dependabot-npm_and_yarn 0.148.2 → 0.148.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '0934c52ae2134457fb26aa2e441bf7c5b5f107edfaa28d411f4ceabca11e7025'
-  data.tar.gz: fc29a3b01a901d5043f2e19c3fa9898eb3f34dab5f79dafc5e867d09e5a1619e
+  metadata.gz: 4b40cff952bef4f82021885dda1255e523fe13f1f178fc20cb458f240bc9a782
+  data.tar.gz: 6feac5795b74ef7e7370a8fc611aee70ac880d9134b476517f34fe3115facf2e
 SHA512:
-  metadata.gz: 76d46b06ec8ec0debf85956c988067a1faeab79679c5f3247a7aeb0c87b1cfaf32b7ccc140ec6a81f1dce0afe0ff4181c8ee4c310c537c8744be68713a691d55
-  data.tar.gz: 636eab52435577682ec8db9f80691e7d713e9a5e73e2f57b3e1069d45401b69952e44c0b0bf1d543e90a481fd9cda9b4479b2eaa216598da7f2cc665120b7def
+  metadata.gz: 34964357c3f0f42fae7a66d1a548546b13beaa1d325960fae1784384e411359547f866238a13f2fe0d1b852e532a6c85a5a0f81511f87d300cbadfd6208ee06d
+  data.tar.gz: 661f53b8ecadb665fa2ce903a671c42b38ace02423a97301d460ed0830eaa71836325344a2bc3845e19711f49632a4c80124afb6bdecb92b8896673911163c53

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -20,11 +20,6 @@ module Dependabot
 
       DEPENDENCY_TYPES =
         %w(dependencies devDependencies optionalDependencies).freeze
-      CENTRAL_REGISTRIES = %w(
-        https://registry.npmjs.org
-        http://registry.npmjs.org
-        https://registry.yarnpkg.com
-      ).freeze
       GIT_URL_REGEX = %r{
         (?<git_prefix>^|^git.*?|^github:|^bitbucket:|^gitlab:|github\.com/)
         (?<username>[a-z0-9-]+)/

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -436,17 +436,11 @@ module Dependabot
                          find { |f| f.name.end_with?(".yarnrc") }
           ).registry
 
-          return if central_registry?(reg) && !package_name.start_with?("@")
+          return if UpdateChecker::RegistryFinder.central_registry?(reg) && !package_name.start_with?("@")
 
           raise Dependabot::PrivateSourceAuthenticationFailure, reg
         end
 
-        def central_registry?(registry)
-          NpmAndYarn::FileParser::CENTRAL_REGISTRIES.any? do |r|
-            r.include?(registry)
-          end
-        end
-
         def resolvable_before_update?
           return @resolvable_before_update if defined?(@resolvable_before_update)
 

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -420,15 +420,11 @@ module Dependabot
             yarnrc_file: yarnrc_file
           ).registry
 
-          return if central_registry?(reg) && !package_name.start_with?("@")
+          return if UpdateChecker::RegistryFinder.central_registry?(reg) && !package_name.start_with?("@")
 
           raise PrivateSourceAuthenticationFailure, reg
         end
 
-        def central_registry?(registry)
-          FileParser::CENTRAL_REGISTRIES.any? { |r| r.include?(registry) }
-        end
-
         def raise_resolvability_error(error_message, yarn_lock)
           dependency_names = dependencies.map(&:name).join(", ")
           msg = "Error whilst updating #{dependency_names} in "\

data/lib/dependabot/npm_and_yarn/metadata_finder.rb

@@ -6,6 +6,7 @@ require "time"
 require "dependabot/metadata_finders"
 require "dependabot/metadata_finders/base"
 require "dependabot/shared_helpers"
+require "dependabot/npm_and_yarn/update_checker/registry_finder"
 require "dependabot/npm_and_yarn/version"
 
 module Dependabot
@@ -92,9 +93,8 @@ module Dependabot
 
       def new_source
         sources = dependency.requirements.
-                  map { |r| r.fetch(:source) }.uniq.compact
-
-        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+                  map { |r| r.fetch(:source) }.uniq.compact.
+                  sort_by { |source| UpdateChecker::RegistryFinder.central_registry?(source[:url]) ? 1 : 0 }
 
         sources.first
       end

data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb

@@ -8,6 +8,11 @@ module Dependabot
   module NpmAndYarn
     class UpdateChecker
       class RegistryFinder
+        CENTRAL_REGISTRIES = %w(
+          https://registry.npmjs.org
+          http://registry.npmjs.org
+          https://registry.yarnpkg.com
+        ).freeze
         NPM_AUTH_TOKEN_REGEX =
           %r{//(?<registry>.*)/:_authToken=(?<token>.*)$}.freeze
         NPM_GLOBAL_REGISTRY_REGEX =
@@ -35,6 +40,12 @@ module Dependabot
           "#{registry_url.gsub(%r{/+$}, '')}/#{escaped_dependency_name}"
         end
 
+        def self.central_registry?(registry)
+          CENTRAL_REGISTRIES.any? do |r|
+            r.include?(registry)
+          end
+        end
+
         private
 
         attr_reader :dependency, :credentials, :npmrc_file, :yarnrc_file
@@ -212,13 +223,9 @@ module Dependabot
 
         def registry_source_url
           sources = dependency.requirements.
-                    map { |r| r.fetch(:source) }.uniq.compact
-
-          # If there are multiple source types, or multiple source URLs, then
-          # it's unclear how we should proceed
-          raise "Multiple sources! #{sources.join(', ')}" if sources.map { |s| [s[:type], s[:url]] }.uniq.count > 1
+                    map { |r| r.fetch(:source) }.uniq.compact.
+                    sort_by { |source| self.class.central_registry?(source[:url]) ? 1 : 0 }
 
-          # Otherwise we just take the URL of the first registry
           sources.find { |s| s[:type] == "registry" }&.fetch(:url)
         end
       end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.148.2
+  version: 0.148.3
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.148.2
+        version: 0.148.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.148.2
+        version: 0.148.3
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement