RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.291.0 → 0.293.0 - Mend

dependabot-npm_and_yarn 0.291.0 → 0.293.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

data/lib/dependabot/npm_and_yarn/package_manager.rb CHANGED Viewed

@@ -6,6 +6,11 @@ require "dependabot/ecosystem"
 require "dependabot/npm_and_yarn/requirement"
 require "dependabot/npm_and_yarn/version_selector"
 require "dependabot/npm_and_yarn/registry_helper"
+require "dependabot/npm_and_yarn/npm_package_manager"
+require "dependabot/npm_and_yarn/yarn_package_manager"
+require "dependabot/npm_and_yarn/pnpm_package_manager"
+require "dependabot/npm_and_yarn/bun_package_manager"
+require "dependabot/npm_and_yarn/language"
 module Dependabot
   module NpmAndYarn
@@ -47,152 +52,6 @@ module Dependabot
     MANIFEST_PACKAGE_MANAGER_KEY = "packageManager"
     MANIFEST_ENGINES_KEY = "engines"
-    class NpmPackageManager < Ecosystem::VersionManager
-      extend T::Sig
-      NAME = "npm"
-      RC_FILENAME = ".npmrc"
-      LOCKFILE_NAME = "package-lock.json"
-      SHRINKWRAP_LOCKFILE_NAME = "npm-shrinkwrap.json"
-      NPM_V6 = "6"
-      NPM_V7 = "7"
-      NPM_V8 = "8"
-      NPM_V9 = "9"
-      NPM_V10 = "10"
-      # Keep versions in ascending order
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(NPM_V7),
-        Version.new(NPM_V8),
-        Version.new(NPM_V9),
-        Version.new(NPM_V10)
-      ].freeze, T::Array[Dependabot::Version])
-      DEPRECATED_VERSIONS = T.let([Version.new(NPM_V6)].freeze, T::Array[Dependabot::Version])
-      sig do
-        params(
-          raw_version: String,
-          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
-        ).void
-      end
-      def initialize(raw_version, requirement: nil)
-        super(
-          NAME,
-          Version.new(raw_version),
-          DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS,
-          requirement
-        )
-      end
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        return false if unsupported?
-        return false unless Dependabot::Experiments.enabled?(:npm_v6_deprecation_warning)
-        deprecated_versions.include?(version)
-      end
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        return false unless Dependabot::Experiments.enabled?(:npm_v6_unsupported_error)
-        supported_versions.all? { |supported| supported > version }
-      end
-    end
-    class YarnPackageManager < Ecosystem::VersionManager
-      extend T::Sig
-      NAME = "yarn"
-      RC_FILENAME = ".yarnrc"
-      RC_YML_FILENAME = ".yarnrc.yml"
-      LOCKFILE_NAME = "yarn.lock"
-      YARN_V1 = "1"
-      YARN_V2 = "2"
-      YARN_V3 = "3"
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(YARN_V1),
-        Version.new(YARN_V2),
-        Version.new(YARN_V3)
-      ].freeze, T::Array[Dependabot::Version])
-      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
-      sig do
-        params(
-          raw_version: String,
-          requirement: T.nilable(Requirement)
-        ).void
-      end
-      def initialize(raw_version, requirement: nil)
-        super(
-          NAME,
-          Version.new(raw_version),
-          DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS,
-          requirement
-        )
-      end
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        false
-      end
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        false
-      end
-    end
-    class PNPMPackageManager < Ecosystem::VersionManager
-      extend T::Sig
-      NAME = "pnpm"
-      LOCKFILE_NAME = "pnpm-lock.yaml"
-      PNPM_WS_YML_FILENAME = "pnpm-workspace.yaml"
-      PNPM_V7 = "7"
-      PNPM_V8 = "8"
-      PNPM_V9 = "9"
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(PNPM_V7),
-        Version.new(PNPM_V8),
-        Version.new(PNPM_V9)
-      ].freeze, T::Array[Dependabot::Version])
-      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
-      sig do
-        params(
-          raw_version: String,
-          requirement: T.nilable(Requirement)
-        ).void
-      end
-      def initialize(raw_version, requirement: nil)
-        super(
-          NAME,
-          Version.new(raw_version),
-          DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS,
-          requirement
-        )
-      end
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        false
-      end
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        false
-      end
-    end
     DEFAULT_PACKAGE_MANAGER = NpmPackageManager::NAME
     # Define a type alias for the expected class interface
@@ -210,6 +69,9 @@ module Dependabot
       PNPMPackageManager::NAME => PNPMPackageManager
     }.freeze, T::Hash[String, NpmAndYarnPackageManagerClassType])
+    # Error malformed version number string
+    ERROR_MALFORMED_VERSION_NUMBER = "Malformed version number"
     class PackageManagerDetector
       extend T::Sig
       extend T::Helpers
@@ -274,41 +136,6 @@ module Dependabot
       end
     end
-    class Language < Ecosystem::VersionManager
-      extend T::Sig
-      NAME = "node"
-      SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
-      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
-      sig do
-        params(
-          raw_version: T.nilable(String),
-          requirement: T.nilable(Requirement)
-        ).void
-      end
-      def initialize(raw_version, requirement: nil)
-        super(
-          NAME,
-          Version.new(raw_version),
-          DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS,
-          requirement
-        )
-      end
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        false
-      end
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        false
-      end
-    end
     class PackageManagerHelper
       extend T::Sig
       extend T::Helpers
@@ -349,7 +176,7 @@ module Dependabot
       sig { returns(Ecosystem::VersionManager) }
       def language
         @language ||= Language.new(
-          Helpers.node_version,
+          raw_version: Helpers.node_version,
           requirement: language_requirement
         )
       end
@@ -393,6 +220,7 @@ module Dependabot
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/AbcSize
       # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/MethodLength
       sig { params(name: String).returns(T.nilable(T.any(Integer, String))) }
       def setup(name)
         # we prioritize version mentioned in "packageManager" instead of "engines"
@@ -405,6 +233,8 @@ module Dependabot
           return
         end
+        return package_manager.version.to_s if package_manager.deprecated? || package_manager.unsupported?
         if @engines && @manifest_package_manager.nil?
           # if "packageManager" doesn't exists in manifest file,
           # we check if we can extract "engines" information
@@ -453,6 +283,24 @@ module Dependabot
       # rubocop:enable Metrics/CyclomaticComplexity
       # rubocop:enable Metrics/AbcSize
       # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/MethodLength
+      sig { params(name: String).returns(T.nilable(String)) }
+      def detect_version(name)
+        # we prioritize version mentioned in "packageManager" instead of "engines"
+        if @manifest_package_manager&.start_with?("#{name}@")
+          detected_version = @manifest_package_manager.split("@").last.to_s
+        end
+        # if "packageManager" have no version specified, we check if we can extract "engines" information
+        detected_version = check_engine_version(name) if !detected_version || detected_version.empty?
+        # if "packageManager" and "engines" both are not present, we check if we can infer the version
+        # from the manifest file lockfileVersion
+        detected_version = guessed_version(name) if !detected_version || detected_version.empty?
+        detected_version&.to_s
+      end
       sig { params(name: T.nilable(String)).returns(Ecosystem::VersionManager) }
       def package_manager_by_name(name)
@@ -461,6 +309,16 @@ module Dependabot
         name = ensure_valid_package_manager(name)
         package_manager_class = T.must(PACKAGE_MANAGER_CLASSES[name])
+        detected_version = detect_version(name)
+        # if we have a detected version, we check if it is deprecated or unsupported
+        if detected_version
+          package_manager = package_manager_class.new(
+            detected_version: detected_version.to_s
+          )
+          return package_manager if package_manager.deprecated? || package_manager.unsupported?
+        end
         installed_version = installed_version(name)
         Dependabot.logger.info("Installed version for #{name}: #{installed_version}")
@@ -472,9 +330,14 @@ module Dependabot
         end
         package_manager_class.new(
-          installed_version,
+          detected_version: detected_version.to_s,
+          raw_version: installed_version,
           requirement: package_manager_requirement
         )
+      rescue ArgumentError => e
+        raise DependencyFileNotParseable, e.message if e.message.include?(ERROR_MALFORMED_VERSION_NUMBER)
+        raise
       rescue StandardError => e
         Dependabot.logger.error("Error resolving package manager for #{name || 'default'}: #{e.message}")
         raise

data/lib/dependabot/npm_and_yarn/pnpm_package_manager.rb ADDED Viewed

@@ -0,0 +1,55 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/npm_and_yarn/package_manager"
+module Dependabot
+  module NpmAndYarn
+    class PNPMPackageManager < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "pnpm"
+      LOCKFILE_NAME = "pnpm-lock.yaml"
+      PNPM_WS_YML_FILENAME = "pnpm-workspace.yaml"
+      PNPM_V7 = "7"
+      PNPM_V8 = "8"
+      PNPM_V9 = "9"
+      SUPPORTED_VERSIONS = T.let([
+        Version.new(PNPM_V7),
+        Version.new(PNPM_V8),
+        Version.new(PNPM_V9)
+      ].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/sub_dependency_files_filterer.rb CHANGED Viewed

@@ -68,6 +68,7 @@ module Dependabot
           "package-lock.json",
           "yarn.lock",
           "npm-shrinkwrap.json",
+          "bun.lock",
           "pnpm-lock.yaml"
         )
       end

data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb CHANGED Viewed

@@ -49,6 +49,12 @@ module Dependabot
             .select { |f| f.name.end_with?("pnpm-lock.yaml") }
         end
+        def bun_locks
+          @bun_locks ||=
+            dependency_files
+            .select { |f| f.name.end_with?("bun.lock") }
+        end
         def root_yarn_lock
           @root_yarn_lock ||=
             dependency_files
@@ -61,6 +67,12 @@ module Dependabot
             .find { |f| f.name == "pnpm-lock.yaml" }
         end
+        def root_bun_lock
+          @root_bun_lock ||=
+            dependency_files
+            .find { |f| f.name == "bun.lock" }
+        end
         def shrinkwraps
           @shrinkwraps ||=
             dependency_files
@@ -68,7 +80,7 @@ module Dependabot
         end
         def lockfiles
-          [*package_locks, *shrinkwraps, *yarn_locks, *pnpm_locks]
+          [*package_locks, *shrinkwraps, *yarn_locks, *pnpm_locks, *bun_locks]
         end
         def package_files
@@ -89,12 +101,7 @@ module Dependabot
             File.write(f.name, prepared_yarn_lockfile_content(f.content))
           end
-          pnpm_locks.each do |f|
-            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
-            File.write(f.name, f.content)
-          end
-          [*package_locks, *shrinkwraps].each do |f|
+          [*package_locks, *shrinkwraps, *pnpm_locks, *bun_locks].each do |f|
             FileUtils.mkdir_p(Pathname.new(f.name).dirname)
             File.write(f.name, f.content)
           end

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb CHANGED Viewed

@@ -70,6 +70,8 @@ module Dependabot
                             run_yarn_updater(path, lockfile_name)
                           elsif lockfile.name.end_with?("pnpm-lock.yaml")
                             run_pnpm_updater(path, lockfile_name)
+                          elsif lockfile.name.end_with?("bun.lock")
+                            run_bun_updater(path, lockfile_name)
                           elsif !Helpers.npm8?(lockfile)
                             run_npm6_updater(path, lockfile_name)
                           else
@@ -153,6 +155,18 @@ module Dependabot
           end
         end
+        def run_bun_updater(path, lockfile_name)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              Helpers.run_bun_command(
+                "update #{dependency.name} --save-text-lockfile",
+                fingerprint: "update <dependency_name> --save-text-lockfile"
+              )
+              { lockfile_name => File.read(lockfile_name) }
+            end
+          end
+        end
         def run_npm6_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb CHANGED Viewed

@@ -413,6 +413,8 @@ module Dependabot
         end
         def error_details_from_captures(captures)
+          return {} unless captures.is_a?(Hash)
           required_dep_captures  = captures.fetch("required_dep")
           requiring_dep_captures = captures.fetch("requiring_dep")
           return {} unless required_dep_captures && requiring_dep_captures
@@ -549,12 +551,18 @@ module Dependabot
           npm_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.package_locks, path: path)
           return run_npm_checker(path: path, version: version) if npm_lockfiles.any?
+          bun_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.bun_locks, path: path)
+          return run_bun_checker(path: path, version: version) if bun_lockfiles.any?
           root_yarn_lock = dependency_files_builder.root_yarn_lock
           return run_yarn_checker(path: path, version: version, lockfile: root_yarn_lock) if root_yarn_lock
           root_pnpm_lock = dependency_files_builder.root_pnpm_lock
           return run_pnpm_checker(path: path, version: version) if root_pnpm_lock
+          root_bun_lock = dependency_files_builder.root_bun_lock
+          return run_bun_checker(path: path, version: version) if root_bun_lock
           run_npm_checker(path: path, version: version)
         rescue SharedHelpers::HelperSubprocessFailed => e
           handle_peer_dependency_errors(e.message)
@@ -583,6 +591,17 @@ module Dependabot
           end
         end
+        def run_bun_checker(path:, version:)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              Helpers.run_bun_command(
+                "update #{dependency.name}@#{version} --save-text-lockfile",
+                fingerprint: "update <dependency_name>@<version> --save-text-lockfile"
+              )
+            end
+          end
+        end
         def run_yarn_berry_checker(path:, version:)
           # This method mimics calling a native helper in order to comply with the caller's expectations
           # Specifically we add the dependency at the specified updated version

data/lib/dependabot/npm_and_yarn/version.rb CHANGED Viewed

@@ -62,8 +62,10 @@ module Dependabot
       sig { override.params(version: VersionParameter).void }
       def initialize(version)
+        version = clean_version(version)
         @version_string = T.let(version.to_s, String)
-        version = version.gsub(/^v/, "") if version.is_a?(String)
         @build_info = T.let(nil, T.nilable(String))
         version, @build_info = version.to_s.split("+") if version.to_s.include?("+")
@@ -71,6 +73,20 @@ module Dependabot
         super(T.must(version))
       end
+      sig { params(version: VersionParameter).returns(VersionParameter) }
+      def clean_version(version)
+        # Check if version is a string before attempting to match
+        if version.is_a?(String)
+          # Matches @ followed by x.y.z (digits separated by dots)
+          if (match = version.match(/@(\d+\.\d+\.\d+)/))
+            version = match[1] # Just "4.5.3"
+          end
+          version = version&.gsub(/^v/, "")
+        end
+        version
+      end
       sig { override.params(version: VersionParameter).returns(Dependabot::NpmAndYarn::Version) }
       def self.new(version)
         T.cast(super, Dependabot::NpmAndYarn::Version)

data/lib/dependabot/npm_and_yarn/yarn_package_manager.rb ADDED Viewed

@@ -0,0 +1,56 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/npm_and_yarn/package_manager"
+module Dependabot
+  module NpmAndYarn
+    class YarnPackageManager < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "yarn"
+      RC_FILENAME = ".yarnrc"
+      RC_YML_FILENAME = ".yarnrc.yml"
+      LOCKFILE_NAME = "yarn.lock"
+      YARN_V1 = "1"
+      YARN_V2 = "2"
+      YARN_V3 = "3"
+      SUPPORTED_VERSIONS = T.let([
+        Version.new(YARN_V1),
+        Version.new(YARN_V2),
+        Version.new(YARN_V3)
+      ].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.291.0
+  version: 0.293.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-19 00:00:00.000000000 Z
+date: 2025-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.291.0
+        version: 0.293.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.291.0
+        version: 0.293.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -306,15 +306,18 @@ files:
 - helpers/test/yarn/helpers.js
 - helpers/test/yarn/updater.test.js
 - lib/dependabot/npm_and_yarn.rb
+- lib/dependabot/npm_and_yarn/bun_package_manager.rb
 - lib/dependabot/npm_and_yarn/dependency_files_filterer.rb
 - lib/dependabot/npm_and_yarn/file_fetcher.rb
 - lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb
 - lib/dependabot/npm_and_yarn/file_parser.rb
+- lib/dependabot/npm_and_yarn/file_parser/bun_lock.rb
 - lib/dependabot/npm_and_yarn/file_parser/json_lock.rb
 - lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb
 - lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb
 - lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb
 - lib/dependabot/npm_and_yarn/file_updater.rb
+- lib/dependabot/npm_and_yarn/file_updater/bun_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb
 - lib/dependabot/npm_and_yarn/file_updater/package_json_preparer.rb
@@ -322,10 +325,13 @@ files:
 - lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/helpers.rb
+- lib/dependabot/npm_and_yarn/language.rb
 - lib/dependabot/npm_and_yarn/metadata_finder.rb
 - lib/dependabot/npm_and_yarn/native_helpers.rb
+- lib/dependabot/npm_and_yarn/npm_package_manager.rb
 - lib/dependabot/npm_and_yarn/package_manager.rb
 - lib/dependabot/npm_and_yarn/package_name.rb
+- lib/dependabot/npm_and_yarn/pnpm_package_manager.rb
 - lib/dependabot/npm_and_yarn/registry_helper.rb
 - lib/dependabot/npm_and_yarn/registry_parser.rb
 - lib/dependabot/npm_and_yarn/requirement.rb
@@ -342,12 +348,13 @@ files:
 - lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb
 - lib/dependabot/npm_and_yarn/version.rb
 - lib/dependabot/npm_and_yarn/version_selector.rb
+- lib/dependabot/npm_and_yarn/yarn_package_manager.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.291.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.293.0
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -363,7 +370,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.5.9
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Provides Dependabot support for Javascript (npm and yarn)