dependabot-npm_and_yarn 0.272.0 → 0.273.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 2b986a02c4b0f3aec877f1f3e5713415bf0f6dd7e2cbb347fb8c69c69934e369
4
- data.tar.gz: 70a12ed63b81ce69ea93473df5792b26397a81015ab40fb9a57c77aa37ceea60
3
+ metadata.gz: f50ca11122e4cb20467429d842d14a2f94ba49961bae91467427a9f5e5e527bd
4
+ data.tar.gz: 1e5cb3d387f9028704cbafdac219711f4fde4630398bc8372d41a0c0980bacaa
5
5
  SHA512:
6
- metadata.gz: 023a5ff98729ff3e7e53fb36e086cb957f3f1e545ca1345a69dc1ba4664580b2842af29b407fdbd39fa7c2fe3dc90f04928eb8954b27a3f4aef3ab6bfae0cb36
7
- data.tar.gz: ce482960e083b8141181fd2a5c7c58159715f7360cf339b372fe230b8ade5148ad657568c25273d394e4549033f9db09cb82c9e16796e8147278bcc2b18d39fb
6
+ metadata.gz: 7f4db9619ad3e83704ff8761805ae2fb920c4573ce42a7c0cbf582fc10757bd7a8b1b5df85f781a253c5d4f9c47ff5323d40eb342f7a2f3e62aab269f66ebac6
7
+ data.tar.gz: 984b65763fa999cab20ca319dcd20406032bfda471612554a5ea1aa51cdc5d666bb31c444b487bf996e118f73b9cb8ba58b8d88615e04c1cfdf4f45f8bc4bad7
@@ -74,9 +74,11 @@ module Dependabot
74
74
  INVALID_PACKAGE = /Can't install (?<package_req>.*): Missing/
75
75
  SOCKET_HANG_UP = /(?:request to )?(?<url>.*): socket hang up/
76
76
  ESOCKETTIMEDOUT = /(?<url>.*): ESOCKETTIMEDOUT/
77
+ UNABLE_TO_ACCESS = /unable to access '(?<url>.*)': Empty reply from server/
77
78
  UNABLE_TO_AUTH_NPMRC = /Unable to authenticate, need: Basic, Bearer/
78
79
  UNABLE_TO_AUTH_REGISTRY = /Unable to authenticate, need: *.*(Basic|BASIC) *.*realm="(?<url>.*)"/
79
80
  MISSING_AUTH_TOKEN = /401 Unauthorized - GET (?<url>.*) - authentication token not provided/
81
+ AUTH_REQUIRED_ERROR = /(?<url>.*): authentication required/
80
82
  INVALID_AUTH_TOKEN =
81
83
  /401 Unauthorized - GET (?<url>.*) - unauthenticated: User cannot be authenticated with the token provided./
82
84
  NPM_PACKAGE_REGISTRY = "https://npm.pkg.github.com"
@@ -88,8 +90,13 @@ module Dependabot
88
90
  EMPTY_OBJECT_ERROR = /Object for dependency "(?<package>.*)" is empty/
89
91
  ERROR_E401 = /code E401/
90
92
  ERROR_E403 = /code E403/
93
+ REQUEST_ERROR_E403 = /Request "(?<pkg>.*)" returned a 403/
91
94
  ERROR_EAI_AGAIN = /request to (?<url>.*) failed, reason: getaddrinfo EAI_AGAIN/
92
- PACKAGE_DISCOVERY_FAIL = /Couldn't find package "(?<pkg>.*)" *.* on the "(?<regis>.*)" registry./
95
+
96
+ NPM_PACKAGE_NOT_FOUND_CODES = T.let([
97
+ /Couldn't find package "(?<pkg>.*)" on the "(?<regis>.*)" registry./,
98
+ /Couldn't find package "(?<pkg>.*)" required by "(?<dep>.*)" on the "(?<regis>.*)" registry./
99
+ ].freeze, T::Array[Regexp])
93
100
 
94
101
  # TODO: look into fixing this in npm, seems like a bug in the git
95
102
  # downloader introduced in npm 7
@@ -416,8 +423,9 @@ module Dependabot
416
423
  "Error while updating peer dependency."
417
424
  end
418
425
 
419
- if error_message.match?(ERROR_E401) || error_message.match?(ERROR_E403)
420
- raise Dependabot::PrivateSourceAuthenticationFailure, error_message
426
+ if error_message.match?(ERROR_E401) || error_message.match?(ERROR_E403) || error_message.match?(REQUEST_ERROR_E403) || error_message.match?(AUTH_REQUIRED_ERROR) # rubocop:disable Layout/LineLength
427
+ url = T.must(URI.decode_www_form_component(error_message).split("https://").last).split("/").first
428
+ raise Dependabot::PrivateSourceAuthenticationFailure, url
421
429
  end
422
430
 
423
431
  if error_message.match?(MISSING_PACKAGE)
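Review bot: The host recovered on new line 427 with `URI.decode_www_form_component(error_message).split("https://").last.split("/").first` has no fallback when the message holds no `https://` URL — and `ERROR_E401`/`ERROR_E403` match bare `code E401`/`code E403` — so `split.last` returns the whole decoded message and `PrivateSourceAuthenticationFailure` is raised with whatever text precedes the first `/` instead of a registry host. `URI.decode_www_form_component` is also not needed to find a host: it raises ArgumentError on a malformed `%` sequence (masking the npm error) and turns `+` into a space. If the matched URL carries userinfo (`https://user:token@host/...`), the `user:token@` prefix survives `split("/").first` and lands in the exception's source, whereas the SOCKET_HANG_UP path on new line 544 routes its captured url through `sanitize_uri`. Matching the URL directly avoids all three: `host = error_message[%r{https?://(?:[^@\s/]+@)?([^\s/]+)}, 1]` followed by `raise Dependabot::PrivateSourceAuthenticationFailure, (host || error_message)`, optionally passing the result through `sanitize_uri` as the timeout branch does. The enclosing method starts and ends outside this hunk.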
@@ -531,7 +539,8 @@ module Dependabot
531
539
  raise Dependabot::DependencyFileNotResolvable, msg
532
540
  end
533
541
 
534
- if (git_source = error_message.match(SOCKET_HANG_UP) || error_message.match(ESOCKETTIMEDOUT))
542
+ if (git_source = error_message.match(SOCKET_HANG_UP) || error_message.match(ESOCKETTIMEDOUT) ||
543
+ error_message.match(UNABLE_TO_ACCESS))
535
544
  msg = sanitize_uri(git_source.named_captures.fetch("url"))
536
545
  raise Dependabot::PrivateSourceTimedOut, msg
537
546
  end
@@ -576,7 +585,10 @@ module Dependabot
576
585
  raise Dependabot::DependencyFileNotResolvable, msg
577
586
  end
578
587
 
579
- raise Dependabot::DependencyFileNotResolvable, error_message if error_message.match(PACKAGE_DISCOVERY_FAIL)
588
+ package_errors = Regexp.union(NPM_PACKAGE_NOT_FOUND_CODES)
589
+ if (msg = error_message.match(package_errors))
590
+ raise Dependabot::DependencyFileNotResolvable, msg
591
+ end
580
592
 
581
593
  raise error
582
594
  end
@@ -48,8 +48,10 @@ module Dependabot
48
48
  # ERR_PNPM_FETCH ERROR CODES
49
49
  ERR_PNPM_FETCH_401 = /ERR_PNPM_FETCH_401.*GET (?<dependency_url>.*): - 401/
50
50
  ERR_PNPM_FETCH_403 = /ERR_PNPM_FETCH_403.*GET (?<dependency_url>.*): - 403/
51
+ ERR_PNPM_FETCH_404 = /ERR_PNPM_FETCH_404.*GET (?<dependency_url>.*): - 404/
51
52
  ERR_PNPM_FETCH_500 = /ERR_PNPM_FETCH_500.*GET (?<dependency_url>.*): - 500/
52
53
  ERR_PNPM_FETCH_502 = /ERR_PNPM_FETCH_502.*GET (?<dependency_url>.*): - 502/
54
+ ERR_PNPM_FETCH_503 = /ERR_PNPM_FETCH_503.*GET (?<dependency_url>.*): - 503/
53
55
 
54
56
  # ERR_PNPM_UNSUPPORTED_ENGINE
55
57
  ERR_PNPM_UNSUPPORTED_ENGINE = /ERR_PNPM_UNSUPPORTED_ENGINE/
@@ -66,6 +68,16 @@ module Dependabot
66
68
  PLATFORM_VERSION_REQUIREMENT = /wanted {(?<supported_ver>.*)} \(current: (?<detected_ver>.*)\)/
67
69
  PLATFORM_PACAKGE_MANAGER = "pnpm"
68
70
 
71
+ INVALID_PACKAGE_SPEC = /Invalid package manager specification/
72
+
73
+ # Metadata inconsistent error codes
74
+ ERR_PNPM_META_FETCH_FAIL = /ERR_PNPM_META_FETCH_FAIL/
75
+ ERR_PNPM_BROKEN_METADATA_JSON = /ERR_PNPM_BROKEN_METADATA_JSON/
76
+
77
+ # Directory related error codes
78
+ ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND = /ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND*.*Could not install from \"(?<dir>.*)\" /
79
+ ERR_PNPM_WORKSPACE_PKG_NOT_FOUND = /ERR_PNPM_WORKSPACE_PKG_NOT_FOUND/
80
+
69
81
  def run_pnpm_update(pnpm_lock:)
70
82
  SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
71
83
  File.write(".npmrc", npmrc_content(pnpm_lock))
@@ -111,6 +123,8 @@ module Dependabot
111
123
 
112
124
  # rubocop:disable Metrics/AbcSize
113
125
  # rubocop:disable Metrics/PerceivedComplexity
126
+ # rubocop:disable Metrics/MethodLength
127
+ # rubocop:disable Metrics/CyclomaticComplexity
114
128
  def handle_pnpm_lock_updater_error(error, pnpm_lock)
115
129
  error_message = error.message
116
130
 
@@ -131,7 +145,8 @@ module Dependabot
131
145
  end
132
146
 
133
147
  [FORBIDDEN_PACKAGE, MISSING_PACKAGE, UNAUTHORIZED_PACKAGE, ERR_PNPM_FETCH_401,
134
- ERR_PNPM_FETCH_403, ERR_PNPM_FETCH_500, ERR_PNPM_FETCH_502].each do |regexp|
148
+ ERR_PNPM_FETCH_403, ERR_PNPM_FETCH_404, ERR_PNPM_FETCH_500, ERR_PNPM_FETCH_502, ERR_PNPM_FETCH_503]
149
+ .each do |regexp|
135
150
  next unless error_message.match?(regexp)
136
151
 
137
152
  dependency_url = error_message.match(regexp).named_captures["dependency_url"]
@@ -147,6 +162,40 @@ module Dependabot
147
162
  raise Dependabot::DependencyFileNotResolvable, msg
148
163
  end
149
164
 
165
+ # TO-DO : investigate "packageManager" allowed regex
166
+ if error_message.match?(INVALID_PACKAGE_SPEC)
167
+ dependency_names = dependencies.map(&:name).join(", ")
168
+
169
+ msg = "Invalid package manager specification in package.json while resolving \"#{dependency_names}\"."
170
+ raise Dependabot::DependencyFileNotResolvable, msg
171
+ end
172
+
173
+ if error_message.match?(ERR_PNPM_META_FETCH_FAIL)
174
+
175
+ msg = error_message.split(ERR_PNPM_META_FETCH_FAIL).last
176
+ raise Dependabot::DependencyFileNotResolvable, msg
177
+ end
178
+
179
+ if error_message.match?(ERR_PNPM_WORKSPACE_PKG_NOT_FOUND)
180
+ dependency_names = dependencies.map(&:name).join(", ")
181
+
182
+ msg = "No package named \"#{dependency_names}\" present in workspace."
183
+ Dependabot.logger.warn(error_message)
184
+ raise Dependabot::DependencyFileNotResolvable, msg
185
+ end
186
+
187
+ if error_message.match?(ERR_PNPM_BROKEN_METADATA_JSON)
188
+ msg = "Error (ERR_PNPM_BROKEN_METADATA_JSON) while resolving \"pnpm-lock.yaml\" file."
189
+ Dependabot.logger.warn(error_message)
190
+ raise Dependabot::DependencyFileNotResolvable, msg
191
+ end
192
+
193
+ if error_message.match?(ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND)
194
+ dir = error_message.match(ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND).named_captures.fetch("dir")
195
+ msg = "Could not find linked package installation directory \"#{dir.split('/').last}\""
196
+ raise Dependabot::DependencyFileNotResolvable, msg
197
+ end
198
+
150
199
  raise_patch_dependency_error(error_message) if error_message.match?(ERR_PNPM_PATCH_NOT_APPLIED)
151
200
 
152
201
  raise_unsupported_engine_error(error_message, pnpm_lock) if error_message.match?(ERR_PNPM_UNSUPPORTED_ENGINE)
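Review bot: `error_message.split(ERR_PNPM_META_FETCH_FAIL).last` on new line 175 returns the text *before* the code whenever the code is the last thing in the message, because `String#split` drops trailing empty strings (and it returns `nil` when the message is nothing but the code), so the `DependencyFileNotResolvable` raised on new line 176 would carry an unrelated leading fragment of pnpm's stderr rather than the fetch detail. `String#partition` keeps the tail deterministic: `detail = error_message.partition(ERR_PNPM_META_FETCH_FAIL).last.strip` then `msg = detail.empty? ? "pnpm failed to fetch package metadata (ERR_PNPM_META_FETCH_FAIL)." : detail`. A brief comment above that branch saying the raised message is pnpm's own text after the error code would also help the next reader, since the other new branches here build fixed messages from `dependencies` instead. `handle_pnpm_lock_updater_error` starts and ends outside this hunk.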
@@ -160,6 +209,8 @@ module Dependabot
160
209
  end
161
210
  # rubocop:enable Metrics/AbcSize
162
211
  # rubocop:enable Metrics/PerceivedComplexity
212
+ # rubocop:enable Metrics/MethodLength
213
+ # rubocop:enable Metrics/CyclomaticComplexity
163
214
 
164
215
  def raise_resolvability_error(error_message, pnpm_lock)
165
216
  dependency_names = dependencies.map(&:name).join(", ")
@@ -61,6 +61,16 @@ module Dependabot
61
61
 
62
62
  SOCKET_HANG_UP = /(?<url>.*?): socket hang up/
63
63
 
64
+ # Misc errors
65
+ EEXIST = /EEXIST: file already exists, mkdir '(?<regis>.*)'/
66
+
67
+ # registry access errors
68
+ REQUEST_ERROR_E403 = /Request "(?<url>.*)" returned a 403/ # Forbidden access to the URL.
69
+ AUTH_REQUIRED_ERROR = /(?<url>.*): authentication required/ # Authentication is required for the URL.
70
+ PERMISSION_DENIED = /(?<url>.*): Permission denied/ # Lack of permission to access the URL.
71
+ BAD_REQUEST = /(?<url>.*): bad_request/ # Inconsistent request while accessing resource.
72
+ INTERNAL_SERVER_ERROR = /Request failed "500 Internal Server Error"/ # Server error response by remote registry.
73
+
64
74
  # Used to identify git unreachable error
65
75
  UNREACHABLE_GIT_CHECK_REGEX = /ls-remote --tags --heads (?<url>.*)/
66
76
 
@@ -79,6 +89,8 @@ module Dependabot
79
89
  PACKAGE_NOT_FOUND_PACKAGE_NAME_CAPTURE = "package_req"
80
90
  PACKAGE_NOT_FOUND_PACKAGE_NAME_CAPTURE_SPLIT_REGEX = /(?<=\w)\@/
81
91
 
92
+ YARN_PACKAGE_NOT_FOUND_CODE = /npm package "(?<dep>.*)" does not exist under owner "(?<regis>.*)"/
93
+
82
94
  YN0035 = T.let({
83
95
  PACKAGE_NOT_FOUND: %r{(?<package_req>@[\w-]+\/[\w-]+@\S+): Package not found},
84
96
  FAILED_TO_RETRIEVE: %r{(?<package_req>@[\w-]+\/[\w-]+@\S+): The remote server failed to provide the requested resource} # rubocop:disable Layout/LineLength
@@ -97,6 +109,9 @@ module Dependabot
97
109
 
98
110
  DEPENDENCY_NO_VERSION_FOUND = "Couldn't find any versions"
99
111
 
112
+ # Manifest not found
113
+ MANIFEST_NOT_FOUND = /Cannot read properties of undefined \(reading '(?<file>.*)'\)/
114
+
100
115
  # Used to identify error if node_modules state file not resolved
101
116
  NODE_MODULES_STATE_FILE_NOT_FOUND = "Couldn't find the node_modules state file"
102
117
 
@@ -126,13 +141,17 @@ module Dependabot
126
141
  YARNRC_ENOENT = /Internal Error: ENOENT/
127
142
  YARNRC_ENOENT_REGEX = /Internal Error: ENOENT: no such file or directory, stat '(?<filename>.*?)'/
128
143
 
144
+ # if not package found with specified version
145
+ YARN_PACKAGE_NOT_FOUND = /MessageError: Couldn't find any versions for "(?<pkg>.*?)" that matches "(?<ver>.*?)"/
146
+
129
147
  YN0001_FILE_NOT_RESOLVED_CODES = T.let({
130
- FIND_PACKAGE_LOCATION: /YN0001: UsageError: Couldn't find the (?<pkg>.*) state file/,
131
- NO_CANDIDATE_FOUND: /YN0001: Error: (?<pkg>.*): No candidates found/,
132
- NO_SUPPORTED_RESOLVER: /YN0001:*.*Error: (?<pkg>.*) isn't supported by any available resolver/,
133
- WORKSPACE_NOT_FOUND: /YN0001: Error: (?<pkg>.*): Workspace not found/,
134
- ENOENT: /YN0001:*.*Thrown Error: (?<pkg>.*) ENOENT/,
135
- MANIFEST_NOT_FOUND: /YN0001: Error: (?<pkg>.*): Manifest not found/
148
+ FIND_PACKAGE_LOCATION: /YN0001:(.*?)UsageError: Couldn't find the (?<pkg>.*) state file/,
149
+ NO_CANDIDATE_FOUND: /YN0001:(.*?)Error: (?<pkg>.*): No candidates found/,
150
+ NO_SUPPORTED_RESOLVER: /YN0001:(.*?)Error: (?<pkg>.*) isn't supported by any available resolver/,
151
+ WORKSPACE_NOT_FOUND: /YN0001:(.*?)Error: (?<pkg>.*): Workspace not found/,
152
+ ENOENT: /YN0001:(.*?)Thrown Error: (?<pkg>.*) ENOENT/,
153
+ MANIFEST_NOT_FOUND: /YN0001:(.*?)Error: (?<pkg>.*): Manifest not found/,
154
+ LIBZIP_ERROR: /YN0001:(.*?)Libzip Error: Failed to open the cache entry for (?<pkg>.*): Not a zip archive/
136
155
  }.freeze, T::Hash[String, Regexp])
137
156
 
138
157
  YN0001_AUTH_ERROR_CODES = T.let({
@@ -200,6 +219,12 @@ module Dependabot
200
219
  Dependabot::DependencyFileNotResolvable.new(message)
201
220
  }
202
221
  },
222
+ "YN0009" => {
223
+ message: "Build Failed",
224
+ handler: lambda { |message, _error, _params|
225
+ Dependabot::DependencyFileNotResolvable.new(message)
226
+ }
227
+ },
203
228
  "YN0016" => {
204
229
  message: "Remote not found",
205
230
  handler: lambda { |message, _error, _params|
@@ -225,6 +250,13 @@ module Dependabot
225
250
  Dependabot::DependencyNotFound.new(message)
226
251
  }
227
252
  },
253
+ "YN0041" => {
254
+ message: "Invalid authentication",
255
+ handler: lambda { |message, _error, _params|
256
+ url = T.must(URI.decode_www_form_component(message).split("https://").last).split("/").first
257
+ Dependabot::PrivateSourceAuthenticationFailure.new(url)
258
+ }
259
+ },
228
260
  "YN0046" => {
229
261
  message: "Automerge failed to parse",
230
262
  handler: lambda { |message, _error, _params|
@@ -249,6 +281,12 @@ module Dependabot
249
281
  Dependabot::IncompatibleCPU.new(message)
250
282
  }
251
283
  },
284
+ "YN0068" => {
285
+ message: "No matching package",
286
+ handler: lambda { |message, _error, _params|
287
+ Dependabot::DependencyFileNotResolvable.new(message)
288
+ }
289
+ },
252
290
  "YN0071" => {
253
291
  message: "NM can't install external soft link",
254
292
  handler: lambda { |message, _error, _params|
@@ -477,8 +515,57 @@ module Dependabot
477
515
  },
478
516
  in_usage: false,
479
517
  matchfn: nil
480
- }
518
+ },
519
+ {
520
+ patterns: [YARN_PACKAGE_NOT_FOUND],
521
+ handler: lambda { |message, _error, _params|
522
+ package_name = message.match(YARN_PACKAGE_NOT_FOUND).named_captures["pkg"]
523
+ version = message.match(YARN_PACKAGE_NOT_FOUND).named_captures["ver"]
524
+
525
+ Dependabot::InconsistentRegistryResponse.new("Couldn't find any versions for \"#{package_name}\" that " \
526
+ "matches \"#{version}\"")
527
+ },
528
+ in_usage: false,
529
+ matchfn: nil
530
+ },
531
+ {
532
+ patterns: [YARN_PACKAGE_NOT_FOUND_CODE],
533
+ handler: lambda { |message, _error, _params|
534
+ msg = message.match(YARN_PACKAGE_NOT_FOUND_CODE)
481
535
 
536
+ Dependabot::DependencyFileNotResolvable.new(msg)
537
+ },
538
+ in_usage: false,
539
+ matchfn: nil
540
+ },
541
+ {
542
+ patterns: [REQUEST_ERROR_E403, AUTH_REQUIRED_ERROR, PERMISSION_DENIED, BAD_REQUEST],
543
+ handler: lambda { |message, _error, _params|
544
+ dependency_url = T.must(URI.decode_www_form_component(message).split("https://").last).split("/").first
545
+
546
+ Dependabot::PrivateSourceAuthenticationFailure.new(dependency_url)
547
+ },
548
+ in_usage: false,
549
+ matchfn: nil
550
+ },
551
+ {
552
+ patterns: [MANIFEST_NOT_FOUND],
553
+ handler: lambda { |message, _error, _params|
554
+ msg = message.match(MANIFEST_NOT_FOUND)
555
+ Dependabot::DependencyFileNotResolvable.new(msg)
556
+ },
557
+ in_usage: false,
558
+ matchfn: nil
559
+ },
560
+ {
561
+ patterns: [INTERNAL_SERVER_ERROR],
562
+ handler: lambda { |message, _error, _params|
563
+ msg = message.match(INTERNAL_SERVER_ERROR)
564
+ Dependabot::DependencyFileNotResolvable.new(msg)
565
+ },
566
+ in_usage: false,
567
+ matchfn: nil
568
+ }
482
569
  ].freeze, T::Array[{
483
570
  patterns: T::Array[T.any(String, Regexp)],
484
571
  handler: ErrorHandler,
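Review bot: `PERMISSION_DENIED = /(?<url>.*): Permission denied/` (new line 70) is broad enough to catch ssh's `git@github.com: Permission denied (publickey).` for a git dependency, and in that case the handler at new lines 542–547 has no `https://` to split on, so `split("https://").last.split("/").first` yields the text before the first `/` of the decoded message and `PrivateSourceAuthenticationFailure` is raised with an error fragment rather than a host; the same extraction line is repeated in the YN0041 handler (new line 256). `BAD_REQUEST` (`: bad_request`, new line 71) is likewise mapped to an authentication failure although a 400 says nothing about credentials, which deserves a comment stating why it belongs in this group. Matching the URL directly keeps userinfo out of the raised source and drops the `URI.decode_www_form_component` call, which raises ArgumentError on a stray `%`: `host = message[%r{https?://(?:[^@\s/]+@)?([^\s/]+)}, 1]` then `Dependabot::PrivateSourceAuthenticationFailure.new(host || message)`. The `MANIFEST_NOT_FOUND`, `YARN_PACKAGE_NOT_FOUND_CODE` and `INTERNAL_SERVER_ERROR` handlers pass a `MatchData` as the exception message, which only works because `Exception#to_s` stringifies it to the matched text; `message.match(...)[0]` or the named capture would make the intent explicit. The enclosing `T.let([` array literal starts outside this hunk.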
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.272.0
4
+ version: 0.273.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-08-22 00:00:00.000000000 Z
11
+ date: 2024-08-29 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.272.0
19
+ version: 0.273.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.272.0
26
+ version: 0.273.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -345,7 +345,7 @@ licenses:
345
345
  - MIT
346
346
  metadata:
347
347
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
348
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.272.0
348
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.273.0
349
349
  post_install_message:
350
350
  rdoc_options: []
351
351
  require_paths: