dependabot-npm_and_yarn 0.215.0 → 0.216.0

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -95,7 +95,7 @@ module Dependabot
           requirement: requirement,
           manifest_name: file.name
         )
-        version = version_for(name, requirement, file.name)
+        version = version_for(requirement, lockfile_details)
 
         return if lockfile_details && !version
         return if ignore_requirement?(requirement)
@@ -116,7 +116,7 @@ module Dependabot
             requirement: requirement_for(requirement),
             file: file.name,
             groups: [type],
-            source: source_for(name, requirement, file.name)
+            source: source_for(name, requirement, lockfile_details)
           }]
         )
       end
@@ -165,29 +165,21 @@ module Dependabot
           package_files.filter_map { |f| JSON.parse(f.content)["name"] }
       end
 
-      def version_for(name, requirement, manifest_name)
+      def version_for(requirement, lockfile_details)
         if git_url_with_semver?(requirement)
-          semver_version = semver_version_for(name, requirement, manifest_name)
+          semver_version = semver_version_for(lockfile_details)
           return semver_version if semver_version
 
-          git_revision = git_revision_for(name, requirement, manifest_name)
+          git_revision = git_revision_for(lockfile_details)
           version_from_git_revision(requirement, git_revision) || git_revision
         elsif git_url?(requirement)
-          git_revision_for(name, requirement, manifest_name)
+          git_revision_for(lockfile_details)
         else
-          semver_version_for(name, requirement, manifest_name)
+          semver_version_for(lockfile_details)
         end
       end
 
-      def git_revision_for(name, requirement, manifest_name)
-        return unless git_url?(requirement)
-
-        lockfile_details = lockfile_parser.lockfile_details(
-          dependency_name: name,
-          requirement: requirement,
-          manifest_name: manifest_name
-        )
-
+      def git_revision_for(lockfile_details)
         [
           lockfile_details&.fetch("version", nil)&.split("#")&.last,
           lockfile_details&.fetch("resolved", nil)&.split("#")&.last,
@@ -224,29 +216,13 @@ module Dependabot
         nil
       end
 
-      def semver_version_for(name, requirement, manifest_name)
-        lock_version = lockfile_parser.lockfile_details(
-          dependency_name: name,
-          requirement: requirement,
-          manifest_name: manifest_name
-        )&.fetch("version", nil)
-
-        # This line is to guard against improperly formatted versions in a
-        # lockfile, such as additional characters. NPM/yarn fixes these when
-        # running an update, so we can safely ignore these versions.
-        return unless version_class.correct?(lock_version)
-
-        lock_version
+      def semver_version_for(lockfile_details)
+        version_class.semver_for(lockfile_details&.fetch("version", ""))
       end
 
-      def source_for(name, requirement, manifest_name)
+      def source_for(name, requirement, lockfile_details)
         return git_source_for(requirement) if git_url?(requirement)
 
-        lockfile_details = lockfile_parser.lockfile_details(
-          dependency_name: name,
-          requirement: requirement,
-          manifest_name: manifest_name
-        )
         resolved_url = lockfile_details&.fetch("resolved", nil)
 
         resolution = lockfile_details&.fetch("resolution", nil)
@@ -313,11 +289,22 @@ module Dependabot
       end
 
       def url_for_relevant_cred(resolved_url)
+        resolved_url_host = URI(resolved_url).host
+
         credential_matching_url =
           credentials.
           select { |cred| cred["type"] == "npm_registry" }.
           sort_by { |cred| cred["registry"].length }.
-          find { |details| resolved_url.include?(details["registry"]) }
+          find do |details|
+            next true if resolved_url_host == details["registry"]
+
+            uri = if details["registry"]&.include?("://")
+                    URI(details["registry"])
+                  else
+                    URI("https://#{details['registry']}")
+                  end
+            resolved_url_host == uri.host
+          end
 
         return unless credential_matching_url
 

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -176,48 +176,28 @@ module Dependabot
             dependency_in_package_json?(dependency)
           end
 
-          # NOTE: When updating a dependency in a nested workspace project we
-          # need to run `npm install` without any arguments to update the root
-          # level lockfile after having updated the nested packages package.json
-          # requirement, otherwise npm will add the dependency as a new
-          # top-level dependency to the root lockfile.
-          install_args = ""
-          if dependencies_in_current_package_json
-            # TODO: Update the npm 6 updater to use these args as we currently
-            # do the same in the js updater helper, we've kept it seperate for
-            # the npm 7 rollout
-            install_args = top_level_dependencies.map { |dependency| npm_install_args(dependency) }
-          end
-
-          # NOTE: npm options
-          # - `--force` ignores checks for platform (os, cpu) and engines
-          # - `--dry-run=false` the updater sets a global .npmrc with dry-run:
-          #   true to work around an issue in npm 6, we don't want that here
-          # - `--ignore-scripts` disables prepare and prepack scripts which are
-          #   run when installing git dependencies
-          command = [
-            "npm",
-            "install",
-            *install_args,
-            "--force",
-            "--dry-run",
-            "false",
-            "--ignore-scripts",
-            "--package-lock-only"
-          ].join(" ")
+          unless dependencies_in_current_package_json
+            # NOTE: When updating a dependency in a nested workspace project, npm
+            # will add the dependency as a new top-level dependency to the root
+            # lockfile. To overcome this, we save the content before the update,
+            # and then re-run `npm install` after the update against the previous
+            # content to remove that
+            previous_package_json = File.read(package_json.name)
+          end
 
-          fingerprint = [
-            "npm",
-            "install",
-            "<install_args>",
-            "--force",
-            "--dry-run",
-            "false",
-            "--ignore-scripts",
-            "--package-lock-only"
-          ].join(" ")
+          # TODO: Update the npm 6 updater to use these args as we currently
+          # do the same in the js updater helper, we've kept it separate for
+          # the npm 7 rollout
+          install_args = top_level_dependencies.map { |dependency| npm_install_args(dependency) }
+
+          run_npm_install_lockfile_only(*install_args)
+
+          unless dependencies_in_current_package_json
+            File.write(package_json.name, previous_package_json)
+
+            run_npm_install_lockfile_only
+          end
 
-          SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
           { lockfile_basename => File.read(lockfile_basename) }
         end
 
@@ -256,6 +236,41 @@ module Dependabot
             end
         end
 
+        # Runs `npm install` with `--package-lock-only` flag to update the
+        # lockfiile.
+        #
+        # Other npm flags:
+        # - `--force` ignores checks for platform (os, cpu) and engines
+        # - `--dry-run=false` the updater sets a global .npmrc with `dry-run: true`
+        #   to work around an issue in npm 6, we don't want that here
+        # - `--ignore-scripts` disables prepare and prepack scripts which are
+        #   run when installing git dependencies
+        def run_npm_install_lockfile_only(*install_args)
+          command = [
+            "npm",
+            "install",
+            *install_args,
+            "--force",
+            "--dry-run",
+            "false",
+            "--ignore-scripts",
+            "--package-lock-only"
+          ].join(" ")
+
+          fingerprint = [
+            "npm",
+            "install",
+            install_args.empty? ? "" : "<install_args>",
+            "--force",
+            "--dry-run",
+            "false",
+            "--ignore-scripts",
+            "--package-lock-only"
+          ].join(" ")
+
+          SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+        end
+
         def npm_install_args(dependency)
           git_requirement = dependency.requirements.find { |req| req[:source] && req[:source][:type] == "git" }
 

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -203,7 +203,7 @@ module Dependabot
           SharedHelpers.run_helper_subprocess(
             command: NativeHelpers.helper_path,
             function: "yarn:updateSubdependency",
-            args: [Dir.pwd, lockfile_name, sub_dependencies.first.to_h]
+            args: [Dir.pwd, lockfile_name, sub_dependencies.map(&:to_h)]
           )
         end
 
@@ -366,6 +366,25 @@ module Dependabot
             updated_content = sanitized_package_json_content(updated_content)
             File.write(file.name, updated_content)
           end
+
+          clean_npmrc_in_path(yarn_lock)
+        end
+
+        def clean_npmrc_in_path(yarn_lock)
+          # Berry does not read npmrc files.
+          return if Helpers.yarn_berry?(yarn_lock)
+
+          # Find .npmrc files in parent directories and remove variables in them
+          # to avoid errors when running yarn 1.
+          dirs = Dir.getwd.split("/")
+          dirs.pop
+          while dirs.any?
+            npmrc = dirs.join("/") + "/.npmrc"
+            break unless File.exist?(npmrc)
+
+            File.write(npmrc, File.read(npmrc).gsub(/\$\{.*\}/, ""))
+            dirs.pop
+          end
         end
 
         def write_lockfiles

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -48,7 +48,7 @@ module Dependabot
       def self.yarn_berry_args
         if yarn_major_version == 2
           ""
-        elsif yarn_major_version >= 3 && (yarn_zero_install? || yarn_offline_cache?)
+        elsif yarn_berry_skip_build?
           "--mode=skip-build"
         else
           # We only want this mode if the cache is not being updated/managed
@@ -57,9 +57,15 @@ module Dependabot
         end
       end
 
+      def self.yarn_berry_skip_build?
+        yarn_major_version >= 3 && (yarn_zero_install? || yarn_offline_cache?)
+      end
+
       def self.setup_yarn_berry
         # Always disable immutable installs so yarn's CI detection doesn't prevent updates.
         SharedHelpers.run_shell_command("yarn config set enableImmutableInstalls false")
+        # Do not generate a cache if offline cache disabled. Otherwise side effects may confuse further checks
+        SharedHelpers.run_shell_command("yarn config set enableGlobalCache true") unless yarn_berry_skip_build?
         # We never want to execute postinstall scripts, either set this config or mode=skip-build must be set
         if yarn_major_version == 2 || !yarn_zero_install?
           SharedHelpers.run_shell_command("yarn config set enableScripts false")

data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb

@@ -42,6 +42,12 @@ module Dependabot
             select { |f| f.name.end_with?("yarn.lock") }
         end
 
+        def root_yarn_lock
+          @root_yarn_lock ||=
+            dependency_files.
+            find { |f| f.name == "yarn.lock" }
+        end
+
         def shrinkwraps
           @shrinkwraps ||=
             dependency_files.

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -95,7 +95,7 @@ module Dependabot
               SharedHelpers.run_helper_subprocess(
                 command: NativeHelpers.helper_path,
                 function: "yarn:updateSubdependency",
-                args: [Dir.pwd, lockfile_name]
+                args: [Dir.pwd, lockfile_name, [dependency.to_h]]
               )
             end
           end

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb

@@ -27,13 +27,12 @@ module Dependabot
         }.freeze
 
         # Error message from yarn add:
-        # " > @reach/router@1.2.1" has incorrect \
-        # peer dependency "react@15.x || 16.x || 16.4.0-alpha.0911da3"
-        # " > react-burger-menu@1.9.9" has unmet \
-        # peer dependency "react@>=0.14.0 <16.0.0".
+        # " > @reach/router@1.2.1" has incorrect peer dependency "react@15.x || 16.x || 16.4.0-alpha.0911da3"
+        # "workspace-aggregator-<random-string> > test > react-dom@15.6.2" has incorrect peer dependency "react@^15.6.2"
+        # " > react-burger-menu@1.9.9" has unmet peer dependency "react@>=0.14.0 <16.0.0"
         YARN_PEER_DEP_ERROR_REGEX =
           /
-            "\s>\s(?<requiring_dep>[^"]+)"\s
+            \s>\s(?<requiring_dep>[^>"]+)"\s
             has\s(incorrect|unmet)\speer\sdependency\s
             "(?<required_dep>[^"]+)"
           /x
@@ -324,8 +323,6 @@ module Dependabot
             filtered_package_files.flat_map do |file|
               path = Pathname.new(file.name).dirname
               run_checker(path: path, version: version)
-            rescue SharedHelpers::HelperSubprocessFailed => e
-              handle_peer_dependency_errors(e)
             end.compact
           end
         rescue SharedHelpers::HelperSubprocessFailed
@@ -488,14 +485,24 @@ module Dependabot
         def run_checker(path:, version:)
           # If there are both yarn lockfiles and npm lockfiles only run the
           # yarn updater
-          lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.yarn_locks, path: path)
-          if lockfiles.any?
-            return run_yarn_berry_checker(path: path, version: version) if Helpers.yarn_berry?(lockfiles.first)
+          yarn_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.yarn_locks, path: path)
+          return run_yarn_checker(path: path, version: version, lockfile: yarn_lockfiles.first) if yarn_lockfiles.any?
 
-            return run_yarn_checker(path: path, version: version)
-          end
+          npm_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.package_locks, path: path)
+          return run_npm_checker(path: path, version: version) if npm_lockfiles.any?
+
+          root_yarn_lock = dependency_files_builder.root_yarn_lock
+          return run_yarn_checker(path: path, version: version, lockfile: root_yarn_lock) if root_yarn_lock
 
           run_npm_checker(path: path, version: version)
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          handle_peer_dependency_errors(e)
+        end
+
+        def run_yarn_checker(path:, version:, lockfile:)
+          return run_yarn_berry_checker(path: path, version: version) if Helpers.yarn_berry?(lockfile)
+
+          run_yarn_classic_checker(path: path, version: version)
         end
 
         def run_yarn_berry_checker(path:, version:)
@@ -519,7 +526,7 @@ module Dependabot
           end
         end
 
-        def run_yarn_checker(path:, version:)
+        def run_yarn_classic_checker(path:, version:)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               SharedHelpers.run_helper_subprocess(

data/lib/dependabot/npm_and_yarn/update_checker.rb

@@ -118,6 +118,7 @@ module Dependabot
           dependency: dependency,
           target_version: lowest_security_fix_version
         )
+        return conflicts unless vulnerability_audit_performed?
 
         vulnerable = [vulnerability_audit].select do |hash|
           !hash["fix_available"] && hash["explanation"]
@@ -128,6 +129,10 @@ module Dependabot
 
       private
 
+      def vulnerability_audit_performed?
+        defined?(@vulnerability_audit)
+      end
+
       def vulnerability_audit
         @vulnerability_audit ||=
           VulnerabilityAuditor.new(

data/lib/dependabot/npm_and_yarn/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
+require "dependabot/version"
 require "dependabot/utils"
-require "rubygems_version_patch"
 
 # JavaScript pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
 # converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
@@ -11,7 +11,7 @@ require "rubygems_version_patch"
 
 module Dependabot
   module NpmAndYarn
-    class Version < Gem::Version
+    class Version < Dependabot::Version
       attr_reader :build_info
 
       VERSION_PATTERN = Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?'
@@ -25,6 +25,17 @@ module Dependabot
         version.to_s.match?(ANCHORED_VERSION_PATTERN)
       end
 
+      def self.semver_for(version)
+        # The next two lines are to guard against improperly formatted
+        # versions in a lockfile, such as an empty string or additional
+        # characters. NPM/yarn fixes these when running an update, so we can
+        # safely ignore these versions.
+        return if version == ""
+        return unless correct?(version)
+
+        version
+      end
+
       def initialize(version)
         @version_string = version.to_s
         version = version.gsub(/^v/, "") if version.is_a?(String)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.215.0
+  version: 0.216.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-12-07 00:00:00.000000000 Z
+date: 2023-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.215.0
+        version: 0.216.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.215.0
+        version: 0.216.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.0
+        version: 1.7.1
 - !ruby/object:Gem::Dependency
   name: gpgme
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.0.0
+        version: 4.2.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -86,70 +86,70 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '3.12'
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.39.0
+        version: 1.48.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.15.0
+        version: 1.17.1
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.21.0
+        version: 0.22.0
 - !ruby/object:Gem::Dependency
   name: simplecov-console
   requirement: !ruby/object:Gem::Requirement
@@ -182,33 +182,34 @@ dependencies:
   name: vcr
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: '6.1'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '3.18'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
-description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
-  Rust, Java, .NET, Elm and Go
-email: support@dependabot.com
+        version: '3.18'
+description: Dependabot-NPM_And_Yarn provides support for bumping Javascript (npm
+  and yarn) libraries via Dependabot. If you want support for multiple package managers,
+  you probably want the meta-gem dependabot-omnibus.
+email: opensource@github.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -271,7 +272,9 @@ files:
 - lib/dependabot/npm_and_yarn/file_fetcher.rb
 - lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb
 - lib/dependabot/npm_and_yarn/file_parser.rb
+- lib/dependabot/npm_and_yarn/file_parser/json_lock.rb
 - lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb
+- lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb
 - lib/dependabot/npm_and_yarn/file_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb
@@ -298,7 +301,9 @@ files:
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard
-metadata: {}
+metadata:
+  issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+  changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -314,8 +319,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.26
 signing_key: 
 specification_version: 4
-summary: JS support for dependabot
+summary: Provides Dependabot support for Javascript (npm and yarn)
 test_files: []