dependabot-npm_and_yarn 0.113.3 → 0.113.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/dependabot/npm_and_yarn/file_parser.rb +9 -6
- data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb +9 -5
- data/lib/dependabot/npm_and_yarn/update_checker.rb +9 -3
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +11 -5
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +44 -4
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8a9017a5f237612771fdf551da5eaed55fa1d4838b4eabf9d4cfcc756d5cd6cf
|
|
4
|
+
data.tar.gz: e2b2d8751f6afd28fb5c2f81a21db5f2e51d587b0c01de9940858c953b72cdf8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e3c82abdf1efa61e7f4841b2a9e8eea221852d376cce2ab4eee146645b700a349a52bc8d6a20335cfbb3b6debe12cb0410cc9a8cb572145dab7c20c9005f3c6e
|
|
7
|
+
data.tar.gz: dd25f70d2771bbd0f9812a2a4171efbe63a8ba8f84bf1d3176d51a3221d7ba3b0163209b362912bca18929f29ec8cc2c357403b79511d03821908467629a3133
|
|
@@ -216,7 +216,7 @@ module Dependabot
|
|
|
216
216
|
|
|
217
217
|
version = t.name.match(Dependabot::GitCommitChecker::VERSION_REGEX).
|
|
218
218
|
named_captures.fetch("version")
|
|
219
|
-
next unless
|
|
219
|
+
next unless version_class.correct?(version)
|
|
220
220
|
|
|
221
221
|
return version
|
|
222
222
|
end
|
|
@@ -233,11 +233,10 @@ module Dependabot
|
|
|
233
233
|
manifest_name: manifest_name
|
|
234
234
|
)&.fetch("version", nil)
|
|
235
235
|
|
|
236
|
-
|
|
237
|
-
|
|
238
|
-
|
|
239
|
-
return
|
|
240
|
-
return if lock_version.include?("#")
|
|
236
|
+
# This line is to guard against improperly formatted versions in a
|
|
237
|
+
# lockfile, such as additional characters. NPM/yarn fixes these when
|
|
238
|
+
# running an update, so we can safely ignore these versions.
|
|
239
|
+
return unless version_class.correct?(lock_version)
|
|
241
240
|
|
|
242
241
|
lock_version
|
|
243
242
|
end
|
|
@@ -337,6 +336,10 @@ module Dependabot
|
|
|
337
336
|
].compact
|
|
338
337
|
end
|
|
339
338
|
end
|
|
339
|
+
|
|
340
|
+
def version_class
|
|
341
|
+
NpmAndYarn::Version
|
|
342
|
+
end
|
|
340
343
|
end
|
|
341
344
|
end
|
|
342
345
|
end
|
|
@@ -153,12 +153,12 @@ module Dependabot
|
|
|
153
153
|
end
|
|
154
154
|
|
|
155
155
|
def semver_version_for(version_string)
|
|
156
|
-
|
|
156
|
+
# The next two lines are to guard against improperly formatted
|
|
157
|
+
# versions in a lockfile, such as an empty string or additional
|
|
158
|
+
# characters. NPM/yarn fixes these when running an update, so we can
|
|
159
|
+
# safely ignore these versions.
|
|
157
160
|
return if version_string == ""
|
|
158
|
-
return
|
|
159
|
-
return if version_string.include?("file:")
|
|
160
|
-
return if version_string.include?("link:")
|
|
161
|
-
return if version_string.include?("#")
|
|
161
|
+
return unless version_class.correct?(version_string)
|
|
162
162
|
|
|
163
163
|
version_string
|
|
164
164
|
end
|
|
@@ -216,6 +216,10 @@ module Dependabot
|
|
|
216
216
|
dependency_files.
|
|
217
217
|
select { |f| f.name.end_with?("npm-shrinkwrap.json") }
|
|
218
218
|
end
|
|
219
|
+
|
|
220
|
+
def version_class
|
|
221
|
+
NpmAndYarn::Version
|
|
222
|
+
end
|
|
219
223
|
end
|
|
220
224
|
end
|
|
221
225
|
end
|
|
@@ -54,6 +54,10 @@ module Dependabot
|
|
|
54
54
|
latest_version_finder.latest_version_with_no_unlock
|
|
55
55
|
end
|
|
56
56
|
|
|
57
|
+
def latest_resolvable_previous_version
|
|
58
|
+
version_resolver.latest_resolvable_previous_version
|
|
59
|
+
end
|
|
60
|
+
|
|
57
61
|
def updated_requirements
|
|
58
62
|
resolvable_version =
|
|
59
63
|
if preferred_resolvable_version.is_a?(version_class)
|
|
@@ -104,17 +108,19 @@ module Dependabot
|
|
|
104
108
|
|
|
105
109
|
def build_updated_dependency(update_details)
|
|
106
110
|
original_dep = update_details.fetch(:dependency)
|
|
111
|
+
version = update_details.fetch(:version).to_s
|
|
112
|
+
previous_version = update_details.fetch(:previous_version)&.to_s
|
|
107
113
|
|
|
108
114
|
Dependency.new(
|
|
109
115
|
name: original_dep.name,
|
|
110
|
-
version:
|
|
116
|
+
version: version,
|
|
111
117
|
requirements: RequirementsUpdater.new(
|
|
112
118
|
requirements: original_dep.requirements,
|
|
113
119
|
updated_source: original_dep == dependency ? updated_source : nil,
|
|
114
|
-
latest_resolvable_version:
|
|
120
|
+
latest_resolvable_version: version,
|
|
115
121
|
update_strategy: requirements_update_strategy
|
|
116
122
|
).updated_requirements,
|
|
117
|
-
previous_version:
|
|
123
|
+
previous_version: previous_version,
|
|
118
124
|
previous_requirements: original_dep.requirements,
|
|
119
125
|
package_manager: original_dep.package_manager
|
|
120
126
|
)
|
|
@@ -73,13 +73,19 @@ module Dependabot
|
|
|
73
73
|
# our problem, so we quietly return `nil` here.
|
|
74
74
|
end
|
|
75
75
|
|
|
76
|
+
def possible_previous_versions_with_details
|
|
77
|
+
@possible_previous_versions_with_details ||= begin
|
|
78
|
+
npm_details.fetch("versions", {}).
|
|
79
|
+
transform_keys { |k| version_class.new(k) }.
|
|
80
|
+
reject { |v, _| v.prerelease? && !related_to_current_pre?(v) }.
|
|
81
|
+
sort_by(&:first).reverse
|
|
82
|
+
end
|
|
83
|
+
end
|
|
84
|
+
|
|
76
85
|
def possible_versions_with_details
|
|
77
|
-
|
|
86
|
+
possible_previous_versions_with_details.
|
|
78
87
|
reject { |_, details| details["deprecated"] }.
|
|
79
|
-
|
|
80
|
-
reject { |k, _| k.prerelease? && !related_to_current_pre?(k) }.
|
|
81
|
-
reject { |k, _| ignore_reqs.any? { |r| r.satisfied_by?(k) } }.
|
|
82
|
-
sort_by(&:first).reverse
|
|
88
|
+
reject { |v, _| ignore_reqs.any? { |r| r.satisfied_by?(v) } }
|
|
83
89
|
end
|
|
84
90
|
|
|
85
91
|
def possible_versions
|
|
@@ -73,6 +73,10 @@ module Dependabot
|
|
|
73
73
|
true
|
|
74
74
|
end
|
|
75
75
|
|
|
76
|
+
def latest_resolvable_previous_version
|
|
77
|
+
resolve_latest_previous_version(dependency)
|
|
78
|
+
end
|
|
79
|
+
|
|
76
80
|
def dependency_updates_from_full_unlock
|
|
77
81
|
return if git_dependency?(dependency)
|
|
78
82
|
if part_of_tightly_locked_monorepo?
|
|
@@ -80,8 +84,11 @@ module Dependabot
|
|
|
80
84
|
end
|
|
81
85
|
return if newly_broken_peer_reqs_from_dep.any?
|
|
82
86
|
|
|
83
|
-
updates =
|
|
84
|
-
|
|
87
|
+
updates = [{
|
|
88
|
+
dependency: dependency,
|
|
89
|
+
version: latest_allowable_version,
|
|
90
|
+
previous_version: latest_resolvable_previous_version
|
|
91
|
+
}]
|
|
85
92
|
newly_broken_peer_reqs_on_dep.each do |peer_req|
|
|
86
93
|
dep_name = peer_req.fetch(:requiring_dep_name)
|
|
87
94
|
dep = top_level_dependencies.find { |d| d.name == dep_name }
|
|
@@ -94,7 +101,11 @@ module Dependabot
|
|
|
94
101
|
latest_version_of_dep_with_satisfied_peer_reqs(dep)
|
|
95
102
|
return nil unless updated_version
|
|
96
103
|
|
|
97
|
-
updates << {
|
|
104
|
+
updates << {
|
|
105
|
+
dependency: dep,
|
|
106
|
+
version: updated_version,
|
|
107
|
+
previous_version: resolve_latest_previous_version(dep)
|
|
108
|
+
}
|
|
98
109
|
end
|
|
99
110
|
updates.uniq
|
|
100
111
|
end
|
|
@@ -115,6 +126,31 @@ module Dependabot
|
|
|
115
126
|
)
|
|
116
127
|
end
|
|
117
128
|
|
|
129
|
+
def resolve_latest_previous_version(dep)
|
|
130
|
+
if dep.version && version_class.correct?(dep.version)
|
|
131
|
+
return version_class.new(dep.version)
|
|
132
|
+
end
|
|
133
|
+
|
|
134
|
+
@resolve_latest_previous_version ||= {}
|
|
135
|
+
@resolve_latest_previous_version[dep] ||= begin
|
|
136
|
+
relevant_versions = latest_version_finder(dependency).
|
|
137
|
+
possible_previous_versions_with_details.
|
|
138
|
+
map(&:first)
|
|
139
|
+
reqs = dep.requirements.map { |r| r[:requirement] }.compact.
|
|
140
|
+
map { |r| requirement_class.requirements_array(r) }
|
|
141
|
+
|
|
142
|
+
# Pick the lowest version from the max possible version from all
|
|
143
|
+
# requirements. This matches the logic when combining the same
|
|
144
|
+
# dependency in DependencySet from multiple manifest files where we
|
|
145
|
+
# pick the lowest version from the duplicates.
|
|
146
|
+
reqs.flat_map do |req|
|
|
147
|
+
relevant_versions.select do |version|
|
|
148
|
+
req.any? { |r| r.satisfied_by?(version) }
|
|
149
|
+
end.max
|
|
150
|
+
end.min
|
|
151
|
+
end
|
|
152
|
+
end
|
|
153
|
+
|
|
118
154
|
def part_of_tightly_locked_monorepo?
|
|
119
155
|
monorepo_dep_names =
|
|
120
156
|
TIGHTLY_COUPLED_MONOREPOS.values.
|
|
@@ -149,7 +185,11 @@ module Dependabot
|
|
|
149
185
|
find { |v| v == latest_allowable_version }
|
|
150
186
|
next unless updated_version
|
|
151
187
|
|
|
152
|
-
updates << {
|
|
188
|
+
updates << {
|
|
189
|
+
dependency: dep,
|
|
190
|
+
version: updated_version,
|
|
191
|
+
previous_version: resolve_latest_previous_version(dep)
|
|
192
|
+
}
|
|
153
193
|
end
|
|
154
194
|
|
|
155
195
|
updates
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.113.
|
|
4
|
+
version: 0.113.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-09-
|
|
11
|
+
date: 2019-09-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.113.
|
|
19
|
+
version: 0.113.4
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.113.
|
|
26
|
+
version: 0.113.4
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|