dependabot-npm_and_yarn 0.196.1 → 0.196.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/helpers/lib/npm/vulnerability-auditor.js +37 -0
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +43 -19
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 17d091442f5535aee32eff806235c2c2fd5a003c1a0462020b66ed72877193c5
|
4
|
+
data.tar.gz: 0bc5a3ea0d891b2b146b576fa173e335b61e6495eb7d5246fffc9c7742dc2e55
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 488838fc133bb86735d241857ce6ce2825a2b00d555568999c435426e64b94a01f657f685f53b4f354daeb2437d257dcd319b4e935303bc8eb2237379ef25bd7
|
7
|
+
data.tar.gz: 239df30dd2eb4694e28f7382c1bfa6c75dc64b94d3d086c7831bbe893d1d06c5cb86244ad93635a192f0e96f6d3aa91aba6cefb535464f77492bad8796454c4b
|
@@ -34,6 +34,8 @@ const exec = promisify(require('child_process').exec)
|
|
34
34
|
async function findVulnerableDependencies(directory, advisories) {
|
35
35
|
const npmConfig = await loadNpmConfig()
|
36
36
|
const caCerts = loadCACerts(npmConfig)
|
37
|
+
const registryOpts = extractRegistryOptions(npmConfig)
|
38
|
+
const registryCreds = loadNpmConfigCredentials(directory)
|
37
39
|
|
38
40
|
const arb = new Arborist({
|
39
41
|
path: directory,
|
@@ -41,6 +43,8 @@ async function findVulnerableDependencies(directory, advisories) {
|
|
41
43
|
ca: caCerts,
|
42
44
|
force: true,
|
43
45
|
dryRun: true,
|
46
|
+
...registryOpts,
|
47
|
+
...registryCreds,
|
44
48
|
})
|
45
49
|
|
46
50
|
const scope = nock('http://localhost:9999')
|
@@ -170,6 +174,39 @@ async function loadNpmConfig() {
|
|
170
174
|
return JSON.parse(configOutput.stdout)
|
171
175
|
}
|
172
176
|
|
177
|
+
function extractRegistryOptions(npmConfig) {
|
178
|
+
const opts = []
|
179
|
+
for (const [key, value] of Object.entries(npmConfig)) {
|
180
|
+
if (key == "registry" || key.endsWith(":registry")) {
|
181
|
+
opts.push([key, value])
|
182
|
+
}
|
183
|
+
}
|
184
|
+
return Object.fromEntries(opts)
|
185
|
+
}
|
186
|
+
|
187
|
+
// loadNpmConfig doesn't return registry credentials so we need to manually extract them. If available,
|
188
|
+
// Dependabot will have written them to the project's .npmrc file.
|
189
|
+
const ini = require('ini')
|
190
|
+
const path = require('path')
|
191
|
+
|
192
|
+
const credKeys = ['token', '_authToken', '_auth']
|
193
|
+
|
194
|
+
function loadNpmConfigCredentials(projectDir) {
|
195
|
+
const projectNpmrc = maybeReadFile(path.join(projectDir, '.npmrc'))
|
196
|
+
if (!projectNpmrc) {
|
197
|
+
return {}
|
198
|
+
}
|
199
|
+
|
200
|
+
const credentials = []
|
201
|
+
const config = ini.parse(projectNpmrc)
|
202
|
+
for (const [key, value] of Object.entries(config)) {
|
203
|
+
if (credKeys.includes(key) || credKeys.some((credKey) => key.endsWith(':' + credKey))) {
|
204
|
+
credentials.push([key, value])
|
205
|
+
}
|
206
|
+
}
|
207
|
+
return Object.fromEntries(credentials)
|
208
|
+
}
|
209
|
+
|
173
210
|
// sourced from npm's cli/lib/utils/config/definitions.js for reading certs from the cafile option
|
174
211
|
const fs = require('fs')
|
175
212
|
const maybeReadFile = file => {
|
@@ -291,7 +291,7 @@ module Dependabot
|
|
291
291
|
|
292
292
|
if matches_double_glob && !nested
|
293
293
|
dependency_files +=
|
294
|
-
|
294
|
+
find_directories(File.join(path, "*")).flat_map do |nested_path|
|
295
295
|
fetch_lerna_packages_from_path(nested_path, true)
|
296
296
|
end
|
297
297
|
end
|
@@ -309,34 +309,58 @@ module Dependabot
|
|
309
309
|
[] # Invalid lerna.json, which must not be in use
|
310
310
|
end
|
311
311
|
|
312
|
-
paths_array.flat_map
|
313
|
-
# The packages/!(not-this-package) syntax is unique to Yarn
|
314
|
-
if path.include?("*") || path.include?("!(")
|
315
|
-
expanded_paths(path)
|
316
|
-
else
|
317
|
-
path
|
318
|
-
end
|
319
|
-
end
|
312
|
+
paths_array.flat_map { |path| recursive_find_directories(path) }
|
320
313
|
end
|
321
314
|
|
322
315
|
# Only expands globs one level deep, so path/**/* gets expanded to path/
|
323
|
-
def
|
324
|
-
|
316
|
+
def find_directories(glob)
|
317
|
+
return [glob] unless glob.include?("*") || yarn_ignored_glob(glob)
|
318
|
+
|
319
|
+
unglobbed_path =
|
320
|
+
glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*").
|
321
|
+
split("*").
|
322
|
+
first&.gsub(%r{(?<=/)[^/]*$}, "") || "."
|
325
323
|
|
326
324
|
dir = directory.gsub(%r{(^/|/$)}, "")
|
327
|
-
path = path.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
|
328
|
-
unglobbed_path = path.split("*").first&.gsub(%r{(?<=/)[^/]*$}, "") ||
|
329
|
-
"."
|
330
325
|
|
331
|
-
|
326
|
+
paths =
|
332
327
|
repo_contents(dir: unglobbed_path, raise_errors: false).
|
333
328
|
select { |file| file.type == "dir" }.
|
334
|
-
map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
|
335
|
-
|
329
|
+
map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
|
330
|
+
|
331
|
+
matching_paths(glob, paths)
|
332
|
+
end
|
333
|
+
|
334
|
+
def matching_paths(glob, paths)
|
335
|
+
ignored_glob = yarn_ignored_glob(glob)
|
336
|
+
glob = glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
|
337
|
+
|
338
|
+
results = paths.select { |filename| File.fnmatch?(glob, filename) }
|
339
|
+
return results unless ignored_glob
|
336
340
|
|
337
|
-
|
341
|
+
results.reject { |filename| File.fnmatch?(ignored_glob, filename) }
|
342
|
+
end
|
343
|
+
|
344
|
+
def recursive_find_directories(glob, prefix = "")
|
345
|
+
return [prefix + glob] unless glob.include?("*") || yarn_ignored_glob(glob)
|
346
|
+
|
347
|
+
glob = glob.gsub(%r{^\./}, "")
|
348
|
+
glob_parts = glob.split("/")
|
349
|
+
|
350
|
+
paths = find_directories(prefix + glob_parts.first)
|
351
|
+
next_parts = glob_parts.drop(1)
|
352
|
+
return paths if next_parts.empty?
|
353
|
+
|
354
|
+
paths = paths.flat_map do |expanded_path|
|
355
|
+
recursive_find_directories(next_parts.join("/"), "#{expanded_path}/")
|
356
|
+
end
|
357
|
+
|
358
|
+
matching_paths(prefix + glob, paths)
|
359
|
+
end
|
338
360
|
|
339
|
-
|
361
|
+
# The packages/!(not-this-package) syntax is unique to Yarn
|
362
|
+
def yarn_ignored_glob(glob)
|
363
|
+
glob.match?(/!\(.*?\)/) && glob.gsub(/(!\((.*?)\))/, '\2')
|
340
364
|
end
|
341
365
|
|
342
366
|
def parsed_package_json
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.196.
|
4
|
+
version: 0.196.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-06-
|
11
|
+
date: 2022-06-29 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.196.
|
19
|
+
version: 0.196.2
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.196.
|
26
|
+
version: 0.196.2
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debase
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|