dependabot-npm_and_yarn 0.292.0 → 0.294.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e406eab7c13be2bea1200de0103017da062fcd4eda7b30652cc697cf2529c2de
-  data.tar.gz: c41b184b80a82577f5ed87eb4df0c0c4bff862350afe5f992b75f04ac6e69f96
+  metadata.gz: 72e338772b3c3aac3cf86538fc2d70dbbc45f5f7cb854cd7fd74913b140fe056
+  data.tar.gz: 1856c138b871ebe80e5cc6faa5984ba80c10b342aa8bf0822e325e5a31a3f815
 SHA512:
-  metadata.gz: 535024739c08d5e33e7a53a300a75f16009c8227a27b27c8c758501b6328865db2ebeaaace0bc8ae94d5f199d93bd63f76f98164e1524df7896c22784aa04975
-  data.tar.gz: e12a28a7d0933ad3fc4ccff35d36948e42b9ea9c884a132f7aed5bd9c33b67ad61037f0b29975c5fc04329a64ef7bcc8703ce3c684e4e278168706eecd1a37a7
+  metadata.gz: 0e3267d0aafcf35e345505c87a23b2b783cfc36377e46f5f10875a4bd8b0c4fe201b6dea0dbed75463b75dccba175014af850451cfc52b39c0a2a410a5c5ab34
+  data.tar.gz: a1c6be5ccbebcf43a76a51d7871a37743428f052c734a985a48fc90d4b1e2944679a8b6eb17910a8ef7e14c69dbe46d9761319b28d6a57d7dcbac7e94fbb9c09

data/helpers/lib/npm/vulnerability-auditor.js

@@ -97,9 +97,9 @@ async function findVulnerableDependencies(directory, advisories) {
 
     for (const group of groupedFixUpdateChains.values()) {
       const fixUpdateNode = group[0].nodes[0]
-      const groupTopLevelAncestors = group.reduce((anc, chain) => {
+      const groupTopLevelAncestors = group.reduce((ancestor, chain) => {
         const topLevelNode = chain.nodes[chain.nodes.length - 1]
-        return anc.add(topLevelNode.name)
+        return ancestor.add(topLevelNode.name)
       }, new Set())
 
       // Add group's top-level ancestors to the set of all top-level ancestors of
@@ -269,23 +269,23 @@ const maybeReadFile = file => {
 }
 
 function loadCACerts(npmConfig) {
-    if (npmConfig.ca) {
-      return npmConfig.ca
-    }
+  if (npmConfig.ca) {
+    return npmConfig.ca
+  }
 
-    if (!npmConfig.cafile) {
-      return
-    }
+  if (!npmConfig.cafile) {
+    return
+  }
 
-    const raw = maybeReadFile(npmConfig.cafile)
-    if (!raw) {
-      return
-    }
+  const raw = maybeReadFile(npmConfig.cafile)
+  if (!raw) {
+    return
+  }
 
-    const delim = '-----END CERTIFICATE-----'
-    return raw.replace(/\r\n/g, '\n').split(delim)
-      .filter(section => section.trim())
-      .map(section => section.trimStart() + delim)
+  const delim = '-----END CERTIFICATE-----'
+  return raw.replace(/\r\n/g, '\n').split(delim)
+    .filter(section => section.trim())
+    .map(section => section.trimStart() + delim)
 }
 
 module.exports = { findVulnerableDependencies }

data/helpers/lib/npm6/updater.js

@@ -113,7 +113,7 @@ function flattenAllDependencies(manifest) {
   );
 }
 
-// NOTE: Re-used in npm 7 updater
+// NOTE: Reused in npm 7 updater
 function installArgs(
   depName,
   desiredVersion,

data/lib/dependabot/npm_and_yarn/bun_package_manager.rb

@@ -0,0 +1,46 @@
+# typed: strong
+# frozen_string_literal: true
+
+module Dependabot
+  module NpmAndYarn
+    class BunPackageManager < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "bun"
+      LOCKFILE_NAME = "bun.lock"
+
+      # In Bun 1.1.39, the lockfile format was changed from a binary bun.lockb to a text-based bun.lock.
+      # https://bun.sh/blog/bun-lock-text-lockfile
+      MIN_SUPPORTED_VERSION = Version.new("1.1.39")
+      SUPPORTED_VERSIONS = T.let([MIN_SUPPORTED_VERSION].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/dependency_files_filterer.rb

@@ -82,7 +82,7 @@ module Dependabot
 
       sig { params(lockfile: DependencyFile).returns(T::Boolean) }
       def workspaces_lockfile?(lockfile)
-        return false unless ["yarn.lock", "package-lock.json", "pnpm-lock.yaml"].include?(lockfile.name)
+        return false unless ["yarn.lock", "package-lock.json", "pnpm-lock.yaml", "bun.lock"].include?(lockfile.name)
 
         return false unless parsed_root_package_json["workspaces"] || dependency_files.any? do |file|
           file.name.end_with?("pnpm-workspace.yaml") && File.dirname(file.name) == File.dirname(lockfile.name)
@@ -148,6 +148,7 @@ module Dependabot
           "package-lock.json",
           "yarn.lock",
           "pnpm-lock.yaml",
+          "bun.lock",
           "npm-shrinkwrap.json"
         )
       end

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -68,6 +68,7 @@ module Dependabot
         package_managers["npm"] = npm_version if npm_version
         package_managers["yarn"] = yarn_version if yarn_version
         package_managers["pnpm"] = pnpm_version if pnpm_version
+        package_managers["bun"] = bun_version if bun_version
         package_managers["unknown"] = 1 if package_managers.empty?
 
         {
@@ -83,6 +84,7 @@ module Dependabot
         fetched_files += npm_files if npm_version
         fetched_files += yarn_files if yarn_version
         fetched_files += pnpm_files if pnpm_version
+        fetched_files += bun_files if bun_version
         fetched_files += lerna_files
         fetched_files += workspace_package_jsons
         fetched_files += path_dependencies(fetched_files)
@@ -120,6 +122,13 @@ module Dependabot
         fetched_pnpm_files
       end
 
+      sig { returns(T::Array[DependencyFile]) }
+      def bun_files
+        fetched_bun_files = []
+        fetched_bun_files << bun_lock if bun_lock
+        fetched_bun_files
+      end
+
       sig { returns(T::Array[DependencyFile]) }
       def lerna_files
         fetched_lerna_files = []
@@ -202,6 +211,16 @@ module Dependabot
         )
       end
 
+      sig { returns(T.nilable(T.any(Integer, String))) }
+      def bun_version
+        return @bun_version = nil unless allow_beta_ecosystems?
+
+        @bun_version ||= T.let(
+          package_manager_helper.setup(BunPackageManager::NAME),
+          T.nilable(T.any(Integer, String))
+        )
+      end
+
       sig { returns(PackageManagerHelper) }
       def package_manager_helper
         @package_manager_helper ||= T.let(
@@ -219,7 +238,8 @@ module Dependabot
         {
           npm: package_lock || shrinkwrap,
           yarn: yarn_lock,
-          pnpm: pnpm_lock
+          pnpm: pnpm_lock,
+          bun: bun_lock
         }
       end
 
@@ -261,17 +281,18 @@ module Dependabot
 
         return @pnpm_lock if @pnpm_lock || directory == "/"
 
-        # Loop through parent directories looking for a pnpm-lock
-        (1..directory.split("/").count).each do |i|
-          @pnpm_lock = fetch_file_from_host(("../" * i) + PNPMPackageManager::LOCKFILE_NAME)
-                       .tap { |f| f.support_file = true }
-          break if @pnpm_lock
-        rescue Dependabot::DependencyFileNotFound
-          # Ignore errors (pnpm_lock.yaml may not be present)
-          nil
-        end
+        @pnpm_lock = fetch_file_from_parent_directories(PNPMPackageManager::LOCKFILE_NAME)
+      end
+
+      sig { returns(T.nilable(DependencyFile)) }
+      def bun_lock
+        return @bun_lock if defined?(@bun_lock)
+
+        @bun_lock ||= T.let(fetch_file_if_present(BunPackageManager::LOCKFILE_NAME), T.nilable(DependencyFile))
+
+        return @bun_lock if @bun_lock || directory == "/"
 
-        @pnpm_lock
+        @bun_lock = fetch_file_from_parent_directories(BunPackageManager::LOCKFILE_NAME)
       end
 
       sig { returns(T.nilable(DependencyFile)) }
@@ -294,17 +315,7 @@ module Dependabot
 
         return @npmrc if @npmrc || directory == "/"
 
-        # Loop through parent directories looking for an npmrc
-        (1..directory.split("/").count).each do |i|
-          @npmrc = fetch_file_from_host(("../" * i) + NpmPackageManager::RC_FILENAME)
-                   .tap { |f| f.support_file = true }
-          break if @npmrc
-        rescue Dependabot::DependencyFileNotFound
-          # Ignore errors (.npmrc may not be present)
-          nil
-        end
-
-        @npmrc
+        @npmrc = fetch_file_from_parent_directories(NpmPackageManager::RC_FILENAME)
       end
 
       sig { returns(T.nilable(DependencyFile)) }
@@ -315,17 +326,7 @@ module Dependabot
 
         return @yarnrc if @yarnrc || directory == "/"
 
-        # Loop through parent directories looking for an yarnrc
-        (1..directory.split("/").count).each do |i|
-          @yarnrc = fetch_file_from_host(("../" * i) + YarnPackageManager::RC_FILENAME)
-                    .tap { |f| f.support_file = true }
-          break if @yarnrc
-        rescue Dependabot::DependencyFileNotFound
-          # Ignore errors (.yarnrc may not be present)
-          nil
-        end
-
-        @yarnrc
+        @yarnrc = fetch_file_from_parent_directories(YarnPackageManager::RC_FILENAME)
       end
 
       sig { returns(T.nilable(DependencyFile)) }
@@ -452,6 +453,15 @@ module Dependabot
 
         resolution_deps = resolution_objects.flat_map(&:to_a)
                                             .map do |path, value|
+          # skip dependencies that contain invalid values such as inline comments, null, etc.
+
+          unless value.is_a?(String)
+            Dependabot.logger.warn("File fetcher: Skipping dependency \"#{path}\" " \
+                                   "with value: \"#{value}\"")
+
+            next
+          end
+
           convert_dependency_path_to_name(path, value)
         end
 
@@ -644,8 +654,8 @@ module Dependabot
       def parsed_pnpm_workspace_yaml
         return {} unless pnpm_workspace_yaml
 
-        YAML.safe_load(T.must(T.must(pnpm_workspace_yaml).content))
-      rescue Psych::SyntaxError
+        YAML.safe_load(T.must(T.must(pnpm_workspace_yaml).content), aliases: true)
+      rescue Psych::SyntaxError, Psych::BadAlias
         raise Dependabot::DependencyFileNotParseable, T.must(pnpm_workspace_yaml).path
       end
 
@@ -699,6 +709,22 @@ module Dependabot
           Dependabot.logger.info("Repository contents path does not exist")
         end
       end
+
+      sig { params(filename: String).returns(T.nilable(DependencyFile)) }
+      def fetch_file_with_support(filename)
+        fetch_file_from_host(filename).tap { |f| f.support_file = true }
+      rescue Dependabot::DependencyFileNotFound
+        nil
+      end
+
+      sig { params(filename: String).returns(T.nilable(DependencyFile)) }
+      def fetch_file_from_parent_directories(filename)
+        (1..directory.split("/").count).each do |i|
+          file = fetch_file_with_support(("../" * i) + filename)
+          return file if file
+        end
+        nil
+      end
     end
   end
 end

data/lib/dependabot/npm_and_yarn/file_parser/bun_lock.rb

@@ -0,0 +1,141 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "yaml"
+require "dependabot/errors"
+require "dependabot/npm_and_yarn/helpers"
+require "sorbet-runtime"
+
+module Dependabot
+  module NpmAndYarn
+    class FileParser < Dependabot::FileParsers::Base
+      class BunLock
+        extend T::Sig
+
+        sig { params(dependency_file: DependencyFile).void }
+        def initialize(dependency_file)
+          @dependency_file = dependency_file
+        end
+
+        sig { returns(T::Hash[String, T.untyped]) }
+        def parsed
+          @parsed ||= begin
+            content = begin
+              # Since bun.lock is a JSONC file, which is a subset of YAML, we can use YAML to parse it
+              YAML.load(T.must(@dependency_file.content))
+            rescue Psych::SyntaxError => e
+              raise_invalid!("malformed JSONC at line #{e.line}, column #{e.column}")
+            end
+            raise_invalid!("expected to be an object") unless content.is_a?(Hash)
+
+            version = content["lockfileVersion"]
+            raise_invalid!("expected 'lockfileVersion' to be an integer") unless version.is_a?(Integer)
+            raise_invalid!("expected 'lockfileVersion' to be >= 0") unless version >= 0
+            raise_invalid!("unsupported 'lockfileVersion' = #{version}") unless version.zero?
+
+            T.let(content, T.untyped)
+          end
+        end
+
+        sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+        def dependencies
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+
+          # bun.lock v0 format:
+          # https://github.com/oven-sh/bun/blob/c130df6c589fdf28f9f3c7f23ed9901140bc9349/src/install/bun.lock.zig#L595-L605
+
+          packages = parsed["packages"]
+          raise_invalid!("expected 'packages' to be an object") unless packages.is_a?(Hash)
+
+          packages.each do |key, details|
+            raise_invalid!("expected 'packages.#{key}' to be an array") unless details.is_a?(Array)
+
+            resolution = details.first
+            raise_invalid!("expected 'packages.#{key}[0]' to be a string") unless resolution.is_a?(String)
+
+            name, version = resolution.split(/(?<=\w)\@/)
+            next if name.empty?
+
+            semver = Version.semver_for(version)
+            next unless semver
+
+            dependency_set << Dependency.new(
+              name: name,
+              version: semver.to_s,
+              package_manager: "npm_and_yarn",
+              requirements: []
+            )
+          end
+
+          dependency_set
+        end
+
+        sig do
+          params(dependency_name: String, requirement: T.untyped, _manifest_name: String)
+            .returns(T.nilable(T::Hash[String, T.untyped]))
+        end
+        def details(dependency_name, requirement, _manifest_name)
+          packages = parsed["packages"]
+          return unless packages.is_a?(Hash)
+
+          candidates =
+            packages
+            .select { |name, _| name == dependency_name }
+            .values
+
+          # If there's only one entry for this dependency, use it, even if
+          # the requirement in the lockfile doesn't match
+          if candidates.one?
+            parse_details(candidates.first)
+          else
+            candidate = candidates.find do |label, _|
+              label.scan(/(?<=\w)\@(?:npm:)?([^\s,]+)/).flatten.include?(requirement)
+            end&.last
+            parse_details(candidate)
+          end
+        end
+
+        private
+
+        sig { params(message: String).void }
+        def raise_invalid!(message)
+          raise Dependabot::DependencyFileNotParseable.new(@dependency_file.path, "Invalid bun.lock file: #{message}")
+        end
+
+        sig do
+          params(entry: T.nilable(T::Array[T.untyped])).returns(T.nilable(T::Hash[String, T.untyped]))
+        end
+        def parse_details(entry)
+          return unless entry.is_a?(Array)
+
+          # Either:
+          # - "{name}@{version}", registry, details, integrity
+          # - "{name}@{resolution}", details
+          resolution = entry.first
+          return unless resolution.is_a?(String)
+
+          name, version = resolution.split(/(?<=\w)\@/)
+          semver = Version.semver_for(version)
+
+          if semver
+            registry, details, integrity = entry[1..3]
+            {
+              "name" => name,
+              "version" => semver.to_s,
+              "registry" => registry,
+              "details" => details,
+              "integrity" => integrity
+            }
+          else
+            details = entry[1]
+            {
+              "name" => name,
+              "resolution" => version,
+              "details" => details
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb

@@ -15,6 +15,11 @@ module Dependabot
         require "dependabot/npm_and_yarn/file_parser/yarn_lock"
         require "dependabot/npm_and_yarn/file_parser/pnpm_lock"
         require "dependabot/npm_and_yarn/file_parser/json_lock"
+        require "dependabot/npm_and_yarn/file_parser/bun_lock"
+
+        DEFAULT_LOCKFILES = %w(package-lock.json yarn.lock pnpm-lock.yaml bun.lock npm-shrinkwrap.json).freeze
+
+        LockFile = T.type_alias { T.any(JsonLock, YarnLock, PnpmLock, BunLock) }
 
         sig { params(dependency_files: T::Array[DependencyFile]).void }
         def initialize(dependency_files:)
@@ -29,7 +34,7 @@ module Dependabot
           # end up unique by name. That's not a perfect representation of
           # the nested nature of JS resolution, but it makes everything work
           # comparably to other flat-resolution strategies
-          (yarn_locks + pnpm_locks + package_locks + shrinkwraps).each do |file|
+          (yarn_locks + pnpm_locks + package_locks + bun_locks + shrinkwraps).each do |file|
             dependency_set += lockfile_for(file).dependencies
           end
 
@@ -64,58 +69,59 @@ module Dependabot
         sig { params(manifest_filename: String).returns(T::Array[DependencyFile]) }
         def potential_lockfiles_for_manifest(manifest_filename)
           dir_name = File.dirname(manifest_filename)
-          possible_lockfile_names =
-            %w(package-lock.json npm-shrinkwrap.json pnpm-lock.yaml yarn.lock).map do |f|
-              Pathname.new(File.join(dir_name, f)).cleanpath.to_path
-            end +
-            %w(yarn.lock pnpm-lock.yaml package-lock.json npm-shrinkwrap.json)
+          possible_lockfile_names = DEFAULT_LOCKFILES.map do |f|
+            Pathname.new(File.join(dir_name, f)).cleanpath.to_path
+          end + DEFAULT_LOCKFILES
 
           possible_lockfile_names.uniq
                                  .filter_map { |nm| dependency_files.find { |f| f.name == nm } }
         end
 
-        sig { params(file: DependencyFile).returns(T.any(JsonLock, YarnLock, PnpmLock)) }
+        sig { params(file: DependencyFile).returns(LockFile) }
         def lockfile_for(file)
-          @lockfiles ||= T.let({}, T.nilable(T::Hash[String, T.any(JsonLock, YarnLock, PnpmLock)]))
-          @lockfiles[file.name] ||= if [*package_locks, *shrinkwraps].include?(file)
+          @lockfiles ||= T.let({}, T.nilable(T::Hash[String, LockFile]))
+          @lockfiles[file.name] ||= case file.name
+                                    when *package_locks.map(&:name), *shrinkwraps.map(&:name)
                                       JsonLock.new(file)
-                                    elsif yarn_locks.include?(file)
+                                    when *yarn_locks.map(&:name)
                                       YarnLock.new(file)
-                                    else
+                                    when *pnpm_locks.map(&:name)
                                       PnpmLock.new(file)
+                                    when *bun_locks.map(&:name)
+                                      BunLock.new(file)
+                                    else
+                                      raise "Unexpected lockfile: #{file.name}"
                                     end
         end
 
+        sig { params(extension: String).returns(T::Array[DependencyFile]) }
+        def select_files_by_extension(extension)
+          dependency_files.select { |f| f.name.end_with?(extension) }
+        end
+
         sig { returns(T::Array[DependencyFile]) }
         def package_locks
-          @package_locks ||= T.let(
-            dependency_files
-            .select { |f| f.name.end_with?("package-lock.json") }, T.nilable(T::Array[DependencyFile])
-          )
+          @package_locks ||= T.let(select_files_by_extension("package-lock.json"), T.nilable(T::Array[DependencyFile]))
         end
 
         sig { returns(T::Array[DependencyFile]) }
         def pnpm_locks
-          @pnpm_locks ||= T.let(
-            dependency_files
-            .select { |f| f.name.end_with?("pnpm-lock.yaml") }, T.nilable(T::Array[DependencyFile])
-          )
+          @pnpm_locks ||= T.let(select_files_by_extension("pnpm-lock.yaml"), T.nilable(T::Array[DependencyFile]))
+        end
+
+        sig { returns(T::Array[DependencyFile]) }
+        def bun_locks
+          @bun_locks ||= T.let(select_files_by_extension("bun.lock"), T.nilable(T::Array[DependencyFile]))
         end
 
         sig { returns(T::Array[DependencyFile]) }
         def yarn_locks
-          @yarn_locks ||= T.let(
-            dependency_files
-            .select { |f| f.name.end_with?("yarn.lock") }, T.nilable(T::Array[DependencyFile])
-          )
+          @yarn_locks ||= T.let(select_files_by_extension("yarn.lock"), T.nilable(T::Array[DependencyFile]))
         end
 
         sig { returns(T::Array[DependencyFile]) }
         def shrinkwraps
-          @shrinkwraps ||= T.let(
-            dependency_files
-            .select { |f| f.name.end_with?("npm-shrinkwrap.json") }, T.nilable(T::Array[DependencyFile])
-          )
+          @shrinkwraps ||= T.let(select_files_by_extension("npm-shrinkwrap.json"), T.nilable(T::Array[DependencyFile]))
         end
 
         sig { returns(T.class_of(Dependabot::NpmAndYarn::Version)) }

data/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb

@@ -26,6 +26,10 @@ module Dependabot
         end
 
         def dependencies
+          if Dependabot::Experiments.enabled?(:enable_fix_for_pnpm_no_change_error)
+            return dependencies_with_prioritization
+          end
+
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
           parsed.each do |details|
@@ -52,6 +56,49 @@ module Dependabot
           dependency_set
         end
 
+        def dependencies_with_prioritization
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+
+          # Separate dependencies into two categories: with specifiers and without specifiers.
+          dependencies_with_specifiers = [] # Main dependencies with specifiers.
+          dependencies_without_specifiers = [] # Subdependencies without specifiers.
+
+          parsed.each do |details|
+            next if details["aliased"]
+
+            name = details["name"]
+            version = details["version"]
+
+            dependency_args = {
+              name: name,
+              version: version,
+              package_manager: "npm_and_yarn",
+              requirements: []
+            }
+
+            # Add metadata for subdependencies if marked as a dev dependency.
+            dependency_args[:subdependency_metadata] = [{ production: !details["dev"] }] if details["dev"]
+
+            specifiers = details["specifiers"]
+            if specifiers&.any?
+              dependencies_with_specifiers << dependency_args
+            else
+              dependencies_without_specifiers << dependency_args
+            end
+          end
+
+          # Add prioritized dependencies to the dependency set.
+          dependencies_with_specifiers.each do |dependency_args|
+            dependency_set << Dependency.new(**dependency_args)
+          end
+
+          dependencies_without_specifiers.each do |dependency_args|
+            dependency_set << Dependency.new(**dependency_args)
+          end
+
+          dependency_set
+        end
+
         def details(dependency_name, requirement, _manifest_name)
           details_candidates = parsed.select { |info| info["name"] == dependency_name }