dependabot-npm_and_yarn 0.237.0 → 0.238.0

data/helpers/package.json

@@ -11,9 +11,9 @@
   },
   "dependencies": {
     "@dependabot/yarn-lib": "^1.22.19",
-    "@npmcli/arborist": "^7.2.0",
+    "@npmcli/arborist": "^7.2.1",
     "detect-indent": "^6.1.0",
-    "nock": "^13.3.6",
+    "nock": "^13.3.8",
     "npm": "6.14.18",
     "@pnpm/lockfile-file": "^8.1.4",
     "@pnpm/dependency-path": "^2.1.1",
@@ -21,9 +21,9 @@
     "patch-package": "^8.0.0"
   },
   "devDependencies": {
-    "eslint": "^8.52.0",
+    "eslint": "^8.54.0",
     "eslint-config-prettier": "^9.0.0",
     "jest": "^29.7.0",
-    "prettier": "^3.0.3"
+    "prettier": "^3.1.0"
   }
 }

data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb

@@ -32,9 +32,17 @@ module Dependabot
               build_npmrc_content_from_lockfile
             end
 
-          return initial_content || "" unless registry_credentials.any?
+          final_content = initial_content || ""
 
-          ([initial_content] + credential_lines_for_npmrc).compact.join("\n")
+          return final_content unless registry_credentials.any?
+
+          credential_lines_for_npmrc.each do |credential_line|
+            next if final_content.include?(credential_line)
+
+            final_content = [final_content, credential_line].reject(&:empty?).join("\n")
+          end
+
+          final_content
         end
 
         # PROXY WORK
@@ -105,15 +113,7 @@ module Dependabot
           token = global_registry.fetch("token", nil)
           return "" unless token
 
-          if token.include?(":")
-            encoded_token = Base64.encode64(token).delete("\n")
-            "_auth = #{encoded_token}\n"
-          elsif Base64.decode64(token).ascii_only? &&
-                Base64.decode64(token).include?(":")
-            "_auth = #{token.delete("\n")}\n"
-          else
-            "_authToken = #{token}\n"
-          end
+          auth_line(token, global_registry.fetch("registry")) + "\n"
         end
 
         def yarnrc_global_registry_auth_line
@@ -122,12 +122,12 @@ module Dependabot
 
           if token.include?(":")
             encoded_token = Base64.encode64(token).delete("\n")
-            "npmAuthIdent: \"#{encoded_token}\"\n"
+            "npmAuthIdent: \"#{encoded_token}\""
           elsif Base64.decode64(token).ascii_only? &&
                 Base64.decode64(token).include?(":")
-            "npmAuthIdent: \"#{token.delete("\n")}\"\n"
+            "npmAuthIdent: \"#{token.delete("\n")}\""
           else
-            "npmAuthToken: \"#{token}\"\n"
+            "npmAuthToken: \"#{token}\""
           end
         end
 
@@ -230,18 +230,7 @@ module Dependabot
             token = cred.fetch("token", nil)
             next unless token
 
-            # We need to ensure the registry uri ends with a trailing slash in the npmrc file
-            # but we do not want to add one if it already exists
-            registry_with_trailing_slash = registry.sub(%r{\/?$}, "/")
-            if token.include?(":")
-              encoded_token = Base64.encode64(token).delete("\n")
-              lines << "//#{registry_with_trailing_slash}:_auth=#{encoded_token}"
-            elsif Base64.decode64(token).ascii_only? &&
-                  Base64.decode64(token).include?(":")
-              lines << %(//#{registry_with_trailing_slash}:_auth=#{token.delete("\n")})
-            else
-              lines << "//#{registry_with_trailing_slash}:_authToken=#{token}"
-            end
+            lines << auth_line(token, registry)
           end
 
           return lines unless lines.any? { |str| str.include?("auth=") }
@@ -250,6 +239,26 @@ module Dependabot
           ["always-auth = true"] + lines
         end
 
+        def auth_line(token, registry = nil)
+          auth = if token.include?(":")
+                   encoded_token = Base64.encode64(token).delete("\n")
+                   "_auth=#{encoded_token}"
+                 elsif Base64.decode64(token).ascii_only? &&
+                       Base64.decode64(token).include?(":")
+                   "_auth=#{token.delete("\n")}"
+                 else
+                   "_authToken=#{token}"
+                 end
+
+          return auth unless registry
+
+          # We need to ensure the registry uri ends with a trailing slash in the npmrc file
+          # but we do not want to add one if it already exists
+          registry_with_trailing_slash = registry.sub(%r{\/?$}, "/")
+
+          "//#{registry_with_trailing_slash}:#{auth}"
+        end
+
         def npmrc_scoped_registries
           return [] unless npmrc_file
 

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -37,7 +37,9 @@ module Dependabot
         IRRESOLVABLE_PACKAGE = "ERR_PNPM_NO_MATCHING_VERSION"
         INVALID_REQUIREMENT = "ERR_PNPM_SPEC_NOT_SUPPORTED_BY_ANY_RESOLVER"
         UNREACHABLE_GIT = %r{ERR_PNPM_FETCH_404[ [^:print:]]+GET (?<url>https://codeload\.github\.com/[^/]+/[^/]+)/}
+        FORBIDDEN_PACKAGE = /ERR_PNPM_FETCH_403[ [^:print:]]+GET (?<dependency_url>.*): Forbidden - 403/
         MISSING_PACKAGE = /ERR_PNPM_FETCH_404[ [^:print:]]+GET (?<dependency_url>.*): Not Found - 404/
+        UNAUTHORIZED_PACKAGE = /ERR_PNPM_FETCH_401[ [^:print:]]+GET (?<dependency_url>.*): Unauthorized - 401/
 
         def run_pnpm_update(pnpm_lock:)
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
@@ -90,18 +92,20 @@ module Dependabot
           end
 
           if error_message.match?(UNREACHABLE_GIT)
-            dependency_url = error_message.match(UNREACHABLE_GIT).named_captures.fetch("url")
+            url = error_message.match(UNREACHABLE_GIT).named_captures.fetch("url")
 
-            raise Dependabot::GitDependenciesNotReachable, dependency_url
+            raise Dependabot::GitDependenciesNotReachable, url
           end
 
-          raise unless error_message.match?(MISSING_PACKAGE)
+          [FORBIDDEN_PACKAGE, MISSING_PACKAGE, UNAUTHORIZED_PACKAGE].each do |regexp|
+            next unless error_message.match?(regexp)
 
-          dependency_url = error_message.match(MISSING_PACKAGE)
-                                        .named_captures["dependency_url"]
+            dependency_url = error_message.match(regexp).named_captures["dependency_url"]
 
-          package_name = RegistryParser.new(resolved_url: dependency_url, credentials: credentials).dependency_name
-          raise_missing_package_error(package_name, error_message, pnpm_lock)
+            raise_package_access_error(dependency_url, pnpm_lock)
+          end
+
+          raise
         end
 
         def raise_resolvability_error(error_message, pnpm_lock)
@@ -111,7 +115,8 @@ module Dependabot
           raise Dependabot::DependencyFileNotResolvable, msg
         end
 
-        def raise_missing_package_error(package_name, _error_message, pnpm_lock)
+        def raise_package_access_error(dependency_url, pnpm_lock)
+          package_name = RegistryParser.new(resolved_url: dependency_url, credentials: credentials).dependency_name
           missing_dep = lockfile_dependencies(pnpm_lock)
                         .find { |dep| dep.name == package_name }
 

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -186,7 +186,7 @@ module Dependabot
         end
 
         def yarn_berry_args
-          Helpers.yarn_berry_args
+          @yarn_berry_args ||= Helpers.yarn_berry_args
         end
 
         def run_yarn_top_level_updater(top_level_dependency_updates:)
@@ -228,9 +228,9 @@ module Dependabot
           # Local path error: When installing a git dependency which
           # is using local file paths for sub-dependencies (e.g. unbuilt yarn
           # workspace project)
-          sub_dep_local_path_err = 'Package "" refers to a non-existing file'
+          sub_dep_local_path_err = "refers to a non-existing file"
           if error_message.match?(INVALID_PACKAGE) ||
-             error_message.start_with?(sub_dep_local_path_err)
+             error_message.include?(sub_dep_local_path_err)
             raise_resolvability_error(error_message, yarn_lock)
           end
 
@@ -295,7 +295,8 @@ module Dependabot
           handle_timeout(error_message, yarn_lock) if error_message.match?(TIMEOUT_FETCHING_PACKAGE)
 
           if error_message.start_with?("Couldn't find any versions") ||
-             error_message.include?(": Not found")
+             error_message.include?(": Not found") ||
+             error_message.include?("Couldn't find match for")
 
             raise_resolvability_error(error_message, yarn_lock) unless resolvable_before_update?(yarn_lock)
 

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -4,6 +4,9 @@
 module Dependabot
   module NpmAndYarn
     module Helpers
+      YARN_PATH_NOT_FOUND =
+        /^.*(?<error>The "yarn-path" option has been set \(in [^)]+\), but the specified location doesn't exist)/
+
       def self.npm_version(lockfile_content)
         "npm#{npm_version_numeric(lockfile_content)}"
       end
@@ -51,12 +54,33 @@ module Dependabot
       end
 
       def self.yarn_major_version
-        @yarn_major_version ||= fetch_yarn_major_version
-      end
-
-      def self.fetch_yarn_major_version
+        retries = 0
         output = SharedHelpers.run_shell_command("yarn --version")
         Version.new(output).major
+      rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
+        # Should never happen, can probably be removed once this settles
+        raise "Failed to replace ENV, not sure why" if T.must(retries).positive?
+
+        message = e.message
+
+        missing_env_var_regex = %r{Environment variable not found \((?:[^)]+)\) in #{Dir.pwd}/(?<path>\S+)}
+
+        if message.match?(missing_env_var_regex)
+          match = T.must(message.match(missing_env_var_regex))
+          path = T.must(match.named_captures["path"])
+
+          File.write(path, File.read(path).gsub(/\$\{[^}-]+\}/, ""))
+          retries = T.must(retries) + 1
+
+          retry
+        end
+
+        if YARN_PATH_NOT_FOUND.match?(message)
+          error = T.must(T.must(YARN_PATH_NOT_FOUND.match(message))[:error]).sub(Dir.pwd, ".")
+          raise MisconfiguredTooling.new("Yarn", error)
+        end
+
+        raise
       end
 
       def self.yarn_zero_install?
@@ -84,15 +108,21 @@ module Dependabot
         yarn_major_version >= 3 && (yarn_zero_install? || yarn_offline_cache?)
       end
 
+      def self.yarn_berry_disable_scripts?
+        yarn_major_version == 2 || !yarn_zero_install?
+      end
+
+      def self.yarn_4_or_higher?
+        yarn_major_version >= 4
+      end
+
       def self.setup_yarn_berry
         # Always disable immutable installs so yarn's CI detection doesn't prevent updates.
         SharedHelpers.run_shell_command("yarn config set enableImmutableInstalls false")
         # Do not generate a cache if offline cache disabled. Otherwise side effects may confuse further checks
         SharedHelpers.run_shell_command("yarn config set enableGlobalCache true") unless yarn_berry_skip_build?
         # We never want to execute postinstall scripts, either set this config or mode=skip-build must be set
-        if yarn_major_version == 2 || !yarn_zero_install?
-          SharedHelpers.run_shell_command("yarn config set enableScripts false")
-        end
+        SharedHelpers.run_shell_command("yarn config set enableScripts false") if yarn_berry_disable_scripts?
         if (http_proxy = ENV.fetch("HTTP_PROXY", false))
           SharedHelpers.run_shell_command("yarn config set httpProxy #{http_proxy}")
         end
@@ -101,7 +131,7 @@ module Dependabot
         end
         return unless (ca_file_path = ENV.fetch("NODE_EXTRA_CA_CERTS", false))
 
-        if yarn_major_version >= 4
+        if yarn_4_or_higher?
           SharedHelpers.run_shell_command("yarn config set httpsCaFilePath #{ca_file_path}")
         else
           SharedHelpers.run_shell_command("yarn config set caFilePath #{ca_file_path}")

data/lib/dependabot/npm_and_yarn/registry_parser.rb

@@ -1,4 +1,4 @@
-# typed: false
+# typed: true
 # frozen_string_literal: true
 
 module Dependabot
@@ -38,7 +38,7 @@ module Dependabot
                      resolved_url
                    end
 
-        url_base.split("/")[3..-1].join("/").gsub("%2F", "/")
+        url_base[/@.*/].gsub("%2F", "/").split("/")[0..1].join("/")
       end
 
       private

data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb

@@ -225,17 +225,24 @@ module Dependabot
 
           @yanked[version] =
             begin
-              status = Dependabot::RegistryClient.get(
-                url: dependency_url + "/#{version}",
-                headers: registry_auth_headers
-              ).status
-
-              if status == 404 && dependency_registry != "registry.npmjs.org"
-                # Some registries don't handle escaped package names properly
+              if dependency_registry == "registry.npmjs.org"
+                status = Dependabot::RegistryClient.head(
+                  url: registry_finder.tarball_url(version),
+                  headers: registry_auth_headers
+                ).status
+              else
                 status = Dependabot::RegistryClient.get(
-                  url: dependency_url.gsub("%2F", "/") + "/#{version}",
+                  url: dependency_url + "/#{version}",
                   headers: registry_auth_headers
                 ).status
+
+                if status == 404
+                  # Some registries don't handle escaped package names properly
+                  status = Dependabot::RegistryClient.get(
+                    url: dependency_url.gsub("%2F", "/") + "/#{version}",
+                    headers: registry_auth_headers
+                  ).status
+                end
               end
 
               version_not_found = status == 404

data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb

@@ -39,7 +39,14 @@ module Dependabot
         end
 
         def dependency_url
-          "#{registry_url.gsub(%r{/+$}, '')}/#{escaped_dependency_name}"
+          "#{registry_url}/#{escaped_dependency_name}"
+        end
+
+        def tarball_url(version)
+          version_without_build_metadata = version.to_s.gsub(/\+.*/, "")
+
+          # Dependency name needs to be unescaped since tarball URLs don't always work with escaped slashes
+          "#{registry_url}/#{dependency.name}/-/#{scopeless_name}-#{version_without_build_metadata}.tgz"
         end
 
         def self.central_registry?(registry)
@@ -85,16 +92,21 @@ module Dependabot
         end
 
         def registry_url
-          return registry if registry.start_with?("http")
-
-          protocol =
-            if registry_source_url
-              registry_source_url.split("://").first
+          url =
+            if registry.start_with?("http")
+              registry
             else
-              "https"
+              protocol =
+                if registry_source_url
+                  registry_source_url.split("://").first
+                else
+                  "https"
+                end
+
+              "#{protocol}://#{registry}"
             end
 
-          "#{protocol}://#{registry}"
+          url.gsub(%r{/+$}, "")
         end
 
         def auth_header_for(token)
@@ -274,6 +286,10 @@ module Dependabot
           dependency.name.gsub("/", "%2F")
         end
 
+        def scopeless_name
+          dependency.name.split("/").last
+        end
+
         def registry_source_url
           sources = dependency.requirements
                               .map { |r| r.fetch(:source) }.uniq.compact

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.237.0
+  version: 0.238.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-11-21 00:00:00.000000000 Z
+date: 2023-12-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.237.0
+        version: 0.238.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.237.0
+        version: 0.238.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -310,7 +310,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.237.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.238.0
 post_install_message: 
 rdoc_options: []
 require_paths: