dependabot-npm_and_yarn 0.248.0 → 0.250.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4d8c37418b227c06a52aa5052c75b0b072595db577f6d8d8b815bed1f883dc0c
-  data.tar.gz: 96d4246790357bdc08b1d4dbbbd7a883421fe401717bd2ae43dc2093270c81f7
+  metadata.gz: 9720ff3635c00dcd1ea68e9f898b8e5a716f0379f19ffd345605df678f0626a2
+  data.tar.gz: a5a3aaa35195696fc1016dae1d6eefb374a8a4e017a3278f17162a337fe00551
 SHA512:
-  metadata.gz: 40d06b38c0e9d6bb5ad257536af005567b6b51d632228e0e4605e7dd8850ed38922d2adfb9ac28ca8b54707e18c21a0822faf07378bb6f3e2a332e2df12968a4
-  data.tar.gz: d8d19df3a8ea9ab1f7cb665d37db2f995c954668cb7f6b02d401dd62451e30d67e12bd0f2365ac8b58159bc48f83f8c7fd7930b79096aab827253366f7ca35ab
+  metadata.gz: 2accb24fcb1bcb4032641a3ff5dd8b8dcb817f1727f380dc686fa0e4f95221ad4c1c271a33b1709e70aa355ec2f4f1348e9e5c501369be49e0620ce56d1f72b9
+  data.tar.gz: 7e1dfeb34efcf438d6dab402fa678eca690f9631df8efbbf1cc0efdab8e95bbacff814fe714bcf614dafaf0281cbc32d97b67d0187744994991ae70de57b1d89

data/lib/dependabot/npm_and_yarn/dependency_files_filterer.rb

@@ -1,8 +1,9 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/utils"
 require "dependabot/npm_and_yarn/file_parser/lockfile_parser"
+require "sorbet-runtime"
 
 # Used in the version resolver and file updater to only run yarn/npm helpers on
 # dependency files that require updates. This is useful for large monorepos with
@@ -10,51 +11,67 @@ require "dependabot/npm_and_yarn/file_parser/lockfile_parser"
 module Dependabot
   module NpmAndYarn
     class DependencyFilesFilterer
+      extend T::Sig
+
+      sig { params(dependency_files: T::Array[DependencyFile], updated_dependencies: T::Array[Dependency]).void }
       def initialize(dependency_files:, updated_dependencies:)
         @dependency_files = dependency_files
         @updated_dependencies = updated_dependencies
       end
 
+      sig { returns(T::Array[String]) }
       def paths_requiring_update_check
-        @paths_requiring_update_check ||= fetch_paths_requiring_update_check
+        @paths_requiring_update_check ||= T.let(fetch_paths_requiring_update_check, T.nilable(T::Array[String]))
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def files_requiring_update
-        @files_requiring_update ||=
+        @files_requiring_update ||= T.let(
           dependency_files.select do |file|
             package_files_requiring_update.include?(file) ||
               package_required_lockfile?(file) ||
               workspaces_lockfile?(file)
-          end
+          end, T.nilable(T::Array[DependencyFile])
+        )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
       def package_files_requiring_update
-        @package_files_requiring_update ||=
+        @package_files_requiring_update ||= T.let(
           dependency_files.select do |file|
             dependency_manifest_requirements.include?(file.name)
-          end
+          end, T.nilable(T::Array[DependencyFile])
+        )
       end
 
       private
 
-      attr_reader :dependency_files, :updated_dependencies
+      sig { returns(T::Array[DependencyFile]) }
+      attr_reader :dependency_files
+
+      sig { returns(T::Array[Dependency]) }
+      attr_reader :updated_dependencies
 
+      sig { returns(T::Array[String]) }
       def fetch_paths_requiring_update_check
         # if only a root lockfile exists, it tracks all dependencies
-        return [File.dirname(root_lockfile.name)] if lockfiles == [root_lockfile]
+        return [File.dirname(T.must(root_lockfile).name)] if lockfiles == [root_lockfile]
 
         package_files_requiring_update.map do |file|
           File.dirname(file.name)
         end
       end
 
+      sig { returns(T::Array[String]) }
       def dependency_manifest_requirements
-        @dependency_manifest_requirements ||=
+        @dependency_manifest_requirements ||= T.let(
           updated_dependencies.flat_map do |dep|
             dep.requirements.map { |requirement| requirement[:file] }
-          end
+          end, T.nilable(T::Array[String])
+        )
       end
 
+      sig { params(lockfile: DependencyFile).returns(T::Boolean) }
       def package_required_lockfile?(lockfile)
         return false unless lockfile?(lockfile)
 
@@ -63,6 +80,7 @@ module Dependabot
         end
       end
 
+      sig { params(lockfile: DependencyFile).returns(T::Boolean) }
       def workspaces_lockfile?(lockfile)
         return false unless ["yarn.lock", "package-lock.json", "pnpm-lock.yaml"].include?(lockfile.name)
 
@@ -73,28 +91,35 @@ module Dependabot
         updated_dependencies_in_lockfile?(lockfile)
       end
 
+      sig { returns(T.nilable(DependencyFile)) }
       def root_lockfile
-        @root_lockfile ||=
+        @root_lockfile ||= T.let(
           lockfiles.find do |file|
             File.dirname(file.name) == "."
-          end
+          end, T.nilable(DependencyFile)
+        )
       end
 
+      sig { returns(T::Array[DependencyFile]) }
       def lockfiles
-        @lockfiles ||=
+        @lockfiles ||= T.let(
           dependency_files.select do |file|
             lockfile?(file)
-          end
+          end, T.nilable(T::Array[DependencyFile])
+        )
       end
 
+      sig { returns(T::Hash[String, T.untyped]) }
       def parsed_root_package_json
-        @parsed_root_package_json ||=
+        @parsed_root_package_json ||= T.let(
           begin
-            package = dependency_files.find { |f| f.name == "package.json" }
-            JSON.parse(package.content)
-          end
+            package = T.must(dependency_files.find { |f| f.name == "package.json" })
+            JSON.parse(T.must(package.content))
+          end, T.nilable(T::Hash[String, T.untyped])
+        )
       end
 
+      sig { params(lockfile: Dependabot::DependencyFile).returns(T::Boolean) }
       def updated_dependencies_in_lockfile?(lockfile)
         lockfile_dependencies(lockfile).any? do |sub_dep|
           updated_dependencies.any? do |updated_dep|
@@ -103,18 +128,21 @@ module Dependabot
         end
       end
 
+      sig { params(lockfile: DependencyFile).returns(T::Array[Dependency]) }
       def lockfile_dependencies(lockfile)
-        @lockfile_dependencies ||= {}
+        @lockfile_dependencies ||= T.let({}, T.nilable(T::Hash[String, T::Array[Dependency]]))
         @lockfile_dependencies[lockfile.name] ||=
           NpmAndYarn::FileParser::LockfileParser.new(
             dependency_files: [lockfile]
           ).parse
       end
 
+      sig { params(file: DependencyFile).returns(T::Boolean) }
       def manifest?(file)
         file.name.end_with?("package.json")
       end
 
+      sig { params(file: DependencyFile).returns(T::Boolean) }
       def lockfile?(file)
         file.name.end_with?(
           "package-lock.json",

data/lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb

@@ -1,15 +1,28 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "json"
 require "dependabot/dependency_file"
 require "dependabot/errors"
 require "dependabot/npm_and_yarn/file_fetcher"
+require "sorbet-runtime"
 
 module Dependabot
   module NpmAndYarn
     class FileFetcher
       class PathDependencyBuilder
+        extend T::Sig
+
+        sig do
+          params(
+            dependency_name: String,
+            path: String,
+            directory: String,
+            package_lock: T.nilable(DependencyFile),
+            yarn_lock: T.nilable(DependencyFile)
+          )
+            .void
+        end
         def initialize(dependency_name:, path:, directory:, package_lock:,
                        yarn_lock:)
           @dependency_name = dependency_name
@@ -19,6 +32,7 @@ module Dependabot
           @yarn_lock = yarn_lock
         end
 
+        sig { returns(DependencyFile) }
         def dependency_file
           filename = File.join(path, "package.json")
 
@@ -32,19 +46,33 @@ module Dependabot
 
         private
 
-        attr_reader :dependency_name, :path, :package_lock, :yarn_lock,
-                    :directory
+        sig { returns(String) }
+        attr_reader :dependency_name
+
+        sig { returns(String) }
+        attr_reader :path
+
+        sig { returns(T.nilable(DependencyFile)) }
+        attr_reader :package_lock
+
+        sig { returns(T.nilable(DependencyFile)) }
+        attr_reader :yarn_lock
+
+        sig { returns(String) }
+        attr_reader :directory
 
+        sig { returns(T.untyped) }
         def details_from_yarn_lock
           path_starts = FileFetcher::PATH_DEPENDENCY_STARTS
           parsed_yarn_lock.to_a
                           .find do |n, _|
             next false unless n.split(/(?<=\w)\@/).first == dependency_name
 
-            n.split(/(?<=\w)\@/).last.start_with?(*path_starts)
+            T.must(n.split(/(?<=\w)\@/).last).start_with?(*path_starts)
           end&.last
         end
 
+        sig { returns(T.untyped) }
         def details_from_npm_lock
           path_starts = FileFetcher::NPM_PATH_DEPENDENCY_STARTS
           path_deps = parsed_package_lock.fetch("dependencies", []).to_a
@@ -54,6 +82,7 @@ module Dependabot
           path_deps.find { |n, _| n == dependency_name }&.last
         end
 
+        sig { params(dependency_name: String).returns(String) }
         def build_path_dep_content(dependency_name)
           unless details_from_yarn_lock || details_from_npm_lock
             raise Dependabot::PathDependenciesNotReachable, [dependency_name]
@@ -86,6 +115,7 @@ module Dependabot
         # relative. Worse, they may point to the user's local cache.
         # We work around this by constructing a relative path to the
         # (second-level) path dependencies.
+        sig { params(dependencies_hash: T.nilable(T::Hash[String, T.untyped])).returns(T.untyped) }
         def replace_yarn_lockfile_paths(dependencies_hash)
           return unless dependencies_hash
 
@@ -98,7 +128,7 @@ module Dependabot
                               .find do |n, _|
                 next false unless n.split(/(?<=\w)\@/).first == name
 
-                n.split(/(?<=\w)\@/).last
+                T.must(n.split(/(?<=\w)\@/).last)
                  .start_with?(*FileFetcher::PATH_DEPENDENCY_STARTS)
               end&.first&.split(/(?<=\w)\@/)&.last
 
@@ -110,32 +140,36 @@ module Dependabot
           end
         end
 
+        sig { returns(T.untyped) }
         def parsed_package_lock
           return {} unless package_lock
 
-          JSON.parse(package_lock.content)
+          JSON.parse(T.must(T.must(package_lock).content))
         rescue JSON::ParserError
           {}
         end
 
+        sig { returns(T.nilable(T::Hash[String, T.untyped])) }
         def parsed_yarn_lock
-          return {} unless yarn_lock
-
-          @parsed_yarn_lock ||=
-            SharedHelpers.in_a_temporary_directory do
-              File.write("yarn.lock", yarn_lock.content)
-
-              SharedHelpers.run_helper_subprocess(
-                command: NativeHelpers.helper_path,
-                function: "yarn:parseLockfile",
-                args: [Dir.pwd]
-              )
-            rescue SharedHelpers::HelperSubprocessFailed
-              raise Dependabot::DependencyFileNotParseable, yarn_lock.path
-            end
+          return unless yarn_lock
+          return @parsed_yarn_lock if defined?(@parsed_yarn_lock)
+
+          parsed = T.cast(SharedHelpers.in_a_temporary_directory do
+            File.write("yarn.lock", T.must(yarn_lock).content)
+
+            SharedHelpers.run_helper_subprocess(
+              command: NativeHelpers.helper_path,
+              function: "yarn:parseLockfile",
+              args: [Dir.pwd]
+            )
+          rescue SharedHelpers::HelperSubprocessFailed
+            raise Dependabot::DependencyFileNotParseable, T.must(yarn_lock).path
+          end, T::Hash[String, T.untyped])
+          @parsed_yarn_lock = T.let(parsed, T.nilable(T::Hash[String, T.untyped]))
         end
 
         # The path back to the root lockfile
+        sig { returns(String) }
         def inverted_path
           path.split("/").map do |part|
             next part if part == "."