dependabot-npm_and_yarn 0.176.0 → 0.177.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/helpers/package-lock.json +6 -6
- data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb +2 -2
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +22 -22
- data/lib/dependabot/npm_and_yarn/helpers.rb +2 -2
- data/lib/dependabot/npm_and_yarn/native_helpers.rb +1 -1
- data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb +2 -2
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +7 -7
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 52a42523d67ccc035c219c5bfe10dc5a2dfbdfc94f9861bf4a4c059d060fcc23
|
|
4
|
+
data.tar.gz: '0631281fdc085c071457a35c165fd30c12932a43d3db2c482d30d76a2536fa0d'
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2438424284f5903523fdbecc7336a8e9b160e2038d997d58c51a9270e58de10b41f193d9cb64b02fb4162b00ed67dc0351f308a68bce3e4ed7f92d3ccc6743d7
|
|
7
|
+
data.tar.gz: 24a57ea220261c9bbb6f6ecd8a25fd297de28f807a1ad4da2ba0a622dd15c0dc2f8c0abf6c18857318e9062f76258bf87cc75944319ffb6450db6bd6c2042699
|
data/helpers/package-lock.json
CHANGED
|
@@ -12003,9 +12003,9 @@
|
|
|
12003
12003
|
}
|
|
12004
12004
|
},
|
|
12005
12005
|
"node_modules/object-path": {
|
|
12006
|
-
"version": "0.11.
|
|
12007
|
-
"resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.
|
|
12008
|
-
"integrity": "sha512-
|
|
12006
|
+
"version": "0.11.8",
|
|
12007
|
+
"resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.8.tgz",
|
|
12008
|
+
"integrity": "sha512-YJjNZrlXJFM42wTBn6zgOJVar9KFJvzx6sTWDte8sWZF//cnjl0BxHNpfZx+ZffXX63A9q0b1zsFiBX4g4X5KA==",
|
|
12009
12009
|
"engines": {
|
|
12010
12010
|
"node": ">= 10.12.0"
|
|
12011
12011
|
}
|
|
@@ -23163,9 +23163,9 @@
|
|
|
23163
23163
|
"integrity": "sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA=="
|
|
23164
23164
|
},
|
|
23165
23165
|
"object-path": {
|
|
23166
|
-
"version": "0.11.
|
|
23167
|
-
"resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.
|
|
23168
|
-
"integrity": "sha512-
|
|
23166
|
+
"version": "0.11.8",
|
|
23167
|
+
"resolved": "https://registry.npmjs.org/object-path/-/object-path-0.11.8.tgz",
|
|
23168
|
+
"integrity": "sha512-YJjNZrlXJFM42wTBn6zgOJVar9KFJvzx6sTWDte8sWZF//cnjl0BxHNpfZx+ZffXX63A9q0b1zsFiBX4g4X5KA=="
|
|
23169
23169
|
},
|
|
23170
23170
|
"object.omit": {
|
|
23171
23171
|
"version": "2.0.1",
|
|
@@ -55,8 +55,8 @@ module Dependabot
|
|
|
55
55
|
def npm_lockfile_details(lockfile, dependency_name, manifest_name)
|
|
56
56
|
parsed_lockfile = parse_package_lock(lockfile)
|
|
57
57
|
|
|
58
|
-
if Helpers.npm_version(lockfile.content) == "
|
|
59
|
-
# NOTE: npm
|
|
58
|
+
if Helpers.npm_version(lockfile.content) == "npm8"
|
|
59
|
+
# NOTE: npm 8 sometimes doesn't install workspace dependencies in the
|
|
60
60
|
# workspace folder so we need to fallback to checking top-level
|
|
61
61
|
nested_details = parsed_lockfile.dig("packages", node_modules_path(manifest_name, dependency_name))
|
|
62
62
|
details = nested_details || parsed_lockfile.dig("packages", "node_modules/#{dependency_name}")
|
|
@@ -45,9 +45,9 @@ module Dependabot
|
|
|
45
45
|
# TODO: look into fixing this in npm, seems like a bug in the git
|
|
46
46
|
# downloader introduced in npm 7
|
|
47
47
|
#
|
|
48
|
-
# NOTE: error message returned from arborist/npm
|
|
48
|
+
# NOTE: error message returned from arborist/npm 8 when trying to
|
|
49
49
|
# fetching a invalid/non-existent git ref
|
|
50
|
-
|
|
50
|
+
NPM8_MISSING_GIT_REF = /already exists and is not an empty directory/.freeze
|
|
51
51
|
NPM6_MISSING_GIT_REF = /did not match any file\(s\) known to git/.freeze
|
|
52
52
|
|
|
53
53
|
def updated_lockfile_content
|
|
@@ -141,8 +141,8 @@ module Dependabot
|
|
|
141
141
|
end
|
|
142
142
|
|
|
143
143
|
def run_npm_top_level_updater(top_level_dependencies:)
|
|
144
|
-
if
|
|
145
|
-
|
|
144
|
+
if npm8?
|
|
145
|
+
run_npm8_top_level_updater(top_level_dependencies: top_level_dependencies)
|
|
146
146
|
else
|
|
147
147
|
SharedHelpers.run_helper_subprocess(
|
|
148
148
|
command: NativeHelpers.helper_path,
|
|
@@ -156,7 +156,7 @@ module Dependabot
|
|
|
156
156
|
end
|
|
157
157
|
end
|
|
158
158
|
|
|
159
|
-
def
|
|
159
|
+
def run_npm8_top_level_updater(top_level_dependencies:)
|
|
160
160
|
dependencies_in_current_package_json = top_level_dependencies.any? do |dependency|
|
|
161
161
|
dependency_in_package_json?(dependency)
|
|
162
162
|
end
|
|
@@ -195,8 +195,8 @@ module Dependabot
|
|
|
195
195
|
end
|
|
196
196
|
|
|
197
197
|
def run_npm_subdependency_updater
|
|
198
|
-
if
|
|
199
|
-
|
|
198
|
+
if npm8?
|
|
199
|
+
run_npm8_subdependency_updater
|
|
200
200
|
else
|
|
201
201
|
SharedHelpers.run_helper_subprocess(
|
|
202
202
|
command: NativeHelpers.helper_path,
|
|
@@ -206,9 +206,9 @@ module Dependabot
|
|
|
206
206
|
end
|
|
207
207
|
end
|
|
208
208
|
|
|
209
|
-
def
|
|
209
|
+
def run_npm8_subdependency_updater
|
|
210
210
|
dependency_names = sub_dependencies.map(&:name)
|
|
211
|
-
SharedHelpers.run_shell_command(NativeHelpers.
|
|
211
|
+
SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command(dependency_names))
|
|
212
212
|
{ lockfile_basename => File.read(lockfile_basename) }
|
|
213
213
|
end
|
|
214
214
|
|
|
@@ -365,12 +365,12 @@ module Dependabot
|
|
|
365
365
|
error_message.include?("Non-registry package missing package") ||
|
|
366
366
|
error_message.include?("Invalid tag name") ||
|
|
367
367
|
error_message.match?(NPM6_MISSING_GIT_REF) ||
|
|
368
|
-
error_message.match?(
|
|
368
|
+
error_message.match?(NPM8_MISSING_GIT_REF)) &&
|
|
369
369
|
!resolvable_before_update?
|
|
370
370
|
raise_resolvability_error(error_message)
|
|
371
371
|
end
|
|
372
372
|
|
|
373
|
-
# NOTE: This check was introduced in
|
|
373
|
+
# NOTE: This check was introduced in npm8/arborist
|
|
374
374
|
if error_message.include?("must provide string spec")
|
|
375
375
|
msg = "Error parsing your package.json manifest: the version requirement must be a string"
|
|
376
376
|
raise Dependabot::DependencyFileNotParseable, msg
|
|
@@ -609,10 +609,10 @@ module Dependabot
|
|
|
609
609
|
# Restore lockfile name attribute from the original lockfile
|
|
610
610
|
updated_lockfile_content = replace_project_name(updated_lockfile_content, parsed_updated_lockfile_content)
|
|
611
611
|
|
|
612
|
-
# Restore npm
|
|
612
|
+
# Restore npm 8 "packages" "name" entry from package.json if previously set
|
|
613
613
|
updated_lockfile_content = restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
|
|
614
614
|
|
|
615
|
-
# Switch back npm
|
|
615
|
+
# Switch back npm 8 lockfile "packages" requirements from the package.json
|
|
616
616
|
updated_lockfile_content = restore_locked_package_dependencies(
|
|
617
617
|
updated_lockfile_content, parsed_updated_lockfile_content
|
|
618
618
|
)
|
|
@@ -634,7 +634,7 @@ module Dependabot
|
|
|
634
634
|
end
|
|
635
635
|
|
|
636
636
|
def restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
|
|
637
|
-
return updated_lockfile_content unless
|
|
637
|
+
return updated_lockfile_content unless npm8?
|
|
638
638
|
|
|
639
639
|
current_name = parsed_updated_lockfile_content.dig("packages", "", "name")
|
|
640
640
|
original_name = parsed_lockfile.dig("packages", "", "name")
|
|
@@ -679,7 +679,7 @@ module Dependabot
|
|
|
679
679
|
end
|
|
680
680
|
|
|
681
681
|
# NOTE: This is a workaround to "sync" what's in package.json
|
|
682
|
-
# requirements and the `packages.""` entry in npm
|
|
682
|
+
# requirements and the `packages.""` entry in npm 8 v2 lockfiles. These
|
|
683
683
|
# get out of sync because we lock git dependencies (that are not being
|
|
684
684
|
# updated) to a specific sha to prevent unrelated updates and the way we
|
|
685
685
|
# invoke the `npm install` cli, where we might tell npm to install a
|
|
@@ -688,7 +688,7 @@ module Dependabot
|
|
|
688
688
|
# need to copy this from the manifest to the lockfile after the update
|
|
689
689
|
# has finished.
|
|
690
690
|
def restore_locked_package_dependencies(updated_lockfile_content, parsed_updated_lockfile_content)
|
|
691
|
-
return updated_lockfile_content unless
|
|
691
|
+
return updated_lockfile_content unless npm8?
|
|
692
692
|
|
|
693
693
|
dependency_names_to_restore = (dependencies.map(&:name) + git_dependencies_to_lock.keys).uniq
|
|
694
694
|
|
|
@@ -729,10 +729,10 @@ module Dependabot
|
|
|
729
729
|
# updates the lockfile "from" field to the new git commit when we
|
|
730
730
|
# run npm install
|
|
731
731
|
original_from = %("from": "#{details[:from]}")
|
|
732
|
-
if
|
|
732
|
+
if npm8?
|
|
733
733
|
# NOTE: The `from` syntax has changed in npm 7 to inclued the dependency name
|
|
734
|
-
|
|
735
|
-
updated_lockfile_content = updated_lockfile_content.gsub(
|
|
734
|
+
npm8_locked_from = %("from": "#{dependency_name}@#{details[:version]}")
|
|
735
|
+
updated_lockfile_content = updated_lockfile_content.gsub(npm8_locked_from, original_from)
|
|
736
736
|
else
|
|
737
737
|
npm6_locked_from = %("from": "#{details[:version]}")
|
|
738
738
|
updated_lockfile_content = updated_lockfile_content.gsub(npm6_locked_from, original_from)
|
|
@@ -796,10 +796,10 @@ module Dependabot
|
|
|
796
796
|
npmrc_content.match?(/^package-lock\s*=\s*false/)
|
|
797
797
|
end
|
|
798
798
|
|
|
799
|
-
def
|
|
800
|
-
return @
|
|
799
|
+
def npm8?
|
|
800
|
+
return @npm8 if defined?(@npm8)
|
|
801
801
|
|
|
802
|
-
@
|
|
802
|
+
@npm8 = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile.content) == "npm8"
|
|
803
803
|
end
|
|
804
804
|
|
|
805
805
|
def sanitized_package_json_content(content)
|
|
@@ -4,8 +4,8 @@ module Dependabot
|
|
|
4
4
|
module NpmAndYarn
|
|
5
5
|
module Helpers
|
|
6
6
|
def self.npm_version(lockfile_content)
|
|
7
|
-
return "
|
|
8
|
-
return "
|
|
7
|
+
return "npm8" unless lockfile_content
|
|
8
|
+
return "npm8" if JSON.parse(lockfile_content)["lockfileVersion"] >= 2
|
|
9
9
|
|
|
10
10
|
"npm6"
|
|
11
11
|
rescue JSON::ParserError
|
|
@@ -14,7 +14,7 @@ module Dependabot
|
|
|
14
14
|
File.join(__dir__, "../../../helpers")
|
|
15
15
|
end
|
|
16
16
|
|
|
17
|
-
def self.
|
|
17
|
+
def self.npm8_subdependency_update_command(dependency_names)
|
|
18
18
|
# NOTE: npm options
|
|
19
19
|
# - `--force` ignores checks for platform (os, cpu) and engines
|
|
20
20
|
# - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to
|
|
@@ -114,8 +114,8 @@ module Dependabot
|
|
|
114
114
|
Dir.chdir(path) do
|
|
115
115
|
npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile_content)
|
|
116
116
|
|
|
117
|
-
if npm_version == "
|
|
118
|
-
SharedHelpers.run_shell_command(NativeHelpers.
|
|
117
|
+
if npm_version == "npm8"
|
|
118
|
+
SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command([dependency.name]))
|
|
119
119
|
{ lockfile_name => File.read(lockfile_name) }
|
|
120
120
|
else
|
|
121
121
|
SharedHelpers.run_helper_subprocess(
|
|
@@ -54,7 +54,7 @@ module Dependabot
|
|
|
54
54
|
# or with two semver constraints:
|
|
55
55
|
# npm ERR! Could not resolve dependency:
|
|
56
56
|
# npm ERR! peer @opentelemetry/api@">=1.0.0 <1.1.0" from @opentelemetry/context-async-hooks@1.0.1
|
|
57
|
-
|
|
57
|
+
NPM8_PEER_DEP_ERROR_REGEX =
|
|
58
58
|
/
|
|
59
59
|
npm\s(?:WARN|ERR!)\sCould\snot\sresolve\sdependency:\n
|
|
60
60
|
npm\s(?:WARN|ERR!)\speer\s(?<required_dep>\S+@\S+(\s\S+)?)\sfrom\s(?<requiring_dep>\S+@\S+)
|
|
@@ -258,8 +258,8 @@ module Dependabot
|
|
|
258
258
|
e.message.scan(NPM6_PEER_DEP_ERROR_REGEX) do
|
|
259
259
|
errors << Regexp.last_match.named_captures
|
|
260
260
|
end
|
|
261
|
-
elsif e.message.match?(
|
|
262
|
-
e.message.scan(
|
|
261
|
+
elsif e.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
|
|
262
|
+
e.message.scan(NPM8_PEER_DEP_ERROR_REGEX) do
|
|
263
263
|
errors << Regexp.last_match.named_captures
|
|
264
264
|
end
|
|
265
265
|
elsif e.message.match?(YARN_PEER_DEP_ERROR_REGEX)
|
|
@@ -440,7 +440,7 @@ module Dependabot
|
|
|
440
440
|
end
|
|
441
441
|
npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(package_lock&.content)
|
|
442
442
|
|
|
443
|
-
return
|
|
443
|
+
return run_npm8_checker(version: version) if npm_version == "npm8"
|
|
444
444
|
|
|
445
445
|
SharedHelpers.run_helper_subprocess(
|
|
446
446
|
command: NativeHelpers.helper_path,
|
|
@@ -457,16 +457,16 @@ module Dependabot
|
|
|
457
457
|
end
|
|
458
458
|
end
|
|
459
459
|
|
|
460
|
-
def
|
|
460
|
+
def run_npm8_checker(version:)
|
|
461
461
|
cmd =
|
|
462
462
|
"npm install #{version_install_arg(version: version)} --package-lock-only --dry-run=true --ignore-scripts"
|
|
463
463
|
output = SharedHelpers.run_shell_command(cmd)
|
|
464
|
-
if output.match?(
|
|
464
|
+
if output.match?(NPM8_PEER_DEP_ERROR_REGEX)
|
|
465
465
|
error_context = { command: cmd, process_exit_value: 1 }
|
|
466
466
|
raise SharedHelpers::HelperSubprocessFailed.new(message: output, error_context: error_context)
|
|
467
467
|
end
|
|
468
468
|
rescue SharedHelpers::HelperSubprocessFailed => e
|
|
469
|
-
raise if e.message.match?(
|
|
469
|
+
raise if e.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
|
|
470
470
|
end
|
|
471
471
|
|
|
472
472
|
def version_install_arg(version:)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.177.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-03-04 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.177.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.177.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|