dependabot-npm_and_yarn 0.225.0 → 0.227.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/helpers/package-lock.json +1211 -1255
- data/helpers/package.json +5 -5
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +15 -10
- data/lib/dependabot/npm_and_yarn/file_parser.rb +18 -4
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +14 -34
- data/lib/dependabot/npm_and_yarn/file_updater/package_json_preparer.rb +1 -1
- data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +20 -73
- data/lib/dependabot/npm_and_yarn/helpers.rb +3 -19
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +18 -18
- data/lib/dependabot/npm_and_yarn.rb +1 -0
- metadata +7 -7
data/helpers/package.json
CHANGED
@@ -14,14 +14,14 @@
|
|
14
14
|
"detect-indent": "^6.1.0",
|
15
15
|
"nock": "^13.3.2",
|
16
16
|
"npm": "6.14.18",
|
17
|
-
"@pnpm/lockfile-file": "^8.1.
|
17
|
+
"@pnpm/lockfile-file": "^8.1.2",
|
18
18
|
"@pnpm/dependency-path": "^2.1.1",
|
19
19
|
"semver": "^7.4.0"
|
20
20
|
},
|
21
21
|
"devDependencies": {
|
22
|
-
"eslint": "^8.
|
23
|
-
"eslint-config-prettier": "^
|
24
|
-
"jest": "^29.
|
25
|
-
"prettier": "^
|
22
|
+
"eslint": "^8.47.0",
|
23
|
+
"eslint-config-prettier": "^9.0.0",
|
24
|
+
"jest": "^29.6.2",
|
25
|
+
"prettier": "^3.0.1"
|
26
26
|
}
|
27
27
|
}
|
@@ -217,8 +217,9 @@ module Dependabot
|
|
217
217
|
end
|
218
218
|
|
219
219
|
def npmrc
|
220
|
-
@npmrc
|
221
|
-
|
220
|
+
return @npmrc if defined?(@npmrc)
|
221
|
+
|
222
|
+
@npmrc = fetch_support_file(".npmrc")
|
222
223
|
|
223
224
|
return @npmrc if @npmrc || directory == "/"
|
224
225
|
|
@@ -236,8 +237,9 @@ module Dependabot
|
|
236
237
|
end
|
237
238
|
|
238
239
|
def yarnrc
|
239
|
-
@yarnrc
|
240
|
-
|
240
|
+
return @yarnrc if defined?(@yarnrc)
|
241
|
+
|
242
|
+
@yarnrc = fetch_support_file(".yarnrc")
|
241
243
|
|
242
244
|
return @yarnrc if @yarnrc || directory == "/"
|
243
245
|
|
@@ -255,18 +257,21 @@ module Dependabot
|
|
255
257
|
end
|
256
258
|
|
257
259
|
def yarnrc_yml
|
258
|
-
@yarnrc_yml
|
259
|
-
|
260
|
+
return @yarnrc_yml if defined?(@yarnrc_yml)
|
261
|
+
|
262
|
+
@yarnrc_yml = fetch_support_file(".yarnrc.yml")
|
260
263
|
end
|
261
264
|
|
262
265
|
def pnpm_workspace_yaml
|
263
|
-
@pnpm_workspace_yaml
|
264
|
-
|
266
|
+
return @pnpm_workspace_yaml if defined?(@pnpm_workspace_yaml)
|
267
|
+
|
268
|
+
@pnpm_workspace_yaml = fetch_support_file("pnpm-workspace.yaml")
|
265
269
|
end
|
266
270
|
|
267
271
|
def lerna_json
|
268
|
-
@lerna_json
|
269
|
-
|
272
|
+
return @lerna_json if defined?(@lerna_json)
|
273
|
+
|
274
|
+
@lerna_json = fetch_support_file("lerna.json")
|
270
275
|
end
|
271
276
|
|
272
277
|
def workspace_package_jsons
|
@@ -9,6 +9,7 @@ require "dependabot/shared_helpers"
|
|
9
9
|
require "dependabot/npm_and_yarn/helpers"
|
10
10
|
require "dependabot/npm_and_yarn/native_helpers"
|
11
11
|
require "dependabot/npm_and_yarn/version"
|
12
|
+
require "dependabot/npm_and_yarn/requirement"
|
12
13
|
require "dependabot/git_metadata_fetcher"
|
13
14
|
require "dependabot/git_commit_checker"
|
14
15
|
require "dependabot/errors"
|
@@ -167,15 +168,20 @@ module Dependabot
|
|
167
168
|
|
168
169
|
def version_for(requirement, lockfile_details)
|
169
170
|
if git_url_with_semver?(requirement)
|
170
|
-
semver_version =
|
171
|
+
semver_version = lockfile_version_for(lockfile_details)
|
171
172
|
return semver_version if semver_version
|
172
173
|
|
173
174
|
git_revision = git_revision_for(lockfile_details)
|
174
175
|
version_from_git_revision(requirement, git_revision) || git_revision
|
175
176
|
elsif git_url?(requirement)
|
176
177
|
git_revision_for(lockfile_details)
|
178
|
+
elsif lockfile_details
|
179
|
+
lockfile_version_for(lockfile_details)
|
177
180
|
else
|
178
|
-
|
181
|
+
req = requirement_class.new(requirement)
|
182
|
+
return unless req.exact?
|
183
|
+
|
184
|
+
semver_version_for(req.requirements.first.last.to_s)
|
179
185
|
end
|
180
186
|
end
|
181
187
|
|
@@ -216,8 +222,12 @@ module Dependabot
|
|
216
222
|
nil
|
217
223
|
end
|
218
224
|
|
219
|
-
def
|
220
|
-
|
225
|
+
def lockfile_version_for(lockfile_details)
|
226
|
+
semver_version_for(lockfile_details&.fetch("version", ""))
|
227
|
+
end
|
228
|
+
|
229
|
+
def semver_version_for(version)
|
230
|
+
version_class.semver_for(version)
|
221
231
|
end
|
222
232
|
|
223
233
|
def source_for(name, requirement, lockfile_details)
|
@@ -334,6 +344,10 @@ module Dependabot
|
|
334
344
|
def version_class
|
335
345
|
NpmAndYarn::Version
|
336
346
|
end
|
347
|
+
|
348
|
+
def requirement_class
|
349
|
+
NpmAndYarn::Requirement
|
350
|
+
end
|
337
351
|
end
|
338
352
|
end
|
339
353
|
end
|
@@ -513,16 +513,18 @@ module Dependabot
|
|
513
513
|
file.content
|
514
514
|
end
|
515
515
|
|
516
|
+
package_json_preparer = package_json_preparer(updated_content)
|
517
|
+
|
516
518
|
# TODO: Figure out if we need to lock git deps for npm 7 and can
|
517
519
|
# start deprecating this hornets nest
|
518
520
|
#
|
519
521
|
# NOTE: When updating a package-lock.json we have to manually lock
|
520
522
|
# all git dependencies, otherwise npm will (unhelpfully) update them
|
521
523
|
updated_content = lock_git_deps(updated_content)
|
522
|
-
updated_content = replace_ssh_sources(updated_content)
|
524
|
+
updated_content = package_json_preparer.replace_ssh_sources(updated_content)
|
523
525
|
updated_content = lock_deps_with_latest_reqs(updated_content)
|
524
526
|
|
525
|
-
updated_content =
|
527
|
+
updated_content = package_json_preparer.remove_invalid_characters(updated_content)
|
526
528
|
|
527
529
|
File.write(file.name, updated_content)
|
528
530
|
end
|
@@ -614,35 +616,12 @@ module Dependabot
|
|
614
616
|
JSON.pretty_generate(json, indent: indent)
|
615
617
|
end
|
616
618
|
|
617
|
-
def replace_ssh_sources(content)
|
618
|
-
updated_content = content
|
619
|
-
|
620
|
-
git_ssh_requirements_to_swap.each do |req|
|
621
|
-
new_req = req.gsub(%r{git\+ssh://git@(.*?)[:/]}, 'https://\1/')
|
622
|
-
updated_content = updated_content.gsub(req, new_req)
|
623
|
-
end
|
624
|
-
|
625
|
-
updated_content
|
626
|
-
end
|
627
|
-
|
628
619
|
def git_ssh_requirements_to_swap
|
629
620
|
return @git_ssh_requirements_to_swap if @git_ssh_requirements_to_swap
|
630
621
|
|
631
|
-
@git_ssh_requirements_to_swap =
|
632
|
-
|
633
|
-
package_files.each do |file|
|
634
|
-
NpmAndYarn::FileParser::DEPENDENCY_TYPES.each do |t|
|
635
|
-
JSON.parse(file.content).fetch(t, {}).each do |_, requirement|
|
636
|
-
next unless requirement.is_a?(String)
|
637
|
-
next unless requirement.start_with?("git+ssh:")
|
638
|
-
|
639
|
-
req = requirement.split("#").first
|
640
|
-
@git_ssh_requirements_to_swap << req
|
641
|
-
end
|
642
|
-
end
|
622
|
+
@git_ssh_requirements_to_swap = package_files.flat_map do |file|
|
623
|
+
package_json_preparer(file.content).swapped_ssh_requirements
|
643
624
|
end
|
644
|
-
|
645
|
-
@git_ssh_requirements_to_swap
|
646
625
|
end
|
647
626
|
|
648
627
|
def post_process_npm_lockfile(updated_lockfile_content)
|
@@ -841,6 +820,14 @@ module Dependabot
|
|
841
820
|
).updated_package_json.content
|
842
821
|
end
|
843
822
|
|
823
|
+
def package_json_preparer(content)
|
824
|
+
@package_json_preparer ||= {}
|
825
|
+
@package_json_preparer[content] ||=
|
826
|
+
PackageJsonPreparer.new(
|
827
|
+
package_json_content: content
|
828
|
+
)
|
829
|
+
end
|
830
|
+
|
844
831
|
def npmrc_disables_lockfile?
|
845
832
|
npmrc_content.match?(/^package-lock\s*=\s*false/)
|
846
833
|
end
|
@@ -851,13 +838,6 @@ module Dependabot
|
|
851
838
|
@npm8 = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile.content) == "npm8"
|
852
839
|
end
|
853
840
|
|
854
|
-
def sanitized_package_json_content(content)
|
855
|
-
content.
|
856
|
-
gsub(/\{\{[^\}]*?\}\}/, "something"). # {{ nm }} syntax not allowed
|
857
|
-
gsub(/(?<!\\)\\ /, " "). # escaped whitespace not allowed
|
858
|
-
gsub(%r{^\s*//.*}, " ") # comments are not allowed
|
859
|
-
end
|
860
|
-
|
861
841
|
def sanitize_package_name(package_name)
|
862
842
|
package_name.gsub("%2f", "/").gsub("%2F", "/")
|
863
843
|
end
|
@@ -17,6 +17,7 @@ module Dependabot
|
|
17
17
|
class YarnLockfileUpdater
|
18
18
|
require_relative "npmrc_builder"
|
19
19
|
require_relative "package_json_updater"
|
20
|
+
require_relative "package_json_preparer"
|
20
21
|
|
21
22
|
def initialize(dependencies:, dependency_files:, repo_contents_path:, credentials:)
|
22
23
|
@dependencies = dependencies
|
@@ -357,13 +358,7 @@ module Dependabot
|
|
357
358
|
file.content
|
358
359
|
end
|
359
360
|
|
360
|
-
updated_content =
|
361
|
-
|
362
|
-
# A bug prevents Yarn recognising that a directory is part of a
|
363
|
-
# workspace if it is specified with a `./` prefix.
|
364
|
-
updated_content = remove_workspace_path_prefixes(updated_content)
|
365
|
-
|
366
|
-
updated_content = sanitized_package_json_content(updated_content)
|
361
|
+
updated_content = package_json_preparer(updated_content).prepared_content
|
367
362
|
File.write(file.name, updated_content)
|
368
363
|
end
|
369
364
|
|
@@ -380,9 +375,10 @@ module Dependabot
|
|
380
375
|
dirs.pop
|
381
376
|
while dirs.any?
|
382
377
|
npmrc = dirs.join("/") + "/.npmrc"
|
383
|
-
|
384
|
-
|
385
|
-
|
378
|
+
if File.exist?(npmrc)
|
379
|
+
# If the .npmrc file exists, clean it
|
380
|
+
File.write(npmrc, File.read(npmrc).gsub(/\$\{.*?\}/, ""))
|
381
|
+
end
|
386
382
|
dirs.pop
|
387
383
|
end
|
388
384
|
end
|
@@ -394,60 +390,12 @@ module Dependabot
|
|
394
390
|
end
|
395
391
|
end
|
396
392
|
|
397
|
-
def replace_ssh_sources(content)
|
398
|
-
updated_content = content
|
399
|
-
|
400
|
-
git_ssh_requirements_to_swap.each do |req|
|
401
|
-
new_req = req.gsub(%r{git\+ssh://git@(.*?)[:/]}, 'https://\1/')
|
402
|
-
updated_content = updated_content.gsub(req, new_req)
|
403
|
-
end
|
404
|
-
|
405
|
-
updated_content
|
406
|
-
end
|
407
|
-
|
408
|
-
def remove_workspace_path_prefixes(content)
|
409
|
-
json = JSON.parse(content)
|
410
|
-
return content unless json.key?("workspaces")
|
411
|
-
|
412
|
-
workspace_object = json.fetch("workspaces")
|
413
|
-
paths_array =
|
414
|
-
if workspace_object.is_a?(Hash)
|
415
|
-
workspace_object.values_at("packages", "nohoist").
|
416
|
-
flatten.compact
|
417
|
-
elsif workspace_object.is_a?(Array) then workspace_object
|
418
|
-
else
|
419
|
-
raise "Unexpected workspace object"
|
420
|
-
end
|
421
|
-
|
422
|
-
paths_array.each { |path| path.gsub!(%r{^\./}, "") }
|
423
|
-
|
424
|
-
json.to_json
|
425
|
-
end
|
426
|
-
|
427
393
|
def git_ssh_requirements_to_swap
|
428
394
|
return @git_ssh_requirements_to_swap if @git_ssh_requirements_to_swap
|
429
395
|
|
430
|
-
|
431
|
-
|
432
|
-
select do |dep|
|
433
|
-
dep.requirements.any? { |r| r.dig(:source, :type) == "git" }
|
434
|
-
end
|
435
|
-
|
436
|
-
@git_ssh_requirements_to_swap = []
|
437
|
-
|
438
|
-
package_files.each do |file|
|
439
|
-
NpmAndYarn::FileParser::DEPENDENCY_TYPES.each do |t|
|
440
|
-
JSON.parse(file.content).fetch(t, {}).each do |nm, requirement|
|
441
|
-
next unless git_dependencies.map(&:name).include?(nm)
|
442
|
-
next unless requirement.start_with?("git+ssh:")
|
443
|
-
|
444
|
-
req = requirement.split("#").first
|
445
|
-
@git_ssh_requirements_to_swap << req
|
446
|
-
end
|
447
|
-
end
|
396
|
+
@git_ssh_requirements_to_swap = package_files.flat_map do |file|
|
397
|
+
package_json_preparer(file.content).swapped_ssh_requirements
|
448
398
|
end
|
449
|
-
|
450
|
-
@git_ssh_requirements_to_swap
|
451
399
|
end
|
452
400
|
|
453
401
|
def post_process_yarn_lockfile(lockfile_content)
|
@@ -537,12 +485,18 @@ module Dependabot
|
|
537
485
|
end
|
538
486
|
|
539
487
|
def updated_package_json_content(file)
|
540
|
-
|
541
|
-
|
542
|
-
|
543
|
-
|
544
|
-
|
545
|
-
|
488
|
+
PackageJsonUpdater.new(
|
489
|
+
package_json: file,
|
490
|
+
dependencies: top_level_dependencies
|
491
|
+
).updated_package_json.content
|
492
|
+
end
|
493
|
+
|
494
|
+
def package_json_preparer(content)
|
495
|
+
@package_json_preparer ||= {}
|
496
|
+
@package_json_preparer[content] ||=
|
497
|
+
PackageJsonPreparer.new(
|
498
|
+
package_json_content: content
|
499
|
+
)
|
546
500
|
end
|
547
501
|
|
548
502
|
def npmrc_disables_lockfile?
|
@@ -574,13 +528,6 @@ module Dependabot
|
|
574
528
|
).yarnrc_content
|
575
529
|
end
|
576
530
|
|
577
|
-
def sanitized_package_json_content(content)
|
578
|
-
content.
|
579
|
-
gsub(/\{\{[^\}]*?\}\}/, "something"). # {{ nm }} syntax not allowed
|
580
|
-
gsub(/(?<!\\)\\ /, " "). # escaped whitespace not allowed
|
581
|
-
gsub(%r{^\s*//.*}, " ") # comments are not allowed
|
582
|
-
end
|
583
|
-
|
584
531
|
def sanitize_package_name(package_name)
|
585
532
|
package_name.gsub("%2f", "/").gsub("%2F", "/")
|
586
533
|
end
|
@@ -122,26 +122,10 @@ module Dependabot
|
|
122
122
|
end
|
123
123
|
|
124
124
|
def self.dependencies_with_all_versions_metadata(dependency_set)
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
names = dependency_set.dependencies.map(&:name)
|
129
|
-
names.each do |name|
|
130
|
-
all_versions = dependency_set.all_versions_for_name(name)
|
131
|
-
all_versions.each do |dep|
|
132
|
-
metadata_versions = dep.metadata.fetch(:all_versions, [])
|
133
|
-
if metadata_versions.any?
|
134
|
-
metadata_versions.each { |a| working_set << a }
|
135
|
-
else
|
136
|
-
working_set << dep
|
137
|
-
end
|
138
|
-
end
|
139
|
-
dependency = working_set.dependency_for_name(name)
|
140
|
-
dependency.metadata[:all_versions] = working_set.all_versions_for_name(name)
|
141
|
-
dependencies << dependency
|
125
|
+
dependency_set.dependencies.map do |dependency|
|
126
|
+
dependency.metadata[:all_versions] = dependency_set.all_versions_for_name(dependency.name)
|
127
|
+
dependency
|
142
128
|
end
|
143
|
-
|
144
|
-
dependencies
|
145
129
|
end
|
146
130
|
end
|
147
131
|
end
|
@@ -261,25 +261,25 @@ module Dependabot
|
|
261
261
|
end
|
262
262
|
|
263
263
|
def npm_details
|
264
|
-
return @npm_details if @
|
264
|
+
return @npm_details if defined?(@npm_details)
|
265
265
|
|
266
|
-
@
|
267
|
-
|
268
|
-
|
269
|
-
|
270
|
-
|
271
|
-
|
272
|
-
|
273
|
-
|
274
|
-
|
275
|
-
|
276
|
-
|
277
|
-
|
278
|
-
|
279
|
-
|
280
|
-
|
281
|
-
|
282
|
-
|
266
|
+
@npm_details = fetch_npm_details
|
267
|
+
end
|
268
|
+
|
269
|
+
def fetch_npm_details
|
270
|
+
npm_response = fetch_npm_response
|
271
|
+
|
272
|
+
check_npm_response(npm_response)
|
273
|
+
JSON.parse(npm_response.body)
|
274
|
+
rescue JSON::ParserError,
|
275
|
+
Excon::Error::Timeout,
|
276
|
+
Excon::Error::Socket,
|
277
|
+
RegistryError => e
|
278
|
+
if git_dependency?
|
279
|
+
nil
|
280
|
+
else
|
281
|
+
raise_npm_details_error(e)
|
282
|
+
end
|
283
283
|
end
|
284
284
|
|
285
285
|
def fetch_npm_response
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.227.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-
|
11
|
+
date: 2023-08-18 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.227.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.227.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -128,14 +128,14 @@ dependencies:
|
|
128
128
|
requirements:
|
129
129
|
- - "~>"
|
130
130
|
- !ruby/object:Gem::Version
|
131
|
-
version: 1.
|
131
|
+
version: 1.19.0
|
132
132
|
type: :development
|
133
133
|
prerelease: false
|
134
134
|
version_requirements: !ruby/object:Gem::Requirement
|
135
135
|
requirements:
|
136
136
|
- - "~>"
|
137
137
|
- !ruby/object:Gem::Version
|
138
|
-
version: 1.
|
138
|
+
version: 1.19.0
|
139
139
|
- !ruby/object:Gem::Dependency
|
140
140
|
name: stackprof
|
141
141
|
requirement: !ruby/object:Gem::Requirement
|
@@ -280,7 +280,7 @@ licenses:
|
|
280
280
|
- Nonstandard
|
281
281
|
metadata:
|
282
282
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
283
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
283
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.227.0
|
284
284
|
post_install_message:
|
285
285
|
rdoc_options: []
|
286
286
|
require_paths:
|