dependabot-npm_and_yarn 0.213.0 → 0.215.0

data/helpers/package.json

@@ -10,17 +10,17 @@
   },
   "dependencies": {
     "@dependabot/yarn-lib": "^1.22.19",
-    "@npmcli/arborist": "^6.0.0",
+    "@npmcli/arborist": "^6.1.4",
     "detect-indent": "^6.1.0",
     "nock": "^13.2.9",
     "npm": "6.14.17",
     "semver": "^7.3.8"
   },
   "devDependencies": {
-    "eslint": "^8.26.0",
+    "eslint": "^8.29.0",
     "eslint-config-prettier": "^8.5.0",
-    "jest": "^29.2.1",
-    "prettier": "^2.7.1",
+    "jest": "^29.3.1",
+    "prettier": "^2.8.0",
     "rimraf": "^3.0.2"
   }
 }

data/helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested/package-lock.json

@@ -446,9 +446,9 @@
       }
     },
     "minimatch": {
-      "version": "3.0.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz",
-      "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==",
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
       "requires": {
         "brace-expansion": "^1.1.7"
       }

data/lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb

@@ -4,7 +4,6 @@ require "json"
 require "dependabot/dependency_file"
 require "dependabot/errors"
 require "dependabot/npm_and_yarn/file_fetcher"
-require "dependabot/npm_and_yarn/file_parser/yarn_lockfile_parser"
 
 module Dependabot
   module NpmAndYarn
@@ -122,7 +121,17 @@ module Dependabot
           return {} unless yarn_lock
 
           @parsed_yarn_lock ||=
-            FileParser::YarnLockfileParser.new(lockfile: yarn_lock).parse
+            SharedHelpers.in_a_temporary_directory do
+              File.write("yarn.lock", yarn_lock.content)
+
+              SharedHelpers.run_helper_subprocess(
+                command: NativeHelpers.helper_path,
+                function: "yarn:parseLockfile",
+                args: [Dir.pwd]
+              )
+            rescue SharedHelpers::HelperSubprocessFailed
+              raise Dependabot::DependencyFileNotParseable, yarn_lock.path
+            end
         end
 
         # The path back to the root lockfile

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "json"
+require "dependabot/logger"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
 require "dependabot/npm_and_yarn/helpers"
@@ -9,6 +10,7 @@ require "dependabot/npm_and_yarn/file_parser/lockfile_parser"
 
 module Dependabot
   module NpmAndYarn
+    # rubocop:disable Metrics/ClassLength
     class FileFetcher < Dependabot::FileFetchers::Base
       require_relative "file_fetcher/path_dependency_builder"
 
@@ -30,6 +32,24 @@ module Dependabot
         "Repo must contain a package.json."
       end
 
+      # Overridden to pull any yarn data or plugins which may be stored with Git LFS.
+      def clone_repo_contents
+        return @git_lfs_cloned_repo_contents_path if defined?(@git_lfs_cloned_repo_contents_path)
+
+        @git_lfs_cloned_repo_contents_path = super
+        begin
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(@git_lfs_cloned_repo_contents_path) do
+              cache_dir = Helpers.fetch_yarnrc_yml_value("cacheFolder", "./yarn/cache")
+              SharedHelpers.run_shell_command("git lfs pull --include .yarn,#{cache_dir}")
+            end
+            @git_lfs_cloned_repo_contents_path
+          end
+        rescue StandardError
+          @git_lfs_cloned_repo_contents_path
+        end
+      end
+
       private
 
       def fetch_files
@@ -47,9 +67,42 @@ module Dependabot
         fetched_files += path_dependencies(fetched_files)
         instrument_package_manager_version
 
+        fetched_files << inferred_npmrc if inferred_npmrc
+
         fetched_files.uniq
       end
 
+      # If every entry in the lockfile uses the same registry, we can infer
+      # that there is a global .npmrc file, so add it here as if it were in the repo.
+      def inferred_npmrc
+        return @inferred_npmrc if defined?(@inferred_npmrc)
+        return @inferred_npmrc = nil unless npmrc.nil? && package_lock
+
+        known_registries = []
+        JSON.parse(package_lock.content).fetch("dependencies", {}).each do |_name, details|
+          resolved = details.fetch("resolved", "https://registry.npmjs.org")
+          begin
+            uri = URI.parse(resolved)
+          rescue URI::InvalidURIError
+            # Ignoring non-URIs since they're not registries.
+            # This can happen if resolved is false, for instance.
+            next
+          end
+          # Check for scheme since path dependencies will not have one
+          known_registries << "#{uri.scheme}://#{uri.host}" if uri.scheme && uri.host
+        end
+
+        if known_registries.uniq.length == 1 && known_registries.first != "https://registry.npmjs.org"
+          Dependabot.logger.info("Inferred global NPM registry is: #{known_registries.first}")
+          return @inferred_npmrc = Dependabot::DependencyFile.new(
+            name: ".npmrc",
+            content: "registry=#{known_registries.first}"
+          )
+        end
+
+        @inferred_npmrc = nil
+      end
+
       def instrument_package_manager_version
         package_managers = {}
 
@@ -68,7 +121,7 @@ module Dependabot
         return @yarn_version if defined?(@yarn_version)
 
         package = JSON.parse(package_json.content)
-        if Experiments.enabled?(:yarn_berry) && (package_manager = package.fetch("packageManager", nil))
+        if (package_manager = package.fetch("packageManager", nil))
           get_yarn_version_from_package_json(package_manager)
         elsif yarn_lock
           1
@@ -152,11 +205,16 @@ module Dependabot
         @lerna_packages ||= fetch_lerna_packages
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
       def path_dependencies(fetched_files)
         package_json_files = []
         unfetchable_deps = []
 
         path_dependency_details(fetched_files).each do |name, path|
+          # This happens with relative paths in the package-lock. Skipping it since it results
+          # in /package.json which is outside of the project directory.
+          next if path == "file:"
+
           path = path.gsub(PATH_DEPENDENCY_CLEAN_REGEX, "")
           raise PathDependenciesNotReachable, "#{name} at #{path}" if path.start_with?("/")
 
@@ -185,6 +243,7 @@ module Dependabot
 
         package_json_files.tap { |fs| fs.each { |f| f.support_file = true } }
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
       def path_dependency_details(fetched_files)
         package_json_path_deps = []
@@ -438,6 +497,7 @@ module Dependabot
         raise Dependabot::DependencyFileNotParseable, lerna_json.path
       end
     end
+    # rubocop:enable Metrics/ClassLength
   end
 end
 

data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb

@@ -101,8 +101,8 @@ module Dependabot
             parse_yarn_lock(yarn_lock).each do |req, details|
               next unless semver_version_for(details["version"])
               next if alias_package?(req)
-              next if Experiments.enabled?(:yarn_berry) && workspace_package?(req)
-              next if Experiments.enabled?(:yarn_berry) && req == "__metadata"
+              next if workspace_package?(req)
+              next if req == "__metadata"
 
               # NOTE: The DependencySet will de-dupe our dependencies, so they
               # end up unique by name. That's not a perfect representation of
@@ -195,11 +195,7 @@ module Dependabot
         end
 
         def alias_package?(requirement)
-          if Experiments.enabled?(:yarn_berry)
-            requirement.match?(/@npm:(.+@(?!npm))/)
-          else
-            requirement.include?("@npm:")
-          end
+          requirement.match?(/@npm:(.+@(?!npm))/)
         end
 
         def workspace_package?(requirement)

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -3,7 +3,6 @@
 # See https://docs.npmjs.com/files/package.json for package.json format docs.
 
 require "dependabot/dependency"
-require "dependabot/experiments"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
 require "dependabot/shared_helpers"
@@ -105,7 +104,7 @@ module Dependabot
         # TODO: Handle aliased packages:
         # https://github.com/dependabot/dependabot-core/pull/1115
         #
-        # Ignore dependencies with an alias in the name (only supported by Yarn)
+        # Ignore dependencies with an alias in the name
         # Example: "my-fetch-factory@npm:fetch-factory"
         return if aliased_package_name?(name)
 
@@ -250,11 +249,9 @@ module Dependabot
         )
         resolved_url = lockfile_details&.fetch("resolved", nil)
 
-        if Experiments.enabled?(:yarn_berry) && resolved_url.nil?
-          resolution = lockfile_details&.fetch("resolution", nil)
-          package_match = resolution&.match(/__archiveUrl=(?<package_url>.+)/)
-          resolved_url = CGI.unescape(package_match.named_captures.fetch("package_url", "")) if package_match
-        end
+        resolution = lockfile_details&.fetch("resolution", nil)
+        package_match = resolution&.match(/__archiveUrl=(?<package_url>.+)/)
+        resolved_url = CGI.unescape(package_match.named_captures.fetch("package_url", "")) if package_match
 
         return unless resolved_url
         return unless resolved_url.start_with?("http")
@@ -337,7 +334,7 @@ module Dependabot
               dependency_files.
               select { |f| f.name.end_with?("package.json") }.
               reject { |f| f.name == "package.json" }.
-              reject { |f| f.name.include?("node_modules/") if Experiments.enabled?(:yarn_berry) }.
+              reject { |f| f.name.include?("node_modules/") }.
               reject(&:support_file?)
 
             [

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -205,7 +205,19 @@ module Dependabot
             "--ignore-scripts",
             "--package-lock-only"
           ].join(" ")
-          SharedHelpers.run_shell_command(command)
+
+          fingerprint = [
+            "npm",
+            "install",
+            "<install_args>",
+            "--force",
+            "--dry-run",
+            "false",
+            "--ignore-scripts",
+            "--package-lock-only"
+          ].join(" ")
+
+          SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
           { lockfile_basename => File.read(lockfile_basename) }
         end
 
@@ -223,7 +235,7 @@ module Dependabot
 
         def run_npm8_subdependency_updater(sub_dependencies:)
           dependency_names = sub_dependencies.map(&:name)
-          SharedHelpers.run_shell_command(NativeHelpers.npm8_subdependency_update_command(dependency_names))
+          NativeHelpers.run_npm8_subdependency_update_command(dependency_names)
           { lockfile_basename => File.read(lockfile_basename) }
         end
 

data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb

@@ -7,6 +7,7 @@ module Dependabot
     class FileUpdater
       # Build a .npmrc file from the lockfile content, credentials, and any
       # committed .npmrc
+      # We should refactor this to use UpdateChecker::RegistryFinder
       class NpmrcBuilder
         CENTRAL_REGISTRIES = %w(
           registry.npmjs.org
@@ -34,6 +35,20 @@ module Dependabot
           ([initial_content] + credential_lines_for_npmrc).compact.join("\n")
         end
 
+        # PROXY WORK
+        # Yarn allows registries to be defined either in an .npmrc or .yarnrc
+        # so we need to parse both files for registry keys
+        def yarnrc_content
+          initial_content =
+            if npmrc_file then complete_yarnrc_from_credentials
+            elsif yarnrc_file then build_yarnrc_from_yarnrc
+            else
+              build_yarnrc_content_from_lockfile
+            end
+
+          initial_content || ""
+        end
+
         private
 
         attr_reader :dependency_files, :credentials
@@ -45,10 +60,19 @@ module Dependabot
           registry = global_registry["registry"]
           registry = "https://#{registry}" unless registry.start_with?("http")
           "registry = #{registry}\n" \
-            "#{global_registry_auth_line}" \
+            "#{npmrc_global_registry_auth_line}" \
             "always-auth = true"
         end
 
+        def build_yarnrc_content_from_lockfile
+          return unless yarn_lock || package_lock
+          return unless global_registry
+
+          "registry \"https://#{global_registry['registry']}\"\n" \
+            "#{yarnrc_global_registry_auth_line}" \
+            "npmAlwaysAuth: true"
+        end
+
         def global_registry # rubocop:disable Metrics/PerceivedComplexity
           return @global_registry if defined?(@global_registry)
 
@@ -62,6 +86,8 @@ module Dependabot
               # Check if this registry has already been defined in .npmrc as a scoped registry
               next false if npmrc_scoped_registries.any? { |sr| sr.include?(cred["registry"]) }
 
+              next false if yarnrc_scoped_registries.any? { |sr| sr.include?(cred["registry"]) }
+
               # If any unscoped URLs include this registry, assume it's global
               dependency_urls.
                 reject { |u| u.include?("@") || u.include?("%40") }.
@@ -69,7 +95,9 @@ module Dependabot
             end
         end
 
-        def global_registry_auth_line
+        def npmrc_global_registry_auth_line
+          # This token is passed in from the Dependabot Config
+          # We write it to the .npmrc file so that it can be used by the VulnerabilityAuditor
           token = global_registry.fetch("token", nil)
           return "" unless token
 
@@ -84,6 +112,21 @@ module Dependabot
           end
         end
 
+        def yarnrc_global_registry_auth_line
+          token = global_registry.fetch("token", nil)
+          return "" unless token
+
+          if token.include?(":")
+            encoded_token = Base64.encode64(token).delete("\n")
+            "npmAuthIdent: \"#{encoded_token}\"\n"
+          elsif Base64.decode64(token).ascii_only? &&
+                Base64.decode64(token).include?(":")
+            "npmAuthIdent: \"#{token.delete("\n")}\"\n"
+          else
+            "npmAuthToken: \"#{token}\"\n"
+          end
+        end
+
         def dependency_urls
           return @dependency_urls if defined?(@dependency_urls)
 
@@ -119,15 +162,27 @@ module Dependabot
           registry = "https://#{registry}" unless registry.start_with?("http")
           initial_content +
             "registry = #{registry}\n" \
-            "#{global_registry_auth_line}" \
+            "#{npmrc_global_registry_auth_line}" \
             "always-auth = true\n"
         end
 
+        def complete_yarnrc_from_credentials
+          initial_content = yarnrc_file.content.
+                            gsub(/^.*\$\{.*\}.*/, "").strip + "\n"
+          return initial_content unless yarn_lock || package_lock
+          return initial_content unless global_registry
+
+          initial_content +
+            "registry: \"https://#{global_registry['registry']}\"\n" \
+            "#{yarnrc_global_registry_auth_line}" \
+            "npmAlwaysAuth: true\n"
+        end
+
         def build_npmrc_from_yarnrc
           yarnrc_global_registry =
             yarnrc_file.content.
             lines.find { |line| line.match?(/^\s*registry\s/) }&.
-            match(/^\s*registry\s+"(?<registry>[^"]+)"/)&.
+            match(NpmAndYarn::UpdateChecker::RegistryFinder::YARN_GLOBAL_REGISTRY_REGEX)&.
             named_captures&.fetch("registry")
 
           return "registry = #{yarnrc_global_registry}\n" if yarnrc_global_registry
@@ -135,6 +190,18 @@ module Dependabot
           build_npmrc_content_from_lockfile
         end
 
+        def build_yarnrc_from_yarnrc
+          yarnrc_global_registry =
+            yarnrc_file.content.
+            lines.find { |line| line.match?(/^\s*registry\s/) }&.
+            match(/^\s*registry\s+"(?<registry>[^"]+)"/)&.
+            named_captures&.fetch("registry")
+
+          return "registry \"#{yarnrc_global_registry}\"\n" if yarnrc_global_registry
+
+          build_yarnrc_content_from_lockfile
+        end
+
         def credential_lines_for_npmrc
           lines = []
           registry_credentials.each do |cred|
@@ -173,6 +240,14 @@ module Dependabot
             filter_map { |line| line.match(SCOPED_REGISTRY)&.named_captures&.fetch("registry") }
         end
 
+        def yarnrc_scoped_registries
+          return [] unless yarnrc_file
+
+          @yarnrc_scoped_registries ||=
+            yarnrc_file.content.lines.select { |line| line.match?(SCOPED_REGISTRY) }.
+            filter_map { |line| line.match(SCOPED_REGISTRY)&.named_captures&.fetch("registry") }
+        end
+
         # rubocop:disable Metrics/PerceivedComplexity
         def registry_scopes(registry)
           # Central registries don't just apply to scopes

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -9,7 +9,6 @@ require "dependabot/npm_and_yarn/update_checker/registry_finder"
 require "dependabot/npm_and_yarn/native_helpers"
 require "dependabot/shared_helpers"
 require "dependabot/errors"
-require "dependabot/experiments"
 
 # rubocop:disable Metrics/ClassLength
 module Dependabot
@@ -55,7 +54,7 @@ module Dependabot
         def updated_yarn_lock(yarn_lock)
           base_dir = dependency_files.first.directory
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
-            write_temporary_dependency_files
+            write_temporary_dependency_files(yarn_lock)
             lockfile_name = Pathname.new(yarn_lock.name).basename.to_s
             path = Pathname.new(yarn_lock.name).dirname.to_s
             updated_files = run_current_yarn_update(
@@ -107,7 +106,7 @@ module Dependabot
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               if top_level_dependency_updates.any?
-                if yarn_berry?(yarn_lock)
+                if Helpers.yarn_berry?(yarn_lock)
                   run_yarn_berry_top_level_updater(top_level_dependency_updates: top_level_dependency_updates,
                                                    yarn_lock: yarn_lock)
                 else
@@ -116,7 +115,7 @@ module Dependabot
                     top_level_dependency_updates: top_level_dependency_updates
                   )
                 end
-              elsif yarn_berry?(yarn_lock)
+              elsif Helpers.yarn_berry?(yarn_lock)
                 run_yarn_berry_subdependency_updater(yarn_lock: yarn_lock)
               else
                 run_yarn_subdependency_updater(yarn_lock: yarn_lock)
@@ -143,30 +142,25 @@ module Dependabot
 
         # rubocop:enable Metrics/PerceivedComplexity
 
-        def yarn_berry?(yarn_lock)
-          return false unless Experiments.enabled?(:yarn_berry)
-
-          yaml = YAML.safe_load(yarn_lock.content)
-          yaml.key?("__metadata")
-        rescue StandardError
-          false
-        end
-
         def run_yarn_berry_top_level_updater(top_level_dependency_updates:, yarn_lock:)
+          write_temporary_dependency_files(yarn_lock)
           # If the requirements have changed, it means we've updated the
           # package.json file(s), and we can just run yarn install to get the
           # lockfile in the right state. Otherwise we'll need to manually update
           # the lockfile.
 
-          command = if top_level_dependency_updates.all? { |dep| requirements_changed?(dep[:name]) }
-                      "yarn install"
-                    else
-                      updates = top_level_dependency_updates.collect do |dep|
-                        dep[:requirements].map { |req| "#{dep[:name]}@#{req[:requirement]}" }.join(" ")
-                      end
-                      "yarn up #{updates.join(' ')}"
-                    end
-          Helpers.run_yarn_commands(command)
+          if top_level_dependency_updates.all? { |dep| requirements_changed?(dep[:name]) }
+            Helpers.run_yarn_command("yarn install #{yarn_berry_args}".strip)
+          else
+            updates = top_level_dependency_updates.collect do |dep|
+              dep[:name]
+            end
+
+            Helpers.run_yarn_command(
+              "yarn up -R #{updates.join(' ')} #{yarn_berry_args}".strip,
+              fingerprint: "yarn up -R <dependency_names> #{yarn_berry_args}".strip
+            )
+          end
           { yarn_lock.name => File.read(yarn_lock.name) }
         end
 
@@ -179,14 +173,20 @@ module Dependabot
           dep = sub_dependencies.first
           update = "#{dep.name}@#{dep.version}"
 
-          Helpers.run_yarn_commands(
-            "yarn add #{update}",
-            "yarn dedupe #{dep.name}",
-            "yarn remove #{dep.name}"
-          )
+          commands = [
+            ["yarn add #{update} #{yarn_berry_args}".strip, "yarn add <update> #{yarn_berry_args}".strip],
+            ["yarn dedupe #{dep.name} #{yarn_berry_args}".strip, "yarn dedupe <dep_name> #{yarn_berry_args}".strip],
+            ["yarn remove #{dep.name} #{yarn_berry_args}".strip, "yarn remove <dep_name> #{yarn_berry_args}".strip]
+          ]
+
+          Helpers.run_yarn_commands(*commands)
           { yarn_lock.name => File.read(yarn_lock.name) }
         end
 
+        def yarn_berry_args
+          Helpers.yarn_berry_args
+        end
+
         def run_yarn_top_level_updater(top_level_dependency_updates:)
           SharedHelpers.run_helper_subprocess(
             command: NativeHelpers.helper_path,
@@ -316,7 +316,7 @@ module Dependabot
             begin
               base_dir = dependency_files.first.directory
               SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
-                write_temporary_dependency_files(update_package_json: false)
+                write_temporary_dependency_files(yarn_lock, update_package_json: false)
                 path = Pathname.new(yarn_lock.name).dirname.to_s
                 run_previous_yarn_update(path: path, yarn_lock: yarn_lock)
               end
@@ -336,11 +336,15 @@ module Dependabot
           end
         end
 
-        def write_temporary_dependency_files(update_package_json: true)
+        def write_temporary_dependency_files(yarn_lock, update_package_json: true)
           write_lockfiles
 
-          File.write(".npmrc", npmrc_content)
-          File.write(".yarnrc", yarnrc_content) if yarnrc_specifies_npm_reg?
+          if Helpers.yarn_berry?(yarn_lock)
+            File.write(".yarnrc.yml", yarnrc_yml_content) if yarnrc_yml_file
+          else
+            File.write(".npmrc", npmrc_content) unless Helpers.yarn_berry?(yarn_lock)
+            File.write(".yarnrc", yarnrc_content) if yarnrc_specifies_private_reg?
+          end
 
           package_files.each do |file|
             path = file.name
@@ -526,7 +530,7 @@ module Dependabot
           npmrc_content.match?(/^package-lock\s*=\s*false/)
         end
 
-        def yarnrc_specifies_npm_reg?
+        def yarnrc_specifies_private_reg?
           return false unless yarnrc_file
 
           regex = UpdateChecker::RegistryFinder::YARN_GLOBAL_REGISTRY_REGEX
@@ -539,11 +543,16 @@ module Dependabot
 
           return false unless yarnrc_global_registry
 
-          URI(yarnrc_global_registry).host == "registry.npmjs.org"
+          UpdateChecker::RegistryFinder::CENTRAL_REGISTRIES.any? do |r|
+            r.include?(URI(yarnrc_global_registry).host)
+          end
         end
 
         def yarnrc_content
-          'registry "https://registry.npmjs.org"'
+          NpmrcBuilder.new(
+            credentials: credentials,
+            dependency_files: dependency_files
+          ).yarnrc_content
         end
 
         def sanitized_package_json_content(content)
@@ -583,6 +592,10 @@ module Dependabot
         def yarnrc_yml_file
           dependency_files.find { |f| f.name.end_with?(".yarnrc.yml") }
         end
+
+        def yarnrc_yml_content
+          yarnrc_yml_file.content
+        end
       end
     end
   end

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "dependabot/experiments"
 require "dependabot/file_updaters"
 require "dependabot/file_updaters/base"
 require "dependabot/file_updaters/vendor_updater"
@@ -55,39 +54,35 @@ module Dependabot
           )
         end
 
+        vendor_updated_files(updated_files)
+      end
+
+      private
+
+      def vendor_updated_files(updated_files)
         base_dir = updated_files.first.directory
+        pnp_updater.updated_vendor_cache_files(base_directory: base_dir).each do |file|
+          updated_files << file if file.name == ".pnp.cjs" || file.name == ".pnp.data.json"
+        end
         vendor_updater.updated_vendor_cache_files(base_directory: base_dir).each { |file| updated_files << file }
         install_state_updater.updated_vendor_cache_files(base_directory: base_dir).each do |file|
           updated_files << file
         end
-        pnp_updater.updated_vendor_cache_files(base_directory: base_dir).each do |file|
-          updated_files << file if file.name == ".pnp.cjs" || file.name == ".pnp.data.json"
-        end
 
         updated_files
       end
 
-      private
-
       # Dynamically fetch the vendor cache folder from yarn
       def vendor_cache_dir
         return @vendor_cache_dir if defined?(@vendor_cache_dir)
 
-        @vendor_cache_dir = if File.exist?(".yarnrc.yml")
-                              YAML.load_file(".yarnrc.yml").fetch("cacheFolder", "./.yarn/cache")
-                            else
-                              "./.yarn/cache"
-                            end
+        @vendor_cache_dir = Helpers.fetch_yarnrc_yml_value("cacheFolder", "./.yarn/cache")
       end
 
       def install_state_path
         return @install_state_path if defined?(@install_state_path)
 
-        @install_state_path = if File.exist?(".yarnrc.yml")
-                                YAML.load_file(".yarnrc.yml").fetch("installStatePath", "./.yarn/install-state.gz")
-                              else
-                                "./.yarn/install-state.gz"
-                              end
+        @install_state_path = Helpers.fetch_yarnrc_yml_value("installStatePath", "./.yarn/install-state.gz")
       end
 
       def vendor_updater