RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.350.0 → 0.352.0 - Mend

dependabot-npm_and_yarn 0.350.0 → 0.352.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

checksums.yaml +4 -4
data/helpers/build +1 -1
data/helpers/lib/npm6/peer-dependency-checker.js +0 -1
data/helpers/lib/npm6/subdependency-updater.js +0 -1
data/helpers/lib/npm6/updater.js +0 -1
data/helpers/package-lock.json +1027 -1010
data/helpers/package.json +3 -3
data/lib/dependabot/npm_and_yarn/constraint_helper.rb +9 -2
data/lib/dependabot/npm_and_yarn/dependency_grapher/lockfile_generator.rb +217 -0
data/lib/dependabot/npm_and_yarn/dependency_grapher.rb +174 -0
data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +34 -15
data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb +4 -0
data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +4 -0
data/lib/dependabot/npm_and_yarn/helpers.rb +59 -1
data/lib/dependabot/npm_and_yarn/native_helpers.rb +0 -6
data/lib/dependabot/npm_and_yarn/registry_helper.rb +12 -4
data/lib/dependabot/npm_and_yarn.rb +1 -0
metadata +6 -4

data/lib/dependabot/npm_and_yarn/registry_helper.rb CHANGED Viewed

@@ -46,7 +46,8 @@ module Dependabot
           env_variables[COREPACK_NPM_REGISTRY_ENV] = registry
         end
-        env_variables[COREPACK_NPM_TOKEN_ENV] = registry_info[:auth_token] if registry_info[:auth_token]
+        # NOTE: We only set the registry, not the token
+        # The token should be configured in .npmrc for security
         env_variables
       end
@@ -87,7 +88,15 @@ module Dependabot
         @credentials.each do |cred|
           next unless cred["type"] == "npm_registry" # Skip if not an npm registry
-          next unless cred["replaces-base"] # Skip if not a reverse-proxy registry
+          # Handle both Credential objects and plain hashes
+          replaces_base = if cred.respond_to?(:replaces_base?)
+                            cred.replaces_base?
+                          else
+                            cred["replaces-base"]
+                          end
+          next unless replaces_base # Skip if not a reverse-proxy registry
           # Set the registry if it's not already set
           registries[:registry] ||= cred["registry"]
@@ -95,10 +104,9 @@ module Dependabot
           # Set the token if it's not already set
           registries[:auth_token] ||= cred["token"]
         end
         registries
       end
-      # Find registry and token in .npmrc or .yarnrc file
       sig do
         params(
           file: T.nilable(Dependabot::DependencyFile),

data/lib/dependabot/npm_and_yarn.rb CHANGED Viewed

@@ -10,6 +10,7 @@ require "dependabot/npm_and_yarn/file_updater"
 require "dependabot/npm_and_yarn/metadata_finder"
 require "dependabot/npm_and_yarn/requirement"
 require "dependabot/npm_and_yarn/version"
+require "dependabot/npm_and_yarn/dependency_grapher"
 require "dependabot/pull_request_creator/labeler"
 Dependabot::PullRequestCreator::Labeler

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.350.0
+  version: 0.352.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.350.0
+        version: 0.352.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.350.0
+        version: 0.352.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -313,6 +313,8 @@ files:
 - lib/dependabot/npm_and_yarn.rb
 - lib/dependabot/npm_and_yarn/constraint_helper.rb
 - lib/dependabot/npm_and_yarn/dependency_files_filterer.rb
+- lib/dependabot/npm_and_yarn/dependency_grapher.rb
+- lib/dependabot/npm_and_yarn/dependency_grapher/lockfile_generator.rb
 - lib/dependabot/npm_and_yarn/file_fetcher.rb
 - lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb
 - lib/dependabot/npm_and_yarn/file_parser.rb
@@ -359,7 +361,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.350.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.352.0
 rdoc_options: []
 require_paths:
 - lib