diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker.rb
index 3bfb17259c4..9dfa9025757 100644
--- a/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker.rb
+++ b/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker.rb
@@ -96,13 +96,19 @@ def requirements_update_strategy
 end
 
 def conflicting_dependencies
- ConflictingDependencyResolver.new(
+ conflicts = ConflictingDependencyResolver.new(
 dependency_files: dependency_files,
 credentials: credentials
 ).conflicting_dependencies(
 dependency: dependency,
 target_version: lowest_security_fix_version
 )
+
+ vulnerable = [vulnerability_audit].select do |hash|
+ !hash["fix_available"] && hash["explanation"]
+ end
+
+ conflicts + vulnerable
 end
 
 private
diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb
index 2c722842497..1db80213d6d 100644
--- a/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb
+++ b/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/vulnerability_auditor.rb
@@ -21,6 +21,7 @@ def initialize(dependency_files:, credentials:, allow_removal: false)
 @allow_removal = allow_removal
 end
 
+ # rubocop:disable Metrics/MethodLength
 # Finds any dependencies in the `package-lock.json` or `npm-shrinkwrap.json` that have
 # a subdependency on the given dependency that is locked to a vuln version range.
 #
@@ -41,6 +42,7 @@ def initialize(dependency_files:, credentials:, allow_removal: false)
 # dependency on the blocking dependency
 # * :top_level_ancestors [Array] the names of all top-level dependencies with a transitive
 # dependency on the dependency
+ # * :explanation [String] an explanation for why the project failed the vulnerability auditor run
 def audit(dependency:, security_advisories:)
 fix_unavailable = {
 "dependency_name" => dependency.name,
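Review bot: The new `[vulnerability_audit].select` in conflicting_dependencies raises NoMethodError on `hash["fix_available"]` if `vulnerability_audit` ever returns nil; that method is defined outside this hunk, so I cannot confirm it always yields a Hash. `[vulnerability_audit].compact.select do |audit|` keeps a nil result out of the block (`Array(...)` is not a substitute here, since it would explode a Hash into key/value pairs). The merged array also now mixes two record shapes — resolver entries keyed by `"name"`/`"version"`/`"requirement"` and the audit entry keyed by `"dependency_name"`/`"fix_available"`/`"fix_updates"`/`"top_level_ancestors"` — so any consumer that reads `"name"` from each element gets nil for the audit entry. A comment above `conflicts + vulnerable` such as `# The audit entry shares only the "explanation" key with resolver entries` would make that contract explicit to callers.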
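Review bot: The added doc line `# * :explanation [String] ...` overstates when the key is present: audit's rescue path in the following hunk (`log_helper_subprocess_failure(dependency, e)` then `fix_unavailable`) returns the hash without ever setting `"explanation"`, and update_checker now filters on that key, so a helper crash yields an entry that is dropped rather than explained. Suggest `# * :explanation [String] why no fix could be applied; only set when the audit ran and produced a non-viable result (absent when the helper subprocess fails)`. audit's body continues past the end of this hunk.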
@@ -74,7 +76,12 @@ def audit(dependency:, security_advisories:)
 function: "npm:vulnerabilityAuditor",
 args: [Dir.pwd, vuln_versions]
 )
- return fix_unavailable unless viable_audit_result?(audit_result, security_advisories)
+
+ validation_result = validate_audit_result(audit_result, security_advisories)
+ unless viable_audit_result?(validation_result)
+ fix_unavailable["explanation"] = explain_fix_unavailable(validation_result, dependency)
+ return fix_unavailable
+ end
 
 audit_result
 end
@@ -82,13 +89,23 @@ def audit(dependency:, security_advisories:)
 log_helper_subprocess_failure(dependency, e)
 fix_unavailable
 end
+ # rubocop:enable Metrics/MethodLength
 
 private
 
 attr_reader :dependency_files, :credentials
 
- def viable_audit_result?(audit_result, security_advisories)
- validation_result = validate_audit_result(audit_result, security_advisories)
+ def explain_fix_unavailable(validation_result, dependency)
+ case validation_result
+ when :fix_unavailable, :dependency_still_vulnerable, :downgrades_dependencies
+ "No patched version available for #{dependency.name}"
+ when :vulnerable_dependency_removed
+ "#{dependency.name} was removed in the update. Dependabot is not able to " \
+ "deal with this yet, but you can still upgrade manually."
+ end
+ end
+
+ def viable_audit_result?(validation_result)
 return true if validation_result == :viable
 
 Dependabot.logger.info("VulnerabilityAuditor: audit result not viable: #{validation_result}")
diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/vulnerability_auditor_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/vulnerability_auditor_spec.rb
index 83de366e4c0..64394577c5d 100644
--- a/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/vulnerability_auditor_spec.rb
+++ b/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/vulnerability_auditor_spec.rb
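Review bot: The new `unless … end` block in audit mutates `fix_unavailable` in place and returns it, and those extra lines are what the `# rubocop:disable Metrics/MethodLength` added in the earlier hunk now silences. A guard clause is shorter and leaves `fix_unavailable` untouched for the rescue branch below: replace the `unless` block and the trailing `audit_result` with `return audit_result if viable_audit_result?(validation_result)` followed by `fix_unavailable.merge("explanation" => explain_fix_unavailable(validation_result, dependency))`. That probably brings the method back under the configured limit so the disable/enable pair can go, though I have not checked it against the project's RuboCop config. audit's body begins before this hunk.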
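Review bot: `explain_fix_unavailable` has no `else`, so a `validation_result` outside the four listed symbols returns nil, the caller stores `"explanation" => nil`, and the new filter in update_checker's conflicting_dependencies silently drops the entry — the user then sees neither a PR nor a reason; `validate_audit_result` is outside this hunk, so I cannot confirm the symbol set is closed. An `else` with a generic fallback, e.g. `else "Dependabot was unable to find a safe update for #{dependency.name}"`, keeps the entry visible. The shared message `"No patched version available for #{dependency.name}"` is also only literally accurate for `:fix_unavailable`; going by the names, `:dependency_still_vulnerable` and `:downgrades_dependencies` mean a patched version exists but applying it would leave the project vulnerable or downgrade other packages, and telling the user no patch exists may discourage the manual upgrade that is actually possible.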
@@ -110,7 +110,11 @@
 
 expect(Dependabot.logger).to receive(:info).with(/audit result not viable: vulnerable_dependency_removed/i)
 expect(subject.audit(dependency: dependency, security_advisories: security_advisories)).
- to include("fix_available" => false)
+ to include(
+ "fix_available" => false,
+ "explanation" => "#{dependency.name} was removed in the update. " \
+ "Dependabot is not able to deal with this yet, but you can still upgrade manually."
+ )
 end
 end
 end
@@ -137,7 +141,10 @@
 
 expect(Dependabot.logger).to receive(:info).with(/audit result not viable: dependency_still_vulnerable/i)
 expect(subject.audit(dependency: dependency, security_advisories: security_advisories)).
- to include("fix_available" => false)
+ to include(
+ "fix_available" => false,
+ "explanation" => "No patched version available for #{dependency.name}"
+ )
 end
 end
 
@@ -172,7 +179,10 @@
 
 expect(Dependabot.logger).to receive(:info).with(/audit result not viable: downgrades_dependencies/i)
 expect(subject.audit(dependency: dependency, security_advisories: security_advisories)).
- to include("fix_available" => false)
+ to include(
+ "fix_available" => false,
+ "explanation" => "No patched version available for #{dependency.name}"
+ )
 end
 end
 
diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker_spec.rb
index 98a043cef76..030f87e171a 100644
--- a/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker_spec.rb
+++ b/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker_spec.rb
@@ -1491,6 +1491,119 @@
 end
 end
 
+ describe "#conflicting_dependencies" do
+ let(:registry_listing_url) { "https://registry.npmjs.org/locked-transitive-dependency" }
+ let(:options) { { npm_transitive_security_updates: true } }
+ let(:credentials) do
+ [{
+ "type" => "git_source",
+ "host" => "github.com",
+ "username" => "x-access-token",
+ "password" => "token"
+ }]
+ end
+
+ let(:dependency) do
+ Dependabot::Dependency.new(
+ name: "@dependabot-fixtures/npm-transitive-dependency",
+ version: dependency_version,
+ requirements: [],
+ package_manager: "npm_and_yarn"
+ )
+ end
+
+ context "with a conflicting dependency" do
+ let(:dependency_files) { project_dependency_files("npm8/locked_transitive_dependency") }
+ let(:dependency_version) { "1.0.0" }
+ let(:target_version) { Dependabot::NpmAndYarn::Version.new("1.0.1") }
+
+ it "delegates to the ConflictingDependencyResolver and VulnerabilityAuditor and explains the conflict", :vcr do
+ expect(described_class::ConflictingDependencyResolver).
+ to receive(:new).
+ with(
+ dependency_files: dependency_files,
+ credentials: credentials
+ ).and_call_original
+
+ expect(described_class::VulnerabilityAuditor).
+ to receive(:new).
+ with(
+ dependency_files: dependency_files,
+ credentials: credentials,
+ allow_removal: false
+ ).and_call_original
+
+ conflicting_dependencies_result = checker.send(:conflicting_dependencies)
+
+ expect(conflicting_dependencies_result.count).to eq(1)
+ expect(conflicting_dependencies_result.first).
+ to eq(
+ "explanation" => "@dependabot-fixtures/npm-parent-dependency@2.0.0 requires " \
+ "@dependabot-fixtures/npm-transitive-dependency@1.0.0 via " \
+ "@dependabot-fixtures/npm-intermediate-dependency@0.0.1",
+ "name" => "@dependabot-fixtures/npm-intermediate-dependency",
+ "requirement" => "1.0.0",
+ "version" => "0.0.1"
+ )
+ end
+ end
+
+ context "with a conflicting dependency and an unsatisfiable vulnerablity" do
+ let(:dependency_files) { project_dependency_files("npm8/locked_transitive_dependency") }
+ let(:dependency_version) { "1.0.0" }
+ let(:target_version) { Dependabot::NpmAndYarn::Version.new("1.0.1") }
+ let(:security_advisories) do
+ [
+ Dependabot::SecurityAdvisory.new(
+ dependency_name: "@dependabot-fixtures/npm-transitive-dependency",
+ package_manager: "npm_and_yarn",
+ vulnerable_versions: ["< 1.0.2"]
+ )
+ ]
+ end
+
+ it "delegates to the ConflictingDependencyResolver and VulnerabilityAuditor and explains the conflict", :vcr do
+ expect(described_class::ConflictingDependencyResolver).
+ to receive(:new).
+ with(
+ dependency_files: dependency_files,
+ credentials: credentials
+ ).and_call_original
+
+ expect(described_class::VulnerabilityAuditor).
+ to receive(:new).
+ with(
+ dependency_files: dependency_files,
+ credentials: credentials,
+ allow_removal: false
+ ).and_call_original
+
+ conflicting_dependencies_result = checker.send(:conflicting_dependencies)
+
+ expect(conflicting_dependencies_result.count).to eq(2)
+
+ expect(conflicting_dependencies_result.first).
+ to eq(
+ "explanation" => "@dependabot-fixtures/npm-parent-dependency@2.0.0 requires " \
+ "@dependabot-fixtures/npm-transitive-dependency@1.0.0 via " \
+ "@dependabot-fixtures/npm-intermediate-dependency@0.0.1",
+ "name" => "@dependabot-fixtures/npm-intermediate-dependency",
+ "requirement" => "1.0.0",
+ "version" => "0.0.1"
+ )
+
+ expect(conflicting_dependencies_result.last).
+ to eq(
+ "dependency_name" => "@dependabot-fixtures/npm-transitive-dependency",
+ "explanation" => "No patched version available for @dependabot-fixtures/npm-transitive-dependency",
+ "fix_available" => false,
+ "fix_updates" => [],
+ "top_level_ancestors" => []
+ )
+ end
+ end
+ end
+
 context "when types dependency specified" do
 let(:registry_listing_url) { "https://registry.npmjs.org/jquery" }
 let(:registry_response) do
diff --git a/npm_and_yarn/spec/fixtures/vcr_cassettes/Dependabot_NpmAndYarn_UpdateChecker/_conflicting_dependencies/with_a_conflicting_dependency/delegates_to_the_ConflictingDependencyResolver_and_VulnerabilityAuditor_and_explains_the_conflict.yml b/npm_and_yarn/spec/fixtures/vcr_cassettes/Dependabot_NpmAndYarn_UpdateChecker/_conflicting_dependencies/with_a_conflicting_dependency/delegates_to_the_ConflictingDependencyResolver_and_VulnerabilityAuditor_and_explains_the_conflict.yml
new file mode 100644
index 00000000000..fd537da1eae
--- /dev/null
+++ b/npm_and_yarn/spec/fixtures/vcr_cassettes/Dependabot_NpmAndYarn_UpdateChecker/_conflicting_dependencies/with_a_conflicting_dependency/delegates_to_the_ConflictingDependencyResolver_and_VulnerabilityAuditor_and_explains_the_conflict.yml
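Review bot: `checker.send(:conflicting_dependencies)` in both new examples bypasses visibility for a method that is public — in the update_checker hunk `def conflicting_dependencies` sits above `private` — so `checker.conflicting_dependencies` is the honest call, and unlike `send` it would flag a later accidental change of visibility. The context name `"with a conflicting dependency and an unsatisfiable vulnerablity"` has a typo (`vulnerablity`) that is now baked into the VCR cassette path added below; fix both together or the cassette will no longer be found. The two `it` descriptions are identical, so a failure report will not distinguish the one-entry case from the two-entry case.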
@@ -0,0 +1,99 @@ +--- +http_interactions: +- request: + method: get + uri: https://registry.npmjs.org/@dependabot-fixtures%2Fnpm-transitive-dependency + body: + encoding: US-ASCII + string: '' + headers: + user-agent: + - dependabot-core/0.212.0 excon/0.92.4 ruby/2.7.6 (x86_64-linux) (+https://github.com/dependabot/dependabot-core) + response: + status: + code: 200 + message: OK + headers: + date: + - Wed, 07 Sep 2022 21:03:35 GMT + content-type: + - application/json + connection: + - keep-alive + cf-ray: + - 74726453ccf0e3be-ATL + access-control-allow-origin: + - "*" + age: + - '62' + cache-control: + - public, max-age=300 + etag: + - W/"bec53a4510574acfeb4ed10a4ac2fafe" + last-modified: + - Fri, 10 Jun 2022 17:08:32 GMT + vary: + - accept-encoding, accept + cf-cache-status: + - HIT + x-amz-replication-status: + - COMPLETED + server: + - cloudflare + content-encoding: + - '' + body: + encoding: UTF-8 + string: '{"_id":"@dependabot-fixtures/npm-transitive-dependency","_rev":"2-a24e904986d72cc37c235292711c96f8","name":"@dependabot-fixtures/npm-transitive-dependency","dist-tags":{"latest":"1.0.1"},"versions":{"1.0.0":{"name":"@dependabot-fixtures/npm-transitive-dependency","version":"1.0.0","description":"a + test fixture for testing transitive dependency updates","main":"index.js","scripts":{"test":"echo + \"Error: no test specified\" && exit 
1"},"repository":{"type":"git","url":"git+https://github.com/dependabot-fixtures/npm-transitive-dependency.git"},"author":"","license":"ISC","bugs":{"url":"https://github.com/dependabot-fixtures/npm-transitive-dependency/issues"},"homepage":"https://github.com/dependabot-fixtures/npm-transitive-dependency#readme","gitHead":"ed979391400cfecc58469424e6db9601a5a09e36","_id":"@dependabot-fixtures/npm-transitive-dependency@1.0.0","_nodeVersion":"16.15.0","_npmVersion":"8.5.5","dist":{"integrity":"sha512-nFbzQH0TRgdzSA2/FH6MPnxZDpD+5Bgz00aD5Edgbc1wY/k8VC9s7lnk22dBTgJLwoY7MgbrnAf9rAvN08hHVg==","shasum":"b70e2381996ba06233c2a703c73f9ef3674beb2c","tarball":"https://registry.npmjs.org/@dependabot-fixtures/npm-transitive-dependency/-/npm-transitive-dependency-1.0.0.tgz","fileCount":2,"unpackedSize":688,"signatures":[{"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","sig":"MEUCIQCgpRAyARsDA1NfJvzQs1/rsk3Nfbbf2fmNynsoPjU8DwIgSC0qB6Vg7C+BFzN/kkl+mKl0AzihRTUZZoz2PNSmx1Y="}],"npm-signature":"-----BEGIN + PGP SIGNATURE-----\r\nVersion: OpenPGP.js v4.10.10\r\nComment: https://openpgpjs.org\r\n\r\nwsFzBAEBCAAGBQJioR9nACEJED1NWxICdlZqFiEECWMYAoorWMhJKdjhPU1b\r\nEgJ2VmrXBA/6AuhKeO/ZWLXnw2NO4IGPQ/maGX6wTbW0M0CQEsJo7S0ORbzL\r\nGFrNMF2hyqUnshj3GjaWdZu2fT9S70Pze93eQMAai+dU2kQPTvYtMysMWT1U\r\nKhhj26cS0fmJzK8DjZwfEfhAl2BVTVxulivAsTVTKeBeu/tIOCW3GXquw3kb\r\n/AqyNxPBl33sjOjH2LSEUgE4YKsL8wIN1/4HKn0sXqfDBN/X+4eBjdVQjpON\r\nAHNOZKdF6pxkw5q7dYdoMenx7MGDrowDCtMVrZDjl1SRW5k+CY3zTOrosgAJ\r\nYUMUll13oYL9GLT61zZECFVIaF2RIULgklnLy2REHqu1fyE8uzA7305hE/PB\r\nEew0tR0cPQHeczgBUGs3V7Q5ZNKcEGj2cVycmXmN7dRNKEoq6PxgLGPN1sOo\r\nvdUnC9m8Vt0bqdhXorlk5WTIqXRFgIXw5ahoyAXGMcD3UCLnr/E2Udp/LcoN\r\nq5ZDg6OoEvgikM5vlcVTBbKILpc689bkem2dY7EGYrrwdpB/DEsg8KV0aoYP\r\nW7SdtbGxQ+nCBQKzx2igBmk62neSzKxWZxJo+GXSf8dJnkbPWkRZLFaUoRLO\r\nJGEdtUqKcl3gagmTgOTlNEj2CBMs2wmab13dMmwXBnKn4/Lokzrzqw4uZCbr\r\n0Z5ciR7Xqsjrdzpi/74XHyS9FHDr+eUulfU=\r\n=JwaA\r\n-----END + PGP 
SIGNATURE-----\r\n"},"_npmUser":{"name":"mctofu","email":"mctofu@github.com"},"directories":{},"maintainers":[{"name":"nishnha","email":"nishnha@gmail.com"},{"name":"mctofu","email":"mctofu@github.com"}],"_npmOperationalInternal":{"host":"s3://npm-registry-packages","tmp":"tmp/npm-transitive-dependency_1.0.0_1654726503635_0.2532339791507354"},"_hasShrinkwrap":false},"1.0.1":{"name":"@dependabot-fixtures/npm-transitive-dependency","version":"1.0.1","description":"a + test fixture for testing transitive dependency updates","main":"index.js","scripts":{"test":"echo + \"Error: no test specified\" && exit 1"},"repository":{"type":"git","url":"git+https://github.com/dependabot-fixtures/npm-transitive-dependency.git"},"author":"","license":"ISC","bugs":{"url":"https://github.com/dependabot-fixtures/npm-transitive-dependency/issues"},"homepage":"https://github.com/dependabot-fixtures/npm-transitive-dependency#readme","gitHead":"89457a1a5b8071ca9f602bed33fd869532db9ad9","_id":"@dependabot-fixtures/npm-transitive-dependency@1.0.1","_nodeVersion":"16.15.0","_npmVersion":"8.5.5","dist":{"integrity":"sha512-nWQzJEqSqKZu+mgNSVdsO69NG6vCGIN9FuM+Vip5nqItqrNeQoITZM6/q6+tqgdM48XkQEOUpEiYpAdoMbxniw==","shasum":"fe20ae5230674c08fa5600c9cfb8b72ea3e7e066","tarball":"https://registry.npmjs.org/@dependabot-fixtures/npm-transitive-dependency/-/npm-transitive-dependency-1.0.1.tgz","fileCount":2,"unpackedSize":688,"signatures":[{"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","sig":"MEYCIQCA7kCA+qIaCh9QdYfVdHznok0CCgEaC8ssZMY74avehAIhAOLg3oYmjuIibpM3aaE6PbQ9H9d2Zs0IeDpFCMETSPyo"}],"npm-signature":"-----BEGIN + PGP SIGNATURE-----\r\nVersion: OpenPGP.js v4.10.10\r\nComment: 
https://openpgpjs.org\r\n\r\nwsFzBAEBCAAGBQJioSCiACEJED1NWxICdlZqFiEECWMYAoorWMhJKdjhPU1b\r\nEgJ2Vmo+Og//YEfPtruI3VkwmFKSzIp+WUUScfZm1RK5V9U+04j9re8a7JCh\r\n5yY4H/YjIYGQg8p0yDfdGVk8Hoj6Kh0fdOD8sSziy1sspA1kx3w+6s18FX0n\r\nc/JeO5xhLAdx0vNVYZjNLxo9QEHLQ6kSsglIgxbmj+T6QAjAZ/obMNA+roOd\r\nq/GyU4/6Hw+RCTDQttRMKHmcxy7GZe4Mvb12M14kK+2kbSs4rKqepa1+0MH+\r\nAlRbRoKPIaqtu4jWTl1UFMnU5v2qMyOFUEI77JVSqK9TeFlt8ShrC+EZIgAT\r\nZI+Lrucz5zNgu4nGKEQoqMcETmKLBTqsa4HB7Aras8O4bEuNsJ24GvQb0JRh\r\nsT5BCP9yknWNf1LW04Bc1yRI058PDWYE0Sk4voNkR7P37P2OpLhVhWiIy90u\r\neT6Hj3uNGYnJaCIShpaiTGZXkVVseW6rJjf2I+otKXqlkpxQaE/tXfe5QclF\r\nVDcjGVzk9PhWgdjVxfIymVDGawmuQ0wdLV7FEOc4NBxnzCf+NfDjKVVu5V+f\r\nCiO8moDW10WULrtq7YtAJ1RL9lj3YcT8wcALGxytV5Fcz4Mu6IFdDuGRdO4w\r\nToPP0Kzqhc2veGAMKMwGdwP6vyHDACsYWp5tPYi6Lib3iHayWggzHhmGrpUE\r\noBZhS1Gglw9QBM+QE+pC+VeQsb3wQhIC/JM=\r\n=zgHz\r\n-----END + PGP SIGNATURE-----\r\n"},"_npmUser":{"name":"mctofu","email":"mctofu@github.com"},"directories":{},"maintainers":[{"name":"nishnha","email":"nishnha@gmail.com"},{"name":"mctofu","email":"mctofu@github.com"}],"_npmOperationalInternal":{"host":"s3://npm-registry-packages","tmp":"tmp/npm-transitive-dependency_1.0.1_1654726818213_0.4396995531588652"},"_hasShrinkwrap":false}},"time":{"created":"2022-06-08T22:15:03.583Z","1.0.0":"2022-06-08T22:15:03.799Z","modified":"2022-06-10T17:08:31.026Z","1.0.1":"2022-06-08T22:20:18.465Z"},"maintainers":[{"email":"bdragon@github.com","name":"bryandragon"},{"email":"nishnha@gmail.com","name":"nishnha"},{"email":"mctofu@github.com","name":"mctofu"}],"description":"a + test fixture for testing transitive dependency updates","homepage":"https://github.com/dependabot-fixtures/npm-transitive-dependency#readme","repository":{"type":"git","url":"git+https://github.com/dependabot-fixtures/npm-transitive-dependency.git"},"bugs":{"url":"https://github.com/dependabot-fixtures/npm-transitive-dependency/issues"},"license":"ISC","readme":"# + npm-transitive-dependency\nA dependency used by 
npm-parent-dependency\n","readmeFilename":"README.md"}' + recorded_at: Wed, 07 Sep 2022 21:03:35 GMT +- request: + method: get + uri: https://registry.npmjs.org/@dependabot-fixtures%2Fnpm-transitive-dependency/1.0.1 + body: + encoding: US-ASCII + string: '' + headers: + user-agent: + - dependabot-core/0.212.0 excon/0.92.4 ruby/2.7.6 (x86_64-linux) (+https://github.com/dependabot/dependabot-core) + response: + status: + code: 200 + message: OK + headers: + date: + - Wed, 07 Sep 2022 21:03:35 GMT + content-type: + - application/json + connection: + - keep-alive + cf-ray: + - 747264557ce6b11d-ATL + access-control-allow-origin: + - "*" + content-encoding: + - '' + vary: + - Accept-Encoding + cf-cache-status: + - DYNAMIC + server: + - cloudflare + body: + encoding: UTF-8 + string: '{"name":"@dependabot-fixtures/npm-transitive-dependency","version":"1.0.1","description":"a + test fixture for testing transitive dependency updates","main":"index.js","scripts":{"test":"echo + \"Error: no test specified\" && exit 
1"},"repository":{"type":"git","url":"git+https://github.com/dependabot-fixtures/npm-transitive-dependency.git"},"author":"","license":"ISC","bugs":{"url":"https://github.com/dependabot-fixtures/npm-transitive-dependency/issues"},"homepage":"https://github.com/dependabot-fixtures/npm-transitive-dependency#readme","gitHead":"89457a1a5b8071ca9f602bed33fd869532db9ad9","_id":"@dependabot-fixtures/npm-transitive-dependency@1.0.1","_nodeVersion":"16.15.0","_npmVersion":"8.5.5","dist":{"integrity":"sha512-nWQzJEqSqKZu+mgNSVdsO69NG6vCGIN9FuM+Vip5nqItqrNeQoITZM6/q6+tqgdM48XkQEOUpEiYpAdoMbxniw==","shasum":"fe20ae5230674c08fa5600c9cfb8b72ea3e7e066","tarball":"https://registry.npmjs.org/@dependabot-fixtures/npm-transitive-dependency/-/npm-transitive-dependency-1.0.1.tgz","fileCount":2,"unpackedSize":688,"signatures":[{"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","sig":"MEYCIQCA7kCA+qIaCh9QdYfVdHznok0CCgEaC8ssZMY74avehAIhAOLg3oYmjuIibpM3aaE6PbQ9H9d2Zs0IeDpFCMETSPyo"}],"npm-signature":"-----BEGIN + PGP SIGNATURE-----\r\nVersion: OpenPGP.js v4.10.10\r\nComment: https://openpgpjs.org\r\n\r\nwsFzBAEBCAAGBQJioSCiACEJED1NWxICdlZqFiEECWMYAoorWMhJKdjhPU1b\r\nEgJ2Vmo+Og//YEfPtruI3VkwmFKSzIp+WUUScfZm1RK5V9U+04j9re8a7JCh\r\n5yY4H/YjIYGQg8p0yDfdGVk8Hoj6Kh0fdOD8sSziy1sspA1kx3w+6s18FX0n\r\nc/JeO5xhLAdx0vNVYZjNLxo9QEHLQ6kSsglIgxbmj+T6QAjAZ/obMNA+roOd\r\nq/GyU4/6Hw+RCTDQttRMKHmcxy7GZe4Mvb12M14kK+2kbSs4rKqepa1+0MH+\r\nAlRbRoKPIaqtu4jWTl1UFMnU5v2qMyOFUEI77JVSqK9TeFlt8ShrC+EZIgAT\r\nZI+Lrucz5zNgu4nGKEQoqMcETmKLBTqsa4HB7Aras8O4bEuNsJ24GvQb0JRh\r\nsT5BCP9yknWNf1LW04Bc1yRI058PDWYE0Sk4voNkR7P37P2OpLhVhWiIy90u\r\neT6Hj3uNGYnJaCIShpaiTGZXkVVseW6rJjf2I+otKXqlkpxQaE/tXfe5QclF\r\nVDcjGVzk9PhWgdjVxfIymVDGawmuQ0wdLV7FEOc4NBxnzCf+NfDjKVVu5V+f\r\nCiO8moDW10WULrtq7YtAJ1RL9lj3YcT8wcALGxytV5Fcz4Mu6IFdDuGRdO4w\r\nToPP0Kzqhc2veGAMKMwGdwP6vyHDACsYWp5tPYi6Lib3iHayWggzHhmGrpUE\r\noBZhS1Gglw9QBM+QE+pC+VeQsb3wQhIC/JM=\r\n=zgHz\r\n-----END + PGP 
SIGNATURE-----\r\n"},"_npmUser":{"name":"mctofu","email":"mctofu@github.com"},"directories":{},"maintainers":[{"name":"nishnha","email":"nishnha@gmail.com"},{"name":"mctofu","email":"mctofu@github.com"}],"_npmOperationalInternal":{"host":"s3://npm-registry-packages","tmp":"tmp/npm-transitive-dependency_1.0.1_1654726818213_0.4396995531588652"},"_hasShrinkwrap":false}' + recorded_at: Wed, 07 Sep 2022 21:03:35 GMT +recorded_with: VCR 6.1.0 diff --git a/npm_and_yarn/spec/fixtures/vcr_cassettes/Dependabot_NpmAndYarn_UpdateChecker/_conflicting_dependencies/with_a_conflicting_dependency_and_an_unsatisfiable_vulnerablity/delegates_to_the_ConflictingDependencyResolver_and_VulnerabilityAuditor_and_explains_the_conflict.yml b/npm_and_yarn/spec/fixtures/vcr_cassettes/Dependabot_NpmAndYarn_UpdateChecker/_conflicting_dependencies/with_a_conflicting_dependency_and_an_unsatisfiable_vulnerablity/delegates_to_the_ConflictingDependencyResolver_and_VulnerabilityAuditor_and_explains_the_conflict.yml new file mode 100644 index 00000000000..be7c9a5f771 --- /dev/null +++ b/npm_and_yarn/spec/fixtures/vcr_cassettes/Dependabot_NpmAndYarn_UpdateChecker/_conflicting_dependencies/with_a_conflicting_dependency_and_an_unsatisfiable_vulnerablity/delegates_to_the_ConflictingDependencyResolver_and_VulnerabilityAuditor_and_explains_the_conflict.yml 
@@ -0,0 +1,57 @@ +--- +http_interactions: +- request: + method: get + uri: https://registry.npmjs.org/@dependabot-fixtures%2Fnpm-transitive-dependency + body: + encoding: US-ASCII + string: '' + headers: + user-agent: + - dependabot-core/0.212.0 excon/0.92.4 ruby/2.7.6 (x86_64-linux) (+https://github.com/dependabot/dependabot-core) + response: + status: + code: 200 + message: OK + headers: + date: + - Wed, 07 Sep 2022 21:03:31 GMT + content-type: + - application/json + connection: + - keep-alive + cf-ray: + - 74726439cfb0ada0-ATL + access-control-allow-origin: + - "*" + cache-control: + - public, max-age=300 + etag: + - W/"bec53a4510574acfeb4ed10a4ac2fafe" + last-modified: + - Fri, 10 Jun 2022 17:08:32 GMT + vary: + - accept-encoding, accept + cf-cache-status: + - REVALIDATED + x-amz-replication-status: + - COMPLETED + server: + - cloudflare + content-encoding: + - '' + body: + encoding: UTF-8 + string: '{"_id":"@dependabot-fixtures/npm-transitive-dependency","_rev":"2-a24e904986d72cc37c235292711c96f8","name":"@dependabot-fixtures/npm-transitive-dependency","dist-tags":{"latest":"1.0.1"},"versions":{"1.0.0":{"name":"@dependabot-fixtures/npm-transitive-dependency","version":"1.0.0","description":"a + test fixture for testing transitive dependency updates","main":"index.js","scripts":{"test":"echo + \"Error: no test specified\" && exit 
1"},"repository":{"type":"git","url":"git+https://github.com/dependabot-fixtures/npm-transitive-dependency.git"},"author":"","license":"ISC","bugs":{"url":"https://github.com/dependabot-fixtures/npm-transitive-dependency/issues"},"homepage":"https://github.com/dependabot-fixtures/npm-transitive-dependency#readme","gitHead":"ed979391400cfecc58469424e6db9601a5a09e36","_id":"@dependabot-fixtures/npm-transitive-dependency@1.0.0","_nodeVersion":"16.15.0","_npmVersion":"8.5.5","dist":{"integrity":"sha512-nFbzQH0TRgdzSA2/FH6MPnxZDpD+5Bgz00aD5Edgbc1wY/k8VC9s7lnk22dBTgJLwoY7MgbrnAf9rAvN08hHVg==","shasum":"b70e2381996ba06233c2a703c73f9ef3674beb2c","tarball":"https://registry.npmjs.org/@dependabot-fixtures/npm-transitive-dependency/-/npm-transitive-dependency-1.0.0.tgz","fileCount":2,"unpackedSize":688,"signatures":[{"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","sig":"MEUCIQCgpRAyARsDA1NfJvzQs1/rsk3Nfbbf2fmNynsoPjU8DwIgSC0qB6Vg7C+BFzN/kkl+mKl0AzihRTUZZoz2PNSmx1Y="}],"npm-signature":"-----BEGIN + PGP SIGNATURE-----\r\nVersion: OpenPGP.js v4.10.10\r\nComment: https://openpgpjs.org\r\n\r\nwsFzBAEBCAAGBQJioR9nACEJED1NWxICdlZqFiEECWMYAoorWMhJKdjhPU1b\r\nEgJ2VmrXBA/6AuhKeO/ZWLXnw2NO4IGPQ/maGX6wTbW0M0CQEsJo7S0ORbzL\r\nGFrNMF2hyqUnshj3GjaWdZu2fT9S70Pze93eQMAai+dU2kQPTvYtMysMWT1U\r\nKhhj26cS0fmJzK8DjZwfEfhAl2BVTVxulivAsTVTKeBeu/tIOCW3GXquw3kb\r\n/AqyNxPBl33sjOjH2LSEUgE4YKsL8wIN1/4HKn0sXqfDBN/X+4eBjdVQjpON\r\nAHNOZKdF6pxkw5q7dYdoMenx7MGDrowDCtMVrZDjl1SRW5k+CY3zTOrosgAJ\r\nYUMUll13oYL9GLT61zZECFVIaF2RIULgklnLy2REHqu1fyE8uzA7305hE/PB\r\nEew0tR0cPQHeczgBUGs3V7Q5ZNKcEGj2cVycmXmN7dRNKEoq6PxgLGPN1sOo\r\nvdUnC9m8Vt0bqdhXorlk5WTIqXRFgIXw5ahoyAXGMcD3UCLnr/E2Udp/LcoN\r\nq5ZDg6OoEvgikM5vlcVTBbKILpc689bkem2dY7EGYrrwdpB/DEsg8KV0aoYP\r\nW7SdtbGxQ+nCBQKzx2igBmk62neSzKxWZxJo+GXSf8dJnkbPWkRZLFaUoRLO\r\nJGEdtUqKcl3gagmTgOTlNEj2CBMs2wmab13dMmwXBnKn4/Lokzrzqw4uZCbr\r\n0Z5ciR7Xqsjrdzpi/74XHyS9FHDr+eUulfU=\r\n=JwaA\r\n-----END + PGP 
SIGNATURE-----\r\n"},"_npmUser":{"name":"mctofu","email":"mctofu@github.com"},"directories":{},"maintainers":[{"name":"nishnha","email":"nishnha@gmail.com"},{"name":"mctofu","email":"mctofu@github.com"}],"_npmOperationalInternal":{"host":"s3://npm-registry-packages","tmp":"tmp/npm-transitive-dependency_1.0.0_1654726503635_0.2532339791507354"},"_hasShrinkwrap":false},"1.0.1":{"name":"@dependabot-fixtures/npm-transitive-dependency","version":"1.0.1","description":"a + test fixture for testing transitive dependency updates","main":"index.js","scripts":{"test":"echo + \"Error: no test specified\" && exit 1"},"repository":{"type":"git","url":"git+https://github.com/dependabot-fixtures/npm-transitive-dependency.git"},"author":"","license":"ISC","bugs":{"url":"https://github.com/dependabot-fixtures/npm-transitive-dependency/issues"},"homepage":"https://github.com/dependabot-fixtures/npm-transitive-dependency#readme","gitHead":"89457a1a5b8071ca9f602bed33fd869532db9ad9","_id":"@dependabot-fixtures/npm-transitive-dependency@1.0.1","_nodeVersion":"16.15.0","_npmVersion":"8.5.5","dist":{"integrity":"sha512-nWQzJEqSqKZu+mgNSVdsO69NG6vCGIN9FuM+Vip5nqItqrNeQoITZM6/q6+tqgdM48XkQEOUpEiYpAdoMbxniw==","shasum":"fe20ae5230674c08fa5600c9cfb8b72ea3e7e066","tarball":"https://registry.npmjs.org/@dependabot-fixtures/npm-transitive-dependency/-/npm-transitive-dependency-1.0.1.tgz","fileCount":2,"unpackedSize":688,"signatures":[{"keyid":"SHA256:jl3bwswu80PjjokCgh0o2w5c2U4LhQAE57gj9cz1kzA","sig":"MEYCIQCA7kCA+qIaCh9QdYfVdHznok0CCgEaC8ssZMY74avehAIhAOLg3oYmjuIibpM3aaE6PbQ9H9d2Zs0IeDpFCMETSPyo"}],"npm-signature":"-----BEGIN + PGP SIGNATURE-----\r\nVersion: OpenPGP.js v4.10.10\r\nComment: 
https://openpgpjs.org\r\n\r\nwsFzBAEBCAAGBQJioSCiACEJED1NWxICdlZqFiEECWMYAoorWMhJKdjhPU1b\r\nEgJ2Vmo+Og//YEfPtruI3VkwmFKSzIp+WUUScfZm1RK5V9U+04j9re8a7JCh\r\n5yY4H/YjIYGQg8p0yDfdGVk8Hoj6Kh0fdOD8sSziy1sspA1kx3w+6s18FX0n\r\nc/JeO5xhLAdx0vNVYZjNLxo9QEHLQ6kSsglIgxbmj+T6QAjAZ/obMNA+roOd\r\nq/GyU4/6Hw+RCTDQttRMKHmcxy7GZe4Mvb12M14kK+2kbSs4rKqepa1+0MH+\r\nAlRbRoKPIaqtu4jWTl1UFMnU5v2qMyOFUEI77JVSqK9TeFlt8ShrC+EZIgAT\r\nZI+Lrucz5zNgu4nGKEQoqMcETmKLBTqsa4HB7Aras8O4bEuNsJ24GvQb0JRh\r\nsT5BCP9yknWNf1LW04Bc1yRI058PDWYE0Sk4voNkR7P37P2OpLhVhWiIy90u\r\neT6Hj3uNGYnJaCIShpaiTGZXkVVseW6rJjf2I+otKXqlkpxQaE/tXfe5QclF\r\nVDcjGVzk9PhWgdjVxfIymVDGawmuQ0wdLV7FEOc4NBxnzCf+NfDjKVVu5V+f\r\nCiO8moDW10WULrtq7YtAJ1RL9lj3YcT8wcALGxytV5Fcz4Mu6IFdDuGRdO4w\r\nToPP0Kzqhc2veGAMKMwGdwP6vyHDACsYWp5tPYi6Lib3iHayWggzHhmGrpUE\r\noBZhS1Gglw9QBM+QE+pC+VeQsb3wQhIC/JM=\r\n=zgHz\r\n-----END + PGP SIGNATURE-----\r\n"},"_npmUser":{"name":"mctofu","email":"mctofu@github.com"},"directories":{},"maintainers":[{"name":"nishnha","email":"nishnha@gmail.com"},{"name":"mctofu","email":"mctofu@github.com"}],"_npmOperationalInternal":{"host":"s3://npm-registry-packages","tmp":"tmp/npm-transitive-dependency_1.0.1_1654726818213_0.4396995531588652"},"_hasShrinkwrap":false}},"time":{"created":"2022-06-08T22:15:03.583Z","1.0.0":"2022-06-08T22:15:03.799Z","modified":"2022-06-10T17:08:31.026Z","1.0.1":"2022-06-08T22:20:18.465Z"},"maintainers":[{"email":"bdragon@github.com","name":"bryandragon"},{"email":"nishnha@gmail.com","name":"nishnha"},{"email":"mctofu@github.com","name":"mctofu"}],"description":"a + test fixture for testing transitive dependency updates","homepage":"https://github.com/dependabot-fixtures/npm-transitive-dependency#readme","repository":{"type":"git","url":"git+https://github.com/dependabot-fixtures/npm-transitive-dependency.git"},"bugs":{"url":"https://github.com/dependabot-fixtures/npm-transitive-dependency/issues"},"license":"ISC","readme":"# + npm-transitive-dependency\nA dependency used by 
npm-parent-dependency\n","readmeFilename":"README.md"}' + recorded_at: Wed, 07 Sep 2022 21:03:31 GMT +recorded_with: VCR 6.1.0