RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.326.0 → 0.327.0 - Mend

dependabot-npm_and_yarn 0.326.0 → 0.327.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b4842f09d3dc4cb14c7092b9281109ab583e8bad0d47db88961a09c6a7e58fc3
-  data.tar.gz: 6497cd3f3b7e8ad082dd51341a2c52eeacbab331e1d7364382ae77b55cd9b7df
+  metadata.gz: 9caa8e27e4f8a3e9572f91367b5b781657cd85c3c4e71a723ac95098f799b64a
+  data.tar.gz: 60e07515a118c5ff572be0b10a20a4e7884c23d53ca4461e9fa9675232b15dfd
 SHA512:
-  metadata.gz: 8fee137d5966dfff6fb1e689f98a060ecc86fe186f2c2f11d6a9df527aae7efe41e0d3d63faa23fe246708887c975cabc8257986bf2c8dad681b498ee6bb5bd7
-  data.tar.gz: 1cbb7f8c7653de3509516f5aa9abdd13be8c9e277f97242346e1c0b97a0d9e32770e97f2eb356e23c0d496e2d2c71508c2242811ab025f9eede4cbcc8f9d9df4
+  metadata.gz: aeb056544931600953d773a5b3564a4d8ba42aeb970363894499fe0a768dddbede3cd4ee872a25bdedf10c765b44230648dfa349909bb5cac88158e6c22edb49
+  data.tar.gz: f38ca1a0d104851e80320a8a9927138d66a31c9fa096c3bb37711fe4aa99cfae9e944233e5cdd7ba32f58cab4e5ca99bc7b53e9d39b55c25a8fbce4b3636eebc

data/helpers/lib/npm/vulnerability-auditor.js CHANGED Viewed

@@ -73,7 +73,8 @@ async function findVulnerableDependencies(directory, advisories) {
       return response
     }
     const vuln = auditReport.get(name)
-    const version = [...vuln.nodes][0].version
+    const vulnNodesHighestLevelFirst = [...vuln.nodes].sort((a, b) => a.depth - b.depth);
+    const version = vulnNodesHighestLevelFirst[0].version
     const fixAvailable = vuln.fixAvailable
     response.current_version = version
@@ -113,6 +114,7 @@ async function findVulnerableDependencies(directory, advisories) {
       response.fix_updates.push({
         dependency_name: fixUpdateNode.name,
+        dependency_location: fixUpdateNode.location,
         current_version: fixUpdateNode.version,
         top_level_ancestors: fixUpdateNodeTopLevelAncestors,
       })
@@ -128,7 +130,8 @@ async function findVulnerableDependencies(directory, advisories) {
     for (const update of response.fix_updates) {
       update.target_version =
-        fixTree.children.get(update.dependency_name)?.version
+        lookupChildLocation(fixTree, update.dependency_location)?.version
+      delete update.dependency_location // Not needed in the output.
     }
     return response
@@ -217,6 +220,30 @@ function groupBy(elems, fn) {
   return groups
 }
+/**
+ * Look up the child node at the given location in the tree rooted at `root`.
+ * `root` is an ArboristNode, and `location` is a string containing the normalized
+ * path to the child node, relative to the root. This string can be taken from
+ * ArboristNode.location and will be of the form "node_modules/foo/node_modules/bar".
+ */
+function lookupChildLocation(root, location) {
+  if (!location.startsWith('node_modules/')) {
+    // The location must start with 'node_modules/' to be valid.
+    return null;
+  }
+  const parts = location
+    .substring('node_modules/'.length)
+    .split('/node_modules/')
+  let current = root
+  for (const part of parts) {
+    current = current.children.get(part)
+    if (!current) {
+      return null
+    }
+  }
+  return current
+}
 async function loadNpmConfig() {
   const configOutput = await exec('npm config ls --json')
   return JSON.parse(configOutput.stdout)

data/helpers/test/npm/fixtures/vulnerability-auditor/simple/package-lock.json ADDED Viewed

@@ -0,0 +1,39 @@
+{
+  "name": "test-vulnerability-auditor-simple",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "test-vulnerability-auditor-simple",
+      "version": "1.0.0",
+      "dependencies": {
+        "@dependabot-fixtures/npm-parent-dependency": "^2.0.0"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-intermediate-dependency": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-intermediate-dependency/-/npm-intermediate-dependency-0.0.1.tgz",
+      "integrity": "sha512-/N77Dzpfg8BIfFgpJrMk86ueUYTVhmpc4RobuHpIpKSc3GZr4Ltu4au92brnUGk66UkzgrMmtgqRXO8OrOspKQ==",
+      "license": "ISC",
+      "dependencies": {
+        "@dependabot-fixtures/npm-transitive-dependency": "1.0.0"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-parent-dependency": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-parent-dependency/-/npm-parent-dependency-2.0.0.tgz",
+      "integrity": "sha512-5LtLEL1yzO2TdkNX3R9cvr+nKmhw5h4xM0wkFTJeK14wxlI9d8gEYA+I2hUi+IP96ucBSztAnOgZVwoJHEZb6A==",
+      "license": "ISC",
+      "dependencies": {
+        "@dependabot-fixtures/npm-intermediate-dependency": "0.0.1"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-transitive-dependency": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-transitive-dependency/-/npm-transitive-dependency-1.0.0.tgz",
+      "integrity": "sha512-nFbzQH0TRgdzSA2/FH6MPnxZDpD+5Bgz00aD5Edgbc1wY/k8VC9s7lnk22dBTgJLwoY7MgbrnAf9rAvN08hHVg==",
+      "license": "ISC"
+    }
+  }
+}

data/helpers/test/npm/fixtures/vulnerability-auditor/simple/package.json ADDED Viewed

@@ -0,0 +1,12 @@
+{
+  "name": "test-vulnerability-auditor-simple",
+  "version": "1.0.0",
+  "private": true,
+  "description": "",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "@dependabot-fixtures/npm-parent-dependency": "^2.0.0"
+  }
+}

data/helpers/test/npm/fixtures/vulnerability-auditor/update-needed-across-two-versions/package-lock.json ADDED Viewed

@@ -0,0 +1,92 @@
+{
+  "name": "test-vulnerability-update-needed-across-two-versions",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "test-vulnerability-update-needed-across-two-versions",
+      "version": "1.0.0",
+      "dependencies": {
+        "@msgpack/msgpack": "^2.7.2",
+        "wireql-client": "^1.0.3"
+      }
+    },
+    "node_modules/@msgpack/msgpack": {
+      "version": "2.7.2",
+      "resolved": "https://registry.npmjs.org/@msgpack/msgpack/-/msgpack-2.7.2.tgz",
+      "integrity": "sha512-rYEi46+gIzufyYUAoHDnRzkWGxajpD9vVXFQ3g1vbjrBm6P7MBmm+s/fqPa46sxa+8FOUdEuRQKaugo5a4JWpw==",
+      "license": "ISC",
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/eventemitter3": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/eventemitter3/-/eventemitter3-5.0.1.tgz",
+      "integrity": "sha512-GWkBvjiSZK87ELrYOSESUYeVIc9mvLLf/nXalMOS5dYrgZq9o5OVkbZAVM06CVxYsCwH9BDZFPlQTlPA1j4ahA==",
+      "license": "MIT"
+    },
+    "node_modules/typescript": {
+      "version": "5.9.2",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.2.tgz",
+      "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
+      "license": "Apache-2.0",
+      "peer": true,
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=14.17"
+      }
+    },
+    "node_modules/wireql-client": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/wireql-client/-/wireql-client-1.0.3.tgz",
+      "integrity": "sha512-qHCV0s+QSPEVrg4QXFewW2gPqAunuF7QdEX3Q1mcWr7FpSue6WRendyjRyr/u2vOEKuucF052vf41/dpmgLh8A==",
+      "license": "MIT",
+      "dependencies": {
+        "@msgpack/msgpack": "^3.0.0",
+        "eventemitter3": "^5.0.1",
+        "ws": "^8.16.0"
+      },
+      "engines": {
+        "node": ">=16.0.0"
+      },
+      "peerDependencies": {
+        "typescript": ">=4.5.0"
+      }
+    },
+    "node_modules/wireql-client/node_modules/@msgpack/msgpack": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/@msgpack/msgpack/-/msgpack-3.0.0.tgz",
+      "integrity": "sha512-s/OZQ1QUtSYr9tgFZh4HSFLvTR2o81r0zfQj7pClC7oFUqZaAgkQ+vADV9JBioJLK9lJoAjBEhuPhVuOIJnbhg==",
+      "license": "ISC",
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/ws": {
+      "version": "8.18.3",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.3.tgz",
+      "integrity": "sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "bufferutil": "^4.0.1",
+        "utf-8-validate": ">=5.0.2"
+      },
+      "peerDependenciesMeta": {
+        "bufferutil": {
+          "optional": true
+        },
+        "utf-8-validate": {
+          "optional": true
+        }
+      }
+    }
+  }
+}

data/helpers/test/npm/fixtures/vulnerability-auditor/update-needed-across-two-versions/package.json ADDED Viewed

@@ -0,0 +1,13 @@
+{
+  "name": "test-vulnerability-update-needed-across-two-versions",
+  "version": "1.0.0",
+  "private": true,
+  "description": "",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "@msgpack/msgpack": "^2.7.2",
+    "wireql-client": "^1.0.3"
+  }
+}

data/helpers/test/npm/helpers.js ADDED Viewed

@@ -0,0 +1,21 @@
+const path = require("path");
+const fs = require("fs");
+module.exports = {
+  loadFixture: (fixturePath) =>
+    fs.readFileSync(path.join(__dirname, "fixtures", fixturePath)).toString(),
+  copyDependencies: (sourceDir, destDir) => {
+    const srcPackageJson = path.join(
+      __dirname,
+      `fixtures/${sourceDir}/package.json`
+    );
+    fs.copyFileSync(srcPackageJson, `${destDir}/package.json`);
+    const srcLockfile = path.join(
+      __dirname,
+      `fixtures/${sourceDir}/package-lock.json`
+    );
+    fs.copyFileSync(srcLockfile, `${destDir}/package-lock.json`);
+  },
+};

data/helpers/test/npm/vulnerability-auditor.test.js ADDED Viewed

@@ -0,0 +1,85 @@
+const path = require("path");
+const os = require("os");
+const fs = require("fs");
+const {
+  findVulnerableDependencies,
+} = require("../../lib/npm/vulnerability-auditor");
+const helpers = require("./helpers");
+describe("findVulnerableDependencies", () => {
+  let tempDir;
+  beforeEach(() => {
+    tempDir = fs.mkdtempSync(os.tmpdir() + path.sep);
+  });
+  afterEach(() => fs.rm(tempDir, { recursive: true }, () => {}));
+  it("finds vulnerable dependencies", async () => {
+    helpers.copyDependencies("vulnerability-auditor/simple", tempDir);
+    const advisories = [{
+      dependency_name: "@dependabot-fixtures/npm-parent-dependency",
+      affected_versions: [
+        ">= 0, < 2.0.2",
+      ]
+    }];
+    const actual = await findVulnerableDependencies(tempDir, advisories);
+    const expected = {
+      dependency_name: "@dependabot-fixtures/npm-parent-dependency",
+      fix_updates: [
+        {
+          dependency_name: "@dependabot-fixtures/npm-parent-dependency",
+          current_version: "2.0.0",
+          top_level_ancestors: [],
+          target_version: "2.0.2"
+        },
+      ],
+      top_level_ancestors: [
+        "@dependabot-fixtures/npm-parent-dependency"
+      ],
+      current_version: "2.0.0",
+      fix_available: true,
+      target_version: "2.0.2"
+    };
+    expect(actual).toEqual(expected);
+  });
+  it("finds vulnerable dependencies when multiple versions of the same package are affected", async () => {
+    helpers.copyDependencies("vulnerability-auditor/update-needed-across-two-versions", tempDir);
+    const advisories = [{
+      dependency_name: "@msgpack/msgpack",
+      affected_versions: [
+        ">= 2.0.0, < 2.8.0",
+        ">= 3.0.0, < 3.1.2"
+      ]
+    }];
+    const actual = await findVulnerableDependencies(tempDir, advisories);
+    const expected = {
+      dependency_name: "@msgpack/msgpack",
+      fix_updates: [
+         {
+          dependency_name: "@msgpack/msgpack",
+          current_version: "2.7.2",
+          top_level_ancestors: [],
+          target_version: "2.8.0"
+        },
+        {
+        dependency_name: "@msgpack/msgpack",
+        current_version: "3.0.0",
+        top_level_ancestors: [
+            "wireql-client"
+          ],
+          target_version: "3.1.2"
+        }
+      ],
+      top_level_ancestors: [
+        "@msgpack/msgpack",
+        "wireql-client"
+      ],
+      current_version: "2.7.2",
+      fix_available: true,
+      target_version: "2.8.0"
+    };
+    expect(actual).toEqual(expected);
+  });
+});

data/lib/dependabot/npm_and_yarn/helpers.rb CHANGED Viewed

@@ -267,14 +267,21 @@ module Dependabot
       # NOTE: Needs to be explicitly run through corepack to respect the
       # `packageManager` setting in `package.json`, because corepack does not
       # add shims for NPM.
-      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
-      def self.run_npm_command(command, fingerprint: command)
+      sig do
+        params(
+          command: String,
+          fingerprint: T.nilable(String),
+          env: T.nilable(T::Hash[String, String])
+        ).returns(String)
+      end
+      def self.run_npm_command(command, fingerprint: command, env: nil)
         if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
           package_manager_run_command(
             NpmPackageManager::NAME,
             command,
             fingerprint: fingerprint,
-            output_observer: ->(output) { command_observer(output) }
+            output_observer: ->(output) { command_observer(output) },
+            env: env
           )
         else
           Dependabot::SharedHelpers.run_shell_command(
@@ -506,14 +513,16 @@ module Dependabot
           name: String,
           command: String,
           fingerprint: T.nilable(String),
-          output_observer: CommandHelpers::OutputObserver
+          output_observer: CommandHelpers::OutputObserver,
+          env: T.nilable(T::Hash[String, String])
         ).returns(String)
       end
       def self.package_manager_run_command(
         name,
         command,
         fingerprint: nil,
-        output_observer: nil
+        output_observer: nil,
+        env: nil
       )
         return run_bun_command(command, fingerprint: fingerprint) if name == BunPackageManager::NAME
@@ -524,7 +533,8 @@ module Dependabot
           return Dependabot::SharedHelpers.run_shell_command(
             full_command,
             fingerprint: fingerprint,
-            output_observer: output_observer
+            output_observer: output_observer,
+            env: env
           ).strip
         else
           Dependabot::SharedHelpers.run_shell_command(full_command, fingerprint: fingerprint)

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb CHANGED Viewed

@@ -828,9 +828,10 @@ module Dependabot
           ).returns(T.nilable(T.any(T::Hash[String, T.untyped], String, T::Array[T::Hash[String, T.untyped]])))
         end
         def run_npm8_checker(version:)
+          env = corepack_registry_override_env
           cmd =
             "install #{version_install_arg(version: version)} --package-lock-only --dry-run=true --ignore-scripts"
-          output = Helpers.run_npm_command(cmd)
+          output = Helpers.run_npm_command(cmd, env: env)
           if output.match?(NPM8_PEER_DEP_ERROR_REGEX)
             error_context = { command: cmd, process_exit_value: 1 }
             raise SharedHelpers::HelperSubprocessFailed.new(message: output, error_context: error_context)
@@ -839,6 +840,19 @@ module Dependabot
           raise if e.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
         end
+        sig { returns(T.nilable(T::Hash[String, String])) }
+        def corepack_registry_override_env
+          return nil unless Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
+          replaces_base_cred = credentials.find { |cred| cred["type"] == "npm_registry" && cred.replaces_base? }
+          registry_url = replaces_base_cred&.[]("registry")
+          return nil unless registry_url
+          registry_url = "https://#{registry_url}" unless registry_url.start_with?("http")
+          { "npm_config_registry" => registry_url }
+        end
         sig do
           params(
             version: T.nilable(T.any(String, Gem::Version))

data/lib/dependabot/npm_and_yarn/update_checker.rb CHANGED Viewed

@@ -259,6 +259,7 @@ module Dependabot
       end
       # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/PerceivedComplexity
       sig { returns(T::Array[Dependabot::Dependency]) }
       def conflicting_updated_dependencies
         top_level_dependencies = top_level_dependency_lookup
@@ -266,7 +267,11 @@ module Dependabot
         updated_deps = []
         vulnerability_audit["fix_updates"].each do |update|
           dependency_name = update["dependency_name"]
-          requirements = top_level_dependencies[dependency_name]&.requirements || []
+          requirements = if top_level_dependencies[dependency_name]&.version == update["current_version"]
+                           top_level_dependencies[dependency_name]&.requirements || []
+                         else
+                           []
+                         end
           updated_deps << build_updated_dependency(
             dependency: Dependency.new(
@@ -299,6 +304,7 @@ module Dependabot
         updated_deps.select { |dep| dep.name == dependency.name } +
           updated_deps.reject { |dep| dep.name == dependency.name }
       end
+      # rubocop:enable Metrics/PerceivedComplexity
       sig { returns(T::Hash[String, Dependabot::Dependency]) }
       def top_level_dependency_lookup

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.326.0
+  version: 0.327.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.326.0
+        version: 0.327.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.326.0
+        version: 0.327.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -269,6 +269,12 @@ files:
 - helpers/package.json
 - helpers/patches/npm++pacote+9.5.12.patch
 - helpers/run.js
+- helpers/test/npm/fixtures/vulnerability-auditor/simple/package-lock.json
+- helpers/test/npm/fixtures/vulnerability-auditor/simple/package.json
+- helpers/test/npm/fixtures/vulnerability-auditor/update-needed-across-two-versions/package-lock.json
+- helpers/test/npm/fixtures/vulnerability-auditor/update-needed-across-two-versions/package.json
+- helpers/test/npm/helpers.js
+- helpers/test/npm/vulnerability-auditor.test.js
 - helpers/test/npm6/conflicting-dependency-parser.test.js
 - helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested/package-lock.json
 - helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested/package.json
@@ -356,7 +362,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.326.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.327.0
 rdoc_options: []
 require_paths:
 - lib