dependabot-npm_and_yarn 0.268.0 → 0.270.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 473cf091eca02d2d3e0ff9920708779183b7a9a9dba2771c35ffe602eda18003
-  data.tar.gz: 3ff951a1e1970c6818b615b5f10b78950e5cc53c01b3a2b9540a28f3451ac294
+  metadata.gz: b2276d76c9fe0718302cab8ccf1044b0a4ff7f20c84e29d34805e7defed16c78
+  data.tar.gz: 4e08e01d7b52645d0c5d3283dc509fe9a06ad2fde18bdaec55d8ac64ec89648f
 SHA512:
-  metadata.gz: 73a7da3b2062a4adaa70d33616698d418bcda9684e8cf301279bac6756537079136872cc68d6623af7f1ea8bd09197d7ac98edd287da6aafef63f1f6f25243c1
-  data.tar.gz: 68e3d2e1a3b50ccad6359b961a1e3093d6095d08fb8e79175aa83025c57716f080ca03dd5aea9e4f1dead654fa881cf4f20698971150ac5b361a25efbaa74b04
+  metadata.gz: 4942e5053f375513c9c5e0666848fb05a1abacd4bd276b7642f3aa08282bcd437e46a7334174a34117d81f23dbaa57b78a9e4116366afbb4c64deeaf494ec2c8
+  data.tar.gz: 47ac31be39537d7f54b1d0683ddf51db345e6b05fa6bab37dd1addceb611387ae5a82c405ecb555268f34ec330736eff776fb04150fe337663d1e28508c50291

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -166,7 +166,7 @@ module Dependabot
 
       sig { override.void }
       def check_required_files
-        raise "No package.json!" unless get_original_file("package.json")
+        raise DependencyFileNotFound.new(nil, "package.json not found.") unless get_original_file("package.json")
       end
 
       sig { params(requirement: String).returns(T::Boolean) }

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -72,7 +72,8 @@ module Dependabot
           -\sGET\shttps?://(?<source>[^/]+)/(?<package_req>[^/\s]+)}x
         MISSING_PACKAGE = %r{(?<package_req>[^/]+) - Not found}
         INVALID_PACKAGE = /Can't install (?<package_req>.*): Missing/
-        SOCKET_HANG_UP = /request to (?<url>.*) failed, reason: socket hang up/
+        SOCKET_HANG_UP = /(?:request to )?(?<url>.*): socket hang up/
+        ESOCKETTIMEDOUT = /(?<url>.*): ESOCKETTIMEDOUT/
         UNABLE_TO_AUTH_NPMRC = /Unable to authenticate, need: Basic, Bearer/
         UNABLE_TO_AUTH_REGISTRY = /Unable to authenticate, need: *.*(Basic|BASIC) *.*realm="(?<url>.*)"/
         MISSING_AUTH_TOKEN = /401 Unauthorized - GET (?<url>.*) - authentication token not provided/
@@ -83,10 +84,12 @@ module Dependabot
         NESTED_ALIAS = /nested aliases not supported/
         PEER_DEPS_PATTERNS = T.let([/Cannot read properties of null/,
                                     /ERESOLVE overriding peer dependency/].freeze, T::Array[Regexp])
-
+        PREMATURE_CLOSE = /premature close/
+        EMPTY_OBJECT_ERROR = /Object for dependency "(?<package>.*)" is empty/
         ERROR_E401 = /code E401/
         ERROR_E403 = /code E403/
         ERROR_EAI_AGAIN = /request to (?<url>.*) failed, reason: getaddrinfo EAI_AGAIN/
+        PACKAGE_DISCOVERY_FAIL = /Couldn't find package "(?<pkg>.*)" *.* on the "(?<regis>.*)" registry./
 
         # TODO: look into fixing this in npm, seems like a bug in the git
         # downloader introduced in npm 7
@@ -513,7 +516,12 @@ module Dependabot
 
           # NOTE: This check was introduced in npm8/arborist
           if error_message.include?("must provide string spec")
-            msg = "Error parsing your package.json manifest: the version requirement must be a string"
+            msg = "Error parsing your package.json manifest: the version requirement must be a string."
+            raise Dependabot::DependencyFileNotParseable, msg
+          end
+
+          if error_message.match?(PREMATURE_CLOSE)
+            msg = "Error parsing your package.json manifest"
             raise Dependabot::DependencyFileNotParseable, msg
           end
 
@@ -523,15 +531,21 @@ module Dependabot
             raise Dependabot::DependencyFileNotResolvable, msg
           end
 
-          if (git_source = error_message.match(SOCKET_HANG_UP))
-            msg = git_source.named_captures.fetch("url")
-            raise Dependabot::PrivateSourceTimedOut, T.must(msg)
+          if (git_source = error_message.match(SOCKET_HANG_UP) || error_message.match(ESOCKETTIMEDOUT))
+            msg = sanitize_uri(git_source.named_captures.fetch("url"))
+            raise Dependabot::PrivateSourceTimedOut, msg
+          end
+
+          if (package = error_message.match(EMPTY_OBJECT_ERROR))
+            msg = "Error resolving package-lock.json file. " \
+                  "Object for dependency \"#{package.named_captures.fetch('package')}\" is empty."
+            raise Dependabot::DependencyFileNotResolvable, msg
           end
 
           # Error handled when no authentication info ( _auth = user:pass )
           # is provided in config file (.npmrc) to access private registry
           if error_message.match?(UNABLE_TO_AUTH_NPMRC)
-            msg = "check .npmrc config file"
+            msg = "check .npmrc config file."
             raise Dependabot::PrivateSourceAuthenticationFailure, msg
           end
 
@@ -553,7 +567,7 @@ module Dependabot
           end
 
           if (dep = error_message.match(EOVERRIDE))
-            msg = "Override for #{dep.named_captures.fetch('deps')} conflicts with direct dependency"
+            msg = "Override for #{dep.named_captures.fetch('deps')} conflicts with direct dependency."
             raise Dependabot::DependencyFileNotResolvable, msg
           end
 
@@ -562,6 +576,8 @@ module Dependabot
             raise Dependabot::DependencyFileNotResolvable, msg
           end
 
+          raise Dependabot::DependencyFileNotResolvable, error_message if error_message.match(PACKAGE_DISCOVERY_FAIL)
+
           raise error
         end
         # rubocop:enable Metrics/AbcSize
@@ -1067,6 +1083,11 @@ module Dependabot
           )
         end
 
+        sig { params(uri: T.nilable(String)).returns(String) }
+        def sanitize_uri(uri)
+          URI.decode_www_form_component(T.must(URI.extract(T.must(uri)).first))
+        end
+
         sig { returns(T::Hash[String, T.untyped]) }
         def parsed_package_json
           return {} unless package_json

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -45,6 +45,27 @@ module Dependabot
         MISSING_PACKAGE = /ERR_PNPM_FETCH_404[ [^:print:]]+GET (?<dependency_url>.*): (?:Not Found)? - 404/
         UNAUTHORIZED_PACKAGE = /ERR_PNPM_FETCH_401[ [^:print:]]+GET (?<dependency_url>.*): Unauthorized - 401/
 
+        # ERR_PNPM_FETCH ERROR CODES
+        ERR_PNPM_FETCH_401 = /ERR_PNPM_FETCH_401.*GET (?<dependency_url>.*):  - 401/
+        ERR_PNPM_FETCH_403 = /ERR_PNPM_FETCH_403.*GET (?<dependency_url>.*):  - 403/
+        ERR_PNPM_FETCH_500 = /ERR_PNPM_FETCH_500.*GET (?<dependency_url>.*):  - 500/
+        ERR_PNPM_FETCH_502 = /ERR_PNPM_FETCH_502.*GET (?<dependency_url>.*):  - 502/
+
+        # ERR_PNPM_UNSUPPORTED_ENGINE
+        ERR_PNPM_UNSUPPORTED_ENGINE = /ERR_PNPM_UNSUPPORTED_ENGINE/
+        PACAKGE_MANAGER = /Your (?<pkg_mgr>.*) version is incompatible with/
+        VERSION_REQUIREMENT = /Expected version: (?<supported_ver>.*)\nGot: (?<detected_ver>.*)\n/
+
+        ERR_PNPM_TARBALL_INTEGRITY = /ERR_PNPM_TARBALL_INTEGRITY/
+
+        ERR_PNPM_PATCH_NOT_APPLIED = /ERR_PNPM_PATCH_NOT_APPLIED/
+
+        # ERR_PNPM_UNSUPPORTED_PLATFORM
+        ERR_PNPM_UNSUPPORTED_PLATFORM = /ERR_PNPM_UNSUPPORTED_PLATFORM/
+        PLATFORM_PACAKGE_DEP = /Unsupported platform for (?<dep>.*)\: wanted/
+        PLATFORM_VERSION_REQUIREMENT = /wanted {(?<supported_ver>.*)} \(current: (?<detected_ver>.*)\)/
+        PLATFORM_PACAKGE_MANAGER = "pnpm"
+
         def run_pnpm_update(pnpm_lock:)
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
             File.write(".npmrc", npmrc_content(pnpm_lock))
@@ -88,6 +109,8 @@ module Dependabot
             ).parse
         end
 
+        # rubocop:disable Metrics/AbcSize
+        # rubocop:disable Metrics/PerceivedComplexity
         def handle_pnpm_lock_updater_error(error, pnpm_lock)
           error_message = error.message
 
@@ -107,16 +130,36 @@ module Dependabot
             raise Dependabot::GitDependenciesNotReachable, url
           end
 
-          [FORBIDDEN_PACKAGE, MISSING_PACKAGE, UNAUTHORIZED_PACKAGE].each do |regexp|
+          [FORBIDDEN_PACKAGE, MISSING_PACKAGE, UNAUTHORIZED_PACKAGE, ERR_PNPM_FETCH_401,
+           ERR_PNPM_FETCH_403, ERR_PNPM_FETCH_500, ERR_PNPM_FETCH_502].each do |regexp|
             next unless error_message.match?(regexp)
 
             dependency_url = error_message.match(regexp).named_captures["dependency_url"]
+            raise_package_access_error(error_message, dependency_url, pnpm_lock)
+          end
+
+          # TO-DO : subclassifcation of ERR_PNPM_TARBALL_INTEGRITY errors
+          if error_message.match?(ERR_PNPM_TARBALL_INTEGRITY)
+            dependency_names = dependencies.map(&:name).join(", ")
 
-            raise_package_access_error(dependency_url, pnpm_lock)
+            msg = "Error (ERR_PNPM_TARBALL_INTEGRITY) while resolving \"#{dependency_names}\"."
+            Dependabot.logger.warn(error_message)
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
+          raise_patch_dependency_error(error_message) if error_message.match?(ERR_PNPM_PATCH_NOT_APPLIED)
+
+          raise_unsupported_engine_error(error_message, pnpm_lock) if error_message.match?(ERR_PNPM_UNSUPPORTED_ENGINE)
+
+          if error_message.match?(ERR_PNPM_UNSUPPORTED_PLATFORM)
+            raise_unsupported_platform_error(error_message,
+                                             pnpm_lock)
           end
 
           raise
         end
+        # rubocop:enable Metrics/AbcSize
+        # rubocop:enable Metrics/PerceivedComplexity
 
         def raise_resolvability_error(error_message, pnpm_lock)
           dependency_names = dependencies.map(&:name).join(", ")
@@ -125,7 +168,28 @@ module Dependabot
           raise Dependabot::DependencyFileNotResolvable, msg
         end
 
-        def raise_package_access_error(dependency_url, pnpm_lock)
+        def raise_patch_dependency_error(error_message)
+          dependency_names = dependencies.map(&:name).join(", ")
+          msg = "Error while updating \"#{dependency_names}\" in " \
+                "update group \"patchedDependencies\"."
+          Dependabot.logger.warn(error_message)
+          raise Dependabot::DependencyFileNotResolvable, msg
+        end
+
+        def raise_unsupported_engine_error(error_message, _pnpm_lock)
+          unless error_message.match(PACAKGE_MANAGER) &&
+                 error_message.match(VERSION_REQUIREMENT)
+            return
+          end
+
+          package_manager = error_message.match(PACAKGE_MANAGER).named_captures["pkg_mgr"]
+          supported_version = error_message.match(VERSION_REQUIREMENT).named_captures["supported_ver"]
+          detected_version = error_message.match(VERSION_REQUIREMENT).named_captures["detected_ver"]
+
+          raise Dependabot::ToolVersionNotSupported.new(package_manager, supported_version, detected_version)
+        end
+
+        def raise_package_access_error(error_message, dependency_url, pnpm_lock)
           package_name = RegistryParser.new(resolved_url: dependency_url, credentials: credentials).dependency_name
           missing_dep = lockfile_dependencies(pnpm_lock)
                         .find { |dep| dep.name == package_name }
@@ -136,7 +200,7 @@ module Dependabot
             credentials: credentials,
             npmrc_file: npmrc_file
           ).registry
-
+          Dependabot.logger.warn("Error while accessing #{reg}. Response (truncated) - #{error_message[0..500]}...")
           raise PrivateSourceAuthenticationFailure, reg
         end
 
@@ -148,6 +212,23 @@ module Dependabot
           end
         end
 
+        def raise_unsupported_platform_error(error_message, _pnpm_lock)
+          unless error_message.match(PLATFORM_PACAKGE_DEP) &&
+                 error_message.match(PLATFORM_VERSION_REQUIREMENT)
+            return
+          end
+
+          supported_version = error_message.match(PLATFORM_VERSION_REQUIREMENT)
+                                           .named_captures["supported_ver"]
+                                           .then { sanitize_message(_1) }
+          detected_version = error_message.match(PLATFORM_VERSION_REQUIREMENT)
+                                          .named_captures["detected_ver"]
+                                          .then { sanitize_message(_1) }
+
+          Dependabot.logger.warn(error_message)
+          raise Dependabot::ToolVersionNotSupported.new(PLATFORM_PACAKGE_MANAGER, supported_version, detected_version)
+        end
+
         def npmrc_content(pnpm_lock)
           NpmrcBuilder.new(
             credentials: credentials,
@@ -176,6 +257,10 @@ module Dependabot
         def npmrc_file
           dependency_files.find { |f| f.name == ".npmrc" }
         end
+
+        def sanitize_message(message)
+          message.gsub(/"|\[|\]|\}|\{/, "")
+        end
       end
     end
   end

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -278,7 +278,8 @@ module Dependabot
              error_message.include?(DEPENDENCY_MATCH_NOT_FOUND)
 
             unless resolvable_before_update?(yarn_lock)
-              error_handler.raise_resolvability_error(error_message, yarn_lock)
+              error_handler.raise_resolvability_error(error_message,
+                                                      yarn_lock)
             end
 
             # Dependabot has probably messed something up with the update and we
@@ -632,7 +633,7 @@ module Dependabot
         ).void
       end
       def handle_group_patterns(error, usage_error_message, params) # rubocop:disable Metrics/PerceivedComplexity
-        error_message = error.message
+        error_message = error.message.gsub(/\e\[\d+(;\d+)*m/, "")
         VALIDATION_GROUP_PATTERNS.each do |group|
           patterns = group[:patterns]
           matchfn = group[:matchfn]
@@ -644,8 +645,8 @@ module Dependabot
           message = usage_error_message.empty? ? error_message : usage_error_message
           if in_usage && pattern_in_message(patterns, usage_error_message)
             raise create_error(handler, message, error, params)
-          elsif !in_usage && pattern_in_message(patterns, error.message)
-            raise create_error(handler, error.message, error, params)
+          elsif !in_usage && pattern_in_message(patterns, error_message)
+            raise create_error(handler, error_message, error, params)
           end
 
           raise create_error(handler, message, error, params) if matchfn&.call(usage_error_message, error_message)

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -30,15 +30,26 @@ module Dependabot
         end
       end
 
-      sig { override.returns(T::Array[Regexp]) }
-      def self.updated_files_regex
-        [
-          /^package\.json$/,
-          /^package-lock\.json$/,
-          /^npm-shrinkwrap\.json$/,
-          /^yarn\.lock$/,
-          /^pnpm-lock\.yaml$/
-        ]
+      sig { override.params(allowlist_enabled: T::Boolean).returns(T::Array[Regexp]) }
+      def self.updated_files_regex(allowlist_enabled = false)
+        if allowlist_enabled
+          [
+            %r{^(?:.*\/)?package\.json$},
+            %r{^(?:.*\/)?package-lock\.json$},
+            %r{^(?:.*\/)?npm-shrinkwrap\.json$},
+            %r{^(?:.*\/)?yarn\.lock$},
+            %r{^(?:.*\/)?pnpm-lock\.yaml$}
+          ]
+        else
+          # Old regex. After 100% rollout of the allowlist, this will be removed.
+          [
+            /^package\.json$/,
+            /^package-lock\.json$/,
+            /^npm-shrinkwrap\.json$/,
+            /^yarn\.lock$/,
+            /^pnpm-lock\.yaml$/
+          ]
+        end
       end
 
       sig { override.returns(T::Array[DependencyFile]) }
@@ -139,7 +150,7 @@ module Dependabot
 
       sig { override.void }
       def check_required_files
-        raise "No package.json!" unless get_original_file("package.json")
+        raise DependencyFileNotFound.new(nil, "package.json not found.") unless get_original_file("package.json")
       end
 
       sig { params(updated_files: T::Array[DependencyFile]).returns(T::Hash[Symbol, T.untyped]) }

data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb

@@ -338,7 +338,22 @@ module Dependabot
             raise PrivateSourceAuthenticationFailure, dependency_registry
           end
 
+          # handles scenario when private registry returns a server error 5xx
+          if private_dependency_server_error?(npm_response)
+            msg = "Server error #{npm_response.status} returned while accessing registry" \
+                  " #{dependency_registry}."
+            raise DependencyFileNotResolvable, msg
+          end
+
           status = npm_response.status
+
+          # handles issue when status 200 is returned from registry but with an invalid JSON object
+          if status.to_s.start_with?("2") && response_invalid_json?(npm_response)
+            msg = "Invalid JSON object returned from registry #{dependency_registry}."
+            Dependabot.logger.warn("#{msg} Response body (truncated) : #{npm_response.body[0..500]}...")
+            raise DependencyFileNotResolvable, msg
+          end
+
           return if status.to_s.start_with?("2")
 
           # Ignore 404s from the registry for updates where a lockfile doesn't
@@ -373,6 +388,23 @@ module Dependabot
           true
         end
 
+        def private_dependency_server_error?(npm_response)
+          if [500, 501, 502, 503].include?(npm_response.status)
+            Dependabot.logger.warn("#{dependency_registry} returned code #{npm_response.status} with " \
+                                   "body #{npm_response.body}.")
+            return true
+          end
+          false
+        end
+
+        def response_invalid_json?(npm_response)
+          result = JSON.parse(npm_response.body)
+          result.is_a?(Hash) || result.is_a?(Array)
+          false
+        rescue JSON::ParserError, TypeError
+          true
+        end
+
         def dependency_url
           registry_finder.dependency_url
         end

data/lib/dependabot/npm_and_yarn/update_checker.rb

@@ -57,17 +57,29 @@ module Dependabot
       end
 
       def lowest_security_fix_version
+        # This will require a full unlock to update multiple top level ancestors.
+        return if vulnerability_audit["fix_available"] && vulnerability_audit["top_level_ancestors"].count > 1
+
         latest_version_finder.lowest_security_fix_version
       end
 
       def lowest_resolvable_security_fix_version
         raise "Dependency not vulnerable!" unless vulnerable?
-        # NOTE: we currently don't resolve transitive/sub-dependencies as
+
+        # NOTE: Currently, we don't resolve transitive/sub-dependencies as
         # npm/yarn don't provide any control over updating to a specific
-        # sub-dependency version
+        # sub-dependency version.
+
+        # Return nil for vulnerable transitive dependencies if there are conflicting dependencies.
+        # This helps catch errors in such cases.
+        return nil if !dependency.top_level? && conflicting_dependencies.any?
+
+        # For transitive dependencies without conflicts, return the latest resolvable transitive
+        # security fix version that does not require unlocking other dependencies.
         return latest_resolvable_transitive_security_fix_version_with_no_unlock unless dependency.top_level?
 
-        # TODO: Might want to check resolvability here?
+        # For top-level dependencies, return the lowest security fix version.
+        # TODO: Consider checking resolvability here in the future.
         lowest_security_fix_version
       end
 
@@ -174,7 +186,7 @@ module Dependabot
       end
 
       def updated_dependencies_after_full_unlock
-        return conflicting_updated_dependencies if !dependency.top_level? && security_advisories.any?
+        return conflicting_updated_dependencies if security_advisories.any? && vulnerability_audit["fix_available"]
 
         version_resolver.dependency_updates_from_full_unlock
                         .map { |update_details| build_updated_dependency(update_details) }

data/lib/dependabot/npm_and_yarn.rb

@@ -56,6 +56,10 @@ module Dependabot
     # Used to check if error message contains timeout fetching package
     TIMEOUT_FETCHING_PACKAGE_REGEX = %r{(?<url>.+)/(?<package>[^/]+): ETIMEDOUT}
 
+    ESOCKETTIMEDOUT = /(?<package>.*?): ESOCKETTIMEDOUT/
+
+    SOCKET_HANG_UP = /(?<url>.*?): socket hang up/
+
     # Used to identify git unreachable error
     UNREACHABLE_GIT_CHECK_REGEX = /ls-remote --tags --heads (?<url>.*)/
 
@@ -79,6 +83,8 @@ module Dependabot
       FAILED_TO_RETRIEVE: %r{(?<package_req>@[\w-]+\/[\w-]+@\S+): The remote server failed to provide the requested resource} # rubocop:disable Layout/LineLength
     }.freeze, T::Hash[String, Regexp])
 
+    YN0082_PACKAGE_NOT_FOUND_REGEX = /YN0082:.*?(\S+@\S+): No candidates found/
+
     PACKAGE_NOT_FOUND2 = %r{/[^/]+: Not found}
     PACKAGE_NOT_FOUND2_PACKAGE_NAME_REGEX = %r{/(?<package_name>[^/]+): Not found}
     PACKAGE_NOT_FOUND2_PACKAGE_NAME_CAPTURE = "package_name"
@@ -102,6 +108,7 @@ module Dependabot
     # Used to identify if authentication failure error
     AUTHENTICATION_TOKEN_NOT_PROVIDED = "authentication token not provided"
     AUTHENTICATION_IS_NOT_CONFIGURED = "No authentication configured for request"
+    AUTHENTICATION_HEADER_NOT_PROVIDED = "Unauthenticated: request did not include an Authorization header."
 
     # Used to identify if error message is related to yarn workspaces
     DEPENDENCY_FILE_NOT_RESOLVABLE = "conflicts with direct dependency"
@@ -241,6 +248,18 @@ module Dependabot
         handler: lambda { |message, _error, _params|
           Dependabot::NetworkUnsafeHTTP.new(message)
         }
+      },
+      "YN0082" => {
+        message: "No candidates found",
+        handler: lambda { |message, _error, _params|
+          match_data = message.match(YN0082_PACKAGE_NOT_FOUND_REGEX)
+          if match_data
+            package_req = match_data[1]
+            Dependabot::DependencyNotFound.new("#{package_req} Detail: #{message}")
+          else
+            Dependabot::DependencyNotFound.new(message)
+          end
+        }
       }
     }.freeze, T::Hash[String, {
       message: T.any(String, NilClass),
@@ -303,7 +322,8 @@ module Dependabot
         matchfn: nil
       },
       {
-        patterns: [AUTHENTICATION_TOKEN_NOT_PROVIDED, AUTHENTICATION_IS_NOT_CONFIGURED],
+        patterns: [AUTHENTICATION_TOKEN_NOT_PROVIDED, AUTHENTICATION_IS_NOT_CONFIGURED,
+                   AUTHENTICATION_HEADER_NOT_PROVIDED],
         handler: lambda { |message, _error, _params|
           Dependabot::PrivateSourceAuthenticationFailure.new(message)
         },
@@ -345,7 +365,28 @@ module Dependabot
         },
         in_usage: false,
         matchfn: nil
+      },
+      {
+        patterns: [SOCKET_HANG_UP],
+        handler: lambda { |message, _error, _params|
+          url = message.match(SOCKET_HANG_UP).named_captures.fetch(URL_CAPTURE)
+
+          Dependabot::PrivateSourceTimedOut.new(url.gsub(HTTP_CHECK_REGEX, ""))
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [ESOCKETTIMEDOUT],
+        handler: lambda { |message, _error, _params|
+          package_req = message.match(ESOCKETTIMEDOUT).named_captures.fetch("package")
+
+          Dependabot::PrivateSourceTimedOut.new(package_req.gsub(HTTP_CHECK_REGEX, ""))
+        },
+        in_usage: false,
+        matchfn: nil
       }
+
     ].freeze, T::Array[{
       patterns: T::Array[T.any(String, Regexp)],
       handler: ErrorHandler,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.268.0
+  version: 0.270.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-08-02 00:00:00.000000000 Z
+date: 2024-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.268.0
+        version: 0.270.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.268.0
+        version: 0.270.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -345,7 +345,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.268.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.270.0
 post_install_message: 
 rdoc_options: []
 require_paths: