dependabot-npm_and_yarn 0.101.2 → 0.102.0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e065249385d5d40fa7a235a1f3eae13f38cc1e3f4da10599f195b4701cdc5421
|
4
|
+
data.tar.gz: 8e02e117d6956a77d0ee4af6f7468ea40638d3a4889cd82d84e5b2151b57b003
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7d4c25c44cc1b8e03508f635a9c74cc91930191214f42782786110b2fabc832a1c8199381eddb5832898783c770e31c31c6b210498de24a079f0c6f4b95708ee
|
7
|
+
data.tar.gz: 6e9205e22f72554828eb6c86d9ac9020c0189caed145f19abf7be4f434c6052d8512b4acab5daa247f9a2f56b06f81c4ccd8324e0688bc24d5b1ec79731cbaff
|
@@ -39,8 +39,8 @@ module Dependabot
|
|
39
39
|
def lowest_resolvable_security_fix_version
|
40
40
|
raise "Dependency not vulnerable!" unless vulnerable?
|
41
41
|
|
42
|
-
# TODO:
|
43
|
-
|
42
|
+
# TODO: Might want to check resolvability here?
|
43
|
+
latest_version_finder.lowest_security_fix_version
|
44
44
|
end
|
45
45
|
|
46
46
|
def latest_resolvable_version_with_no_unlock
|
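Review bot: `lowest_resolvable_security_fix_version` hands back `latest_version_finder.lowest_security_fix_version` with no resolvability check, so the method name promises more than the body delivers and the new TODO on line 43 leaves that gap open; a caller that builds a security update from this value can receive a version the lockfile cannot resolve, and the advisory then stays unfixed. The finder method it calls also returns nil on two paths visible in this diff (`return unless valid_npm_details?` and the flaky-registry rescue), which this method passes through silently. Until the resolvability check exists the contract should say so, e.g. `# Lowest non-vulnerable version above the current one, or nil when no fix exists or the registry is unreachable; resolvability is NOT verified yet (see TODO).` placed above the `raise`. The surrounding class continues outside the hunk.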
@@ -70,8 +70,6 @@ module Dependabot
|
|
70
70
|
RequirementsUpdater.new(
|
71
71
|
requirements: dependency.requirements,
|
72
72
|
updated_source: updated_source,
|
73
|
-
latest_version:
|
74
|
-
latest_version_details&.fetch(:version, nil)&.to_s,
|
75
73
|
latest_resolvable_version: resolvable_version,
|
76
74
|
update_strategy: requirements_update_strategy
|
77
75
|
).updated_requirements
|
@@ -112,7 +110,6 @@ module Dependabot
|
|
112
110
|
requirements: RequirementsUpdater.new(
|
113
111
|
requirements: original_dep.requirements,
|
114
112
|
updated_source: original_dep == dependency ? updated_source : nil,
|
115
|
-
latest_version: update_details[:version].to_s,
|
116
113
|
latest_resolvable_version: update_details[:version].to_s,
|
117
114
|
update_strategy: requirements_update_strategy
|
118
115
|
).updated_requirements,
|
@@ -48,6 +48,24 @@ module Dependabot
|
|
48
48
|
# our problem, so we quietly return `nil` here.
|
49
49
|
end
|
50
50
|
|
51
|
+
def lowest_security_fix_version
|
52
|
+
return unless valid_npm_details?
|
53
|
+
|
54
|
+
versions_array =
|
55
|
+
if specified_dist_tag_requirement?
|
56
|
+
[version_from_dist_tags].compact
|
57
|
+
else possible_versions
|
58
|
+
end
|
59
|
+
|
60
|
+
secure_versions = filter_vulnerable_versions(versions_array)
|
61
|
+
secure_versions = filter_lower_versions(secure_versions)
|
62
|
+
secure_versions.reverse.find { |version| !yanked?(version) }
|
63
|
+
rescue Excon::Error::Socket, Excon::Error::Timeout
|
64
|
+
raise if dependency_registry == "registry.npmjs.org"
|
65
|
+
# Sometimes custom registries are flaky. We don't want to make that
|
66
|
+
# our problem, so we quietly return `nil` here.
|
67
|
+
end
|
68
|
+
|
51
69
|
def possible_versions_with_details
|
52
70
|
npm_details.fetch("versions", {}).
|
53
71
|
reject { |_, details| details["deprecated"] }.
|
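Review bot: `secure_versions.reverse.find { |version| !yanked?(version) }` on line 62 only yields the lowest fix if `possible_versions` is sorted in descending order, which nothing in this hunk establishes; should that ordering ever change, the method would quietly return the highest fix instead of the smallest upgrade that closes the advisory. Making the order explicit costs nothing and adds no extra `yanked?` lookups: `secure_versions.sort.find { |version| !yanked?(version) }` (the version objects are already assumed Comparable by the `>` in `filter_lower_versions`). A one-line comment stating why the lowest version is preferred would also help the next reader, e.g. `# Smallest upgrade that clears every advisory; yanked versions are skipped.` Note that the method returns nil both from `return unless valid_npm_details?` and from the rescue, so callers must handle a nil result.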
@@ -70,15 +88,32 @@ module Dependabot
|
|
70
88
|
!npm_details&.fetch("dist-tags", nil).nil?
|
71
89
|
end
|
72
90
|
|
73
|
-
def filter_out_of_range_versions(
|
91
|
+
def filter_out_of_range_versions(versions_array)
|
74
92
|
reqs = dependency.requirements.map do |r|
|
75
93
|
NpmAndYarn::Requirement.requirements_array(r.fetch(:requirement))
|
76
94
|
end.compact
|
77
95
|
|
78
|
-
|
96
|
+
versions_array.
|
79
97
|
select { |v| reqs.all? { |r| r.any? { |o| o.satisfied_by?(v) } } }
|
80
98
|
end
|
81
99
|
|
100
|
+
def filter_vulnerable_versions(versions_array)
|
101
|
+
updated_versions_array = versions_array
|
102
|
+
|
103
|
+
security_advisories.each do |advisory|
|
104
|
+
updated_versions_array =
|
105
|
+
updated_versions_array.
|
106
|
+
reject { |v| advisory.vulnerable?(v) }
|
107
|
+
end
|
108
|
+
|
109
|
+
updated_versions_array
|
110
|
+
end
|
111
|
+
|
112
|
+
def filter_lower_versions(versions_array)
|
113
|
+
versions_array.
|
114
|
+
select { |version| version > version_class.new(dependency.version) }
|
115
|
+
end
|
116
|
+
|
82
117
|
def version_from_dist_tags
|
83
118
|
dist_tags = npm_details["dist-tags"].keys
|
84
119
|
|
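Review bot: `filter_lower_versions` (lines 112–115) constructs `version_class.new(dependency.version)` inside the `select` block for every candidate; hoisting it into a local, `current = version_class.new(dependency.version)` followed by `versions_array.select { |version| version > current }`, keeps the comparison cheap and makes the nil case visible — nothing in this hunk guarantees `dependency.version` is set on this path, and if it can be nil an explicit early return (or whatever policy is intended) belongs at the top of the method rather than inside a comparison. `filter_vulnerable_versions` (lines 100–110) can be the single expression `versions_array.reject { |v| security_advisories.any? { |advisory| advisory.vulnerable?(v) } }`, which reads as the rule it enforces: a version is dropped if any advisory still covers it. Both helpers are private API, so neither change affects callers.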
@@ -19,14 +19,13 @@ module Dependabot
|
|
19
19
|
%i(widen_ranges bump_versions bump_versions_if_necessary).freeze
|
20
20
|
|
21
21
|
def initialize(requirements:, updated_source:, update_strategy:,
|
22
|
-
|
22
|
+
latest_resolvable_version:)
|
23
23
|
@requirements = requirements
|
24
24
|
@updated_source = updated_source
|
25
25
|
@update_strategy = update_strategy
|
26
26
|
|
27
27
|
check_update_strategy
|
28
28
|
|
29
|
-
@latest_version = version_class.new(latest_version) if latest_version
|
30
29
|
return unless latest_resolvable_version
|
31
30
|
|
32
31
|
@latest_resolvable_version =
|
@@ -53,7 +52,7 @@ module Dependabot
|
|
53
52
|
private
|
54
53
|
|
55
54
|
attr_reader :requirements, :updated_source, :update_strategy,
|
56
|
-
:
|
55
|
+
:latest_resolvable_version
|
57
56
|
|
58
57
|
def check_update_strategy
|
59
58
|
return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.102.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.102.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.102.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: byebug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|