dependabot-npm_and_yarn 0.217.0 → 0.218.0

data/helpers/package.json

@@ -14,6 +14,8 @@
     "detect-indent": "^6.1.0",
     "nock": "^13.3.0",
     "npm": "6.14.18",
+    "@pnpm/lockfile-file": "^8.0.2",
+    "@pnpm/dependency-path": "^2.1.1",
     "semver": "^7.4.0"
   },
   "devDependencies": {

data/lib/dependabot/npm_and_yarn/dependency_files_filterer.rb

@@ -14,6 +14,10 @@ module Dependabot
         @updated_dependencies = updated_dependencies
       end
 
+      def paths_requiring_update_check
+        @paths_requiring_update_check ||= fetch_paths_requiring_update_check
+      end
+
       def files_requiring_update
         @files_requiring_update ||=
           dependency_files.select do |file|
@@ -34,6 +38,15 @@ module Dependabot
 
       attr_reader :dependency_files, :updated_dependencies
 
+      def fetch_paths_requiring_update_check
+        # if only a root lockfile exists, it tracks all dependencies
+        return [File.dirname(root_lockfile.name)] if lockfiles == [root_lockfile]
+
+        package_files_requiring_update.map do |file|
+          File.dirname(file.name)
+        end
+      end
+
       def dependency_manifest_requirements
         @dependency_manifest_requirements ||=
           updated_dependencies.flat_map do |dep|
@@ -50,12 +63,29 @@ module Dependabot
       end
 
       def workspaces_lockfile?(lockfile)
-        return false unless ["yarn.lock", "package-lock.json"].include?(lockfile.name)
-        return false unless parsed_root_package_json["workspaces"]
+        return false unless ["yarn.lock", "package-lock.json", "pnpm-lock.yaml"].include?(lockfile.name)
+
+        return false unless parsed_root_package_json["workspaces"] || dependency_files.any? do |file|
+          file.name.end_with?("pnpm-workspace.yaml") && File.dirname(file.name) == File.dirname(lockfile.name)
+        end
 
         updated_dependencies_in_lockfile?(lockfile)
       end
 
+      def root_lockfile
+        @root_lockfile ||=
+          lockfiles.find do |file|
+            File.dirname(file.name) == "."
+          end
+      end
+
+      def lockfiles
+        @lockfiles ||=
+          dependency_files.select do |file|
+            lockfile?(file)
+          end
+      end
+
       def parsed_root_package_json
         @parsed_root_package_json ||=
           begin
@@ -88,6 +118,7 @@ module Dependabot
         file.name.end_with?(
           "package-lock.json",
           "yarn.lock",
+          "pnpm-lock.yaml",
           "npm-shrinkwrap.json"
         )
       end

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -1,10 +1,12 @@
 # frozen_string_literal: true
 
 require "json"
+require "dependabot/experiments"
 require "dependabot/logger"
 require "dependabot/file_fetchers"
 require "dependabot/file_fetchers/base"
 require "dependabot/npm_and_yarn/helpers"
+require "dependabot/npm_and_yarn/package_manager"
 require "dependabot/npm_and_yarn/file_parser"
 require "dependabot/npm_and_yarn/file_parser/lockfile_parser"
 
@@ -55,6 +57,7 @@ module Dependabot
 
         package_managers["npm"] = Helpers.npm_version_numeric(package_lock.content) if package_lock
         package_managers["yarn"] = yarn_version if yarn_version
+        package_managers["pnpm"] = pnpm_version if pnpm_version
         package_managers["shrinkwrap"] = 1 if shrinkwrap
         package_managers["unknown"] = 1 if package_managers.empty?
 
@@ -71,6 +74,7 @@ module Dependabot
         fetched_files << package_json
         fetched_files += npm_files
         fetched_files += yarn_files
+        fetched_files += pnpm_files if Experiments.enabled?(:pnpm_updates)
         fetched_files += lerna_files
         fetched_files += workspace_package_jsons
         fetched_files += path_dependencies(fetched_files)
@@ -80,7 +84,7 @@ module Dependabot
 
       def npm_files
         fetched_npm_files = []
-        fetched_npm_files << package_lock if package_lock && !ignore_package_lock?
+        fetched_npm_files << package_lock if package_lock
         fetched_npm_files << shrinkwrap if shrinkwrap
         fetched_npm_files << npmrc if npmrc
         fetched_npm_files << inferred_npmrc if inferred_npmrc
@@ -95,6 +99,14 @@ module Dependabot
         fetched_yarn_files
       end
 
+      def pnpm_files
+        fetched_pnpm_files = []
+        fetched_pnpm_files << pnpm_lock if pnpm_lock
+        fetched_pnpm_files << pnpm_workspace_yaml if pnpm_workspace_yaml
+        fetched_pnpm_files += pnpm_workspace_package_jsons
+        fetched_pnpm_files
+      end
+
       def lerna_files
         fetched_lerna_files = []
         fetched_lerna_files << lerna_json if lerna_json
@@ -152,17 +164,29 @@ module Dependabot
       def yarn_version
         return @yarn_version if defined?(@yarn_version)
 
-        package = JSON.parse(package_json.content)
-        if (package_manager = package.fetch("packageManager", nil))
-          get_yarn_version_from_package_json(package_manager)
-        elsif yarn_lock
-          Helpers.yarn_version_numeric(yarn_lock)
-        end
+        @yarn_version = package_manager.locked_version("yarn") || guess_yarn_version
       end
 
-      def get_yarn_version_from_package_json(package_manager)
-        version_match = package_manager.match(/yarn@(?<version>\d+.\d+.\d+)/)
-        version_match&.named_captures&.fetch("version", nil)
+      def guess_yarn_version
+        return unless yarn_lock
+
+        Helpers.yarn_version_numeric(yarn_lock)
+      end
+
+      def pnpm_version
+        return @pnpm_version if defined?(@pnpm_version)
+
+        @pnpm_version = package_manager.locked_version("pnpm") || guess_pnpm_version
+      end
+
+      def guess_pnpm_version
+        return unless pnpm_lock
+
+        Helpers.pnpm_major_version
+      end
+
+      def package_manager
+        @package_manager ||= PackageManager.new(parsed_package_json)
       end
 
       def package_json
@@ -170,15 +194,27 @@ module Dependabot
       end
 
       def package_lock
-        @package_lock ||= fetch_file_if_present("package-lock.json")
+        return @package_lock if defined?(@package_lock)
+
+        @package_lock = fetch_file_if_present("package-lock.json") unless skip_package_lock?
       end
 
       def yarn_lock
-        @yarn_lock ||= fetch_file_if_present("yarn.lock")
+        return @yarn_lock if defined?(@yarn_lock)
+
+        @yarn_lock = fetch_file_if_present("yarn.lock")
+      end
+
+      def pnpm_lock
+        return @pnpm_lock if defined?(@pnpm_lock)
+
+        @pnpm_lock = fetch_file_if_present("pnpm-lock.yaml") unless skip_pnpm_lock?
       end
 
       def shrinkwrap
-        @shrinkwrap ||= fetch_file_if_present("npm-shrinkwrap.json")
+        return @shrinkwrap if defined?(@shrinkwrap)
+
+        @shrinkwrap = fetch_file_if_present("npm-shrinkwrap.json")
       end
 
       def npmrc
@@ -224,6 +260,11 @@ module Dependabot
                        tap { |f| f.support_file = true }
       end
 
+      def pnpm_workspace_yaml
+        @pnpm_workspace_yaml ||= fetch_file_if_present("pnpm-workspace.yaml")&.
+                                tap { |f| f.support_file = true }
+      end
+
       def lerna_json
         @lerna_json ||= fetch_file_if_present("lerna.json")&.
                         tap { |f| f.support_file = true }
@@ -237,6 +278,10 @@ module Dependabot
         @lerna_packages ||= fetch_lerna_packages
       end
 
+      def pnpm_workspace_package_jsons
+        @pnpm_workspace_package_jsons ||= fetch_pnpm_workspace_package_jsons
+      end
+
       # rubocop:disable Metrics/PerceivedComplexity
       def path_dependencies(fetched_files)
         package_json_files = []
@@ -361,50 +406,36 @@ module Dependabot
       def fetch_workspace_package_jsons
         return [] unless parsed_package_json["workspaces"]
 
-        package_json_files = []
-
-        workspace_paths(parsed_package_json["workspaces"]).each do |workspace|
-          file = File.join(workspace, "package.json")
-
-          begin
-            package_json_files << fetch_file_from_host(file)
-          rescue Dependabot::DependencyFileNotFound
-            nil
-          end
+        workspace_paths(parsed_package_json["workspaces"]).filter_map do |workspace|
+          fetch_package_json_if_present(workspace)
         end
-
-        package_json_files
       end
 
       def fetch_lerna_packages
         return [] unless parsed_lerna_json["packages"]
 
-        dependency_files = []
+        workspace_paths(parsed_lerna_json["packages"]).flat_map do |workspace|
+          fetch_lerna_packages_from_path(workspace)
+        end.compact
+      end
 
-        workspace_paths(parsed_lerna_json["packages"]).each do |workspace|
-          dependency_files += fetch_lerna_packages_from_path(workspace)
-        end
+      def fetch_pnpm_workspace_package_jsons
+        return [] unless parsed_pnpm_workspace_yaml["packages"]
 
-        dependency_files
+        workspace_paths(parsed_pnpm_workspace_yaml["packages"]).filter_map do |workspace|
+          fetch_package_json_if_present(workspace)
+        end
       end
 
       def fetch_lerna_packages_from_path(path)
-        dependency_files = []
-
-        package_json_path = File.join(path, "package.json")
+        package_json = fetch_package_json_if_present(path)
+        return unless package_json
 
-        begin
-          dependency_files << fetch_file_from_host(package_json_path)
-          dependency_files += [
-            fetch_file_if_present(File.join(path, "package-lock.json")),
-            fetch_file_if_present(File.join(path, "yarn.lock")),
-            fetch_file_if_present(File.join(path, "npm-shrinkwrap.json"))
-          ].compact
-        rescue Dependabot::DependencyFileNotFound
-          nil
-        end
-
-        dependency_files
+        [package_json] + [
+          fetch_file_if_present(File.join(path, "package-lock.json")),
+          fetch_file_if_present(File.join(path, "yarn.lock")),
+          fetch_file_if_present(File.join(path, "npm-shrinkwrap.json"))
+        ]
       end
 
       def workspace_paths(workspace_object)
@@ -466,6 +497,18 @@ module Dependabot
         matching_paths(prefix + glob, paths)
       end
 
+      def fetch_package_json_if_present(workspace)
+        file = File.join(workspace, "package.json")
+
+        begin
+          fetch_file_from_host(file)
+        rescue Dependabot::DependencyFileNotFound
+          # Not all paths matched by a workspace glob may contain a package.json
+          # file. Ignore if that's the case
+          nil
+        end
+      end
+
       # The packages/!(not-this-package) syntax is unique to Yarn
       def yarn_ignored_glob(glob)
         glob.match?(/!\(.*?\)/) && glob.gsub(/(!\((.*?)\))/, '\2')
@@ -493,12 +536,26 @@ module Dependabot
         {}
       end
 
-      def ignore_package_lock?
+      def parsed_pnpm_workspace_yaml
+        return {} unless pnpm_workspace_yaml
+
+        YAML.safe_load(pnpm_workspace_yaml.content)
+      rescue Pysch::SyntaxError
+        raise Dependabot::DependencyFileNotParseable, pnpm_workspace_yaml.path
+      end
+
+      def skip_package_lock?
         return false unless npmrc
 
         npmrc.content.match?(/^package-lock\s*=\s*false/)
       end
 
+      def skip_pnpm_lock?
+        return false unless npmrc
+
+        npmrc.content.match?(/^lockfile\s*=\s*false/)
+      end
+
       def build_unfetchable_deps(unfetchable_deps)
         return [] unless package_lock || yarn_lock
 

data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb

@@ -9,6 +9,7 @@ module Dependabot
     class FileParser
       class LockfileParser
         require "dependabot/npm_and_yarn/file_parser/yarn_lock"
+        require "dependabot/npm_and_yarn/file_parser/pnpm_lock"
         require "dependabot/npm_and_yarn/file_parser/json_lock"
 
         def initialize(dependency_files:)
@@ -22,7 +23,7 @@ module Dependabot
           # end up unique by name. That's not a perfect representation of
           # the nested nature of JS resolution, but it makes everything work
           # comparably to other flat-resolution strategies
-          (yarn_locks + package_locks + shrinkwraps).each do |file|
+          (yarn_locks + pnpm_locks + package_locks + shrinkwraps).each do |file|
             dependency_set += lockfile_for(file).dependencies
           end
 
@@ -50,10 +51,10 @@ module Dependabot
         def potential_lockfiles_for_manifest(manifest_filename)
           dir_name = File.dirname(manifest_filename)
           possible_lockfile_names =
-            %w(package-lock.json npm-shrinkwrap.json yarn.lock).map do |f|
+            %w(package-lock.json npm-shrinkwrap.json pnpm-lock.yaml yarn.lock).map do |f|
               Pathname.new(File.join(dir_name, f)).cleanpath.to_path
             end +
-            %w(yarn.lock package-lock.json npm-shrinkwrap.json)
+            %w(yarn.lock pnpm-lock.yaml package-lock.json npm-shrinkwrap.json)
 
           possible_lockfile_names.uniq.
             filter_map { |nm| dependency_files.find { |f| f.name == nm } }
@@ -67,8 +68,10 @@ module Dependabot
           @lockfiles ||= {}
           @lockfiles[file.name] ||= if [*package_locks, *shrinkwraps].include?(file)
                                       JsonLock.new(file)
-                                    else
+                                    elsif yarn_locks.include?(file)
                                       YarnLock.new(file)
+                                    else
+                                      PnpmLock.new(file)
                                     end
         end
 
@@ -78,6 +81,12 @@ module Dependabot
             select { |f| f.name.end_with?("package-lock.json") }
         end
 
+        def pnpm_locks
+          @pnpm_locks ||=
+            dependency_files.
+            select { |f| f.name.end_with?("pnpm-lock.yaml") }
+        end
+
         def yarn_locks
           @yarn_locks ||=
             dependency_files.

data/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "dependabot/errors"
+
+module Dependabot
+  module NpmAndYarn
+    class FileParser
+      class PnpmLock
+        def initialize(dependency_file)
+          @dependency_file = dependency_file
+        end
+
+        def parsed
+          @parsed ||= SharedHelpers.in_a_temporary_directory do
+            File.write("pnpm-lock.yaml", @dependency_file.content)
+
+            SharedHelpers.run_helper_subprocess(
+              command: NativeHelpers.helper_path,
+              function: "pnpm:parseLockfile",
+              args: [Dir.pwd]
+            )
+          rescue SharedHelpers::HelperSubprocessFailed
+            raise Dependabot::DependencyFileNotParseable, @dependency_file.path
+          end
+        end
+
+        def dependencies
+          dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
+
+          parsed.each do |details|
+            next if details["aliased"]
+
+            name = details["name"]
+            version = details["version"]
+
+            dependency_args = {
+              name: name,
+              version: version,
+              package_manager: "npm_and_yarn",
+              requirements: []
+            }
+
+            if details["dev"]
+              dependency_args[:subdependency_metadata] =
+                [{ production: !details["dev"] }]
+            end
+
+            dependency_set << Dependency.new(**dependency_args)
+          end
+
+          dependency_set
+        end
+
+        def details(dependency_name, requirement, _manifest_name)
+          details_candidates = parsed.select { |info| info["name"] == dependency_name }
+
+          # If there's only one entry for this dependency, use it, even if
+          # the requirement in the lockfile doesn't match
+          if details_candidates.one?
+            details_candidates.first
+          else
+            details_candidates.find { |info| info["specifiers"]&.include?(requirement) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -418,6 +418,12 @@ module Dependabot
             raise Dependabot::DependencyFileNotParseable, msg
           end
 
+          if error_message.include?("EBADENGINE")
+            msg = "Dependabot uses Node.js #{`node --version`} and NPM #{`npm --version`}. " \
+                  "Due to the engine-strict setting, the update will not succeed."
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
           raise error
         end
         # rubocop:enable Metrics/AbcSize

data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb

@@ -81,7 +81,9 @@ module Dependabot
               next false if CENTRAL_REGISTRIES.include?(cred["registry"])
 
               # If all the URLs include this registry, it's global
-              next true if dependency_urls.all? { |url| url.include?(cred["registry"]) }
+              next true if dependency_urls.size.positive? && dependency_urls.all? do |url|
+                             url.include?(cred["registry"])
+                           end
 
               # Check if this registry has already been defined in .npmrc as a scoped registry
               next false if npmrc_scoped_registries.any? { |sr| sr.include?(cred["registry"]) }
@@ -133,8 +135,8 @@ module Dependabot
           @dependency_urls = []
           if package_lock
             @dependency_urls +=
-              parsed_package_lock.fetch("dependencies", {}).
-              filter_map { |_, details| details["resolved"] }.
+              package_lock.content.scan(/"resolved"\s*:\s*"(.*)"/).
+              flatten.
               select { |url| url.is_a?(String) }.
               reject { |url| url.start_with?("git") }
           end
@@ -267,7 +269,7 @@ module Dependabot
 
           scopes = affected_urls.map do |url|
             url.split(/\%40|@/)[1]&.split(%r{\%2[fF]|/})&.first
-          end
+          end.uniq
 
           # Registry used for unscoped packages
           return if scopes.include?(nil)

data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb

@@ -108,8 +108,9 @@ module Dependabot
         def update_package_json_resolutions(package_json_content:, new_req:,
                                             dependency:, old_req:)
           dep = dependency
+          parsed_json_content = JSON.parse(package_json_content)
           resolutions =
-            JSON.parse(package_json_content).fetch("resolutions", {}).
+            parsed_json_content.fetch("resolutions", parsed_json_content.dig("pnpm", "overrides") || {}).
             reject { |_, v| v != old_req && v != dep.previous_version }.
             select { |k, _| k == dep.name || k.end_with?("/#{dep.name}") }
 
@@ -132,7 +133,7 @@ module Dependabot
             )
 
             content = update_package_json_sections(
-              ["resolutions"], content, original_line, replacement_line
+              %w(resolutions overrides), content, original_line, replacement_line
             )
           end
           content

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -0,0 +1,145 @@
+# frozen_string_literal: true
+
+require "dependabot/npm_and_yarn/helpers"
+require "dependabot/npm_and_yarn/update_checker/registry_finder"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module NpmAndYarn
+    class FileUpdater
+      class PnpmLockfileUpdater
+        require_relative "package_json_updater"
+
+        def initialize(dependencies:, dependency_files:, repo_contents_path:, credentials:)
+          @dependencies = dependencies
+          @dependency_files = dependency_files
+          @repo_contents_path = repo_contents_path
+          @credentials = credentials
+        end
+
+        def updated_pnpm_lock_content(pnpm_lock)
+          @updated_pnpm_lock_content ||= {}
+          return @updated_pnpm_lock_content[pnpm_lock.name] if @updated_pnpm_lock_content[pnpm_lock.name]
+
+          new_content = run_pnpm_update(pnpm_lock: pnpm_lock)
+          @updated_pnpm_lock_content[pnpm_lock.name] = new_content
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          handle_pnpm_lock_updater_error(e, pnpm_lock)
+        end
+
+        private
+
+        attr_reader :dependencies, :dependency_files, :repo_contents_path, :credentials
+
+        IRRESOLVABLE_PACKAGE = "ERR_PNPM_NO_MATCHING_VERSION"
+        INVALID_REQUIREMENT = "ERR_PNPM_SPEC_NOT_SUPPORTED_BY_ANY_RESOLVER"
+        MISSING_PACKAGE = /(?<package_req>.*?) is not in the npm registry, or you have no permission to fetch it/
+
+        def run_pnpm_update(pnpm_lock:)
+          SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
+            SharedHelpers.with_git_configured(credentials: credentials) do
+              run_pnpm_updater
+
+              write_final_package_json_files
+
+              run_pnpm_install
+
+              File.read(pnpm_lock.name)
+            end
+          end
+        end
+
+        def run_pnpm_updater
+          dependency_updates = dependencies.map do |d|
+            "#{d.name}@#{d.version}"
+          end.join(" ")
+
+          SharedHelpers.run_shell_command(
+            "pnpm install #{dependency_updates} --lockfile-only --ignore-workspace-root-check",
+            fingerprint: "pnpm install <dependency_updates> --lockfile-only --ignore-workspace-root-check"
+          )
+        end
+
+        def run_pnpm_install
+          SharedHelpers.run_shell_command(
+            "pnpm install --lockfile-only"
+          )
+        end
+
+        def lockfile_dependencies(lockfile)
+          @lockfile_dependencies ||= {}
+          @lockfile_dependencies[lockfile.name] ||=
+            NpmAndYarn::FileParser.new(
+              dependency_files: [lockfile, *package_files],
+              source: nil,
+              credentials: credentials
+            ).parse
+        end
+
+        def handle_pnpm_lock_updater_error(error, pnpm_lock)
+          error_message = error.message
+
+          if error_message.include?(IRRESOLVABLE_PACKAGE) || error_message.include?(INVALID_REQUIREMENT)
+            raise_resolvability_error(error_message, pnpm_lock)
+          end
+
+          raise unless error_message.match?(MISSING_PACKAGE)
+
+          package_name = error_message.match(MISSING_PACKAGE).
+                         named_captures["package_req"].
+                         split(/(?<=\w)\@/).first
+          raise_missing_package_error(package_name, error_message, pnpm_lock)
+        end
+
+        def raise_resolvability_error(error_message, pnpm_lock)
+          dependency_names = dependencies.map(&:name).join(", ")
+          msg = "Error whilst updating #{dependency_names} in " \
+                "#{pnpm_lock.path}:\n#{error_message}"
+          raise Dependabot::DependencyFileNotResolvable, msg
+        end
+
+        def raise_missing_package_error(package_name, _error_message, pnpm_lock)
+          missing_dep = lockfile_dependencies(pnpm_lock).
+                        find { |dep| dep.name == package_name }
+
+          reg = NpmAndYarn::UpdateChecker::RegistryFinder.new(
+            dependency: missing_dep,
+            credentials: credentials,
+            npmrc_file: npmrc_file
+          ).registry
+
+          raise PrivateSourceAuthenticationFailure, reg
+        end
+
+        def write_final_package_json_files
+          package_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(path, updated_package_json_content(file))
+          end
+        end
+
+        def updated_package_json_content(file)
+          @updated_package_json_content ||= {}
+          @updated_package_json_content[file.name] ||=
+            PackageJsonUpdater.new(
+              package_json: file,
+              dependencies: dependencies
+            ).updated_package_json.content
+        end
+
+        def package_files
+          @package_files ||= dependency_files.select { |f| f.name.end_with?("package.json") }
+        end
+
+        def base_dir
+          dependency_files.first.directory
+        end
+
+        def npmrc_file
+          dependency_files.find { |f| f.name == ".npmrc" }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -342,7 +342,7 @@ module Dependabot
           if Helpers.yarn_berry?(yarn_lock)
             File.write(".yarnrc.yml", yarnrc_yml_content) if yarnrc_yml_file
           else
-            File.write(".npmrc", npmrc_content) unless Helpers.yarn_berry?(yarn_lock)
+            File.write(".npmrc", npmrc_content)
             File.write(".yarnrc", yarnrc_content) if yarnrc_specifies_private_reg?
           end