dependabot-npm_and_yarn 0.91.0 → 0.91.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/dependabot/npm_and_yarn/dependency_files_filterer.rb +80 -0
- data/lib/dependabot/npm_and_yarn/file_updater.rb +27 -8
- data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb +23 -19
- data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb +22 -5
- metadata +5 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3d6bcfcfd51b0a98e5d9c8b40cdbc54ec6d0ebd262761a15457b62cc98a3e0a4
|
|
4
|
+
data.tar.gz: 260920bfe49c0e05543f0c06d0bea03a78374ff6b5e820397f21184520d8681d
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: '0691cf13a0fd9d508f246b4c66d4faf9927cbf0d76d6801dbe2110f02ad08ad35e78d4b300deb163cc780319deb32f98a1a9251c9b5dac911ce9501cfe949976'
|
|
7
|
+
data.tar.gz: 4c4959da35cde273639ce088fa56c0fe8c17fc0f2cafe3330d7f69ac060dc52c4d8fc6a78d67a40e76f701a7725d7065f128d48706c54f7ff59bcb016031b1b9
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "dependabot/utils"
|
|
4
|
+
|
|
5
|
+
module Dependabot
|
|
6
|
+
module NpmAndYarn
|
|
7
|
+
class DependencyFilesFilterer
|
|
8
|
+
def initialize(dependency_files:, dependencies:)
|
|
9
|
+
@dependencies = dependencies
|
|
10
|
+
@dependency_files = dependency_files
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def filtered_files
|
|
14
|
+
dependency_files.select do |file|
|
|
15
|
+
if manifest?(file)
|
|
16
|
+
package_manifests.include?(file)
|
|
17
|
+
elsif lockfile?(file)
|
|
18
|
+
package_manifests.any? do |package_file|
|
|
19
|
+
File.dirname(package_file.name) == File.dirname(file.name)
|
|
20
|
+
end
|
|
21
|
+
else
|
|
22
|
+
# Include all non-manifest/lockfiles
|
|
23
|
+
# e.g. .npmrc, lerna.json
|
|
24
|
+
true
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def filtered_package_files
|
|
30
|
+
filtered_files.select { |f| manifest?(f) }
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def filtered_lockfiles
|
|
34
|
+
filtered_files.select { |f| lockfile?(f) }
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
private
|
|
38
|
+
|
|
39
|
+
attr_reader :dependency_files, :dependencies
|
|
40
|
+
|
|
41
|
+
def dependency_manifest_requirements
|
|
42
|
+
@dependency_manifest_requirements ||=
|
|
43
|
+
dependencies.flat_map do |dep|
|
|
44
|
+
dep.requirements.map { |requirement| requirement[:file] }
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def package_manifests
|
|
49
|
+
@package_manifests ||=
|
|
50
|
+
dependency_files.select do |file|
|
|
51
|
+
next unless manifest?(file)
|
|
52
|
+
|
|
53
|
+
root_manifest?(file) ||
|
|
54
|
+
dependency_manifest_requirements.include?(file.name)
|
|
55
|
+
end
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
def root_manifest?(file)
|
|
59
|
+
file.name == "package.json"
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def manifest?(file)
|
|
63
|
+
file.name.end_with?("package.json")
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
def lockfile?(file)
|
|
67
|
+
file.name.end_with?(
|
|
68
|
+
"package-lock.json",
|
|
69
|
+
"yarn.lock",
|
|
70
|
+
"npm-shrinkwrap.json"
|
|
71
|
+
)
|
|
72
|
+
end
|
|
73
|
+
end
|
|
74
|
+
end
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
Dependabot::Utils.register_version_class(
|
|
78
|
+
"npm_and_yarn",
|
|
79
|
+
Dependabot::NpmAndYarn::DependencyFilesFilterer
|
|
80
|
+
)
|
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
require "dependabot/file_updaters"
|
|
4
4
|
require "dependabot/file_updaters/base"
|
|
5
|
+
require "dependabot/npm_and_yarn/dependency_files_filterer"
|
|
5
6
|
|
|
6
7
|
module Dependabot
|
|
7
8
|
module NpmAndYarn
|
|
@@ -43,7 +44,8 @@ module Dependabot
|
|
|
43
44
|
)
|
|
44
45
|
end
|
|
45
46
|
|
|
46
|
-
|
|
47
|
+
sorted_updated_files = updated_files.sort_by(&:name)
|
|
48
|
+
if sorted_updated_files == filtered_dependency_files.sort_by(&:name)
|
|
47
49
|
raise NoChangeError.new(
|
|
48
50
|
message: "Updated files are unchanged!",
|
|
49
51
|
error_context: error_context(updated_files: updated_files)
|
|
@@ -55,6 +57,14 @@ module Dependabot
|
|
|
55
57
|
|
|
56
58
|
private
|
|
57
59
|
|
|
60
|
+
def filtered_dependency_files
|
|
61
|
+
@filtered_dependency_files ||=
|
|
62
|
+
DependencyFilesFilterer.new(
|
|
63
|
+
dependency_files: dependency_files,
|
|
64
|
+
dependencies: dependencies
|
|
65
|
+
).filtered_files
|
|
66
|
+
end
|
|
67
|
+
|
|
58
68
|
def check_required_files
|
|
59
69
|
raise "No package.json!" unless get_original_file("package.json")
|
|
60
70
|
end
|
|
@@ -69,24 +79,27 @@ module Dependabot
|
|
|
69
79
|
|
|
70
80
|
def package_locks
|
|
71
81
|
@package_locks ||=
|
|
72
|
-
|
|
82
|
+
filtered_dependency_files.
|
|
73
83
|
select { |f| f.name.end_with?("package-lock.json") }
|
|
74
84
|
end
|
|
75
85
|
|
|
76
86
|
def yarn_locks
|
|
77
87
|
@yarn_locks ||=
|
|
78
|
-
|
|
88
|
+
filtered_dependency_files.
|
|
79
89
|
select { |f| f.name.end_with?("yarn.lock") }
|
|
80
90
|
end
|
|
81
91
|
|
|
82
92
|
def shrinkwraps
|
|
83
93
|
@shrinkwraps ||=
|
|
84
|
-
|
|
94
|
+
filtered_dependency_files.
|
|
85
95
|
select { |f| f.name.end_with?("npm-shrinkwrap.json") }
|
|
86
96
|
end
|
|
87
97
|
|
|
88
98
|
def package_files
|
|
89
|
-
|
|
99
|
+
@package_files ||=
|
|
100
|
+
filtered_dependency_files.select do |f|
|
|
101
|
+
f.name.end_with?("package.json")
|
|
102
|
+
end
|
|
90
103
|
end
|
|
91
104
|
|
|
92
105
|
def yarn_lock_changed?(yarn_lock)
|
|
@@ -144,7 +157,9 @@ module Dependabot
|
|
|
144
157
|
end
|
|
145
158
|
|
|
146
159
|
def updated_yarn_lock_content(yarn_lock)
|
|
147
|
-
|
|
160
|
+
@updated_yarn_lock_content ||= {}
|
|
161
|
+
@updated_yarn_lock_content[yarn_lock.name] ||=
|
|
162
|
+
yarn_lockfile_updater.updated_yarn_lock_content(yarn_lock)
|
|
148
163
|
end
|
|
149
164
|
|
|
150
165
|
def yarn_lockfile_updater
|
|
@@ -157,11 +172,15 @@ module Dependabot
|
|
|
157
172
|
end
|
|
158
173
|
|
|
159
174
|
def updated_package_lock_content(package_lock)
|
|
160
|
-
|
|
175
|
+
@updated_package_lock_content ||= {}
|
|
176
|
+
@updated_package_lock_content[package_lock.name] ||=
|
|
177
|
+
npm_lockfile_updater.updated_lockfile_content(package_lock)
|
|
161
178
|
end
|
|
162
179
|
|
|
163
180
|
def updated_shrinkwrap_content(shrinkwrap)
|
|
164
|
-
|
|
181
|
+
@updated_shrinkwrap_content ||= {}
|
|
182
|
+
@updated_shrinkwrap_content[shrinkwrap.name] ||=
|
|
183
|
+
npm_lockfile_updater.updated_lockfile_content(shrinkwrap)
|
|
165
184
|
end
|
|
166
185
|
|
|
167
186
|
def npm_lockfile_updater
|
|
@@ -24,15 +24,18 @@ module Dependabot
|
|
|
24
24
|
def latest_resolvable_version
|
|
25
25
|
raise "Not a subdependency!" if dependency.requirements.any?
|
|
26
26
|
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
updated_content = update_subdependency_in_lockfile(lockfile)
|
|
30
|
-
updated_lockfile = lockfile.dup
|
|
31
|
-
updated_lockfile.content = updated_content
|
|
32
|
-
updated_lockfile
|
|
33
|
-
end
|
|
27
|
+
SharedHelpers.in_a_temporary_directory do
|
|
28
|
+
write_temporary_dependency_files
|
|
34
29
|
|
|
35
|
-
|
|
30
|
+
updated_lockfiles = lockfiles.map do |lockfile|
|
|
31
|
+
updated_content = update_subdependency_in_lockfile(lockfile)
|
|
32
|
+
updated_lockfile = lockfile.dup
|
|
33
|
+
updated_lockfile.content = updated_content
|
|
34
|
+
updated_lockfile
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
version_from_updated_lockfiles(updated_lockfiles)
|
|
38
|
+
end
|
|
36
39
|
rescue SharedHelpers::HelperSubprocessFailed
|
|
37
40
|
# TODO: Move error handling logic from the FileUpdater to this class
|
|
38
41
|
|
|
@@ -46,19 +49,16 @@ module Dependabot
|
|
|
46
49
|
:ignored_versions
|
|
47
50
|
|
|
48
51
|
def update_subdependency_in_lockfile(lockfile)
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
lockfile_name = Pathname.new(lockfile.name).basename.to_s
|
|
52
|
-
path = Pathname.new(lockfile.name).dirname.to_s
|
|
52
|
+
lockfile_name = Pathname.new(lockfile.name).basename.to_s
|
|
53
|
+
path = Pathname.new(lockfile.name).dirname.to_s
|
|
53
54
|
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
55
|
+
updated_files = if lockfile.name.end_with?("yarn.lock")
|
|
56
|
+
run_yarn_updater(path, lockfile_name)
|
|
57
|
+
else
|
|
58
|
+
run_npm_updater(path, lockfile_name)
|
|
59
|
+
end
|
|
59
60
|
|
|
60
|
-
|
|
61
|
-
end
|
|
61
|
+
updated_files.fetch(lockfile_name)
|
|
62
62
|
end
|
|
63
63
|
|
|
64
64
|
def version_from_updated_lockfiles(updated_lockfiles)
|
|
@@ -204,6 +204,10 @@ module Dependabot
|
|
|
204
204
|
select { |f| f.name.end_with?("npm-shrinkwrap.json") }
|
|
205
205
|
end
|
|
206
206
|
|
|
207
|
+
def lockfiles
|
|
208
|
+
[*package_locks, *shrinkwraps, *yarn_locks]
|
|
209
|
+
end
|
|
210
|
+
|
|
207
211
|
def package_files
|
|
208
212
|
@package_files ||=
|
|
209
213
|
dependency_files.
|
|
@@ -6,6 +6,7 @@ require "dependabot/npm_and_yarn/file_parser"
|
|
|
6
6
|
require "dependabot/npm_and_yarn/version"
|
|
7
7
|
require "dependabot/npm_and_yarn/requirement"
|
|
8
8
|
require "dependabot/npm_and_yarn/native_helpers"
|
|
9
|
+
require "dependabot/npm_and_yarn/dependency_files_filterer"
|
|
9
10
|
require "dependabot/shared_helpers"
|
|
10
11
|
require "dependabot/errors"
|
|
11
12
|
require "dependabot/npm_and_yarn/file_updater/npmrc_builder"
|
|
@@ -181,7 +182,7 @@ module Dependabot
|
|
|
181
182
|
SharedHelpers.in_a_temporary_directory do
|
|
182
183
|
write_temporary_dependency_files
|
|
183
184
|
|
|
184
|
-
|
|
185
|
+
filtered_package_files.flat_map do |file|
|
|
185
186
|
path = Pathname.new(file.name).dirname
|
|
186
187
|
run_checker(path: path, version: version)
|
|
187
188
|
rescue SharedHelpers::HelperSubprocessFailed => error
|
|
@@ -316,13 +317,21 @@ module Dependabot
|
|
|
316
317
|
select { |dep| dep[:requiring_dep_name] == dependency.name }
|
|
317
318
|
end
|
|
318
319
|
|
|
320
|
+
def lockfiles_for_path(lockfiles:, path:)
|
|
321
|
+
lockfiles.select do |lockfile|
|
|
322
|
+
File.dirname(lockfile.name) == File.dirname(path)
|
|
323
|
+
end
|
|
324
|
+
end
|
|
325
|
+
|
|
319
326
|
def run_checker(path:, version:)
|
|
320
|
-
|
|
321
|
-
|
|
327
|
+
# If there are both yarn lockfiles and npm lockfiles only run the
|
|
328
|
+
# yarn updater, yarn is also used when only a package.json exists
|
|
329
|
+
if lockfiles_for_path(lockfiles: yarn_locks, path: path).any? ||
|
|
330
|
+
lockfiles_for_path(lockfiles: lockfiles, path: path).none?
|
|
331
|
+
return run_yarn_checker(path: path, version: version)
|
|
322
332
|
end
|
|
323
333
|
|
|
324
|
-
|
|
325
|
-
run_yarn_checker(path: path, version: version) if lockfiles.none?
|
|
334
|
+
run_npm_checker(path: path, version: version)
|
|
326
335
|
end
|
|
327
336
|
|
|
328
337
|
def run_yarn_checker(path:, version:)
|
|
@@ -455,6 +464,14 @@ module Dependabot
|
|
|
455
464
|
select { |f| f.name.end_with?("package.json") }
|
|
456
465
|
end
|
|
457
466
|
|
|
467
|
+
def filtered_package_files
|
|
468
|
+
@filtered_package_files ||=
|
|
469
|
+
DependencyFilesFilterer.new(
|
|
470
|
+
dependency_files: dependency_files,
|
|
471
|
+
dependencies: [dependency]
|
|
472
|
+
).filtered_package_files
|
|
473
|
+
end
|
|
474
|
+
|
|
458
475
|
def yarn_helper_path
|
|
459
476
|
NativeHelpers.yarn_helper_path
|
|
460
477
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dependabot-npm_and_yarn
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.91.
|
|
4
|
+
version: 0.91.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dependabot
|
|
@@ -16,14 +16,14 @@ dependencies:
|
|
|
16
16
|
requirements:
|
|
17
17
|
- - '='
|
|
18
18
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.91.
|
|
19
|
+
version: 0.91.1
|
|
20
20
|
type: :runtime
|
|
21
21
|
prerelease: false
|
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
23
|
requirements:
|
|
24
24
|
- - '='
|
|
25
25
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.91.
|
|
26
|
+
version: 0.91.1
|
|
27
27
|
- !ruby/object:Gem::Dependency
|
|
28
28
|
name: byebug
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -180,6 +180,7 @@ files:
|
|
|
180
180
|
- helpers/yarn/test/updater.test.js
|
|
181
181
|
- helpers/yarn/yarn.lock
|
|
182
182
|
- lib/dependabot/npm_and_yarn.rb
|
|
183
|
+
- lib/dependabot/npm_and_yarn/dependency_files_filterer.rb
|
|
183
184
|
- lib/dependabot/npm_and_yarn/file_fetcher.rb
|
|
184
185
|
- lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb
|
|
185
186
|
- lib/dependabot/npm_and_yarn/file_parser.rb
|
|
@@ -219,7 +220,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
219
220
|
- !ruby/object:Gem::Version
|
|
220
221
|
version: 2.5.0
|
|
221
222
|
requirements: []
|
|
222
|
-
rubygems_version: 3.0.
|
|
223
|
+
rubygems_version: 3.0.2
|
|
223
224
|
signing_key:
|
|
224
225
|
specification_version: 4
|
|
225
226
|
summary: JS support for dependabot-core
|