dependabot-npm_and_yarn 0.217.0 → 0.218.0

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -12,6 +12,7 @@ module Dependabot
       require_relative "file_updater/package_json_updater"
       require_relative "file_updater/npm_lockfile_updater"
       require_relative "file_updater/yarn_lockfile_updater"
+      require_relative "file_updater/pnpm_lockfile_updater"
 
       class NoChangeError < StandardError
         def initialize(message:, error_context:)
@@ -29,7 +30,8 @@ module Dependabot
           /^package\.json$/,
           /^package-lock\.json$/,
           /^npm-shrinkwrap\.json$/,
-          /^yarn\.lock$/
+          /^yarn\.lock$/,
+          /^pnpm-lock\.yaml$/
         ]
       end
 
@@ -145,6 +147,12 @@ module Dependabot
           select { |f| f.name.end_with?("yarn.lock") }
       end
 
+      def pnpm_locks
+        @pnpm_locks ||=
+          filtered_dependency_files.
+          select { |f| f.name.end_with?("pnpm-lock.yaml") }
+      end
+
       def shrinkwraps
         @shrinkwraps ||=
           filtered_dependency_files.
@@ -162,6 +170,10 @@ module Dependabot
         yarn_lock.content != updated_yarn_lock_content(yarn_lock)
       end
 
+      def pnpm_lock_changed?(pnpm_lock)
+        pnpm_lock.content != updated_pnpm_lock_content(pnpm_lock)
+      end
+
       def package_lock_changed?(package_lock)
         package_lock.content != updated_lockfile_content(package_lock)
       end
@@ -191,6 +203,15 @@ module Dependabot
           )
         end
 
+        pnpm_locks.each do |pnpm_lock|
+          next unless pnpm_lock_changed?(pnpm_lock)
+
+          updated_files << updated_file(
+            file: pnpm_lock,
+            content: updated_pnpm_lock_content(pnpm_lock)
+          )
+        end
+
         package_locks.each do |package_lock|
           next unless package_lock_changed?(package_lock)
 
@@ -218,6 +239,12 @@ module Dependabot
           yarn_lockfile_updater.updated_yarn_lock_content(yarn_lock)
       end
 
+      def updated_pnpm_lock_content(pnpm_lock)
+        @updated_pnpm_lock_content ||= {}
+        @updated_pnpm_lock_content[pnpm_lock.name] ||=
+          pnpm_lockfile_updater.updated_pnpm_lock_content(pnpm_lock)
+      end
+
       def yarn_lockfile_updater
         @yarn_lockfile_updater ||=
           YarnLockfileUpdater.new(
@@ -228,6 +255,16 @@ module Dependabot
           )
       end
 
+      def pnpm_lockfile_updater
+        @pnpm_lockfile_updater ||=
+          PnpmLockfileUpdater.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files,
+            repo_contents_path: repo_contents_path,
+            credentials: credentials
+          )
+      end
+
       def updated_lockfile_content(file)
         @updated_lockfile_content ||= {}
         @updated_lockfile_content[file.name] ||=

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -40,10 +40,23 @@ module Dependabot
       end
 
       def self.yarn_major_version
+        @yarn_major_version ||= fetch_yarn_major_version
+      end
+
+      def self.pnpm_major_version
+        @pnpm_major_version ||= fetch_pnpm_major_version
+      end
+
+      def self.fetch_yarn_major_version
         output = SharedHelpers.run_shell_command("yarn --version")
         Version.new(output).major
       end
 
+      def self.fetch_pnpm_major_version
+        output = SharedHelpers.run_shell_command("pnpm --version")
+        Version.new(output).major
+      end
+
       def self.yarn_zero_install?
         File.exist?(".pnp.cjs")
       end

data/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module NpmAndYarn
+    class PackageManager
+      def initialize(package_json)
+        @package_json = package_json
+      end
+
+      def locked_version(name)
+        locked = @package_json.fetch("packageManager", nil)
+        return unless locked
+
+        version_match = locked.match(/#{name}@(?<version>\d+.\d+.\d+)/)
+        version_match&.named_captures&.fetch("version", nil)
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/sub_dependency_files_filterer.rb

@@ -50,7 +50,8 @@ module Dependabot
         file.name.end_with?(
           "package-lock.json",
           "yarn.lock",
-          "npm-shrinkwrap.json"
+          "npm-shrinkwrap.json",
+          "pnpm-lock.yaml"
         )
       end
 

data/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb

@@ -19,7 +19,7 @@ module Dependabot
           if Helpers.yarn_berry?(yarn_locks.first)
             File.write(".yarnrc.yml", yarnrc_yml_content) if yarnrc_yml_file
           else
-            File.write(".npmrc", npmrc_content) unless Helpers.yarn_berry?(yarn_locks.first)
+            File.write(".npmrc", npmrc_content)
             File.write(".yarnrc", yarnrc_content) if yarnrc_specifies_private_reg?
           end
 
@@ -42,12 +42,24 @@ module Dependabot
             select { |f| f.name.end_with?("yarn.lock") }
         end
 
+        def pnpm_locks
+          @pnpm_locks ||=
+            dependency_files.
+            select { |f| f.name.end_with?("pnpm-lock.yaml") }
+        end
+
         def root_yarn_lock
           @root_yarn_lock ||=
             dependency_files.
             find { |f| f.name == "yarn.lock" }
         end
 
+        def root_pnpm_lock
+          @root_pnpm_lock ||=
+            dependency_files.
+            find { |f| f.name == "pnpm-lock.yaml" }
+        end
+
         def shrinkwraps
           @shrinkwraps ||=
             dependency_files.
@@ -55,7 +67,7 @@ module Dependabot
         end
 
         def lockfiles
-          [*package_locks, *shrinkwraps, *yarn_locks]
+          [*package_locks, *shrinkwraps, *yarn_locks, *pnpm_locks]
         end
 
         def package_files
@@ -74,6 +86,11 @@ module Dependabot
             File.write(f.name, prepared_yarn_lockfile_content(f.content))
           end
 
+          pnpm_locks.each do |f|
+            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
+            File.write(f.name, f.content)
+          end
+
           [*package_locks, *shrinkwraps].each do |f|
             FileUtils.mkdir_p(Pathname.new(f.name).dirname)
             File.write(f.name, f.content)

data/lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb

@@ -15,7 +15,7 @@ module Dependabot
       class RequirementsUpdater
         VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/
         SEPARATOR = /(?<=[a-zA-Z0-9*])[\s|]+(?![\s|-])/
-        ALLOWED_UPDATE_STRATEGIES = %i(widen_ranges bump_versions bump_versions_if_necessary).freeze
+        ALLOWED_UPDATE_STRATEGIES = %i(lockfile_only widen_ranges bump_versions bump_versions_if_necessary).freeze
 
         def initialize(requirements:, updated_source:, update_strategy:,
                        latest_resolvable_version:)
@@ -32,6 +32,8 @@ module Dependabot
         end
 
         def updated_requirements
+          return requirements if update_strategy == :lockfile_only
+
           requirements.map do |req|
             req = req.merge(source: updated_source)
             next req unless latest_resolvable_version

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -4,8 +4,6 @@ require "dependabot/dependency"
 require "dependabot/errors"
 require "dependabot/logger"
 require "dependabot/npm_and_yarn/file_parser"
-require "dependabot/npm_and_yarn/file_updater/npmrc_builder"
-require "dependabot/npm_and_yarn/file_updater/package_json_preparer"
 require "dependabot/npm_and_yarn/helpers"
 require "dependabot/npm_and_yarn/native_helpers"
 require "dependabot/npm_and_yarn/sub_dependency_files_filterer"
@@ -65,6 +63,8 @@ module Dependabot
                             run_yarn_berry_updater(path, lockfile_name)
                           elsif lockfile.name.end_with?("yarn.lock")
                             run_yarn_updater(path, lockfile_name)
+                          elsif lockfile.name.end_with?("pnpm-lock.yaml")
+                            run_pnpm_updater(path, lockfile_name)
                           else
                             run_npm_updater(path, lockfile_name, lockfile.content)
                           end
@@ -74,9 +74,7 @@ module Dependabot
 
         def version_from_updated_lockfiles(updated_lockfiles)
           updated_files = dependency_files -
-                          dependency_files_builder.yarn_locks -
-                          dependency_files_builder.package_locks -
-                          dependency_files_builder.shrinkwraps +
+                          dependency_files_builder.lockfiles +
                           updated_lockfiles
 
           updated_version = NpmAndYarn::FileParser.new(
@@ -125,6 +123,18 @@ module Dependabot
           end
         end
 
+        def run_pnpm_updater(path, lockfile_name)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              SharedHelpers.run_shell_command(
+                "pnpm update #{dependency.name} --lockfile-only",
+                fingerprint: "pnpm update <dependency_name> --lockfile-only"
+              )
+              { lockfile_name => File.read(lockfile_name) }
+            end
+          end
+        end
+
         def run_npm_updater(path, lockfile_name, lockfile_content)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb

@@ -26,7 +26,7 @@ module Dependabot
           "vue" => %w(vue vue-template-compiler)
         }.freeze
 
-        # Error message from yarn add:
+        # Error message returned by `yarn add` (for Yarn classic):
         # " > @reach/router@1.2.1" has incorrect peer dependency "react@15.x || 16.x || 16.4.0-alpha.0911da3"
         # "workspace-aggregator-<random-string> > test > react-dom@15.6.2" has incorrect peer dependency "react@^15.6.2"
         # " > react-burger-menu@1.9.9" has unmet peer dependency "react@>=0.14.0 <16.0.0"
@@ -37,7 +37,7 @@ module Dependabot
             "(?<required_dep>[^"]+)"
           /x
 
-        # Error message from yarn add:
+        # Error message returned by `yarn add` (for Yarn berry):
         # YN0060: │ eve-roster@workspace:. provides jest (p8d618) \
         # with version 29.3.0, which doesn't satisfy \
         # what ts-jest requests\n
@@ -46,7 +46,16 @@ module Dependabot
             YN0060:\s|\s.+\sprovides\s(?<required_dep>.+?)\s\((?<info_hash>\w+)\).+what\s(?<requiring_dep>.+?)\srequests
           /x
 
-        # Error message from npm install:
+        # Error message returned by `pnpm update`:
+        # └─┬ react-dom 15.7.0
+        #   └── ✕ unmet peer react@^15.7.0: found 16.3.1
+        PNPM_PEER_DEP_ERROR_REGEX =
+          /
+            ┬\s(?<requiring_dep>[^\n]+)\n
+            [^\n]*✕\sunmet\speer\s(?<required_dep>[^:]+):
+          /mx
+
+        # Error message returned by `npm install` (for NPM 6):
         # react-dom@15.2.0 requires a peer of react@^15.2.0 \
         # but none is installed. You must install peer dependencies yourself.
         NPM6_PEER_DEP_ERROR_REGEX =
@@ -56,7 +65,7 @@ module Dependabot
             (?<required_dep>.+?)\sbut\snone\sis\sinstalled.
           /x
 
-        # Error message from npm install:
+        # Error message returned by `npm install` (for NPM 8):
         # npm ERR! Could not resolve dependency:
         # npm ERR! peer react@"^16.14.0" from react-dom@16.14.0
         #
@@ -320,8 +329,7 @@ module Dependabot
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
             dependency_files_builder.write_temporary_dependency_files
 
-            filtered_package_files.flat_map do |file|
-              path = Pathname.new(file.name).dirname
+            paths_requiring_update_check.flat_map do |path|
               run_checker(path: path, version: version)
             end.compact
           end
@@ -332,24 +340,30 @@ module Dependabot
           []
         end
 
-        def handle_peer_dependency_errors(error)
+        def handle_peer_dependency_errors(message)
           errors = []
-          if error.message.match?(NPM6_PEER_DEP_ERROR_REGEX)
-            error.message.scan(NPM6_PEER_DEP_ERROR_REGEX) do
+          if message.match?(NPM6_PEER_DEP_ERROR_REGEX)
+            message.scan(NPM6_PEER_DEP_ERROR_REGEX) do
               errors << Regexp.last_match.named_captures
             end
-          elsif error.message.match?(NPM8_PEER_DEP_ERROR_REGEX)
-            error.message.scan(NPM8_PEER_DEP_ERROR_REGEX) do
+          elsif message.match?(NPM8_PEER_DEP_ERROR_REGEX)
+            message.scan(NPM8_PEER_DEP_ERROR_REGEX) do
               errors << Regexp.last_match.named_captures
             end
-          elsif error.message.match?(YARN_PEER_DEP_ERROR_REGEX)
-            error.message.scan(YARN_PEER_DEP_ERROR_REGEX) do
+          elsif message.match?(YARN_PEER_DEP_ERROR_REGEX)
+            message.scan(YARN_PEER_DEP_ERROR_REGEX) do
               errors << Regexp.last_match.named_captures
             end
-          elsif error.message.match?(YARN_BERRY_PEER_DEP_ERROR_REGEX)
-            error.message.scan(YARN_BERRY_PEER_DEP_ERROR_REGEX) do
+          elsif message.match?(YARN_BERRY_PEER_DEP_ERROR_REGEX)
+            message.scan(YARN_BERRY_PEER_DEP_ERROR_REGEX) do
               errors << Regexp.last_match.named_captures
             end
+          elsif message.match?(PNPM_PEER_DEP_ERROR_REGEX)
+            message.scan(PNPM_PEER_DEP_ERROR_REGEX) do
+              captures = Regexp.last_match.named_captures
+              captures["requiring_dep"].tr!(" ", "@")
+              errors << captures
+            end
           else
             raise
           end
@@ -483,20 +497,24 @@ module Dependabot
         end
 
         def run_checker(path:, version:)
-          # If there are both yarn lockfiles and npm lockfiles only run the
-          # yarn updater
           yarn_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.yarn_locks, path: path)
           return run_yarn_checker(path: path, version: version, lockfile: yarn_lockfiles.first) if yarn_lockfiles.any?
 
+          pnpm_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.pnpm_locks, path: path)
+          return run_pnpm_checker(path: path, version: version) if pnpm_lockfiles.any?
+
           npm_lockfiles = lockfiles_for_path(lockfiles: dependency_files_builder.package_locks, path: path)
           return run_npm_checker(path: path, version: version) if npm_lockfiles.any?
 
           root_yarn_lock = dependency_files_builder.root_yarn_lock
           return run_yarn_checker(path: path, version: version, lockfile: root_yarn_lock) if root_yarn_lock
 
+          root_pnpm_lock = dependency_files_builder.root_pnpm_lock
+          return run_pnpm_checker(path: path, version: version) if root_pnpm_lock
+
           run_npm_checker(path: path, version: version)
         rescue SharedHelpers::HelperSubprocessFailed => e
-          handle_peer_dependency_errors(e)
+          handle_peer_dependency_errors(e.message)
         end
 
         def run_yarn_checker(path:, version:, lockfile:)
@@ -505,6 +523,23 @@ module Dependabot
           run_yarn_classic_checker(path: path, version: version)
         end
 
+        def run_pnpm_checker(path:, version:)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              output = SharedHelpers.run_shell_command(
+                "pnpm update #{dependency.name}@#{version} --lockfile-only",
+                fingerprint: "pnpm update <dependency_name>@<version> --lockfile-only"
+              )
+              if PNPM_PEER_DEP_ERROR_REGEX.match?(output)
+                raise SharedHelpers::HelperSubprocessFailed.new(
+                  message: output,
+                  error_context: {}
+                )
+              end
+            end
+          end
+        end
+
         def run_yarn_berry_checker(path:, version:)
           # This method mimics calling a native helper in order to comply with the caller's expectations
           # Specifically we add the dependency at the specified updated version
@@ -612,12 +647,12 @@ module Dependabot
           ).parse.select(&:top_level?)
         end
 
-        def filtered_package_files
-          @filtered_package_files ||=
+        def paths_requiring_update_check
+          @paths_requiring_update_check ||=
             DependencyFilesFilterer.new(
               dependency_files: dependency_files,
               updated_dependencies: [dependency]
-            ).package_files_requiring_update
+            ).paths_requiring_update_check
         end
 
         def dependency_files_builder

data/lib/dependabot/npm_and_yarn/update_checker.rb

@@ -102,6 +102,10 @@ module Dependabot
           ).updated_requirements
       end
 
+      def requirements_unlocked_or_can_be?
+        requirements_update_strategy != :lockfile_only
+      end
+
       def requirements_update_strategy
         # If passed in as an option (in the base class) honour that option
         return @requirements_update_strategy.to_sym if @requirements_update_strategy

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.217.0
+  version: 0.218.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-04-24 00:00:00.000000000 Z
+date: 2023-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.217.0
+        version: 0.218.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.217.0
+        version: 0.218.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -227,6 +227,8 @@ files:
 - helpers/lib/npm6/remove-dependencies-from-lockfile.js
 - helpers/lib/npm6/subdependency-updater.js
 - helpers/lib/npm6/updater.js
+- helpers/lib/pnpm/index.js
+- helpers/lib/pnpm/lockfile-parser.js
 - helpers/lib/yarn/conflicting-dependency-parser.js
 - helpers/lib/yarn/fix-duplicates.js
 - helpers/lib/yarn/helpers.js
@@ -274,16 +276,19 @@ files:
 - lib/dependabot/npm_and_yarn/file_parser.rb
 - lib/dependabot/npm_and_yarn/file_parser/json_lock.rb
 - lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb
+- lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb
 - lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb
 - lib/dependabot/npm_and_yarn/file_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb
 - lib/dependabot/npm_and_yarn/file_updater/package_json_preparer.rb
 - lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb
+- lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/helpers.rb
 - lib/dependabot/npm_and_yarn/metadata_finder.rb
 - lib/dependabot/npm_and_yarn/native_helpers.rb
+- lib/dependabot/npm_and_yarn/package_manager.rb
 - lib/dependabot/npm_and_yarn/package_name.rb
 - lib/dependabot/npm_and_yarn/requirement.rb
 - lib/dependabot/npm_and_yarn/sub_dependency_files_filterer.rb
@@ -302,8 +307,8 @@ homepage: https://github.com/dependabot/dependabot-core
 licenses:
 - Nonstandard
 metadata:
-  issue_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.218.0
 post_install_message: 
 rdoc_options: []
 require_paths: