dependabot-npm_and_yarn 0.327.0 → 0.328.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9caa8e27e4f8a3e9572f91367b5b781657cd85c3c4e71a723ac95098f799b64a
-  data.tar.gz: 60e07515a118c5ff572be0b10a20a4e7884c23d53ca4461e9fa9675232b15dfd
+  metadata.gz: e519785e577c328749802bf44c2ef0066c8e4f7823d3c21c36855149986f6ddb
+  data.tar.gz: b33e8268583d2aef788f944a93cc5a824b6bf0b2fa3b06d1250ed852d9d063e6
 SHA512:
-  metadata.gz: aeb056544931600953d773a5b3564a4d8ba42aeb970363894499fe0a768dddbede3cd4ee872a25bdedf10c765b44230648dfa349909bb5cac88158e6c22edb49
-  data.tar.gz: f38ca1a0d104851e80320a8a9927138d66a31c9fa096c3bb37711fe4aa99cfae9e944233e5cdd7ba32f58cab4e5ca99bc7b53e9d39b55c25a8fbce4b3636eebc
+  metadata.gz: 7fd574e8ac36593a84220d970a243f7d03c91ea6c24ffd14211bcbd1781692dc90ae0e5be4e6677ab1460a875927afa883e7143bf41c528dfcf1df6f8717623a
+  data.tar.gz: f160c66603ce809739ad481214c290b58d704861d5bd037177f00bb331f660b6e4c1119d25f1792951ff9da828d39e4eafb3f05e1cc7ea85e30e78fe8fff3d9a

data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb

@@ -15,6 +15,9 @@ module Dependabot
         sig { params(dependency_file: DependencyFile).void }
         def initialize(dependency_file)
           @dependency_file = dependency_file
+          # Set this file to priority 1 to indicate it should override manifests for purposes of a graph
+          dependency_file.priority = 1
+          @direct_dependencies = T.let(fetch_direct_dependencies, T::Array[String])
         end
 
         sig { returns(T::Hash[String, T.untyped]) }
@@ -48,6 +51,31 @@ module Dependabot
 
         private
 
+        # Only V3 lockfiles contain information on the package itself, so we use `npm ls` to generate
+        # a graph we can pluck the direct dependency list from at parse-time for this lockfile.
+        sig { returns(T::Array[String]) }
+        def fetch_direct_dependencies
+          # TODO(brrygrdn): Implement a 'verbose' flag that runs this extra step?
+          #
+          # For now, don't run this extra native command if we aren't using the submission experiment
+          return [] unless Dependabot::Experiments.enabled?(:enable_dependency_submission_poc)
+
+          SharedHelpers.in_a_temporary_repo_directory do |_|
+            write_temporary_dependency_files
+
+            npm_ls_json = Helpers.run_npm_command("ls --all --package-lock-only --json")
+
+            JSON.parse(npm_ls_json).fetch("dependencies", {}).keys
+          end
+        end
+
+        sig { void }
+        def write_temporary_dependency_files
+          path = @dependency_file.name
+          FileUtils.mkdir_p(Pathname.new(path).dirname)
+          File.write(path, @dependency_file.content)
+        end
+
         sig do
           params(object_with_dependencies: T::Hash[String, T.untyped])
             .returns(Dependabot::FileParsers::Base::DependencySet)
@@ -64,13 +92,18 @@ module Dependabot
             version = Version.semver_for(details["version"])
             next unless version
 
+            package_name = name.split("node_modules/").last
             version = version.to_s
 
             dependency_args = {
-              name: name.split("node_modules/").last,
+              name: package_name,
               version: version,
               package_manager: "npm_and_yarn",
-              requirements: []
+              requirements: [],
+              direct_relationship: @direct_dependencies.include?(package_name),
+              metadata: {
+                depends_on: details&.fetch("dependencies", {})&.keys || []
+              }
             }
 
             if details["bundled"]
@@ -87,6 +120,7 @@ module Dependabot
             dependency_set += recursively_fetch_dependencies(details)
           end
 
+          @dependency_file.dependencies = dependency_set.dependencies.to_set
           dependency_set
         end
 

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -226,7 +226,10 @@ module Dependabot
             dep = build_dependency(
               file: file, type: type, name: name, requirement: requirement
             )
-            dependency_set << dep if dep
+            if dep
+              file.dependencies << dep
+              dependency_set << dep
+            end
           end
         end
 

data/lib/dependabot/npm_and_yarn/package/registry_finder.rb

@@ -55,7 +55,7 @@ module Dependabot
         def registry
           return @registry if @registry
 
-          @registry = locked_registry || configured_registry || first_registry_with_dependency_details
+          @registry = configured_registry || locked_registry || first_registry_with_dependency_details
           T.must(@registry)
         end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.327.0
+  version: 0.328.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.327.0
+        version: 0.328.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.327.0
+        version: 0.328.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -362,7 +362,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.327.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.328.0
 rdoc_options: []
 require_paths:
 - lib