RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.292.0 → 0.294.0 - Mend

dependabot-npm_and_yarn 0.292.0 → 0.294.0

Files changed (25) hide show

data/lib/dependabot/npm_and_yarn/language.rb ADDED Viewed

@@ -0,0 +1,45 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/npm_and_yarn/package_manager"
+module Dependabot
+  module NpmAndYarn
+    class Language < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "node"
+      SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/npm_package_manager.rb ADDED Viewed

@@ -0,0 +1,70 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/npm_and_yarn/package_manager"
+module Dependabot
+  module NpmAndYarn
+    class NpmPackageManager < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "npm"
+      RC_FILENAME = ".npmrc"
+      LOCKFILE_NAME = "package-lock.json"
+      SHRINKWRAP_LOCKFILE_NAME = "npm-shrinkwrap.json"
+      NPM_V6 = "6"
+      NPM_V7 = "7"
+      NPM_V8 = "8"
+      NPM_V9 = "9"
+      NPM_V10 = "10"
+      # Keep versions in ascending order
+      SUPPORTED_VERSIONS = T.let([
+        Version.new(NPM_V7),
+        Version.new(NPM_V8),
+        Version.new(NPM_V9),
+        Version.new(NPM_V10)
+      ].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([Version.new(NPM_V6)].freeze, T::Array[Dependabot::Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        return false unless detected_version
+        return false if unsupported?
+        return false unless Dependabot::Experiments.enabled?(:npm_v6_deprecation_warning)
+        deprecated_versions.include?(detected_version)
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        return false unless detected_version
+        return false unless Dependabot::Experiments.enabled?(:npm_v6_unsupported_error)
+        supported_versions.all? { |supported| supported > detected_version }
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/package_manager.rb CHANGED Viewed

@@ -6,6 +6,11 @@ require "dependabot/ecosystem"
 require "dependabot/npm_and_yarn/requirement"
 require "dependabot/npm_and_yarn/version_selector"
 require "dependabot/npm_and_yarn/registry_helper"
+require "dependabot/npm_and_yarn/npm_package_manager"
+require "dependabot/npm_and_yarn/yarn_package_manager"
+require "dependabot/npm_and_yarn/pnpm_package_manager"
+require "dependabot/npm_and_yarn/bun_package_manager"
+require "dependabot/npm_and_yarn/language"
 module Dependabot
   module NpmAndYarn
@@ -47,163 +52,6 @@ module Dependabot
     MANIFEST_PACKAGE_MANAGER_KEY = "packageManager"
     MANIFEST_ENGINES_KEY = "engines"
-    class NpmPackageManager < Ecosystem::VersionManager
-      extend T::Sig
-      NAME = "npm"
-      RC_FILENAME = ".npmrc"
-      LOCKFILE_NAME = "package-lock.json"
-      SHRINKWRAP_LOCKFILE_NAME = "npm-shrinkwrap.json"
-      NPM_V6 = "6"
-      NPM_V7 = "7"
-      NPM_V8 = "8"
-      NPM_V9 = "9"
-      NPM_V10 = "10"
-      # Keep versions in ascending order
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(NPM_V7),
-        Version.new(NPM_V8),
-        Version.new(NPM_V9),
-        Version.new(NPM_V10)
-      ].freeze, T::Array[Dependabot::Version])
-      DEPRECATED_VERSIONS = T.let([Version.new(NPM_V6)].freeze, T::Array[Dependabot::Version])
-      sig do
-        params(
-          detected_version: T.nilable(String),
-          raw_version: T.nilable(String),
-          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
-        ).void
-      end
-      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
-        super(
-          name: NAME,
-          detected_version: detected_version ? Version.new(detected_version) : nil,
-          version: raw_version ? Version.new(raw_version) : nil,
-          deprecated_versions: DEPRECATED_VERSIONS,
-          supported_versions: SUPPORTED_VERSIONS,
-          requirement: requirement
-        )
-      end
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        return false unless detected_version
-        return false if unsupported?
-        return false unless Dependabot::Experiments.enabled?(:npm_v6_deprecation_warning)
-        deprecated_versions.include?(detected_version)
-      end
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        return false unless detected_version
-        return false unless Dependabot::Experiments.enabled?(:npm_v6_unsupported_error)
-        supported_versions.all? { |supported| supported > detected_version }
-      end
-    end
-    class YarnPackageManager < Ecosystem::VersionManager
-      extend T::Sig
-      NAME = "yarn"
-      RC_FILENAME = ".yarnrc"
-      RC_YML_FILENAME = ".yarnrc.yml"
-      LOCKFILE_NAME = "yarn.lock"
-      YARN_V1 = "1"
-      YARN_V2 = "2"
-      YARN_V3 = "3"
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(YARN_V1),
-        Version.new(YARN_V2),
-        Version.new(YARN_V3)
-      ].freeze, T::Array[Dependabot::Version])
-      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
-      sig do
-        params(
-          detected_version: T.nilable(String),
-          raw_version: T.nilable(String),
-          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
-        ).void
-      end
-      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
-        super(
-          name: NAME,
-          detected_version: detected_version ? Version.new(detected_version) : nil,
-          version: raw_version ? Version.new(raw_version) : nil,
-          deprecated_versions: DEPRECATED_VERSIONS,
-          supported_versions: SUPPORTED_VERSIONS,
-          requirement: requirement
-        )
-      end
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        false
-      end
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        false
-      end
-    end
-    class PNPMPackageManager < Ecosystem::VersionManager
-      extend T::Sig
-      NAME = "pnpm"
-      LOCKFILE_NAME = "pnpm-lock.yaml"
-      PNPM_WS_YML_FILENAME = "pnpm-workspace.yaml"
-      PNPM_V7 = "7"
-      PNPM_V8 = "8"
-      PNPM_V9 = "9"
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(PNPM_V7),
-        Version.new(PNPM_V8),
-        Version.new(PNPM_V9)
-      ].freeze, T::Array[Dependabot::Version])
-      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
-      sig do
-        params(
-          detected_version: T.nilable(String),
-          raw_version: T.nilable(String),
-          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
-        ).void
-      end
-      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
-        super(
-          name: NAME,
-          detected_version: detected_version ? Version.new(detected_version) : nil,
-          version: raw_version ? Version.new(raw_version) : nil,
-          deprecated_versions: DEPRECATED_VERSIONS,
-          supported_versions: SUPPORTED_VERSIONS,
-          requirement: requirement
-        )
-      end
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        false
-      end
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        false
-      end
-    end
     DEFAULT_PACKAGE_MANAGER = NpmPackageManager::NAME
     # Define a type alias for the expected class interface
@@ -211,16 +59,21 @@ module Dependabot
       T.any(
         T.class_of(Dependabot::NpmAndYarn::NpmPackageManager),
         T.class_of(Dependabot::NpmAndYarn::YarnPackageManager),
-        T.class_of(Dependabot::NpmAndYarn::PNPMPackageManager)
+        T.class_of(Dependabot::NpmAndYarn::PNPMPackageManager),
+        T.class_of(Dependabot::NpmAndYarn::BunPackageManager)
       )
     end
     PACKAGE_MANAGER_CLASSES = T.let({
       NpmPackageManager::NAME => NpmPackageManager,
       YarnPackageManager::NAME => YarnPackageManager,
-      PNPMPackageManager::NAME => PNPMPackageManager
+      PNPMPackageManager::NAME => PNPMPackageManager,
+      BunPackageManager::NAME => BunPackageManager
     }.freeze, T::Hash[String, NpmAndYarnPackageManagerClassType])
+    # Error malformed version number string
+    ERROR_MALFORMED_VERSION_NUMBER = "Malformed version number"
     class PackageManagerDetector
       extend T::Sig
       extend T::Helpers
@@ -285,43 +138,6 @@ module Dependabot
       end
     end
-    class Language < Ecosystem::VersionManager
-      extend T::Sig
-      NAME = "node"
-      SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
-      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
-      sig do
-        params(
-          detected_version: T.nilable(String),
-          raw_version: T.nilable(String),
-          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
-        ).void
-      end
-      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
-        super(
-          name: NAME,
-          detected_version: detected_version ? Version.new(detected_version) : nil,
-          version: raw_version ? Version.new(raw_version) : nil,
-          deprecated_versions: DEPRECATED_VERSIONS,
-          supported_versions: SUPPORTED_VERSIONS,
-          requirement: requirement
-        )
-      end
-      sig { override.returns(T::Boolean) }
-      def deprecated?
-        false
-      end
-      sig { override.returns(T::Boolean) }
-      def unsupported?
-        false
-      end
-    end
     class PackageManagerHelper
       extend T::Sig
       extend T::Helpers
@@ -520,6 +336,10 @@ module Dependabot
           raw_version: installed_version,
           requirement: package_manager_requirement
         )
+      rescue ArgumentError => e
+        raise DependencyFileNotParseable, e.message if e.message.include?(ERROR_MALFORMED_VERSION_NUMBER)
+        raise
       rescue StandardError => e
         Dependabot.logger.error("Error resolving package manager for #{name || 'default'}: #{e.message}")
         raise

data/lib/dependabot/npm_and_yarn/pnpm_package_manager.rb ADDED Viewed

@@ -0,0 +1,55 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/npm_and_yarn/package_manager"
+module Dependabot
+  module NpmAndYarn
+    class PNPMPackageManager < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "pnpm"
+      LOCKFILE_NAME = "pnpm-lock.yaml"
+      PNPM_WS_YML_FILENAME = "pnpm-workspace.yaml"
+      PNPM_V7 = "7"
+      PNPM_V8 = "8"
+      PNPM_V9 = "9"
+      SUPPORTED_VERSIONS = T.let([
+        Version.new(PNPM_V7),
+        Version.new(PNPM_V8),
+        Version.new(PNPM_V9)
+      ].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/sub_dependency_files_filterer.rb CHANGED Viewed

@@ -68,6 +68,7 @@ module Dependabot
           "package-lock.json",
           "yarn.lock",
           "npm-shrinkwrap.json",
+          "bun.lock",
           "pnpm-lock.yaml"
         )
       end

data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb CHANGED Viewed

@@ -49,6 +49,12 @@ module Dependabot
             .select { |f| f.name.end_with?("pnpm-lock.yaml") }
         end
+        def bun_locks
+          @bun_locks ||=
+            dependency_files
+            .select { |f| f.name.end_with?("bun.lock") }
+        end
         def root_yarn_lock
           @root_yarn_lock ||=
             dependency_files
@@ -61,6 +67,12 @@ module Dependabot
             .find { |f| f.name == "pnpm-lock.yaml" }
         end
+        def root_bun_lock
+          @root_bun_lock ||=
+            dependency_files
+            .find { |f| f.name == "bun.lock" }
+        end
         def shrinkwraps
           @shrinkwraps ||=
             dependency_files
@@ -68,7 +80,7 @@ module Dependabot
         end
         def lockfiles
-          [*package_locks, *shrinkwraps, *yarn_locks, *pnpm_locks]
+          [*package_locks, *shrinkwraps, *yarn_locks, *pnpm_locks, *bun_locks]
         end
         def package_files
@@ -89,12 +101,7 @@ module Dependabot
             File.write(f.name, prepared_yarn_lockfile_content(f.content))
           end
-          pnpm_locks.each do |f|
-            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
-            File.write(f.name, f.content)
-          end
-          [*package_locks, *shrinkwraps].each do |f|
+          [*package_locks, *shrinkwraps, *pnpm_locks, *bun_locks].each do |f|
             FileUtils.mkdir_p(Pathname.new(f.name).dirname)
             File.write(f.name, f.content)
           end

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb CHANGED Viewed

@@ -70,6 +70,8 @@ module Dependabot
                             run_yarn_updater(path, lockfile_name)
                           elsif lockfile.name.end_with?("pnpm-lock.yaml")
                             run_pnpm_updater(path, lockfile_name)
+                          elsif lockfile.name.end_with?("bun.lock")
+                            run_bun_updater(path, lockfile_name)
                           elsif !Helpers.npm8?(lockfile)
                             run_npm6_updater(path, lockfile_name)
                           else
@@ -153,6 +155,18 @@ module Dependabot
           end
         end
+        def run_bun_updater(path, lockfile_name)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              Helpers.run_bun_command(
+                "update #{dependency.name} --save-text-lockfile",
+                fingerprint: "update <dependency_name> --save-text-lockfile"
+              )
+              { lockfile_name => File.read(lockfile_name) }
+            end
+          end
+        end
         def run_npm6_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb CHANGED Viewed

@@ -413,6 +413,8 @@ module Dependabot
         end
         def error_details_from_captures(captures)
+          return {} unless captures.is_a?(Hash)
           required_dep_captures  = captures.fetch("required_dep")
           requiring_dep_captures = captures.fetch("requiring_dep")
           return {} unless required_dep_captures && requiring_dep_captures
@@ -549,12 +551,18 @@ module Dependabot
           npm_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.package_locks, path: path)
           return run_npm_checker(path: path, version: version) if npm_lockfiles.any?
+          bun_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.bun_locks, path: path)
+          return run_bun_checker(path: path, version: version) if bun_lockfiles.any?
           root_yarn_lock = dependency_files_builder.root_yarn_lock
           return run_yarn_checker(path: path, version: version, lockfile: root_yarn_lock) if root_yarn_lock
           root_pnpm_lock = dependency_files_builder.root_pnpm_lock
           return run_pnpm_checker(path: path, version: version) if root_pnpm_lock
+          root_bun_lock = dependency_files_builder.root_bun_lock
+          return run_bun_checker(path: path, version: version) if root_bun_lock
           run_npm_checker(path: path, version: version)
         rescue SharedHelpers::HelperSubprocessFailed => e
           handle_peer_dependency_errors(e.message)
@@ -583,6 +591,17 @@ module Dependabot
           end
         end
+        def run_bun_checker(path:, version:)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              Helpers.run_bun_command(
+                "update #{dependency.name}@#{version} --save-text-lockfile",
+                fingerprint: "update <dependency_name>@<version> --save-text-lockfile"
+              )
+            end
+          end
+        end
         def run_yarn_berry_checker(path:, version:)
           # This method mimics calling a native helper in order to comply with the caller's expectations
           # Specifically we add the dependency at the specified updated version

data/lib/dependabot/npm_and_yarn/version.rb CHANGED Viewed

@@ -80,6 +80,10 @@ module Dependabot
           # Matches @ followed by x.y.z (digits separated by dots)
           if (match = version.match(/@(\d+\.\d+\.\d+)/))
             version = match[1] # Just "4.5.3"
+          # Extract version in case the output contains Corepack verbose data
+          elsif version.include?("Corepack")
+            version = T.must(T.must(version.tr("\n", " ").match(/(\d+\.\d+\.\d+)/))[-1])
           end
           version = version&.gsub(/^v/, "")
         end

data/lib/dependabot/npm_and_yarn/yarn_package_manager.rb ADDED Viewed

@@ -0,0 +1,56 @@
+# typed: strong
+# frozen_string_literal: true
+require "dependabot/npm_and_yarn/package_manager"
+module Dependabot
+  module NpmAndYarn
+    class YarnPackageManager < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "yarn"
+      RC_FILENAME = ".yarnrc"
+      RC_YML_FILENAME = ".yarnrc.yml"
+      LOCKFILE_NAME = "yarn.lock"
+      YARN_V1 = "1"
+      YARN_V2 = "2"
+      YARN_V3 = "3"
+      SUPPORTED_VERSIONS = T.let([
+        Version.new(YARN_V1),
+        Version.new(YARN_V2),
+        Version.new(YARN_V3)
+      ].freeze, T::Array[Dependabot::Version])
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+      sig do
+        params(
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
+        super(
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
+        )
+      end
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+  end
+end