dependabot-npm_and_yarn 0.108.4 → 0.108.5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 668c3a306ce8245e7f12dac315bee4fbcb0980300bddc7443d4e49c642c9a91b
|
4
|
+
data.tar.gz: dc043e67a5185b66d4b6959d8495bdf0bfa27dc1eb5f60b717a827e50050f33b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6b28a3383adab4bfb325703a2830525a63e4a090c8619e00357d584b2edf4812b70243f2cf41855e7360eeeccbdecc53ba2839a706c73d389f71ca7aaab39055
|
7
|
+
data.tar.gz: 512da59c8ad90c253c451350c39bd7b972a781e2adab2df84303bdc573559cb3008a4dcde8a39dd25032b01d8ccd95af46ba25692acd13865006e7ac6b02bff6
|
@@ -172,12 +172,13 @@ module Dependabot
|
|
172
172
|
# rubocop:disable Metrics/PerceivedComplexity
|
173
173
|
# rubocop:disable Metrics/MethodLength
|
174
174
|
def handle_npm_updater_error(error, lockfile)
|
175
|
-
|
176
|
-
|
177
|
-
|
178
|
-
|
179
|
-
|
180
|
-
|
175
|
+
error_message = error.message
|
176
|
+
if error_message.match?(MISSING_PACKAGE)
|
177
|
+
package_name = error_message.match(MISSING_PACKAGE).
|
178
|
+
named_captures["package_req"]
|
179
|
+
sanitized_name = sanitize_package_name(package_name)
|
180
|
+
sanitized_error = error_message.gsub(package_name, sanitized_name)
|
181
|
+
handle_missing_package(sanitized_name, sanitized_error, lockfile)
|
181
182
|
end
|
182
183
|
|
183
184
|
# Invalid package: When the package.json doesn't include a name or
|
@@ -186,10 +187,10 @@ module Dependabot
|
|
186
187
|
# is using local file paths for sub-dependencies (e.g. unbuilt yarn
|
187
188
|
# workspace project)
|
188
189
|
sub_dep_local_path_error = "does not contain a package.json file"
|
189
|
-
if
|
190
|
-
|
191
|
-
|
192
|
-
raise_resolvability_error(
|
190
|
+
if error_message.match?(INVALID_PACKAGE) ||
|
191
|
+
error_message.start_with?("Invalid package name") ||
|
192
|
+
error_message.include?(sub_dep_local_path_error)
|
193
|
+
raise_resolvability_error(error_message, lockfile)
|
193
194
|
end
|
194
195
|
|
195
196
|
# TODO: Move this logic to the version resolver and check if a new
|
@@ -211,36 +212,36 @@ module Dependabot
|
|
211
212
|
# This happens if a new version has been published but npm is having
|
212
213
|
# consistency issues and the version isn't fully available on all
|
213
214
|
# queries
|
214
|
-
if
|
215
|
-
dependencies_in_error_message?(
|
215
|
+
if error_message.start_with?("No matching vers") &&
|
216
|
+
dependencies_in_error_message?(error_message) &&
|
216
217
|
resolvable_before_update?(lockfile)
|
217
218
|
|
218
219
|
# Raise a bespoke error so we can capture and ignore it if
|
219
220
|
# we're trying to create a new PR (which will be created
|
220
221
|
# successfully at a later date)
|
221
|
-
raise Dependabot::InconsistentRegistryResponse,
|
222
|
+
raise Dependabot::InconsistentRegistryResponse, error_message
|
222
223
|
end
|
223
224
|
|
224
|
-
if
|
225
|
-
package_name =
|
226
|
-
|
227
|
-
|
228
|
-
|
229
|
-
handle_missing_package(
|
225
|
+
if error_message.match?(FORBIDDEN_PACKAGE)
|
226
|
+
package_name = error_message.match(FORBIDDEN_PACKAGE).
|
227
|
+
named_captures["package_req"]
|
228
|
+
sanitized_name = sanitize_package_name(package_name)
|
229
|
+
sanitized_error = error_message.gsub(package_name, sanitized_name)
|
230
|
+
handle_missing_package(sanitized_name, sanitized_error, lockfile)
|
230
231
|
end
|
231
232
|
|
232
233
|
# Some private registries return a 403 when the user is readonly
|
233
|
-
if
|
234
|
-
package_name =
|
235
|
-
|
236
|
-
|
237
|
-
|
238
|
-
handle_missing_package(
|
234
|
+
if error_message.match?(FORBIDDEN_PACKAGE_403)
|
235
|
+
package_name = error_message.match(FORBIDDEN_PACKAGE_403).
|
236
|
+
named_captures["package_req"]
|
237
|
+
sanitized_name = sanitize_package_name(package_name)
|
238
|
+
sanitized_error = error_message.gsub(package_name, sanitized_name)
|
239
|
+
handle_missing_package(sanitized_name, sanitized_error, lockfile)
|
239
240
|
end
|
240
241
|
|
241
|
-
if
|
242
|
+
if error_message.match?(UNREACHABLE_GIT)
|
242
243
|
dependency_url =
|
243
|
-
|
244
|
+
error_message.match(UNREACHABLE_GIT).
|
244
245
|
named_captures.fetch("url")
|
245
246
|
|
246
247
|
raise Dependabot::GitDependenciesNotReachable, dependency_url
|
@@ -253,17 +254,18 @@ module Dependabot
|
|
253
254
|
# In this case we want to raise a more helpful error message asking
|
254
255
|
# people to re-generate their lockfiles (Future feature idea: add a
|
255
256
|
# way to click-to-fix the lockfile from the issue)
|
256
|
-
if
|
257
|
+
if error_message.include?("Cannot read property 'match' of ") &&
|
257
258
|
!resolvable_before_update?(lockfile)
|
258
|
-
raise_missing_lockfile_version_resolvability_error(
|
259
|
+
raise_missing_lockfile_version_resolvability_error(error_message,
|
260
|
+
lockfile)
|
259
261
|
end
|
260
262
|
|
261
|
-
if (
|
262
|
-
|
263
|
-
|
264
|
-
|
263
|
+
if (error_message.start_with?("No matching vers", "404 Not Found") ||
|
264
|
+
error_message.include?("not match any file(s) known to git") ||
|
265
|
+
error_message.include?("Non-registry package missing package") ||
|
266
|
+
error_message.include?("Invalid tag name")) &&
|
265
267
|
!resolvable_before_update?(lockfile)
|
266
|
-
raise_resolvability_error(
|
268
|
+
raise_resolvability_error(error_message, lockfile)
|
267
269
|
end
|
268
270
|
|
269
271
|
raise error
|
@@ -273,14 +275,15 @@ module Dependabot
|
|
273
275
|
# rubocop:enable Metrics/PerceivedComplexity
|
274
276
|
# rubocop:enable Metrics/MethodLength
|
275
277
|
|
276
|
-
def raise_resolvability_error(
|
278
|
+
def raise_resolvability_error(error_message, lockfile)
|
277
279
|
dependency_names = dependencies.map(&:name).join(", ")
|
278
280
|
msg = "Error whilst updating #{dependency_names} in "\
|
279
|
-
"#{lockfile.path}:\n#{
|
281
|
+
"#{lockfile.path}:\n#{error_message}"
|
280
282
|
raise Dependabot::DependencyFileNotResolvable, msg
|
281
283
|
end
|
282
284
|
|
283
|
-
def raise_missing_lockfile_version_resolvability_error(
|
285
|
+
def raise_missing_lockfile_version_resolvability_error(error_message,
|
286
|
+
lockfile)
|
284
287
|
lockfile_dir = Pathname.new(lockfile.name).dirname
|
285
288
|
modules_path = lockfile_dir.join("node_modules")
|
286
289
|
# Note: don't include the dependency names to prevent opening
|
@@ -289,7 +292,7 @@ module Dependabot
|
|
289
292
|
#
|
290
293
|
# ToDo: add an error ID to issues to make it easier to unique them
|
291
294
|
msg = "Error whilst updating dependencies in #{lockfile.name}:\n"\
|
292
|
-
"#{
|
295
|
+
"#{error_message}\n\n"\
|
293
296
|
"It looks like your lockfile has some corrupt entries with "\
|
294
297
|
"missing versions and needs to be re-generated.\n"\
|
295
298
|
"You'll need to remove #{lockfile.name} and #{modules_path} "\
|
@@ -297,11 +300,11 @@ module Dependabot
|
|
297
300
|
raise Dependabot::DependencyFileNotResolvable, msg
|
298
301
|
end
|
299
302
|
|
300
|
-
def handle_missing_package(package_name,
|
303
|
+
def handle_missing_package(package_name, error_message, lockfile)
|
301
304
|
missing_dep = lockfile_dependencies(lockfile).
|
302
305
|
find { |dep| dep.name == package_name }
|
303
306
|
|
304
|
-
raise_resolvability_error(
|
307
|
+
raise_resolvability_error(error_message, lockfile) unless missing_dep
|
305
308
|
|
306
309
|
reg = NpmAndYarn::UpdateChecker::RegistryFinder.new(
|
307
310
|
dependency: missing_dep,
|
@@ -350,12 +353,12 @@ module Dependabot
|
|
350
353
|
end
|
351
354
|
end
|
352
355
|
|
353
|
-
def dependencies_in_error_message?(
|
356
|
+
def dependencies_in_error_message?(error_message)
|
354
357
|
names = dependencies.map { |dep| dep.name.split("/").first }
|
355
358
|
# Example foramt: No matching version found for
|
356
359
|
# @dependabot/dummy-pkg-b@^1.3.0
|
357
360
|
names.any? do |name|
|
358
|
-
|
361
|
+
error_message.match?(%r{#{Regexp.quote(name)}[\/@]})
|
359
362
|
end
|
360
363
|
end
|
361
364
|
|
@@ -567,6 +570,10 @@ module Dependabot
|
|
567
570
|
gsub(%r{^\s*//.*}, " ") # comments are not allowed
|
568
571
|
end
|
569
572
|
|
573
|
+
def sanitize_package_name(package_name)
|
574
|
+
package_name.gsub("%2f", "/").gsub("%2F", "/")
|
575
|
+
end
|
576
|
+
|
570
577
|
def package_locks
|
571
578
|
@package_locks ||=
|
572
579
|
dependency_files.
|
@@ -168,31 +168,33 @@ module Dependabot
|
|
168
168
|
# rubocop:disable Metrics/PerceivedComplexity
|
169
169
|
# rubocop:disable Metrics/MethodLength
|
170
170
|
def handle_yarn_lock_updater_error(error, yarn_lock)
|
171
|
+
error_message = error.message
|
171
172
|
# Invalid package: When package.json doesn't include a name or version
|
172
173
|
# Local path error: When installing a git dependency which
|
173
174
|
# is using local file paths for sub-dependencies (e.g. unbuilt yarn
|
174
175
|
# workspace project)
|
175
176
|
sub_dep_local_path_err = "Package \"\" refers to a non-existing file"
|
176
|
-
if
|
177
|
-
|
178
|
-
raise_resolvability_error(
|
177
|
+
if error_message.match?(INVALID_PACKAGE) ||
|
178
|
+
error_message.start_with?(sub_dep_local_path_err)
|
179
|
+
raise_resolvability_error(error_message, yarn_lock)
|
179
180
|
end
|
180
181
|
|
181
|
-
if
|
182
|
-
package_name =
|
183
|
-
|
184
|
-
|
185
|
-
|
186
|
-
|
187
|
-
handle_missing_package(
|
182
|
+
if error_message.include?("Couldn't find package")
|
183
|
+
package_name = error_message.match(/package "(?<package_req>.*?)"/).
|
184
|
+
named_captures["package_req"].
|
185
|
+
split(/(?<=\w)\@/).first
|
186
|
+
sanitized_name = sanitize_package_name(package_name)
|
187
|
+
sanitized_error = error_message.gsub(package_name, sanitized_name)
|
188
|
+
handle_missing_package(sanitized_name, sanitized_error, yarn_lock)
|
188
189
|
end
|
189
190
|
|
190
|
-
if
|
191
|
-
package_name =
|
192
|
-
|
193
|
-
|
194
|
-
|
195
|
-
|
191
|
+
if error_message.match?(%r{/[^/]+: Not found})
|
192
|
+
package_name = error_message.
|
193
|
+
match(%r{/(?<package_name>[^/]+): Not found}).
|
194
|
+
named_captures["package_name"]
|
195
|
+
sanitized_name = sanitize_package_name(package_name)
|
196
|
+
sanitized_error = error_message.gsub(package_name, sanitized_name)
|
197
|
+
handle_missing_package(sanitized_name, sanitized_error, yarn_lock)
|
196
198
|
end
|
197
199
|
|
198
200
|
# TODO: Move this logic to the version resolver and check if a new
|
@@ -214,36 +216,36 @@ module Dependabot
|
|
214
216
|
# This happens if a new version has been published but npm is having
|
215
217
|
# consistency issues and the version isn't fully available on all
|
216
218
|
# queries
|
217
|
-
if
|
218
|
-
dependencies_in_error_message?(
|
219
|
+
if error_message.start_with?("Couldn't find any versions") &&
|
220
|
+
dependencies_in_error_message?(error_message) &&
|
219
221
|
resolvable_before_update?(yarn_lock)
|
220
222
|
|
221
223
|
# Raise a bespoke error so we can capture and ignore it if
|
222
224
|
# we're trying to create a new PR (which will be created
|
223
225
|
# successfully at a later date)
|
224
|
-
raise Dependabot::InconsistentRegistryResponse,
|
226
|
+
raise Dependabot::InconsistentRegistryResponse, error_message
|
225
227
|
end
|
226
228
|
|
227
|
-
if
|
228
|
-
raise Dependabot::DependencyFileNotEvaluatable,
|
229
|
+
if error_message.include?("Workspaces can only be enabled in priva")
|
230
|
+
raise Dependabot::DependencyFileNotEvaluatable, error_message
|
229
231
|
end
|
230
232
|
|
231
|
-
if
|
232
|
-
dependency_url =
|
233
|
+
if error_message.match?(UNREACHABLE_GIT)
|
234
|
+
dependency_url = error_message.match(UNREACHABLE_GIT).
|
233
235
|
named_captures.fetch("url")
|
234
236
|
|
235
237
|
raise Dependabot::GitDependenciesNotReachable, dependency_url
|
236
238
|
end
|
237
239
|
|
238
|
-
if
|
239
|
-
handle_timeout(
|
240
|
+
if error_message.match?(TIMEOUT_FETCHING_PACKAGE)
|
241
|
+
handle_timeout(error_message, yarn_lock)
|
240
242
|
end
|
241
243
|
|
242
|
-
if
|
243
|
-
|
244
|
+
if error_message.start_with?("Couldn't find any versions") ||
|
245
|
+
error_message.include?(": Not found")
|
244
246
|
|
245
247
|
unless resolvable_before_update?(yarn_lock)
|
246
|
-
raise_resolvability_error(
|
248
|
+
raise_resolvability_error(error_message, yarn_lock)
|
247
249
|
end
|
248
250
|
|
249
251
|
# Dependabot has probably messed something up with the update and we
|
@@ -411,11 +413,11 @@ module Dependabot
|
|
411
413
|
).parse
|
412
414
|
end
|
413
415
|
|
414
|
-
def handle_missing_package(package_name,
|
416
|
+
def handle_missing_package(package_name, error_message, yarn_lock)
|
415
417
|
missing_dep = lockfile_dependencies(yarn_lock).
|
416
418
|
find { |dep| dep.name == package_name }
|
417
419
|
|
418
|
-
raise_resolvability_error(
|
420
|
+
raise_resolvability_error(error_message, yarn_lock) unless missing_dep
|
419
421
|
|
420
422
|
reg = NpmAndYarn::UpdateChecker::RegistryFinder.new(
|
421
423
|
dependency: missing_dep,
|
@@ -439,23 +441,24 @@ module Dependabot
|
|
439
441
|
end
|
440
442
|
end
|
441
443
|
|
442
|
-
def raise_resolvability_error(
|
444
|
+
def raise_resolvability_error(error_message, yarn_lock)
|
443
445
|
dependency_names = dependencies.map(&:name).join(", ")
|
444
446
|
msg = "Error whilst updating #{dependency_names} in "\
|
445
|
-
"#{yarn_lock.path}:\n#{
|
447
|
+
"#{yarn_lock.path}:\n#{error_message}"
|
446
448
|
raise Dependabot::DependencyFileNotResolvable, msg
|
447
449
|
end
|
448
450
|
|
449
|
-
def handle_timeout(
|
450
|
-
url =
|
451
|
+
def handle_timeout(error_message, yarn_lock)
|
452
|
+
url = error_message.match(TIMEOUT_FETCHING_PACKAGE).
|
453
|
+
named_captures["url"]
|
451
454
|
return if url.start_with?("https://registry.npmjs.org")
|
452
455
|
|
453
|
-
package_name =
|
454
|
-
|
455
|
-
|
456
|
+
package_name = error_message.match(TIMEOUT_FETCHING_PACKAGE).
|
457
|
+
named_captures["package"]
|
458
|
+
sanitized_name = sanitize_package_name(package_name)
|
456
459
|
|
457
460
|
dep = lockfile_dependencies(yarn_lock).
|
458
|
-
find { |d| d.name ==
|
461
|
+
find { |d| d.name == sanitized_name }
|
459
462
|
return unless dep
|
460
463
|
|
461
464
|
raise PrivateSourceTimedOut, url.gsub(%r{https?://}, "")
|
@@ -493,6 +496,10 @@ module Dependabot
|
|
493
496
|
json.to_json
|
494
497
|
end
|
495
498
|
|
499
|
+
def sanitize_package_name(package_name)
|
500
|
+
package_name.gsub("%2f", "/").gsub("%2F", "/")
|
501
|
+
end
|
502
|
+
|
496
503
|
def yarn_locks
|
497
504
|
@yarn_locks ||=
|
498
505
|
dependency_files.
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.108.
|
4
|
+
version: 0.108.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.108.
|
19
|
+
version: 0.108.5
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.108.
|
26
|
+
version: 0.108.5
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: byebug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|