dependabot-npm_and_yarn 0.266.0 → 0.268.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67babb3510f025790b2e9806bd26290c658b66465bed55f41bbda6d2e4538551
-  data.tar.gz: cebb0aa37accd77075e95f2cbd6539aa01015a6d44f44cb7709eee40b04cde27
+  metadata.gz: 473cf091eca02d2d3e0ff9920708779183b7a9a9dba2771c35ffe602eda18003
+  data.tar.gz: 3ff951a1e1970c6818b615b5f10b78950e5cc53c01b3a2b9540a28f3451ac294
 SHA512:
-  metadata.gz: eff4ddfd5d0945e47eadce0deb0c8e8a7b8571ac238b809e8a8a86d28a6926d66cdf3074111c41769d040bcd5ec8adbae14f9da0b1a58ba18262b35242695784
-  data.tar.gz: d5932088b9539ff88c1c43c59b5737de4e50e24222148af147fbea8d2ad068fae1aab6da8ea2bdc552272183afa84829a6900bb6c1c4b5a8e8a9f6680133a4ab
+  metadata.gz: 73a7da3b2062a4adaa70d33616698d418bcda9684e8cf301279bac6756537079136872cc68d6623af7f1ea8bd09197d7ac98edd287da6aafef63f1f6f25243c1
+  data.tar.gz: 68e3d2e1a3b50ccad6359b961a1e3093d6095d08fb8e79175aa83025c57716f080ca03dd5aea9e4f1dead654fa881cf4f20698971150ac5b361a25efbaa74b04

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -79,6 +79,14 @@ module Dependabot
         INVALID_AUTH_TOKEN =
           /401 Unauthorized - GET (?<url>.*) - unauthenticated: User cannot be authenticated with the token provided./
         NPM_PACKAGE_REGISTRY = "https://npm.pkg.github.com"
+        EOVERRIDE = /EOVERRIDE\n *.* Override for (?<deps>.*) conflicts with direct dependency/
+        NESTED_ALIAS = /nested aliases not supported/
+        PEER_DEPS_PATTERNS = T.let([/Cannot read properties of null/,
+                                    /ERESOLVE overriding peer dependency/].freeze, T::Array[Regexp])
+
+        ERROR_E401 = /code E401/
+        ERROR_E403 = /code E403/
+        ERROR_EAI_AGAIN = /request to (?<url>.*) failed, reason: getaddrinfo EAI_AGAIN/
 
         # TODO: look into fixing this in npm, seems like a bug in the git
         # downloader introduced in npm 7
@@ -392,7 +400,23 @@ module Dependabot
         # rubocop:disable Metrics/MethodLength
         sig { params(error: Exception).returns(T.noreturn) }
         def handle_npm_updater_error(error)
+          Dependabot.logger.warn("NPM : " + error.message)
+
           error_message = error.message
+
+          # message groups which are related to peer dependency resolution failure. Peer deps can be updated
+          # with --legacy-peer-deps flag, but it is not recommended as the flag can mess up dependency resolution
+          # and introduce breaking changes. So we let the update fail.
+          peerdep_group = Regexp.union(PEER_DEPS_PATTERNS)
+          if error_message.match(peerdep_group)
+            raise Dependabot::DependencyFileNotResolvable,
+                  "Error while updating peer dependency."
+          end
+
+          if error_message.match?(ERROR_E401) || error_message.match?(ERROR_E403)
+            raise Dependabot::PrivateSourceAuthenticationFailure, error_message
+          end
+
           if error_message.match?(MISSING_PACKAGE)
             package_name = T.must(error_message.match(MISSING_PACKAGE))
                             .named_captures["package_req"]
@@ -516,6 +540,11 @@ module Dependabot
             raise Dependabot::PrivateSourceAuthenticationFailure, msg
           end
 
+          if (git_source = error_message.match(ERROR_EAI_AGAIN))
+            msg = "Network Error. Access to #{git_source.named_captures.fetch('url')} failed."
+            raise Dependabot::PrivateSourceTimedOut, msg
+          end
+
           if (registry_source = error_message.match(INVALID_AUTH_TOKEN) ||
             error_message.match(MISSING_AUTH_TOKEN)) &&
              T.must(registry_source.named_captures.fetch("url")).include?(NPM_PACKAGE_REGISTRY)
@@ -523,6 +552,16 @@ module Dependabot
             raise Dependabot::InvalidGitAuthToken, T.must(msg)
           end
 
+          if (dep = error_message.match(EOVERRIDE))
+            msg = "Override for #{dep.named_captures.fetch('deps')} conflicts with direct dependency"
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
+          if error_message.match(NESTED_ALIAS)
+            msg = "Nested aliases are not supported in NPM versions earlier than 6.9.0."
+            raise Dependabot::DependencyFileNotResolvable, msg
+          end
+
           raise error
         end
         # rubocop:enable Metrics/AbcSize

data/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -130,18 +130,14 @@ module Dependabot
             end
           end
         rescue SharedHelpers::HelperSubprocessFailed => e
-          # package.json name cannot contain characters like empty string or @.
-          raise Dependabot::DependencyFileNotParseable, e.message if e.message.include?(INVALID_NAME_IN_PACKAGE_JSON)
+          package_missing = error_handler.package_missing(e.message)
 
-          names = dependencies.map(&:name)
-          package_missing = names.any? do |name|
-            e.message.include?("find package \"#{name}")
+          unless package_missing
+            error_handler.handle_error(e, {
+              yarn_lock: yarn_lock
+            })
           end
 
-          package_missing = e.message.match(PACKAGE_MISSING_REGEX) || package_missing
-
-          error_handler.handle_error(e) unless package_missing
-
           raise unless package_missing
 
           retry_count ||= 0
@@ -229,39 +225,19 @@ module Dependabot
           end
         end
 
-        # rubocop:disable Metrics/AbcSize
-        # rubocop:disable Metrics/PerceivedComplexity
-        # rubocop:disable Metrics/MethodLength
         def handle_yarn_lock_updater_error(error, yarn_lock)
           error_message = error.message
 
-          # Invalid package: When package.json doesn't include a name or version
-          # Local path error: When installing a git dependency which
-          # is using local file paths for sub-dependencies (e.g. unbuilt yarn
-          # workspace project)
-          if error_message.match?(INVALID_PACKAGE_REGEX) ||
-             error_message.include?(SUB_DEP_LOCAL_PATH_TEXT)
-            error_handler.raise_resolvability_error(error_message, yarn_lock)
-          end
+          error_handler.handle_error(error, {
+            yarn_lock: yarn_lock
+          })
 
-          error_handler.handle_error(error)
+          package_not_found = error_handler.handle_package_not_found(error_message, yarn_lock)
 
-          if error_message.include?("Couldn't find package")
-            package_name = error_message.match(/package "(?<package_req>.*?)"/)
-                                        .named_captures["package_req"]
-                                        .split(/(?<=\w)\@/).first
-            sanitized_name = sanitize_package_name(package_name)
-            sanitized_error = error_message.gsub(package_name, sanitized_name)
-            handle_missing_package(sanitized_name, sanitized_error, yarn_lock)
-          end
-
-          if error_message.match?(%r{/[^/]+: Not found})
-            package_name = error_message
-                           .match(%r{/(?<package_name>[^/]+): Not found})
-                           .named_captures["package_name"]
-            sanitized_name = sanitize_package_name(package_name)
-            sanitized_error = error_message.gsub(package_name, sanitized_name)
-            handle_missing_package(sanitized_name, sanitized_error, yarn_lock)
+          if package_not_found.any?
+            sanitized_name = package_not_found[:sanitized_name]
+            sanitized_message = package_not_found[:sanitized_message]
+            handle_missing_package(sanitized_name, sanitized_message, yarn_lock)
           end
 
           # TODO: Move this logic to the version resolver and check if a new
@@ -283,7 +259,7 @@ module Dependabot
           # This happens if a new version has been published but npm is having
           # consistency issues and the version isn't fully available on all
           # queries
-          if error_message.start_with?("Couldn't find any versions") &&
+          if error_message.start_with?(DEPENDENCY_NO_VERSION_FOUND) &&
              dependencies_in_error_message?(error_message) &&
              resolvable_before_update?(yarn_lock)
 
@@ -293,24 +269,13 @@ module Dependabot
             raise Dependabot::InconsistentRegistryResponse, error_message
           end
 
-          if error_message.include?(ONLY_PRIVATE_WORKSPACE_TEXT)
-            raise Dependabot::DependencyFileNotEvaluatable, error_message
-          end
-
-          if error_message.match?(UNREACHABLE_GIT_CHECK_REGEX)
-            dependency_url = error_message.match(UNREACHABLE_GIT_CHECK_REGEX)
-                                          .named_captures.fetch("url")
-
-            raise Dependabot::GitDependenciesNotReachable, dependency_url
-          end
-
           handle_timeout(error_message, yarn_lock) if error_message.match?(
             TIMEOUT_FETCHING_PACKAGE_REGEX
           )
 
-          if error_message.start_with?("Couldn't find any versions") ||
-             error_message.include?(": Not found") ||
-             error_message.include?("Couldn't find match for")
+          if error_message.start_with?(DEPENDENCY_VERSION_NOT_FOUND) ||
+             error_message.include?(DEPENDENCY_NOT_FOUND) ||
+             error_message.include?(DEPENDENCY_MATCH_NOT_FOUND)
 
             unless resolvable_before_update?(yarn_lock)
               error_handler.raise_resolvability_error(error_message, yarn_lock)
@@ -323,9 +288,6 @@ module Dependabot
 
           raise error
         end
-        # rubocop:enable Metrics/AbcSize
-        # rubocop:enable Metrics/PerceivedComplexity
-        # rubocop:enable Metrics/MethodLength
 
         def resolvable_before_update?(yarn_lock)
           @resolvable_before_update ||= {}
@@ -583,6 +545,7 @@ module Dependabot
     class YarnErrorHandler
       extend T::Sig
 
+      # Initializes the YarnErrorHandler with dependencies and dependency files
       sig do
         params(
           dependencies: T::Array[Dependabot::Dependency],
@@ -615,26 +578,27 @@ module Dependabot
       end
 
       # Main error handling method
-      sig { params(error: SharedHelpers::HelperSubprocessFailed).void }
-      def handle_error(error)
-        # Check if defined yarn error codes contained in the error message
-        # and raise the corresponding error class
-        handle_yarn_error(error)
+      sig { params(error: SharedHelpers::HelperSubprocessFailed, params: T::Hash[Symbol, String]).void }
+      def handle_error(error, params)
+        error_message = error.message
 
         # Extract the usage error message from the raw error message
-        usage_error_message = find_usage_error(error.message) || ""
+        usage_error_message = find_usage_error(error_message) || ""
 
-        # Check if the error message contains any group patterns and raise
-        # the corresponding error class
-        handle_group_patterns(error, usage_error_message)
+        # Check if the error message contains any group patterns and raise the corresponding error class
+        handle_group_patterns(error, usage_error_message, params)
+
+        # Check if defined yarn error codes contained in the error message
+        # and raise the corresponding error class
+        handle_yarn_error(error, params)
       end
 
       # Handles errors with specific to yarn error codes
-      sig { params(error: SharedHelpers::HelperSubprocessFailed).void }
-      def handle_yarn_error(error)
-        error_message = error.message
-        regex = YARN_CODE_REGEX
-        matches = error_message.scan(regex)
+      sig { params(error: SharedHelpers::HelperSubprocessFailed, params: T::Hash[Symbol, String]).void }
+      def handle_yarn_error(error, params)
+        ## Clean error message from ANSI escape codes
+        error_message = error.message.gsub(/\e\[\d+(;\d+)*m/, "")
+        matches = error_message.scan(YARN_CODE_REGEX)
         return if matches.empty?
 
         # Go through each match backwards in the error message and raise the corresponding error class
@@ -646,8 +610,8 @@ module Dependabot
           next unless yarn_error.is_a?(Hash)
 
           message = yarn_error[:message]
-          new_error = yarn_error[:new_error]
-          next unless new_error
+          handler = yarn_error[:handler]
+          next unless handler
 
           modified_error_message = if message
                                      "[#{code}]: #{message}, Detail: #{error_message}"
@@ -655,7 +619,7 @@ module Dependabot
                                      "[#{code}]: #{error_message}"
                                    end
 
-          raise new_error.call(error, modified_error_message)
+          raise  create_error(handler, modified_error_message, error, params)
         end
       end
 
@@ -663,30 +627,48 @@ module Dependabot
       sig do
         params(
           error: SharedHelpers::HelperSubprocessFailed,
-          usage_error_message: String
+          usage_error_message: String,
+          params: T::Hash[Symbol, String]
         ).void
       end
-      def handle_group_patterns(error, usage_error_message) # rubocop:disable Metrics/PerceivedComplexity
+      def handle_group_patterns(error, usage_error_message, params) # rubocop:disable Metrics/PerceivedComplexity
         error_message = error.message
         VALIDATION_GROUP_PATTERNS.each do |group|
           patterns = group[:patterns]
           matchfn = group[:matchfn]
-          new_error = group[:new_error]
+          handler = group[:handler]
           in_usage = group[:in_usage] || false
 
-          next unless (patterns || matchfn) && new_error
+          next unless (patterns || matchfn) && handler
 
           message = usage_error_message.empty? ? error_message : usage_error_message
           if in_usage && pattern_in_message(patterns, usage_error_message)
-            raise new_error.call(error, message)
-          elsif !in_usage && pattern_in_message(patterns, error_message)
-            raise new_error.call(error, error.message)
+            raise create_error(handler, message, error, params)
+          elsif !in_usage && pattern_in_message(patterns, error.message)
+            raise create_error(handler, error.message, error, params)
           end
 
-          raise new_error.call(error, message) if matchfn&.call(usage_error_message, error_message)
+          raise create_error(handler, message, error, params) if matchfn&.call(usage_error_message, error_message)
         end
       end
 
+      # Creates a new error based on the provided parameters
+      sig do
+        params(
+          handler: ErrorHandler,
+          message: String,
+          error: SharedHelpers::HelperSubprocessFailed,
+          params: T::Hash[Symbol, String]
+        ).returns(Dependabot::DependabotError)
+      end
+      def create_error(handler, message, error, params)
+        handler.call(message, error, {
+          dependencies: dependencies,
+          dependency_files: dependency_files,
+          **params
+        })
+      end
+
       # Raises a resolvability error for a dependency file
       sig do
         params(
@@ -708,16 +690,68 @@ module Dependabot
         ).returns(T::Boolean)
       end
       def pattern_in_message(patterns, message)
-        patterns.any? do |pattern|
+        patterns.each do |pattern|
           if pattern.is_a?(String)
-            return message.include?(pattern)
+            return true if message.include?(pattern)
           elsif pattern.is_a?(Regexp)
-            message = message.gsub(/\e\[[\d;]*[A-Za-z]/, "")
-            return message.match?(pattern)
+            return true if message.gsub(/\e\[[\d;]*[A-Za-z]/, "").match?(pattern)
           end
         end
         false
       end
+
+      sig do
+        params(error_message: String, yarn_lock: Dependabot::DependencyFile)
+          .returns(T::Hash[T.any(Symbol, String), T.any(String, NilClass)])
+      end
+      def handle_package_not_found(error_message, yarn_lock) # rubocop:disable Metrics/PerceivedComplexity
+        # There are 2 different package not found error messages
+        package_not_found = error_message.include?(PACKAGE_NOT_FOUND)
+        package_not_found2 = error_message.match?(PACKAGE_NOT_FOUND2)
+
+        # If non of the patterns are found, return an empty hash
+        return {} unless package_not_found || package_not_found2
+
+        sanitized_name = T.let(nil, T.nilable(String))
+
+        if package_not_found
+          package_name =
+            error_message
+            .match(PACKAGE_NOT_FOUND_PACKAGE_NAME_REGEX)
+            &.named_captures
+            &.[](PACKAGE_NOT_FOUND_PACKAGE_NAME_CAPTURE)
+            &.split(PACKAGE_NOT_FOUND_PACKAGE_NAME_CAPTURE_SPLIT_REGEX)
+            &.first
+        end
+
+        if package_not_found2
+          package_name =
+            error_message
+            .match(PACKAGE_NOT_FOUND2_PACKAGE_NAME_REGEX)
+            &.named_captures
+            &.[](PACKAGE_NOT_FOUND2_PACKAGE_NAME_CAPTURE)
+        end
+
+        raise_resolvability_error(error_message, yarn_lock) unless package_name
+        sanitized_name = sanitize_package_name(package_name) if package_name
+        error_message = error_message.gsub(package_name, sanitized_name) if package_name && sanitized_name
+        { sanitized_name: sanitized_name, sanitized_message: error_message }
+      end
+
+      # Checks if a package is missing from the error message
+      sig { params(error_message: String).returns(T::Boolean) }
+      def package_missing(error_message)
+        names = dependencies.map(&:name)
+        package_missing = names.any? { |name| error_message.include?("find package \"#{name}") }
+        !!error_message.match(PACKAGE_MISSING_REGEX) || package_missing
+      end
+
+      sig { params(package_name: T.nilable(String)).returns(T.nilable(String)) }
+      def sanitize_package_name(package_name)
+        return package_name.gsub("%2f", "/").gsub("%2F", "/") if package_name
+
+        nil
+      end
     end
   end
 end

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb

@@ -309,6 +309,10 @@ module Dependabot
 
           latest_version = latest_version_finder(original_package).latest_version_from_registry
 
+          # If the latest version is within the scope of the current requirements,
+          # latest_version will be nil. In such cases, there is no update available.
+          return false if latest_version.nil?
+
           original_package_version < latest_version
         end
 

data/lib/dependabot/npm_and_yarn.rb

@@ -26,6 +26,13 @@ Dependabot::Dependency.register_production_check(
   end
 )
 
+## A type used for defining a proc that creates a new error object
+ErrorHandler = T.type_alias do
+  T.proc
+   .params(message: String, error: Dependabot::DependabotError, params: T::Hash[Symbol, T.untyped])
+   .returns(Dependabot::DependabotError)
+end
+
 module Dependabot
   module NpmAndYarn
     NODE_VERSION_NOT_SATISFY_REGEX = /The current Node version (?<current_version>v?\d+\.\d+\.\d+) does not satisfy the required version (?<required_version>v?\d+\.\d+\.\d+)\./ # rubocop:disable Layout/LineLength
@@ -36,7 +43,10 @@ module Dependabot
     # Used to check if url is http or https
     HTTP_CHECK_REGEX = %r{https?://}
 
-    # Error message when a package.json name include invalid characters
+    # Used to check capture url match in regex capture group
+    URL_CAPTURE = "url"
+
+    # When package name contains package.json name cannot contain characters like empty string or @.
     INVALID_NAME_IN_PACKAGE_JSON = "Name contains illegal characters"
 
     # Used to identify error messages indicating a package is missing, unreachable,
@@ -56,7 +66,29 @@ module Dependabot
     SUB_DEP_LOCAL_PATH_TEXT = "refers to a non-existing file"
 
     # Used to identify invalid package error when package is not found in registry
-    INVALID_PACKAGE_REGEX = /Can't add "(?<package_req>.*)": invalid/
+    INVALID_PACKAGE_REGEX = /Can't add "[\w\-.]+": invalid/
+
+    # Used to identify error if package not found in registry
+    PACKAGE_NOT_FOUND = "Couldn't find package"
+    PACKAGE_NOT_FOUND_PACKAGE_NAME_REGEX = /package "(?<package_req>.*?)"/
+    PACKAGE_NOT_FOUND_PACKAGE_NAME_CAPTURE = "package_req"
+    PACKAGE_NOT_FOUND_PACKAGE_NAME_CAPTURE_SPLIT_REGEX = /(?<=\w)\@/
+
+    YN0035 = T.let({
+      PACKAGE_NOT_FOUND: %r{(?<package_req>@[\w-]+\/[\w-]+@\S+): Package not found},
+      FAILED_TO_RETRIEVE: %r{(?<package_req>@[\w-]+\/[\w-]+@\S+): The remote server failed to provide the requested resource} # rubocop:disable Layout/LineLength
+    }.freeze, T::Hash[String, Regexp])
+
+    PACKAGE_NOT_FOUND2 = %r{/[^/]+: Not found}
+    PACKAGE_NOT_FOUND2_PACKAGE_NAME_REGEX = %r{/(?<package_name>[^/]+): Not found}
+    PACKAGE_NOT_FOUND2_PACKAGE_NAME_CAPTURE = "package_name"
+
+    # Used to identify error if package not found in registry
+    DEPENDENCY_VERSION_NOT_FOUND = "Couldn't find any versions"
+    DEPENDENCY_NOT_FOUND = ": Not found"
+    DEPENDENCY_MATCH_NOT_FOUND = "Couldn't find match for"
+
+    DEPENDENCY_NO_VERSION_FOUND = "Couldn't find any versions"
 
     # Used to identify error if node_modules state file not resolved
     NODE_MODULES_STATE_FILE_NOT_FOUND = "Couldn't find the node_modules state file"
@@ -74,6 +106,8 @@ module Dependabot
     # Used to identify if error message is related to yarn workspaces
     DEPENDENCY_FILE_NOT_RESOLVABLE = "conflicts with direct dependency"
 
+    ENV_VAR_NOT_RESOLVABLE = /Failed to replace env in config: \$\{(?<var>.*)\}/
+
     class Utils
       extend T::Sig
 
@@ -87,88 +121,176 @@ module Dependabot
           required_version: match_data[:required_version]
         }
       end
+
+      sig { params(error_message: String).returns(String) }
+      def self.extract_var(error_message)
+        match_data = T.must(error_message.match(ENV_VAR_NOT_RESOLVABLE)).named_captures["var"]
+        return "" unless match_data
+
+        match_data
+      end
+
+      sig do
+        params(
+          error_message: String,
+          dependencies: T::Array[Dependabot::Dependency],
+          yarn_lock: Dependabot::DependencyFile
+        ).returns(String)
+      end
+      def self.sanitize_resolvability_message(error_message, dependencies, yarn_lock)
+        dependency_names = dependencies.map(&:name).join(", ")
+        "Error whilst updating #{dependency_names} in #{yarn_lock.path}:\n#{error_message}"
+      end
     end
 
     YARN_CODE_REGEX = /(YN\d{4})/
     YARN_ERROR_CODES = T.let({
       "YN0001" => {
         message: "Exception error",
-        new_error: ->(_error, message) { Dependabot::DependabotError.new(message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::DependabotError.new(message)
+        }
       },
       "YN0002" => {
         message: "Missing peer dependency",
-        new_error: ->(_error, message) { Dependabot::DependencyFileNotResolvable.new(message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::DependencyFileNotResolvable.new(message)
+        }
       },
       "YN0016" => {
         message: "Remote not found",
-        new_error: ->(_error, message) { Dependabot::GitDependenciesNotReachable.new(message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::GitDependenciesNotReachable.new(message)
+        }
       },
       "YN0020" => {
         message: "Missing lockfile entry",
-        new_error: ->(_error, message) { Dependabot::DependencyFileNotFound.new(message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::DependencyFileNotFound.new(message)
+        }
+      },
+      "YN0035" => {
+        message: "Package not found",
+        handler: lambda { |message, _error, _params|
+          YN0035.each do |(_yn0035_key, yn0035_regex)|
+            if (match_data = message.match(yn0035_regex)) && (package_req = match_data[:package_req])
+              return Dependabot::DependencyNotFound.new(
+                "#{package_req} Detail: #{message}"
+              )
+            end
+          end
+          Dependabot::DependencyNotFound.new(message)
+        }
       },
       "YN0046" => {
         message: "Automerge failed to parse",
-        new_error: ->(_error, message) { Dependabot::MisconfiguredTooling.new("Yarn", message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::MisconfiguredTooling.new("Yarn", message)
+        }
       },
       "YN0047" => {
         message: "Automerge immutable",
-        new_error: ->(_error, message) { Dependabot::MisconfiguredTooling.new("Yarn", message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::MisconfiguredTooling.new("Yarn", message)
+        }
       },
       "YN0062" => {
         message: "Incompatible OS",
-        new_error: ->(_error, message) { Dependabot::DependabotError.new(message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::DependabotError.new(message)
+        }
       },
       "YN0063" => {
         message: "Incompatible CPU",
-        new_error: ->(_error, message) { Dependabot::IncompatibleCPU.new(message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::IncompatibleCPU.new(message)
+        }
       },
       "YN0071" => {
         message: "NM can't install external soft link",
-        new_error: ->(_error, message) { Dependabot::MisconfiguredTooling.new("Yarn", message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::MisconfiguredTooling.new("Yarn", message)
+        }
       },
       "YN0072" => {
         message: "NM preserve symlinks required",
-        new_error: ->(_error, message) { Dependabot::MisconfiguredTooling.new("Yarn", message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::MisconfiguredTooling.new("Yarn", message)
+        }
       },
       "YN0075" => {
         message: "Prolog instantiation error",
-        new_error: ->(_error, message) { Dependabot::MisconfiguredTooling.new("Yarn", message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::MisconfiguredTooling.new("Yarn", message)
+        }
       },
       "YN0077" => {
         message: "Ghost architecture",
-        new_error: ->(_error, message) { Dependabot::MisconfiguredTooling.new("Yarn", message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::MisconfiguredTooling.new("Yarn", message)
+        }
       },
       "YN0080" => {
         message: "Network disabled",
-        new_error: ->(_error, message) { Dependabot::MisconfiguredTooling.new("Yarn", message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::MisconfiguredTooling.new("Yarn", message)
+        }
       },
       "YN0081" => {
         message: "Network unsafe HTTP",
-        new_error: ->(_error, message) { Dependabot::NetworkUnsafeHTTP.new(message) }
+        handler: lambda { |message, _error, _params|
+          Dependabot::NetworkUnsafeHTTP.new(message)
+        }
       }
     }.freeze, T::Hash[String, {
       message: T.any(String, NilClass),
-      new_error: T.proc.params(error: Dependabot::DependabotError, message: String).returns(Dependabot::DependabotError)
+      handler: ErrorHandler
     }])
 
     # Group of patterns to validate error message and raise specific error
     VALIDATION_GROUP_PATTERNS = T.let([
+      {
+        patterns: [INVALID_NAME_IN_PACKAGE_JSON],
+        handler: lambda { |message, _error, _params|
+          Dependabot::DependencyFileNotParseable.new(message)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        # Check if sub dependency is using local path and raise a resolvability error
+        patterns: [INVALID_PACKAGE_REGEX, SUB_DEP_LOCAL_PATH_TEXT],
+        handler: lambda { |message, _error, params|
+          Dependabot::DependencyFileNotResolvable.new(
+            Utils.sanitize_resolvability_message(
+              message,
+              params[:dependencies],
+              params[:yarn_lock]
+            )
+          )
+        },
+        in_usage: false,
+        matchfn: nil
+      },
       {
         patterns: [NODE_MODULES_STATE_FILE_NOT_FOUND],
-        new_error: ->(_error, message) { Dependabot::MisconfiguredTooling.new("Yarn", message) },
+        handler: lambda { |message, _error, _params|
+          Dependabot::MisconfiguredTooling.new("Yarn", message)
+        },
         in_usage: true,
         matchfn: nil
       },
       {
         patterns: [TARBALL_IS_NOT_IN_NETWORK],
-        new_error: ->(_error, message) { Dependabot::DependencyFileNotResolvable.new(message) },
+        handler: lambda { |message, _error, _params|
+          Dependabot::DependencyFileNotResolvable.new(message)
+        },
         in_usage: false,
         matchfn: nil
       },
       {
         patterns: [NODE_VERSION_NOT_SATISFY_REGEX],
-        new_error: lambda { |_error, message|
+        handler: lambda { |message, _error, _params|
           versions = Utils.extract_node_versions(message)
           current_version = versions[:current_version]
           required_version = versions[:required_version]
@@ -182,20 +304,51 @@ module Dependabot
       },
       {
         patterns: [AUTHENTICATION_TOKEN_NOT_PROVIDED, AUTHENTICATION_IS_NOT_CONFIGURED],
-        new_error: ->(_error, message) { Dependabot::PrivateSourceAuthenticationFailure.new(message) },
+        handler: lambda { |message, _error, _params|
+          Dependabot::PrivateSourceAuthenticationFailure.new(message)
+        },
         in_usage: false,
         matchfn: nil
       },
       {
         patterns: [DEPENDENCY_FILE_NOT_RESOLVABLE],
-        new_error: ->(_error, message) { DependencyFileNotResolvable.new(message) },
+        handler: lambda { |message, _error, _params|
+          DependencyFileNotResolvable.new(message)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [ENV_VAR_NOT_RESOLVABLE],
+        handler: lambda { |message, _error, _params|
+          var = Utils.extract_var(message)
+
+          Dependabot::MissingEnvironmentVariable.new(var, message)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [ONLY_PRIVATE_WORKSPACE_TEXT],
+        handler: lambda { |message, _error, _params|
+          Dependabot::DependencyFileNotEvaluatable.new(message)
+        },
+        in_usage: false,
+        matchfn: nil
+      },
+      {
+        patterns: [UNREACHABLE_GIT_CHECK_REGEX],
+        handler: lambda { |message, _error, _params|
+          dependency_url = message.match(UNREACHABLE_GIT_CHECK_REGEX).named_captures.fetch(URL_CAPTURE)
+
+          Dependabot::GitDependenciesNotReachable.new(dependency_url)
+        },
         in_usage: false,
         matchfn: nil
       }
     ].freeze, T::Array[{
       patterns: T::Array[T.any(String, Regexp)],
-      new_error: T.proc.params(error: Dependabot::DependabotError,
-                               message: String).returns(Dependabot::DependabotError),
+      handler: ErrorHandler,
       in_usage: T.nilable(T::Boolean),
       matchfn: T.nilable(T.proc.params(usage: String, message: String).returns(T::Boolean))
     }])

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.266.0
+  version: 0.268.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-07-18 00:00:00.000000000 Z
+date: 2024-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.266.0
+        version: 0.268.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.266.0
+        version: 0.268.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -345,7 +345,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.266.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.268.0
 post_install_message: 
 rdoc_options: []
 require_paths: