dependabot-npm_and_yarn 0.95.72 → 0.95.73
- checksums.yaml +4 -4
- data/helpers/npm/lib/updater.js +30 -14
- data/helpers/yarn/lib/updater.js +26 -50
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 19ed4fc405b5bf30bd418ddab7c68658ac38e8407ed4c6da1645a41f9d23c9b0
|
4
|
+
data.tar.gz: 5fe85ce1ba8f8a746eca22cc668527a5f68505eee7aa59cfe48a739feb69c21f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: daa58fff0cd75c4e3a10de46b7b1da58c7e81beba5cdbe7a7526c622db51d63774cf3fc237299926041805f41284c3daa42264e0c942291d0c579389499171d3
|
7
|
+
data.tar.gz: 000eaf2d256fb04d6f54188b91809856d0f9b79ecec976827e0477cc7c815b85c0fa772f7a7ab0da1b298efeb90717ce29db03a7ca954fa07fd3b3de5c022429
|
data/helpers/npm/lib/updater.js
CHANGED
@@ -39,15 +39,17 @@ async function updateDependencyFiles(directory, dependencies, lockfileName) {
|
|
39
39
|
"prefer-offline": true
|
40
40
|
}
|
41
41
|
]);
|
42
|
-
const
|
42
|
+
const manifest = JSON.parse(readFile("package.json"));
|
43
43
|
|
44
44
|
const dryRun = true;
|
45
|
+
const flattenedDependencies = flattenAllDependencies(manifest);
|
45
46
|
const args = dependencies.map(dependency => {
|
47
|
+
const existingVersionRequirement = flattenedDependencies[dependency.name];
|
46
48
|
return installArgs(
|
47
49
|
dependency.name,
|
48
50
|
dependency.version,
|
49
51
|
dependency.requirements,
|
50
|
-
|
52
|
+
existingVersionRequirement
|
51
53
|
);
|
52
54
|
});
|
53
55
|
const initialInstaller = new installer.Installer(directory, dryRun, args, {
|
@@ -89,31 +91,45 @@ async function updateDependencyFiles(directory, dependencies, lockfileName) {
|
|
89
91
|
return { [lockfileName]: updatedLockfile };
|
90
92
|
}
|
91
93
|
|
92
|
-
function flattenAllDependencies(
|
94
|
+
function flattenAllDependencies(manifest) {
|
93
95
|
return Object.assign(
|
94
96
|
{},
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
97
|
+
manifest.optionalDependencies,
|
98
|
+
manifest.peerDependencies,
|
99
|
+
manifest.devDependencies,
|
100
|
+
manifest.dependencies
|
99
101
|
);
|
100
102
|
}
|
101
103
|
|
102
|
-
function installArgs(
|
104
|
+
function installArgs(
|
105
|
+
depName,
|
106
|
+
desiredVersion,
|
107
|
+
requirements,
|
108
|
+
existingVersionRequirement
|
109
|
+
) {
|
103
110
|
const source = (requirements.find(req => req.source) || {}).source;
|
104
111
|
|
105
112
|
if (source && source.type === "git") {
|
106
|
-
|
107
|
-
|
108
|
-
if (!originalVersion) {
|
109
|
-
originalVersion = source.url;
|
113
|
+
if (!existingVersionRequirement) {
|
114
|
+
existingVersionRequirement = source.url;
|
110
115
|
}
|
111
116
|
|
112
|
-
|
117
|
+
// Git is configured to auth over https while updating
|
118
|
+
existingVersionRequirement = existingVersionRequirement.replace(
|
113
119
|
/git\+ssh:\/\/git@(.*?)[:/]/,
|
114
120
|
"git+https://$1/"
|
115
121
|
);
|
116
|
-
|
122
|
+
|
123
|
+
// Keep any semver range that has already been updated in the package
|
124
|
+
// requirement when installing the new version
|
125
|
+
if (existingVersionRequirement.match(desiredVersion)) {
|
126
|
+
return `${depName}@${existingVersionRequirement}`;
|
127
|
+
} else {
|
128
|
+
return `${depName}@${existingVersionRequirement.replace(
|
129
|
+
/#.*/,
|
130
|
+
""
|
131
|
+
)}#${desiredVersion}`;
|
132
|
+
}
|
117
133
|
} else {
|
118
134
|
return `${depName}@${desiredVersion}`;
|
119
135
|
}
|
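Review bot: `existingVersionRequirement.match(desiredVersion)` on new line 125 of installArgs compiles `desiredVersion` into a RegExp, so `.` matches any character and a value such as `1.0.0+build` or `^1.2.3` is treated as a pattern rather than text; the intent reads as a plain substring test, `if (existingVersionRequirement.includes(desiredVersion)) {`. The same construct appears in yarn's installArgsWithVersion (new line 126 of data/helpers/yarn/lib/updater.js). Separately, `flattenedDependencies[dependency.name]` on new line 47 reads through the `{}` prototype, so a dependency name that collides with an `Object.prototype` member and is absent from the manifest yields a function instead of `undefined`, and the later `.replace` call would throw; guarding with `Object.prototype.hasOwnProperty.call(flattenedDependencies, dependency.name)` avoids that (the yarn lookup on its new line 190 has the same shape). installArgs's closing brace lies outside the hunk.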
data/helpers/yarn/lib/updater.js
CHANGED
@@ -25,7 +25,6 @@ const Lockfile = require("@dependabot/yarn-lib/lib/lockfile").default;
|
|
25
25
|
const parse = require("@dependabot/yarn-lib/lib/lockfile/parse").default;
|
26
26
|
const fixDuplicates = require("./fix-duplicates");
|
27
27
|
const replaceDeclaration = require("./replace-lockfile-declaration");
|
28
|
-
const urlParse = require("url").parse;
|
29
28
|
|
30
29
|
// Add is a subclass of the Install CLI command, which is responsible for
|
31
30
|
// adding packages to a package.json and yarn.lock. Upgrading a package is
|
@@ -66,8 +65,7 @@ class LightweightInstall extends Install {
|
|
66
65
|
}
|
67
66
|
}
|
68
67
|
|
69
|
-
|
70
|
-
const manifest = await config.readRootManifest();
|
68
|
+
function flattenAllDependencies(manifest) {
|
71
69
|
return Object.assign(
|
72
70
|
{},
|
73
71
|
manifest.optionalDependencies,
|
@@ -104,57 +102,36 @@ function optionalRequirement(requirements) {
|
|
104
102
|
);
|
105
103
|
}
|
106
104
|
|
107
|
-
const GIT_HOSTS = [
|
108
|
-
"github.com",
|
109
|
-
"gitlab.com",
|
110
|
-
"bitbucket.com",
|
111
|
-
"bitbucket.org"
|
112
|
-
];
|
113
|
-
|
114
|
-
function getGitShorthand(depName, url, lockfileJson) {
|
115
|
-
const { hostname, path } = urlParse(url);
|
116
|
-
const isSupportedHost = hostname && path && GIT_HOSTS.indexOf(hostname) >= 0;
|
117
|
-
if (!isSupportedHost) return;
|
118
|
-
|
119
|
-
const hostShorthand = hostname.replace(/\.[a-z]{3}$/, "");
|
120
|
-
const repoShorthand = path.replace(/^\//, "");
|
121
|
-
|
122
|
-
return [repoShorthand, `${hostShorthand}:${repoShorthand}`].find(
|
123
|
-
shorthand => {
|
124
|
-
return Object.keys(lockfileJson).some(name => {
|
125
|
-
return name.startsWith(`${depName}@${shorthand}`);
|
126
|
-
});
|
127
|
-
}
|
128
|
-
);
|
129
|
-
}
|
130
|
-
|
131
105
|
function installArgsWithVersion(
|
132
106
|
depName,
|
133
107
|
desiredVersion,
|
134
108
|
requirements,
|
135
|
-
|
109
|
+
existingVersionRequirement
|
136
110
|
) {
|
137
111
|
const source = requirements.source;
|
138
112
|
|
139
|
-
// TODO: Use logic from npm updater to find original version instead of doing
|
140
|
-
// all this mad git shorthand logic
|
141
|
-
// e.g. const originalVersion = flattenAllDependencies(oldPackage)[depName];
|
142
113
|
if (source && source.type === "git") {
|
143
|
-
|
144
|
-
|
145
|
-
|
146
|
-
|
147
|
-
//
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
152
|
-
|
153
|
-
|
154
|
-
|
155
|
-
|
114
|
+
if (!existingVersionRequirement) {
|
115
|
+
existingVersionRequirement = source.url;
|
116
|
+
}
|
117
|
+
|
118
|
+
// Git is configured to auth over https while updating
|
119
|
+
existingVersionRequirement = existingVersionRequirement.replace(
|
120
|
+
/git\+ssh:\/\/git@(.*?)[:/]/,
|
121
|
+
"git+https://$1/"
|
122
|
+
);
|
123
|
+
|
124
|
+
// Keep any semver range that has already been updated in the package
|
125
|
+
// requirement when installing the new version
|
126
|
+
if (existingVersionRequirement.match(desiredVersion)) {
|
127
|
+
return [`${depName}@${existingVersionRequirement}`];
|
156
128
|
} else {
|
157
|
-
return [
|
129
|
+
return [
|
130
|
+
`${depName}@${existingVersionRequirement.replace(
|
131
|
+
/#.*/,
|
132
|
+
""
|
133
|
+
)}#${desiredVersion}`
|
134
|
+
];
|
158
135
|
}
|
159
136
|
} else {
|
160
137
|
return [`${depName}@${desiredVersion}`];
|
@@ -209,12 +186,14 @@ async function updateDependencyFile(
|
|
209
186
|
|
210
187
|
// Just as if we'd run `yarn add package@version`, but using our lightweight
|
211
188
|
// implementation of Add that doesn't actually download and install packages
|
212
|
-
const
|
189
|
+
const manifest = await config.readRootManifest();
|
190
|
+
const existingVersionRequirement = flattenAllDependencies(manifest)[depName];
|
191
|
+
|
213
192
|
const args = installArgsWithVersion(
|
214
193
|
depName,
|
215
194
|
desiredVersion,
|
216
195
|
requirements,
|
217
|
-
|
196
|
+
existingVersionRequirement
|
218
197
|
);
|
219
198
|
|
220
199
|
const add = new LightweightAdd(args, flags, config, reporter, lockfile);
|
@@ -226,9 +205,6 @@ async function updateDependencyFile(
|
|
226
205
|
|
227
206
|
const newVersionRequirement = requirements.requirement;
|
228
207
|
|
229
|
-
const flattenedDependencies = await flattenAllDependencies(config);
|
230
|
-
const existingVersionRequirement = flattenedDependencies[depName];
|
231
|
-
|
232
208
|
// Replace the version requirement in the lockfile (which will currently be an
|
233
209
|
// exact version, not a requirement range)
|
234
210
|
// If we don't have new requirement (e.g. git source) use the existing version
|
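Review bot: The git-source branch added to installArgsWithVersion (new lines 114-134) is a line-for-line copy of npm's installArgs (new lines 113-132 of data/helpers/npm/lib/updater.js) apart from the array wrapper on the return value, including the `git+ssh` to `git+https` rewrite and the `#` suffix replacement. Two copies invite drift when one gets a fix the other does not; a shared module returning the `name@spec` string, with the yarn side wrapping it in `[ ]`, would remove the duplication. The new code replaces the deleted getGitShorthand lookup with the manifest value and relies on `existingVersionRequirement` being a string, which holds for ordinary manifests but is worth stating with a comment such as `// existingVersionRequirement: the package.json requirement string, or undefined when the dep is not declared`. installArgsWithVersion's closing brace lies outside the hunk.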
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.95.
|
4
|
+
version: 0.95.73
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.95.
|
19
|
+
version: 0.95.73
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.95.
|
26
|
+
version: 0.95.73
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: byebug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|