dependabot-npm_and_yarn 0.279.0 → 0.280.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: fc1831a7fd0ce199df4dd0a3cf181a9f98a77bc9afdbef011edcf39d6ebabc32
4
- data.tar.gz: 2c674ec57330ef559f09cd3f9dff509f326b9da9e48f4af535a19a1e9841e236
3
+ metadata.gz: 2dc7fad7c10b170c7ca02d8804da5cd8871731f7e86910b4ef1c05d887c9d123
4
+ data.tar.gz: 8eda392b48cbd506847c2d2044297a65411849062e707280c0372e231d5d1c82
5
5
  SHA512:
6
- metadata.gz: e3658b8c3d8168dcd7728e95b6642bc415c54905bc540fa54ce77c0d6081c90a4236b88dbf05fcf52ffbacc476120ea68a9b99953ca6fb71e8dbdd9176103f1a
7
- data.tar.gz: 1d7ce4d6a12e28747b5781c7a87c9396de229da85ff57b3a2af340d495aa396b67de27be1f09eec99452db931d756767cf745202bcf019443f88c6b83e7314f6
6
+ metadata.gz: 70a2f7c669ca3ff3c41e885146186c5f54af7940313570a0117b98024aa49c822a0deeb375d098cabac930d6f4fb209388ab85f665dd7ccdc95fe62916f87e27
7
+ data.tar.gz: da9fe3afc5f0c388fd2ba83d41b2e932c239ff7c652861f50abb6d3d53f545bc702aa5d756ed1fd9da96eb7e1c1b23491c381008de8b214c1fe84422f7d79f62
@@ -500,7 +500,7 @@ module Dependabot
500
500
  return false unless yarnrc_global_registry
501
501
 
502
502
  UpdateChecker::RegistryFinder::CENTRAL_REGISTRIES.any? do |r|
503
- r.include?(URI(yarnrc_global_registry).host)
503
+ r.include?(T.must(URI(yarnrc_global_registry).host))
504
504
  end
505
505
  end
506
506
 
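Review bot: `r.include?(T.must(URI(yarnrc_global_registry).host))` is a substring test, so any host that happens to be a substring of a central-registry entry (for example `npmjs.org`, or even a bare `org`) is classified as central, and the value being tested comes from the repository's yarnrc rather than from configuration you control. If `CENTRAL_REGISTRIES` holds full registry URLs, an exact host comparison is both stricter and easier to read: `host = T.must(URI(yarnrc_global_registry).host)` followed by `CENTRAL_REGISTRIES.any? { |r| URI(r).host == host }`. Note also that `URI(...)` raises `URI::InvalidURIError` on a malformed value and `T.must` raises a Sorbet `TypeError` for a scheme-less value with no host, neither of which is a Dependabot error type; whether a caller rescues those cannot be seen here. The enclosing method starts outside the hunk.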
@@ -1,4 +1,4 @@
1
- # typed: true
1
+ # typed: strict
2
2
  # frozen_string_literal: true
3
3
 
4
4
  require "dependabot/file_updaters"
@@ -20,11 +20,15 @@ module Dependabot
20
20
  require_relative "file_updater/pnpm_lockfile_updater"
21
21
 
22
22
  class NoChangeError < StandardError
23
+ extend T::Sig
24
+
25
+ sig { params(message: String, error_context: T::Hash[Symbol, T.untyped]).void }
23
26
  def initialize(message:, error_context:)
24
27
  super(message)
25
28
  @error_context = error_context
26
29
  end
27
30
 
31
+ sig { returns(T::Hash[Symbol, T.untyped]) }
28
32
  def sentry_context
29
33
  { extra: @error_context }
30
34
  end
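Review bot: `sentry_context` hands the whole `error_context` hash to the error reporter as `extra`, but neither the new sig nor a comment says what callers may put there, and the value type is `T.untyped`. Since this presumably ends up in Sentry, I would document the constraint on the class: `# error_context is attached to the Sentry event as \`extra\`; never include credentials, registry tokens or full lockfile contents.` A narrower value type than `T.untyped` (for example `T.any(String, Integer, T::Boolean)`) would turn accidental inclusion of rich objects into a type error rather than a leak. The class's closing `end` lies outside the hunk.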
@@ -70,8 +74,9 @@ module Dependabot
70
74
 
71
75
  private
72
76
 
77
+ sig { params(updated_files: T::Array[Dependabot::DependencyFile]).returns(T::Array[Dependabot::DependencyFile]) }
73
78
  def vendor_updated_files(updated_files)
74
- base_dir = updated_files.first.directory
79
+ base_dir = T.must(updated_files.first).directory
75
80
  pnp_updater.updated_files(base_directory: base_dir, only_paths: [".pnp.cjs", ".pnp.data.json"]).each do |file|
76
81
  updated_files << file
77
82
  end
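Review bot: `T.must(updated_files.first).directory` turns an empty `updated_files` into a Sorbet `TypeError` on this line, where the old code raised `NoMethodError`; neither is a useful failure, and an empty array is plausibly a no-op. A guard `return updated_files if updated_files.empty?` before the `base_dir` assignment keeps the sig honest without the `T.must`. The method also appends to its `updated_files` argument in place and returns it, which deserves `# mutates and returns updated_files` since a caller passing a memoized array gets it changed underneath it. `vendor_updated_files` continues past the end of the hunk.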
@@ -86,16 +91,20 @@ module Dependabot
86
91
  end
87
92
 
88
93
  # Dynamically fetch the vendor cache folder from yarn
94
+ sig { returns(String) }
89
95
  def vendor_cache_dir
90
- return @vendor_cache_dir if defined?(@vendor_cache_dir)
91
-
92
- @vendor_cache_dir = Helpers.fetch_yarnrc_yml_value("cacheFolder", "./.yarn/cache")
96
+ @vendor_cache_dir ||= T.let(
97
+ Helpers.fetch_yarnrc_yml_value("cacheFolder", "./.yarn/cache"),
98
+ T.nilable(String)
99
+ )
93
100
  end
94
101
 
102
+ sig { returns(String) }
95
103
  def install_state_path
96
- return @install_state_path if defined?(@install_state_path)
97
-
98
- @install_state_path = Helpers.fetch_yarnrc_yml_value("installStatePath", "./.yarn/install-state.gz")
104
+ @install_state_path ||= T.let(
105
+ Helpers.fetch_yarnrc_yml_value("installStatePath", "./.yarn/install-state.gz"),
106
+ T.nilable(String)
107
+ )
99
108
  end
100
109
 
101
110
  sig { returns(Dependabot::FileUpdaters::VendorUpdater) }
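Review bot: `vendor_cache_dir` and `install_state_path` now carry `sig { returns(String) }` but memoize into a `T.nilable(String)` with `||=`, so if `Helpers.fetch_yarnrc_yml_value` ever returns `nil` (its contract is not visible here) the sig raises `TypeError` at runtime and, because `||=` never stores a miss, `.yarnrc.yml` is re-read on every call instead of being cached as the removed `defined?` form did. If the helper is guaranteed to return the default on a miss, a one-line comment would justify the non-nil sig, e.g. `# fetch_yarnrc_yml_value falls back to the default, so this is never nil`; otherwise the return type should stay nilable. Either way this is a silent behaviour change relative to the `defined?` memoization and is worth a sentence in the commit description. Both methods are complete within the hunk.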
@@ -153,28 +162,40 @@ module Dependabot
153
162
  }
154
163
  end
155
164
 
165
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
156
166
  def package_locks
157
- @package_locks ||=
167
+ @package_locks ||= T.let(
158
168
  filtered_dependency_files
159
- .select { |f| f.name.end_with?("package-lock.json") }
169
+ .select { |f| f.name.end_with?("package-lock.json") },
170
+ T.nilable(T::Array[Dependabot::DependencyFile])
171
+ )
160
172
  end
161
173
 
174
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
162
175
  def yarn_locks
163
- @yarn_locks ||=
176
+ @yarn_locks ||= T.let(
164
177
  filtered_dependency_files
165
- .select { |f| f.name.end_with?("yarn.lock") }
178
+ .select { |f| f.name.end_with?("yarn.lock") },
179
+ T.nilable(T::Array[Dependabot::DependencyFile])
180
+ )
166
181
  end
167
182
 
183
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
168
184
  def pnpm_locks
169
- @pnpm_locks ||=
185
+ @pnpm_locks ||= T.let(
170
186
  filtered_dependency_files
171
- .select { |f| f.name.end_with?("pnpm-lock.yaml") }
187
+ .select { |f| f.name.end_with?("pnpm-lock.yaml") },
188
+ T.nilable(T::Array[Dependabot::DependencyFile])
189
+ )
172
190
  end
173
191
 
192
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
174
193
  def shrinkwraps
175
- @shrinkwraps ||=
194
+ @shrinkwraps ||= T.let(
176
195
  filtered_dependency_files
177
- .select { |f| f.name.end_with?("npm-shrinkwrap.json") }
196
+ .select { |f| f.name.end_with?("npm-shrinkwrap.json") },
197
+ T.nilable(T::Array[Dependabot::DependencyFile])
198
+ )
178
199
  end
179
200
 
180
201
  sig { returns(T::Array[Dependabot::DependencyFile]) }
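Review bot: The four lockfile selectors (`package_locks`, `yarn_locks`, `pnpm_locks`, `shrinkwraps`) now each repeat the same `T.let`/`select`/`end_with?` shape, differing only in the suffix; this is a style point, the logic is unchanged. A single private helper taking the suffix keeps the sigs and memoization while making each body one expression. Note that `end_with?` on `f.name` also matches names such as `my-package-lock.json`; whether `filtered_dependency_files` can contain such files is not visible here, so I only flag it. These four methods are complete within the hunk.
```ruby
sig { params(suffix: String).returns(T::Array[Dependabot::DependencyFile]) }
def lockfiles_ending_with(suffix)
  filtered_dependency_files.select { |f| f.name.end_with?(suffix) }
end

sig { returns(T::Array[Dependabot::DependencyFile]) }
def package_locks
  @package_locks ||= T.let(
    lockfiles_ending_with("package-lock.json"),
    T.nilable(T::Array[Dependabot::DependencyFile])
  )
end
# … unchanged in shape: yarn_locks, pnpm_locks, shrinkwraps pass "yarn.lock", "pnpm-lock.yaml", "npm-shrinkwrap.json" …
```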
@@ -186,18 +207,22 @@ module Dependabot
186
207
  )
187
208
  end
188
209
 
210
+ sig { params(yarn_lock: Dependabot::DependencyFile).returns(T::Boolean) }
189
211
  def yarn_lock_changed?(yarn_lock)
190
212
  yarn_lock.content != updated_yarn_lock_content(yarn_lock)
191
213
  end
192
214
 
215
+ sig { params(pnpm_lock: Dependabot::DependencyFile).returns(T::Boolean) }
193
216
  def pnpm_lock_changed?(pnpm_lock)
194
217
  pnpm_lock.content != updated_pnpm_lock_content(pnpm_lock)
195
218
  end
196
219
 
220
+ sig { params(package_lock: Dependabot::DependencyFile).returns(T::Boolean) }
197
221
  def package_lock_changed?(package_lock)
198
222
  package_lock.content != updated_lockfile_content(package_lock)
199
223
  end
200
224
 
225
+ sig { params(shrinkwrap: Dependabot::DependencyFile).returns(T::Boolean) }
201
226
  def shrinkwrap_changed?(shrinkwrap)
202
227
  shrinkwrap.content != updated_lockfile_content(shrinkwrap)
203
228
  end
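Review bot: `package_lock_changed?` and `shrinkwrap_changed?` answer `true` when `updated_lockfile_content` returns `nil`, because that method's sig later in this file is `T.nilable(String)` and `content != nil` holds for any real lockfile; the callers then wrap the same call in `T.must`, so a nil from the npm updater surfaces as a Sorbet `TypeError` instead of a "no change" result. If nil means "could not produce an update", a guard before the comparison stops the predicate from reporting a change for an absent result: `updated = updated_lockfile_content(package_lock); return false if updated.nil?` and then `package_lock.content != updated`. The yarn and pnpm variants are consistent because their producers are typed `String`. All four predicates are complete within the hunk.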
@@ -208,10 +233,11 @@ module Dependabot
208
233
  updated_content = updated_package_json_content(file)
209
234
  next if updated_content == file.content
210
235
 
211
- updated_file(file: file, content: updated_content)
236
+ updated_file(file: file, content: T.must(updated_content))
212
237
  end
213
238
  end
214
239
 
240
+ sig { returns(T::Array[Dependabot::DependencyFile]) }
215
241
  def updated_lockfiles
216
242
  updated_files = []
217
243
 
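Review bot: `next if updated_content == file.content` followed by `updated_file(file: file, content: T.must(updated_content))` still fails when `updated_package_json_content` returns `nil` for a file whose `content` is non-nil, since that method's sig is `T.nilable(String)`; the `T.must` only moves the failure from `NoMethodError` to a Sorbet `TypeError`. Skipping the file is the safer reading of a nil result: `next if updated_content.nil? || updated_content == file.content`. The enclosing method begins before this hunk, so I cannot see whether the file list is already filtered, and `updated_lockfiles` continues past it.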
@@ -238,7 +264,7 @@ module Dependabot
238
264
 
239
265
  updated_files << updated_file(
240
266
  file: package_lock,
241
- content: updated_lockfile_content(package_lock)
267
+ content: T.must(updated_lockfile_content(package_lock))
242
268
  )
243
269
  end
244
270
 
@@ -247,47 +273,56 @@ module Dependabot
247
273
 
248
274
  updated_files << updated_file(
249
275
  file: shrinkwrap,
250
- content: updated_lockfile_content(shrinkwrap)
276
+ content: T.must(updated_lockfile_content(shrinkwrap))
251
277
  )
252
278
  end
253
279
 
254
280
  updated_files
255
281
  end
256
282
 
283
+ sig { params(yarn_lock: Dependabot::DependencyFile).returns(String) }
257
284
  def updated_yarn_lock_content(yarn_lock)
258
- @updated_yarn_lock_content ||= {}
285
+ @updated_yarn_lock_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
259
286
  @updated_yarn_lock_content[yarn_lock.name] ||=
260
287
  yarn_lockfile_updater.updated_yarn_lock_content(yarn_lock)
261
288
  end
262
289
 
290
+ sig { params(pnpm_lock: Dependabot::DependencyFile).returns(String) }
263
291
  def updated_pnpm_lock_content(pnpm_lock)
264
- @updated_pnpm_lock_content ||= {}
292
+ @updated_pnpm_lock_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
265
293
  @updated_pnpm_lock_content[pnpm_lock.name] ||=
266
294
  pnpm_lockfile_updater.updated_pnpm_lock_content(pnpm_lock)
267
295
  end
268
296
 
297
+ sig { returns(Dependabot::NpmAndYarn::FileUpdater::YarnLockfileUpdater) }
269
298
  def yarn_lockfile_updater
270
- @yarn_lockfile_updater ||=
299
+ @yarn_lockfile_updater ||= T.let(
271
300
  YarnLockfileUpdater.new(
272
301
  dependencies: dependencies,
273
302
  dependency_files: dependency_files,
274
303
  repo_contents_path: repo_contents_path,
275
304
  credentials: credentials
276
- )
305
+ ),
306
+ T.nilable(Dependabot::NpmAndYarn::FileUpdater::YarnLockfileUpdater)
307
+ )
277
308
  end
278
309
 
310
+ sig { returns(Dependabot::NpmAndYarn::FileUpdater::PnpmLockfileUpdater) }
279
311
  def pnpm_lockfile_updater
280
- @pnpm_lockfile_updater ||=
312
+ @pnpm_lockfile_updater ||= T.let(
281
313
  PnpmLockfileUpdater.new(
282
314
  dependencies: dependencies,
283
315
  dependency_files: dependency_files,
284
316
  repo_contents_path: repo_contents_path,
285
317
  credentials: credentials
286
- )
318
+ ),
319
+ T.nilable(Dependabot::NpmAndYarn::FileUpdater::PnpmLockfileUpdater)
320
+ )
287
321
  end
288
322
 
323
+ sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
289
324
  def updated_lockfile_content(file)
290
- @updated_lockfile_content ||= {}
325
+ @updated_lockfile_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
291
326
  @updated_lockfile_content[file.name] ||=
292
327
  NpmLockfileUpdater.new(
293
328
  lockfile: file,
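Review bot: `updated_yarn_lock_content` and `updated_pnpm_lock_content` are declared `returns(String)` while their memo hashes are typed `T::Hash[String, T.nilable(String)]` and filled with `||=`; if either lockfile updater yields `nil`, the sig raises `TypeError` and, because `||=` does not store `nil` as a hit, the external yarn/pnpm run is repeated on every later call for that lockfile. Either type the hash values as `String` so the mismatch is caught statically, or type the return as `T.nilable(String)` like `updated_lockfile_content` below it. The memo key is `yarn_lock.name` alone; if two dependency files can share a name across directories the cache would conflate them, which I cannot confirm from here. `updated_lockfile_content` continues past the end of the hunk.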
@@ -297,8 +332,9 @@ module Dependabot
297
332
  ).updated_lockfile.content
298
333
  end
299
334
 
335
+ sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
300
336
  def updated_package_json_content(file)
301
- @updated_package_json_content ||= {}
337
+ @updated_package_json_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
302
338
  @updated_package_json_content[file.name] ||=
303
339
  PackageJsonUpdater.new(
304
340
  package_json: file,
@@ -14,22 +14,83 @@ module Dependabot
14
14
  YARN_PATH_NOT_FOUND =
15
15
  /^.*(?<error>The "yarn-path" option has been set \(in [^)]+\), but the specified location doesn't exist)/
16
16
 
17
+ # NPM Version Constants
18
+ NPM_V8 = 8
19
+ NPM_V6 = 6
20
+ NPM_DEFAULT_VERSION = NPM_V8
21
+
22
+ # PNPM Version Constants
23
+ PNPM_V9 = 9
24
+ PNPM_V8 = 8
25
+ PNPM_V7 = 7
26
+ PNPM_V6 = 6
27
+ PNPM_DEFAULT_VERSION = PNPM_V9
28
+ PNPM_FALLBACK_VERSION = PNPM_V6
29
+
30
+ # YARN Version Constants
31
+ YARN_V3 = 3
32
+ YARN_V2 = 2
33
+ YARN_V1 = 1
34
+ YARN_DEFAULT_VERSION = YARN_V3
35
+ YARN_FALLBACK_VERSION = YARN_V1
36
+
37
+ # Determines the npm version depends to the feature flag
38
+ # If the feature flag is enabled, we are going to use the minimum version npm 8
39
+ # Otherwise, we are going to use old versionining npm 6
17
40
  sig { params(lockfile: DependencyFile).returns(Integer) }
18
41
  def self.npm_version_numeric(lockfile)
42
+ fallback_version_npm8 = Dependabot::Experiments.enabled?(:npm_fallback_version_above_v6)
43
+
44
+ return npm_version_numeric_npm8_or_higher(lockfile) if fallback_version_npm8
45
+
46
+ npm_version_numeric_npm6_or_higher(lockfile)
47
+ end
48
+
49
+ sig { params(lockfile: DependencyFile).returns(Integer) }
50
+ def self.npm_version_numeric_npm6_or_higher(lockfile)
19
51
  lockfile_content = T.must(lockfile.content)
20
- return 8 if JSON.parse(lockfile_content)["lockfileVersion"].to_i >= 2
52
+ return NPM_V8 if JSON.parse(lockfile_content)["lockfileVersion"].to_i >= 2
21
53
 
22
- 6
54
+ NPM_V6
23
55
  rescue JSON::ParserError
24
- 6
56
+ NPM_V6
57
+ end
58
+
59
+ # Determines the npm version based on the lockfile version
60
+ # - NPM 7 uses lockfileVersion 2
61
+ # - NPM 8 uses lockfileVersion 2
62
+ # - NPM 9 uses lockfileVersion 3
63
+ sig { params(lockfile: DependencyFile).returns(Integer) }
64
+ def self.npm_version_numeric_npm8_or_higher(lockfile)
65
+ lockfile_content = lockfile.content
66
+
67
+ # Return default NPM version if there's no lockfile or it's empty
68
+ return NPM_DEFAULT_VERSION if lockfile_content.nil? || lockfile_content.strip.empty?
69
+
70
+ parsed_lockfile = JSON.parse(lockfile_content)
71
+
72
+ lockfile_version_str = parsed_lockfile["lockfileVersion"]
73
+
74
+ # Default to npm default version if lockfileVersion is missing or empty
75
+ return NPM_DEFAULT_VERSION if lockfile_version_str.nil? || lockfile_version_str.to_s.strip.empty?
76
+
77
+ lockfile_version = lockfile_version_str.to_i
78
+
79
+ # Using npm 8 as the default for lockfile_version > 2.
80
+ # Update needed to support npm 9+ based on lockfile version.
81
+ return NPM_V8 if lockfile_version >= 2
82
+
83
+ NPM_DEFAULT_VERSION
84
+ rescue JSON::ParserError
85
+ NPM_DEFAULT_VERSION # Fallback to default npm version if parsing fails
25
86
  end
26
87
 
27
88
  sig { params(yarn_lock: DependencyFile).returns(Integer) }
28
89
  def self.yarn_version_numeric(yarn_lock)
29
90
  if yarn_berry?(yarn_lock)
30
- 3
91
+ YARN_DEFAULT_VERSION
31
92
  else
32
- 1
93
+ YARN_FALLBACK_VERSION
33
94
  end
34
95
  end
35
96
 
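Review bot: `npm_version_numeric_npm8_or_higher` indexes `parsed_lockfile["lockfileVersion"]` without checking that `JSON.parse` returned a Hash; a package-lock.json whose top level is an array or a number (repository content, so not trustworthy) raises `TypeError` from `Array#[]`/`Integer#[]`, and a non-scalar `lockfileVersion` raises `NoMethodError` on `.to_i`, while only `JSON::ParserError` is rescued. Add `return NPM_DEFAULT_VERSION unless parsed_lockfile.is_a?(Hash)` right after the parse; the same unchecked shape exists in `npm_version_numeric_npm6_or_higher`. The comment block says npm 9 uses lockfileVersion 3 while the code maps every version >= 2 to `NPM_V8`; the inline note acknowledges this, but `# lockfileVersion 3 is deliberately still run with npm 8` beside the `return` would make the intent unmistakable. Both methods are complete within the hunk.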
@@ -38,15 +99,12 @@ module Dependabot
38
99
 
39
100
  sig { params(pnpm_lock: DependencyFile).returns(Integer) }
40
101
  def self.pnpm_version_numeric(pnpm_lock)
41
- if pnpm_lockfile_version(pnpm_lock).to_f >= 9.0
42
- 9
43
- elsif pnpm_lockfile_version(pnpm_lock).to_f >= 6.0
44
- 8
45
- elsif pnpm_lockfile_version(pnpm_lock).to_f >= 5.4
46
- 7
47
- else
48
- 6
49
- end
102
+ pnpm_lockfile_version = pnpm_lockfile_version(pnpm_lock).to_f
103
+ return PNPM_V9 if pnpm_lockfile_version >= 9.0
104
+ return PNPM_V8 if pnpm_lockfile_version >= 6.0
105
+ return PNPM_V7 if pnpm_lockfile_version >= 5.4
106
+
107
+ PNPM_FALLBACK_VERSION
50
108
  end
51
109
 
52
110
  def self.fetch_yarnrc_yml_value(key, default_value)
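Review bot: The new local `pnpm_lockfile_version` in `pnpm_version_numeric` has the same name as the method `pnpm_lockfile_version(pnpm_lock)` it is initialised from, so on the following lines the bare identifier is the Float local rather than a call, which reads ambiguously and shadows the method for anyone extending the body. A distinct name avoids it: `lockfile_version = pnpm_lockfile_version(pnpm_lock).to_f` with the three `return` lines and the final expression updated to match. Behaviour is otherwise identical to the removed if/elsif chain. The method is complete within the hunk.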
@@ -61,7 +119,7 @@ module Dependabot
61
119
  def self.npm8?(package_lock)
62
120
  return true unless package_lock
63
121
 
64
- npm_version_numeric(package_lock) == 8
122
+ npm_version_numeric(package_lock) == NPM_V8
65
123
  end
66
124
 
67
125
  sig { params(yarn_lock: T.nilable(DependencyFile)).returns(T::Boolean) }
@@ -140,12 +198,12 @@ module Dependabot
140
198
 
141
199
  sig { returns(T::Boolean) }
142
200
  def self.yarn_berry_skip_build?
143
- yarn_major_version >= 3 && (yarn_zero_install? || yarn_offline_cache?)
201
+ yarn_major_version >= YARN_V3 && (yarn_zero_install? || yarn_offline_cache?)
144
202
  end
145
203
 
146
204
  sig { returns(T::Boolean) }
147
205
  def self.yarn_berry_disable_scripts?
148
- yarn_major_version == 2 || !yarn_zero_install?
206
+ yarn_major_version == YARN_V2 || !yarn_zero_install?
149
207
  end
150
208
 
151
209
  sig { returns(T::Boolean) }
@@ -96,7 +96,11 @@ module Dependabot
96
96
  lockfile = @lockfiles[name.to_sym]
97
97
  return unless lockfile
98
98
 
99
- Helpers.send(:"#{name}_version_numeric", lockfile)
99
+ version = Helpers.send(:"#{name}_version_numeric", lockfile)
100
+
101
+ Dependabot.logger.info("Guessed version info \"#{name}\" : \"#{version}\"")
102
+
103
+ version
100
104
  end
101
105
 
102
106
  sig { params(name: T.untyped).returns(T.nilable(String)) }
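Review bot: `Helpers.send(:"#{name}_version_numeric", lockfile)` dispatches on an interpolated `name` whose sig in the following method is `T.untyped`, and `send` also reaches private methods; if `name` is limited to the keys of `@lockfiles` this is safe, but that cannot be confirmed from the hunk. `public_send` behind an explicit allow-list, `raise ArgumentError, name unless %i[npm yarn pnpm].include?(name.to_sym)`, documents the contract and stops a future caller from turning this into an arbitrary method call. The added log line records only the guessed major version, which is fine to log. The enclosing method starts before the hunk.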
@@ -114,7 +114,7 @@ module Dependabot
114
114
  return false unless yarnrc_global_registry
115
115
 
116
116
  UpdateChecker::RegistryFinder::CENTRAL_REGISTRIES.none? do |r|
117
- r.include?(URI(yarnrc_global_registry).host)
117
+ r.include?(T.must(URI(yarnrc_global_registry).host))
118
118
  end
119
119
  end
120
120
 
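Review bot: With `none?` the substring match in `r.include?(T.must(URI(yarnrc_global_registry).host))` cuts the other way: a registry whose host is merely a substring of a central-registry string is reported as not private, so whatever credential handling this predicate gates would be skipped for it. An exact host comparison removes the ambiguity: `host = T.must(URI(yarnrc_global_registry).host)` then `CENTRAL_REGISTRIES.none? { |r| URI(r).host == host }`, assuming the constant holds full URLs. If the yarnrc value is ever written without a scheme, `URI(...).host` is nil and `T.must` raises a Sorbet `TypeError` here rather than a Dependabot error the caller can act on. The enclosing method starts outside the hunk.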
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.279.0
4
+ version: 0.280.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-10-03 00:00:00.000000000 Z
11
+ date: 2024-10-10 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.279.0
19
+ version: 0.280.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.279.0
26
+ version: 0.280.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -156,14 +156,14 @@ dependencies:
156
156
  requirements:
157
157
  - - "~>"
158
158
  - !ruby/object:Gem::Version
159
- version: 0.8.1
159
+ version: 0.8.5
160
160
  type: :development
161
161
  prerelease: false
162
162
  version_requirements: !ruby/object:Gem::Requirement
163
163
  requirements:
164
164
  - - "~>"
165
165
  - !ruby/object:Gem::Version
166
- version: 0.8.1
166
+ version: 0.8.5
167
167
  - !ruby/object:Gem::Dependency
168
168
  name: simplecov
169
169
  requirement: !ruby/object:Gem::Requirement
@@ -346,8 +346,8 @@ licenses:
346
346
  - MIT
347
347
  metadata:
348
348
  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
349
- changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.279.0
350
- post_install_message:
349
+ changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.280.0
350
+ post_install_message:
351
351
  rdoc_options: []
352
352
  require_paths:
353
353
  - lib
@@ -363,7 +363,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
363
363
  version: 3.1.0
364
364
  requirements: []
365
365
  rubygems_version: 3.5.9
366
- signing_key:
366
+ signing_key:
367
367
  specification_version: 4
368
368
  summary: Provides Dependabot support for Javascript (npm and yarn)
369
369
  test_files: []