dependabot-npm_and_yarn 0.212.0 → 0.213.0
- checksums.yaml +4 -4
- data/helpers/.eslintrc +1 -1
- data/helpers/README.md +2 -2
- data/helpers/lib/npm/vulnerability-auditor.js +7 -7
- data/helpers/package-lock.json +2585 -2386
- data/helpers/package.json +4 -4
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +30 -5
- data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb +19 -4
- data/lib/dependabot/npm_and_yarn/file_parser.rb +17 -5
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +35 -21
- data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb +7 -3
- data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb +2 -2
- data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +83 -24
- data/lib/dependabot/npm_and_yarn/file_updater.rb +54 -0
- data/lib/dependabot/npm_and_yarn/helpers.rb +48 -0
- data/lib/dependabot/npm_and_yarn/package_name.rb +2 -2
- data/lib/dependabot/npm_and_yarn/requirement.rb +3 -3
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +6 -1
- data/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb +16 -3
- data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb +67 -19
- data/lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb +3 -4
- data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb +23 -1
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +3 -3
- data/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb +33 -8
- data/lib/dependabot/npm_and_yarn/update_checker.rb +72 -19
- data/lib/dependabot/npm_and_yarn/version.rb +1 -1
- metadata +13 -55
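--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8461e9323e6bcb02cdaa77e8d2c899cb3a9657c08e31a548a8b32f89d462e807
+data.tar.gz: 8b2455cc54d1098df6de9bf1e7f2dc0dbed789174215c6c63ea1ee5666d36bc6
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 64952d698c5c11ee8ee6c7c32bba2588028c1baa07a535f5061475b1dbc1afa98ab627695d859ac57b7eb34256aa19e6d0c6a4b57d838e08e16f34c3252991eb
+data.tar.gz: dce94a154ba1dc8e15ce85e715d6bff9ce382d4d08d27b58a7b75b965ef8d1ddd4e238e56318e96cde4214902c8d9563b1c35656c8aa424019ba912870882f52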
data/helpers/.eslintrc
CHANGED
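--- a/data/helpers/README.md
+++ b/data/helpers/README.md
@@ -24,6 +24,6 @@ yarn test path/to/test.js
 In order to run an interactive debugger:
 
 - `node --inspect-brk node_modules/.bin/jest --runInBand path/to/test/test.js`
-- In Chrome,
+- In Chrome, navigate to `chrome://inspect`
 - Click `Open dedicated DevTools for Node`
-- You'll now be able to interactively debug using the
+- You'll now be able to interactively debug using the Chrome dev tools.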
@@ -139,11 +139,6 @@ async function findVulnerableDependencies(directory, advisories) {
|
|
139
139
|
}
|
140
140
|
|
141
141
|
function convertAdvisoriesToRegistryBulkFormat(advisories) {
|
142
|
-
// npm audit differentiates advisories by `id`. In order to prevent
|
143
|
-
// advisories from being clobbered, we maintain a counter so that each
|
144
|
-
// advisory gets a unique `id`.
|
145
|
-
let nextAdvisoryId = 1
|
146
|
-
|
147
142
|
return advisories.reduce((formattedAdvisories, advisory) => {
|
148
143
|
if (!formattedAdvisories[advisory.dependency_name]) {
|
149
144
|
formattedAdvisories[advisory.dependency_name] = []
|
@@ -151,7 +146,7 @@ function convertAdvisoriesToRegistryBulkFormat(advisories) {
|
|
151
146
|
let formattedVersions =
|
152
147
|
advisory.affected_versions.reduce((memo, version) => {
|
153
148
|
memo.push({
|
154
|
-
id:
|
149
|
+
id: Math.floor(Math.random() * Number.MAX_SAFE_INTEGER),
|
155
150
|
vulnerable_versions: version
|
156
151
|
})
|
157
152
|
return memo
|
@@ -192,7 +187,12 @@ function buildDependencyChains(auditReport, name) {
|
|
192
187
|
}
|
193
188
|
if (auditReport.has(node.name)) {
|
194
189
|
const vuln = auditReport.get(node.name)
|
195
|
-
|
190
|
+
if (vuln.isVulnerable(node)) {
|
191
|
+
return [{ fixAvailable: vuln.fixAvailable, nodes: [node, ...chain.nodes] }]
|
192
|
+
} else if (node.name == name) {
|
193
|
+
// This is a non-vulnerable version of the advisory dependency; end path.
|
194
|
+
return []
|
195
|
+
}
|
196
196
|
}
|
197
197
|
if (!node.edgesOut.size) {
|
198
198
|
// This is a leaf node that is unaffected by the vuln; end path.
|
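Review bot: Uniqueness of the synthetic advisory ids is no longer guaranteed at the `id:` line of the affected_versions reduce in convertAdvisoriesToRegistryBulkFormat (second hunk): `Math.floor(Math.random() * Number.MAX_SAFE_INTEGER)` only makes a collision unlikely, while the first hunk deletes the comment stating that npm audit keys advisories by `id` and clobbers duplicates, so a collision would now silently drop an advisory with nothing in the code warning the next maintainer. The payload is also no longer deterministic between runs, which makes the bulk-format output harder to pin down in tests. If the counter was dropped because small integers could coincide with real registry advisory ids (that motivation is not visible here), a random offset plus a monotonic counter keeps both properties: `let nextAdvisoryId = Math.floor(Math.random() * (Number.MAX_SAFE_INTEGER / 2))` before the reduce and `id: nextAdvisoryId++,` at the assignment, with the deleted comment restored and extended to say why the starting value is random. Separately, the third hunk's `node.name == name` should be `node.name === name`; nothing here suggests type coercion is wanted. convertAdvisoriesToRegistryBulkFormat's reduce body continues past the end of the second hunk.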