Class: Dependabot::NpmAndYarn::UpdateChecker

Inherits:
UpdateCheckers::Base
  • Object
Defined in:
lib/dependabot/npm_and_yarn/update_checker.rb,
lib/dependabot/npm_and_yarn/update_checker/registry_finder.rb,
lib/dependabot/npm_and_yarn/update_checker/library_detector.rb,
lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb,
lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb,
lib/dependabot/npm_and_yarn/update_checker/latest_version_finder.rb,
lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb,
lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb,
lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb,
lib/dependabot/npm_and_yarn/update_checker/conflicting_dependency_resolver.rb

Defined Under Namespace

Classes: ConflictingDependencyResolver, DependencyFilesBuilder, LatestVersionFinder, LibraryDetector, RegistryFinder, RequirementsUpdater, SubdependencyVersionResolver, VersionResolver, VulnerabilityAuditor


Instance Method Details

#conflicting_dependencies ⇒ Object



# File 'lib/dependabot/npm_and_yarn/update_checker.rb', line 132

# Dependencies that block updating to the lowest security-fix version.
#
# Conflicts reported by ConflictingDependencyResolver are always returned.
# When a vulnerability audit has been performed and it reports no available
# fix together with an "explanation", the audit hash itself is appended so
# the caller can surface that reason alongside the conflicts.
#
# @return [Array<Hash>] conflict descriptions, possibly followed by the
#   unfixable audit result
def conflicting_dependencies
  resolver = ConflictingDependencyResolver.new(
    dependency_files: dependency_files,
    credentials: credentials
  )
  conflicts = resolver.conflicting_dependencies(
    dependency: dependency,
    target_version: lowest_security_fix_version
  )
  return conflicts unless vulnerability_audit_performed?

  audit = vulnerability_audit
  # An audit only counts as a blocker when it has no fix AND an explanation.
  unfixable = (audit["explanation"] && !audit["fix_available"]) ? [audit] : []
  conflicts + unfixable
end

#latest_resolvable_previous_version(updated_version) ⇒ Object



# File 'lib/dependabot/npm_and_yarn/update_checker.rb', line 94

# Latest version of the dependency that still resolves alongside
# +updated_version+; delegated entirely to the VersionResolver.
#
# @param updated_version [Object] the version being updated to
# @return [Object] whatever VersionResolver#latest_resolvable_previous_version returns
def latest_resolvable_previous_version(updated_version)
  resolver = version_resolver
  resolver.latest_resolvable_previous_version(updated_version)
end

#latest_resolvable_version ⇒ Object



# File 'lib/dependabot/npm_and_yarn/update_checker.rb', line 46

# Latest version the dependency can be resolved to, memoised.
#
# Returns nil when no latest version is known at all. Top-level dependencies
# are resolved by the VersionResolver; indirect ones go through the
# SubdependencyVersionResolver, because their version is constrained by the
# requirements placed on them by dependencies lower down the tree.
#
# @return [Object, nil] the resolvable version, or nil if none is known
def latest_resolvable_version
  return nil unless latest_version
  return @latest_resolvable_version if @latest_resolvable_version

  resolver = dependency.top_level? ? version_resolver : subdependency_version_resolver
  @latest_resolvable_version = resolver.latest_resolvable_version
end

#latest_resolvable_version_with_no_unlock ⇒ Object



# File 'lib/dependabot/npm_and_yarn/update_checker.rb', line 86

# Latest version reachable without unlocking any other dependency.
#
# Indirect dependencies fall back to #latest_resolvable_version; git
# dependencies use the dedicated git path; everything else asks the
# LatestVersionFinder.
#
# @return [Object, nil]
def latest_resolvable_version_with_no_unlock
  if !dependency.top_level?
    latest_resolvable_version
  elsif git_dependency?
    latest_resolvable_version_with_no_unlock_for_git_dependency
  else
    latest_version_finder.latest_version_with_no_unlock
  end
end

#latest_version ⇒ Object



# File 'lib/dependabot/npm_and_yarn/update_checker.rb', line 37

# Latest available version of the dependency, memoised.
#
# Git dependencies are resolved via #latest_version_for_git_dependency;
# registry dependencies take the :version entry of #latest_version_details
# (nil when no details are available).
#
# @return [Object, nil]
def latest_version
  return @latest_version if @latest_version

  @latest_version =
    if git_dependency?
      latest_version_for_git_dependency
    else
      details = latest_version_details
      details&.fetch(:version)
    end
end

#lowest_resolvable_security_fix_version ⇒ Object



# File 'lib/dependabot/npm_and_yarn/update_checker.rb', line 66

# Lowest version that fixes the known vulnerability and can be resolved.
#
# Top-level dependencies simply get #lowest_security_fix_version
# (resolvability is not checked there yet). Transitive dependencies are not
# fully resolved, because npm/yarn give no control over updating to a specific
# sub-dependency version: if conflicting dependencies exist, nil is returned
# so the failure is visible; otherwise the latest transitive fix version that
# needs no unlock is used.
#
# @return [Object, nil]
# @raise [RuntimeError] when the dependency is not vulnerable
def lowest_resolvable_security_fix_version
  raise "Dependency not vulnerable!" unless vulnerable?

  # TODO: resolvability of the top-level fix version is not checked yet.
  return lowest_security_fix_version if dependency.top_level?

  # Surface nil on conflicts so errors in such cases are caught.
  return nil if conflicting_dependencies.any?

  latest_resolvable_transitive_security_fix_version_with_no_unlock
end

#lowest_security_fix_version ⇒ Object



# File 'lib/dependabot/npm_and_yarn/update_checker.rb', line 59

# Lowest version that fixes the vulnerability, per the LatestVersionFinder.
#
# Returns nil when the audit reports a fix that touches more than one
# top-level ancestor, since that would require a full unlock.
#
# @return [Object, nil]
def lowest_security_fix_version
  needs_full_unlock =
    vulnerability_audit["fix_available"] &&
    vulnerability_audit["top_level_ancestors"].count > 1
  return nil if needs_full_unlock

  latest_version_finder.lowest_security_fix_version
end

#requirements_unlocked_or_can_be? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/dependabot/npm_and_yarn/update_checker.rb', line 120

# Whether the manifest requirements may be changed (i.e. the update strategy
# is anything other than lockfile-only).
#
# @return [Boolean]
def requirements_unlocked_or_can_be?
  lockfile_only = requirements_update_strategy.lockfile_only?
  !lockfile_only
end

#requirements_update_strategy ⇒ Object



# File 'lib/dependabot/npm_and_yarn/update_checker.rb', line 124

# Strategy used to rewrite requirements.
#
# A strategy supplied as an option (stored by the base class in
# @requirements_update_strategy) is honoured as-is; otherwise libraries get
# widened ranges and applications get bumped versions.
#
# @return [RequirementsUpdateStrategy]
def requirements_update_strategy
  if @requirements_update_strategy
    @requirements_update_strategy
  elsif library?
    RequirementsUpdateStrategy::WidenRanges
  else
    RequirementsUpdateStrategy::BumpVersions
  end
end

#up_to_date? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/dependabot/npm_and_yarn/update_checker.rb', line 23

# Whether the dependency is already up to date.
#
# For a security update with a valid current version, the dependency is
# reported as NOT up to date whenever vulnerable versions are known (see
# #vulnerable_versions) but the current version is not among them; in every
# other case the base-class check decides.
#
# @return [Boolean]
def up_to_date?
  other_versions_vulnerable =
    security_update? &&
    dependency.version &&
    version_class.correct?(dependency.version) &&
    vulnerable_versions.any? &&
    !vulnerable_versions.include?(current_version)
  return false if other_versions_vulnerable

  super
end

#updated_requirements ⇒ Object



# File 'lib/dependabot/npm_and_yarn/update_checker.rb', line 98

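# Builds the updated requirement set for the dependency, memoised.
#
# The resolvable version handed to RequirementsUpdater is derived from
# #preferred_resolvable_version:
#   * a version_class instance -> its string form;
#   * nil -> nil (nothing resolvable);
#   * anything else -> treated as a git dependency, for which resolvability is
#     not checked, so the :version entry of #latest_version_details is used.
#
# The derivation is done inside the memoised block: the original computed it
# on every call even after @updated_requirements was set, re-invoking
# #preferred_resolvable_version (up to three times per call) for a result that
# was then discarded.
#
# @return [Array<Hash>] updated requirements as produced by RequirementsUpdater
def updated_requirements
  @updated_requirements ||= begin
    preferred = preferred_resolvable_version
    resolvable_version =
      if preferred.is_a?(version_class)
        preferred.to_s
      elsif preferred.nil?
        nil
      else
        # Not a version and not nil: must be a git dependency.
        latest_version_details&.fetch(:version, nil)&.to_s
      end

    RequirementsUpdater.new(
      requirements: dependency.requirements,
      updated_source: updated_source,
      latest_resolvable_version: resolvable_version,
      update_strategy: requirements_update_strategy
    ).updated_requirements
  end
end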

#vulnerable? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/dependabot/npm_and_yarn/update_checker.rb', line 33

# Whether the dependency is affected by a known vulnerability.
#
# True when the base-class check says so, or when any vulnerable versions are
# known (see #vulnerable_versions).
#
# @return [Boolean]
def vulnerable?
  base_result = super
  return base_result if base_result

  vulnerable_versions.any?
end