RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.309.0 → 0.311.0 - Mend

dependabot-npm_and_yarn 0.309.0 → 0.311.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "dependabot/npm_and_yarn/helpers"
@@ -9,24 +9,47 @@ require "dependabot/shared_helpers"
 module Dependabot
   module NpmAndYarn
     class FileUpdater < Dependabot::FileUpdaters::Base
+      # rubocop:disable Metrics/ClassLength
       class PnpmLockfileUpdater
+        extend T::Sig
         require_relative "npmrc_builder"
         require_relative "package_json_updater"
+        sig do
+          params(
+            dependencies: T::Array[Dependabot::Dependency],
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            repo_contents_path: T.nilable(String),
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
         def initialize(dependencies:, dependency_files:, repo_contents_path:, credentials:)
           @dependencies = dependencies
           @dependency_files = dependency_files
           @repo_contents_path = repo_contents_path
           @credentials = credentials
-          @error_handler = PnpmErrorHandler.new(
-            dependencies: dependencies,
-            dependency_files: dependency_files
+          @error_handler = T.let(
+            PnpmErrorHandler.new(
+              dependencies: dependencies,
+              dependency_files: dependency_files
+            ),
+            PnpmErrorHandler
           )
         end
+        sig do
+          params(
+            pnpm_lock: Dependabot::DependencyFile,
+            updated_pnpm_workspace_content: T.nilable(T::Hash[String, T.nilable(String)])
+          ).returns(String)
+        end
         def updated_pnpm_lock_content(pnpm_lock, updated_pnpm_workspace_content: nil)
-          @updated_pnpm_lock_content ||= {}
-          return @updated_pnpm_lock_content[pnpm_lock.name] if @updated_pnpm_lock_content[pnpm_lock.name]
+          @updated_pnpm_lock_content ||= T.let(
+            {},
+            T.nilable(T::Hash[String, String])
+          )
+          return T.must(@updated_pnpm_lock_content[pnpm_lock.name]) if @updated_pnpm_lock_content[pnpm_lock.name]
           new_content = run_pnpm_update(
             pnpm_lock: pnpm_lock,
@@ -39,10 +62,19 @@ module Dependabot
         private
+        sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+        sig { returns(T.nilable(String)) }
         attr_reader :repo_contents_path
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+        sig { returns(PnpmErrorHandler) }
         attr_reader :error_handler
         IRRESOLVABLE_PACKAGE = "ERR_PNPM_NO_MATCHING_VERSION"
@@ -103,6 +135,13 @@ module Dependabot
         # Peer dependencies configuration error
         ERR_PNPM_PEER_DEP_ISSUES = /ERR_PNPM_PEER_DEP_ISSUES/
+        sig do
+          params(
+            pnpm_lock: Dependabot::DependencyFile,
+            updated_pnpm_workspace_content: T.nilable(T::Hash[String, T.nilable(String)])
+          )
+            .returns(String)
+        end
         def run_pnpm_update(pnpm_lock:, updated_pnpm_workspace_content: nil)
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
             File.write(".npmrc", npmrc_content(pnpm_lock))
@@ -122,6 +161,7 @@ module Dependabot
           end
         end
+        sig { returns(T.nilable(String)) }
         def run_pnpm_update_packages
           dependency_updates = dependencies.map do |d|
             "#{d.name}@#{d.version}"
@@ -133,18 +173,24 @@ module Dependabot
           )
         end
+        sig { returns(T.nilable(String)) }
         def run_pnpm_install
           Helpers.run_pnpm_command(
             "install --lockfile-only"
           )
         end
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def workspace_files
-          @workspace_files ||= dependency_files.select { |f| f.name.end_with?("pnpm-workspace.yaml") }
+          @workspace_files ||= T.let(
+            dependency_files.select { |f| f.name.end_with?("pnpm-workspace.yaml") },
+            T.nilable(T::Array[Dependabot::DependencyFile])
+          )
         end
+        sig { params(lockfile: Dependabot::DependencyFile).returns(T::Array[Dependabot::Dependency]) }
         def lockfile_dependencies(lockfile)
-          @lockfile_dependencies ||= {}
+          @lockfile_dependencies ||= T.let({}, T.nilable(T::Hash[String, T::Array[Dependabot::Dependency]]))
           @lockfile_dependencies[lockfile.name] ||=
             NpmAndYarn::FileParser.new(
               dependency_files: [lockfile, *package_files, *workspace_files],
@@ -157,6 +203,13 @@ module Dependabot
         # rubocop:disable Metrics/PerceivedComplexity
         # rubocop:disable Metrics/MethodLength
         # rubocop:disable Metrics/CyclomaticComplexity
+        sig do
+          params(
+            error: SharedHelpers::HelperSubprocessFailed,
+            pnpm_lock: Dependabot::DependencyFile
+          )
+            .returns(T.noreturn)
+        end
         def handle_pnpm_lock_updater_error(error, pnpm_lock)
           error_message = error.message
@@ -165,15 +218,15 @@ module Dependabot
           end
           if error_message.match?(UNREACHABLE_GIT)
-            url = error_message.match(UNREACHABLE_GIT).named_captures.fetch("url").gsub("git+ssh://git@", "https://").delete_suffix(".git")
+            url = error_message.match(UNREACHABLE_GIT)&.named_captures&.fetch("url")&.gsub("git+ssh://git@", "https://")&.delete_suffix(".git")
-            raise Dependabot::GitDependenciesNotReachable, url
+            raise Dependabot::GitDependenciesNotReachable, T.must(url)
           end
           if error_message.match?(UNREACHABLE_GIT_V8)
-            url = error_message.match(UNREACHABLE_GIT_V8).named_captures.fetch("url").gsub("codeload.", "")
+            url = error_message.match(UNREACHABLE_GIT_V8)&.named_captures&.fetch("url")&.gsub("codeload.", "")
-            raise Dependabot::GitDependenciesNotReachable, url
+            raise Dependabot::GitDependenciesNotReachable, T.must(url)
           end
           [FORBIDDEN_PACKAGE, MISSING_PACKAGE, UNAUTHORIZED_PACKAGE, ERR_PNPM_FETCH_401,
@@ -181,14 +234,13 @@ module Dependabot
             .each do |regexp|
             next unless error_message.match?(regexp)
-            dependency_url = error_message.match(regexp).named_captures["dependency_url"]
+            dependency_url = T.must(error_message.match(regexp)&.named_captures&.[]("dependency_url"))
             raise_package_access_error(error_message, dependency_url, pnpm_lock)
           end
           # TO-DO : subclassifcation of ERR_PNPM_TARBALL_INTEGRITY errors
           if error_message.match?(ERR_PNPM_TARBALL_INTEGRITY)
             dependency_names = dependencies.map(&:name).join(", ")
             msg = "Error (ERR_PNPM_TARBALL_INTEGRITY) while resolving \"#{dependency_names}\"."
             Dependabot.logger.warn(error_message)
             raise Dependabot::DependencyFileNotResolvable, msg
@@ -197,20 +249,17 @@ module Dependabot
           # TO-DO : investigate "packageManager" allowed regex
           if error_message.match?(INVALID_PACKAGE_SPEC)
             dependency_names = dependencies.map(&:name).join(", ")
             msg = "Invalid package manager specification in package.json while resolving \"#{dependency_names}\"."
             raise Dependabot::DependencyFileNotResolvable, msg
           end
           if error_message.match?(ERR_PNPM_META_FETCH_FAIL)
             msg = error_message.split(ERR_PNPM_META_FETCH_FAIL).last
             raise Dependabot::DependencyFileNotResolvable, msg
           end
           if error_message.match?(ERR_PNPM_WORKSPACE_PKG_NOT_FOUND)
             dependency_names = dependencies.map(&:name).join(", ")
             msg = "No package named \"#{dependency_names}\" present in workspace."
             Dependabot.logger.warn(error_message)
             raise Dependabot::DependencyFileNotResolvable, msg
@@ -223,8 +272,8 @@ module Dependabot
           end
           if error_message.match?(ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND)
-            dir = error_message.match(ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND).named_captures.fetch("dir")
-            msg = "Could not find linked package installation directory \"#{dir.split('/').last}\""
+            dir = error_message.match(ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND)&.named_captures&.fetch("dir")
+            msg = "Could not find linked package installation directory \"#{dir&.split('/')&.last}\""
             raise Dependabot::DependencyFileNotResolvable, msg
           end
@@ -246,13 +295,11 @@ module Dependabot
           if error_message.match?(ERR_PNPM_PEER_DEP_ISSUES)
             msg = "Missing or invalid configuration while installing peer dependencies."
             Dependabot.logger.warn(error_message)
             raise Dependabot::DependencyFileNotResolvable, msg
           end
           raise_patch_dependency_error(error_message) if error_message.match?(ERR_PNPM_PATCH_NOT_APPLIED)
           raise_unsupported_engine_error(error_message, pnpm_lock) if error_message.match?(ERR_PNPM_UNSUPPORTED_ENGINE)
           if error_message.match?(ERR_INVALID_THIS) && error_message.match?(URL_SEARCH_PARAMS)
@@ -262,8 +309,7 @@ module Dependabot
           end
           if error_message.match?(ERR_PNPM_UNSUPPORTED_PLATFORM)
-            raise_unsupported_platform_error(error_message,
-                                             pnpm_lock)
+            raise_unsupported_platform_error(error_message, pnpm_lock)
           end
           error_handler.handle_pnpm_error(error)
@@ -275,6 +321,7 @@ module Dependabot
         # rubocop:enable Metrics/MethodLength
         # rubocop:enable Metrics/CyclomaticComplexity
+        sig { params(error_message: String, pnpm_lock: Dependabot::DependencyFile).returns(T.noreturn) }
         def raise_resolvability_error(error_message, pnpm_lock)
           dependency_names = dependencies.map(&:name).join(", ")
           msg = "Error whilst updating #{dependency_names} in " \
@@ -282,6 +329,7 @@ module Dependabot
           raise Dependabot::DependencyFileNotResolvable, msg
         end
+        sig { params(error_message: String).returns(T.noreturn) }
         def raise_patch_dependency_error(error_message)
           dependency_names = dependencies.map(&:name).join(", ")
           msg = "Error while updating \"#{dependency_names}\" in " \
@@ -290,21 +338,50 @@ module Dependabot
           raise Dependabot::DependencyFileNotResolvable, msg
         end
+        sig do
+          params(
+            error_message: String,
+            _pnpm_lock: Dependabot::DependencyFile
+          ).returns(T.nilable(T.noreturn))
+        end
         def raise_unsupported_engine_error(error_message, _pnpm_lock)
-          unless error_message.match(PACAKGE_MANAGER) &&
-                 error_message.match(VERSION_REQUIREMENT)
-            return
+          match_pkg_mgr = error_message.match(PACAKGE_MANAGER)
+          match_version = error_message.match(VERSION_REQUIREMENT)
+          unless match_pkg_mgr && match_version &&
+                 match_pkg_mgr.named_captures && match_version.named_captures
+            return nil
           end
-          package_manager = error_message.match(PACAKGE_MANAGER).named_captures["pkg_mgr"]
-          supported_version = error_message.match(VERSION_REQUIREMENT).named_captures["supported_ver"]
-          detected_version = error_message.match(VERSION_REQUIREMENT).named_captures["detected_ver"]
+          captures_pkg_mgr = match_pkg_mgr.named_captures
+          captures_version = match_version.named_captures
+          pkg_mgr = captures_pkg_mgr["pkg_mgr"]
+          supported_ver = captures_version["supported_ver"]
+          detected_ver = captures_version["detected_ver"]
+          if pkg_mgr && supported_ver && detected_ver
+            raise Dependabot::ToolVersionNotSupported.new(
+              pkg_mgr,
+              supported_ver,
+              detected_ver
+            )
+          end
-          raise Dependabot::ToolVersionNotSupported.new(package_manager, supported_version, detected_version)
+          nil
         end
+        sig do
+          params(
+            error_message: String,
+            dependency_url: String,
+            pnpm_lock: Dependabot::DependencyFile
+          )
+            .returns(T.noreturn)
+        end
         def raise_package_access_error(error_message, dependency_url, pnpm_lock)
-          package_name = RegistryParser.new(resolved_url: dependency_url, credentials: credentials).dependency_name
+          package_name = RegistryParser.new(resolved_url: dependency_url,
+                                            credentials: credentials).dependency_name
           missing_dep = lockfile_dependencies(pnpm_lock)
                         .find { |dep| dep.name == package_name }
           raise DependencyNotFound, package_name unless missing_dep
@@ -318,6 +395,7 @@ module Dependabot
           raise PrivateSourceAuthenticationFailure, reg
         end
+        sig { void }
         def write_final_package_json_files
           package_files.each do |file|
             path = file.name
@@ -326,57 +404,88 @@ module Dependabot
           end
         end
+        sig do
+          params(
+            error_message: String,
+            _pnpm_lock: Dependabot::DependencyFile
+          )
+            .returns(T.nilable(T.noreturn))
+        end
         def raise_unsupported_platform_error(error_message, _pnpm_lock)
-          unless error_message.match(PLATFORM_PACAKGE_DEP) &&
-                 error_message.match(PLATFORM_VERSION_REQUIREMENT)
-            return
+          match_dep = error_message.match(PLATFORM_PACAKGE_DEP)
+          match_version = error_message.match(PLATFORM_VERSION_REQUIREMENT)
+          unless match_dep && match_version &&
+                 match_dep.named_captures && match_version.named_captures
+            return nil
           end
-          supported_version = error_message.match(PLATFORM_VERSION_REQUIREMENT)
-                                           .named_captures["supported_ver"]
-                                           .then { sanitize_message(_1) }
-          detected_version = error_message.match(PLATFORM_VERSION_REQUIREMENT)
-                                          .named_captures["detected_ver"]
-                                          .then { sanitize_message(_1) }
+          captures_version = match_version.named_captures
-          Dependabot.logger.warn(error_message)
-          raise Dependabot::ToolVersionNotSupported.new(PLATFORM_PACAKGE_MANAGER, supported_version, detected_version)
+          supported_ver = captures_version["supported_ver"]
+          detected_ver = captures_version["detected_ver"]
+          if supported_ver && detected_ver
+            supported_version = sanitize_message(supported_ver)
+            detected_version = sanitize_message(detected_ver)
+            Dependabot.logger.warn(error_message)
+            raise Dependabot::ToolVersionNotSupported.new(
+              PLATFORM_PACAKGE_MANAGER,
+              supported_version,
+              detected_version
+            )
+          end
+          nil
         end
+        sig { params(pnpm_lock: Dependabot::DependencyFile).returns(String) }
         def npmrc_content(pnpm_lock)
           NpmrcBuilder.new(
-            credentials: credentials,
+            credentials: T.unsafe(credentials),
             dependency_files: dependency_files,
             dependencies: lockfile_dependencies(pnpm_lock)
           ).npmrc_content
         end
+        sig { params(file: Dependabot::DependencyFile).returns(String) }
         def updated_package_json_content(file)
-          @updated_package_json_content ||= {}
+          @updated_package_json_content ||= T.let({}, T.nilable(T::Hash[String, String]))
           @updated_package_json_content[file.name] ||=
-            PackageJsonUpdater.new(
-              package_json: file,
-              dependencies: dependencies
-            ).updated_package_json.content
+            T.must(
+              PackageJsonUpdater.new(
+                package_json: file,
+                dependencies: dependencies
+              ).updated_package_json.content
+            )
         end
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         def package_files
-          @package_files ||= dependency_files.select { |f| f.name.end_with?("package.json") }
+          @package_files ||= T.let(
+            dependency_files.select { |f| f.name.end_with?("package.json") },
+            T.nilable(T::Array[Dependabot::DependencyFile])
+          )
         end
+        sig { returns(String) }
         def base_dir
-          dependency_files.first.directory
+          T.must(dependency_files.first).directory
         end
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
         def npmrc_file
           dependency_files.find { |f| f.name == ".npmrc" }
         end
+        sig { params(message: String).returns(String) }
         def sanitize_message(message)
           message.gsub(/"|\[|\]|\}|\{/, "")
         end
       end
     end
+    # rubocop:enable Metrics/ClassLength
     class PnpmErrorHandler
       extend T::Sig
@@ -400,7 +509,8 @@ module Dependabot
         params(
           dependencies: T::Array[Dependabot::Dependency],
           dependency_files: T::Array[Dependabot::DependencyFile]
-        ).void
+        )
+          .void
       end
       def initialize(dependencies:, dependency_files:)
         @dependencies = dependencies