dependabot-npm_and_yarn 0.309.0 → 0.311.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb +1 -1
- data/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb +60 -19
- data/lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb +37 -16
- data/lib/dependabot/npm_and_yarn/file_updater/bun_lockfile_updater.rb +60 -19
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +4 -50
- data/lib/dependabot/npm_and_yarn/file_updater/package_json_preparer.rb +16 -4
- data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb +161 -51
- data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +211 -60
- data/lib/dependabot/npm_and_yarn/file_updater.rb +1 -1
- data/lib/dependabot/npm_and_yarn/helpers.rb +12 -59
- data/lib/dependabot/npm_and_yarn/metadata_finder.rb +64 -15
- data/lib/dependabot/npm_and_yarn/native_helpers.rb +8 -1
- data/lib/dependabot/npm_and_yarn/package/registry_finder.rb +1 -1
- data/lib/dependabot/npm_and_yarn/requirement.rb +23 -9
- data/lib/dependabot/npm_and_yarn/update_checker/conflicting_dependency_resolver.rb +36 -9
- data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb +82 -24
- data/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb +35 -5
- data/lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb +61 -24
- data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb +66 -37
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +1 -1
- data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb +60 -7
- data/lib/dependabot/npm_and_yarn/update_checker.rb +18 -8
- metadata +9 -9
|
@@ -1,7 +1,9 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "excon"
|
|
5
|
+
require "sorbet-runtime"
|
|
6
|
+
|
|
5
7
|
require "dependabot/npm_and_yarn/update_checker"
|
|
6
8
|
require "dependabot/shared_helpers"
|
|
7
9
|
|
|
@@ -9,12 +11,23 @@ module Dependabot
|
|
|
9
11
|
module NpmAndYarn
|
|
10
12
|
class UpdateChecker
|
|
11
13
|
class LibraryDetector
|
|
14
|
+
extend T::Sig
|
|
15
|
+
|
|
16
|
+
sig do
|
|
17
|
+
params(
|
|
18
|
+
package_json_file: Dependabot::DependencyFile,
|
|
19
|
+
credentials: T::Array[Dependabot::Credential],
|
|
20
|
+
dependency_files: T::Array[Dependabot::DependencyFile]
|
|
21
|
+
)
|
|
22
|
+
.void
|
|
23
|
+
end
|
|
12
24
|
def initialize(package_json_file:, credentials:, dependency_files:)
|
|
13
25
|
@package_json_file = package_json_file
|
|
14
26
|
@credentials = credentials
|
|
15
27
|
@dependency_files = dependency_files
|
|
16
28
|
end
|
|
17
29
|
|
|
30
|
+
sig { returns(T::Boolean) }
|
|
18
31
|
def library?
|
|
19
32
|
return false unless package_json_may_be_for_library?
|
|
20
33
|
|
|
@@ -23,26 +36,36 @@ module Dependabot
|
|
|
23
36
|
|
|
24
37
|
private
|
|
25
38
|
|
|
39
|
+
sig { returns(Dependabot::DependencyFile) }
|
|
26
40
|
attr_reader :package_json_file
|
|
41
|
+
|
|
42
|
+
sig { returns(T::Array[Dependabot::Credential]) }
|
|
27
43
|
attr_reader :credentials
|
|
44
|
+
|
|
45
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
28
46
|
attr_reader :dependency_files
|
|
29
47
|
|
|
48
|
+
sig { returns(T::Boolean) }
|
|
30
49
|
def package_json_may_be_for_library?
|
|
31
50
|
return false unless project_name
|
|
32
|
-
return false if project_name.match?(/\{\{.*\}\}/)
|
|
51
|
+
return false if T.must(project_name).match?(/\{\{.*\}\}/)
|
|
33
52
|
return false unless parsed_package_json["version"]
|
|
34
53
|
return false if parsed_package_json["private"]
|
|
35
54
|
|
|
36
55
|
true
|
|
37
56
|
end
|
|
38
57
|
|
|
58
|
+
sig { returns(T::Boolean) }
|
|
39
59
|
def npm_response_matches_package_json?
|
|
40
60
|
project_description = parsed_package_json["description"]
|
|
41
61
|
return false unless project_description
|
|
42
62
|
|
|
43
63
|
# Check if the project is listed on npm. If it is, it's a library
|
|
44
64
|
url = "#{registry.chomp('/')}/#{escaped_project_name}"
|
|
45
|
-
@project_npm_response ||=
|
|
65
|
+
@project_npm_response ||= T.let(
|
|
66
|
+
Dependabot::RegistryClient.get(url: url),
|
|
67
|
+
T.nilable(Excon::Response)
|
|
68
|
+
)
|
|
46
69
|
return false unless @project_npm_response.status == 200
|
|
47
70
|
|
|
48
71
|
@project_npm_response.body.dup.force_encoding("UTF-8").encode
|
|
@@ -51,18 +74,25 @@ module Dependabot
|
|
|
51
74
|
false
|
|
52
75
|
end
|
|
53
76
|
|
|
77
|
+
sig { returns(T.nilable(String)) }
|
|
54
78
|
def project_name
|
|
55
79
|
parsed_package_json.fetch("name", nil)
|
|
56
80
|
end
|
|
57
81
|
|
|
82
|
+
sig { returns(T.nilable(String)) }
|
|
58
83
|
def escaped_project_name
|
|
59
84
|
project_name&.gsub("/", "%2F")
|
|
60
85
|
end
|
|
61
86
|
|
|
87
|
+
sig { returns(T::Hash[String, T.untyped]) }
|
|
62
88
|
def parsed_package_json
|
|
63
|
-
@parsed_package_json ||=
|
|
89
|
+
@parsed_package_json ||= T.let(
|
|
90
|
+
JSON.parse(T.must(package_json_file.content)),
|
|
91
|
+
T.nilable(T::Hash[String, T.untyped])
|
|
92
|
+
)
|
|
64
93
|
end
|
|
65
94
|
|
|
95
|
+
sig { returns(String) }
|
|
66
96
|
def registry
|
|
67
97
|
Package::RegistryFinder.new(
|
|
68
98
|
dependency: nil,
|
|
@@ -70,7 +100,7 @@ module Dependabot
|
|
|
70
100
|
npmrc_file: dependency_files.find { |f| f.name.end_with?(".npmrc") },
|
|
71
101
|
yarnrc_file: dependency_files.find { |f| f.name.end_with?(".yarnrc") },
|
|
72
102
|
yarnrc_yml_file: dependency_files.find { |f| f.name.end_with?(".yarnrc.yml") }
|
|
73
|
-
).registry_from_rc(project_name)
|
|
103
|
+
).registry_from_rc(T.must(project_name))
|
|
74
104
|
end
|
|
75
105
|
end
|
|
76
106
|
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
################################################################################
|
|
@@ -6,6 +6,8 @@
|
|
|
6
6
|
# https://docs.npmjs.com/misc/semver #
|
|
7
7
|
################################################################################
|
|
8
8
|
|
|
9
|
+
require "sorbet-runtime"
|
|
10
|
+
|
|
9
11
|
require "dependabot/npm_and_yarn/requirement"
|
|
10
12
|
require "dependabot/npm_and_yarn/update_checker"
|
|
11
13
|
require "dependabot/npm_and_yarn/version"
|
|
@@ -15,6 +17,8 @@ module Dependabot
|
|
|
15
17
|
module NpmAndYarn
|
|
16
18
|
class UpdateChecker
|
|
17
19
|
class RequirementsUpdater
|
|
20
|
+
extend T::Sig
|
|
21
|
+
|
|
18
22
|
VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/
|
|
19
23
|
SEPARATOR = /(?<=[a-zA-Z0-9*])[\s|]+(?![\s|-])/
|
|
20
24
|
ALLOWED_UPDATE_STRATEGIES = T.let(
|
|
@@ -27,8 +31,16 @@ module Dependabot
|
|
|
27
31
|
T::Array[Dependabot::RequirementsUpdateStrategy]
|
|
28
32
|
)
|
|
29
33
|
|
|
30
|
-
|
|
31
|
-
|
|
34
|
+
sig do
|
|
35
|
+
params(
|
|
36
|
+
requirements: T::Array[T::Hash[Symbol, T.untyped]],
|
|
37
|
+
updated_source: T.nilable(T::Hash[Symbol, T.untyped]),
|
|
38
|
+
update_strategy: Dependabot::RequirementsUpdateStrategy,
|
|
39
|
+
latest_resolvable_version: T.nilable(T.any(String, Gem::Version))
|
|
40
|
+
)
|
|
41
|
+
.void
|
|
42
|
+
end
|
|
43
|
+
def initialize(requirements:, updated_source:, update_strategy:, latest_resolvable_version:)
|
|
32
44
|
@requirements = requirements
|
|
33
45
|
@updated_source = updated_source
|
|
34
46
|
@update_strategy = update_strategy
|
|
@@ -37,10 +49,13 @@ module Dependabot
|
|
|
37
49
|
|
|
38
50
|
return unless latest_resolvable_version
|
|
39
51
|
|
|
40
|
-
@latest_resolvable_version =
|
|
41
|
-
version_class.new(latest_resolvable_version)
|
|
52
|
+
@latest_resolvable_version = T.let(
|
|
53
|
+
version_class.new(latest_resolvable_version),
|
|
54
|
+
NpmAndYarn::Version
|
|
55
|
+
)
|
|
42
56
|
end
|
|
43
57
|
|
|
58
|
+
sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
|
|
44
59
|
def updated_requirements
|
|
45
60
|
return requirements if update_strategy.lockfile_only?
|
|
46
61
|
|
|
@@ -62,17 +77,26 @@ module Dependabot
|
|
|
62
77
|
|
|
63
78
|
private
|
|
64
79
|
|
|
80
|
+
sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
|
|
65
81
|
attr_reader :requirements
|
|
82
|
+
|
|
83
|
+
sig { returns(T.nilable(T::Hash[Symbol, T.untyped])) }
|
|
66
84
|
attr_reader :updated_source
|
|
85
|
+
|
|
86
|
+
sig { returns(Dependabot::RequirementsUpdateStrategy) }
|
|
67
87
|
attr_reader :update_strategy
|
|
88
|
+
|
|
89
|
+
sig { returns(T.nilable(NpmAndYarn::Version)) }
|
|
68
90
|
attr_reader :latest_resolvable_version
|
|
69
91
|
|
|
92
|
+
sig { void }
|
|
70
93
|
def check_update_strategy
|
|
71
94
|
return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
|
|
72
95
|
|
|
73
96
|
raise "Unknown update strategy: #{update_strategy}"
|
|
74
97
|
end
|
|
75
98
|
|
|
99
|
+
sig { returns(T::Boolean) }
|
|
76
100
|
def updating_from_git_to_npm?
|
|
77
101
|
return false unless updated_source.nil?
|
|
78
102
|
|
|
@@ -80,6 +104,7 @@ module Dependabot
|
|
|
80
104
|
original_source&.fetch(:type) == "git"
|
|
81
105
|
end
|
|
82
106
|
|
|
107
|
+
sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
|
|
83
108
|
def initial_req_after_source_change(req)
|
|
84
109
|
return req unless updating_from_git_to_npm?
|
|
85
110
|
return req unless req[:requirement].nil?
|
|
@@ -87,12 +112,13 @@ module Dependabot
|
|
|
87
112
|
req.merge(requirement: "^#{latest_resolvable_version}")
|
|
88
113
|
end
|
|
89
114
|
|
|
115
|
+
sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
|
|
90
116
|
def update_version_requirement(req)
|
|
91
117
|
current_requirement = req[:requirement]
|
|
92
118
|
|
|
93
119
|
if current_requirement.match?(/(<|-\s)/i)
|
|
94
120
|
ruby_req = ruby_requirements(current_requirement).first
|
|
95
|
-
return req if ruby_req
|
|
121
|
+
return req if ruby_req&.satisfied_by?(latest_resolvable_version)
|
|
96
122
|
|
|
97
123
|
updated_req = update_range_requirement(current_requirement)
|
|
98
124
|
return req.merge(requirement: updated_req)
|
|
@@ -102,6 +128,7 @@ module Dependabot
|
|
|
102
128
|
req.merge(requirement: update_version_string(reqs.first))
|
|
103
129
|
end
|
|
104
130
|
|
|
131
|
+
sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
|
|
105
132
|
def update_version_requirement_if_needed(req)
|
|
106
133
|
current_requirement = req[:requirement]
|
|
107
134
|
version = latest_resolvable_version
|
|
@@ -113,6 +140,7 @@ module Dependabot
|
|
|
113
140
|
update_version_requirement(req)
|
|
114
141
|
end
|
|
115
142
|
|
|
143
|
+
sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
|
|
116
144
|
def widen_requirement(req)
|
|
117
145
|
current_requirement = req[:requirement]
|
|
118
146
|
version = latest_resolvable_version
|
|
@@ -135,22 +163,25 @@ module Dependabot
|
|
|
135
163
|
req.merge(requirement: updated_requirement)
|
|
136
164
|
end
|
|
137
165
|
|
|
166
|
+
sig { params(requirement_string: String).returns(T::Array[NpmAndYarn::Requirement]) }
|
|
138
167
|
def ruby_requirements(requirement_string)
|
|
139
168
|
NpmAndYarn::Requirement
|
|
140
169
|
.requirements_array(requirement_string)
|
|
141
170
|
end
|
|
142
171
|
|
|
172
|
+
sig { params(req_string: String).returns(String) }
|
|
143
173
|
def update_range_requirement(req_string)
|
|
144
174
|
range_requirements =
|
|
145
175
|
req_string.split(SEPARATOR).select { |r| r.match?(/<|(\s+-\s+)/) }
|
|
146
176
|
|
|
147
177
|
if range_requirements.count == 1
|
|
148
|
-
range_requirement = range_requirements.first
|
|
178
|
+
range_requirement = T.must(range_requirements.first)
|
|
149
179
|
versions = range_requirement.scan(VERSION_REGEX)
|
|
150
|
-
|
|
180
|
+
version_objects = versions.map { |v| version_class.new(v.to_s) }
|
|
181
|
+
upper_bound = T.must(version_objects.max)
|
|
151
182
|
new_upper_bound = update_greatest_version(
|
|
152
|
-
upper_bound,
|
|
153
|
-
latest_resolvable_version
|
|
183
|
+
upper_bound.to_s,
|
|
184
|
+
T.must(latest_resolvable_version)
|
|
154
185
|
)
|
|
155
186
|
|
|
156
187
|
req_string.sub(
|
|
@@ -158,45 +189,51 @@ module Dependabot
|
|
|
158
189
|
new_upper_bound.to_s
|
|
159
190
|
)
|
|
160
191
|
else
|
|
161
|
-
req_string + " || ^#{latest_resolvable_version}"
|
|
192
|
+
req_string + " || ^#{T.must(latest_resolvable_version)}"
|
|
162
193
|
end
|
|
163
194
|
end
|
|
164
195
|
|
|
196
|
+
sig { params(req_string: String).returns(String) }
|
|
165
197
|
def update_version_string(req_string)
|
|
166
198
|
req_string
|
|
167
199
|
.sub(VERSION_REGEX) do |old_version|
|
|
168
200
|
if old_version.match?(/\d-/) ||
|
|
169
|
-
latest_resolvable_version.to_s.match?(/\d-/)
|
|
170
|
-
latest_resolvable_version.to_s
|
|
201
|
+
T.must(latest_resolvable_version).to_s.match?(/\d-/)
|
|
202
|
+
T.must(latest_resolvable_version).to_s
|
|
171
203
|
else
|
|
172
204
|
old_parts = old_version.split(".")
|
|
173
|
-
new_parts = latest_resolvable_version.to_s.split(".")
|
|
174
|
-
|
|
205
|
+
new_parts = T.must(latest_resolvable_version).to_s.split(".")
|
|
206
|
+
.first(old_parts.count)
|
|
175
207
|
new_parts.map.with_index do |part, i|
|
|
176
|
-
old_parts[i]
|
|
208
|
+
old_parts[i]&.match?(/^x\b/) ? "x" : part
|
|
177
209
|
end.join(".")
|
|
178
210
|
end
|
|
179
211
|
end
|
|
180
212
|
end
|
|
181
213
|
|
|
214
|
+
sig { params(old_version: String, version_to_be_permitted: NpmAndYarn::Version).returns(String) }
|
|
182
215
|
def update_greatest_version(old_version, version_to_be_permitted)
|
|
183
216
|
version = version_class.new(old_version)
|
|
184
217
|
version = version.release if version.prerelease?
|
|
185
218
|
|
|
186
219
|
index_to_update =
|
|
187
|
-
version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
|
|
220
|
+
version.segments.map.with_index { |seg, i| T.cast(seg, Integer).zero? ? 0 : i }.max || 0
|
|
188
221
|
|
|
189
222
|
version.segments.map.with_index do |_, index|
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
|
|
193
|
-
|
|
194
|
-
|
|
195
|
-
|
|
196
|
-
|
|
223
|
+
segment_value =
|
|
224
|
+
if index < index_to_update
|
|
225
|
+
T.cast(version_to_be_permitted.segments[index], Integer)
|
|
226
|
+
elsif index == index_to_update
|
|
227
|
+
# Cast to Integer before adding 1 to ensure correct type
|
|
228
|
+
T.cast(version_to_be_permitted.segments[index], Integer) + 1
|
|
229
|
+
else
|
|
230
|
+
0
|
|
231
|
+
end
|
|
232
|
+
segment_value.to_s
|
|
197
233
|
end.join(".")
|
|
198
234
|
end
|
|
199
235
|
|
|
236
|
+
sig { returns(T.class_of(NpmAndYarn::Version)) }
|
|
200
237
|
def version_class
|
|
201
238
|
NpmAndYarn::Version
|
|
202
239
|
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# typed:
|
|
1
|
+
# typed: strict
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "dependabot/dependency"
|
|
@@ -12,11 +12,42 @@ require "dependabot/npm_and_yarn/update_checker"
|
|
|
12
12
|
require "dependabot/npm_and_yarn/update_checker/dependency_files_builder"
|
|
13
13
|
require "dependabot/npm_and_yarn/version"
|
|
14
14
|
require "dependabot/shared_helpers"
|
|
15
|
+
require "sorbet-runtime"
|
|
15
16
|
|
|
16
17
|
module Dependabot
|
|
17
18
|
module NpmAndYarn
|
|
18
19
|
class UpdateChecker
|
|
19
20
|
class SubdependencyVersionResolver
|
|
21
|
+
extend T::Sig
|
|
22
|
+
|
|
23
|
+
sig { returns(Dependency) }
|
|
24
|
+
attr_reader :dependency
|
|
25
|
+
|
|
26
|
+
sig { returns(T::Array[Dependabot::Credential]) }
|
|
27
|
+
attr_reader :credentials
|
|
28
|
+
|
|
29
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
30
|
+
attr_reader :dependency_files
|
|
31
|
+
|
|
32
|
+
sig { returns(T::Array[String]) }
|
|
33
|
+
attr_reader :ignored_versions
|
|
34
|
+
|
|
35
|
+
sig { returns(T.nilable(T.any(String, Gem::Version))) }
|
|
36
|
+
attr_reader :latest_allowable_version
|
|
37
|
+
|
|
38
|
+
sig { returns(T.nilable(String)) }
|
|
39
|
+
attr_reader :repo_contents_path
|
|
40
|
+
|
|
41
|
+
sig do
|
|
42
|
+
params(
|
|
43
|
+
dependency: Dependency,
|
|
44
|
+
credentials: T::Array[Dependabot::Credential],
|
|
45
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
46
|
+
ignored_versions: T::Array[String],
|
|
47
|
+
latest_allowable_version: T.nilable(T.any(String, Gem::Version)),
|
|
48
|
+
repo_contents_path: T.nilable(String)
|
|
49
|
+
).void
|
|
50
|
+
end
|
|
20
51
|
def initialize(dependency:, credentials:, dependency_files:,
|
|
21
52
|
ignored_versions:, latest_allowable_version:, repo_contents_path:)
|
|
22
53
|
@dependency = dependency
|
|
@@ -27,11 +58,12 @@ module Dependabot
|
|
|
27
58
|
@repo_contents_path = repo_contents_path
|
|
28
59
|
end
|
|
29
60
|
|
|
61
|
+
sig { returns(T.nilable(T.any(String, Gem::Version))) }
|
|
30
62
|
def latest_resolvable_version
|
|
31
63
|
raise "Not a subdependency!" if dependency.requirements.any?
|
|
32
64
|
return if bundled_dependency?
|
|
33
65
|
|
|
34
|
-
base_dir = dependency_files.first.directory
|
|
66
|
+
base_dir = T.must(dependency_files.first).directory
|
|
35
67
|
SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
|
|
36
68
|
dependency_files_builder.write_temporary_dependency_files
|
|
37
69
|
|
|
@@ -53,13 +85,7 @@ module Dependabot
|
|
|
53
85
|
|
|
54
86
|
private
|
|
55
87
|
|
|
56
|
-
|
|
57
|
-
attr_reader :credentials
|
|
58
|
-
attr_reader :dependency_files
|
|
59
|
-
attr_reader :ignored_versions
|
|
60
|
-
attr_reader :latest_allowable_version
|
|
61
|
-
attr_reader :repo_contents_path
|
|
62
|
-
|
|
88
|
+
sig { params(lockfile: Dependabot::DependencyFile).returns(String) }
|
|
63
89
|
def update_subdependency_in_lockfile(lockfile)
|
|
64
90
|
lockfile_name = Pathname.new(lockfile.name).basename.to_s
|
|
65
91
|
path = Pathname.new(lockfile.name).dirname.to_s
|
|
@@ -72,7 +98,7 @@ module Dependabot
|
|
|
72
98
|
run_pnpm_updater(path, lockfile_name)
|
|
73
99
|
elsif lockfile.name.end_with?("bun.lock")
|
|
74
100
|
run_bun_updater(path, lockfile_name)
|
|
75
|
-
elsif !Helpers.
|
|
101
|
+
elsif !Helpers.parse_npm8?(lockfile)
|
|
76
102
|
run_npm6_updater(path, lockfile_name)
|
|
77
103
|
else
|
|
78
104
|
run_npm_updater(path, lockfile_name)
|
|
@@ -81,6 +107,7 @@ module Dependabot
|
|
|
81
107
|
updated_files.fetch(lockfile_name)
|
|
82
108
|
end
|
|
83
109
|
|
|
110
|
+
sig { params(updated_lockfiles: T::Array[Dependabot::DependencyFile]).returns(T.nilable(Gem::Version)) }
|
|
84
111
|
def version_from_updated_lockfiles(updated_lockfiles)
|
|
85
112
|
updated_files = dependency_files -
|
|
86
113
|
dependency_files_builder.lockfiles +
|
|
@@ -96,13 +123,17 @@ module Dependabot
|
|
|
96
123
|
version_class.new(updated_version)
|
|
97
124
|
end
|
|
98
125
|
|
|
126
|
+
sig { params(path: String, lockfile_name: String).returns(T::Hash[String, String]) }
|
|
99
127
|
def run_yarn_updater(path, lockfile_name)
|
|
100
128
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
101
129
|
Dir.chdir(path) do
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
130
|
+
T.cast(
|
|
131
|
+
SharedHelpers.run_helper_subprocess(
|
|
132
|
+
command: NativeHelpers.helper_path,
|
|
133
|
+
function: "yarn:updateSubdependency",
|
|
134
|
+
args: [Dir.pwd, lockfile_name, [dependency.to_h]]
|
|
135
|
+
),
|
|
136
|
+
T::Hash[String, String]
|
|
106
137
|
)
|
|
107
138
|
end
|
|
108
139
|
end
|
|
@@ -121,6 +152,7 @@ module Dependabot
|
|
|
121
152
|
retry
|
|
122
153
|
end
|
|
123
154
|
|
|
155
|
+
sig { params(path: String, lockfile_name: String).returns(T::Hash[String, String]) }
|
|
124
156
|
def run_yarn_berry_updater(path, lockfile_name)
|
|
125
157
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
126
158
|
Dir.chdir(path) do
|
|
@@ -133,6 +165,7 @@ module Dependabot
|
|
|
133
165
|
end
|
|
134
166
|
end
|
|
135
167
|
|
|
168
|
+
sig { params(path: String, lockfile_name: String).returns(T::Hash[String, String]) }
|
|
136
169
|
def run_pnpm_updater(path, lockfile_name)
|
|
137
170
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
138
171
|
Dir.chdir(path) do
|
|
@@ -145,6 +178,7 @@ module Dependabot
|
|
|
145
178
|
end
|
|
146
179
|
end
|
|
147
180
|
|
|
181
|
+
sig { params(path: String, lockfile_name: String).returns(T::Hash[String, String]) }
|
|
148
182
|
def run_npm_updater(path, lockfile_name)
|
|
149
183
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
150
184
|
Dir.chdir(path) do
|
|
@@ -155,6 +189,7 @@ module Dependabot
|
|
|
155
189
|
end
|
|
156
190
|
end
|
|
157
191
|
|
|
192
|
+
sig { params(path: String, lockfile_name: String).returns(T::Hash[String, String]) }
|
|
158
193
|
def run_bun_updater(path, lockfile_name)
|
|
159
194
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
160
195
|
Dir.chdir(path) do
|
|
@@ -167,6 +202,7 @@ module Dependabot
|
|
|
167
202
|
end
|
|
168
203
|
end
|
|
169
204
|
|
|
205
|
+
sig { params(path: String, lockfile_name: String).returns(T::Hash[String, String]) }
|
|
170
206
|
def run_npm6_updater(path, lockfile_name)
|
|
171
207
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
|
172
208
|
Dir.chdir(path) do
|
|
@@ -179,53 +215,46 @@ module Dependabot
|
|
|
179
215
|
end
|
|
180
216
|
end
|
|
181
217
|
|
|
218
|
+
sig { returns(T.class_of(Dependabot::Version)) }
|
|
182
219
|
def version_class
|
|
183
220
|
dependency.version_class
|
|
184
221
|
end
|
|
185
222
|
|
|
223
|
+
sig { returns(Dependabot::Dependency) }
|
|
186
224
|
def updated_dependency
|
|
187
225
|
Dependabot::Dependency.new(
|
|
188
226
|
name: dependency.name,
|
|
189
|
-
version: latest_allowable_version,
|
|
227
|
+
version: T.cast(latest_allowable_version, T.nilable(T.any(String, Dependabot::Version))),
|
|
190
228
|
previous_version: dependency.version,
|
|
191
229
|
requirements: [],
|
|
192
230
|
package_manager: dependency.package_manager
|
|
193
231
|
)
|
|
194
232
|
end
|
|
195
233
|
|
|
234
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
196
235
|
def filtered_lockfiles
|
|
197
|
-
@filtered_lockfiles ||=
|
|
236
|
+
@filtered_lockfiles ||= T.let(
|
|
198
237
|
SubDependencyFilesFilterer.new(
|
|
199
238
|
dependency_files: dependency_files,
|
|
200
239
|
updated_dependencies: [updated_dependency]
|
|
201
|
-
).files_requiring_update
|
|
240
|
+
).files_requiring_update,
|
|
241
|
+
T.nilable(T::Array[Dependabot::DependencyFile])
|
|
242
|
+
)
|
|
202
243
|
end
|
|
203
244
|
|
|
245
|
+
sig { returns(Dependabot::NpmAndYarn::UpdateChecker::DependencyFilesBuilder) }
|
|
204
246
|
def dependency_files_builder
|
|
205
|
-
@dependency_files_builder ||=
|
|
247
|
+
@dependency_files_builder ||= T.let(
|
|
206
248
|
DependencyFilesBuilder.new(
|
|
207
249
|
dependency: dependency,
|
|
208
250
|
dependency_files: dependency_files,
|
|
209
251
|
credentials: credentials
|
|
210
|
-
)
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
#
|
|
217
|
-
# We shouldn't update bundled sub-dependencies as they have been bundled
|
|
218
|
-
# into the release at an exact version by a parent using
|
|
219
|
-
# `bundledDependencies`.
|
|
220
|
-
#
|
|
221
|
-
# For example, fsevents < 2 bundles node-pre-gyp meaning all it's
|
|
222
|
-
# sub-dependencies get bundled into the release tarball at publish time
|
|
223
|
-
# so you always get the same sub-dependency versions if you re-install a
|
|
224
|
-
# specific version of fsevents.
|
|
225
|
-
#
|
|
226
|
-
# Updating the sub-dependency by deleting the entry works but it gets
|
|
227
|
-
# removed from the bundled set of dependencies and moved top level
|
|
228
|
-
# resulting in a bunch of package duplication which is pretty confusing.
|
|
252
|
+
),
|
|
253
|
+
T.nilable(Dependabot::NpmAndYarn::UpdateChecker::DependencyFilesBuilder)
|
|
254
|
+
)
|
|
255
|
+
end
|
|
256
|
+
|
|
257
|
+
sig { returns(T::Boolean) }
|
|
229
258
|
def bundled_dependency?
|
|
230
259
|
dependency.subdependency_metadata
|
|
231
260
|
&.any? { |h| h.fetch(:npm_bundled, false) } ||
|
|
@@ -825,7 +825,7 @@ module Dependabot
|
|
|
825
825
|
f.name == [path, "package-lock.json"].join("/").sub(%r{\A.?\/}, "")
|
|
826
826
|
end
|
|
827
827
|
|
|
828
|
-
return run_npm8_checker(version: version) if Dependabot::NpmAndYarn::Helpers.
|
|
828
|
+
return run_npm8_checker(version: version) if Dependabot::NpmAndYarn::Helpers.parse_npm8?(package_lock)
|
|
829
829
|
|
|
830
830
|
SharedHelpers.run_helper_subprocess(
|
|
831
831
|
command: NativeHelpers.helper_path,
|