Fix test failures

Author: Electroid

npm_and_yarn/lib/dependabot/npm_and_yarn/dependency_files_filterer.rb

@@ -82,8 +82,7 @@ def package_required_lockfile?(lockfile)
 
       sig { params(lockfile: DependencyFile).returns(T::Boolean) }
       def workspaces_lockfile?(lockfile)
-        return false unless ["yarn.lock", "package-lock.json", "pnpm-lock.yaml",
-                             Bun::LOCKFILE_NAME].include?(lockfile.name)
+        return false unless ["yarn.lock", "package-lock.json", "pnpm-lock.yaml", "bun.lock"].include?(lockfile.name)
 
         return false unless parsed_root_package_json["workspaces"] || dependency_files.any? do |file|
           file.name.end_with?("pnpm-workspace.yaml") && File.dirname(file.name) == File.dirname(lockfile.name)
@@ -150,7 +149,7 @@ def lockfile?(file)
           "yarn.lock",
           "pnpm-lock.yaml",
           "npm-shrinkwrap.json",
-          Bun::LOCKFILE_NAME
+          "bun.lock"
         )
       end
     end

npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser/bun_lock.rb

@@ -19,40 +19,61 @@ def initialize(dependency_file)
 
         sig { returns(T::Hash[String, T.untyped]) }
         def parsed
+          return @content if @content
+
           # Since bun.lock is a JSONC file, which is a subset of YAML, we can use YAML to parse it
-          json_obj = YAML.load(T.must(@dependency_file.content))
-          @parsed ||= T.let(json_obj, T.nilable(T::Hash[String, T.untyped]))
-        rescue Psych::SyntaxError
-          raise Dependabot::DependencyFileNotParseable.new(@dependency_file.path, "Invalid bun.lock file")
+          content = YAML.load(T.must(@dependency_file.content))
+          raise_invalid!("expected to be an object") unless content.is_a?(Hash)
+
+          version = content["lockfileVersion"]
+          raise_invalid!("expected 'lockfileVersion' to be an integer") unless version.is_a?(Integer)
+          raise_invalid!("expected 'lockfileVersion' to be >= 0") unless version >= 0
+          unless version.zero?
+            raise_invalid!(<<~ERROR
+              unsupported 'lockfileVersion' = #{version}, please open an issue with Dependabot to support this:
+              https://github.com/dependabot/dependabot/issues/new
+            ERROR
+                          )
+          end
+
+          @content = content
+        rescue Psych::SyntaxError => e
+          raise_invalid!("malformed JSONC at line #{e.line}, column #{e.column}")
+        end
+
+        sig { returns(Integer) }
+        def version
+          parsed["lockfileVersion"]
         end
 
         sig { returns(Dependabot::FileParsers::Base::DependencySet) }
         def dependencies
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
-          lockfile_version = parsed["lockfileVersion"]
-          if lockfile_version.zero?
-            packages = parsed["packages"]
-            raise_invalid_lock!("expected 'packages' to be an object") unless packages.is_a?(Hash)
+          # bun.lock v0 format:
+          # https://github.com/oven-sh/bun/blob/c130df6c589fdf28f9f3c7f23ed9901140bc9349/src/install/bun.lock.zig#L595-L605
+
+          packages = parsed["packages"]
+          raise_invalid!("expected 'packages' to be an object") unless packages.is_a?(Hash)
 
-            packages.each do |key, details|
-              raise_invalid_lock!("expected 'packages.#{key}' to be an array") unless details.is_a?(Array)
+          packages.each do |key, details|
+            raise_invalid!("expected 'packages.#{key}' to be an array") unless details.is_a?(Array)
 
-              entry = details.first
-              raise_invalid_lock!("expected 'packages.#{key}[0]' to be a string") unless entry.is_a?(String)
+            resolution = details.first
+            raise_invalid!("expected 'packages.#{key}[0]' to be a string") unless resolution.is_a?(String)
 
-              name, version = entry.split(/(?<=\w)\@/)
-              next if name.empty? || version.start_with?("workspace:")
+            name, version = resolution.split(/(?<=\w)\@/)
+            next if name.empty?
 
-              dependency_set << Dependency.new(
-                name: name,
-                version: version,
-                package_manager: "npm_and_yarn",
-                requirements: []
-              )
-            end
-          else
-            raise_invalid_lock!("expected 'lockfileVersion' to be 0")
+            semver = Version.semver_for(version)
+            next unless semver
+
+            dependency_set << Dependency.new(
+              name: name,
+              version: semver.to_s,
+              package_manager: "npm_and_yarn",
+              requirements: []
+            )
           end
 
           dependency_set
@@ -63,9 +84,6 @@ def dependencies
             .returns(T.nilable(T::Hash[String, T.untyped]))
         end
         def details(dependency_name, requirement, _manifest_name)
-          lockfile_version = parsed["lockfileVersion"]
-          return unless lockfile_version.zero?
-
           packages = parsed["packages"]
           return unless packages.is_a?(Hash)
 
@@ -77,39 +95,54 @@ def details(dependency_name, requirement, _manifest_name)
           # If there's only one entry for this dependency, use it, even if
           # the requirement in the lockfile doesn't match
           if candidates.one?
-            format_details(lockfile_version, candidates.first)
+            parse_details(candidates.first)
           else
             candidate = candidates.find do |label, _|
               label.scan(/(?<=\w)\@(?:npm:)?([^\s,]+)/).flatten.include?(requirement)
             end&.last
-            format_details(lockfile_version, candidate)
+            parse_details(candidate)
           end
         end
 
         private
 
         sig { params(message: String).void }
-        def raise_invalid_lock!(message)
+        def raise_invalid!(message)
           raise Dependabot::DependencyFileNotParseable.new(@dependency_file.path, "Invalid bun.lock file: #{message}")
         end
 
         sig do
-          params(lockfile_version: T.nilable(Integer),
-                 entry: T.nilable(T::Array[T.untyped])).returns(T.nilable(T::Hash[String, T.untyped]))
+          params(entry: T.nilable(T::Array[T.untyped])).returns(T.nilable(T::Hash[String, T.untyped]))
         end
-        def format_details(lockfile_version, entry)
-          return unless lockfile_version.zero?
+        def parse_details(entry)
           return unless entry.is_a?(Array)
 
-          label, registry, details, hash = entry
-          name, version = label.split(/(?<=\w)\@/)
-          {
-            "name" => name,
-            "version" => version,
-            "registry" => registry,
-            "details" => details,
-            "hash" => hash
-          }
+          # Either:
+          # - "{name}@{version}", registry, details, integrity
+          # - "{name}@{resolution}", details
+          resolution = entry.first
+          return unless resolution.is_a?(String)
+
+          name, version = resolution.split(/(?<=\w)\@/)
+          semver = Version.semver_for(version)
+
+          if semver
+            registry, details, integrity = entry[1..3]
+            {
+              "name" => name,
+              "version" => semver.to_s,
+              "registry" => registry,
+              "details" => details,
+              "integrity" => integrity
+            }
+          else
+            details = entry[1]
+            {
+              "name" => name,
+              "resolution" => version,
+              "details" => details
+            }
+          end
         end
       end
     end

npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb

@@ -109,7 +109,7 @@ def pnpm_locks
         def bun_locks
           @bun_locks ||= T.let(
             dependency_files
-            .select { |f| f.name.end_with?(Bun::LOCKFILE_NAME) }, T.nilable(T::Array[DependencyFile])
+            .select { |f| f.name.end_with?("bun.lock") }, T.nilable(T::Array[DependencyFile])
           )
         end
 

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -194,7 +194,7 @@ def pnpm_locks
       def bun_locks
         @bun_locks ||= T.let(
           filtered_dependency_files
-          .select { |f| f.name.end_with?(Bun::LOCKFILE_NAME) },
+          .select { |f| f.name.end_with?("bun.lock") },
           T.nilable(T::Array[Dependabot::DependencyFile])
         )
       end

npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -227,7 +227,7 @@ def deprecated?
 
       sig { override.returns(T::Boolean) }
       def unsupported?
-        version && version < MIN_SUPPORTED_VERSION
+        supported_versions.all? { |supported| supported > version }
       end
     end
 

npm_and_yarn/lib/dependabot/npm_and_yarn/sub_dependency_files_filterer.rb

@@ -69,7 +69,7 @@ def lockfile?(file)
           "yarn.lock",
           "npm-shrinkwrap.json",
           "pnpm-lock.yaml",
-          Bun::LOCKFILE_NAME
+          "bun.lock"
         )
       end
 

npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb

@@ -52,7 +52,7 @@ def pnpm_locks
         def bun_locks
           @bun_locks ||=
             dependency_files
-            .select { |f| f.name.end_with?(Bun::LOCKFILE_NAME) }
+            .select { |f| f.name.end_with?("bun.lock") }
         end
 
         def root_yarn_lock
@@ -70,7 +70,7 @@ def root_pnpm_lock
         def root_bun_lock
           @root_bun_lock ||=
             dependency_files
-            .find { |f| f.name == Bun::LOCKFILE_NAME }
+            .find { |f| f.name == "bun.lock" }
         end
 
         def shrinkwraps

npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -64,7 +64,7 @@ def update_subdependency_in_lockfile(lockfile)
           lockfile_name = Pathname.new(lockfile.name).basename.to_s
           path = Pathname.new(lockfile.name).dirname.to_s
 
-          updated_files = if lockfile.name.end_with?(Bun::LOCKFILE_NAME)
+          updated_files = if lockfile.name.end_with?("bun.lock")
                             run_bun_updater(path, lockfile_name)
                           elsif lockfile.name.end_with?("yarn.lock") && Helpers.yarn_berry?(lockfile)
                             run_yarn_berry_updater(path, lockfile_name)

npm_and_yarn/spec/dependabot/npm_and_yarn/file_fetcher_spec.rb

@@ -379,6 +379,20 @@
             body: nil,
             headers: json_header
           )
+        stub_request(:get, File.join(url, "bun.lock?ref=sha"))
+          .with(headers: { "Authorization" => "token token" })
+          .to_return(
+            status: 404,
+            body: nil,
+            headers: json_header
+          )
+        stub_request(:get, File.join(url, "packages/bun.lock?ref=sha"))
+          .with(headers: { "Authorization" => "token token" })
+          .to_return(
+            status: 404,
+            body: nil,
+            headers: json_header
+          )
         # FileFetcher will iterate trying to find `pnpm-lock.yaml` upwards in the folder tree
         stub_request(:get, File.join(url, "packages/pnpm-lock.yaml?ref=sha"))
           .with(headers: { "Authorization" => "token token" })
@@ -1304,6 +1318,12 @@
             "pnpm-lock.yaml?ref=sha"
           ).with(headers: { "Authorization" => "token token" })
             .to_return(status: 404)
+          stub_request(
+            :get,
+            "https://api.github.com/repos/gocardless/bump/contents/" \
+            "bun.lock?ref=sha"
+          ).with(headers: { "Authorization" => "token token" })
+            .to_return(status: 404)
         end
 
         it "fetches package.json from the workspace dependencies" do

npm_and_yarn/spec/dependabot/npm_and_yarn/file_parser/lockfile_parser_spec.rb

@@ -328,7 +328,7 @@
           expect { dependencies }
             .to raise_error(Dependabot::DependencyFileNotParseable) do |error|
               expect(error.file_name).to eq("bun.lock")
-              expect(error.message).to eq("Invalid bun.lock file")
+              expect(error.message).to eq("Invalid bun.lock file: malformed JSONC at line 3, column 1")
             end
         end
       end
@@ -688,14 +688,16 @@
       let(:manifest_name) { "package.json" }
 
       it "finds the dependency" do
+        # rubocop:disable Layout/LineLength
         expect(lockfile_details).to eq({
           "name" => "fetch-factory",
           "version" => "0.0.1",
           "registry" => "",
           "details" => { "dependencies" => { "es6-promise" => "^3.0.2", "isomorphic-fetch" => "^2.1.1",
                                              "lodash" => "^3.10.1" } },
-          "hash" => "sha512-gexRwqIhwzDJ2pJvL0UYfiZwW06/bdYWxAmswFFts7C87CF8i6liApihTk7TZFYMDcQjvvDIvyHv0q379z0aWA=="
+          "integrity" => "sha512-gexRwqIhwzDJ2pJvL0UYfiZwW06/bdYWxAmswFFts7C87CF8i6liApihTk7TZFYMDcQjvvDIvyHv0q379z0aWA=="
         })
+        # rubocop:enable Layout/LineLength
       end
     end
   end

npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/bun_lockfile_updater_spec.rb

@@ -56,7 +56,7 @@
   let(:files) { project_dependency_files(project_name) }
 
   let(:bun_lock) do
-    files.find { |f| f.name == Bun::LOCKFILE_NAME }
+    files.find { |f| f.name == "bun.lock" }
   end
 
   let(:tmp_path) { Dependabot::Utils::BUMP_TMP_DIR_PATH }