dependabot-npm_and_yarn 0.176.0 → 0.177.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 584536d769129c8c4ec7b91ed6f3e3b61a67480202507c1fb8f447cf92597123
4
- data.tar.gz: 787fea358f2e07bf4e1633034bdf4a88e1a35f9451d5fb0154466a49dd18d103
3
+ metadata.gz: 52a42523d67ccc035c219c5bfe10dc5a2dfbdfc94f9861bf4a4c059d060fcc23
4
+ data.tar.gz: '0631281fdc085c071457a35c165fd30c12932a43d3db2c482d30d76a2536fa0d'
5
5
  SHA512:
6
- metadata.gz: c76654e95d7337e5d3200e84598d6f06a8cd3ecdbba511ed20b703727e9b08a2542ae8b587bc23d8ce4c533d111a9b1c1bcc30eb663506f918610e212f4370a5
7
- data.tar.gz: 16aa94ffcd7a1209e8c8ec520421de5d1d52362a644ac19129788433ad118ca749da51eed4c58003690d8a9f59c8a48f57001ec08a71bb222e4935f50d02db47
6
+ metadata.gz: 2438424284f5903523fdbecc7336a8e9b160e2038d997d58c51a9270e58de10b41f193d9cb64b02fb4162b00ed67dc0351f308a68bce3e4ed7f92d3ccc6743d7
7
+ data.tar.gz: 24a57ea220261c9bbb6f6ecd8a25fd297de28f807a1ad4da2ba0a622dd15c0dc2f8c0abf6c18857318e9062f76258bf87cc75944319ffb6450db6bd6c2042699
@@ -12003,9 +12003,9 @@
12003
12003
  }
12004
12004
  },
12005
12005
  "node_modules/object-path": {
12006
- "version": "0.11.5",
12007
- "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.5.tgz",
12008
- "integrity": "sha512-jgSbThcoR/s+XumvGMTMf81QVBmah+/Q7K7YduKeKVWL7N111unR2d6pZZarSk6kY/caeNxUDyxOvMWyzoU2eg==",
12006
+ "version": "0.11.8",
12007
+ "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.8.tgz",
12008
+ "integrity": "sha512-YJjNZrlXJFM42wTBn6zgOJVar9KFJvzx6sTWDte8sWZF//cnjl0BxHNpfZx+ZffXX63A9q0b1zsFiBX4g4X5KA==",
12009
12009
  "engines": {
12010
12010
  "node": ">= 10.12.0"
12011
12011
  }
@@ -23163,9 +23163,9 @@
23163
23163
  "integrity": "sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA=="
23164
23164
  },
23165
23165
  "object-path": {
23166
- "version": "0.11.5",
23167
- "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.5.tgz",
23168
- "integrity": "sha512-jgSbThcoR/s+XumvGMTMf81QVBmah+/Q7K7YduKeKVWL7N111unR2d6pZZarSk6kY/caeNxUDyxOvMWyzoU2eg=="
23166
+ "version": "0.11.8",
23167
+ "resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.8.tgz",
23168
+ "integrity": "sha512-YJjNZrlXJFM42wTBn6zgOJVar9KFJvzx6sTWDte8sWZF//cnjl0BxHNpfZx+ZffXX63A9q0b1zsFiBX4g4X5KA=="
23169
23169
  },
23170
23170
  "object.omit": {
23171
23171
  "version": "2.0.1",
@@ -55,8 +55,8 @@ module Dependabot
55
55
  def npm_lockfile_details(lockfile, dependency_name, manifest_name)
56
56
  parsed_lockfile = parse_package_lock(lockfile)
57
57
 
58
- if Helpers.npm_version(lockfile.content) == "npm7"
59
- # NOTE: npm 7 sometimes doesn't install workspace dependencies in the
58
+ if Helpers.npm_version(lockfile.content) == "npm8"
59
+ # NOTE: npm 8 sometimes doesn't install workspace dependencies in the
60
60
  # workspace folder so we need to fallback to checking top-level
61
61
  nested_details = parsed_lockfile.dig("packages", node_modules_path(manifest_name, dependency_name))
62
62
  details = nested_details || parsed_lockfile.dig("packages", "node_modules/#{dependency_name}")
@@ -45,9 +45,9 @@ module Dependabot
45
45
  # TODO: look into fixing this in npm, seems like a bug in the git
46
46
  # downloader introduced in npm 7
47
47
  #
48
- # NOTE: error message returned from arborist/npm 7 when trying to
48
+ # NOTE: error message returned from arborist/npm 8 when trying to
49
49
  # fetching a invalid/non-existent git ref
50
- NPM7_MISSING_GIT_REF = /already exists and is not an empty directory/.freeze
50
+ NPM8_MISSING_GIT_REF = /already exists and is not an empty directory/.freeze
51
51
  NPM6_MISSING_GIT_REF = /did not match any file\(s\) known to git/.freeze
52
52
 
53
53
  def updated_lockfile_content
@@ -141,8 +141,8 @@ module Dependabot
141
141
  end
142
142
 
143
143
  def run_npm_top_level_updater(top_level_dependencies:)
144
- if npm7?
145
- run_npm_7_top_level_updater(top_level_dependencies: top_level_dependencies)
144
+ if npm8?
145
+ run_npm8_top_level_updater(top_level_dependencies: top_level_dependencies)
146
146
  else
147
147
  SharedHelpers.run_helper_subprocess(
148
148
  command: NativeHelpers.helper_path,
@@ -156,7 +156,7 @@ module Dependabot
156
156
  end
157
157
  end
158
158
 
159
- def run_npm_7_top_level_updater(top_level_dependencies:)
159
+ def run_npm8_top_level_updater(top_level_dependencies:)
160
160
  dependencies_in_current_package_json = top_level_dependencies.any? do |dependency|
161
161
  dependency_in_package_json?(dependency)
162
162
  end
@@ -195,8 +195,8 @@ module Dependabot
195
195
  end
196
196
 
197
197
  def run_npm_subdependency_updater
198
- if npm7?
199
- run_npm_7_subdependency_updater
198
+ if npm8?
199
+ run_npm8_subdependency_updater
200
200
  else
201
201
  SharedHelpers.run_helper_subprocess(
202
202
  command: NativeHelpers.helper_path,
@@ -206,9 +206,9 @@ module Dependabot
206
206
  end
207
207
  end
208
208
 
209
- def run_npm_7_subdependency_updater
209
+ def run_npm8_subdependency_updater
210
210
  dependency_names = sub_dependencies.map(&:name)
211
- SharedHelpers.run_shell_command(NativeHelpers.npm7_subdependency_update_command(dependency_names))
211
+ SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command(dependency_names))
212
212
  { lockfile_basename => File.read(lockfile_basename) }
213
213
  end
214
214
 
@@ -365,12 +365,12 @@ module Dependabot
365
365
  error_message.include?("Non-registry package missing package") ||
366
366
  error_message.include?("Invalid tag name") ||
367
367
  error_message.match?(NPM6_MISSING_GIT_REF) ||
368
- error_message.match?(NPM7_MISSING_GIT_REF)) &&
368
+ error_message.match?(NPM8_MISSING_GIT_REF)) &&
369
369
  !resolvable_before_update?
370
370
  raise_resolvability_error(error_message)
371
371
  end
372
372
 
373
- # NOTE: This check was introduced in npm7/arborist
373
+ # NOTE: This check was introduced in npm8/arborist
374
374
  if error_message.include?("must provide string spec")
375
375
  msg = "Error parsing your package.json manifest: the version requirement must be a string"
376
376
  raise Dependabot::DependencyFileNotParseable, msg
@@ -609,10 +609,10 @@ module Dependabot
609
609
  # Restore lockfile name attribute from the original lockfile
610
610
  updated_lockfile_content = replace_project_name(updated_lockfile_content, parsed_updated_lockfile_content)
611
611
 
612
- # Restore npm 7 "packages" "name" entry from package.json if previously set
612
+ # Restore npm 8 "packages" "name" entry from package.json if previously set
613
613
  updated_lockfile_content = restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
614
614
 
615
- # Switch back npm 7 lockfile "packages" requirements from the package.json
615
+ # Switch back npm 8 lockfile "packages" requirements from the package.json
616
616
  updated_lockfile_content = restore_locked_package_dependencies(
617
617
  updated_lockfile_content, parsed_updated_lockfile_content
618
618
  )
@@ -634,7 +634,7 @@ module Dependabot
634
634
  end
635
635
 
636
636
  def restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
637
- return updated_lockfile_content unless npm7?
637
+ return updated_lockfile_content unless npm8?
638
638
 
639
639
  current_name = parsed_updated_lockfile_content.dig("packages", "", "name")
640
640
  original_name = parsed_lockfile.dig("packages", "", "name")
@@ -679,7 +679,7 @@ module Dependabot
679
679
  end
680
680
 
681
681
  # NOTE: This is a workaround to "sync" what's in package.json
682
- # requirements and the `packages.""` entry in npm 7 v2 lockfiles. These
682
+ # requirements and the `packages.""` entry in npm 8 v2 lockfiles. These
683
683
  # get out of sync because we lock git dependencies (that are not being
684
684
  # updated) to a specific sha to prevent unrelated updates and the way we
685
685
  # invoke the `npm install` cli, where we might tell npm to install a
@@ -688,7 +688,7 @@ module Dependabot
688
688
  # need to copy this from the manifest to the lockfile after the update
689
689
  # has finished.
690
690
  def restore_locked_package_dependencies(updated_lockfile_content, parsed_updated_lockfile_content)
691
- return updated_lockfile_content unless npm7?
691
+ return updated_lockfile_content unless npm8?
692
692
 
693
693
  dependency_names_to_restore = (dependencies.map(&:name) + git_dependencies_to_lock.keys).uniq
694
694
 
@@ -729,10 +729,10 @@ module Dependabot
729
729
  # updates the lockfile "from" field to the new git commit when we
730
730
  # run npm install
731
731
  original_from = %("from": "#{details[:from]}")
732
- if npm7?
732
+ if npm8?
733
733
  # NOTE: The `from` syntax has changed in npm 7 to inclued the dependency name
734
- npm7_locked_from = %("from": "#{dependency_name}@#{details[:version]}")
735
- updated_lockfile_content = updated_lockfile_content.gsub(npm7_locked_from, original_from)
734
+ npm8_locked_from = %("from": "#{dependency_name}@#{details[:version]}")
735
+ updated_lockfile_content = updated_lockfile_content.gsub(npm8_locked_from, original_from)
736
736
  else
737
737
  npm6_locked_from = %("from": "#{details[:version]}")
738
738
  updated_lockfile_content = updated_lockfile_content.gsub(npm6_locked_from, original_from)
@@ -796,10 +796,10 @@ module Dependabot
796
796
  npmrc_content.match?(/^package-lock\s*=\s*false/)
797
797
  end
798
798
 
799
- def npm7?
800
- return @npm7 if defined?(@npm7)
799
+ def npm8?
800
+ return @npm8 if defined?(@npm8)
801
801
 
802
- @npm7 = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile.content) == "npm7"
802
+ @npm8 = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile.content) == "npm8"
803
803
  end
804
804
 
805
805
  def sanitized_package_json_content(content)
@@ -4,8 +4,8 @@ module Dependabot
4
4
  module NpmAndYarn
5
5
  module Helpers
6
6
  def self.npm_version(lockfile_content)
7
- return "npm7" unless lockfile_content
8
- return "npm7" if JSON.parse(lockfile_content)["lockfileVersion"] >= 2
7
+ return "npm8" unless lockfile_content
8
+ return "npm8" if JSON.parse(lockfile_content)["lockfileVersion"] >= 2
9
9
 
10
10
  "npm6"
11
11
  rescue JSON::ParserError
@@ -14,7 +14,7 @@ module Dependabot
14
14
  File.join(__dir__, "../../../helpers")
15
15
  end
16
16
 
17
- def self.npm7_subdependency_update_command(dependency_names)
17
+ def self.npm8_subdependency_update_command(dependency_names)
18
18
  # NOTE: npm options
19
19
  # - `--force` ignores checks for platform (os, cpu) and engines
20
20
  # - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to
@@ -114,8 +114,8 @@ module Dependabot
114
114
  Dir.chdir(path) do
115
115
  npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile_content)
116
116
 
117
- if npm_version == "npm7"
118
- SharedHelpers.run_shell_command(NativeHelpers.npm7_subdependency_update_command([dependency.name]))
117
+ if npm_version == "npm8"
118
+ SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command([dependency.name]))
119
119
  { lockfile_name => File.read(lockfile_name) }
120
120
  else
121
121
  SharedHelpers.run_helper_subprocess(
@@ -54,7 +54,7 @@ module Dependabot
54
54
  # or with two semver constraints:
55
55
  # npm ERR! Could not resolve dependency:
56
56
  # npm ERR! peer @opentelemetry/api@">=1.0.0 <1.1.0" from @opentelemetry/context-async-hooks@1.0.1
57
- NPM7_PEER_DEP_ERROR_REGEX =
57
+ NPM8_PEER_DEP_ERROR_REGEX =
58
58
  /
59
59
  npm\s(?:WARN|ERR!)\sCould\snot\sresolve\sdependency:\n
60
60
  npm\s(?:WARN|ERR!)\speer\s(?<required_dep>\S+@\S+(\s\S+)?)\sfrom\s(?<requiring_dep>\S+@\S+)
@@ -258,8 +258,8 @@ module Dependabot
258
258
  e.message.scan(NPM6_PEER_DEP_ERROR_REGEX) do
259
259
  errors << Regexp.last_match.named_captures
260
260
  end
261
- elsif e.message.match?(NPM7_PEER_DEP_ERROR_REGEX)
262
- e.message.scan(NPM7_PEER_DEP_ERROR_REGEX) do
261
+ elsif e.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
262
+ e.message.scan(NPM8_PEER_DEP_ERROR_REGEX) do
263
263
  errors << Regexp.last_match.named_captures
264
264
  end
265
265
  elsif e.message.match?(YARN_PEER_DEP_ERROR_REGEX)
@@ -440,7 +440,7 @@ module Dependabot
440
440
  end
441
441
  npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(package_lock&.content)
442
442
 
443
- return run_npm7_checker(version: version) if npm_version == "npm7"
443
+ return run_npm8_checker(version: version) if npm_version == "npm8"
444
444
 
445
445
  SharedHelpers.run_helper_subprocess(
446
446
  command: NativeHelpers.helper_path,
@@ -457,16 +457,16 @@ module Dependabot
457
457
  end
458
458
  end
459
459
 
460
- def run_npm7_checker(version:)
460
+ def run_npm8_checker(version:)
461
461
  cmd =
462
462
  "npm install #{version_install_arg(version: version)} --package-lock-only --dry-run=true --ignore-scripts"
463
463
  output = SharedHelpers.run_shell_command(cmd)
464
- if output.match?(NPM7_PEER_DEP_ERROR_REGEX)
464
+ if output.match?(NPM8_PEER_DEP_ERROR_REGEX)
465
465
  error_context = { command: cmd, process_exit_value: 1 }
466
466
  raise SharedHelpers::HelperSubprocessFailed.new(message: output, error_context: error_context)
467
467
  end
468
468
  rescue SharedHelpers::HelperSubprocessFailed => e
469
- raise if e.message.match?(NPM7_PEER_DEP_ERROR_REGEX)
469
+ raise if e.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
470
470
  end
471
471
 
472
472
  def version_install_arg(version:)
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.176.0
4
+ version: 0.177.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-02-28 00:00:00.000000000 Z
11
+ date: 2022-03-04 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.176.0
19
+ version: 0.177.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.176.0
26
+ version: 0.177.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement