dependabot-npm_and_yarn 0.216.1 → 0.216.2
- checksums.yaml +4 -4
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +27 -9
- data/lib/dependabot/npm_and_yarn/helpers.rb +8 -0
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +2 -2
- data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb +1 -1
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +2 -2
- metadata +4 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 2df51373de95ce542233cbb690f059ee015534e3e57d69470031491f9dd89794
|
4
|
+
data.tar.gz: c8e33eea70d6765a96e87248ebc4b5f8cedb49ea03e9c1abf79bdaddfc6cda00
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 27c3502dd326b7b82738fa402d2e46c6054750af2e029b08f5c97b8f51e946c7090754e0679050116bbb6f572635aea77b77f4951ff19d703ff090e5308a5033
|
7
|
+
data.tar.gz: bdbfbb9f4896a58635cc9eef900f00a6e2ef02c438bb8a072fa83c199d532c9c92742ed805e8e39ddb3a5b746f50a457a7a29c4963870eddb61d0c4b7cc15957
|
@@ -10,7 +10,7 @@ require "dependabot/npm_and_yarn/file_parser/lockfile_parser"
|
|
10
10
|
|
11
11
|
module Dependabot
|
12
12
|
module NpmAndYarn
|
13
|
-
class FileFetcher < Dependabot::FileFetchers::Base
|
13
|
+
class FileFetcher < Dependabot::FileFetchers::Base # rubocop:disable Metrics/ClassLength
|
14
14
|
require_relative "file_fetcher/path_dependency_builder"
|
15
15
|
|
16
16
|
# Npm always prefixes file paths in the lockfile "version" with "file:"
|
@@ -22,6 +22,7 @@ module Dependabot
|
|
22
22
|
# "yarn link", e.g. "link:react"
|
23
23
|
PATH_DEPENDENCY_STARTS = %w(file: link:. link:/ link:~/ / ./ ../ ~/).freeze
|
24
24
|
PATH_DEPENDENCY_CLEAN_REGEX = /^file:|^link:/
|
25
|
+
DEFAULT_NPM_REGISTRY = "https://registry.npmjs.org"
|
25
26
|
|
26
27
|
def self.required_files_in?(filenames)
|
27
28
|
filenames.include?("package.json")
|
@@ -55,6 +56,7 @@ module Dependabot
|
|
55
56
|
package_managers["npm"] = Helpers.npm_version_numeric(package_lock.content) if package_lock
|
56
57
|
package_managers["yarn"] = yarn_version if yarn_version
|
57
58
|
package_managers["shrinkwrap"] = 1 if shrinkwrap
|
59
|
+
package_managers["unknown"] = 1 if package_managers.empty?
|
58
60
|
|
59
61
|
{
|
60
62
|
ecosystem: "npm",
|
@@ -85,25 +87,41 @@ module Dependabot
|
|
85
87
|
|
86
88
|
# If every entry in the lockfile uses the same registry, we can infer
|
87
89
|
# that there is a global .npmrc file, so add it here as if it were in the repo.
|
88
|
-
|
90
|
+
|
91
|
+
def inferred_npmrc # rubocop:disable Metrics/PerceivedComplexity
|
89
92
|
return @inferred_npmrc if defined?(@inferred_npmrc)
|
90
93
|
return @inferred_npmrc = nil unless npmrc.nil? && package_lock
|
91
94
|
|
92
95
|
known_registries = []
|
93
|
-
JSON.parse(package_lock.content).fetch("dependencies", {}).each do |
|
94
|
-
resolved = details.fetch("resolved",
|
96
|
+
JSON.parse(package_lock.content).fetch("dependencies", {}).each do |dependency_name, details|
|
97
|
+
resolved = details.fetch("resolved", DEFAULT_NPM_REGISTRY)
|
98
|
+
|
95
99
|
begin
|
96
100
|
uri = URI.parse(resolved)
|
97
101
|
rescue URI::InvalidURIError
|
98
102
|
# Ignoring non-URIs since they're not registries.
|
99
|
-
# This can happen if resolved is false
|
103
|
+
# This can happen if resolved is `false`, for instance
|
104
|
+
# npm6 bug https://github.com/npm/cli/issues/1138
|
100
105
|
next
|
101
106
|
end
|
102
|
-
|
103
|
-
|
107
|
+
|
108
|
+
next unless uri.scheme && uri.host
|
109
|
+
|
110
|
+
known_registry = "#{uri.scheme}://#{uri.host}"
|
111
|
+
path = uri.path
|
112
|
+
|
113
|
+
next unless path
|
114
|
+
|
115
|
+
index = path.index(dependency_name)
|
116
|
+
if index
|
117
|
+
registry_base_path = path[0...index].delete_suffix("/")
|
118
|
+
known_registry << registry_base_path
|
119
|
+
end
|
120
|
+
|
121
|
+
known_registries << known_registry
|
104
122
|
end
|
105
123
|
|
106
|
-
if known_registries.uniq.length == 1 && known_registries.first !=
|
124
|
+
if known_registries.uniq.length == 1 && known_registries.first != DEFAULT_NPM_REGISTRY
|
107
125
|
Dependabot.logger.info("Inferred global NPM registry is: #{known_registries.first}")
|
108
126
|
return @inferred_npmrc = Dependabot::DependencyFile.new(
|
109
127
|
name: ".npmrc",
|
@@ -121,7 +139,7 @@ module Dependabot
|
|
121
139
|
if (package_manager = package.fetch("packageManager", nil))
|
122
140
|
get_yarn_version_from_package_json(package_manager)
|
123
141
|
elsif yarn_lock
|
124
|
-
|
142
|
+
Helpers.yarn_version_numeric(yarn_lock)
|
125
143
|
end
|
126
144
|
end
|
127
145
|
|
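Review bot: `index = path.index(dependency_name)` in inferred_npmrc matches the package name as a bare substring of the resolved path, so a registry base path that itself contains the name (a constructed example: a dependency called `npm` resolved through a `/api/npm/...` proxy path) is cut at the wrong place and `known_registry` receives a truncated base path; anchoring on the path segment, `index = path.index("/#{dependency_name}/")`, keeps the existing result for `/<name>/-/<name>-x.y.z.tgz` tarball URLs while rejecting partial matches. `known_registry = "#{uri.scheme}://#{uri.host}"` also drops a non-default port, so a registry served on, say, `:8443` would be written into the synthetic `.npmrc` without it; `host = uri.port == uri.default_port ? uri.host : "#{uri.host}:#{uri.port}"` preserves it. `next unless path` is a no-op, since `URI#path` returns a String and `""` is truthy in Ruby, though the following `index` lookup already handles the empty path. Lockfiles that carry the v2/v3 `packages` map instead of `dependencies` presumably yield no registries and fall through to the default, which may be intended but is worth a comment. inferred_npmrc ends outside the hunk.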
@@ -16,6 +16,14 @@ module Dependabot
|
|
16
16
|
6
|
17
17
|
end
|
18
18
|
|
19
|
+
def self.yarn_version_numeric(yarn_lock)
|
20
|
+
if yarn_berry?(yarn_lock)
|
21
|
+
3
|
22
|
+
else
|
23
|
+
1
|
24
|
+
end
|
25
|
+
end
|
26
|
+
|
19
27
|
def self.fetch_yarnrc_yml_value(key, default_value)
|
20
28
|
if File.exist?(".yarnrc.yml") && (yarnrc = YAML.load_file(".yarnrc.yml"))
|
21
29
|
yarnrc.fetch(key, default_value)
|
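Review bot: `Helpers.yarn_version_numeric` has no documentation of what its return value means, and the two literals `3` and `1` read as magic numbers; a comment above the method such as `# Numeric Yarn generation reported for the lockfile: 3 when it is a Yarn Berry lockfile, 1 for Yarn Classic.` would make the bucketing explicit. Since Berry covers Yarn 2 onwards, a `3` here is a coarse bucket rather than the actual major version, which is worth stating so the file_fetcher call site at new line 142 does not treat it as exact. `yarn_berry?` is defined outside the hunk, so what it inspects on `yarn_lock` cannot be confirmed from here.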
@@ -375,11 +375,11 @@ module Dependabot
|
|
375
375
|
end
|
376
376
|
|
377
377
|
def version_class
|
378
|
-
|
378
|
+
dependency.version_class
|
379
379
|
end
|
380
380
|
|
381
381
|
def requirement_class
|
382
|
-
|
382
|
+
dependency.requirement_class
|
383
383
|
end
|
384
384
|
|
385
385
|
def npmrc_file
|
@@ -642,11 +642,11 @@ module Dependabot
|
|
642
642
|
end
|
643
643
|
|
644
644
|
def version_class
|
645
|
-
|
645
|
+
dependency.version_class
|
646
646
|
end
|
647
647
|
|
648
648
|
def requirement_class
|
649
|
-
|
649
|
+
dependency.requirement_class
|
650
650
|
end
|
651
651
|
|
652
652
|
def version_regex
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.216.
|
4
|
+
version: 0.216.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-04-
|
11
|
+
date: 2023-04-20 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.216.
|
19
|
+
version: 0.216.2
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.216.
|
26
|
+
version: 0.216.2
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|