dependabot-npm_and_yarn 0.235.0 → 0.237.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/helpers/lib/pnpm/lockfile-parser.js +1 -0
- data/helpers/package-lock.json +144 -132
- data/helpers/package.json +4 -4
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +25 -6
- data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb +1 -1
- data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb +1 -1
- data/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb +1 -1
- data/lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb +1 -1
- data/lib/dependabot/npm_and_yarn/file_parser.rb +49 -75
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +15 -21
- data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb +10 -2
- data/lib/dependabot/npm_and_yarn/file_updater/package_json_preparer.rb +6 -8
- data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb +1 -1
- data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb +14 -5
- data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +1 -1
- data/lib/dependabot/npm_and_yarn/helpers.rb +14 -9
- data/lib/dependabot/npm_and_yarn/package_manager.rb +4 -4
- data/lib/dependabot/npm_and_yarn/registry_parser.rb +75 -0
- data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb +76 -61
- data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb +1 -10
- data/lib/dependabot/npm_and_yarn/update_checker.rb +1 -2
- data/lib/dependabot/npm_and_yarn.rb +1 -1
- metadata +22 -7
|
@@ -31,7 +31,7 @@ module Dependabot
|
|
|
31
31
|
end
|
|
32
32
|
|
|
33
33
|
def registry
|
|
34
|
-
locked_registry || first_registry_with_dependency_details
|
|
34
|
+
@registry ||= locked_registry || configured_registry || first_registry_with_dependency_details
|
|
35
35
|
end
|
|
36
36
|
|
|
37
37
|
def auth_headers
|
|
@@ -49,16 +49,22 @@ module Dependabot
|
|
|
49
49
|
end
|
|
50
50
|
|
|
51
51
|
def registry_from_rc(dependency_name)
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
scope = dependency_name.split("/").first
|
|
55
|
-
scoped_registry(scope)
|
|
52
|
+
explicit_registry_from_rc(dependency_name) || global_registry
|
|
56
53
|
end
|
|
57
54
|
|
|
58
55
|
private
|
|
59
56
|
|
|
60
57
|
attr_reader :dependency, :credentials, :npmrc_file, :yarnrc_file, :yarnrc_yml_file
|
|
61
58
|
|
|
59
|
+
def explicit_registry_from_rc(dependency_name)
|
|
60
|
+
if dependency_name.start_with?("@") && dependency_name.include?("/")
|
|
61
|
+
scope = dependency_name.split("/").first
|
|
62
|
+
scoped_registry(scope) || configured_global_registry
|
|
63
|
+
else
|
|
64
|
+
configured_global_registry
|
|
65
|
+
end
|
|
66
|
+
end
|
|
67
|
+
|
|
62
68
|
def first_registry_with_dependency_details
|
|
63
69
|
@first_registry_with_dependency_details ||=
|
|
64
70
|
known_registries.find do |details|
|
|
@@ -126,6 +132,13 @@ module Dependabot
|
|
|
126
132
|
detailed_registry || lockfile_registry
|
|
127
133
|
end
|
|
128
134
|
|
|
135
|
+
def configured_registry
|
|
136
|
+
configured_registry_url = explicit_registry_from_rc(dependency.name)
|
|
137
|
+
return unless configured_registry_url
|
|
138
|
+
|
|
139
|
+
normalize_configured_registry(configured_registry_url)
|
|
140
|
+
end
|
|
141
|
+
|
|
129
142
|
def known_registries
|
|
130
143
|
@known_registries ||=
|
|
131
144
|
begin
|
|
@@ -157,44 +170,13 @@ module Dependabot
|
|
|
157
170
|
}
|
|
158
171
|
end
|
|
159
172
|
|
|
160
|
-
|
|
161
|
-
next if Regexp.last_match[:registry].include?("${")
|
|
162
|
-
|
|
163
|
-
registry = Regexp.last_match[:registry].strip
|
|
164
|
-
.sub(%r{/+$}, "")
|
|
165
|
-
.sub(%r{^.*?//}, "")
|
|
166
|
-
.gsub(/\s+/, "%20")
|
|
167
|
-
next if registries.map { |r| r["registry"] }.include?(registry)
|
|
168
|
-
|
|
169
|
-
registries << {
|
|
170
|
-
"type" => "npm_registry",
|
|
171
|
-
"registry" => registry,
|
|
172
|
-
"token" => nil
|
|
173
|
-
}
|
|
174
|
-
end
|
|
175
|
-
|
|
176
|
-
registries
|
|
173
|
+
registries += npmrc_global_registries
|
|
177
174
|
end
|
|
178
175
|
|
|
179
176
|
def yarnrc_registries
|
|
180
177
|
return [] unless yarnrc_file
|
|
181
178
|
|
|
182
|
-
|
|
183
|
-
yarnrc_file.content.scan(YARN_GLOBAL_REGISTRY_REGEX) do
|
|
184
|
-
next if Regexp.last_match[:registry].include?("${")
|
|
185
|
-
|
|
186
|
-
registry = Regexp.last_match[:registry].strip
|
|
187
|
-
.sub(%r{/+$}, "")
|
|
188
|
-
.sub(%r{^.*?//}, "")
|
|
189
|
-
.gsub(/\s+/, "%20")
|
|
190
|
-
registries << {
|
|
191
|
-
"type" => "npm_registry",
|
|
192
|
-
"registry" => registry,
|
|
193
|
-
"token" => nil
|
|
194
|
-
}
|
|
195
|
-
end
|
|
196
|
-
|
|
197
|
-
registries
|
|
179
|
+
yarnrc_global_registries
|
|
198
180
|
end
|
|
199
181
|
|
|
200
182
|
def unique_registries(registries)
|
|
@@ -208,56 +190,83 @@ module Dependabot
|
|
|
208
190
|
end
|
|
209
191
|
end
|
|
210
192
|
|
|
211
|
-
# rubocop:disable Metrics/PerceivedComplexity
|
|
212
193
|
def global_registry
|
|
213
194
|
return @global_registry if defined? @global_registry
|
|
214
195
|
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
return @global_registry = Regexp.last_match[:registry].strip
|
|
219
|
-
end
|
|
196
|
+
@global_registry ||= configured_global_registry || "https://registry.npmjs.org"
|
|
197
|
+
end
|
|
220
198
|
|
|
221
|
-
|
|
222
|
-
|
|
199
|
+
# rubocop:disable Metrics/PerceivedComplexity
|
|
200
|
+
def configured_global_registry
|
|
201
|
+
return @configured_global_registry if defined? @configured_global_registry
|
|
223
202
|
|
|
224
|
-
|
|
225
|
-
|
|
203
|
+
@configured_global_registry = (npmrc_file && npmrc_global_registries.first&.fetch("url")) ||
|
|
204
|
+
(yarnrc_file && yarnrc_global_registries.first&.fetch("url"))
|
|
205
|
+
return @configured_global_registry if @configured_global_registry
|
|
226
206
|
|
|
227
207
|
if parsed_yarnrc_yml&.key?("npmRegistryServer")
|
|
228
|
-
return @
|
|
208
|
+
return @configured_global_registry = parsed_yarnrc_yml["npmRegistryServer"]
|
|
229
209
|
end
|
|
230
210
|
|
|
231
211
|
replaces_base = credentials.find { |cred| cred["type"] == "npm_registry" && cred["replaces-base"] == true }
|
|
232
212
|
if replaces_base
|
|
233
213
|
registry = replaces_base["registry"]
|
|
234
214
|
registry = "https://#{registry}" unless registry.start_with?("http")
|
|
235
|
-
return @
|
|
215
|
+
return @configured_global_registry = registry
|
|
236
216
|
end
|
|
237
217
|
|
|
238
|
-
|
|
218
|
+
@configured_global_registry = nil
|
|
239
219
|
end
|
|
240
220
|
# rubocop:enable Metrics/PerceivedComplexity
|
|
241
221
|
|
|
222
|
+
def npmrc_global_registries
|
|
223
|
+
global_rc_registries(npmrc_file, syntax: NPM_GLOBAL_REGISTRY_REGEX)
|
|
224
|
+
end
|
|
225
|
+
|
|
226
|
+
def yarnrc_global_registries
|
|
227
|
+
global_rc_registries(yarnrc_file, syntax: YARN_GLOBAL_REGISTRY_REGEX)
|
|
228
|
+
end
|
|
229
|
+
|
|
242
230
|
def scoped_registry(scope)
|
|
243
|
-
npmrc_file
|
|
244
|
-
|
|
231
|
+
scoped_rc_registry = scoped_rc_registry(npmrc_file, syntax: NPM_SCOPED_REGISTRY_REGEX, scope: scope) ||
|
|
232
|
+
scoped_rc_registry(yarnrc_file, syntax: YARN_SCOPED_REGISTRY_REGEX, scope: scope)
|
|
233
|
+
return scoped_rc_registry if scoped_rc_registry
|
|
245
234
|
|
|
246
|
-
|
|
235
|
+
if parsed_yarnrc_yml
|
|
236
|
+
yarn_berry_registry = parsed_yarnrc_yml.dig("npmScopes", scope.delete_prefix("@"), "npmRegistryServer")
|
|
237
|
+
return yarn_berry_registry if yarn_berry_registry
|
|
247
238
|
end
|
|
248
239
|
|
|
249
|
-
|
|
250
|
-
|
|
240
|
+
nil
|
|
241
|
+
end
|
|
251
242
|
|
|
252
|
-
|
|
243
|
+
def global_rc_registries(file, syntax:)
|
|
244
|
+
registries = []
|
|
245
|
+
|
|
246
|
+
file.content.scan(syntax) do
|
|
247
|
+
next if Regexp.last_match[:registry].include?("${")
|
|
248
|
+
|
|
249
|
+
url = Regexp.last_match[:registry].strip
|
|
250
|
+
registry = normalize_configured_registry(url)
|
|
251
|
+
registries << {
|
|
252
|
+
"type" => "npm_registry",
|
|
253
|
+
"registry" => registry,
|
|
254
|
+
"url" => url,
|
|
255
|
+
"token" => nil
|
|
256
|
+
}
|
|
253
257
|
end
|
|
254
258
|
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
259
|
+
registries
|
|
260
|
+
end
|
|
261
|
+
|
|
262
|
+
def scoped_rc_registry(file, syntax:, scope:)
|
|
263
|
+
file&.content.to_s.scan(syntax) do
|
|
264
|
+
next if Regexp.last_match[:registry].include?("${") || Regexp.last_match[:scope] != scope
|
|
265
|
+
|
|
266
|
+
return Regexp.last_match[:registry].strip
|
|
258
267
|
end
|
|
259
268
|
|
|
260
|
-
|
|
269
|
+
nil
|
|
261
270
|
end
|
|
262
271
|
|
|
263
272
|
# npm registries expect slashes to be escaped
|
|
@@ -279,6 +288,12 @@ module Dependabot
|
|
|
279
288
|
|
|
280
289
|
@parsed_yarnrc_yml = YAML.safe_load(yarnrc_yml_file.content)
|
|
281
290
|
end
|
|
291
|
+
|
|
292
|
+
def normalize_configured_registry(url)
|
|
293
|
+
url.sub(%r{/+$}, "")
|
|
294
|
+
.sub(%r{^.*?//}, "")
|
|
295
|
+
.gsub(/\s+/, "%20")
|
|
296
|
+
end
|
|
282
297
|
end
|
|
283
298
|
end
|
|
284
299
|
end
|
|
@@ -16,10 +16,9 @@ module Dependabot
|
|
|
16
16
|
module NpmAndYarn
|
|
17
17
|
class UpdateChecker < Dependabot::UpdateCheckers::Base
|
|
18
18
|
class VulnerabilityAuditor
|
|
19
|
-
def initialize(dependency_files:, credentials
|
|
19
|
+
def initialize(dependency_files:, credentials:)
|
|
20
20
|
@dependency_files = dependency_files
|
|
21
21
|
@credentials = credentials
|
|
22
|
-
@allow_removal = allow_removal
|
|
23
22
|
end
|
|
24
23
|
|
|
25
24
|
# rubocop:disable Metrics/MethodLength
|
|
@@ -109,15 +108,11 @@ module Dependabot
|
|
|
109
108
|
"No patched version available for #{dependency.name}"
|
|
110
109
|
when :fix_incomplete
|
|
111
110
|
"The lockfile might be out of sync?"
|
|
112
|
-
when :vulnerable_dependency_removed
|
|
113
|
-
"#{dependency.name} was removed in the update. Dependabot is not able to " \
|
|
114
|
-
"deal with this yet, but you can still upgrade manually."
|
|
115
111
|
end
|
|
116
112
|
end
|
|
117
113
|
|
|
118
114
|
def validate_audit_result(audit_result, security_advisories)
|
|
119
115
|
return :fix_unavailable unless audit_result["fix_available"]
|
|
120
|
-
return :vulnerable_dependency_removed if !@allow_removal && vulnerable_dependency_removed?(audit_result)
|
|
121
116
|
return :dependency_still_vulnerable if dependency_still_vulnerable?(audit_result, security_advisories)
|
|
122
117
|
return :downgrades_dependencies if downgrades_dependencies?(audit_result)
|
|
123
118
|
return :fix_incomplete if fix_incomplete?(audit_result)
|
|
@@ -125,10 +120,6 @@ module Dependabot
|
|
|
125
120
|
:viable
|
|
126
121
|
end
|
|
127
122
|
|
|
128
|
-
def vulnerable_dependency_removed?(audit_result)
|
|
129
|
-
!audit_result["target_version"]
|
|
130
|
-
end
|
|
131
|
-
|
|
132
123
|
def dependency_still_vulnerable?(audit_result, security_advisories)
|
|
133
124
|
# vulnerable depenendency is removed if the target version is nil
|
|
134
125
|
return false unless audit_result["target_version"]
|
|
@@ -142,8 +142,7 @@ module Dependabot
|
|
|
142
142
|
@vulnerability_audit ||=
|
|
143
143
|
VulnerabilityAuditor.new(
|
|
144
144
|
dependency_files: dependency_files,
|
|
145
|
-
credentials: credentials
|
|
146
|
-
allow_removal: @options.key?(:npm_transitive_dependency_removal)
|
|
145
|
+
credentials: credentials
|
|
147
146
|
).audit(
|
|
148
147
|
dependency: dependency,
|
|
149
148
|
security_advisories: security_advisories
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.237.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-11-21 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.237.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.237.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -94,20 +94,34 @@ dependencies:
|
|
|
94
94
|
- - "~>"
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
96
|
version: '1.3'
|
|
97
|
+
- !ruby/object:Gem::Dependency
|
|
98
|
+
name: rspec-sorbet
|
|
99
|
+
requirement: !ruby/object:Gem::Requirement
|
|
100
|
+
requirements:
|
|
101
|
+
- - "~>"
|
|
102
|
+
- !ruby/object:Gem::Version
|
|
103
|
+
version: 1.9.2
|
|
104
|
+
type: :development
|
|
105
|
+
prerelease: false
|
|
106
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
107
|
+
requirements:
|
|
108
|
+
- - "~>"
|
|
109
|
+
- !ruby/object:Gem::Version
|
|
110
|
+
version: 1.9.2
|
|
97
111
|
- !ruby/object:Gem::Dependency
|
|
98
112
|
name: rubocop
|
|
99
113
|
requirement: !ruby/object:Gem::Requirement
|
|
100
114
|
requirements:
|
|
101
115
|
- - "~>"
|
|
102
116
|
- !ruby/object:Gem::Version
|
|
103
|
-
version: 1.
|
|
117
|
+
version: 1.57.2
|
|
104
118
|
type: :development
|
|
105
119
|
prerelease: false
|
|
106
120
|
version_requirements: !ruby/object:Gem::Requirement
|
|
107
121
|
requirements:
|
|
108
122
|
- - "~>"
|
|
109
123
|
- !ruby/object:Gem::Version
|
|
110
|
-
version: 1.
|
|
124
|
+
version: 1.57.2
|
|
111
125
|
- !ruby/object:Gem::Dependency
|
|
112
126
|
name: rubocop-performance
|
|
113
127
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -277,6 +291,7 @@ files:
|
|
|
277
291
|
- lib/dependabot/npm_and_yarn/native_helpers.rb
|
|
278
292
|
- lib/dependabot/npm_and_yarn/package_manager.rb
|
|
279
293
|
- lib/dependabot/npm_and_yarn/package_name.rb
|
|
294
|
+
- lib/dependabot/npm_and_yarn/registry_parser.rb
|
|
280
295
|
- lib/dependabot/npm_and_yarn/requirement.rb
|
|
281
296
|
- lib/dependabot/npm_and_yarn/sub_dependency_files_filterer.rb
|
|
282
297
|
- lib/dependabot/npm_and_yarn/update_checker.rb
|
|
@@ -295,7 +310,7 @@ licenses:
|
|
|
295
310
|
- Nonstandard
|
|
296
311
|
metadata:
|
|
297
312
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
298
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
313
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.237.0
|
|
299
314
|
post_install_message:
|
|
300
315
|
rdoc_options: []
|
|
301
316
|
require_paths:
|