dependabot-npm_and_yarn 0.125.0 → 0.125.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +2 -6
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +1 -3
- data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb +2 -6
- data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +5 -15
- data/lib/dependabot/npm_and_yarn/metadata_finder.rb +3 -9
- data/lib/dependabot/npm_and_yarn/requirement.rb +2 -6
- data/lib/dependabot/npm_and_yarn/update_checker.rb +4 -12
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +2 -6
- data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb +1 -3
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +4 -12
- data/lib/dependabot/npm_and_yarn/version.rb +1 -3
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 65dfd24b6ebd21aecc0ca0e3b729df18dbba9a06e0e45634b3c8b162710c567e
|
|
4
|
+
data.tar.gz: a44ac914df569143c14632f921b89c7da81f64b53a194f8113ab6822f6c923a2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6f0521114bc5e902ff20bb60721128b99bd7082966186f1e787810cea0d76e45ae6df35ece0158a06bb99843daf304eb02f74233230209d98fd7bbf08bf894cd
|
|
7
|
+
data.tar.gz: 2c24652f44989903e0cdf20a9d7a319387eba7095d467b4377e21c0c805789b355b567681f7bad0b4938d8f2c46940b8593bb2c33f5590a5eae0b6b9e9d2619b
|
|
@@ -123,9 +123,7 @@ module Dependabot
|
|
|
123
123
|
filename = path
|
|
124
124
|
# NPM/Yarn support loading path dependencies from tarballs:
|
|
125
125
|
# https://docs.npmjs.com/cli/pack.html
|
|
126
|
-
unless filename.end_with?(".tgz")
|
|
127
|
-
filename = File.join(filename, "package.json")
|
|
128
|
-
end
|
|
126
|
+
filename = File.join(filename, "package.json") unless filename.end_with?(".tgz")
|
|
129
127
|
cleaned_name = Pathname.new(filename).cleanpath.to_path
|
|
130
128
|
next if fetched_files.map(&:name).include?(cleaned_name)
|
|
131
129
|
|
|
@@ -185,9 +183,7 @@ module Dependabot
|
|
|
185
183
|
resolution_objects = parsed_manifest.values_at("resolutions").compact
|
|
186
184
|
manifest_objects = dependency_objects + resolution_objects
|
|
187
185
|
|
|
188
|
-
unless manifest_objects.all? { |o| o.is_a?(Hash) }
|
|
189
|
-
raise Dependabot::DependencyFileNotParseable, file.path
|
|
190
|
-
end
|
|
186
|
+
raise Dependabot::DependencyFileNotParseable, file.path unless manifest_objects.all? { |o| o.is_a?(Hash) }
|
|
191
187
|
|
|
192
188
|
resolution_deps = resolution_objects.flat_map(&:to_a).
|
|
193
189
|
map do |path, value|
|
|
@@ -328,9 +328,7 @@ module Dependabot
|
|
|
328
328
|
|
|
329
329
|
def resolvable_before_update?(lockfile)
|
|
330
330
|
@resolvable_before_update ||= {}
|
|
331
|
-
if @resolvable_before_update.key?(lockfile.name)
|
|
332
|
-
return @resolvable_before_update[lockfile.name]
|
|
333
|
-
end
|
|
331
|
+
return @resolvable_before_update[lockfile.name] if @resolvable_before_update.key?(lockfile.name)
|
|
334
332
|
|
|
335
333
|
@resolvable_before_update[lockfile.name] =
|
|
336
334
|
begin
|
|
@@ -50,9 +50,7 @@ module Dependabot
|
|
|
50
50
|
next false if CENTRAL_REGISTRIES.include?(cred["registry"])
|
|
51
51
|
|
|
52
52
|
# If all the URLs include this registry, it's global
|
|
53
|
-
if dependency_urls.all? { |url| url.include?(cred["registry"]) }
|
|
54
|
-
next true
|
|
55
|
-
end
|
|
53
|
+
next true if dependency_urls.all? { |url| url.include?(cred["registry"]) }
|
|
56
54
|
|
|
57
55
|
# If any unscoped URLs include this registry, it's global
|
|
58
56
|
dependency_urls.
|
|
@@ -120,9 +118,7 @@ module Dependabot
|
|
|
120
118
|
match(/^\s*registry\s+"(?<registry>[^"]+)"/)&.
|
|
121
119
|
named_captures&.fetch("registry")
|
|
122
120
|
|
|
123
|
-
if yarnrc_global_registry
|
|
124
|
-
return "registry = #{yarnrc_global_registry}\n"
|
|
125
|
-
end
|
|
121
|
+
return "registry = #{yarnrc_global_registry}\n" if yarnrc_global_registry
|
|
126
122
|
|
|
127
123
|
build_npmrc_content_from_lockfile
|
|
128
124
|
end
|
|
@@ -23,9 +23,7 @@ module Dependabot
|
|
|
23
23
|
|
|
24
24
|
def updated_yarn_lock_content(yarn_lock)
|
|
25
25
|
@updated_yarn_lock_content ||= {}
|
|
26
|
-
if @updated_yarn_lock_content[yarn_lock.name]
|
|
27
|
-
return @updated_yarn_lock_content[yarn_lock.name]
|
|
28
|
-
end
|
|
26
|
+
return @updated_yarn_lock_content[yarn_lock.name] if @updated_yarn_lock_content[yarn_lock.name]
|
|
29
27
|
|
|
30
28
|
new_content = updated_yarn_lock(yarn_lock)
|
|
31
29
|
|
|
@@ -235,16 +233,12 @@ module Dependabot
|
|
|
235
233
|
raise Dependabot::GitDependenciesNotReachable, dependency_url
|
|
236
234
|
end
|
|
237
235
|
|
|
238
|
-
if error_message.match?(TIMEOUT_FETCHING_PACKAGE)
|
|
239
|
-
handle_timeout(error_message, yarn_lock)
|
|
240
|
-
end
|
|
236
|
+
handle_timeout(error_message, yarn_lock) if error_message.match?(TIMEOUT_FETCHING_PACKAGE)
|
|
241
237
|
|
|
242
238
|
if error_message.start_with?("Couldn't find any versions") ||
|
|
243
239
|
error_message.include?(": Not found")
|
|
244
240
|
|
|
245
|
-
unless resolvable_before_update?(yarn_lock)
|
|
246
|
-
raise_resolvability_error(error_message, yarn_lock)
|
|
247
|
-
end
|
|
241
|
+
raise_resolvability_error(error_message, yarn_lock) unless resolvable_before_update?(yarn_lock)
|
|
248
242
|
|
|
249
243
|
# Dependabot has probably messed something up with the update and we
|
|
250
244
|
# want to hear about it
|
|
@@ -259,9 +253,7 @@ module Dependabot
|
|
|
259
253
|
|
|
260
254
|
def resolvable_before_update?(yarn_lock)
|
|
261
255
|
@resolvable_before_update ||= {}
|
|
262
|
-
if @resolvable_before_update.key?(yarn_lock.name)
|
|
263
|
-
return @resolvable_before_update[yarn_lock.name]
|
|
264
|
-
end
|
|
256
|
+
return @resolvable_before_update[yarn_lock.name] if @resolvable_before_update.key?(yarn_lock.name)
|
|
265
257
|
|
|
266
258
|
@resolvable_before_update[yarn_lock.name] =
|
|
267
259
|
begin
|
|
@@ -392,9 +384,7 @@ module Dependabot
|
|
|
392
384
|
'https://\1/'
|
|
393
385
|
)
|
|
394
386
|
|
|
395
|
-
if remove_integrity_lines?
|
|
396
|
-
updated_content = remove_integrity_lines(updated_content)
|
|
397
|
-
end
|
|
387
|
+
updated_content = remove_integrity_lines(updated_content) if remove_integrity_lines?
|
|
398
388
|
|
|
399
389
|
updated_content
|
|
400
390
|
end
|
|
@@ -14,9 +14,7 @@ module Dependabot
|
|
|
14
14
|
def homepage_url
|
|
15
15
|
# Attempt to use version_listing first, as fetching the entire listing
|
|
16
16
|
# array can be slow (if it's large)
|
|
17
|
-
if latest_version_listing["homepage"]
|
|
18
|
-
return latest_version_listing["homepage"]
|
|
19
|
-
end
|
|
17
|
+
return latest_version_listing["homepage"] if latest_version_listing["homepage"]
|
|
20
18
|
|
|
21
19
|
listing = all_version_listings.find { |_, l| l["homepage"] }
|
|
22
20
|
listing&.last&.fetch("homepage", nil) || super
|
|
@@ -136,9 +134,7 @@ module Dependabot
|
|
|
136
134
|
# Special case DefinitelyTyped, which has predictable URLs.
|
|
137
135
|
# This can be removed once this PR is merged:
|
|
138
136
|
# https://github.com/Microsoft/types-publisher/pull/578
|
|
139
|
-
if source_from_url.repo == "DefinitelyTyped/DefinitelyTyped"
|
|
140
|
-
return dependency.name.gsub(/^@/, "")
|
|
141
|
-
end
|
|
137
|
+
return dependency.name.gsub(/^@/, "") if source_from_url.repo == "DefinitelyTyped/DefinitelyTyped"
|
|
142
138
|
|
|
143
139
|
# Only return a directory if it is explicitly specified
|
|
144
140
|
return unless details.is_a?(Hash)
|
|
@@ -160,9 +156,7 @@ module Dependabot
|
|
|
160
156
|
**SharedHelpers.excon_defaults(headers: registry_auth_headers)
|
|
161
157
|
)
|
|
162
158
|
|
|
163
|
-
if response.status == 200
|
|
164
|
-
return @latest_version_listing = JSON.parse(response.body)
|
|
165
|
-
end
|
|
159
|
+
return @latest_version_listing = JSON.parse(response.body) if response.status == 200
|
|
166
160
|
|
|
167
161
|
@latest_version_listing = {}
|
|
168
162
|
rescue JSON::ParserError, Excon::Error::Timeout
|
|
@@ -17,9 +17,7 @@ module Dependabot
|
|
|
17
17
|
PATTERN = /\A#{PATTERN_RAW}\z/.freeze
|
|
18
18
|
|
|
19
19
|
def self.parse(obj)
|
|
20
|
-
if obj.is_a?(Gem::Version)
|
|
21
|
-
return ["=", NpmAndYarn::Version.new(obj.to_s)]
|
|
22
|
-
end
|
|
20
|
+
return ["=", NpmAndYarn::Version.new(obj.to_s)] if obj.is_a?(Gem::Version)
|
|
23
21
|
|
|
24
22
|
unless (matches = PATTERN.match(obj.to_s))
|
|
25
23
|
msg = "Illformed requirement [#{obj.inspect}]"
|
|
@@ -88,9 +86,7 @@ module Dependabot
|
|
|
88
86
|
upper_bound_range =
|
|
89
87
|
if upper_bound_parts.length < 3
|
|
90
88
|
# When upper bound is a partial version treat these as an X-range
|
|
91
|
-
if upper_bound_parts[-1].to_i.positive?
|
|
92
|
-
upper_bound_parts[-1] = upper_bound_parts[-1].to_i + 1
|
|
93
|
-
end
|
|
89
|
+
upper_bound_parts[-1] = upper_bound_parts[-1].to_i + 1 if upper_bound_parts[-1].to_i.positive?
|
|
94
90
|
upper_bound_parts.fill("0", upper_bound_parts.length...3)
|
|
95
91
|
"< #{upper_bound_parts.join('.')}.a"
|
|
96
92
|
else
|
|
@@ -54,9 +54,7 @@ module Dependabot
|
|
|
54
54
|
def latest_resolvable_version_with_no_unlock
|
|
55
55
|
return latest_resolvable_version unless dependency.top_level?
|
|
56
56
|
|
|
57
|
-
if git_dependency?
|
|
58
|
-
return latest_resolvable_version_with_no_unlock_for_git_dependency
|
|
59
|
-
end
|
|
57
|
+
return latest_resolvable_version_with_no_unlock_for_git_dependency if git_dependency?
|
|
60
58
|
|
|
61
59
|
latest_version_finder.latest_version_with_no_unlock
|
|
62
60
|
end
|
|
@@ -89,9 +87,7 @@ module Dependabot
|
|
|
89
87
|
|
|
90
88
|
def requirements_update_strategy
|
|
91
89
|
# If passed in as an option (in the base class) honour that option
|
|
92
|
-
if @requirements_update_strategy
|
|
93
|
-
return @requirements_update_strategy.to_sym
|
|
94
|
-
end
|
|
90
|
+
return @requirements_update_strategy.to_sym if @requirements_update_strategy
|
|
95
91
|
|
|
96
92
|
# Otherwise, widen ranges for libraries and bump versions for apps
|
|
97
93
|
library? ? :widen_ranges : :bump_versions
|
|
@@ -188,9 +184,7 @@ module Dependabot
|
|
|
188
184
|
def git_branch_or_ref_in_latest_release?
|
|
189
185
|
return false unless latest_released_version
|
|
190
186
|
|
|
191
|
-
if defined?(@git_branch_or_ref_in_latest_release)
|
|
192
|
-
return @git_branch_or_ref_in_latest_release
|
|
193
|
-
end
|
|
187
|
+
return @git_branch_or_ref_in_latest_release if defined?(@git_branch_or_ref_in_latest_release)
|
|
194
188
|
|
|
195
189
|
@git_branch_or_ref_in_latest_release ||=
|
|
196
190
|
git_commit_checker.branch_or_ref_in_release?(latest_released_version)
|
|
@@ -261,9 +255,7 @@ module Dependabot
|
|
|
261
255
|
|
|
262
256
|
# Otherwise, if the gem isn't pinned, the latest version is just the
|
|
263
257
|
# latest commit for the specified branch.
|
|
264
|
-
unless git_commit_checker.pinned?
|
|
265
|
-
return { sha: git_commit_checker.head_commit_for_current_branch }
|
|
266
|
-
end
|
|
258
|
+
return { sha: git_commit_checker.head_commit_for_current_branch } unless git_commit_checker.pinned?
|
|
267
259
|
|
|
268
260
|
# If the dependency is pinned to a tag that doesn't look like a
|
|
269
261
|
# version then there's nothing we can do.
|
|
@@ -111,9 +111,7 @@ module Dependabot
|
|
|
111
111
|
ignore_reqs.any? { |r| r.satisfied_by?(v) }
|
|
112
112
|
end
|
|
113
113
|
|
|
114
|
-
if @raise_on_ignored && filtered.empty? && versions_array.any?
|
|
115
|
-
raise AllVersionsIgnored
|
|
116
|
-
end
|
|
114
|
+
raise AllVersionsIgnored if @raise_on_ignored && filtered.empty? && versions_array.any?
|
|
117
115
|
|
|
118
116
|
filtered
|
|
119
117
|
end
|
|
@@ -261,9 +259,7 @@ module Dependabot
|
|
|
261
259
|
def version_endpoint_working?
|
|
262
260
|
return true if dependency_registry == "registry.npmjs.org"
|
|
263
261
|
|
|
264
|
-
if defined?(@version_endpoint_working)
|
|
265
|
-
return @version_endpoint_working
|
|
266
|
-
end
|
|
262
|
+
return @version_endpoint_working if defined?(@version_endpoint_working)
|
|
267
263
|
|
|
268
264
|
@version_endpoint_working =
|
|
269
265
|
begin
|
|
@@ -216,9 +216,7 @@ module Dependabot
|
|
|
216
216
|
|
|
217
217
|
# If there are multiple source types, or multiple source URLs, then
|
|
218
218
|
# it's unclear how we should proceed
|
|
219
|
-
if sources.map { |s| [s[:type], s[:url]] }.uniq.count > 1
|
|
220
|
-
raise "Multiple sources! #{sources.join(', ')}"
|
|
221
|
-
end
|
|
219
|
+
raise "Multiple sources! #{sources.join(', ')}" if sources.map { |s| [s[:type], s[:url]] }.uniq.count > 1
|
|
222
220
|
|
|
223
221
|
# Otherwise we just take the URL of the first private registry
|
|
224
222
|
sources.find { |s| s[:type] == "private_registry" }&.fetch(:url)
|
|
@@ -60,9 +60,7 @@ module Dependabot
|
|
|
60
60
|
return latest_allowable_version if git_dependency?(dependency)
|
|
61
61
|
return if part_of_tightly_locked_monorepo?
|
|
62
62
|
|
|
63
|
-
unless relevant_unmet_peer_dependencies.any?
|
|
64
|
-
return latest_allowable_version
|
|
65
|
-
end
|
|
63
|
+
return latest_allowable_version unless relevant_unmet_peer_dependencies.any?
|
|
66
64
|
|
|
67
65
|
satisfying_versions.first
|
|
68
66
|
end
|
|
@@ -79,9 +77,7 @@ module Dependabot
|
|
|
79
77
|
|
|
80
78
|
def dependency_updates_from_full_unlock
|
|
81
79
|
return if git_dependency?(dependency)
|
|
82
|
-
if part_of_tightly_locked_monorepo?
|
|
83
|
-
return updated_monorepo_dependencies
|
|
84
|
-
end
|
|
80
|
+
return updated_monorepo_dependencies if part_of_tightly_locked_monorepo?
|
|
85
81
|
return if newly_broken_peer_reqs_from_dep.any?
|
|
86
82
|
|
|
87
83
|
updates = [{
|
|
@@ -219,9 +215,7 @@ module Dependabot
|
|
|
219
215
|
end
|
|
220
216
|
|
|
221
217
|
def old_peer_dependency_errors
|
|
222
|
-
if @old_peer_dependency_errors_checked
|
|
223
|
-
return @old_peer_dependency_errors
|
|
224
|
-
end
|
|
218
|
+
return @old_peer_dependency_errors if @old_peer_dependency_errors_checked
|
|
225
219
|
|
|
226
220
|
@old_peer_dependency_errors_checked = true
|
|
227
221
|
|
|
@@ -534,9 +528,7 @@ module Dependabot
|
|
|
534
528
|
end
|
|
535
529
|
|
|
536
530
|
def version_for_dependency(dep)
|
|
537
|
-
if dep.version && version_class.correct?(dep.version)
|
|
538
|
-
return version_class.new(dep.version)
|
|
539
|
-
end
|
|
531
|
+
return version_class.new(dep.version) if dep.version && version_class.correct?(dep.version)
|
|
540
532
|
|
|
541
533
|
dep.requirements.map { |r| r[:requirement] }.compact.
|
|
542
534
|
reject { |req_string| req_string.start_with?("<") }.
|
|
@@ -29,9 +29,7 @@ module Dependabot
|
|
|
29
29
|
@version_string = version.to_s
|
|
30
30
|
version = version.gsub(/^v/, "") if version.is_a?(String)
|
|
31
31
|
|
|
32
|
-
if version.to_s.include?("+")
|
|
33
|
-
version, @build_info = version.to_s.split("+")
|
|
34
|
-
end
|
|
32
|
+
version, @build_info = version.to_s.split("+") if version.to_s.include?("+")
|
|
35
33
|
|
|
36
34
|
super
|
|
37
35
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.125.
|
|
4
|
+
version: 0.125.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.125.
|
|
19
|
+
version: 0.125.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.125.
|
|
26
|
+
version: 0.125.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|