Class: Dependabot::NpmAndYarn::MetadataFinder

Inherits:
MetadataFinders::Base
  • Object
Extended by:
T::Sig
Defined in:
lib/dependabot/npm_and_yarn/metadata_finder.rb

Constant Summary

# Lifecycle script names that npm runs automatically during package
# installation (https://docs.npmjs.com/cli/v11/using-npm/scripts#npm-install).
# They are security-relevant because the commands they contain execute with
# the installing user's privileges, so a new or changed entry between two
# versions is the primary signal used by #install_script_changes.
INSTALL_SCRIPTS = T.let(
  %w[preinstall install postinstall prepublish preprepare prepare postprepare].freeze,
  T::Array[String]
)

Instance Method Summary

Instance Method Details

#attestation_changes ⇒ Object



# File 'lib/dependabot/npm_and_yarn/metadata_finder.rb', line 55

# Warns when a release drops the npm provenance attestation that the
# previously installed version carried.
#
# Returns a Markdown sentence describing the regression, or nil when there is
# nothing to report: no previous version to compare against, the dependency
# comes from a non-standard registry (the attestation lookup presumably only
# applies to the public registry — confirm), or the current version is
# attested / the previous one never was.
#
# NOTE(review): this is a presence check only. It does not compare *who*
# produced the attestation (source repository / workflow identity), so a
# version attested by a different builder than before passes silently —
# confirm whether version_has_attestation? inspects the attestation subject.
def attestation_changes
  previous = dependency.previous_version
  return unless previous
  return if non_standard_registry?

  # Only the "was attested, now is not" transition is a regression worth
  # surfacing; packages that were never attested produce no warning.
  regressed = version_has_attestation?(previous) && !version_has_attestation?(dependency.version)
  return unless regressed

  "This version has no provenance attestation, while the previous version " \
    "(#{previous}) was attested. Review the " \
    "[package versions](https://www.npmjs.com/package/#{dependency.name}?activeTab=versions) " \
    "before updating."
end

#homepage_url ⇒ Object



# File 'lib/dependabot/npm_and_yarn/metadata_finder.rb', line 32

# Resolves the package homepage advertised in the registry metadata.
#
# The most recent version's listing is consulted first because walking every
# version listing can be slow for packages with a long release history; only
# when the latest version lacks a homepage is the full set scanned for the
# first version that declares one. Falls back to the Base implementation when
# no version carries the field.
#
# NOTE(review): the homepage value is registry-supplied (i.e. publisher-
# controlled) text that ends up in PR bodies; any scheme/host validation is
# presumably done by the Base class or the renderer — confirm.
def homepage_url
  from_latest = latest_version_listing["homepage"]
  return from_latest if from_latest

  _, listing_with_homepage = all_version_listings.find { |_, l| l["homepage"] }
  listing_with_homepage&.fetch("homepage", nil) || super
end

#install_script_changes ⇒ Object



# File 'lib/dependabot/npm_and_yarn/metadata_finder.rb', line 71

# Reports install-time lifecycle scripts (see INSTALL_SCRIPTS) that the new
# version introduces or rewrites relative to the previously installed one.
#
# Returns a Markdown sentence, or nil when there is no previous version or
# nothing was added or modified. Scripts that were *removed* are deliberately
# not reported: dropping a hook cannot run new code on the user's machine.
#
# NOTE(review): the comparison is on the script *text* only. A hook such as
# `node install.js` reads identically across versions even when install.js
# itself changed, so an unchanged command is not evidence that install-time
# behaviour is unchanged. An empty result for the previous version (e.g.
# metadata unavailable) would also make every current hook look "added" —
# confirm how install_scripts_for_version signals that case.
def install_script_changes
  return unless dependency.previous_version

  before = install_scripts_for_version(dependency.previous_version)
  after = install_scripts_for_version(dependency.version)
  return if before == after

  # Hooks only present in the new version vs. hooks present in both versions.
  added, shared = after.keys.partition { |hook| !before.key?(hook) }
  modified = shared.select { |hook| after[hook] != before[hook] }

  described = []
  described << format_script_list("adds", added) unless added.empty?
  described << format_script_list("modifies", modified) unless modified.empty?
  return if described.empty?

  # Subject/verb agreement for the trailing "that run(s) during installation".
  verb = added.size + modified.size == 1 ? "runs" : "run"
  "This version #{described.join(' and ')} that #{verb} during installation. " \
    "Review the package contents before updating."
end

#maintainer_changes ⇒ Object



# File 'lib/dependabot/npm_and_yarn/metadata_finder.rb', line 42

# Flags a version whose npm publisher is not among the accounts that pushed
# the versions seen so far.
#
# Returns a Markdown sentence naming the releaser, or nil when the releaser is
# unknown, the version has no publish record in the registry "time" map, or
# the releaser has published before. When previous_releasers is nil (history
# could not be determined) the method still reports, erring towards a false
# positive rather than hiding a possible account takeover.
#
# NOTE(review): the link text interpolates the releaser name verbatim; only
# the URL goes through encode_npm_releaser. npm usernames are constrained by
# the registry, but confirm that assumption holds for the Markdown renderer.
def maintainer_changes
  publisher = npm_releaser
  published_at = publisher && npm_listing.dig("time", dependency.version)
  return unless published_at
  return if previous_releasers&.include?(publisher)

  profile = "https://www.npmjs.com/~#{encode_npm_releaser(publisher)}"
  "This version was pushed to npm by [#{publisher}](#{profile}), a new " \
    "releaser for #{dependency.name} since your current version."
end