RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.106.7 → 0.106.8 - Mend

dependabot-npm_and_yarn 0.106.7 → 0.106.8

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +19 -3
data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +7 -2
metadata +3 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c961ab7805e7dd947d46ce078c3ecf500424d56502ee1dd8e4bbef73b5f3c0c0
-  data.tar.gz: 18968e93dd6f0fc20b0cf25b567f3ae02520cdcc895ada5ef62538c5c16ad253
+  metadata.gz: 00c72f1179cc258aaef0f95b50949485a1339ac751c648d3a1bc7ec7f27c739e
+  data.tar.gz: b411e002ad634b342b5a41a59bb2b952b825a7ece6b6cbfddd4ab2580509fc69
 SHA512:
-  metadata.gz: e921541792db8831cf8e2a08352922df1dd09ddc2d46c97a1dd94e100ef1c0b0b5ff35816a2eaa0ef03d0d554030a64584be6a3f5e9a760f2e35bc5f91cc6cc2
-  data.tar.gz: 3be4f1a98ed319cb3c7e461b7555aadea0428438133669d654981a622d26d71e13c853be7219e91fc6d2218c82a82b637ae4e10b896230e44d93e3b8f9ef815c
+  metadata.gz: e22c0d535f790a504dddbfc37e44bc982a23980dd3ddab6362e8c6671ad1b35ae3a00ec15290715107e13d92e9b860548a34e6831dc05cecb2f04fd0664e497d
+  data.tar.gz: 7ed355fe57b3a89532f4121a4cd923b06b38247725bc22aa5290c66d4a70117cce7019b9ec6a402cf757779cec07ca5b96e86ee06e0dde1d70d712f7d36e84f2

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb CHANGED Viewed

@@ -49,6 +49,8 @@ module Dependabot
           /ls-remote (?:(-h -t)|(--tags --heads)) (?<url>.*)/.freeze
         FORBIDDEN_PACKAGE =
           %r{(?<package_req>[^/]+) - (Forbidden|Unauthorized)}.freeze
+        FORBIDDEN_PACKAGE_403 = %r{^403\sForbidden\s
+          -\sGET\shttps?://(?<source>[^/]+)/(?<package_req>[^/\s]+)}x.freeze
         MISSING_PACKAGE = %r{(?<package_req>[^/]+) - Not found}.freeze
         INVALID_PACKAGE = /Can't install (?<package_req>.*): Missing/.freeze
@@ -178,10 +180,15 @@ module Dependabot
             handle_missing_package(package_name, error, lockfile)
           end
-          # When the package.json doesn't include a name or version, or name
-          # has non url-friendly characters
+          # Invalid package: When the package.json doesn't include a name or
+          # version, or name has non url-friendly characters
+          # Local path error: When installing a git dependency which
+          # is using local file paths for sub-dependencies (e.g. unbuilt yarn
+          # workspace project)
+          sub_dep_local_path_error = "does not contain a package.json file"
           if error.message.match?(INVALID_PACKAGE) ||
-             error.message.start_with?("Invalid package name")
+             error.message.start_with?("Invalid package name") ||
+             error.message.include?(sub_dep_local_path_error)
             raise_resolvability_error(error, lockfile)
           end
@@ -222,6 +229,15 @@ module Dependabot
             handle_missing_package(package_name, error, lockfile)
           end
+          # Some private registries return a 403 when the user is readonly
+          if error.message.match?(FORBIDDEN_PACKAGE_403)
+            package_name =
+              error.message.match(FORBIDDEN_PACKAGE_403).
+              named_captures["package_req"].
+              gsub("%2f", "/")
+            handle_missing_package(package_name, error, lockfile)
+          end
           if error.message.match?(UNREACHABLE_GIT)
             dependency_url =
               error.message.match(UNREACHABLE_GIT).

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb CHANGED Viewed

@@ -168,8 +168,13 @@ module Dependabot
         # rubocop:disable Metrics/PerceivedComplexity
         # rubocop:disable Metrics/MethodLength
         def handle_yarn_lock_updater_error(error, yarn_lock)
-          # When the package.json doesn't include a name or version
-          if error.message.match?(INVALID_PACKAGE)
+          # Invalid package: When package.json doesn't include a name or version
+          # Local path error: When installing a git dependency which
+          # is using local file paths for sub-dependencies (e.g. unbuilt yarn
+          # workspace project)
+          sub_dep_local_path_err = "Package \"\" refers to a non-existing file"
+          if error.message.match?(INVALID_PACKAGE) ||
+             error.message.start_with?(sub_dep_local_path_err)
             raise_resolvability_error(error, yarn_lock)
           end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.106.7
+  version: 0.106.8
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.106.7
+        version: 0.106.8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.106.7
+        version: 0.106.8
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement