiles.first)
488
+ yarn_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.yarn_locks, path: path)
489
+ return run_yarn_checker(path: path, version: version, lockfile: yarn_lockfiles.first) if yarn_lockfiles.any?
494
490
 
495
- return run_yarn_checker(path: path, version: version)
496
- end
491
+ npm_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.package_locks, path: path)
492
+ return run_npm_checker(path: path, version: version) if npm_lockfiles.any?
493
+
494
+ root_yarn_lock = dependency_files_builder.root_yarn_lock
495
+ return run_yarn_checker(path: path, version: version, lockfile: root_yarn_lock) if root_yarn_lock
497
496
 
498
497
  run_npm_checker(path: path, version: version)
498
+ rescue SharedHelpers::HelperSubprocessFailed => e
499
+ handle_peer_dependency_errors(e)
500
+ end
501
+
502
+ def run_yarn_checker(path:, version:, lockfile:)
503
+ return run_yarn_berry_checker(path: path, version: version) if Helpers.yarn_berry?(lockfile)
504
+
505
+ run_yarn_classic_checker(path: path, version: version)
499
506
  end
500
507
 
501
508
  def run_yarn_berry_checker(path:, version:)
@@ -519,7 +526,7 @@ module Dependabot
519
526
  end
520
527
  end
521
528
 
522
- def run_yarn_checker(path:, version:)
529
+ def run_yarn_classic_checker(path:, version:)
523
530
  SharedHelpers.with_git_configured(credentials: credentials) do
524
531
  Dir.chdir(path) do
525
532
  SharedHelpers.run_helper_subprocess(
@@ -118,6 +118,7 @@ module Dependabot
118
118
  dependency: dependency,
119
119
  target_version: lowest_security_fix_version
120
120
  )
121
+ return conflicts unless vulnerability_audit_performed?
121
122
 
122
123
  vulnerable = [vulnerability_audit].select do |hash|
123
124
  !hash["fix_available"] && hash["explanation"]
@@ -128,6 +129,10 @@ module Dependabot
128
129
 
129
130
  private
130
131
 
132
+ def vulnerability_audit_performed?
133
+ defined?(@vulnerability_audit)
134
+ end
135
+
131
136
  def vulnerability_audit
132
137
  @vulnerability_audit ||=
133
138
  VulnerabilityAuditor.new(
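Review bot: `vulnerability_audit_performed?` (new line 132) is true as soon as `@vulnerability_audit` has been assigned, including when the memoised value is `nil`, and the `||=` on line 137 would then re-run the auditor on the next call while the predicate still reports the audit as performed. If the auditor can legitimately yield `nil` the two are out of step; otherwise a one-line comment on the predicate saying that it only checks whether the memoised audit has been populated, so the guard on line 121 avoids triggering an audit as a side effect, would make the intent clear. `instance_variable_defined?(:@vulnerability_audit)` is the more direct spelling of the same check. `vulnerability_audit` continues past the hunk.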
@@ -1,7 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require "dependabot/version"
3
4
  require "dependabot/utils"
4
- require "rubygems_version_patch"
5
5
 
6
6
  # JavaScript pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
7
7
  # converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
@@ -11,7 +11,7 @@ require "rubygems_version_patch"
11
11
 
12
12
  module Dependabot
13
13
  module NpmAndYarn
14
- class Version < Gem::Version
14
+ class Version < Dependabot::Version
15
15
  attr_reader :build_info
16
16
 
17
17
  VERSION_PATTERN = Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?'
@@ -25,6 +25,17 @@ module Dependabot
25
25
  version.to_s.match?(ANCHORED_VERSION_PATTERN)
26
26
  end
27
27
 
28
+ def self.semver_for(version)
29
+ # The next two lines are to guard against improperly formatted
30
+ # versions in a lockfile, such as an empty string or additional
31
+ # characters. NPM/yarn fixes these when running an update, so we can
32
+ # safely ignore these versions.
33
+ return if version == ""
34
+ return unless correct?(version)
35
+
36
+ version
37
+ end
38
+
28
39
  def initialize(version)
29
40
  @version_string = version.to_s
30
41
  version = version.gsub(/^v/, "") if version.is_a?(String)
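Review bot: `semver_for` rejects `""` explicitly, presumably because `correct?` above accepts it (as in `Gem::Version`, where the anchored pattern makes the version optional), but if that pattern also allows surrounding whitespace as Gem's does, a whitespace-only string passes both guards and is returned as-is; `nil`, which `semver_version_for` passes through when there are no lockfile details (`lockfile_details&.fetch("version", "")` yields `nil` then), is only rejected by whatever `correct?(nil)` makes of `nil.to_s`. `return if version.to_s.strip.empty?` covers all three cases in one line, and the comment can then name them. The rest of the class is outside the hunk.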
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.215.0
4
+ version: 0.216.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-12-07 00:00:00.000000000 Z
11
+ date: 2023-04-12 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.215.0
19
+ version: 0.216.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.215.0
26
+ version: 0.216.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
- - - ">="
31
+ - - "~>"
32
32
  - !ruby/object:Gem::Version
33
- version: 1.0.0
33
+ version: 1.7.1
34
34
  type: :development
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
- - - ">="
38
+ - - "~>"
39
39
  - !ruby/object:Gem::Version
40
- version: 1.0.0
40
+ version: 1.7.1
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: gpgme
43
43
  requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
58
58
  requirements:
59
59
  - - "~>"
60
60
  - !ruby/object:Gem::Version
61
- version: 4.0.0
61
+ version: 4.2.0
62
62
  type: :development
63
63
  prerelease: false
64
64
  version_requirements: !ruby/object:Gem::Requirement
65
65
  requirements:
66
66
  - - "~>"
67
67
  - !ruby/object:Gem::Version
68
- version: 4.0.0
68
+ version: 4.2.0
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: rake
71
71
  requirement: !ruby/object:Gem::Requirement
@@ -86,70 +86,70 @@ dependencies:
86
86
  requirements:
87
87
  - - "~>"
88
88
  - !ruby/object:Gem::Version
89
- version: '3.8'
89
+ version: '3.12'
90
90
  type: :development
91
91
  prerelease: false
92
92
  version_requirements: !ruby/object:Gem::Requirement
93
93
  requirements:
94
94
  - - "~>"
95
95
  - !ruby/object:Gem::Version
96
- version: '3.8'
96
+ version: '3.12'
97
97
  - !ruby/object:Gem::Dependency
98
98
  name: rspec-its
99
99
  requirement: !ruby/object:Gem::Requirement
100
100
  requirements:
101
101
  - - "~>"
102
102
  - !ruby/object:Gem::Version
103
- version: '1.2'
103
+ version: '1.3'
104
104
  type: :development
105
105
  prerelease: false
106
106
  version_requirements: !ruby/object:Gem::Requirement
107
107
  requirements:
108
108
  - - "~>"
109
109
  - !ruby/object:Gem::Version
110
- version: '1.2'
110
+ version: '1.3'
111
111
  - !ruby/object:Gem::Dependency
112
112
  name: rubocop
113
113
  requirement: !ruby/object:Gem::Requirement
114
114
  requirements:
115
115
  - - "~>"
116
116
  - !ruby/object:Gem::Version
117
- version: 1.39.0
117
+ version: 1.48.0
118
118
  type: :development
119
119
  prerelease: false
120
120
  version_requirements: !ruby/object:Gem::Requirement
121
121
  requirements:
122
122
  - - "~>"
123
123
  - !ruby/object:Gem::Version
124
- version: 1.39.0
124
+ version: 1.48.0
125
125
  - !ruby/object:Gem::Dependency
126
126
  name: rubocop-performance
127
127
  requirement: !ruby/object:Gem::Requirement
128
128
  requirements:
129
129
  - - "~>"
130
130
  - !ruby/object:Gem::Version
131
- version: 1.15.0
131
+ version: 1.17.1
132
132
  type: :development
133
133
  prerelease: false
134
134
  version_requirements: !ruby/object:Gem::Requirement
135
135
  requirements:
136
136
  - - "~>"
137
137
  - !ruby/object:Gem::Version
138
- version: 1.15.0
138
+ version: 1.17.1
139
139
  - !ruby/object:Gem::Dependency
140
140
  name: simplecov
141
141
  requirement: !ruby/object:Gem::Requirement
142
142
  requirements:
143
143
  - - "~>"
144
144
  - !ruby/object:Gem::Version
145
- version: 0.21.0
145
+ version: 0.22.0
146
146
  type: :development
147
147
  prerelease: false
148
148
  version_requirements: !ruby/object:Gem::Requirement
149
149
  requirements:
150
150
  - - "~>"
151
151
  - !ruby/object:Gem::Version
152
- version: 0.21.0
152
+ version: 0.22.0
153
153
  - !ruby/object:Gem::Dependency
154
154
  name: simplecov-console
155
155
  requirement: !ruby/object:Gem::Requirement
@@ -182,33 +182,34 @@ dependencies:
182
182
  name: vcr
183
183
  requirement: !ruby/object:Gem::Requirement
184
184
  requirements:
185
- - - '='
185
+ - - "~>"
186
186
  - !ruby/object:Gem::Version
187
- version: 6.1.0
187
+ version: '6.1'
188
188
  type: :development
189
189
  prerelease: false
190
190
  version_requirements: !ruby/object:Gem::Requirement
191
191
  requirements:
192
- - - '='
192
+ - - "~>"
193
193
  - !ruby/object:Gem::Version
194
- version: 6.1.0
194
+ version: '6.1'
195
195
  - !ruby/object:Gem::Dependency
196
196
  name: webmock
197
197
  requirement: !ruby/object:Gem::Requirement
198
198
  requirements:
199
199
  - - "~>"
200
200
  - !ruby/object:Gem::Version
201
- version: '3.4'
201
+ version: '3.18'
202
202
  type: :development
203
203
  prerelease: false
204
204
  version_requirements: !ruby/object:Gem::Requirement
205
205
  requirements:
206
206
  - - "~>"
207
207
  - !ruby/object:Gem::Version
208
- version: '3.4'
209
- description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
210
- Rust, Java, .NET, Elm and Go
211
- email: support@dependabot.com
208
+ version: '3.18'
209
+ description: Dependabot-NPM_And_Yarn provides support for bumping Javascript (npm
210
+ and yarn) libraries via Dependabot. If you want support for multiple package managers,
211
+ you probably want the meta-gem dependabot-omnibus.
212
+ email: opensource@github.com
212
213
  executables: []
213
214
  extensions: []
214
215
  extra_rdoc_files: []
@@ -271,7 +272,9 @@ files:
271
272
  - lib/dependabot/npm_and_yarn/file_fetcher.rb
272
273
  - lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb
273
274
  - lib/dependabot/npm_and_yarn/file_parser.rb
275
+ - lib/dependabot/npm_and_yarn/file_parser/json_lock.rb
274
276
  - lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb
277
+ - lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb
275
278
  - lib/dependabot/npm_and_yarn/file_updater.rb
276
279
  - lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb
277
280
  - lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb
@@ -298,7 +301,9 @@ files:
298
301
  homepage: https://github.com/dependabot/dependabot-core
299
302
  licenses:
300
303
  - Nonstandard
301
- metadata: {}
304
+ metadata:
305
+ issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
306
+ changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
302
307
  post_install_message:
303
308
  rdoc_options: []
304
309
  require_paths:
@@ -314,8 +319,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
314
319
  - !ruby/object:Gem::Version
315
320
  version: 3.1.0
316
321
  requirements: []
317
- rubygems_version: 3.3.7
322
+ rubygems_version: 3.3.26
318
323
  signing_key:
319
324
  specification_version: 4
320
- summary: JS support for dependabot
325
+ summary: Provides Dependabot support for Javascript (npm and yarn)
321
326
  test_files: []