dependabot-npm_and_yarn 0.239.0 → 0.241.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4a56edd19122fd01bf494ccd5c3e4f9641f32289ebabf6bb08915d869ee58f2b
-  data.tar.gz: 0c9883cde9e28dc7a60056db9766eb1ada8a8b5f3890bba671423571d2164697
+  metadata.gz: 854c8f9873cf47c2a5ee76f65a96e3dd91baf4dbe78ed09bee56687377291d80
+  data.tar.gz: 603392ebc98a3d0b27744767d8e6cc64c3b3d54e973472378b659da095a3bc38
 SHA512:
-  metadata.gz: d74b8568ea273f503b4168667f33fade47048e3364236560a409a9399676b4ed3e5c344435b982f1112ca8340deecb0141d60ca842c080fc0a054c4b49d0b5b0
-  data.tar.gz: 02af05f027efc8e1e5e429e4485d36d29f1bf636cfb05ae61025e3ce2ef8a77e09292c09e279bf9ab457da0a6533f4faa7c7e7219c2256094cdb28a81fc71ab8
+  metadata.gz: 5c259c7e0232109e4b7f936698f56e366f0ea3df09a4bcaada13e2df3c61ae7784d52521778b4fb8e389f823c07d263e3c80e029d7b8141095308dc8d1c5ea8b
+  data.tar.gz: 4a5d44748870b26da01b337b4faa75df767ee4f8146245d2650bfe11e0708f20c1beb9701856b967fec3ffcff07c98f183d6740a9bbd3734acb33fd2764c39d6

data/helpers/package-lock.json

@@ -8,11 +8,11 @@
       "hasInstallScript": true,
       "dependencies": {
         "@dependabot/yarn-lib": "^1.22.19",
-        "@npmcli/arborist": "^7.2.1",
+        "@npmcli/arborist": "^7.3.0",
         "@pnpm/dependency-path": "^2.1.1",
         "@pnpm/lockfile-file": "^8.1.4",
         "detect-indent": "^6.1.0",
-        "nock": "^13.3.8",
+        "nock": "^13.5.0",
         "npm": "6.14.18",
         "patch-package": "^8.0.0",
         "semver": "^7.4.0"
@@ -1939,9 +1939,9 @@
       }
     },
     "node_modules/@npmcli/arborist": {
-      "version": "7.2.1",
-      "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-7.2.1.tgz",
-      "integrity": "sha512-o1QIAX56FC8HEPF+Hf4V4/hck9j0a3UiLnMX4aDHPbtU4Po1tUOUSmc2GAx947VWT+acrdMYTDkqUt2CaSXt7A==",
+      "version": "7.3.0",
+      "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-7.3.0.tgz",
+      "integrity": "sha512-ZElIE9L14fEYiL4KqgqRHmo8fRKiTSOFU3hVS1mNm0zJE7hu4FHmof+OFsA7fAAXfkNDJrDByvD0o7Le0ISHMw==",
       "dependencies": {
         "@isaacs/string-locale-compare": "^1.1.0",
         "@npmcli/fs": "^3.1.0",
@@ -8587,9 +8587,9 @@
       }
     },
     "node_modules/nock": {
-      "version": "13.3.8",
-      "resolved": "https://registry.npmjs.org/nock/-/nock-13.3.8.tgz",
-      "integrity": "sha512-96yVFal0c/W1lG7mmfRe7eO+hovrhJYd2obzzOZ90f6fjpeU/XNvd9cYHZKZAQJumDfhXgoTpkpJ9pvMj+hqHw==",
+      "version": "13.5.0",
+      "resolved": "https://registry.npmjs.org/nock/-/nock-13.5.0.tgz",
+      "integrity": "sha512-9hc1eCS2HtOz+sE9W7JQw/tXJktg0zoPSu48s/pYe73e25JW9ywiowbqnUSd7iZPeVawLcVpPZeZS312fwSY+g==",
       "dependencies": {
         "debug": "^4.1.0",
         "json-stringify-safe": "^5.0.1",
@@ -17168,9 +17168,9 @@
       }
     },
     "@npmcli/arborist": {
-      "version": "7.2.1",
-      "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-7.2.1.tgz",
-      "integrity": "sha512-o1QIAX56FC8HEPF+Hf4V4/hck9j0a3UiLnMX4aDHPbtU4Po1tUOUSmc2GAx947VWT+acrdMYTDkqUt2CaSXt7A==",
+      "version": "7.3.0",
+      "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-7.3.0.tgz",
+      "integrity": "sha512-ZElIE9L14fEYiL4KqgqRHmo8fRKiTSOFU3hVS1mNm0zJE7hu4FHmof+OFsA7fAAXfkNDJrDByvD0o7Le0ISHMw==",
       "requires": {
         "@isaacs/string-locale-compare": "^1.1.0",
         "@npmcli/fs": "^3.1.0",
@@ -22158,9 +22158,9 @@
       "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg=="
     },
     "nock": {
-      "version": "13.3.8",
-      "resolved": "https://registry.npmjs.org/nock/-/nock-13.3.8.tgz",
-      "integrity": "sha512-96yVFal0c/W1lG7mmfRe7eO+hovrhJYd2obzzOZ90f6fjpeU/XNvd9cYHZKZAQJumDfhXgoTpkpJ9pvMj+hqHw==",
+      "version": "13.5.0",
+      "resolved": "https://registry.npmjs.org/nock/-/nock-13.5.0.tgz",
+      "integrity": "sha512-9hc1eCS2HtOz+sE9W7JQw/tXJktg0zoPSu48s/pYe73e25JW9ywiowbqnUSd7iZPeVawLcVpPZeZS312fwSY+g==",
       "requires": {
         "debug": "^4.1.0",
         "json-stringify-safe": "^5.0.1",

data/helpers/package.json

@@ -11,9 +11,9 @@
   },
   "dependencies": {
     "@dependabot/yarn-lib": "^1.22.19",
-    "@npmcli/arborist": "^7.2.1",
+    "@npmcli/arborist": "^7.3.0",
     "detect-indent": "^6.1.0",
-    "nock": "^13.3.8",
+    "nock": "^13.5.0",
     "npm": "6.14.18",
     "@pnpm/lockfile-file": "^8.1.4",
     "@pnpm/dependency-path": "^2.1.1",

data/helpers/test/npm6/conflicting-dependency-parser.test.js

@@ -11,7 +11,7 @@ describe("findConflictingDependencies", () => {
   beforeEach(() => {
     tempDir = fs.mkdtempSync(os.tmpdir() + path.sep);
   });
-  afterEach(() => fs.rmdir(tempDir, { recursive: true }, () => {}));
+  afterEach(() => fs.rm(tempDir, { recursive: true }, () => {}));
 
   it("finds conflicting dependencies", async () => {
     helpers.copyDependencies("conflicting-dependency-parser/simple", tempDir);

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -60,10 +60,9 @@ module Dependabot
       def ecosystem_versions
         package_managers = {}
 
-        package_managers["npm"] = npm_version if package_lock
+        package_managers["npm"] = npm_version if npm_version
         package_managers["yarn"] = yarn_version if yarn_version
         package_managers["pnpm"] = pnpm_version if pnpm_version
-        package_managers["shrinkwrap"] = 1 if shrinkwrap
         package_managers["unknown"] = 1 if package_managers.empty?
 
         {
@@ -75,9 +74,10 @@ module Dependabot
       def fetch_files
         fetched_files = []
         fetched_files << package_json
-        fetched_files += npm_files
-        fetched_files += yarn_files
-        fetched_files += pnpm_files
+        fetched_files << npmrc if npmrc
+        fetched_files += npm_files if npm_version
+        fetched_files += yarn_files if yarn_version
+        fetched_files += pnpm_files if pnpm_version
         fetched_files += lerna_files
         fetched_files += workspace_package_jsons
         fetched_files += path_dependencies(fetched_files)
@@ -93,9 +93,8 @@ module Dependabot
 
       def npm_files
         fetched_npm_files = []
-        fetched_npm_files << package_lock if package_lock
+        fetched_npm_files << package_lock if package_lock && !skip_package_lock?
         fetched_npm_files << shrinkwrap if shrinkwrap
-        fetched_npm_files << npmrc if npmrc
         fetched_npm_files << inferred_npmrc if inferred_npmrc
         fetched_npm_files
       end
@@ -110,7 +109,7 @@ module Dependabot
 
       def pnpm_files
         fetched_pnpm_files = []
-        fetched_pnpm_files << pnpm_lock if pnpm_lock
+        fetched_pnpm_files << pnpm_lock if pnpm_lock && !skip_pnpm_lock?
         fetched_pnpm_files << pnpm_workspace_yaml if pnpm_workspace_yaml
         fetched_pnpm_files += pnpm_workspace_package_jsons
         fetched_pnpm_files
@@ -131,7 +130,7 @@ module Dependabot
         return @inferred_npmrc = nil unless npmrc.nil? && package_lock
 
         known_registries = []
-        JSON.parse(package_lock.content).fetch("dependencies", {}).each do |dependency_name, details|
+        FileParser::JsonLock.new(package_lock).parsed.fetch("dependencies", {}).each do |dependency_name, details|
           resolved = details.fetch("resolved", DEFAULT_NPM_REGISTRY)
 
           begin
@@ -171,41 +170,28 @@ module Dependabot
       end
 
       def npm_version
-        Helpers.npm_version_numeric(package_lock.content)
+        return @npm_version if defined?(@npm_version)
+
+        @npm_version = package_manager.setup("npm")
       end
 
       def yarn_version
         return @yarn_version if defined?(@yarn_version)
 
-        @yarn_version = package_manager.requested_version("yarn") || guess_yarn_version
-      end
-
-      def guess_yarn_version
-        return unless yarn_lock
-
-        Helpers.yarn_version_numeric(yarn_lock)
+        @yarn_version = package_manager.setup("yarn")
       end
 
       def pnpm_version
         return @pnpm_version if defined?(@pnpm_version)
 
-        version = package_manager.requested_version("pnpm") || guess_pnpm_version
-
-        if version && Version.new(version.to_s) < Version.new("7")
-          raise ToolVersionNotSupported.new("PNPM", version.to_s, "7.*, 8.*")
-        end
-
-        @pnpm_version = version
-      end
-
-      def guess_pnpm_version
-        return unless pnpm_lock
-
-        Helpers.pnpm_version_numeric(pnpm_lock)
+        @pnpm_version = package_manager.setup("pnpm")
       end
 
       def package_manager
-        @package_manager ||= PackageManager.new(parsed_package_json)
+        @package_manager ||= PackageManager.new(
+          parsed_package_json,
+          lockfiles: { npm: package_lock || shrinkwrap, yarn: yarn_lock, pnpm: pnpm_lock }
+        )
       end
 
       def package_json
@@ -215,7 +201,7 @@ module Dependabot
       def package_lock
         return @package_lock if defined?(@package_lock)
 
-        @package_lock = fetch_file_if_present("package-lock.json") unless skip_package_lock?
+        @package_lock = fetch_file_if_present("package-lock.json")
       end
 
       def yarn_lock
@@ -227,7 +213,7 @@ module Dependabot
       def pnpm_lock
         return @pnpm_lock if defined?(@pnpm_lock)
 
-        @pnpm_lock = fetch_file_if_present("pnpm-lock.yaml") unless skip_pnpm_lock?
+        @pnpm_lock = fetch_file_if_present("pnpm-lock.yaml")
       end
 
       def shrinkwrap
@@ -379,7 +365,7 @@ module Dependabot
         current_depth = File.join(directory, file.name).split("/").count { |path| !path.empty? }
         path_to_directory = "../" * current_depth
 
-        dep_types = NpmAndYarn::FileParser::DEPENDENCY_TYPES
+        dep_types = FileParser::DEPENDENCY_TYPES
         parsed_manifest = JSON.parse(file.content)
         dependency_objects = parsed_manifest.values_at(*dep_types).compact
         # Fetch yarn "file:" path "resolutions" so the lockfile can be resolved

data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb

@@ -24,7 +24,7 @@ module Dependabot
         end
 
         def details(dependency_name, _requirement, manifest_name)
-          if Helpers.npm_version(@dependency_file.content) == "npm8"
+          if Helpers.npm8?(@dependency_file)
             # NOTE: npm 8 sometimes doesn't install workspace dependencies in the
             # workspace folder so we need to fallback to checking top-level
             nested_details = parsed.dig("packages", node_modules_path(manifest_name, dependency_name))

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -248,7 +248,6 @@ module Dependabot
         #   run when installing git dependencies
         def run_npm_install_lockfile_only(*install_args)
           command = [
-            "npm",
             "install",
             *install_args,
             "--force",
@@ -259,7 +258,6 @@ module Dependabot
           ].join(" ")
 
           fingerprint = [
-            "npm",
             "install",
             install_args.empty? ? "" : "<install_args>",
             "--force",
@@ -269,7 +267,7 @@ module Dependabot
             "--package-lock-only"
           ].join(" ")
 
-          SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+          Helpers.run_npm_command(command, fingerprint: fingerprint)
         end
 
         def npm_install_args(dependency)
@@ -830,7 +828,7 @@ module Dependabot
         def npm8?
           return @npm8 if defined?(@npm8)
 
-          @npm8 = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile.content) == "npm8"
+          @npm8 = Dependabot::NpmAndYarn::Helpers.npm8?(lockfile)
         end
 
         def sanitize_package_name(package_name)

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -62,15 +62,15 @@ module Dependabot
             "#{d.name}@#{d.version}"
           end.join(" ")
 
-          SharedHelpers.run_shell_command(
-            "pnpm install #{dependency_updates} --lockfile-only --ignore-workspace-root-check",
-            fingerprint: "pnpm install <dependency_updates> --lockfile-only --ignore-workspace-root-check"
+          Helpers.run_pnpm_command(
+            "install #{dependency_updates} --lockfile-only --ignore-workspace-root-check",
+            fingerprint: "install <dependency_updates> --lockfile-only --ignore-workspace-root-check"
           )
         end
 
         def run_pnpm_install
-          SharedHelpers.run_shell_command(
-            "pnpm install --lockfile-only"
+          Helpers.run_pnpm_command(
+            "install --lockfile-only"
           )
         end
 

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -152,15 +152,15 @@ module Dependabot
           # the lockfile.
 
           if top_level_dependency_updates.all? { |dep| requirements_changed?(dep[:name]) }
-            Helpers.run_yarn_command("yarn install #{yarn_berry_args}".strip)
+            Helpers.run_yarn_command("install #{yarn_berry_args}".strip)
           else
             updates = top_level_dependency_updates.collect do |dep|
               dep[:name]
             end
 
             Helpers.run_yarn_command(
-              "yarn up -R #{updates.join(' ')} #{yarn_berry_args}".strip,
-              fingerprint: "yarn up -R <dependency_names> #{yarn_berry_args}".strip
+              "up -R #{updates.join(' ')} #{yarn_berry_args}".strip,
+              fingerprint: "up -R <dependency_names> #{yarn_berry_args}".strip
             )
           end
           { yarn_lock.name => File.read(yarn_lock.name) }
@@ -176,9 +176,9 @@ module Dependabot
           update = "#{dep.name}@#{dep.version}"
 
           commands = [
-            ["yarn add #{update} #{yarn_berry_args}".strip, "yarn add <update> #{yarn_berry_args}".strip],
-            ["yarn dedupe #{dep.name} #{yarn_berry_args}".strip, "yarn dedupe <dep_name> #{yarn_berry_args}".strip],
-            ["yarn remove #{dep.name} #{yarn_berry_args}".strip, "yarn remove <dep_name> #{yarn_berry_args}".strip]
+            ["add #{update} #{yarn_berry_args}".strip, "add <update> #{yarn_berry_args}".strip],
+            ["dedupe #{dep.name} #{yarn_berry_args}".strip, "dedupe <dep_name> #{yarn_berry_args}".strip],
+            ["remove #{dep.name} #{yarn_berry_args}".strip, "remove <dep_name> #{yarn_berry_args}".strip]
           ]
 
           Helpers.run_yarn_commands(*commands)

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -7,13 +7,9 @@ module Dependabot
       YARN_PATH_NOT_FOUND =
         /^.*(?<error>The "yarn-path" option has been set \(in [^)]+\), but the specified location doesn't exist)/
 
-      def self.npm_version(lockfile_content)
-        "npm#{npm_version_numeric(lockfile_content)}"
-      end
-
-      def self.npm_version_numeric(lockfile_content)
-        return 8 unless lockfile_content
-        return 8 if JSON.parse(lockfile_content)["lockfileVersion"] >= 2
+      def self.npm_version_numeric(lockfile)
+        lockfile_content = lockfile.content
+        return 8 if JSON.parse(lockfile_content)["lockfileVersion"].to_i >= 2
 
         6
       rescue JSON::ParserError
@@ -31,8 +27,10 @@ module Dependabot
       # Mapping from lockfile versions to PNPM versions is at
       # https://github.com/pnpm/spec/tree/274ff02de23376ad59773a9f25ecfedd03a41f64/lockfile, but simplify it for now.
       def self.pnpm_version_numeric(pnpm_lock)
-        if pnpm_lockfile_version(pnpm_lock).to_f >= 5.4
+        if pnpm_lockfile_version(pnpm_lock).to_f >= 6.0
           8
+        elsif pnpm_lockfile_version(pnpm_lock).to_f >= 5.4
+          7
         else
           6
         end
@@ -46,6 +44,12 @@ module Dependabot
         end
       end
 
+      def self.npm8?(package_lock)
+        return true unless package_lock
+
+        npm_version_numeric(package_lock) == 8
+      end
+
       def self.yarn_berry?(yarn_lock)
         yaml = YAML.safe_load(yarn_lock.content)
         yaml.key?("__metadata")
@@ -55,7 +59,7 @@ module Dependabot
 
       def self.yarn_major_version
         retries = 0
-        output = SharedHelpers.run_shell_command("yarn --version")
+        output = run_single_yarn_command("--version")
         Version.new(output).major
       rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
         # Should never happen, can probably be removed once this settles
@@ -118,23 +122,23 @@ module Dependabot
 
       def self.setup_yarn_berry
         # Always disable immutable installs so yarn's CI detection doesn't prevent updates.
-        SharedHelpers.run_shell_command("yarn config set enableImmutableInstalls false")
+        run_single_yarn_command("config set enableImmutableInstalls false")
         # Do not generate a cache if offline cache disabled. Otherwise side effects may confuse further checks
-        SharedHelpers.run_shell_command("yarn config set enableGlobalCache true") unless yarn_berry_skip_build?
+        run_single_yarn_command("config set enableGlobalCache true") unless yarn_berry_skip_build?
         # We never want to execute postinstall scripts, either set this config or mode=skip-build must be set
-        SharedHelpers.run_shell_command("yarn config set enableScripts false") if yarn_berry_disable_scripts?
+        run_single_yarn_command("config set enableScripts false") if yarn_berry_disable_scripts?
         if (http_proxy = ENV.fetch("HTTP_PROXY", false))
-          SharedHelpers.run_shell_command("yarn config set httpProxy #{http_proxy}")
+          run_single_yarn_command("config set httpProxy #{http_proxy}", fingerprint: "config set httpProxy <proxy>")
         end
         if (https_proxy = ENV.fetch("HTTPS_PROXY", false))
-          SharedHelpers.run_shell_command("yarn config set httpsProxy #{https_proxy}")
+          run_single_yarn_command("config set httpsProxy #{https_proxy}", fingerprint: "config set httpsProxy <proxy>")
         end
         return unless (ca_file_path = ENV.fetch("NODE_EXTRA_CA_CERTS", false))
 
         if yarn_4_or_higher?
-          SharedHelpers.run_shell_command("yarn config set httpsCaFilePath #{ca_file_path}")
+          run_single_yarn_command("config set httpsCaFilePath #{ca_file_path}")
         else
-          SharedHelpers.run_shell_command("yarn config set caFilePath #{ca_file_path}")
+          run_single_yarn_command("config set caFilePath #{ca_file_path}")
         end
       end
 
@@ -144,14 +148,34 @@ module Dependabot
       # contain malicious code.
       def self.run_yarn_commands(*commands)
         setup_yarn_berry
-        commands.each { |cmd, fingerprint| SharedHelpers.run_shell_command(cmd, fingerprint: fingerprint) }
+        commands.each { |cmd, fingerprint| run_single_yarn_command(cmd, fingerprint: fingerprint) }
       end
 
-      # Run a single yarn command returning stdout/stderr
+      # Run single npm command returning stdout/stderr.
+      #
+      # NOTE: Needs to be explicitly run through corepack to respect the
+      # `packageManager` setting in `package.json`, because corepack does not
+      # add shims for NPM.
+      def self.run_npm_command(command, fingerprint: command)
+        SharedHelpers.run_shell_command("corepack npm #{command}", fingerprint: "corepack npm #{fingerprint}")
+      end
+
+      # Setup yarn and run a single yarn command returning stdout/stderr
       def self.run_yarn_command(command, fingerprint: nil)
         setup_yarn_berry
-        SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+        run_single_yarn_command(command, fingerprint: fingerprint)
+      end
+
+      # Run single pnpm command returning stdout/stderr
+      def self.run_pnpm_command(command, fingerprint: nil)
+        SharedHelpers.run_shell_command("pnpm #{command}", fingerprint: "pnpm #{fingerprint || command}")
+      end
+
+      # Run single yarn command returning stdout/stderr
+      def self.run_single_yarn_command(command, fingerprint: nil)
+        SharedHelpers.run_shell_command("yarn #{command}", fingerprint: "yarn #{fingerprint || command}")
       end
+      private_class_method :run_single_yarn_command
 
       def self.pnpm_lockfile_version(pnpm_lock)
         pnpm_lock.content.match(/^lockfileVersion: ['"]?(?<version>[\d.]+)/)[:version]

data/lib/dependabot/npm_and_yarn/native_helpers.rb

@@ -23,7 +23,6 @@ module Dependabot
         # - `--ignore-scripts` disables prepare and prepack scripts which are run
         #   when installing git dependencies
         command = [
-          "npm",
           "update",
           *dependency_names,
           "--force",
@@ -34,7 +33,6 @@ module Dependabot
         ].join(" ")
 
         fingerprint = [
-          "npm",
           "update",
           "<dependency_names>",
           "--force",
@@ -44,7 +42,7 @@ module Dependabot
           "--package-lock-only"
         ].join(" ")
 
-        SharedHelpers.run_shell_command(command, fingerprint: fingerprint)
+        Helpers.run_npm_command(command, fingerprint: fingerprint)
       end
     end
   end

data/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -1,19 +1,69 @@
 # typed: true
 # frozen_string_literal: true
 
+require "dependabot/shared_helpers"
+
 module Dependabot
   module NpmAndYarn
     class PackageManager
-      def initialize(package_json)
+      def initialize(package_json, lockfiles:)
         @package_json = package_json
+        @lockfiles = lockfiles
+        @package_manager = package_json.fetch("packageManager", nil)
+      end
+
+      def setup(name)
+        return unless @package_manager.nil? || @package_manager.start_with?("#{name}@")
+
+        version = requested_version(name)
+
+        if version
+          raise_if_unsupported!(name, version)
+
+          install(name, version)
+        else
+          version = guessed_version(name)
+
+          if version
+            raise_if_unsupported!(name, version.to_s)
+
+            install(name, version) if name == "pnpm"
+          end
+        end
+
+        version
+      end
+
+      private
+
+      def raise_if_unsupported!(name, version)
+        return unless name == "pnpm"
+        return unless Version.new(version) < Version.new("7")
+
+        raise ToolVersionNotSupported.new("PNPM", version, "7.*, 8.*")
+      end
+
+      def install(name, version)
+        SharedHelpers.run_shell_command(
+          "corepack install #{name}@#{version} --global --cache-only",
+          fingerprint: "corepack install <name>@<version> --global --cache-only"
+        )
       end
 
       def requested_version(name)
-        version = @package_json.fetch("packageManager", nil)
-        return unless version
+        return unless @package_manager
+
+        match = @package_manager.match(/#{name}@(?<version>\d+.\d+.\d+)/)
+        return unless match
+
+        match["version"]
+      end
+
+      def guessed_version(name)
+        lockfile = @lockfiles[name.to_sym]
+        return unless lockfile
 
-        version_match = version.match(/#{name}@(?<version>\d+.\d+.\d+)/)
-        version_match&.named_captures&.fetch("version", nil)
+        Helpers.send(:"#{name}_version_numeric", lockfile)
       end
     end
   end

data/lib/dependabot/npm_and_yarn/requirement.rb

@@ -34,7 +34,7 @@ module Dependabot
 
         return DefaultRequirement if matches[1] == ">=" && matches[2] == "0"
 
-        [matches[1] || "=", NpmAndYarn::Version.new(matches[2])]
+        [matches[1] || "=", NpmAndYarn::Version.new(T.must(matches[2]))]
       end
 
       # Returns an array of requirements. At least one requirement from the

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -66,8 +66,10 @@ module Dependabot
                             run_yarn_updater(path, lockfile_name)
                           elsif lockfile.name.end_with?("pnpm-lock.yaml")
                             run_pnpm_updater(path, lockfile_name)
+                          elsif Helpers.npm8?(lockfile)
+                            run_npm8_updater(path, lockfile_name)
                           else
-                            run_npm_updater(path, lockfile_name, lockfile.content)
+                            run_npm_updater(path, lockfile_name)
                           end
 
           updated_files.fetch(lockfile_name)
@@ -116,8 +118,8 @@ module Dependabot
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               Helpers.run_yarn_command(
-                "yarn up -R #{dependency.name} #{Helpers.yarn_berry_args}".strip,
-                fingerprint: "yarn up -R <dependency_name> #{Helpers.yarn_berry_args}".strip
+                "up -R #{dependency.name} #{Helpers.yarn_berry_args}".strip,
+                fingerprint: "up -R <dependency_name> #{Helpers.yarn_berry_args}".strip
               )
               { lockfile_name => File.read(lockfile_name) }
             end
@@ -127,30 +129,33 @@ module Dependabot
         def run_pnpm_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
-              SharedHelpers.run_shell_command(
-                "pnpm update #{dependency.name} --lockfile-only",
-                fingerprint: "pnpm update <dependency_name> --lockfile-only"
+              Helpers.run_pnpm_command(
+                "update #{dependency.name} --lockfile-only",
+                fingerprint: "update <dependency_name> --lockfile-only"
               )
               { lockfile_name => File.read(lockfile_name) }
             end
           end
         end
 
-        def run_npm_updater(path, lockfile_name, lockfile_content)
+        def run_npm8_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
-              npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile_content)
-
-              if npm_version == "npm8"
-                NativeHelpers.run_npm8_subdependency_update_command([dependency.name])
-                { lockfile_name => File.read(lockfile_name) }
-              else
-                SharedHelpers.run_helper_subprocess(
-                  command: NativeHelpers.helper_path,
-                  function: "npm6:updateSubdependency",
-                  args: [Dir.pwd, lockfile_name, [dependency.to_h]]
-                )
-              end
+              NativeHelpers.run_npm8_subdependency_update_command([dependency.name])
+
+              { lockfile_name => File.read(lockfile_name) }
+            end
+          end
+        end
+
+        def run_npm_updater(path, lockfile_name)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              SharedHelpers.run_helper_subprocess(
+                command: NativeHelpers.helper_path,
+                function: "npm6:updateSubdependency",
+                args: [Dir.pwd, lockfile_name, [dependency.to_h]]
+              )
             end
           end
         end

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb

@@ -539,9 +539,9 @@ module Dependabot
         def run_pnpm_checker(path:, version:)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
-              output = SharedHelpers.run_shell_command(
-                "pnpm update #{dependency.name}@#{version} --lockfile-only",
-                fingerprint: "pnpm update <dependency_name>@<version> --lockfile-only"
+              output = Helpers.run_pnpm_command(
+                "update #{dependency.name}@#{version} --lockfile-only",
+                fingerprint: "update <dependency_name>@<version> --lockfile-only"
               )
               if PNPM_PEER_DEP_ERROR_REGEX.match?(output)
                 raise SharedHelpers::HelperSubprocessFailed.new(
@@ -562,7 +562,7 @@ module Dependabot
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               output = Helpers.run_yarn_command(
-                "yarn add #{dependency.name}@#{version} #{Helpers.yarn_berry_args}".strip
+                "add #{dependency.name}@#{version} #{Helpers.yarn_berry_args}".strip
               )
               if output.include?("YN0060")
                 raise SharedHelpers::HelperSubprocessFailed.new(
@@ -598,9 +598,8 @@ module Dependabot
                 # Find the lockfile that's in the current directory
                 f.name == [path, "package-lock.json"].join("/").sub(%r{\A.?\/}, "")
               end
-              npm_version = Dependabot::NpmAndYarn::Helpers.npm_version(package_lock&.content)
 
-              return run_npm8_checker(version: version) if npm_version == "npm8"
+              return run_npm8_checker(version: version) if Dependabot::NpmAndYarn::Helpers.npm8?(package_lock)
 
               SharedHelpers.run_helper_subprocess(
                 command: NativeHelpers.helper_path,
@@ -619,8 +618,8 @@ module Dependabot
 
         def run_npm8_checker(version:)
           cmd =
-            "npm install #{version_install_arg(version: version)} --package-lock-only --dry-run=true --ignore-scripts"
-          output = SharedHelpers.run_shell_command(cmd)
+            "install #{version_install_arg(version: version)} --package-lock-only --dry-run=true --ignore-scripts"
+          output = Helpers.run_npm_command(cmd)
           if output.match?(NPM8_PEER_DEP_ERROR_REGEX)
             error_context = { command: cmd, process_exit_value: 1 }
             raise SharedHelpers::HelperSubprocessFailed.new(message: output, error_context: error_context)

data/lib/dependabot/npm_and_yarn/version.rb

@@ -21,7 +21,20 @@ module Dependabot
       VERSION_PATTERN = T.let(Gem::Version::VERSION_PATTERN + '(\+[0-9a-zA-Z\-.]+)?', String)
       ANCHORED_VERSION_PATTERN = /\A\s*(#{VERSION_PATTERN})?\s*\z/
 
-      sig { override.params(version: T.nilable(T.any(String, Gem::Version))).returns(T::Boolean) }
+      sig do
+        override
+          .overridable
+          .params(
+            version: T.any(
+              String,
+              Integer,
+              Float,
+              Gem::Version,
+              NilClass
+            )
+          )
+          .returns(T::Boolean)
+      end
       def self.correct?(version)
         version = version.gsub(/^v/, "") if version.is_a?(String)
 
@@ -42,29 +55,58 @@ module Dependabot
         version
       end
 
-      sig { override.params(version: T.any(String, Gem::Version)).void }
+      sig do
+        override
+          .params(
+            version: T.any(
+              String,
+              Integer,
+              Float,
+              Gem::Version,
+              NilClass
+            )
+          )
+          .void
+      end
       def initialize(version)
         @version_string = T.let(version.to_s, String)
         version = version.gsub(/^v/, "") if version.is_a?(String)
 
         version, @build_info = version.to_s.split("+") if version.to_s.include?("+")
 
-        super
+        super(T.must(version))
+      end
+
+      sig do
+        override
+          .params(
+            version: T.any(
+              String,
+              Integer,
+              Float,
+              Gem::Version,
+              NilClass
+            )
+          )
+          .returns(Dependabot::NpmAndYarn::Version)
+      end
+      def self.new(version)
+        T.cast(super, Dependabot::NpmAndYarn::Version)
       end
 
       sig { returns(Integer) }
       def major
-        @major ||= T.let(segments[0] || 0, T.nilable(Integer))
+        @major ||= T.let(segments[0].to_i, T.nilable(Integer))
       end
 
       sig { returns(Integer) }
       def minor
-        @minor ||= T.let(segments[1] || 0, T.nilable(Integer))
+        @minor ||= T.let(segments[1].to_i, T.nilable(Integer))
       end
 
       sig { returns(Integer) }
       def patch
-        @patch ||= T.let(segments[2] || 0, T.nilable(Integer))
+        @patch ||= T.let(segments[2].to_i, T.nilable(Integer))
       end
 
       sig { params(other: Dependabot::NpmAndYarn::Version).returns(T::Boolean) }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.239.0
+  version: 0.241.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-12-28 00:00:00.000000000 Z
+date: 2024-01-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.239.0
+        version: 0.241.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.239.0
+        version: 0.241.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -206,6 +206,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.18'
+- !ruby/object:Gem::Dependency
+  name: webrick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.7'
 description: Dependabot-NPM_And_Yarn provides support for bumping Javascript (npm
   and yarn) libraries via Dependabot. If you want support for multiple package managers,
   you probably want the meta-gem dependabot-omnibus.
@@ -310,7 +324,7 @@ licenses:
 - Nonstandard
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.239.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.241.0
 post_install_message: 
 rdoc_options: []
 require_paths: