dependabot-npm_and_yarn 0.111.10 → 0.111.11

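--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 930753aeafdf37fcadf92d65ea055a5108fdac701c7386f3a2965533ad7defd6
- data.tar.gz: '08d9fbec1dfd2f0d491e7f0177d4c0f2033f4206c88fdcf68d2d956a32dbba27'
+ metadata.gz: 9b694006465da091f8f16f2a4405be227dc6b165598ef646c7ce463dec0ba6c8
+ data.tar.gz: 4ed1cc40a97c3905d8d76eb30013378f42593db3cf18d5c7e9acec284e814fdf
  SHA512:
- metadata.gz: f7eafd19e3f36ae4beb44ea3dc73a33fded179a6f5982a114de53c7597161c9d67ed14459e9d94f2b9b6233aa37b9d7c0812a21207f70d32e306e7993d7789a3
- data.tar.gz: c75fe724c3d80fd13d9b64d19169a552aa3d1ad0c6753763bff1f1355013bcd8000595a0777932bf3a9675243b1463f7d8dd33e6f870f514f2d46b382c0d34b2
+ metadata.gz: 9bbd695712ed10c8786126e59ed97fd33f108972b04d8c687e4f1edf8bffa9ae2680ff8c673305882c825378bd3284d0e4a94136059cbf391a9d679cff2f8112
+ data.tar.gz: 19f56e1bee9bef643b3522d354d483f5825892a7719fb4e6d490a89d27c47a1f1a64236abd7e43ee4589222b89ab9da7d3d93191cd901bb5aefedb10da96f53d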
@@ -11,6 +11,17 @@ module Dependabot
11
11
  class FileFetcher < Dependabot::FileFetchers::Base
12
12
  require_relative "file_fetcher/path_dependency_builder"
13
13
 
14
+ # Npm always prefixes file paths in the lockfile "version" with "file:"
15
+ # even when a naked path is used (e.g. "../dep")
16
+ NPM_PATH_DEPENDENCY_STARTS = %w(file:).freeze
17
+ # "link:" is only supported by Yarn but is interchangeable with "file:"
18
+ # when it specifies a path. Only include Yarn "link:"'s that start with a
19
+ # path and ignore symlinked package names that have been registered with
20
+ # "yarn link", e.g. "link:react"
21
+ PATH_DEPENDENCY_STARTS =
22
+ %w(file: link:. link:/ link:~/ / ./ ../ ~/).freeze
23
+ PATH_DEPENDENCY_CLEAN_REGEX = /^file:|^link:/.freeze
24
+
14
25
  def self.required_files_in?(filenames)
15
26
  filenames.include?("package.json")
16
27
  end
@@ -113,7 +124,7 @@ module Dependabot
113
124
  unfetchable_deps = []
114
125
 
115
126
  path_dependency_details(fetched_files).each do |name, path|
116
- path = path.sub(/^file:/, "").sub(/^link:/, "")
127
+ path = path.gsub(PATH_DEPENDENCY_CLEAN_REGEX, "")
117
128
  filename = File.join(path, "package.json")
118
129
  cleaned_name = Pathname.new(filename).cleanpath.to_path
119
130
  next if fetched_files.map(&:name).include?(cleaned_name)
@@ -144,19 +155,12 @@ module Dependabot
144
155
  path_dependency_details_from_manifest(file)
145
156
  end
146
157
 
147
- path_starts = %w(file: link:.)
148
-
149
- package_lock_path_deps =
150
- parsed_package_lock.fetch("dependencies", []).to_a.
151
- select { |_, v| v.is_a?(Hash) }.
152
- select { |_, v| v.fetch("version", "").start_with?(*path_starts) }.
153
- map { |k, v| [k, v.fetch("version")] }
154
-
155
- shrinkwrap_path_deps =
156
- parsed_shrinkwrap.fetch("dependencies", []).to_a.
157
- select { |_, v| v.is_a?(Hash) }.
158
- select { |_, v| v.fetch("version", "").start_with?(*path_starts) }.
159
- map { |k, v| [k, v.fetch("version")] }
158
+ package_lock_path_deps = path_dependency_details_from_npm_lockfile(
159
+ parsed_package_lock
160
+ )
161
+ shrinkwrap_path_deps = path_dependency_details_from_npm_lockfile(
162
+ parsed_shrinkwrap
163
+ )
160
164
 
161
165
  [
162
166
  *package_json_path_deps,
@@ -171,7 +175,6 @@ module Dependabot
171
175
 
172
176
  current_dir = file.name.rpartition("/").first
173
177
  current_dir = nil if current_dir == ""
174
- path_dep_starts = %w(file: / ./ ../ ~/ link:.)
175
178
 
176
179
  dep_types = NpmAndYarn::FileParser::DEPENDENCY_TYPES
177
180
  parsed_manifest = JSON.parse(file.content)
@@ -189,10 +192,11 @@ module Dependabot
189
192
  convert_dependency_path_to_name(path, value)
190
193
  end
191
194
 
195
+ path_starts = PATH_DEPENDENCY_STARTS
192
196
  (dependency_objects.flat_map(&:to_a) + resolution_deps).
193
- select { |_, v| v.is_a?(String) && v.start_with?(*path_dep_starts) }.
197
+ select { |_, v| v.is_a?(String) && v.start_with?(*path_starts) }.
194
198
  map do |name, path|
195
- path = path.sub(/^file:/, "").sub(/^link:/, "")
199
+ path = path.gsub(PATH_DEPENDENCY_CLEAN_REGEX, "")
196
200
  path = File.join(current_dir, path) unless current_dir.nil?
197
201
  [name, Pathname.new(path).cleanpath.to_path]
198
202
  end
@@ -201,6 +205,14 @@ module Dependabot
201
205
  end
202
206
  # rubocop:enable Metrics/AbcSize
203
207
 
208
+ def path_dependency_details_from_npm_lockfile(parsed_lockfile)
209
+ path_starts = NPM_PATH_DEPENDENCY_STARTS
210
+ parsed_lockfile.fetch("dependencies", []).to_a.
211
+ select { |_, v| v.is_a?(Hash) }.
212
+ select { |_, v| v.fetch("version", "").start_with?(*path_starts) }.
213
+ map { |k, v| [k, v.fetch("version")] }
214
+ end
215
+
204
216
  # Re-write the glob name to the targeted dependency name (which is used
205
217
  # in the lockfile), for example "parent-pacakge/**/sub-dep/target-dep" >
206
218
  # "target-dep"
@@ -36,19 +36,22 @@ module Dependabot
36
36
  :directory
37
37
 
38
38
  def details_from_yarn_lock
39
+ path_starts = FileFetcher::PATH_DEPENDENCY_STARTS
39
40
  parsed_yarn_lock.to_a.
40
41
  find do |n, _|
41
42
  next false unless n.split(/(?<=\w)\@/).first == dependency_name
42
43
 
43
- n.split(/(?<=\w)\@/).last.start_with?("file:")
44
+ n.split(/(?<=\w)\@/).last.start_with?(*path_starts)
44
45
  end&.last
45
46
  end
46
47
 
47
48
  def details_from_npm_lock
48
- parsed_package_lock.fetch("dependencies", []).to_a.
49
- select { |_, v| v.fetch("version", "").start_with?("file:") }.
50
- find { |n, _| n == dependency_name }&.
51
- last
49
+ path_starts = FileFetcher::NPM_PATH_DEPENDENCY_STARTS
50
+ path_deps = parsed_package_lock.fetch("dependencies", []).to_a.
51
+ select do |_, v|
52
+ v.fetch("version", "").start_with?(*path_starts)
53
+ end
54
+ path_deps.find { |n, _| n == dependency_name }&.last
52
55
  end
53
56
 
54
57
  def build_path_dep_content(dependency_name)
@@ -86,21 +89,24 @@ module Dependabot
86
89
  def replace_yarn_lock_file_paths(dependencies_hash)
87
90
  return unless dependencies_hash
88
91
 
89
- dependencies_hash.each_with_object({}) do |(k, v), obj|
90
- obj[k] = v
91
- next unless v.start_with?("file:")
92
+ dependencies_hash.each_with_object({}) do |(name, value), obj|
93
+ obj[name] = value
94
+ next unless value.start_with?(*FileFetcher::PATH_DEPENDENCY_STARTS)
92
95
 
93
96
  path_from_base =
94
97
  parsed_yarn_lock.to_a.
95
98
  find do |n, _|
96
- next false unless n.split(/(?<=\w)\@/).first == k
99
+ next false unless n.split(/(?<=\w)\@/).first == name
97
100
 
98
- n.split(/(?<=\w)\@/).last.start_with?("file:")
99
- end&.first&.split(/(?<=\w)\@/)&.last&.gsub("file:", "")
101
+ n.split(/(?<=\w)\@/).last.
102
+ start_with?(*FileFetcher::PATH_DEPENDENCY_STARTS)
103
+ end&.first&.split(/(?<=\w)\@/)&.last
100
104
 
101
105
  next unless path_from_base
102
106
 
103
- obj[k] = "file:" + File.join(inverted_path, path_from_base)
107
+ cleaned_path = path_from_base.
108
+ gsub(FileFetcher::PATH_DEPENDENCY_CLEAN_REGEX, "")
109
+ obj[name] = "file:" + File.join(inverted_path, cleaned_path)
104
110
  end
105
111
  end
106
112
 
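Review bot: `details_from_npm_lock` in the `@@ -36,19 +36,22 @@` hunk calls `v.fetch("version", "")` on every entry of `parsed_package_lock["dependencies"]` without first checking that the entry is a Hash, while the sibling `path_dependency_details_from_npm_lockfile` added to `FileFetcher` by this same commit guards with `select { |_, v| v.is_a?(Hash) }`. A lockfile taken from the repository with a non-object value under `dependencies` would therefore raise `NoMethodError` here but be skipped there; the guard looks pre-existing, but the commit rewrites this `select` and is the natural place to align it. The one-line change is `v.is_a?(Hash) && v.fetch("version", "").start_with?(*path_starts)` inside the `select do |_, v|` block. The enclosing class starts outside the hunk and its file header is not shown on the page.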
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.111.10
4
+ version: 0.111.11
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-07-15 00:00:00.000000000 Z
11
+ date: 2019-07-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.111.10
19
+ version: 0.111.11
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.111.10
26
+ version: 0.111.11
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: byebug
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -100,14 +100,14 @@ dependencies:
100
100
  requirements:
101
101
  - - "~>"
102
102
  - !ruby/object:Gem::Version
103
- version: 0.72.0
103
+ version: 0.73.0
104
104
  type: :development
105
105
  prerelease: false
106
106
  version_requirements: !ruby/object:Gem::Requirement
107
107
  requirements:
108
108
  - - "~>"
109
109
  - !ruby/object:Gem::Version
110
- version: 0.72.0
110
+ version: 0.73.0
111
111
  - !ruby/object:Gem::Dependency
112
112
  name: vcr
113
113
  requirement: !ruby/object:Gem::Requirement