class Dependabot::NpmAndYarn::UpdateChecker

Public Instance Methods

conflicting_dependencies() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 97
def conflicting_dependencies
  ConflictingDependencyResolver.new(
    dependency_files: dependency_files,
    credentials: credentials
  ).conflicting_dependencies(
    dependency: dependency,
    target_version: lowest_security_fix_version
  )
end
latest_resolvable_previous_version(updated_version) click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 63
def latest_resolvable_previous_version(updated_version)
  version_resolver.latest_resolvable_previous_version(updated_version)
end
latest_resolvable_version() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 27
def latest_resolvable_version
  return unless latest_version

  @latest_resolvable_version ||=
    if dependency.top_level?
      version_resolver.latest_resolvable_version
    else
      # If the dependency is indirect its version is constrained  by the
      # requirements placed on it by dependencies lower down the tree
      subdependency_version_resolver.latest_resolvable_version
    end
end
latest_resolvable_version_with_no_unlock() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 55
def latest_resolvable_version_with_no_unlock
  return latest_resolvable_version unless dependency.top_level?

  return latest_resolvable_version_with_no_unlock_for_git_dependency if git_dependency?

  latest_version_finder.latest_version_with_no_unlock
end
latest_version() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 18
def latest_version
  @latest_version ||=
    if git_dependency?
      latest_version_for_git_dependency
    else
      latest_version_details&.fetch(:version)
    end
end
lowest_resolvable_security_fix_version() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 44
def lowest_resolvable_security_fix_version
  raise "Dependency not vulnerable!" unless vulnerable?
  # NOTE: we currently don't resolve transitive/sub-dependencies as
  # npm/yarn don't provide any control over updating to a specific
  # sub-dependency
  return latest_resolvable_version unless dependency.top_level?

  # TODO: Might want to check resolvability here?
  lowest_security_fix_version
end
lowest_security_fix_version() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 40
def lowest_security_fix_version
  latest_version_finder.lowest_security_fix_version
end
requirements_update_strategy() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 89
def requirements_update_strategy
  # If passed in as an option (in the base class) honour that option
  return @requirements_update_strategy.to_sym if @requirements_update_strategy

  # Otherwise, widen ranges for libraries and bump versions for apps
  library? ? :widen_ranges : :bump_versions
end
updated_requirements() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 67
def updated_requirements
  resolvable_version =
    if preferred_resolvable_version.is_a?(version_class)
      preferred_resolvable_version.to_s
    elsif preferred_resolvable_version.nil?
      nil
    else
      # If the preferred_resolvable_version came back as anything other
      # than a version class or `nil` it must be because this is a git
      # dependency, for which we don't check resolvability.
      latest_version_details&.fetch(:version, nil)&.to_s
    end

  @updated_requirements ||=
    RequirementsUpdater.new(
      requirements: dependency.requirements,
      updated_source: updated_source,
      latest_resolvable_version: resolvable_version,
      update_strategy: requirements_update_strategy
    ).updated_requirements
end

Private Instance Methods

build_updated_dependency(update_details) click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 123
def build_updated_dependency(update_details)
  original_dep = update_details.fetch(:dependency)
  version = update_details.fetch(:version).to_s
  previous_version = update_details.fetch(:previous_version)&.to_s

  Dependency.new(
    name: original_dep.name,
    version: version,
    requirements: RequirementsUpdater.new(
      requirements: original_dep.requirements,
      updated_source: original_dep == dependency ? updated_source : nil,
      latest_resolvable_version: version,
      update_strategy: requirements_update_strategy
    ).updated_requirements,
    previous_version: previous_version,
    previous_requirements: original_dep.requirements,
    package_manager: original_dep.package_manager
  )
end
dependency_source_details() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 298
def dependency_source_details
  sources =
    dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact.
    sort_by { |source| RegistryFinder.central_registry?(source[:url]) ? 1 : 0 }

  sources.first
end
git_branch_or_ref_in_latest_release?() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 191
def git_branch_or_ref_in_latest_release?
  return false unless latest_released_version

  return @git_branch_or_ref_in_latest_release if defined?(@git_branch_or_ref_in_latest_release)

  @git_branch_or_ref_in_latest_release ||=
    git_commit_checker.branch_or_ref_in_release?(latest_released_version)
end
git_commit_checker() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 311
def git_commit_checker
  @git_commit_checker ||=
    GitCommitChecker.new(
      dependency: dependency,
      credentials: credentials,
      ignored_versions: ignored_versions,
      raise_on_ignored: raise_on_ignored
    )
end
git_dependency?() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 243
def git_dependency?
  git_commit_checker.git_dependency?
end
latest_git_version_details() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 247
def latest_git_version_details
  semver_req =
    dependency.requirements.
    find { |req| req.dig(:source, :type) == "git" }&.
    fetch(:requirement)

  # If there was a semver requirement provided or the dependency was
  # pinned to a version, look for the latest tag
  if semver_req || git_commit_checker.pinned_ref_looks_like_version?
    latest_tag = git_commit_checker.local_tag_for_latest_version
    return {
      sha: latest_tag&.fetch(:commit_sha),
      version: latest_tag&.fetch(:tag)&.gsub(/^[^\d]*/, "")
    }
  end

  # Otherwise, if the gem isn't pinned, the latest version is just the
  # latest commit for the specified branch.
  return { sha: git_commit_checker.head_commit_for_current_branch } unless git_commit_checker.pinned?

  # If the dependency is pinned to a tag that doesn't look like a
  # version then there's nothing we can do.
  { sha: dependency.version }
end
latest_released_version() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 178
def latest_released_version
  @latest_released_version ||=
    latest_version_finder.latest_version_from_registry
end
latest_resolvable_version_with_no_unlock_for_git_dependency() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 143
def latest_resolvable_version_with_no_unlock_for_git_dependency
  reqs = dependency.requirements.map do |r|
    next if r.fetch(:requirement).nil?

    requirement_class.requirements_array(r.fetch(:requirement))
  end.compact

  current_version =
    if existing_version_is_sha? ||
       !version_class.correct?(dependency.version)
      dependency.version
    else
      version_class.new(dependency.version)
    end

  return current_version if git_commit_checker.pinned?

  # TODO: Really we should get a tag that satisfies the semver req
  return current_version if reqs.any?

  git_commit_checker.head_commit_for_current_branch
end
latest_version_details() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 200
def latest_version_details
  @latest_version_details ||=
    if git_dependency? && !should_switch_source_from_git_to_registry?
      latest_git_version_details
    else
      { version: latest_released_version }
    end
end
latest_version_finder() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 209
def latest_version_finder
  @latest_version_finder ||=
    LatestVersionFinder.new(
      dependency: dependency,
      credentials: credentials,
      dependency_files: dependency_files,
      ignored_versions: ignored_versions,
      raise_on_ignored: raise_on_ignored,
      security_advisories: security_advisories
    )
end
latest_version_for_git_dependency() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 166
def latest_version_for_git_dependency
  @latest_version_for_git_dependency ||=
    if git_branch_or_ref_in_latest_release?
      latest_released_version
    elsif version_class.correct?(dependency.version)
      latest_git_version_details[:version] &&
        version_class.new(latest_git_version_details[:version])
    else
      latest_git_version_details[:sha]
    end
end
latest_version_resolvable_with_full_unlock?() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 109
def latest_version_resolvable_with_full_unlock?
  return unless latest_version

  # No support for full unlocks for subdependencies yet
  return false unless dependency.top_level?

  version_resolver.latest_version_resolvable_with_full_unlock?
end
library?() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 290
def library?
  return true unless dependency.version
  return true if dependency_files.any? { |f| f.name == "lerna.json" }

  @library =
    LibraryDetector.new(package_json_file: package_json).library?
end
package_json() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 306
def package_json
  @package_json ||=
    dependency_files.find { |f| f.name == "package.json" }
end
should_switch_source_from_git_to_registry?() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 183
def should_switch_source_from_git_to_registry?
  return false unless git_dependency?
  return false unless git_branch_or_ref_in_latest_release?
  return false if latest_version_for_git_dependency.nil?

  version_class.correct?(latest_version_for_git_dependency)
end
subdependency_version_resolver() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 232
def subdependency_version_resolver
  @subdependency_version_resolver ||=
    SubdependencyVersionResolver.new(
      dependency: dependency,
      credentials: credentials,
      dependency_files: dependency_files,
      ignored_versions: ignored_versions,
      latest_allowable_version: latest_version
    )
end
updated_dependencies_after_full_unlock() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 118
def updated_dependencies_after_full_unlock
  version_resolver.dependency_updates_from_full_unlock.
    map { |update_details| build_updated_dependency(update_details) }
end
updated_source() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 272
def updated_source
  # Never need to update source, unless a git_dependency
  return dependency_source_details unless git_dependency?

  # Source becomes `nil` if switching to default rubygems
  return nil if should_switch_source_from_git_to_registry?

  # Update the git tag if updating a pinned version
  if git_commit_checker.pinned_ref_looks_like_version? &&
     !git_commit_checker.local_tag_for_latest_version.nil?
    new_tag = git_commit_checker.local_tag_for_latest_version
    return dependency_source_details.merge(ref: new_tag.fetch(:tag))
  end

  # Otherwise return the original source
  dependency_source_details
end
version_resolver() click to toggle source
# File lib/dependabot/npm_and_yarn/update_checker.rb, line 221
def version_resolver
  @version_resolver ||=
    VersionResolver.new(
      dependency: dependency,
      credentials: credentials,
      dependency_files: dependency_files,
      latest_allowable_version: latest_version,
      latest_version_finder: latest_version_finder
    )
end