dependabot-npm_and_yarn 0.230.0 → 0.231.0

data/helpers/package.json

@@ -21,9 +21,9 @@
     "patch-package": "^8.0.0"
   },
   "devDependencies": {
-    "eslint": "^8.47.0",
+    "eslint": "^8.49.0",
     "eslint-config-prettier": "^9.0.0",
-    "jest": "^29.6.3",
-    "prettier": "^3.0.2"
+    "jest": "^29.6.4",
+    "prettier": "^3.0.3"
   }
 }

data/lib/dependabot/npm_and_yarn/dependency_files_filterer.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 require "dependabot/utils"

data/lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 require "json"
@@ -36,20 +37,20 @@ module Dependabot
 
         def details_from_yarn_lock
           path_starts = FileFetcher::PATH_DEPENDENCY_STARTS
-          parsed_yarn_lock.to_a.
-            find do |n, _|
-              next false unless n.split(/(?<=\w)\@/).first == dependency_name
+          parsed_yarn_lock.to_a
+                          .find do |n, _|
+            next false unless n.split(/(?<=\w)\@/).first == dependency_name
 
-              n.split(/(?<=\w)\@/).last.start_with?(*path_starts)
-            end&.last
+            n.split(/(?<=\w)\@/).last.start_with?(*path_starts)
+          end&.last
         end
 
         def details_from_npm_lock
           path_starts = FileFetcher::NPM_PATH_DEPENDENCY_STARTS
-          path_deps = parsed_package_lock.fetch("dependencies", []).to_a.
-                      select do |_, v|
-                        v.fetch("version", "").start_with?(*path_starts)
-                      end
+          path_deps = parsed_package_lock.fetch("dependencies", []).to_a
+                                         .select do |_, v|
+            v.fetch("version", "").start_with?(*path_starts)
+          end
           path_deps.find { |n, _| n == dependency_name }&.last
         end
 
@@ -93,18 +94,18 @@ module Dependabot
             next unless value.start_with?(*FileFetcher::PATH_DEPENDENCY_STARTS)
 
             path_from_base =
-              parsed_yarn_lock.to_a.
-              find do |n, _|
+              parsed_yarn_lock.to_a
+                              .find do |n, _|
                 next false unless n.split(/(?<=\w)\@/).first == name
 
-                n.split(/(?<=\w)\@/).last.
-                  start_with?(*FileFetcher::PATH_DEPENDENCY_STARTS)
+                n.split(/(?<=\w)\@/).last
+                 .start_with?(*FileFetcher::PATH_DEPENDENCY_STARTS)
               end&.first&.split(/(?<=\w)\@/)&.last
 
             next unless path_from_base
 
-            cleaned_path = path_from_base.
-                           gsub(FileFetcher::PATH_DEPENDENCY_CLEAN_REGEX, "")
+            cleaned_path = path_from_base
+                           .gsub(FileFetcher::PATH_DEPENDENCY_CLEAN_REGEX, "")
             obj[name] = "file:" + File.join(inverted_path, cleaned_path)
           end
         end

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 require "json"
@@ -225,8 +226,8 @@ module Dependabot
 
         # Loop through parent directories looking for an npmrc
         (1..directory.split("/").count).each do |i|
-          @npmrc = fetch_file_from_host(("../" * i) + ".npmrc")&.
-                   tap { |f| f.support_file = true }
+          @npmrc = fetch_file_from_host(("../" * i) + ".npmrc")
+                   &.tap { |f| f.support_file = true }
           break if @npmrc
         rescue Dependabot::DependencyFileNotFound
           # Ignore errors (.npmrc may not be present)
@@ -245,8 +246,8 @@ module Dependabot
 
         # Loop through parent directories looking for an yarnrc
         (1..directory.split("/").count).each do |i|
-          @yarnrc = fetch_file_from_host(("../" * i) + ".yarnrc")&.
-                   tap { |f| f.support_file = true }
+          @yarnrc = fetch_file_from_host(("../" * i) + ".yarnrc")
+                   &.tap { |f| f.support_file = true }
           break if @yarnrc
         rescue Dependabot::DependencyFileNotFound
           # Ignore errors (.yarnrc may not be present)
@@ -368,15 +369,15 @@ module Dependabot
 
         raise Dependabot::DependencyFileNotParseable, file.path unless manifest_objects.all?(Hash)
 
-        resolution_deps = resolution_objects.flat_map(&:to_a).
-                          map do |path, value|
-                            convert_dependency_path_to_name(path, value)
-                          end
+        resolution_deps = resolution_objects.flat_map(&:to_a)
+                                            .map do |path, value|
+          convert_dependency_path_to_name(path, value)
+        end
 
         path_starts = PATH_DEPENDENCY_STARTS
-        (dependency_objects.flat_map(&:to_a) + resolution_deps).
-          select { |_, v| v.is_a?(String) && v.start_with?(*path_starts) }.
-          map do |name, path|
+        (dependency_objects.flat_map(&:to_a) + resolution_deps)
+          .select { |_, v| v.is_a?(String) && v.start_with?(*path_starts) }
+          .map do |name, path|
             path = path.gsub(PATH_DEPENDENCY_CLEAN_REGEX, "")
             raise PathDependenciesNotReachable, "#{name} at #{path}" if path.start_with?("/", "#{path_to_directory}..")
 
@@ -391,10 +392,10 @@ module Dependabot
 
       def path_dependency_details_from_npm_lockfile(parsed_lockfile)
         path_starts = NPM_PATH_DEPENDENCY_STARTS
-        parsed_lockfile.fetch("dependencies", []).to_a.
-          select { |_, v| v.is_a?(Hash) }.
-          select { |_, v| v.fetch("version", "").start_with?(*path_starts) }.
-          map { |k, v| [k, v.fetch("version")] }
+        parsed_lockfile.fetch("dependencies", []).to_a
+                       .select { |_, v| v.is_a?(Hash) }
+                       .select { |_, v| v.fetch("version", "").start_with?(*path_starts) }
+                       .map { |k, v| [k, v.fetch("version")] }
       end
 
       # Re-write the glob name to the targeted dependency name (which is used
@@ -458,16 +459,16 @@ module Dependabot
         return [glob] unless glob.include?("*") || yarn_ignored_glob(glob)
 
         unglobbed_path =
-          glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*").
-          split("*").
-          first&.gsub(%r{(?<=/)[^/]*$}, "") || "."
+          glob.gsub(%r{^\./}, "").gsub(/!\(.*?\)/, "*")
+              .split("*")
+              .first&.gsub(%r{(?<=/)[^/]*$}, "") || "."
 
         dir = directory.gsub(%r{(^/|/$)}, "")
 
         paths =
-          repo_contents(dir: unglobbed_path, raise_errors: false).
-          select { |file| file.type == "dir" }.
-          map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
+          repo_contents(dir: unglobbed_path, raise_errors: false)
+          .select { |file| file.type == "dir" }
+          .map { |f| f.path.gsub(%r{^/?#{Regexp.escape(dir)}/?}, "") }
 
         matching_paths(glob, paths)
       end
@@ -585,5 +586,5 @@ module Dependabot
   end
 end
 
-Dependabot::FileFetchers.
-  register("npm_and_yarn", Dependabot::NpmAndYarn::FileFetcher)
+Dependabot::FileFetchers
+  .register("npm_and_yarn", Dependabot::NpmAndYarn::FileFetcher)

data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 require "json"

data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 require "dependabot/dependency_file"
@@ -56,8 +57,8 @@ module Dependabot
             end +
             %w(yarn.lock pnpm-lock.yaml package-lock.json npm-shrinkwrap.json)
 
-          possible_lockfile_names.uniq.
-            filter_map { |nm| dependency_files.find { |f| f.name == nm } }
+          possible_lockfile_names.uniq
+                                 .filter_map { |nm| dependency_files.find { |f| f.name == nm } }
         end
 
         def parsed_lockfile(file)
@@ -77,26 +78,26 @@ module Dependabot
 
         def package_locks
           @package_locks ||=
-            dependency_files.
-            select { |f| f.name.end_with?("package-lock.json") }
+            dependency_files
+            .select { |f| f.name.end_with?("package-lock.json") }
         end
 
         def pnpm_locks
           @pnpm_locks ||=
-            dependency_files.
-            select { |f| f.name.end_with?("pnpm-lock.yaml") }
+            dependency_files
+            .select { |f| f.name.end_with?("pnpm-lock.yaml") }
         end
 
         def yarn_locks
           @yarn_locks ||=
-            dependency_files.
-            select { |f| f.name.end_with?("yarn.lock") }
+            dependency_files
+            .select { |f| f.name.end_with?("yarn.lock") }
         end
 
         def shrinkwraps
           @shrinkwraps ||=
-            dependency_files.
-            select { |f| f.name.end_with?("npm-shrinkwrap.json") }
+            dependency_files
+            .select { |f| f.name.end_with?("npm-shrinkwrap.json") }
         end
 
         def version_class

data/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 require "dependabot/errors"

data/lib/dependabot/npm_and_yarn/file_parser/yarn_lock.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 require "dependabot/shared_helpers"
@@ -51,8 +52,8 @@ module Dependabot
 
         def details(dependency_name, requirement, _manifest_name)
           details_candidates =
-            parsed.
-            select { |k, _| k.split(/(?<=\w)\@/)[0] == dependency_name }
+            parsed
+            .select { |k, _| k.split(/(?<=\w)\@/)[0] == dependency_name }
 
           # If there's only one entry for this dependency, use it, even if
           # the requirement in the lockfile doesn't match

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 # See https://docs.npmjs.com/files/package.json for package.json format docs.
@@ -204,14 +205,14 @@ module Dependabot
           Dependabot::GitMetadataFetcher.new(
             url: git_source_for(requirement).fetch(:url),
             credentials: credentials
-          ).tags.
-          select { |t| [t.commit_sha, t.tag_sha].include?(git_revision) }
+          ).tags
+                                        .select { |t| [t.commit_sha, t.tag_sha].include?(git_revision) }
 
         tags.each do |t|
           next unless t.name.match?(Dependabot::GitCommitChecker::VERSION_REGEX)
 
-          version = t.name.match(Dependabot::GitCommitChecker::VERSION_REGEX).
-                    named_captures.fetch("version")
+          version = t.name.match(Dependabot::GitCommitChecker::VERSION_REGEX)
+                     .named_captures.fetch("version")
           next unless version_class.correct?(version)
 
           return version
@@ -267,10 +268,10 @@ module Dependabot
         prefix = details.fetch("git_prefix")
 
         host = if prefix.include?("git@") || prefix.include?("://")
-                 prefix.split("git@").last.
-                   sub(%r{.*?://}, "").
-                   sub(%r{[:/]$}, "").
-                   split("#").first
+                 prefix.split("git@").last
+                       .sub(%r{.*?://}, "")
+                       .sub(%r{[:/]$}, "")
+                       .split("#").first
                elsif prefix.include?("bitbucket") then "bitbucket.org"
                elsif prefix.include?("gitlab") then "gitlab.com"
                else
@@ -292,8 +293,8 @@ module Dependabot
             resolved_url.split("/~/").first
           elsif resolved_url.include?("/#{name}/-/#{name}")
             # MyGet / Bintray format
-            resolved_url.split("/#{name}/-/#{name}").first.
-              gsub("dl.bintray.com//", "api.bintray.com/npm/").
+            resolved_url.split("/#{name}/-/#{name}").first
+                        .gsub("dl.bintray.com//", "api.bintray.com/npm/").
               # GitLab format
               gsub(%r{\/projects\/\d+}, "")
           elsif resolved_url.include?("/#{name}/-/#{name.split('/').last}")
@@ -311,10 +312,10 @@ module Dependabot
         resolved_url_host = URI(resolved_url).host
 
         credential_matching_url =
-          credentials.
-          select { |cred| cred["type"] == "npm_registry" }.
-          sort_by { |cred| cred["registry"].length }.
-          find do |details|
+          credentials
+          .select { |cred| cred["type"] == "npm_registry" }
+          .sort_by { |cred| cred["registry"].length }
+          .find do |details|
             next true if resolved_url_host == details["registry"]
 
             uri = if details["registry"]&.include?("://")
@@ -337,11 +338,11 @@ module Dependabot
         @package_files ||=
           begin
             sub_packages =
-              dependency_files.
-              select { |f| f.name.end_with?("package.json") }.
-              reject { |f| f.name == "package.json" }.
-              reject { |f| f.name.include?("node_modules/") }.
-              reject(&:support_file?)
+              dependency_files
+              .select { |f| f.name.end_with?("package.json") }
+              .reject { |f| f.name == "package.json" }
+              .reject { |f| f.name.include?("node_modules/") }
+              .reject(&:support_file?)
 
             [
               dependency_files.find { |f| f.name == "package.json" },
@@ -361,5 +362,5 @@ module Dependabot
   end
 end
 
-Dependabot::FileParsers.
-  register("npm_and_yarn", Dependabot::NpmAndYarn::FileParser)
+Dependabot::FileParsers
+  .register("npm_and_yarn", Dependabot::NpmAndYarn::FileParser)

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 require "dependabot/errors"
@@ -319,8 +320,8 @@ module Dependabot
         def handle_npm_updater_error(error)
           error_message = error.message
           if error_message.match?(MISSING_PACKAGE)
-            package_name = error_message.match(MISSING_PACKAGE).
-                           named_captures["package_req"]
+            package_name = error_message.match(MISSING_PACKAGE)
+                                        .named_captures["package_req"]
             sanitized_name = sanitize_package_name(package_name)
             sanitized_error = error_message.gsub(package_name, sanitized_name)
             handle_missing_package(sanitized_name, sanitized_error)
@@ -368,8 +369,8 @@ module Dependabot
           end
 
           if error_message.match?(FORBIDDEN_PACKAGE)
-            package_name = error_message.match(FORBIDDEN_PACKAGE).
-                           named_captures["package_req"]
+            package_name = error_message.match(FORBIDDEN_PACKAGE)
+                                        .named_captures["package_req"]
             sanitized_name = sanitize_package_name(package_name)
             sanitized_error = error_message.gsub(package_name, sanitized_name)
             handle_missing_package(sanitized_name, sanitized_error)
@@ -377,8 +378,8 @@ module Dependabot
 
           # Some private registries return a 403 when the user is readonly
           if error_message.match?(FORBIDDEN_PACKAGE_403)
-            package_name = error_message.match(FORBIDDEN_PACKAGE_403).
-                           named_captures["package_req"]
+            package_name = error_message.match(FORBIDDEN_PACKAGE_403)
+                                        .named_captures["package_req"]
             sanitized_name = sanitize_package_name(package_name)
             sanitized_error = error_message.gsub(package_name, sanitized_name)
             handle_missing_package(sanitized_name, sanitized_error)
@@ -868,14 +869,14 @@ module Dependabot
 
         def package_locks
           @package_locks ||=
-            dependency_files.
-            select { |f| f.name.end_with?("package-lock.json") }
+            dependency_files
+            .select { |f| f.name.end_with?("package-lock.json") }
         end
 
         def shrinkwraps
           @shrinkwraps ||=
-            dependency_files.
-            select { |f| f.name.end_with?("npm-shrinkwrap.json") }
+            dependency_files
+            .select { |f| f.name.end_with?("npm-shrinkwrap.json") }
         end
 
         def package_files

data/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 require "dependabot/npm_and_yarn/file_updater"
@@ -91,9 +92,9 @@ module Dependabot
               next false if yarnrc_scoped_registries.any? { |sr| sr.include?(cred["registry"]) }
 
               # If any unscoped URLs include this registry, assume it's global
-              dependency_urls.
-                reject { |u| u.include?("@") || u.include?("%40") }.
-                any? { |url| url.include?(cred["registry"]) }
+              dependency_urls
+                .reject { |u| u.include?("@") || u.include?("%40") }
+                .any? { |url| url.include?(cred["registry"]) }
             end
         end
 
@@ -135,10 +136,10 @@ module Dependabot
           @dependency_urls = []
           if package_lock
             @dependency_urls +=
-              package_lock.content.scan(/"resolved"\s*:\s*"(.*)"/).
-              flatten.
-              select { |url| url.is_a?(String) }.
-              reject { |url| url.start_with?("git") }
+              package_lock.content.scan(/"resolved"\s*:\s*"(.*)"/)
+                          .flatten
+                          .select { |url| url.is_a?(String) }
+                          .reject { |url| url.start_with?("git") }
           end
           if yarn_lock
             @dependency_urls +=
@@ -155,8 +156,8 @@ module Dependabot
         end
 
         def complete_npmrc_from_credentials
-          initial_content = npmrc_file.content.
-                            gsub(/^.*\$\{.*\}.*/, "").strip + "\n"
+          initial_content = npmrc_file.content
+                                      .gsub(/^.*\$\{.*\}.*/, "").strip + "\n"
           return initial_content unless yarn_lock || package_lock
           return initial_content unless global_registry
 
@@ -169,8 +170,8 @@ module Dependabot
         end
 
         def complete_yarnrc_from_credentials
-          initial_content = yarnrc_file.content.
-                            gsub(/^.*\$\{.*\}.*/, "").strip + "\n"
+          initial_content = yarnrc_file.content
+                                       .gsub(/^.*\$\{.*\}.*/, "").strip + "\n"
           return initial_content unless yarn_lock || package_lock
           return initial_content unless global_registry
 
@@ -182,10 +183,10 @@ module Dependabot
 
         def build_npmrc_from_yarnrc
           yarnrc_global_registry =
-            yarnrc_file.content.
-            lines.find { |line| line.match?(/^\s*registry\s/) }&.
-            match(NpmAndYarn::UpdateChecker::RegistryFinder::YARN_GLOBAL_REGISTRY_REGEX)&.
-            named_captures&.fetch("registry")
+            yarnrc_file.content
+                       .lines.find { |line| line.match?(/^\s*registry\s/) }
+            &.match(NpmAndYarn::UpdateChecker::RegistryFinder::YARN_GLOBAL_REGISTRY_REGEX)
+            &.named_captures&.fetch("registry")
 
           return "registry = #{yarnrc_global_registry}\n" if yarnrc_global_registry
 
@@ -194,10 +195,10 @@ module Dependabot
 
         def build_yarnrc_from_yarnrc
           yarnrc_global_registry =
-            yarnrc_file.content.
-            lines.find { |line| line.match?(/^\s*registry\s/) }&.
-            match(/^\s*registry\s+"(?<registry>[^"]+)"/)&.
-            named_captures&.fetch("registry")
+            yarnrc_file.content
+                       .lines.find { |line| line.match?(/^\s*registry\s/) }
+            &.match(/^\s*registry\s+"(?<registry>[^"]+)"/)
+            &.named_captures&.fetch("registry")
 
           return "registry \"#{yarnrc_global_registry}\"\n" if yarnrc_global_registry
 
@@ -238,16 +239,16 @@ module Dependabot
           return [] unless npmrc_file
 
           @npmrc_scoped_registries ||=
-            npmrc_file.content.lines.select { |line| line.match?(SCOPED_REGISTRY) }.
-            filter_map { |line| line.match(SCOPED_REGISTRY)&.named_captures&.fetch("registry") }
+            npmrc_file.content.lines.select { |line| line.match?(SCOPED_REGISTRY) }
+                      .filter_map { |line| line.match(SCOPED_REGISTRY)&.named_captures&.fetch("registry") }
         end
 
         def yarnrc_scoped_registries
           return [] unless yarnrc_file
 
           @yarnrc_scoped_registries ||=
-            yarnrc_file.content.lines.select { |line| line.match?(SCOPED_REGISTRY) }.
-            filter_map { |line| line.match(SCOPED_REGISTRY)&.named_captures&.fetch("registry") }
+            yarnrc_file.content.lines.select { |line| line.match?(SCOPED_REGISTRY) }
+                       .filter_map { |line| line.match(SCOPED_REGISTRY)&.named_captures&.fetch("registry") }
         end
 
         # rubocop:disable Metrics/PerceivedComplexity
@@ -260,8 +261,8 @@ module Dependabot
             registry_credentials.map { |c| c.fetch("registry") } -
             [registry]
           affected_urls =
-            dependency_urls.
-            select do |url|
+            dependency_urls
+            .select do |url|
               next false unless url.include?(registry)
 
               other_regs.none? { |r| r.include?(registry) && url.include?(r) }
@@ -287,13 +288,13 @@ module Dependabot
         end
 
         def npmrc_file
-          @npmrc_file ||= dependency_files.
-                          find { |f| f.name.end_with?(".npmrc") }
+          @npmrc_file ||= dependency_files
+                          .find { |f| f.name.end_with?(".npmrc") }
         end
 
         def yarnrc_file
-          @yarnrc_file ||= dependency_files.
-                           find { |f| f.name.end_with?(".yarnrc") }
+          @yarnrc_file ||= dependency_files
+                           .find { |f| f.name.end_with?(".yarnrc") }
         end
 
         def yarn_lock

data/lib/dependabot/npm_and_yarn/file_updater/package_json_preparer.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 require "dependabot/npm_and_yarn/file_updater"
@@ -39,8 +40,8 @@ module Dependabot
           workspace_object = json.fetch("workspaces")
           paths_array =
             if workspace_object.is_a?(Hash)
-              workspace_object.values_at("packages", "nohoist").
-                flatten.compact
+              workspace_object.values_at("packages", "nohoist")
+                              .flatten.compact
             elsif workspace_object.is_a?(Array) then workspace_object
             else
               raise "Unexpected workspace object"
@@ -52,10 +53,10 @@ module Dependabot
         end
 
         def remove_invalid_characters(content)
-          content.
-            gsub(/\{\{[^\}]*?\}\}/, "something"). # {{ nm }} syntax not allowed
-            gsub(/(?<!\\)\\ /, " ").          # escaped whitespace not allowed
-            gsub(%r{^\s*//.*}, " ")           # comments are not allowed
+          content
+            .gsub(/\{\{[^\}]*?\}\}/, "something") # {{ nm }} syntax not allowed
+            .gsub(/(?<!\\)\\ /, " ") # escaped whitespace not allowed
+            .gsub(%r{^\s*//.*}, " ")           # comments are not allowed
         end
 
         def swapped_ssh_requirements

data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 require "dependabot/npm_and_yarn/file_updater"
@@ -54,9 +55,9 @@ module Dependabot
         end
 
         def old_requirement(dependency, new_requirement)
-          dependency.previous_requirements.
-            select { |r| r[:file] == package_json.name }.
-            find { |r| r[:groups] == new_requirement[:groups] }
+          dependency.previous_requirements
+                    .select { |r| r[:file] == package_json.name }
+                    .find { |r| r[:groups] == new_requirement[:groups] }
         end
 
         def new_requirements(dependency)
@@ -65,17 +66,17 @@ module Dependabot
 
         def updated_requirements(dependency)
           updated_requirement_pairs =
-            dependency.requirements.zip(dependency.previous_requirements).
-            reject do |new_req, old_req|
+            dependency.requirements.zip(dependency.previous_requirements)
+                      .reject do |new_req, old_req|
               next true if new_req == old_req
               next false unless old_req[:source].nil?
 
               new_req[:requirement] == old_req[:requirement]
             end
 
-          updated_requirement_pairs.
-            map(&:first).
-            select { |r| r[:file] == package_json.name }
+          updated_requirement_pairs
+            .map(&:first)
+            .select { |r| r[:file] == package_json.name }
         end
 
         def update_package_json_declaration(package_json_content:, new_req:,
@@ -110,9 +111,9 @@ module Dependabot
           dep = dependency
           parsed_json_content = JSON.parse(package_json_content)
           resolutions =
-            parsed_json_content.fetch("resolutions", parsed_json_content.dig("pnpm", "overrides") || {}).
-            reject { |_, v| v != old_req && v != dep.previous_version }.
-            select { |k, _| k == dep.name || k.end_with?("/#{dep.name}") }
+            parsed_json_content.fetch("resolutions", parsed_json_content.dig("pnpm", "overrides") || {})
+                               .reject { |_, v| v != old_req && v != dep.previous_version }
+                               .select { |k, _| k == dep.name || k.end_with?("/#{dep.name}") }
 
           return package_json_content unless resolutions.any?
 

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -1,3 +1,4 @@
+# typed: false
 # frozen_string_literal: true
 
 require "dependabot/npm_and_yarn/helpers"
@@ -85,9 +86,9 @@ module Dependabot
 
           raise unless error_message.match?(MISSING_PACKAGE)
 
-          package_name = error_message.match(MISSING_PACKAGE).
-                         named_captures["package_req"].
-                         split(/(?<=\w)\@/).first
+          package_name = error_message.match(MISSING_PACKAGE)
+                                      .named_captures["package_req"]
+                                      .split(/(?<=\w)\@/).first
           raise_missing_package_error(package_name, error_message, pnpm_lock)
         end
 
@@ -99,8 +100,8 @@ module Dependabot
         end
 
         def raise_missing_package_error(package_name, _error_message, pnpm_lock)
-          missing_dep = lockfile_dependencies(pnpm_lock).
-                        find { |dep| dep.name == package_name }
+          missing_dep = lockfile_dependencies(pnpm_lock)
+                        .find { |dep| dep.name == package_name }
 
           reg = NpmAndYarn::UpdateChecker::RegistryFinder.new(
             dependency: missing_dep,