RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.108.4 → 0.108.5 - Mend

dependabot-npm_and_yarn 0.108.4 → 0.108.5

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +49 -42
data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +45 -38
metadata +3 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4dfcfd6a1bf61bf3550cada787d45023473f2e76493b02e4137fe284b113cb67
-  data.tar.gz: 75fa779665d17e1c2a8bd1cebf728cd5d511051ad733d024acb391100066b3fa
+  metadata.gz: 668c3a306ce8245e7f12dac315bee4fbcb0980300bddc7443d4e49c642c9a91b
+  data.tar.gz: dc043e67a5185b66d4b6959d8495bdf0bfa27dc1eb5f60b717a827e50050f33b
 SHA512:
-  metadata.gz: 6e6f04e86f95e50b051fa675ebfa0a2a89000d7aec78eef38e9b3c7234697a5a05ab4a548287b031e9c200928d187270c06ed502d4ea24c23ae4ba43c4ce8551
-  data.tar.gz: fb89212e6471903069339319a425d36667f20f337c5131cac15f46f0e9922d053da4f0ce9f74b8b78b5926dbaf053288b7af8e8f995c16b9fef834455a67da57
+  metadata.gz: 6b28a3383adab4bfb325703a2830525a63e4a090c8619e00357d584b2edf4812b70243f2cf41855e7360eeeccbdecc53ba2839a706c73d389f71ca7aaab39055
+  data.tar.gz: 512da59c8ad90c253c451350c39bd7b972a781e2adab2df84303bdc573559cb3008a4dcde8a39dd25032b01d8ccd95af46ba25692acd13865006e7ac6b02bff6

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb CHANGED Viewed

@@ -172,12 +172,13 @@ module Dependabot
         # rubocop:disable Metrics/PerceivedComplexity
         # rubocop:disable Metrics/MethodLength
         def handle_npm_updater_error(error, lockfile)
-          if error.message.match?(MISSING_PACKAGE)
-            package_name =
-              error.message.match(MISSING_PACKAGE).
-              named_captures["package_req"].
-              gsub("%2f", "/")
-            handle_missing_package(package_name, error, lockfile)
+          error_message = error.message
+          if error_message.match?(MISSING_PACKAGE)
+            package_name = error_message.match(MISSING_PACKAGE).
+                           named_captures["package_req"]
+            sanitized_name = sanitize_package_name(package_name)
+            sanitized_error = error_message.gsub(package_name, sanitized_name)
+            handle_missing_package(sanitized_name, sanitized_error, lockfile)
           end
           # Invalid package: When the package.json doesn't include a name or
@@ -186,10 +187,10 @@ module Dependabot
           # is using local file paths for sub-dependencies (e.g. unbuilt yarn
           # workspace project)
           sub_dep_local_path_error = "does not contain a package.json file"
-          if error.message.match?(INVALID_PACKAGE) ||
-             error.message.start_with?("Invalid package name") ||
-             error.message.include?(sub_dep_local_path_error)
-            raise_resolvability_error(error, lockfile)
+          if error_message.match?(INVALID_PACKAGE) ||
+             error_message.start_with?("Invalid package name") ||
+             error_message.include?(sub_dep_local_path_error)
+            raise_resolvability_error(error_message, lockfile)
           end
           # TODO: Move this logic to the version resolver and check if a new
@@ -211,36 +212,36 @@ module Dependabot
           # This happens if a new version has been published but npm is having
           # consistency issues and the version isn't fully available on all
           # queries
-          if error.message.start_with?("No matching vers") &&
-             dependencies_in_error_message?(error.message) &&
+          if error_message.start_with?("No matching vers") &&
+             dependencies_in_error_message?(error_message) &&
              resolvable_before_update?(lockfile)
             # Raise a bespoke error so we can capture and ignore it if
             # we're trying to create a new PR (which will be created
             # successfully at a later date)
-            raise Dependabot::InconsistentRegistryResponse, error.message
+            raise Dependabot::InconsistentRegistryResponse, error_message
           end
-          if error.message.match?(FORBIDDEN_PACKAGE)
-            package_name =
-              error.message.match(FORBIDDEN_PACKAGE).
-              named_captures["package_req"].
-              gsub("%2f", "/")
-            handle_missing_package(package_name, error, lockfile)
+          if error_message.match?(FORBIDDEN_PACKAGE)
+            package_name = error_message.match(FORBIDDEN_PACKAGE).
+                           named_captures["package_req"]
+            sanitized_name = sanitize_package_name(package_name)
+            sanitized_error = error_message.gsub(package_name, sanitized_name)
+            handle_missing_package(sanitized_name, sanitized_error, lockfile)
           end
           # Some private registries return a 403 when the user is readonly
-          if error.message.match?(FORBIDDEN_PACKAGE_403)
-            package_name =
-              error.message.match(FORBIDDEN_PACKAGE_403).
-              named_captures["package_req"].
-              gsub("%2f", "/")
-            handle_missing_package(package_name, error, lockfile)
+          if error_message.match?(FORBIDDEN_PACKAGE_403)
+            package_name = error_message.match(FORBIDDEN_PACKAGE_403).
+                           named_captures["package_req"]
+            sanitized_name = sanitize_package_name(package_name)
+            sanitized_error = error_message.gsub(package_name, sanitized_name)
+            handle_missing_package(sanitized_name, sanitized_error, lockfile)
           end
-          if error.message.match?(UNREACHABLE_GIT)
+          if error_message.match?(UNREACHABLE_GIT)
             dependency_url =
-              error.message.match(UNREACHABLE_GIT).
+              error_message.match(UNREACHABLE_GIT).
               named_captures.fetch("url")
             raise Dependabot::GitDependenciesNotReachable, dependency_url
@@ -253,17 +254,18 @@ module Dependabot
           # In this case we want to raise a more helpful error message asking
           # people to re-generate their lockfiles (Future feature idea: add a
           # way to click-to-fix the lockfile from the issue)
-          if error.message.include?("Cannot read property 'match' of ") &&
+          if error_message.include?("Cannot read property 'match' of ") &&
              !resolvable_before_update?(lockfile)
-            raise_missing_lockfile_version_resolvability_error(error, lockfile)
+            raise_missing_lockfile_version_resolvability_error(error_message,
+                                                               lockfile)
           end
-          if (error.message.start_with?("No matching vers", "404 Not Found") ||
-             error.message.include?("not match any file(s) known to git") ||
-             error.message.include?("Non-registry package missing package") ||
-             error.message.include?("Invalid tag name")) &&
+          if (error_message.start_with?("No matching vers", "404 Not Found") ||
+             error_message.include?("not match any file(s) known to git") ||
+             error_message.include?("Non-registry package missing package") ||
+             error_message.include?("Invalid tag name")) &&
              !resolvable_before_update?(lockfile)
-            raise_resolvability_error(error, lockfile)
+            raise_resolvability_error(error_message, lockfile)
           end
           raise error
@@ -273,14 +275,15 @@ module Dependabot
         # rubocop:enable Metrics/PerceivedComplexity
         # rubocop:enable Metrics/MethodLength
-        def raise_resolvability_error(error, lockfile)
+        def raise_resolvability_error(error_message, lockfile)
           dependency_names = dependencies.map(&:name).join(", ")
           msg = "Error whilst updating #{dependency_names} in "\
-                "#{lockfile.path}:\n#{error.message}"
+                "#{lockfile.path}:\n#{error_message}"
           raise Dependabot::DependencyFileNotResolvable, msg
         end
-        def raise_missing_lockfile_version_resolvability_error(error, lockfile)
+        def raise_missing_lockfile_version_resolvability_error(error_message,
+                                                               lockfile)
           lockfile_dir = Pathname.new(lockfile.name).dirname
           modules_path = lockfile_dir.join("node_modules")
           # Note: don't include the dependency names to prevent opening
@@ -289,7 +292,7 @@ module Dependabot
           #
           # ToDo: add an error ID to issues to make it easier to unique them
           msg = "Error whilst updating dependencies in #{lockfile.name}:\n"\
-                "#{error.message}\n\n"\
+                "#{error_message}\n\n"\
                 "It looks like your lockfile has some corrupt entries with "\
                 "missing versions and needs to be re-generated.\n"\
                 "You'll need to remove #{lockfile.name} and #{modules_path} "\
@@ -297,11 +300,11 @@ module Dependabot
           raise Dependabot::DependencyFileNotResolvable, msg
         end
-        def handle_missing_package(package_name, error, lockfile)
+        def handle_missing_package(package_name, error_message, lockfile)
           missing_dep = lockfile_dependencies(lockfile).
                         find { |dep| dep.name == package_name }
-          raise_resolvability_error(error, lockfile) unless missing_dep
+          raise_resolvability_error(error_message, lockfile) unless missing_dep
           reg = NpmAndYarn::UpdateChecker::RegistryFinder.new(
             dependency: missing_dep,
@@ -350,12 +353,12 @@ module Dependabot
             end
         end
-        def dependencies_in_error_message?(message)
+        def dependencies_in_error_message?(error_message)
           names = dependencies.map { |dep| dep.name.split("/").first }
           # Example foramt: No matching version found for
           # @dependabot/dummy-pkg-b@^1.3.0
           names.any? do |name|
-            message.match?(%r{#{Regexp.quote(name)}[\/@]})
+            error_message.match?(%r{#{Regexp.quote(name)}[\/@]})
           end
         end
@@ -567,6 +570,10 @@ module Dependabot
             gsub(%r{^\s*//.*}, " ")           # comments are not allowed
         end
+        def sanitize_package_name(package_name)
+          package_name.gsub("%2f", "/").gsub("%2F", "/")
+        end
         def package_locks
           @package_locks ||=
             dependency_files.

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb CHANGED Viewed

@@ -168,31 +168,33 @@ module Dependabot
         # rubocop:disable Metrics/PerceivedComplexity
         # rubocop:disable Metrics/MethodLength
         def handle_yarn_lock_updater_error(error, yarn_lock)
+          error_message = error.message
           # Invalid package: When package.json doesn't include a name or version
           # Local path error: When installing a git dependency which
           # is using local file paths for sub-dependencies (e.g. unbuilt yarn
           # workspace project)
           sub_dep_local_path_err = "Package \"\" refers to a non-existing file"
-          if error.message.match?(INVALID_PACKAGE) ||
-             error.message.start_with?(sub_dep_local_path_err)
-            raise_resolvability_error(error, yarn_lock)
+          if error_message.match?(INVALID_PACKAGE) ||
+             error_message.start_with?(sub_dep_local_path_err)
+            raise_resolvability_error(error_message, yarn_lock)
           end
-          if error.message.include?("Couldn't find package")
-            package_name =
-              error.message.match(/package "(?<package_req>.*?)"/).
-              named_captures["package_req"].
-              split(/(?<=\w)\@/).first.
-              gsub("%2f", "/")
-            handle_missing_package(package_name, error, yarn_lock)
+          if error_message.include?("Couldn't find package")
+            package_name = error_message.match(/package "(?<package_req>.*?)"/).
+                           named_captures["package_req"].
+                           split(/(?<=\w)\@/).first
+            sanitized_name = sanitize_package_name(package_name)
+            sanitized_error = error_message.gsub(package_name, sanitized_name)
+            handle_missing_package(sanitized_name, sanitized_error, yarn_lock)
           end
-          if error.message.match?(%r{/[^/]+: Not found})
-            package_name =
-              error.message.match(%r{/(?<package_name>[^/]+): Not found}).
-              named_captures["package_name"].
-              gsub("%2f", "/")
-            handle_missing_package(package_name, error, yarn_lock)
+          if error_message.match?(%r{/[^/]+: Not found})
+            package_name = error_message.
+                           match(%r{/(?<package_name>[^/]+): Not found}).
+                           named_captures["package_name"]
+            sanitized_name = sanitize_package_name(package_name)
+            sanitized_error = error_message.gsub(package_name, sanitized_name)
+            handle_missing_package(sanitized_name, sanitized_error, yarn_lock)
           end
           # TODO: Move this logic to the version resolver and check if a new
@@ -214,36 +216,36 @@ module Dependabot
           # This happens if a new version has been published but npm is having
           # consistency issues and the version isn't fully available on all
           # queries
-          if error.message.start_with?("Couldn't find any versions") &&
-             dependencies_in_error_message?(error.message) &&
+          if error_message.start_with?("Couldn't find any versions") &&
+             dependencies_in_error_message?(error_message) &&
              resolvable_before_update?(yarn_lock)
             # Raise a bespoke error so we can capture and ignore it if
             # we're trying to create a new PR (which will be created
             # successfully at a later date)
-            raise Dependabot::InconsistentRegistryResponse, error.message
+            raise Dependabot::InconsistentRegistryResponse, error_message
           end
-          if error.message.include?("Workspaces can only be enabled in priva")
-            raise Dependabot::DependencyFileNotEvaluatable, error.message
+          if error_message.include?("Workspaces can only be enabled in priva")
+            raise Dependabot::DependencyFileNotEvaluatable, error_message
           end
-          if error.message.match?(UNREACHABLE_GIT)
-            dependency_url = error.message.match(UNREACHABLE_GIT).
+          if error_message.match?(UNREACHABLE_GIT)
+            dependency_url = error_message.match(UNREACHABLE_GIT).
                              named_captures.fetch("url")
             raise Dependabot::GitDependenciesNotReachable, dependency_url
           end
-          if error.message.match?(TIMEOUT_FETCHING_PACKAGE)
-            handle_timeout(error.message, yarn_lock)
+          if error_message.match?(TIMEOUT_FETCHING_PACKAGE)
+            handle_timeout(error_message, yarn_lock)
           end
-          if error.message.start_with?("Couldn't find any versions") ||
-             error.message.include?(": Not found")
+          if error_message.start_with?("Couldn't find any versions") ||
+             error_message.include?(": Not found")
             unless resolvable_before_update?(yarn_lock)
-              raise_resolvability_error(error, yarn_lock)
+              raise_resolvability_error(error_message, yarn_lock)
             end
             # Dependabot has probably messed something up with the update and we
@@ -411,11 +413,11 @@ module Dependabot
             ).parse
         end
-        def handle_missing_package(package_name, error, yarn_lock)
+        def handle_missing_package(package_name, error_message, yarn_lock)
           missing_dep = lockfile_dependencies(yarn_lock).
                         find { |dep| dep.name == package_name }
-          raise_resolvability_error(error, yarn_lock) unless missing_dep
+          raise_resolvability_error(error_message, yarn_lock) unless missing_dep
           reg = NpmAndYarn::UpdateChecker::RegistryFinder.new(
             dependency: missing_dep,
@@ -439,23 +441,24 @@ module Dependabot
           end
         end
-        def raise_resolvability_error(error, yarn_lock)
+        def raise_resolvability_error(error_message, yarn_lock)
           dependency_names = dependencies.map(&:name).join(", ")
           msg = "Error whilst updating #{dependency_names} in "\
-                "#{yarn_lock.path}:\n#{error.message}"
+                "#{yarn_lock.path}:\n#{error_message}"
           raise Dependabot::DependencyFileNotResolvable, msg
         end
-        def handle_timeout(message, yarn_lock)
-          url = message.match(TIMEOUT_FETCHING_PACKAGE).named_captures["url"]
+        def handle_timeout(error_message, yarn_lock)
+          url = error_message.match(TIMEOUT_FETCHING_PACKAGE).
+                named_captures["url"]
           return if url.start_with?("https://registry.npmjs.org")
-          package_name =
-            message.match(TIMEOUT_FETCHING_PACKAGE).
-            named_captures["package"].gsub("%2f", "/").gsub("%2F", "/")
+          package_name = error_message.match(TIMEOUT_FETCHING_PACKAGE).
+                         named_captures["package"]
+          sanitized_name = sanitize_package_name(package_name)
           dep = lockfile_dependencies(yarn_lock).
-                find { |d| d.name == package_name }
+                find { |d| d.name == sanitized_name }
           return unless dep
           raise PrivateSourceTimedOut, url.gsub(%r{https?://}, "")
@@ -493,6 +496,10 @@ module Dependabot
           json.to_json
         end
+        def sanitize_package_name(package_name)
+          package_name.gsub("%2f", "/").gsub("%2F", "/")
+        end
         def yarn_locks
           @yarn_locks ||=
             dependency_files.

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.108.4
+  version: 0.108.5
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.108.4
+        version: 0.108.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.108.4
+        version: 0.108.5
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement