Reuse RegistryFinder when inferring npmrc for PNPM

dependabot · Sep 26, 2023 · 0eb24bc · 0eb24bc
1 parent 0c0cc10
commit 0eb24bc
Show file tree

Hide file tree

Showing 5 changed files with 118 additions and 6 deletions.
diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb
@@ -17,9 +17,10 @@ class NpmrcBuilder
 
         SCOPED_REGISTRY = /^\s*@(?<scope>\S+):registry\s*=\s*(?<registry>\S+)/
 
-        def initialize(dependency_files:, credentials:)
+        def initialize(dependency_files:, credentials:, dependencies: [])
           @dependency_files = dependency_files
           @credentials = credentials
+          @dependencies = dependencies
         end
 
         # PROXY WORK
@@ -52,7 +53,7 @@ def yarnrc_content
 
         private
 
-        attr_reader :dependency_files, :credentials
+        attr_reader :dependency_files, :credentials, :dependencies
 
         def build_npmrc_content_from_lockfile
           return unless yarn_lock || package_lock
@@ -134,6 +135,17 @@ def dependency_urls
           return @dependency_urls if defined?(@dependency_urls)
 
           @dependency_urls = []
+
+          if dependencies.any?
+            @dependency_urls = dependencies.map do |dependency|
+              UpdateChecker::RegistryFinder.new(
+                dependency: dependency,
+                credentials: credentials
+              ).dependency_url
+            end
+            return @dependency_urls
+          end
+
           if package_lock
             @dependency_urls +=
               package_lock.content.scan(/"resolved"\s*:\s*"(.*)"/)

diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb
@@ -39,7 +39,7 @@ def updated_pnpm_lock_content(pnpm_lock)
 
         def run_pnpm_update(pnpm_lock:)
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
-            File.write(".npmrc", npmrc_content)
+            File.write(".npmrc", npmrc_content(pnpm_lock))
 
             SharedHelpers.with_git_configured(credentials: credentials) do
               run_pnpm_updater
@@ -123,10 +123,11 @@ def write_final_package_json_files
           end
         end
 
-        def npmrc_content
+        def npmrc_content(pnpm_lock)
           NpmrcBuilder.new(
             credentials: credentials,
-            dependency_files: dependency_files
+            dependency_files: dependency_files,
+            dependencies: lockfile_dependencies(pnpm_lock)
           ).npmrc_content
         end
 

diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npmrc_builder_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npmrc_builder_spec.rb
@@ -9,7 +9,8 @@
   let(:npmrc_builder) do
     described_class.new(
       dependency_files: dependency_files,
-      credentials: credentials
+      credentials: credentials,
+      dependencies: dependencies
     )
   end
 
@@ -22,6 +23,10 @@
     }]
   end
 
+  let(:dependencies) do
+    []
+  end
+
   describe "#npmrc_content" do
     subject(:npmrc_content) { npmrc_builder.npmrc_content }
 
@@ -777,6 +782,39 @@
       end
     end
 
+    context "with a pnpm-lock.yaml" do
+      let(:dependency_files) { project_dependency_files("pnpm/private_source") }
+      let(:dependencies) do
+        [
+          Dependabot::Dependency.new(name: "@dependabot/etag", version: "1.8.1", package_manager: "npm_and_yarn", requirements: []),
+          Dependabot::Dependency.new(name: "semver", version: "7.5.4", package_manager: "npm_and_yarn", requirements: [])
+        ]
+      end
+
+      context "and a private registry configured that lists a specific dependency" do
+        let(:credentials) do
+          [{
+             "type" => "npm_registry",
+             "registry" => "pkgs.dev.azure.com/dependabot/my-project/_packaging/my-feed/npm/registry/",
+             "token" => "my_token"
+           }]
+        end
+
+        before do
+          stub_request(:get, "https://pkgs.dev.azure.com/dependabot/my-project/_packaging/my-feed/npm/registry/@dependabot%2Fetag")
+            .with(headers: { "Authorization" => "Bearer my_token" })
+            .to_return(status: 200, body: "{}")
+          stub_request(:get, "https://pkgs.dev.azure.com/dependabot/my-project/_packaging/my-feed/npm/registry/semver")
+            .with(headers: { "Authorization" => "Bearer my_token" })
+            .to_return(status: 404)
+        end
+
+        it "adds a scoped registry for the dependency" do
+          expect(npmrc_content).to include("@dependabot:registry=https://pkgs.dev.azure.com/dependabot/my-project/_packaging/my-feed/npm/registry/")
+        end
+      end
+    end
+
     context "registry scope generation" do
       let(:credentials) do
         [{

diff --git a/npm_and_yarn/spec/fixtures/projects/pnpm/private_source/package.json b/npm_and_yarn/spec/fixtures/projects/pnpm/private_source/package.json
@@ -0,0 +1,23 @@
+{
+  "name": "test",
+  "version": "1.0.0",
+  "description": "testing out private registry usage",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/waltfy/PROTO_TEST.git"
+  },
+  "author": "",
+  "license": "ISC",
+  "bugs": {
+    "url": "https://github.com/waltfy/PROTO_TEST/issues"
+  },
+  "homepage": "https://github.com/waltfy/PROTO_TEST#readme",
+  "dependencies": {
+    "@dependabot/etag": "^1.8.0",
+    "semver": "^7.5.4"
+  }
+}
diff --git a/npm_and_yarn/spec/fixtures/projects/pnpm/private_source/pnpm-lock.yaml b/npm_and_yarn/spec/fixtures/projects/pnpm/private_source/pnpm-lock.yaml