dependabot-npm_and_yarn 0.111.9 → 0.111.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d80c18925b8d339cb6c455371ca928d6bd530ab8b44f8dd3e5f11902346ee047
-  data.tar.gz: d2163f0a4d4abf909da6780f4d765e0dbe81763c2a756485eb5dc99381b1cf63
+  metadata.gz: 930753aeafdf37fcadf92d65ea055a5108fdac701c7386f3a2965533ad7defd6
+  data.tar.gz: '08d9fbec1dfd2f0d491e7f0177d4c0f2033f4206c88fdcf68d2d956a32dbba27'
 SHA512:
-  metadata.gz: 5d75e048fa35d4d00d88ea46c0c68ad5aa52c92f243b7747aeec49688354ec9e752d357725c772be4b28d6060e9e9f3a4c355bbf11245ab092966d92ceaec8a4
-  data.tar.gz: 8553de6423ce4523ef0f3966bb47c106f10165bc669b0ac091ac6308091c33976085763c65ffa262ca3986711882a58db128ccd7c6a415b6b1d89943c37fcd40
+  metadata.gz: f7eafd19e3f36ae4beb44ea3dc73a33fded179a6f5982a114de53c7597161c9d67ed14459e9d94f2b9b6233aa37b9d7c0812a21207f70d32e306e7993d7789a3
+  data.tar.gz: c75fe724c3d80fd13d9b64d19169a552aa3d1ad0c6753763bff1f1355013bcd8000595a0777932bf3a9675243b1463f7d8dd33e6f870f514f2d46b382c0d34b2

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -7,6 +7,7 @@ require "dependabot/npm_and_yarn/file_parser"
 
 module Dependabot
   module NpmAndYarn
+    # rubocop:disable Metrics/ClassLength
     class FileFetcher < Dependabot::FileFetchers::Base
       require_relative "file_fetcher/path_dependency_builder"
 
@@ -164,6 +165,7 @@ module Dependabot
         ].uniq
       end
 
+      # rubocop:disable Metrics/AbcSize
       def path_dependency_details_from_manifest(file)
         return [] unless file.name.end_with?("package.json")
 
@@ -171,20 +173,23 @@ module Dependabot
         current_dir = nil if current_dir == ""
         path_dep_starts = %w(file: / ./ ../ ~/ link:.)
 
-        # Fetch yarn "file:" path "resolutions" so that we can resolve the
-        # lockfile. This pattern seems to be used to replace a sub-dependency
-        # with a local mock version.
-        dependency_types = NpmAndYarn::FileParser::DEPENDENCY_TYPES +
-                           ["resolutions"]
-        dependency_objects = JSON.parse(file.content).
-                             values_at(*dependency_types).
-                             compact
+        dep_types = NpmAndYarn::FileParser::DEPENDENCY_TYPES
+        parsed_manifest = JSON.parse(file.content)
+        dependency_objects = parsed_manifest.values_at(*dep_types).compact
+        # Fetch yarn "file:" path "resolutions" so the lockfile can be resolved
+        resolution_objects = parsed_manifest.values_at("resolutions").compact
+        manifest_objects = dependency_objects + resolution_objects
 
-        unless dependency_objects.all? { |o| o.is_a?(Hash) }
+        unless manifest_objects.all? { |o| o.is_a?(Hash) }
           raise Dependabot::DependencyFileNotParseable, file.path
         end
 
-        dependency_objects.flat_map(&:to_a).
+        resolution_deps = resolution_objects.flat_map(&:to_a).
+                          map do |path, value|
+                            convert_dependency_path_to_name(path, value)
+                          end
+
+        (dependency_objects.flat_map(&:to_a) + resolution_deps).
           select { |_, v| v.is_a?(String) && v.start_with?(*path_dep_starts) }.
           map do |name, path|
             path = path.sub(/^file:/, "").sub(/^link:/, "")
@@ -194,6 +199,17 @@ module Dependabot
       rescue JSON::ParserError
         raise Dependabot::DependencyFileNotParseable, file.path
       end
+      # rubocop:enable Metrics/AbcSize
+
+      # Re-write the glob name to the targeted dependency name (which is used
+      # in the lockfile), for example "parent-pacakge/**/sub-dep/target-dep" >
+      # "target-dep"
+      def convert_dependency_path_to_name(path, value)
+        # Picking the last two parts that might include a scope
+        parts = path.split("/").last(2)
+        parts.shift if parts.count == 2 && !parts.first.start_with?("@")
+        [parts.join("/"), value]
+      end
 
       def fetch_workspace_package_jsons
         return [] unless parsed_package_json["workspaces"]
@@ -273,6 +289,7 @@ module Dependabot
         end
       end
 
+      # Only expands globs one level deep, so path/**/* gets expanded to path/
       def expanded_paths(path)
         ignored_paths = path.scan(/!\((.*?)\)/).flatten
 
@@ -338,6 +355,7 @@ module Dependabot
         raise Dependabot::DependencyFileNotParseable, lerna_json.path
       end
     end
+    # rubocop:enable Metrics/ClassLength
   end
 end
 

data/lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb

@@ -4,6 +4,7 @@ require "json"
 require "dependabot/dependency_file"
 require "dependabot/errors"
 require "dependabot/npm_and_yarn/file_fetcher"
+require "dependabot/npm_and_yarn/file_parser/yarn_lockfile_parser"
 
 module Dependabot
   module NpmAndYarn
@@ -114,20 +115,8 @@ module Dependabot
         def parsed_yarn_lock
           return {} unless yarn_lock
 
-          # This is *extremely* crude, but saves us from having to shell out
-          # to Yarn, which may not be safe
           @parsed_yarn_lock ||=
-            begin
-              content = yarn_lock.content.
-                        lines.
-                        map { |l| l.match?(/^[\w"]/) ? l.split(", ").last : l }.
-                        join.
-                        gsub(/(?<=\w|")\s(?=\w|")/, ": ")
-
-              YAML.safe_load(content)
-            end
-        rescue Psych::SyntaxError, Psych::DisallowedClass, Psych::BadAlias
-          @parsed_yarn_lock ||= {}
+            FileParser::YarnLockfileParser.new(lockfile: yarn_lock).parse
         end
 
         # The path back to the root lockfile

data/lib/dependabot/npm_and_yarn/file_parser/yarn_lockfile_parser.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency_file"
+require "dependabot/npm_and_yarn/file_parser"
+
+module Dependabot
+  module NpmAndYarn
+    class FileParser
+      class YarnLockfileParser
+        def initialize(lockfile:)
+          @content = lockfile.content
+        end
+
+        # This is *extremely* crude, but saves us from having to shell out
+        # to Yarn, which may not be safe
+        def parse
+          yaml = convert_to_yaml
+          lockfile_object = parse_as_yaml(yaml)
+          expand_lockfile_requirements(lockfile_object)
+        end
+
+        private
+
+        attr_reader :content
+
+        # Transform lockfile to parseable YAML by wrapping requirements in
+        # quotes, e.g. ("pkg@1.0.0":) and adding colon to nested
+        # properties (version: "1.0.0")
+        def convert_to_yaml
+          sanitize_requirement = lambda do |line|
+            return line unless line.match?(/^[\w"]/)
+
+            "\"#{line.gsub(/\"|:\n$/, '')}\":\n"
+          end
+          add_missing_colon = ->(l) { l.sub(/(?<=\w|")\s(?=\w|")/, ": ") }
+
+          content.lines.map(&sanitize_requirement).map(&add_missing_colon).join
+        end
+
+        def parse_as_yaml(yaml)
+          YAML.safe_load(yaml)
+        rescue Psych::SyntaxError, Psych::DisallowedClass, Psych::BadAlias
+          {}
+        end
+
+        # Split all comma separated keys and duplicate the lockfile entry
+        # so we get one entry per version requirement, this is needed when
+        # one of the requirements specifies a file: requirement, e.g.
+        # "pkga@file:./pkg, pkgb@1.0.0 and we want to check this in
+        # `details_from_yarn_lock`
+        def expand_lockfile_requirements(lockfile_object)
+          lockfile_object.to_a.each_with_object({}) do |(names, val), res|
+            names.split(", ").each { |name| res[name] = val }
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.111.9
+  version: 0.111.10
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.111.9
+        version: 0.111.10
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.111.9
+        version: 0.111.10
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -183,6 +183,7 @@ files:
 - lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb
 - lib/dependabot/npm_and_yarn/file_parser.rb
 - lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb
+- lib/dependabot/npm_and_yarn/file_parser/yarn_lockfile_parser.rb
 - lib/dependabot/npm_and_yarn/file_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb