dependabot-npm_and_yarn 0.108.16 → 0.108.17
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e525d81bf0de3ab994798a2b25d30afe6f6d7cb4465118d8520b4f3071025fe1
|
4
|
+
data.tar.gz: 8f362917f008bed4459024b5ed7d503b190503d6315e936babbd935ccb3aacd7
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0af34c73b4f6a6afac2013549bf158ae2261b9a44d37a0218cc52b163b0e8769498b6062cd55f25cb9c070bbc841db3f0a203642ece5449ac995a97d7f696362
|
7
|
+
data.tar.gz: bcc87e805f58d4054fe33e33b3cc232ff51d7d8def12f57e9966841ad56b786a6260970e6b6aebc988d1adac451e618d0832226b80d741509341b3885f2259ab
|
@@ -128,13 +128,20 @@ module Dependabot
|
|
128
128
|
fetch("dependencies", {}).each do |name, details|
|
129
129
|
next unless semver_version_for(details["version"])
|
130
130
|
|
131
|
-
|
131
|
+
dependency_args = {
|
132
132
|
name: name,
|
133
133
|
version: semver_version_for(details["version"]),
|
134
134
|
package_manager: "npm_and_yarn",
|
135
135
|
requirements: []
|
136
|
-
|
136
|
+
}
|
137
|
+
|
138
|
+
if details["bundled"]
|
139
|
+
dependency_args[:subdependency_metadata] = {
|
140
|
+
npm_bundled: details["bundled"]
|
141
|
+
}
|
142
|
+
end
|
137
143
|
|
144
|
+
dependency_set << Dependency.new(dependency_args)
|
138
145
|
dependency_set += recursively_fetch_npm_lock_dependencies(details)
|
139
146
|
end
|
140
147
|
|
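Review bot: `semver_version_for(details["version"])` is evaluated twice in the new block, once in the `next unless` guard just above it and again for `version:`, so the parsed version should be hoisted into a local: `version = semver_version_for(details["version"])`, `next unless version`, `version: version,`. Separately, `npm_bundled: details["bundled"]` stores the raw lockfile value rather than a boolean; since the `if details["bundled"]` branch has already established truthiness, `npm_bundled: true` would keep the consumer's `bundled_dependency?` a strict predicate whatever the lockfile happens to contain, assuming a boolean is all the consumer needs. The enclosing `each` block and its method start and end outside the hunk.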
@@ -26,6 +26,7 @@ module Dependabot
|
|
26
26
|
|
27
27
|
def latest_resolvable_version
|
28
28
|
raise "Not a subdependency!" if dependency.requirements.any?
|
29
|
+
return if bundled_dependency?
|
29
30
|
|
30
31
|
SharedHelpers.in_a_temporary_directory do
|
31
32
|
write_temporary_dependency_files
|
@@ -214,6 +215,26 @@ module Dependabot
|
|
214
215
|
dependency_files.
|
215
216
|
select { |f| f.name.end_with?("package.json") }
|
216
217
|
end
|
218
|
+
|
219
|
+
# TODO: We should try and fix this by updating the parent that's not
|
220
|
+
# bundled. For this case: `chokidar > fsevents > node-pre-gyp > tar` we
|
221
|
+
# would need to update `fsevents`
|
222
|
+
#
|
223
|
+
# We shouldn't update bundled sub-dependencies as they have been bundled
|
224
|
+
# into the release at an exact version by a parent using
|
225
|
+
# `bundledDependencies`.
|
226
|
+
#
|
227
|
+
# For example, fsevents < 2 bundles node-pre-gyp meaning all it's
|
228
|
+
# sub-dependnecies get bundled into the release tarball at publish time
|
229
|
+
# so you always get the same sub-dependency versions if you re-install a
|
230
|
+
# specific version of fsevents.
|
231
|
+
#
|
232
|
+
# Updating the sub-dependency by deleting the entry works but it gets
|
233
|
+
# removed from the bundled set of dependencies and moved top level
|
234
|
+
# resulting in a bunch of package duplication which is pretty confusing.
|
235
|
+
def bundled_dependency?
|
236
|
+
dependency.subdependency_metadata&.fetch(:npm_bundled, false) || false
|
237
|
+
end
|
217
238
|
end
|
218
239
|
end
|
219
240
|
end
|
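Review bot: `bundled_dependency?` looks `:npm_bundled` up as a Symbol, so it only works while `subdependency_metadata` reaches this class as the Hash the parser built; if that hash is ever round-tripped through JSON or otherwise string-keyed, the `fetch` default silently yields `false` and the new `return if bundled_dependency?` guard in `latest_resolvable_version` no longer fires. A one-line comment above the method stating that the key is expected to be a Symbol, or a lookup that tolerates both (`meta = dependency.subdependency_metadata`, `meta&.fetch(:npm_bundled, nil) || meta&.fetch("npm_bundled", false) || false`), would make that contract explicit. The added comment block also carries two typos worth fixing: `sub-dependnecies` → `sub-dependencies` and `all it's` → `all its`. The guard makes `latest_resolvable_version` return nil for a bundled dependency; the callers that interpret nil are outside the hunk, so this presumably reads as "no update available" and could be stated in a comment on that line.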
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.108.
|
4
|
+
version: 0.108.17
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.108.
|
19
|
+
version: 0.108.17
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.108.
|
26
|
+
version: 0.108.17
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: byebug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|