dependabot-npm_and_yarn 0.258.0 → 0.260.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb +103 -29
  3. data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +3 -2
  4. data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb +9 -9
  5. data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb +3 -2
  6. data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +18 -10
  7. metadata +5 -5
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bfae5fcd34c7159db44bdc832e687cafe0705df351e72d40ecce5d9c0857a8b4
4
- data.tar.gz: d95fc294357c49a90e1c450971f939fb8354a6dcb0274bd022e18209123d06bb
3
+ metadata.gz: a9f2b9570a88347b5fbfb66edf9fc031b9301e30a7ab86e41b3017cd1b8e2a8c
4
+ data.tar.gz: 7278b7d2adb8fbe5f0e9cd6162b825836883268731a35b30f38f772a6d8d288a
5
5
  SHA512:
6
- metadata.gz: f267519493c1c2cfc85d0419bbc5cbd6ef7508f7dade5eb043d30457d59f2e660cd2d207931b1465fb5fba4128067f36062094f0ac1145619ca50f2a631e7093
7
- data.tar.gz: 6a7531b3e26ce9542eb154258a3fef029aa86860d43415df58da00dbf1a1ca2216e74bb90b98e295e32da2074ce4a7885c8dbb4acb3b6e12ee6a28a446babf52
6
+ metadata.gz: a09574f2190bd8434293521c983b350cbc5bc754d302652545a424147ea515f0f6fc80d574ca2d287e35e44f629c3ab1fd9f8d0615ee6ce312289942bc61520f
7
+ data.tar.gz: d7e37d49b38a0a73c7d6049e3ac71027285287b1d800eb99a1e03673df80469c2461447b4c2131b98938393309dd0e2b01b3e56024efb7842382435faee764ac
data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb CHANGED
@@ -1,17 +1,28 @@
1
- # typed: false
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
5
+
4
6
  require "dependabot/npm_and_yarn/file_updater"
5
7
 
6
8
  module Dependabot
7
9
  module NpmAndYarn
8
10
  class FileUpdater < Dependabot::FileUpdaters::Base
9
11
  class PackageJsonUpdater
12
+ extend T::Sig
13
+
14
+ sig do
15
+ params(
16
+ package_json: Dependabot::DependencyFile,
17
+ dependencies: T::Array[Dependabot::Dependency]
18
+ ) .void
19
+ end
10
20
  def initialize(package_json:, dependencies:)
11
21
  @package_json = package_json
12
22
  @dependencies = dependencies
13
23
  end
14
24
 
25
+ sig { returns(Dependabot::DependencyFile) }
15
26
  def updated_package_json
16
27
  updated_file = package_json.dup
17
28
  updated_file.content = updated_package_json_content
@@ -20,16 +31,20 @@ module Dependabot
20
31
 
21
32
  private
22
33
 
34
+ sig { returns(Dependabot::DependencyFile) }
23
35
  attr_reader :package_json
36
+
37
+ sig { returns(T::Array[Dependabot::Dependency]) }
24
38
  attr_reader :dependencies
25
39
 
40
+ sig { returns(T.nilable(String)) }
26
41
  def updated_package_json_content
27
42
  dependencies.reduce(package_json.content.dup) do |content, dep|
28
- updated_requirements(dep).each do |new_req|
43
+ updated_requirements(dep)&.each do |new_req|
29
44
  old_req = old_requirement(dep, new_req)
30
45
 
31
46
  new_content = update_package_json_declaration(
32
- package_json_content: content,
47
+ package_json_content: T.must(content),
33
48
  dependency_name: dep.name,
34
49
  old_req: old_req,
35
50
  new_req: new_req
@@ -44,7 +59,7 @@ module Dependabot
44
59
  old_req = old_requirement(dep, new_req)
45
60
 
46
61
  content = update_package_json_resolutions(
47
- package_json_content: content,
62
+ package_json_content: T.must(content),
48
63
  new_req: new_req,
49
64
  dependency: dep,
50
65
  old_req: old_req
@@ -55,24 +70,35 @@ module Dependabot
55
70
  end
56
71
  end
57
72
 
73
+ sig do
74
+ params(
75
+ dependency: Dependabot::Dependency,
76
+ new_requirement: T::Hash[Symbol, T.untyped]
77
+ )
78
+ .returns(T.nilable(T::Hash[Symbol, T.untyped]))
79
+ end
58
80
  def old_requirement(dependency, new_requirement)
59
- dependency.previous_requirements
60
- .select { |r| r[:file] == package_json.name }
61
- .find { |r| r[:groups] == new_requirement[:groups] }
81
+ T.must(dependency.previous_requirements)
82
+ .select { |r| r[:file] == package_json.name }
83
+ .find { |r| r[:groups] == new_requirement[:groups] }
62
84
  end
63
85
 
86
+ sig { params(dependency: Dependabot::Dependency).returns(T::Array[T::Hash[Symbol, T.untyped]]) }
64
87
  def new_requirements(dependency)
65
88
  dependency.requirements.select { |r| r[:file] == package_json.name }
66
89
  end
67
90
 
91
+ sig { params(dependency: Dependabot::Dependency).returns(T.nilable(T::Array[T::Hash[Symbol, T.untyped]])) }
68
92
  def updated_requirements(dependency)
93
+ return unless dependency.previous_requirements
94
+
69
95
  updated_requirement_pairs =
70
- dependency.requirements.zip(dependency.previous_requirements)
96
+ dependency.requirements.zip(T.must(dependency.previous_requirements))
71
97
  .reject do |new_req, old_req|
72
98
  next true if new_req == old_req
73
- next false unless old_req[:source].nil?
99
+ next false unless old_req&.fetch(:source).nil?
74
100
 
75
- new_req[:requirement] == old_req[:requirement]
101
+ new_req[:requirement] == old_req&.fetch(:requirement)
76
102
  end
77
103
 
78
104
  updated_requirement_pairs
@@ -80,8 +106,16 @@ module Dependabot
80
106
  .select { |r| r[:file] == package_json.name }
81
107
  end
82
108
 
83
- def update_package_json_declaration(package_json_content:, new_req:,
84
- dependency_name:, old_req:)
109
+ sig do
110
+ params(
111
+ package_json_content: String,
112
+ new_req: T::Hash[Symbol, T.untyped],
113
+ dependency_name: String,
114
+ old_req: T.nilable(T::Hash[Symbol, T.untyped])
115
+ )
116
+ .returns(String)
117
+ end
118
+ def update_package_json_declaration(package_json_content:, new_req:, dependency_name:, old_req:)
85
119
  original_line = declaration_line(
86
120
  dependency_name: dependency_name,
87
121
  dependency_req: old_req,
@@ -107,8 +141,16 @@ module Dependabot
107
141
  # For full details on how Yarn resolutions work, see
108
142
  # https://github.com/yarnpkg/rfcs/blob/master/implemented/
109
143
  # 0000-selective-versions-resolutions.md
110
- def update_package_json_resolutions(package_json_content:, new_req:,
111
- dependency:, old_req:)
144
+ sig do
145
+ params(
146
+ package_json_content: String,
147
+ new_req: T::Hash[Symbol, T.untyped],
148
+ dependency: Dependabot::Dependency,
149
+ old_req: T.nilable(T::Hash[Symbol, T.untyped])
150
+ )
151
+ .returns(String)
152
+ end
153
+ def update_package_json_resolutions(package_json_content:, new_req:, dependency:, old_req:)
112
154
  dep = dependency
113
155
  parsed_json_content = JSON.parse(package_json_content)
114
156
  resolutions =
@@ -141,17 +183,25 @@ module Dependabot
141
183
  content
142
184
  end
143
185
 
186
+ sig do
187
+ params(
188
+ dependency_name: String,
189
+ dependency_req: T.nilable(T::Hash[Symbol, T.untyped]),
190
+ content: String
191
+ )
192
+ .returns(String)
193
+ end
144
194
  def declaration_line(dependency_name:, dependency_req:, content:)
145
- git_dependency = dependency_req.dig(:source, :type) == "git"
195
+ git_dependency = dependency_req&.dig(:source, :type) == "git"
146
196
 
147
197
  unless git_dependency
148
- requirement = dependency_req.fetch(:requirement)
198
+ requirement = dependency_req&.fetch(:requirement)
149
199
  return content.match(/"#{Regexp.escape(dependency_name)}"\s*:\s*
150
200
  "#{Regexp.escape(requirement)}"/x).to_s
151
201
  end
152
202
 
153
203
  username, repo =
154
- dependency_req.dig(:source, :url).split("/").last(2)
204
+ dependency_req&.dig(:source, :url)&.split("/")&.last(2)
155
205
 
156
206
  content.match(
157
207
  %r{"#{Regexp.escape(dependency_name)}"\s*:\s*
@@ -159,13 +209,21 @@ module Dependabot
159
209
  ).to_s
160
210
  end
161
211
 
212
+ sig do
213
+ params(
214
+ original_line: String,
215
+ old_req: T.nilable(T::Hash[Symbol, T.untyped]),
216
+ new_req: T::Hash[Symbol, T.untyped]
217
+ )
218
+ .returns(String)
219
+ end
162
220
  def replacement_declaration_line(original_line:, old_req:, new_req:)
163
- was_git_dependency = old_req.dig(:source, :type) == "git"
221
+ was_git_dependency = old_req&.dig(:source, :type) == "git"
164
222
  now_git_dependency = new_req.dig(:source, :type) == "git"
165
223
 
166
224
  unless was_git_dependency
167
225
  return original_line.gsub(
168
- %("#{old_req.fetch(:requirement)}"),
226
+ %("#{old_req&.fetch(:requirement)}"),
169
227
  %("#{new_req.fetch(:requirement)}")
170
228
  )
171
229
  end
@@ -186,15 +244,23 @@ module Dependabot
186
244
  end
187
245
 
188
246
  original_line.gsub(
189
- %(##{old_req.dig(:source, :ref)}"),
247
+ %(##{old_req&.dig(:source, :ref)}"),
190
248
  %(##{new_req.dig(:source, :ref)}")
191
249
  )
192
250
  end
193
251
 
252
+ sig do
253
+ params(
254
+ original_line: String,
255
+ old_req: T.nilable(T::Hash[Symbol, String]),
256
+ new_req: T::Hash[Symbol, String]
257
+ )
258
+ .returns(String)
259
+ end
194
260
  def update_git_semver_requirement(original_line:, old_req:, new_req:)
195
261
  if original_line.include?("semver:")
196
262
  return original_line.gsub(
197
- %(semver:#{old_req.fetch(:requirement)}"),
263
+ %(semver:#{old_req&.fetch(:requirement)}"),
198
264
  %(semver:#{new_req.fetch(:requirement)}")
199
265
  )
200
266
  end
@@ -202,13 +268,21 @@ module Dependabot
202
268
  raise "Not a semver req!" unless original_line.match?(/#[\^~=<>]/)
203
269
 
204
270
  original_line.gsub(
205
- %(##{old_req.fetch(:requirement)}"),
271
+ %(##{old_req&.fetch(:requirement)}"),
206
272
  %(##{new_req.fetch(:requirement)}")
207
273
  )
208
274
  end
209
275
 
210
- def update_package_json_sections(sections, content, old_line,
211
- new_line)
276
+ sig do
277
+ params(
278
+ sections: T::Array[String],
279
+ content: String,
280
+ old_line: String,
281
+ new_line: String
282
+ )
283
+ .returns(String)
284
+ end
285
+ def update_package_json_sections(sections, content, old_line, new_line)
212
286
  # Currently, Dependabot doesn't update peerDependencies. However,
213
287
  # if a development dependency is being updated and its requirement
214
288
  # matches the requirement on a peer dependency we probably want to
@@ -218,21 +292,21 @@ module Dependabot
218
292
  sections += ["peerDependencies"]
219
293
  sections_regex = /#{sections.join('|')}/
220
294
 
221
- declaration_blocks = []
295
+ declaration_blocks = T.let([], T::Array[String])
222
296
 
223
297
  content.scan(/['"]#{sections_regex}['"]\s*:\s*\{/m) do
224
- mtch = Regexp.last_match
298
+ mtch = T.must(Regexp.last_match)
225
299
  declaration_blocks <<
226
- (mtch.to_s +
227
- mtch.post_match[0..closing_bracket_index(mtch.post_match)])
300
+ (mtch.to_s + T.must(mtch.post_match[0..closing_bracket_index(mtch.post_match)]))
228
301
  end
229
302
 
230
303
  declaration_blocks.reduce(content.dup) do |new_content, block|
231
304
  updated_block = block.sub(old_line, new_line)
232
- new_content.sub!(block, updated_block)
305
+ new_content.sub(block, updated_block)
233
306
  end
234
307
  end
235
308
 
309
+ sig { params(string: String).returns(Integer) }
236
310
  def closing_bracket_index(string)
237
311
  closes_required = 1
238
312
 
data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb CHANGED
@@ -1,4 +1,4 @@
1
- # typed: false
1
+ # typed: true
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "uri"
@@ -147,7 +147,8 @@ module Dependabot
147
147
  retry_count += 1
148
148
  raise if retry_count > 2
149
149
 
150
- sleep(rand(3.0..10.0)) && retry
150
+ sleep(rand(3.0..10.0))
151
+ retry
151
152
  end
152
153
 
153
154
  # rubocop:enable Metrics/PerceivedComplexity
data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb CHANGED
@@ -1,4 +1,4 @@
1
- # typed: false
1
+ # typed: true
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "excon"
@@ -174,14 +174,14 @@ module Dependabot
174
174
 
175
175
  registries = []
176
176
  npmrc_file.content.scan(NPM_AUTH_TOKEN_REGEX) do
177
- next if Regexp.last_match[:registry].include?("${")
177
+ next if Regexp.last_match&.[](:registry)&.include?("${")
178
178
 
179
- registry = Regexp.last_match[:registry]
180
- token = Regexp.last_match[:token]&.strip
179
+ registry = T.must(Regexp.last_match)[:registry]
180
+ token = T.must(Regexp.last_match)[:token]&.strip
181
181
 
182
182
  registries << {
183
183
  "type" => "npm_registry",
184
- "registry" => registry.gsub(/\s+/, "%20"),
184
+ "registry" => registry&.gsub(/\s+/, "%20"),
185
185
  "token" => token
186
186
  }
187
187
  end
@@ -260,9 +260,9 @@ module Dependabot
260
260
  registries = []
261
261
 
262
262
  file.content.scan(syntax) do
263
- next if Regexp.last_match[:registry].include?("${")
263
+ next if Regexp.last_match&.[](:registry)&.include?("${")
264
264
 
265
- url = Regexp.last_match[:registry].strip
265
+ url = T.must(T.must(Regexp.last_match)[:registry]).strip
266
266
  registry = normalize_configured_registry(url)
267
267
  registries << {
268
268
  "type" => "npm_registry",
@@ -277,9 +277,9 @@ module Dependabot
277
277
 
278
278
  def scoped_rc_registry(file, syntax:, scope:)
279
279
  file&.content.to_s.scan(syntax) do
280
- next if Regexp.last_match[:registry].include?("${") || Regexp.last_match[:scope] != scope
280
+ next if Regexp.last_match&.[](:registry)&.include?("${") || Regexp.last_match&.[](:scope) != scope
281
281
 
282
- return Regexp.last_match[:registry].strip
282
+ return T.must(T.must(Regexp.last_match)[:registry]).strip
283
283
  end
284
284
 
285
285
  nil
data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb CHANGED
@@ -1,4 +1,4 @@
1
- # typed: false
1
+ # typed: true
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "dependabot/dependency"
@@ -115,7 +115,8 @@ module Dependabot
115
115
  retry_count += 1
116
116
  raise if retry_count > 2
117
117
 
118
- sleep(rand(3.0..10.0)) && retry
118
+ sleep(rand(3.0..10.0))
119
+ retry
119
120
  end
120
121
 
121
122
  def run_yarn_berry_updater(path, lockfile_name)
data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb CHANGED
@@ -1,6 +1,8 @@
1
- # typed: false
1
+ # typed: true
2
2
  # frozen_string_literal: true
3
3
 
4
+ require "sorbet-runtime"
5
+
4
6
  require "dependabot/errors"
5
7
  require "dependabot/git_commit_checker"
6
8
  require "dependabot/logger"
@@ -21,6 +23,8 @@ module Dependabot
21
23
  module NpmAndYarn
22
24
  class UpdateChecker
23
25
  class VersionResolver
26
+ extend T::Sig
27
+
24
28
  require_relative "latest_version_finder"
25
29
 
26
30
  TIGHTLY_COUPLED_MONOREPOS = {
@@ -162,6 +166,7 @@ module Dependabot
162
166
 
163
167
  private
164
168
 
169
+ sig { returns(Dependabot::Dependency) }
165
170
  attr_reader :dependency
166
171
  attr_reader :credentials
167
172
  attr_reader :dependency_files
@@ -356,32 +361,34 @@ module Dependabot
356
361
  []
357
362
  end
358
363
 
364
+ # rubocop:disable Metrics/AbcSize
365
+ sig { params(message: String).returns(T::Array[T::Hash[String, T.nilable(String)]]) }
359
366
  def handle_peer_dependency_errors(message)
360
367
  errors = []
361
368
  if message.match?(NPM6_PEER_DEP_ERROR_REGEX)
362
369
  message.scan(NPM6_PEER_DEP_ERROR_REGEX) do
363
- errors << Regexp.last_match.named_captures
370
+ errors << Regexp.last_match&.named_captures
364
371
  end
365
372
  elsif message.match?(NPM8_PEER_DEP_ERROR_REGEX)
366
373
  message.scan(NPM8_PEER_DEP_ERROR_REGEX) do
367
- errors << Regexp.last_match.named_captures
374
+ errors << T.must(Regexp.last_match).named_captures
368
375
  end
369
376
  elsif message.match?(YARN_PEER_DEP_ERROR_REGEX)
370
377
  message.scan(YARN_PEER_DEP_ERROR_REGEX) do
371
- errors << Regexp.last_match.named_captures
378
+ errors << T.must(Regexp.last_match).named_captures
372
379
  end
373
380
  elsif message.match?(YARN_BERRY_PEER_DEP_ERROR_REGEX)
374
381
  message.scan(YARN_BERRY_PEER_DEP_ERROR_REGEX) do
375
- errors << Regexp.last_match.named_captures
382
+ errors << T.must(Regexp.last_match).named_captures
376
383
  end
377
384
  elsif message.match?(YARN_BERRY_V4_PEER_DEP_ERROR_REGEX)
378
385
  message.scan(YARN_BERRY_V4_PEER_DEP_ERROR_REGEX) do
379
- errors << Regexp.last_match.named_captures
386
+ errors << T.must(Regexp.last_match).named_captures
380
387
  end
381
388
  elsif message.match?(PNPM_PEER_DEP_ERROR_REGEX)
382
389
  message.scan(PNPM_PEER_DEP_ERROR_REGEX) do
383
- captures = Regexp.last_match.named_captures
384
- captures["requiring_dep"].tr!(" ", "@")
390
+ captures = T.must(Regexp.last_match).named_captures
391
+ T.must(captures["requiring_dep"]).tr!(" ", "@")
385
392
  errors << captures
386
393
  end
387
394
  else
@@ -389,6 +396,7 @@ module Dependabot
389
396
  end
390
397
  errors
391
398
  end
399
+ # rubocop:enable Metrics/AbcSize
392
400
 
393
401
  def unmet_peer_dependencies
394
402
  peer_dependency_errors
@@ -650,7 +658,7 @@ module Dependabot
650
658
  git_source = dependency.requirements.find { |req| req[:source] && req[:source][:type] == "git" }
651
659
 
652
660
  if git_source
653
- "#{dependency.name}@#{git_req[:source][:url]}##{version}"
661
+ "#{dependency.name}@#{git_source[:source][:url]}##{version}"
654
662
  else
655
663
  "#{dependency.name}@#{version}"
656
664
  end
@@ -715,7 +723,7 @@ module Dependabot
715
723
  end
716
724
 
717
725
  def version_regex
718
- version_class::VERSION_PATTERN
726
+ Dependabot::NpmAndYarn::Version::VERSION_PATTERN
719
727
  end
720
728
  end
721
729
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.258.0
4
+ version: 0.260.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-05-16 00:00:00.000000000 Z
11
+ date: 2024-06-06 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.258.0
19
+ version: 0.260.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.258.0
26
+ version: 0.260.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -345,7 +345,7 @@ licenses:
345
345
  - MIT
346
346
  metadata:
347
347
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
348
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.258.0
348
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.260.0
349
349
  post_install_message:
350
350
  rdoc_options: []
351
351
  require_paths: