dependabot-npm_and_yarn 0.131.2 → 0.133.2

data/lib/dependabot/npm_and_yarn/dependency_files_filterer.rb

@@ -20,7 +20,7 @@ module Dependabot
             dependency_files.select do |file|
               package_files_requiring_update.include?(file) ||
                 package_required_lockfile?(file) ||
-                yarn_workspaces_lockfile?(file)
+                workspaces_lockfile?(file)
             end
           end
       end
@@ -51,8 +51,8 @@ module Dependabot
         end
       end
 
-      def yarn_workspaces_lockfile?(lockfile)
-        return false unless lockfile.name == "yarn.lock"
+      def workspaces_lockfile?(lockfile)
+        return false unless ["yarn.lock", "package-lock.json"].include?(lockfile.name)
         return false unless parsed_root_package_json["workspaces"]
 
         updated_dependencies_in_lockfile?(lockfile)

data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb

@@ -2,6 +2,7 @@
 
 require "dependabot/dependency_file"
 require "dependabot/npm_and_yarn/file_parser"
+require "dependabot/npm_and_yarn/helpers"
 
 module Dependabot
   module NpmAndYarn
@@ -23,23 +24,9 @@ module Dependabot
           potential_lockfiles_for_manifest(manifest_name).each do |lockfile|
             details =
               if [*package_locks, *shrinkwraps].include?(lockfile)
-                parsed_lockfile = parse_package_lock(lockfile)
-                parsed_lockfile.dig("dependencies", dependency_name)
+                npm_lockfile_details(lockfile, dependency_name, manifest_name)
               else
-                parsed_yarn_lock = parse_yarn_lock(lockfile)
-                details_candidates =
-                  parsed_yarn_lock.
-                  select { |k, _| k.split(/(?<=\w)\@/)[0] == dependency_name }
-
-                # If there's only one entry for this dependency, use it, even if
-                # the requirement in the lockfile doesn't match
-                if details_candidates.one?
-                  details_candidates.first.last
-                else
-                  details_candidates.find do |k, _|
-                    k.split(/(?<=\w)\@/)[1..-1].join("@") == requirement
-                  end&.last
-                end
+                yarn_lockfile_details(lockfile, dependency_name, requirement, manifest_name)
               end
 
             return details if details
@@ -65,6 +52,43 @@ module Dependabot
             compact
         end
 
+        def npm_lockfile_details(lockfile, dependency_name, manifest_name)
+          parsed_lockfile = parse_package_lock(lockfile)
+
+          if Helpers.npm_version(lockfile.content) == "npm7"
+            parsed_lockfile.dig(
+              "packages",
+              node_modules_path(manifest_name, dependency_name)
+            )&.slice("version", "resolved", "integrity", "dev")
+          else
+            parsed_lockfile.dig("dependencies", dependency_name)
+          end
+        end
+
+        def yarn_lockfile_details(lockfile, dependency_name, requirement, _manifest_name)
+          parsed_yarn_lock = parse_yarn_lock(lockfile)
+          details_candidates =
+            parsed_yarn_lock.
+            select { |k, _| k.split(/(?<=\w)\@/)[0] == dependency_name }
+
+          # If there's only one entry for this dependency, use it, even if
+          # the requirement in the lockfile doesn't match
+          if details_candidates.one?
+            details_candidates.first.last
+          else
+            details_candidates.find do |k, _|
+              k.split(/(?<=\w)\@/)[1..-1].join("@") == requirement
+            end&.last
+          end
+        end
+
+        def node_modules_path(manifest_name, dependency_name)
+          return "node_modules/#{dependency_name}" if manifest_name == "package.json"
+
+          workspace_path = manifest_name.gsub("/package.json", "")
+          File.join(workspace_path, "node_modules", dependency_name)
+        end
+
         def yarn_lock_dependencies
           dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
 

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -117,11 +117,11 @@ module Dependabot
       end
 
       def package_lock_changed?(package_lock)
-        package_lock.content != updated_package_lock_content(package_lock)
+        package_lock.content != updated_lockfile_content(package_lock)
       end
 
       def shrinkwrap_changed?(shrinkwrap)
-        shrinkwrap.content != updated_package_lock_content(shrinkwrap)
+        shrinkwrap.content != updated_lockfile_content(shrinkwrap)
       end
 
       def updated_manifest_files
@@ -150,7 +150,7 @@ module Dependabot
 
           updated_files << updated_file(
             file: package_lock,
-            content: updated_package_lock_content(package_lock)
+            content: updated_lockfile_content(package_lock)
           )
         end
 
@@ -159,7 +159,7 @@ module Dependabot
 
           updated_files << updated_file(
             file: shrinkwrap,
-            content: updated_shrinkwrap_content(shrinkwrap)
+            content: updated_lockfile_content(shrinkwrap)
           )
         end
 
@@ -181,25 +181,15 @@ module Dependabot
           )
       end
 
-      def updated_package_lock_content(package_lock)
-        @updated_package_lock_content ||= {}
-        @updated_package_lock_content[package_lock.name] ||=
-          npm_lockfile_updater.updated_lockfile_content(package_lock)
-      end
-
-      def updated_shrinkwrap_content(shrinkwrap)
-        @updated_shrinkwrap_content ||= {}
-        @updated_shrinkwrap_content[shrinkwrap.name] ||=
-          npm_lockfile_updater.updated_lockfile_content(shrinkwrap)
-      end
-
-      def npm_lockfile_updater
-        @npm_lockfile_updater ||=
+      def updated_lockfile_content(file)
+        @updated_lockfile_content ||= {}
+        @updated_lockfile_content[file.name] ||=
           NpmLockfileUpdater.new(
+            lockfile: file,
             dependencies: dependencies,
             dependency_files: dependency_files,
             credentials: credentials
-          )
+          ).updated_lockfile.content
       end
 
       def updated_package_json_content(file)

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -17,45 +17,54 @@ module Dependabot
         require_relative "npmrc_builder"
         require_relative "package_json_updater"
 
-        def initialize(dependencies:, dependency_files:, credentials:)
+        def initialize(lockfile:, dependencies:, dependency_files:, credentials:)
+          @lockfile = lockfile
           @dependencies = dependencies
           @dependency_files = dependency_files
           @credentials = credentials
         end
 
-        def updated_lockfile_content(lockfile)
-          return lockfile.content if npmrc_disables_lockfile?
-          return lockfile.content if updatable_dependencies(lockfile).empty?
-
-          @updated_lockfile_content ||= {}
-          @updated_lockfile_content[lockfile.name] ||=
-            SharedHelpers.in_a_temporary_directory do
-              path = Pathname.new(lockfile.name).dirname.to_s
-              lockfile_name = Pathname.new(lockfile.name).basename.to_s
-              write_temporary_dependency_files(lockfile.name)
-              updated_files = Dir.chdir(path) do
-                run_current_npm_update(lockfile_name: lockfile_name, lockfile_content: lockfile.content)
-              end
-              updated_content = updated_files.fetch(lockfile_name)
-              post_process_npm_lockfile(lockfile.content, updated_content)
-            end
-        rescue SharedHelpers::HelperSubprocessFailed => e
-          handle_npm_updater_error(e, lockfile)
+        def updated_lockfile
+          updated_file = lockfile.dup
+          updated_file.content = updated_lockfile_content
+          updated_file
         end
 
         private
 
-        attr_reader :dependencies, :dependency_files, :credentials
+        attr_reader :lockfile, :dependencies, :dependency_files, :credentials
 
-        UNREACHABLE_GIT =
-          /ls-remote (?:(-h -t)|(--tags --heads)) (?<url>.*)/.freeze
-        FORBIDDEN_PACKAGE =
-          %r{(?<package_req>[^/]+) - (Forbidden|Unauthorized)}.freeze
+        UNREACHABLE_GIT = /fatal: repository '(?<url>.*)' not found/.freeze
+        FORBIDDEN_GIT = /fatal: Authentication failed for '(?<url>.*)'/.freeze
+        FORBIDDEN_PACKAGE = %r{(?<package_req>[^/]+) - (Forbidden|Unauthorized)}.freeze
         FORBIDDEN_PACKAGE_403 = %r{^403\sForbidden\s
           -\sGET\shttps?://(?<source>[^/]+)/(?<package_req>[^/\s]+)}x.freeze
         MISSING_PACKAGE = %r{(?<package_req>[^/]+) - Not found}.freeze
         INVALID_PACKAGE = /Can't install (?<package_req>.*): Missing/.freeze
 
+        # TODO: look into fixing this in npm, seems like a bug in the git
+        # downloader introduced in npm 7
+        #
+        # NOTE: error message returned from arborist/npm 7 when trying to
+        # fetching a invalid/non-existent git ref
+        NPM7_MISSING_GIT_REF = /already exists and is not an empty directory/.freeze
+        NPM6_MISSING_GIT_REF = /did not match any file\(s\) known to git/.freeze
+
+        def updated_lockfile_content
+          return lockfile.content if npmrc_disables_lockfile?
+          return lockfile.content unless updatable_dependencies.any?
+
+          @updated_lockfile_content ||=
+            SharedHelpers.in_a_temporary_directory do
+              write_temporary_dependency_files
+              updated_files = Dir.chdir(lockfile_directory) { run_current_npm_update }
+              updated_lockfile_content = updated_files.fetch(lockfile_basename)
+              post_process_npm_lockfile(updated_lockfile_content)
+            end
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          handle_npm_updater_error(e)
+        end
+
         def top_level_dependencies
           dependencies.select(&:top_level?)
         end
@@ -64,18 +73,14 @@ module Dependabot
           dependencies.reject(&:top_level?)
         end
 
-        def updatable_dependencies(lockfile)
-          lockfile_dir = Pathname.new(lockfile.name).dirname.to_s
+        def updatable_dependencies
           dependencies.reject do |dependency|
-            dependency_up_to_date?(lockfile, dependency) ||
-              top_level_dependency_update_not_required?(dependency,
-                                                        lockfile_dir)
+            dependency_up_to_date?(dependency) || top_level_dependency_update_not_required?(dependency)
           end
         end
 
-        def lockfile_dependencies(lockfile)
-          @lockfile_dependencies ||= {}
-          @lockfile_dependencies[lockfile.name] ||=
+        def lockfile_dependencies
+          @lockfile_dependencies ||=
             NpmAndYarn::FileParser.new(
               dependency_files: [lockfile, *package_files],
               source: nil,
@@ -83,9 +88,8 @@ module Dependabot
             ).parse
         end
 
-        def dependency_up_to_date?(lockfile, dependency)
-          existing_dep = lockfile_dependencies(lockfile).
-                         find { |dep| dep.name == dependency.name }
+        def dependency_up_to_date?(dependency)
+          existing_dep = lockfile_dependencies.find { |dep| dep.name == dependency.name }
 
           # If the dependency is missing but top level it should be treated as
           # not up to date
@@ -96,99 +100,204 @@ module Dependabot
           existing_dep&.version == dependency.version
         end
 
-        # Prevent changes to the lockfile when the dependency has been
+        # NOTE: Prevent changes to npm 6 lockfiles when the dependency has been
         # required in a package.json outside the current folder (e.g. lerna
-        # proj)
-        def top_level_dependency_update_not_required?(dependency,
-                                                      lockfile_dir)
-          requirements_for_path = dependency.requirements.select do |req|
-            req_dir = Pathname.new(req[:file]).dirname.to_s
-            req_dir == lockfile_dir
-          end
-
-          dependency.top_level? && requirements_for_path.empty?
+        # proj). npm 7 introduces workspace support so we explitly want to
+        # update the root lockfile and check if the dependency is in the
+        # lockfile
+        def top_level_dependency_update_not_required?(dependency)
+          dependency.top_level? &&
+            !dependency_in_package_json?(dependency) &&
+            !dependency_in_lockfile?(dependency)
         end
 
-        def run_current_npm_update(lockfile_name:, lockfile_content:)
-          top_level_dependency_updates = top_level_dependencies.map do |d|
-            { name: d.name, version: d.version, requirements: d.requirements }
-          end
-
-          run_npm_updater(
-            lockfile_name: lockfile_name,
-            top_level_dependency_updates: top_level_dependency_updates,
-            lockfile_content: lockfile_content
-          )
+        def run_current_npm_update
+          run_npm_updater(top_level_dependencies: top_level_dependencies)
         end
 
-        def run_previous_npm_update(lockfile_name:, lockfile_content:)
+        def run_previous_npm_update
           previous_top_level_dependencies = top_level_dependencies.map do |d|
-            {
+            Dependabot::Dependency.new(
               name: d.name,
+              package_manager: d.package_manager,
               version: d.previous_version,
-              requirements: d.previous_requirements
-            }
+              previous_version: d.previous_version,
+              requirements: d.previous_requirements,
+              previous_requirements: d.previous_requirements
+            )
           end
 
-          run_npm_updater(
-            lockfile_name: lockfile_name,
-            top_level_dependency_updates: previous_top_level_dependencies,
-            lockfile_content: lockfile_content
-          )
+          run_npm_updater(top_level_dependencies: previous_top_level_dependencies)
         end
 
-        def run_npm_updater(lockfile_name:, top_level_dependency_updates:, lockfile_content:)
+        def run_npm_updater(top_level_dependencies:)
           SharedHelpers.with_git_configured(credentials: credentials) do
-            if top_level_dependency_updates.any?
-              run_npm_top_level_updater(
-                lockfile_name: lockfile_name,
-                top_level_dependency_updates: top_level_dependency_updates,
-                lockfile_content: lockfile_content
-              )
+            if top_level_dependencies.any?
+              run_npm_top_level_updater(top_level_dependencies: top_level_dependencies)
             else
-              run_npm_subdependency_updater(lockfile_name: lockfile_name, lockfile_content: lockfile_content)
+              run_npm_subdependency_updater
             end
           end
         end
 
-        def run_npm_top_level_updater(lockfile_name:, top_level_dependency_updates:, lockfile_content:)
-          npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile_content)
-          Dependabot.logger.info(npm_version)
+        def run_npm_top_level_updater(top_level_dependencies:)
+          if npm7?
+            run_npm_7_top_level_updater(top_level_dependencies: top_level_dependencies)
+          else
+            SharedHelpers.run_helper_subprocess(
+              command: NativeHelpers.helper_path,
+              function: "npm6:update",
+              args: [
+                Dir.pwd,
+                lockfile_basename,
+                top_level_dependencies.map(&:to_h)
+              ]
+            )
+          end
+        end
 
-          SharedHelpers.run_helper_subprocess(
-            command: NativeHelpers.helper_path,
-            function: "npm6:update",
-            args: [
-              Dir.pwd,
-              lockfile_name,
-              top_level_dependency_updates
-            ]
-          )
+        def run_npm_7_top_level_updater(top_level_dependencies:)
+          dependencies_in_current_package_json = top_level_dependencies.any? do |dependency|
+            dependency_in_package_json?(dependency)
+          end
+
+          # NOTE: When updating a dependency in a nested workspace project we
+          # need to run `npm install` without any arguments to update the root
+          # level lockfile after having updated the nested packages package.json
+          # requirement, otherwise npm will add the dependency as a new
+          # top-level dependency to the root lockfile.
+          install_args = ""
+          if dependencies_in_current_package_json
+            # TODO: Update the npm 6 updater to use these args as we currently
+            # do the same in the js updater helper, we've kept it seperate for
+            # the npm 7 rollout
+            install_args = top_level_dependencies.map { |dependency| npm_install_args(dependency) }
+          end
+
+          # NOTE: npm options
+          # - `--force` ignores checks for platform (os, cpu) and engines
+          # - `--dry-run=false` the updater sets a global .npmrc with dry-run:
+          #   true to work around an issue in npm 6, we don't want that here
+          # - `--ignore-scripts` disables prepare and prepack scripts which are
+          #   run when installing git dependencies
+          command = [
+            "npm",
+            "install",
+            *install_args,
+            "--force",
+            "--dry-run",
+            "false",
+            "--ignore-scripts",
+            "--package-lock-only"
+          ].join(" ")
+          SharedHelpers.run_shell_command(command)
+          { lockfile_basename => File.read(lockfile_basename) }
+        end
+
+        def run_npm_subdependency_updater
+          if npm7?
+            run_npm_7_subdependency_updater
+          else
+            SharedHelpers.run_helper_subprocess(
+              command: NativeHelpers.helper_path,
+              function: "npm6:updateSubdependency",
+              args: [Dir.pwd, lockfile_basename, sub_dependencies.map(&:to_h)]
+            )
+          end
         end
 
-        def run_npm_subdependency_updater(lockfile_name:, lockfile_content:)
-          npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile_content)
-          Dependabot.logger.info(npm_version)
+        def run_npm_7_subdependency_updater
+          dependency_names = sub_dependencies.map(&:name)
+          # NOTE: npm options
+          # - `--force` ignores checks for platform (os, cpu) and engines
+          # - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to
+          #   work around an issue in npm 6, we don't want that here
+          # - `--ignore-scripts` disables prepare and prepack scripts which are run
+          #   when installing git dependencies
+          command = [
+            "npm",
+            "update",
+            *dependency_names,
+            "--force",
+            "--dry-run",
+            "false",
+            "--ignore-scripts",
+            "--package-lock-only"
+          ].join(" ")
+          SharedHelpers.run_shell_command(command)
+          { lockfile_basename => File.read(lockfile_basename) }
+        end
+
+        def updated_version_requirement_for_dependency(dependency)
+          flattenend_manifest_dependencies[dependency.name]
+        end
+
+        # TODO: Add the raw updated requirement to the Dependency instance
+        # instead of fishing it out of the updated package json, we need to do
+        # this because we don't store the same requirement in
+        # Dependency#requirements for git dependencies - see PackageJsonUpdater
+        def flattenend_manifest_dependencies
+          return @flattenend_manifest_dependencies if defined?(@flattenend_manifest_dependencies)
+
+          @flattenend_manifest_dependencies =
+            NpmAndYarn::FileParser::DEPENDENCY_TYPES.inject({}) do |deps, type|
+              deps.merge(parsed_package_json[type] || {})
+            end
+        end
 
-          SharedHelpers.run_helper_subprocess(
-            command: NativeHelpers.helper_path,
-            function: "npm6:updateSubdependency",
-            args: [Dir.pwd, lockfile_name, sub_dependencies.map(&:to_h)]
-          )
+        def npm_install_args(dependency)
+          git_requirement = dependency.requirements.find { |req| req[:source] && req[:source][:type] == "git" }
+
+          if git_requirement
+            # NOTE: For git dependencies we loose some information about the
+            # requirement that's only available in the package.json, e.g. when
+            # specifying a semver tag:
+            # `dependabot/depeendabot-core#semver:^0.1` - this is required to
+            # pass the correct install argument to `npm install`
+            updated_version_requirement = updated_version_requirement_for_dependency(dependency)
+            updated_version_requirement ||= git_requirement[:source][:url]
+
+            # NOTE: Git is configured to auth over https while updating
+            updated_version_requirement = updated_version_requirement.gsub(
+              %r{git\+ssh://git@(.*?)[:/]}, 'https://\1/'
+            )
+
+            # NOTE: Keep any semver range that has already been updated by the
+            # PackageJsonUpdater when installing the new version
+            if updated_version_requirement.include?(dependency.version)
+              "#{dependency.name}@#{updated_version_requirement}"
+            else
+              "#{dependency.name}@#{updated_version_requirement.sub(/#.*/, '')}##{dependency.version}"
+            end
+          else
+            "#{dependency.name}@#{dependency.version}"
+          end
+        end
+
+        def dependency_in_package_json?(dependency)
+          dependency.requirements.any? do |req|
+            req[:file] == package_json.name
+          end
+        end
+
+        def dependency_in_lockfile?(dependency)
+          lockfile_dependencies.any? do |dep|
+            dep.name == dependency.name
+          end
         end
 
         # rubocop:disable Metrics/AbcSize
         # rubocop:disable Metrics/CyclomaticComplexity
         # rubocop:disable Metrics/PerceivedComplexity
         # rubocop:disable Metrics/MethodLength
-        def handle_npm_updater_error(error, lockfile)
+        def handle_npm_updater_error(error)
           error_message = error.message
           if error_message.match?(MISSING_PACKAGE)
             package_name = error_message.match(MISSING_PACKAGE).
                            named_captures["package_req"]
             sanitized_name = sanitize_package_name(package_name)
             sanitized_error = error_message.gsub(package_name, sanitized_name)
-            handle_missing_package(sanitized_name, sanitized_error, lockfile)
+            handle_missing_package(sanitized_name, sanitized_error)
           end
 
           # Invalid package: When the package.json doesn't include a name or
@@ -198,9 +307,9 @@ module Dependabot
           # workspace project)
           sub_dep_local_path_error = "does not contain a package.json file"
           if error_message.match?(INVALID_PACKAGE) ||
-             error_message.start_with?("Invalid package name") ||
+             error_message.include?("Invalid package name") ||
              error_message.include?(sub_dep_local_path_error)
-            raise_resolvability_error(error_message, lockfile)
+            raise_resolvability_error(error_message)
           end
 
           # TODO: Move this logic to the version resolver and check if a new
@@ -222,9 +331,9 @@ module Dependabot
           # This happens if a new version has been published but npm is having
           # consistency issues and the version isn't fully available on all
           # queries
-          if error_message.start_with?("No matching vers") &&
+          if error_message.include?("No matching vers") &&
              dependencies_in_error_message?(error_message) &&
-             resolvable_before_update?(lockfile)
+             resolvable_before_update?
 
             # Raise a bespoke error so we can capture and ignore it if
             # we're trying to create a new PR (which will be created
@@ -237,7 +346,7 @@ module Dependabot
                            named_captures["package_req"]
             sanitized_name = sanitize_package_name(package_name)
             sanitized_error = error_message.gsub(package_name, sanitized_name)
-            handle_missing_package(sanitized_name, sanitized_error, lockfile)
+            handle_missing_package(sanitized_name, sanitized_error)
           end
 
           # Some private registries return a 403 when the user is readonly
@@ -246,13 +355,11 @@ module Dependabot
                            named_captures["package_req"]
             sanitized_name = sanitize_package_name(package_name)
             sanitized_error = error_message.gsub(package_name, sanitized_name)
-            handle_missing_package(sanitized_name, sanitized_error, lockfile)
+            handle_missing_package(sanitized_name, sanitized_error)
           end
 
-          if error_message.match?(UNREACHABLE_GIT)
-            dependency_url =
-              error_message.match(UNREACHABLE_GIT).
-              named_captures.fetch("url")
+          if (git_error = error_message.match(UNREACHABLE_GIT) || error_message.match(FORBIDDEN_GIT))
+            dependency_url = git_error.named_captures.fetch("url")
 
             raise Dependabot::GitDependenciesNotReachable, dependency_url
           end
@@ -265,17 +372,24 @@ module Dependabot
           # people to re-generate their lockfiles (Future feature idea: add a
           # way to click-to-fix the lockfile from the issue)
           if error_message.include?("Cannot read property 'match' of ") &&
-             !resolvable_before_update?(lockfile)
-            raise_missing_lockfile_version_resolvability_error(error_message,
-                                                               lockfile)
+             !resolvable_before_update?
+            raise_missing_lockfile_version_resolvability_error(error_message)
           end
 
-          if (error_message.start_with?("No matching vers", "404 Not Found") ||
-             error_message.include?("not match any file(s) known to git") ||
+          if (error_message.include?("No matching vers") ||
+             error_message.include?("404 Not Found") ||
              error_message.include?("Non-registry package missing package") ||
-             error_message.include?("Invalid tag name")) &&
-             !resolvable_before_update?(lockfile)
-            raise_resolvability_error(error_message, lockfile)
+             error_message.include?("Invalid tag name") ||
+             error_message.match?(NPM6_MISSING_GIT_REF) ||
+             error_message.match?(NPM7_MISSING_GIT_REF)) &&
+             !resolvable_before_update?
+            raise_resolvability_error(error_message)
+          end
+
+          # NOTE: This check was introduced in npm7/arborist
+          if error_message.include?("must provide string spec")
+            msg = "Error parsing your package.json manifest: the version requirement must be a string"
+            raise Dependabot::DependencyFileNotParseable, msg
           end
 
           raise error
@@ -285,17 +399,15 @@ module Dependabot
         # rubocop:enable Metrics/PerceivedComplexity
         # rubocop:enable Metrics/MethodLength
 
-        def raise_resolvability_error(error_message, lockfile)
+        def raise_resolvability_error(error_message)
           dependency_names = dependencies.map(&:name).join(", ")
           msg = "Error whilst updating #{dependency_names} in "\
                 "#{lockfile.path}:\n#{error_message}"
           raise Dependabot::DependencyFileNotResolvable, msg
         end
 
-        def raise_missing_lockfile_version_resolvability_error(error_message,
-                                                               lockfile)
-          lockfile_dir = Pathname.new(lockfile.name).dirname
-          modules_path = lockfile_dir.join("node_modules")
+        def raise_missing_lockfile_version_resolvability_error(error_message)
+          modules_path = File.join(lockfile_directory, "node_modules")
           # NOTE: don't include the dependency names to prevent opening
           # multiple issues for each dependency that fails because we unique
           # issues on the error message (issue detail) on the backend
@@ -310,11 +422,10 @@ module Dependabot
           raise Dependabot::DependencyFileNotResolvable, msg
         end
 
-        def handle_missing_package(package_name, error_message, lockfile)
-          missing_dep = lockfile_dependencies(lockfile).
-                        find { |dep| dep.name == package_name }
+        def handle_missing_package(package_name, error_message)
+          missing_dep = lockfile_dependencies.find { |dep| dep.name == package_name }
 
-          raise_resolvability_error(error_message, lockfile) unless missing_dep
+          raise_resolvability_error(error_message) unless missing_dep
 
           reg = NpmAndYarn::UpdateChecker::RegistryFinder.new(
             dependency: missing_dep,
@@ -336,23 +447,14 @@ module Dependabot
           end
         end
 
-        def resolvable_before_update?(lockfile)
-          @resolvable_before_update ||= {}
-          return @resolvable_before_update[lockfile.name] if @resolvable_before_update.key?(lockfile.name)
+        def resolvable_before_update?
+          return @resolvable_before_update if defined?(@resolvable_before_update)
 
-          @resolvable_before_update[lockfile.name] =
+          @resolvable_before_update =
             begin
               SharedHelpers.in_a_temporary_directory do
-                write_temporary_dependency_files(
-                  lockfile.name,
-                  update_package_json: false
-                )
-
-                lockfile_name = Pathname.new(lockfile.name).basename.to_s
-                path = Pathname.new(lockfile.name).dirname.to_s
-                Dir.chdir(path) do
-                  run_previous_npm_update(lockfile_name: lockfile_name, lockfile_content: lockfile.content)
-                end
+                write_temporary_dependency_files(update_package_json: false)
+                Dir.chdir(lockfile_directory) { run_previous_npm_update }
               end
 
               true
@@ -370,12 +472,10 @@ module Dependabot
           end
         end
 
-        def write_temporary_dependency_files(lockfile_name,
-                                             update_package_json: true)
-          write_lockfiles(lockfile_name)
+        def write_temporary_dependency_files(update_package_json: true)
+          write_lockfiles
 
-          dir = Pathname.new(lockfile_name).dirname
-          File.write(File.join(dir, ".npmrc"), npmrc_content)
+          File.write(File.join(lockfile_directory, ".npmrc"), npmrc_content)
 
           package_files.each do |file|
             path = file.name
@@ -388,8 +488,11 @@ module Dependabot
                 file.content
               end
 
-            # When updating a package-lock.json we have to manually lock all
-            # git dependencies, otherwise npm will (unhelpfully) update them
+            # TODO: Figure out if we need to lock git deps for npm 7 and can
+            # start deprecating this hornets nest
+            #
+            # NOTE: When updating a package-lock.json we have to manually lock
+            # all git dependencies, otherwise npm will (unhelpfully) update them
             updated_content = lock_git_deps(updated_content)
             updated_content = replace_ssh_sources(updated_content)
             updated_content = lock_deps_with_latest_reqs(updated_content)
@@ -399,9 +502,9 @@ module Dependabot
           end
         end
 
-        def write_lockfiles(lockfile_name)
+        def write_lockfiles
           excluded_lock =
-            case lockfile_name
+            case lockfile.name
             when "package-lock.json" then "npm-shrinkwrap.json"
             when "npm-shrinkwrap.json" then "package-lock.json"
             end
@@ -502,57 +605,166 @@ module Dependabot
           @git_ssh_requirements_to_swap
         end
 
-        def post_process_npm_lockfile(original_content, updated_content)
-          updated_content =
-            replace_project_metadata(updated_content, original_content)
-
+        def post_process_npm_lockfile(updated_lockfile_content)
           # Switch SSH requirements back for git dependencies
+          updated_lockfile_content = replace_swapped_git_ssh_requirements(updated_lockfile_content)
+
+          # Switch from details back for git dependencies (they will have
+          # changed because we locked them)
+          updated_lockfile_content = replace_locked_git_dependencies(updated_lockfile_content)
+
+          parsed_updated_lockfile_content = JSON.parse(updated_lockfile_content)
+
+          # Restore lockfile name attribute from the original lockfile
+          updated_lockfile_content = replace_project_name(updated_lockfile_content, parsed_updated_lockfile_content)
+
+          # Restore npm 7 "packages" "name" entry from package.json if previously set
+          updated_lockfile_content = restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
+
+          # Switch back npm 7 lockfile "pacakages" requirements from the package.json
+          updated_lockfile_content = restore_locked_package_dependencies(
+            updated_lockfile_content, parsed_updated_lockfile_content
+          )
+
+          # Switch back the protocol of tarball resolutions if they've changed
+          # (fixes an npm bug, which appears to be applied inconsistently)
+          replace_tarball_urls(updated_lockfile_content)
+        end
+
+        def replace_project_name(updated_lockfile_content, parsed_updated_lockfile_content)
+          current_name = parsed_updated_lockfile_content["name"]
+          original_name = parsed_lockfile["name"]
+          if original_name
+            updated_lockfile_content = replace_lockfile_name_attribute(
+              current_name, original_name, updated_lockfile_content
+            )
+          end
+          updated_lockfile_content
+        end
+
+        def restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
+          return updated_lockfile_content unless npm7?
+
+          current_name = parsed_updated_lockfile_content.dig("packages", "", "name")
+          original_name = parsed_lockfile.dig("packages", "", "name")
+
+          # TODO: Submit a patch to npm fixing this issue making `npm install`
+          # consistent with `npm install --package-lock-only`
+          #
+          # NOTE: This is a workaround for npm adding a `name` attribute to the
+          # packages section in the lockfile because we install using
+          # `--package-lock-only`
+          if !original_name
+            updated_lockfile_content = remove_lockfile_packages_name_attribute(
+              current_name, updated_lockfile_content
+            )
+          elsif original_name && original_name != current_name
+            updated_lockfile_content = replace_lockfile_packages_name_attribute(
+              current_name, original_name, updated_lockfile_content
+            )
+          end
+
+          updated_lockfile_content
+        end
+
+        def replace_lockfile_name_attribute(current_name, original_name, updated_lockfile_content)
+          updated_lockfile_content.sub(
+            /"name":\s"#{current_name}"/,
+            "\"name\": \"#{original_name}\""
+          )
+        end
+
+        def replace_lockfile_packages_name_attribute(current_name, original_name, updated_lockfile_content)
+          packages_key_line = '"": {'
+          updated_lockfile_content.sub(
+            /(#{packages_key_line}[\n\s]+"name":\s)"#{current_name}"/,
+            '\1"' + original_name + '"'
+          )
+        end
+
+        def remove_lockfile_packages_name_attribute(current_name, updated_lockfile_content)
+          packages_key_line = '"": {'
+          updated_lockfile_content.gsub(/(#{packages_key_line})[\n\s]+"name":\s"#{current_name}",/, '\1')
+        end
+
+        # NOTE: This is a workaround to "sync" what's in package.json
+        # requirements and the `packages.""` entry in npm 7 v2 lockfiles. These
+        # get out of sync because we lock git dependencies (that are not being
+        # updated) to a specific sha to prevent unrelated updates and the way we
+        # invoke the `npm install` cli, where we might tell npm to install a
+        # specific versionm e.g. `npm install eslint@1.1.8` but we keep the
+        # `package.json` requirement for eslint at `^1.0.0`, in which case we
+        # need to copy this from the manifest to the lockfile after the update
+        # has finished.
+        def restore_locked_package_dependencies(updated_lockfile_content, parsed_updated_lockfile_content)
+          return updated_lockfile_content unless npm7?
+
+          dependency_names_to_restore = (dependencies.map(&:name) + git_dependencies_to_lock.keys).uniq
+
+          NpmAndYarn::FileParser::DEPENDENCY_TYPES.each do |type|
+            parsed_package_json.fetch(type, {}).each do |dependency_name, original_requirement|
+              next unless dependency_names_to_restore.include?(dependency_name)
+
+              locked_requirement = parsed_updated_lockfile_content.dig("packages", "", type, dependency_name)
+              next unless locked_requirement
+
+              locked_req = %("#{dependency_name}": "#{locked_requirement}")
+              original_req = %("#{dependency_name}": "#{original_requirement}")
+              updated_lockfile_content = updated_lockfile_content.gsub(locked_req, original_req)
+            end
+          end
+
+          updated_lockfile_content
+        end
+
+        def replace_swapped_git_ssh_requirements(updated_lockfile_content)
           git_ssh_requirements_to_swap.each do |req|
             new_r = req.gsub(%r{git\+ssh://git@(.*?)[:/]}, 'git+https://\1/')
             old_r = req.gsub(%r{git@(.*?)[:/]}, 'git@\1/')
-            updated_content = updated_content.gsub(new_r, old_r)
+            updated_lockfile_content = updated_lockfile_content.gsub(new_r, old_r)
           end
 
+          updated_lockfile_content
+        end
+
+        def replace_locked_git_dependencies(updated_lockfile_content)
           # Switch from details back for git dependencies (they will have
           # changed because we locked them)
-          git_dependencies_to_lock.each do |_, details|
+          git_dependencies_to_lock.each do |dependency_name, details|
             next unless details[:version] && details[:from]
 
             # When locking git dependencies in package.json we set the version
             # to be the git commit from the lockfile "version" field which
             # updates the lockfile "from" field to the new git commit when we
             # run npm install
-            locked_from = %("from": "#{details[:version]}")
             original_from = %("from": "#{details[:from]}")
-            updated_content = updated_content.gsub(locked_from, original_from)
+            if npm7?
+              # NOTE: The `from` syntax has changed in npm 7 to inclued the dependency name
+              npm7_locked_from = %("from": "#{dependency_name}@#{details[:version]}")
+              updated_lockfile_content = updated_lockfile_content.gsub(npm7_locked_from, original_from)
+            else
+              npm6_locked_from = %("from": "#{details[:version]}")
+              updated_lockfile_content = updated_lockfile_content.gsub(npm6_locked_from, original_from)
+            end
           end
 
-          # Switch back the protocol of tarball resolutions if they've changed
-          # (fixes an npm bug, which appears to be applied inconsistently)
+          updated_lockfile_content
+        end
+
+        def replace_tarball_urls(updated_lockfile_content)
           tarball_urls.each do |url|
             trimmed_url = url.gsub(/(\d+\.)*tgz$/, "")
             incorrect_url = if url.start_with?("https")
                               trimmed_url.gsub(/^https:/, "http:")
                             else trimmed_url.gsub(/^http:/, "https:")
                             end
-            updated_content = updated_content.gsub(
+            updated_lockfile_content = updated_lockfile_content.gsub(
               /#{Regexp.quote(incorrect_url)}(?=(\d+\.)*tgz")/,
               trimmed_url
             )
           end
 
-          updated_content
-        end
-
-        def replace_project_metadata(new_content, old_content)
-          old_name = old_content.match(/(?<="name": ").*(?=",)/)&.to_s
-
-          if old_name
-            new_content = new_content.
-                          sub(/(?<="name": ").*(?=",)/, old_name)
-          end
-
-          new_content
+          updated_lockfile_content
         end
 
         def tarball_urls
@@ -592,6 +804,12 @@ module Dependabot
           npmrc_content.match?(/^package-lock\s*=\s*false/)
         end
 
+        def npm7?
+          return @npm7 if defined?(@npm7)
+
+          @npm7 = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile.content) == "npm7"
+        end
+
         def sanitized_package_json_content(content)
           content.
             gsub(/\{\{[^\}]*?\}\}/, "something"). # {{ nm }} syntax not allowed
@@ -603,6 +821,30 @@ module Dependabot
           package_name.gsub("%2f", "/").gsub("%2F", "/")
         end
 
+        def lockfile_directory
+          Pathname.new(lockfile.name).dirname.to_s
+        end
+
+        def lockfile_basename
+          Pathname.new(lockfile.name).basename.to_s
+        end
+
+        def parsed_lockfile
+          @parsed_lockfile ||= JSON.parse(lockfile.content)
+        end
+
+        def parsed_package_json
+          return {} unless package_json
+          return @parsed_package_json if defined?(@parsed_package_json)
+
+          @parsed_package_json = JSON.parse(updated_package_json_content(package_json))
+        end
+
+        def package_json
+          package_name = lockfile.name.sub(lockfile_basename, "package.json")
+          package_files.find { |f| f.name == package_name }
+        end
+
         def package_locks
           @package_locks ||=
             dependency_files.