@coana-tech/cli 14.6.2 → 14.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/cli.mjs +39 -22
  2. package/package.json +1 -1
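--- a/package/cli.mjs
+++ b/package/cli.mjs
@@ -184343,20 +184343,24 @@ var NugetFixingManager = class {
 });
 const conflictCache = new Cache();
 await applySeries(vulnFixes, async ({ dependencyIdentifier, dependencyName, fixedVersion }) => {
-const framework = dependencyTree.transitiveDependencies[dependencyIdentifier].framework;
-if (framework && typeCache.get(framework)?.get(dependencyName) === "Direct") {
-const nugetRange = NuGetRange.parse(requestedCache.get(framework)?.get(dependencyName) ?? "0.0.0");
-const nugetFixedVersion = NuGetVersion.parse(fixedVersion);
-conflictCache.computeIfAbsent(framework, Cache.create).putIfAbsent(dependencyName, !nugetRange.contains(nugetFixedVersion));
-const updatedNugetRange = NuGetRange.combineRanges(nugetRange, NuGetRange.combineVersions(nugetFixedVersion));
-requestedCache.computeIfAbsent(framework, Cache.create).set(dependencyName, updatedNugetRange.toString());
-}
+await applySeries(
+dependencyTree.transitiveDependencies[dependencyIdentifier].frameworks?.filter(
+(framework) => typeCache.get(framework)?.get(dependencyName) === "Direct"
+) ?? [],
+async (framework) => {
+const nugetRange = NuGetRange.parse(requestedCache.get(framework)?.get(dependencyName) ?? "0.0.0");
+const nugetFixedVersion = NuGetVersion.parse(fixedVersion);
+conflictCache.computeIfAbsent(framework, Cache.create).putIfAbsent(dependencyName, !nugetRange.contains(nugetFixedVersion));
+const updatedNugetRange = NuGetRange.combineRanges(nugetRange, NuGetRange.combineVersions(nugetFixedVersion));
+requestedCache.computeIfAbsent(framework, Cache.create).set(dependencyName, updatedNugetRange.toString());
+}
+);
 });
 await applySeries(vulnFixes, async ({ dependencyIdentifier, dependencyName, fixedVersion }) => {
-const framework = dependencyTree.transitiveDependencies[dependencyIdentifier].framework;
-if (framework) {
-await this.addPackage(dependencyName, fixedVersion, framework, wsPath);
-}
+await applySeries(
+dependencyTree.transitiveDependencies[dependencyIdentifier].frameworks ?? [],
+async (framework) => await this.addPackage(dependencyName, fixedVersion, framework, wsPath)
+);
 });
 const lockFileWithFixes = await this.restoreWorkspaceAndParseLockFile(wsPath);
 Object.entries(lockFileWithFixes.dependencies).forEach(([framework, nameToDetails]) => {
@@ -184376,16 +184380,29 @@ var NugetFixingManager = class {
 });
 await writeFile7(projectFilePath, initialProjectFile);
 await applySeries(vulnFixes, async ({ dependencyIdentifier, dependencyName }) => {
-const framework = dependencyTree.transitiveDependencies[dependencyIdentifier].framework;
-if (framework && conflictCache.get(framework)?.get(dependencyName)) {
-const updatedRange = requestedCache.get(framework)?.get(dependencyName);
-if (!updatedRange) {
-throw new Error(
-`unexpected empty requested cache for dependency ${dependencyName}, framework ${framework}, workspace ${wsPath}`
-);
+await applySeries(
+dependencyTree.transitiveDependencies[dependencyIdentifier].frameworks?.filter(
+(framework) => conflictCache.get(framework)?.get(dependencyName)
+) ?? [],
+// Add dependency with the updated version range that accomodates the fixed version.
+// Using this range, instead of 'fixedVersion' or '[fixedVersion]' avoids .NET downgrade error.
+// A downgrade error happens in the following case:
+// - Project file for workspace A specifies dependency D at version range r1
+// - Project file for workspace B specifies dependency on workspace A and on dependency D at range r2
+// - The lower bound for r2 is less than the lower bound for r1
+// Assuming the fix version is an upgrade, using the updated requested range will keep the lower
+// bound on r1 after applying a fix to workspace A.
+// Note, if fixed version can be a downgrade, applying a fix to workspace B *can* introduce a downgrade error!
+async (framework) => {
+const updatedRange = requestedCache.get(framework)?.get(dependencyName);
+if (!updatedRange) {
+throw new Error(
+`unexpected empty requested cache for dependency ${dependencyName}, framework ${framework}, workspace ${wsPath}`
+);
+}
+await this.addPackage(dependencyName, updatedRange.toString(), framework, wsPath);
 }
-await this.addPackage(dependencyName, updatedRange.toString(), framework, wsPath);
-}
+);
 });
 await writeFile7(this.getLockFilePath(wsPath), JSON.stringify(lockFileWithFixes, null, 2));
 }
@@ -202423,7 +202440,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.6.2";
+var version2 = "14.6.3";
 
 // dist/cli-core.js
 var { omit, partition, pick } = import_lodash12.default;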
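Review bot: The `?? []` fallback on `frameworks` in all three rewritten `applySeries` calls (first at 184347, then 184361 and 184384) turns a dependency with no recorded frameworks into a silent no-op, so a vulnerable package whose tree entry lacks the new field is quietly left unfixed with nothing reported to the user. The previous `if (framework)` guard behaved the same way, but the rename from the singular `framework` to `frameworks` means a producer that was not updated in the same release hits exactly this path, which I cannot confirm from the hunk. Hoisting the lookup, `const frameworks = dependencyTree.transitiveDependencies[dependencyIdentifier].frameworks;`, and reporting when it is `undefined` (throw if that is never expected, otherwise a warning through the CLI's existing logger) would make the skip visible. Two smaller points: `async (framework) => await this.addPackage(...)` at 184362 can be `(framework) => this.addPackage(...)`, and the comment at 184387 spells "accommodates" as "accomodates" and sits between two arguments, where it reads as documentation of the filter rather than of the `addPackage` call it describes. The enclosing method starts above the first hunk.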
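--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@coana-tech/cli",
-"version": "14.6.2",
+"version": "14.6.3",
 "description": "Coana CLI",
 "type": "module",
 "bin": {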