Class: Dependabot::NpmAndYarn::DependencyGrapher

Inherits:

DependencyGraphers::Base

Object
DependencyGraphers::Base
Dependabot::NpmAndYarn::DependencyGrapher

show all

Extended by:: T::Sig

Defined in:: lib/dependabot/npm_and_yarn/dependency_grapher.rb,
lib/dependabot/npm_and_yarn/dependency_grapher/lockfile_generator.rb,
lib/dependabot/npm_and_yarn/dependency_grapher/npm_relationship_resolver.rb,
lib/dependabot/npm_and_yarn/dependency_grapher/pnpm_relationship_resolver.rb,
lib/dependabot/npm_and_yarn/dependency_grapher/yarn_relationship_resolver.rb

Defined Under Namespace

Classes: LockfileGenerator, NpmRelationshipResolver, PnpmRelationshipResolver, YarnRelationshipResolver

Instance Method Details

#prepare! ⇒ `Object`

# File 'lib/dependabot/npm_and_yarn/dependency_grapher.rb', line 58

def prepare!
  # Enable alias extraction for graph jobs so aliased packages appear
  # in the dependency graph for security scanning.
  file_parser.dealias_packages!

  if lockfile.nil?
    Dependabot.logger.info("No lockfile found, generating ephemeral lockfile for dependency graphing")
    generate_ephemeral_lockfile!
    emit_missing_lockfile_warning! if @ephemeral_lockfile_generated
  end
  super
end

#relevant_dependency_file ⇒ `Object`

# File 'lib/dependabot/npm_and_yarn/dependency_grapher.rb', line 24

def relevant_dependency_file
  # An ephemerally generated lockfile should not be reported as the
  # relevant file since it doesn't exist in the repository.
  return package_json if @ephemeral_lockfile_generated

  lockfile || package_json
end

#resolved_dependencies ⇒ `Object`

# File 'lib/dependabot/npm_and_yarn/dependency_grapher.rb', line 37

def resolved_dependencies
  prepare! unless prepared

  @dependencies.each_with_object({}) do |dep, resolved|
    all_versions = dep.metadata[:all_versions] || [dep]

    all_versions.each do |version_dep|
      purl = build_purl(version_dep)
      next if resolved.key?(purl)

      resolved[purl] = Dependabot::DependencyGraphers::ResolvedDependency.new(
        package_url: purl,
        direct: version_dep.top_level? || !version_dep.metadata[:alias].nil?,
        runtime: version_dep.production?,
        dependencies: subdependency_purls_for(version_dep)
      )
    end
  end
end

Class: Dependabot::NpmAndYarn::DependencyGrapher

Defined Under Namespace

Instance Method Summary collapse

Instance Method Details

#prepare! ⇒ Object

#relevant_dependency_file ⇒ Object

#resolved_dependencies ⇒ Object

#prepare! ⇒ `Object`

#relevant_dependency_file ⇒ `Object`

#resolved_dependencies ⇒ `Object`