dependabot-npm_and_yarn 0.214.0 → 0.215.0
- checksums.yaml +4 -4
- data/helpers/package-lock.json +20 -20
- data/helpers/package.json +2 -2
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +14 -2
- data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +23 -15
- data/lib/dependabot/npm_and_yarn/file_updater.rb +1 -4
- data/lib/dependabot/npm_and_yarn/helpers.rb +11 -4
- data/lib/dependabot/npm_and_yarn/native_helpers.rb +15 -2
- data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb +4 -3
- data/lib/dependabot/npm_and_yarn/update_checker.rb +2 -24
- metadata +4 -4
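--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ab218ae4b2f9134c67ada69180e938eae5fae986f8fe340347b1e8bac37395cd
+data.tar.gz: 1ccf4e04ea21683fb92133dd8491dc005e06b57c8d00d7922704cd7749208378
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 572b409e78fd0ee17ab23164240ba4ac6364c73237011f7d799abad39d9c1acc47710094bac6c13afc6d7be4a4851b77fe546d4aa35974b2ad44e6c0494a0d71
+data.tar.gz: ae73b9b051c07d6d58d310087865020a4888155ac3464ffc3a9f2565d4e02f3af6e48f0c5ffb11ef9ce38d5a871c0e0d25316f5bc8952aa36edf199e494fea39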
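--- a/data/helpers/package-lock.json
+++ b/data/helpers/package-lock.json
@@ -7,7 +7,7 @@
 "name": "@dependabot/helper",
 "dependencies": {
 "@dependabot/yarn-lib": "^1.22.19",
-"@npmcli/arborist": "^6.1.
+"@npmcli/arborist": "^6.1.4",
 "detect-indent": "^6.1.0",
 "nock": "^13.2.9",
 "npm": "6.14.17",
@@ -17,7 +17,7 @@
 "helper": "run.js"
 },
 "devDependencies": {
-"eslint": "^8.
+"eslint": "^8.29.0",
 "eslint-config-prettier": "^8.5.0",
 "jest": "^29.3.1",
 "prettier": "^2.8.0",
@@ -1709,9 +1709,9 @@
 }
 },
 "node_modules/@npmcli/arborist": {
-"version": "6.1.
-"resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-6.1.
-"integrity": "sha512-
+"version": "6.1.4",
+"resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-6.1.4.tgz",
+"integrity": "sha512-lEYtEydnF+N5kkGa6wdjH80js//DcCT4lovuaXMRSPthhXv8sqYAzRGljboF3p+MlcoTOQVS7wzfhUbbUf57nA==",
 "dependencies": {
 "@isaacs/string-locale-compare": "^1.1.0",
 "@npmcli/fs": "^3.1.0",
@@ -3324,9 +3324,9 @@
 }
 },
 "node_modules/decode-uri-component": {
-"version": "0.2.
-"resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.
-"integrity": "
+"version": "0.2.2",
+"resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.2.tgz",
+"integrity": "sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ==",
 "engines": {
 "node": ">=0.10"
 }
@@ -3567,9 +3567,9 @@
 }
 },
 "node_modules/eslint": {
-"version": "8.
-"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.
-"integrity": "sha512-
+"version": "8.29.0",
+"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.29.0.tgz",
+"integrity": "sha512-isQ4EEiyUjZFbEKvEGJKKGBwXtvXX+zJbkVKCgTuB9t/+jUBcy8avhkEwWJecI15BkRkOYmvIM5ynbhRjEkoeg==",
 "dev": true,
 "dependencies": {
 "@eslint/eslintrc": "^1.3.3",
@@ -15739,9 +15739,9 @@
 }
 },
 "@npmcli/arborist": {
-"version": "6.1.
-"resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-6.1.
-"integrity": "sha512-
+"version": "6.1.4",
+"resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-6.1.4.tgz",
+"integrity": "sha512-lEYtEydnF+N5kkGa6wdjH80js//DcCT4lovuaXMRSPthhXv8sqYAzRGljboF3p+MlcoTOQVS7wzfhUbbUf57nA==",
 "requires": {
 "@isaacs/string-locale-compare": "^1.1.0",
 "@npmcli/fs": "^3.1.0",
@@ -17002,9 +17002,9 @@
 }
 },
 "decode-uri-component": {
-"version": "0.2.
-"resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.
-"integrity": "
+"version": "0.2.2",
+"resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.2.tgz",
+"integrity": "sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ=="
 },
 "dedent": {
 "version": "0.7.0",
@@ -17196,9 +17196,9 @@
 "integrity": "sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ="
 },
 "eslint": {
-"version": "8.
-"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.
-"integrity": "sha512-
+"version": "8.29.0",
+"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.29.0.tgz",
+"integrity": "sha512-isQ4EEiyUjZFbEKvEGJKKGBwXtvXX+zJbkVKCgTuB9t/+jUBcy8avhkEwWJecI15BkRkOYmvIM5ynbhRjEkoeg==",
 "dev": true,
 "requires": {
 "@eslint/eslintrc": "^1.3.3",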
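--- a/data/helpers/package.json
+++ b/data/helpers/package.json
@@ -10,14 +10,14 @@
 },
 "dependencies": {
 "@dependabot/yarn-lib": "^1.22.19",
-"@npmcli/arborist": "^6.1.
+"@npmcli/arborist": "^6.1.4",
 "detect-indent": "^6.1.0",
 "nock": "^13.2.9",
 "npm": "6.14.17",
 "semver": "^7.3.8"
 },
 "devDependencies": {
-"eslint": "^8.
+"eslint": "^8.29.0",
 "eslint-config-prettier": "^8.5.0",
 "jest": "^29.3.1",
 "prettier": "^2.8.0",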
@@ -205,7 +205,19 @@ module Dependabot
|
|
205
205
|
"--ignore-scripts",
|
206
206
|
"--package-lock-only"
|
207
207
|
].join(" ")
|
208
|
-
|
208
|
+
|
209
|
+
fingerprint = [
|
210
|
+
"npm",
|
211
|
+
"install",
|
212
|
+
"<install_args>",
|
213
|
+
"--force",
|
214
|
+
"--dry-run",
|
215
|
+
"false",
|
216
|
+
"--ignore-scripts",
|
217
|
+
"--package-lock-only"
|
218
|
+
].join(" ")
|
219
|
+
|
220
|
+
SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
|
209
221
|
{ lockfile_basename => File.read(lockfile_basename) }
|
210
222
|
end
|
211
223
|
|
@@ -223,7 +235,7 @@ module Dependabot
|
|
223
235
|
|
224
236
|
def run_npm8_subdependency_updater(sub_dependencies:)
|
225
237
|
dependency_names = sub_dependencies.map(&:name)
|
226
|
-
|
238
|
+
NativeHelpers.run_npm8_subdependency_update_command(dependency_names)
|
227
239
|
{ lockfile_basename => File.read(lockfile_basename) }
|
228
240
|
end
|
229
241
|
|
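Review bot: The `fingerprint` array at new lines 209-218 re-types the seven npm flags of `command` by hand, so a flag added to one list and not the other goes unnoticed; the same parallel-list pattern appears in native_helpers.rb's `run_npm8_subdependency_update_command`. Pulling the shared tail into one local, `npm_flags = %w[--force --dry-run false --ignore-scripts --package-lock-only]`, and splatting it into both lists (`["npm", "install", *install_args, *npm_flags]` / `["npm", "install", "<install_args>", *npm_flags]`) keeps the executed command and its fingerprint in lockstep. The enclosing method starts before this hunk, so the head of `command` is inferred from the `"<install_args>"` placeholder, and what `run_shell_command` does with `fingerprint:` is not visible here; if it is a stable identifier that excludes the variable arguments, a one-line comment above `fingerprint = [` saying so would help the next reader.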
@@ -149,16 +149,18 @@ module Dependabot
|
|
149
149
|
# lockfile in the right state. Otherwise we'll need to manually update
|
150
150
|
# the lockfile.
|
151
151
|
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
152
|
+
if top_level_dependency_updates.all? { |dep| requirements_changed?(dep[:name]) }
|
153
|
+
Helpers.run_yarn_command("yarn install #{yarn_berry_args}".strip)
|
154
|
+
else
|
155
|
+
updates = top_level_dependency_updates.collect do |dep|
|
156
|
+
dep[:name]
|
157
|
+
end
|
158
|
+
|
159
|
+
Helpers.run_yarn_command(
|
160
|
+
"yarn up -R #{updates.join(' ')} #{yarn_berry_args}".strip,
|
161
|
+
fingerprint: "yarn up -R <dependency_names> #{yarn_berry_args}".strip
|
162
|
+
)
|
163
|
+
end
|
162
164
|
{ yarn_lock.name => File.read(yarn_lock.name) }
|
163
165
|
end
|
164
166
|
|
@@ -171,14 +173,20 @@ module Dependabot
|
|
171
173
|
dep = sub_dependencies.first
|
172
174
|
update = "#{dep.name}@#{dep.version}"
|
173
175
|
|
174
|
-
|
175
|
-
"yarn add #{update} #{
|
176
|
-
"yarn dedupe #{dep.name} #{
|
177
|
-
"yarn remove #{dep.name} #{
|
178
|
-
|
176
|
+
commands = [
|
177
|
+
["yarn add #{update} #{yarn_berry_args}".strip, "yarn add <update> #{yarn_berry_args}".strip],
|
178
|
+
["yarn dedupe #{dep.name} #{yarn_berry_args}".strip, "yarn dedupe <dep_name> #{yarn_berry_args}".strip],
|
179
|
+
["yarn remove #{dep.name} #{yarn_berry_args}".strip, "yarn remove <dep_name> #{yarn_berry_args}".strip]
|
180
|
+
]
|
181
|
+
|
182
|
+
Helpers.run_yarn_commands(*commands)
|
179
183
|
{ yarn_lock.name => File.read(yarn_lock.name) }
|
180
184
|
end
|
181
185
|
|
186
|
+
def yarn_berry_args
|
187
|
+
Helpers.yarn_berry_args
|
188
|
+
end
|
189
|
+
|
182
190
|
def run_yarn_top_level_updater(top_level_dependency_updates:)
|
183
191
|
SharedHelpers.run_helper_subprocess(
|
184
192
|
command: NativeHelpers.helper_path,
|
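Review bot: `updates = top_level_dependency_updates.collect do |dep| dep[:name] end` at new lines 155-157 is a four-line block for a one-liner; `updates = top_level_dependency_updates.map { |dep| dep[:name] }` is the idiomatic form. `all?` on an empty `top_level_dependency_updates` is vacuously true and would run a plain `yarn install`; if callers guarantee a non-empty list, a comment at the `if` saying so spares the next reader the check. The names are interpolated unquoted into `"yarn up -R #{updates.join(' ')} …"`; npm's package-name rules keep them free of whitespace and shell metacharacters, but if `run_shell_command` goes through a shell, passing an argv array or `Shellwords.escape` would remove the reliance on that rule. The enclosing method of the first hunk starts before line 149.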
@@ -64,10 +64,7 @@ module Dependabot
|
|
64
64
|
pnp_updater.updated_vendor_cache_files(base_directory: base_dir).each do |file|
|
65
65
|
updated_files << file if file.name == ".pnp.cjs" || file.name == ".pnp.data.json"
|
66
66
|
end
|
67
|
-
|
68
|
-
if updated_files.find { |f| f.name == ".pnp.cjs" }
|
69
|
-
vendor_updater.updated_vendor_cache_files(base_directory: base_dir).each { |file| updated_files << file }
|
70
|
-
end
|
67
|
+
vendor_updater.updated_vendor_cache_files(base_directory: base_dir).each { |file| updated_files << file }
|
71
68
|
install_state_updater.updated_vendor_cache_files(base_directory: base_dir).each do |file|
|
72
69
|
updated_files << file
|
73
70
|
end
|
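Review bot: Dropping the `.pnp.cjs` guard at old lines 68-70 means `vendor_updater.updated_vendor_cache_files` now contributes files for every project that reaches this code, and nothing in the hunk says why; the rationale appears to live in helpers.rb's new `yarn_offline_cache?` (a `cacheFolder` plus `nodeLinker: node-modules` setup vendors a cache without PnP), so a comment on new line 67 such as `# Vendored cache files are collected for PnP and offline-cache (node-modules linker) projects alike` would keep the two changes connected. `updated_files` is appended with `<<` in three places here with no deduplication; if the vendor and install-state updaters can return the same path the result should be checked, though their implementations are not visible from this hunk. The enclosing method starts before line 64.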
@@ -40,12 +40,19 @@ module Dependabot
|
|
40
40
|
File.exist?(".pnp.cjs")
|
41
41
|
end
|
42
42
|
|
43
|
+
def self.yarn_offline_cache?
|
44
|
+
yarn_cache_dir = fetch_yarnrc_yml_value("cacheFolder", ".yarn/cache")
|
45
|
+
File.exist?(yarn_cache_dir) && (fetch_yarnrc_yml_value("nodeLinker", "") == "node-modules")
|
46
|
+
end
|
47
|
+
|
43
48
|
def self.yarn_berry_args
|
44
49
|
if yarn_major_version == 2
|
45
50
|
""
|
46
|
-
elsif yarn_major_version >= 3 && yarn_zero_install?
|
51
|
+
elsif yarn_major_version >= 3 && (yarn_zero_install? || yarn_offline_cache?)
|
47
52
|
"--mode=skip-build"
|
48
53
|
else
|
54
|
+
# We only want this mode if the cache is not being updated/managed
|
55
|
+
# as this improperly leaves old versions in the cache
|
49
56
|
"--mode=update-lockfile"
|
50
57
|
end
|
51
58
|
end
|
@@ -78,13 +85,13 @@ module Dependabot
|
|
78
85
|
# contain malicious code.
|
79
86
|
def self.run_yarn_commands(*commands)
|
80
87
|
setup_yarn_berry
|
81
|
-
commands.each { |cmd| SharedHelpers.run_shell_command(cmd) }
|
88
|
+
commands.each { |cmd, fingerprint| SharedHelpers.run_shell_command(cmd, fingerprint: fingerprint) }
|
82
89
|
end
|
83
90
|
|
84
91
|
# Run a single yarn command returning stdout/stderr
|
85
|
-
def self.run_yarn_command(command)
|
92
|
+
def self.run_yarn_command(command, fingerprint: nil)
|
86
93
|
setup_yarn_berry
|
87
|
-
SharedHelpers.run_shell_command(command)
|
94
|
+
SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
|
88
95
|
end
|
89
96
|
|
90
97
|
def self.dependencies_with_all_versions_metadata(dependency_set)
|
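Review bot: `yarn_offline_cache?` at new lines 43-46 tests `File.exist?` on a path read straight from the repository's `.yarnrc.yml`; `File.exist?` is true for plain files as well as directories, and an absolute or `..` value resolves outside the project checkout, so `File.directory?(yarn_cache_dir)` is the check the name implies and rejecting paths that escape the project directory would keep a crafted `cacheFolder` from steering the `--mode=skip-build` branch in `yarn_berry_args`. What the two `--mode` values change about the install is not visible here, so that consequence is inferred. `run_yarn_commands` at 87-88 now expects `[command, fingerprint]` pairs but its comment (which starts before the hunk) does not say so; a line like `# Each command is a [shell_command, fingerprint] pair; a bare string is also accepted and gets a nil fingerprint.` documents the block destructuring.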
@@ -14,14 +14,14 @@ module Dependabot
|
|
14
14
|
File.join(__dir__, "../../../helpers")
|
15
15
|
end
|
16
16
|
|
17
|
-
def self.
|
17
|
+
def self.run_npm8_subdependency_update_command(dependency_names)
|
18
18
|
# NOTE: npm options
|
19
19
|
# - `--force` ignores checks for platform (os, cpu) and engines
|
20
20
|
# - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to
|
21
21
|
# work around an issue in npm 6, we don't want that here
|
22
22
|
# - `--ignore-scripts` disables prepare and prepack scripts which are run
|
23
23
|
# when installing git dependencies
|
24
|
-
[
|
24
|
+
command = [
|
25
25
|
"npm",
|
26
26
|
"update",
|
27
27
|
*dependency_names,
|
@@ -31,6 +31,19 @@ module Dependabot
|
|
31
31
|
"--ignore-scripts",
|
32
32
|
"--package-lock-only"
|
33
33
|
].join(" ")
|
34
|
+
|
35
|
+
fingerprint = [
|
36
|
+
"npm",
|
37
|
+
"update",
|
38
|
+
"<dependency_names>",
|
39
|
+
"--force",
|
40
|
+
"--dry-run",
|
41
|
+
"false",
|
42
|
+
"--ignore-scripts",
|
43
|
+
"--package-lock-only"
|
44
|
+
].join(" ")
|
45
|
+
|
46
|
+
SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
|
34
47
|
end
|
35
48
|
end
|
36
49
|
end
|
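Review bot: `run_npm8_subdependency_update_command` at new line 17 now executes the command instead of returning it (the old name is truncated on this page, but the callers in npm_lockfile_updater.rb and subdependency_version_resolver.rb switched from building to calling), yet the comment block above it only documents the npm flags. A line above the NOTE such as `# Runs \`npm update\` for the given sub-dependency names in the working directory, rewriting only the lockfile; callers read the lockfile back afterwards.` states the side effect a caller needs to know. The `end`s at 47-49 close a class and module whose openings are outside this hunk.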
@@ -116,8 +116,9 @@ module Dependabot
|
|
116
116
|
def run_yarn_berry_updater(path, lockfile_name)
|
117
117
|
SharedHelpers.with_git_configured(credentials: credentials) do
|
118
118
|
Dir.chdir(path) do
|
119
|
-
Helpers.
|
120
|
-
"yarn up -R #{dependency.name} #{Helpers.yarn_berry_args}".strip
|
119
|
+
Helpers.run_yarn_command(
|
120
|
+
"yarn up -R #{dependency.name} #{Helpers.yarn_berry_args}".strip,
|
121
|
+
fingerprint: "yarn up -R <dependency_name> #{Helpers.yarn_berry_args}".strip
|
121
122
|
)
|
122
123
|
{ lockfile_name => File.read(lockfile_name) }
|
123
124
|
end
|
@@ -130,7 +131,7 @@ module Dependabot
|
|
130
131
|
npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile_content)
|
131
132
|
|
132
133
|
if npm_version == "npm8"
|
133
|
-
|
134
|
+
NativeHelpers.run_npm8_subdependency_update_command([dependency.name])
|
134
135
|
{ lockfile_name => File.read(lockfile_name) }
|
135
136
|
else
|
136
137
|
SharedHelpers.run_helper_subprocess(
|
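Review bot: The `yarn up -R` command/fingerprint pair at new lines 119-122 is assembled by hand here and again in yarn_lockfile_updater.rb's first hunk, so `Helpers.yarn_berry_args` is evaluated twice per call and the two fingerprints already disagree (`<dependency_name>` here, `<dependency_names>` there), which matters if fingerprints are used to group failures. A single helper returning the pair, e.g. `Helpers.yarn_up_command(names)` → `["yarn up -R #{names.join(' ')} #{yarn_berry_args}".strip, "yarn up -R <dependency_names> #{yarn_berry_args}".strip]`, would remove the duplication and keep the fingerprints consistent. `run_yarn_berry_updater` ends outside this hunk, and the enclosing method of the second hunk starts before line 131.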
@@ -279,9 +279,7 @@ module Dependabot
|
|
279
279
|
|
280
280
|
def latest_version_for_git_dependency
|
281
281
|
@latest_version_for_git_dependency ||=
|
282
|
-
if
|
283
|
-
latest_released_version
|
284
|
-
elsif version_class.correct?(dependency.version)
|
282
|
+
if version_class.correct?(dependency.version)
|
285
283
|
latest_git_version_details[:version] &&
|
286
284
|
version_class.new(latest_git_version_details[:version])
|
287
285
|
else
|
@@ -294,26 +292,9 @@ module Dependabot
|
|
294
292
|
latest_version_finder.latest_version_from_registry
|
295
293
|
end
|
296
294
|
|
297
|
-
def should_switch_source_from_git_to_registry?
|
298
|
-
return false unless git_dependency?
|
299
|
-
return false unless git_branch_or_ref_in_latest_release?
|
300
|
-
return false if latest_version_for_git_dependency.nil?
|
301
|
-
|
302
|
-
version_class.correct?(latest_version_for_git_dependency)
|
303
|
-
end
|
304
|
-
|
305
|
-
def git_branch_or_ref_in_latest_release?
|
306
|
-
return false unless latest_released_version
|
307
|
-
|
308
|
-
return @git_branch_or_ref_in_latest_release if defined?(@git_branch_or_ref_in_latest_release)
|
309
|
-
|
310
|
-
@git_branch_or_ref_in_latest_release ||=
|
311
|
-
git_commit_checker.branch_or_ref_in_release?(latest_released_version)
|
312
|
-
end
|
313
|
-
|
314
295
|
def latest_version_details
|
315
296
|
@latest_version_details ||=
|
316
|
-
if git_dependency?
|
297
|
+
if git_dependency?
|
317
298
|
latest_git_version_details
|
318
299
|
else
|
319
300
|
{ version: latest_released_version }
|
@@ -389,9 +370,6 @@ module Dependabot
|
|
389
370
|
# Never need to update source, unless a git_dependency
|
390
371
|
return dependency_source_details unless git_dependency?
|
391
372
|
|
392
|
-
# Source becomes `nil` if switching to default rubygems
|
393
|
-
return nil if should_switch_source_from_git_to_registry?
|
394
|
-
|
395
373
|
# Update the git tag if updating a pinned version
|
396
374
|
if git_commit_checker.pinned_ref_looks_like_version? &&
|
397
375
|
!git_commit_checker.local_tag_for_latest_version.nil?
|
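Review bot: Removing `should_switch_source_from_git_to_registry?` together with the `return nil if …` in `updated_source` (old lines 392-393) silently changes policy — as far as this file shows, git dependencies are no longer moved to the registry when a release contains their ref — and neither the remaining code nor the comment `# Never need to update source, unless a git_dependency` records that this is deliberate. A short comment at `latest_version_for_git_dependency` (new line 280) such as `# Git dependencies stay on their git source; we only bump the pinned ref/tag, never switch to the registry.` would stop the next reader from reintroducing the branch. `@latest_version_for_git_dependency ||=` at 281 re-runs the lookup on every call when the result is nil; that predates this change, but it is now the first thing a reader of the simplified method sees, and the `defined?` memoization the deleted `git_branch_or_ref_in_latest_release?` used avoids it. Each of these hunks sits inside methods whose bodies continue outside the shown lines.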
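--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.215.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-
+date: 2022-12-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.215.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 0.
+version: 0.215.0
 - !ruby/object:Gem::Dependency
 name: debug
 requirement: !ruby/object:Gem::Requirement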