dependabot-npm_and_yarn 0.248.0 → 0.249.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d8c37418b227c06a52aa5052c75b0b072595db577f6d8d8b815bed1f883dc0c
-  data.tar.gz: 96d4246790357bdc08b1d4dbbbd7a883421fe401717bd2ae43dc2093270c81f7
+  metadata.gz: d151652a4b121a997ad0d4bc33f9a7c8ea85be7b80243caff0b206fe98546c10
+  data.tar.gz: 5855c2d02fd81e6e83c603a1cc2ef6a096a8ce4d16f821e75d31aef2aa8f37b3
 SHA512:
-  metadata.gz: 40d06b38c0e9d6bb5ad257536af005567b6b51d632228e0e4605e7dd8850ed38922d2adfb9ac28ca8b54707e18c21a0822faf07378bb6f3e2a332e2df12968a4
-  data.tar.gz: d8d19df3a8ea9ab1f7cb665d37db2f995c954668cb7f6b02d401dd62451e30d67e12bd0f2365ac8b58159bc48f83f8c7fd7930b79096aab827253366f7ca35ab
+  metadata.gz: b0cb6772b69527887eb0a55c4c7e315b772c9290fa19f0e744ffd75c4c8fc3b736e035049a6049c8c4c16638f3c5b79a6206c66476b43e1b4a9778a2ba52c849
+  data.tar.gz: fbe325addd40ac04e91c0582167b6704e9f990e6df936faa441319e948e5e58c8917fdfe0b2346f5712571eef883c2baced7d840abca176428e66012d5667a43

data/lib/dependabot/npm_and_yarn/dependency_files_filterer.rb

@@ -37,7 +37,8 @@ module Dependabot
 
       private
 
-      attr_reader :dependency_files, :updated_dependencies
+      attr_reader :dependency_files
+      attr_reader :updated_dependencies
 
       def fetch_paths_requiring_update_check
         # if only a root lockfile exists, it tracks all dependencies

data/lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb

@@ -32,8 +32,11 @@ module Dependabot
 
         private
 
-        attr_reader :dependency_name, :path, :package_lock, :yarn_lock,
-                    :directory
+        attr_reader :dependency_name
+        attr_reader :path
+        attr_reader :package_lock
+        attr_reader :yarn_lock
+        attr_reader :directory
 
         def details_from_yarn_lock
           path_starts = FileFetcher::PATH_DEPENDENCY_STARTS

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -33,7 +33,10 @@ module Dependabot
 
         private
 
-        attr_reader :lockfile, :dependencies, :dependency_files, :credentials
+        attr_reader :lockfile
+        attr_reader :dependencies
+        attr_reader :dependency_files
+        attr_reader :credentials
 
         UNREACHABLE_GIT = /fatal: repository '(?<url>.*)' not found/
         FORBIDDEN_GIT = /fatal: Authentication failed for '(?<url>.*)'/

data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb

@@ -61,7 +61,9 @@ module Dependabot
 
         private
 
-        attr_reader :dependency_files, :credentials, :dependencies
+        attr_reader :dependency_files
+        attr_reader :credentials
+        attr_reader :dependencies
 
         def build_npmrc_content_from_lockfile
           return unless yarn_lock || package_lock || shrinkwrap

data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb

@@ -20,7 +20,8 @@ module Dependabot
 
         private
 
-        attr_reader :package_json, :dependencies
+        attr_reader :package_json
+        attr_reader :dependencies
 
         def updated_package_json_content
           dependencies.reduce(package_json.content.dup) do |content, dep|

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -32,7 +32,10 @@ module Dependabot
 
         private
 
-        attr_reader :dependencies, :dependency_files, :repo_contents_path, :credentials
+        attr_reader :dependencies
+        attr_reader :dependency_files
+        attr_reader :repo_contents_path
+        attr_reader :credentials
 
         IRRESOLVABLE_PACKAGE = "ERR_PNPM_NO_MATCHING_VERSION"
         INVALID_REQUIREMENT = "ERR_PNPM_SPEC_NOT_SUPPORTED_BY_ANY_RESOLVER"

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -39,7 +39,10 @@ module Dependabot
 
         private
 
-        attr_reader :dependencies, :dependency_files, :repo_contents_path, :credentials
+        attr_reader :dependencies
+        attr_reader :dependency_files
+        attr_reader :repo_contents_path
+        attr_reader :credentials
 
         UNREACHABLE_GIT = /ls-remote --tags --heads (?<url>.*)/
         TIMEOUT_FETCHING_PACKAGE = %r{(?<url>.+)/(?<package>[^/]+): ETIMEDOUT}
@@ -342,8 +345,9 @@ module Dependabot
         def write_temporary_dependency_files(yarn_lock, update_package_json: true)
           write_lockfiles
 
-          if Helpers.yarn_berry?(yarn_lock)
-            File.write(".yarnrc.yml", yarnrc_yml_content) if yarnrc_yml_file
+          if Helpers.yarn_berry?(yarn_lock) && yarnrc_yml_file
+            yarnrc_yml_sanitize_content = sanitize_yarnrc_content(yarnrc_yml_content)
+            File.write(".yarnrc.yml", yarnrc_yml_sanitize_content)
           else
             File.write(".npmrc", npmrc_content)
             File.write(".yarnrc", yarnrc_content) if yarnrc_specifies_private_reg?
@@ -367,6 +371,11 @@ module Dependabot
           clean_npmrc_in_path(yarn_lock)
         end
 
+        def sanitize_yarnrc_content(content)
+          # Replace all "${...}" and ${...} occurrences with empty strings
+          content.gsub(/\"\$\{.*?\}\"/, '""').gsub(/\$\{.*?\}/, '""')
+        end
+
         def clean_npmrc_in_path(yarn_lock)
           # Berry does not read npmrc files.
           return if Helpers.yarn_berry?(yarn_lock)

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -79,11 +79,20 @@ module Dependabot
           retry
         end
 
+        handle_subprocess_failure(e)
+      end
+
+      def self.handle_subprocess_failure(error)
+        message = error.message
         if YARN_PATH_NOT_FOUND.match?(message)
           error = T.must(T.must(YARN_PATH_NOT_FOUND.match(message))[:error]).sub(Dir.pwd, ".")
           raise MisconfiguredTooling.new("Yarn", error)
         end
 
+        if message.include?("Internal Error") && message.include?(".yarnrc.yml")
+          raise MisconfiguredTooling.new("Invalid .yarnrc.yml file", message)
+        end
+
         raise
       end
 

data/lib/dependabot/npm_and_yarn/registry_parser.rb

@@ -43,7 +43,8 @@ module Dependabot
 
       private
 
-      attr_reader :resolved_url, :credentials
+      attr_reader :resolved_url
+      attr_reader :credentials
 
       # rubocop:disable Metrics/PerceivedComplexity
       def url_for_relevant_cred

data/lib/dependabot/npm_and_yarn/sub_dependency_files_filterer.rb

@@ -33,7 +33,8 @@ module Dependabot
 
       private
 
-      attr_reader :dependency_files, :updated_dependencies
+      attr_reader :dependency_files
+      attr_reader :updated_dependencies
 
       def lockfile_dependencies(lockfile)
         @lockfile_dependencies ||= {}

data/lib/dependabot/npm_and_yarn/update_checker/conflicting_dependency_resolver.rb

@@ -65,7 +65,8 @@ module Dependabot
 
         private
 
-        attr_reader :dependency_files, :credentials
+        attr_reader :dependency_files
+        attr_reader :credentials
       end
     end
   end

data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb

@@ -79,7 +79,9 @@ module Dependabot
 
         private
 
-        attr_reader :dependency, :dependency_files, :credentials
+        attr_reader :dependency
+        attr_reader :dependency_files
+        attr_reader :credentials
 
         def write_lockfiles
           yarn_locks.each do |f|

data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb

@@ -108,8 +108,11 @@ module Dependabot
 
         private
 
-        attr_reader :dependency, :credentials, :dependency_files,
-                    :ignored_versions, :security_advisories
+        attr_reader :dependency
+        attr_reader :credentials
+        attr_reader :dependency_files
+        attr_reader :ignored_versions
+        attr_reader :security_advisories
 
         def valid_npm_details?
           !npm_details&.fetch("dist-tags", nil).nil?

data/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb

@@ -23,7 +23,9 @@ module Dependabot
 
         private
 
-        attr_reader :package_json_file, :credentials, :dependency_files
+        attr_reader :package_json_file
+        attr_reader :credentials
+        attr_reader :dependency_files
 
         def package_json_may_be_for_library?
           return false unless project_name

data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb

@@ -61,7 +61,11 @@ module Dependabot
 
         private
 
-        attr_reader :dependency, :credentials, :npmrc_file, :yarnrc_file, :yarnrc_yml_file
+        attr_reader :dependency
+        attr_reader :credentials
+        attr_reader :npmrc_file
+        attr_reader :yarnrc_file
+        attr_reader :yarnrc_yml_file
 
         def explicit_registry_from_rc(dependency_name)
           if dependency_name.start_with?("@") && dependency_name.include?("/")

data/lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb

@@ -62,8 +62,10 @@ module Dependabot
 
         private
 
-        attr_reader :requirements, :updated_source, :update_strategy,
-                    :latest_resolvable_version
+        attr_reader :requirements
+        attr_reader :updated_source
+        attr_reader :update_strategy
+        attr_reader :latest_resolvable_version
 
         def check_update_strategy
           return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -53,8 +53,12 @@ module Dependabot
 
         private
 
-        attr_reader :dependency, :credentials, :dependency_files,
-                    :ignored_versions, :latest_allowable_version, :repo_contents_path
+        attr_reader :dependency
+        attr_reader :credentials
+        attr_reader :dependency_files
+        attr_reader :ignored_versions
+        attr_reader :latest_allowable_version
+        attr_reader :repo_contents_path
 
         def update_subdependency_in_lockfile(lockfile)
           lockfile_name = Pathname.new(lockfile.name).basename.to_s

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb

@@ -154,8 +154,12 @@ module Dependabot
 
         private
 
-        attr_reader :dependency, :credentials, :dependency_files,
-                    :latest_allowable_version, :repo_contents_path, :dependency_group
+        attr_reader :dependency
+        attr_reader :credentials
+        attr_reader :dependency_files
+        attr_reader :latest_allowable_version
+        attr_reader :repo_contents_path
+        attr_reader :dependency_group
 
         def latest_version_finder(dep)
           @latest_version_finder[dep] ||=

data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb

@@ -100,7 +100,8 @@ module Dependabot
 
         private
 
-        attr_reader :dependency_files, :credentials
+        attr_reader :dependency_files
+        attr_reader :credentials
 
         def explain_fix_unavailable(validation_result, dependency)
           case validation_result

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.248.0
+  version: 0.249.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-03-21 00:00:00.000000000 Z
+date: 2024-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.248.0
+        version: 0.249.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.248.0
+        version: 0.249.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -338,7 +338,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.248.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.249.0
 post_install_message: 
 rdoc_options: []
 require_paths: