dependabot-npm_and_yarn 0.380.0 → 0.381.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 631095163bb149d67b2b6a84d04641a88beffea7ddbd04361548c52baeaafc75
-  data.tar.gz: fb76bf1bd8bd9773e2bac5b6362edfc096cbb998b335c86a4eb688970f039adf
+  metadata.gz: a70ee3c0913d6a9622b867d20d898019ad3453701dd1a18e1c01b62887d52351
+  data.tar.gz: 80f0ce022e8e6a30f4f72bb7928f0a865abbe05f8868b873d3a84077ab139e02
 SHA512:
-  metadata.gz: 2346f503da3529d8fb8b747cd6a1d1c9c45b51c745dd2639dab3993f892d554d529800f85171939afb1397d61f76d5ce03befb7ad81f34126f976ea9e6cb0d19
-  data.tar.gz: 2076235475c42202704ab180b1fa1c31f8c77c44f02448653f89987e880af0b2be2fa6c8f6a7c06e4a9ca47c72fcd31ea4d5d48a7ebe74e41ec40b49661b18a4
+  metadata.gz: c56af922ead64141beb7c8fefea2b706d84e90007fd33620f9892fb80d11fcc6e9eb239fa0d0220d0d93b92177de0c780048ccb17dd9ef4ae2409886beb7cda8
+  data.tar.gz: f3d511e27a4e5ca500c869e0de11729544f4323ea4776c275df99f750b947936b17dad15166571d5515c0e5d524b57eb5c7079876923cebb019a5bf288690612

data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb

@@ -21,7 +21,7 @@ module Dependabot
         sig { returns(T::Hash[String, T.untyped]) }
         def parsed
           json_obj = JSON.parse(T.must(@dependency_file.content))
-          @parsed ||= T.let(json_obj, T.untyped)
+          @parsed ||= T.let(json_obj, T.nilable(T::Hash[String, T.untyped]))
         rescue JSON::ParserError
           raise Dependabot::DependencyFileNotParseable, @dependency_file.path
         end

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -30,15 +30,23 @@ module Dependabot
             dependencies: T::Array[Dependabot::Dependency],
             dependency_files: T::Array[Dependabot::DependencyFile],
             repo_contents_path: T.nilable(String),
-            credentials: T::Array[Dependabot::Credential]
+            credentials: T::Array[Dependabot::Credential],
+            security_updates_only: T::Boolean
           )
             .void
         end
-        def initialize(dependencies:, dependency_files:, repo_contents_path:, credentials:)
+        def initialize(
+          dependencies:,
+          dependency_files:,
+          repo_contents_path:,
+          credentials:,
+          security_updates_only: false
+        )
           @dependencies = dependencies
           @dependency_files = dependency_files
           @repo_contents_path = repo_contents_path
           @credentials = credentials
+          @security_updates_only = T.let(security_updates_only, T::Boolean)
           @error_handler = T.let(
             YarnErrorHandler.new(
               dependencies: dependencies,
@@ -222,7 +230,7 @@ module Dependabot
           # the lockfile.
 
           if top_level_dependency_updates.all? { |dep| requirements_changed?(dep[:name]) }
-            Helpers.run_yarn_command("install #{yarn_berry_args}".strip)
+            Helpers.run_yarn_command("install #{yarn_berry_args}".strip, env: yarn_time_gate_env)
 
             # Yarn berry resolves ranges to the latest matching version, which
             # may differ from Dependabot's target. If the lockfile resolved to a
@@ -237,7 +245,8 @@ module Dependabot
 
             Helpers.run_yarn_command(
               "up -R #{updates.join(' ')} #{yarn_berry_args}".strip,
-              fingerprint: "up -R <dependency_names> #{yarn_berry_args}".strip
+              fingerprint: "up -R <dependency_names> #{yarn_berry_args}".strip,
+              env: yarn_time_gate_env
             )
           end
           { yarn_lock.name => File.read(yarn_lock.name) }
@@ -291,7 +300,8 @@ module Dependabot
 
           Helpers.run_yarn_command(
             "up #{dep_name}@#{version} #{yarn_berry_args}".strip,
-            fingerprint: "up <dep>@<version> #{yarn_berry_args}".strip
+            fingerprint: "up <dep>@<version> #{yarn_berry_args}".strip,
+            env: yarn_time_gate_env
           )
 
           reqs.each do |req|
@@ -304,7 +314,7 @@ module Dependabot
           # Restore package.json and re-install to normalize lockfile descriptors,
           # same as yarn classic's replaceLockfileDeclaration flow.
           restore_package_jsons(saved_package_jsons)
-          Helpers.run_yarn_command("install #{yarn_berry_args}".strip)
+          Helpers.run_yarn_command("install #{yarn_berry_args}".strip, env: yarn_time_gate_env)
         end
 
         sig { returns(T::Hash[String, String]) }
@@ -353,6 +363,24 @@ module Dependabot
           { yarn_lock.name => updated_content }
         end
 
+        sig { returns(T::Boolean) }
+        def security_updates_only?
+          @security_updates_only
+        end
+
+        # Returns an env hash that disables Yarn Berry's npmMinimalAgeGate for security updates.
+        # npmMinimalAgeGate was introduced in Yarn 4.10.0. Setting the corresponding
+        # YARN_NPM_MINIMAL_AGE_GATE env var on older Yarn Berry releases (or Yarn classic) raises
+        # "Unrecognized or legacy configuration settings found: npmMinimalAgeGate" and aborts the
+        # install, so we gate on a version check.
+        sig { returns(T.nilable(T::Hash[String, String])) }
+        def yarn_time_gate_env
+          return nil unless security_updates_only?
+          return nil unless Helpers.yarn_berry_supports_minimal_age_gate?
+
+          { "YARN_NPM_MINIMAL_AGE_GATE" => "0" }
+        end
+
         sig { returns(String) }
         def yarn_berry_args
           @yarn_berry_args ||= T.let(
@@ -535,13 +563,15 @@ module Dependabot
         def write_temporary_dependency_files(yarn_lock, update_package_json: true)
           write_lockfiles
 
-          if Helpers.yarn_berry?(yarn_lock) && yarnrc_yml_file
-            yarnrc_yml_sanitize_content = sanitize_yarnrc_content(yarnrc_yml_content)
-            File.write(".yarnrc.yml", yarnrc_yml_sanitize_content)
-          else
-            File.write(".npmrc", npmrc_content)
-            File.write(".yarnrc", yarnrc_content) if yarnrc_specifies_private_reg?
+          if Helpers.yarn_berry?(yarn_lock)
+            if yarnrc_yml_file
+              yarnrc_yml_sanitize_content = sanitize_yarnrc_content(yarnrc_yml_content)
+              File.write(".yarnrc.yml", yarnrc_yml_sanitize_content)
+            end
+          elsif yarnrc_specifies_private_reg?
+            File.write(".yarnrc", yarnrc_content)
           end
+          File.write(".npmrc", npmrc_content)
 
           package_files.each do |file|
             path = file.name

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -5,6 +5,7 @@ require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/file_updaters/vendor_updater"
 require "dependabot/file_updaters/artifact_updater"
+require "dependabot/errors"
 require "dependabot/npm_and_yarn/dependency_files_filterer"
 require "dependabot/npm_and_yarn/sub_dependency_files_filterer"
 require "sorbet-runtime"
@@ -22,6 +23,7 @@ module Dependabot
 
       class NoChangeError < StandardError
         extend T::Sig
+        include Dependabot::HasSentryContext
 
         sig { params(message: String, error_context: T::Hash[Symbol, T.untyped]).void }
         def initialize(message:, error_context:)
@@ -29,7 +31,7 @@ module Dependabot
           @error_context = error_context
         end
 
-        sig { returns(T::Hash[Symbol, T.untyped]) }
+        sig { override.returns(T::Hash[Symbol, T.untyped]) }
         def sentry_context
           { extra: @error_context }
         end
@@ -440,7 +442,8 @@ module Dependabot
             dependencies: dependencies,
             dependency_files: dependency_files,
             repo_contents_path: repo_contents_path,
-            credentials: credentials
+            credentials: credentials,
+            security_updates_only: options.fetch(:security_updates_only, false)
           ),
           T.nilable(Dependabot::NpmAndYarn::FileUpdater::YarnLockfileUpdater)
         )

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -248,6 +248,31 @@ module Dependabot
         yarn_major_version >= 4
       end
 
+      sig { returns(T::Boolean) }
+      def self.yarn_berry_supports_minimal_age_gate?
+        version = Version.new(run_single_yarn_command("--version"))
+        supported = version >= Version.new("4.10.0")
+        if supported
+          Dependabot.logger.info(
+            "Yarn #{version} supports npmMinimalAgeGate. " \
+            "Setting YARN_NPM_MINIMAL_AGE_GATE=0 to bypass the release-age gate for security updates."
+          )
+        else
+          Dependabot.logger.info(
+            "Yarn #{version} does not support npmMinimalAgeGate (requires 4.10.0+). " \
+            "YARN_NPM_MINIMAL_AGE_GATE will not be set."
+          )
+        end
+        supported
+      rescue StandardError => e
+        Dependabot.logger.warn(
+          "Could not determine Yarn version to check npmMinimalAgeGate support: #{e.message}. " \
+          "Assuming unsupported (returning false). YARN_NPM_MINIMAL_AGE_GATE will not be set, " \
+          "so the registry's release-age gate may still block security updates."
+        )
+        false
+      end
+
       sig { returns(T.nilable(String)) }
       def self.setup_yarn_berry
         # Always disable immutable installs so yarn's CI detection doesn't prevent updates.
@@ -362,10 +387,16 @@ module Dependabot
       end
 
       # Setup yarn and run a single yarn command returning stdout/stderr
-      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
-      def self.run_yarn_command(command, fingerprint: nil)
+      sig do
+        params(
+          command: String,
+          fingerprint: T.nilable(String),
+          env: T.nilable(T::Hash[String, String])
+        ).returns(String)
+      end
+      def self.run_yarn_command(command, fingerprint: nil, env: nil)
         setup_yarn_berry
-        run_single_yarn_command(command, fingerprint: fingerprint)
+        run_single_yarn_command(command, fingerprint: fingerprint, env: env)
       end
 
       # Run single pnpm command returning stdout/stderr
@@ -382,14 +413,21 @@ module Dependabot
       end
 
       # Run single yarn command returning stdout/stderr
-      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
-      def self.run_single_yarn_command(command, fingerprint: nil)
+      sig do
+        params(
+          command: String,
+          fingerprint: T.nilable(String),
+          env: T.nilable(T::Hash[String, String])
+        ).returns(String)
+      end
+      def self.run_single_yarn_command(command, fingerprint: nil, env: nil)
         if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
-          package_manager_run_command(YarnPackageManager::NAME, command, fingerprint: fingerprint)
+          package_manager_run_command(YarnPackageManager::NAME, command, fingerprint: fingerprint, env: env)
         else
           Dependabot::SharedHelpers.run_shell_command(
             "yarn #{command}",
-            fingerprint: "yarn #{fingerprint || command}"
+            fingerprint: "yarn #{fingerprint || command}",
+            env: env
           )
         end
       end

data/lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb

@@ -259,14 +259,20 @@ module Dependabot
         sig { params(_block: T.untyped).returns(T.nilable(Dependabot::Version)) }
         def with_custom_registry_rescue(&_block)
           yield
-        rescue Excon::Error::Socket, Excon::Error::Timeout, RegistryError
-          raise unless package_fetcher.custom_registry?
+        rescue Excon::Error::Socket, Excon::Error::Timeout, RegistryError => e
+          raise unless package_fetcher.custom_registry? || eof_socket_error?(e)
 
-          # Custom registries can be flaky. We don't want to make that
-          # our problem, so quietly return `nil` here.
+          # Custom registries can be flaky, and the global npm registry can
+          # occasionally terminate connections (EOFError). Don't abort the update
+          # flow for these transient failures; quietly return `nil` here.
           nil
         end
 
+        sig { params(error: StandardError).returns(T::Boolean) }
+        def eof_socket_error?(error)
+          error.is_a?(Excon::Error::Socket) && error.socket_error.is_a?(EOFError)
+        end
+
         sig { returns(T::Boolean) }
         def valid_npm_details?
           !!package_details&.releases&.any?

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.380.0
+  version: 0.381.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.380.0
+        version: 0.381.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.380.0
+        version: 0.381.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -374,7 +374,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.380.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.381.0
 rdoc_options: []
 require_paths:
 - lib