fix(npm): avoid transitive remediation of bundled dependencies (#14019)

renovatebot · Feb 5, 2022 · 9023b8a · 9023b8a
1 parent ff332d1
commit 9023b8a
Show file tree

Hide file tree

Showing 8 changed files with 4,506 additions and 4 deletions.
diff --git a/lib/manager/npm/update/locked-dependency/index.spec.ts b/lib/manager/npm/update/locked-dependency/index.spec.ts
@@ -14,6 +14,14 @@ const serveStaticJson = JSON.parse(
 );
 const sendJson = JSON.parse(loadFixture('send.json', './package-lock'));
 const typeIsJson = JSON.parse(loadFixture('type-is.json', './package-lock'));
+const bundledPackageJson = loadFixture(
+  'bundled.package.json',
+  './package-lock'
+);
+const bundledPackageLockJson = loadFixture(
+  'bundled.package-lock.json',
+  './package-lock'
+);
 
 describe('manager/npm/update/locked-dependency/index', () => {
   describe('updateLockedDependency()', () => {
@@ -153,5 +161,14 @@ describe('manager/npm/update/locked-dependency/index', () => {
       const res = await updateLockedDependency(config);
       expect(res.status).toBe('update-failed');
     });
+    it('fails remediation if bundled', async () => {
+      config.depName = 'ansi-regex';
+      config.currentVersion = '3.0.0';
+      config.newVersion = '5.0.1';
+      config.packageFileContent = bundledPackageJson;
+      config.lockFileContent = bundledPackageLockJson;
+      const res = await updateLockedDependency(config);
+      expect(res.status).toBe('update-failed');
+    });
   });
 });