dependabot-npm_and_yarn 0.91.0

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -0,0 +1,189 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+
+module Dependabot
+  module NpmAndYarn
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      require_relative "file_updater/package_json_updater"
+      require_relative "file_updater/npm_lockfile_updater"
+      require_relative "file_updater/yarn_lockfile_updater"
+
+      class NoChangeError < StandardError
+        def initialize(message:, error_context:)
+          super(message)
+          @error_context = error_context
+        end
+
+        def raven_context
+          { extra: @error_context }
+        end
+      end
+
+      def self.updated_files_regex
+        [
+          /^package\.json$/,
+          /^package-lock\.json$/,
+          /^npm-shrinkwrap\.json$/,
+          /^yarn\.lock$/
+        ]
+      end
+
+      def updated_dependency_files
+        updated_files = []
+
+        updated_files += updated_manifest_files
+        updated_files += updated_lockfiles
+
+        if updated_files.none?
+          raise NoChangeError.new(
+            message: "No files where updated!",
+            error_context: error_context(updated_files: updated_files)
+          )
+        end
+
+        if updated_files.sort_by(&:name) == dependency_files.sort_by(&:name)
+          raise NoChangeError.new(
+            message: "Updated files are unchanged!",
+            error_context: error_context(updated_files: updated_files)
+          )
+        end
+
+        updated_files
+      end
+
+      private
+
+      def check_required_files
+        raise "No package.json!" unless get_original_file("package.json")
+      end
+
+      def error_context(updated_files:)
+        {
+          dependencies: dependencies.map(&:to_h),
+          updated_files: updated_files.map(&:name),
+          dependency_files: dependency_files.map(&:name)
+        }
+      end
+
+      def package_locks
+        @package_locks ||=
+          dependency_files.
+          select { |f| f.name.end_with?("package-lock.json") }
+      end
+
+      def yarn_locks
+        @yarn_locks ||=
+          dependency_files.
+          select { |f| f.name.end_with?("yarn.lock") }
+      end
+
+      def shrinkwraps
+        @shrinkwraps ||=
+          dependency_files.
+          select { |f| f.name.end_with?("npm-shrinkwrap.json") }
+      end
+
+      def package_files
+        dependency_files.select { |f| f.name.end_with?("package.json") }
+      end
+
+      def yarn_lock_changed?(yarn_lock)
+        yarn_lock.content != updated_yarn_lock_content(yarn_lock)
+      end
+
+      def package_lock_changed?(package_lock)
+        package_lock.content != updated_package_lock_content(package_lock)
+      end
+
+      def shrinkwrap_changed?(shrinkwrap)
+        shrinkwrap.content != updated_package_lock_content(shrinkwrap)
+      end
+
+      def updated_manifest_files
+        package_files.map do |file|
+          updated_content = updated_package_json_content(file)
+          next if updated_content == file.content
+
+          updated_file(file: file, content: updated_content)
+        end.compact
+      end
+
+      def updated_lockfiles
+        updated_files = []
+
+        yarn_locks.each do |yarn_lock|
+          next unless yarn_lock_changed?(yarn_lock)
+
+          updated_files << updated_file(
+            file: yarn_lock,
+            content: updated_yarn_lock_content(yarn_lock)
+          )
+        end
+
+        package_locks.each do |package_lock|
+          next unless package_lock_changed?(package_lock)
+
+          updated_files << updated_file(
+            file: package_lock,
+            content: updated_package_lock_content(package_lock)
+          )
+        end
+
+        shrinkwraps.each do |shrinkwrap|
+          next unless shrinkwrap_changed?(shrinkwrap)
+
+          updated_files << updated_file(
+            file: shrinkwrap,
+            content: updated_shrinkwrap_content(shrinkwrap)
+          )
+        end
+
+        updated_files
+      end
+
+      def updated_yarn_lock_content(yarn_lock)
+        yarn_lockfile_updater.updated_yarn_lock_content(yarn_lock)
+      end
+
+      def yarn_lockfile_updater
+        @yarn_lockfile_updater ||=
+          YarnLockfileUpdater.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files,
+            credentials: credentials
+          )
+      end
+
+      def updated_package_lock_content(package_lock)
+        npm_lockfile_updater.updated_lockfile_content(package_lock)
+      end
+
+      def updated_shrinkwrap_content(shrinkwrap)
+        npm_lockfile_updater.updated_lockfile_content(shrinkwrap)
+      end
+
+      def npm_lockfile_updater
+        @npm_lockfile_updater ||=
+          NpmLockfileUpdater.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files,
+            credentials: credentials
+          )
+      end
+
+      def updated_package_json_content(file)
+        @updated_package_json_content ||= {}
+        @updated_package_json_content[file.name] ||=
+          PackageJsonUpdater.new(
+            package_json: file,
+            dependencies: dependencies
+          ).updated_package_json.content
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.
+  register("npm_and_yarn", Dependabot::NpmAndYarn::FileUpdater)

data/lib/dependabot/npm_and_yarn/metadata_finder.rb

@@ -0,0 +1,217 @@
+# frozen_string_literal: true
+
+require "excon"
+require "time"
+
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+require "dependabot/shared_helpers"
+require "dependabot/npm_and_yarn/version"
+
+module Dependabot
+  module NpmAndYarn
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      def homepage_url
+        # Attempt to use version_listing first, as fetching the entire listing
+        # array can be slow (if it's large)
+        if latest_version_listing["homepage"]
+          return latest_version_listing["homepage"]
+        end
+
+        listing = all_version_listings.find { |_, l| l["homepage"] }
+        listing&.last&.fetch("homepage", nil) || super
+      end
+
+      def maintainer_changes
+        return unless npm_releaser
+        return unless npm_listing.dig("time", dependency.version)
+        return if previous_releasers.include?(npm_releaser)
+
+        "This version was pushed to npm by "\
+        "[#{npm_releaser}](https://www.npmjs.com/~#{npm_releaser}), a new "\
+        "releaser for #{dependency.name} since your current version."
+      end
+
+      private
+
+      def look_up_source
+        return find_source_from_registry if new_source.nil?
+
+        source_type = new_source[:type] || new_source.fetch("type")
+
+        case source_type
+        when "git" then find_source_from_git_url
+        when "private_registry" then find_source_from_registry
+        else raise "Unexpected source type: #{source_type}"
+        end
+      end
+
+      def npm_releaser
+        all_version_listings.
+          find { |v, _| v == dependency.version }&.
+          last&.fetch("_npmUser", nil)&.fetch("name", nil)
+      end
+
+      def previous_releasers
+        times = npm_listing.fetch("time")
+
+        cutoff =
+          if dependency.previous_version && times[dependency.previous_version]
+            Time.parse(times[dependency.previous_version])
+          elsif times[dependency.version]
+            Time.parse(times[dependency.version]) - 1
+          end
+        return unless cutoff
+
+        all_version_listings.
+          reject { |v, _| Time.parse(times[v]) > cutoff }.
+          map { |_, d| d.fetch("_npmUser", nil)&.fetch("name", nil) }.compact
+      end
+
+      def find_source_from_registry
+        # Attempt to use version_listing first, as fetching the entire listing
+        # array can be slow (if it's large)
+        potential_source_urls =
+          [
+            get_url(latest_version_listing["repository"]),
+            get_url(latest_version_listing["homepage"]),
+            get_url(latest_version_listing["bugs"])
+          ].compact
+
+        source_url = potential_source_urls.find { |url| Source.from_url(url) }
+        return Source.from_url(source_url) if Source.from_url(source_url)
+
+        potential_source_urls =
+          all_version_listings.flat_map do |_, listing|
+            [
+              get_url(listing["repository"]),
+              get_url(listing["homepage"]),
+              get_url(listing["bugs"])
+            ]
+          end.compact
+
+        source_url = potential_source_urls.find { |url| Source.from_url(url) }
+        Source.from_url(source_url)
+      end
+
+      def new_source
+        sources = dependency.requirements.
+                  map { |r| r.fetch(:source) }.uniq.compact
+
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+        sources.first
+      end
+
+      def get_url(details)
+        case details
+        when String then details
+        when Hash then details.fetch("url", nil)
+        end
+      end
+
+      def find_source_from_git_url
+        url = new_source[:url] || new_source.fetch("url")
+        Source.from_url(url)
+      end
+
+      def latest_version_listing
+        return @latest_version_listing if defined?(@latest_version_listing)
+
+        response = Excon.get(
+          "#{dependency_url}/latest",
+          headers: registry_auth_headers,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        if response.status == 200
+          return @latest_version_listing = JSON.parse(response.body)
+        end
+
+        @latest_version_listing = {}
+      rescue JSON::ParserError, Excon::Error::Timeout
+        @latest_version_listing = {}
+      end
+
+      def all_version_listings
+        return [] if npm_listing["versions"].nil?
+
+        npm_listing["versions"].
+          reject { |_, details| details["deprecated"] }.
+          sort_by { |version, _| NpmAndYarn::Version.new(version) }.
+          reverse
+      end
+
+      def npm_listing
+        return @npm_listing unless @npm_listing.nil?
+
+        response = Excon.get(
+          dependency_url,
+          headers: registry_auth_headers,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+
+        return @npm_listing = {} if response.status >= 500
+
+        begin
+          @npm_listing = JSON.parse(response.body)
+        rescue JSON::ParserError
+          raise unless non_standard_registry?
+
+          @npm_listing = {}
+        end
+      rescue Excon::Error::Timeout
+        @npm_listing = {}
+      end
+
+      def dependency_url
+        registry_url =
+          if new_source.nil? then "https://registry.npmjs.org"
+          else new_source.fetch(:url)
+          end
+
+        # NPM registries expect slashes to be escaped
+        escaped_dependency_name = dependency.name.gsub("/", "%2F")
+        "#{registry_url}/#{escaped_dependency_name}"
+      end
+
+      def registry_auth_headers
+        return {} unless auth_token
+
+        { "Authorization" => "Bearer #{auth_token}" }
+      end
+
+      def dependency_registry
+        if new_source.nil? then "registry.npmjs.org"
+        else new_source.fetch(:url).gsub("https://", "").gsub("http://", "")
+        end
+      end
+
+      def auth_token
+        credentials.
+          select { |cred| cred["type"] == "npm_registry" }.
+          find { |cred| cred["registry"] == dependency_registry }&.
+          fetch("token")
+      end
+
+      def private_dependency_not_reachable?(npm_response)
+        # Check whether this dependency is (likely to be) private
+        if dependency_registry == "registry.npmjs.org" &&
+           !dependency.name.start_with?("@")
+          return false
+        end
+
+        [401, 403, 404].include?(npm_response.status)
+      end
+
+      def non_standard_registry?
+        dependency_registry != "registry.npmjs.org"
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.
+  register("npm_and_yarn", Dependabot::NpmAndYarn::MetadataFinder)

data/lib/dependabot/npm_and_yarn/native_helpers.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module NpmAndYarn
+    module NativeHelpers
+      def self.npm_helper_path
+        File.join(npm_helpers_dir, "bin/run.js")
+      end
+
+      def self.npm_helpers_dir
+        File.join(native_helpers_root, "npm_and_yarn/helpers/npm")
+      end
+
+      def self.yarn_helper_path
+        File.join(yarn_helpers_dir, "bin/run.js")
+      end
+
+      def self.yarn_helpers_dir
+        File.join(native_helpers_root, "npm_and_yarn/helpers/yarn")
+      end
+
+      def self.native_helpers_root
+        default_path = File.join(__dir__, "../../../..")
+        ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", default_path)
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/requirement.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+require "dependabot/utils"
+require "dependabot/npm_and_yarn/version"
+
+module Dependabot
+  module NpmAndYarn
+    class Requirement < Gem::Requirement
+      AND_SEPARATOR = /(?<=[a-zA-Z0-9*])\s+(?:&+\s+)?(?!\s*[|-])/.freeze
+      OR_SEPARATOR = /(?<=[a-zA-Z0-9*])\s*\|+/.freeze
+
+      # Override the version pattern to allow a 'v' prefix
+      quoted = OPS.keys.map { |k| Regexp.quote(k) }.join("|")
+      version_pattern = "v?#{Gem::Version::VERSION_PATTERN}"
+
+      PATTERN_RAW = "\\s*(#{quoted})?\\s*(#{version_pattern})\\s*"
+      PATTERN = /\A#{PATTERN_RAW}\z/.freeze
+
+      def self.parse(obj)
+        if obj.is_a?(Gem::Version)
+          return ["=", NpmAndYarn::Version.new(obj.to_s)]
+        end
+
+        unless (matches = PATTERN.match(obj.to_s))
+          msg = "Illformed requirement [#{obj.inspect}]"
+          raise BadRequirementError, msg
+        end
+
+        return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
+
+        [matches[1] || "=", NpmAndYarn::Version.new(matches[2])]
+      end
+
+      # Returns an array of requirements. At least one requirement from the
+      # returned array must be satisfied for a version to be valid.
+      def self.requirements_array(requirement_string)
+        return [new(nil)] if requirement_string.nil?
+
+        # Removing parentheses is technically wrong but they are extremely
+        # rarely used.
+        # TODO: Handle complicated parenthesised requirements
+        requirement_string = requirement_string.gsub(/[()]/, "")
+        requirement_string.strip.split(OR_SEPARATOR).map do |req_string|
+          requirements = req_string.strip.split(AND_SEPARATOR)
+          new(requirements)
+        end
+      end
+
+      def initialize(*requirements)
+        requirements = requirements.flatten.flat_map do |req_string|
+          convert_js_constraint_to_ruby_constraint(req_string)
+        end
+
+        super(requirements)
+      end
+
+      private
+
+      # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/CyclomaticComplexity
+      def convert_js_constraint_to_ruby_constraint(req_string)
+        return req_string if req_string.match?(/^([A-Za-uw-z]|v[^\d])/)
+
+        req_string = req_string.gsub(/(?:\.|^)[xX*]/, "")
+
+        if req_string.empty? then ">= 0"
+        elsif req_string.start_with?("~>") then req_string
+        elsif req_string.start_with?("~") then convert_tilde_req(req_string)
+        elsif req_string.start_with?("^") then convert_caret_req(req_string)
+        elsif req_string.include?(" - ") then convert_hyphen_req(req_string)
+        elsif req_string.match?(/[<>]/) then req_string
+        else ruby_range(req_string)
+        end
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/CyclomaticComplexity
+
+      def convert_tilde_req(req_string)
+        version = req_string.gsub(/^~\>?/, "")
+        parts = version.split(".")
+        parts << "0" if parts.count < 3
+        "~> #{parts.join('.')}"
+      end
+
+      def convert_hyphen_req(req_string)
+        lower_bound, upper_bound = req_string.split(/\s+-\s+/)
+        lower_bound_parts = lower_bound.split(".")
+        lower_bound_parts.fill("0", lower_bound_parts.length...3)
+
+        upper_bound_parts = upper_bound.split(".")
+        upper_bound_range =
+          if upper_bound_parts.length < 3
+            # When upper bound is a partial version treat these as an X-range
+            if upper_bound_parts[-1].to_i.positive?
+              upper_bound_parts[-1] = upper_bound_parts[-1].to_i + 1
+            end
+            upper_bound_parts.fill("0", upper_bound_parts.length...3)
+            "< #{upper_bound_parts.join('.')}.a"
+          else
+            "<= #{upper_bound_parts.join('.')}"
+          end
+
+        [">= #{lower_bound_parts.join('.')}", upper_bound_range]
+      end
+
+      def ruby_range(req_string)
+        parts = req_string.split(".")
+        # If we have three or more parts then this is an exact match
+        return req_string if parts.count >= 3
+
+        # If we have fewer than three parts we do a partial match
+        parts << "0"
+        "~> #{parts.join('.')}"
+      end
+
+      # rubocop:disable Metrics/PerceivedComplexity
+      def convert_caret_req(req_string)
+        version = req_string.gsub(/^\^/, "")
+        parts = version.split(".")
+        parts = parts.fill("x", parts.length...3)
+        first_non_zero = parts.find { |d| d != "0" }
+        first_non_zero_index =
+          first_non_zero ? parts.index(first_non_zero) : parts.count - 1
+        # If the requirement has a blank minor or patch version increment the
+        # previous index value with 1
+        first_non_zero_index -= 1 if first_non_zero == "x"
+        upper_bound = parts.map.with_index do |part, i|
+          if i < first_non_zero_index then part
+          elsif i == first_non_zero_index then (part.to_i + 1).to_s
+          elsif i > first_non_zero_index && i == 2 then "0.a"
+          else 0
+          end
+        end.join(".")
+
+        [">= #{version}", "< #{upper_bound}"]
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+    end
+  end
+end
+
+Dependabot::Utils.register_requirement_class(
+  "npm_and_yarn",
+  Dependabot::NpmAndYarn::Requirement
+)