dependabot-npm_and_yarn 0.111.9 → 0.111.10
checksums.yaml
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 930753aeafdf37fcadf92d65ea055a5108fdac701c7386f3a2965533ad7defd6
|
4
|
+
data.tar.gz: '08d9fbec1dfd2f0d491e7f0177d4c0f2033f4206c88fdcf68d2d956a32dbba27'
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f7eafd19e3f36ae4beb44ea3dc73a33fded179a6f5982a114de53c7597161c9d67ed14459e9d94f2b9b6233aa37b9d7c0812a21207f70d32e306e7993d7789a3
|
7
|
+
data.tar.gz: c75fe724c3d80fd13d9b64d19169a552aa3d1ad0c6753763bff1f1355013bcd8000595a0777932bf3a9675243b1463f7d8dd33e6f870f514f2d46b382c0d34b2
|
@@ -7,6 +7,7 @@ require "dependabot/npm_and_yarn/file_parser"
|
|
7
7
|
|
8
8
|
module Dependabot
|
9
9
|
module NpmAndYarn
|
10
|
+
# rubocop:disable Metrics/ClassLength
|
10
11
|
class FileFetcher < Dependabot::FileFetchers::Base
|
11
12
|
require_relative "file_fetcher/path_dependency_builder"
|
12
13
|
|
@@ -164,6 +165,7 @@ module Dependabot
|
|
164
165
|
].uniq
|
165
166
|
end
|
166
167
|
|
168
|
+
# rubocop:disable Metrics/AbcSize
|
167
169
|
def path_dependency_details_from_manifest(file)
|
168
170
|
return [] unless file.name.end_with?("package.json")
|
169
171
|
|
@@ -171,20 +173,23 @@ module Dependabot
|
|
171
173
|
current_dir = nil if current_dir == ""
|
172
174
|
path_dep_starts = %w(file: / ./ ../ ~/ link:.)
|
173
175
|
|
174
|
-
|
175
|
-
|
176
|
-
|
177
|
-
|
178
|
-
|
179
|
-
|
180
|
-
values_at(*dependency_types).
|
181
|
-
compact
|
176
|
+
dep_types = NpmAndYarn::FileParser::DEPENDENCY_TYPES
|
177
|
+
parsed_manifest = JSON.parse(file.content)
|
178
|
+
dependency_objects = parsed_manifest.values_at(*dep_types).compact
|
179
|
+
# Fetch yarn "file:" path "resolutions" so the lockfile can be resolved
|
180
|
+
resolution_objects = parsed_manifest.values_at("resolutions").compact
|
181
|
+
manifest_objects = dependency_objects + resolution_objects
|
182
182
|
|
183
|
-
unless
|
183
|
+
unless manifest_objects.all? { |o| o.is_a?(Hash) }
|
184
184
|
raise Dependabot::DependencyFileNotParseable, file.path
|
185
185
|
end
|
186
186
|
|
187
|
-
|
187
|
+
resolution_deps = resolution_objects.flat_map(&:to_a).
|
188
|
+
map do |path, value|
|
189
|
+
convert_dependency_path_to_name(path, value)
|
190
|
+
end
|
191
|
+
|
192
|
+
(dependency_objects.flat_map(&:to_a) + resolution_deps).
|
188
193
|
select { |_, v| v.is_a?(String) && v.start_with?(*path_dep_starts) }.
|
189
194
|
map do |name, path|
|
190
195
|
path = path.sub(/^file:/, "").sub(/^link:/, "")
|
@@ -194,6 +199,17 @@ module Dependabot
|
|
194
199
|
rescue JSON::ParserError
|
195
200
|
raise Dependabot::DependencyFileNotParseable, file.path
|
196
201
|
end
|
202
|
+
# rubocop:enable Metrics/AbcSize
|
203
|
+
|
204
|
+
# Re-write the glob name to the targeted dependency name (which is used
|
205
|
+
# in the lockfile), for example "parent-pacakge/**/sub-dep/target-dep" >
|
206
|
+
# "target-dep"
|
207
|
+
def convert_dependency_path_to_name(path, value)
|
208
|
+
# Picking the last two parts that might include a scope
|
209
|
+
parts = path.split("/").last(2)
|
210
|
+
parts.shift if parts.count == 2 && !parts.first.start_with?("@")
|
211
|
+
[parts.join("/"), value]
|
212
|
+
end
|
197
213
|
|
198
214
|
def fetch_workspace_package_jsons
|
199
215
|
return [] unless parsed_package_json["workspaces"]
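Review bot: `convert_dependency_path_to_name` keeps the last two path segments unconditionally, so a resolution key whose final segment is itself a glob (for example `parent/**`) comes back with `**` as the dependency name, and in the preceding hunk that pair then goes through the `file:` selection in `path_dependency_details_from_manifest` as if it named a real package. Unless such keys are known to be rejected upstream, it seems safer to drop them where `resolution_deps` is built, e.g. appending `.reject { |name, _| name.include?("*") }` to that chain, or to document why glob-only names are acceptable. The header comment also misspells "parent-package" as `parent-pacakge`. `fetch_workspace_package_jsons` continues past the end of this hunk.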
|
@@ -273,6 +289,7 @@ module Dependabot
|
|
273
289
|
end
|
274
290
|
end
|
275
291
|
|
292
|
+
# Only expands globs one level deep, so path/**/* gets expanded to path/
|
276
293
|
def expanded_paths(path)
|
277
294
|
ignored_paths = path.scan(/!\((.*?)\)/).flatten
|
278
295
|
|
@@ -338,6 +355,7 @@ module Dependabot
|
|
338
355
|
raise Dependabot::DependencyFileNotParseable, lerna_json.path
|
339
356
|
end
|
340
357
|
end
|
358
|
+
# rubocop:enable Metrics/ClassLength
|
341
359
|
end
|
342
360
|
end
|
343
361
|
|
@@ -4,6 +4,7 @@ require "json"
|
|
4
4
|
require "dependabot/dependency_file"
|
5
5
|
require "dependabot/errors"
|
6
6
|
require "dependabot/npm_and_yarn/file_fetcher"
|
7
|
+
require "dependabot/npm_and_yarn/file_parser/yarn_lockfile_parser"
|
7
8
|
|
8
9
|
module Dependabot
|
9
10
|
module NpmAndYarn
|
@@ -114,20 +115,8 @@ module Dependabot
|
|
114
115
|
def parsed_yarn_lock
|
115
116
|
return {} unless yarn_lock
|
116
117
|
|
117
|
-
# This is *extremely* crude, but saves us from having to shell out
|
118
|
-
# to Yarn, which may not be safe
|
119
118
|
@parsed_yarn_lock ||=
|
120
|
-
|
121
|
-
content = yarn_lock.content.
|
122
|
-
lines.
|
123
|
-
map { |l| l.match?(/^[\w"]/) ? l.split(", ").last : l }.
|
124
|
-
join.
|
125
|
-
gsub(/(?<=\w|")\s(?=\w|")/, ": ")
|
126
|
-
|
127
|
-
YAML.safe_load(content)
|
128
|
-
end
|
129
|
-
rescue Psych::SyntaxError, Psych::DisallowedClass, Psych::BadAlias
|
130
|
-
@parsed_yarn_lock ||= {}
|
119
|
+
FileParser::YarnLockfileParser.new(lockfile: yarn_lock).parse
|
131
120
|
end
|
132
121
|
|
133
122
|
# The path back to the root lockfile
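Review bot: The value memoized in `@parsed_yarn_lock` now has a different shape from before — `YarnLockfileParser#parse` returns one entry per requirement of a comma-separated key, whereas the removed code kept only the last requirement via `split(", ").last` — and nothing at this call site says so. A short comment above `@parsed_yarn_lock ||=` would help readers of `details_from_yarn_lock`, e.g. `# One entry per "name@requirement" key; the parser expands comma-separated keys`. The Psych `rescue` has moved into the parser, which returns `{}` on failure, so the fallback value stored here is unchanged.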
|
@@ -0,0 +1,59 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require "dependabot/dependency_file"
|
4
|
+
require "dependabot/npm_and_yarn/file_parser"
|
5
|
+
|
6
|
+
module Dependabot
|
7
|
+
module NpmAndYarn
|
8
|
+
class FileParser
|
9
|
+
class YarnLockfileParser
|
10
|
+
def initialize(lockfile:)
|
11
|
+
@content = lockfile.content
|
12
|
+
end
|
13
|
+
|
14
|
+
# This is *extremely* crude, but saves us from having to shell out
|
15
|
+
# to Yarn, which may not be safe
|
16
|
+
def parse
|
17
|
+
yaml = convert_to_yaml
|
18
|
+
lockfile_object = parse_as_yaml(yaml)
|
19
|
+
expand_lockfile_requirements(lockfile_object)
|
20
|
+
end
|
21
|
+
|
22
|
+
private
|
23
|
+
|
24
|
+
attr_reader :content
|
25
|
+
|
26
|
+
# Transform lockfile to parseable YAML by wrapping requirements in
|
27
|
+
# quotes, e.g. ("pkg@1.0.0":) and adding colon to nested
|
28
|
+
# properties (version: "1.0.0")
|
29
|
+
def convert_to_yaml
|
30
|
+
sanitize_requirement = lambda do |line|
|
31
|
+
return line unless line.match?(/^[\w"]/)
|
32
|
+
|
33
|
+
"\"#{line.gsub(/\"|:\n$/, '')}\":\n"
|
34
|
+
end
|
35
|
+
add_missing_colon = ->(l) { l.sub(/(?<=\w|")\s(?=\w|")/, ": ") }
|
36
|
+
|
37
|
+
content.lines.map(&sanitize_requirement).map(&add_missing_colon).join
|
38
|
+
end
|
39
|
+
|
40
|
+
def parse_as_yaml(yaml)
|
41
|
+
YAML.safe_load(yaml)
|
42
|
+
rescue Psych::SyntaxError, Psych::DisallowedClass, Psych::BadAlias
|
43
|
+
{}
|
44
|
+
end
|
45
|
+
|
46
|
+
# Split all comma separated keys and duplicate the lockfile entry
|
47
|
+
# so we get one entry per version requirement, this is needed when
|
48
|
+
# one of the requirements specifies a file: requirement, e.g.
|
49
|
+
# "pkga@file:./pkg, pkgb@1.0.0 and we want to check this in
|
50
|
+
# `details_from_yarn_lock`
|
51
|
+
def expand_lockfile_requirements(lockfile_object)
|
52
|
+
lockfile_object.to_a.each_with_object({}) do |(names, val), res|
|
53
|
+
names.split(", ").each { |name| res[name] = val }
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
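Review bot: `parse` only recovers from Psych errors; a lockfile that `YAML.safe_load` turns into something other than a Hash (a scalar, or a sequence with non-String elements) reaches `expand_lockfile_requirements`, where `to_a` or `names.split` raises `NoMethodError` instead of yielding the `{}` that the Psych rescue produces. A one-line guard at the top of `expand_lockfile_requirements`, `return {} unless lockfile_object.is_a?(Hash)`, keeps every malformed input on the same `{}` path (an empty file already works, since `nil.to_a` is `[]`). Note also that `sanitize_requirement` strips the trailing colon only when the line ends in `:\n`, so a final key line with no newline would keep its colon inside the quoted YAML key — probably harmless for real lockfiles, but worth a test case. The two lambdas in `convert_to_yaml` use different syntaxes (`lambda do` vs `->`); using one form for both would read more evenly.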
|
metadata
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.111.
|
4
|
+
version: 0.111.10
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.111.
|
19
|
+
version: 0.111.10
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.111.
|
26
|
+
version: 0.111.10
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: byebug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -183,6 +183,7 @@ files:
|
|
183
183
|
- lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb
|
184
184
|
- lib/dependabot/npm_and_yarn/file_parser.rb
|
185
185
|
- lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb
|
186
|
+
- lib/dependabot/npm_and_yarn/file_parser/yarn_lockfile_parser.rb
|
186
187
|
- lib/dependabot/npm_and_yarn/file_updater.rb
|
187
188
|
- lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb
|
188
189
|
- lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb
|