Exception handling for npm and yarn errors (#10595)

dependabot · Sep 13, 2024 · 0b8032a · 0b8032a
1 parent fc2312a
commit 0b8032a
Show file tree

Hide file tree

Showing 4 changed files with 74 additions and 0 deletions.
diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn.rb
@@ -165,6 +165,9 @@ module NpmAndYarn
       REQUIREMENT_NOT_PROVIDED: /(?<dep>.*)(.*?)doesn't provide (?<pkg>.*)(.*?), requested by (?<parent>.*)/
     }.freeze, T::Hash[String, Regexp])
 
+    # registry returns malformed response
+    REGISTRY_NOT_REACHABLE = /Received malformed response from registry for "(?<ver>.*)". The registry may be down./
+
     class Utils
       extend T::Sig
 
@@ -580,6 +583,15 @@ def self.sanitize_resolvability_message(error_message, dependencies, yarn_lock)
         },
         in_usage: false,
         matchfn: nil
+      },
+      {
+        patterns: [REGISTRY_NOT_REACHABLE],
+        handler: lambda { |message, _error, _params|
+          msg = message.match(REGISTRY_NOT_REACHABLE)
+          Dependabot::DependencyFileNotResolvable.new(msg)
+        },
+        in_usage: false,
+        matchfn: nil
       }
     ].freeze, T::Array[{
       patterns: T::Array[T.any(String, Regexp)],

diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb
@@ -107,6 +107,12 @@ def updated_lockfile_reponse(response)
         # issue related when dependency url is not mentioned correctly
         UNRESOLVED_REFERENCE = /Unable to resolve reference (?<deps>.*)/
 
+        # npm git related error for dependencies
+        GIT_CHECKOUT_ERROR_REGEX = /Command failed: git checkout (?<sha>.*)/
+
+        # Invalid version format found for dependency in package.json file
+        INVALID_VERSION = /Invalid Version: (?<ver>.*)/
+
         # TODO: look into fixing this in npm, seems like a bug in the git
         # downloader introduced in npm 7
         #
@@ -616,6 +622,15 @@ def handle_npm_updater_error(error)
             raise Dependabot::DependencyFileNotResolvable, msg
           end
 
+          if (error_msg = error_message.match(GIT_CHECKOUT_ERROR_REGEX))
+            raise Dependabot::DependencyFileNotResolvable, error_msg
+          end
+
+          if (error_msg = error_message.match(INVALID_VERSION))
+            msg = "Found invalid version \"#{error_msg.named_captures.fetch('ver')}\" while updating"
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
           raise error
         end
         # rubocop:enable Metrics/AbcSize

diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater_spec.rb
@@ -1011,6 +1011,41 @@
         end
       end
     end
+
+    context "with a npm error response that returns a git checkout error" do
+      let(:response) do
+        "Command failed: git checkout 8cb9036b503920679c95528fa584d3e973b64f75
+      fatal: reference is not a tree: 8cb9036b503920679c95528fa584d3e973b64f75"
+      end
+
+      it "raises a helpful error" do
+        expect { updated_npm_lock }.to raise_error(Dependabot::DependencyFileNotResolvable) do |error|
+          expect(error.message)
+            .to include(
+              "Command failed: git checkout 8cb9036b503920679c95528fa584d3e973b64f75"
+            )
+        end
+      end
+    end
+
+    context "with a npm error response that invalid version error" do
+      let(:response) do
+        "npm WARN using --force Recommended protections disabled.
+        npm ERR! Invalid Version: ^8.0.1
+
+        npm ERR! A complete log of this run can be found in: " \
+        "/home/dependabot/.npm/_logs/2024-09-12T06_08_54_947Z-debug-0.log"
+      end
+
+      it "raises a helpful error" do
+        expect { updated_npm_lock }.to raise_error(Dependabot::DependencyFileNotResolvable) do |error|
+          expect(error.message)
+            .to include(
+              "Found invalid version \"^8.0.1\" while updating"
+            )
+        end
+      end
+    end
   end
 
   context "with a override that conflicts with direct dependency" do

diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/yarn_error_handler_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/yarn_error_handler_spec.rb
@@ -699,6 +699,18 @@
       end
     end
 
+    context "when the exception message contains malformed registry error response" do
+      let(:error_message) do
+        "Received malformed response from registry for \"teste-react-jv\". The registry may be down."
+      end
+
+      it "raises the corresponding error class with the correct message" do
+        expect { error_handler.handle_group_patterns(error, usage_error_message, { yarn_lock: yarn_lock }) }
+          .to raise_error(Dependabot::DependencyFileNotResolvable,
+                          "Received malformed response from registry for \"teste-react-jv\". The registry may be down.")
+      end
+    end
+
     context "when the error message contains Permission denied error" do
       let(:error_message) do
         "https://npm.pkg.github.com/breakthroughbehavioralinc/webpack: Permission denied"