dependabot-npm_and_yarn 0.214.0 → 0.215.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6f056274186e20cfd09b6ed8bbf84249b6676461533bb76de51ecf4025e189a6
4
- data.tar.gz: 4e30b85987104e3d79fb89d62d51e2dbff8c57337700b6a646633feaae47aadf
3
+ metadata.gz: ab218ae4b2f9134c67ada69180e938eae5fae986f8fe340347b1e8bac37395cd
4
+ data.tar.gz: 1ccf4e04ea21683fb92133dd8491dc005e06b57c8d00d7922704cd7749208378
5
5
  SHA512:
6
- metadata.gz: fa8d78e12bb014909be03e084887d429f9bd2295d69f6cff6df0f9058c4a8e49e19c465470659010917be9c13c7a95a57ad970b2875e0be8fb2b050755b89a84
7
- data.tar.gz: 54d9510b40145d16a62453ef2613503fcc87f336c14bd5a0809c71dfa99242cc91c3722504d87d737af3a0213ecc2383081a129a459124dc2079df91009a4ac9
6
+ metadata.gz: 572b409e78fd0ee17ab23164240ba4ac6364c73237011f7d799abad39d9c1acc47710094bac6c13afc6d7be4a4851b77fe546d4aa35974b2ad44e6c0494a0d71
7
+ data.tar.gz: ae73b9b051c07d6d58d310087865020a4888155ac3464ffc3a9f2565d4e02f3af6e48f0c5ffb11ef9ce38d5a871c0e0d25316f5bc8952aa36edf199e494fea39
@@ -7,7 +7,7 @@
7
7
  "name": "@dependabot/helper",
8
8
  "dependencies": {
9
9
  "@dependabot/yarn-lib": "^1.22.19",
10
- "@npmcli/arborist": "^6.1.3",
10
+ "@npmcli/arborist": "^6.1.4",
11
11
  "detect-indent": "^6.1.0",
12
12
  "nock": "^13.2.9",
13
13
  "npm": "6.14.17",
@@ -17,7 +17,7 @@
17
17
  "helper": "run.js"
18
18
  },
19
19
  "devDependencies": {
20
- "eslint": "^8.28.0",
20
+ "eslint": "^8.29.0",
21
21
  "eslint-config-prettier": "^8.5.0",
22
22
  "jest": "^29.3.1",
23
23
  "prettier": "^2.8.0",
@@ -1709,9 +1709,9 @@
1709
1709
  }
1710
1710
  },
1711
1711
  "node_modules/@npmcli/arborist": {
1712
- "version": "6.1.3",
1713
- "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-6.1.3.tgz",
1714
- "integrity": "sha512-oPYO8WO21aB9ojhREzCbzdNnR+SNuloOtxqQ0Q4Mj8tZuUPdTS5SuatSIpPGKpdtpLi5642hr2sirrikqj33Vg==",
1712
+ "version": "6.1.4",
1713
+ "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-6.1.4.tgz",
1714
+ "integrity": "sha512-lEYtEydnF+N5kkGa6wdjH80js//DcCT4lovuaXMRSPthhXv8sqYAzRGljboF3p+MlcoTOQVS7wzfhUbbUf57nA==",
1715
1715
  "dependencies": {
1716
1716
  "@isaacs/string-locale-compare": "^1.1.0",
1717
1717
  "@npmcli/fs": "^3.1.0",
@@ -3324,9 +3324,9 @@
3324
3324
  }
3325
3325
  },
3326
3326
  "node_modules/decode-uri-component": {
3327
- "version": "0.2.0",
3328
- "resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz",
3329
- "integrity": "sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=",
3327
+ "version": "0.2.2",
3328
+ "resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.2.tgz",
3329
+ "integrity": "sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ==",
3330
3330
  "engines": {
3331
3331
  "node": ">=0.10"
3332
3332
  }
@@ -3567,9 +3567,9 @@
3567
3567
  }
3568
3568
  },
3569
3569
  "node_modules/eslint": {
3570
- "version": "8.28.0",
3571
- "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.28.0.tgz",
3572
- "integrity": "sha512-S27Di+EVyMxcHiwDrFzk8dJYAaD+/5SoWKxL1ri/71CRHsnJnRDPNt2Kzj24+MT9FDupf4aqqyqPrvI8MvQ4VQ==",
3570
+ "version": "8.29.0",
3571
+ "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.29.0.tgz",
3572
+ "integrity": "sha512-isQ4EEiyUjZFbEKvEGJKKGBwXtvXX+zJbkVKCgTuB9t/+jUBcy8avhkEwWJecI15BkRkOYmvIM5ynbhRjEkoeg==",
3573
3573
  "dev": true,
3574
3574
  "dependencies": {
3575
3575
  "@eslint/eslintrc": "^1.3.3",
@@ -15739,9 +15739,9 @@
15739
15739
  }
15740
15740
  },
15741
15741
  "@npmcli/arborist": {
15742
- "version": "6.1.3",
15743
- "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-6.1.3.tgz",
15744
- "integrity": "sha512-oPYO8WO21aB9ojhREzCbzdNnR+SNuloOtxqQ0Q4Mj8tZuUPdTS5SuatSIpPGKpdtpLi5642hr2sirrikqj33Vg==",
15742
+ "version": "6.1.4",
15743
+ "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-6.1.4.tgz",
15744
+ "integrity": "sha512-lEYtEydnF+N5kkGa6wdjH80js//DcCT4lovuaXMRSPthhXv8sqYAzRGljboF3p+MlcoTOQVS7wzfhUbbUf57nA==",
15745
15745
  "requires": {
15746
15746
  "@isaacs/string-locale-compare": "^1.1.0",
15747
15747
  "@npmcli/fs": "^3.1.0",
@@ -17002,9 +17002,9 @@
17002
17002
  }
17003
17003
  },
17004
17004
  "decode-uri-component": {
17005
- "version": "0.2.0",
17006
- "resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz",
17007
- "integrity": "sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU="
17005
+ "version": "0.2.2",
17006
+ "resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.2.tgz",
17007
+ "integrity": "sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ=="
17008
17008
  },
17009
17009
  "dedent": {
17010
17010
  "version": "0.7.0",
@@ -17196,9 +17196,9 @@
17196
17196
  "integrity": "sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ="
17197
17197
  },
17198
17198
  "eslint": {
17199
- "version": "8.28.0",
17200
- "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.28.0.tgz",
17201
- "integrity": "sha512-S27Di+EVyMxcHiwDrFzk8dJYAaD+/5SoWKxL1ri/71CRHsnJnRDPNt2Kzj24+MT9FDupf4aqqyqPrvI8MvQ4VQ==",
17199
+ "version": "8.29.0",
17200
+ "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.29.0.tgz",
17201
+ "integrity": "sha512-isQ4EEiyUjZFbEKvEGJKKGBwXtvXX+zJbkVKCgTuB9t/+jUBcy8avhkEwWJecI15BkRkOYmvIM5ynbhRjEkoeg==",
17202
17202
  "dev": true,
17203
17203
  "requires": {
17204
17204
  "@eslint/eslintrc": "^1.3.3",
data/helpers/package.json CHANGED
@@ -10,14 +10,14 @@
10
10
  },
11
11
  "dependencies": {
12
12
  "@dependabot/yarn-lib": "^1.22.19",
13
- "@npmcli/arborist": "^6.1.3",
13
+ "@npmcli/arborist": "^6.1.4",
14
14
  "detect-indent": "^6.1.0",
15
15
  "nock": "^13.2.9",
16
16
  "npm": "6.14.17",
17
17
  "semver": "^7.3.8"
18
18
  },
19
19
  "devDependencies": {
20
- "eslint": "^8.28.0",
20
+ "eslint": "^8.29.0",
21
21
  "eslint-config-prettier": "^8.5.0",
22
22
  "jest": "^29.3.1",
23
23
  "prettier": "^2.8.0",
@@ -205,7 +205,19 @@ module Dependabot
205
205
  "--ignore-scripts",
206
206
  "--package-lock-only"
207
207
  ].join(" ")
208
- SharedHelpers.run_shell_command(command)
208
+
209
+ fingerprint = [
210
+ "npm",
211
+ "install",
212
+ "<install_args>",
213
+ "--force",
214
+ "--dry-run",
215
+ "false",
216
+ "--ignore-scripts",
217
+ "--package-lock-only"
218
+ ].join(" ")
219
+
220
+ SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
209
221
  { lockfile_basename => File.read(lockfile_basename) }
210
222
  end
211
223
 
@@ -223,7 +235,7 @@ module Dependabot
223
235
 
224
236
  def run_npm8_subdependency_updater(sub_dependencies:)
225
237
  dependency_names = sub_dependencies.map(&:name)
226
- SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command(dependency_names))
238
+ NativeHelpers.run_npm8_subdependency_update_command(dependency_names)
227
239
  { lockfile_basename => File.read(lockfile_basename) }
228
240
  end
229
241
 
@@ -149,16 +149,18 @@ module Dependabot
149
149
  # lockfile in the right state. Otherwise we'll need to manually update
150
150
  # the lockfile.
151
151
 
152
- command = if top_level_dependency_updates.all? { |dep| requirements_changed?(dep[:name]) }
153
- "yarn install #{Helpers.yarn_berry_args}".strip
154
- else
155
- updates = top_level_dependency_updates.collect do |dep|
156
- dep[:name]
157
- end
158
-
159
- "yarn up -R #{updates.join(' ')} #{Helpers.yarn_berry_args}".strip
160
- end
161
- Helpers.run_yarn_commands(command)
152
+ if top_level_dependency_updates.all? { |dep| requirements_changed?(dep[:name]) }
153
+ Helpers.run_yarn_command("yarn install #{yarn_berry_args}".strip)
154
+ else
155
+ updates = top_level_dependency_updates.collect do |dep|
156
+ dep[:name]
157
+ end
158
+
159
+ Helpers.run_yarn_command(
160
+ "yarn up -R #{updates.join(' ')} #{yarn_berry_args}".strip,
161
+ fingerprint: "yarn up -R <dependency_names> #{yarn_berry_args}".strip
162
+ )
163
+ end
162
164
  { yarn_lock.name => File.read(yarn_lock.name) }
163
165
  end
164
166
 
@@ -171,14 +173,20 @@ module Dependabot
171
173
  dep = sub_dependencies.first
172
174
  update = "#{dep.name}@#{dep.version}"
173
175
 
174
- Helpers.run_yarn_commands(
175
- "yarn add #{update} #{Helpers.yarn_berry_args}".strip,
176
- "yarn dedupe #{dep.name} #{Helpers.yarn_berry_args}".strip,
177
- "yarn remove #{dep.name} #{Helpers.yarn_berry_args}".strip
178
- )
176
+ commands = [
177
+ ["yarn add #{update} #{yarn_berry_args}".strip, "yarn add <update> #{yarn_berry_args}".strip],
178
+ ["yarn dedupe #{dep.name} #{yarn_berry_args}".strip, "yarn dedupe <dep_name> #{yarn_berry_args}".strip],
179
+ ["yarn remove #{dep.name} #{yarn_berry_args}".strip, "yarn remove <dep_name> #{yarn_berry_args}".strip]
180
+ ]
181
+
182
+ Helpers.run_yarn_commands(*commands)
179
183
  { yarn_lock.name => File.read(yarn_lock.name) }
180
184
  end
181
185
 
186
+ def yarn_berry_args
187
+ Helpers.yarn_berry_args
188
+ end
189
+
182
190
  def run_yarn_top_level_updater(top_level_dependency_updates:)
183
191
  SharedHelpers.run_helper_subprocess(
184
192
  command: NativeHelpers.helper_path,
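Review bot: `dep.name`, `dep.version` and `update` are interpolated straight into the shell command strings at lines 176–179 of this hunk, and the new fingerprint pairs do not change that; `SharedHelpers.run_shell_command` is not on this page, so whether the string reaches a shell is inferred, but these values originate in the repository's manifest and lockfile, so escaping them (`require "shellwords"`, then `update = "#{Shellwords.escape(dep.name)}@#{Shellwords.escape(dep.version)}"` and `Shellwords.escape(dep.name)` in the dedupe/remove commands) or validating them against the npm package-name grammar before building the command would stop correctness depending on the helper's quoting. The same pattern appears in the `yarn up -R #{updates.join(' ')}` command in the `@@ -149` hunk, in `run_yarn_berry_updater` in the `@@ -116` hunk, and with `*dependency_names` in `run_npm8_subdependency_update_command`. The enclosing method starts before this hunk. The `yarn_berry_args` wrapper added at the end of the hunk could carry a one-line comment, e.g. `# Shorthand for Helpers.yarn_berry_args so the command strings stay readable.`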
@@ -64,10 +64,7 @@ module Dependabot
64
64
  pnp_updater.updated_vendor_cache_files(base_directory: base_dir).each do |file|
65
65
  updated_files << file if file.name == ".pnp.cjs" || file.name == ".pnp.data.json"
66
66
  end
67
- # updated .pnp.cjs means zero install, include cache
68
- if updated_files.find { |f| f.name == ".pnp.cjs" }
69
- vendor_updater.updated_vendor_cache_files(base_directory: base_dir).each { |file| updated_files << file }
70
- end
67
+ vendor_updater.updated_vendor_cache_files(base_directory: base_dir).each { |file| updated_files << file }
71
68
  install_state_updater.updated_vendor_cache_files(base_directory: base_dir).each do |file|
72
69
  updated_files << file
73
70
  end
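Review bot: The removed guard carried the only explanation of when vendor cache files belong in the update (`# updated .pnp.cjs means zero install, include cache`), and the unconditional `vendor_updater.updated_vendor_cache_files(...)` call that replaces it has none. A comment stating the new rule would help, e.g. `# Include any updated vendor cache files, not only for zero-install (.pnp.cjs) setups.` Whether `updated_vendor_cache_files` yields nothing when the cache is not tracked cannot be seen here; if that is what keeps repositories without a checked-in cache from picking up files, it is worth saying in the same comment. The enclosing method starts before this hunk.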
@@ -40,12 +40,19 @@ module Dependabot
40
40
  File.exist?(".pnp.cjs")
41
41
  end
42
42
 
43
+ def self.yarn_offline_cache?
44
+ yarn_cache_dir = fetch_yarnrc_yml_value("cacheFolder", ".yarn/cache")
45
+ File.exist?(yarn_cache_dir) && (fetch_yarnrc_yml_value("nodeLinker", "") == "node-modules")
46
+ end
47
+
43
48
  def self.yarn_berry_args
44
49
  if yarn_major_version == 2
45
50
  ""
46
- elsif yarn_major_version >= 3 && yarn_zero_install?
51
+ elsif yarn_major_version >= 3 && (yarn_zero_install? || yarn_offline_cache?)
47
52
  "--mode=skip-build"
48
53
  else
54
+ # We only want this mode if the cache is not being updated/managed
55
+ # as this improperly leaves old versions in the cache
49
56
  "--mode=update-lockfile"
50
57
  end
51
58
  end
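Review bot: `yarn_offline_cache?` uses `File.exist?` on the configured `cacheFolder`, which is also satisfied by a plain file of that name; `File.directory?(yarn_cache_dir)` states the intent more precisely. The path comes from `.yarnrc.yml` via `fetch_yarnrc_yml_value`, which is outside this hunk, so the value is repository-supplied and, as written, appears to be resolved relative to the current working directory — that only works if callers have already changed into the project directory, as `yarn_zero_install?` above assumes with `File.exist?(".pnp.cjs")`. The predicate is undocumented; a one-line comment such as `# True when the configured yarn cache folder exists on disk and the node-modules linker is in use.` would record the condition it checks.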
@@ -78,13 +85,13 @@ module Dependabot
78
85
  # contain malicious code.
79
86
  def self.run_yarn_commands(*commands)
80
87
  setup_yarn_berry
81
- commands.each { |cmd| SharedHelpers.run_shell_command(cmd) }
88
+ commands.each { |cmd, fingerprint| SharedHelpers.run_shell_command(cmd, fingerprint: fingerprint) }
82
89
  end
83
90
 
84
91
  # Run a single yarn command returning stdout/stderr
85
- def self.run_yarn_command(command)
92
+ def self.run_yarn_command(command, fingerprint: nil)
86
93
  setup_yarn_berry
87
- SharedHelpers.run_shell_command(command)
94
+ SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
88
95
  end
89
96
 
90
97
  def self.dependencies_with_all_versions_metadata(dependency_set)
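Review bot: `run_yarn_commands(*commands)` now expects each element to be a `[command, fingerprint]` pair (the block destructures `|cmd, fingerprint|`), but nothing in the comment above the method says so; a bare string still runs because destructuring a String yields `fingerprint = nil`, which silently drops the fingerprint for any caller not yet converted. Suggest documenting the shape, e.g. `# Each entry is a [command, fingerprint] pair; a bare string runs with no fingerprint.`, and extending the comment on `run_yarn_command` to mention the new keyword: `# Run a single yarn command returning stdout/stderr; fingerprint, if given, is passed through to run_shell_command.` What `run_shell_command` does with a nil fingerprint is not visible here. The comment block before `run_yarn_commands` begins outside this hunk.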
@@ -14,14 +14,14 @@ module Dependabot
14
14
  File.join(__dir__, "../../../helpers")
15
15
  end
16
16
 
17
- def self.npm8_subdependency_update_command(dependency_names)
17
+ def self.run_npm8_subdependency_update_command(dependency_names)
18
18
  # NOTE: npm options
19
19
  # - `--force` ignores checks for platform (os, cpu) and engines
20
20
  # - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to
21
21
  # work around an issue in npm 6, we don't want that here
22
22
  # - `--ignore-scripts` disables prepare and prepack scripts which are run
23
23
  # when installing git dependencies
24
- [
24
+ command = [
25
25
  "npm",
26
26
  "update",
27
27
  *dependency_names,
@@ -31,6 +31,19 @@ module Dependabot
31
31
  "--ignore-scripts",
32
32
  "--package-lock-only"
33
33
  ].join(" ")
34
+
35
+ fingerprint = [
36
+ "npm",
37
+ "update",
38
+ "<dependency_names>",
39
+ "--force",
40
+ "--dry-run",
41
+ "false",
42
+ "--ignore-scripts",
43
+ "--package-lock-only"
44
+ ].join(" ")
45
+
46
+ SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
34
47
  end
35
48
  end
36
49
  end
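Review bot: The `fingerprint` array added at lines 35–44 of this hunk repeats the option list of `command` (whose opening lines are in the previous hunk and whose middle — the `--force`/`--dry-run false` entries — falls between the two hunks), so a future option change has to be made twice or the fingerprint quietly diverges from the command it describes. Deriving both from one list avoids that: `opts = %w(--force --dry-run false --ignore-scripts --package-lock-only)`, `command = ["npm", "update", *dependency_names, *opts].join(" ")`, `fingerprint = ["npm", "update", "<dependency_names>", *opts].join(" ")`. The npm-install fingerprint in the `@@ -205` hunk earlier on this page (`fingerprint = [ "npm", "install", "<install_args>", ... ]`) duplicates its command the same way. What the fingerprint is consumed for is not visible here — presumably a stable key for error reporting — and the method's NOTE comment could say so in one line.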
@@ -116,8 +116,9 @@ module Dependabot
116
116
  def run_yarn_berry_updater(path, lockfile_name)
117
117
  SharedHelpers.with_git_configured(credentials: credentials) do
118
118
  Dir.chdir(path) do
119
- Helpers.run_yarn_commands(
120
- "yarn up -R #{dependency.name} #{Helpers.yarn_berry_args}".strip
119
+ Helpers.run_yarn_command(
120
+ "yarn up -R #{dependency.name} #{Helpers.yarn_berry_args}".strip,
121
+ fingerprint: "yarn up -R <dependency_name> #{Helpers.yarn_berry_args}".strip
121
122
  )
122
123
  { lockfile_name => File.read(lockfile_name) }
123
124
  end
@@ -130,7 +131,7 @@ module Dependabot
130
131
  npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile_content)
131
132
 
132
133
  if npm_version == "npm8"
133
- SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command([dependency.name]))
134
+ NativeHelpers.run_npm8_subdependency_update_command([dependency.name])
134
135
  { lockfile_name => File.read(lockfile_name) }
135
136
  else
136
137
  SharedHelpers.run_helper_subprocess(
@@ -279,9 +279,7 @@ module Dependabot
279
279
 
280
280
  def latest_version_for_git_dependency
281
281
  @latest_version_for_git_dependency ||=
282
- if git_branch_or_ref_in_latest_release?
283
- latest_released_version
284
- elsif version_class.correct?(dependency.version)
282
+ if version_class.correct?(dependency.version)
285
283
  latest_git_version_details[:version] &&
286
284
  version_class.new(latest_git_version_details[:version])
287
285
  else
@@ -294,26 +292,9 @@ module Dependabot
294
292
  latest_version_finder.latest_version_from_registry
295
293
  end
296
294
 
297
- def should_switch_source_from_git_to_registry?
298
- return false unless git_dependency?
299
- return false unless git_branch_or_ref_in_latest_release?
300
- return false if latest_version_for_git_dependency.nil?
301
-
302
- version_class.correct?(latest_version_for_git_dependency)
303
- end
304
-
305
- def git_branch_or_ref_in_latest_release?
306
- return false unless latest_released_version
307
-
308
- return @git_branch_or_ref_in_latest_release if defined?(@git_branch_or_ref_in_latest_release)
309
-
310
- @git_branch_or_ref_in_latest_release ||=
311
- git_commit_checker.branch_or_ref_in_release?(latest_released_version)
312
- end
313
-
314
295
  def latest_version_details
315
296
  @latest_version_details ||=
316
- if git_dependency? && !should_switch_source_from_git_to_registry?
297
+ if git_dependency?
317
298
  latest_git_version_details
318
299
  else
319
300
  { version: latest_released_version }
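Review bot: With `should_switch_source_from_git_to_registry?` and `git_branch_or_ref_in_latest_release?` removed, `latest_version_details` resolves every git dependency against its git source and never hands it over to the registry, which appears to be a user-visible change in update behaviour that the remaining code does not explain. A short comment on the memoized branch would record the decision, e.g. `# Git dependencies stay on their git source; no switch to the registry is attempted.` If the removal is meant to be temporary, that is the place to say so. The `@@ -389` hunk below drops the matching `return nil if should_switch_source_from_git_to_registry?` in the source-update path, so the two stay consistent.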
@@ -389,9 +370,6 @@ module Dependabot
389
370
  # Never need to update source, unless a git_dependency
390
371
  return dependency_source_details unless git_dependency?
391
372
 
392
- # Source becomes `nil` if switching to default rubygems
393
- return nil if should_switch_source_from_git_to_registry?
394
-
395
373
  # Update the git tag if updating a pinned version
396
374
  if git_commit_checker.pinned_ref_looks_like_version? &&
397
375
  !git_commit_checker.local_tag_for_latest_version.nil?
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dependabot-npm_and_yarn
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.214.0
4
+ version: 0.215.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dependabot
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-12-01 00:00:00.000000000 Z
11
+ date: 2022-12-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 0.214.0
19
+ version: 0.215.0
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 0.214.0
26
+ version: 0.215.0
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: debug
29
29
  requirement: !ruby/object:Gem::Requirement