RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.309.0 → 0.311.0 - Mend

dependabot-npm_and_yarn 0.309.0 → 0.311.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb CHANGED Viewed

@@ -1,7 +1,9 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 require "stringio"
+require "sorbet-runtime"
 require "dependabot/dependency"
 require "dependabot/errors"
 require "dependabot/logger"
@@ -16,6 +18,15 @@ module Dependabot
   module NpmAndYarn
     class UpdateChecker < Dependabot::UpdateCheckers::Base
       class VulnerabilityAuditor
+        extend T::Sig
+        sig do
+          params(
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          )
+            .void
+        end
         def initialize(dependency_files:, credentials:)
           @dependency_files = dependency_files
           @credentials = credentials
@@ -43,6 +54,13 @@ module Dependabot
         #   * :top_level_ancestors [Array<String>] the names of all top-level dependencies with a transitive
         #     dependency on the dependency
         #   * :explanation [String] an explanation for why the project failed the vulnerability auditor run
+        sig do
+          params(
+            dependency: Dependabot::Dependency,
+            security_advisories: T::Array[Dependabot::SecurityAdvisory]
+          )
+            .returns(T::Hash[String, T.untyped])
+        end
         def audit(dependency:, security_advisories:)
           Dependabot.logger.info("VulnerabilityAuditor: starting audit")
@@ -76,10 +94,13 @@ module Dependabot
               }
             end
-            audit_result = SharedHelpers.run_helper_subprocess(
-              command: NativeHelpers.helper_path,
-              function: "npm:vulnerabilityAuditor",
-              args: [Dir.pwd, vuln_versions]
+            audit_result = T.cast(
+              SharedHelpers.run_helper_subprocess(
+                command: NativeHelpers.helper_path,
+                function: "npm:vulnerabilityAuditor",
+                args: [Dir.pwd, vuln_versions]
+              ),
+              T::Hash[String, T.untyped]
             )
             validation_result = validate_audit_result(audit_result, security_advisories)
@@ -94,24 +115,36 @@ module Dependabot
           end
         rescue SharedHelpers::HelperSubprocessFailed => e
           log_helper_subprocess_failure(dependency, e)
-          fix_unavailable
+          T.must(fix_unavailable)
         end
         # rubocop:enable Metrics/MethodLength
         private
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+        sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+        sig { params(validation_result: Symbol, dependency: Dependabot::Dependency).returns(String) }
         def explain_fix_unavailable(validation_result, dependency)
           case validation_result
           when :fix_unavailable, :dependency_still_vulnerable, :downgrades_dependencies
             "No patched version available for #{dependency.name}"
           when :fix_incomplete
             "The lockfile might be out of sync?"
+          else
+            raise "Unexpected validation result: #{validation_result}"
           end
         end
+        sig do
+          params(
+            audit_result: T::Hash[String, T.untyped],
+            security_advisories: T::Array[Dependabot::SecurityAdvisory]
+          ).returns(Symbol)
+        end
         def validate_audit_result(audit_result, security_advisories)
           return :fix_unavailable unless audit_result["fix_available"]
           return :dependency_still_vulnerable if dependency_still_vulnerable?(audit_result, security_advisories)
@@ -121,6 +154,13 @@ module Dependabot
           :viable
         end
+        sig do
+          params(
+            audit_result: T::Hash[String, T.untyped],
+            security_advisories: T::Array[Dependabot::SecurityAdvisory]
+          )
+            .returns(T::Boolean)
+        end
         def dependency_still_vulnerable?(audit_result, security_advisories)
           # vulnerable dependency is removed if the target version is nil
           return false unless audit_result["target_version"]
@@ -129,6 +169,7 @@ module Dependabot
           security_advisories.any? { |a| a.vulnerable?(version) }
         end
+        sig { params(audit_result: T::Hash[String, T.untyped]).returns(T::Boolean) }
         def downgrades_dependencies?(audit_result)
           return true if downgrades_version?(audit_result["current_version"], audit_result["target_version"])
@@ -137,6 +178,13 @@ module Dependabot
           end
         end
+        sig do
+          params(
+            current_version: T.nilable(T.any(String, Integer, Gem::Version)),
+            target_version: T.nilable(T.any(String, Integer, Gem::Version))
+          )
+            .returns(T::Boolean)
+        end
         def downgrades_version?(current_version, target_version)
           return false unless target_version
@@ -145,14 +193,19 @@ module Dependabot
           current > target
         end
+        sig { params(audit_result: T::Hash[String, T.untyped]).returns(T::Boolean) }
         def fix_incomplete?(audit_result)
           audit_result["fix_updates"].any? { |update| !update.key?("target_version") } ||
             audit_result["fix_updates"].empty?
         end
+        sig do
+          params(dependency: Dependabot::Dependency,
+                 error: Dependabot::SharedHelpers::HelperSubprocessFailed).void
+        end
         def log_helper_subprocess_failure(dependency, error)
           # See `Dependabot::SharedHelpers.run_helper_subprocess` for details on error context
-          context = error.error_context || {}
+          context = error.error_context
           builder = ::StringIO.new
           builder << "VulnerabilityAuditor: "

data/lib/dependabot/npm_and_yarn/update_checker.rb CHANGED Viewed

@@ -43,7 +43,7 @@ module Dependabot
                      requirements_update_strategy: nil, dependency_group: nil,
                      update_cooldown: nil, options: {})
         @latest_version = T.let(nil, T.nilable(T.any(String, Gem::Version)))
-        @latest_resolvable_version = T.let(nil, T.nilable(T.any(String, Gem::Version)))
+        @latest_resolvable_version = T.let(nil, T.nilable(T.any(String, Dependabot::Version)))
         @updated_requirements = T.let(nil, T.nilable(T::Array[T::Hash[Symbol, T.untyped]]))
         @vulnerability_audit = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
         @vulnerable_versions = T.let(nil, T.nilable(T::Array[T.any(String, Gem::Version)]))
@@ -88,17 +88,23 @@ module Dependabot
           end
       end
-      sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
+      sig { override.returns(T.nilable(T.any(String, Gem::Version))) }
       def latest_resolvable_version
         return unless latest_version
         @latest_resolvable_version ||=
           if dependency.top_level?
-            version_resolver.latest_resolvable_version
+            T.cast(
+              version_resolver.latest_resolvable_version,
+              T.nilable(T.any(String, Dependabot::Version))
+            )
           else
             # If the dependency is indirect its version is constrained  by the
             # requirements placed on it by dependencies lower down the tree
-            subdependency_version_resolver.latest_resolvable_version
+            T.cast(
+              subdependency_version_resolver.latest_resolvable_version,
+              T.nilable(T.any(String, Dependabot::Version))
+            )
           end
       end
@@ -133,7 +139,11 @@ module Dependabot
       sig { override.returns(T.nilable(T.any(String, Dependabot::Version))) }
       def latest_resolvable_version_with_no_unlock
-        return latest_resolvable_version unless dependency.top_level?
+        unless dependency.top_level?
+          # TODO: We should use `Dependabot::Version` everywhere
+          return T.cast(latest_resolvable_version,
+                        T.nilable(T.any(String, Dependabot::Version)))
+        end
         return latest_resolvable_version_with_no_unlock_for_git_dependency if git_dependency?
@@ -167,7 +177,7 @@ module Dependabot
             requirements: dependency.requirements,
             updated_source: updated_source,
             latest_resolvable_version: resolvable_version,
-            update_strategy: requirements_update_strategy
+            update_strategy: T.must(requirements_update_strategy)
           ).updated_requirements
       end
@@ -326,7 +336,7 @@ module Dependabot
             requirements: original_dep.requirements,
             updated_source: original_dep == dependency ? updated_source : original_source(original_dep),
             latest_resolvable_version: version,
-            update_strategy: requirements_update_strategy
+            update_strategy: T.must(requirements_update_strategy)
           ).updated_requirements,
           previous_version: previous_version,
           previous_requirements: original_dep.requirements,
@@ -516,7 +526,7 @@ module Dependabot
         @library =
           LibraryDetector.new(
-            package_json_file: package_json,
+            package_json_file: T.must(package_json),
             credentials: credentials,
             dependency_files: dependency_files
           ).library?

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.309.0
+  version: 0.311.0
 platform: ruby
 authors:
 - Dependabot
 bindir: bin
 cert_chain: []
-date: 2025-04-17 00:00:00.000000000 Z
+date: 2025-05-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.309.0
+        version: 0.311.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.309.0
+        version: 0.311.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -223,16 +223,16 @@ dependencies:
   name: webrick
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '1.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '1.9'
 description: Dependabot-NPM_And_Yarn provides support for bumping Javascript (npm
   and yarn) libraries via Dependabot. If you want support for multiple package managers,
   you probably want the meta-gem dependabot-omnibus.
@@ -356,7 +356,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.309.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.311.0
 rdoc_options: []
 require_paths:
 - lib