dependabot-npm_and_yarn 0.91.0

data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb

@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+
+require "dependabot/npm_and_yarn/file_updater"
+
+module Dependabot
+  module NpmAndYarn
+    class FileUpdater
+      # Build a .npmrc file from the lockfile content, credentials, and any
+      # committed .npmrc
+      class NpmrcBuilder
+        CENTRAL_REGISTRIES = %w(
+          registry.npmjs.org
+          registry.yarnpkg.com
+        ).freeze
+
+        def initialize(dependency_files:, credentials:)
+          @dependency_files = dependency_files
+          @credentials = credentials
+        end
+
+        def npmrc_content
+          initial_content =
+            if npmrc_file then complete_npmrc_from_credentials
+            elsif yarnrc_file then build_npmrc_from_yarnrc
+            else build_npmrc_content_from_lockfile
+            end
+
+          return initial_content || "" unless registry_credentials.any?
+
+          ([initial_content] + credential_lines_for_npmrc).compact.join("\n")
+        end
+
+        private
+
+        attr_reader :dependency_files, :credentials
+
+        def build_npmrc_content_from_lockfile
+          return unless yarn_lock || package_lock
+          return unless global_registry
+
+          "registry = https://#{global_registry['registry']}\n"\
+          "#{global_registry_auth_line}\n"\
+          "always-auth = true"
+        end
+
+        def global_registry
+          @global_registry ||=
+            registry_credentials.find do |cred|
+              next false if CENTRAL_REGISTRIES.include?(cred["registry"])
+
+              # If all the URLs include this registry, it's global
+              if dependency_urls.all? { |url| url.include?(cred["registry"]) }
+                next true
+              end
+
+              # If any unscoped URLs include this registry, it's global
+              dependency_urls.
+                reject { |u| u.include?("@") || u.include?("%40") }.
+                any? { |url| url.include?(cred["registry"]) }
+            end
+        end
+
+        def global_registry_auth_line
+          token = global_registry.fetch("token")
+
+          if token.include?(":")
+            encoded_token = Base64.encode64(token).delete("\n")
+            "_auth = #{encoded_token}"
+          elsif Base64.decode64(token).ascii_only? &&
+                Base64.decode64(token).include?(":")
+            "_auth = #{token.delete("\n")}"
+          else
+            "_authToken = #{token}"
+          end
+        end
+
+        def dependency_urls
+          if package_lock
+            parsed_package_lock.fetch("dependencies", {}).
+              map { |_, details| details["resolved"] }.compact.
+              select { |url| url.is_a?(String) }.
+              reject { |url| url.start_with?("git") }
+          elsif yarn_lock
+            yarn_lock.content.scan(/ resolved "(.*?)"/).flatten
+          end
+        end
+
+        def complete_npmrc_from_credentials
+          initial_content = npmrc_file.content.
+                            gsub(/^.*\$\{.*\}.*/, "").strip + "\n"
+          return initial_content unless yarn_lock || package_lock
+          return initial_content unless global_registry
+
+          initial_content +
+            "registry = https://#{global_registry['registry']}\n"\
+            "#{global_registry_auth_line}\n"\
+            "always-auth = true\n"
+        end
+
+        def build_npmrc_from_yarnrc
+          yarnrc_global_registry =
+            yarnrc_file.content.
+            lines.find { |line| line.match?(/^\s*registry\s/) }&.
+            match(/^\s*registry\s+"(?<registry>[^"]+)"/)&.
+            named_captures&.fetch("registry")
+
+          if yarnrc_global_registry
+            return "registry = #{yarnrc_global_registry}\n"
+          end
+
+          build_npmrc_content_from_lockfile
+        end
+
+        def credential_lines_for_npmrc
+          lines = []
+          registry_credentials.each do |cred|
+            registry = cred.fetch("registry")
+
+            lines << registry_scope(registry) if registry_scope(registry)
+
+            token = cred.fetch("token")
+            if token.include?(":")
+              encoded_token = Base64.encode64(token).delete("\n")
+              lines << "//#{registry}/:_auth=#{encoded_token}"
+            elsif Base64.decode64(token).ascii_only? &&
+                  Base64.decode64(token).include?(":")
+              lines << %(//#{registry}/:_auth=#{token.delete("\n")})
+            else
+              lines << "//#{registry}/:_authToken=#{token}"
+            end
+          end
+
+          return lines unless lines.any? { |str| str.include?("auth=") }
+
+          # Work around a suspected yarn bug
+          ["always-auth = true"] + lines
+        end
+
+        def registry_scope(registry)
+          # Central registries don't just apply to scopes
+          return if CENTRAL_REGISTRIES.include?(registry)
+
+          return unless dependency_urls
+
+          affected_urls = dependency_urls.
+                          select { |url| url.include?(registry) }
+
+          scopes = affected_urls.map do |url|
+            url.split(/\%40|@/)[1]&.split(%r{\%2F|/})&.first
+          end
+
+          # Registry used for unscoped packages
+          return if scopes.include?(nil)
+
+          # This just seems unlikely
+          return unless scopes.uniq.count == 1
+
+          "@#{scopes.first}:registry=https://#{registry}/"
+        end
+
+        def registry_credentials
+          credentials.select { |cred| cred.fetch("type") == "npm_registry" }
+        end
+
+        def parsed_package_lock
+          @parsed_package_lock ||= JSON.parse(package_lock.content)
+        end
+
+        def npmrc_file
+          @npmrc_file ||= dependency_files.
+                          find { |f| f.name.end_with?(".npmrc") }
+        end
+
+        def yarnrc_file
+          @yarnrc_file ||= dependency_files.
+                           find { |f| f.name.end_with?(".yarnrc") }
+        end
+
+        def yarn_lock
+          @yarn_lock ||= dependency_files.find { |f| f.name == "yarn.lock" }
+        end
+
+        def package_lock
+          @package_lock ||=
+            dependency_files.find { |f| f.name == "package-lock.json" }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_updater/package_json_preparer.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require "dependabot/npm_and_yarn/file_updater"
+require "dependabot/npm_and_yarn/file_parser"
+
+module Dependabot
+  module NpmAndYarn
+    class FileUpdater
+      class PackageJsonPreparer
+        def initialize(package_json_content:)
+          @package_json_content = package_json_content
+        end
+
+        def prepared_content
+          content = package_json_content
+          content = replace_ssh_sources(content)
+          content = remove_workspace_path_prefixes(content)
+          content = remove_invalid_characters(content)
+          content
+        end
+
+        def replace_ssh_sources(content)
+          updated_content = content
+
+          git_ssh_requirements_to_swap.each do |req|
+            new_req = req.gsub(%r{git\+ssh://git@(.*?)[:/]}, 'https://\1/')
+            updated_content = updated_content.gsub(req, new_req)
+          end
+
+          updated_content
+        end
+
+        # A bug prevents Yarn recognising that a directory is part of a
+        # workspace if it is specified with a `./` prefix.
+        def remove_workspace_path_prefixes(content)
+          json = JSON.parse(content)
+          return content unless json.key?("workspaces")
+
+          workspace_object = json.fetch("workspaces")
+          paths_array =
+            if workspace_object.is_a?(Hash)
+              workspace_object.values_at("packages", "nohoist").
+                flatten.compact
+            elsif workspace_object.is_a?(Array) then workspace_object
+            else raise "Unexpected workspace object"
+            end
+
+          paths_array.each { |path| path.gsub!(%r{^\./}, "") }
+
+          json.to_json
+        end
+
+        def remove_invalid_characters(content)
+          content.
+            gsub(/\{\{.*?\}\}/, "something"). # {{ name }} syntax not allowed
+            gsub(/(?<!\\)\\ /, " ").          # escaped whitespace not allowed
+            gsub(%r{^\s*//.*}, " ")           # comments are not allowed
+        end
+
+        def swapped_ssh_requirements
+          git_ssh_requirements_to_swap
+        end
+
+        private
+
+        attr_reader :package_json_content
+
+        def git_ssh_requirements_to_swap
+          return @git_ssh_requirements_to_swap if @git_ssh_requirements_to_swap
+
+          @git_ssh_requirements_to_swap = []
+
+          NpmAndYarn::FileParser::DEPENDENCY_TYPES.each do |t|
+            JSON.parse(package_json_content).fetch(t, {}).each do |_, req|
+              next unless req.start_with?("git+ssh:")
+
+              req = req.split("#").first
+              @git_ssh_requirements_to_swap << req
+            end
+          end
+
+          @git_ssh_requirements_to_swap
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb

@@ -0,0 +1,218 @@
+# frozen_string_literal: true
+
+require "dependabot/npm_and_yarn/file_updater"
+
+module Dependabot
+  module NpmAndYarn
+    class FileUpdater
+      class PackageJsonUpdater
+        def initialize(package_json:, dependencies:)
+          @package_json = package_json
+          @dependencies = dependencies
+        end
+
+        def updated_package_json
+          updated_file = package_json.dup
+          updated_file.content = updated_package_json_content
+          updated_file
+        end
+
+        private
+
+        attr_reader :package_json, :dependencies
+
+        def updated_package_json_content
+          dependencies.reduce(package_json.content.dup) do |content, dep|
+            updated_requirements(dep).each do |new_req|
+              old_req = old_requirement(dep, new_req)
+
+              new_content = update_package_json_declaration(
+                package_json_content: content,
+                dependency_name: dep.name,
+                old_req: old_req,
+                new_req: new_req
+              )
+
+              raise "Expected content to change!" if content == new_content
+
+              content = new_content
+            end
+
+            new_requirements(dep).each do |new_req|
+              old_req = old_requirement(dep, new_req)
+
+              content = update_package_json_resolutions(
+                package_json_content: content,
+                new_req: new_req,
+                dependency: dep,
+                old_req: old_req
+              )
+            end
+
+            content
+          end
+        end
+
+        def old_requirement(dependency, new_requirement)
+          dependency.previous_requirements.
+            select { |r| r[:file] == package_json.name }.
+            find { |r| r[:groups] == new_requirement[:groups] }
+        end
+
+        def new_requirements(dependency)
+          dependency.requirements.select { |r| r[:file] == package_json.name }
+        end
+
+        def updated_requirements(dependency)
+          new_requirements(dependency).
+            reject { |r| dependency.previous_requirements.include?(r) }
+        end
+
+        def update_package_json_declaration(package_json_content:, new_req:,
+                                            dependency_name:, old_req:)
+          original_line = declaration_line(
+            dependency_name: dependency_name,
+            dependency_req: old_req,
+            content: package_json_content
+          )
+
+          replacement_line = replacement_declaration_line(
+            original_line: original_line,
+            old_req: old_req,
+            new_req: new_req
+          )
+
+          groups = new_req.fetch(:groups)
+
+          update_package_json_sections(
+            groups,
+            package_json_content,
+            original_line,
+            replacement_line
+          )
+        end
+
+        # For full details on how Yarn resolutions work, see
+        # https://github.com/yarnpkg/rfcs/blob/master/implemented/
+        # 0000-selective-versions-resolutions.md
+        def update_package_json_resolutions(package_json_content:, new_req:,
+                                            dependency:, old_req:)
+          dep = dependency
+          resolutions =
+            JSON.parse(package_json_content).fetch("resolutions", {}).
+            reject { |_, v| v != old_req && v != dep.previous_version }.
+            select { |k, _| k == dep.name || k.end_with?("/#{dep.name}") }
+
+          return package_json_content unless resolutions.any?
+
+          content = package_json_content
+          resolutions.each do |_, resolution|
+            original_line = declaration_line(
+              dependency_name: dep.name,
+              dependency_req: { requirement: resolution },
+              content: content
+            )
+
+            new_resolution = resolution == old_req ? new_req : dep.version
+
+            replacement_line = replacement_declaration_line(
+              original_line: original_line,
+              old_req: { requirement: resolution },
+              new_req: { requirement: new_resolution }
+            )
+
+            content = update_package_json_sections(
+              ["resolutions"], content, original_line, replacement_line
+            )
+          end
+          content
+        end
+
+        def declaration_line(dependency_name:, dependency_req:, content:)
+          git_dependency = dependency_req.dig(:source, :type) == "git"
+
+          unless git_dependency
+            requirement = dependency_req.fetch(:requirement)
+            return content.match(/"#{Regexp.escape(dependency_name)}"\s*:\s*
+                                  "#{Regexp.escape(requirement)}"/x).to_s
+          end
+
+          username, repo =
+            dependency_req.dig(:source, :url).split("/").last(2)
+
+          content.match(
+            %r{"#{Regexp.escape(dependency_name)}"\s*:\s*
+               ".*?#{Regexp.escape(username)}/#{Regexp.escape(repo)}.*"}x
+          ).to_s
+        end
+
+        def replacement_declaration_line(original_line:, old_req:, new_req:)
+          was_git_dependency = old_req.dig(:source, :type) == "git"
+          now_git_dependency = new_req.dig(:source, :type) == "git"
+
+          unless was_git_dependency
+            return original_line.gsub(
+              %("#{old_req.fetch(:requirement)}"),
+              %("#{new_req.fetch(:requirement)}")
+            )
+          end
+
+          unless now_git_dependency
+            return original_line.gsub(
+              /(?<=\s").*[^\\](?=")/,
+              new_req.fetch(:requirement)
+            )
+          end
+
+          if original_line.include?("semver:")
+            return original_line.gsub(
+              %(semver:#{old_req.fetch(:requirement)}"),
+              %(semver:#{new_req.fetch(:requirement)}")
+            )
+          end
+
+          original_line.gsub(
+            %(\##{old_req.dig(:source, :ref)}"),
+            %(\##{new_req.dig(:source, :ref)}")
+          )
+        end
+
+        def update_package_json_sections(sections, content, old_line,
+                                         new_line)
+          # Currently, Dependabot doesn't update peerDependencies. However,
+          # if a development dependency is being updated and its requirement
+          # matches the requirement on a peer dependency we probably want to
+          # update the peer too.
+          #
+          # TODO: Move this logic to the UpdateChecker (and parse peer deps)
+          sections += ["peerDependencies"]
+          sections_regex = /#{sections.join("|")}/
+
+          declaration_blocks = []
+
+          content.scan(/['"]#{sections_regex}['"]\s*:\s*\{/m) do
+            mtch = Regexp.last_match
+            declaration_blocks <<
+              mtch.to_s +
+              mtch.post_match[0..closing_bracket_index(mtch.post_match)]
+          end
+
+          declaration_blocks.reduce(content.dup) do |new_content, block|
+            updated_block = block.sub(old_line, new_line)
+            new_content.sub!(block, updated_block)
+          end
+        end
+
+        def closing_bracket_index(string)
+          closes_required = 1
+
+          string.chars.each_with_index do |char, index|
+            closes_required += 1 if char == "{"
+            closes_required -= 1 if char == "}"
+            return index if closes_required.zero?
+          end
+        end
+      end
+    end
+  end
+end