dependabot-npm_and_yarn 0.287.0 → 0.289.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a81729237750f9d53bf9197345ac3f563f267d9683ac202ebca543413bd912ef
-  data.tar.gz: 5caefb54429a28a52aeff8b50ba8f80554f67baa70eaf6e5bef7040d52d7ebaa
+  metadata.gz: 3b61a2e379cb066af66a91f9cbfd25d89755129946f7093b2e1d5be7f3642133
+  data.tar.gz: 10995493f890b53c62af1c14f7d29a165ee32096b8b84a529f0822984d6f1480
 SHA512:
-  metadata.gz: 2d4fca7ae33a0540e6940de6946420c08e06be84daf21b37c9efe7234af43050de4efe74191254ace8b12e7e977c74d66557067e9a9bdc07eaf5964bc1996060
-  data.tar.gz: ab4bd3efd5fe75244c87ec30fb31e1585ce26ac586d42a4b9b8ea84fe86a4015d54dbdc515afe228fb319520fdedc1b1aaa1ab89f71f38bd5cf76683c4c780a9
+  metadata.gz: 3fb1619f2f8ba90e8bbe7945c7b1e179abd09004b940c1d2514d9f4290a7679955ad0fcc0db26ebcb4b810c5903e4d66ddb3f3d0b3ca0a265c9636f34f272519
+  data.tar.gz: ae15d52f683156e2df0ddf213c254e0b9cd6e9324da8eda5367dae8d1c59629497739be437e3c76c6597ce9ccbbbd06509196ba9efad51240e3e98a9c99d91f4

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -107,6 +107,7 @@ module Dependabot
         fetched_yarn_files << yarn_lock if yarn_lock
         fetched_yarn_files << yarnrc if yarnrc
         fetched_yarn_files << yarnrc_yml if yarnrc_yml
+        create_yarn_cache
         fetched_yarn_files
       end
 
@@ -244,6 +245,20 @@ module Dependabot
         return @pnpm_lock if defined?(@pnpm_lock)
 
         @pnpm_lock ||= T.let(fetch_file_if_present(PNPMPackageManager::LOCKFILE_NAME), T.nilable(DependencyFile))
+
+        return @pnpm_lock if @pnpm_lock || directory == "/"
+
+        # Loop through parent directories looking for a pnpm-lock
+        (1..directory.split("/").count).each do |i|
+          @pnpm_lock = fetch_file_from_host(("../" * i) + PNPMPackageManager::LOCKFILE_NAME)
+                       .tap { |f| f.support_file = true }
+          break if @pnpm_lock
+        rescue Dependabot::DependencyFileNotFound
+          # Ignore errors (pnpm_lock.yaml may not be present)
+          nil
+        end
+
+        @pnpm_lock
       end
 
       sig { returns(T.nilable(DependencyFile)) }
@@ -655,6 +670,19 @@ module Dependabot
       rescue JSON::ParserError
         raise Dependabot::DependencyFileNotParseable, T.must(lerna_json).path
       end
+
+      sig { void }
+      def create_yarn_cache
+        if repo_contents_path.nil?
+          Dependabot.logger.info("Repository contents path is nil")
+        elsif Dir.exist?(T.must(repo_contents_path))
+          Dir.chdir(T.must(repo_contents_path)) do
+            FileUtils.mkdir_p(".yarn/cache")
+          end
+        else
+          Dependabot.logger.info("Repository contents path does not exist")
+        end
+      end
     end
   end
 end

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -11,6 +11,7 @@ require "dependabot/npm_and_yarn/helpers"
 require "dependabot/npm_and_yarn/native_helpers"
 require "dependabot/npm_and_yarn/version"
 require "dependabot/npm_and_yarn/requirement"
+require "dependabot/npm_and_yarn/package_manager"
 require "dependabot/npm_and_yarn/registry_parser"
 require "dependabot/git_metadata_fetcher"
 require "dependabot/git_commit_checker"
@@ -83,7 +84,8 @@ module Dependabot
         @ecosystem ||= T.let(
           Ecosystem.new(
             name: ECOSYSTEM,
-            package_manager: package_manager_helper.package_manager
+            package_manager: package_manager_helper.package_manager,
+            language: package_manager_helper.language
           ),
           T.nilable(Ecosystem)
         )
@@ -477,4 +479,4 @@ module Dependabot
 end
 
 Dependabot::FileParsers
-  .register("npm_and_yarn", Dependabot::NpmAndYarn::FileParser)
+  .register(Dependabot::NpmAndYarn::ECOSYSTEM, Dependabot::NpmAndYarn::FileParser)

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -1,9 +1,10 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/dependency"
 require "dependabot/file_parsers"
 require "dependabot/file_parsers/base"
+require "dependabot/shared_helpers"
 require "sorbet-runtime"
 
 module Dependabot
@@ -15,6 +16,7 @@ module Dependabot
         /^.*(?<error>The "yarn-path" option has been set \(in [^)]+\), but the specified location doesn't exist)/
 
       # NPM Version Constants
+      NPM_V10 = 10
       NPM_V8 = 8
       NPM_V6 = 6
       NPM_DEFAULT_VERSION = NPM_V8
@@ -39,6 +41,10 @@ module Dependabot
       # Otherwise, we are going to use old versionining npm 6
       sig { params(lockfile: T.nilable(DependencyFile)).returns(Integer) }
       def self.npm_version_numeric(lockfile)
+        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
+          return npm_version_numeric_latest(lockfile)
+        end
+
         fallback_version_npm8 = Dependabot::Experiments.enabled?(:npm_fallback_version_above_v6)
 
         return npm_version_numeric_npm8_or_higher(lockfile) if fallback_version_npm8
@@ -90,6 +96,36 @@ module Dependabot
         NPM_DEFAULT_VERSION # Fallback to default npm version if parsing fails
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(lockfile: T.nilable(DependencyFile)).returns(Integer) }
+      def self.npm_version_numeric_latest(lockfile)
+        lockfile_content = lockfile&.content
+
+        # Return npm 10 as the default if the lockfile is missing or empty
+        return NPM_V10 if lockfile_content.nil? || lockfile_content.strip.empty?
+
+        # Parse the lockfile content to extract the `lockfileVersion`
+        parsed_lockfile = JSON.parse(lockfile_content)
+        lockfile_version = parsed_lockfile["lockfileVersion"]&.to_i
+
+        # Determine the appropriate npm version based on `lockfileVersion`
+        if lockfile_version.nil?
+          NPM_V10 # Use npm 10 if `lockfileVersion` is missing or nil
+        elsif lockfile_version >= 3
+          NPM_V10 # Use npm 10 for lockfileVersion 3 or higher
+        elsif lockfile_version >= 2
+          NPM_V8 # Use npm 8 for lockfileVersion 2
+        elsif lockfile_version >= 1
+          # Use npm 8 if the fallback version flag is enabled, otherwise use npm 6
+          Dependabot::Experiments.enabled?(:npm_fallback_version_above_v6) ? NPM_V8 : NPM_V6
+        else
+          NPM_V10 # Default to npm 10 for unexpected or unsupported versions
+        end
+      rescue JSON::ParserError
+        NPM_V8 # Fallback to npm 8 if the lockfile content cannot be parsed
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+
       sig { params(yarn_lock: T.nilable(DependencyFile)).returns(Integer) }
       def self.yarn_version_numeric(yarn_lock)
         lockfile_content = yarn_lock&.content
@@ -110,9 +146,14 @@ module Dependabot
       def self.pnpm_version_numeric(pnpm_lock)
         lockfile_content = pnpm_lock&.content
 
-        return PNPM_DEFAULT_VERSION if lockfile_content.nil? || lockfile_content.strip.empty?
+        return PNPM_DEFAULT_VERSION if !lockfile_content || lockfile_content.strip.empty?
+
+        pnpm_lockfile_version_str = pnpm_lockfile_version(pnpm_lock)
+
+        return PNPM_FALLBACK_VERSION unless pnpm_lockfile_version_str
+
+        pnpm_lockfile_version = pnpm_lockfile_version_str.to_f
 
-        pnpm_lockfile_version = pnpm_lockfile_version(pnpm_lock).to_f
         return PNPM_V9 if pnpm_lockfile_version >= 9.0
         return PNPM_V8 if pnpm_lockfile_version >= 6.0
         return PNPM_V7 if pnpm_lockfile_version >= 5.4
@@ -120,6 +161,7 @@ module Dependabot
         PNPM_FALLBACK_VERSION
       end
 
+      sig { params(key: String, default_value: String).returns(T.untyped) }
       def self.fetch_yarnrc_yml_value(key, default_value)
         if File.exist?(".yarnrc.yml") && (yarnrc = YAML.load_file(".yarnrc.yml"))
           yarnrc.fetch(key, default_value)
@@ -132,6 +174,10 @@ module Dependabot
       def self.npm8?(package_lock)
         return true unless package_lock&.content
 
+        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
+          return npm_version_numeric_latest(package_lock) >= NPM_V8
+        end
+
         npm_version_numeric(package_lock) == NPM_V8
       end
 
@@ -252,9 +298,12 @@ module Dependabot
       # set to false. Yarn commands should _not_ be ran outside of this helper
       # to ensure that postinstall scripts are never executed, as they could
       # contain malicious code.
+      sig { params(commands: T::Array[String]).void }
       def self.run_yarn_commands(*commands)
         setup_yarn_berry
-        commands.each { |cmd, fingerprint| run_single_yarn_command(cmd, fingerprint: fingerprint) }
+        commands.each do |cmd, fingerprint|
+          run_single_yarn_command(cmd, fingerprint: fingerprint) if cmd
+        end
       end
 
       # Run single npm command returning stdout/stderr.
@@ -267,10 +316,44 @@ module Dependabot
         if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
           package_manager_run_command(NpmPackageManager::NAME, command, fingerprint: fingerprint)
         else
-          SharedHelpers.run_shell_command("corepack npm #{command}", fingerprint: "corepack npm #{fingerprint}")
+          Dependabot::SharedHelpers.run_shell_command(
+            "corepack npm #{command}",
+            fingerprint: "corepack npm #{fingerprint}"
+          )
         end
       end
 
+      sig { returns(T.nilable(String)) }
+      def self.node_version
+        version = run_node_command("-v", fingerprint: "-v").strip
+
+        # Validate the output format (e.g., "v20.18.1" or "20.18.1")
+        if version.match?(/^v?\d+(\.\d+){2}$/)
+          version.strip.delete_prefix("v") # Remove the "v" prefix if present
+        end
+      rescue StandardError => e
+        puts "Error retrieving Node.js version: #{e.message}"
+        nil
+      end
+
+      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
+      def self.run_node_command(command, fingerprint: nil)
+        full_command = "node #{command}"
+
+        Dependabot.logger.info("Running node command: #{full_command}")
+
+        result = Dependabot::SharedHelpers.run_shell_command(
+          full_command,
+          fingerprint: "node #{fingerprint || command}"
+        )
+
+        Dependabot.logger.info("Command executed successfully: #{full_command}")
+        result
+      rescue StandardError => e
+        Dependabot.logger.error("Error running node command: #{full_command}, Error: #{e.message}")
+        raise
+      end
+
       # Setup yarn and run a single yarn command returning stdout/stderr
       sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
       def self.run_yarn_command(command, fingerprint: nil)
@@ -284,7 +367,10 @@ module Dependabot
         if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
           package_manager_run_command(PNPMPackageManager::NAME, command, fingerprint: fingerprint)
         else
-          SharedHelpers.run_shell_command("pnpm #{command}", fingerprint: "pnpm #{fingerprint || command}")
+          Dependabot::SharedHelpers.run_shell_command(
+            "pnpm #{command}",
+            fingerprint: "pnpm #{fingerprint || command}"
+          )
         end
       end
 
@@ -294,13 +380,16 @@ module Dependabot
         if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
           package_manager_run_command(YarnPackageManager::NAME, command, fingerprint: fingerprint)
         else
-          SharedHelpers.run_shell_command("yarn #{command}", fingerprint: "yarn #{fingerprint || command}")
+          Dependabot::SharedHelpers.run_shell_command(
+            "yarn #{command}",
+            fingerprint: "yarn #{fingerprint || command}"
+          )
         end
       end
 
       # Install the package manager for specified version by using corepack
       # and prepare it for use by using corepack
-      sig { params(name: String, version: String).void }
+      sig { params(name: String, version: String).returns(String) }
       def self.install(name, version)
         Dependabot.logger.info("Installing \"#{name}@#{version}\"")
 
@@ -309,30 +398,40 @@ module Dependabot
         installed_version = package_manager_version(name)
 
         Dependabot.logger.info("Installed version of #{name}: #{installed_version}")
+
+        installed_version
       end
 
       # Install the package manager for specified version by using corepack
       sig { params(name: String, version: String).void }
       def self.package_manager_install(name, version)
-        SharedHelpers.run_shell_command(
+        Dependabot::SharedHelpers.run_shell_command(
           "corepack install #{name}@#{version} --global --cache-only",
           fingerprint: "corepack install <name>@<version> --global --cache-only"
-        )
+        ).strip
       end
 
       # Prepare the package manager for use by using corepack
       sig { params(name: String, version: String).void }
       def self.package_manager_activate(name, version)
-        SharedHelpers.run_shell_command(
+        Dependabot::SharedHelpers.run_shell_command(
           "corepack prepare #{name}@#{version} --activate",
           fingerprint: "corepack prepare --activate"
-        )
+        ).strip
       end
 
       # Get the version of the package manager by using corepack
       sig { params(name: String).returns(String) }
       def self.package_manager_version(name)
-        package_manager_run_command(name, "-v")
+        Dependabot.logger.info("Fetching version for package manager: #{name}")
+
+        version = package_manager_run_command(name, "-v").strip
+
+        Dependabot.logger.info("Version for #{name}: #{version}")
+        version
+      rescue StandardError => e
+        Dependabot.logger.error("Error fetching version for package manager #{name}: #{e.message}")
+        raise
       end
 
       # Run single command on package manager returning stdout/stderr
@@ -344,15 +443,30 @@ module Dependabot
         ).returns(String)
       end
       def self.package_manager_run_command(name, command, fingerprint: nil)
-        SharedHelpers.run_shell_command(
-          "corepack #{name} #{command}",
+        full_command = "corepack #{name} #{command}"
+
+        Dependabot.logger.info("Running package manager command: #{full_command}")
+
+        result = Dependabot::SharedHelpers.run_shell_command(
+          full_command,
           fingerprint: "corepack #{name} #{fingerprint || command}"
-        )
+        ).strip
+
+        Dependabot.logger.info("Command executed successfully: #{full_command}")
+        result
+      rescue StandardError => e
+        Dependabot.logger.error("Error running package manager command: #{full_command}, Error: #{e.message}")
+        raise
       end
+
       private_class_method :run_single_yarn_command
 
+      sig { params(pnpm_lock: DependencyFile).returns(T.nilable(String)) }
       def self.pnpm_lockfile_version(pnpm_lock)
-        pnpm_lock.content.match(/^lockfileVersion: ['"]?(?<version>[\d.]+)/)[:version]
+        match = T.must(pnpm_lock.content).match(/^lockfileVersion: ['"]?(?<version>[\d.]+)/)
+        return match[:version] if match
+
+        nil
       end
 
       sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).returns(T::Array[Dependency]) }

data/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -1,8 +1,9 @@
-# typed: true
+# typed: strict
 # frozen_string_literal: true
 
 require "dependabot/shared_helpers"
 require "dependabot/ecosystem"
+require "dependabot/npm_and_yarn/requirement"
 require "dependabot/npm_and_yarn/version_selector"
 
 module Dependabot
@@ -10,6 +11,37 @@ module Dependabot
     ECOSYSTEM = "npm_and_yarn"
     MANIFEST_FILENAME = "package.json"
     LERNA_JSON_FILENAME = "lerna.json"
+    PACKAGE_MANAGER_VERSION_REGEX = /
+      ^                        # Start of string
+      (?<major>\d+)            # Major version (required, numeric)
+      \.                       # Separator between major and minor versions
+      (?<minor>\d+)            # Minor version (required, numeric)
+      \.                       # Separator between minor and patch versions
+      (?<patch>\d+)            # Patch version (required, numeric)
+      (                        # Start pre-release section
+        -(?<pre_release>[a-zA-Z0-9.]+) # Pre-release label (optional, alphanumeric or dot-separated)
+      )?
+      (                        # Start build metadata section
+        \+(?<build>[a-zA-Z0-9.]+) # Build metadata (optional, alphanumeric or dot-separated)
+      )?
+      $                        # End of string
+    /x # Extended mode for readability
+
+    VALID_REQUIREMENT_CONSTRAINT = /
+      ^                        # Start of string
+      (?<operator>=|>|>=|<|<=|~>|\\^) # Allowed operators
+      \s*                      # Optional whitespace
+      (?<major>\d+)            # Major version (required)
+      (\.(?<minor>\d+))?       # Minor version (optional)
+      (\.(?<patch>\d+))?       # Patch version (optional)
+      (                        # Start pre-release section
+        -(?<pre_release>[a-zA-Z0-9.]+) # Pre-release label (optional)
+      )?
+      (                        # Start build metadata section
+        \+(?<build>[a-zA-Z0-9.]+) # Build metadata (optional)
+      )?
+      $                        # End of string
+    /x # Extended mode for readability
 
     MANIFEST_PACKAGE_MANAGER_KEY = "packageManager"
     MANIFEST_ENGINES_KEY = "engines"
@@ -25,24 +57,32 @@ module Dependabot
       NPM_V7 = "7"
       NPM_V8 = "8"
       NPM_V9 = "9"
+      NPM_V10 = "10"
 
       # Keep versions in ascending order
       SUPPORTED_VERSIONS = T.let([
         Version.new(NPM_V6),
         Version.new(NPM_V7),
         Version.new(NPM_V8),
-        Version.new(NPM_V9)
+        Version.new(NPM_V9),
+        Version.new(NPM_V10)
       ].freeze, T::Array[Dependabot::Version])
 
       DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
 
-      sig { params(raw_version: String).void }
-      def initialize(raw_version)
+      sig do
+        params(
+          raw_version: String,
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement: nil)
         super(
           NAME,
           Version.new(raw_version),
           DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS
+          SUPPORTED_VERSIONS,
+          requirement
         )
       end
 
@@ -76,13 +116,19 @@ module Dependabot
 
       DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
 
-      sig { params(raw_version: String).void }
-      def initialize(raw_version)
+      sig do
+        params(
+          raw_version: String,
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement: nil)
         super(
           NAME,
           Version.new(raw_version),
           DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS
+          SUPPORTED_VERSIONS,
+          requirement
         )
       end
 
@@ -115,13 +161,19 @@ module Dependabot
 
       DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
 
-      sig { params(raw_version: String).void }
-      def initialize(raw_version)
+      sig do
+        params(
+          raw_version: String,
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement: nil)
         super(
           NAME,
           Version.new(raw_version),
           DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS
+          SUPPORTED_VERSIONS,
+          requirement
         )
       end
 
@@ -138,11 +190,20 @@ module Dependabot
 
     DEFAULT_PACKAGE_MANAGER = NpmPackageManager::NAME
 
-    PACKAGE_MANAGER_CLASSES = {
+    # Define a type alias for the expected class interface
+    NpmAndYarnPackageManagerClassType = T.type_alias do
+      T.any(
+        T.class_of(Dependabot::NpmAndYarn::NpmPackageManager),
+        T.class_of(Dependabot::NpmAndYarn::YarnPackageManager),
+        T.class_of(Dependabot::NpmAndYarn::PNPMPackageManager)
+      )
+    end
+
+    PACKAGE_MANAGER_CLASSES = T.let({
       NpmPackageManager::NAME => NpmPackageManager,
       YarnPackageManager::NAME => YarnPackageManager,
       PNPMPackageManager::NAME => PNPMPackageManager
-    }.freeze
+    }.freeze, T::Hash[String, NpmAndYarnPackageManagerClassType])
 
     class PackageManagerDetector
       extend T::Sig
@@ -151,21 +212,34 @@ module Dependabot
       sig do
         params(
           lockfiles: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
-          package_json: T::Hash[String, T.untyped]
+          package_json: T.nilable(T::Hash[String, T.untyped])
         ).void
       end
       def initialize(lockfiles, package_json)
         @lockfiles = lockfiles
         @package_json = package_json
-        @manifest_package_manager = package_json["packageManager"]
-        @engines = package_json.fetch(MANIFEST_ENGINES_KEY, nil)
+        @manifest_package_manager = T.let(package_json&.fetch(MANIFEST_PACKAGE_MANAGER_KEY, nil), T.nilable(String))
+        @engines = T.let(package_json&.fetch(MANIFEST_ENGINES_KEY, {}), T::Hash[String, T.untyped])
       end
 
       # Returns npm, yarn, or pnpm based on the lockfiles, package.json, and engines
       # Defaults to npm if no package manager is detected
       sig { returns(String) }
       def detect_package_manager
-        name_from_lockfiles || name_from_package_manager_attr || name_from_engines || DEFAULT_PACKAGE_MANAGER
+        package_manager = name_from_lockfiles ||
+                          name_from_package_manager_attr ||
+                          name_from_engines
+
+        if package_manager
+          Dependabot.logger.info("Detected package manager: #{package_manager}")
+        else
+          package_manager = DEFAULT_PACKAGE_MANAGER
+          Dependabot.logger.info("Default package manager used: #{package_manager}")
+        end
+        package_manager
+      rescue StandardError => e
+        Dependabot.logger.error("Error detecting package manager: #{e.message}")
+        DEFAULT_PACKAGE_MANAGER
       end
 
       private
@@ -195,22 +269,62 @@ module Dependabot
       end
     end
 
+    class Language < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "node"
+
+      SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+      sig do
+        params(
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement: nil)
+        super(
+          NAME,
+          Version.new(raw_version),
+          DEPRECATED_VERSIONS,
+          SUPPORTED_VERSIONS,
+          requirement
+        )
+      end
+
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+
     class PackageManagerHelper
       extend T::Sig
       extend T::Helpers
 
       sig do
         params(
-          package_json: T::Hash[String, T.untyped],
+          package_json: T.nilable(T::Hash[String, T.untyped]),
           lockfiles: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]
         ).void
       end
       def initialize(package_json, lockfiles:)
         @package_json = package_json
         @lockfiles = lockfiles
-        @manifest_package_manager = package_json[MANIFEST_PACKAGE_MANAGER_KEY]
-        @engines = package_json.fetch(MANIFEST_ENGINES_KEY, nil)
-        @package_manager_detector = PackageManagerDetector.new(@lockfiles, @package_json)
+        @package_manager_detector = T.let(PackageManagerDetector.new(lockfiles, package_json), PackageManagerDetector)
+        @manifest_package_manager = T.let(package_json&.fetch(MANIFEST_PACKAGE_MANAGER_KEY, nil), T.nilable(String))
+        @engines = T.let(package_json&.fetch(MANIFEST_ENGINES_KEY, nil), T.nilable(T::Hash[String, T.untyped]))
+
+        @installed_versions = T.let({}, T::Hash[String, String])
+
+        @language = T.let(nil, T.nilable(Ecosystem::VersionManager))
+        @language_requirement = T.let(nil, T.nilable(Requirement))
       end
 
       sig { returns(Ecosystem::VersionManager) }
@@ -220,8 +334,54 @@ module Dependabot
         )
       end
 
+      sig { returns(Ecosystem::VersionManager) }
+      def language
+        @language ||= Language.new(
+          Helpers.node_version,
+          requirement: language_requirement
+        )
+      end
+
+      sig { returns(T.nilable(Requirement)) }
+      def language_requirement
+        @language_requirement ||= find_engine_constraints_as_requirement(Language::NAME)
+      end
+
+      sig { params(name: String).returns(T.nilable(Requirement)) }
+      def find_engine_constraints_as_requirement(name)
+        Dependabot.logger.info("Processing engine constraints for #{name}")
+
+        return nil unless @engines.is_a?(Hash) && @engines[name]
+
+        raw_constraint = @engines[name].to_s.strip
+        return nil if raw_constraint.empty?
+
+        raw_constraints = raw_constraint.split
+        constraints = raw_constraints.map do |constraint|
+          case constraint
+          when /^\d+$/
+            ">=#{constraint}.0.0 <#{constraint.to_i + 1}.0.0"
+          when /^\d+\.\d+$/
+            ">=#{constraint} <#{constraint.split('.').first.to_i + 1}.0.0"
+          when /^\d+\.\d+\.\d+$/
+            "=#{constraint}"
+          else
+            Dependabot.logger.warn("Unrecognized constraint format for #{name}: #{constraint}")
+            constraint
+          end
+        end
+
+        Dependabot.logger.info("Parsed constraints for #{name}: #{constraints.join(', ')}")
+        Requirement.new(constraints)
+      rescue StandardError => e
+        Dependabot.logger.error("Error processing constraints for #{name}: #{e.message}")
+        nil
+      end
+
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/AbcSize
+      sig { params(name: String).returns(T.nilable(T.any(Integer, String))) }
       def setup(name)
         # we prioritize version mentioned in "packageManager" instead of "engines"
         # i.e. if { engines : "pnpm" : "6" } and { packageManager: "pnpm@6.0.2" },
@@ -257,13 +417,13 @@ module Dependabot
 
           if version
             raise_if_unsupported!(name, version.to_s)
-            install(name, version)
+            install(name, version.to_s)
           end
         else
           version ||= requested_version(name)
 
           if version
-            raise_if_unsupported!(name, version)
+            raise_if_unsupported!(name, version.to_s)
 
             install(name, version)
           else
@@ -272,30 +432,74 @@ module Dependabot
             if version
               raise_if_unsupported!(name, version.to_s)
 
-              install(name, version) if name == PNPMPackageManager::NAME
+              install(name, version.to_s) if name == PNPMPackageManager::NAME
             end
           end
         end
         version
       end
-      # rubocop:enable Metrics/CyclomaticComplexity
-      # rubocop:enable Metrics/PerceivedComplexity
-
-      private
 
       sig { params(name: T.nilable(String)).returns(Ecosystem::VersionManager) }
       def package_manager_by_name(name)
-        name = DEFAULT_PACKAGE_MANAGER if name.nil? || PACKAGE_MANAGER_CLASSES[name].nil?
+        Dependabot.logger.info("Resolving package manager for: #{name || 'default'}")
 
-        package_manager_class = PACKAGE_MANAGER_CLASSES[name]
+        name = ensure_valid_package_manager(name)
+        package_manager_class = T.must(PACKAGE_MANAGER_CLASSES[name])
 
-        package_manager_class ||= PACKAGE_MANAGER_CLASSES[DEFAULT_PACKAGE_MANAGER]
+        installed_version = installed_version(name)
+        Dependabot.logger.info("Installed version for #{name}: #{installed_version}")
 
-        version = Helpers.send(:"#{name}_version_numeric", @lockfiles[name.to_sym])
+        package_manager_requirement = find_engine_constraints_as_requirement(name)
+        if package_manager_requirement
+          Dependabot.logger.info("Version requirement for #{name}: #{package_manager_requirement}")
+        else
+          Dependabot.logger.info("No version requirement found for #{name}")
+        end
 
-        package_manager_class.new(version.to_s)
+        package_manager_instance = package_manager_class.new(
+          installed_version,
+          requirement: package_manager_requirement
+        )
+
+        Dependabot.logger.info("Package manager resolved for #{name}: #{package_manager_instance}")
+        package_manager_instance
+      rescue StandardError => e
+        Dependabot.logger.error("Error resolving package manager for #{name || 'default'}: #{e.message}")
+        raise
       end
 
+      # rubocop:enable Metrics/CyclomaticComplexity
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/AbcSize
+      # Retrieve the installed version of the package manager by executing
+      # the "corepack <name> -v" command and using the output.
+      # If the output does not match the expected version format (PACKAGE_MANAGER_VERSION_REGEX),
+      # fall back to the version inferred from the dependency files.
+      sig { params(name: String).returns(String) }
+      def installed_version(name)
+        # Return the memoized version if it has already been computed
+        return T.must(@installed_versions[name]) if @installed_versions.key?(name)
+
+        # Attempt to get the installed version through the package manager version command
+        @installed_versions[name] = Helpers.package_manager_version(name)
+
+        # If we can't get the installed version, we need to install the package manager and get the version
+        unless @installed_versions[name]&.match?(PACKAGE_MANAGER_VERSION_REGEX)
+          setup(name)
+          @installed_versions[name] = Helpers.package_manager_version(name)
+        end
+
+        # If we can't get the installed version or the version is invalid, we need to get inferred version
+        unless @installed_versions[name]&.match?(PACKAGE_MANAGER_VERSION_REGEX)
+          @installed_versions[name] = Helpers.public_send(:"#{name}_version_numeric", @lockfiles[name.to_sym]).to_s
+        end
+
+        T.must(@installed_versions[name])
+      end
+
+      private
+
+      sig { params(name: String, version: String).void }
       def raise_if_unsupported!(name, version)
         return unless name == PNPMPackageManager::NAME
         return unless Version.new(version) < Version.new("7")
@@ -303,6 +507,7 @@ module Dependabot
         raise ToolVersionNotSupported.new(PNPMPackageManager::NAME.upcase, version, "7.*, 8.*")
       end
 
+      sig { params(name: String, version: T.nilable(String)).void }
       def install(name, version)
         if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
           return Helpers.install(name, version.to_s)
@@ -316,6 +521,13 @@ module Dependabot
         )
       end
 
+      sig { params(name: T.nilable(String)).returns(String) }
+      def ensure_valid_package_manager(name)
+        name = DEFAULT_PACKAGE_MANAGER if name.nil? || PACKAGE_MANAGER_CLASSES[name].nil?
+        name
+      end
+
+      sig { params(name: String).returns(T.nilable(String)) }
       def requested_version(name)
         return unless @manifest_package_manager
 
@@ -326,6 +538,7 @@ module Dependabot
         match["version"]
       end
 
+      sig { params(name: String).returns(T.nilable(T.any(Integer, String))) }
       def guessed_version(name)
         lockfile = @lockfiles[name.to_sym]
         return unless lockfile
@@ -339,6 +552,8 @@ module Dependabot
 
       sig { params(name: T.untyped).returns(T.nilable(String)) }
       def check_engine_version(name)
+        return if @package_json.nil?
+
         version_selector = VersionSelector.new
         engine_versions = version_selector.setup(@package_json, name)
 

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -70,8 +70,8 @@ module Dependabot
                             run_yarn_updater(path, lockfile_name)
                           elsif lockfile.name.end_with?("pnpm-lock.yaml")
                             run_pnpm_updater(path, lockfile_name)
-                          elsif Helpers.npm8?(lockfile)
-                            run_npm8_updater(path, lockfile_name)
+                          elsif !Helpers.npm8?(lockfile)
+                            run_npm6_updater(path, lockfile_name)
                           else
                             run_npm_updater(path, lockfile_name)
                           end
@@ -143,7 +143,7 @@ module Dependabot
           end
         end
 
-        def run_npm8_updater(path, lockfile_name)
+        def run_npm_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               NativeHelpers.run_npm8_subdependency_update_command([dependency.name])
@@ -153,7 +153,7 @@ module Dependabot
           end
         end
 
-        def run_npm_updater(path, lockfile_name)
+        def run_npm6_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               SharedHelpers.run_helper_subprocess(

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.287.0
+  version: 0.289.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-11-19 00:00:00.000000000 Z
+date: 2024-12-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.287.0
+        version: 0.289.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.287.0
+        version: 0.289.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -346,7 +346,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.287.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.289.0
 post_install_message: 
 rdoc_options: []
 require_paths: