RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.235.0 → 0.237.0 - Mend

dependabot-npm_and_yarn 0.235.0 → 0.237.0

Files changed (24) hide show

data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb CHANGED Viewed

@@ -31,7 +31,7 @@ module Dependabot
         end
         def registry
-          locked_registry || first_registry_with_dependency_details
+          @registry ||= locked_registry || configured_registry || first_registry_with_dependency_details
         end
         def auth_headers
@@ -49,16 +49,22 @@ module Dependabot
         end
         def registry_from_rc(dependency_name)
-          return global_registry unless dependency_name.start_with?("@") && dependency_name.include?("/")
-          scope = dependency_name.split("/").first
-          scoped_registry(scope)
+          explicit_registry_from_rc(dependency_name) || global_registry
         end
         private
         attr_reader :dependency, :credentials, :npmrc_file, :yarnrc_file, :yarnrc_yml_file
+        def explicit_registry_from_rc(dependency_name)
+          if dependency_name.start_with?("@") && dependency_name.include?("/")
+            scope = dependency_name.split("/").first
+            scoped_registry(scope) || configured_global_registry
+          else
+            configured_global_registry
+          end
+        end
         def first_registry_with_dependency_details
           @first_registry_with_dependency_details ||=
             known_registries.find do |details|
@@ -126,6 +132,13 @@ module Dependabot
           detailed_registry || lockfile_registry
         end
+        def configured_registry
+          configured_registry_url = explicit_registry_from_rc(dependency.name)
+          return unless configured_registry_url
+          normalize_configured_registry(configured_registry_url)
+        end
         def known_registries
           @known_registries ||=
             begin
@@ -157,44 +170,13 @@ module Dependabot
             }
           end
-          npmrc_file.content.scan(NPM_GLOBAL_REGISTRY_REGEX) do
-            next if Regexp.last_match[:registry].include?("${")
-            registry = Regexp.last_match[:registry].strip
-                             .sub(%r{/+$}, "")
-                             .sub(%r{^.*?//}, "")
-                             .gsub(/\s+/, "%20")
-            next if registries.map { |r| r["registry"] }.include?(registry)
-            registries << {
-              "type" => "npm_registry",
-              "registry" => registry,
-              "token" => nil
-            }
-          end
-          registries
+          registries += npmrc_global_registries
         end
         def yarnrc_registries
           return [] unless yarnrc_file
-          registries = []
-          yarnrc_file.content.scan(YARN_GLOBAL_REGISTRY_REGEX) do
-            next if Regexp.last_match[:registry].include?("${")
-            registry = Regexp.last_match[:registry].strip
-                             .sub(%r{/+$}, "")
-                             .sub(%r{^.*?//}, "")
-                             .gsub(/\s+/, "%20")
-            registries << {
-              "type" => "npm_registry",
-              "registry" => registry,
-              "token" => nil
-            }
-          end
-          registries
+          yarnrc_global_registries
         end
         def unique_registries(registries)
@@ -208,56 +190,83 @@ module Dependabot
           end
         end
-        # rubocop:disable Metrics/PerceivedComplexity
         def global_registry
           return @global_registry if defined? @global_registry
-          npmrc_file&.content.to_s.scan(NPM_GLOBAL_REGISTRY_REGEX) do
-            next if Regexp.last_match[:registry].include?("${")
-            return @global_registry = Regexp.last_match[:registry].strip
-          end
+          @global_registry ||= configured_global_registry || "https://registry.npmjs.org"
+        end
-          yarnrc_file&.content.to_s.scan(YARN_GLOBAL_REGISTRY_REGEX) do
-            next if Regexp.last_match[:registry].include?("${")
+        # rubocop:disable Metrics/PerceivedComplexity
+        def configured_global_registry
+          return @configured_global_registry if defined? @configured_global_registry
-            return @global_registry = Regexp.last_match[:registry].strip
-          end
+          @configured_global_registry = (npmrc_file && npmrc_global_registries.first&.fetch("url")) ||
+                                        (yarnrc_file && yarnrc_global_registries.first&.fetch("url"))
+          return @configured_global_registry if @configured_global_registry
           if parsed_yarnrc_yml&.key?("npmRegistryServer")
-            return @global_registry = parsed_yarnrc_yml["npmRegistryServer"]
+            return @configured_global_registry = parsed_yarnrc_yml["npmRegistryServer"]
           end
           replaces_base = credentials.find { |cred| cred["type"] == "npm_registry" && cred["replaces-base"] == true }
           if replaces_base
             registry = replaces_base["registry"]
             registry = "https://#{registry}" unless registry.start_with?("http")
-            return @global_registry = registry
+            return @configured_global_registry = registry
           end
-          "https://registry.npmjs.org"
+          @configured_global_registry = nil
         end
         # rubocop:enable Metrics/PerceivedComplexity
+        def npmrc_global_registries
+          global_rc_registries(npmrc_file, syntax: NPM_GLOBAL_REGISTRY_REGEX)
+        end
+        def yarnrc_global_registries
+          global_rc_registries(yarnrc_file, syntax: YARN_GLOBAL_REGISTRY_REGEX)
+        end
         def scoped_registry(scope)
-          npmrc_file&.content.to_s.scan(NPM_SCOPED_REGISTRY_REGEX) do
-            next if Regexp.last_match[:registry].include?("${") || Regexp.last_match[:scope] != scope
+          scoped_rc_registry = scoped_rc_registry(npmrc_file, syntax: NPM_SCOPED_REGISTRY_REGEX, scope: scope) ||
+                               scoped_rc_registry(yarnrc_file, syntax: YARN_SCOPED_REGISTRY_REGEX, scope: scope)
+          return scoped_rc_registry if scoped_rc_registry
-            return Regexp.last_match[:registry].strip
+          if parsed_yarnrc_yml
+            yarn_berry_registry = parsed_yarnrc_yml.dig("npmScopes", scope.delete_prefix("@"), "npmRegistryServer")
+            return yarn_berry_registry if yarn_berry_registry
           end
-          yarnrc_file&.content.to_s.scan(YARN_SCOPED_REGISTRY_REGEX) do
-            next if Regexp.last_match[:registry].include?("${") || Regexp.last_match[:scope] != scope
+          nil
+        end
-            return Regexp.last_match[:registry].strip
+        def global_rc_registries(file, syntax:)
+          registries = []
+          file.content.scan(syntax) do
+            next if Regexp.last_match[:registry].include?("${")
+            url = Regexp.last_match[:registry].strip
+            registry = normalize_configured_registry(url)
+            registries << {
+              "type" => "npm_registry",
+              "registry" => registry,
+              "url" => url,
+              "token" => nil
+            }
           end
-          if parsed_yarnrc_yml
-            yarn_berry_registry = parsed_yarnrc_yml.dig("npmScopes", scope.delete_prefix("@"), "npmRegistryServer")
-            return yarn_berry_registry if yarn_berry_registry
+          registries
+        end
+        def scoped_rc_registry(file, syntax:, scope:)
+          file&.content.to_s.scan(syntax) do
+            next if Regexp.last_match[:registry].include?("${") || Regexp.last_match[:scope] != scope
+            return Regexp.last_match[:registry].strip
           end
-          global_registry
+          nil
         end
         # npm registries expect slashes to be escaped
@@ -279,6 +288,12 @@ module Dependabot
           @parsed_yarnrc_yml = YAML.safe_load(yarnrc_yml_file.content)
         end
+        def normalize_configured_registry(url)
+          url.sub(%r{/+$}, "")
+             .sub(%r{^.*?//}, "")
+             .gsub(/\s+/, "%20")
+        end
       end
     end
   end

data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb CHANGED Viewed

@@ -16,10 +16,9 @@ module Dependabot
   module NpmAndYarn
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class VulnerabilityAuditor
-        def initialize(dependency_files:, credentials:, allow_removal: false)
+        def initialize(dependency_files:, credentials:)
           @dependency_files = dependency_files
           @credentials = credentials
-          @allow_removal = allow_removal
         end
         # rubocop:disable Metrics/MethodLength
@@ -109,15 +108,11 @@ module Dependabot
             "No patched version available for #{dependency.name}"
           when :fix_incomplete
             "The lockfile might be out of sync?"
-          when :vulnerable_dependency_removed
-            "#{dependency.name} was removed in the update. Dependabot is not able to " \
-            "deal with this yet, but you can still upgrade manually."
           end
         end
         def validate_audit_result(audit_result, security_advisories)
           return :fix_unavailable unless audit_result["fix_available"]
-          return :vulnerable_dependency_removed if !@allow_removal && vulnerable_dependency_removed?(audit_result)
           return :dependency_still_vulnerable if dependency_still_vulnerable?(audit_result, security_advisories)
           return :downgrades_dependencies if downgrades_dependencies?(audit_result)
           return :fix_incomplete if fix_incomplete?(audit_result)
@@ -125,10 +120,6 @@ module Dependabot
           :viable
         end
-        def vulnerable_dependency_removed?(audit_result)
-          !audit_result["target_version"]
-        end
         def dependency_still_vulnerable?(audit_result, security_advisories)
           # vulnerable depenendency is removed if the target version is nil
           return false unless audit_result["target_version"]

data/lib/dependabot/npm_and_yarn/update_checker.rb CHANGED Viewed

@@ -142,8 +142,7 @@ module Dependabot
         @vulnerability_audit ||=
           VulnerabilityAuditor.new(
             dependency_files: dependency_files,
-            credentials: credentials,
-            allow_removal: @options.key?(:npm_transitive_dependency_removal)
+            credentials: credentials
           ).audit(
             dependency: dependency,
             security_advisories: security_advisories

data/lib/dependabot/npm_and_yarn.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 # These all need to be required so the various classes can be registered in a

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.235.0
+  version: 0.237.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-19 00:00:00.000000000 Z
+date: 2023-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.235.0
+        version: 0.237.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.235.0
+        version: 0.237.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -94,20 +94,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rspec-sorbet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.2
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.56.0
+        version: 1.57.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.56.0
+        version: 1.57.2
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -277,6 +291,7 @@ files:
 - lib/dependabot/npm_and_yarn/native_helpers.rb
 - lib/dependabot/npm_and_yarn/package_manager.rb
 - lib/dependabot/npm_and_yarn/package_name.rb
+- lib/dependabot/npm_and_yarn/registry_parser.rb
 - lib/dependabot/npm_and_yarn/requirement.rb
 - lib/dependabot/npm_and_yarn/sub_dependency_files_filterer.rb
 - lib/dependabot/npm_and_yarn/update_checker.rb
@@ -295,7 +310,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.235.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.237.0
 post_install_message:
 rdoc_options: []
 require_paths: