dependabot-npm_and_yarn 0.98.61 → 0.98.62
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 35656968fb496f5e4b9ec72d78970c3d0a8addb4d6624547f8ec6a89b4ae0734
|
4
|
+
data.tar.gz: f1189c0cbd576af29732e5615ebbaed52930002f459856751e3f05c53885a7b3
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 03c31a5046a551135cf9e56306e67c220314fb6f92a6551c242ded15f64b929618e963c33bb17762f35538eb417ca573631556c054912364438ba3920802ea34
|
7
|
+
data.tar.gz: 6649977e4451edf84fb55afdb8f427c5807b7a17aeab841a09af53855360de743f9053fc74c92e234a6e22a4d2277800e0f0435513bba5c669e8117538d42f9f
|
@@ -93,21 +93,23 @@ module Dependabot
|
|
93
93
|
def build_dependency(file:, type:, name:, requirement:)
|
94
94
|
lockfile_details = lockfile_parser.lockfile_details(
|
95
95
|
dependency_name: name,
|
96
|
-
requirement: requirement
|
96
|
+
requirement: requirement,
|
97
|
+
manifest_name: file.name
|
97
98
|
)
|
98
|
-
|
99
|
+
version = version_for(name, requirement, file.name)
|
100
|
+
return if lockfile_details && !version
|
99
101
|
return if ignore_requirement?(requirement)
|
100
102
|
return if workspace_package_names.include?(name)
|
101
103
|
|
102
104
|
Dependency.new(
|
103
105
|
name: name,
|
104
|
-
version:
|
106
|
+
version: version,
|
105
107
|
package_manager: "npm_and_yarn",
|
106
108
|
requirements: [{
|
107
109
|
requirement: requirement_for(requirement),
|
108
110
|
file: file.name,
|
109
111
|
groups: [type],
|
110
|
-
source: source_for(name, requirement)
|
112
|
+
source: source_for(name, requirement, file.name)
|
111
113
|
}]
|
112
114
|
)
|
113
115
|
end
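Review bot: The new guard `return if lockfile_details && !version` silently drops any dependency that has a lockfile entry but no derivable version, and nothing says why that is preferable to emitting it with `version: nil` the way a dependency with no lockfile entry at all still is. A dependency skipped here vanishes from the parsed set, so downstream update or advisory matching (inferred, not visible in this hunk) would never see it, which is a quiet way to lose coverage of exactly the pinned dependencies a lockfile is supposed to make visible. Add a why-comment above the guard, e.g. `# A lockfile entry whose version cannot be derived is skipped entirely rather than reported as unversioned`, and since `lockfile_details` is now only read for its truthiness, consider naming it `in_lockfile` or reusing the lookup that `version_for` already performs so the double parse and the intent are both explicit.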
|
@@ -151,26 +153,27 @@ module Dependabot
|
|
151
153
|
package_files.map { |f| JSON.parse(f.content)["name"] }.compact
|
152
154
|
end
|
153
155
|
|
154
|
-
def version_for(name, requirement)
|
156
|
+
def version_for(name, requirement, manifest_name)
|
155
157
|
if git_url_with_semver?(requirement)
|
156
|
-
semver_version = semver_version_for(name, requirement)
|
158
|
+
semver_version = semver_version_for(name, requirement, manifest_name)
|
157
159
|
return semver_version if semver_version
|
158
160
|
|
159
|
-
git_revision = git_revision_for(name, requirement)
|
161
|
+
git_revision = git_revision_for(name, requirement, manifest_name)
|
160
162
|
version_from_git_revision(requirement, git_revision) || git_revision
|
161
163
|
elsif git_url?(requirement)
|
162
|
-
git_revision_for(name, requirement)
|
164
|
+
git_revision_for(name, requirement, manifest_name)
|
163
165
|
else
|
164
|
-
semver_version_for(name, requirement)
|
166
|
+
semver_version_for(name, requirement, manifest_name)
|
165
167
|
end
|
166
168
|
end
|
167
169
|
|
168
|
-
def git_revision_for(name, requirement)
|
170
|
+
def git_revision_for(name, requirement, manifest_name)
|
169
171
|
return unless git_url?(requirement)
|
170
172
|
|
171
173
|
lockfile_details = lockfile_parser.lockfile_details(
|
172
174
|
dependency_name: name,
|
173
|
-
requirement: requirement
|
175
|
+
requirement: requirement,
|
176
|
+
manifest_name: manifest_name
|
174
177
|
)
|
175
178
|
lock_version = lockfile_details&.fetch("version", nil)
|
176
179
|
lock_res = lockfile_details&.fetch("resolved", nil)
|
@@ -208,10 +211,11 @@ module Dependabot
|
|
208
211
|
nil
|
209
212
|
end
|
210
213
|
|
211
|
-
def semver_version_for(name, requirement)
|
214
|
+
def semver_version_for(name, requirement, manifest_name)
|
212
215
|
lock_version = lockfile_parser.lockfile_details(
|
213
216
|
dependency_name: name,
|
214
|
-
requirement: requirement
|
217
|
+
requirement: requirement,
|
218
|
+
manifest_name: manifest_name
|
215
219
|
)&.fetch("version", nil)
|
216
220
|
|
217
221
|
return unless lock_version
|
@@ -223,12 +227,13 @@ module Dependabot
|
|
223
227
|
lock_version
|
224
228
|
end
|
225
229
|
|
226
|
-
def source_for(name, requirement)
|
230
|
+
def source_for(name, requirement, manifest_name)
|
227
231
|
return git_source_for(requirement) if git_url?(requirement)
|
228
232
|
|
229
233
|
resolved_url = lockfile_parser.lockfile_details(
|
230
234
|
dependency_name: name,
|
231
|
-
requirement: requirement
|
235
|
+
requirement: requirement,
|
236
|
+
manifest_name: manifest_name
|
232
237
|
)&.fetch("resolved", nil)
|
233
238
|
|
234
239
|
return unless resolved_url
|
@@ -19,32 +19,28 @@ module Dependabot
|
|
19
19
|
dependency_set.dependencies
|
20
20
|
end
|
21
21
|
|
22
|
-
def lockfile_details(dependency_name:, requirement:)
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
find do |k, _|
|
45
|
-
k.split(/(?<=\w)\@/)[1..-1].join("@") == requirement
|
46
|
-
end&.
|
47
|
-
last
|
22
|
+
def lockfile_details(dependency_name:, requirement:, manifest_name:)
|
23
|
+
potential_lockfiles_for_manifest(manifest_name).each do |lockfile|
|
24
|
+
details =
|
25
|
+
if [*package_locks, *shrinkwraps].include?(lockfile)
|
26
|
+
parsed_lockfile = parse_package_lock(lockfile)
|
27
|
+
parsed_lockfile.dig("dependencies", dependency_name)
|
28
|
+
else
|
29
|
+
parsed_yarn_lock = parse_yarn_lock(lockfile)
|
30
|
+
details_candidates =
|
31
|
+
parsed_yarn_lock.
|
32
|
+
select { |k, _| k.split(/(?<=\w)\@/)[0] == dependency_name }
|
33
|
+
|
34
|
+
# If there's only one entry for this dependency, use it, even if
|
35
|
+
# the requirement in the lockfile doesn't match
|
36
|
+
if details_candidates.one?
|
37
|
+
details_candidates.first.last
|
38
|
+
else
|
39
|
+
details_candidates.find do |k, _|
|
40
|
+
k.split(/(?<=\w)\@/)[1..-1].join("@") == requirement
|
41
|
+
end&.last
|
42
|
+
end
|
43
|
+
end
|
48
44
|
|
49
45
|
return details if details
|
50
46
|
end
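Review bot: In the yarn branch, the `details_candidates.one?` shortcut returns the sole `yarn.lock` entry for `dependency_name` even when the requirement recorded in its key differs from `requirement`, so the `version` and `resolved` URL handed back may describe a stale or unrelated constraint rather than the one in this manifest; the callers above (`version_for`, `source_for`) treat that result as the installed version and registry source with no way to tell a matched entry from a best-guess one. The in-code comment states the choice but not its consequence, and because the outer `each` returns the first lockfile that yields anything, a single mismatched entry in a sibling or root lockfile also pre-empts any later candidate. At minimum extend the comment, e.g. `# NOTE: when only one entry exists it is returned even if its requirement differs from `requirement`; callers treat version/resolved as authoritative`, or restrict the shortcut to candidates whose recorded requirement is the same bare string when several lockfiles are in play — whether a satisfiability check is available here cannot be told from this hunk. The closing `end` of `lockfile_details` lies outside the hunk.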
|
@@ -56,6 +52,19 @@ module Dependabot
|
|
56
52
|
|
57
53
|
attr_reader :dependency_files
|
58
54
|
|
55
|
+
def potential_lockfiles_for_manifest(manifest_filename)
|
56
|
+
dir_name = File.dirname(manifest_filename)
|
57
|
+
possible_lockfile_names =
|
58
|
+
%w(package-lock.json npm-shrinkwrap.json yarn.lock).map do |f|
|
59
|
+
Pathname.new(File.join(dir_name, f)).cleanpath.to_path
|
60
|
+
end +
|
61
|
+
%w(yarn.lock package-lock.json npm-shrinkwrap.json)
|
62
|
+
|
63
|
+
possible_lockfile_names.uniq.
|
64
|
+
map { |nm| dependency_files.find { |f| f.name == nm } }.
|
65
|
+
compact
|
66
|
+
end
|
67
|
+
|
59
68
|
def yarn_lock_dependencies
|
60
69
|
dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
|
61
70
|
|
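Review bot: `potential_lockfiles_for_manifest` probes the manifest's directory as `package-lock.json`, `npm-shrinkwrap.json`, `yarn.lock` but the root fallback as `yarn.lock`, `package-lock.json`, `npm-shrinkwrap.json`, and neither order matches npm, which gives `npm-shrinkwrap.json` precedence over `package-lock.json` when both are present; if the two files disagree, the first lockfile that yields an entry wins, so the version and resolved URL reported can come from the file npm would not actually install from. The inconsistency between the two lists looks accidental rather than intentional, though that cannot be confirmed from here. Use one ordering in both places, `%w(npm-shrinkwrap.json package-lock.json yarn.lock)`, or add a comment stating why the local and root orders differ. `yarn_lock_dependencies` at the end of the hunk continues outside it.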
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dependabot-npm_and_yarn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.98.
|
4
|
+
version: 0.98.62
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Dependabot
|
@@ -16,14 +16,14 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - '='
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: 0.98.
|
19
|
+
version: 0.98.62
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
24
|
- - '='
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: 0.98.
|
26
|
+
version: 0.98.62
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: byebug
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|