dependabot-npm_and_yarn 0.302.0 → 0.303.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/dependabot/npm_and_yarn/file_updater/bun_lockfile_updater.rb +1 -1
- data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb +3 -3
- data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb +3 -3
- data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb +2 -2
- data/lib/dependabot/npm_and_yarn/file_updater/pnpm_workspace_updater.rb +1 -1
- data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb +5 -5
- data/lib/dependabot/npm_and_yarn/metadata_finder.rb +2 -2
- data/lib/dependabot/npm_and_yarn/package/package_details_fetcher.rb +315 -0
- data/lib/dependabot/npm_and_yarn/{update_checker → package}/registry_finder.rb +3 -1
- data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb +2 -2
- data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb +2 -2
- data/lib/dependabot/npm_and_yarn/update_checker/library_detector.rb +1 -1
- data/lib/dependabot/npm_and_yarn/update_checker.rb +6 -2
- metadata +9 -8
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: ad45cf35ecbd2646efac000b10b1e75788d1b14717df839f7cecbdd8b0f528da
|
|
4
|
+
data.tar.gz: a5263324b67553166c24f348da59a0845fec2d9c97562fc4db80474fd936feaf
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f7e9fc7913ca0366e0eb18b31ab9add1e7007d575993b1e85f10401b66ffcd003a5d517de9c31ab0e39628d3f00aad1a904076fe0ca1de297c3b3985c4071734
|
|
7
|
+
data.tar.gz: 04e7fa3cc8372cd13778b191bd68e5e9aecd5cf33989f8e2c7e10bbb1b98f3daa10b3da59d5b4bbf6d2c6cb04d7a63a0e665712bbf623822d68cf7f755f1e0c5
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "dependabot/npm_and_yarn/helpers"
|
|
5
|
-
require "dependabot/npm_and_yarn/
|
|
5
|
+
require "dependabot/npm_and_yarn/package/registry_finder"
|
|
6
6
|
require "dependabot/npm_and_yarn/registry_parser"
|
|
7
7
|
require "dependabot/shared_helpers"
|
|
8
8
|
|
|
@@ -10,7 +10,7 @@ require "dependabot/npm_and_yarn/file_parser"
|
|
|
10
10
|
require "dependabot/npm_and_yarn/file_updater"
|
|
11
11
|
require "dependabot/npm_and_yarn/helpers"
|
|
12
12
|
require "dependabot/npm_and_yarn/native_helpers"
|
|
13
|
-
require "dependabot/npm_and_yarn/
|
|
13
|
+
require "dependabot/npm_and_yarn/package/registry_finder"
|
|
14
14
|
require "dependabot/shared_helpers"
|
|
15
15
|
|
|
16
16
|
# rubocop:disable Metrics/ClassLength
|
|
@@ -669,7 +669,7 @@ module Dependabot
|
|
|
669
669
|
|
|
670
670
|
raise_resolvability_error(error_message) unless missing_dep
|
|
671
671
|
|
|
672
|
-
reg =
|
|
672
|
+
reg = Package::RegistryFinder.new(
|
|
673
673
|
dependency: missing_dep,
|
|
674
674
|
credentials: credentials,
|
|
675
675
|
npmrc_file: dependency_files. find { |f| f.name.end_with?(".npmrc") },
|
|
@@ -677,7 +677,7 @@ module Dependabot
|
|
|
677
677
|
yarnrc_yml_file: dependency_files.find { |f| f.name.end_with?(".yarnrc.yml") }
|
|
678
678
|
).registry
|
|
679
679
|
|
|
680
|
-
return if
|
|
680
|
+
return if Package::RegistryFinder.central_registry?(reg) && !package_name.start_with?("@")
|
|
681
681
|
|
|
682
682
|
raise Dependabot::PrivateSourceAuthenticationFailure, reg
|
|
683
683
|
end
|
|
@@ -10,7 +10,7 @@ module Dependabot
|
|
|
10
10
|
class FileUpdater < Dependabot::FileUpdaters::Base
|
|
11
11
|
# Build a .npmrc file from the lockfile content, credentials, and any
|
|
12
12
|
# committed .npmrc
|
|
13
|
-
# We should refactor this to use
|
|
13
|
+
# We should refactor this to use Package::RegistryFinder
|
|
14
14
|
class NpmrcBuilder
|
|
15
15
|
extend T::Sig
|
|
16
16
|
|
|
@@ -176,7 +176,7 @@ module Dependabot
|
|
|
176
176
|
|
|
177
177
|
if dependencies.any?
|
|
178
178
|
@dependency_urls = dependencies.map do |dependency|
|
|
179
|
-
|
|
179
|
+
Package::RegistryFinder.new(
|
|
180
180
|
dependency: dependency,
|
|
181
181
|
credentials: credentials,
|
|
182
182
|
npmrc_file: npmrc_file,
|
|
@@ -249,7 +249,7 @@ module Dependabot
|
|
|
249
249
|
yarnrc_file&.content
|
|
250
250
|
&.lines
|
|
251
251
|
&.find { |line| line.match?(/^\s*registry\s/) }
|
|
252
|
-
&.match(
|
|
252
|
+
&.match(Package::RegistryFinder::YARN_GLOBAL_REGISTRY_REGEX)
|
|
253
253
|
&.named_captures&.fetch("registry")
|
|
254
254
|
|
|
255
255
|
return "registry = #{yarnrc_global_registry}\n" if yarnrc_global_registry
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "dependabot/npm_and_yarn/helpers"
|
|
5
|
-
require "dependabot/npm_and_yarn/
|
|
5
|
+
require "dependabot/npm_and_yarn/package/registry_finder"
|
|
6
6
|
require "dependabot/npm_and_yarn/registry_parser"
|
|
7
7
|
require "dependabot/shared_helpers"
|
|
8
8
|
|
|
@@ -309,7 +309,7 @@ module Dependabot
|
|
|
309
309
|
.find { |dep| dep.name == package_name }
|
|
310
310
|
raise DependencyNotFound, package_name unless missing_dep
|
|
311
311
|
|
|
312
|
-
reg =
|
|
312
|
+
reg = Package::RegistryFinder.new(
|
|
313
313
|
dependency: missing_dep,
|
|
314
314
|
credentials: credentials,
|
|
315
315
|
npmrc_file: npmrc_file
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
# frozen_string_literal: true
|
|
3
3
|
|
|
4
4
|
require "dependabot/npm_and_yarn/helpers"
|
|
5
|
-
require "dependabot/npm_and_yarn/
|
|
5
|
+
require "dependabot/npm_and_yarn/package/registry_finder"
|
|
6
6
|
require "dependabot/npm_and_yarn/registry_parser"
|
|
7
7
|
require "dependabot/shared_helpers"
|
|
8
8
|
|
|
@@ -7,7 +7,7 @@ require "dependabot/npm_and_yarn"
|
|
|
7
7
|
require "dependabot/npm_and_yarn/file_updater"
|
|
8
8
|
require "dependabot/npm_and_yarn/file_parser"
|
|
9
9
|
require "dependabot/npm_and_yarn/helpers"
|
|
10
|
-
require "dependabot/npm_and_yarn/
|
|
10
|
+
require "dependabot/npm_and_yarn/package/registry_finder"
|
|
11
11
|
require "dependabot/npm_and_yarn/native_helpers"
|
|
12
12
|
require "dependabot/shared_helpers"
|
|
13
13
|
require "dependabot/errors"
|
|
@@ -429,7 +429,7 @@ module Dependabot
|
|
|
429
429
|
|
|
430
430
|
error_handler.raise_resolvability_error(error_message, yarn_lock) unless missing_dep
|
|
431
431
|
|
|
432
|
-
reg =
|
|
432
|
+
reg = Package::RegistryFinder.new(
|
|
433
433
|
dependency: missing_dep,
|
|
434
434
|
credentials: credentials,
|
|
435
435
|
npmrc_file: npmrc_file,
|
|
@@ -437,7 +437,7 @@ module Dependabot
|
|
|
437
437
|
yarnrc_yml_file: yarnrc_yml_file
|
|
438
438
|
).registry
|
|
439
439
|
|
|
440
|
-
return if
|
|
440
|
+
return if Package::RegistryFinder.central_registry?(reg) && !package_name.start_with?("@")
|
|
441
441
|
|
|
442
442
|
raise PrivateSourceAuthenticationFailure, reg
|
|
443
443
|
end
|
|
@@ -489,7 +489,7 @@ module Dependabot
|
|
|
489
489
|
def yarnrc_specifies_private_reg?
|
|
490
490
|
return false unless yarnrc_file
|
|
491
491
|
|
|
492
|
-
regex =
|
|
492
|
+
regex = Package::RegistryFinder::YARN_GLOBAL_REGISTRY_REGEX
|
|
493
493
|
yarnrc_global_registry =
|
|
494
494
|
yarnrc_file.content
|
|
495
495
|
.lines.find { |line| line.match?(regex) }
|
|
@@ -499,7 +499,7 @@ module Dependabot
|
|
|
499
499
|
|
|
500
500
|
return false unless yarnrc_global_registry
|
|
501
501
|
|
|
502
|
-
|
|
502
|
+
Package::RegistryFinder::CENTRAL_REGISTRIES.any? do |r|
|
|
503
503
|
r.include?(T.must(URI(yarnrc_global_registry).host))
|
|
504
504
|
end
|
|
505
505
|
end
|
|
@@ -7,7 +7,7 @@ require "time"
|
|
|
7
7
|
require "dependabot/metadata_finders"
|
|
8
8
|
require "dependabot/metadata_finders/base"
|
|
9
9
|
require "dependabot/registry_client"
|
|
10
|
-
require "dependabot/npm_and_yarn/
|
|
10
|
+
require "dependabot/npm_and_yarn/package/registry_finder"
|
|
11
11
|
require "dependabot/npm_and_yarn/version"
|
|
12
12
|
|
|
13
13
|
module Dependabot
|
|
@@ -95,7 +95,7 @@ module Dependabot
|
|
|
95
95
|
def new_source
|
|
96
96
|
sources = dependency.requirements
|
|
97
97
|
.map { |r| r.fetch(:source) }.uniq.compact
|
|
98
|
-
.sort_by { |source|
|
|
98
|
+
.sort_by { |source| Package::RegistryFinder.central_registry?(source[:url]) ? 1 : 0 }
|
|
99
99
|
|
|
100
100
|
sources.first
|
|
101
101
|
end
|
|
@@ -0,0 +1,315 @@
|
|
|
1
|
+
# typed: strict
|
|
2
|
+
# frozen_string_literal: true
|
|
3
|
+
|
|
4
|
+
require "json"
|
|
5
|
+
require "excon"
|
|
6
|
+
require "time"
|
|
7
|
+
require "dependabot/package/package_release"
|
|
8
|
+
require "dependabot/package/package_details"
|
|
9
|
+
require "dependabot/npm_and_yarn/package/registry_finder"
|
|
10
|
+
|
|
11
|
+
module Dependabot
|
|
12
|
+
module NpmAndYarn
|
|
13
|
+
module Package
|
|
14
|
+
class PackageDetailsFetcher
|
|
15
|
+
extend T::Sig
|
|
16
|
+
|
|
17
|
+
sig do
|
|
18
|
+
params(
|
|
19
|
+
dependency: Dependabot::Dependency,
|
|
20
|
+
dependency_files: T::Array[Dependabot::DependencyFile],
|
|
21
|
+
credentials: T::Array[Dependabot::Credential]
|
|
22
|
+
).void
|
|
23
|
+
end
|
|
24
|
+
def initialize(
|
|
25
|
+
dependency:,
|
|
26
|
+
dependency_files:,
|
|
27
|
+
credentials:
|
|
28
|
+
)
|
|
29
|
+
@dependency = T.let(dependency, Dependabot::Dependency)
|
|
30
|
+
@dependency_files = T.let(dependency_files, T::Array[Dependabot::DependencyFile])
|
|
31
|
+
@credentials = T.let(credentials, T::Array[Dependabot::Credential])
|
|
32
|
+
|
|
33
|
+
@npm_details = T.let(nil, T.nilable(T::Hash[String, T.untyped]))
|
|
34
|
+
@dist_tags = T.let(nil, T.nilable(T::Hash[String, String]))
|
|
35
|
+
@registry_finder = T.let(nil, T.nilable(Package::RegistryFinder))
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
sig { returns(Dependabot::Dependency) }
|
|
39
|
+
attr_reader :dependency
|
|
40
|
+
|
|
41
|
+
sig { returns(T::Array[Dependabot::Credential]) }
|
|
42
|
+
attr_reader :credentials
|
|
43
|
+
|
|
44
|
+
sig { returns(T::Array[Dependabot::DependencyFile]) }
|
|
45
|
+
attr_reader :dependency_files
|
|
46
|
+
|
|
47
|
+
sig { returns(T.nilable(Dependabot::Package::PackageDetails)) }
|
|
48
|
+
def fetch
|
|
49
|
+
package_data = fetch_npm_details
|
|
50
|
+
Dependabot::Package::PackageDetails.new(
|
|
51
|
+
dependency: @dependency,
|
|
52
|
+
releases: package_data ? parse_versions(package_data) : [],
|
|
53
|
+
dist_tags: dist_tags
|
|
54
|
+
)
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
sig { returns(T::Boolean) }
|
|
58
|
+
def valid_npm_details?
|
|
59
|
+
!dist_tags.nil?
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
sig { returns(T.nilable(T::Hash[String, T.untyped])) }
|
|
63
|
+
def npm_details
|
|
64
|
+
@npm_details ||= fetch_npm_details
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
private
|
|
68
|
+
|
|
69
|
+
sig do
|
|
70
|
+
params(
|
|
71
|
+
npm_data: T::Hash[String, T.untyped]
|
|
72
|
+
).returns(T::Array[Dependabot::Package::PackageRelease])
|
|
73
|
+
end
|
|
74
|
+
def parse_versions(npm_data)
|
|
75
|
+
time_data = npm_data["time"] || {}
|
|
76
|
+
versions_data = npm_data["versions"] || {}
|
|
77
|
+
|
|
78
|
+
latest_version = npm_data.dig("dist-tags", "latest")
|
|
79
|
+
|
|
80
|
+
versions_data.filter_map do |version, details|
|
|
81
|
+
next unless Dependabot::NpmAndYarn::Version.correct?(version)
|
|
82
|
+
|
|
83
|
+
package_type = details.dig("repository", "type")
|
|
84
|
+
|
|
85
|
+
deprecated = details["deprecated"]
|
|
86
|
+
|
|
87
|
+
puts "version: #{version}, #{latest_version}"
|
|
88
|
+
|
|
89
|
+
Dependabot::Package::PackageRelease.new(
|
|
90
|
+
version: Version.new(version),
|
|
91
|
+
released_at: time_data[version] ? Time.parse(time_data[version]) : nil,
|
|
92
|
+
yanked: deprecated ? true : false,
|
|
93
|
+
yanked_reason: deprecated.is_a?(String) ? deprecated : nil,
|
|
94
|
+
downloads: nil,
|
|
95
|
+
latest: latest_version.to_s == version,
|
|
96
|
+
url: package_version_url(version),
|
|
97
|
+
package_type: package_type,
|
|
98
|
+
language: package_language(details)
|
|
99
|
+
)
|
|
100
|
+
end.sort_by(&:version).reverse
|
|
101
|
+
end
|
|
102
|
+
|
|
103
|
+
sig { params(version: String).returns(String) }
|
|
104
|
+
def package_version_url(version)
|
|
105
|
+
"#{dependency_registry}/#{@dependency.name}/v/#{version}"
|
|
106
|
+
end
|
|
107
|
+
|
|
108
|
+
sig do
|
|
109
|
+
params(version_details: T::Hash[String, T.untyped])
|
|
110
|
+
.returns(T.nilable(Dependabot::Package::PackageLanguage))
|
|
111
|
+
end
|
|
112
|
+
def package_language(version_details)
|
|
113
|
+
node_requirement = version_details.dig("engines", "node")
|
|
114
|
+
|
|
115
|
+
return nil unless node_requirement
|
|
116
|
+
|
|
117
|
+
if node_requirement
|
|
118
|
+
Dependabot::Package::PackageLanguage.new(
|
|
119
|
+
name: "node",
|
|
120
|
+
version: nil,
|
|
121
|
+
requirement: Requirement.new(node_requirement)
|
|
122
|
+
)
|
|
123
|
+
end
|
|
124
|
+
rescue Gem::Requirement::BadRequirementError
|
|
125
|
+
nil
|
|
126
|
+
end
|
|
127
|
+
|
|
128
|
+
sig { returns(T.nilable(T::Hash[String, String])) }
|
|
129
|
+
def dist_tags
|
|
130
|
+
@dist_tags ||= npm_details&.fetch("dist-tags", nil)
|
|
131
|
+
end
|
|
132
|
+
|
|
133
|
+
sig { returns(T.nilable(T::Hash[String, T.untyped])) }
|
|
134
|
+
def fetch_npm_details
|
|
135
|
+
npm_response = fetch_npm_response
|
|
136
|
+
check_npm_response(npm_response) if npm_response
|
|
137
|
+
JSON.parse(npm_response.body)
|
|
138
|
+
rescue JSON::ParserError, Excon::Error::Timeout, Excon::Error::Socket, RegistryError => e
|
|
139
|
+
return nil if git_dependency?
|
|
140
|
+
|
|
141
|
+
raise_npm_details_error(e)
|
|
142
|
+
end
|
|
143
|
+
|
|
144
|
+
sig { returns(Excon::Response) }
|
|
145
|
+
def fetch_npm_response
|
|
146
|
+
response = Dependabot::RegistryClient.get(
|
|
147
|
+
url: dependency_url,
|
|
148
|
+
headers: registry_auth_headers
|
|
149
|
+
)
|
|
150
|
+
|
|
151
|
+
# If response is successful, return it
|
|
152
|
+
return response if response.status.to_s.start_with?("2")
|
|
153
|
+
|
|
154
|
+
# If the registry is public (not explicitly private) and the request fails, return the response as is
|
|
155
|
+
return response if dependency_registry == "registry.npmjs.org"
|
|
156
|
+
|
|
157
|
+
# If a private registry returns a 500 error, check authentication
|
|
158
|
+
return response unless response.status == 500
|
|
159
|
+
return response unless registry_auth_headers["Authorization"]
|
|
160
|
+
|
|
161
|
+
auth = registry_auth_headers["Authorization"]
|
|
162
|
+
return response unless auth&.start_with?("Basic")
|
|
163
|
+
|
|
164
|
+
decoded_token = Base64.decode64(auth.gsub("Basic ", "")).strip
|
|
165
|
+
|
|
166
|
+
# Ensure decoded token is not empty and contains a colon
|
|
167
|
+
if decoded_token.empty? || !decoded_token.include?(":")
|
|
168
|
+
raise PrivateSourceAuthenticationFailure, "Malformed basic auth credentials for #{dependency_registry}"
|
|
169
|
+
end
|
|
170
|
+
|
|
171
|
+
username, password = decoded_token.split(":")
|
|
172
|
+
|
|
173
|
+
Dependabot::RegistryClient.get(
|
|
174
|
+
url: dependency_url,
|
|
175
|
+
options: {
|
|
176
|
+
user: username,
|
|
177
|
+
password: password
|
|
178
|
+
}
|
|
179
|
+
)
|
|
180
|
+
rescue URI::InvalidURIError => e
|
|
181
|
+
raise DependencyFileNotResolvable, e.message
|
|
182
|
+
end
|
|
183
|
+
|
|
184
|
+
sig { params(npm_response: Excon::Response).void }
|
|
185
|
+
def check_npm_response(npm_response)
|
|
186
|
+
return if git_dependency?
|
|
187
|
+
|
|
188
|
+
if private_dependency_not_reachable?(npm_response)
|
|
189
|
+
raise PrivateSourceAuthenticationFailure, dependency_registry
|
|
190
|
+
end
|
|
191
|
+
|
|
192
|
+
# handles scenario when private registry returns a server error 5xx
|
|
193
|
+
if private_dependency_server_error?(npm_response)
|
|
194
|
+
msg = "Server error #{npm_response.status} returned while accessing registry" \
|
|
195
|
+
" #{dependency_registry}."
|
|
196
|
+
raise DependencyFileNotResolvable, msg
|
|
197
|
+
end
|
|
198
|
+
|
|
199
|
+
status = npm_response.status
|
|
200
|
+
|
|
201
|
+
# handles issue when status 200 is returned from registry but with an invalid JSON object
|
|
202
|
+
if status.to_s.start_with?("2") && response_invalid_json?(npm_response)
|
|
203
|
+
msg = "Invalid JSON object returned from registry #{dependency_registry}."
|
|
204
|
+
Dependabot.logger.warn("#{msg} Response body (truncated) : #{npm_response.body[0..500]}...")
|
|
205
|
+
raise DependencyFileNotResolvable, msg
|
|
206
|
+
end
|
|
207
|
+
|
|
208
|
+
return if status.to_s.start_with?("2")
|
|
209
|
+
|
|
210
|
+
# Ignore 404s from the registry for updates where a lockfile doesn't
|
|
211
|
+
# need to be generated. The 404 won't cause problems later.
|
|
212
|
+
return if status == 404 && dependency.version.nil?
|
|
213
|
+
|
|
214
|
+
msg = "Got #{status} response with body #{npm_response.body}"
|
|
215
|
+
raise RegistryError.new(status, msg)
|
|
216
|
+
end
|
|
217
|
+
|
|
218
|
+
sig { params(error: StandardError).void }
|
|
219
|
+
def raise_npm_details_error(error)
|
|
220
|
+
raise if dependency_registry == "registry.npmjs.org"
|
|
221
|
+
raise unless error.is_a?(Excon::Error::Timeout)
|
|
222
|
+
|
|
223
|
+
raise PrivateSourceTimedOut, dependency_registry
|
|
224
|
+
end
|
|
225
|
+
|
|
226
|
+
sig { params(npm_response: Excon::Response).returns(T::Boolean) }
|
|
227
|
+
def private_dependency_not_reachable?(npm_response)
|
|
228
|
+
return true if npm_response.body.start_with?(/user ".*?" is not a /)
|
|
229
|
+
return false unless [401, 402, 403, 404].include?(npm_response.status)
|
|
230
|
+
|
|
231
|
+
# Check whether this dependency is (likely to be) private
|
|
232
|
+
if dependency_registry == "registry.npmjs.org"
|
|
233
|
+
return false unless dependency.name.start_with?("@")
|
|
234
|
+
|
|
235
|
+
web_response = Dependabot::RegistryClient.get(url: "https://www.npmjs.com/package/#{dependency.name}")
|
|
236
|
+
# NOTE: returns 429 when the login page is rate limited
|
|
237
|
+
return web_response.body.include?("Forgot password?") ||
|
|
238
|
+
web_response.status == 429
|
|
239
|
+
end
|
|
240
|
+
|
|
241
|
+
true
|
|
242
|
+
end
|
|
243
|
+
|
|
244
|
+
sig { params(npm_response: Excon::Response).returns(T::Boolean) }
|
|
245
|
+
def private_dependency_server_error?(npm_response)
|
|
246
|
+
if [500, 501, 502, 503].include?(npm_response.status)
|
|
247
|
+
Dependabot.logger.warn("#{dependency_registry} returned code #{npm_response.status} with " \
|
|
248
|
+
"body #{npm_response.body}.")
|
|
249
|
+
return true
|
|
250
|
+
end
|
|
251
|
+
false
|
|
252
|
+
end
|
|
253
|
+
|
|
254
|
+
sig { params(npm_response: Excon::Response).returns(T::Boolean) }
|
|
255
|
+
def response_invalid_json?(npm_response)
|
|
256
|
+
result = JSON.parse(npm_response.body)
|
|
257
|
+
result.is_a?(Hash) || result.is_a?(Array)
|
|
258
|
+
false
|
|
259
|
+
rescue JSON::ParserError, TypeError
|
|
260
|
+
true
|
|
261
|
+
end
|
|
262
|
+
|
|
263
|
+
sig { returns(String) }
|
|
264
|
+
def dependency_url
|
|
265
|
+
registry_finder.dependency_url
|
|
266
|
+
end
|
|
267
|
+
|
|
268
|
+
sig { returns(T::Hash[String, String]) }
|
|
269
|
+
def registry_auth_headers
|
|
270
|
+
registry_finder.auth_headers
|
|
271
|
+
end
|
|
272
|
+
|
|
273
|
+
sig { returns(String) }
|
|
274
|
+
def dependency_registry
|
|
275
|
+
registry_finder.registry
|
|
276
|
+
end
|
|
277
|
+
|
|
278
|
+
sig { returns(Package::RegistryFinder) }
|
|
279
|
+
def registry_finder
|
|
280
|
+
@registry_finder ||= Package::RegistryFinder.new(
|
|
281
|
+
dependency: dependency,
|
|
282
|
+
credentials: credentials,
|
|
283
|
+
npmrc_file: npmrc_file,
|
|
284
|
+
yarnrc_file: yarnrc_file,
|
|
285
|
+
yarnrc_yml_file: yarnrc_yml_file
|
|
286
|
+
)
|
|
287
|
+
end
|
|
288
|
+
|
|
289
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
290
|
+
def npmrc_file
|
|
291
|
+
dependency_files.find { |f| f.name.end_with?(".npmrc") }
|
|
292
|
+
end
|
|
293
|
+
|
|
294
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
295
|
+
def yarnrc_file
|
|
296
|
+
dependency_files.find { |f| f.name.end_with?(".yarnrc") }
|
|
297
|
+
end
|
|
298
|
+
|
|
299
|
+
sig { returns(T.nilable(Dependabot::DependencyFile)) }
|
|
300
|
+
def yarnrc_yml_file
|
|
301
|
+
dependency_files.find { |f| f.name.end_with?(".yarnrc.yml") }
|
|
302
|
+
end
|
|
303
|
+
|
|
304
|
+
sig { returns(T::Boolean) }
|
|
305
|
+
def git_dependency?
|
|
306
|
+
# ignored_version/raise_on_ignored are irrelevant.
|
|
307
|
+
GitCommitChecker.new(
|
|
308
|
+
dependency: dependency,
|
|
309
|
+
credentials: credentials
|
|
310
|
+
).git_dependency?
|
|
311
|
+
end
|
|
312
|
+
end
|
|
313
|
+
end
|
|
314
|
+
end
|
|
315
|
+
end
|
|
@@ -110,7 +110,7 @@ module Dependabot
|
|
|
110
110
|
def yarnrc_specifies_private_reg?
|
|
111
111
|
return false unless yarnrc_file
|
|
112
112
|
|
|
113
|
-
regex =
|
|
113
|
+
regex = Package::RegistryFinder::YARN_GLOBAL_REGISTRY_REGEX
|
|
114
114
|
yarnrc_global_registry =
|
|
115
115
|
yarnrc_file.content
|
|
116
116
|
.lines.find { |line| line.match?(regex) }
|
|
@@ -120,7 +120,7 @@ module Dependabot
|
|
|
120
120
|
|
|
121
121
|
return false unless yarnrc_global_registry
|
|
122
122
|
|
|
123
|
-
|
|
123
|
+
Package::RegistryFinder::CENTRAL_REGISTRIES.none? do |r|
|
|
124
124
|
r.include?(T.must(URI(yarnrc_global_registry).host))
|
|
125
125
|
end
|
|
126
126
|
end
|
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
require "excon"
|
|
5
5
|
require "dependabot/npm_and_yarn/update_checker"
|
|
6
6
|
require "dependabot/update_checkers/version_filters"
|
|
7
|
-
require "dependabot/npm_and_yarn/
|
|
7
|
+
require "dependabot/npm_and_yarn/package/registry_finder"
|
|
8
8
|
require "dependabot/npm_and_yarn/version"
|
|
9
9
|
require "dependabot/npm_and_yarn/requirement"
|
|
10
10
|
require "dependabot/shared_helpers"
|
|
@@ -411,7 +411,7 @@ module Dependabot
|
|
|
411
411
|
end
|
|
412
412
|
|
|
413
413
|
def registry_finder
|
|
414
|
-
@registry_finder ||= RegistryFinder.new(
|
|
414
|
+
@registry_finder ||= Package::RegistryFinder.new(
|
|
415
415
|
dependency: dependency,
|
|
416
416
|
credentials: credentials,
|
|
417
417
|
npmrc_file: npmrc_file,
|
|
@@ -427,8 +427,12 @@ module Dependabot
|
|
|
427
427
|
|
|
428
428
|
def original_source(updated_dependency)
|
|
429
429
|
sources =
|
|
430
|
-
updated_dependency
|
|
431
|
-
|
|
430
|
+
updated_dependency
|
|
431
|
+
.requirements.map { |r| r.fetch(:source) }
|
|
432
|
+
.uniq.compact
|
|
433
|
+
.sort_by do |source|
|
|
434
|
+
Package::RegistryFinder.central_registry?(source[:url]) ? 1 : 0
|
|
435
|
+
end
|
|
432
436
|
|
|
433
437
|
sources.first
|
|
434
438
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.303.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2025-03-
|
|
11
|
+
date: 2025-03-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dependabot-common
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.
|
|
19
|
+
version: 0.303.0
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.
|
|
26
|
+
version: 0.303.0
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: debug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -156,14 +156,14 @@ dependencies:
|
|
|
156
156
|
requirements:
|
|
157
157
|
- - "~>"
|
|
158
158
|
- !ruby/object:Gem::Version
|
|
159
|
-
version: 0.8.
|
|
159
|
+
version: 0.8.7
|
|
160
160
|
type: :development
|
|
161
161
|
prerelease: false
|
|
162
162
|
version_requirements: !ruby/object:Gem::Requirement
|
|
163
163
|
requirements:
|
|
164
164
|
- - "~>"
|
|
165
165
|
- !ruby/object:Gem::Version
|
|
166
|
-
version: 0.8.
|
|
166
|
+
version: 0.8.7
|
|
167
167
|
- !ruby/object:Gem::Dependency
|
|
168
168
|
name: simplecov
|
|
169
169
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -331,6 +331,8 @@ files:
|
|
|
331
331
|
- lib/dependabot/npm_and_yarn/metadata_finder.rb
|
|
332
332
|
- lib/dependabot/npm_and_yarn/native_helpers.rb
|
|
333
333
|
- lib/dependabot/npm_and_yarn/npm_package_manager.rb
|
|
334
|
+
- lib/dependabot/npm_and_yarn/package/package_details_fetcher.rb
|
|
335
|
+
- lib/dependabot/npm_and_yarn/package/registry_finder.rb
|
|
334
336
|
- lib/dependabot/npm_and_yarn/package_manager.rb
|
|
335
337
|
- lib/dependabot/npm_and_yarn/package_name.rb
|
|
336
338
|
- lib/dependabot/npm_and_yarn/pnpm_package_manager.rb
|
|
@@ -343,7 +345,6 @@ files:
|
|
|
343
345
|
- lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb
|
|
344
346
|
- lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb
|
|
345
347
|
- lib/dependabot/npm_and_yarn/update_checker/library_detector.rb
|
|
346
|
-
- lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb
|
|
347
348
|
- lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb
|
|
348
349
|
- lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb
|
|
349
350
|
- lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb
|
|
@@ -356,7 +357,7 @@ licenses:
|
|
|
356
357
|
- MIT
|
|
357
358
|
metadata:
|
|
358
359
|
bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
|
|
359
|
-
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.
|
|
360
|
+
changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.303.0
|
|
360
361
|
post_install_message:
|
|
361
362
|
rdoc_options: []
|
|
362
363
|
require_paths:
|