RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.95.38 → 0.95.39 - Mend

dependabot-npm_and_yarn 0.95.38 → 0.95.39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

checksums.yaml +4 -4
data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +9 -5
metadata +3 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 43000948df07f8f5e73901ba2642157ccd9ff445f0afc57e49068341eb02b5ab
-  data.tar.gz: 9ccf2c58473dfe18f77297f815ca8222a1173afcd4a8bcbe0a962806cc93a2d5
+  metadata.gz: 2290921443159d73086ecbdba38e96c95c5974e920898bdb3db6eb954ee0749d
+  data.tar.gz: 1b6c37363bc74eb6fc897fc8d8383215a417e0f74360e51cbcccb0443c44cbbc
 SHA512:
-  metadata.gz: 9ce89b2ffd6a64c02f61a295b1e63b2f1be78ea18df634126b71976229eea355f0d1bf35748f8fd9f2e55fc896307161dc18e34d20965d6e8fe10d2aa8e907ab
-  data.tar.gz: 2e77e3a0688ebe8e009a3e58ade91f2415e4170f9aadf14c7a26af45b947ba92a81d4da3a25f3d39be9bf2c1ad42bf13b8bf7a0942524553504ba3acdf9f9964
+  metadata.gz: a6c304fab965e69f111505f9319a2392d6f9db0086b240e3804aa6f845dec72e60844483116e4ec3c2c4d61890f1dd6285aeb37414a40d5b7acc453669adb23c
+  data.tar.gz: c74472ed4161591d84c959d1a9b18902b06844e812ae603a0a345e2107ed9721bc254ff056a0f30ec93a7ce9c3afbca33f66796c38dcf07962df2ffa4feb3ede

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb CHANGED Viewed

@@ -465,11 +465,15 @@ module Dependabot
           # Switch from details back for git dependencies (they will have
           # changed because we locked them)
           git_dependencies_to_lock.each do |_, details|
-            next unless details[:from]
-            new_r = /"from": "#{Regexp.quote(details[:from])}#[^\"]+"/
-            old_r = %("from": "#{details[:from]}")
-            updated_content = updated_content.gsub(new_r, old_r)
+            next unless details[:version] && details[:from]
+            # When locking git dependencies in package.json we set the version
+            # to be the git commit from the lockfile "version" field which
+            # updates the lockfile "from" field to the new git commit when we
+            # run npm install
+            locked_from = %("from": "#{details[:version]}")
+            original_from = %("from": "#{details[:from]}")
+            updated_content = updated_content.gsub(locked_from, original_from)
           end
           # Switch back the protocol of tarball resolutions if they've changed

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.95.38
+  version: 0.95.39
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.95.38
+        version: 0.95.39
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.95.38
+        version: 0.95.39
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement