dependabot-npm_and_yarn 0.331.0 → 0.333.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3ead6dbe56920db49b2451679cdb66303af4c2968b7d61d37faf04ac9b0623a4
-  data.tar.gz: fe8c3c14c55c99ad445105f89f54b5b6a8bd322661ba2bf64c36567d992fa4a0
+  metadata.gz: 7be0417677733584b0aa5f37a0c8633a20c930f0d97142aa5b40ff12ec8eddeb
+  data.tar.gz: 1bf3f2fb844f57104a4073c14cb7b02fa4eb5f48535161f0890c8d25f076db18
 SHA512:
-  metadata.gz: a4e7fae1ef42c26ba9327815a93d1850e27dd17ef9d8a26eb85ac932ec817b6f14ce8312456cd024a07c63770fdfd4465e4eeae9628c7b167211c7fa7d65d778
-  data.tar.gz: b92350117f5b5059b36a2a96c0da36e2e0d4d45c5ebaa8fe3698b69b17007ad4968a71e0f87a79eff1251b1ee80dc80836c97a7c71ee93c11aa0c0fd5004fee3
+  metadata.gz: 4638ea644ac982c9d4fe016b81b5b2b7e40a0fb286388eb6acf6abc1674531d6f71cb72536fb4963b104d0bd8f16c6e0ae2dc3f4dbb54624280e21386c88384d
+  data.tar.gz: 247ed7731f5ceac78c3886edb8fdf8ebaf4c98d6d955a186039fd320ddcce02c173a5e2c0503517e70c1910ce75f9348a0de176fe1d1059aa70aaefc48e5807c

data/lib/dependabot/npm_and_yarn/bun_package_manager.rb

@@ -5,6 +5,7 @@ module Dependabot
   module NpmAndYarn
     class BunPackageManager < Ecosystem::VersionManager
       extend T::Sig
+
       NAME = "bun"
       LOCKFILE_NAME = "bun.lock"
 

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -7,6 +7,7 @@ require "dependabot/experiments"
 require "dependabot/logger"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
+require "dependabot/file_filtering"
 require "dependabot/npm_and_yarn/helpers"
 require "dependabot/npm_and_yarn/package_manager"
 require "dependabot/npm_and_yarn/file_parser"
@@ -89,7 +90,13 @@ module Dependabot
         fetched_files += workspace_package_jsons
         fetched_files += path_dependencies(fetched_files)
 
-        fetched_files.uniq
+        # Filter excluded files from final collection
+        filtered_files = fetched_files.uniq.reject do |file|
+          Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files) &&
+            !@exclude_paths.empty? && Dependabot::FileFiltering.exclude_path?(file.name, @exclude_paths)
+        end
+
+        filtered_files
       end
 
       private
@@ -371,7 +378,7 @@ module Dependabot
 
       # rubocop:disable Metrics/PerceivedComplexity
       sig { params(fetched_files: T::Array[DependencyFile]).returns(T::Array[DependencyFile]) }
-      def path_dependencies(fetched_files)
+      def path_dependencies(fetched_files) # rubocop:disable Metrics/AbcSize
         package_json_files = T.let([], T::Array[DependencyFile])
         unfetchable_deps = T.let([], T::Array[[String, String]])
 
@@ -390,6 +397,16 @@ module Dependabot
           cleaned_name = Pathname.new(filename).cleanpath.to_path
           next if fetched_files.map(&:name).include?(cleaned_name)
 
+          # Skip excluded path dependencies
+          if Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files) &&
+             !@exclude_paths.empty? && Dependabot::FileFiltering.exclude_path?(cleaned_name, @exclude_paths)
+            Dependabot.logger.warn(
+              "Skipping excluded path dependency '#{cleaned_name}' for package '#{name}'. " \
+              "This file is excluded by exclude_paths configuration: #{@exclude_paths}"
+            )
+            next
+          end
+
           begin
             file = fetch_file_from_host(filename, fetch_submodules: true)
             package_json_files << file
@@ -610,6 +627,16 @@ module Dependabot
       def fetch_package_json_if_present(workspace)
         file = File.join(workspace, MANIFEST_FILENAME)
 
+        # Skip excluded workspace packages
+        if Dependabot::Experiments.enabled?(:enable_exclude_paths_subdirectory_manifest_files) &&
+           !@exclude_paths.empty? && Dependabot::FileFiltering.exclude_path?(file, @exclude_paths)
+          Dependabot.logger.info(
+            "Skipping excluded workspace package '#{file}' from workspace '#{workspace}'. " \
+            "This file is excluded by exclude_paths configuration: #{@exclude_paths}"
+          )
+          return nil
+        end
+
         begin
           fetch_file_from_host(file)
         rescue Dependabot::DependencyFileNotFound

data/lib/dependabot/npm_and_yarn/file_parser/bun_lock.rb

@@ -40,8 +40,6 @@ module Dependabot
         def dependencies
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
-          origin_file = Pathname.new(@dependency_file.directory).join(@dependency_file.name).to_s
-
           # bun.lock v0 format:
           # https://github.com/oven-sh/bun/blob/c130df6c589fdf28f9f3c7f23ed9901140bc9349/src/install/bun.lock.zig#L595-L605
 
@@ -64,8 +62,7 @@ module Dependabot
               name: name,
               version: semver.to_s,
               package_manager: "npm_and_yarn",
-              requirements: [],
-              origin_files: [origin_file]
+              requirements: []
             )
           end
 

data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb

@@ -15,9 +15,6 @@ module Dependabot
         sig { params(dependency_file: DependencyFile).void }
         def initialize(dependency_file)
           @dependency_file = dependency_file
-          # Set this file to priority 1 to indicate it should override manifests for purposes of a graph
-          dependency_file.priority = 1
-          @direct_dependencies = T.let(fetch_direct_dependencies, T::Array[String])
         end
 
         sig { returns(T::Hash[String, T.untyped]) }
@@ -51,36 +48,11 @@ module Dependabot
 
         private
 
-        # Only V3 lockfiles contain information on the package itself, so we use `npm ls` to generate
-        # a graph we can pluck the direct dependency list from at parse-time for this lockfile.
-        sig { returns(T::Array[String]) }
-        def fetch_direct_dependencies
-          # TODO(brrygrdn): Implement a 'verbose' flag that runs this extra step?
-          #
-          # For now, don't run this extra native command if we aren't using the submission experiment
-          return [] unless Dependabot::Experiments.enabled?(:enable_dependency_submission_poc)
-
-          SharedHelpers.in_a_temporary_repo_directory do |_|
-            write_temporary_dependency_files
-
-            npm_ls_json = Helpers.run_npm_command("ls --all --package-lock-only --json")
-
-            JSON.parse(npm_ls_json).fetch("dependencies", {}).keys
-          end
-        end
-
-        sig { void }
-        def write_temporary_dependency_files
-          path = @dependency_file.name
-          FileUtils.mkdir_p(Pathname.new(path).dirname)
-          File.write(path, @dependency_file.content)
-        end
-
         sig do
           params(object_with_dependencies: T::Hash[String, T.untyped])
             .returns(Dependabot::FileParsers::Base::DependencySet)
         end
-        def recursively_fetch_dependencies(object_with_dependencies) # rubocop:disable Metrics/AbcSize
+        def recursively_fetch_dependencies(object_with_dependencies)
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
           dependencies = object_with_dependencies["dependencies"]
@@ -95,18 +67,14 @@ module Dependabot
             package_name = name.split("node_modules/").last
             version = version.to_s
 
-            origin_file = Pathname.new(@dependency_file.directory).join(@dependency_file.name).to_s
-
             dependency_args = {
               name: package_name,
               version: version,
               package_manager: "npm_and_yarn",
               requirements: [],
-              direct_relationship: @direct_dependencies.include?(package_name),
               metadata: {
                 depends_on: details&.fetch("dependencies", {})&.keys || []
-              },
-              origin_files: [origin_file]
+              }
             }
 
             if details["bundled"]
@@ -123,7 +91,6 @@ module Dependabot
             dependency_set += recursively_fetch_dependencies(details)
           end
 
-          @dependency_file.dependencies = dependency_set.dependencies.to_set
           dependency_set
         end
 

data/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb

@@ -75,8 +75,6 @@ module Dependabot
             end
           end
 
-          origin_file = Pathname.new(@dependency_file.directory).join(@dependency_file.name).to_s
-
           # Add prioritized dependencies to the dependency set.
           dependencies_with_specifiers.each do |dependency_args|
             dependency_set << Dependency.new(
@@ -84,8 +82,7 @@ module Dependabot
               version: dependency_args[:version],
               package_manager: dependency_args[:package_manager],
               requirements: dependency_args[:requirements],
-              subdependency_metadata: dependency_args[:subdependency_metadata],
-              origin_files: [origin_file]
+              subdependency_metadata: dependency_args[:subdependency_metadata]
             )
           end
 
@@ -95,8 +92,7 @@ module Dependabot
               version: dependency_args[:version],
               package_manager: dependency_args[:package_manager],
               requirements: dependency_args[:requirements],
-              subdependency_metadata: dependency_args[:subdependency_metadata],
-              origin_files: [origin_file]
+              subdependency_metadata: dependency_args[:subdependency_metadata]
             )
           end
 

data/lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb

@@ -46,8 +46,6 @@ module Dependabot
         def dependencies
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
-          origin_file = Pathname.new(@dependency_file.directory).join(@dependency_file.name).to_s
-
           parsed.each do |reqs, details|
             reqs.split(", ").each do |req|
               version = Version.semver_for(details["version"])
@@ -60,8 +58,7 @@ module Dependabot
                 name: T.must(req.split(/(?<=\w)\@/).first),
                 version: version.to_s,
                 package_manager: "npm_and_yarn",
-                requirements: [],
-                origin_files: [origin_file]
+                requirements: []
               )
             end
           end

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -226,10 +226,7 @@ module Dependabot
             dep = build_dependency(
               file: file, type: type, name: name, requirement: requirement
             )
-            if dep
-              file.dependencies << dep
-              dependency_set << dep
-            end
+            dependency_set << dep if dep
           end
         end
 
@@ -302,8 +299,6 @@ module Dependabot
         # Example: "my-fetch-factory@npm:fetch-factory"
         return if aliased_package_name?(name)
 
-        origin_file = Pathname.new(file.directory).join(file.name).to_s
-
         Dependency.new(
           name: name,
           version: converted_version,
@@ -313,8 +308,7 @@ module Dependabot
             file: file.name,
             groups: [type],
             source: source_for(name, requirement, lockfile_details)
-          }],
-          origin_files: [origin_file]
+          }]
         )
       end
 

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -207,8 +207,7 @@ module Dependabot
               version: d.previous_version,
               previous_version: d.previous_version,
               requirements: T.must(d.previous_requirements),
-              previous_requirements: d.previous_requirements,
-              origin_files: d.origin_files
+              previous_requirements: d.previous_requirements
             )
           end
 
@@ -219,8 +218,7 @@ module Dependabot
               version: d.previous_version,
               previous_version: d.previous_version,
               requirements: [],
-              previous_requirements: [],
-              origin_files: d.origin_files
+              previous_requirements: []
             )
           end
 

data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb

@@ -167,7 +167,6 @@ module Dependabot
           end
         end
 
-        # rubocop:disable Metrics/AbcSize
         sig { returns(T.nilable(T::Array[String])) }
         def dependency_urls
           return @dependency_urls if defined?(@dependency_urls)
@@ -191,8 +190,7 @@ module Dependabot
           if npm_lockfile
             @dependency_urls +=
               T.must(npm_lockfile.content).scan(/"resolved"\s*:\s*"(.*)"/)
-               .flatten
-               .select { |url| url.is_a?(String) }
+               .flatten.grep(String)
                .reject { |url| url.start_with?("git") }
           end
           if yarn_lock
@@ -210,8 +208,6 @@ module Dependabot
             T.nilable(T::Array[String])
           )
         end
-        # rubocop:enable Metrics/AbcSize
-
         sig { returns(String) }
         def complete_npmrc_from_credentials
           # removes attribute timeout to allow for job update,

data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb

@@ -60,7 +60,7 @@ module Dependabot
               )
 
               if Dependabot::Experiments.enabled?(:avoid_duplicate_updates_package_json) &&
-                 (content == new_content && unique_deps_count > 1)
+                 content == new_content && unique_deps_count > 1
 
                 # (we observed that) package.json does not always contains the same dependencies compared to
                 # "dependencies" list, for example, dependencies object can contain same name dependency "dep"=> "1.0.0"

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -80,10 +80,10 @@ module Dependabot
         IRRESOLVABLE_PACKAGE = "ERR_PNPM_NO_MATCHING_VERSION"
         INVALID_REQUIREMENT = "ERR_PNPM_SPEC_NOT_SUPPORTED_BY_ANY_RESOLVER"
         UNREACHABLE_GIT = %r{Command failed with exit code 128: git ls-remote (?<url>.*github\.com/[^/]+/[^ ]+)}
-        UNREACHABLE_GIT_V8 = %r{ERR_PNPM_FETCH_404[ [^:print:]]+GET (?<url>https://codeload\.github\.com/[^/]+/[^/]+)/}
-        FORBIDDEN_PACKAGE = /ERR_PNPM_FETCH_403[ [^:print:]]+GET (?<dependency_url>.*): Forbidden - 403/
-        MISSING_PACKAGE = /ERR_PNPM_FETCH_404[ [^:print:]]+GET (?<dependency_url>.*): (?:Not Found)? - 404/
-        UNAUTHORIZED_PACKAGE = /ERR_PNPM_FETCH_401[ [^:print:]]+GET (?<dependency_url>.*): Unauthorized - 401/
+        UNREACHABLE_GIT_V8 = %r{ERR_PNPM_FETCH_404[ [^:print]]+GET (?<url>https://codeload\.github\.com/[^/]+/[^/]+)/}
+        FORBIDDEN_PACKAGE = /ERR_PNPM_FETCH_403[ [^:print]]+GET (?<dependency_url>.*): Forbidden - 403/
+        MISSING_PACKAGE = /ERR_PNPM_FETCH_404[ [^:print]]+GET (?<dependency_url>.*): (?:Not Found)? - 404/
+        UNAUTHORIZED_PACKAGE = /ERR_PNPM_FETCH_401[ [^:print]]+GET (?<dependency_url>.*): Unauthorized - 401/
 
         # ERR_PNPM_FETCH ERROR CODES
         ERR_PNPM_FETCH_401 = /ERR_PNPM_FETCH_401.*GET (?<dependency_url>.*):/

data/lib/dependabot/npm_and_yarn/language.rb

@@ -7,6 +7,7 @@ module Dependabot
   module NpmAndYarn
     class Language < Ecosystem::VersionManager
       extend T::Sig
+
       NAME = "node"
 
       SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])

data/lib/dependabot/npm_and_yarn/metadata_finder.rb

@@ -56,7 +56,7 @@ module Dependabot
       def npm_releaser
         all_version_listings
           .find { |v, _| v == dependency.version }
-          &.last&.fetch("_npmUser", nil)&.fetch("name", nil)
+          &.last&.dig("_npmUser", "name")
       end
 
       sig { returns(T.nilable(T::Array[String])) }
@@ -73,7 +73,7 @@ module Dependabot
 
         all_version_listings
           .reject { |v, _| Time.parse(times[v]) > cutoff }
-          .filter_map { |_, d| d.fetch("_npmUser", nil)&.fetch("name", nil) }
+          .filter_map { |_, d| d.dig("_npmUser", "name") }
       end
 
       sig { returns(T.nilable(Dependabot::Source)) }

data/lib/dependabot/npm_and_yarn/npm_package_manager.rb

@@ -7,6 +7,7 @@ module Dependabot
   module NpmAndYarn
     class NpmPackageManager < Ecosystem::VersionManager
       extend T::Sig
+
       NAME = "npm"
       RC_FILENAME = ".npmrc"
       LOCKFILE_NAME = "package-lock.json"

data/lib/dependabot/npm_and_yarn/pnpm_package_manager.rb

@@ -7,6 +7,7 @@ module Dependabot
   module NpmAndYarn
     class PNPMPackageManager < Ecosystem::VersionManager
       extend T::Sig
+
       NAME = "pnpm"
       LOCKFILE_NAME = "pnpm-lock.yaml"
       PNPM_WS_YML_FILENAME = "pnpm-workspace.yaml"

data/lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb

@@ -154,7 +154,7 @@ module Dependabot
           updated_requirement =
             if reqs.any? { |r| r.match?(/(<|-\s)/i) }
               update_range_requirement(current_requirement)
-            elsif current_requirement.strip.split(SEPARATOR).count == 1
+            elsif current_requirement.strip.split(SEPARATOR).one?
               update_version_string(current_requirement)
             else
               current_requirement
@@ -174,7 +174,7 @@ module Dependabot
           range_requirements =
             req_string.split(SEPARATOR).select { |r| r.match?(/<|(\s+-\s+)/) }
 
-          if range_requirements.count == 1
+          if range_requirements.one?
             range_requirement = T.must(range_requirements.first)
             versions = range_requirement.scan(VERSION_REGEX)
             version_objects = versions.map { |v| version_class.new(v.to_s) }

data/lib/dependabot/npm_and_yarn/update_checker.rb

@@ -11,6 +11,7 @@ module Dependabot
   module NpmAndYarn
     class UpdateChecker < Dependabot::UpdateCheckers::Base # rubocop:disable Metrics/ClassLength
       extend T::Sig
+
       require_relative "update_checker/requirements_updater"
       require_relative "update_checker/library_detector"
       require_relative "update_checker/latest_version_finder"
@@ -31,7 +32,6 @@ module Dependabot
           requirements_update_strategy: T.nilable(Dependabot::RequirementsUpdateStrategy),
           dependency_group: T.nilable(Dependabot::DependencyGroup),
           update_cooldown: T.nilable(Dependabot::Package::ReleaseCooldownOptions),
-          exclude_paths: T.nilable(T::Array[String]),
           options: T::Hash[Symbol, T.untyped]
         )
           .void
@@ -40,7 +40,7 @@ module Dependabot
                      repo_contents_path: nil, ignored_versions: [],
                      raise_on_ignored: false, security_advisories: [],
                      requirements_update_strategy: nil, dependency_group: nil,
-                     update_cooldown: nil, exclude_paths: [], options: {})
+                     update_cooldown: nil, options: {})
         @latest_version = T.let(nil, T.nilable(T.any(String, Gem::Version)))
         @latest_resolvable_version = T.let(nil, T.nilable(T.any(String, Dependabot::Version)))
         @updated_requirements = T.let(nil, T.nilable(T::Array[T::Hash[Symbol, T.untyped]]))

data/lib/dependabot/npm_and_yarn/yarn_package_manager.rb

@@ -7,6 +7,7 @@ module Dependabot
   module NpmAndYarn
     class YarnPackageManager < Ecosystem::VersionManager
       extend T::Sig
+
       NAME = "yarn"
       RC_FILENAME = ".yarnrc"
       RC_YML_FILENAME = ".yarnrc.yml"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.331.0
+  version: 0.333.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.331.0
+        version: 0.333.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.331.0
+        version: 0.333.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -211,14 +211,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.25'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.18'
+        version: '3.25'
 - !ruby/object:Gem::Dependency
   name: webrick
   requirement: !ruby/object:Gem::Requirement
@@ -362,7 +362,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.331.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.333.0
 rdoc_options: []
 require_paths:
 - lib