dependabot-npm_and_yarn 0.334.0 → 0.335.0

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -150,7 +150,7 @@ module Dependabot
           )
         end
 
-        # rubocop:disable Metrics/PerceivedComplexity
+        # rubocop:disable Metrics/PerceivedComplexity, Metrics/MethodLength
         sig do
           params(
             path: String,
@@ -163,8 +163,10 @@ module Dependabot
             Dir.chdir(path) do
               if top_level_dependency_updates.any?
                 if Helpers.yarn_berry?(yarn_lock)
-                  run_yarn_berry_top_level_updater(top_level_dependency_updates: top_level_dependency_updates,
-                                                   yarn_lock: yarn_lock)
+                  run_yarn_berry_top_level_updater(
+                    top_level_dependency_updates: top_level_dependency_updates,
+                    yarn_lock: yarn_lock
+                  )
                 else
                   run_yarn_top_level_updater(
                     top_level_dependency_updates: top_level_dependency_updates
@@ -181,9 +183,12 @@ module Dependabot
           package_missing = error_handler.package_missing(e.message)
 
           unless package_missing
-            error_handler.handle_error(e, {
-              yarn_lock: yarn_lock
-            })
+            error_handler.handle_error(
+              e,
+              {
+                yarn_lock: yarn_lock
+              }
+            )
           end
 
           raise unless package_missing
@@ -195,7 +200,7 @@ module Dependabot
           sleep(rand(3.0..10.0))
           retry
         end
-        # rubocop:enable Metrics/PerceivedComplexity
+        # rubocop:enable Metrics/PerceivedComplexity, Metrics/MethodLength
 
         sig do
           params(
@@ -268,10 +273,12 @@ module Dependabot
             SharedHelpers.run_helper_subprocess(
               command: NativeHelpers.helper_path,
               function: "yarn:update",
-              args: T.unsafe([
-                Dir.pwd,
-                top_level_dependency_updates
-              ])
+              args: T.unsafe(
+                [
+                  Dir.pwd,
+                  top_level_dependency_updates
+                ]
+              )
             ),
             T::Hash[String, String]
           )
@@ -322,9 +329,12 @@ module Dependabot
         def handle_yarn_lock_updater_error(error, yarn_lock)
           error_message = error.message
 
-          error_handler.handle_error(error, {
-            yarn_lock: yarn_lock
-          })
+          error_handler.handle_error(
+            error,
+            {
+              yarn_lock: yarn_lock
+            }
+          )
 
           package_not_found = error_handler.handle_package_not_found(error_message, yarn_lock)
 
@@ -372,8 +382,10 @@ module Dependabot
              error_message.include?(DEPENDENCY_MATCH_NOT_FOUND)
 
             unless resolvable_before_update?(yarn_lock)
-              error_handler.raise_resolvability_error(error_message,
-                                                      yarn_lock)
+              error_handler.raise_resolvability_error(
+                error_message,
+                yarn_lock
+              )
             end
 
             # Dependabot has probably messed something up with the update and we
@@ -587,10 +599,11 @@ module Dependabot
                 .find { |d| d.name == sanitized_name }
           return unless dep
 
-          raise PrivateSourceTimedOut, url.gsub(
-            HTTP_CHECK_REGEX,
-            ""
-          )
+          raise PrivateSourceTimedOut,
+                url.gsub(
+                  HTTP_CHECK_REGEX,
+                  ""
+                )
         end
 
         sig { returns(String) }
@@ -814,11 +827,15 @@ module Dependabot
         ).returns(Dependabot::DependabotError)
       end
       def create_error(handler, message, error, params)
-        handler.call(message, error, {
-          dependencies: dependencies,
-          dependency_files: dependency_files,
-          **params
-        })
+        handler.call(
+          message,
+          error,
+          {
+            dependencies: dependencies,
+            dependency_files: dependency_files,
+            **params
+          }
+        )
       end
 
       # Raises a resolvability error for a dependency file

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -216,7 +216,8 @@ module Dependabot
               dependency_files: dependency_files,
               updated_dependencies: dependencies
             ).files_requiring_update
-          end, T.nilable(T::Array[DependencyFile])
+          end,
+          T.nilable(T::Array[DependencyFile])
         )
       end
 
@@ -311,7 +312,8 @@ module Dependabot
         @package_files ||= T.let(
           filtered_dependency_files.select do |f|
             f.name.end_with?("package.json")
-          end, T.nilable(T::Array[DependencyFile])
+          end,
+          T.nilable(T::Array[DependencyFile])
         )
       end
 

data/lib/dependabot/npm_and_yarn/metadata_finder.rb

@@ -112,7 +112,7 @@ module Dependabot
 
       sig do
         params(
-          details: T.nilable(T.any(String, T::Hash[String, T.untyped]))
+          details: T.nilable(T.any(String, T::Array[T.untyped], T::Hash[String, T.untyped]))
         )
           .returns(T.nilable(Dependabot::Source))
       end
@@ -151,7 +151,7 @@ module Dependabot
 
       sig do
         params(
-          details: T.nilable(T.any(String, T::Hash[String, T.untyped]))
+          details: T.nilable(T.any(String, T::Array[T.untyped], T::Hash[String, T.untyped]))
         )
           .returns(T.nilable(String))
       end

data/lib/dependabot/npm_and_yarn/npm_package_manager.rb

@@ -25,12 +25,15 @@ module Dependabot
       NPM_V10 = "10"
 
       # Keep versions in ascending order
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(NPM_V7),
-        Version.new(NPM_V8),
-        Version.new(NPM_V9),
-        Version.new(NPM_V10)
-      ].freeze, T::Array[Dependabot::Version])
+      SUPPORTED_VERSIONS = T.let(
+        [
+          Version.new(NPM_V7),
+          Version.new(NPM_V8),
+          Version.new(NPM_V9),
+          Version.new(NPM_V10)
+        ].freeze,
+        T::Array[Dependabot::Version]
+      )
 
       DEPRECATED_VERSIONS = T.let([Version.new(NPM_V6)].freeze, T::Array[Dependabot::Version])
 

data/lib/dependabot/npm_and_yarn/package/registry_finder.rb

@@ -35,8 +35,13 @@ module Dependabot
             yarnrc_yml_file: T.nilable(Dependabot::DependencyFile)
           ).void
         end
-        def initialize(dependency:, credentials:, npmrc_file: nil,
-                       yarnrc_file: nil, yarnrc_yml_file: nil)
+        def initialize(
+          dependency:,
+          credentials:,
+          npmrc_file: nil,
+          yarnrc_file: nil,
+          yarnrc_yml_file: nil
+        )
           @dependency = dependency
           @credentials = credentials
           @npmrc_file = npmrc_file
@@ -103,10 +108,13 @@ module Dependabot
 
         sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :npmrc_file
+
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :yarnrc_file
+
         sig { returns(T.nilable(Dependabot::DependencyFile)) }
         attr_reader :yarnrc_yml_file
 

data/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -65,12 +65,15 @@ module Dependabot
       )
     end
 
-    PACKAGE_MANAGER_CLASSES = T.let({
-      NpmPackageManager::NAME => NpmPackageManager,
-      YarnPackageManager::NAME => YarnPackageManager,
-      PNPMPackageManager::NAME => PNPMPackageManager,
-      BunPackageManager::NAME => BunPackageManager
-    }.freeze, T::Hash[String, NpmAndYarnPackageManagerClassType])
+    PACKAGE_MANAGER_CLASSES = T.let(
+      {
+        NpmPackageManager::NAME => NpmPackageManager,
+        YarnPackageManager::NAME => YarnPackageManager,
+        PNPMPackageManager::NAME => PNPMPackageManager,
+        BunPackageManager::NAME => BunPackageManager
+      }.freeze,
+      T::Hash[String, NpmAndYarnPackageManagerClassType]
+    )
 
     # Error malformed version number string
     ERROR_MALFORMED_VERSION_NUMBER = "Malformed version number"

data/lib/dependabot/npm_and_yarn/package_name.rb

@@ -98,7 +98,8 @@ module Dependabot
             self.class.new("@types/#{@scope}__#{@name}")
           else
             self.class.new("@types/#{@name}")
-          end, T.nilable(PackageName)
+          end,
+          T.nilable(PackageName)
         )
       end
 

data/lib/dependabot/npm_and_yarn/pnpm_package_manager.rb

@@ -22,12 +22,15 @@ module Dependabot
       PNPM_V9 = "9"
       PNPM_V10 = "10"
 
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(PNPM_V7),
-        Version.new(PNPM_V8),
-        Version.new(PNPM_V9),
-        Version.new(PNPM_V10)
-      ].freeze, T::Array[Dependabot::Version])
+      SUPPORTED_VERSIONS = T.let(
+        [
+          Version.new(PNPM_V7),
+          Version.new(PNPM_V8),
+          Version.new(PNPM_V9),
+          Version.new(PNPM_V10)
+        ].freeze,
+        T::Array[Dependabot::Version]
+      )
 
       DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
 

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -48,8 +48,14 @@ module Dependabot
             repo_contents_path: T.nilable(String)
           ).void
         end
-        def initialize(dependency:, credentials:, dependency_files:,
-                       ignored_versions:, latest_allowable_version:, repo_contents_path:)
+        def initialize(
+          dependency:,
+          credentials:,
+          dependency_files:,
+          ignored_versions:,
+          latest_allowable_version:,
+          repo_contents_path:
+        )
           @dependency = dependency
           @credentials = credentials
           @dependency_files = dependency_files

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb

@@ -27,9 +27,12 @@ module Dependabot
 
         require_relative "latest_version_finder"
 
-        TIGHTLY_COUPLED_MONOREPOS = T.let({
-          "vue" => %w(vue vue-template-compiler)
-        }.freeze, T::Hash[String, T::Array[String]])
+        TIGHTLY_COUPLED_MONOREPOS = T.let(
+          {
+            "vue" => %w(vue vue-template-compiler)
+          }.freeze,
+          T::Hash[String, T::Array[String]]
+        )
 
         # Error message returned by `yarn add` (for Yarn classic):
         # " > @reach/router@1.2.1" has incorrect peer dependency "react@15.x || 16.x || 16.4.0-alpha.0911da3"
@@ -105,10 +108,15 @@ module Dependabot
           ).void
         end
         def initialize( # rubocop:disable Metrics/AbcSize
-          dependency:, dependency_files:, credentials:,
-          latest_allowable_version:, latest_version_finder:,
-          repo_contents_path:, dependency_group: nil,
-          raise_on_ignored: false, update_cooldown: nil
+          dependency:,
+          dependency_files:,
+          credentials:,
+          latest_allowable_version:,
+          latest_version_finder:,
+          repo_contents_path:,
+          dependency_group: nil,
+          raise_on_ignored: false,
+          update_cooldown: nil
         )
           @dependency               = dependency
           @dependency_files         = dependency_files
@@ -209,22 +217,29 @@ module Dependabot
 
         sig { returns(Dependabot::Dependency) }
         attr_reader :dependency
+
         sig { returns(T::Array[Dependabot::DependencyFile]) }
         attr_reader :dependency_files
+
         sig { returns(T::Array[Dependabot::Credential]) }
         attr_reader :credentials
+
         sig { returns(T.nilable(T.any(String, Gem::Version))) }
         attr_reader :latest_allowable_version
+
         sig { returns(T.nilable(String)) }
         attr_reader :repo_contents_path
+
         sig { returns(T.nilable(Dependabot::DependencyGroup)) }
         attr_reader :dependency_group
+
         sig { returns(T.nilable(Dependabot::Package::ReleaseCooldownOptions)) }
         attr_reader :update_cooldown
+
         sig { returns(T::Boolean) }
         attr_reader :raise_on_ignored
 
-        sig { params(dep: Dependabot::Dependency) .returns(PackageLatestVersionFinder) }
+        sig { params(dep: Dependabot::Dependency).returns(PackageLatestVersionFinder) }
         def latest_version_finder(dep)
           @latest_version_finder[dep] ||=
             PackageLatestVersionFinder.new(

data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb

@@ -200,8 +200,10 @@ module Dependabot
         end
 
         sig do
-          params(dependency: Dependabot::Dependency,
-                 error: Dependabot::SharedHelpers::HelperSubprocessFailed).void
+          params(
+            dependency: Dependabot::Dependency,
+            error: Dependabot::SharedHelpers::HelperSubprocessFailed
+          ).void
         end
         def log_helper_subprocess_failure(dependency, error)
           # See `Dependabot::SharedHelpers.run_helper_subprocess` for details on error context

data/lib/dependabot/npm_and_yarn/update_checker.rb

@@ -36,11 +36,19 @@ module Dependabot
         )
           .void
       end
-      def initialize(dependency:, dependency_files:, credentials:, # rubocop:disable Metrics/AbcSize
-                     repo_contents_path: nil, ignored_versions: [],
-                     raise_on_ignored: false, security_advisories: [],
-                     requirements_update_strategy: nil, dependency_group: nil,
-                     update_cooldown: nil, options: {})
+      def initialize( # rubocop:disable Metrics/AbcSize
+        dependency:,
+        dependency_files:,
+        credentials:,
+        repo_contents_path: nil,
+        ignored_versions: [],
+        raise_on_ignored: false,
+        security_advisories: [],
+        requirements_update_strategy: nil,
+        dependency_group: nil,
+        update_cooldown: nil,
+        options: {}
+      )
         @latest_version = T.let(nil, T.nilable(T.any(String, Gem::Version)))
         @latest_resolvable_version = T.let(nil, T.nilable(T.any(String, Dependabot::Version)))
         @updated_requirements = T.let(nil, T.nilable(T::Array[T::Hash[Symbol, T.untyped]]))
@@ -391,8 +399,10 @@ module Dependabot
       def latest_version_for_git_dependency
         @latest_version_for_git_dependency ||=
           if version_class.correct?(dependency.version)
-            T.unsafe(latest_git_version_details[:version] &&
-              version_class.new(latest_git_version_details[:version]))
+            T.unsafe(
+              latest_git_version_details[:version] &&
+                            version_class.new(latest_git_version_details[:version])
+            )
           else
             latest_git_version_details[:sha]
           end

data/lib/dependabot/npm_and_yarn/version.rb

@@ -21,20 +21,23 @@ module Dependabot
 
       # These are possible npm versioning tags that can be used in place of a version.
       # See https://docs.npmjs.com/cli/v10/commands/npm-dist-tag#purpose for more details.
-      VERSION_TAGS = T.let([
-        "alpha",        # Alpha version, early testing phase
-        "beta",         # Beta version, more stable than alpha
-        "canary",       # Canary version, often used for cutting-edge builds
-        "dev",          # Development version, ongoing development
-        "experimental", # Experimental version, unstable and new features
-        "latest",       # Latest stable version, used by npm to identify the current version of a package
-        "legacy",       # Legacy version, older version maintained for compatibility
-        "next",         # Next version, used by some projects to identify the upcoming version
-        "nightly",      # Nightly build, daily builds often including latest changes
-        "rc",           # Release candidate, potential final version
-        "release",      # General release version
-        "stable"        # Stable version, thoroughly tested and stable
-      ].freeze.map(&:freeze), T::Array[String])
+      VERSION_TAGS = T.let(
+        [
+          "alpha", # Alpha version, early testing phase
+          "beta",         # Beta version, more stable than alpha
+          "canary",       # Canary version, often used for cutting-edge builds
+          "dev",          # Development version, ongoing development
+          "experimental", # Experimental version, unstable and new features
+          "latest",       # Latest stable version, used by npm to identify the current version of a package
+          "legacy",       # Legacy version, older version maintained for compatibility
+          "next",         # Next version, used by some projects to identify the upcoming version
+          "nightly",      # Nightly build, daily builds often including latest changes
+          "rc",           # Release candidate, potential final version
+          "release",      # General release version
+          "stable"        # Stable version, thoroughly tested and stable
+        ].freeze.map(&:freeze),
+        T::Array[String]
+      )
 
       VERSION_PATTERN = T.let(Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?', String)
       ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/

data/lib/dependabot/npm_and_yarn/yarn_package_manager.rb

@@ -23,12 +23,15 @@ module Dependabot
       YARN_V3 = "3"
       YARN_V4 = "4"
 
-      SUPPORTED_VERSIONS = T.let([
-        Version.new(YARN_V1),
-        Version.new(YARN_V2),
-        Version.new(YARN_V3),
-        Version.new(YARN_V4)
-      ].freeze, T::Array[Dependabot::Version])
+      SUPPORTED_VERSIONS = T.let(
+        [
+          Version.new(YARN_V1),
+          Version.new(YARN_V2),
+          Version.new(YARN_V3),
+          Version.new(YARN_V4)
+        ].freeze,
+        T::Array[Dependabot::Version]
+      )
 
       DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])