dependabot-bun 0.296.2 → 0.296.3

data/lib/dependabot/bun/constraint_helper.rb

@@ -0,0 +1,359 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module Bun
+    module ConstraintHelper
+      extend T::Sig
+
+      # Regex Components for Semantic Versioning
+      DIGIT = "\\d+"                             # Matches a single number (e.g., "1")
+      PRERELEASE = "(?:-[a-zA-Z0-9.-]+)?"        # Matches optional pre-release tag (e.g., "-alpha")
+      BUILD_METADATA = "(?:\\+[a-zA-Z0-9.-]+)?"  # Matches optional build metadata (e.g., "+001")
+
+      # Matches semantic versions:
+      VERSION = T.let("#{DIGIT}(?:\\.#{DIGIT}){0,2}#{PRERELEASE}#{BUILD_METADATA}".freeze, String)
+
+      VERSION_REGEX = T.let(/^#{VERSION}$/, Regexp)
+
+      # Base regex for SemVer (major.minor.patch[-prerelease][+build])
+      # This pattern extracts valid semantic versioning strings based on the SemVer 2.0 specification.
+      SEMVER_REGEX = T.let(/
+        (?<version>\d+\.\d+\.\d+)               # Match major.minor.patch (e.g., 1.2.3)
+        (?:-(?<prerelease>[a-zA-Z0-9.-]+))?     # Optional prerelease (e.g., -alpha.1, -rc.1, -beta.5)
+        (?:\+(?<build>[a-zA-Z0-9.-]+))?         # Optional build metadata (e.g., +build.20231101, +exp.sha.5114f85)
+      /x, Regexp)
+
+      # Full SemVer validation regex (ensures the entire string is a valid SemVer)
+      # This ensures the entire input strictly follows SemVer, without extra characters before/after.
+      SEMVER_VALIDATION_REGEX = T.let(/^#{SEMVER_REGEX}$/, Regexp)
+
+      # SemVer constraint regex (supports package.json version constraints)
+      # This pattern ensures proper parsing of SemVer versions with optional operators.
+      SEMVER_CONSTRAINT_REGEX = T.let(/
+        (?: (>=|<=|>|<|=|~|\^)\s*)?  # Make operators optional (e.g., >=, ^, ~)
+        (\d+\.\d+\.\d+(?:-[a-zA-Z0-9.-]+)?(?:\+[a-zA-Z0-9.-]+)?)  # Match full SemVer versions
+        | (\*|latest) # Match wildcard (*) or 'latest'
+      /x, Regexp)
+
+      # /(>=|<=|>|<|=|~|\^)\s*(\d+\.\d+\.\d+(?:-[a-zA-Z0-9.-]+)?(?:\+[a-zA-Z0-9.-]+)?)|(\*|latest)/
+
+      SEMVER_OPERATOR_REGEX = /^(>=|<=|>|<|~|\^|=)$/
+
+      # Constraint Types as Constants
+      CARET_CONSTRAINT_REGEX = T.let(/^\^\s*(#{VERSION})$/, Regexp)
+      TILDE_CONSTRAINT_REGEX = T.let(/^~\s*(#{VERSION})$/, Regexp)
+      EXACT_CONSTRAINT_REGEX = T.let(/^\s*(#{VERSION})$/, Regexp)
+      GREATER_THAN_EQUAL_REGEX = T.let(/^>=\s*(#{VERSION})$/, Regexp)
+      LESS_THAN_EQUAL_REGEX = T.let(/^<=\s*(#{VERSION})$/, Regexp)
+      GREATER_THAN_REGEX = T.let(/^>\s*(#{VERSION})$/, Regexp)
+      LESS_THAN_REGEX = T.let(/^<\s*(#{VERSION})$/, Regexp)
+      WILDCARD_REGEX = T.let(/^\*$/, Regexp)
+      LATEST_REGEX = T.let(/^latest$/, Regexp)
+      SEMVER_CONSTANTS = ["*", "latest"].freeze
+
+      # Unified Regex for Valid Constraints
+      VALID_CONSTRAINT_REGEX = T.let(Regexp.union(
+        CARET_CONSTRAINT_REGEX,
+        TILDE_CONSTRAINT_REGEX,
+        EXACT_CONSTRAINT_REGEX,
+        GREATER_THAN_EQUAL_REGEX,
+        LESS_THAN_EQUAL_REGEX,
+        GREATER_THAN_REGEX,
+        LESS_THAN_REGEX,
+        WILDCARD_REGEX,
+        LATEST_REGEX
+      ).freeze, Regexp)
+
+      # Extract unique constraints from the given constraint expression.
+      # @param constraint_expression [T.nilable(String)] The semver constraint expression.
+      # @return [T::Array[String]] The list of unique Ruby-compatible constraints.
+      sig do
+        params(
+          constraint_expression: T.nilable(String),
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(T::Array[String]))
+      end
+      def self.extract_ruby_constraints(constraint_expression, dependabot_versions = nil)
+        parsed_constraints = parse_constraints(constraint_expression, dependabot_versions)
+
+        return nil unless parsed_constraints
+
+        parsed_constraints.filter_map { |parsed| parsed[:constraint] }
+      end
+
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig do
+        params(constraint_expression: T.nilable(String))
+          .returns(T.nilable(T::Array[String]))
+      end
+      def self.split_constraints(constraint_expression)
+        normalized_constraint = constraint_expression&.strip
+        return [] if normalized_constraint.nil? || normalized_constraint.empty?
+
+        # Split constraints by logical OR (`||`)
+        constraint_groups = normalized_constraint.split("||")
+
+        # Split constraints by logical AND (`,`)
+        constraint_groups = constraint_groups.map do |or_constraint|
+          or_constraint.split(",").map(&:strip)
+        end.flatten
+
+        constraint_groups = constraint_groups.map do |constraint|
+          tokens = constraint.split(/\s+/).map(&:strip)
+
+          and_constraints = []
+
+          previous = T.let(nil, T.nilable(String))
+          operator = T.let(false, T.nilable(T::Boolean))
+          wildcard = T.let(false, T::Boolean)
+
+          tokens.each do |token|
+            token = token.strip
+            next if token.empty?
+
+            # Invalid constraint if wildcard and anything else
+            return nil if wildcard
+
+            # If token is one of the operators (>=, <=, >, <, ~, ^, =)
+            if token.match?(SEMVER_OPERATOR_REGEX)
+              wildcard = false
+              operator = true
+            # If token is wildcard or latest
+            elsif token.match?(/(\*|latest)/)
+              and_constraints << token
+              wildcard = true
+              operator = false
+            # If token is exact version (e.g., "1.2.3")
+            elsif token.match(VERSION_REGEX)
+              and_constraints << if operator
+                                   "#{previous}#{token}"
+                                 else
+                                   token
+                                 end
+              wildcard = false
+              operator = false
+            # If token is a valid constraint (e.g., ">=1.2.3", "<=2.0.0")
+            elsif token.match(VALID_CONSTRAINT_REGEX)
+              return nil if operator
+
+              and_constraints << token
+
+              wildcard = false
+              operator = false
+            else
+              # invalid constraint
+              return nil
+            end
+            previous = token
+          end
+          and_constraints.uniq
+        end.flatten
+        constraint_groups if constraint_groups.any?
+      end
+
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/CyclomaticComplexity
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/PerceivedComplexity
+
+      # Find the highest version from the given constraint expression.
+      # @param constraint_expression [T.nilable(String)] The semver constraint expression.
+      # @return [T.nilable(String)] The highest version, or nil if no versions are available.
+      sig do
+        params(
+          constraint_expression: T.nilable(String),
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(String))
+      end
+      def self.find_highest_version_from_constraint_expression(constraint_expression, dependabot_versions = nil)
+        parsed_constraints = parse_constraints(constraint_expression, dependabot_versions)
+
+        return nil unless parsed_constraints
+
+        parsed_constraints
+          .filter_map { |parsed| parsed[:version] } # Extract all versions
+          .max_by { |version| Version.new(version) }
+      end
+
+      # Parse all constraints (split by logical OR `||`) and convert to Ruby-compatible constraints.
+      # Return:
+      #   - `nil` if the constraint expression is invalid
+      #   - `[]` if the constraint expression is valid but represents "no constraints"
+      #   - An array of hashes for valid constraints with details about the constraint and version
+      sig do
+        params(
+          constraint_expression: T.nilable(String),
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(T::Array[T::Hash[Symbol, T.nilable(String)]]))
+      end
+      def self.parse_constraints(constraint_expression, dependabot_versions = nil)
+        splitted_constraints = split_constraints(constraint_expression)
+
+        return unless splitted_constraints
+
+        constraints = to_ruby_constraints_with_versions(splitted_constraints, dependabot_versions)
+        constraints
+      end
+
+      sig do
+        params(
+          constraints: T::Array[String],
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        ).returns(T::Array[T::Hash[Symbol, T.nilable(String)]])
+      end
+      def self.to_ruby_constraints_with_versions(constraints, dependabot_versions = [])
+        constraints.filter_map do |constraint|
+          parsed = to_ruby_constraint_with_version(constraint, dependabot_versions)
+          parsed if parsed
+        end.uniq
+      end
+
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # Converts a semver constraint to a Ruby-compatible constraint and extracts the version, if available.
+      # @param constraint [String] The semver constraint to parse.
+      # @return [T.nilable(T::Hash[Symbol, T.nilable(String)])] Returns the Ruby-compatible constraint and the version,
+      # if available, or nil if the constraint is invalid.
+      #
+      # @example
+      #  to_ruby_constraint_with_version("=1.2.3") # => { constraint: "=1.2.3", version: "1.2.3" }
+      #  to_ruby_constraint_with_version("^1.2.3") # => { constraint: ">=1.2.3 <2.0.0", version: "1.2.3" }
+      #  to_ruby_constraint_with_version("*")      # => { constraint: nil, version: nil }
+      #  to_ruby_constraint_with_version("invalid") # => nil
+      sig do
+        params(
+          constraint: String,
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(T::Hash[Symbol, T.nilable(String)]))
+      end
+      def self.to_ruby_constraint_with_version(constraint, dependabot_versions = [])
+        return nil if constraint.empty?
+
+        case constraint
+        when EXACT_CONSTRAINT_REGEX # Exact version, e.g., "1.2.3-alpha"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          { constraint: "=#{full_version}", version: full_version }
+        when CARET_CONSTRAINT_REGEX # Caret constraint, e.g., "^1.2.3"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          _, major, minor = version_components(full_version)
+          return nil if major.nil?
+
+          ruby_constraint =
+            if major.to_i.zero?
+              minor.nil? ? ">=#{full_version} <1.0.0" : ">=#{full_version} <0.#{minor.to_i + 1}.0"
+            else
+              ">=#{full_version} <#{major.to_i + 1}.0.0"
+            end
+          { constraint: ruby_constraint, version: full_version }
+        when TILDE_CONSTRAINT_REGEX # Tilde constraint, e.g., "~1.2.3"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          _, major, minor = version_components(full_version)
+          ruby_constraint =
+            if minor.nil?
+              ">=#{full_version} <#{major.to_i + 1}.0.0"
+            else
+              ">=#{full_version} <#{major}.#{minor.to_i + 1}.0"
+            end
+          { constraint: ruby_constraint, version: full_version }
+        when GREATER_THAN_EQUAL_REGEX # Greater than or equal, e.g., ">=1.2.3"
+
+          return unless Regexp.last_match && Regexp.last_match(1)
+
+          found_version = highest_matching_version(
+            dependabot_versions,
+            T.must(Regexp.last_match(1))
+          ) do |version, constraint_version|
+            version >= Version.new(constraint_version)
+          end
+          { constraint: ">=#{Regexp.last_match(1)}", version: found_version&.to_s }
+        when LESS_THAN_EQUAL_REGEX # Less than or equal, e.g., "<=1.2.3"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          { constraint: "<=#{full_version}", version: full_version }
+        when GREATER_THAN_REGEX # Greater than, e.g., ">1.2.3"
+          return unless Regexp.last_match && Regexp.last_match(1)
+
+          found_version = highest_matching_version(
+            dependabot_versions,
+            T.must(Regexp.last_match(1))
+          ) do |version, constraint_version|
+            version > Version.new(constraint_version)
+          end
+          { constraint: ">#{Regexp.last_match(1)}", version: found_version&.to_s }
+        when LESS_THAN_REGEX # Less than, e.g., "<1.2.3"
+          return unless Regexp.last_match && Regexp.last_match(1)
+
+          found_version = highest_matching_version(
+            dependabot_versions,
+            T.must(Regexp.last_match(1))
+          ) do |version, constraint_version|
+            version < Version.new(constraint_version)
+          end
+          { constraint: "<#{Regexp.last_match(1)}", version: found_version&.to_s }
+        when WILDCARD_REGEX # No specific constraint, resolves to the highest available version
+          { constraint: nil, version: dependabot_versions&.max&.to_s }
+        when LATEST_REGEX
+          { constraint: nil, version: dependabot_versions&.max&.to_s } # Resolves to the latest available version
+        end
+      end
+
+      sig do
+        params(
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version]),
+          constraint_version: String,
+          condition: T.proc.params(version: Dependabot::Version, constraint: Dependabot::Version).returns(T::Boolean)
+        )
+          .returns(T.nilable(Dependabot::Version))
+      end
+      def self.highest_matching_version(dependabot_versions, constraint_version, &condition)
+        return unless dependabot_versions&.any?
+
+        # Returns the highest version that satisfies the condition, or nil if none.
+        dependabot_versions
+          .sort
+          .reverse
+          .find { |version| condition.call(version, Version.new(constraint_version)) } # rubocop:disable Performance/RedundantBlockCall
+      end
+
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/CyclomaticComplexity
+
+      # Parses a semantic version string into its components as per the SemVer spec
+      # Example: "1.2.3-alpha+001" → ["1.2.3", "1", "2", "3", "alpha", "001"]
+      sig { params(full_version: T.nilable(String)).returns(T.nilable(T::Array[String])) }
+      def self.version_components(full_version)
+        return [] if full_version.nil?
+
+        match = full_version.match(SEMVER_VALIDATION_REGEX)
+        return [] unless match
+
+        version = match[:version]
+        return [] unless version
+
+        major, minor, patch = version.split(".")
+        [version, major, minor, patch, match[:prerelease], match[:build]].compact
+      end
+    end
+  end
+end

data/lib/dependabot/bun/dependency_files_filterer.rb

@@ -0,0 +1,157 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/utils"
+require "dependabot/bun/file_parser/lockfile_parser"
+require "sorbet-runtime"
+
+# Used in the version resolver and file updater to only run yarn/npm helpers on
+# dependency files that require updates. This is useful for large monorepos with
+# lots of sub-projects that don't all have the same dependencies.
+module Dependabot
+  module Bun
+    class DependencyFilesFilterer
+      extend T::Sig
+
+      sig { params(dependency_files: T::Array[DependencyFile], updated_dependencies: T::Array[Dependency]).void }
+      def initialize(dependency_files:, updated_dependencies:)
+        @dependency_files = dependency_files
+        @updated_dependencies = updated_dependencies
+      end
+
+      sig { returns(T::Array[String]) }
+      def paths_requiring_update_check
+        @paths_requiring_update_check ||= T.let(fetch_paths_requiring_update_check, T.nilable(T::Array[String]))
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def files_requiring_update
+        @files_requiring_update ||= T.let(
+          dependency_files.select do |file|
+            package_files_requiring_update.include?(file) ||
+              package_required_lockfile?(file) ||
+              workspaces_lockfile?(file)
+          end, T.nilable(T::Array[DependencyFile])
+        )
+      end
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def package_files_requiring_update
+        @package_files_requiring_update ||= T.let(
+          dependency_files.select do |file|
+            dependency_manifest_requirements.include?(file.name)
+          end, T.nilable(T::Array[DependencyFile])
+        )
+      end
+
+      private
+
+      sig { returns(T::Array[DependencyFile]) }
+      attr_reader :dependency_files
+
+      sig { returns(T::Array[Dependency]) }
+      attr_reader :updated_dependencies
+
+      sig { returns(T::Array[String]) }
+      def fetch_paths_requiring_update_check
+        # if only a root lockfile exists, it tracks all dependencies
+        return [File.dirname(T.must(root_lockfile).name)] if lockfiles == [root_lockfile]
+
+        package_files_requiring_update.map do |file|
+          File.dirname(file.name)
+        end
+      end
+
+      sig { returns(T::Array[String]) }
+      def dependency_manifest_requirements
+        @dependency_manifest_requirements ||= T.let(
+          updated_dependencies.flat_map do |dep|
+            dep.requirements.map { |requirement| requirement[:file] }
+          end, T.nilable(T::Array[String])
+        )
+      end
+
+      sig { params(lockfile: DependencyFile).returns(T::Boolean) }
+      def package_required_lockfile?(lockfile)
+        return false unless lockfile?(lockfile)
+
+        package_files_requiring_update.any? do |package_file|
+          File.dirname(package_file.name) == File.dirname(lockfile.name)
+        end
+      end
+
+      sig { params(lockfile: DependencyFile).returns(T::Boolean) }
+      def workspaces_lockfile?(lockfile)
+        return false unless ["yarn.lock", "package-lock.json", "pnpm-lock.yaml", "bun.lock"].include?(lockfile.name)
+
+        return false unless parsed_root_package_json["workspaces"] || dependency_files.any? do |file|
+          file.name.end_with?("pnpm-workspace.yaml") && File.dirname(file.name) == File.dirname(lockfile.name)
+        end
+
+        updated_dependencies_in_lockfile?(lockfile)
+      end
+
+      sig { returns(T.nilable(DependencyFile)) }
+      def root_lockfile
+        @root_lockfile ||= T.let(
+          lockfiles.find do |file|
+            File.dirname(file.name) == "."
+          end, T.nilable(DependencyFile)
+        )
+      end
+
+      sig { returns(T::Array[DependencyFile]) }
+      def lockfiles
+        @lockfiles ||= T.let(
+          dependency_files.select do |file|
+            lockfile?(file)
+          end, T.nilable(T::Array[DependencyFile])
+        )
+      end
+
+      sig { returns(T::Hash[String, T.untyped]) }
+      def parsed_root_package_json
+        @parsed_root_package_json ||= T.let(
+          begin
+            package = T.must(dependency_files.find { |f| f.name == "package.json" })
+            JSON.parse(T.must(package.content))
+          end, T.nilable(T::Hash[String, T.untyped])
+        )
+      end
+
+      sig { params(lockfile: Dependabot::DependencyFile).returns(T::Boolean) }
+      def updated_dependencies_in_lockfile?(lockfile)
+        lockfile_dependencies(lockfile).any? do |sub_dep|
+          updated_dependencies.any? do |updated_dep|
+            sub_dep.name == updated_dep.name
+          end
+        end
+      end
+
+      sig { params(lockfile: DependencyFile).returns(T::Array[Dependency]) }
+      def lockfile_dependencies(lockfile)
+        @lockfile_dependencies ||= T.let({}, T.nilable(T::Hash[String, T::Array[Dependency]]))
+        @lockfile_dependencies[lockfile.name] ||=
+          Bun::FileParser::LockfileParser.new(
+            dependency_files: [lockfile]
+          ).parse
+      end
+
+      sig { params(file: DependencyFile).returns(T::Boolean) }
+      def manifest?(file)
+        file.name.end_with?("package.json")
+      end
+
+      sig { params(file: DependencyFile).returns(T::Boolean) }
+      def lockfile?(file)
+        file.name.end_with?(
+          "package-lock.json",
+          "yarn.lock",
+          "pnpm-lock.yaml",
+          "bun.lock",
+          "npm-shrinkwrap.json"
+        )
+      end
+    end
+  end
+end

data/lib/dependabot/bun/file_fetcher/path_dependency_builder.rb

@@ -0,0 +1,184 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "json"
+require "dependabot/dependency_file"
+require "dependabot/errors"
+require "dependabot/bun/file_fetcher"
+require "sorbet-runtime"
+
+module Dependabot
+  module Bun
+    class FileFetcher
+      class PathDependencyBuilder
+        extend T::Sig
+
+        sig do
+          params(
+            dependency_name: String,
+            path: String,
+            directory: String,
+            package_lock: T.nilable(DependencyFile),
+            yarn_lock: T.nilable(DependencyFile)
+          )
+            .void
+        end
+        def initialize(dependency_name:, path:, directory:, package_lock:,
+                       yarn_lock:)
+          @dependency_name = dependency_name
+          @path = path
+          @directory = directory
+          @package_lock = package_lock
+          @yarn_lock = yarn_lock
+        end
+
+        sig { returns(DependencyFile) }
+        def dependency_file
+          filename = File.join(path, "package.json")
+
+          DependencyFile.new(
+            name: Pathname.new(filename).cleanpath.to_path,
+            content: build_path_dep_content(dependency_name),
+            directory: directory,
+            support_file: true
+          )
+        end
+
+        private
+
+        sig { returns(String) }
+        attr_reader :dependency_name
+
+        sig { returns(String) }
+        attr_reader :path
+
+        sig { returns(T.nilable(DependencyFile)) }
+        attr_reader :package_lock
+
+        sig { returns(T.nilable(DependencyFile)) }
+        attr_reader :yarn_lock
+
+        sig { returns(String) }
+        attr_reader :directory
+
+        sig { returns(T.untyped) }
+        def details_from_yarn_lock
+          path_starts = FileFetcher::PATH_DEPENDENCY_STARTS
+          parsed_yarn_lock.to_a
+                          .find do |n, _|
+            next false unless n.split(/(?<=\w)\@/).first == dependency_name
+
+            T.must(n.split(/(?<=\w)\@/).last).start_with?(*path_starts)
+          end&.last
+        end
+
+        sig { returns(T.untyped) }
+        def details_from_npm_lock
+          path_starts = FileFetcher::NPM_PATH_DEPENDENCY_STARTS
+          path_deps = parsed_package_lock.fetch("dependencies", []).to_a
+                                         .select do |_, v|
+            v.fetch("version", "").start_with?(*path_starts)
+          end
+          path_deps.find { |n, _| n == dependency_name }&.last
+        end
+
+        sig { params(dependency_name: String).returns(String) }
+        def build_path_dep_content(dependency_name)
+          unless details_from_yarn_lock || details_from_npm_lock
+            raise Dependabot::PathDependenciesNotReachable, [dependency_name]
+          end
+
+          if details_from_yarn_lock
+            {
+              name: dependency_name,
+              version: details_from_yarn_lock["version"] || "0.0.1",
+              dependencies:
+                replace_yarn_lockfile_paths(
+                  details_from_yarn_lock["dependencies"]
+                ),
+              optionalDependencies:
+                replace_yarn_lockfile_paths(
+                  details_from_yarn_lock["optionalDependencies"]
+                )
+            }.compact.to_json
+          else
+            {
+              name: dependency_name,
+              version: "0.0.1",
+              dependencies: details_from_npm_lock["requires"]
+            }.compact.to_json
+          end
+        end
+
+        # If an unfetchable path dependency itself has path dependencies
+        # then the paths in the yarn.lock for them will be absolute, not
+        # relative. Worse, they may point to the user's local cache.
+        # We work around this by constructing a relative path to the
+        # (second-level) path dependencies.
+        sig { params(dependencies_hash: T.nilable(T::Hash[String, T.untyped])).returns(T.untyped) }
+        def replace_yarn_lockfile_paths(dependencies_hash)
+          return unless dependencies_hash
+
+          dependencies_hash.each_with_object({}) do |(name, value), obj|
+            obj[name] = value
+            next unless value.start_with?(*FileFetcher::PATH_DEPENDENCY_STARTS)
+
+            path_from_base =
+              parsed_yarn_lock.to_a
+                              .find do |n, _|
+                next false unless n.split(/(?<=\w)\@/).first == name
+
+                T.must(n.split(/(?<=\w)\@/).last)
+                 .start_with?(*FileFetcher::PATH_DEPENDENCY_STARTS)
+              end&.first&.split(/(?<=\w)\@/)&.last
+
+            next unless path_from_base
+
+            cleaned_path = path_from_base
+                           .gsub(FileFetcher::PATH_DEPENDENCY_CLEAN_REGEX, "")
+            obj[name] = "file:" + File.join(inverted_path, cleaned_path)
+          end
+        end
+
+        sig { returns(T.untyped) }
+        def parsed_package_lock
+          return {} unless package_lock
+
+          JSON.parse(T.must(T.must(package_lock).content))
+        rescue JSON::ParserError
+          {}
+        end
+
+        sig { returns(T.nilable(T::Hash[String, T.untyped])) }
+        def parsed_yarn_lock
+          return unless yarn_lock
+          return @parsed_yarn_lock if defined?(@parsed_yarn_lock)
+
+          parsed = T.cast(SharedHelpers.in_a_temporary_directory do
+            File.write("yarn.lock", T.must(yarn_lock).content)
+
+            SharedHelpers.run_helper_subprocess(
+              command: NativeHelpers.helper_path,
+              function: "yarn:parseLockfile",
+              args: [Dir.pwd]
+            )
+          rescue SharedHelpers::HelperSubprocessFailed
+            raise Dependabot::DependencyFileNotParseable, T.must(yarn_lock).path
+          end, T::Hash[String, T.untyped])
+          @parsed_yarn_lock = T.let(parsed, T.nilable(T::Hash[String, T.untyped]))
+        end
+
+        # The path back to the root lockfile
+        sig { returns(String) }
+        def inverted_path
+          path.split("/").map do |part|
+            next part if part == "."
+            next "tmp" if part == ".."
+
+            ".."
+          end.join("/")
+        end
+      end
+    end
+  end
+end