RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.309.0 → 0.310.0 - Mend

dependabot-npm_and_yarn 0.309.0 → 0.310.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

data/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb CHANGED Viewed

@@ -1,7 +1,9 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "excon"
+require "sorbet-runtime"
 require "dependabot/npm_and_yarn/update_checker"
 require "dependabot/shared_helpers"
@@ -9,12 +11,23 @@ module Dependabot
   module NpmAndYarn
     class UpdateChecker
       class LibraryDetector
+        extend T::Sig
+        sig do
+          params(
+            package_json_file: Dependabot::DependencyFile,
+            credentials: T::Array[Dependabot::Credential],
+            dependency_files: T::Array[Dependabot::DependencyFile]
+          )
+            .void
+        end
         def initialize(package_json_file:, credentials:, dependency_files:)
           @package_json_file = package_json_file
           @credentials = credentials
           @dependency_files = dependency_files
         end
+        sig { returns(T::Boolean) }
         def library?
           return false unless package_json_may_be_for_library?
@@ -23,26 +36,36 @@ module Dependabot
         private
+        sig { returns(Dependabot::DependencyFile) }
         attr_reader :package_json_file
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+        sig { returns(T::Boolean) }
         def package_json_may_be_for_library?
           return false unless project_name
-          return false if project_name.match?(/\{\{.*\}\}/)
+          return false if T.must(project_name).match?(/\{\{.*\}\}/)
           return false unless parsed_package_json["version"]
           return false if parsed_package_json["private"]
           true
         end
+        sig { returns(T::Boolean) }
         def npm_response_matches_package_json?
           project_description = parsed_package_json["description"]
           return false unless project_description
           # Check if the project is listed on npm. If it is, it's a library
           url = "#{registry.chomp('/')}/#{escaped_project_name}"
-          @project_npm_response ||= Dependabot::RegistryClient.get(url: url)
+          @project_npm_response ||= T.let(
+            Dependabot::RegistryClient.get(url: url),
+            T.nilable(Excon::Response)
+          )
           return false unless @project_npm_response.status == 200
           @project_npm_response.body.dup.force_encoding("UTF-8").encode
@@ -51,18 +74,25 @@ module Dependabot
           false
         end
+        sig { returns(T.nilable(String)) }
         def project_name
           parsed_package_json.fetch("name", nil)
         end
+        sig { returns(T.nilable(String)) }
         def escaped_project_name
           project_name&.gsub("/", "%2F")
         end
+        sig { returns(T::Hash[String, T.untyped]) }
         def parsed_package_json
-          @parsed_package_json ||= JSON.parse(package_json_file.content)
+          @parsed_package_json ||= T.let(
+            JSON.parse(T.must(package_json_file.content)),
+            T.nilable(T::Hash[String, T.untyped])
+          )
         end
+        sig { returns(String) }
         def registry
           Package::RegistryFinder.new(
             dependency: nil,
@@ -70,7 +100,7 @@ module Dependabot
             npmrc_file: dependency_files.find { |f| f.name.end_with?(".npmrc") },
             yarnrc_file: dependency_files.find { |f| f.name.end_with?(".yarnrc") },
             yarnrc_yml_file: dependency_files.find { |f| f.name.end_with?(".yarnrc.yml") }
-          ).registry_from_rc(project_name)
+          ).registry_from_rc(T.must(project_name))
         end
       end
     end

data/lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 ################################################################################
@@ -6,6 +6,8 @@
 # https://docs.npmjs.com/misc/semver                                           #
 ################################################################################
+require "sorbet-runtime"
 require "dependabot/npm_and_yarn/requirement"
 require "dependabot/npm_and_yarn/update_checker"
 require "dependabot/npm_and_yarn/version"
@@ -15,6 +17,8 @@ module Dependabot
   module NpmAndYarn
     class UpdateChecker
       class RequirementsUpdater
+        extend T::Sig
         VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/
         SEPARATOR = /(?<=[a-zA-Z0-9*])[\s|]+(?![\s|-])/
         ALLOWED_UPDATE_STRATEGIES = T.let(
@@ -27,8 +31,16 @@ module Dependabot
           T::Array[Dependabot::RequirementsUpdateStrategy]
         )
-        def initialize(requirements:, updated_source:, update_strategy:,
-                       latest_resolvable_version:)
+        sig do
+          params(
+            requirements: T::Array[T::Hash[Symbol, T.untyped]],
+            updated_source: T.nilable(T::Hash[Symbol, T.untyped]),
+            update_strategy: Dependabot::RequirementsUpdateStrategy,
+            latest_resolvable_version: T.nilable(T.any(String, Gem::Version))
+          )
+            .void
+        end
+        def initialize(requirements:, updated_source:, update_strategy:, latest_resolvable_version:)
           @requirements = requirements
           @updated_source = updated_source
           @update_strategy = update_strategy
@@ -37,10 +49,13 @@ module Dependabot
           return unless latest_resolvable_version
-          @latest_resolvable_version =
-            version_class.new(latest_resolvable_version)
+          @latest_resolvable_version = T.let(
+            version_class.new(latest_resolvable_version),
+            NpmAndYarn::Version
+          )
         end
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         def updated_requirements
           return requirements if update_strategy.lockfile_only?
@@ -62,17 +77,26 @@ module Dependabot
         private
+        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
         attr_reader :requirements
+        sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
         attr_reader :updated_source
+        sig { returns(Dependabot::RequirementsUpdateStrategy) }
         attr_reader :update_strategy
+        sig { returns(T.nilable(NpmAndYarn::Version)) }
         attr_reader :latest_resolvable_version
+        sig { void }
         def check_update_strategy
           return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
           raise "Unknown update strategy: #{update_strategy}"
         end
+        sig { returns(T::Boolean) }
         def updating_from_git_to_npm?
           return false unless updated_source.nil?
@@ -80,6 +104,7 @@ module Dependabot
           original_source&.fetch(:type) == "git"
         end
+        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
         def initial_req_after_source_change(req)
           return req unless updating_from_git_to_npm?
           return req unless req[:requirement].nil?
@@ -87,12 +112,13 @@ module Dependabot
           req.merge(requirement: "^#{latest_resolvable_version}")
         end
+        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
         def update_version_requirement(req)
           current_requirement = req[:requirement]
           if current_requirement.match?(/(<|-\s)/i)
             ruby_req = ruby_requirements(current_requirement).first
-            return req if ruby_req.satisfied_by?(latest_resolvable_version)
+            return req if ruby_req&.satisfied_by?(latest_resolvable_version)
             updated_req = update_range_requirement(current_requirement)
             return req.merge(requirement: updated_req)
@@ -102,6 +128,7 @@ module Dependabot
           req.merge(requirement: update_version_string(reqs.first))
         end
+        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
         def update_version_requirement_if_needed(req)
           current_requirement = req[:requirement]
           version = latest_resolvable_version
@@ -113,6 +140,7 @@ module Dependabot
           update_version_requirement(req)
         end
+        sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
         def widen_requirement(req)
           current_requirement = req[:requirement]
           version = latest_resolvable_version
@@ -135,22 +163,25 @@ module Dependabot
           req.merge(requirement: updated_requirement)
         end
+        sig { params(requirement_string: String).returns(T::Array[NpmAndYarn::Requirement]) }
         def ruby_requirements(requirement_string)
           NpmAndYarn::Requirement
             .requirements_array(requirement_string)
         end
+        sig { params(req_string: String).returns(String) }
         def update_range_requirement(req_string)
           range_requirements =
             req_string.split(SEPARATOR).select { |r| r.match?(/<|(\s+-\s+)/) }
           if range_requirements.count == 1
-            range_requirement = range_requirements.first
+            range_requirement = T.must(range_requirements.first)
             versions = range_requirement.scan(VERSION_REGEX)
-            upper_bound = versions.map { |v| version_class.new(v) }.max
+            version_objects = versions.map { |v| version_class.new(v.to_s) }
+            upper_bound = T.must(version_objects.max)
             new_upper_bound = update_greatest_version(
-              upper_bound,
-              latest_resolvable_version
+              upper_bound.to_s,
+              T.must(latest_resolvable_version)
             )
             req_string.sub(
@@ -158,45 +189,51 @@ module Dependabot
               new_upper_bound.to_s
             )
           else
-            req_string + " || ^#{latest_resolvable_version}"
+            req_string + " || ^#{T.must(latest_resolvable_version)}"
           end
         end
+        sig { params(req_string: String).returns(String) }
         def update_version_string(req_string)
           req_string
             .sub(VERSION_REGEX) do |old_version|
               if old_version.match?(/\d-/) ||
-                 latest_resolvable_version.to_s.match?(/\d-/)
-                latest_resolvable_version.to_s
+                 T.must(latest_resolvable_version).to_s.match?(/\d-/)
+                T.must(latest_resolvable_version).to_s
               else
                 old_parts = old_version.split(".")
-                new_parts = latest_resolvable_version.to_s.split(".")
-                                                     .first(old_parts.count)
+                new_parts = T.must(latest_resolvable_version).to_s.split(".")
+                             .first(old_parts.count)
                 new_parts.map.with_index do |part, i|
-                  old_parts[i].match?(/^x\b/) ? "x" : part
+                  old_parts[i]&.match?(/^x\b/) ? "x" : part
                 end.join(".")
               end
             end
         end
+        sig { params(old_version: String, version_to_be_permitted: NpmAndYarn::Version).returns(String) }
         def update_greatest_version(old_version, version_to_be_permitted)
           version = version_class.new(old_version)
           version = version.release if version.prerelease?
           index_to_update =
-            version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+            version.segments.map.with_index { |seg, i| T.cast(seg, Integer).zero? ? 0 : i }.max || 0
           version.segments.map.with_index do |_, index|
-            if index < index_to_update
-              version_to_be_permitted.segments[index]
-            elsif index == index_to_update
-              version_to_be_permitted.segments[index] + 1
-            else
-              0
-            end
+            segment_value =
+              if index < index_to_update
+                T.cast(version_to_be_permitted.segments[index], Integer)
+              elsif index == index_to_update
+                # Cast to Integer before adding 1 to ensure correct type
+                T.cast(version_to_be_permitted.segments[index], Integer) + 1
+              else
+                0
+              end
+            segment_value.to_s
           end.join(".")
         end
+        sig { returns(T.class_of(NpmAndYarn::Version)) }
         def version_class
           NpmAndYarn::Version
         end

data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb CHANGED Viewed

@@ -1,7 +1,9 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "stringio"
+require "sorbet-runtime"
 require "dependabot/dependency"
 require "dependabot/errors"
 require "dependabot/logger"
@@ -16,6 +18,15 @@ module Dependabot
   module NpmAndYarn
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class VulnerabilityAuditor
+        extend T::Sig
+        sig do
+          params(
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          )
+            .void
+        end
         def initialize(dependency_files:, credentials:)
           @dependency_files = dependency_files
           @credentials = credentials
@@ -43,6 +54,13 @@ module Dependabot
         #   * :top_level_ancestors [Array<String>] the names of all top-level dependencies with a transitive
         #     dependency on the dependency
         #   * :explanation [String] an explanation for why the project failed the vulnerability auditor run
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            security_advisories: T::Array[Dependabot::SecurityAdvisory]
+          )
+            .returns(T::Hash[String, T.untyped])
+        end
         def audit(dependency:, security_advisories:)
           Dependabot.logger.info("VulnerabilityAuditor: starting audit")
@@ -76,10 +94,13 @@ module Dependabot
               }
             end
-            audit_result = SharedHelpers.run_helper_subprocess(
-              command: NativeHelpers.helper_path,
-              function: "npm:vulnerabilityAuditor",
-              args: [Dir.pwd, vuln_versions]
+            audit_result = T.cast(
+              SharedHelpers.run_helper_subprocess(
+                command: NativeHelpers.helper_path,
+                function: "npm:vulnerabilityAuditor",
+                args: [Dir.pwd, vuln_versions]
+              ),
+              T::Hash[String, T.untyped]
             )
             validation_result = validate_audit_result(audit_result, security_advisories)
@@ -94,24 +115,36 @@ module Dependabot
           end
         rescue SharedHelpers::HelperSubprocessFailed => e
           log_helper_subprocess_failure(dependency, e)
-          fix_unavailable
+          T.must(fix_unavailable)
         end
         # rubocop:enable Metrics/MethodLength
         private
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+        sig { params(validation_result: Symbol, dependency: Dependabot::Dependency).returns(String) }
         def explain_fix_unavailable(validation_result, dependency)
           case validation_result
           when :fix_unavailable, :dependency_still_vulnerable, :downgrades_dependencies
             "No patched version available for #{dependency.name}"
           when :fix_incomplete
             "The lockfile might be out of sync?"
+          else
+            raise "Unexpected validation result: #{validation_result}"
           end
         end
+        sig do
+          params(
+            audit_result: T::Hash[String, T.untyped],
+            security_advisories: T::Array[Dependabot::SecurityAdvisory]
+          ).returns(Symbol)
+        end
         def validate_audit_result(audit_result, security_advisories)
           return :fix_unavailable unless audit_result["fix_available"]
           return :dependency_still_vulnerable if dependency_still_vulnerable?(audit_result, security_advisories)
@@ -121,6 +154,13 @@ module Dependabot
           :viable
         end
+        sig do
+          params(
+            audit_result: T::Hash[String, T.untyped],
+            security_advisories: T::Array[Dependabot::SecurityAdvisory]
+          )
+            .returns(T::Boolean)
+        end
         def dependency_still_vulnerable?(audit_result, security_advisories)
           # vulnerable dependency is removed if the target version is nil
           return false unless audit_result["target_version"]
@@ -129,6 +169,7 @@ module Dependabot
           security_advisories.any? { |a| a.vulnerable?(version) }
         end
+        sig { params(audit_result: T::Hash[String, T.untyped]).returns(T::Boolean) }
         def downgrades_dependencies?(audit_result)
           return true if downgrades_version?(audit_result["current_version"], audit_result["target_version"])
@@ -137,6 +178,13 @@ module Dependabot
           end
         end
+        sig do
+          params(
+            current_version: T.nilable(T.any(String, Integer, Gem::Version)),
+            target_version: T.nilable(T.any(String, Integer, Gem::Version))
+          )
+            .returns(T::Boolean)
+        end
         def downgrades_version?(current_version, target_version)
           return false unless target_version
@@ -145,14 +193,19 @@ module Dependabot
           current > target
         end
+        sig { params(audit_result: T::Hash[String, T.untyped]).returns(T::Boolean) }
         def fix_incomplete?(audit_result)
           audit_result["fix_updates"].any? { |update| !update.key?("target_version") } ||
             audit_result["fix_updates"].empty?
         end
+        sig do
+          params(dependency: Dependabot::Dependency,
+                 error: Dependabot::SharedHelpers::HelperSubprocessFailed).void
+        end
         def log_helper_subprocess_failure(dependency, error)
           # See `Dependabot::SharedHelpers.run_helper_subprocess` for details on error context
-          context = error.error_context || {}
+          context = error.error_context
           builder = ::StringIO.new
           builder << "VulnerabilityAuditor: "

data/lib/dependabot/npm_and_yarn/update_checker.rb CHANGED Viewed

@@ -167,7 +167,7 @@ module Dependabot
             requirements: dependency.requirements,
             updated_source: updated_source,
             latest_resolvable_version: resolvable_version,
-            update_strategy: requirements_update_strategy
+            update_strategy: T.must(requirements_update_strategy)
           ).updated_requirements
       end
@@ -326,7 +326,7 @@ module Dependabot
             requirements: original_dep.requirements,
             updated_source: original_dep == dependency ? updated_source : original_source(original_dep),
             latest_resolvable_version: version,
-            update_strategy: requirements_update_strategy
+            update_strategy: T.must(requirements_update_strategy)
           ).updated_requirements,
           previous_version: previous_version,
           previous_requirements: original_dep.requirements,
@@ -516,7 +516,7 @@ module Dependabot
         @library =
           LibraryDetector.new(
-            package_json_file: package_json,
+            package_json_file: T.must(package_json),
             credentials: credentials,
             dependency_files: dependency_files
           ).library?

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.309.0
+  version: 0.310.0
 platform: ruby
 authors:
 - Dependabot
 bindir: bin
 cert_chain: []
-date: 2025-04-17 00:00:00.000000000 Z
+date: 2025-04-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.309.0
+        version: 0.310.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.309.0
+        version: 0.310.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -356,7 +356,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.309.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.310.0
 rdoc_options: []
 require_paths:
 - lib