dependabot-npm_and_yarn 0.303.0 → 0.304.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ad45cf35ecbd2646efac000b10b1e75788d1b14717df839f7cecbdd8b0f528da
-  data.tar.gz: a5263324b67553166c24f348da59a0845fec2d9c97562fc4db80474fd936feaf
+  metadata.gz: 03ceb27ff40ce2354675588a932c77c0aba9957d7ada32b82c73edcd4566c470
+  data.tar.gz: 9670f9f1102fe62f0b2d838aa359300040f486b93a181f768bb96869f514b15e
 SHA512:
-  metadata.gz: f7e9fc7913ca0366e0eb18b31ab9add1e7007d575993b1e85f10401b66ffcd003a5d517de9c31ab0e39628d3f00aad1a904076fe0ca1de297c3b3985c4071734
-  data.tar.gz: 04e7fa3cc8372cd13778b191bd68e5e9aecd5cf33989f8e2c7e10bbb1b98f3daa10b3da59d5b4bbf6d2c6cb04d7a63a0e665712bbf623822d68cf7f755f1e0c5
+  metadata.gz: c1891b008fe1683848ee2cbc5e0d2b28276e88e6cf728a5c5233bbf1f13b6dfc1c01ea48c575297e26a9ce9b0e89dbe3f98bb85055fcb4f17c6c31583363c4cb
+  data.tar.gz: e4e953398df4515cc1f81a894a4d24173e3a453f482ee3b33cc12eedd76bf7160131704ddf25f16bc9bff6ee27da15d813905c10dc93505879d46211aaf37b57

data/lib/dependabot/npm_and_yarn/package/package_details_fetcher.rb

@@ -14,6 +14,29 @@ module Dependabot
       class PackageDetailsFetcher
         extend T::Sig
 
+        GLOBAL_REGISTRY = "registry.npmjs.org"
+        NPM_OFFICIAL_WEBSITE = "https://www.npmjs.com"
+
+        API_AUTHORIZATION_KEY = "Authorization"
+        API_AUTHORIZATION_VALUE_BASIC_PREFIX = "Basic"
+        API_RESPONSE_STATUS_SUCCESS_PREFIX = "2"
+
+        RELEASE_TIME_KEY = "time"
+        RELEASE_VERSIONS_KEY = "versions"
+        RELEASE_DIST_TAGS_KEY = "dist-tags"
+        RELEASE_DIST_TAGS_LATEST_KEY = "latest"
+        RELEASE_ENGINES_KEY = "engines"
+        RELEASE_LANGUAGE_KEY = "node"
+        RELEASE_DEPRECATION_KEY = "deprecated"
+        RELEASE_REPOSITORY_KEY = "repository"
+        RELEASE_PACKAGE_TYPE_KEY = "type"
+        RELEASE_PACKAGE_TYPE_GIT = "git"
+        RELEASE_PACKAGE_TYPE_NPM = "npm"
+
+        REGISTRY_FILE_NPMRC = ".npmrc"
+        REGISTRY_FILE_YARNRC = ".yarnrc"
+        REGISTRY_FILE_YARNRC_YML = ".yarnrc.yml"
+
         sig do
           params(
             dependency: Dependabot::Dependency,
@@ -33,6 +56,8 @@ module Dependabot
           @npm_details = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
           @dist_tags = T.let(nil, T.nilable(T::Hash[String, String]))
           @registry_finder = T.let(nil, T.nilable(Package::RegistryFinder))
+          @version_endpoint_working = T.let(nil, T.nilable(T::Boolean))
+          @yanked = T.let({}, T::Hash[Gem::Version, T.nilable(T::Boolean)])
         end
 
         sig { returns(Dependabot::Dependency) }
@@ -46,7 +71,7 @@ module Dependabot
 
         sig { returns(T.nilable(Dependabot::Package::PackageDetails)) }
         def fetch
-          package_data = fetch_npm_details
+          package_data = npm_details
           Dependabot::Package::PackageDetails.new(
             dependency: @dependency,
             releases: package_data ? parse_versions(package_data) : [],
@@ -64,27 +89,91 @@ module Dependabot
           @npm_details ||= fetch_npm_details
         end
 
+        sig { returns(T::Boolean) }
+        def custom_registry?
+          registry_finder.custom_registry?
+        end
+
+        sig { returns(String) }
+        def dependency_url
+          registry_finder.dependency_url
+        end
+
+        sig { params(version: Gem::Version).returns(T::Boolean) }
+        def yanked?(version)
+          return @yanked[version] || false if @yanked.key?(version)
+
+          @yanked[version] =
+            begin
+              if dependency_registry == GLOBAL_REGISTRY
+                status = Dependabot::RegistryClient.head(
+                  url: registry_finder.tarball_url(version),
+                  headers: registry_auth_headers
+                ).status
+              else
+                status = Dependabot::RegistryClient.get(
+                  url: dependency_url + "/#{version}",
+                  headers: registry_auth_headers
+                ).status
+
+                if status == 404
+                  # Some registries don't handle escaped package names properly
+                  status = Dependabot::RegistryClient.get(
+                    url: dependency_url.gsub("%2F", "/") + "/#{version}",
+                    headers: registry_auth_headers
+                  ).status
+                end
+              end
+
+              version_not_found = status == 404
+              version_not_found && version_endpoint_working?
+            rescue Excon::Error::Timeout, Excon::Error::Socket
+              # Give the benefit of the doubt if the registry is playing up
+              false
+            end
+
+          @yanked[version] || false
+        end
+
         private
 
+        sig { returns(T.nilable(T::Boolean)) }
+        def version_endpoint_working?
+          return true if dependency_registry == GLOBAL_REGISTRY
+
+          return @version_endpoint_working if @version_endpoint_working
+
+          @version_endpoint_working =
+            begin
+              Dependabot::RegistryClient.get(
+                url: dependency_url + "/#{RELEASE_DIST_TAGS_LATEST_KEY}",
+                headers: registry_auth_headers
+              ).status < 400
+            rescue Excon::Error::Timeout, Excon::Error::Socket
+              # Give the benefit of the doubt if the registry is playing up
+              true
+            end
+          @version_endpoint_working
+        end
+
         sig do
           params(
             npm_data: T::Hash[String, T.untyped]
           ).returns(T::Array[Dependabot::Package::PackageRelease])
         end
         def parse_versions(npm_data)
-          time_data = npm_data["time"] || {}
-          versions_data = npm_data["versions"] || {}
+          time_data = fetch_value_from_hash(npm_data, RELEASE_TIME_KEY) || {}
+          versions_data = fetch_value_from_hash(npm_data, RELEASE_VERSIONS_KEY) || {}
 
-          latest_version = npm_data.dig("dist-tags", "latest")
+          dist_tags = fetch_value_from_hash(npm_data, RELEASE_DIST_TAGS_KEY)
+          latest_version = fetch_value_from_hash(dist_tags, RELEASE_DIST_TAGS_LATEST_KEY)
 
           versions_data.filter_map do |version, details|
             next unless Dependabot::NpmAndYarn::Version.correct?(version)
 
-            package_type = details.dig("repository", "type")
-
-            deprecated = details["deprecated"]
+            package_type = infer_package_type(details)
 
-            puts "version: #{version}, #{latest_version}"
+            deprecated = fetch_value_from_hash(details, RELEASE_DEPRECATION_KEY)
 
             Dependabot::Package::PackageRelease.new(
               version: Version.new(version),
@@ -95,7 +184,8 @@ module Dependabot
               latest: latest_version.to_s == version,
               url: package_version_url(version),
               package_type: package_type,
-              language: package_language(details)
+              language: package_language(details),
+              details: details
             )
           end.sort_by(&:version).reverse
         end
@@ -110,13 +200,16 @@ module Dependabot
             .returns(T.nilable(Dependabot::Package::PackageLanguage))
         end
         def package_language(version_details)
-          node_requirement = version_details.dig("engines", "node")
+          # Fetch the engines hash from the version details
+          engines = version_details.is_a?(Hash) ? version_details[RELEASE_ENGINES_KEY] : nil
+          # Check if engines is a hash and fetch the node requirement
+          node_requirement = engines.is_a?(Hash) ? engines.fetch(RELEASE_LANGUAGE_KEY, nil) : nil
 
           return nil unless node_requirement
 
           if node_requirement
             Dependabot::Package::PackageLanguage.new(
-              name: "node",
+              name: RELEASE_LANGUAGE_KEY,
               version: nil,
               requirement: Requirement.new(node_requirement)
             )
@@ -127,7 +220,7 @@ module Dependabot
 
         sig { returns(T.nilable(T::Hash[String, String])) }
         def dist_tags
-          @dist_tags ||= npm_details&.fetch("dist-tags", nil)
+          @dist_tags ||= fetch_value_from_hash(npm_details, RELEASE_DIST_TAGS_KEY)
         end
 
         sig { returns(T.nilable(T::Hash[String, T.untyped])) }
@@ -136,9 +229,11 @@ module Dependabot
           check_npm_response(npm_response) if npm_response
           JSON.parse(npm_response.body)
         rescue JSON::ParserError, Excon::Error::Timeout, Excon::Error::Socket, RegistryError => e
-          return nil if git_dependency?
-
-          raise_npm_details_error(e)
+          if git_dependency?
+            nil
+          else
+            raise_npm_details_error(e)
+          end
         end
 
         sig { returns(Excon::Response) }
@@ -149,19 +244,20 @@ module Dependabot
           )
 
           # If response is successful, return it
-          return response if response.status.to_s.start_with?("2")
+          return response if response.status.to_s.start_with?(API_RESPONSE_STATUS_SUCCESS_PREFIX)
 
           # If the registry is public (not explicitly private) and the request fails, return the response as is
-          return response if dependency_registry == "registry.npmjs.org"
+          return response if dependency_registry == GLOBAL_REGISTRY
 
           # If a private registry returns a 500 error, check authentication
           return response unless response.status == 500
-          return response unless registry_auth_headers["Authorization"]
 
-          auth = registry_auth_headers["Authorization"]
-          return response unless auth&.start_with?("Basic")
+          auth = fetch_value_from_hash(registry_auth_headers, API_AUTHORIZATION_KEY)
+          return response unless auth
 
-          decoded_token = Base64.decode64(auth.gsub("Basic ", "")).strip
+          return response unless auth&.start_with?(API_AUTHORIZATION_VALUE_BASIC_PREFIX)
+
+          decoded_token = Base64.decode64(auth.gsub("#{API_AUTHORIZATION_VALUE_BASIC_PREFIX} ", "")).strip
 
           # Ensure decoded token is not empty and contains a colon
           if decoded_token.empty? || !decoded_token.include?(":")
@@ -181,6 +277,29 @@ module Dependabot
           raise DependencyFileNotResolvable, e.message
         end
 
+        sig do
+          params(
+            details: T::Hash[String, T.untyped],
+            git_dependency: T::Boolean
+          )
+            .returns(String)
+        end
+        def infer_package_type(details, git_dependency: false)
+          return RELEASE_PACKAGE_TYPE_GIT if git_dependency
+
+          repository = fetch_value_from_hash(details, RELEASE_REPOSITORY_KEY)
+
+          case repository
+          when String
+            return repository.start_with?("git+") ? RELEASE_PACKAGE_TYPE_GIT : RELEASE_PACKAGE_TYPE_NPM
+          when Hash
+            type = fetch_value_from_hash(repository, RELEASE_PACKAGE_TYPE_KEY)
+            return RELEASE_PACKAGE_TYPE_GIT if type == RELEASE_PACKAGE_TYPE_GIT
+          end
+
+          RELEASE_PACKAGE_TYPE_NPM
+        end
+
         sig { params(npm_response: Excon::Response).void }
         def check_npm_response(npm_response)
           return if git_dependency?
@@ -199,13 +318,13 @@ module Dependabot
           status = npm_response.status
 
           # handles issue when status 200 is returned from registry but with an invalid JSON object
-          if status.to_s.start_with?("2") && response_invalid_json?(npm_response)
+          if status.to_s.start_with?(API_RESPONSE_STATUS_SUCCESS_PREFIX) && response_invalid_json?(npm_response)
             msg = "Invalid JSON object returned from registry #{dependency_registry}."
             Dependabot.logger.warn("#{msg} Response body (truncated) : #{npm_response.body[0..500]}...")
             raise DependencyFileNotResolvable, msg
           end
 
-          return if status.to_s.start_with?("2")
+          return if status.to_s.start_with?(API_RESPONSE_STATUS_SUCCESS_PREFIX)
 
           # Ignore 404s from the registry for updates where a lockfile doesn't
           # need to be generated. The 404 won't cause problems later.
@@ -217,7 +336,7 @@ module Dependabot
 
         sig { params(error: StandardError).void }
         def raise_npm_details_error(error)
-          raise if dependency_registry == "registry.npmjs.org"
+          raise if dependency_registry == GLOBAL_REGISTRY
           raise unless error.is_a?(Excon::Error::Timeout)
 
           raise PrivateSourceTimedOut, dependency_registry
@@ -229,10 +348,10 @@ module Dependabot
           return false unless [401, 402, 403, 404].include?(npm_response.status)
 
           # Check whether this dependency is (likely to be) private
-          if dependency_registry == "registry.npmjs.org"
+          if dependency_registry == GLOBAL_REGISTRY
             return false unless dependency.name.start_with?("@")
 
-            web_response = Dependabot::RegistryClient.get(url: "https://www.npmjs.com/package/#{dependency.name}")
+            web_response = Dependabot::RegistryClient.get(url: "#{NPM_OFFICIAL_WEBSITE}/package/#{dependency.name}")
             # NOTE: returns 429 when the login page is rate limited
             return web_response.body.include?("Forgot password?") ||
                    web_response.status == 429
@@ -244,8 +363,10 @@ module Dependabot
         sig { params(npm_response: Excon::Response).returns(T::Boolean) }
         def private_dependency_server_error?(npm_response)
           if [500, 501, 502, 503].include?(npm_response.status)
-            Dependabot.logger.warn("#{dependency_registry} returned code #{npm_response.status} with " \
-                                   "body #{npm_response.body}.")
+            Dependabot.logger.warn(
+              "#{dependency_registry} returned code #{npm_response.status} " \
+              "with body #{npm_response.body}."
+            )
             return true
           end
           false
@@ -260,11 +381,6 @@ module Dependabot
           true
         end
 
-        sig { returns(String) }
-        def dependency_url
-          registry_finder.dependency_url
-        end
-
         sig { returns(T::Hash[String, String]) }
         def registry_auth_headers
           registry_finder.auth_headers
@@ -288,17 +404,17 @@ module Dependabot
 
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def npmrc_file
-          dependency_files.find { |f| f.name.end_with?(".npmrc") }
+          dependency_files.find { |f| f.name.end_with?(REGISTRY_FILE_NPMRC) }
         end
 
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def yarnrc_file
-          dependency_files.find { |f| f.name.end_with?(".yarnrc") }
+          dependency_files.find { |f| f.name.end_with?(REGISTRY_FILE_YARNRC) }
         end
 
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def yarnrc_yml_file
-          dependency_files.find { |f| f.name.end_with?(".yarnrc.yml") }
+          dependency_files.find { |f| f.name.end_with?(REGISTRY_FILE_YARNRC_YML) }
         end
 
         sig { returns(T::Boolean) }
@@ -309,6 +425,15 @@ module Dependabot
             credentials: credentials
           ).git_dependency?
         end
+
+        # This function safely retrieves a value for a given key from a Hash.
+        # If the hash is valid and the key exists, it will return the value, otherwise nil.
+        sig { params(hash: T.untyped, key: T.untyped).returns(T.untyped) }
+        def fetch_value_from_hash(hash, key)
+          return nil unless hash.is_a?(Hash) # Return nil if the hash is not a Hash
+
+          hash.fetch(key, nil) # Fetch the value for the given key, defaulting to nil if not found
+        end
       end
     end
   end