dependabot-npm_and_yarn 0.366.0 → 0.367.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4b0212799f2a2fa21c0bc9be370dbfb944652e9a34711e846e22608a05561060
-  data.tar.gz: 6a71485492ddf512478859078e298df9c5bf4e58826fe3098867504786c02242
+  metadata.gz: bd642987850077bbb8f9db021a67d28d12aa0d0274f8a544fee343a94b1305cf
+  data.tar.gz: 6cac0fa8ba502e9add46b664963d05f1014244aaf682958dc9f0788b60684077
 SHA512:
-  metadata.gz: 43e6578bbc6940db3460dd2fe91751a1d986cde35fc648de8f408079da32fe94bd074c889fdfac65d7dda40f8575bbcb219681f8449a157226e98b8a96d2905c
-  data.tar.gz: 3798ea8bee4eb841638f9f3a5ceaeaab4603f5635c2387a02bff98cd35c3eb1a6434225dd2dc89c5c0abf1ed59640e257ec6a8cbbd75b15af0874120fe977ff6
+  metadata.gz: 328b4b756719e6865bc4a3f2b5f180b69505827b6ce06764e8c3c8a266b56367bc034cbfca1f1ea916fb53700b21aff58f130f3ccd4795bdd8ab500dda767c0c
+  data.tar.gz: 45857c428d9744dc94744674ebe2951f92f4e07f914c4ad8c7e5dd67fe649e0864e246bb96a6203d443e0d96cdf9ca44f64a902d72bb1d7b32977155501c51e8

data/helpers/.prettierignore

@@ -0,0 +1,2 @@
+dist/
+test/pnpm/fixtures/**/pnpm-lock.yaml

data/helpers/.prettierrc.json

@@ -0,0 +1,3 @@
+{
+  "trailingComma": "es5"
+}

data/helpers/README.md

@@ -1,22 +1,70 @@
-Native JavaScript helpers
--------------------------
+## Native TypeScript helpers
 
-This directory contains helper functions for npm and yarn, natively written in
-Javascript so that we can utilize the package managers internal APIs and other
+This directory contains helper functions for npm, yarn, and pnpm, written in
+TypeScript, so that we can utilize the package managers' internal APIs and other
 native tooling for these ecosystems.
 
-These helpers are called from the Ruby code via `run.js`, they are passed
+These helpers are called from the Ruby code via `run.ts`, they are passed
 arguments via stdin and return JSON data to stdout.
 
-## Testing
+## Development
+
+Install dependencies:
+
+```
+npm install
+```
+
+### Building
+
+The helpers are compiled from TypeScript to JavaScript before being used at
+runtime. To build:
+
+```
+npm run build
+```
+
+The compiled output goes to `dist/`.
+
+### Type checking
+
+Run the TypeScript compiler in check-only mode (no output):
+
+```
+npm run typecheck
+```
+
+### Linting
+
+ESLint is used for code quality checks:
+
+```
+npm run lint
+```
+
+### Formatting
+
+Prettier is used for code formatting. To check for formatting issues:
+
+```
+npm run format
+```
+
+To auto-fix formatting:
+
+```
+npm run format:fix
+```
+
+### Testing
 
 When working on these helpers, it's convenient to write some high level tests in
-JavaScript to make it easier to debug the code.
+TypeScript to make it easier to debug the code.
 
-You can now run the tests from this directory by running:
+Run the tests from this directory:
 
 ```
-yarn test path/to/test.js
+npm test
 ```
 
 ### Debugging

data/helpers/build

@@ -14,7 +14,9 @@ helpers_dir="$(dirname "${BASH_SOURCE[0]}")"
 cp -r \
   "$helpers_dir/lib" \
   "$helpers_dir/test" \
-  "$helpers_dir/run.js" \
+  "$helpers_dir/run.ts" \
+  "$helpers_dir/tsconfig.json" \
+  "$helpers_dir/tsconfig.build.json" \
   "$helpers_dir/eslint.config.js" \
   "$helpers_dir/jest.config.js" \
   "$helpers_dir/package.json" \
@@ -24,3 +26,4 @@ cp -r \
 
 cd "$install_dir"
 npm ci --fetch-timeout=600000 --fetch-retries=5
+npm run build

data/helpers/eslint.config.js

@@ -1,27 +1,37 @@
 const globals = require("globals");
 const { defineConfig } = require("eslint/config");
 const js = require("@eslint/js");
+const tseslint = require("typescript-eslint");
 const eslintConfigPrettier = require("eslint-config-prettier/flat");
 
-// Rules not included before upgrading to ESLint 9. Can be enabled later
-const temporaryDisabledRules = {
+module.exports = defineConfig([
+  js.configs.recommended,
+  tseslint.configs.recommended,
+  {
+    languageOptions: {
+      globals: {
+        ...globals.node,
+        ...globals.jest,
+      },
+    },
+  },
+  {
     rules: {
-        "no-unused-vars": "off",
-        "no-extra-boolean-cast": "off",
-        "no-undef": "off"
+      "@typescript-eslint/no-unused-vars": [
+        "error",
+        { argsIgnorePattern: "^_", destructuredArrayIgnorePattern: "^_" },
+      ],
+      "@typescript-eslint/consistent-type-imports": "error",
     },
-}
-
-module.exports = defineConfig([
-    js.configs.recommended,
-    {
-        languageOptions: {
-            globals: {
-                ...globals.node,
-                ...globals.jest
-            }
-        },
+  },
+  eslintConfigPrettier,
+  {
+    files: ["**/*.js"],
+    rules: {
+      "@typescript-eslint/no-require-imports": "off",
     },
-    temporaryDisabledRules,
-    eslintConfigPrettier
-])
+  },
+  {
+    ignores: ["dist/**"],
+  },
+]);

data/helpers/jest.config.js

@@ -2,4 +2,11 @@ module.exports = {
   verbose: true,
   rootDir: "test",
   testEnvironment: "node",
+  transform: {
+    "^.+\\.ts$": "ts-jest",
+  },
+  moduleFileExtensions: ["ts", "js", "json"],
+  moduleNameMapper: {
+    "^(\\.{1,2}/.*)\\.js$": "$1",
+  },
 };

data/helpers/lib/npm/conflicting-dependency-parser.ts

@@ -0,0 +1,94 @@
+/* Conflicting dependency parser for npm
+ *
+ * Inputs:
+ *  - directory containing a package.json and a yarn.lock
+ *  - dependency name
+ *  - target dependency version
+ *
+ * Outputs:
+ *  - An array of objects with conflicting dependencies
+ */
+
+import Arborist from "@npmcli/arborist";
+import semver from "semver";
+
+interface ConflictingDependency {
+  explanation: string;
+  name: string;
+  version: string;
+  requirement: string;
+}
+
+export async function findConflictingDependencies(
+  directory: string,
+  depName: string,
+  targetVersion: string
+): Promise<ConflictingDependency[]> {
+  const arb = new Arborist({
+    path: directory,
+    dryRun: true,
+    ignoreScripts: true,
+  });
+
+  return await arb.loadVirtual().then((tree) => {
+    const parents: ConflictingDependency[] = [];
+    for (const node of tree.inventory.query("name", depName)) {
+      for (const edge of node.edgesIn) {
+        if (!semver.satisfies(targetVersion, edge.spec)) {
+          findTopLevelEdges(edge).forEach((topLevel) => {
+            const explanation = buildExplanation(node, edge, topLevel);
+
+            parents.push({
+              explanation: explanation,
+              name: edge.from!.name,
+              version: edge.from!.version,
+              requirement: edge.spec,
+            });
+          });
+        }
+      }
+    }
+
+    return parents;
+  });
+}
+
+function buildExplanation(
+  node: Arborist.Node,
+  directEdge: Arborist.Edge,
+  topLevelEdge: Arborist.Edge
+): string {
+  if (directEdge.from === topLevelEdge.to) {
+    // The nodes parent is top-level
+    return `${directEdge.from!.name}@${directEdge.from!.version} requires ${directEdge.to!.name}@${directEdge.spec}`;
+  } else if (topLevelEdge.to!.edgesOut.has(directEdge.from!.name)) {
+    // The nodes parent is a direct dependency of the top-level dependency
+    return (
+      `${topLevelEdge.to!.name}@${topLevelEdge.to!.version} requires ${directEdge.to!.name}@${directEdge.spec} ` +
+      `via ${directEdge.from!.name}@${directEdge.from!.version}`
+    );
+  } else {
+    // The nodes parent is a transitive dependency of the top-level dependency
+    return (
+      `${topLevelEdge.to!.name}@${topLevelEdge.to!.version} requires ${directEdge.to!.name}@${directEdge.spec} ` +
+      `via a transitive dependency on ${directEdge.from!.name}@${directEdge.from!.version}`
+    );
+  }
+}
+
+function findTopLevelEdges(
+  edge: Arborist.Edge,
+  parents: Arborist.Edge[] = []
+): Arborist.Edge[] {
+  edge.from!.edgesIn.forEach((parent) => {
+    if (parent.from!.edgesIn.size === 0) {
+      if (!parents.includes(parent)) {
+        parents.push(parent);
+      }
+    } else {
+      findTopLevelEdges(parent, parents);
+    }
+  });
+
+  return parents;
+}

data/helpers/lib/npm/index.ts

@@ -0,0 +1,7 @@
+import { findConflictingDependencies } from "./conflicting-dependency-parser.js";
+import { findVulnerableDependencies } from "./vulnerability-auditor.js";
+
+export {
+  findConflictingDependencies,
+  findVulnerableDependencies as vulnerabilityAuditor,
+};