dependabot-npm_and_yarn 0.230.0 → 0.231.0
- checksums.yaml +4 -4
- data/helpers/package-lock.json +517 -517
- data/helpers/package.json +3 -3
- data/lib/dependabot/npm_and_yarn/dependency_files_filterer.rb +1 -0
- data/lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb +16 -15
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +24 -23
- data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb +1 -0
- data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb +11 -10
- data/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb +1 -0
- data/lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb +3 -2
- data/lib/dependabot/npm_and_yarn/file_parser.rb +22 -21
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +11 -10
- data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb +30 -29
- data/lib/dependabot/npm_and_yarn/file_updater/package_json_preparer.rb +7 -6
- data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb +12 -11
- data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb +6 -5
- data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +24 -23
- data/lib/dependabot/npm_and_yarn/file_updater.rb +11 -10
- data/lib/dependabot/npm_and_yarn/helpers.rb +1 -0
- data/lib/dependabot/npm_and_yarn/metadata_finder.rb +20 -19
- data/lib/dependabot/npm_and_yarn/native_helpers.rb +1 -0
- data/lib/dependabot/npm_and_yarn/package_manager.rb +1 -0
- data/lib/dependabot/npm_and_yarn/package_name.rb +1 -0
- data/lib/dependabot/npm_and_yarn/requirement.rb +4 -3
- data/lib/dependabot/npm_and_yarn/sub_dependency_files_filterer.rb +1 -0
- data/lib/dependabot/npm_and_yarn/update_checker/conflicting_dependency_resolver.rb +1 -0
- data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb +20 -19
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +21 -18
- data/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb +3 -2
- data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb +24 -23
- data/lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb +7 -6
- data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb +3 -2
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +45 -44
- data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb +1 -0
- data/lib/dependabot/npm_and_yarn/update_checker.rb +12 -11
- data/lib/dependabot/npm_and_yarn/version.rb +3 -2
- data/lib/dependabot/npm_and_yarn.rb +3 -2
- metadata +19 -5
data/helpers/package.json
CHANGED
@@ -1,3 +1,4 @@
|
|
1
|
+
# typed: false
|
1
2
|
# frozen_string_literal: true
|
2
3
|
|
3
4
|
require "json"
|
@@ -36,20 +37,20 @@ module Dependabot
|
|
36
37
|
|
37
38
|
def details_from_yarn_lock
|
38
39
|
path_starts = FileFetcher::PATH_DEPENDENCY_STARTS
|
39
|
-
parsed_yarn_lock.to_a
|
40
|
-
|
41
|
-
|
40
|
+
parsed_yarn_lock.to_a
|
41
|
+
.find do |n, _|
|
42
|
+
next false unless n.split(/(?<=\w)\@/).first == dependency_name
|
42
43
|
|
43
|
-
|
44
|
-
|
44
|
+
n.split(/(?<=\w)\@/).last.start_with?(*path_starts)
|
45
|
+
end&.last
|
45
46
|
end
|
46
47
|
|
47
48
|
def details_from_npm_lock
|
48
49
|
path_starts = FileFetcher::NPM_PATH_DEPENDENCY_STARTS
|
49
|
-
path_deps = parsed_package_lock.fetch("dependencies", []).to_a
|
50
|
-
|
51
|
-
|
52
|
-
|
50
|
+
path_deps = parsed_package_lock.fetch("dependencies", []).to_a
|
51
|
+
.select do |_, v|
|
52
|
+
v.fetch("version", "").start_with?(*path_starts)
|
53
|
+
end
|
53
54
|
path_deps.find { |n, _| n == dependency_name }&.last
|
54
55
|
end
|
55
56
|
|
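Review bot: `details_from_npm_lock` calls `v.fetch("version", "")` on every value under `"dependencies"` without first checking that the value is a Hash, so an entry whose value is a string or nil raises NoMethodError here, whereas the equivalent chain in `path_dependency_details_from_npm_lockfile` further down this page inserts `.select { |_, v| v.is_a?(Hash) }` before the same version test. Adding that guard here, `.select { |_, v| v.is_a?(Hash) }` followed by the existing `.select do |_, v| v.fetch("version", "").start_with?(*path_starts) end`, makes the two lockfile readers agree. Separately, the `/(?<=\w)\@/` split that this hunk uses in `details_from_yarn_lock` recurs in several other files touched by this commit (the `details` method of the yarn lock parser and the pnpm updater's `package_name` extraction among them); a shared constant would keep the name/version separator in one place.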
@@ -93,18 +94,18 @@ module Dependabot
|
|
93
94
|
next unless value.start_with?(*FileFetcher::PATH_DEPENDENCY_STARTS)
|
94
95
|
|
95
96
|
path_from_base =
|
96
|
-
parsed_yarn_lock.to_a
|
97
|
-
|
97
|
+
parsed_yarn_lock.to_a
|
98
|
+
.find do |n, _|
|
98
99
|
next false unless n.split(/(?<=\w)\@/).first == name
|
99
100
|
|
100
|
-
n.split(/(?<=\w)\@/).last
|
101
|
-
|
101
|
+
n.split(/(?<=\w)\@/).last
|
102
|
+
.start_with?(*FileFetcher::PATH_DEPENDENCY_STARTS)
|
102
103
|
end&.first&.split(/(?<=\w)\@/)&.last
|
103
104
|
|
104
105
|
next unless path_from_base
|
105
106
|
|
106
|
-
cleaned_path = path_from_base
|
107
|
-
gsub(FileFetcher::PATH_DEPENDENCY_CLEAN_REGEX, "")
|
107
|
+
cleaned_path = path_from_base
|
108
|
+
.gsub(FileFetcher::PATH_DEPENDENCY_CLEAN_REGEX, "")
|
108
109
|
obj[name] = "file:" + File.join(inverted_path, cleaned_path)
|
109
110
|
end
|
110
111
|
end
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# typed: false
|
1
2
|
# frozen_string_literal: true
|
2
3
|
|
3
4
|
require "json"
|
@@ -225,8 +226,8 @@ module Dependabot
|
|
225
226
|
|
226
227
|
# Loop through parent directories looking for an npmrc
|
227
228
|
(1..directory.split("/").count).each do |i|
|
228
|
-
@npmrc = fetch_file_from_host(("../" * i) + ".npmrc")
|
229
|
-
tap { |f| f.support_file = true }
|
229
|
+
@npmrc = fetch_file_from_host(("../" * i) + ".npmrc")
|
230
|
+
&.tap { |f| f.support_file = true }
|
230
231
|
break if @npmrc
|
231
232
|
rescue Dependabot::DependencyFileNotFound
|
232
233
|
# Ignore errors (.npmrc may not be present)
|
@@ -245,8 +246,8 @@ module Dependabot
|
|
245
246
|
|
246
247
|
# Loop through parent directories looking for an yarnrc
|
247
248
|
(1..directory.split("/").count).each do |i|
|
248
|
-
@yarnrc = fetch_file_from_host(("../" * i) + ".yarnrc")
|
249
|
-
tap { |f| f.support_file = true }
|
249
|
+
@yarnrc = fetch_file_from_host(("../" * i) + ".yarnrc")
|
250
|
+
&.tap { |f| f.support_file = true }
|
250
251
|
break if @yarnrc
|
251
252
|
rescue Dependabot::DependencyFileNotFound
|
252
253
|
# Ignore errors (.yarnrc may not be present)
|
@@ -368,15 +369,15 @@ module Dependabot
|
|
368
369
|
|
369
370
|
raise Dependabot::DependencyFileNotParseable, file.path unless manifest_objects.all?(Hash)
|
370
371
|
|
371
|
-
resolution_deps = resolution_objects.flat_map(&:to_a)
|
372
|
-
|
373
|
-
|
374
|
-
|
372
|
+
resolution_deps = resolution_objects.flat_map(&:to_a)
|
373
|
+
.map do |path, value|
|
374
|
+
convert_dependency_path_to_name(path, value)
|
375
|
+
end
|
375
376
|
|
376
377
|
path_starts = PATH_DEPENDENCY_STARTS
|
377
|
-
(dependency_objects.flat_map(&:to_a) + resolution_deps)
|
378
|
-
select { |_, v| v.is_a?(String) && v.start_with?(*path_starts) }
|
379
|
-
map do |name, path|
|
378
|
+
(dependency_objects.flat_map(&:to_a) + resolution_deps)
|
379
|
+
.select { |_, v| v.is_a?(String) && v.start_with?(*path_starts) }
|
380
|
+
.map do |name, path|
|
380
381
|
path = path.gsub(PATH_DEPENDENCY_CLEAN_REGEX, "")
|
381
382
|
raise PathDependenciesNotReachable, "#{name} at #{path}" if path.start_with?("/", "#{path_to_directory}..")
|
382
383
|
|
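Review bot: The reachability check `raise PathDependenciesNotReachable, "#{name} at #{path}" if path.start_with?("/", "#{path_to_directory}..")` only inspects the two prefixes of the cleaned path, so a `..` segment that appears later in the string is not rejected by this line; whether that matters depends on how the path is used afterwards, which is outside the hunk. If nothing downstream normalises it, comparing the normalised form instead, `path = Pathname.new(path).cleanpath.to_s` before the `start_with?` test, makes the rejection independent of how the path is spelled (this needs `require "pathname"` if the file does not already have it). The enclosing `map` block and its method both start before and end after this hunk.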
@@ -391,10 +392,10 @@ module Dependabot
|
|
391
392
|
|
392
393
|
def path_dependency_details_from_npm_lockfile(parsed_lockfile)
|
393
394
|
path_starts = NPM_PATH_DEPENDENCY_STARTS
|
394
|
-
parsed_lockfile.fetch("dependencies", []).to_a
|
395
|
-
|
396
|
-
|
397
|
-
|
395
|
+
parsed_lockfile.fetch("dependencies", []).to_a
|
396
|
+
.select { |_, v| v.is_a?(Hash) }
|
397
|
+
.select { |_, v| v.fetch("version", "").start_with?(*path_starts) }
|
398
|
+
.map { |k, v| [k, v.fetch("version")] }
|
398
399
|
end
|
399
400
|
|
400
401
|
# Re-write the glob name to the targeted dependency name (which is used
|
@@ -458,16 +459,16 @@ module Dependabot
|
|
458
459
|
return [glob] unless glob.include?("*") || yarn_ignored_glob(glob)
|
459
460
|
|
460
461
|
unglobbed_path =
|
461
|
-
glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
|
462
|
-
|
463
|
-
|
462
|
+
glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
|
463
|
+
.split("*")
|
464
|
+
.first&.gsub(%r{(?<=/)[^/]*$}, "") || "."
|
464
465
|
|
465
466
|
dir = directory.gsub(%r{(^/|/$)}, "")
|
466
467
|
|
467
468
|
paths =
|
468
|
-
repo_contents(dir: unglobbed_path, raise_errors: false)
|
469
|
-
select { |file| file.type == "dir" }
|
470
|
-
map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
|
469
|
+
repo_contents(dir: unglobbed_path, raise_errors: false)
|
470
|
+
.select { |file| file.type == "dir" }
|
471
|
+
.map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
|
471
472
|
|
472
473
|
matching_paths(glob, paths)
|
473
474
|
end
|
@@ -585,5 +586,5 @@ module Dependabot
|
|
585
586
|
end
|
586
587
|
end
|
587
588
|
|
588
|
-
Dependabot::FileFetchers
|
589
|
-
register("npm_and_yarn", Dependabot::NpmAndYarn::FileFetcher)
|
589
|
+
Dependabot::FileFetchers
|
590
|
+
.register("npm_and_yarn", Dependabot::NpmAndYarn::FileFetcher)
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# typed: false
|
1
2
|
# frozen_string_literal: true
|
2
3
|
|
3
4
|
require "dependabot/dependency_file"
|
@@ -56,8 +57,8 @@ module Dependabot
|
|
56
57
|
end +
|
57
58
|
%w(yarn.lock pnpm-lock.yaml package-lock.json npm-shrinkwrap.json)
|
58
59
|
|
59
|
-
possible_lockfile_names.uniq
|
60
|
-
|
60
|
+
possible_lockfile_names.uniq
|
61
|
+
.filter_map { |nm| dependency_files.find { |f| f.name == nm } }
|
61
62
|
end
|
62
63
|
|
63
64
|
def parsed_lockfile(file)
|
@@ -77,26 +78,26 @@ module Dependabot
|
|
77
78
|
|
78
79
|
def package_locks
|
79
80
|
@package_locks ||=
|
80
|
-
dependency_files
|
81
|
-
select { |f| f.name.end_with?("package-lock.json") }
|
81
|
+
dependency_files
|
82
|
+
.select { |f| f.name.end_with?("package-lock.json") }
|
82
83
|
end
|
83
84
|
|
84
85
|
def pnpm_locks
|
85
86
|
@pnpm_locks ||=
|
86
|
-
dependency_files
|
87
|
-
select { |f| f.name.end_with?("pnpm-lock.yaml") }
|
87
|
+
dependency_files
|
88
|
+
.select { |f| f.name.end_with?("pnpm-lock.yaml") }
|
88
89
|
end
|
89
90
|
|
90
91
|
def yarn_locks
|
91
92
|
@yarn_locks ||=
|
92
|
-
dependency_files
|
93
|
-
select { |f| f.name.end_with?("yarn.lock") }
|
93
|
+
dependency_files
|
94
|
+
.select { |f| f.name.end_with?("yarn.lock") }
|
94
95
|
end
|
95
96
|
|
96
97
|
def shrinkwraps
|
97
98
|
@shrinkwraps ||=
|
98
|
-
dependency_files
|
99
|
-
select { |f| f.name.end_with?("npm-shrinkwrap.json") }
|
99
|
+
dependency_files
|
100
|
+
.select { |f| f.name.end_with?("npm-shrinkwrap.json") }
|
100
101
|
end
|
101
102
|
|
102
103
|
def version_class
|
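Review bot: `package_locks`, `pnpm_locks`, `yarn_locks` and `shrinkwraps` are four copies of the same memoised `dependency_files.select { |f| f.name.end_with?(...) }`, differing only in the suffix, and the `package_locks`/`shrinkwraps` pair reappears verbatim further down this page in another file. Since the commit already rewrites every one of them, a single private helper, `def lockfiles_named(suffix)` / `  dependency_files.select { |f| f.name.end_with?(suffix) }` / `end`, would let each method read `@yarn_locks ||= lockfiles_named("yarn.lock")`. Note that `end_with?` is a suffix test, so a file named e.g. `foo-yarn.lock` also qualifies; if that is intended, a one-line comment saying so would spare the next reader the question.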
@@ -1,3 +1,4 @@
|
|
1
|
+
# typed: false
|
1
2
|
# frozen_string_literal: true
|
2
3
|
|
3
4
|
require "dependabot/shared_helpers"
|
@@ -51,8 +52,8 @@ module Dependabot
|
|
51
52
|
|
52
53
|
def details(dependency_name, requirement, _manifest_name)
|
53
54
|
details_candidates =
|
54
|
-
parsed
|
55
|
-
select { |k, _| k.split(/(?<=\w)\@/)[0] == dependency_name }
|
55
|
+
parsed
|
56
|
+
.select { |k, _| k.split(/(?<=\w)\@/)[0] == dependency_name }
|
56
57
|
|
57
58
|
# If there's only one entry for this dependency, use it, even if
|
58
59
|
# the requirement in the lockfile doesn't match
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# typed: false
|
1
2
|
# frozen_string_literal: true
|
2
3
|
|
3
4
|
# See https://docs.npmjs.com/files/package.json for package.json format docs.
|
@@ -204,14 +205,14 @@ module Dependabot
|
|
204
205
|
Dependabot::GitMetadataFetcher.new(
|
205
206
|
url: git_source_for(requirement).fetch(:url),
|
206
207
|
credentials: credentials
|
207
|
-
).tags
|
208
|
-
|
208
|
+
).tags
|
209
|
+
.select { |t| [t.commit_sha, t.tag_sha].include?(git_revision) }
|
209
210
|
|
210
211
|
tags.each do |t|
|
211
212
|
next unless t.name.match?(Dependabot::GitCommitChecker::VERSION_REGEX)
|
212
213
|
|
213
|
-
version = t.name.match(Dependabot::GitCommitChecker::VERSION_REGEX)
|
214
|
-
|
214
|
+
version = t.name.match(Dependabot::GitCommitChecker::VERSION_REGEX)
|
215
|
+
.named_captures.fetch("version")
|
215
216
|
next unless version_class.correct?(version)
|
216
217
|
|
217
218
|
return version
|
@@ -267,10 +268,10 @@ module Dependabot
|
|
267
268
|
prefix = details.fetch("git_prefix")
|
268
269
|
|
269
270
|
host = if prefix.include?("git@") || prefix.include?("://")
|
270
|
-
prefix.split("git@").last
|
271
|
-
|
272
|
-
|
273
|
-
|
271
|
+
prefix.split("git@").last
|
272
|
+
.sub(%r{.*?://}, "")
|
273
|
+
.sub(%r{[:/]$}, "")
|
274
|
+
.split("#").first
|
274
275
|
elsif prefix.include?("bitbucket") then "bitbucket.org"
|
275
276
|
elsif prefix.include?("gitlab") then "gitlab.com"
|
276
277
|
else
|
@@ -292,8 +293,8 @@ module Dependabot
|
|
292
293
|
resolved_url.split("/~/").first
|
293
294
|
elsif resolved_url.include?("/#{name}/-/#{name}")
|
294
295
|
# MyGet / Bintray format
|
295
|
-
resolved_url.split("/#{name}/-/#{name}").first
|
296
|
-
|
296
|
+
resolved_url.split("/#{name}/-/#{name}").first
|
297
|
+
.gsub("dl.bintray.com//", "api.bintray.com/npm/").
|
297
298
|
# GitLab format
|
298
299
|
gsub(%r{\/projects\/\d+}, "")
|
299
300
|
elsif resolved_url.include?("/#{name}/-/#{name.split('/').last}")
|
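Review bot: The chain in the `# MyGet / Bintray format` branch is only half converted: the new line `.gsub("dl.bintray.com//", "api.bintray.com/npm/").` still ends with a trailing dot so that the `# GitLab format` comment can sit between the calls, and the final `gsub(%r{\/projects\/\d+}, "")` keeps the old trailing-dot style. Moving the comment inline keeps the leading-dot style the rest of the commit adopts: `.gsub("dl.bintray.com//", "api.bintray.com/npm/")` followed by `.gsub(%r{/projects/\d+}, "") # GitLab format` (the `\/` escapes are unnecessary inside `%r{}`). The enclosing `if`/`elsif` chain continues outside the hunk.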
@@ -311,10 +312,10 @@ module Dependabot
|
|
311
312
|
resolved_url_host = URI(resolved_url).host
|
312
313
|
|
313
314
|
credential_matching_url =
|
314
|
-
credentials
|
315
|
-
select { |cred| cred["type"] == "npm_registry" }
|
316
|
-
sort_by { |cred| cred["registry"].length }
|
317
|
-
find do |details|
|
315
|
+
credentials
|
316
|
+
.select { |cred| cred["type"] == "npm_registry" }
|
317
|
+
.sort_by { |cred| cred["registry"].length }
|
318
|
+
.find do |details|
|
318
319
|
next true if resolved_url_host == details["registry"]
|
319
320
|
|
320
321
|
uri = if details["registry"]&.include?("://")
|
@@ -337,11 +338,11 @@ module Dependabot
|
|
337
338
|
@package_files ||=
|
338
339
|
begin
|
339
340
|
sub_packages =
|
340
|
-
dependency_files
|
341
|
-
select { |f| f.name.end_with?("package.json") }
|
342
|
-
reject { |f| f.name == "package.json" }
|
343
|
-
reject { |f| f.name.include?("node_modules/") }
|
344
|
-
reject(&:support_file?)
|
341
|
+
dependency_files
|
342
|
+
.select { |f| f.name.end_with?("package.json") }
|
343
|
+
.reject { |f| f.name == "package.json" }
|
344
|
+
.reject { |f| f.name.include?("node_modules/") }
|
345
|
+
.reject(&:support_file?)
|
345
346
|
|
346
347
|
[
|
347
348
|
dependency_files.find { |f| f.name == "package.json" },
|
@@ -361,5 +362,5 @@ module Dependabot
|
|
361
362
|
end
|
362
363
|
end
|
363
364
|
|
364
|
-
Dependabot::FileParsers
|
365
|
-
register("npm_and_yarn", Dependabot::NpmAndYarn::FileParser)
|
365
|
+
Dependabot::FileParsers
|
366
|
+
.register("npm_and_yarn", Dependabot::NpmAndYarn::FileParser)
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# typed: false
|
1
2
|
# frozen_string_literal: true
|
2
3
|
|
3
4
|
require "dependabot/errors"
|
@@ -319,8 +320,8 @@ module Dependabot
|
|
319
320
|
def handle_npm_updater_error(error)
|
320
321
|
error_message = error.message
|
321
322
|
if error_message.match?(MISSING_PACKAGE)
|
322
|
-
package_name = error_message.match(MISSING_PACKAGE)
|
323
|
-
|
323
|
+
package_name = error_message.match(MISSING_PACKAGE)
|
324
|
+
.named_captures["package_req"]
|
324
325
|
sanitized_name = sanitize_package_name(package_name)
|
325
326
|
sanitized_error = error_message.gsub(package_name, sanitized_name)
|
326
327
|
handle_missing_package(sanitized_name, sanitized_error)
|
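Review bot: The four lines after `if error_message.match?(MISSING_PACKAGE)` — match, `sanitize_package_name`, `error_message.gsub(package_name, sanitized_name)`, `handle_missing_package(...)` — are repeated verbatim in the next two hunks for `FORBIDDEN_PACKAGE` and `FORBIDDEN_PACKAGE_403`, with only the regex changing. Since the commit already touches all three copies, extracting one private helper that takes the regex removes the duplication and keeps the sanitisation logic in a single place; the `match?` guard stays at each call site so `.named_captures` is never called on nil. `handle_npm_updater_error` continues past the end of this hunk.
```ruby
if error_message.match?(MISSING_PACKAGE)
  handle_package_error_for(error_message, MISSING_PACKAGE)
# … unchanged: rest of handle_npm_updater_error; same one-line replacement under FORBIDDEN_PACKAGE and FORBIDDEN_PACKAGE_403 …

# Extracts the package requirement captured by +regex+ from +error_message+,
# sanitises it and delegates to handle_missing_package.
# Callers must have checked error_message.match?(regex) first.
def handle_package_error_for(error_message, regex)
  package_name = error_message.match(regex).named_captures["package_req"]
  sanitized_name = sanitize_package_name(package_name)
  sanitized_error = error_message.gsub(package_name, sanitized_name)
  handle_missing_package(sanitized_name, sanitized_error)
end
```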
@@ -368,8 +369,8 @@ module Dependabot
|
|
368
369
|
end
|
369
370
|
|
370
371
|
if error_message.match?(FORBIDDEN_PACKAGE)
|
371
|
-
package_name = error_message.match(FORBIDDEN_PACKAGE)
|
372
|
-
|
372
|
+
package_name = error_message.match(FORBIDDEN_PACKAGE)
|
373
|
+
.named_captures["package_req"]
|
373
374
|
sanitized_name = sanitize_package_name(package_name)
|
374
375
|
sanitized_error = error_message.gsub(package_name, sanitized_name)
|
375
376
|
handle_missing_package(sanitized_name, sanitized_error)
|
@@ -377,8 +378,8 @@ module Dependabot
|
|
377
378
|
|
378
379
|
# Some private registries return a 403 when the user is readonly
|
379
380
|
if error_message.match?(FORBIDDEN_PACKAGE_403)
|
380
|
-
package_name = error_message.match(FORBIDDEN_PACKAGE_403)
|
381
|
-
|
381
|
+
package_name = error_message.match(FORBIDDEN_PACKAGE_403)
|
382
|
+
.named_captures["package_req"]
|
382
383
|
sanitized_name = sanitize_package_name(package_name)
|
383
384
|
sanitized_error = error_message.gsub(package_name, sanitized_name)
|
384
385
|
handle_missing_package(sanitized_name, sanitized_error)
|
@@ -868,14 +869,14 @@ module Dependabot
|
|
868
869
|
|
869
870
|
def package_locks
|
870
871
|
@package_locks ||=
|
871
|
-
dependency_files
|
872
|
-
select { |f| f.name.end_with?("package-lock.json") }
|
872
|
+
dependency_files
|
873
|
+
.select { |f| f.name.end_with?("package-lock.json") }
|
873
874
|
end
|
874
875
|
|
875
876
|
def shrinkwraps
|
876
877
|
@shrinkwraps ||=
|
877
|
-
dependency_files
|
878
|
-
select { |f| f.name.end_with?("npm-shrinkwrap.json") }
|
878
|
+
dependency_files
|
879
|
+
.select { |f| f.name.end_with?("npm-shrinkwrap.json") }
|
879
880
|
end
|
880
881
|
|
881
882
|
def package_files
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# typed: false
|
1
2
|
# frozen_string_literal: true
|
2
3
|
|
3
4
|
require "dependabot/npm_and_yarn/file_updater"
|
@@ -91,9 +92,9 @@ module Dependabot
|
|
91
92
|
next false if yarnrc_scoped_registries.any? { |sr| sr.include?(cred["registry"]) }
|
92
93
|
|
93
94
|
# If any unscoped URLs include this registry, assume it's global
|
94
|
-
dependency_urls
|
95
|
-
reject { |u| u.include?("@") || u.include?("%40") }
|
96
|
-
any? { |url| url.include?(cred["registry"]) }
|
95
|
+
dependency_urls
|
96
|
+
.reject { |u| u.include?("@") || u.include?("%40") }
|
97
|
+
.any? { |url| url.include?(cred["registry"]) }
|
97
98
|
end
|
98
99
|
end
|
99
100
|
|
@@ -135,10 +136,10 @@ module Dependabot
|
|
135
136
|
@dependency_urls = []
|
136
137
|
if package_lock
|
137
138
|
@dependency_urls +=
|
138
|
-
package_lock.content.scan(/"resolved"\s*:\s*"(.*)"/)
|
139
|
-
|
140
|
-
|
141
|
-
|
139
|
+
package_lock.content.scan(/"resolved"\s*:\s*"(.*)"/)
|
140
|
+
.flatten
|
141
|
+
.select { |url| url.is_a?(String) }
|
142
|
+
.reject { |url| url.start_with?("git") }
|
142
143
|
end
|
143
144
|
if yarn_lock
|
144
145
|
@dependency_urls +=
|
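Review bot: `package_lock.content.scan(/"resolved"\s*:\s*"(.*)"/)` captures with a greedy `.*`, so on any line that holds more than one quoted value (a lockfile that is not pretty-printed, or `"resolved"` and `"integrity"` on one line) the capture runs to the last `"` on that line rather than to the end of the URL; `"(?<url>[^"]*)"` bounds it to the string value. The `.select { |url| url.is_a?(String) }` that follows is a no-op, because `scan` with a single capture group yields nothing but strings once flattened. These URLs feed the unscoped-registry test earlier in this file's diff (`dependency_urls.reject { ... }.any? { |url| url.include?(cred["registry"]) }`), which decides which credential is treated as the global registry, so a clean capture is worth having. The enclosing method continues outside the hunk.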
@@ -155,8 +156,8 @@ module Dependabot
|
|
155
156
|
end
|
156
157
|
|
157
158
|
def complete_npmrc_from_credentials
|
158
|
-
initial_content = npmrc_file.content
|
159
|
-
|
159
|
+
initial_content = npmrc_file.content
|
160
|
+
.gsub(/^.*\$\{.*\}.*/, "").strip + "\n"
|
160
161
|
return initial_content unless yarn_lock || package_lock
|
161
162
|
return initial_content unless global_registry
|
162
163
|
|
@@ -169,8 +170,8 @@ module Dependabot
|
|
169
170
|
end
|
170
171
|
|
171
172
|
def complete_yarnrc_from_credentials
|
172
|
-
initial_content = yarnrc_file.content
|
173
|
-
|
173
|
+
initial_content = yarnrc_file.content
|
174
|
+
.gsub(/^.*\$\{.*\}.*/, "").strip + "\n"
|
174
175
|
return initial_content unless yarn_lock || package_lock
|
175
176
|
return initial_content unless global_registry
|
176
177
|
|
@@ -182,10 +183,10 @@ module Dependabot
|
|
182
183
|
|
183
184
|
def build_npmrc_from_yarnrc
|
184
185
|
yarnrc_global_registry =
|
185
|
-
yarnrc_file.content
|
186
|
-
|
187
|
-
match(NpmAndYarn::UpdateChecker::RegistryFinder::YARN_GLOBAL_REGISTRY_REGEX)
|
188
|
-
named_captures&.fetch("registry")
|
186
|
+
yarnrc_file.content
|
187
|
+
.lines.find { |line| line.match?(/^\s*registry\s/) }
|
188
|
+
&.match(NpmAndYarn::UpdateChecker::RegistryFinder::YARN_GLOBAL_REGISTRY_REGEX)
|
189
|
+
&.named_captures&.fetch("registry")
|
189
190
|
|
190
191
|
return "registry = #{yarnrc_global_registry}\n" if yarnrc_global_registry
|
191
192
|
|
@@ -194,10 +195,10 @@ module Dependabot
|
|
194
195
|
|
195
196
|
def build_yarnrc_from_yarnrc
|
196
197
|
yarnrc_global_registry =
|
197
|
-
yarnrc_file.content
|
198
|
-
|
199
|
-
match(/^\s*registry\s+"(?<registry>[^"]+)"/)
|
200
|
-
named_captures&.fetch("registry")
|
198
|
+
yarnrc_file.content
|
199
|
+
.lines.find { |line| line.match?(/^\s*registry\s/) }
|
200
|
+
&.match(/^\s*registry\s+"(?<registry>[^"]+)"/)
|
201
|
+
&.named_captures&.fetch("registry")
|
201
202
|
|
202
203
|
return "registry \"#{yarnrc_global_registry}\"\n" if yarnrc_global_registry
|
203
204
|
|
@@ -238,16 +239,16 @@ module Dependabot
|
|
238
239
|
return [] unless npmrc_file
|
239
240
|
|
240
241
|
@npmrc_scoped_registries ||=
|
241
|
-
npmrc_file.content.lines.select { |line| line.match?(SCOPED_REGISTRY) }
|
242
|
-
|
242
|
+
npmrc_file.content.lines.select { |line| line.match?(SCOPED_REGISTRY) }
|
243
|
+
.filter_map { |line| line.match(SCOPED_REGISTRY)&.named_captures&.fetch("registry") }
|
243
244
|
end
|
244
245
|
|
245
246
|
def yarnrc_scoped_registries
|
246
247
|
return [] unless yarnrc_file
|
247
248
|
|
248
249
|
@yarnrc_scoped_registries ||=
|
249
|
-
yarnrc_file.content.lines.select { |line| line.match?(SCOPED_REGISTRY) }
|
250
|
-
|
250
|
+
yarnrc_file.content.lines.select { |line| line.match?(SCOPED_REGISTRY) }
|
251
|
+
.filter_map { |line| line.match(SCOPED_REGISTRY)&.named_captures&.fetch("registry") }
|
251
252
|
end
|
252
253
|
|
253
254
|
# rubocop:disable Metrics/PerceivedComplexity
|
@@ -260,8 +261,8 @@ module Dependabot
|
|
260
261
|
registry_credentials.map { |c| c.fetch("registry") } -
|
261
262
|
[registry]
|
262
263
|
affected_urls =
|
263
|
-
dependency_urls
|
264
|
-
select do |url|
|
264
|
+
dependency_urls
|
265
|
+
.select do |url|
|
265
266
|
next false unless url.include?(registry)
|
266
267
|
|
267
268
|
other_regs.none? { |r| r.include?(registry) && url.include?(r) }
|
@@ -287,13 +288,13 @@ module Dependabot
|
|
287
288
|
end
|
288
289
|
|
289
290
|
def npmrc_file
|
290
|
-
@npmrc_file ||= dependency_files
|
291
|
-
find { |f| f.name.end_with?(".npmrc") }
|
291
|
+
@npmrc_file ||= dependency_files
|
292
|
+
.find { |f| f.name.end_with?(".npmrc") }
|
292
293
|
end
|
293
294
|
|
294
295
|
def yarnrc_file
|
295
|
-
@yarnrc_file ||= dependency_files
|
296
|
-
find { |f| f.name.end_with?(".yarnrc") }
|
296
|
+
@yarnrc_file ||= dependency_files
|
297
|
+
.find { |f| f.name.end_with?(".yarnrc") }
|
297
298
|
end
|
298
299
|
|
299
300
|
def yarn_lock
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# typed: false
|
1
2
|
# frozen_string_literal: true
|
2
3
|
|
3
4
|
require "dependabot/npm_and_yarn/file_updater"
|
@@ -39,8 +40,8 @@ module Dependabot
|
|
39
40
|
workspace_object = json.fetch("workspaces")
|
40
41
|
paths_array =
|
41
42
|
if workspace_object.is_a?(Hash)
|
42
|
-
workspace_object.values_at("packages", "nohoist")
|
43
|
-
|
43
|
+
workspace_object.values_at("packages", "nohoist")
|
44
|
+
.flatten.compact
|
44
45
|
elsif workspace_object.is_a?(Array) then workspace_object
|
45
46
|
else
|
46
47
|
raise "Unexpected workspace object"
|
@@ -52,10 +53,10 @@ module Dependabot
|
|
52
53
|
end
|
53
54
|
|
54
55
|
def remove_invalid_characters(content)
|
55
|
-
content
|
56
|
-
gsub(/\{\{[^\}]*?\}\}/, "something")
|
57
|
-
gsub(/(?<!\\)\\ /, " ")
|
58
|
-
gsub(%r{^\s*//.*}, " ") # comments are not allowed
|
56
|
+
content
|
57
|
+
.gsub(/\{\{[^\}]*?\}\}/, "something") # {{ nm }} syntax not allowed
|
58
|
+
.gsub(/(?<!\\)\\ /, " ") # escaped whitespace not allowed
|
59
|
+
.gsub(%r{^\s*//.*}, " ") # comments are not allowed
|
59
60
|
end
|
60
61
|
|
61
62
|
def swapped_ssh_requirements
|
@@ -1,3 +1,4 @@
|
|
1
|
+
# typed: false
|
1
2
|
# frozen_string_literal: true
|
2
3
|
|
3
4
|
require "dependabot/npm_and_yarn/file_updater"
|
@@ -54,9 +55,9 @@ module Dependabot
|
|
54
55
|
end
|
55
56
|
|
56
57
|
def old_requirement(dependency, new_requirement)
|
57
|
-
dependency.previous_requirements
|
58
|
-
|
59
|
-
|
58
|
+
dependency.previous_requirements
|
59
|
+
.select { |r| r[:file] == package_json.name }
|
60
|
+
.find { |r| r[:groups] == new_requirement[:groups] }
|
60
61
|
end
|
61
62
|
|
62
63
|
def new_requirements(dependency)
|
@@ -65,17 +66,17 @@ module Dependabot
|
|
65
66
|
|
66
67
|
def updated_requirements(dependency)
|
67
68
|
updated_requirement_pairs =
|
68
|
-
dependency.requirements.zip(dependency.previous_requirements)
|
69
|
-
|
69
|
+
dependency.requirements.zip(dependency.previous_requirements)
|
70
|
+
.reject do |new_req, old_req|
|
70
71
|
next true if new_req == old_req
|
71
72
|
next false unless old_req[:source].nil?
|
72
73
|
|
73
74
|
new_req[:requirement] == old_req[:requirement]
|
74
75
|
end
|
75
76
|
|
76
|
-
updated_requirement_pairs
|
77
|
-
map(&:first)
|
78
|
-
select { |r| r[:file] == package_json.name }
|
77
|
+
updated_requirement_pairs
|
78
|
+
.map(&:first)
|
79
|
+
.select { |r| r[:file] == package_json.name }
|
79
80
|
end
|
80
81
|
|
81
82
|
def update_package_json_declaration(package_json_content:, new_req:,
|
@@ -110,9 +111,9 @@ module Dependabot
|
|
110
111
|
dep = dependency
|
111
112
|
parsed_json_content = JSON.parse(package_json_content)
|
112
113
|
resolutions =
|
113
|
-
parsed_json_content.fetch("resolutions", parsed_json_content.dig("pnpm", "overrides") || {})
|
114
|
-
|
115
|
-
|
114
|
+
parsed_json_content.fetch("resolutions", parsed_json_content.dig("pnpm", "overrides") || {})
|
115
|
+
.reject { |_, v| v != old_req && v != dep.previous_version }
|
116
|
+
.select { |k, _| k == dep.name || k.end_with?("/#{dep.name}") }
|
116
117
|
|
117
118
|
return package_json_content unless resolutions.any?
|
118
119
|
|
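Review bot: `.reject { |_, v| v != old_req && v != dep.previous_version }` is a double negation that reads as a filter for mismatches; the positive form, `.select { |_, v| v == old_req || v == dep.previous_version }`, says directly which resolutions are kept and is behaviour-identical. In the same file, `old_requirement` chains `.select { |r| r[:file] == package_json.name }` into `.find { |r| r[:groups] == new_requirement[:groups] }`, which collapses to `.find { |r| r[:file] == package_json.name && r[:groups] == new_requirement[:groups] }` and avoids the intermediate array. The method containing the `resolutions` chain starts before and ends after this hunk.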
@@ -1,3 +1,4 @@
|
|
1
|
+
# typed: false
|
1
2
|
# frozen_string_literal: true
|
2
3
|
|
3
4
|
require "dependabot/npm_and_yarn/helpers"
|
@@ -85,9 +86,9 @@ module Dependabot
|
|
85
86
|
|
86
87
|
raise unless error_message.match?(MISSING_PACKAGE)
|
87
88
|
|
88
|
-
package_name = error_message.match(MISSING_PACKAGE)
|
89
|
-
|
90
|
-
|
89
|
+
package_name = error_message.match(MISSING_PACKAGE)
|
90
|
+
.named_captures["package_req"]
|
91
|
+
.split(/(?<=\w)\@/).first
|
91
92
|
raise_missing_package_error(package_name, error_message, pnpm_lock)
|
92
93
|
end
|
93
94
|
|
@@ -99,8 +100,8 @@ module Dependabot
|
|
99
100
|
end
|
100
101
|
|
101
102
|
def raise_missing_package_error(package_name, _error_message, pnpm_lock)
|
102
|
-
missing_dep = lockfile_dependencies(pnpm_lock)
|
103
|
-
find { |dep| dep.name == package_name }
|
103
|
+
missing_dep = lockfile_dependencies(pnpm_lock)
|
104
|
+
.find { |dep| dep.name == package_name }
|
104
105
|
|
105
106
|
reg = NpmAndYarn::UpdateChecker::RegistryFinder.new(
|
106
107
|
dependency: missing_dep,
|
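Review bot: `lockfile_dependencies(pnpm_lock).find { |dep| dep.name == package_name }` returns nil when the package named in the error message is not present in the lockfile, and that nil is passed straight on as `dependency: missing_dep` to `RegistryFinder.new` on the next line; unless RegistryFinder accepts a nil dependency (not visible here), the failure would surface as a NoMethodError instead of the intended missing-package error. A guard before the `RegistryFinder.new` call — raising a descriptive Dependabot error that names `package_name`, or falling back to the currently unused `_error_message` parameter — would keep the reported failure meaningful. `raise_missing_package_error` continues past the end of this hunk.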