dependabot-npm_and_yarn 0.291.0 → 0.292.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 02635cf238f21d329717cb8590e2c779109f30e53edb5a18d0af02c2eb1b7b52
-  data.tar.gz: 05a8982b1c132c4560dbde94a72575a7ba62d9e9b1b3e6524d2cbcb2042f3eae
+  metadata.gz: e406eab7c13be2bea1200de0103017da062fcd4eda7b30652cc697cf2529c2de
+  data.tar.gz: c41b184b80a82577f5ed87eb4df0c0c4bff862350afe5f992b75f04ac6e69f96
 SHA512:
-  metadata.gz: 69d8f7352749ea26e0aeee9ca63943fc6d46eccf927ec217fd9d5b072b60a405b5b7a4515c120e8e05145870ac1c0bc196c27ad38d4733c15e693af40d0055fa
-  data.tar.gz: e5f8ad4e72213b0620785369b37c6cbf4d2200eea2a2ec521df6f6240694527216da0450af39cb86b7d9650d4d04649d5fc3bb4136163574ae29f2a3dc6db539
+  metadata.gz: 535024739c08d5e33e7a53a300a75f16009c8227a27b27c8c758501b6328865db2ebeaaace0bc8ae94d5f199d93bd63f76f98164e1524df7896c22784aa04975
+  data.tar.gz: e12a28a7d0933ad3fc4ccff35d36948e42b9ea9c884a132f7aed5bd9c33b67ad61037f0b29975c5fc04329a64ef7bcc8703ce3c684e4e278168706eecd1a37a7

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -41,9 +41,7 @@ module Dependabot
       # Otherwise, we are going to use old versionining npm 6
       sig { params(lockfile: T.nilable(DependencyFile)).returns(Integer) }
       def self.npm_version_numeric(lockfile)
-        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
-          return npm_version_numeric_latest(lockfile)
-        end
+        return npm_version_numeric_latest(lockfile) if Dependabot::Experiments.enabled?(:npm_v6_deprecation_warning)
 
         fallback_version_npm8 = Dependabot::Experiments.enabled?(:npm_fallback_version_above_v6)
 
@@ -174,7 +172,7 @@ module Dependabot
       def self.npm8?(package_lock)
         return true unless package_lock&.content
 
-        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
+        if Dependabot::Experiments.enabled?(:npm_v6_deprecation_warning)
           return npm_version_numeric_latest(package_lock) >= NPM_V8
         end
 

data/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -72,33 +72,40 @@ module Dependabot
 
       sig do
         params(
-          raw_version: String,
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
           requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
         ).void
       end
-      def initialize(raw_version, requirement: nil)
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
         super(
-          NAME,
-          Version.new(raw_version),
-          DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS,
-          requirement
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
         )
       end
 
       sig { override.returns(T::Boolean) }
       def deprecated?
+        return false unless detected_version
+
         return false if unsupported?
+
         return false unless Dependabot::Experiments.enabled?(:npm_v6_deprecation_warning)
 
-        deprecated_versions.include?(version)
+        deprecated_versions.include?(detected_version)
       end
 
       sig { override.returns(T::Boolean) }
       def unsupported?
+        return false unless detected_version
+
         return false unless Dependabot::Experiments.enabled?(:npm_v6_unsupported_error)
 
-        supported_versions.all? { |supported| supported > version }
+        supported_versions.all? { |supported| supported > detected_version }
       end
     end
 
@@ -123,17 +130,19 @@ module Dependabot
 
       sig do
         params(
-          raw_version: String,
-          requirement: T.nilable(Requirement)
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
         ).void
       end
-      def initialize(raw_version, requirement: nil)
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
         super(
-          NAME,
-          Version.new(raw_version),
-          DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS,
-          requirement
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
         )
       end
 
@@ -168,17 +177,19 @@ module Dependabot
 
       sig do
         params(
-          raw_version: String,
-          requirement: T.nilable(Requirement)
+          detected_version: T.nilable(String),
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
         ).void
       end
-      def initialize(raw_version, requirement: nil)
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
         super(
-          NAME,
-          Version.new(raw_version),
-          DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS,
-          requirement
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
         )
       end
 
@@ -284,17 +295,19 @@ module Dependabot
 
       sig do
         params(
+          detected_version: T.nilable(String),
           raw_version: T.nilable(String),
-          requirement: T.nilable(Requirement)
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
         ).void
       end
-      def initialize(raw_version, requirement: nil)
+      def initialize(detected_version: nil, raw_version: nil, requirement: nil)
         super(
-          NAME,
-          Version.new(raw_version),
-          DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS,
-          requirement
+          name: NAME,
+          detected_version: detected_version ? Version.new(detected_version) : nil,
+          version: raw_version ? Version.new(raw_version) : nil,
+          deprecated_versions: DEPRECATED_VERSIONS,
+          supported_versions: SUPPORTED_VERSIONS,
+          requirement: requirement
         )
       end
 
@@ -349,7 +362,7 @@ module Dependabot
       sig { returns(Ecosystem::VersionManager) }
       def language
         @language ||= Language.new(
-          Helpers.node_version,
+          raw_version: Helpers.node_version,
           requirement: language_requirement
         )
       end
@@ -393,6 +406,7 @@ module Dependabot
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/AbcSize
       # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/MethodLength
       sig { params(name: String).returns(T.nilable(T.any(Integer, String))) }
       def setup(name)
         # we prioritize version mentioned in "packageManager" instead of "engines"
@@ -405,6 +419,8 @@ module Dependabot
           return
         end
 
+        return package_manager.version.to_s if package_manager.deprecated? || package_manager.unsupported?
+
         if @engines && @manifest_package_manager.nil?
           # if "packageManager" doesn't exists in manifest file,
           # we check if we can extract "engines" information
@@ -453,6 +469,24 @@ module Dependabot
       # rubocop:enable Metrics/CyclomaticComplexity
       # rubocop:enable Metrics/AbcSize
       # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/MethodLength
+
+      sig { params(name: String).returns(T.nilable(String)) }
+      def detect_version(name)
+        # we prioritize version mentioned in "packageManager" instead of "engines"
+        if @manifest_package_manager&.start_with?("#{name}@")
+          detected_version = @manifest_package_manager.split("@").last.to_s
+        end
+
+        # if "packageManager" have no version specified, we check if we can extract "engines" information
+        detected_version = check_engine_version(name) if !detected_version || detected_version.empty?
+
+        # if "packageManager" and "engines" both are not present, we check if we can infer the version
+        # from the manifest file lockfileVersion
+        detected_version = guessed_version(name) if !detected_version || detected_version.empty?
+
+        detected_version&.to_s
+      end
 
       sig { params(name: T.nilable(String)).returns(Ecosystem::VersionManager) }
       def package_manager_by_name(name)
@@ -461,6 +495,16 @@ module Dependabot
         name = ensure_valid_package_manager(name)
         package_manager_class = T.must(PACKAGE_MANAGER_CLASSES[name])
 
+        detected_version = detect_version(name)
+
+        # if we have a detected version, we check if it is deprecated or unsupported
+        if detected_version
+          package_manager = package_manager_class.new(
+            detected_version: detected_version.to_s
+          )
+          return package_manager if package_manager.deprecated? || package_manager.unsupported?
+        end
+
         installed_version = installed_version(name)
         Dependabot.logger.info("Installed version for #{name}: #{installed_version}")
 
@@ -472,7 +516,8 @@ module Dependabot
         end
 
         package_manager_class.new(
-          installed_version,
+          detected_version: detected_version.to_s,
+          raw_version: installed_version,
           requirement: package_manager_requirement
         )
       rescue StandardError => e

data/lib/dependabot/npm_and_yarn/version.rb

@@ -62,8 +62,10 @@ module Dependabot
 
       sig { override.params(version: VersionParameter).void }
       def initialize(version)
+        version = clean_version(version)
+
         @version_string = T.let(version.to_s, String)
-        version = version.gsub(/^v/, "") if version.is_a?(String)
+
         @build_info = T.let(nil, T.nilable(String))
 
         version, @build_info = version.to_s.split("+") if version.to_s.include?("+")
@@ -71,6 +73,20 @@ module Dependabot
         super(T.must(version))
       end
 
+      sig { params(version: VersionParameter).returns(VersionParameter) }
+      def clean_version(version)
+        # Check if version is a string before attempting to match
+        if version.is_a?(String)
+          # Matches @ followed by x.y.z (digits separated by dots)
+          if (match = version.match(/@(\d+\.\d+\.\d+)/))
+            version = match[1] # Just "4.5.3"
+          end
+          version = version&.gsub(/^v/, "")
+        end
+
+        version
+      end
+
       sig { override.params(version: VersionParameter).returns(Dependabot::NpmAndYarn::Version) }
       def self.new(version)
         T.cast(super, Dependabot::NpmAndYarn::Version)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.291.0
+  version: 0.292.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-19 00:00:00.000000000 Z
+date: 2025-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.291.0
+        version: 0.292.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.291.0
+        version: 0.292.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -347,7 +347,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.291.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.292.0
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -363,7 +363,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 3.1.0
 requirements: []
-rubygems_version: 3.5.9
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Provides Dependabot support for Javascript (npm and yarn)