RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.291.0 → 0.293.0 - Mend

dependabot-npm_and_yarn 0.291.0 → 0.293.0

Files changed (23) hide show

data/lib/dependabot/npm_and_yarn/package_manager.rb CHANGED Viewed

@@ -6,6 +6,11 @@ require "dependabot/ecosystem"
 require "dependabot/npm_and_yarn/requirement"
 require "dependabot/npm_and_yarn/version_selector"
 require "dependabot/npm_and_yarn/registry_helper"
+require "dependabot/npm_and_yarn/npm_package_manager"
+require "dependabot/npm_and_yarn/yarn_package_manager"
+require "dependabot/npm_and_yarn/pnpm_package_manager"
+require "dependabot/npm_and_yarn/bun_package_manager"
+require "dependabot/npm_and_yarn/language"
 module Dependabot
   module NpmAndYarn
@@ -47,152 +52,6 @@ module Dependabot
     MANIFEST_PACKAGE_MANAGER_KEY = "packageManager"
     MANIFEST_ENGINES_KEY = "engines"
-    class NpmPackageManager < Ecosystem::VersionManager
-      extend T::Sig
-      NAME = "npm"
-      RC_FILENAME = ".npmrc"
-      LOCKFILE_NAME = "package-lock.json"
-      SHRINKWRAP_LOCKFILE_NAME = "npm-shrinkwrap.json"
-      NPM_V6 = "6"
-      NPM_V7 = "7"
-      NPM_V8 = "8"
-      NPM_V9 = "9"
-      NPM_V10 = "10"
-      # Keep versions in ascending order
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(NPM_V7),
-        Version.new(NPM_V8),
-        Version.new(NPM_V9),
-        Version.new(NPM_V10)
-      ].freeze, T::Array[Dependabot::Version])
-      DEPRECATED_VERSIONS = T.let([Version.new(NPM_V6)].freeze, T::Array[Dependabot::Version])
-      sig do
-        params(
-          raw_version: String,
-          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
-        ).void
-      end
-      def initialize(raw_version, requirement: nil)
-        super(
-          NAME,
-          Version.new(raw_version),
-          DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS,
-          requirement
-        )
-      end
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        return false if unsupported?
-        return false unless Dependabot::Experiments.enabled?(:npm_v6_deprecation_warning)
-        deprecated_versions.include?(version)
-      end
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        return false unless Dependabot::Experiments.enabled?(:npm_v6_unsupported_error)
-        supported_versions.all? { |supported| supported > version }
-      end
-    end
-    class YarnPackageManager < Ecosystem::VersionManager
-      extend T::Sig
-      NAME = "yarn"
-      RC_FILENAME = ".yarnrc"
-      RC_YML_FILENAME = ".yarnrc.yml"
-      LOCKFILE_NAME = "yarn.lock"
-      YARN_V1 = "1"
-      YARN_V2 = "2"
-      YARN_V3 = "3"
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(YARN_V1),
-        Version.new(YARN_V2),
-        Version.new(YARN_V3)
-      ].freeze, T::Array[Dependabot::Version])
-      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
-      sig do
-        params(
-          raw_version: String,
-          requirement: T.nilable(Requirement)
-        ).void
-      end
-      def initialize(raw_version, requirement: nil)
-        super(
-          NAME,
-          Version.new(raw_version),
-          DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS,
-          requirement
-        )
-      end
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        false
-      end
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        false
-      end
-    end
-    class PNPMPackageManager < Ecosystem::VersionManager
-      extend T::Sig
-      NAME = "pnpm"
-      LOCKFILE_NAME = "pnpm-lock.yaml"
-      PNPM_WS_YML_FILENAME = "pnpm-workspace.yaml"
-      PNPM_V7 = "7"
-      PNPM_V8 = "8"
-      PNPM_V9 = "9"
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(PNPM_V7),
-        Version.new(PNPM_V8),
-        Version.new(PNPM_V9)
-      ].freeze, T::Array[Dependabot::Version])
-      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
-      sig do
-        params(
-          raw_version: String,
-          requirement: T.nilable(Requirement)
-        ).void
-      end
-      def initialize(raw_version, requirement: nil)
-        super(
-          NAME,
-          Version.new(raw_version),
-          DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS,
-          requirement
-        )
-      end
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        false
-      end
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        false
-      end
-    end
     DEFAULT_PACKAGE_MANAGER = NpmPackageManager::NAME
     # Define a type alias for the expected class interface
@@ -210,6 +69,9 @@ module Dependabot
       PNPMPackageManager::NAME => PNPMPackageManager
     }.freeze, T::Hash[String, NpmAndYarnPackageManagerClassType])
+    # Error malformed version number string
+    ERROR_MALFORMED_VERSION_NUMBER = "Malformed version number"
     class PackageManagerDetector
       extend T::Sig
       extend T::Helpers
@@ -274,41 +136,6 @@ module Dependabot
       end
     end
-    class Language < Ecosystem::VersionManager
-      extend T::Sig
-      NAME = "node"
-      SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
-      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
-      sig do
-        params(
-          raw_version: T.nilable(String),
-          requirement: T.nilable(Requirement)
-        ).void
-      end
-      def initialize(raw_version, requirement: nil)
-        super(
-          NAME,
-          Version.new(raw_version),
-          DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS,
-          requirement
-        )
-      end
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        false
-      end
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        false
-      end
-    end
     class PackageManagerHelper
       extend T::Sig
       extend T::Helpers
@@ -349,7 +176,7 @@ module Dependabot
       sig { returns(Ecosystem::VersionManager) }
       def language
         @language ||= Language.new(
-          Helpers.node_version,
+          raw_version: Helpers.node_version,
           requirement: language_requirement
         )
       end
@@ -393,6 +220,7 @@ module Dependabot
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/AbcSize
       # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/MethodLength
       sig { params(name: String).returns(T.nilable(T.any(Integer, String))) }
       def setup(name)
         # we prioritize version mentioned in "packageManager" instead of "engines"
@@ -405,6 +233,8 @@ module Dependabot
           return
         end
+        return package_manager.version.to_s if package_manager.deprecated? || package_manager.unsupported?
         if @engines && @manifest_package_manager.nil?
           # if "packageManager" doesn't exists in manifest file,
           # we check if we can extract "engines" information
@@ -453,6 +283,24 @@ module Dependabot
       # rubocop:enable Metrics/CyclomaticComplexity
       # rubocop:enable Metrics/AbcSize
       # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/MethodLength
+      sig { params(name: String).returns(T.nilable(String)) }
+      def detect_version(name)
+        # we prioritize version mentioned in "packageManager" instead of "engines"
+        if @manifest_package_manager&.start_with?("#{name}@")
+          detected_version = @manifest_package_manager.split("@").last.to_s
+        end
+        # if "packageManager" have no version specified, we check if we can extract "engines" information
+        detected_version = check_engine_version(name) if !detected_version || detected_version.empty?
+        # if "packageManager" and "engines" both are not present, we check if we can infer the version
+        # from the manifest file lockfileVersion
+        detected_version = guessed_version(name) if !detected_version || detected_version.empty?
+        detected_version&.to_s
+      end
       sig { params(name: T.nilable(String)).returns(Ecosystem::VersionManager) }
       def package_manager_by_name(name)
@@ -461,6 +309,16 @@ module Dependabot
         name = ensure_valid_package_manager(name)
         package_manager_class = T.must(PACKAGE_MANAGER_CLASSES[name])
+        detected_version = detect_version(name)
+        # if we have a detected version, we check if it is deprecated or unsupported
+        if detected_version
+          package_manager = package_manager_class.new(
+            detected_version: detected_version.to_s
+          )
+          return package_manager if package_manager.deprecated? || package_manager.unsupported?
+        end
         installed_version = installed_version(name)
         Dependabot.logger.info("Installed version for #{name}: #{installed_version}")
@@ -472,9 +330,14 @@ module Dependabot
         end
         package_manager_class.new(
-          installed_version,
+          detected_version: detected_version.to_s,
+          raw_version: installed_version,
           requirement: package_manager_requirement
         )
+      rescue ArgumentError => e
+        raise DependencyFileNotParseable, e.message if e.message.include?(ERROR_MALFORMED_VERSION_NUMBER)
+        raise
       rescue StandardError => e
         Dependabot.logger.error("Error resolving package manager for #{name || 'default'}: #{e.message}")
         raise

data/lib/dependabot/npm_and_yarn/pnpm_package_manager.rb ADDED Viewed

@@ -0,0 +1,55 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/npm_and_yarn/package_manager"
+module Dependabot
+  module NpmAndYarn
+    class PNPMPackageManager < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "pnpm"
+      LOCKFILE_NAME = "pnpm-lock.yaml"
+      PNPM_WS_YML_FILENAME = "pnpm-workspace.yaml"
+      PNPM_V7 = "7"
+      PNPM_V8 = "8"
+      PNPM_V9 = "9"
+      SUPPORTED_VERSIONS = T.let([
+        Version.new(PNPM_V7),
+        Version.new(PNPM_V8),
+        Version.new(PNPM_V9)
+      ].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/sub_dependency_files_filterer.rb CHANGED Viewed

@@ -68,6 +68,7 @@ module Dependabot
           "package-lock.json",
           "yarn.lock",
           "npm-shrinkwrap.json",
+          "bun.lock",
           "pnpm-lock.yaml"
         )
       end

data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb CHANGED Viewed

@@ -49,6 +49,12 @@ module Dependabot
             .select { |f| f.name.end_with?("pnpm-lock.yaml") }
         end
+        def bun_locks
+          @bun_locks ||=
+            dependency_files
+            .select { |f| f.name.end_with?("bun.lock") }
+        end
         def root_yarn_lock
           @root_yarn_lock ||=
             dependency_files
@@ -61,6 +67,12 @@ module Dependabot
             .find { |f| f.name == "pnpm-lock.yaml" }
         end
+        def root_bun_lock
+          @root_bun_lock ||=
+            dependency_files
+            .find { |f| f.name == "bun.lock" }
+        end
         def shrinkwraps
           @shrinkwraps ||=
             dependency_files
@@ -68,7 +80,7 @@ module Dependabot
         end
         def lockfiles
-          [*package_locks, *shrinkwraps, *yarn_locks, *pnpm_locks]
+          [*package_locks, *shrinkwraps, *yarn_locks, *pnpm_locks, *bun_locks]
         end
         def package_files
@@ -89,12 +101,7 @@ module Dependabot
             File.write(f.name, prepared_yarn_lockfile_content(f.content))
           end
-          pnpm_locks.each do |f|
-            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
-            File.write(f.name, f.content)
-          end
-          [*package_locks, *shrinkwraps].each do |f|
+          [*package_locks, *shrinkwraps, *pnpm_locks, *bun_locks].each do |f|
             FileUtils.mkdir_p(Pathname.new(f.name).dirname)
             File.write(f.name, f.content)
           end

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb CHANGED Viewed

@@ -70,6 +70,8 @@ module Dependabot
                             run_yarn_updater(path, lockfile_name)
                           elsif lockfile.name.end_with?("pnpm-lock.yaml")
                             run_pnpm_updater(path, lockfile_name)
+                          elsif lockfile.name.end_with?("bun.lock")
+                            run_bun_updater(path, lockfile_name)
                           elsif !Helpers.npm8?(lockfile)
                             run_npm6_updater(path, lockfile_name)
                           else
@@ -153,6 +155,18 @@ module Dependabot
           end
         end
+        def run_bun_updater(path, lockfile_name)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              Helpers.run_bun_command(
+                "update #{dependency.name} --save-text-lockfile",
+                fingerprint: "update <dependency_name> --save-text-lockfile"
+              )
+              { lockfile_name => File.read(lockfile_name) }
+            end
+          end
+        end
         def run_npm6_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb CHANGED Viewed

@@ -413,6 +413,8 @@ module Dependabot
         end
         def error_details_from_captures(captures)
+          return {} unless captures.is_a?(Hash)
           required_dep_captures  = captures.fetch("required_dep")
           requiring_dep_captures = captures.fetch("requiring_dep")
           return {} unless required_dep_captures && requiring_dep_captures
@@ -549,12 +551,18 @@ module Dependabot
           npm_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.package_locks, path: path)
           return run_npm_checker(path: path, version: version) if npm_lockfiles.any?
+          bun_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.bun_locks, path: path)
+          return run_bun_checker(path: path, version: version) if bun_lockfiles.any?
           root_yarn_lock = dependency_files_builder.root_yarn_lock
           return run_yarn_checker(path: path, version: version, lockfile: root_yarn_lock) if root_yarn_lock
           root_pnpm_lock = dependency_files_builder.root_pnpm_lock
           return run_pnpm_checker(path: path, version: version) if root_pnpm_lock
+          root_bun_lock = dependency_files_builder.root_bun_lock
+          return run_bun_checker(path: path, version: version) if root_bun_lock
           run_npm_checker(path: path, version: version)
         rescue SharedHelpers::HelperSubprocessFailed => e
           handle_peer_dependency_errors(e.message)
@@ -583,6 +591,17 @@ module Dependabot
           end
         end
+        def run_bun_checker(path:, version:)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              Helpers.run_bun_command(
+                "update #{dependency.name}@#{version} --save-text-lockfile",
+                fingerprint: "update <dependency_name>@<version> --save-text-lockfile"
+              )
+            end
+          end
+        end
         def run_yarn_berry_checker(path:, version:)
           # This method mimics calling a native helper in order to comply with the caller's expectations
           # Specifically we add the dependency at the specified updated version

data/lib/dependabot/npm_and_yarn/version.rb CHANGED Viewed

@@ -62,8 +62,10 @@ module Dependabot
       sig { override.params(version: VersionParameter).void }
       def initialize(version)
+        version = clean_version(version)
         @version_string = T.let(version.to_s, String)
-        version = version.gsub(/^v/, "") if version.is_a?(String)
         @build_info = T.let(nil, T.nilable(String))
         version, @build_info = version.to_s.split("+") if version.to_s.include?("+")
@@ -71,6 +73,20 @@ module Dependabot
         super(T.must(version))
       end
+      sig { params(version: VersionParameter).returns(VersionParameter) }
+      def clean_version(version)
+        # Check if version is a string before attempting to match
+        if version.is_a?(String)
+          # Matches @ followed by x.y.z (digits separated by dots)
+          if (match = version.match(/@(\d+\.\d+\.\d+)/))
+            version = match[1] # Just "4.5.3"
+          end
+          version = version&.gsub(/^v/, "")
+        end
+        version
+      end
       sig { override.params(version: VersionParameter).returns(Dependabot::NpmAndYarn::Version) }
       def self.new(version)
         T.cast(super, Dependabot::NpmAndYarn::Version)

data/lib/dependabot/npm_and_yarn/yarn_package_manager.rb ADDED Viewed

@@ -0,0 +1,56 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/npm_and_yarn/package_manager"
+module Dependabot
+  module NpmAndYarn
+    class YarnPackageManager < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "yarn"
+      RC_FILENAME = ".yarnrc"
+      RC_YML_FILENAME = ".yarnrc.yml"
+      LOCKFILE_NAME = "yarn.lock"
+      YARN_V1 = "1"
+      YARN_V2 = "2"
+      YARN_V3 = "3"
+      SUPPORTED_VERSIONS = T.let([
+        Version.new(YARN_V1),
+        Version.new(YARN_V2),
+        Version.new(YARN_V3)
+      ].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.291.0
+  version: 0.293.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-19 00:00:00.000000000 Z
+date: 2025-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.291.0
+        version: 0.293.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.291.0
+        version: 0.293.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -306,15 +306,18 @@ files:
 - helpers/test/yarn/helpers.js
 - helpers/test/yarn/updater.test.js
 - lib/dependabot/npm_and_yarn.rb
+- lib/dependabot/npm_and_yarn/bun_package_manager.rb
 - lib/dependabot/npm_and_yarn/dependency_files_filterer.rb
 - lib/dependabot/npm_and_yarn/file_fetcher.rb
 - lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb
 - lib/dependabot/npm_and_yarn/file_parser.rb
+- lib/dependabot/npm_and_yarn/file_parser/bun_lock.rb
 - lib/dependabot/npm_and_yarn/file_parser/json_lock.rb
 - lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb
 - lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb
 - lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb
 - lib/dependabot/npm_and_yarn/file_updater.rb
+- lib/dependabot/npm_and_yarn/file_updater/bun_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb
 - lib/dependabot/npm_and_yarn/file_updater/package_json_preparer.rb
@@ -322,10 +325,13 @@ files:
 - lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/helpers.rb
+- lib/dependabot/npm_and_yarn/language.rb
 - lib/dependabot/npm_and_yarn/metadata_finder.rb
 - lib/dependabot/npm_and_yarn/native_helpers.rb
+- lib/dependabot/npm_and_yarn/npm_package_manager.rb
 - lib/dependabot/npm_and_yarn/package_manager.rb
 - lib/dependabot/npm_and_yarn/package_name.rb
+- lib/dependabot/npm_and_yarn/pnpm_package_manager.rb
 - lib/dependabot/npm_and_yarn/registry_helper.rb
 - lib/dependabot/npm_and_yarn/registry_parser.rb
 - lib/dependabot/npm_and_yarn/requirement.rb
@@ -342,12 +348,13 @@ files:
 - lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb
 - lib/dependabot/npm_and_yarn/version.rb
 - lib/dependabot/npm_and_yarn/version_selector.rb
+- lib/dependabot/npm_and_yarn/yarn_package_manager.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.291.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.293.0
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -363,7 +370,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.5.9
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Provides Dependabot support for Javascript (npm and yarn)