dependabot-npm_and_yarn 0.232.0 → 0.234.0

data/helpers/package.json

@@ -11,9 +11,9 @@
   },
   "dependencies": {
     "@dependabot/yarn-lib": "^1.22.19",
-    "@npmcli/arborist": "^6.3.0",
+    "@npmcli/arborist": "^7.1.0",
     "detect-indent": "^6.1.0",
-    "nock": "^13.3.2",
+    "nock": "^13.3.3",
     "npm": "6.14.18",
     "@pnpm/lockfile-file": "^8.1.2",
     "@pnpm/dependency-path": "^2.1.1",
@@ -21,9 +21,9 @@
     "patch-package": "^8.0.0"
   },
   "devDependencies": {
-    "eslint": "^8.49.0",
+    "eslint": "^8.51.0",
     "eslint-config-prettier": "^9.0.0",
-    "jest": "^29.6.4",
+    "jest": "^29.7.0",
     "prettier": "^3.0.3"
   }
 }

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -247,7 +247,7 @@ module Dependabot
         # Loop through parent directories looking for an yarnrc
         (1..directory.split("/").count).each do |i|
           @yarnrc = fetch_file_from_host(("../" * i) + ".yarnrc")
-                   &.tap { |f| f.support_file = true }
+                    &.tap { |f| f.support_file = true }
           break if @yarnrc
         rescue Dependabot::DependencyFileNotFound
           # Ignore errors (.yarnrc may not be present)

data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb

@@ -17,9 +17,10 @@ module Dependabot
 
         SCOPED_REGISTRY = /^\s*@(?<scope>\S+):registry\s*=\s*(?<registry>\S+)/
 
-        def initialize(dependency_files:, credentials:)
+        def initialize(dependency_files:, credentials:, dependencies: [])
           @dependency_files = dependency_files
           @credentials = credentials
+          @dependencies = dependencies
         end
 
         # PROXY WORK
@@ -52,7 +53,7 @@ module Dependabot
 
         private
 
-        attr_reader :dependency_files, :credentials
+        attr_reader :dependency_files, :credentials, :dependencies
 
         def build_npmrc_content_from_lockfile
           return unless yarn_lock || package_lock
@@ -134,6 +135,17 @@ module Dependabot
           return @dependency_urls if defined?(@dependency_urls)
 
           @dependency_urls = []
+
+          if dependencies.any?
+            @dependency_urls = dependencies.map do |dependency|
+              UpdateChecker::RegistryFinder.new(
+                dependency: dependency,
+                credentials: credentials
+              ).dependency_url
+            end
+            return @dependency_urls
+          end
+
           if package_lock
             @dependency_urls +=
               package_lock.content.scan(/"resolved"\s*:\s*"(.*)"/)
@@ -185,8 +197,8 @@ module Dependabot
           yarnrc_global_registry =
             yarnrc_file.content
                        .lines.find { |line| line.match?(/^\s*registry\s/) }
-            &.match(NpmAndYarn::UpdateChecker::RegistryFinder::YARN_GLOBAL_REGISTRY_REGEX)
-            &.named_captures&.fetch("registry")
+                       &.match(NpmAndYarn::UpdateChecker::RegistryFinder::YARN_GLOBAL_REGISTRY_REGEX)
+                       &.named_captures&.fetch("registry")
 
           return "registry = #{yarnrc_global_registry}\n" if yarnrc_global_registry
 
@@ -197,8 +209,8 @@ module Dependabot
           yarnrc_global_registry =
             yarnrc_file.content
                        .lines.find { |line| line.match?(/^\s*registry\s/) }
-            &.match(/^\s*registry\s+"(?<registry>[^"]+)"/)
-            &.named_captures&.fetch("registry")
+                       &.match(/^\s*registry\s+"(?<registry>[^"]+)"/)
+                       &.named_captures&.fetch("registry")
 
           return "registry \"#{yarnrc_global_registry}\"\n" if yarnrc_global_registry
 

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -9,6 +9,7 @@ module Dependabot
   module NpmAndYarn
     class FileUpdater
       class PnpmLockfileUpdater
+        require_relative "npmrc_builder"
         require_relative "package_json_updater"
 
         def initialize(dependencies:, dependency_files:, repo_contents_path:, credentials:)
@@ -38,6 +39,8 @@ module Dependabot
 
         def run_pnpm_update(pnpm_lock:)
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
+            File.write(".npmrc", npmrc_content(pnpm_lock))
+
             SharedHelpers.with_git_configured(credentials: credentials) do
               run_pnpm_updater
 
@@ -120,6 +123,14 @@ module Dependabot
           end
         end
 
+        def npmrc_content(pnpm_lock)
+          NpmrcBuilder.new(
+            credentials: credentials,
+            dependency_files: dependency_files,
+            dependencies: lockfile_dependencies(pnpm_lock)
+          ).npmrc_content
+        end
+
         def updated_package_json_content(file)
           @updated_package_json_content ||= {}
           @updated_package_json_content[file.name] ||=

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -511,9 +511,9 @@ module Dependabot
           yarnrc_global_registry =
             yarnrc_file.content
                        .lines.find { |line| line.match?(regex) }
-            &.match(regex)
-            &.named_captures
-            &.fetch("registry")
+                       &.match(regex)
+                       &.named_captures
+                       &.fetch("registry")
 
           return false unless yarnrc_global_registry
 

data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb

@@ -105,9 +105,9 @@ module Dependabot
           yarnrc_global_registry =
             yarnrc_file.content
                        .lines.find { |line| line.match?(regex) }
-            &.match(regex)
-            &.named_captures
-            &.fetch("registry")
+                       &.match(regex)
+                       &.named_captures
+                       &.fetch("registry")
 
           return false unless yarnrc_global_registry
 

data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb

@@ -146,7 +146,7 @@ module Dependabot
           # it exists, use it.
           dist_tag_req = dependency.requirements
                                    .find { |r| dist_tags.include?(r[:requirement]) }
-                         &.fetch(:requirement)
+                                   &.fetch(:requirement)
 
           if dist_tag_req
             tag_vers =

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -204,7 +204,7 @@ module Dependabot
         # resulting in a bunch of package duplication which is pretty confusing.
         def bundled_dependency?
           dependency.subdependency_metadata
-            &.any? { |h| h.fetch(:npm_bundled, false) } ||
+                    &.any? { |h| h.fetch(:npm_bundled, false) } ||
             false
         end
       end

data/lib/dependabot/npm_and_yarn/update_checker.rb

@@ -356,7 +356,7 @@ module Dependabot
         semver_req =
           dependency.requirements
                     .find { |req| req.dig(:source, :type) == "git" }
-          &.fetch(:requirement)
+                    &.fetch(:requirement)
 
         # If there was a semver requirement provided or the dependency was
         # pinned to a version, look for the latest tag

data/lib/dependabot/npm_and_yarn/version.rb

@@ -13,11 +13,15 @@ require "dependabot/utils"
 module Dependabot
   module NpmAndYarn
     class Version < Dependabot::Version
+      extend T::Sig
+
+      sig { returns(String) }
       attr_reader :build_info
 
-      VERSION_PATTERN = Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?'
+      VERSION_PATTERN = T.let(Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?', String)
       ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
 
+      sig { override.params(version: T.nilable(T.any(String, Gem::Version))).returns(T::Boolean) }
       def self.correct?(version)
         version = version.gsub(/^v/, "") if version.is_a?(String)
 
@@ -26,6 +30,7 @@ module Dependabot
         version.to_s.match?(ANCHORED_VERSION_PATTERN)
       end
 
+      sig { params(version: T.nilable(T.any(String, Gem::Version))).returns(T.nilable(T.any(String, Gem::Version))) }
       def self.semver_for(version)
         # The next two lines are to guard against improperly formatted
         # versions in a lockfile, such as an empty string or additional
@@ -37,8 +42,9 @@ module Dependabot
         version
       end
 
+      sig { override.params(version: T.any(String, Gem::Version)).void }
       def initialize(version)
-        @version_string = version.to_s
+        @version_string = T.let(version.to_s, String)
         version = version.gsub(/^v/, "") if version.is_a?(String)
 
         version, @build_info = version.to_s.split("+") if version.to_s.include?("+")
@@ -46,18 +52,22 @@ module Dependabot
         super
       end
 
+      sig { returns(Integer) }
       def major
-        @major ||= segments[0] || 0
+        @major ||= T.let(segments[0] || 0, T.nilable(Integer))
       end
 
+      sig { returns(Integer) }
       def minor
-        @minor ||= segments[1] || 0
+        @minor ||= T.let(segments[1] || 0, T.nilable(Integer))
       end
 
+      sig { returns(Integer) }
       def patch
-        @patch ||= segments[2] || 0
+        @patch ||= T.let(segments[2] || 0, T.nilable(Integer))
       end
 
+      sig { params(other: Dependabot::NpmAndYarn::Version).returns(T::Boolean) }
       def backwards_compatible_with?(other)
         case major
         when 0
@@ -67,10 +77,12 @@ module Dependabot
         end
       end
 
+      sig { override.returns(String) }
       def to_s
         @version_string
       end
 
+      sig { override.returns(String) }
       def inspect
         "#<#{self.class} #{@version_string}>"
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.232.0
+  version: 0.234.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-09-14 00:00:00.000000000 Z
+date: 2023-10-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.232.0
+        version: 0.234.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.232.0
+        version: 0.234.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -52,20 +52,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
-- !ruby/object:Gem::Dependency
-  name: parallel_tests
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 4.2.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 4.2.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -164,6 +150,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.2.16
+- !ruby/object:Gem::Dependency
+  name: turbo_tests
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.0
 - !ruby/object:Gem::Dependency
   name: vcr
   requirement: !ruby/object:Gem::Requirement
@@ -295,7 +295,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.232.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.234.0
 post_install_message: 
 rdoc_options: []
 require_paths: