dependabot-npm_and_yarn 0.272.0 → 0.273.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2b986a02c4b0f3aec877f1f3e5713415bf0f6dd7e2cbb347fb8c69c69934e369
-  data.tar.gz: 70a12ed63b81ce69ea93473df5792b26397a81015ab40fb9a57c77aa37ceea60
+  metadata.gz: f50ca11122e4cb20467429d842d14a2f94ba49961bae91467427a9f5e5e527bd
+  data.tar.gz: 1e5cb3d387f9028704cbafdac219711f4fde4630398bc8372d41a0c0980bacaa
 SHA512:
-  metadata.gz: 023a5ff98729ff3e7e53fb36e086cb957f3f1e545ca1345a69dc1ba4664580b2842af29b407fdbd39fa7c2fe3dc90f04928eb8954b27a3f4aef3ab6bfae0cb36
-  data.tar.gz: ce482960e083b8141181fd2a5c7c58159715f7360cf339b372fe230b8ade5148ad657568c25273d394e4549033f9db09cb82c9e16796e8147278bcc2b18d39fb
+  metadata.gz: 7f4db9619ad3e83704ff8761805ae2fb920c4573ce42a7c0cbf582fc10757bd7a8b1b5df85f781a253c5d4f9c47ff5323d40eb342f7a2f3e62aab269f66ebac6
+  data.tar.gz: 984b65763fa999cab20ca319dcd20406032bfda471612554a5ea1aa51cdc5d666bb31c444b487bf996e118f73b9cb8ba58b8d88615e04c1cfdf4f45f8bc4bad7

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -74,9 +74,11 @@ module Dependabot
         INVALID_PACKAGE = /Can't install (?<package_req>.*): Missing/
         SOCKET_HANG_UP = /(?:request to )?(?<url>.*): socket hang up/
         ESOCKETTIMEDOUT = /(?<url>.*): ESOCKETTIMEDOUT/
+        UNABLE_TO_ACCESS = /unable to access '(?<url>.*)': Empty reply from server/
         UNABLE_TO_AUTH_NPMRC = /Unable to authenticate, need: Basic, Bearer/
         UNABLE_TO_AUTH_REGISTRY = /Unable to authenticate, need: *.*(Basic|BASIC) *.*realm="(?<url>.*)"/
         MISSING_AUTH_TOKEN = /401 Unauthorized - GET (?<url>.*) - authentication token not provided/
+        AUTH_REQUIRED_ERROR = /(?<url>.*): authentication required/
         INVALID_AUTH_TOKEN =
           /401 Unauthorized - GET (?<url>.*) - unauthenticated: User cannot be authenticated with the token provided./
         NPM_PACKAGE_REGISTRY = "https://npm.pkg.github.com"
@@ -88,8 +90,13 @@ module Dependabot
         EMPTY_OBJECT_ERROR = /Object for dependency "(?<package>.*)" is empty/
         ERROR_E401 = /code E401/
         ERROR_E403 = /code E403/
+        REQUEST_ERROR_E403 = /Request "(?<pkg>.*)" returned a 403/
         ERROR_EAI_AGAIN = /request to (?<url>.*) failed, reason: getaddrinfo EAI_AGAIN/
-        PACKAGE_DISCOVERY_FAIL = /Couldn't find package "(?<pkg>.*)" *.* on the "(?<regis>.*)" registry./
+
+        NPM_PACKAGE_NOT_FOUND_CODES = T.let([
+          /Couldn't find package "(?<pkg>.*)" on the "(?<regis>.*)" registry./,
+          /Couldn't find package "(?<pkg>.*)" required by "(?<dep>.*)" on the "(?<regis>.*)" registry./
+        ].freeze, T::Array[Regexp])
 
         # TODO: look into fixing this in npm, seems like a bug in the git
         # downloader introduced in npm 7
@@ -416,8 +423,9 @@ module Dependabot
                   "Error while updating peer dependency."
           end
 
-          if error_message.match?(ERROR_E401) || error_message.match?(ERROR_E403)
-            raise Dependabot::PrivateSourceAuthenticationFailure, error_message
+          if error_message.match?(ERROR_E401) || error_message.match?(ERROR_E403) || error_message.match?(REQUEST_ERROR_E403) || error_message.match?(AUTH_REQUIRED_ERROR) # rubocop:disable Layout/LineLength
+            url = T.must(URI.decode_www_form_component(error_message).split("https://").last).split("/").first
+            raise Dependabot::PrivateSourceAuthenticationFailure, url
           end
 
           if error_message.match?(MISSING_PACKAGE)
@@ -531,7 +539,8 @@ module Dependabot
             raise Dependabot::DependencyFileNotResolvable, msg
           end
 
-          if (git_source = error_message.match(SOCKET_HANG_UP) || error_message.match(ESOCKETTIMEDOUT))
+          if (git_source = error_message.match(SOCKET_HANG_UP) || error_message.match(ESOCKETTIMEDOUT) ||
+            error_message.match(UNABLE_TO_ACCESS))
             msg = sanitize_uri(git_source.named_captures.fetch("url"))
             raise Dependabot::PrivateSourceTimedOut, msg
           end
@@ -576,7 +585,10 @@ module Dependabot
             raise Dependabot::DependencyFileNotResolvable, msg
           end
 
-          raise Dependabot::DependencyFileNotResolvable, error_message if error_message.match(PACKAGE_DISCOVERY_FAIL)
+          package_errors = Regexp.union(NPM_PACKAGE_NOT_FOUND_CODES)
+          if (msg = error_message.match(package_errors))
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
 
           raise error
         end

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -48,8 +48,10 @@ module Dependabot
         # ERR_PNPM_FETCH ERROR CODES
         ERR_PNPM_FETCH_401 = /ERR_PNPM_FETCH_401.*GET (?<dependency_url>.*):  - 401/
         ERR_PNPM_FETCH_403 = /ERR_PNPM_FETCH_403.*GET (?<dependency_url>.*):  - 403/
+        ERR_PNPM_FETCH_404 = /ERR_PNPM_FETCH_404.*GET (?<dependency_url>.*):  - 404/
         ERR_PNPM_FETCH_500 = /ERR_PNPM_FETCH_500.*GET (?<dependency_url>.*):  - 500/
         ERR_PNPM_FETCH_502 = /ERR_PNPM_FETCH_502.*GET (?<dependency_url>.*):  - 502/
+        ERR_PNPM_FETCH_503 = /ERR_PNPM_FETCH_503.*GET (?<dependency_url>.*):  - 503/
 
         # ERR_PNPM_UNSUPPORTED_ENGINE
         ERR_PNPM_UNSUPPORTED_ENGINE = /ERR_PNPM_UNSUPPORTED_ENGINE/
@@ -66,6 +68,16 @@ module Dependabot
         PLATFORM_VERSION_REQUIREMENT = /wanted {(?<supported_ver>.*)} \(current: (?<detected_ver>.*)\)/
         PLATFORM_PACAKGE_MANAGER = "pnpm"
 
+        INVALID_PACKAGE_SPEC = /Invalid package manager specification/
+
+        # Metadata inconsistent error codes
+        ERR_PNPM_META_FETCH_FAIL = /ERR_PNPM_META_FETCH_FAIL/
+        ERR_PNPM_BROKEN_METADATA_JSON = /ERR_PNPM_BROKEN_METADATA_JSON/
+
+        # Directory related error codes
+        ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND = /ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND*.*Could not install from \"(?<dir>.*)\" /
+        ERR_PNPM_WORKSPACE_PKG_NOT_FOUND = /ERR_PNPM_WORKSPACE_PKG_NOT_FOUND/
+
         def run_pnpm_update(pnpm_lock:)
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
             File.write(".npmrc", npmrc_content(pnpm_lock))
@@ -111,6 +123,8 @@ module Dependabot
 
         # rubocop:disable Metrics/AbcSize
         # rubocop:disable Metrics/PerceivedComplexity
+        # rubocop:disable Metrics/MethodLength
+        # rubocop:disable Metrics/CyclomaticComplexity
         def handle_pnpm_lock_updater_error(error, pnpm_lock)
           error_message = error.message
 
@@ -131,7 +145,8 @@ module Dependabot
           end
 
           [FORBIDDEN_PACKAGE, MISSING_PACKAGE, UNAUTHORIZED_PACKAGE, ERR_PNPM_FETCH_401,
-           ERR_PNPM_FETCH_403, ERR_PNPM_FETCH_500, ERR_PNPM_FETCH_502].each do |regexp|
+           ERR_PNPM_FETCH_403, ERR_PNPM_FETCH_404, ERR_PNPM_FETCH_500, ERR_PNPM_FETCH_502, ERR_PNPM_FETCH_503]
+            .each do |regexp|
             next unless error_message.match?(regexp)
 
             dependency_url = error_message.match(regexp).named_captures["dependency_url"]
@@ -147,6 +162,40 @@ module Dependabot
             raise Dependabot::DependencyFileNotResolvable, msg
           end
 
+          # TO-DO : investigate "packageManager" allowed regex
+          if error_message.match?(INVALID_PACKAGE_SPEC)
+            dependency_names = dependencies.map(&:name).join(", ")
+
+            msg = "Invalid package manager specification in package.json while resolving \"#{dependency_names}\"."
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
+          if error_message.match?(ERR_PNPM_META_FETCH_FAIL)
+
+            msg = error_message.split(ERR_PNPM_META_FETCH_FAIL).last
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
+          if error_message.match?(ERR_PNPM_WORKSPACE_PKG_NOT_FOUND)
+            dependency_names = dependencies.map(&:name).join(", ")
+
+            msg = "No package named \"#{dependency_names}\" present in workspace."
+            Dependabot.logger.warn(error_message)
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
+          if error_message.match?(ERR_PNPM_BROKEN_METADATA_JSON)
+            msg = "Error (ERR_PNPM_BROKEN_METADATA_JSON) while resolving \"pnpm-lock.yaml\" file."
+            Dependabot.logger.warn(error_message)
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
+          if error_message.match?(ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND)
+            dir = error_message.match(ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND).named_captures.fetch("dir")
+            msg = "Could not find linked package installation directory \"#{dir.split('/').last}\""
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
           raise_patch_dependency_error(error_message) if error_message.match?(ERR_PNPM_PATCH_NOT_APPLIED)
 
           raise_unsupported_engine_error(error_message, pnpm_lock) if error_message.match?(ERR_PNPM_UNSUPPORTED_ENGINE)
@@ -160,6 +209,8 @@ module Dependabot
         end
         # rubocop:enable Metrics/AbcSize
         # rubocop:enable Metrics/PerceivedComplexity
+        # rubocop:enable Metrics/MethodLength
+        # rubocop:enable Metrics/CyclomaticComplexity
 
         def raise_resolvability_error(error_message, pnpm_lock)
           dependency_names = dependencies.map(&:name).join(", ")

data/lib/dependabot/npm_and_yarn.rb

@@ -61,6 +61,16 @@ module Dependabot
 
     SOCKET_HANG_UP = /(?<url>.*?): socket hang up/
 
+    # Misc errors
+    EEXIST = /EEXIST: file already exists, mkdir '(?<regis>.*)'/
+
+    # registry access errors
+    REQUEST_ERROR_E403 = /Request "(?<url>.*)" returned a 403/ # Forbidden access to the URL.
+    AUTH_REQUIRED_ERROR = /(?<url>.*): authentication required/ # Authentication is required for the URL.
+    PERMISSION_DENIED = /(?<url>.*): Permission denied/ # Lack of permission to access the URL.
+    BAD_REQUEST = /(?<url>.*): bad_request/ # Inconsistent request while accessing resource.
+    INTERNAL_SERVER_ERROR = /Request failed "500 Internal Server Error"/ # Server error response by remote registry.
+
     # Used to identify git unreachable error
     UNREACHABLE_GIT_CHECK_REGEX = /ls-remote --tags --heads (?<url>.*)/
 
@@ -79,6 +89,8 @@ module Dependabot
     PACKAGE_NOT_FOUND_PACKAGE_NAME_CAPTURE = "package_req"
     PACKAGE_NOT_FOUND_PACKAGE_NAME_CAPTURE_SPLIT_REGEX = /(?<=\w)\@/
 
+    YARN_PACKAGE_NOT_FOUND_CODE = /npm package "(?<dep>.*)" does not exist under owner "(?<regis>.*)"/
+
     YN0035 = T.let({
       PACKAGE_NOT_FOUND: %r{(?<package_req>@[\w-]+\/[\w-]+@\S+): Package not found},
       FAILED_TO_RETRIEVE: %r{(?<package_req>@[\w-]+\/[\w-]+@\S+): The remote server failed to provide the requested resource} # rubocop:disable Layout/LineLength
@@ -97,6 +109,9 @@ module Dependabot
 
     DEPENDENCY_NO_VERSION_FOUND = "Couldn't find any versions"
 
+    # Manifest not found
+    MANIFEST_NOT_FOUND = /Cannot read properties of undefined \(reading '(?<file>.*)'\)/
+
     # Used to identify error if node_modules state file not resolved
     NODE_MODULES_STATE_FILE_NOT_FOUND = "Couldn't find the node_modules state file"
 
@@ -126,13 +141,17 @@ module Dependabot
     YARNRC_ENOENT = /Internal Error: ENOENT/
     YARNRC_ENOENT_REGEX = /Internal Error: ENOENT: no such file or directory, stat '(?<filename>.*?)'/
 
+    # if not package found with specified version
+    YARN_PACKAGE_NOT_FOUND = /MessageError: Couldn't find any versions for "(?<pkg>.*?)" that matches "(?<ver>.*?)"/
+
     YN0001_FILE_NOT_RESOLVED_CODES = T.let({
-      FIND_PACKAGE_LOCATION: /YN0001: UsageError: Couldn't find the (?<pkg>.*) state file/,
-      NO_CANDIDATE_FOUND: /YN0001: Error: (?<pkg>.*): No candidates found/,
-      NO_SUPPORTED_RESOLVER: /YN0001:*.*Error: (?<pkg>.*) isn't supported by any available resolver/,
-      WORKSPACE_NOT_FOUND: /YN0001: Error: (?<pkg>.*): Workspace not found/,
-      ENOENT: /YN0001:*.*Thrown Error: (?<pkg>.*) ENOENT/,
-      MANIFEST_NOT_FOUND: /YN0001: Error: (?<pkg>.*): Manifest not found/
+      FIND_PACKAGE_LOCATION: /YN0001:(.*?)UsageError: Couldn't find the (?<pkg>.*) state file/,
+      NO_CANDIDATE_FOUND: /YN0001:(.*?)Error: (?<pkg>.*): No candidates found/,
+      NO_SUPPORTED_RESOLVER: /YN0001:(.*?)Error: (?<pkg>.*) isn't supported by any available resolver/,
+      WORKSPACE_NOT_FOUND: /YN0001:(.*?)Error: (?<pkg>.*): Workspace not found/,
+      ENOENT: /YN0001:(.*?)Thrown Error: (?<pkg>.*) ENOENT/,
+      MANIFEST_NOT_FOUND: /YN0001:(.*?)Error: (?<pkg>.*): Manifest not found/,
+      LIBZIP_ERROR: /YN0001:(.*?)Libzip Error: Failed to open the cache entry for (?<pkg>.*): Not a zip archive/
     }.freeze, T::Hash[String, Regexp])
 
     YN0001_AUTH_ERROR_CODES = T.let({
@@ -200,6 +219,12 @@ module Dependabot
           Dependabot::DependencyFileNotResolvable.new(message)
         }
       },
+      "YN0009" => {
+        message: "Build Failed",
+        handler: lambda { |message, _error, _params|
+          Dependabot::DependencyFileNotResolvable.new(message)
+        }
+      },
       "YN0016" => {
         message: "Remote not found",
         handler: lambda { |message, _error, _params|
@@ -225,6 +250,13 @@ module Dependabot
           Dependabot::DependencyNotFound.new(message)
         }
       },
+      "YN0041" => {
+        message: "Invalid authentication",
+        handler: lambda { |message, _error, _params|
+          url = T.must(URI.decode_www_form_component(message).split("https://").last).split("/").first
+          Dependabot::PrivateSourceAuthenticationFailure.new(url)
+        }
+      },
       "YN0046" => {
         message: "Automerge failed to parse",
         handler: lambda { |message, _error, _params|
@@ -249,6 +281,12 @@ module Dependabot
           Dependabot::IncompatibleCPU.new(message)
         }
       },
+      "YN0068" => {
+        message: "No matching package",
+        handler: lambda { |message, _error, _params|
+          Dependabot::DependencyFileNotResolvable.new(message)
+        }
+      },
       "YN0071" => {
         message: "NM can't install external soft link",
         handler: lambda { |message, _error, _params|
@@ -477,8 +515,57 @@ module Dependabot
         },
         in_usage: false,
         matchfn: nil
-      }
+      },
+      {
+        patterns: [YARN_PACKAGE_NOT_FOUND],
+        handler: lambda { |message, _error, _params|
+          package_name = message.match(YARN_PACKAGE_NOT_FOUND).named_captures["pkg"]
+          version = message.match(YARN_PACKAGE_NOT_FOUND).named_captures["ver"]
+
+          Dependabot::InconsistentRegistryResponse.new("Couldn't find any versions for \"#{package_name}\" that " \
+                                                       "matches \"#{version}\"")
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [YARN_PACKAGE_NOT_FOUND_CODE],
+        handler: lambda { |message, _error, _params|
+          msg = message.match(YARN_PACKAGE_NOT_FOUND_CODE)
 
+          Dependabot::DependencyFileNotResolvable.new(msg)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [REQUEST_ERROR_E403, AUTH_REQUIRED_ERROR, PERMISSION_DENIED, BAD_REQUEST],
+        handler: lambda { |message, _error, _params|
+          dependency_url = T.must(URI.decode_www_form_component(message).split("https://").last).split("/").first
+
+          Dependabot::PrivateSourceAuthenticationFailure.new(dependency_url)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [MANIFEST_NOT_FOUND],
+        handler: lambda { |message, _error, _params|
+          msg = message.match(MANIFEST_NOT_FOUND)
+          Dependabot::DependencyFileNotResolvable.new(msg)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [INTERNAL_SERVER_ERROR],
+        handler: lambda { |message, _error, _params|
+          msg = message.match(INTERNAL_SERVER_ERROR)
+          Dependabot::DependencyFileNotResolvable.new(msg)
+        },
+        in_usage: false,
+        matchfn: nil
+      }
     ].freeze, T::Array[{
       patterns: T::Array[T.any(String, Regexp)],
       handler: ErrorHandler,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.272.0
+  version: 0.273.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-08-22 00:00:00.000000000 Z
+date: 2024-08-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.272.0
+        version: 0.273.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.272.0
+        version: 0.273.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -345,7 +345,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.272.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.273.0
 post_install_message: 
 rdoc_options: []
 require_paths: