dependabot-npm_and_yarn 0.289.0 → 0.290.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +14 -1
- data/lib/dependabot/npm_and_yarn/file_parser.rb +33 -1
- data/lib/dependabot/npm_and_yarn/helpers.rb +70 -18
- data/lib/dependabot/npm_and_yarn/package_manager.rb +21 -11
- data/lib/dependabot/npm_and_yarn/registry_helper.rb +188 -0
- metadata +9 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a8a094096ac6049e60970f2435585ab4cde21182030752133351f3b211f83d2b
|
|
4
|
+
data.tar.gz: 78e3e5f474091fa12526c005a4309a65d71420cbfd64d6a835cae7a1d387f031
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: a264a72f6140fae85f8f5d03519381060c44093838cf8828130d30b8489bfe334790106fcf874d2805d62edfe295d2cc7963118e768806da61d879df5ff9863d
|
|
7
|
+
data.tar.gz: 82d5056fa18f3f7592a0471e4ce29d9feebb68108f5793f7e07b7603d63f6bba1294912ad1b56ba8bbfbc3e676ad74adfbda3d5a8446533e63463f88988569d8
|
|
@@ -207,7 +207,9 @@ module Dependabot
|
|
|
207
207
|
@package_manager_helper ||= T.let(
|
|
208
208
|
PackageManagerHelper.new(
|
|
209
209
|
parsed_package_json,
|
|
210
|
-
lockfiles
|
|
210
|
+
lockfiles,
|
|
211
|
+
registry_config_files,
|
|
212
|
+
credentials
|
|
211
213
|
), T.nilable(PackageManagerHelper)
|
|
212
214
|
)
|
|
213
215
|
end
|
|
@@ -221,6 +223,17 @@ module Dependabot
|
|
|
221
223
|
}
|
|
222
224
|
end
|
|
223
225
|
|
|
226
|
+
# Returns the .npmrc, and .yarnrc files for the repository.
|
|
227
|
+
# @return [Hash{Symbol => Dependabot::DependencyFile}]
|
|
228
|
+
sig { returns(T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]) }
|
|
229
|
+
def registry_config_files
|
|
230
|
+
{
|
|
231
|
+
npmrc: npmrc,
|
|
232
|
+
yarnrc: yarnrc,
|
|
233
|
+
yarnrc_yml: yarnrc_yml
|
|
234
|
+
}
|
|
235
|
+
end
|
|
236
|
+
|
|
224
237
|
sig { returns(DependencyFile) }
|
|
225
238
|
def package_json
|
|
226
239
|
@package_json ||= T.let(fetch_file_from_host(MANIFEST_FILENAME), T.nilable(DependencyFile))
|
|
@@ -98,7 +98,9 @@ module Dependabot
|
|
|
98
98
|
@package_manager_helper ||= T.let(
|
|
99
99
|
PackageManagerHelper.new(
|
|
100
100
|
parsed_package_json,
|
|
101
|
-
lockfiles
|
|
101
|
+
lockfiles,
|
|
102
|
+
registry_config_files,
|
|
103
|
+
credentials
|
|
102
104
|
), T.nilable(PackageManagerHelper)
|
|
103
105
|
)
|
|
104
106
|
end
|
|
@@ -112,6 +114,15 @@ module Dependabot
|
|
|
112
114
|
}
|
|
113
115
|
end
|
|
114
116
|
|
|
117
|
+
sig { returns(T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]) }
|
|
118
|
+
def registry_config_files
|
|
119
|
+
{
|
|
120
|
+
npmrc: npmrc,
|
|
121
|
+
yarnrc: yarnrc,
|
|
122
|
+
yarnrc_yml: yarnrc_yml
|
|
123
|
+
}
|
|
124
|
+
end
|
|
125
|
+
|
|
115
126
|
sig { returns(T.untyped) }
|
|
116
127
|
def parsed_package_json
|
|
117
128
|
JSON.parse(T.must(package_json.content))
|
|
@@ -156,6 +167,27 @@ module Dependabot
|
|
|
156
167
|
end, T.nilable(Dependabot::DependencyFile))
|
|
157
168
|
end
|
|
158
169
|
|
|
170
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
171
|
+
def npmrc
|
|
172
|
+
@npmrc ||= T.let(dependency_files.find do |f|
|
|
173
|
+
f.name == NpmPackageManager::RC_FILENAME
|
|
174
|
+
end, T.nilable(Dependabot::DependencyFile))
|
|
175
|
+
end
|
|
176
|
+
|
|
177
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
178
|
+
def yarnrc
|
|
179
|
+
@yarnrc ||= T.let(dependency_files.find do |f|
|
|
180
|
+
f.name == YarnPackageManager::RC_FILENAME
|
|
181
|
+
end, T.nilable(Dependabot::DependencyFile))
|
|
182
|
+
end
|
|
183
|
+
|
|
184
|
+
sig { returns(T.nilable(DependencyFile)) }
|
|
185
|
+
def yarnrc_yml
|
|
186
|
+
@yarnrc_yml ||= T.let(dependency_files.find do |f|
|
|
187
|
+
f.name == YarnPackageManager::RC_YML_FILENAME
|
|
188
|
+
end, T.nilable(Dependabot::DependencyFile))
|
|
189
|
+
end
|
|
190
|
+
|
|
159
191
|
sig { returns(Dependabot::FileParsers::Base::DependencySet) }
|
|
160
192
|
def manifest_dependencies
|
|
161
193
|
dependency_set = DependencySet.new
|
|
@@ -9,7 +9,7 @@ require "sorbet-runtime"
|
|
|
9
9
|
|
|
10
10
|
module Dependabot
|
|
11
11
|
module NpmAndYarn
|
|
12
|
-
module Helpers
|
|
12
|
+
module Helpers # rubocop:disable Metrics/ModuleLength
|
|
13
13
|
extend T::Sig
|
|
14
14
|
|
|
15
15
|
YARN_PATH_NOT_FOUND =
|
|
@@ -332,7 +332,7 @@ module Dependabot
|
|
|
332
332
|
version.strip.delete_prefix("v") # Remove the "v" prefix if present
|
|
333
333
|
end
|
|
334
334
|
rescue StandardError => e
|
|
335
|
-
|
|
335
|
+
Dependabot.logger.error("Error retrieving Node.js version: #{e.message}")
|
|
336
336
|
nil
|
|
337
337
|
end
|
|
338
338
|
|
|
@@ -388,35 +388,89 @@ module Dependabot
|
|
|
388
388
|
end
|
|
389
389
|
|
|
390
390
|
# Install the package manager for specified version by using corepack
|
|
391
|
-
|
|
392
|
-
|
|
393
|
-
|
|
391
|
+
sig do
|
|
392
|
+
params(
|
|
393
|
+
name: String,
|
|
394
|
+
version: String,
|
|
395
|
+
env: T.nilable(T::Hash[String, String])
|
|
396
|
+
)
|
|
397
|
+
.returns(String)
|
|
398
|
+
end
|
|
399
|
+
def self.install(name, version, env: {})
|
|
394
400
|
Dependabot.logger.info("Installing \"#{name}@#{version}\"")
|
|
395
401
|
|
|
396
|
-
|
|
397
|
-
|
|
398
|
-
|
|
402
|
+
begin
|
|
403
|
+
# Try to install the specified version
|
|
404
|
+
output = package_manager_install(name, version, env: env)
|
|
405
|
+
|
|
406
|
+
# Confirm success based on the output
|
|
407
|
+
if output.match?(/Adding #{name}@.* to the cache/)
|
|
408
|
+
Dependabot.logger.info("#{name}@#{version} successfully installed.")
|
|
399
409
|
|
|
400
|
-
|
|
410
|
+
Dependabot.logger.info("Activating currently installed version of #{name}: #{version}")
|
|
411
|
+
package_manager_activate(name, version)
|
|
412
|
+
|
|
413
|
+
else
|
|
414
|
+
Dependabot.logger.error("Corepack installation output unexpected: #{output}")
|
|
415
|
+
fallback_to_local_version(name)
|
|
416
|
+
end
|
|
417
|
+
rescue StandardError => e
|
|
418
|
+
Dependabot.logger.error("Error installing #{name}@#{version}: #{e.message}")
|
|
419
|
+
fallback_to_local_version(name)
|
|
420
|
+
end
|
|
421
|
+
|
|
422
|
+
# Verify the installed version
|
|
423
|
+
installed_version = package_manager_version(name)
|
|
401
424
|
|
|
402
425
|
installed_version
|
|
403
426
|
end
|
|
404
427
|
|
|
428
|
+
# Attempt to activate the local version of the package manager
|
|
429
|
+
sig { params(name: String).void }
|
|
430
|
+
def self.fallback_to_local_version(name)
|
|
431
|
+
Dependabot.logger.info("Falling back to activate the currently installed version of #{name}.")
|
|
432
|
+
|
|
433
|
+
# Fetch the currently installed version directly from the environment
|
|
434
|
+
current_version = local_package_manager_version(name)
|
|
435
|
+
Dependabot.logger.info("Activating currently installed version of #{name}: #{current_version}")
|
|
436
|
+
|
|
437
|
+
# Prepare the existing version
|
|
438
|
+
package_manager_activate(name, current_version)
|
|
439
|
+
end
|
|
440
|
+
|
|
405
441
|
# Install the package manager for specified version by using corepack
|
|
406
|
-
sig
|
|
407
|
-
|
|
442
|
+
sig do
|
|
443
|
+
params(
|
|
444
|
+
name: String,
|
|
445
|
+
version: String,
|
|
446
|
+
env: T.nilable(T::Hash[String, String])
|
|
447
|
+
)
|
|
448
|
+
.returns(String)
|
|
449
|
+
end
|
|
450
|
+
def self.package_manager_install(name, version, env: {})
|
|
408
451
|
Dependabot::SharedHelpers.run_shell_command(
|
|
409
452
|
"corepack install #{name}@#{version} --global --cache-only",
|
|
410
|
-
fingerprint: "corepack install <name>@<version> --global --cache-only"
|
|
453
|
+
fingerprint: "corepack install <name>@<version> --global --cache-only",
|
|
454
|
+
env: env
|
|
411
455
|
).strip
|
|
412
456
|
end
|
|
413
457
|
|
|
414
458
|
# Prepare the package manager for use by using corepack
|
|
415
|
-
sig { params(name: String, version: String).
|
|
459
|
+
sig { params(name: String, version: String).returns(String) }
|
|
416
460
|
def self.package_manager_activate(name, version)
|
|
417
461
|
Dependabot::SharedHelpers.run_shell_command(
|
|
418
462
|
"corepack prepare #{name}@#{version} --activate",
|
|
419
|
-
fingerprint: "corepack prepare --activate"
|
|
463
|
+
fingerprint: "corepack prepare <name>@<version> --activate"
|
|
464
|
+
).strip
|
|
465
|
+
end
|
|
466
|
+
|
|
467
|
+
# Fetch the currently installed version of the package manager directly
|
|
468
|
+
# from the system without involving Corepack
|
|
469
|
+
sig { params(name: String).returns(String) }
|
|
470
|
+
def self.local_package_manager_version(name)
|
|
471
|
+
Dependabot::SharedHelpers.run_shell_command(
|
|
472
|
+
"#{name} -v",
|
|
473
|
+
fingerprint: "#{name} -v"
|
|
420
474
|
).strip
|
|
421
475
|
end
|
|
422
476
|
|
|
@@ -427,7 +481,8 @@ module Dependabot
|
|
|
427
481
|
|
|
428
482
|
version = package_manager_run_command(name, "-v").strip
|
|
429
483
|
|
|
430
|
-
Dependabot.logger.info("
|
|
484
|
+
Dependabot.logger.info("Installed version of #{name}: #{version}")
|
|
485
|
+
|
|
431
486
|
version
|
|
432
487
|
rescue StandardError => e
|
|
433
488
|
Dependabot.logger.error("Error fetching version for package manager #{name}: #{e.message}")
|
|
@@ -445,14 +500,11 @@ module Dependabot
|
|
|
445
500
|
def self.package_manager_run_command(name, command, fingerprint: nil)
|
|
446
501
|
full_command = "corepack #{name} #{command}"
|
|
447
502
|
|
|
448
|
-
Dependabot.logger.info("Running package manager command: #{full_command}")
|
|
449
|
-
|
|
450
503
|
result = Dependabot::SharedHelpers.run_shell_command(
|
|
451
504
|
full_command,
|
|
452
505
|
fingerprint: "corepack #{name} #{fingerprint || command}"
|
|
453
506
|
).strip
|
|
454
507
|
|
|
455
|
-
Dependabot.logger.info("Command executed successfully: #{full_command}")
|
|
456
508
|
result
|
|
457
509
|
rescue StandardError => e
|
|
458
510
|
Dependabot.logger.error("Error running package manager command: #{full_command}, Error: #{e.message}")
|
|
@@ -5,6 +5,7 @@ require "dependabot/shared_helpers"
|
|
|
5
5
|
require "dependabot/ecosystem"
|
|
6
6
|
require "dependabot/npm_and_yarn/requirement"
|
|
7
7
|
require "dependabot/npm_and_yarn/version_selector"
|
|
8
|
+
require "dependabot/npm_and_yarn/registry_helper"
|
|
8
9
|
|
|
9
10
|
module Dependabot
|
|
10
11
|
module NpmAndYarn
|
|
@@ -311,17 +312,24 @@ module Dependabot
|
|
|
311
312
|
sig do
|
|
312
313
|
params(
|
|
313
314
|
package_json: T.nilable(T::Hash[String, T.untyped]),
|
|
314
|
-
lockfiles: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]
|
|
315
|
+
lockfiles: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
|
|
316
|
+
registry_config_files: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
|
|
317
|
+
credentials: T.nilable(T::Array[Dependabot::Credential])
|
|
315
318
|
).void
|
|
316
319
|
end
|
|
317
|
-
def initialize(package_json, lockfiles
|
|
320
|
+
def initialize(package_json, lockfiles, registry_config_files, credentials)
|
|
318
321
|
@package_json = package_json
|
|
319
322
|
@lockfiles = lockfiles
|
|
323
|
+
@registry_helper = T.let(
|
|
324
|
+
RegistryHelper.new(registry_config_files, credentials),
|
|
325
|
+
Dependabot::NpmAndYarn::RegistryHelper
|
|
326
|
+
)
|
|
320
327
|
@package_manager_detector = T.let(PackageManagerDetector.new(lockfiles, package_json), PackageManagerDetector)
|
|
321
328
|
@manifest_package_manager = T.let(package_json&.fetch(MANIFEST_PACKAGE_MANAGER_KEY, nil), T.nilable(String))
|
|
322
329
|
@engines = T.let(package_json&.fetch(MANIFEST_ENGINES_KEY, nil), T.nilable(T::Hash[String, T.untyped]))
|
|
323
330
|
|
|
324
331
|
@installed_versions = T.let({}, T::Hash[String, String])
|
|
332
|
+
@registries = T.let({}, T::Hash[String, String])
|
|
325
333
|
|
|
326
334
|
@language = T.let(nil, T.nilable(Ecosystem::VersionManager))
|
|
327
335
|
@language_requirement = T.let(nil, T.nilable(Requirement))
|
|
@@ -379,8 +387,8 @@ module Dependabot
|
|
|
379
387
|
end
|
|
380
388
|
|
|
381
389
|
# rubocop:disable Metrics/CyclomaticComplexity
|
|
382
|
-
# rubocop:disable Metrics/PerceivedComplexity
|
|
383
390
|
# rubocop:disable Metrics/AbcSize
|
|
391
|
+
# rubocop:disable Metrics/PerceivedComplexity
|
|
384
392
|
sig { params(name: String).returns(T.nilable(T.any(Integer, String))) }
|
|
385
393
|
def setup(name)
|
|
386
394
|
# we prioritize version mentioned in "packageManager" instead of "engines"
|
|
@@ -438,6 +446,9 @@ module Dependabot
|
|
|
438
446
|
end
|
|
439
447
|
version
|
|
440
448
|
end
|
|
449
|
+
# rubocop:enable Metrics/CyclomaticComplexity
|
|
450
|
+
# rubocop:enable Metrics/AbcSize
|
|
451
|
+
# rubocop:enable Metrics/PerceivedComplexity
|
|
441
452
|
|
|
442
453
|
sig { params(name: T.nilable(String)).returns(Ecosystem::VersionManager) }
|
|
443
454
|
def package_manager_by_name(name)
|
|
@@ -456,21 +467,15 @@ module Dependabot
|
|
|
456
467
|
Dependabot.logger.info("No version requirement found for #{name}")
|
|
457
468
|
end
|
|
458
469
|
|
|
459
|
-
|
|
470
|
+
package_manager_class.new(
|
|
460
471
|
installed_version,
|
|
461
472
|
requirement: package_manager_requirement
|
|
462
473
|
)
|
|
463
|
-
|
|
464
|
-
Dependabot.logger.info("Package manager resolved for #{name}: #{package_manager_instance}")
|
|
465
|
-
package_manager_instance
|
|
466
474
|
rescue StandardError => e
|
|
467
475
|
Dependabot.logger.error("Error resolving package manager for #{name || 'default'}: #{e.message}")
|
|
468
476
|
raise
|
|
469
477
|
end
|
|
470
478
|
|
|
471
|
-
# rubocop:enable Metrics/CyclomaticComplexity
|
|
472
|
-
# rubocop:enable Metrics/PerceivedComplexity
|
|
473
|
-
# rubocop:enable Metrics/AbcSize
|
|
474
479
|
# Retrieve the installed version of the package manager by executing
|
|
475
480
|
# the "corepack <name> -v" command and using the output.
|
|
476
481
|
# If the output does not match the expected version format (PACKAGE_MANAGER_VERSION_REGEX),
|
|
@@ -510,7 +515,12 @@ module Dependabot
|
|
|
510
515
|
sig { params(name: String, version: T.nilable(String)).void }
|
|
511
516
|
def install(name, version)
|
|
512
517
|
if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
|
|
513
|
-
|
|
518
|
+
env = {}
|
|
519
|
+
if Dependabot::Experiments.enabled?(:enable_private_registry_for_corepack)
|
|
520
|
+
env = @registry_helper.find_corepack_env_variables
|
|
521
|
+
end
|
|
522
|
+
# Use the Helpers.install method to install the package manager
|
|
523
|
+
return Helpers.install(name, version.to_s, env: env)
|
|
514
524
|
end
|
|
515
525
|
|
|
516
526
|
Dependabot.logger.info("Installing \"#{name}@#{version}\"")
|
|
@@ -0,0 +1,188 @@
|
|
|
1
|
+
# typed: strict
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require "yaml"
|
|
5
|
+
require "dependabot/dependency_file"
|
|
6
|
+
require "sorbet-runtime"
|
|
7
|
+
|
|
8
|
+
module Dependabot
|
|
9
|
+
module NpmAndYarn
|
|
10
|
+
class RegistryHelper
|
|
11
|
+
extend T::Sig
|
|
12
|
+
|
|
13
|
+
# Keys for configurations
|
|
14
|
+
REGISTRY_KEY = "registry"
|
|
15
|
+
AUTH_KEY = "authToken"
|
|
16
|
+
|
|
17
|
+
# Yarn-specific keys
|
|
18
|
+
NPM_AUTH_TOKEN_KEY_FOR_YARN = "npmAuthToken"
|
|
19
|
+
NPM_SCOPE_KEY_FOR_YARN = "npmScopes"
|
|
20
|
+
NPM_REGISTER_KEY_FOR_YARN = "npmRegistryServer"
|
|
21
|
+
|
|
22
|
+
# Environment variable keys
|
|
23
|
+
COREPACK_NPM_REGISTRY_ENV = "COREPACK_NPM_REGISTRY"
|
|
24
|
+
COREPACK_NPM_TOKEN_ENV = "COREPACK_NPM_TOKEN"
|
|
25
|
+
|
|
26
|
+
sig do
|
|
27
|
+
params(
|
|
28
|
+
registry_config_files: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
|
|
29
|
+
credentials: T.nilable(T::Array[Dependabot::Credential])
|
|
30
|
+
).void
|
|
31
|
+
end
|
|
32
|
+
def initialize(registry_config_files, credentials)
|
|
33
|
+
@registry_config_files = T.let(registry_config_files, T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)])
|
|
34
|
+
@credentials = T.let(credentials, T.nilable(T::Array[Dependabot::Credential]))
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
sig { returns(T::Hash[String, String]) }
|
|
38
|
+
def find_corepack_env_variables
|
|
39
|
+
registry_info = find_registry_and_token
|
|
40
|
+
|
|
41
|
+
env_variables = {}
|
|
42
|
+
env_variables[COREPACK_NPM_REGISTRY_ENV] = registry_info[:registry] if registry_info[:registry]
|
|
43
|
+
env_variables[COREPACK_NPM_TOKEN_ENV] = registry_info[:auth_token] if registry_info[:auth_token]
|
|
44
|
+
|
|
45
|
+
env_variables
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
private
|
|
49
|
+
|
|
50
|
+
sig { returns(T::Hash[Symbol, T.nilable(String)]) }
|
|
51
|
+
def find_registry_and_token
|
|
52
|
+
# Step 1: Check dependabot.yml configuration
|
|
53
|
+
dependabot_config = config_npm_registry_and_token
|
|
54
|
+
return dependabot_config if dependabot_config[:registry]
|
|
55
|
+
|
|
56
|
+
# Step 2: Check .npmrc
|
|
57
|
+
npmrc_config = @registry_config_files[:npmrc]
|
|
58
|
+
npmrc_result = parse_registry_from_npmrc_yarnrc(npmrc_config, "=", "npm")
|
|
59
|
+
|
|
60
|
+
return npmrc_result if npmrc_result[:registry]
|
|
61
|
+
|
|
62
|
+
# Step 3: Check .yarnrc
|
|
63
|
+
yarnrc_config = @registry_config_files[:yarnrc]
|
|
64
|
+
yarnrc_result = parse_registry_from_npmrc_yarnrc(yarnrc_config, " ", "npm")
|
|
65
|
+
return yarnrc_result if yarnrc_result[:registry]
|
|
66
|
+
|
|
67
|
+
# Step 4: Check yarnrc.yml
|
|
68
|
+
yarnrc_yml_config = @registry_config_files[:yarnrc_yml]
|
|
69
|
+
yarnrc_yml_result = parse_npm_from_yarnrc_yml(yarnrc_yml_config)
|
|
70
|
+
return yarnrc_yml_result if yarnrc_yml_result[:registry]
|
|
71
|
+
|
|
72
|
+
# Default values if no registry is found
|
|
73
|
+
{}
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
sig { returns(T::Hash[Symbol, T.nilable(String)]) }
|
|
77
|
+
def config_npm_registry_and_token
|
|
78
|
+
registries = {}
|
|
79
|
+
|
|
80
|
+
return registries unless @credentials&.any?
|
|
81
|
+
|
|
82
|
+
@credentials.each do |cred|
|
|
83
|
+
next unless cred["type"] == "npm_registry" # Skip if not an npm registry
|
|
84
|
+
next unless cred["replaces-base"] # Skip if not a reverse-proxy registry
|
|
85
|
+
|
|
86
|
+
# Set the registry if it's not already set
|
|
87
|
+
registries[:registry] ||= cred["registry"]
|
|
88
|
+
|
|
89
|
+
# Set the token if it's not already set
|
|
90
|
+
registries[:auth_token] ||= cred["token"]
|
|
91
|
+
end
|
|
92
|
+
registries
|
|
93
|
+
end
|
|
94
|
+
|
|
95
|
+
# Find registry and token in .npmrc or .yarnrc file
|
|
96
|
+
sig do
|
|
97
|
+
params(
|
|
98
|
+
file: T.nilable(Dependabot::DependencyFile),
|
|
99
|
+
separator: String
|
|
100
|
+
).returns(T::Hash[Symbol, T.nilable(String)])
|
|
101
|
+
end
|
|
102
|
+
def parse_npm_from_npm_or_yarn_rc(file, separator = "=")
|
|
103
|
+
parse_registry_from_npmrc_yarnrc(file, separator, NpmPackageManager::NAME)
|
|
104
|
+
end
|
|
105
|
+
|
|
106
|
+
# Find registry and token in .npmrc or .yarnrc file
|
|
107
|
+
sig do
|
|
108
|
+
params(
|
|
109
|
+
file: T.nilable(Dependabot::DependencyFile),
|
|
110
|
+
separator: String,
|
|
111
|
+
scope: T.nilable(String)
|
|
112
|
+
).returns(T::Hash[Symbol, T.nilable(String)])
|
|
113
|
+
end
|
|
114
|
+
def parse_registry_from_npmrc_yarnrc(file, separator = "=", scope = nil)
|
|
115
|
+
content = file&.content
|
|
116
|
+
return { registry: nil, auth_token: nil } unless content
|
|
117
|
+
|
|
118
|
+
global_registry = T.let(nil, T.nilable(String))
|
|
119
|
+
scoped_registry = T.let(nil, T.nilable(String))
|
|
120
|
+
auth_token = T.let(nil, T.nilable(String))
|
|
121
|
+
|
|
122
|
+
content.split("\n").each do |line|
|
|
123
|
+
# Split using the provided separator
|
|
124
|
+
key, value = line.strip.split(separator, 2)
|
|
125
|
+
next unless key && value
|
|
126
|
+
|
|
127
|
+
# Remove surrounding quotes from keys and values
|
|
128
|
+
cleaned_key = key.strip.gsub(/\A["']|["']\z/, "")
|
|
129
|
+
cleaned_value = value.strip.gsub(/\A["']|["']\z/, "")
|
|
130
|
+
|
|
131
|
+
case cleaned_key
|
|
132
|
+
when "registry"
|
|
133
|
+
# Case 1: Found a global registry
|
|
134
|
+
global_registry = cleaned_value
|
|
135
|
+
when "_authToken"
|
|
136
|
+
# Case 2: Found an auth token
|
|
137
|
+
auth_token = cleaned_value
|
|
138
|
+
else
|
|
139
|
+
# Handle scoped registry if a scope is provided
|
|
140
|
+
scoped_registry = cleaned_value if scope && cleaned_key == "@#{scope}:registry"
|
|
141
|
+
end
|
|
142
|
+
end
|
|
143
|
+
|
|
144
|
+
# Determine the registry to return (global first, fallback to scoped)
|
|
145
|
+
registry = global_registry || scoped_registry
|
|
146
|
+
|
|
147
|
+
{ registry: registry, auth_token: auth_token }
|
|
148
|
+
end
|
|
149
|
+
|
|
150
|
+
# rubocop:disable Metrics/PerceivedComplexity
|
|
151
|
+
sig { params(file: T.nilable(Dependabot::DependencyFile)).returns(T::Hash[Symbol, T.nilable(String)]) }
|
|
152
|
+
def parse_npm_from_yarnrc_yml(file)
|
|
153
|
+
content = file&.content
|
|
154
|
+
return { registry: nil, auth_token: nil } unless content
|
|
155
|
+
|
|
156
|
+
result = {}
|
|
157
|
+
yaml_data = safe_load_yaml(content)
|
|
158
|
+
|
|
159
|
+
# Step 1: Extract global registry and auth token
|
|
160
|
+
result[:registry] = yaml_data[NPM_REGISTER_KEY_FOR_YARN] if yaml_data.key?(NPM_REGISTER_KEY_FOR_YARN)
|
|
161
|
+
result[:auth_token] = yaml_data[NPM_AUTH_TOKEN_KEY_FOR_YARN] if yaml_data.key?(NPM_AUTH_TOKEN_KEY_FOR_YARN)
|
|
162
|
+
|
|
163
|
+
# Step 2: Fallback to any scoped registry and auth token if global is missing
|
|
164
|
+
if result[:registry].nil? && yaml_data.key?(NPM_SCOPE_KEY_FOR_YARN)
|
|
165
|
+
yaml_data[NPM_SCOPE_KEY_FOR_YARN].each do |_current_scope, config|
|
|
166
|
+
next unless config.is_a?(Hash)
|
|
167
|
+
|
|
168
|
+
result[:registry] ||= config[NPM_REGISTER_KEY_FOR_YARN]
|
|
169
|
+
result[:auth_token] ||= config[NPM_AUTH_TOKEN_KEY_FOR_YARN]
|
|
170
|
+
end
|
|
171
|
+
end
|
|
172
|
+
|
|
173
|
+
result
|
|
174
|
+
end
|
|
175
|
+
# rubocop:enable Metrics/PerceivedComplexity
|
|
176
|
+
|
|
177
|
+
# Safely loads the YAML content and logs any parsing errors
|
|
178
|
+
sig { params(content: String).returns(T::Hash[String, T.untyped]) }
|
|
179
|
+
def safe_load_yaml(content)
|
|
180
|
+
YAML.safe_load(content, permitted_classes: [Symbol, String]) || {}
|
|
181
|
+
rescue Psych::SyntaxError => e
|
|
182
|
+
# Log the error instead of raising it
|
|
183
|
+
Dependabot.logger.error("YAML parsing error: #{e.message}")
|
|
184
|
+
{}
|
|
185
|
+
end
|
|
186
|
+
end
|
|
187
|
+
end
|
|
188
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.290.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-12-
|
|
11
|
+
date: 2024-12-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.290.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.290.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -326,6 +326,7 @@ files:
|
|
|
326
326
|
- lib/dependabot/npm_and_yarn/native_helpers.rb
|
|
327
327
|
- lib/dependabot/npm_and_yarn/package_manager.rb
|
|
328
328
|
- lib/dependabot/npm_and_yarn/package_name.rb
|
|
329
|
+
- lib/dependabot/npm_and_yarn/registry_helper.rb
|
|
329
330
|
- lib/dependabot/npm_and_yarn/registry_parser.rb
|
|
330
331
|
- lib/dependabot/npm_and_yarn/requirement.rb
|
|
331
332
|
- lib/dependabot/npm_and_yarn/sub_dependency_files_filterer.rb
|
|
@@ -346,8 +347,8 @@ licenses:
|
|
|
346
347
|
- MIT
|
|
347
348
|
metadata:
|
|
348
349
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
349
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
350
|
-
post_install_message:
|
|
350
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.290.0
|
|
351
|
+
post_install_message:
|
|
351
352
|
rdoc_options: []
|
|
352
353
|
require_paths:
|
|
353
354
|
- lib
|
|
@@ -363,7 +364,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
363
364
|
version: 3.1.0
|
|
364
365
|
requirements: []
|
|
365
366
|
rubygems_version: 3.5.9
|
|
366
|
-
signing_key:
|
|
367
|
+
signing_key:
|
|
367
368
|
specification_version: 4
|
|
368
369
|
summary: Provides Dependabot support for Javascript (npm and yarn)
|
|
369
370
|
test_files: []
|