dependabot-npm_and_yarn 0.246.0 → 0.247.0
- checksums.yaml +4 -4
- data/lib/dependabot/npm_and_yarn/file_fetcher.rb +1 -5
- data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb +1 -1
- data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb +2 -2
- data/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb +2 -2
- data/lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb +1 -1
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +12 -0
- data/lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb +1 -1
- data/lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb +15 -6
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +2 -0
- data/lib/dependabot/npm_and_yarn/update_checker.rb +7 -5
- data/lib/dependabot/npm_and_yarn/version.rb +4 -41
- metadata +19 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c4a5d0e2b8378c9540d4094bb5cc01c1d41be121ea9b7ad495267c9ace61c029
|
4
|
+
data.tar.gz: e9a81c3bec5d7eb432cf78b25e8695f7beddd0432e86c67afc7b5111c2c73808
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 83105432cc7b80df01084418d0429bb788a03f23bb2eaf33ea68d4370db76e70b735c4aec2b0ebbeda3949084f7bbc9f61a5f3338edcf36fd2cd0263981b2605
|
7
|
+
data.tar.gz: b48188962c0d5779cfef7a473173824945b371fd09a7a72f52c13f60fcf28b4593d2bacce52b1bca42bae2cfb514e1ecfe9fc67d349379aa5af1bfc89be14cc7
|
@@ -87,10 +87,6 @@ module Dependabot
|
|
87
87
|
|
88
88
|
private
|
89
89
|
|
90
|
-
def recurse_submodules_when_cloning?
|
91
|
-
true
|
92
|
-
end
|
93
|
-
|
94
90
|
def npm_files
|
95
91
|
fetched_npm_files = []
|
96
92
|
fetched_npm_files << package_lock if package_lock && !skip_package_lock?
|
@@ -550,7 +546,7 @@ module Dependabot
|
|
550
546
|
return {} unless pnpm_workspace_yaml
|
551
547
|
|
552
548
|
YAML.safe_load(pnpm_workspace_yaml.content)
|
553
|
-
rescue
|
549
|
+
rescue Psych::SyntaxError
|
554
550
|
raise Dependabot::DependencyFileNotParseable, pnpm_workspace_yaml.path
|
555
551
|
end
|
556
552
|
|
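Review bot: Narrowing the bare `rescue` to `Psych::SyntaxError` on the changed line leaves the other failures `YAML.safe_load` raises uncaught: a workspace file carrying a tag outside the permitted set raises `Psych::DisallowedClass` and an alias raises `Psych::BadAlias`, both of which the old bare rescue mapped to `DependencyFileNotParseable` and which now surface as unexpected runtime errors. Because the content comes from the repository being updated, every parse rejection should still end in the same clean error, e.g. `rescue Psych::SyntaxError, Psych::DisallowedClass, Psych::BadAlias`. The enclosing method starts before this hunk.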
@@ -38,7 +38,7 @@ module Dependabot
|
|
38
38
|
private
|
39
39
|
|
40
40
|
def recursively_fetch_dependencies(object_with_dependencies)
|
41
|
-
dependency_set = Dependabot::
|
41
|
+
dependency_set = Dependabot::FileParsers::Base::DependencySet.new
|
42
42
|
|
43
43
|
dependencies = object_with_dependencies["dependencies"]
|
44
44
|
dependencies ||= object_with_dependencies.fetch("packages", {})
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: true
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "dependabot/dependency_file"
|
@@ -18,7 +18,7 @@ module Dependabot
|
|
18
18
|
end
|
19
19
|
|
20
20
|
def parse_set
|
21
|
-
dependency_set = Dependabot::
|
21
|
+
dependency_set = Dependabot::FileParsers::Base::DependencySet.new
|
22
22
|
|
23
23
|
# NOTE: The DependencySet will de-dupe our dependencies, so they
|
24
24
|
# end up unique by name. That's not a perfect representation of
|
@@ -1,4 +1,4 @@
|
|
1
|
-
# typed:
|
1
|
+
# typed: true
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
4
|
require "dependabot/errors"
|
@@ -26,7 +26,7 @@ module Dependabot
|
|
26
26
|
end
|
27
27
|
|
28
28
|
def dependencies
|
29
|
-
dependency_set = Dependabot::
|
29
|
+
dependency_set = Dependabot::FileParsers::Base::DependencySet.new
|
30
30
|
|
31
31
|
parsed.each do |details|
|
32
32
|
next if details["aliased"]
|
@@ -32,7 +32,7 @@ module Dependabot
|
|
32
32
|
end
|
33
33
|
|
34
34
|
def dependencies
|
35
|
-
dependency_set = Dependabot::
|
35
|
+
dependency_set = Dependabot::FileParsers::Base::DependencySet.new
|
36
36
|
|
37
37
|
parsed.each do |reqs, details|
|
38
38
|
reqs.split(", ").each do |req|
|
@@ -9,10 +9,14 @@ require "dependabot/npm_and_yarn/version"
|
|
9
9
|
require "dependabot/npm_and_yarn/requirement"
|
10
10
|
require "dependabot/shared_helpers"
|
11
11
|
require "dependabot/errors"
|
12
|
+
require "sorbet-runtime"
|
13
|
+
|
12
14
|
module Dependabot
|
13
15
|
module NpmAndYarn
|
14
16
|
class UpdateChecker
|
15
17
|
class LatestVersionFinder
|
18
|
+
extend T::Sig
|
19
|
+
|
16
20
|
class RegistryError < StandardError
|
17
21
|
attr_reader :status
|
18
22
|
|
@@ -111,6 +115,7 @@ module Dependabot
|
|
111
115
|
!npm_details&.fetch("dist-tags", nil).nil?
|
112
116
|
end
|
113
117
|
|
118
|
+
sig { params(versions_array: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
|
114
119
|
def filter_ignored_versions(versions_array)
|
115
120
|
filtered = versions_array.reject do |v, _|
|
116
121
|
ignore_requirements.any? { |r| r.satisfied_by?(v) }
|
@@ -120,9 +125,15 @@ module Dependabot
|
|
120
125
|
raise AllVersionsIgnored
|
121
126
|
end
|
122
127
|
|
128
|
+
if versions_array.count > filtered.count
|
129
|
+
diff = versions_array.count - filtered.count
|
130
|
+
Dependabot.logger.info("Filtered out #{diff} ignored versions")
|
131
|
+
end
|
132
|
+
|
123
133
|
filtered
|
124
134
|
end
|
125
135
|
|
136
|
+
sig { params(versions_array: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
|
126
137
|
def filter_out_of_range_versions(versions_array)
|
127
138
|
reqs = dependency.requirements.filter_map do |r|
|
128
139
|
NpmAndYarn::Requirement.requirements_array(r.fetch(:requirement))
|
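Review bot: The new logging block in `filter_ignored_versions` computes the count difference twice, once in the `if` condition and again for `diff`; a single local keeps it to two lines, `ignored = versions_array.count - filtered.count` and `Dependabot.logger.info("Filtered out #{ignored} ignored versions") if ignored.positive?`. The added `sig` types the elements as `T.untyped` even though the block on the next line destructures them as `|v, _|` pairs; if the elements really are `[version, details]` pairs, a tuple type would document that, but the element shape is not visible from these hunks. The same `T::Array[T.untyped]` signature is repeated for `filter_out_of_range_versions` and `filter_lower_versions` in the following hunks. `filter_ignored_versions` begins in the preceding hunk.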
@@ -132,6 +143,7 @@ module Dependabot
|
|
132
143
|
.select { |v| reqs.all? { |r| r.any? { |o| o.satisfied_by?(v) } } }
|
133
144
|
end
|
134
145
|
|
146
|
+
sig { params(versions_array: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
|
135
147
|
def filter_lower_versions(versions_array)
|
136
148
|
return versions_array unless dependency.numeric_version
|
137
149
|
|
@@ -156,7 +156,7 @@ module Dependabot
|
|
156
156
|
begin
|
157
157
|
registries = []
|
158
158
|
registries += credentials
|
159
|
-
.select { |cred| cred["type"] == "npm_registry" }
|
159
|
+
.select { |cred| cred["type"] == "npm_registry" && cred["registry"] }
|
160
160
|
.tap { |arr| arr.each { |c| c["token"] ||= nil } }
|
161
161
|
registries += npmrc_registries
|
162
162
|
registries += yarnrc_registries
|
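Review bot: The added `&& cred["registry"]` on the `.select` line only excludes a missing or nil registry; an empty string is truthy in Ruby, so a credential with `"registry" => ""` still passes and is presumably treated as a registry host further down. If blank values can arrive in the credentials input, the stricter test is `.select { |cred| cred["type"] == "npm_registry" && !cred["registry"].to_s.empty? }`. The `begin` block and the method it belongs to start outside this hunk.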
@@ -6,9 +6,10 @@
|
|
6
6
|
# https://docs.npmjs.com/misc/semver #
|
7
7
|
################################################################################
|
8
8
|
|
9
|
+
require "dependabot/npm_and_yarn/requirement"
|
9
10
|
require "dependabot/npm_and_yarn/update_checker"
|
10
11
|
require "dependabot/npm_and_yarn/version"
|
11
|
-
require "dependabot/
|
12
|
+
require "dependabot/requirements_update_strategy"
|
12
13
|
|
13
14
|
module Dependabot
|
14
15
|
module NpmAndYarn
|
@@ -16,7 +17,15 @@ module Dependabot
|
|
16
17
|
class RequirementsUpdater
|
17
18
|
VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/
|
18
19
|
SEPARATOR = /(?<=[a-zA-Z0-9*])[\s|]+(?![\s|-])/
|
19
|
-
ALLOWED_UPDATE_STRATEGIES =
|
20
|
+
ALLOWED_UPDATE_STRATEGIES = T.let(
|
21
|
+
[
|
22
|
+
RequirementsUpdateStrategy::LockfileOnly,
|
23
|
+
RequirementsUpdateStrategy::WidenRanges,
|
24
|
+
RequirementsUpdateStrategy::BumpVersions,
|
25
|
+
RequirementsUpdateStrategy::BumpVersionsIfNecessary
|
26
|
+
].freeze,
|
27
|
+
T::Array[Dependabot::RequirementsUpdateStrategy]
|
28
|
+
)
|
20
29
|
|
21
30
|
def initialize(requirements:, updated_source:, update_strategy:,
|
22
31
|
latest_resolvable_version:)
|
@@ -33,7 +42,7 @@ module Dependabot
|
|
33
42
|
end
|
34
43
|
|
35
44
|
def updated_requirements
|
36
|
-
return requirements if update_strategy ==
|
45
|
+
return requirements if update_strategy == RequirementsUpdateStrategy::LockfileOnly
|
37
46
|
|
38
47
|
requirements.map do |req|
|
39
48
|
req = req.merge(source: updated_source)
|
@@ -42,9 +51,9 @@ module Dependabot
|
|
42
51
|
next req if req[:requirement].match?(/^([A-Za-uw-z]|v[^\d])/)
|
43
52
|
|
44
53
|
case update_strategy
|
45
|
-
when
|
46
|
-
when
|
47
|
-
when
|
54
|
+
when RequirementsUpdateStrategy::WidenRanges then widen_requirement(req)
|
55
|
+
when RequirementsUpdateStrategy::BumpVersions then update_version_requirement(req)
|
56
|
+
when RequirementsUpdateStrategy::BumpVersionsIfNecessary
|
48
57
|
update_version_requirement_if_needed(req)
|
49
58
|
else raise "Unexpected update strategy: #{update_strategy}"
|
50
59
|
end
|
@@ -270,6 +270,8 @@ module Dependabot
|
|
270
270
|
def types_update_available?
|
271
271
|
return false if types_package.nil?
|
272
272
|
|
273
|
+
return false if latest_types_package_version.nil?
|
274
|
+
|
273
275
|
return false unless latest_allowable_version.backwards_compatible_with?(latest_types_package_version)
|
274
276
|
|
275
277
|
return false unless version_class.correct?(types_package.version)
|
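Review bot: The new nil guard on `latest_types_package_version` adds a second single-condition early return directly under the `types_package.nil?` one; folding them into `return false if types_package.nil? || latest_types_package_version.nil?` reads as one precondition and drops the extra blank line. The guard also calls `latest_types_package_version` a second time on the `backwards_compatible_with?` line, which is fine only if that method is memoized, something this hunk does not show. `latest_allowable_version` on the same line still has no nil check; if it can be nil for the same reasons, it needs the same guard. `types_update_available?` continues past the end of this hunk.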
@@ -1,11 +1,13 @@
|
|
1
1
|
# typed: true
|
2
2
|
# frozen_string_literal: true
|
3
3
|
|
4
|
+
require "set"
|
5
|
+
|
4
6
|
require "dependabot/git_commit_checker"
|
7
|
+
require "dependabot/requirements_update_strategy"
|
8
|
+
require "dependabot/shared_helpers"
|
5
9
|
require "dependabot/update_checkers"
|
6
10
|
require "dependabot/update_checkers/base"
|
7
|
-
require "dependabot/shared_helpers"
|
8
|
-
require "set"
|
9
11
|
|
10
12
|
module Dependabot
|
11
13
|
module NpmAndYarn
|
@@ -104,15 +106,15 @@ module Dependabot
|
|
104
106
|
end
|
105
107
|
|
106
108
|
def requirements_unlocked_or_can_be?
|
107
|
-
requirements_update_strategy !=
|
109
|
+
requirements_update_strategy != RequirementsUpdateStrategy::LockfileOnly
|
108
110
|
end
|
109
111
|
|
110
112
|
def requirements_update_strategy
|
111
113
|
# If passed in as an option (in the base class) honour that option
|
112
|
-
return @requirements_update_strategy
|
114
|
+
return @requirements_update_strategy if @requirements_update_strategy
|
113
115
|
|
114
116
|
# Otherwise, widen ranges for libraries and bump versions for apps
|
115
|
-
library? ?
|
117
|
+
library? ? RequirementsUpdateStrategy::WidenRanges : RequirementsUpdateStrategy::BumpVersions
|
116
118
|
end
|
117
119
|
|
118
120
|
def conflicting_dependencies
|
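Review bot: `requirements_update_strategy` now returns `@requirements_update_strategy` untouched whenever it is set, and `requirements_unlocked_or_can_be?` compares that value with `!=` against `RequirementsUpdateStrategy::LockfileOnly`; if a caller still supplies the option in its older symbol or string form, that comparison is always true and a lockfile-only run would unlock requirements. Unless the base class already coerces the option (not visible in this hunk), a guard in the getter such as `raise ArgumentError, "unknown update strategy: #{@requirements_update_strategy.inspect}" unless @requirements_update_strategy.is_a?(RequirementsUpdateStrategy)` would make the contract explicit. The `library?` ternary on the last changed line is unaffected.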
@@ -21,20 +21,7 @@ module Dependabot
|
|
21
21
|
VERSION_PATTERN = T.let(Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?', String)
|
22
22
|
ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
|
23
23
|
|
24
|
-
sig
|
25
|
-
override
|
26
|
-
.overridable
|
27
|
-
.params(
|
28
|
-
version: T.any(
|
29
|
-
String,
|
30
|
-
Integer,
|
31
|
-
Float,
|
32
|
-
Gem::Version,
|
33
|
-
NilClass
|
34
|
-
)
|
35
|
-
)
|
36
|
-
.returns(T::Boolean)
|
37
|
-
end
|
24
|
+
sig { override.params(version: VersionParameter).returns(T::Boolean) }
|
38
25
|
def self.correct?(version)
|
39
26
|
version = version.gsub(/^v/, "") if version.is_a?(String)
|
40
27
|
|
@@ -43,7 +30,7 @@ module Dependabot
|
|
43
30
|
version.to_s.match?(ANCHORED_VERSION_PATTERN)
|
44
31
|
end
|
45
32
|
|
46
|
-
sig { params(version:
|
33
|
+
sig { params(version: VersionParameter).returns(VersionParameter) }
|
47
34
|
def self.semver_for(version)
|
48
35
|
# The next two lines are to guard against improperly formatted
|
49
36
|
# versions in a lockfile, such as an empty string or additional
|
@@ -55,19 +42,7 @@ module Dependabot
|
|
55
42
|
version
|
56
43
|
end
|
57
44
|
|
58
|
-
sig
|
59
|
-
override
|
60
|
-
.params(
|
61
|
-
version: T.any(
|
62
|
-
String,
|
63
|
-
Integer,
|
64
|
-
Float,
|
65
|
-
Gem::Version,
|
66
|
-
NilClass
|
67
|
-
)
|
68
|
-
)
|
69
|
-
.void
|
70
|
-
end
|
45
|
+
sig { override.params(version: VersionParameter).void }
|
71
46
|
def initialize(version)
|
72
47
|
@version_string = T.let(version.to_s, String)
|
73
48
|
version = version.gsub(/^v/, "") if version.is_a?(String)
|
@@ -77,19 +52,7 @@ module Dependabot
|
|
77
52
|
super(T.must(version))
|
78
53
|
end
|
79
54
|
|
80
|
-
sig
|
81
|
-
override
|
82
|
-
.params(
|
83
|
-
version: T.any(
|
84
|
-
String,
|
85
|
-
Integer,
|
86
|
-
Float,
|
87
|
-
Gem::Version,
|
88
|
-
NilClass
|
89
|
-
)
|
90
|
-
)
|
91
|
-
.returns(Dependabot::NpmAndYarn::Version)
|
92
|
-
end
|
55
|
+
sig { override.params(version: VersionParameter).returns(Dependabot::NpmAndYarn::Version) }
|
93
56
|
def self.new(version)
|
94
57
|
T.cast(super, Dependabot::NpmAndYarn::Version)
|
95
58
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.247.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-03-
|
11
|
+
date: 2024-03-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: dependabot-common
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.
|
19
|
+
version: 0.247.0
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.
|
26
|
+
version: 0.247.0
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: debug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
@@ -136,6 +136,20 @@ dependencies:
|
|
136
136
|
- - "~>"
|
137
137
|
- !ruby/object:Gem::Version
|
138
138
|
version: 1.19.0
|
139
|
+
- !ruby/object:Gem::Dependency
|
140
|
+
name: rubocop-rspec
|
141
|
+
requirement: !ruby/object:Gem::Requirement
|
142
|
+
requirements:
|
143
|
+
- - "~>"
|
144
|
+
- !ruby/object:Gem::Version
|
145
|
+
version: 2.27.1
|
146
|
+
type: :development
|
147
|
+
prerelease: false
|
148
|
+
version_requirements: !ruby/object:Gem::Requirement
|
149
|
+
requirements:
|
150
|
+
- - "~>"
|
151
|
+
- !ruby/object:Gem::Version
|
152
|
+
version: 2.27.1
|
139
153
|
- !ruby/object:Gem::Dependency
|
140
154
|
name: rubocop-sorbet
|
141
155
|
requirement: !ruby/object:Gem::Requirement
|
@@ -324,7 +338,7 @@ licenses:
|
|
324
338
|
- Nonstandard
|
325
339
|
metadata:
|
326
340
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
327
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
341
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.247.0
|
328
342
|
post_install_message:
|
329
343
|
rdoc_options: []
|
330
344
|
require_paths:
|