Class: Dependabot::NpmAndYarn::MetadataFinder

Inherits:
MetadataFinders::Base
Extended by:
T::Sig
Defined in:
lib/dependabot/npm_and_yarn/metadata_finder.rb

Constant Summary

INSTALL_SCRIPTS =

Lifecycle scripts that run automatically during package installation. They are security-relevant because they run with the installing user's privileges. docs.npmjs.com/cli/v11/using-npm/scripts#npm-install

T.let(
  # The lifecycle hooks npm runs during installation; frozen so the list
  # cannot be mutated at runtime.
  %w[preinstall install postinstall prepublish preprepare prepare postprepare].freeze,
  T::Array[String]
)


Instance Method Details

#attestation_changes ⇒ Object



# File 'lib/dependabot/npm_and_yarn/metadata_finder.rb', line 49

def attestation_changes
  # Only meaningful for an upgrade from a known version on the standard
  # registry; non-standard registries are skipped.
  previous_version = dependency.previous_version
  return unless previous_version
  return if non_standard_registry?

  was_attested = version_has_attestation?(previous_version)
  is_attested = version_has_attestation?(dependency.version)

  # Report only a regression: previous version attested, new one not.
  # Staying unattested, or gaining an attestation, yields nil.
  return if !was_attested || is_attested

  # NOTE(review): dependency.name is interpolated into the Markdown link
  # unescaped; presumably registry package names are URL-safe — confirm.
  versions_url = "https://www.npmjs.com/package/#{dependency.name}?activeTab=versions"
  "This version has no provenance attestation, while the previous version " \
    "(#{previous_version}) was attested. Review the " \
    "[package versions](#{versions_url}) before updating."
end

#homepage_url ⇒ Object



# File 'lib/dependabot/npm_and_yarn/metadata_finder.rb', line 28

def homepage_url
  # Prefer the latest version's listing: scanning every version listing
  # can be slow for packages with a long publish history.
  latest_homepage = latest_version_listing["homepage"]
  return latest_homepage if latest_homepage

  # Otherwise take the first version listing that carries a homepage,
  # falling back to the base implementation when none does.
  _, listing_with_homepage = all_version_listings.find { |_, data| data["homepage"] }
  listing_with_homepage&.fetch("homepage", nil) || super
end

#install_script_changes ⇒ Object



# File 'lib/dependabot/npm_and_yarn/metadata_finder.rb', line 65

def install_script_changes
  # Compares the install lifecycle scripts of the previous and current
  # versions; a dependency with no previous version has nothing to compare.
  return unless dependency.previous_version

  before = install_scripts_for_version(dependency.previous_version)
  after = install_scripts_for_version(dependency.version)
  return if before == after

  # Only additions and changed script bodies are reported; a script that
  # was removed no longer runs and is not called out here.
  added_scripts = after.keys - before.keys
  modified_scripts = (after.keys & before.keys).select { |name| after[name] != before[name] }

  changes = []
  changes << format_script_list("adds", added_scripts) if added_scripts.any?
  changes << format_script_list("modifies", modified_scripts) if modified_scripts.any?
  return if changes.empty?

  # Singular verb only when exactly one script was added or modified.
  verb = (added_scripts.size + modified_scripts.size) == 1 ? "runs" : "run"

  "This version #{changes.join(' and ')} that #{verb} during installation. " \
    "Review the package contents before updating."
end

#maintainer_changes ⇒ Object



# File 'lib/dependabot/npm_and_yarn/metadata_finder.rb', line 38

def maintainer_changes
  releaser = npm_releaser
  return unless releaser
  # Only report when the registry listing has a publish time for this
  # version; otherwise the releaser cannot be attributed to it.
  return unless npm_listing.dig("time", dependency.version)
  # previous_releasers is handled nil-safely: with no history available,
  # the releaser is treated as new.
  return if previous_releasers&.include?(releaser)

  # NOTE(review): the releaser name is interpolated into the profile URL
  # unescaped; presumably npm usernames are URL-safe — confirm.
  profile_url = "https://www.npmjs.com/~#{releaser}"
  "This version was pushed to npm by " \
    "[#{releaser}](#{profile_url}), a new " \
    "releaser for #{dependency.name} since your current version."
end