dependabot-npm_and_yarn 0.98.32 → 0.98.33

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6655cb532c302e030c5ec06c40e4569033f100ace191c95db7d85f285577c3c5
-  data.tar.gz: fa4fd1fb4289e2407655c2ce94d263c43770077e81ae3684900e078ff22efaba
+  metadata.gz: 6e6327a5956505106a441156cb9848c3e4ebaab9f3231e74293cb5aa3dc59089
+  data.tar.gz: fff9e97f74fbfdba88a58dd0343f51b0ae290b881fe5e6320fbd6130f3cdf206
 SHA512:
-  metadata.gz: 46787e598b4b0aec3ef9b08bd95fafcd269a70e06c1ec2cfa2f6efe7028d651b55a93a71a844de2b292f7d9182eef46f966c2ba0038df34595b9d3468474e05f
-  data.tar.gz: d87a529b8f15deb3f740d4aa6667d06a985b0cb2243de9a34378d6dc85328d421c547c51b2184745ef8f22f7f2f997dfef76e110598997eb663d22ed719f675f
+  metadata.gz: daaecb855d18ffdf7ef03bdf0184b8f29b7d5a36f2d34effee5d9ada80a173d27a4771dae4571ca79b194737539f67538186fb3d3a05d9983a413cdebb46d934
+  data.tar.gz: 130f940d6ab13bc6fdddb0afad03bdd14c3b11782a6c3543ab128cdfb63460470378dceee25d9784904fe396d8acae93ba24514eef9c290e01bcb53748456832

data/helpers/lib/yarn/helpers.js

@@ -1,5 +1,47 @@
+const { Add } = require("@dependabot/yarn-lib/lib/cli/commands/add");
+const { Install } = require("@dependabot/yarn-lib/lib/cli/commands/install");
+
 function isString(value) {
   return Object.prototype.toString.call(value) === "[object String]";
 }
 
-module.exports = { isString };
+// Add is a subclass of the Install CLI command, which is responsible for
+// adding packages to a package.json and yarn.lock. Upgrading a package is
+// exactly the same as adding, except the package already exists in the
+// manifests.
+//
+// Usually, calling Add.init() would execute a series of steps: resolve, fetch,
+// link, run lifecycle scripts, cleanup, then save new manifest (package.json).
+// We only care about the first and last steps: resolve, then save the new
+// manifest. Fotunately, overriding bailout() gives us an opportunity to skip
+// over the intermediate steps in a relatively painless fashion.
+class LightweightAdd extends Add {
+  // This method is called by init() at the end of the resolve step, and is
+  // responsible for checking if any dependnecies need to be updated locally.
+  // If everything is up to date, it'll save a new lockfile and return true,
+  // which causes init() to skip over the next few steps (fetching and
+  // installing packages). If there are packages that need updating, it'll
+  // return false, and init() will continue on to the fetching and installing
+  // steps.
+  //
+  // Add overrides Install's implementation to always return false - meaning
+  // that it will always continue to the fetch and install steps. We want to
+  // do the opposite - just save the new lockfile and stop there.
+  async bailout(patterns, workspaceLayout) {
+    // This is the only part of the original bailout implementation that
+    // matters: saving the new lockfile
+    await this.saveLockfileAndIntegrity(patterns, workspaceLayout);
+
+    // Skip over the unnecessary steps - fetching and linking packages, etc.
+    return true;
+  }
+}
+
+class LightweightInstall extends Install {
+  async bailout(patterns, workspaceLayout) {
+    await this.saveLockfileAndIntegrity(patterns, workspaceLayout);
+    return true;
+  }
+}
+
+module.exports = { isString, LightweightAdd, LightweightInstall };

data/helpers/lib/yarn/subdependency-updater.js

@@ -1,28 +1,14 @@
-/* DEPENDENCY FILE UPDATER
- *
- * Inputs:
- *  - directory containing a package.json and a yarn.lock
- *  - dependency name
- *
- * Outputs:
- *  - yarn.lock file
- *
- * Update the sub-dependency versions for this dependency to that latest
- * possible versions, without unlocking any other dependencies
- */
 const fs = require("fs");
+const os = require("os");
 const path = require("path");
-const { Install } = require("@dependabot/yarn-lib/lib/cli/commands/install");
 const Config = require("@dependabot/yarn-lib/lib/config").default;
 const { EventReporter } = require("@dependabot/yarn-lib/lib/reporters");
 const Lockfile = require("@dependabot/yarn-lib/lib/lockfile").default;
-
-class LightweightInstall extends Install {
-  async bailout(patterns, workspaceLayout) {
-    await this.saveLockfileAndIntegrity(patterns, workspaceLayout);
-    return true;
-  }
-}
+const fixDuplicates = require("./fix-duplicates");
+const { LightweightAdd, LightweightInstall } = require("./helpers");
+const { parse } = require("./lockfile-parser");
+const stringify = require("@dependabot/yarn-lib/lib/lockfile/stringify")
+  .default;
 
 // Replace the version comments in the new lockfile with the ones from the old
 // lockfile. If they weren't present in the old lockfile, delete them.
@@ -35,7 +21,42 @@ function recoverVersionComments(oldLockfile, newLockfile) {
     .replace(nodeRegex, () => oldMatch(nodeRegex) || "");
 }
 
-async function updateDependencyFile(directory, lockfileName) {
+// Installs exact version and returns lockfile entry
+async function getLockfileEntryForUpdate(depName, depVersion) {
+  const directory = fs.mkdtempSync(`${os.tmpdir()}${path.sep}`);
+  const readFile = fileName =>
+    fs.readFileSync(path.join(directory, fileName)).toString();
+
+  const flags = {
+    ignoreScripts: true,
+    ignoreWorkspaceRootCheck: true,
+    ignoreEngines: true
+  };
+  const reporter = new EventReporter();
+  const config = new Config(reporter);
+  await config.init({
+    cwd: directory,
+    nonInteractive: true,
+    enableDefaultRc: true
+  });
+
+  // Empty lockfile
+  const lockfile = await Lockfile.fromDirectory(directory, reporter);
+
+  const arg = [`${depName}@${depVersion}`];
+  await new LightweightAdd(arg, flags, config, reporter, lockfile).init();
+
+  const lockfileObject = await parse(directory);
+  const noHeader = true;
+  const enableLockfileVersions = false;
+  return stringify(lockfileObject, noHeader, enableLockfileVersions);
+}
+
+async function updateDependencyFile(
+  directory,
+  lockfileName,
+  updatedDependency
+) {
   const readFile = fileName =>
     fs.readFileSync(path.join(directory, fileName)).toString();
   const originalYarnLock = readFile(lockfileName);
@@ -53,16 +74,35 @@ async function updateDependencyFile(directory, lockfileName) {
     enableDefaultRc: true
   });
   config.enableLockfileVersions = Boolean(originalYarnLock.match(/^# yarn v/m));
+  const depName = updatedDependency && updatedDependency.name;
+  const depVersion = updatedDependency && updatedDependency.version;
+
+  // SubDependencyVersionResolver relies on the install finding the latest
+  // version of a sub-dependency that's been removed from the lockfile
+  // YarnLockFileUpdater passes a specific version to be updated
+  if (depName && depVersion) {
+    const lockfileEntryForUpdate = await getLockfileEntryForUpdate(
+      depName,
+      depVersion
+    );
+    const lockfileContent = `${originalYarnLock}\n${lockfileEntryForUpdate}`;
+
+    const dedupedYarnLock = fixDuplicates(lockfileContent, depName);
+    fs.writeFileSync(path.join(directory, lockfileName), dedupedYarnLock);
+  }
 
   const lockfile = await Lockfile.fromDirectory(directory, reporter);
   const install = new LightweightInstall(flags, config, reporter, lockfile);
   await install.init();
-  var updatedYarnLock = readFile(lockfileName);
 
-  updatedYarnLock = recoverVersionComments(originalYarnLock, updatedYarnLock);
+  const updatedYarnLock = readFile(lockfileName);
+  const updatedYarnLockWithVersion = recoverVersionComments(
+    originalYarnLock,
+    updatedYarnLock
+  );
 
   return {
-    [lockfileName]: updatedYarnLock
+    [lockfileName]: updatedYarnLockWithVersion
   };
 }
 

data/helpers/lib/yarn/updater.js

@@ -25,45 +25,7 @@ const Lockfile = require("@dependabot/yarn-lib/lib/lockfile").default;
 const parse = require("@dependabot/yarn-lib/lib/lockfile/parse").default;
 const fixDuplicates = require("./fix-duplicates");
 const replaceDeclaration = require("./replace-lockfile-declaration");
-
-// Add is a subclass of the Install CLI command, which is responsible for
-// adding packages to a package.json and yarn.lock. Upgrading a package is
-// exactly the same as adding, except the package already exists in the
-// manifests.
-//
-// Usually, calling Add.init() would execute a series of steps: resolve, fetch,
-// link, run lifecycle scripts, cleanup, then save new manifest (package.json).
-// We only care about the first and last steps: resolve, then save the new
-// manifest. Fotunately, overriding bailout() gives us an opportunity to skip
-// over the intermediate steps in a relatively painless fashion.
-class LightweightAdd extends Add {
-  // This method is called by init() at the end of the resolve step, and is
-  // responsible for checking if any dependnecies need to be updated locally.
-  // If everything is up to date, it'll save a new lockfile and return true,
-  // which causes init() to skip over the next few steps (fetching and
-  // installing packages). If there are packages that need updating, it'll
-  // return false, and init() will continue on to the fetching and installing
-  // steps.
-  //
-  // Add overrides Install's implementation to always return false - meaning
-  // that it will always continue to the fetch and install steps. We want to
-  // do the opposite - just save the new lockfile and stop there.
-  async bailout(patterns, workspaceLayout) {
-    // This is the only part of the original bailout implementation that
-    // matters: saving the new lockfile
-    await this.saveLockfileAndIntegrity(patterns, workspaceLayout);
-
-    // Skip over the unnecessary steps - fetching and linking packages, etc.
-    return true;
-  }
-}
-
-class LightweightInstall extends Install {
-  async bailout(patterns, workspaceLayout) {
-    await this.saveLockfileAndIntegrity(patterns, workspaceLayout);
-    return true;
-  }
-}
+const { LightweightAdd, LightweightInstall } = require("./helpers");
 
 function flattenAllDependencies(manifest) {
   return Object.assign(

data/helpers/package.json

@@ -16,7 +16,6 @@
   "devDependencies": {
     "eslint": "^5.15.3",
     "eslint-plugin-prettier": "^3.0.1",
-    "fs-extra": "^7.0.1",
     "jest": "^24.5.0",
     "nock": "^10.0.6",
     "prettier": "^1.16.4"

data/helpers/test/npm/updater.test.js

@@ -1,6 +1,6 @@
 const path = require("path");
 const os = require("os");
-const fs = require("fs-extra");
+const fs = require("fs");
 const nock = require("nock");
 const {
   updateDependencyFiles,
@@ -17,20 +17,20 @@ describe("updater", () => {
 
     tempDir = fs.mkdtempSync(os.tmpdir() + path.sep);
   });
-  afterEach(() => fs.removeSync(tempDir));
+  afterEach(() => fs.rmdirSync(tempDir));
 
   async function copyDependencies(sourceDir, destDir) {
     const srcPackageJson = path.join(
       __dirname,
       `fixtures/updater/${sourceDir}/package.json`
     );
-    await fs.copy(srcPackageJson, `${destDir}/package.json`);
+    await fs.copyFile(srcPackageJson, `${destDir}/package.json`);
 
     const srcLockfile = path.join(
       __dirname,
       `fixtures/updater/${sourceDir}/package-lock.json`
     );
-    await fs.copy(srcLockfile, `${destDir}/package-lock.json`);
+    await fs.copyFile(srcLockfile, `${destDir}/package-lock.json`);
   }
 
   it("generates an updated package-lock.json", async () => {

data/helpers/test/yarn/updater.test.js

@@ -1,6 +1,6 @@
 const path = require("path");
 const os = require("os");
-const fs = require("fs-extra");
+const fs = require("fs");
 const nock = require("nock");
 const {
   updateDependencyFiles,
@@ -20,20 +20,20 @@ describe("updater", () => {
 
     tempDir = fs.mkdtempSync(os.tmpdir() + path.sep);
   });
-  afterEach(() => fs.removeSync(tempDir));
+  afterEach(() => fs.rmdirSync(tempDir));
 
   async function copyDependencies(sourceDir, destDir) {
     const srcPackageJson = path.join(
       __dirname,
       `fixtures/updater/${sourceDir}/package.json`
     );
-    await fs.copy(srcPackageJson, `${destDir}/package.json`);
+    await fs.copyFile(srcPackageJson, `${destDir}/package.json`);
 
     const srcYarnLock = path.join(
       __dirname,
       `fixtures/updater/${sourceDir}/yarn.lock`
     );
-    await fs.copy(srcYarnLock, `${destDir}/yarn.lock`);
+    await fs.copyFile(srcYarnLock, `${destDir}/yarn.lock`);
   }
 
   it("generates an updated yarn.lock", async () => {

data/helpers/yarn.lock

@@ -2039,15 +2039,6 @@ fs-constants@^1.0.0:
   resolved "https://registry.yarnpkg.com/fs-constants/-/fs-constants-1.0.0.tgz#6be0de9be998ce16af8afc24497b9ee9b7ccd9ad"
   integrity sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow==
 
-fs-extra@^7.0.1:
-  version "7.0.1"
-  resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-7.0.1.tgz#4f189c44aa123b895f722804f55ea23eadc348e9"
-  integrity sha512-YJDaCJZEnBmcbw13fvdAM9AwNOJwOzrE4pqMqBq5nFiEqXUqHwlK4B+3pUw6JNvfSPtX05xFHtYy/1ni01eGCw==
-  dependencies:
-    graceful-fs "^4.1.2"
-    jsonfile "^4.0.0"
-    universalify "^0.1.0"
-
 fs-minipass@^1.2.5:
   version "1.2.5"
   resolved "https://registry.yarnpkg.com/fs-minipass/-/fs-minipass-1.2.5.tgz#06c277218454ec288df77ada54a03b8702aacb9d"
@@ -2233,7 +2224,7 @@ got@^6.7.1:
     unzip-response "^2.0.1"
     url-parse-lax "^1.0.0"
 
-graceful-fs@^4.1.11, graceful-fs@^4.1.15, graceful-fs@^4.1.2, graceful-fs@^4.1.6:
+graceful-fs@^4.1.11, graceful-fs@^4.1.15, graceful-fs@^4.1.2:
   version "4.1.15"
   resolved "https://registry.yarnpkg.com/graceful-fs/-/graceful-fs-4.1.15.tgz#ffb703e1066e8a0eeaa4c8b80ba9253eeefbfb00"
   integrity sha512-6uHUhOPEBgQ24HM+r6b/QwWfZq+yiFcipKFrOFiBEnWdy5sdzYoi+pJeQaPI5qOLRFqWmAXUPQNsielzdLoecA==
@@ -3373,13 +3364,6 @@ json5@^2.1.0:
   dependencies:
     minimist "^1.2.0"
 
-jsonfile@^4.0.0:
-  version "4.0.0"
-  resolved "https://registry.yarnpkg.com/jsonfile/-/jsonfile-4.0.0.tgz#8771aae0799b64076b76640fca058f9c10e33ecb"
-  integrity sha1-h3Gq4HmbZAdrdmQPygWPnBDjPss=
-  optionalDependencies:
-    graceful-fs "^4.1.6"
-
 jsonparse@^1.2.0:
   version "1.3.1"
   resolved "https://registry.yarnpkg.com/jsonparse/-/jsonparse-1.3.1.tgz#3f4dae4a91fac315f71062f8521cc239f1366280"
@@ -4303,7 +4287,6 @@ npm@^6.9.0:
     cmd-shim "~2.0.2"
     columnify "~1.5.4"
     config-chain "^1.1.12"
-    debuglog "*"
     detect-indent "~5.0.0"
     detect-newline "^2.1.0"
     dezalgo "~1.0.3"
@@ -4318,7 +4301,6 @@ npm@^6.9.0:
     has-unicode "~2.0.1"
     hosted-git-info "^2.7.1"
     iferr "^1.0.2"
-    imurmurhash "*"
     inflight "~1.0.6"
     inherits "~2.0.3"
     ini "^1.3.5"
@@ -4328,22 +4310,12 @@ npm@^6.9.0:
     lazy-property "~1.0.0"
     libcipm "^3.0.3"
     libnpm "^2.0.1"
-    libnpmaccess "*"
     libnpmhook "^5.0.2"
-    libnpmorg "*"
-    libnpmsearch "*"
-    libnpmteam "*"
     libnpx "^10.2.0"
     lock-verify "^2.1.0"
     lockfile "^1.0.4"
-    lodash._baseindexof "*"
     lodash._baseuniq "~4.6.0"
-    lodash._bindcallback "*"
-    lodash._cacheindexof "*"
-    lodash._createcache "*"
-    lodash._getnative "*"
     lodash.clonedeep "~4.5.0"
-    lodash.restparam "*"
     lodash.union "~4.6.0"
     lodash.uniq "~4.5.0"
     lodash.without "~4.4.0"
@@ -4362,7 +4334,6 @@ npm@^6.9.0:
     npm-package-arg "^6.1.0"
     npm-packlist "^1.4.1"
     npm-pick-manifest "^2.2.3"
-    npm-profile "*"
     npm-registry-fetch "^3.9.0"
     npm-user-validate "~1.0.0"
     npmlog "~4.1.2"
@@ -4381,7 +4352,6 @@ npm@^6.9.0:
     read-package-json "^2.0.13"
     read-package-tree "^5.2.2"
     readable-stream "^3.1.1"
-    readdir-scoped-modules "*"
     request "^2.88.0"
     retry "^0.12.0"
     rimraf "^2.6.3"
@@ -6121,11 +6091,6 @@ unique-string@^1.0.0:
   dependencies:
     crypto-random-string "^1.0.0"
 
-universalify@^0.1.0:
-  version "0.1.2"
-  resolved "https://registry.yarnpkg.com/universalify/-/universalify-0.1.2.tgz#b646f69be3942dabcecc9d6639c80dc105efaa66"
-  integrity sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==
-
 unpipe@~1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/unpipe/-/unpipe-1.0.0.tgz#b2bf4ee8514aae6165b4817829d21b2ef49904ec"

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -149,7 +149,7 @@ module Dependabot
           SharedHelpers.run_helper_subprocess(
             command: NativeHelpers.helper_path,
             function: "yarn:updateSubdependency",
-            args: [Dir.pwd, lockfile_name]
+            args: [Dir.pwd, lockfile_name, sub_dependencies.first.to_h]
           )
         end
 
@@ -314,21 +314,7 @@ module Dependabot
         def write_lockfiles
           yarn_locks.each do |f|
             FileUtils.mkdir_p(Pathname.new(f.name).dirname)
-
-            if top_level_dependencies.any?
-              File.write(f.name, f.content)
-            else
-              File.write(f.name, prepared_yarn_lockfile_content(f.content))
-            end
-          end
-        end
-
-        # Duplicated in SubdependencyVersionResolver
-        # Remove the dependency we want to update from the lockfile and let
-        # yarn find the latest resolvable version and fix the lockfile
-        def prepared_yarn_lockfile_content(content)
-          sub_dependencies.map(&:name).reduce(content) do |result, name|
-            result.gsub(/^#{Regexp.quote(name)}\@.*?\n\n/m, "")
+            File.write(f.name, f.content)
           end
         end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.98.32
+  version: 0.98.33
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.98.32
+        version: 0.98.33
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.98.32
+        version: 0.98.33
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement