dependabot-npm_and_yarn 0.227.0 → 0.229.0

data/helpers/package.json

@@ -6,7 +6,8 @@
   },
   "scripts": {
     "lint": "eslint .",
-    "test": "jest"
+    "test": "jest",
+    "postinstall": "patch-package"
   },
   "dependencies": {
     "@dependabot/yarn-lib": "^1.22.19",
@@ -16,12 +17,13 @@
     "npm": "6.14.18",
     "@pnpm/lockfile-file": "^8.1.2",
     "@pnpm/dependency-path": "^2.1.1",
-    "semver": "^7.4.0"
+    "semver": "^7.4.0",
+    "patch-package": "^8.0.0"
   },
   "devDependencies": {
     "eslint": "^8.47.0",
     "eslint-config-prettier": "^9.0.0",
-    "jest": "^29.6.2",
-    "prettier": "^3.0.1"
+    "jest": "^29.6.3",
+    "prettier": "^3.0.2"
   }
 }

data/helpers/patches/npm++pacote+9.5.12.patch

@@ -0,0 +1,14 @@
+diff --git a/node_modules/npm/node_modules/pacote/lib/util/git.js b/node_modules/npm/node_modules/pacote/lib/util/git.js
+index 7642eb2..7bb3324 100644
+--- a/node_modules/npm/node_modules/pacote/lib/util/git.js
++++ b/node_modules/npm/node_modules/pacote/lib/util/git.js
+@@ -25,7 +25,8 @@ const GOOD_ENV_VARS = new Set([
+   'GIT_SSH',
+   'GIT_SSH_COMMAND',
+   'GIT_SSL_CAINFO',
+-  'GIT_SSL_NO_VERIFY'
++  'GIT_SSL_NO_VERIFY',
++  'GIT_CONFIG_GLOBAL'
+ ])
+ 
+ const GIT_TRANSIENT_ERRORS = [

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -178,10 +178,10 @@ module Dependabot
         elsif lockfile_details
           lockfile_version_for(lockfile_details)
         else
-          req = requirement_class.new(requirement)
-          return unless req.exact?
+          exact_version = exact_version_for(requirement)
+          return unless exact_version
 
-          semver_version_for(req.requirements.first.last.to_s)
+          semver_version_for(exact_version)
         end
       end
 
@@ -230,6 +230,15 @@ module Dependabot
         version_class.semver_for(version)
       end
 
+      def exact_version_for(requirement)
+        req = requirement_class.new(requirement)
+        return unless req.exact?
+
+        req.requirements.first.last.to_s
+      rescue Gem::Requirement::BadRequirementError
+        # If it doesn't parse, it's definitely not exact
+      end
+
       def source_for(name, requirement, lockfile_details)
         return git_source_for(requirement) if git_url?(requirement)
 

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -552,7 +552,7 @@ module Dependabot
           return "" if indentation.nil? # let npm set the default if we can't detect any indentation
 
           indentation_size = indentation.length
-          indentation_type = indentation.scan(/\t/).any? ? "\t" : " "
+          indentation_type = indentation.scan("\t").any? ? "\t" : " "
 
           indentation_type * indentation_size
         end

data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb

@@ -214,7 +214,7 @@ module Dependabot
           #
           # TODO: Move this logic to the UpdateChecker (and parse peer deps)
           sections += ["peerDependencies"]
-          sections_regex = /#{sections.join("|")}/
+          sections_regex = /#{sections.join('|')}/
 
           declaration_blocks = []
 

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -111,7 +111,7 @@ module Dependabot
 
       def filtered_dependency_files
         @filtered_dependency_files ||=
-          if dependencies.select(&:top_level?).any?
+          if dependencies.any?(&:top_level?)
             DependencyFilesFilterer.new(
               dependency_files: dependency_files,
               updated_dependencies: dependencies

data/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb

@@ -42,7 +42,7 @@ module Dependabot
           @project_npm_response ||= Dependabot::RegistryClient.get(url: url)
           return false unless @project_npm_response.status == 200
 
-          @project_npm_response.body.force_encoding("UTF-8").encode.
+          @project_npm_response.body.dup.force_encoding("UTF-8").encode.
             include?(project_description)
         rescue Excon::Error::Socket, Excon::Error::Timeout, URI::InvalidURIError
           false

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.227.0
+  version: 0.229.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-08-18 00:00:00.000000000 Z
+date: 2023-08-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.227.0
+        version: 0.229.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.227.0
+        version: 0.229.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.50.0
+        version: 1.56.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.50.0
+        version: 1.56.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -212,6 +212,7 @@ files:
 - helpers/lib/yarn/updater.js
 - helpers/package-lock.json
 - helpers/package.json
+- helpers/patches/npm++pacote+9.5.12.patch
 - helpers/run.js
 - helpers/test/npm6/conflicting-dependency-parser.test.js
 - helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested/package-lock.json
@@ -280,7 +281,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.227.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.229.0
 post_install_message: 
 rdoc_options: []
 require_paths: