dependabot-npm_and_yarn 0.98.61 → 0.98.62
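--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 35656968fb496f5e4b9ec72d78970c3d0a8addb4d6624547f8ec6a89b4ae0734
+data.tar.gz: f1189c0cbd576af29732e5615ebbaed52930002f459856751e3f05c53885a7b3
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 03c31a5046a551135cf9e56306e67c220314fb6f92a6551c242ded15f64b929618e963c33bb17762f35538eb417ca573631556c054912364438ba3920802ea34
+data.tar.gz: 6649977e4451edf84fb55afdb8f427c5807b7a17aeab841a09af53855360de743f9053fc74c92e234a6e22a4d2277800e0f0435513bba5c669e8117538d42f9f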
@@ -93,21 +93,23 @@ module Dependabot
|
|
|
93
93
|
def build_dependency(file:, type:, name:, requirement:)
|
|
94
94
|
lockfile_details = lockfile_parser.lockfile_details(
|
|
95
95
|
dependency_name: name,
|
|
96
|
-
requirement: requirement
|
|
96
|
+
requirement: requirement,
|
|
97
|
+
manifest_name: file.name
|
|
97
98
|
)
|
|
98
|
-
|
|
99
|
+
version = version_for(name, requirement, file.name)
|
|
100
|
+
return if lockfile_details && !version
|
|
99
101
|
return if ignore_requirement?(requirement)
|
|
100
102
|
return if workspace_package_names.include?(name)
|
|
101
103
|
|
|
102
104
|
Dependency.new(
|
|
103
105
|
name: name,
|
|
104
|
-
version:
|
|
106
|
+
version: version,
|
|
105
107
|
package_manager: "npm_and_yarn",
|
|
106
108
|
requirements: [{
|
|
107
109
|
requirement: requirement_for(requirement),
|
|
108
110
|
file: file.name,
|
|
109
111
|
groups: [type],
|
|
110
|
-
source: source_for(name, requirement)
|
|
112
|
+
source: source_for(name, requirement, file.name)
|
|
111
113
|
}]
|
|
112
114
|
)
|
|
113
115
|
end
|
|
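Review bot: The new guard `return if lockfile_details && !version` runs `version_for` — which goes through `lockfile_parser.lockfile_details` and therefore lockfile parsing — before the cheap `ignore_requirement?` and `workspace_package_names` checks on the following two lines, so ignored and workspace dependencies now pay for a lockfile lookup whose result is thrown away. Moving `return if ignore_requirement?(requirement)` and `return if workspace_package_names.include?(name)` above `version = version_for(name, requirement, file.name)` yields the same result with less work. Within this method `lockfile_details`, `version_for` and `source_for` each call `lockfile_parser.lockfile_details` for the same dependency; unless `parse_package_lock`/`parse_yarn_lock` are memoized (not visible in this diff) that is three parses per dependency. `lockfile_details` is now used only for its truthiness, which deserves a comment above the guard such as `# Skip a dependency that is present in the lockfile but whose version cannot be resolved`.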
@@ -151,26 +153,27 @@ module Dependabot
|
|
|
151
153
|
package_files.map { |f| JSON.parse(f.content)["name"] }.compact
|
|
152
154
|
end
|
|
153
155
|
|
|
154
|
-
def version_for(name, requirement)
|
|
156
|
+
def version_for(name, requirement, manifest_name)
|
|
155
157
|
if git_url_with_semver?(requirement)
|
|
156
|
-
semver_version = semver_version_for(name, requirement)
|
|
158
|
+
semver_version = semver_version_for(name, requirement, manifest_name)
|
|
157
159
|
return semver_version if semver_version
|
|
158
160
|
|
|
159
|
-
git_revision = git_revision_for(name, requirement)
|
|
161
|
+
git_revision = git_revision_for(name, requirement, manifest_name)
|
|
160
162
|
version_from_git_revision(requirement, git_revision) || git_revision
|
|
161
163
|
elsif git_url?(requirement)
|
|
162
|
-
git_revision_for(name, requirement)
|
|
164
|
+
git_revision_for(name, requirement, manifest_name)
|
|
163
165
|
else
|
|
164
|
-
semver_version_for(name, requirement)
|
|
166
|
+
semver_version_for(name, requirement, manifest_name)
|
|
165
167
|
end
|
|
166
168
|
end
|
|
167
169
|
|
|
168
|
-
def git_revision_for(name, requirement)
|
|
170
|
+
def git_revision_for(name, requirement, manifest_name)
|
|
169
171
|
return unless git_url?(requirement)
|
|
170
172
|
|
|
171
173
|
lockfile_details = lockfile_parser.lockfile_details(
|
|
172
174
|
dependency_name: name,
|
|
173
|
-
requirement: requirement
|
|
175
|
+
requirement: requirement,
|
|
176
|
+
manifest_name: manifest_name
|
|
174
177
|
)
|
|
175
178
|
lock_version = lockfile_details&.fetch("version", nil)
|
|
176
179
|
lock_res = lockfile_details&.fetch("resolved", nil)
|
|
@@ -208,10 +211,11 @@ module Dependabot
|
|
|
208
211
|
nil
|
|
209
212
|
end
|
|
210
213
|
|
|
211
|
-
def semver_version_for(name, requirement)
|
|
214
|
+
def semver_version_for(name, requirement, manifest_name)
|
|
212
215
|
lock_version = lockfile_parser.lockfile_details(
|
|
213
216
|
dependency_name: name,
|
|
214
|
-
requirement: requirement
|
|
217
|
+
requirement: requirement,
|
|
218
|
+
manifest_name: manifest_name
|
|
215
219
|
)&.fetch("version", nil)
|
|
216
220
|
|
|
217
221
|
return unless lock_version
|
|
@@ -223,12 +227,13 @@ module Dependabot
|
|
|
223
227
|
lock_version
|
|
224
228
|
end
|
|
225
229
|
|
|
226
|
-
def source_for(name, requirement)
|
|
230
|
+
def source_for(name, requirement, manifest_name)
|
|
227
231
|
return git_source_for(requirement) if git_url?(requirement)
|
|
228
232
|
|
|
229
233
|
resolved_url = lockfile_parser.lockfile_details(
|
|
230
234
|
dependency_name: name,
|
|
231
|
-
requirement: requirement
|
|
235
|
+
requirement: requirement,
|
|
236
|
+
manifest_name: manifest_name
|
|
232
237
|
)&.fetch("resolved", nil)
|
|
233
238
|
|
|
234
239
|
return unless resolved_url
|
|
@@ -19,32 +19,28 @@ module Dependabot
|
|
|
19
19
|
dependency_set.dependencies
|
|
20
20
|
end
|
|
21
21
|
|
|
22
|
-
def lockfile_details(dependency_name:, requirement:)
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
find do |k, _|
|
|
45
|
-
k.split(/(?<=\w)\@/)[1..-1].join("@") == requirement
|
|
46
|
-
end&.
|
|
47
|
-
last
|
|
22
|
+
def lockfile_details(dependency_name:, requirement:, manifest_name:)
|
|
23
|
+
potential_lockfiles_for_manifest(manifest_name).each do |lockfile|
|
|
24
|
+
details =
|
|
25
|
+
if [*package_locks, *shrinkwraps].include?(lockfile)
|
|
26
|
+
parsed_lockfile = parse_package_lock(lockfile)
|
|
27
|
+
parsed_lockfile.dig("dependencies", dependency_name)
|
|
28
|
+
else
|
|
29
|
+
parsed_yarn_lock = parse_yarn_lock(lockfile)
|
|
30
|
+
details_candidates =
|
|
31
|
+
parsed_yarn_lock.
|
|
32
|
+
select { |k, _| k.split(/(?<=\w)\@/)[0] == dependency_name }
|
|
33
|
+
|
|
34
|
+
# If there's only one entry for this dependency, use it, even if
|
|
35
|
+
# the requirement in the lockfile doesn't match
|
|
36
|
+
if details_candidates.one?
|
|
37
|
+
details_candidates.first.last
|
|
38
|
+
else
|
|
39
|
+
details_candidates.find do |k, _|
|
|
40
|
+
k.split(/(?<=\w)\@/)[1..-1].join("@") == requirement
|
|
41
|
+
end&.last
|
|
42
|
+
end
|
|
43
|
+
end
|
|
48
44
|
|
|
49
45
|
return details if details
|
|
50
46
|
end
|
|
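Review bot: The single-candidate shortcut at new lines 36–37 (`if details_candidates.one?` then `details_candidates.first.last`) deliberately returns a yarn.lock entry whose requirement differs from the manifest's, and because the candidate list comes from `potential_lockfiles_for_manifest` (defined outside this hunk) with the root lockfiles as a fallback, a nested manifest's dependency can be attributed the root lockfile's `version` and `resolved` entry for a different requirement whenever the nearest lockfile has no entry for that name. If that is acceptable, the existing comment should say so explicitly, e.g. `# NOTE: a sole entry is used even from a fall-back lockfile, so its requirement may differ from this manifest's`; otherwise consider restricting the shortcut to the first lockfile in the list. `parse_package_lock(lockfile)` and `parse_yarn_lock(lockfile)` are also invoked inside the per-dependency `each`, so without memoization every dependency re-parses each candidate lockfile. The method's own `end` and its nil return for the no-match case lie outside the hunk.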
@@ -56,6 +52,19 @@ module Dependabot
|
|
|
56
52
|
|
|
57
53
|
attr_reader :dependency_files
|
|
58
54
|
|
|
55
|
+
def potential_lockfiles_for_manifest(manifest_filename)
|
|
56
|
+
dir_name = File.dirname(manifest_filename)
|
|
57
|
+
possible_lockfile_names =
|
|
58
|
+
%w(package-lock.json npm-shrinkwrap.json yarn.lock).map do |f|
|
|
59
|
+
Pathname.new(File.join(dir_name, f)).cleanpath.to_path
|
|
60
|
+
end +
|
|
61
|
+
%w(yarn.lock package-lock.json npm-shrinkwrap.json)
|
|
62
|
+
|
|
63
|
+
possible_lockfile_names.uniq.
|
|
64
|
+
map { |nm| dependency_files.find { |f| f.name == nm } }.
|
|
65
|
+
compact
|
|
66
|
+
end
|
|
67
|
+
|
|
59
68
|
def yarn_lock_dependencies
|
|
60
69
|
dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
|
|
61
70
|
|
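Review bot: `potential_lockfiles_for_manifest` ranks the manifest directory's lockfiles as package-lock.json, npm-shrinkwrap.json, yarn.lock but the root fallback as yarn.lock, package-lock.json, npm-shrinkwrap.json, so which lockfile answers first depends on whether the manifest is nested — presumably unintentional. Using the same `%w(...)` order in both lists, or a comment explaining why they differ, would make the precedence explicit. The lookup also consults only the manifest's own directory and the repository root, never intermediate ancestor directories; if that is by design a one-line comment such as `# Only the manifest's own directory and the repo root are searched for lockfiles` saves the next reader the question. Note that for a root manifest `File.dirname` yields `.` and `cleanpath` collapses `./yarn.lock` to `yarn.lock`, which is what makes the trailing `uniq` necessary.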
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.98.
|
|
4
|
+
version: 0.98.62
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.98.
|
|
19
|
+
version: 0.98.62
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.98.
|
|
26
|
+
version: 0.98.62
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|