RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.326.1 → 0.328.0 - Mend

dependabot-npm_and_yarn 0.326.1 → 0.328.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 033f2461268e8978305ec559b96b0067a33475b0326b6ba5e6bb5aa64134e7d1
-  data.tar.gz: 6497cd3f3b7e8ad082dd51341a2c52eeacbab331e1d7364382ae77b55cd9b7df
+  metadata.gz: e519785e577c328749802bf44c2ef0066c8e4f7823d3c21c36855149986f6ddb
+  data.tar.gz: b33e8268583d2aef788f944a93cc5a824b6bf0b2fa3b06d1250ed852d9d063e6
 SHA512:
-  metadata.gz: 723ee5329c03807930e6c0ecb75901721277c5307ffd81a472c2afebcb55f3bbef94a5a117bc54ff1302da28f39b7eccb4a25d4f675d701da8dfadaff8a3169a
-  data.tar.gz: 1cbb7f8c7653de3509516f5aa9abdd13be8c9e277f97242346e1c0b97a0d9e32770e97f2eb356e23c0d496e2d2c71508c2242811ab025f9eede4cbcc8f9d9df4
+  metadata.gz: 7fd574e8ac36593a84220d970a243f7d03c91ea6c24ffd14211bcbd1781692dc90ae0e5be4e6677ab1460a875927afa883e7143bf41c528dfcf1df6f8717623a
+  data.tar.gz: f160c66603ce809739ad481214c290b58d704861d5bd037177f00bb331f660b6e4c1119d25f1792951ff9da828d39e4eafb3f05e1cc7ea85e30e78fe8fff3d9a

data/helpers/lib/npm/vulnerability-auditor.js CHANGED Viewed

@@ -73,7 +73,8 @@ async function findVulnerableDependencies(directory, advisories) {
       return response
     }
     const vuln = auditReport.get(name)
-    const version = [...vuln.nodes][0].version
+    const vulnNodesHighestLevelFirst = [...vuln.nodes].sort((a, b) => a.depth - b.depth);
+    const version = vulnNodesHighestLevelFirst[0].version
     const fixAvailable = vuln.fixAvailable
     response.current_version = version
@@ -113,6 +114,7 @@ async function findVulnerableDependencies(directory, advisories) {
       response.fix_updates.push({
         dependency_name: fixUpdateNode.name,
+        dependency_location: fixUpdateNode.location,
         current_version: fixUpdateNode.version,
         top_level_ancestors: fixUpdateNodeTopLevelAncestors,
       })
@@ -128,7 +130,8 @@ async function findVulnerableDependencies(directory, advisories) {
     for (const update of response.fix_updates) {
       update.target_version =
-        fixTree.children.get(update.dependency_name)?.version
+        lookupChildLocation(fixTree, update.dependency_location)?.version
+      delete update.dependency_location // Not needed in the output.
     }
     return response
@@ -217,6 +220,30 @@ function groupBy(elems, fn) {
   return groups
 }
+/**
+ * Look up the child node at the given location in the tree rooted at `root`.
+ * `root` is an ArboristNode, and `location` is a string containing the normalized
+ * path to the child node, relative to the root. This string can be taken from
+ * ArboristNode.location and will be of the form "node_modules/foo/node_modules/bar".
+ */
+function lookupChildLocation(root, location) {
+  if (!location.startsWith('node_modules/')) {
+    // The location must start with 'node_modules/' to be valid.
+    return null;
+  }
+  const parts = location
+    .substring('node_modules/'.length)
+    .split('/node_modules/')
+  let current = root
+  for (const part of parts) {
+    current = current.children.get(part)
+    if (!current) {
+      return null
+    }
+  }
+  return current
+}
 async function loadNpmConfig() {
   const configOutput = await exec('npm config ls --json')
   return JSON.parse(configOutput.stdout)

data/helpers/test/npm/fixtures/vulnerability-auditor/simple/package-lock.json ADDED Viewed

@@ -0,0 +1,39 @@
+{
+  "name": "test-vulnerability-auditor-simple",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "test-vulnerability-auditor-simple",
+      "version": "1.0.0",
+      "dependencies": {
+        "@dependabot-fixtures/npm-parent-dependency": "^2.0.0"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-intermediate-dependency": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-intermediate-dependency/-/npm-intermediate-dependency-0.0.1.tgz",
+      "integrity": "sha512-/N77Dzpfg8BIfFgpJrMk86ueUYTVhmpc4RobuHpIpKSc3GZr4Ltu4au92brnUGk66UkzgrMmtgqRXO8OrOspKQ==",
+      "license": "ISC",
+      "dependencies": {
+        "@dependabot-fixtures/npm-transitive-dependency": "1.0.0"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-parent-dependency": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-parent-dependency/-/npm-parent-dependency-2.0.0.tgz",
+      "integrity": "sha512-5LtLEL1yzO2TdkNX3R9cvr+nKmhw5h4xM0wkFTJeK14wxlI9d8gEYA+I2hUi+IP96ucBSztAnOgZVwoJHEZb6A==",
+      "license": "ISC",
+      "dependencies": {
+        "@dependabot-fixtures/npm-intermediate-dependency": "0.0.1"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-transitive-dependency": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-transitive-dependency/-/npm-transitive-dependency-1.0.0.tgz",
+      "integrity": "sha512-nFbzQH0TRgdzSA2/FH6MPnxZDpD+5Bgz00aD5Edgbc1wY/k8VC9s7lnk22dBTgJLwoY7MgbrnAf9rAvN08hHVg==",
+      "license": "ISC"
+    }
+  }
+}

data/helpers/test/npm/fixtures/vulnerability-auditor/simple/package.json ADDED Viewed

@@ -0,0 +1,12 @@
+{
+  "name": "test-vulnerability-auditor-simple",
+  "version": "1.0.0",
+  "private": true,
+  "description": "",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "@dependabot-fixtures/npm-parent-dependency": "^2.0.0"
+  }
+}

data/helpers/test/npm/fixtures/vulnerability-auditor/update-needed-across-two-versions/package-lock.json ADDED Viewed

@@ -0,0 +1,92 @@
+{
+  "name": "test-vulnerability-update-needed-across-two-versions",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "test-vulnerability-update-needed-across-two-versions",
+      "version": "1.0.0",
+      "dependencies": {
+        "@msgpack/msgpack": "^2.7.2",
+        "wireql-client": "^1.0.3"
+      }
+    },
+    "node_modules/@msgpack/msgpack": {
+      "version": "2.7.2",
+      "resolved": "https://registry.npmjs.org/@msgpack/msgpack/-/msgpack-2.7.2.tgz",
+      "integrity": "sha512-rYEi46+gIzufyYUAoHDnRzkWGxajpD9vVXFQ3g1vbjrBm6P7MBmm+s/fqPa46sxa+8FOUdEuRQKaugo5a4JWpw==",
+      "license": "ISC",
+      "engines": {
+        "node": ">= 10"
+      }
+    },
+    "node_modules/eventemitter3": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/eventemitter3/-/eventemitter3-5.0.1.tgz",
+      "integrity": "sha512-GWkBvjiSZK87ELrYOSESUYeVIc9mvLLf/nXalMOS5dYrgZq9o5OVkbZAVM06CVxYsCwH9BDZFPlQTlPA1j4ahA==",
+      "license": "MIT"
+    },
+    "node_modules/typescript": {
+      "version": "5.9.2",
+      "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.2.tgz",
+      "integrity": "sha512-CWBzXQrc/qOkhidw1OzBTQuYRbfyxDXJMVJ1XNwUHGROVmuaeiEm3OslpZ1RV96d7SKKjZKrSJu3+t/xlw3R9A==",
+      "license": "Apache-2.0",
+      "peer": true,
+      "bin": {
+        "tsc": "bin/tsc",
+        "tsserver": "bin/tsserver"
+      },
+      "engines": {
+        "node": ">=14.17"
+      }
+    },
+    "node_modules/wireql-client": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/wireql-client/-/wireql-client-1.0.3.tgz",
+      "integrity": "sha512-qHCV0s+QSPEVrg4QXFewW2gPqAunuF7QdEX3Q1mcWr7FpSue6WRendyjRyr/u2vOEKuucF052vf41/dpmgLh8A==",
+      "license": "MIT",
+      "dependencies": {
+        "@msgpack/msgpack": "^3.0.0",
+        "eventemitter3": "^5.0.1",
+        "ws": "^8.16.0"
+      },
+      "engines": {
+        "node": ">=16.0.0"
+      },
+      "peerDependencies": {
+        "typescript": ">=4.5.0"
+      }
+    },
+    "node_modules/wireql-client/node_modules/@msgpack/msgpack": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/@msgpack/msgpack/-/msgpack-3.0.0.tgz",
+      "integrity": "sha512-s/OZQ1QUtSYr9tgFZh4HSFLvTR2o81r0zfQj7pClC7oFUqZaAgkQ+vADV9JBioJLK9lJoAjBEhuPhVuOIJnbhg==",
+      "license": "ISC",
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/ws": {
+      "version": "8.18.3",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.3.tgz",
+      "integrity": "sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "bufferutil": "^4.0.1",
+        "utf-8-validate": ">=5.0.2"
+      },
+      "peerDependenciesMeta": {
+        "bufferutil": {
+          "optional": true
+        },
+        "utf-8-validate": {
+          "optional": true
+        }
+      }
+    }
+  }
+}

data/helpers/test/npm/fixtures/vulnerability-auditor/update-needed-across-two-versions/package.json ADDED Viewed

@@ -0,0 +1,13 @@
+{
+  "name": "test-vulnerability-update-needed-across-two-versions",
+  "version": "1.0.0",
+  "private": true,
+  "description": "",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "@msgpack/msgpack": "^2.7.2",
+    "wireql-client": "^1.0.3"
+  }
+}

data/helpers/test/npm/helpers.js ADDED Viewed

@@ -0,0 +1,21 @@
+const path = require("path");
+const fs = require("fs");
+module.exports = {
+  loadFixture: (fixturePath) =>
+    fs.readFileSync(path.join(__dirname, "fixtures", fixturePath)).toString(),
+  copyDependencies: (sourceDir, destDir) => {
+    const srcPackageJson = path.join(
+      __dirname,
+      `fixtures/${sourceDir}/package.json`
+    );
+    fs.copyFileSync(srcPackageJson, `${destDir}/package.json`);
+    const srcLockfile = path.join(
+      __dirname,
+      `fixtures/${sourceDir}/package-lock.json`
+    );
+    fs.copyFileSync(srcLockfile, `${destDir}/package-lock.json`);
+  },
+};

data/helpers/test/npm/vulnerability-auditor.test.js ADDED Viewed

@@ -0,0 +1,85 @@
+const path = require("path");
+const os = require("os");
+const fs = require("fs");
+const {
+  findVulnerableDependencies,
+} = require("../../lib/npm/vulnerability-auditor");
+const helpers = require("./helpers");
+describe("findVulnerableDependencies", () => {
+  let tempDir;
+  beforeEach(() => {
+    tempDir = fs.mkdtempSync(os.tmpdir() + path.sep);
+  });
+  afterEach(() => fs.rm(tempDir, { recursive: true }, () => {}));
+  it("finds vulnerable dependencies", async () => {
+    helpers.copyDependencies("vulnerability-auditor/simple", tempDir);
+    const advisories = [{
+      dependency_name: "@dependabot-fixtures/npm-parent-dependency",
+      affected_versions: [
+        ">= 0, < 2.0.2",
+      ]
+    }];
+    const actual = await findVulnerableDependencies(tempDir, advisories);
+    const expected = {
+      dependency_name: "@dependabot-fixtures/npm-parent-dependency",
+      fix_updates: [
+        {
+          dependency_name: "@dependabot-fixtures/npm-parent-dependency",
+          current_version: "2.0.0",
+          top_level_ancestors: [],
+          target_version: "2.0.2"
+        },
+      ],
+      top_level_ancestors: [
+        "@dependabot-fixtures/npm-parent-dependency"
+      ],
+      current_version: "2.0.0",
+      fix_available: true,
+      target_version: "2.0.2"
+    };
+    expect(actual).toEqual(expected);
+  });
+  it("finds vulnerable dependencies when multiple versions of the same package are affected", async () => {
+    helpers.copyDependencies("vulnerability-auditor/update-needed-across-two-versions", tempDir);
+    const advisories = [{
+      dependency_name: "@msgpack/msgpack",
+      affected_versions: [
+        ">= 2.0.0, < 2.8.0",
+        ">= 3.0.0, < 3.1.2"
+      ]
+    }];
+    const actual = await findVulnerableDependencies(tempDir, advisories);
+    const expected = {
+      dependency_name: "@msgpack/msgpack",
+      fix_updates: [
+         {
+          dependency_name: "@msgpack/msgpack",
+          current_version: "2.7.2",
+          top_level_ancestors: [],
+          target_version: "2.8.0"
+        },
+        {
+        dependency_name: "@msgpack/msgpack",
+        current_version: "3.0.0",
+        top_level_ancestors: [
+            "wireql-client"
+          ],
+          target_version: "3.1.2"
+        }
+      ],
+      top_level_ancestors: [
+        "@msgpack/msgpack",
+        "wireql-client"
+      ],
+      current_version: "2.7.2",
+      fix_available: true,
+      target_version: "2.8.0"
+    };
+    expect(actual).toEqual(expected);
+  });
+});

data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb CHANGED Viewed

@@ -15,6 +15,9 @@ module Dependabot
         sig { params(dependency_file: DependencyFile).void }
         def initialize(dependency_file)
           @dependency_file = dependency_file
+          # Set this file to priority 1 to indicate it should override manifests for purposes of a graph
+          dependency_file.priority = 1
+          @direct_dependencies = T.let(fetch_direct_dependencies, T::Array[String])
         end
         sig { returns(T::Hash[String, T.untyped]) }
@@ -48,6 +51,31 @@ module Dependabot
         private
+        # Only V3 lockfiles contain information on the package itself, so we use `npm ls` to generate
+        # a graph we can pluck the direct dependency list from at parse-time for this lockfile.
+        sig { returns(T::Array[String]) }
+        def fetch_direct_dependencies
+          # TODO(brrygrdn): Implement a 'verbose' flag that runs this extra step?
+          #
+          # For now, don't run this extra native command if we aren't using the submission experiment
+          return [] unless Dependabot::Experiments.enabled?(:enable_dependency_submission_poc)
+          SharedHelpers.in_a_temporary_repo_directory do |_|
+            write_temporary_dependency_files
+            npm_ls_json = Helpers.run_npm_command("ls --all --package-lock-only --json")
+            JSON.parse(npm_ls_json).fetch("dependencies", {}).keys
+          end
+        end
+        sig { void }
+        def write_temporary_dependency_files
+          path = @dependency_file.name
+          FileUtils.mkdir_p(Pathname.new(path).dirname)
+          File.write(path, @dependency_file.content)
+        end
         sig do
           params(object_with_dependencies: T::Hash[String, T.untyped])
             .returns(Dependabot::FileParsers::Base::DependencySet)
@@ -64,13 +92,18 @@ module Dependabot
             version = Version.semver_for(details["version"])
             next unless version
+            package_name = name.split("node_modules/").last
             version = version.to_s
             dependency_args = {
-              name: name.split("node_modules/").last,
+              name: package_name,
               version: version,
               package_manager: "npm_and_yarn",
-              requirements: []
+              requirements: [],
+              direct_relationship: @direct_dependencies.include?(package_name),
+              metadata: {
+                depends_on: details&.fetch("dependencies", {})&.keys || []
+              }
             }
             if details["bundled"]
@@ -87,6 +120,7 @@ module Dependabot
             dependency_set += recursively_fetch_dependencies(details)
           end
+          @dependency_file.dependencies = dependency_set.dependencies.to_set
           dependency_set
         end

data/lib/dependabot/npm_and_yarn/file_parser.rb CHANGED Viewed

@@ -226,7 +226,10 @@ module Dependabot
             dep = build_dependency(
               file: file, type: type, name: name, requirement: requirement
             )
-            dependency_set << dep if dep
+            if dep
+              file.dependencies << dep
+              dependency_set << dep
+            end
           end
         end

data/lib/dependabot/npm_and_yarn/helpers.rb CHANGED Viewed

@@ -267,14 +267,21 @@ module Dependabot
       # NOTE: Needs to be explicitly run through corepack to respect the
       # `packageManager` setting in `package.json`, because corepack does not
       # add shims for NPM.
-      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
-      def self.run_npm_command(command, fingerprint: command)
+      sig do
+        params(
+          command: String,
+          fingerprint: T.nilable(String),
+          env: T.nilable(T::Hash[String, String])
+        ).returns(String)
+      end
+      def self.run_npm_command(command, fingerprint: command, env: nil)
         if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
           package_manager_run_command(
             NpmPackageManager::NAME,
             command,
             fingerprint: fingerprint,
-            output_observer: ->(output) { command_observer(output) }
+            output_observer: ->(output) { command_observer(output) },
+            env: env
           )
         else
           Dependabot::SharedHelpers.run_shell_command(
@@ -506,14 +513,16 @@ module Dependabot
           name: String,
           command: String,
           fingerprint: T.nilable(String),
-          output_observer: CommandHelpers::OutputObserver
+          output_observer: CommandHelpers::OutputObserver,
+          env: T.nilable(T::Hash[String, String])
         ).returns(String)
       end
       def self.package_manager_run_command(
         name,
         command,
         fingerprint: nil,
-        output_observer: nil
+        output_observer: nil,
+        env: nil
       )
         return run_bun_command(command, fingerprint: fingerprint) if name == BunPackageManager::NAME
@@ -524,7 +533,8 @@ module Dependabot
           return Dependabot::SharedHelpers.run_shell_command(
             full_command,
             fingerprint: fingerprint,
-            output_observer: output_observer
+            output_observer: output_observer,
+            env: env
           ).strip
         else
           Dependabot::SharedHelpers.run_shell_command(full_command, fingerprint: fingerprint)

data/lib/dependabot/npm_and_yarn/package/registry_finder.rb CHANGED Viewed

@@ -55,7 +55,7 @@ module Dependabot
         def registry
           return @registry if @registry
-          @registry = locked_registry || configured_registry || first_registry_with_dependency_details
+          @registry = configured_registry || locked_registry || first_registry_with_dependency_details
           T.must(@registry)
         end

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb CHANGED Viewed

@@ -828,9 +828,10 @@ module Dependabot
           ).returns(T.nilable(T.any(T::Hash[String, T.untyped], String, T::Array[T::Hash[String, T.untyped]])))
         end
         def run_npm8_checker(version:)
+          env = corepack_registry_override_env
           cmd =
             "install #{version_install_arg(version: version)} --package-lock-only --dry-run=true --ignore-scripts"
-          output = Helpers.run_npm_command(cmd)
+          output = Helpers.run_npm_command(cmd, env: env)
           if output.match?(NPM8_PEER_DEP_ERROR_REGEX)
             error_context = { command: cmd, process_exit_value: 1 }
             raise SharedHelpers::HelperSubprocessFailed.new(message: output, error_context: error_context)
@@ -839,6 +840,19 @@ module Dependabot
           raise if e.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
         end
+        sig { returns(T.nilable(T::Hash[String, String])) }
+        def corepack_registry_override_env
+          return nil unless Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
+          replaces_base_cred = credentials.find { |cred| cred["type"] == "npm_registry" && cred.replaces_base? }
+          registry_url = replaces_base_cred&.[]("registry")
+          return nil unless registry_url
+          registry_url = "https://#{registry_url}" unless registry_url.start_with?("http")
+          { "npm_config_registry" => registry_url }
+        end
         sig do
           params(
             version: T.nilable(T.any(String, Gem::Version))

data/lib/dependabot/npm_and_yarn/update_checker.rb CHANGED Viewed

@@ -259,6 +259,7 @@ module Dependabot
       end
       # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/PerceivedComplexity
       sig { returns(T::Array[Dependabot::Dependency]) }
       def conflicting_updated_dependencies
         top_level_dependencies = top_level_dependency_lookup
@@ -266,7 +267,11 @@ module Dependabot
         updated_deps = []
         vulnerability_audit["fix_updates"].each do |update|
           dependency_name = update["dependency_name"]
-          requirements = top_level_dependencies[dependency_name]&.requirements || []
+          requirements = if top_level_dependencies[dependency_name]&.version == update["current_version"]
+                           top_level_dependencies[dependency_name]&.requirements || []
+                         else
+                           []
+                         end
           updated_deps << build_updated_dependency(
             dependency: Dependency.new(
@@ -299,6 +304,7 @@ module Dependabot
         updated_deps.select { |dep| dep.name == dependency.name } +
           updated_deps.reject { |dep| dep.name == dependency.name }
       end
+      # rubocop:enable Metrics/PerceivedComplexity
       sig { returns(T::Hash[String, Dependabot::Dependency]) }
       def top_level_dependency_lookup

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.326.1
+  version: 0.328.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.326.1
+        version: 0.328.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.326.1
+        version: 0.328.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -269,6 +269,12 @@ files:
 - helpers/package.json
 - helpers/patches/npm++pacote+9.5.12.patch
 - helpers/run.js
+- helpers/test/npm/fixtures/vulnerability-auditor/simple/package-lock.json
+- helpers/test/npm/fixtures/vulnerability-auditor/simple/package.json
+- helpers/test/npm/fixtures/vulnerability-auditor/update-needed-across-two-versions/package-lock.json
+- helpers/test/npm/fixtures/vulnerability-auditor/update-needed-across-two-versions/package.json
+- helpers/test/npm/helpers.js
+- helpers/test/npm/vulnerability-auditor.test.js
 - helpers/test/npm6/conflicting-dependency-parser.test.js
 - helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested/package-lock.json
 - helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested/package.json
@@ -356,7 +362,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.326.1
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.328.0
 rdoc_options: []
 require_paths:
 - lib