dependabot-npm_and_yarn 0.330.0 → 0.332.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/npm_and_yarn/file_parser/bun_lock.rb +4 -1
- data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb +4 -31
- data/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb +6 -2
- data/lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb +4 -1
- data/lib/dependabot/npm_and_yarn/file_parser.rb +5 -5
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +4 -2
- data/lib/dependabot/npm_and_yarn/update_checker.rb +2 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 752dcfa198d045fc29e5dafd0496d2c796f7c9a8ff4916e0fc5deffe8e3574b8
|
|
4
|
+
data.tar.gz: ca0c56b6911e85fad52ceae0cbe98764bbd92745333cfb46d7602ee04c22099a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9ab7e4c83fc107b5b80f38ec024e7a0dbd8b7d9de9ca2973614f2e9a418aad8549f97dcaa47c6ee13c9227d7d664aa3bec610f86488aaaaf895e5f32524ad1b7
|
|
7
|
+
data.tar.gz: 1d8e6fe55e6a2a0bbd1773806510cc6e35eaba8b2364f52e4f46ead217f0801b264e19159aada801b233bf2d9a3715a6ae4c0f51ba6ff95c3381d8be14f36b80
|
|
@@ -40,6 +40,8 @@ module Dependabot
|
|
|
40
40
|
def dependencies
|
|
41
41
|
dependency_set = Dependabot::FileParsers::Base::DependencySet.new
|
|
42
42
|
|
|
43
|
+
origin_file = Pathname.new(@dependency_file.directory).join(@dependency_file.name).to_s
|
|
44
|
+
|
|
43
45
|
# bun.lock v0 format:
|
|
44
46
|
# https://github.com/oven-sh/bun/blob/c130df6c589fdf28f9f3c7f23ed9901140bc9349/src/install/bun.lock.zig#L595-L605
|
|
45
47
|
|
|
@@ -62,7 +64,8 @@ module Dependabot
|
|
|
62
64
|
name: name,
|
|
63
65
|
version: semver.to_s,
|
|
64
66
|
package_manager: "npm_and_yarn",
|
|
65
|
-
requirements: []
|
|
67
|
+
requirements: [],
|
|
68
|
+
origin_files: [origin_file]
|
|
66
69
|
)
|
|
67
70
|
end
|
|
68
71
|
|
|
@@ -15,9 +15,6 @@ module Dependabot
|
|
|
15
15
|
sig { params(dependency_file: DependencyFile).void }
|
|
16
16
|
def initialize(dependency_file)
|
|
17
17
|
@dependency_file = dependency_file
|
|
18
|
-
# Set this file to priority 1 to indicate it should override manifests for purposes of a graph
|
|
19
|
-
dependency_file.priority = 1
|
|
20
|
-
@direct_dependencies = T.let(fetch_direct_dependencies, T::Array[String])
|
|
21
18
|
end
|
|
22
19
|
|
|
23
20
|
sig { returns(T::Hash[String, T.untyped]) }
|
|
@@ -51,31 +48,6 @@ module Dependabot
|
|
|
51
48
|
|
|
52
49
|
private
|
|
53
50
|
|
|
54
|
-
# Only V3 lockfiles contain information on the package itself, so we use `npm ls` to generate
|
|
55
|
-
# a graph we can pluck the direct dependency list from at parse-time for this lockfile.
|
|
56
|
-
sig { returns(T::Array[String]) }
|
|
57
|
-
def fetch_direct_dependencies
|
|
58
|
-
# TODO(brrygrdn): Implement a 'verbose' flag that runs this extra step?
|
|
59
|
-
#
|
|
60
|
-
# For now, don't run this extra native command if we aren't using the submission experiment
|
|
61
|
-
return [] unless Dependabot::Experiments.enabled?(:enable_dependency_submission_poc)
|
|
62
|
-
|
|
63
|
-
SharedHelpers.in_a_temporary_repo_directory do |_|
|
|
64
|
-
write_temporary_dependency_files
|
|
65
|
-
|
|
66
|
-
npm_ls_json = Helpers.run_npm_command("ls --all --package-lock-only --json")
|
|
67
|
-
|
|
68
|
-
JSON.parse(npm_ls_json).fetch("dependencies", {}).keys
|
|
69
|
-
end
|
|
70
|
-
end
|
|
71
|
-
|
|
72
|
-
sig { void }
|
|
73
|
-
def write_temporary_dependency_files
|
|
74
|
-
path = @dependency_file.name
|
|
75
|
-
FileUtils.mkdir_p(Pathname.new(path).dirname)
|
|
76
|
-
File.write(path, @dependency_file.content)
|
|
77
|
-
end
|
|
78
|
-
|
|
79
51
|
sig do
|
|
80
52
|
params(object_with_dependencies: T::Hash[String, T.untyped])
|
|
81
53
|
.returns(Dependabot::FileParsers::Base::DependencySet)
|
|
@@ -95,15 +67,17 @@ module Dependabot
|
|
|
95
67
|
package_name = name.split("node_modules/").last
|
|
96
68
|
version = version.to_s
|
|
97
69
|
|
|
70
|
+
origin_file = Pathname.new(@dependency_file.directory).join(@dependency_file.name).to_s
|
|
71
|
+
|
|
98
72
|
dependency_args = {
|
|
99
73
|
name: package_name,
|
|
100
74
|
version: version,
|
|
101
75
|
package_manager: "npm_and_yarn",
|
|
102
76
|
requirements: [],
|
|
103
|
-
direct_relationship: @direct_dependencies.include?(package_name),
|
|
104
77
|
metadata: {
|
|
105
78
|
depends_on: details&.fetch("dependencies", {})&.keys || []
|
|
106
|
-
}
|
|
79
|
+
},
|
|
80
|
+
origin_files: [origin_file]
|
|
107
81
|
}
|
|
108
82
|
|
|
109
83
|
if details["bundled"]
|
|
@@ -120,7 +94,6 @@ module Dependabot
|
|
|
120
94
|
dependency_set += recursively_fetch_dependencies(details)
|
|
121
95
|
end
|
|
122
96
|
|
|
123
|
-
@dependency_file.dependencies = dependency_set.dependencies.to_set
|
|
124
97
|
dependency_set
|
|
125
98
|
end
|
|
126
99
|
|
|
@@ -75,6 +75,8 @@ module Dependabot
|
|
|
75
75
|
end
|
|
76
76
|
end
|
|
77
77
|
|
|
78
|
+
origin_file = Pathname.new(@dependency_file.directory).join(@dependency_file.name).to_s
|
|
79
|
+
|
|
78
80
|
# Add prioritized dependencies to the dependency set.
|
|
79
81
|
dependencies_with_specifiers.each do |dependency_args|
|
|
80
82
|
dependency_set << Dependency.new(
|
|
@@ -82,7 +84,8 @@ module Dependabot
|
|
|
82
84
|
version: dependency_args[:version],
|
|
83
85
|
package_manager: dependency_args[:package_manager],
|
|
84
86
|
requirements: dependency_args[:requirements],
|
|
85
|
-
subdependency_metadata: dependency_args[:subdependency_metadata]
|
|
87
|
+
subdependency_metadata: dependency_args[:subdependency_metadata],
|
|
88
|
+
origin_files: [origin_file]
|
|
86
89
|
)
|
|
87
90
|
end
|
|
88
91
|
|
|
@@ -92,7 +95,8 @@ module Dependabot
|
|
|
92
95
|
version: dependency_args[:version],
|
|
93
96
|
package_manager: dependency_args[:package_manager],
|
|
94
97
|
requirements: dependency_args[:requirements],
|
|
95
|
-
subdependency_metadata: dependency_args[:subdependency_metadata]
|
|
98
|
+
subdependency_metadata: dependency_args[:subdependency_metadata],
|
|
99
|
+
origin_files: [origin_file]
|
|
96
100
|
)
|
|
97
101
|
end
|
|
98
102
|
|
|
@@ -46,6 +46,8 @@ module Dependabot
|
|
|
46
46
|
def dependencies
|
|
47
47
|
dependency_set = Dependabot::FileParsers::Base::DependencySet.new
|
|
48
48
|
|
|
49
|
+
origin_file = Pathname.new(@dependency_file.directory).join(@dependency_file.name).to_s
|
|
50
|
+
|
|
49
51
|
parsed.each do |reqs, details|
|
|
50
52
|
reqs.split(", ").each do |req|
|
|
51
53
|
version = Version.semver_for(details["version"])
|
|
@@ -58,7 +60,8 @@ module Dependabot
|
|
|
58
60
|
name: T.must(req.split(/(?<=\w)\@/).first),
|
|
59
61
|
version: version.to_s,
|
|
60
62
|
package_manager: "npm_and_yarn",
|
|
61
|
-
requirements: []
|
|
63
|
+
requirements: [],
|
|
64
|
+
origin_files: [origin_file]
|
|
62
65
|
)
|
|
63
66
|
end
|
|
64
67
|
end
|
|
@@ -226,10 +226,7 @@ module Dependabot
|
|
|
226
226
|
dep = build_dependency(
|
|
227
227
|
file: file, type: type, name: name, requirement: requirement
|
|
228
228
|
)
|
|
229
|
-
if dep
|
|
230
|
-
file.dependencies << dep
|
|
231
|
-
dependency_set << dep
|
|
232
|
-
end
|
|
229
|
+
dependency_set << dep if dep
|
|
233
230
|
end
|
|
234
231
|
end
|
|
235
232
|
|
|
@@ -302,6 +299,8 @@ module Dependabot
|
|
|
302
299
|
# Example: "my-fetch-factory@npm:fetch-factory"
|
|
303
300
|
return if aliased_package_name?(name)
|
|
304
301
|
|
|
302
|
+
origin_file = Pathname.new(file.directory).join(file.name).to_s
|
|
303
|
+
|
|
305
304
|
Dependency.new(
|
|
306
305
|
name: name,
|
|
307
306
|
version: converted_version,
|
|
@@ -311,7 +310,8 @@ module Dependabot
|
|
|
311
310
|
file: file.name,
|
|
312
311
|
groups: [type],
|
|
313
312
|
source: source_for(name, requirement, lockfile_details)
|
|
314
|
-
}]
|
|
313
|
+
}],
|
|
314
|
+
origin_files: [origin_file]
|
|
315
315
|
)
|
|
316
316
|
end
|
|
317
317
|
|
|
@@ -207,7 +207,8 @@ module Dependabot
|
|
|
207
207
|
version: d.previous_version,
|
|
208
208
|
previous_version: d.previous_version,
|
|
209
209
|
requirements: T.must(d.previous_requirements),
|
|
210
|
-
previous_requirements: d.previous_requirements
|
|
210
|
+
previous_requirements: d.previous_requirements,
|
|
211
|
+
origin_files: d.origin_files
|
|
211
212
|
)
|
|
212
213
|
end
|
|
213
214
|
|
|
@@ -218,7 +219,8 @@ module Dependabot
|
|
|
218
219
|
version: d.previous_version,
|
|
219
220
|
previous_version: d.previous_version,
|
|
220
221
|
requirements: [],
|
|
221
|
-
previous_requirements: []
|
|
222
|
+
previous_requirements: [],
|
|
223
|
+
origin_files: d.origin_files
|
|
222
224
|
)
|
|
223
225
|
end
|
|
224
226
|
|
|
@@ -31,6 +31,7 @@ module Dependabot
|
|
|
31
31
|
requirements_update_strategy: T.nilable(Dependabot::RequirementsUpdateStrategy),
|
|
32
32
|
dependency_group: T.nilable(Dependabot::DependencyGroup),
|
|
33
33
|
update_cooldown: T.nilable(Dependabot::Package::ReleaseCooldownOptions),
|
|
34
|
+
exclude_paths: T.nilable(T::Array[String]),
|
|
34
35
|
options: T::Hash[Symbol, T.untyped]
|
|
35
36
|
)
|
|
36
37
|
.void
|
|
@@ -39,7 +40,7 @@ module Dependabot
|
|
|
39
40
|
repo_contents_path: nil, ignored_versions: [],
|
|
40
41
|
raise_on_ignored: false, security_advisories: [],
|
|
41
42
|
requirements_update_strategy: nil, dependency_group: nil,
|
|
42
|
-
update_cooldown: nil, options: {})
|
|
43
|
+
update_cooldown: nil, exclude_paths: [], options: {})
|
|
43
44
|
@latest_version = T.let(nil, T.nilable(T.any(String, Gem::Version)))
|
|
44
45
|
@latest_resolvable_version = T.let(nil, T.nilable(T.any(String, Dependabot::Version)))
|
|
45
46
|
@updated_requirements = T.let(nil, T.nilable(T::Array[T::Hash[Symbol, T.untyped]]))
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.332.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -15,14 +15,14 @@ dependencies:
|
|
|
15
15
|
requirements:
|
|
16
16
|
- - '='
|
|
17
17
|
- !ruby/object:Gem::Version
|
|
18
|
-
version: 0.
|
|
18
|
+
version: 0.332.0
|
|
19
19
|
type: :runtime
|
|
20
20
|
prerelease: false
|
|
21
21
|
version_requirements: !ruby/object:Gem::Requirement
|
|
22
22
|
requirements:
|
|
23
23
|
- - '='
|
|
24
24
|
- !ruby/object:Gem::Version
|
|
25
|
-
version: 0.
|
|
25
|
+
version: 0.332.0
|
|
26
26
|
- !ruby/object:Gem::Dependency
|
|
27
27
|
name: debug
|
|
28
28
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -362,7 +362,7 @@ licenses:
|
|
|
362
362
|
- MIT
|
|
363
363
|
metadata:
|
|
364
364
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
365
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
365
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.332.0
|
|
366
366
|
rdoc_options: []
|
|
367
367
|
require_paths:
|
|
368
368
|
- lib
|