Add support for npm 7 lockfiles

npm_and_yarn/helpers/lib/npm6/updater.js

@@ -113,6 +113,7 @@ function flattenAllDependencies(manifest) {
   );
 }
 
+// NOTE: Re-used in npm 7 updater
 function installArgs(
   depName,
   desiredVersion,

npm_and_yarn/helpers/lib/npm7/index.js

@@ -0,0 +1,9 @@
+const updater = require("./updater");
+const peerDependencyChecker = require("./peer-dependency-checker");
+const subdependencyUpdater = require("./subdependency-updater");
+
+module.exports = {
+  update: updater.updateDependencyFiles,
+  updateSubdependency: subdependencyUpdater.updateDependencyFile,
+  checkPeerDependencies: peerDependencyChecker.checkPeerDependencies,
+};

npm_and_yarn/helpers/lib/npm7/peer-dependency-checker.js

@@ -0,0 +1,77 @@
+/* PEER DEPENDENCY CHECKER
+ *
+ * Inputs:
+ *  - directory containing a package.json and a yarn.lock
+ *  - dependency name
+ *  - new dependency version
+ *  - requirements for this dependency
+ *
+ * Outputs:
+ *  - successful completion, or an error if there are peer dependency warnings
+ */
+
+const npm = require("npm7");
+const Arborist = require("@npmcli/arborist");
+const { promisify } = require("util");
+
+async function checkPeerDependencies(
+  directory,
+  depName,
+  desiredVersion,
+  requirements,
+  _topLevelDependencies // included for compatibility with npm 6 implementation
+) {
+  await promisify(npm.load).bind(npm)();
+
+  // `ignoreScripts` is used to disable prepare and prepack scripts which are
+  // run when installing git dependencies
+  const arb = new Arborist({
+    ...npm.flatOptions,
+    path: directory,
+    packageLockOnly: true,
+    dryRun: true,
+    save: false,
+    ignoreScripts: true,
+    engineStrict: false,
+    // NOTE: there seems to be no way to disable platform checks in arborist
+    // without force installing invalid peer dependencies
+    //
+    // TODO: ignore platform checks
+    force: false,
+  });
+
+  // Returns dep name and version for npm install, example: ["react@16.6.0"]
+  let args = installArgsWithVersion(depName, desiredVersion, requirements);
+
+  return await arb
+    .buildIdealTree({
+      add: args,
+    })
+    .catch((er) => {
+      if (er.code === "ERESOLVE") {
+        // NOTE: Emulate the error message in npm 6 for compatibility with the
+        // version resolver
+        const conflictingDependencies = [
+          `${er.edge.from.name}@${er.edge.from.version} requires a peer of ${er.current.name}@${er.edge.spec} but none is installed.`,
+        ];
+        throw new Error(conflictingDependencies.join("\n"));
+      } else {
+        // NOTE: Hand over exception handling to the file updater. This is
+        // consistent with npm6 behaviour.
+        return [];
+      }
+    })
+    .then(() => []);
+}
+
+function installArgsWithVersion(depName, desiredVersion, reqs) {
+  const source = (reqs.find((req) => req.source) || {}).source;
+
+  if (source && source.type === "git") {
+    return [`${depName}@${source.url}#${desiredVersion}`];
+  } else {
+    return [`${depName}@${desiredVersion}`];
+  }
+}
+
+module.exports = { checkPeerDependencies };

npm_and_yarn/helpers/lib/npm7/subdependency-updater.js

@@ -0,0 +1,39 @@
+const fs = require("fs");
+const path = require("path");
+const execa = require("execa");
+
+const updateDependencyFile = async (directory, lockfileName, dependencies) => {
+  const dependencyNames = dependencies.map((dep) => dep.name);
+
+  try {
+    // NOTE:
+    // - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to
+    //   work around an issue in npm 6, we don't want that here
+    // - `--force` ignores checks for platform (os, cpu) and engines
+    // - `--ignore-scripts` disables prepare and prepack scripts which are run
+    //   when installing git dependencies
+    await execa(
+      "npm",
+      [
+        "update",
+        ...dependencyNames,
+        "--force",
+        "--dry-run",
+        "false",
+        "--ignore-scripts",
+        "--package-lock-only",
+      ],
+      { cwd: directory }
+    );
+  } catch (e) {
+    throw new Error(e.stderr);
+  }
+
+  const updatedLockfile = fs
+    .readFileSync(path.join(directory, lockfileName))
+    .toString();
+
+  return { [lockfileName]: updatedLockfile };
+};
+
+module.exports = { updateDependencyFile };

npm_and_yarn/helpers/lib/npm7/updater.js

@@ -0,0 +1,110 @@
+/* DEPENDENCY FILE UPDATER
+ *
+ * Inputs:
+ *  - directory containing an up-to-date package.json and a package-lock.json to
+ *    be updated
+ *  - the name of the lockfile (package-lock.json or npm-shrinkwrap.json)
+ *  - array of dependencies to be updated [{name, version, requirements}]
+ *
+ * Outputs:
+ *  - updated package-lock.json
+ *
+ * Update the dependency to the version specified and rewrite the
+ * package-lock.json files.
+ */
+const fs = require("fs");
+const path = require("path");
+const execa = require("execa");
+
+const updateDependencyFiles = async (directory, lockfileName, dependencies) => {
+  const manifest = JSON.parse(
+    fs.readFileSync(path.join(directory, "package.json")).toString()
+  );
+  const flattenedDependencies = flattenAllDependencies(manifest);
+  const args = dependencies.map((dependency) => {
+    const existingVersionRequirement = flattenedDependencies[dependency.name];
+    return installArgs(
+      dependency.name,
+      dependency.version,
+      dependency.requirements,
+      existingVersionRequirement
+    );
+  });
+
+  try {
+    // NOTE:
+    // - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to
+    //   work around an issue in npm 6, we don't want that here
+    // - `--force` ignores checks for platform (os, cpu) and engines
+    // - `--ignore-scripts` disables prepare and prepack scripts which are run
+    //   when installing git dependencies
+    await execa(
+      "npm",
+      [
+        "install",
+        ...args,
+        "--force",
+        "--dry-run",
+        "false",
+        "--ignore-scripts",
+        "--package-lock-only",
+      ],
+      { cwd: directory }
+    );
+  } catch (e) {
+    throw new Error(e.stderr);
+  }
+
+  const updatedLockfile = fs
+    .readFileSync(path.join(directory, lockfileName))
+    .toString();
+
+  return { [lockfileName]: updatedLockfile };
+};
+
+function flattenAllDependencies(manifest) {
+  return Object.assign(
+    {},
+    manifest.optionalDependencies,
+    manifest.peerDependencies,
+    manifest.devDependencies,
+    manifest.dependencies
+  );
+}
+
+// NOTE: Copied from npm 6 updater
+function installArgs(
+  depName,
+  desiredVersion,
+  requirements,
+  existingVersionRequirement
+) {
+  const source = (requirements.find((req) => req.source) || {}).source;
+
+  if (source && source.type === "git") {
+    if (!existingVersionRequirement) {
+      existingVersionRequirement = source.url;
+    }
+
+    // Git is configured to auth over https while updating
+    existingVersionRequirement = existingVersionRequirement.replace(
+      /git\+ssh:\/\/git@(.*?)[:/]/,
+      "git+https://$1/"
+    );
+
+    // Keep any semver range that has already been updated in the package
+    // requirement when installing the new version
+    if (existingVersionRequirement.match(desiredVersion)) {
+      return `${depName}@${existingVersionRequirement}`;
+    } else {
+      return `${depName}@${existingVersionRequirement.replace(
+        /#.*/,
+        ""
+      )}#${desiredVersion}`;
+    }
+  } else {
+    return `${depName}@${desiredVersion}`;
+  }
+}
+
+module.exports = { updateDependencyFiles };

npm_and_yarn/helpers/package.json

@@ -12,6 +12,7 @@
     "@dependabot/yarn-lib": "^1.21.1",
     "@npmcli/arborist": "^2.2.0",
     "detect-indent": "^6.0.0",
+    "execa": "^5.0.0",
     "npm6": "npm:npm@6.14.11",
     "npm7": "npm:npm@7.4.0",
     "semver": "^7.3.4"

npm_and_yarn/helpers/test/npm7/conflicting-dependency-parser.test.js

@@ -0,0 +1,67 @@
+const path = require("path");
+const os = require("os");
+const fs = require("fs");
+const rimraf = require("rimraf");
+const {
+  findConflictingDependencies,
+} = require("../../lib/npm/conflicting-dependency-parser");
+const helpers = require("./helpers");
+
+describe("findConflictingDependencies", () => {
+  let tempDir;
+  beforeEach(() => {
+    tempDir = fs.mkdtempSync(os.tmpdir() + path.sep);
+  });
+  afterEach(() => rimraf.sync(tempDir));
+
+  it("finds conflicting dependencies", async () => {
+    helpers.copyDependencies("conflicting-dependency-parser/simple", tempDir);
+
+    const result = await findConflictingDependencies(tempDir, "abind", "2.0.0");
+    expect(result).toEqual([
+      {
+        explanation: "objnest@4.1.2 requires abind@^1.0.0",
+        name: "objnest",
+        version: "4.1.2",
+        requirement: "^1.0.0",
+      },
+    ]);
+  });
+
+  it("finds the top-level conflicting dependency", async () => {
+    helpers.copyDependencies("conflicting-dependency-parser/nested", tempDir);
+
+    const result = await findConflictingDependencies(tempDir, "abind", "2.0.0");
+    expect(result).toEqual([
+      {
+        explanation: "askconfig@4.0.4 requires abind@^1.0.5 via objnest@5.1.0",
+        name: "objnest",
+        version: "5.1.0",
+        requirement: "^1.0.5",
+      },
+    ]);
+  });
+
+  it("explains a deeply nested dependency", async () => {
+    helpers.copyDependencies(
+      "conflicting-dependency-parser/deeply-nested",
+      tempDir
+    );
+
+    const result = await findConflictingDependencies(tempDir, "abind", "2.0.0");
+    expect(result).toEqual([
+      {
+        explanation: "apass@1.1.0 requires abind@^1.0.0 via cipherjson@2.1.0",
+        name: "cipherjson",
+        version: "2.1.0",
+        requirement: "^1.0.0",
+      },
+      {
+        explanation: `apass@1.1.0 requires abind@^1.0.0 via a transitive dependency on objnest@3.0.9`,
+        name: "objnest",
+        version: "3.0.9",
+        requirement: "^1.0.0",
+      },
+    ]);
+  });
+});