dependabot-npm_and_yarn 0.216.2 → 0.218.0

data/helpers/package.json

@@ -14,12 +14,14 @@
     "detect-indent": "^6.1.0",
     "nock": "^13.3.0",
     "npm": "6.14.18",
+    "@pnpm/lockfile-file": "^8.0.2",
+    "@pnpm/dependency-path": "^2.1.1",
     "semver": "^7.4.0"
   },
   "devDependencies": {
-    "eslint": "^8.38.0",
+    "eslint": "^8.39.0",
     "eslint-config-prettier": "^8.8.0",
     "jest": "^29.5.0",
-    "prettier": "^2.8.7"
+    "prettier": "^2.8.8"
   }
 }

data/lib/dependabot/npm_and_yarn/dependency_files_filterer.rb

@@ -14,6 +14,10 @@ module Dependabot
         @updated_dependencies = updated_dependencies
       end
 
+      def paths_requiring_update_check
+        @paths_requiring_update_check ||= fetch_paths_requiring_update_check
+      end
+
       def files_requiring_update
         @files_requiring_update ||=
           dependency_files.select do |file|
@@ -34,6 +38,15 @@ module Dependabot
 
       attr_reader :dependency_files, :updated_dependencies
 
+      def fetch_paths_requiring_update_check
+        # if only a root lockfile exists, it tracks all dependencies
+        return [File.dirname(root_lockfile.name)] if lockfiles == [root_lockfile]
+
+        package_files_requiring_update.map do |file|
+          File.dirname(file.name)
+        end
+      end
+
       def dependency_manifest_requirements
         @dependency_manifest_requirements ||=
           updated_dependencies.flat_map do |dep|
@@ -50,12 +63,29 @@ module Dependabot
       end
 
       def workspaces_lockfile?(lockfile)
-        return false unless ["yarn.lock", "package-lock.json"].include?(lockfile.name)
-        return false unless parsed_root_package_json["workspaces"]
+        return false unless ["yarn.lock", "package-lock.json", "pnpm-lock.yaml"].include?(lockfile.name)
+
+        return false unless parsed_root_package_json["workspaces"] || dependency_files.any? do |file|
+          file.name.end_with?("pnpm-workspace.yaml") && File.dirname(file.name) == File.dirname(lockfile.name)
+        end
 
         updated_dependencies_in_lockfile?(lockfile)
       end
 
+      def root_lockfile
+        @root_lockfile ||=
+          lockfiles.find do |file|
+            File.dirname(file.name) == "."
+          end
+      end
+
+      def lockfiles
+        @lockfiles ||=
+          dependency_files.select do |file|
+            lockfile?(file)
+          end
+      end
+
       def parsed_root_package_json
         @parsed_root_package_json ||=
           begin
@@ -88,6 +118,7 @@ module Dependabot
         file.name.end_with?(
           "package-lock.json",
           "yarn.lock",
+          "pnpm-lock.yaml",
           "npm-shrinkwrap.json"
         )
       end

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -1,10 +1,12 @@
 # frozen_string_literal: true
 
 require "json"
+require "dependabot/experiments"
 require "dependabot/logger"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
 require "dependabot/npm_and_yarn/helpers"
+require "dependabot/npm_and_yarn/package_manager"
 require "dependabot/npm_and_yarn/file_parser"
 require "dependabot/npm_and_yarn/file_parser/lockfile_parser"
 
@@ -55,6 +57,7 @@ module Dependabot
 
         package_managers["npm"] = Helpers.npm_version_numeric(package_lock.content) if package_lock
         package_managers["yarn"] = yarn_version if yarn_version
+        package_managers["pnpm"] = pnpm_version if pnpm_version
         package_managers["shrinkwrap"] = 1 if shrinkwrap
         package_managers["unknown"] = 1 if package_managers.empty?
 
@@ -69,22 +72,48 @@ module Dependabot
       def fetch_files
         fetched_files = []
         fetched_files << package_json
-        fetched_files << package_lock if package_lock && !ignore_package_lock?
-        fetched_files << yarn_lock if yarn_lock
-        fetched_files << shrinkwrap if shrinkwrap
-        fetched_files << lerna_json if lerna_json
-        fetched_files << npmrc if npmrc
-        fetched_files << yarnrc if yarnrc
-        fetched_files << yarnrc_yml if yarnrc_yml
+        fetched_files += npm_files
+        fetched_files += yarn_files
+        fetched_files += pnpm_files if Experiments.enabled?(:pnpm_updates)
+        fetched_files += lerna_files
         fetched_files += workspace_package_jsons
-        fetched_files += lerna_packages
         fetched_files += path_dependencies(fetched_files)
 
-        fetched_files << inferred_npmrc if inferred_npmrc
-
         fetched_files.uniq
       end
 
+      def npm_files
+        fetched_npm_files = []
+        fetched_npm_files << package_lock if package_lock
+        fetched_npm_files << shrinkwrap if shrinkwrap
+        fetched_npm_files << npmrc if npmrc
+        fetched_npm_files << inferred_npmrc if inferred_npmrc
+        fetched_npm_files
+      end
+
+      def yarn_files
+        fetched_yarn_files = []
+        fetched_yarn_files << yarn_lock if yarn_lock
+        fetched_yarn_files << yarnrc if yarnrc
+        fetched_yarn_files << yarnrc_yml if yarnrc_yml
+        fetched_yarn_files
+      end
+
+      def pnpm_files
+        fetched_pnpm_files = []
+        fetched_pnpm_files << pnpm_lock if pnpm_lock
+        fetched_pnpm_files << pnpm_workspace_yaml if pnpm_workspace_yaml
+        fetched_pnpm_files += pnpm_workspace_package_jsons
+        fetched_pnpm_files
+      end
+
+      def lerna_files
+        fetched_lerna_files = []
+        fetched_lerna_files << lerna_json if lerna_json
+        fetched_lerna_files += lerna_packages
+        fetched_lerna_files
+      end
+
       # If every entry in the lockfile uses the same registry, we can infer
       # that there is a global .npmrc file, so add it here as if it were in the repo.
 
@@ -135,17 +164,29 @@ module Dependabot
       def yarn_version
         return @yarn_version if defined?(@yarn_version)
 
-        package = JSON.parse(package_json.content)
-        if (package_manager = package.fetch("packageManager", nil))
-          get_yarn_version_from_package_json(package_manager)
-        elsif yarn_lock
-          Helpers.yarn_version_numeric(yarn_lock)
-        end
+        @yarn_version = package_manager.locked_version("yarn") || guess_yarn_version
+      end
+
+      def guess_yarn_version
+        return unless yarn_lock
+
+        Helpers.yarn_version_numeric(yarn_lock)
+      end
+
+      def pnpm_version
+        return @pnpm_version if defined?(@pnpm_version)
+
+        @pnpm_version = package_manager.locked_version("pnpm") || guess_pnpm_version
+      end
+
+      def guess_pnpm_version
+        return unless pnpm_lock
+
+        Helpers.pnpm_major_version
       end
 
-      def get_yarn_version_from_package_json(package_manager)
-        version_match = package_manager.match(/yarn@(?<version>\d+.\d+.\d+)/)
-        version_match&.named_captures&.fetch("version", nil)
+      def package_manager
+        @package_manager ||= PackageManager.new(parsed_package_json)
       end
 
       def package_json
@@ -153,15 +194,27 @@ module Dependabot
       end
 
       def package_lock
-        @package_lock ||= fetch_file_if_present("package-lock.json")
+        return @package_lock if defined?(@package_lock)
+
+        @package_lock = fetch_file_if_present("package-lock.json") unless skip_package_lock?
       end
 
       def yarn_lock
-        @yarn_lock ||= fetch_file_if_present("yarn.lock")
+        return @yarn_lock if defined?(@yarn_lock)
+
+        @yarn_lock = fetch_file_if_present("yarn.lock")
+      end
+
+      def pnpm_lock
+        return @pnpm_lock if defined?(@pnpm_lock)
+
+        @pnpm_lock = fetch_file_if_present("pnpm-lock.yaml") unless skip_pnpm_lock?
       end
 
       def shrinkwrap
-        @shrinkwrap ||= fetch_file_if_present("npm-shrinkwrap.json")
+        return @shrinkwrap if defined?(@shrinkwrap)
+
+        @shrinkwrap = fetch_file_if_present("npm-shrinkwrap.json")
       end
 
       def npmrc
@@ -207,6 +260,11 @@ module Dependabot
                        tap { |f| f.support_file = true }
       end
 
+      def pnpm_workspace_yaml
+        @pnpm_workspace_yaml ||= fetch_file_if_present("pnpm-workspace.yaml")&.
+                                tap { |f| f.support_file = true }
+      end
+
       def lerna_json
         @lerna_json ||= fetch_file_if_present("lerna.json")&.
                         tap { |f| f.support_file = true }
@@ -220,6 +278,10 @@ module Dependabot
         @lerna_packages ||= fetch_lerna_packages
       end
 
+      def pnpm_workspace_package_jsons
+        @pnpm_workspace_package_jsons ||= fetch_pnpm_workspace_package_jsons
+      end
+
       # rubocop:disable Metrics/PerceivedComplexity
       def path_dependencies(fetched_files)
         package_json_files = []
@@ -344,50 +406,36 @@ module Dependabot
       def fetch_workspace_package_jsons
         return [] unless parsed_package_json["workspaces"]
 
-        package_json_files = []
-
-        workspace_paths(parsed_package_json["workspaces"]).each do |workspace|
-          file = File.join(workspace, "package.json")
-
-          begin
-            package_json_files << fetch_file_from_host(file)
-          rescue Dependabot::DependencyFileNotFound
-            nil
-          end
+        workspace_paths(parsed_package_json["workspaces"]).filter_map do |workspace|
+          fetch_package_json_if_present(workspace)
         end
-
-        package_json_files
       end
 
       def fetch_lerna_packages
         return [] unless parsed_lerna_json["packages"]
 
-        dependency_files = []
+        workspace_paths(parsed_lerna_json["packages"]).flat_map do |workspace|
+          fetch_lerna_packages_from_path(workspace)
+        end.compact
+      end
 
-        workspace_paths(parsed_lerna_json["packages"]).each do |workspace|
-          dependency_files += fetch_lerna_packages_from_path(workspace)
-        end
+      def fetch_pnpm_workspace_package_jsons
+        return [] unless parsed_pnpm_workspace_yaml["packages"]
 
-        dependency_files
+        workspace_paths(parsed_pnpm_workspace_yaml["packages"]).filter_map do |workspace|
+          fetch_package_json_if_present(workspace)
+        end
       end
 
       def fetch_lerna_packages_from_path(path)
-        dependency_files = []
-
-        package_json_path = File.join(path, "package.json")
-
-        begin
-          dependency_files << fetch_file_from_host(package_json_path)
-          dependency_files += [
-            fetch_file_if_present(File.join(path, "package-lock.json")),
-            fetch_file_if_present(File.join(path, "yarn.lock")),
-            fetch_file_if_present(File.join(path, "npm-shrinkwrap.json"))
-          ].compact
-        rescue Dependabot::DependencyFileNotFound
-          nil
-        end
+        package_json = fetch_package_json_if_present(path)
+        return unless package_json
 
-        dependency_files
+        [package_json] + [
+          fetch_file_if_present(File.join(path, "package-lock.json")),
+          fetch_file_if_present(File.join(path, "yarn.lock")),
+          fetch_file_if_present(File.join(path, "npm-shrinkwrap.json"))
+        ]
       end
 
       def workspace_paths(workspace_object)
@@ -449,6 +497,18 @@ module Dependabot
         matching_paths(prefix + glob, paths)
       end
 
+      def fetch_package_json_if_present(workspace)
+        file = File.join(workspace, "package.json")
+
+        begin
+          fetch_file_from_host(file)
+        rescue Dependabot::DependencyFileNotFound
+          # Not all paths matched by a workspace glob may contain a package.json
+          # file. Ignore if that's the case
+          nil
+        end
+      end
+
       # The packages/!(not-this-package) syntax is unique to Yarn
       def yarn_ignored_glob(glob)
         glob.match?(/!\(.*?\)/) && glob.gsub(/(!\((.*?)\))/, '\2')
@@ -476,12 +536,26 @@ module Dependabot
         {}
       end
 
-      def ignore_package_lock?
+      def parsed_pnpm_workspace_yaml
+        return {} unless pnpm_workspace_yaml
+
+        YAML.safe_load(pnpm_workspace_yaml.content)
+      rescue Pysch::SyntaxError
+        raise Dependabot::DependencyFileNotParseable, pnpm_workspace_yaml.path
+      end
+
+      def skip_package_lock?
         return false unless npmrc
 
         npmrc.content.match?(/^package-lock\s*=\s*false/)
       end
 
+      def skip_pnpm_lock?
+        return false unless npmrc
+
+        npmrc.content.match?(/^lockfile\s*=\s*false/)
+      end
+
       def build_unfetchable_deps(unfetchable_deps)
         return [] unless package_lock || yarn_lock
 

data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb

@@ -9,6 +9,7 @@ module Dependabot
     class FileParser
       class LockfileParser
         require "dependabot/npm_and_yarn/file_parser/yarn_lock"
+        require "dependabot/npm_and_yarn/file_parser/pnpm_lock"
         require "dependabot/npm_and_yarn/file_parser/json_lock"
 
         def initialize(dependency_files:)
@@ -22,7 +23,7 @@ module Dependabot
           # end up unique by name. That's not a perfect representation of
           # the nested nature of JS resolution, but it makes everything work
           # comparably to other flat-resolution strategies
-          (yarn_locks + package_locks + shrinkwraps).each do |file|
+          (yarn_locks + pnpm_locks + package_locks + shrinkwraps).each do |file|
             dependency_set += lockfile_for(file).dependencies
           end
 
@@ -50,10 +51,10 @@ module Dependabot
         def potential_lockfiles_for_manifest(manifest_filename)
           dir_name = File.dirname(manifest_filename)
           possible_lockfile_names =
-            %w(package-lock.json npm-shrinkwrap.json yarn.lock).map do |f|
+            %w(package-lock.json npm-shrinkwrap.json pnpm-lock.yaml yarn.lock).map do |f|
               Pathname.new(File.join(dir_name, f)).cleanpath.to_path
             end +
-            %w(yarn.lock package-lock.json npm-shrinkwrap.json)
+            %w(yarn.lock pnpm-lock.yaml package-lock.json npm-shrinkwrap.json)
 
           possible_lockfile_names.uniq.
             filter_map { |nm| dependency_files.find { |f| f.name == nm } }
@@ -67,8 +68,10 @@ module Dependabot
           @lockfiles ||= {}
           @lockfiles[file.name] ||= if [*package_locks, *shrinkwraps].include?(file)
                                       JsonLock.new(file)
-                                    else
+                                    elsif yarn_locks.include?(file)
                                       YarnLock.new(file)
+                                    else
+                                      PnpmLock.new(file)
                                     end
         end
 
@@ -78,6 +81,12 @@ module Dependabot
             select { |f| f.name.end_with?("package-lock.json") }
         end
 
+        def pnpm_locks
+          @pnpm_locks ||=
+            dependency_files.
+            select { |f| f.name.end_with?("pnpm-lock.yaml") }
+        end
+
         def yarn_locks
           @yarn_locks ||=
             dependency_files.

data/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "dependabot/errors"
+
+module Dependabot
+  module NpmAndYarn
+    class FileParser
+      class PnpmLock
+        def initialize(dependency_file)
+          @dependency_file = dependency_file
+        end
+
+        def parsed
+          @parsed ||= SharedHelpers.in_a_temporary_directory do
+            File.write("pnpm-lock.yaml", @dependency_file.content)
+
+            SharedHelpers.run_helper_subprocess(
+              command: NativeHelpers.helper_path,
+              function: "pnpm:parseLockfile",
+              args: [Dir.pwd]
+            )
+          rescue SharedHelpers::HelperSubprocessFailed
+            raise Dependabot::DependencyFileNotParseable, @dependency_file.path
+          end
+        end
+
+        def dependencies
+          dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
+
+          parsed.each do |details|
+            next if details["aliased"]
+
+            name = details["name"]
+            version = details["version"]
+
+            dependency_args = {
+              name: name,
+              version: version,
+              package_manager: "npm_and_yarn",
+              requirements: []
+            }
+
+            if details["dev"]
+              dependency_args[:subdependency_metadata] =
+                [{ production: !details["dev"] }]
+            end
+
+            dependency_set << Dependency.new(**dependency_args)
+          end
+
+          dependency_set
+        end
+
+        def details(dependency_name, requirement, _manifest_name)
+          details_candidates = parsed.select { |info| info["name"] == dependency_name }
+
+          # If there's only one entry for this dependency, use it, even if
+          # the requirement in the lockfile doesn't match
+          if details_candidates.one?
+            details_candidates.first
+          else
+            details_candidates.find { |info| info["specifiers"]&.include?(requirement) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -418,6 +418,12 @@ module Dependabot
             raise Dependabot::DependencyFileNotParseable, msg
           end
 
+          if error_message.include?("EBADENGINE")
+            msg = "Dependabot uses Node.js #{`node --version`} and NPM #{`npm --version`}. " \
+                  "Due to the engine-strict setting, the update will not succeed."
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
           raise error
         end
         # rubocop:enable Metrics/AbcSize

data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb

@@ -81,7 +81,9 @@ module Dependabot
               next false if CENTRAL_REGISTRIES.include?(cred["registry"])
 
               # If all the URLs include this registry, it's global
-              next true if dependency_urls.all? { |url| url.include?(cred["registry"]) }
+              next true if dependency_urls.size.positive? && dependency_urls.all? do |url|
+                             url.include?(cred["registry"])
+                           end
 
               # Check if this registry has already been defined in .npmrc as a scoped registry
               next false if npmrc_scoped_registries.any? { |sr| sr.include?(cred["registry"]) }
@@ -133,8 +135,8 @@ module Dependabot
           @dependency_urls = []
           if package_lock
             @dependency_urls +=
-              parsed_package_lock.fetch("dependencies", {}).
-              filter_map { |_, details| details["resolved"] }.
+              package_lock.content.scan(/"resolved"\s*:\s*"(.*)"/).
+              flatten.
               select { |url| url.is_a?(String) }.
               reject { |url| url.start_with?("git") }
           end
@@ -267,7 +269,7 @@ module Dependabot
 
           scopes = affected_urls.map do |url|
             url.split(/\%40|@/)[1]&.split(%r{\%2[fF]|/})&.first
-          end
+          end.uniq
 
           # Registry used for unscoped packages
           return if scopes.include?(nil)

data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb

@@ -108,8 +108,9 @@ module Dependabot
         def update_package_json_resolutions(package_json_content:, new_req:,
                                             dependency:, old_req:)
           dep = dependency
+          parsed_json_content = JSON.parse(package_json_content)
           resolutions =
-            JSON.parse(package_json_content).fetch("resolutions", {}).
+            parsed_json_content.fetch("resolutions", parsed_json_content.dig("pnpm", "overrides") || {}).
             reject { |_, v| v != old_req && v != dep.previous_version }.
             select { |k, _| k == dep.name || k.end_with?("/#{dep.name}") }
 
@@ -132,7 +133,7 @@ module Dependabot
             )
 
             content = update_package_json_sections(
-              ["resolutions"], content, original_line, replacement_line
+              %w(resolutions overrides), content, original_line, replacement_line
             )
           end
           content