Module: Dependabot::NpmAndYarn::NativeHelpers
- Extended by:
- T::Sig
- Defined in:
- lib/dependabot/npm_and_yarn/native_helpers.rb
Class Method Summary
- .helper_path ⇒ Object
- .native_helpers_root ⇒ Object
- .run_npm8_subdependency_update_command(dependency_names, security_updates_only: false) ⇒ Object
- .run_npm_audit_fix_command(security_updates_only: false) ⇒ Object
- .run_pnpm_audit_fix_command ⇒ Object
- .run_pnpm_deep_update_command(dependency_name, recursive: false) ⇒ Object
- .run_yarn_audit_fix_command ⇒ Object
Class Method Details
.helper_path ⇒ Object
# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 12
# Returns the string "node <path>", where <path> is dist/run.js resolved
# under native_helpers_root.
#
# NOTE(review): the path is interpolated without quoting; if the returned
# string is later handed to a shell, a helpers root containing spaces would
# be split into several arguments — confirm with the caller.
#
# @return [String] the node invocation prefix for the helper script
def self.helper_path
  run_script = File.join(native_helpers_root, 'dist', 'run.js')
  "node #{run_script}"
end
.native_helpers_root ⇒ Object
# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 17
# Directory holding the npm_and_yarn native helpers.
#
# When DEPENDABOT_NATIVE_HELPERS_PATH is set, the helpers are expected in
# its "npm_and_yarn" subdirectory; otherwise the in-repo helpers directory
# three levels above this file is used. An empty-string value of the
# variable still counts as set (it yields "/npm_and_yarn"), so the
# environment is taken at face value rather than validated here.
#
# @return [String] path of the helpers directory
def self.native_helpers_root
  configured_root = ENV.fetch("DEPENDABOT_NATIVE_HELPERS_PATH", nil)
  if configured_root
    File.join(configured_root, "npm_and_yarn")
  else
    File.join(__dir__, "../../../helpers")
  end
end
.run_npm8_subdependency_update_command(dependency_names, security_updates_only: false) ⇒ Object
# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 25
# Runs `npm update` for the given sub-dependencies, touching only the
# lockfile, and reports it under a fingerprint in which the variable
# dependency list is replaced by the placeholder "<dependency_names>".
#
# NOTE(review): dependency_names are joined unquoted into the command
# string; if Helpers.run_npm_command passes that string to a shell, a name
# containing whitespace or shell metacharacters would be split or
# reinterpreted — assumes names were validated upstream, confirm.
#
# @param dependency_names [Array<String>] package names to update
# @param security_updates_only [Boolean] when true, also pass
#   `--min-release-age=0`
# @return whatever Helpers.run_npm_command returns
def self.run_npm8_subdependency_update_command(dependency_names, security_updates_only: false)
  # npm options:
  # - `--force` ignores checks for platform (os, cpu) and engines
  # - `--ignore-scripts` disables prepare and prepack scripts which are run
  #   when installing git dependencies
  # - `--package-lock-only` updates the lockfile without touching node_modules
  option_flags = %w[--force --ignore-scripts --package-lock-only]

  # Override any min-release-age set in .npmrc: security fixes must not be
  # blocked by a release-age gate the user configured for regular updates.
  option_flags << "--min-release-age=0" if security_updates_only

  command = ["update", *dependency_names, *option_flags].join(" ")
  # Same shape as the command, with the dependency list abstracted away.
  fingerprint = ["update", "<dependency_names>", *option_flags].join(" ")

  Helpers.run_npm_command(command, fingerprint: fingerprint)
end
.run_npm_audit_fix_command(security_updates_only: false) ⇒ Object
# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 56
# Runs `npm audit fix` restricted to the lockfile.
#
# Fallback for transitive dependencies in workspace repos where
# `npm update` is a no-op because the package isn't in package.json;
# `npm audit fix` updates all fixable vulnerabilities in the lockfile.
# `--force` ignores checks for platform (os, cpu) and engines, matching
# the flags used by run_npm8_subdependency_update_command.
#
# @param security_updates_only [Boolean] when true, also pass
#   `--min-release-age=0`
# @return whatever Helpers.run_npm_command returns
def self.run_npm_audit_fix_command(security_updates_only: false)
  audit_args = %w[audit fix --force --package-lock-only --ignore-scripts]

  # Override any min-release-age set in .npmrc: security fixes must not be
  # blocked by a release-age gate the user configured for regular updates.
  audit_args << "--min-release-age=0" if security_updates_only

  command = audit_args.join(" ")
  # The command has no variable parts, so it doubles as its own fingerprint.
  Helpers.run_npm_command(command, fingerprint: command)
end
.run_pnpm_audit_fix_command ⇒ Object
# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 72
# Runs `pnpm audit --fix`.
#
# Fallback for transitive dependencies where `pnpm update` is a no-op;
# `pnpm audit --fix` adds overrides to the manifest for vulnerable deps.
# The command has no variable parts, so it is also its own fingerprint.
#
# @return whatever Helpers.run_pnpm_command returns
def self.run_pnpm_audit_fix_command
  audit_command = "audit --fix"
  Helpers.run_pnpm_command(audit_command, fingerprint: audit_command)
end
.run_pnpm_deep_update_command(dependency_name, recursive: false) ⇒ Object
# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 82
# Runs `pnpm update --depth Infinity <dependency_name> --lockfile-only`.
#
# `pnpm update --depth Infinity <dep>` traverses the full dependency graph,
# allowing transitive dependencies to be updated in the lockfile without
# modifying any package.json (unlike `pnpm audit --fix`).
# `-r --include-workspace-root` is required for workspace repos so the
# update is applied across all packages.
#
# NOTE(review): dependency_name is interpolated unquoted into the command
# string; if Helpers.run_pnpm_command passes it to a shell, a name with
# whitespace or shell metacharacters would be reinterpreted — assumes the
# name was validated upstream, confirm.
#
# @param dependency_name [String] package to update
# @param recursive [Boolean] prefix the workspace flags when true
# @return whatever Helpers.run_pnpm_command returns
def self.run_pnpm_deep_update_command(dependency_name, recursive: false)
  workspace_flags = recursive ? "-r --include-workspace-root " : ""
  trailing_flags = "--depth Infinity --lockfile-only"

  command = "#{workspace_flags}update #{dependency_name} #{trailing_flags}"
  # Fingerprint abstracts the package name away; everything else matches.
  fingerprint = "#{workspace_flags}update <dependency_name> #{trailing_flags}"

  Helpers.run_pnpm_command(command, fingerprint: fingerprint)
end
.run_yarn_audit_fix_command ⇒ Object
# File 'lib/dependabot/npm_and_yarn/native_helpers.rb', line 96
# Runs `yarn npm audit --fix --mode update-lockfile`.
#
# Fallback for transitive dependencies where `yarn up -R` is a no-op;
# `yarn npm audit --fix` updates vulnerable deps in the lockfile.
# The command has no variable parts, so it is also its own fingerprint.
#
# @return whatever Helpers.run_yarn_command returns
def self.run_yarn_audit_fix_command
  audit_command = "npm audit --fix --mode update-lockfile"
  Helpers.run_yarn_command(audit_command, fingerprint: audit_command)
end