dependabot-npm_and_yarn 0.91.0

data/lib/dependabot/npm_and_yarn/update_checker.rb

@@ -0,0 +1,282 @@
+# frozen_string_literal: true
+
+require "dependabot/git_commit_checker"
+require "dependabot/update_checkers"
+require "dependabot/update_checkers/base"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module NpmAndYarn
+    class UpdateChecker < Dependabot::UpdateCheckers::Base
+      require_relative "update_checker/requirements_updater"
+      require_relative "update_checker/library_detector"
+      require_relative "update_checker/latest_version_finder"
+      require_relative "update_checker/version_resolver"
+      require_relative "update_checker/subdependency_version_resolver"
+
+      def latest_version
+        @latest_version ||=
+          if git_dependency?
+            latest_version_for_git_dependency
+          else
+            latest_version_details&.fetch(:version)
+          end
+      end
+
+      def latest_resolvable_version
+        return unless latest_version
+
+        @latest_resolvable_version ||=
+          if dependency.top_level?
+            version_resolver.latest_resolvable_version
+          else
+            # If the dependency is indirect its version is constrained  by the
+            # requirements placed on it by dependencies lower down the tree
+            subdependency_version_resolver.latest_resolvable_version
+          end
+      end
+
+      def latest_resolvable_version_with_no_unlock
+        return latest_resolvable_version unless dependency.top_level?
+
+        if git_dependency?
+          return latest_resolvable_version_with_no_unlock_for_git_dependency
+        end
+
+        latest_version_finder.latest_resolvable_version_with_no_unlock
+      end
+
+      def updated_requirements
+        resolvable_version =
+          if latest_resolvable_version.is_a?(version_class)
+            latest_resolvable_version.to_s
+          elsif latest_resolvable_version.nil?
+            nil
+          else
+            latest_version_details&.fetch(:version, nil)&.to_s
+          end
+
+        @updated_requirements ||=
+          RequirementsUpdater.new(
+            requirements: dependency.requirements,
+            updated_source: updated_source,
+            latest_version:
+              latest_version_details&.fetch(:version, nil)&.to_s,
+            latest_resolvable_version: resolvable_version,
+            update_strategy: requirements_update_strategy
+          ).updated_requirements
+      end
+
+      def requirements_update_strategy
+        # If passed in as an option (in the base class) honour that option
+        if @requirements_update_strategy
+          return @requirements_update_strategy.to_sym
+        end
+
+        # Otherwise, widen ranges for libraries and bump versions for apps
+        library? ? :widen_ranges : :bump_versions
+      end
+
+      private
+
+      def latest_version_resolvable_with_full_unlock?
+        return unless latest_version
+
+        # No support for full unlocks for subdependencies yet
+        return false unless dependency.top_level?
+
+        version_resolver.latest_version_resolvable_with_full_unlock?
+      end
+
+      def updated_dependencies_after_full_unlock
+        version_resolver.dependency_updates_from_full_unlock.
+          map { |update_details| build_updated_dependency(update_details) }
+      end
+
+      def build_updated_dependency(update_details)
+        original_dep = update_details.fetch(:dependency)
+
+        Dependency.new(
+          name: original_dep.name,
+          version: update_details.fetch(:version).to_s,
+          requirements: RequirementsUpdater.new(
+            requirements: original_dep.requirements,
+            updated_source: original_dep == dependency ? updated_source : nil,
+            latest_version: update_details[:version].to_s,
+            latest_resolvable_version: update_details[:version].to_s,
+            update_strategy: requirements_update_strategy
+          ).updated_requirements,
+          previous_version: original_dep.version,
+          previous_requirements: original_dep.requirements,
+          package_manager: original_dep.package_manager
+        )
+      end
+
+      def latest_resolvable_version_with_no_unlock_for_git_dependency
+        reqs = dependency.requirements.map do |r|
+          next if r.fetch(:requirement).nil?
+
+          requirement_class.requirements_array(r.fetch(:requirement))
+        end.compact
+
+        return dependency.version if git_commit_checker.pinned?
+
+        # TODO: Really we should get a tag that satisfies the semver req
+        return dependency.version if reqs.any?
+
+        git_commit_checker.head_commit_for_current_branch
+      end
+
+      def latest_version_for_git_dependency
+        @latest_version_for_git_dependency ||=
+          begin
+            latest_release = latest_version_finder.
+                             latest_version_details_from_registry
+
+            # If there's been a release that includes the current pinned ref
+            # or that the current branch is behind, we switch to that release.
+            if git_branch_or_ref_in_release?(latest_release&.fetch(:version))
+              latest_release.fetch(:version)
+            else
+              latest_git_version_details[:sha]
+            end
+          end
+      end
+
+      def should_switch_source_from_git_to_registry?
+        return false unless git_dependency?
+        return false if latest_version_for_git_dependency.nil?
+
+        version_class.correct?(latest_version_for_git_dependency)
+      end
+
+      def git_branch_or_ref_in_release?(release)
+        return false unless release
+
+        git_commit_checker.branch_or_ref_in_release?(release)
+      end
+
+      def latest_version_details
+        @latest_version_details ||=
+          if git_dependency? && !should_switch_source_from_git_to_registry?
+            latest_git_version_details
+          else
+            latest_version_finder.latest_version_details_from_registry
+          end
+      end
+
+      def latest_version_finder
+        @latest_version_finder ||=
+          LatestVersionFinder.new(
+            dependency: dependency,
+            credentials: credentials,
+            dependency_files: dependency_files,
+            ignored_versions: ignored_versions
+          )
+      end
+
+      def version_resolver
+        @version_resolver ||=
+          VersionResolver.new(
+            dependency: dependency,
+            credentials: credentials,
+            dependency_files: dependency_files,
+            latest_allowable_version: latest_version,
+            latest_version_finder: latest_version_finder
+          )
+      end
+
+      def subdependency_version_resolver
+        @subdependency_version_resolver ||=
+          SubdependencyVersionResolver.new(
+            dependency: dependency,
+            credentials: credentials,
+            dependency_files: dependency_files,
+            ignored_versions: ignored_versions
+          )
+      end
+
+      def git_dependency?
+        git_commit_checker.git_dependency?
+      end
+
+      def latest_git_version_details
+        semver_req =
+          dependency.requirements.
+          find { |req| req.dig(:source, :type) == "git" }&.
+          fetch(:requirement)
+
+        # If there was a semver requirement provided or the dependency was
+        # pinned to a version, look for the latest tag
+        if semver_req || git_commit_checker.pinned_ref_looks_like_version?
+          latest_tag = git_commit_checker.local_tag_for_latest_version
+          return {
+            sha: latest_tag&.fetch(:commit_sha),
+            version: latest_tag&.fetch(:tag)&.gsub(/^[^\d]*/, "")
+          }
+        end
+
+        # Otherwise, if the gem isn't pinned, the latest version is just the
+        # latest commit for the specified branch.
+        unless git_commit_checker.pinned?
+          return { sha: git_commit_checker.head_commit_for_current_branch }
+        end
+
+        # If the dependency is pinned to a tag that doesn't look like a
+        # version then there's nothing we can do.
+        { sha: dependency.version }
+      end
+
+      def updated_source
+        # Never need to update source, unless a git_dependency
+        return dependency_source_details unless git_dependency?
+
+        # Source becomes `nil` if switching to default rubygems
+        return nil if should_switch_source_from_git_to_registry?
+
+        # Update the git tag if updating a pinned version
+        if git_commit_checker.pinned_ref_looks_like_version? &&
+           !git_commit_checker.local_tag_for_latest_version.nil?
+          new_tag = git_commit_checker.local_tag_for_latest_version
+          return dependency_source_details.merge(ref: new_tag.fetch(:tag))
+        end
+
+        # Otherwise return the original source
+        dependency_source_details
+      end
+
+      def library?
+        return true unless dependency.version
+        return true if dependency_files.any? { |f| f.name == "lerna.json" }
+
+        @library =
+          LibraryDetector.new(package_json_file: package_json).library?
+      end
+
+      def dependency_source_details
+        sources =
+          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+        sources.first
+      end
+
+      def package_json
+        @package_json ||=
+          dependency_files.find { |f| f.name == "package.json" }
+      end
+
+      def git_commit_checker
+        @git_commit_checker ||=
+          GitCommitChecker.new(
+            dependency: dependency,
+            credentials: credentials
+          )
+      end
+    end
+  end
+end
+
+Dependabot::UpdateCheckers.
+  register("npm_and_yarn", Dependabot::NpmAndYarn::UpdateChecker)

data/lib/dependabot/npm_and_yarn/version.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require "dependabot/utils"
+require "rubygems_version_patch"
+
+# JavaScript pre-release versions use 1.0.1-rc1 syntax, which Gem::Version
+# converts into 1.0.1.pre.rc1. We override the `to_s` method to stop that
+# alteration.
+#
+# See https://semver.org/ for details of node's version syntax.
+
+module Dependabot
+  module NpmAndYarn
+    class Version < Gem::Version
+      def self.correct?(version)
+        version = version.gsub(/^v/, "") if version.is_a?(String)
+        super(version)
+      end
+
+      def initialize(version)
+        @version_string = version.to_s
+        version = version.gsub(/^v/, "") if version.is_a?(String)
+        super
+      end
+
+      def to_s
+        @version_string
+      end
+    end
+  end
+end
+
+Dependabot::Utils.
+  register_version_class("npm_and_yarn", Dependabot::NpmAndYarn::Version)

data/lib/dependabot/npm_and_yarn.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# These all need to be required so the various classes can be registered in a
+# lookup table of package manager names to concrete classes.
+require "dependabot/npm_and_yarn/file_fetcher"
+require "dependabot/npm_and_yarn/file_parser"
+require "dependabot/npm_and_yarn/update_checker"
+require "dependabot/npm_and_yarn/file_updater"
+require "dependabot/npm_and_yarn/metadata_finder"
+require "dependabot/npm_and_yarn/requirement"
+require "dependabot/npm_and_yarn/version"

metadata

@@ -0,0 +1,226 @@
+--- !ruby/object:Gem::Specification
+name: dependabot-npm_and_yarn
+version: !ruby/object:Gem::Version
+  version: 0.91.0
+platform: ruby
+authors:
+- Dependabot
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-01-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dependabot-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.91.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.91.0
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.61'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.61'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+description: Automated dependency management for Ruby, JavaScript, Python, PHP, Elixir,
+  Rust, Java, .NET, Elm and Go
+email: support@dependabot.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- helpers/build
+- helpers/npm/.eslintrc
+- helpers/npm/bin/run.js
+- helpers/npm/lib/helpers.js
+- helpers/npm/lib/peer-dependency-checker.js
+- helpers/npm/lib/subdependency-updater.js
+- helpers/npm/lib/updater.js
+- helpers/npm/package-lock.json
+- helpers/npm/package.json
+- helpers/npm/test/fixtures/npm-left-pad.json
+- helpers/npm/test/fixtures/updater/original/package-lock.json
+- helpers/npm/test/fixtures/updater/original/package.json
+- helpers/npm/test/fixtures/updater/updated/package-lock.json
+- helpers/npm/test/helpers.js
+- helpers/npm/test/updater.test.js
+- helpers/npm/yarn.lock
+- helpers/yarn/.eslintrc
+- helpers/yarn/bin/run.js
+- helpers/yarn/lib/fix-duplicates.js
+- helpers/yarn/lib/helpers.js
+- helpers/yarn/lib/lockfile-parser.js
+- helpers/yarn/lib/peer-dependency-checker.js
+- helpers/yarn/lib/replace-lockfile-declaration.js
+- helpers/yarn/lib/subdependency-updater.js
+- helpers/yarn/lib/updater.js
+- helpers/yarn/package.json
+- helpers/yarn/test/fixtures/updater/original/package.json
+- helpers/yarn/test/fixtures/updater/original/yarn.lock
+- helpers/yarn/test/fixtures/updater/updated/yarn.lock
+- helpers/yarn/test/fixtures/updater/with-version-comments/package.json
+- helpers/yarn/test/fixtures/updater/with-version-comments/yarn.lock
+- helpers/yarn/test/fixtures/yarnpkg-is-positive.json
+- helpers/yarn/test/fixtures/yarnpkg-left-pad.json
+- helpers/yarn/test/helpers.js
+- helpers/yarn/test/updater.test.js
+- helpers/yarn/yarn.lock
+- lib/dependabot/npm_and_yarn.rb
+- lib/dependabot/npm_and_yarn/file_fetcher.rb
+- lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb
+- lib/dependabot/npm_and_yarn/file_parser.rb
+- lib/dependabot/npm_and_yarn/file_updater.rb
+- lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb
+- lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb
+- lib/dependabot/npm_and_yarn/file_updater/package_json_preparer.rb
+- lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb
+- lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb
+- lib/dependabot/npm_and_yarn/metadata_finder.rb
+- lib/dependabot/npm_and_yarn/native_helpers.rb
+- lib/dependabot/npm_and_yarn/requirement.rb
+- lib/dependabot/npm_and_yarn/update_checker.rb
+- lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb
+- lib/dependabot/npm_and_yarn/update_checker/library_detector.rb
+- lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb
+- lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb
+- lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb
+- lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb
+- lib/dependabot/npm_and_yarn/version.rb
+homepage: https://github.com/dependabot/dependabot-core
+licenses:
+- Nonstandard
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.5.0
+requirements: []
+rubygems_version: 3.0.1
+signing_key: 
+specification_version: 4
+summary: JS support for dependabot-core
+test_files: []