dependabot-npm_and_yarn 0.291.0 → 0.293.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 02635cf238f21d329717cb8590e2c779109f30e53edb5a18d0af02c2eb1b7b52
-  data.tar.gz: 05a8982b1c132c4560dbde94a72575a7ba62d9e9b1b3e6524d2cbcb2042f3eae
+  metadata.gz: 0d548c0891264c8b407f2b673e39266b3494683e431ac1e8b9ebc899319208f5
+  data.tar.gz: b43aeb89fb1a1c1e32a9d86eee5ccc188d8fc3da548ee4cbbcfbc4c76cfd59c7
 SHA512:
-  metadata.gz: 69d8f7352749ea26e0aeee9ca63943fc6d46eccf927ec217fd9d5b072b60a405b5b7a4515c120e8e05145870ac1c0bc196c27ad38d4733c15e693af40d0055fa
-  data.tar.gz: e5f8ad4e72213b0620785369b37c6cbf4d2200eea2a2ec521df6f6240694527216da0450af39cb86b7d9650d4d04649d5fc3bb4136163574ae29f2a3dc6db539
+  metadata.gz: 95eef6390619686a8017fc949e5a5609e34f3675920fea726975fb42c55904e9901ef55b80df005ffa43bf74e87623ed00a9a287005af9446c93b78fcb0c010d
+  data.tar.gz: 9a104350702acef102f005bdc0c4649b7713288de3685992538f9e58384487802f48a1f1c6e57dd6ac244fb11e849fd89b72f2f3648355eb3115d1174846e21f

data/lib/dependabot/npm_and_yarn/bun_package_manager.rb

@@ -0,0 +1,46 @@
+# typed: strong
+# frozen_string_literal: true
+
+module Dependabot
+  module NpmAndYarn
+    class BunPackageManager < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "bun"
+      LOCKFILE_NAME = "bun.lock"
+
+      # In Bun 1.1.39, the lockfile format was changed from a binary bun.lockb to a text-based bun.lock.
+      # https://bun.sh/blog/bun-lock-text-lockfile
+      MIN_SUPPORTED_VERSION = Version.new("1.1.39")
+      SUPPORTED_VERSIONS = T.let([MIN_SUPPORTED_VERSION].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        supported_versions.all? { |supported| supported > version }
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/dependency_files_filterer.rb

@@ -82,7 +82,7 @@ module Dependabot
 
       sig { params(lockfile: DependencyFile).returns(T::Boolean) }
       def workspaces_lockfile?(lockfile)
-        return false unless ["yarn.lock", "package-lock.json", "pnpm-lock.yaml"].include?(lockfile.name)
+        return false unless ["yarn.lock", "package-lock.json", "pnpm-lock.yaml", "bun.lock"].include?(lockfile.name)
 
         return false unless parsed_root_package_json["workspaces"] || dependency_files.any? do |file|
           file.name.end_with?("pnpm-workspace.yaml") && File.dirname(file.name) == File.dirname(lockfile.name)
@@ -148,6 +148,7 @@ module Dependabot
           "package-lock.json",
           "yarn.lock",
           "pnpm-lock.yaml",
+          "bun.lock",
           "npm-shrinkwrap.json"
         )
       end

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -68,6 +68,7 @@ module Dependabot
         package_managers["npm"] = npm_version if npm_version
         package_managers["yarn"] = yarn_version if yarn_version
         package_managers["pnpm"] = pnpm_version if pnpm_version
+        package_managers["bun"] = bun_version if bun_version
         package_managers["unknown"] = 1 if package_managers.empty?
 
         {
@@ -83,6 +84,7 @@ module Dependabot
         fetched_files += npm_files if npm_version
         fetched_files += yarn_files if yarn_version
         fetched_files += pnpm_files if pnpm_version
+        fetched_files += bun_files if bun_version
         fetched_files += lerna_files
         fetched_files += workspace_package_jsons
         fetched_files += path_dependencies(fetched_files)
@@ -120,6 +122,13 @@ module Dependabot
         fetched_pnpm_files
       end
 
+      sig { returns(T::Array[DependencyFile]) }
+      def bun_files
+        fetched_bun_files = []
+        fetched_bun_files << bun_lock if bun_lock
+        fetched_bun_files
+      end
+
       sig { returns(T::Array[DependencyFile]) }
       def lerna_files
         fetched_lerna_files = []
@@ -202,6 +211,16 @@ module Dependabot
         )
       end
 
+      sig { returns(T.nilable(T.any(Integer, String))) }
+      def bun_version
+        return @bun_version = nil unless Experiments.enabled?(:bun_updates)
+
+        @bun_version ||= T.let(
+          package_manager_helper.setup(BunPackageManager::NAME),
+          T.nilable(T.any(Integer, String))
+        )
+      end
+
       sig { returns(PackageManagerHelper) }
       def package_manager_helper
         @package_manager_helper ||= T.let(
@@ -219,7 +238,8 @@ module Dependabot
         {
           npm: package_lock || shrinkwrap,
           yarn: yarn_lock,
-          pnpm: pnpm_lock
+          pnpm: pnpm_lock,
+          bun: bun_lock
         }
       end
 
@@ -261,17 +281,18 @@ module Dependabot
 
         return @pnpm_lock if @pnpm_lock || directory == "/"
 
-        # Loop through parent directories looking for a pnpm-lock
-        (1..directory.split("/").count).each do |i|
-          @pnpm_lock = fetch_file_from_host(("../" * i) + PNPMPackageManager::LOCKFILE_NAME)
-                       .tap { |f| f.support_file = true }
-          break if @pnpm_lock
-        rescue Dependabot::DependencyFileNotFound
-          # Ignore errors (pnpm_lock.yaml may not be present)
-          nil
-        end
+        @pnpm_lock = fetch_file_from_parent_directories(PNPMPackageManager::LOCKFILE_NAME)
+      end
+
+      sig { returns(T.nilable(DependencyFile)) }
+      def bun_lock
+        return @bun_lock if defined?(@bun_lock)
+
+        @bun_lock ||= T.let(fetch_file_if_present(BunPackageManager::LOCKFILE_NAME), T.nilable(DependencyFile))
 
-        @pnpm_lock
+        return @bun_lock if @bun_lock || directory == "/"
+
+        @bun_lock = fetch_file_from_parent_directories(BunPackageManager::LOCKFILE_NAME)
       end
 
       sig { returns(T.nilable(DependencyFile)) }
@@ -294,17 +315,7 @@ module Dependabot
 
         return @npmrc if @npmrc || directory == "/"
 
-        # Loop through parent directories looking for an npmrc
-        (1..directory.split("/").count).each do |i|
-          @npmrc = fetch_file_from_host(("../" * i) + NpmPackageManager::RC_FILENAME)
-                   .tap { |f| f.support_file = true }
-          break if @npmrc
-        rescue Dependabot::DependencyFileNotFound
-          # Ignore errors (.npmrc may not be present)
-          nil
-        end
-
-        @npmrc
+        @npmrc = fetch_file_from_parent_directories(NpmPackageManager::RC_FILENAME)
       end
 
       sig { returns(T.nilable(DependencyFile)) }
@@ -315,17 +326,7 @@ module Dependabot
 
         return @yarnrc if @yarnrc || directory == "/"
 
-        # Loop through parent directories looking for an yarnrc
-        (1..directory.split("/").count).each do |i|
-          @yarnrc = fetch_file_from_host(("../" * i) + YarnPackageManager::RC_FILENAME)
-                    .tap { |f| f.support_file = true }
-          break if @yarnrc
-        rescue Dependabot::DependencyFileNotFound
-          # Ignore errors (.yarnrc may not be present)
-          nil
-        end
-
-        @yarnrc
+        @yarnrc = fetch_file_from_parent_directories(YarnPackageManager::RC_FILENAME)
       end
 
       sig { returns(T.nilable(DependencyFile)) }
@@ -699,6 +700,22 @@ module Dependabot
           Dependabot.logger.info("Repository contents path does not exist")
         end
       end
+
+      sig { params(filename: String).returns(T.nilable(DependencyFile)) }
+      def fetch_file_with_support(filename)
+        fetch_file_from_host(filename).tap { |f| f.support_file = true }
+      rescue Dependabot::DependencyFileNotFound
+        nil
+      end
+
+      sig { params(filename: String).returns(T.nilable(DependencyFile)) }
+      def fetch_file_from_parent_directories(filename)
+        (1..directory.split("/").count).each do |i|
+          file = fetch_file_with_support(("../" * i) + filename)
+          return file if file
+        end
+        nil
+      end
     end
   end
 end

data/lib/dependabot/npm_and_yarn/file_parser/bun_lock.rb

@@ -0,0 +1,141 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "yaml"
+require "dependabot/errors"
+require "dependabot/npm_and_yarn/helpers"
+require "sorbet-runtime"
+
+module Dependabot
+  module NpmAndYarn
+    class FileParser < Dependabot::FileParsers::Base
+      class BunLock
+        extend T::Sig
+
+        sig { params(dependency_file: DependencyFile).void }
+        def initialize(dependency_file)
+          @dependency_file = dependency_file
+        end
+
+        sig { returns(T::Hash[String, T.untyped]) }
+        def parsed
+          @parsed ||= begin
+            content = begin
+              # Since bun.lock is a JSONC file, which is a subset of YAML, we can use YAML to parse it
+              YAML.load(T.must(@dependency_file.content))
+            rescue Psych::SyntaxError => e
+              raise_invalid!("malformed JSONC at line #{e.line}, column #{e.column}")
+            end
+            raise_invalid!("expected to be an object") unless content.is_a?(Hash)
+
+            version = content["lockfileVersion"]
+            raise_invalid!("expected 'lockfileVersion' to be an integer") unless version.is_a?(Integer)
+            raise_invalid!("expected 'lockfileVersion' to be >= 0") unless version >= 0
+            raise_invalid!("unsupported 'lockfileVersion' = #{version}") unless version.zero?
+
+            T.let(content, T.untyped)
+          end
+        end
+
+        sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+        def dependencies
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+
+          # bun.lock v0 format:
+          # https://github.com/oven-sh/bun/blob/c130df6c589fdf28f9f3c7f23ed9901140bc9349/src/install/bun.lock.zig#L595-L605
+
+          packages = parsed["packages"]
+          raise_invalid!("expected 'packages' to be an object") unless packages.is_a?(Hash)
+
+          packages.each do |key, details|
+            raise_invalid!("expected 'packages.#{key}' to be an array") unless details.is_a?(Array)
+
+            resolution = details.first
+            raise_invalid!("expected 'packages.#{key}[0]' to be a string") unless resolution.is_a?(String)
+
+            name, version = resolution.split(/(?<=\w)\@/)
+            next if name.empty?
+
+            semver = Version.semver_for(version)
+            next unless semver
+
+            dependency_set << Dependency.new(
+              name: name,
+              version: semver.to_s,
+              package_manager: "npm_and_yarn",
+              requirements: []
+            )
+          end
+
+          dependency_set
+        end
+
+        sig do
+          params(dependency_name: String, requirement: T.untyped, _manifest_name: String)
+            .returns(T.nilable(T::Hash[String, T.untyped]))
+        end
+        def details(dependency_name, requirement, _manifest_name)
+          packages = parsed["packages"]
+          return unless packages.is_a?(Hash)
+
+          candidates =
+            packages
+            .select { |name, _| name == dependency_name }
+            .values
+
+          # If there's only one entry for this dependency, use it, even if
+          # the requirement in the lockfile doesn't match
+          if candidates.one?
+            parse_details(candidates.first)
+          else
+            candidate = candidates.find do |label, _|
+              label.scan(/(?<=\w)\@(?:npm:)?([^\s,]+)/).flatten.include?(requirement)
+            end&.last
+            parse_details(candidate)
+          end
+        end
+
+        private
+
+        sig { params(message: String).void }
+        def raise_invalid!(message)
+          raise Dependabot::DependencyFileNotParseable.new(@dependency_file.path, "Invalid bun.lock file: #{message}")
+        end
+
+        sig do
+          params(entry: T.nilable(T::Array[T.untyped])).returns(T.nilable(T::Hash[String, T.untyped]))
+        end
+        def parse_details(entry)
+          return unless entry.is_a?(Array)
+
+          # Either:
+          # - "{name}@{version}", registry, details, integrity
+          # - "{name}@{resolution}", details
+          resolution = entry.first
+          return unless resolution.is_a?(String)
+
+          name, version = resolution.split(/(?<=\w)\@/)
+          semver = Version.semver_for(version)
+
+          if semver
+            registry, details, integrity = entry[1..3]
+            {
+              "name" => name,
+              "version" => semver.to_s,
+              "registry" => registry,
+              "details" => details,
+              "integrity" => integrity
+            }
+          else
+            details = entry[1]
+            {
+              "name" => name,
+              "resolution" => version,
+              "details" => details
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb

@@ -15,6 +15,11 @@ module Dependabot
         require "dependabot/npm_and_yarn/file_parser/yarn_lock"
         require "dependabot/npm_and_yarn/file_parser/pnpm_lock"
         require "dependabot/npm_and_yarn/file_parser/json_lock"
+        require "dependabot/npm_and_yarn/file_parser/bun_lock"
+
+        DEFAULT_LOCKFILES = %w(package-lock.json yarn.lock pnpm-lock.yaml bun.lock npm-shrinkwrap.json).freeze
+
+        LockFile = T.type_alias { T.any(JsonLock, YarnLock, PnpmLock, BunLock) }
 
         sig { params(dependency_files: T::Array[DependencyFile]).void }
         def initialize(dependency_files:)
@@ -29,7 +34,7 @@ module Dependabot
           # end up unique by name. That's not a perfect representation of
           # the nested nature of JS resolution, but it makes everything work
           # comparably to other flat-resolution strategies
-          (yarn_locks + pnpm_locks + package_locks + shrinkwraps).each do |file|
+          (yarn_locks + pnpm_locks + package_locks + bun_locks + shrinkwraps).each do |file|
             dependency_set += lockfile_for(file).dependencies
           end
 
@@ -64,58 +69,59 @@ module Dependabot
         sig { params(manifest_filename: String).returns(T::Array[DependencyFile]) }
         def potential_lockfiles_for_manifest(manifest_filename)
           dir_name = File.dirname(manifest_filename)
-          possible_lockfile_names =
-            %w(package-lock.json npm-shrinkwrap.json pnpm-lock.yaml yarn.lock).map do |f|
-              Pathname.new(File.join(dir_name, f)).cleanpath.to_path
-            end +
-            %w(yarn.lock pnpm-lock.yaml package-lock.json npm-shrinkwrap.json)
+          possible_lockfile_names = DEFAULT_LOCKFILES.map do |f|
+            Pathname.new(File.join(dir_name, f)).cleanpath.to_path
+          end + DEFAULT_LOCKFILES
 
           possible_lockfile_names.uniq
                                  .filter_map { |nm| dependency_files.find { |f| f.name == nm } }
         end
 
-        sig { params(file: DependencyFile).returns(T.any(JsonLock, YarnLock, PnpmLock)) }
+        sig { params(file: DependencyFile).returns(LockFile) }
         def lockfile_for(file)
-          @lockfiles ||= T.let({}, T.nilable(T::Hash[String, T.any(JsonLock, YarnLock, PnpmLock)]))
-          @lockfiles[file.name] ||= if [*package_locks, *shrinkwraps].include?(file)
+          @lockfiles ||= T.let({}, T.nilable(T::Hash[String, LockFile]))
+          @lockfiles[file.name] ||= case file.name
+                                    when *package_locks.map(&:name), *shrinkwraps.map(&:name)
                                       JsonLock.new(file)
-                                    elsif yarn_locks.include?(file)
+                                    when *yarn_locks.map(&:name)
                                       YarnLock.new(file)
-                                    else
+                                    when *pnpm_locks.map(&:name)
                                       PnpmLock.new(file)
+                                    when *bun_locks.map(&:name)
+                                      BunLock.new(file)
+                                    else
+                                      raise "Unexpected lockfile: #{file.name}"
                                     end
         end
 
+        sig { params(extension: String).returns(T::Array[DependencyFile]) }
+        def select_files_by_extension(extension)
+          dependency_files.select { |f| f.name.end_with?(extension) }
+        end
+
         sig { returns(T::Array[DependencyFile]) }
         def package_locks
-          @package_locks ||= T.let(
-            dependency_files
-            .select { |f| f.name.end_with?("package-lock.json") }, T.nilable(T::Array[DependencyFile])
-          )
+          @package_locks ||= T.let(select_files_by_extension("package-lock.json"), T.nilable(T::Array[DependencyFile]))
         end
 
         sig { returns(T::Array[DependencyFile]) }
         def pnpm_locks
-          @pnpm_locks ||= T.let(
-            dependency_files
-            .select { |f| f.name.end_with?("pnpm-lock.yaml") }, T.nilable(T::Array[DependencyFile])
-          )
+          @pnpm_locks ||= T.let(select_files_by_extension("pnpm-lock.yaml"), T.nilable(T::Array[DependencyFile]))
+        end
+
+        sig { returns(T::Array[DependencyFile]) }
+        def bun_locks
+          @bun_locks ||= T.let(select_files_by_extension("bun.lock"), T.nilable(T::Array[DependencyFile]))
         end
 
         sig { returns(T::Array[DependencyFile]) }
         def yarn_locks
-          @yarn_locks ||= T.let(
-            dependency_files
-            .select { |f| f.name.end_with?("yarn.lock") }, T.nilable(T::Array[DependencyFile])
-          )
+          @yarn_locks ||= T.let(select_files_by_extension("yarn.lock"), T.nilable(T::Array[DependencyFile]))
         end
 
         sig { returns(T::Array[DependencyFile]) }
         def shrinkwraps
-          @shrinkwraps ||= T.let(
-            dependency_files
-            .select { |f| f.name.end_with?("npm-shrinkwrap.json") }, T.nilable(T::Array[DependencyFile])
-          )
+          @shrinkwraps ||= T.let(select_files_by_extension("npm-shrinkwrap.json"), T.nilable(T::Array[DependencyFile]))
         end
 
         sig { returns(T.class_of(Dependabot::NpmAndYarn::Version)) }

data/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb

@@ -26,6 +26,10 @@ module Dependabot
         end
 
         def dependencies
+          if Dependabot::Experiments.enabled?(:enable_fix_for_pnpm_no_change_error)
+            return dependencies_with_prioritization
+          end
+
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
           parsed.each do |details|
@@ -52,6 +56,49 @@ module Dependabot
           dependency_set
         end
 
+        def dependencies_with_prioritization
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+
+          # Separate dependencies into two categories: with specifiers and without specifiers.
+          dependencies_with_specifiers = [] # Main dependencies with specifiers.
+          dependencies_without_specifiers = [] # Subdependencies without specifiers.
+
+          parsed.each do |details|
+            next if details["aliased"]
+
+            name = details["name"]
+            version = details["version"]
+
+            dependency_args = {
+              name: name,
+              version: version,
+              package_manager: "npm_and_yarn",
+              requirements: []
+            }
+
+            # Add metadata for subdependencies if marked as a dev dependency.
+            dependency_args[:subdependency_metadata] = [{ production: !details["dev"] }] if details["dev"]
+
+            specifiers = details["specifiers"]
+            if specifiers&.any?
+              dependencies_with_specifiers << dependency_args
+            else
+              dependencies_without_specifiers << dependency_args
+            end
+          end
+
+          # Add prioritized dependencies to the dependency set.
+          dependencies_with_specifiers.each do |dependency_args|
+            dependency_set << Dependency.new(**dependency_args)
+          end
+
+          dependencies_without_specifiers.each do |dependency_args|
+            dependency_set << Dependency.new(**dependency_args)
+          end
+
+          dependency_set
+        end
+
         def details(dependency_name, requirement, _manifest_name)
           details_candidates = parsed.select { |info| info["name"] == dependency_name }
 

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -110,7 +110,8 @@ module Dependabot
         {
           npm: package_lock || shrinkwrap,
           yarn: yarn_lock,
-          pnpm: pnpm_lock
+          pnpm: pnpm_lock,
+          bun: bun_lock
         }
       end
 
@@ -167,6 +168,13 @@ module Dependabot
         end, T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def bun_lock
+        @bun_lock ||= T.let(dependency_files.find do |f|
+          f.name == BunPackageManager::LOCKFILE_NAME
+        end, T.nilable(Dependabot::DependencyFile))
+      end
+
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def npmrc
         @npmrc ||= T.let(dependency_files.find do |f|