Module: Dependabot::NpmAndYarn::NativeHelpers

Extended by:
T::Sig
Defined in:
lib/dependabot/npm_and_yarn/native_helpers.rb


Class Method Details

.helper_path ⇒ Object



# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 12

# Command line that launches the JS native helper (`dist/run.js`) under node.
#
# @return [String] a single command string, e.g. "node /path/to/dist/run.js"
#
# NOTE(review): the helper path is interpolated without quoting or escaping,
# so a DEPENDABOT_NATIVE_HELPERS_PATH containing spaces or shell
# metacharacters would split the command — confirm how the caller executes
# this string before relying on it with an arbitrary configured path.
def self.helper_path
  script = File.join(native_helpers_root, "dist", "run.js")
  "node #{script}"
end

.native_helpers_root ⇒ Object



# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 17

# Directory holding the npm_and_yarn native helpers.
#
# If DEPENDABOT_NATIVE_HELPERS_PATH is set, the helpers are expected under
# its "npm_and_yarn" subdirectory; otherwise the helpers/ directory shipped
# three levels above this file is used. An env var set to the empty string
# counts as set (ENV never returns nil for a present key).
#
# @return [String] path to the helpers root (not checked for existence)
def self.native_helpers_root
  configured = ENV["DEPENDABOT_NATIVE_HELPERS_PATH"]
  if configured
    File.join(configured, "npm_and_yarn")
  else
    File.join(__dir__, "../../../helpers")
  end
end

.run_npm8_subdependency_update_command(dependency_names) ⇒ Object



# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 25

# Runs `npm update` for the named sub-dependencies, writing only the lockfile.
#
# @param dependency_names [Array<String>] package names handed to npm as-is
# @return whatever Helpers.run_npm_command returns
#
# npm flags used:
# - `--force` skips the platform (os, cpu) and engines checks
# - `--ignore-scripts` suppresses the prepare/prepack scripts that git
#   dependencies would otherwise run on install
# - `--package-lock-only` confines the change to package-lock.json
#
# NOTE(review): the names are joined into the command string without any
# shell escaping; this is only safe if Helpers.run_npm_command (not visible
# here) does not hand the string to a shell, or if the names are validated
# upstream — confirm against that helper.
def self.run_npm8_subdependency_update_command(dependency_names)
  assemble = lambda do |names|
    ["update", *names, "--force", "--ignore-scripts", "--package-lock-only"].join(" ")
  end

  # The fingerprint is the same command with the variable part masked, so
  # runs can be grouped regardless of which packages were named.
  Helpers.run_npm_command(
    assemble.call(dependency_names),
    fingerprint: assemble.call(["<dependency_names>"])
  )
end

.run_npm_audit_fix_command ⇒ Object



# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 50

# Runs `npm audit fix` against the lockfile only.
#
# Used as a fallback for transitive dependencies in workspace repos, where
# `npm update` is a no-op because the package is absent from package.json;
# `npm audit fix` instead updates every fixable vulnerability in the lockfile.
# `--force` (platform/engines checks skipped) and `--ignore-scripts` mirror
# the flags of run_npm8_subdependency_update_command.
#
# @return whatever Helpers.run_npm_command returns
def self.run_npm_audit_fix_command
  # The command has no variable part, so it doubles as its own fingerprint.
  npm_args = "audit fix --force --package-lock-only --ignore-scripts"
  Helpers.run_npm_command(npm_args, fingerprint: npm_args)
end

.run_pnpm_audit_fix_command ⇒ Object



# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 63

# Runs `pnpm audit --fix`.
#
# Fallback for transitive dependencies where `pnpm update` is a no-op;
# `pnpm audit --fix` adds overrides to the manifest for vulnerable deps
# (so, unlike the npm variant, it does touch package.json).
#
# @return whatever Helpers.run_pnpm_command returns
def self.run_pnpm_audit_fix_command
  # No variable part, so the command is its own fingerprint.
  pnpm_args = "audit --fix"
  Helpers.run_pnpm_command(pnpm_args, fingerprint: pnpm_args)
end

.run_pnpm_deep_update_command(dependency_name, recursive: false) ⇒ Object



# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 73

# Runs `pnpm update --depth Infinity <dep>` to refresh a (possibly transitive)
# dependency in the lockfile without modifying any package.json — in contrast
# to `pnpm audit --fix`, which writes overrides to the manifest.
#
# @param dependency_name [String] package name interpolated into the command
# @param recursive [Boolean] when true, prepends `-r --include-workspace-root`
#   so the update is applied across all packages of a workspace repo
# @return whatever Helpers.run_pnpm_command returns
#
# NOTE(review): dependency_name is placed in the command string unescaped;
# see the equivalent note on run_npm8_subdependency_update_command.
def self.run_pnpm_deep_update_command(dependency_name, recursive: false)
  workspace_flags = recursive ? ["-r --include-workspace-root"] : []
  assemble = lambda do |target|
    [*workspace_flags, "update", target, "--depth Infinity --lockfile-only"].join(" ")
  end

  # The fingerprint masks the package name so runs group by shape only.
  Helpers.run_pnpm_command(
    assemble.call(dependency_name),
    fingerprint: assemble.call("<dependency_name>")
  )
end

.run_yarn_audit_fix_command ⇒ Object



# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 87

# Runs `yarn npm audit --fix` in lockfile-update mode.
#
# Fallback for transitive dependencies where `yarn up -R` is a no-op;
# `--mode update-lockfile` keeps the change to the lockfile.
#
# @return whatever Helpers.run_yarn_command returns
def self.run_yarn_audit_fix_command
  # Fixed command, so it serves as its own fingerprint.
  yarn_args = "npm audit --fix --mode update-lockfile"
  Helpers.run_yarn_command(yarn_args, fingerprint: yarn_args)
end