RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.292.0 → 0.293.0 - Mend

dependabot-npm_and_yarn 0.292.0 → 0.293.0

Files changed (22) hide show

data/lib/dependabot/npm_and_yarn/file_updater/bun_lockfile_updater.rb ADDED Viewed

@@ -0,0 +1,144 @@
+# typed: true
+# frozen_string_literal: true
+require "dependabot/npm_and_yarn/helpers"
+require "dependabot/npm_and_yarn/update_checker/registry_finder"
+require "dependabot/npm_and_yarn/registry_parser"
+require "dependabot/shared_helpers"
+module Dependabot
+  module NpmAndYarn
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      class BunLockfileUpdater
+        require_relative "npmrc_builder"
+        require_relative "package_json_updater"
+        def initialize(dependencies:, dependency_files:, repo_contents_path:, credentials:)
+          @dependencies = dependencies
+          @dependency_files = dependency_files
+          @repo_contents_path = repo_contents_path
+          @credentials = credentials
+        end
+        def updated_bun_lock_content(bun_lock)
+          @updated_bun_lock_content ||= {}
+          return @updated_bun_lock_content[bun_lock.name] if @updated_bun_lock_content[bun_lock.name]
+          new_content = run_bun_update(bun_lock: bun_lock)
+          @updated_bun_lock_content[bun_lock.name] = new_content
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          handle_bun_lock_updater_error(e, bun_lock)
+        end
+        private
+        attr_reader :dependencies
+        attr_reader :dependency_files
+        attr_reader :repo_contents_path
+        attr_reader :credentials
+        ERR_PATTERNS = {
+          /get .* 404/i => Dependabot::DependencyNotFound,
+          /installfailed cloning repository/i => Dependabot::DependencyNotFound,
+          /file:.* failed to resolve/i => Dependabot::DependencyNotFound,
+          /no version matching/i => Dependabot::DependencyFileNotResolvable,
+          /failed to resolve/i => Dependabot::DependencyFileNotResolvable
+        }.freeze
+        def run_bun_update(bun_lock:)
+          SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
+            File.write(".npmrc", npmrc_content(bun_lock))
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              run_bun_updater
+              write_final_package_json_files
+              run_bun_install
+              File.read(bun_lock.name)
+            end
+          end
+        end
+        def run_bun_updater
+          dependency_updates = dependencies.map do |d|
+            "#{d.name}@#{d.version}"
+          end.join(" ")
+          Helpers.run_bun_command(
+            "install #{dependency_updates} --save-text-lockfile",
+            fingerprint: "install <dependency_updates> --save-text-lockfile"
+          )
+        end
+        def run_bun_install
+          Helpers.run_bun_command(
+            "install --save-text-lockfile"
+          )
+        end
+        def lockfile_dependencies(lockfile)
+          @lockfile_dependencies ||= {}
+          @lockfile_dependencies[lockfile.name] ||=
+            NpmAndYarn::FileParser.new(
+              dependency_files: [lockfile, *package_files],
+              source: nil,
+              credentials: credentials
+            ).parse
+        end
+        def handle_bun_lock_updater_error(error, _bun_lock)
+          error_message = error.message
+          ERR_PATTERNS.each do |pattern, error_class|
+            raise error_class, error_message if error_message.match?(pattern)
+          end
+          raise error
+        end
+        def write_final_package_json_files
+          package_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, updated_package_json_content(file))
+          end
+        end
+        def npmrc_content(bun_lock)
+          NpmrcBuilder.new(
+            credentials: credentials,
+            dependency_files: dependency_files,
+            dependencies: lockfile_dependencies(bun_lock)
+          ).npmrc_content
+        end
+        def updated_package_json_content(file)
+          @updated_package_json_content ||= {}
+          @updated_package_json_content[file.name] ||=
+            PackageJsonUpdater.new(
+              package_json: file,
+              dependencies: dependencies
+            ).updated_package_json.content
+        end
+        def package_files
+          @package_files ||= dependency_files.select { |f| f.name.end_with?("package.json") }
+        end
+        def base_dir
+          dependency_files.first.directory
+        end
+        def npmrc_file
+          dependency_files.find { |f| f.name == ".npmrc" }
+        end
+        def sanitize_message(message)
+          message.gsub(/"|\[|\]|\}|\{/, "")
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb CHANGED Viewed

@@ -62,6 +62,13 @@ module Dependabot
         ERR_PNPM_PATCH_NOT_APPLIED = /ERR_PNPM_PATCH_NOT_APPLIED/
+        # this intermittent issue is related with Node v20
+        ERR_INVALID_THIS = /ERR_INVALID_THIS/
+        URL_SEARCH_PARAMS = /URLSearchParams/
+        # A modules directory is present and is linked to a different store directory.
+        ERR_PNPM_UNEXPECTED_STORE = /ERR_PNPM_UNEXPECTED_STORE/
         # ERR_PNPM_UNSUPPORTED_PLATFORM
         ERR_PNPM_UNSUPPORTED_PLATFORM = /ERR_PNPM_UNSUPPORTED_PLATFORM/
         PLATFORM_PACAKGE_DEP = /Unsupported platform for (?<dep>.*)\: wanted/
@@ -78,6 +85,16 @@ module Dependabot
         ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND = /ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND*.*Could not install from \"(?<dir>.*)\" /
         ERR_PNPM_WORKSPACE_PKG_NOT_FOUND = /ERR_PNPM_WORKSPACE_PKG_NOT_FOUND/
+        # Unparsable package.json file
+        ERR_PNPM_INVALID_PACKAGE_JSON = /Invalid package.json in package/
+        # Unparsable lockfile
+        ERR_PNPM_UNEXPECTED_PKG_CONTENT_IN_STORE = /ERR_PNPM_UNEXPECTED_PKG_CONTENT_IN_STORE/
+        ERR_PNPM_OUTDATED_LOCKFILE = /ERR_PNPM_OUTDATED_LOCKFILE/
+        # Peer dependencies configuration error
+        ERR_PNPM_PEER_DEP_ISSUES = /ERR_PNPM_PEER_DEP_ISSUES/
         def run_pnpm_update(pnpm_lock:)
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
             File.write(".npmrc", npmrc_content(pnpm_lock))
@@ -196,10 +213,39 @@ module Dependabot
             raise Dependabot::DependencyFileNotResolvable, msg
           end
+          if error_message.match?(ERR_PNPM_INVALID_PACKAGE_JSON) || error_message.match?(ERR_PNPM_UNEXPECTED_STORE)
+            msg = "Error while resolving package.json."
+            Dependabot.logger.warn(error_message)
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+          [ERR_PNPM_UNEXPECTED_PKG_CONTENT_IN_STORE, ERR_PNPM_OUTDATED_LOCKFILE]
+            .each do |regexp|
+            next unless error_message.match?(regexp)
+            error_msg = T.let("Error while resolving pnpm-lock.yaml file.", String)
+            Dependabot.logger.warn(error_message)
+            raise Dependabot::DependencyFileNotResolvable, error_msg
+          end
+          if error_message.match?(ERR_PNPM_PEER_DEP_ISSUES)
+            msg = "Missing or invalid configuration while installing peer dependencies."
+            Dependabot.logger.warn(error_message)
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
           raise_patch_dependency_error(error_message) if error_message.match?(ERR_PNPM_PATCH_NOT_APPLIED)
           raise_unsupported_engine_error(error_message, pnpm_lock) if error_message.match?(ERR_PNPM_UNSUPPORTED_ENGINE)
+          if error_message.match?(ERR_INVALID_THIS) && error_message.match?(URL_SEARCH_PARAMS)
+            msg = "Error while resolving dependencies."
+            Dependabot.logger.warn(error_message)
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
           if error_message.match?(ERR_PNPM_UNSUPPORTED_PLATFORM)
             raise_unsupported_platform_error(error_message,
                                              pnpm_lock)

data/lib/dependabot/npm_and_yarn/file_updater.rb CHANGED Viewed

@@ -18,6 +18,7 @@ module Dependabot
       require_relative "file_updater/npm_lockfile_updater"
       require_relative "file_updater/yarn_lockfile_updater"
       require_relative "file_updater/pnpm_lockfile_updater"
+      require_relative "file_updater/bun_lockfile_updater"
       class NoChangeError < StandardError
         extend T::Sig
@@ -189,6 +190,15 @@ module Dependabot
         )
       end
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def bun_locks
+        @bun_locks ||= T.let(
+          filtered_dependency_files
+          .select { |f| f.name.end_with?("bun.lock") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def shrinkwraps
         @shrinkwraps ||= T.let(
@@ -217,6 +227,11 @@ module Dependabot
         pnpm_lock.content != updated_pnpm_lock_content(pnpm_lock)
       end
+      sig { params(bun_lock: Dependabot::DependencyFile).returns(T::Boolean) }
+      def bun_lock_changed?(bun_lock)
+        bun_lock.content != updated_bun_lock_content(bun_lock)
+      end
       sig { params(package_lock: Dependabot::DependencyFile).returns(T::Boolean) }
       def package_lock_changed?(package_lock)
         package_lock.content != updated_lockfile_content(package_lock)
@@ -237,6 +252,8 @@ module Dependabot
         end
       end
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/PerceivedComplexity
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def updated_lockfiles
         updated_files = []
@@ -259,6 +276,15 @@ module Dependabot
           )
         end
+        bun_locks.each do |bun_lock|
+          next unless bun_lock_changed?(bun_lock)
+          updated_files << updated_file(
+            file: bun_lock,
+            content: updated_bun_lock_content(bun_lock)
+          )
+        end
         package_locks.each do |package_lock|
           next unless package_lock_changed?(package_lock)
@@ -279,6 +305,8 @@ module Dependabot
         updated_files
       end
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/PerceivedComplexity
       sig { params(yarn_lock: Dependabot::DependencyFile).returns(String) }
       def updated_yarn_lock_content(yarn_lock)
@@ -294,6 +322,13 @@ module Dependabot
           pnpm_lockfile_updater.updated_pnpm_lock_content(pnpm_lock)
       end
+      sig { params(bun_lock: Dependabot::DependencyFile).returns(String) }
+      def updated_bun_lock_content(bun_lock)
+        @updated_bun_lock_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
+        @updated_bun_lock_content[bun_lock.name] ||=
+          bun_lockfile_updater.updated_bun_lock_content(bun_lock)
+      end
       sig { returns(Dependabot::NpmAndYarn::FileUpdater::YarnLockfileUpdater) }
       def yarn_lockfile_updater
         @yarn_lockfile_updater ||= T.let(
@@ -320,6 +355,19 @@ module Dependabot
         )
       end
+      sig { returns(Dependabot::NpmAndYarn::FileUpdater::BunLockfileUpdater) }
+      def bun_lockfile_updater
+        @bun_lockfile_updater ||= T.let(
+          BunLockfileUpdater.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files,
+            repo_contents_path: repo_contents_path,
+            credentials: credentials
+          ),
+          T.nilable(Dependabot::NpmAndYarn::FileUpdater::BunLockfileUpdater)
+        )
+      end
       sig { params(file: Dependabot::DependencyFile).returns(T.nilable(String)) }
       def updated_lockfile_content(file)
         @updated_lockfile_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))

data/lib/dependabot/npm_and_yarn/helpers.rb CHANGED Viewed

@@ -29,6 +29,10 @@ module Dependabot
       PNPM_DEFAULT_VERSION = PNPM_V9
       PNPM_FALLBACK_VERSION = PNPM_V6
+      # BUN Version Constants
+      BUN_V1 = 1
+      BUN_DEFAULT_VERSION = BUN_V1
       # YARN Version Constants
       YARN_V3 = 3
       YARN_V2 = 2
@@ -159,6 +163,11 @@ module Dependabot
         PNPM_FALLBACK_VERSION
       end
+      sig { params(_bun_lock: T.nilable(DependencyFile)).returns(Integer) }
+      def self.bun_version_numeric(_bun_lock)
+        BUN_DEFAULT_VERSION
+      end
       sig { params(key: String, default_value: String).returns(T.untyped) }
       def self.fetch_yarnrc_yml_value(key, default_value)
         if File.exist?(".yarnrc.yml") && (yarnrc = YAML.load_file(".yarnrc.yml"))
@@ -352,6 +361,35 @@ module Dependabot
         raise
       end
+      sig { returns(T.nilable(String)) }
+      def self.bun_version
+        version = run_bun_command("--version", fingerprint: "--version").strip
+        if version.include?("+")
+          version.split("+").first # Remove build info, if present
+        end
+      rescue StandardError => e
+        Dependabot.logger.error("Error retrieving Bun version: #{e.message}")
+        nil
+      end
+      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
+      def self.run_bun_command(command, fingerprint: nil)
+        full_command = "bun #{command}"
+        Dependabot.logger.info("Running bun command: #{full_command}")
+        result = Dependabot::SharedHelpers.run_shell_command(
+          full_command,
+          fingerprint: "bun #{fingerprint || command}"
+        )
+        Dependabot.logger.info("Command executed successfully: #{full_command}")
+        result
+      rescue StandardError => e
+        Dependabot.logger.error("Error running bun command: #{full_command}, Error: #{e.message}")
+        raise
+      end
       # Setup yarn and run a single yarn command returning stdout/stderr
       sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
       def self.run_yarn_command(command, fingerprint: nil)
@@ -496,6 +534,8 @@ module Dependabot
         ).returns(String)
       end
       def self.package_manager_run_command(name, command, fingerprint: nil)
+        return run_bun_command(command, fingerprint: fingerprint) if name == BunPackageManager::NAME
         full_command = "corepack #{name} #{command}"
         result = Dependabot::SharedHelpers.run_shell_command(

data/lib/dependabot/npm_and_yarn/language.rb ADDED Viewed

@@ -0,0 +1,45 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/npm_and_yarn/package_manager"
+module Dependabot
+  module NpmAndYarn
+    class Language < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "node"
+      SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/npm_package_manager.rb ADDED Viewed

@@ -0,0 +1,70 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/npm_and_yarn/package_manager"
+module Dependabot
+  module NpmAndYarn
+    class NpmPackageManager < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "npm"
+      RC_FILENAME = ".npmrc"
+      LOCKFILE_NAME = "package-lock.json"
+      SHRINKWRAP_LOCKFILE_NAME = "npm-shrinkwrap.json"
+      NPM_V6 = "6"
+      NPM_V7 = "7"
+      NPM_V8 = "8"
+      NPM_V9 = "9"
+      NPM_V10 = "10"
+      # Keep versions in ascending order
+      SUPPORTED_VERSIONS = T.let([
+        Version.new(NPM_V7),
+        Version.new(NPM_V8),
+        Version.new(NPM_V9),
+        Version.new(NPM_V10)
+      ].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([Version.new(NPM_V6)].freeze, T::Array[Dependabot::Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        return false unless detected_version
+        return false if unsupported?
+        return false unless Dependabot::Experiments.enabled?(:npm_v6_deprecation_warning)
+        deprecated_versions.include?(detected_version)
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        return false unless detected_version
+        return false unless Dependabot::Experiments.enabled?(:npm_v6_unsupported_error)
+        supported_versions.all? { |supported| supported > detected_version }
+      end
+    end
+  end
+end