dependabot-npm_and_yarn 0.215.0 → 0.216.1

data/helpers/package.json

@@ -10,17 +10,16 @@
   },
   "dependencies": {
     "@dependabot/yarn-lib": "^1.22.19",
-    "@npmcli/arborist": "^6.1.4",
+    "@npmcli/arborist": "^6.2.7",
     "detect-indent": "^6.1.0",
-    "nock": "^13.2.9",
-    "npm": "6.14.17",
-    "semver": "^7.3.8"
+    "nock": "^13.3.0",
+    "npm": "6.14.18",
+    "semver": "^7.4.0"
   },
   "devDependencies": {
-    "eslint": "^8.29.0",
-    "eslint-config-prettier": "^8.5.0",
-    "jest": "^29.3.1",
-    "prettier": "^2.8.0",
-    "rimraf": "^3.0.2"
+    "eslint": "^8.38.0",
+    "eslint-config-prettier": "^8.8.0",
+    "jest": "^29.5.0",
+    "prettier": "^2.8.7"
   }
 }

data/helpers/test/npm6/conflicting-dependency-parser.test.js

@@ -1,7 +1,6 @@
 const path = require("path");
 const os = require("os");
 const fs = require("fs");
-const rimraf = require("rimraf");
 const {
   findConflictingDependencies,
 } = require("../../lib/npm/conflicting-dependency-parser");
@@ -12,7 +11,7 @@ describe("findConflictingDependencies", () => {
   beforeEach(() => {
     tempDir = fs.mkdtempSync(os.tmpdir() + path.sep);
   });
-  afterEach(() => rimraf.sync(tempDir));
+  afterEach(() => fs.rmdir(tempDir, { recursive: true }, () => {}));
 
   it("finds conflicting dependencies", async () => {
     helpers.copyDependencies("conflicting-dependency-parser/simple", tempDir);

data/helpers/test/npm6/fixtures/conflicting-dependency-parser/deeply-nested/package-lock.json

@@ -454,9 +454,9 @@
       }
     },
     "minimist": {
-      "version": "1.2.5",
-      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz",
-      "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw=="
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
+      "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA=="
     },
     "mkdirp": {
       "version": "0.5.5",

data/helpers/test/npm6/updater.test.js

@@ -1,7 +1,6 @@
 const path = require("path");
 const os = require("os");
 const fs = require("fs");
-const rimraf = require("rimraf");
 const { updateDependencyFiles } = require("../../lib/npm6/updater");
 const helpers = require("./helpers");
 
@@ -10,7 +9,7 @@ describe("updater", () => {
   beforeEach(() => {
     tempDir = fs.mkdtempSync(os.tmpdir() + path.sep);
   });
-  afterEach(() => rimraf.sync(tempDir));
+  afterEach(() => fs.rm(tempDir, { recursive: true }, () => {}));
 
   it("generates an updated package-lock.json", async () => {
     helpers.copyDependencies("updater/original", tempDir);

data/helpers/test/yarn/conflicting-dependency-parser.test.js

@@ -1,7 +1,6 @@
 const path = require("path");
 const os = require("os");
 const fs = require("fs");
-const rimraf = require("rimraf");
 const {
   findConflictingDependencies,
 } = require("../../lib/yarn/conflicting-dependency-parser");
@@ -12,7 +11,7 @@ fdescribe("findConflictingDependencies", () => {
   beforeEach(() => {
     tempDir = fs.mkdtempSync(os.tmpdir() + path.sep);
   });
-  afterEach(() => rimraf.sync(tempDir));
+  afterEach(() => fs.rm(tempDir, { recursive: true }, () => {}));
 
   it("finds conflicting dependencies", async () => {
     helpers.copyDependencies("conflicting-dependency-parser/simple", tempDir);

data/helpers/test/yarn/fixtures/conflicting-dependency-parser/deeply-nested/yarn.lock

@@ -399,9 +399,9 @@ minimatch@^3.0.4:
     brace-expansion "^1.1.7"
 
 minimist@^1.2.5:
-  version "1.2.5"
-  resolved "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
-  integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==
+  version "1.2.8"
+  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz#c1a464e7693302e082a075cee0c057741ac4772c"
+  integrity sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==
 
 mkdirp@^0.5.1:
   version "0.5.5"

data/helpers/test/yarn/updater.test.js

@@ -1,7 +1,6 @@
 const path = require("path");
 const os = require("os");
 const fs = require("fs");
-const rimraf = require("rimraf");
 const { updateDependencyFiles } = require("../../lib/yarn/updater");
 const helpers = require("./helpers");
 
@@ -10,7 +9,7 @@ describe("updater", () => {
   beforeEach(() => {
     tempDir = fs.mkdtempSync(os.tmpdir() + path.sep);
   });
-  afterEach(() => rimraf.sync(tempDir));
+  afterEach(() => fs.rm(tempDir, { recursive: true }, () => {}));
 
   function copyDependencies(sourceDir, destDir) {
     const srcPackageJson = path.join(

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -10,7 +10,6 @@ require "dependabot/npm_and_yarn/file_parser/lockfile_parser"
 
 module Dependabot
   module NpmAndYarn
-    # rubocop:disable Metrics/ClassLength
     class FileFetcher < Dependabot::FileFetchers::Base
       require_relative "file_fetcher/path_dependency_builder"
 
@@ -50,6 +49,19 @@ module Dependabot
         end
       end
 
+      def package_manager_version
+        package_managers = {}
+
+        package_managers["npm"] = Helpers.npm_version_numeric(package_lock.content) if package_lock
+        package_managers["yarn"] = yarn_version if yarn_version
+        package_managers["shrinkwrap"] = 1 if shrinkwrap
+
+        {
+          ecosystem: "npm",
+          package_managers: package_managers
+        }
+      end
+
       private
 
       def fetch_files
@@ -65,7 +77,6 @@ module Dependabot
         fetched_files += workspace_package_jsons
         fetched_files += lerna_packages
         fetched_files += path_dependencies(fetched_files)
-        instrument_package_manager_version
 
         fetched_files << inferred_npmrc if inferred_npmrc
 
@@ -103,20 +114,6 @@ module Dependabot
         @inferred_npmrc = nil
       end
 
-      def instrument_package_manager_version
-        package_managers = {}
-
-        package_managers["npm"] = Helpers.npm_version_numeric(package_lock.content) if package_lock
-        package_managers["yarn"] = yarn_version if yarn_version
-        package_managers["shrinkwrap"] = 1 if shrinkwrap
-
-        Dependabot.instrument(
-          Notifications::FILE_PARSER_PACKAGE_MANAGER_VERSION_PARSED,
-          ecosystem: "npm",
-          package_managers: package_managers
-        )
-      end
-
       def yarn_version
         return @yarn_version if defined?(@yarn_version)
 
@@ -275,6 +272,9 @@ module Dependabot
         current_dir = file.name.rpartition("/").first
         current_dir = nil if current_dir == ""
 
+        current_depth = File.join(directory, file.name).split("/").count { |path| !path.empty? }
+        path_to_directory = "../" * current_depth
+
         dep_types = NpmAndYarn::FileParser::DEPENDENCY_TYPES
         parsed_manifest = JSON.parse(file.content)
         dependency_objects = parsed_manifest.values_at(*dep_types).compact
@@ -294,7 +294,7 @@ module Dependabot
           select { |_, v| v.is_a?(String) && v.start_with?(*path_starts) }.
           map do |name, path|
             path = path.gsub(PATH_DEPENDENCY_CLEAN_REGEX, "")
-            raise PathDependenciesNotReachable, "#{name} at #{path}" if path.start_with?("/")
+            raise PathDependenciesNotReachable, "#{name} at #{path}" if path.start_with?("/", "#{path_to_directory}..")
 
             path = File.join(current_dir, path) unless current_dir.nil?
             [name, Pathname.new(path).cleanpath.to_path]
@@ -353,7 +353,7 @@ module Dependabot
         dependency_files
       end
 
-      def fetch_lerna_packages_from_path(path, nested = false)
+      def fetch_lerna_packages_from_path(path)
         dependency_files = []
 
         package_json_path = File.join(path, "package.json")
@@ -366,19 +366,7 @@ module Dependabot
             fetch_file_if_present(File.join(path, "npm-shrinkwrap.json"))
           ].compact
         rescue Dependabot::DependencyFileNotFound
-          matches_double_glob =
-            parsed_lerna_json["packages"].any? do |globbed_path|
-              next false unless globbed_path.include?("**")
-
-              File.fnmatch?(globbed_path, path)
-            end
-
-          if matches_double_glob && !nested
-            dependency_files +=
-              find_directories(File.join(path, "*")).flat_map do |nested_path|
-                fetch_lerna_packages_from_path(nested_path, true)
-              end
-          end
+          nil
         end
 
         dependency_files
@@ -396,7 +384,6 @@ module Dependabot
         paths_array.flat_map { |path| recursive_find_directories(path) }
       end
 
-      # Only expands globs one level deep, so path/**/* gets expanded to path/
       def find_directories(glob)
         return [glob] unless glob.include?("*") || yarn_ignored_glob(glob)
 
@@ -418,11 +405,12 @@ module Dependabot
       def matching_paths(glob, paths)
         ignored_glob = yarn_ignored_glob(glob)
         glob = glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
+        glob = "#{glob}/*" if glob.end_with?("**")
 
-        results = paths.select { |filename| File.fnmatch?(glob, filename) }
+        results = paths.select { |filename| File.fnmatch?(glob, filename, File::FNM_PATHNAME) }
         return results unless ignored_glob
 
-        results.reject { |filename| File.fnmatch?(ignored_glob, filename) }
+        results.reject { |filename| File.fnmatch?(ignored_glob, filename, File::FNM_PATHNAME) }
       end
 
       def recursive_find_directories(glob, prefix = "")
@@ -431,11 +419,12 @@ module Dependabot
         glob = glob.gsub(%r{^\./}, "")
         glob_parts = glob.split("/")
 
-        paths = find_directories(prefix + glob_parts.first)
-        next_parts = glob_parts.drop(1)
+        current_glob = glob_parts.first
+        paths = find_directories(prefix + current_glob)
+        next_parts = current_glob == "**" ? glob_parts : glob_parts.drop(1)
         return paths if next_parts.empty?
 
-        paths = paths.flat_map do |expanded_path|
+        paths += paths.flat_map do |expanded_path|
           recursive_find_directories(next_parts.join("/"), "#{expanded_path}/")
         end
 
@@ -497,7 +486,6 @@ module Dependabot
         raise Dependabot::DependencyFileNotParseable, lerna_json.path
       end
     end
-    # rubocop:enable Metrics/ClassLength
   end
 end
 

data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require "json"
+require "dependabot/errors"
+require "dependabot/npm_and_yarn/helpers"
+
+module Dependabot
+  module NpmAndYarn
+    class FileParser
+      class JsonLock
+        def initialize(dependency_file)
+          @dependency_file = dependency_file
+        end
+
+        def parsed
+          @parsed ||= JSON.parse(@dependency_file.content)
+        rescue JSON::ParserError
+          raise Dependabot::DependencyFileNotParseable, @dependency_file.path
+        end
+
+        def dependencies
+          recursively_fetch_dependencies(parsed)
+        end
+
+        def details(dependency_name, _requirement, manifest_name)
+          if Helpers.npm_version(@dependency_file.content) == "npm8"
+            # NOTE: npm 8 sometimes doesn't install workspace dependencies in the
+            # workspace folder so we need to fallback to checking top-level
+            nested_details = parsed.dig("packages", node_modules_path(manifest_name, dependency_name))
+            details = nested_details || parsed.dig("packages", "node_modules/#{dependency_name}")
+            details&.slice("version", "resolved", "integrity", "dev")
+          else
+            parsed.dig("dependencies", dependency_name)
+          end
+        end
+
+        private
+
+        def recursively_fetch_dependencies(object_with_dependencies)
+          dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
+
+          dependencies = object_with_dependencies["dependencies"]
+          dependencies ||= object_with_dependencies.fetch("packages", {})
+
+          dependencies.each do |name, details|
+            next if name.empty? # v3 lockfiles include an empty key holding info of the current package
+
+            version = Version.semver_for(details["version"])
+            next unless version
+
+            dependency_args = {
+              name: name.split("node_modules/").last,
+              version: version,
+              package_manager: "npm_and_yarn",
+              requirements: []
+            }
+
+            if details["bundled"]
+              dependency_args[:subdependency_metadata] =
+                [{ npm_bundled: details["bundled"] }]
+            end
+
+            if details["dev"]
+              dependency_args[:subdependency_metadata] =
+                [{ production: !details["dev"] }]
+            end
+
+            dependency_set << Dependency.new(**dependency_args)
+            dependency_set += recursively_fetch_dependencies(details)
+          end
+
+          dependency_set
+        end
+
+        def node_modules_path(manifest_name, dependency_name)
+          return "node_modules/#{dependency_name}" if manifest_name == "package.json"
+
+          workspace_path = manifest_name.gsub("/package.json", "")
+          File.join(workspace_path, "node_modules", dependency_name)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb

@@ -8,15 +8,23 @@ module Dependabot
   module NpmAndYarn
     class FileParser
       class LockfileParser
+        require "dependabot/npm_and_yarn/file_parser/yarn_lock"
+        require "dependabot/npm_and_yarn/file_parser/json_lock"
+
         def initialize(dependency_files:)
           @dependency_files = dependency_files
         end
 
         def parse_set
           dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
-          dependency_set += yarn_lock_dependencies if yarn_locks.any?
-          dependency_set += package_lock_dependencies if package_locks.any?
-          dependency_set += shrinkwrap_dependencies if shrinkwraps.any?
+
+          # NOTE: The DependencySet will de-dupe our dependencies, so they
+          # end up unique by name. That's not a perfect representation of
+          # the nested nature of JS resolution, but it makes everything work
+          # comparably to other flat-resolution strategies
+          (yarn_locks + package_locks + shrinkwraps).each do |file|
+            dependency_set += lockfile_for(file).dependencies
+          end
 
           dependency_set
         end
@@ -27,12 +35,7 @@ module Dependabot
 
         def lockfile_details(dependency_name:, requirement:, manifest_name:)
           potential_lockfiles_for_manifest(manifest_name).each do |lockfile|
-            details =
-              if [*package_locks, *shrinkwraps].include?(lockfile)
-                npm_lockfile_details(lockfile, dependency_name, manifest_name)
-              else
-                yarn_lockfile_details(lockfile, dependency_name, requirement, manifest_name)
-              end
+            details = lockfile_for(lockfile).details(dependency_name, requirement, manifest_name)
 
             return details if details
           end
@@ -56,182 +59,17 @@ module Dependabot
             filter_map { |nm| dependency_files.find { |f| f.name == nm } }
         end
 
-        def npm_lockfile_details(lockfile, dependency_name, manifest_name)
-          parsed_lockfile = parse_package_lock(lockfile)
-
-          if Helpers.npm_version(lockfile.content) == "npm8"
-            # NOTE: npm 8 sometimes doesn't install workspace dependencies in the
-            # workspace folder so we need to fallback to checking top-level
-            nested_details = parsed_lockfile.dig("packages", node_modules_path(manifest_name, dependency_name))
-            details = nested_details || parsed_lockfile.dig("packages", "node_modules/#{dependency_name}")
-            details&.slice("version", "resolved", "integrity", "dev")
-          else
-            parsed_lockfile.dig("dependencies", dependency_name)
-          end
-        end
-
-        def yarn_lockfile_details(lockfile, dependency_name, requirement, _manifest_name)
-          parsed_yarn_lock = parse_yarn_lock(lockfile)
-          details_candidates =
-            parsed_yarn_lock.
-            select { |k, _| k.split(/(?<=\w)\@/)[0] == dependency_name }
-
-          # If there's only one entry for this dependency, use it, even if
-          # the requirement in the lockfile doesn't match
-          if details_candidates.one?
-            details_candidates.first.last
-          else
-            details_candidates.find do |k, _|
-              k.scan(/(?<=\w)\@(?:npm:)?([^\s,]+)/).flatten.include?(requirement)
-            end&.last
-          end
-        end
-
-        def node_modules_path(manifest_name, dependency_name)
-          return "node_modules/#{dependency_name}" if manifest_name == "package.json"
-
-          workspace_path = manifest_name.gsub("/package.json", "")
-          File.join(workspace_path, "node_modules", dependency_name)
-        end
-
-        def yarn_lock_dependencies
-          dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
-
-          yarn_locks.each do |yarn_lock|
-            parse_yarn_lock(yarn_lock).each do |req, details|
-              next unless semver_version_for(details["version"])
-              next if alias_package?(req)
-              next if workspace_package?(req)
-              next if req == "__metadata"
-
-              # NOTE: The DependencySet will de-dupe our dependencies, so they
-              # end up unique by name. That's not a perfect representation of
-              # the nested nature of JS resolution, but it makes everything work
-              # comparably to other flat-resolution strategies
-              dependency_set << Dependency.new(
-                name: req.split(/(?<=\w)\@/).first,
-                version: semver_version_for(details["version"]),
-                package_manager: "npm_and_yarn",
-                requirements: []
-              )
-            end
-          end
-
-          dependency_set
-        end
-
-        def package_lock_dependencies
-          dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
-
-          # NOTE: The DependencySet will de-dupe our dependencies, so they
-          # end up unique by name. That's not a perfect representation of
-          # the nested nature of JS resolution, but it makes everything work
-          # comparably to other flat-resolution strategies
-          package_locks.each do |package_lock|
-            parsed_lockfile = parse_package_lock(package_lock)
-            deps = recursively_fetch_npm_lock_dependencies(parsed_lockfile)
-            dependency_set += deps
-          end
-
-          dependency_set
-        end
-
-        def shrinkwrap_dependencies
-          dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
-
-          # NOTE: The DependencySet will de-dupe our dependencies, so they
-          # end up unique by name. That's not a perfect representation of
-          # the nested nature of JS resolution, but it makes everything work
-          # comparably to other flat-resolution strategies
-          shrinkwraps.each do |shrinkwrap|
-            parsed_lockfile = parse_shrinkwrap(shrinkwrap)
-            deps = recursively_fetch_npm_lock_dependencies(parsed_lockfile)
-            dependency_set += deps
-          end
-
-          dependency_set
-        end
-
-        def recursively_fetch_npm_lock_dependencies(object_with_dependencies)
-          dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
-
-          object_with_dependencies.
-            fetch("dependencies", {}).each do |name, details|
-              next unless semver_version_for(details["version"])
-
-              dependency_args = {
-                name: name,
-                version: semver_version_for(details["version"]),
-                package_manager: "npm_and_yarn",
-                requirements: []
-              }
-
-              if details["bundled"]
-                dependency_args[:subdependency_metadata] =
-                  [{ npm_bundled: details["bundled"] }]
-              end
-
-              if details["dev"]
-                dependency_args[:subdependency_metadata] =
-                  [{ production: !details["dev"] }]
-              end
-
-              dependency_set << Dependency.new(**dependency_args)
-              dependency_set += recursively_fetch_npm_lock_dependencies(details)
-            end
-
-          dependency_set
-        end
-
-        def semver_version_for(version_string)
-          # The next two lines are to guard against improperly formatted
-          # versions in a lockfile, such as an empty string or additional
-          # characters. NPM/yarn fixes these when running an update, so we can
-          # safely ignore these versions.
-          return if version_string == ""
-          return unless version_class.correct?(version_string)
-
-          version_string
+        def parsed_lockfile(file)
+          lockfile_for(file).parsed
         end
 
-        def alias_package?(requirement)
-          requirement.match?(/@npm:(.+@(?!npm))/)
-        end
-
-        def workspace_package?(requirement)
-          requirement.include?("@workspace:")
-        end
-
-        def parse_package_lock(package_lock)
-          @parse_package_lock ||= {}
-          @parse_package_lock[package_lock.name] ||=
-            JSON.parse(package_lock.content)
-        rescue JSON::ParserError
-          raise Dependabot::DependencyFileNotParseable, package_lock.path
-        end
-
-        def parse_shrinkwrap(shrinkwrap)
-          @parse_shrinkwrap ||= {}
-          @parse_shrinkwrap[shrinkwrap.name] ||=
-            JSON.parse(shrinkwrap.content)
-        rescue JSON::ParserError
-          raise Dependabot::DependencyFileNotParseable, shrinkwrap.path
-        end
-
-        def parse_yarn_lock(yarn_lock)
-          @parsed_yarn_lock ||= {}
-          @parsed_yarn_lock[yarn_lock.name] ||=
-            SharedHelpers.in_a_temporary_directory do
-              File.write("yarn.lock", yarn_lock.content)
-
-              SharedHelpers.run_helper_subprocess(
-                command: NativeHelpers.helper_path,
-                function: "yarn:parseLockfile",
-                args: [Dir.pwd]
-              )
-            rescue SharedHelpers::HelperSubprocessFailed
-              raise Dependabot::DependencyFileNotParseable, yarn_lock.path
-            end
+        def lockfile_for(file)
+          @lockfiles ||= {}
+          @lockfiles[file.name] ||= if [*package_locks, *shrinkwraps].include?(file)
+                                      JsonLock.new(file)
+                                    else
+                                      YarnLock.new(file)
+                                    end
         end
 
         def package_locks

data/lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+require "dependabot/npm_and_yarn/native_helpers"
+
+module Dependabot
+  module NpmAndYarn
+    class FileParser
+      class YarnLock
+        def initialize(dependency_file)
+          @dependency_file = dependency_file
+        end
+
+        def parsed
+          @parsed ||= SharedHelpers.in_a_temporary_directory do
+            File.write("yarn.lock", @dependency_file.content)
+
+            SharedHelpers.run_helper_subprocess(
+              command: NativeHelpers.helper_path,
+              function: "yarn:parseLockfile",
+              args: [Dir.pwd]
+            )
+          rescue SharedHelpers::HelperSubprocessFailed
+            raise Dependabot::DependencyFileNotParseable, @dependency_file.path
+          end
+        end
+
+        def dependencies
+          dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
+
+          parsed.each do |reqs, details|
+            reqs.split(", ").each do |req|
+              version = Version.semver_for(details["version"])
+              next unless version
+              next if alias_package?(req)
+              next if workspace_package?(req)
+              next if req == "__metadata"
+
+              dependency_set << Dependency.new(
+                name: req.split(/(?<=\w)\@/).first,
+                version: version,
+                package_manager: "npm_and_yarn",
+                requirements: []
+              )
+            end
+          end
+
+          dependency_set
+        end
+
+        def details(dependency_name, requirement, _manifest_name)
+          details_candidates =
+            parsed.
+            select { |k, _| k.split(/(?<=\w)\@/)[0] == dependency_name }
+
+          # If there's only one entry for this dependency, use it, even if
+          # the requirement in the lockfile doesn't match
+          if details_candidates.one?
+            details_candidates.first.last
+          else
+            details_candidates.find do |k, _|
+              k.scan(/(?<=\w)\@(?:npm:)?([^\s,]+)/).flatten.include?(requirement)
+            end&.last
+          end
+        end
+
+        private
+
+        def alias_package?(requirement)
+          requirement.match?(/@npm:(.+@(?!npm))/)
+        end
+
+        def workspace_package?(requirement)
+          requirement.include?("@workspace:")
+        end
+      end
+    end
+  end
+end