dependabot-npm_and_yarn 0.288.0 → 0.289.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ef19e7ca0938baa0bee66d3db0500574f6d3b42b181fef8fe38d36396587a2f4
-  data.tar.gz: 4905508434d0e5ac9ef7cbe1b71dcc10d466c5932291b8c9abb4473d53d854b1
+  metadata.gz: 3b61a2e379cb066af66a91f9cbfd25d89755129946f7093b2e1d5be7f3642133
+  data.tar.gz: 10995493f890b53c62af1c14f7d29a165ee32096b8b84a529f0822984d6f1480
 SHA512:
-  metadata.gz: 9981d5b93d3b36479e9500d54fcfcc2d0de8aed94ac5d382a84b7189d570277348e5d421e77f0fc8fee9d20c18511352a60ce855cdc95c178e74ff94640fc175
-  data.tar.gz: c8015a50c6732baf3435b7be9ebef4393f312c20d154bf15c516bcad80f8dc39d1fd093c09df6aeb70a59feabe02385dcf9ae15e4b46f3eb6a61916736f04f6a
+  metadata.gz: 3fb1619f2f8ba90e8bbe7945c7b1e179abd09004b940c1d2514d9f4290a7679955ad0fcc0db26ebcb4b810c5903e4d66ddb3f3d0b3ca0a265c9636f34f272519
+  data.tar.gz: ae15d52f683156e2df0ddf213c254e0b9cd6e9324da8eda5367dae8d1c59629497739be437e3c76c6597ce9ccbbbd06509196ba9efad51240e3e98a9c99d91f4

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -107,6 +107,7 @@ module Dependabot
         fetched_yarn_files << yarn_lock if yarn_lock
         fetched_yarn_files << yarnrc if yarnrc
         fetched_yarn_files << yarnrc_yml if yarnrc_yml
+        create_yarn_cache
         fetched_yarn_files
       end
 
@@ -244,6 +245,20 @@ module Dependabot
         return @pnpm_lock if defined?(@pnpm_lock)
 
         @pnpm_lock ||= T.let(fetch_file_if_present(PNPMPackageManager::LOCKFILE_NAME), T.nilable(DependencyFile))
+
+        return @pnpm_lock if @pnpm_lock || directory == "/"
+
+        # Loop through parent directories looking for a pnpm-lock
+        (1..directory.split("/").count).each do |i|
+          @pnpm_lock = fetch_file_from_host(("../" * i) + PNPMPackageManager::LOCKFILE_NAME)
+                       .tap { |f| f.support_file = true }
+          break if @pnpm_lock
+        rescue Dependabot::DependencyFileNotFound
+          # Ignore errors (pnpm_lock.yaml may not be present)
+          nil
+        end
+
+        @pnpm_lock
       end
 
       sig { returns(T.nilable(DependencyFile)) }
@@ -655,6 +670,19 @@ module Dependabot
       rescue JSON::ParserError
         raise Dependabot::DependencyFileNotParseable, T.must(lerna_json).path
       end
+
+      sig { void }
+      def create_yarn_cache
+        if repo_contents_path.nil?
+          Dependabot.logger.info("Repository contents path is nil")
+        elsif Dir.exist?(T.must(repo_contents_path))
+          Dir.chdir(T.must(repo_contents_path)) do
+            FileUtils.mkdir_p(".yarn/cache")
+          end
+        else
+          Dependabot.logger.info("Repository contents path does not exist")
+        end
+      end
     end
   end
 end

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -11,6 +11,7 @@ require "dependabot/npm_and_yarn/helpers"
 require "dependabot/npm_and_yarn/native_helpers"
 require "dependabot/npm_and_yarn/version"
 require "dependabot/npm_and_yarn/requirement"
+require "dependabot/npm_and_yarn/package_manager"
 require "dependabot/npm_and_yarn/registry_parser"
 require "dependabot/git_metadata_fetcher"
 require "dependabot/git_commit_checker"
@@ -83,7 +84,8 @@ module Dependabot
         @ecosystem ||= T.let(
           Ecosystem.new(
             name: ECOSYSTEM,
-            package_manager: package_manager_helper.package_manager
+            package_manager: package_manager_helper.package_manager,
+            language: package_manager_helper.language
           ),
           T.nilable(Ecosystem)
         )
@@ -477,4 +479,4 @@ module Dependabot
 end
 
 Dependabot::FileParsers
-  .register("npm_and_yarn", Dependabot::NpmAndYarn::FileParser)
+  .register(Dependabot::NpmAndYarn::ECOSYSTEM, Dependabot::NpmAndYarn::FileParser)

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -16,6 +16,7 @@ module Dependabot
         /^.*(?<error>The "yarn-path" option has been set \(in [^)]+\), but the specified location doesn't exist)/
 
       # NPM Version Constants
+      NPM_V10 = 10
       NPM_V8 = 8
       NPM_V6 = 6
       NPM_DEFAULT_VERSION = NPM_V8
@@ -40,6 +41,10 @@ module Dependabot
       # Otherwise, we are going to use old versionining npm 6
       sig { params(lockfile: T.nilable(DependencyFile)).returns(Integer) }
       def self.npm_version_numeric(lockfile)
+        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
+          return npm_version_numeric_latest(lockfile)
+        end
+
         fallback_version_npm8 = Dependabot::Experiments.enabled?(:npm_fallback_version_above_v6)
 
         return npm_version_numeric_npm8_or_higher(lockfile) if fallback_version_npm8
@@ -91,6 +96,36 @@ module Dependabot
         NPM_DEFAULT_VERSION # Fallback to default npm version if parsing fails
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(lockfile: T.nilable(DependencyFile)).returns(Integer) }
+      def self.npm_version_numeric_latest(lockfile)
+        lockfile_content = lockfile&.content
+
+        # Return npm 10 as the default if the lockfile is missing or empty
+        return NPM_V10 if lockfile_content.nil? || lockfile_content.strip.empty?
+
+        # Parse the lockfile content to extract the `lockfileVersion`
+        parsed_lockfile = JSON.parse(lockfile_content)
+        lockfile_version = parsed_lockfile["lockfileVersion"]&.to_i
+
+        # Determine the appropriate npm version based on `lockfileVersion`
+        if lockfile_version.nil?
+          NPM_V10 # Use npm 10 if `lockfileVersion` is missing or nil
+        elsif lockfile_version >= 3
+          NPM_V10 # Use npm 10 for lockfileVersion 3 or higher
+        elsif lockfile_version >= 2
+          NPM_V8 # Use npm 8 for lockfileVersion 2
+        elsif lockfile_version >= 1
+          # Use npm 8 if the fallback version flag is enabled, otherwise use npm 6
+          Dependabot::Experiments.enabled?(:npm_fallback_version_above_v6) ? NPM_V8 : NPM_V6
+        else
+          NPM_V10 # Default to npm 10 for unexpected or unsupported versions
+        end
+      rescue JSON::ParserError
+        NPM_V8 # Fallback to npm 8 if the lockfile content cannot be parsed
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+
       sig { params(yarn_lock: T.nilable(DependencyFile)).returns(Integer) }
       def self.yarn_version_numeric(yarn_lock)
         lockfile_content = yarn_lock&.content
@@ -139,6 +174,10 @@ module Dependabot
       def self.npm8?(package_lock)
         return true unless package_lock&.content
 
+        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
+          return npm_version_numeric_latest(package_lock) >= NPM_V8
+        end
+
         npm_version_numeric(package_lock) == NPM_V8
       end
 
@@ -284,6 +323,37 @@ module Dependabot
         end
       end
 
+      sig { returns(T.nilable(String)) }
+      def self.node_version
+        version = run_node_command("-v", fingerprint: "-v").strip
+
+        # Validate the output format (e.g., "v20.18.1" or "20.18.1")
+        if version.match?(/^v?\d+(\.\d+){2}$/)
+          version.strip.delete_prefix("v") # Remove the "v" prefix if present
+        end
+      rescue StandardError => e
+        puts "Error retrieving Node.js version: #{e.message}"
+        nil
+      end
+
+      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
+      def self.run_node_command(command, fingerprint: nil)
+        full_command = "node #{command}"
+
+        Dependabot.logger.info("Running node command: #{full_command}")
+
+        result = Dependabot::SharedHelpers.run_shell_command(
+          full_command,
+          fingerprint: "node #{fingerprint || command}"
+        )
+
+        Dependabot.logger.info("Command executed successfully: #{full_command}")
+        result
+      rescue StandardError => e
+        Dependabot.logger.error("Error running node command: #{full_command}, Error: #{e.message}")
+        raise
+      end
+
       # Setup yarn and run a single yarn command returning stdout/stderr
       sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
       def self.run_yarn_command(command, fingerprint: nil)
@@ -353,7 +423,15 @@ module Dependabot
       # Get the version of the package manager by using corepack
       sig { params(name: String).returns(String) }
       def self.package_manager_version(name)
-        package_manager_run_command(name, "-v")
+        Dependabot.logger.info("Fetching version for package manager: #{name}")
+
+        version = package_manager_run_command(name, "-v").strip
+
+        Dependabot.logger.info("Version for #{name}: #{version}")
+        version
+      rescue StandardError => e
+        Dependabot.logger.error("Error fetching version for package manager #{name}: #{e.message}")
+        raise
       end
 
       # Run single command on package manager returning stdout/stderr
@@ -365,11 +443,22 @@ module Dependabot
         ).returns(String)
       end
       def self.package_manager_run_command(name, command, fingerprint: nil)
-        Dependabot::SharedHelpers.run_shell_command(
-          "corepack #{name} #{command}",
+        full_command = "corepack #{name} #{command}"
+
+        Dependabot.logger.info("Running package manager command: #{full_command}")
+
+        result = Dependabot::SharedHelpers.run_shell_command(
+          full_command,
           fingerprint: "corepack #{name} #{fingerprint || command}"
         ).strip
+
+        Dependabot.logger.info("Command executed successfully: #{full_command}")
+        result
+      rescue StandardError => e
+        Dependabot.logger.error("Error running package manager command: #{full_command}, Error: #{e.message}")
+        raise
       end
+
       private_class_method :run_single_yarn_command
 
       sig { params(pnpm_lock: DependencyFile).returns(T.nilable(String)) }

data/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -3,6 +3,7 @@
 
 require "dependabot/shared_helpers"
 require "dependabot/ecosystem"
+require "dependabot/npm_and_yarn/requirement"
 require "dependabot/npm_and_yarn/version_selector"
 
 module Dependabot
@@ -10,7 +11,37 @@ module Dependabot
     ECOSYSTEM = "npm_and_yarn"
     MANIFEST_FILENAME = "package.json"
     LERNA_JSON_FILENAME = "lerna.json"
-    PACKAGE_MANAGER_VERSION_REGEX = /^(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)(?:-(?<pre_release>[a-zA-Z0-9.]+))?(?:\+(?<build>[a-zA-Z0-9.]+))?$/ # rubocop:disable Layout/LineLength
+    PACKAGE_MANAGER_VERSION_REGEX = /
+      ^                        # Start of string
+      (?<major>\d+)            # Major version (required, numeric)
+      \.                       # Separator between major and minor versions
+      (?<minor>\d+)            # Minor version (required, numeric)
+      \.                       # Separator between minor and patch versions
+      (?<patch>\d+)            # Patch version (required, numeric)
+      (                        # Start pre-release section
+        -(?<pre_release>[a-zA-Z0-9.]+) # Pre-release label (optional, alphanumeric or dot-separated)
+      )?
+      (                        # Start build metadata section
+        \+(?<build>[a-zA-Z0-9.]+) # Build metadata (optional, alphanumeric or dot-separated)
+      )?
+      $                        # End of string
+    /x # Extended mode for readability
+
+    VALID_REQUIREMENT_CONSTRAINT = /
+      ^                        # Start of string
+      (?<operator>=|>|>=|<|<=|~>|\\^) # Allowed operators
+      \s*                      # Optional whitespace
+      (?<major>\d+)            # Major version (required)
+      (\.(?<minor>\d+))?       # Minor version (optional)
+      (\.(?<patch>\d+))?       # Patch version (optional)
+      (                        # Start pre-release section
+        -(?<pre_release>[a-zA-Z0-9.]+) # Pre-release label (optional)
+      )?
+      (                        # Start build metadata section
+        \+(?<build>[a-zA-Z0-9.]+) # Build metadata (optional)
+      )?
+      $                        # End of string
+    /x # Extended mode for readability
 
     MANIFEST_PACKAGE_MANAGER_KEY = "packageManager"
     MANIFEST_ENGINES_KEY = "engines"
@@ -26,24 +57,32 @@ module Dependabot
       NPM_V7 = "7"
       NPM_V8 = "8"
       NPM_V9 = "9"
+      NPM_V10 = "10"
 
       # Keep versions in ascending order
       SUPPORTED_VERSIONS = T.let([
         Version.new(NPM_V6),
         Version.new(NPM_V7),
         Version.new(NPM_V8),
-        Version.new(NPM_V9)
+        Version.new(NPM_V9),
+        Version.new(NPM_V10)
       ].freeze, T::Array[Dependabot::Version])
 
       DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
 
-      sig { params(raw_version: String).void }
-      def initialize(raw_version)
+      sig do
+        params(
+          raw_version: String,
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement: nil)
         super(
           NAME,
           Version.new(raw_version),
           DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS
+          SUPPORTED_VERSIONS,
+          requirement
         )
       end
 
@@ -77,13 +116,19 @@ module Dependabot
 
       DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
 
-      sig { params(raw_version: String).void }
-      def initialize(raw_version)
+      sig do
+        params(
+          raw_version: String,
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement: nil)
         super(
           NAME,
           Version.new(raw_version),
           DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS
+          SUPPORTED_VERSIONS,
+          requirement
         )
       end
 
@@ -116,13 +161,19 @@ module Dependabot
 
       DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
 
-      sig { params(raw_version: String).void }
-      def initialize(raw_version)
+      sig do
+        params(
+          raw_version: String,
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement: nil)
         super(
           NAME,
           Version.new(raw_version),
           DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS
+          SUPPORTED_VERSIONS,
+          requirement
         )
       end
 
@@ -175,7 +226,20 @@ module Dependabot
       # Defaults to npm if no package manager is detected
       sig { returns(String) }
       def detect_package_manager
-        name_from_lockfiles || name_from_package_manager_attr || name_from_engines || DEFAULT_PACKAGE_MANAGER
+        package_manager = name_from_lockfiles ||
+                          name_from_package_manager_attr ||
+                          name_from_engines
+
+        if package_manager
+          Dependabot.logger.info("Detected package manager: #{package_manager}")
+        else
+          package_manager = DEFAULT_PACKAGE_MANAGER
+          Dependabot.logger.info("Default package manager used: #{package_manager}")
+        end
+        package_manager
+      rescue StandardError => e
+        Dependabot.logger.error("Error detecting package manager: #{e.message}")
+        DEFAULT_PACKAGE_MANAGER
       end
 
       private
@@ -205,6 +269,41 @@ module Dependabot
       end
     end
 
+    class Language < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "node"
+
+      SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+      sig do
+        params(
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement: nil)
+        super(
+          NAME,
+          Version.new(raw_version),
+          DEPRECATED_VERSIONS,
+          SUPPORTED_VERSIONS,
+          requirement
+        )
+      end
+
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+
     class PackageManagerHelper
       extend T::Sig
       extend T::Helpers
@@ -223,6 +322,9 @@ module Dependabot
         @engines = T.let(package_json&.fetch(MANIFEST_ENGINES_KEY, nil), T.nilable(T::Hash[String, T.untyped]))
 
         @installed_versions = T.let({}, T::Hash[String, String])
+
+        @language = T.let(nil, T.nilable(Ecosystem::VersionManager))
+        @language_requirement = T.let(nil, T.nilable(Requirement))
       end
 
       sig { returns(Ecosystem::VersionManager) }
@@ -232,6 +334,50 @@ module Dependabot
         )
       end
 
+      sig { returns(Ecosystem::VersionManager) }
+      def language
+        @language ||= Language.new(
+          Helpers.node_version,
+          requirement: language_requirement
+        )
+      end
+
+      sig { returns(T.nilable(Requirement)) }
+      def language_requirement
+        @language_requirement ||= find_engine_constraints_as_requirement(Language::NAME)
+      end
+
+      sig { params(name: String).returns(T.nilable(Requirement)) }
+      def find_engine_constraints_as_requirement(name)
+        Dependabot.logger.info("Processing engine constraints for #{name}")
+
+        return nil unless @engines.is_a?(Hash) && @engines[name]
+
+        raw_constraint = @engines[name].to_s.strip
+        return nil if raw_constraint.empty?
+
+        raw_constraints = raw_constraint.split
+        constraints = raw_constraints.map do |constraint|
+          case constraint
+          when /^\d+$/
+            ">=#{constraint}.0.0 <#{constraint.to_i + 1}.0.0"
+          when /^\d+\.\d+$/
+            ">=#{constraint} <#{constraint.split('.').first.to_i + 1}.0.0"
+          when /^\d+\.\d+\.\d+$/
+            "=#{constraint}"
+          else
+            Dependabot.logger.warn("Unrecognized constraint format for #{name}: #{constraint}")
+            constraint
+          end
+        end
+
+        Dependabot.logger.info("Parsed constraints for #{name}: #{constraints.join(', ')}")
+        Requirement.new(constraints)
+      rescue StandardError => e
+        Dependabot.logger.error("Error processing constraints for #{name}: #{e.message}")
+        nil
+      end
+
       # rubocop:disable Metrics/CyclomaticComplexity
       # rubocop:disable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/AbcSize
@@ -295,13 +441,31 @@ module Dependabot
 
       sig { params(name: T.nilable(String)).returns(Ecosystem::VersionManager) }
       def package_manager_by_name(name)
-        name = ensure_valid_package_manager(name)
+        Dependabot.logger.info("Resolving package manager for: #{name || 'default'}")
 
+        name = ensure_valid_package_manager(name)
         package_manager_class = T.must(PACKAGE_MANAGER_CLASSES[name])
 
         installed_version = installed_version(name)
+        Dependabot.logger.info("Installed version for #{name}: #{installed_version}")
+
+        package_manager_requirement = find_engine_constraints_as_requirement(name)
+        if package_manager_requirement
+          Dependabot.logger.info("Version requirement for #{name}: #{package_manager_requirement}")
+        else
+          Dependabot.logger.info("No version requirement found for #{name}")
+        end
+
+        package_manager_instance = package_manager_class.new(
+          installed_version,
+          requirement: package_manager_requirement
+        )
 
-        package_manager_class.new(installed_version)
+        Dependabot.logger.info("Package manager resolved for #{name}: #{package_manager_instance}")
+        package_manager_instance
+      rescue StandardError => e
+        Dependabot.logger.error("Error resolving package manager for #{name || 'default'}: #{e.message}")
+        raise
       end
 
       # rubocop:enable Metrics/CyclomaticComplexity

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -70,8 +70,8 @@ module Dependabot
                             run_yarn_updater(path, lockfile_name)
                           elsif lockfile.name.end_with?("pnpm-lock.yaml")
                             run_pnpm_updater(path, lockfile_name)
-                          elsif Helpers.npm8?(lockfile)
-                            run_npm8_updater(path, lockfile_name)
+                          elsif !Helpers.npm8?(lockfile)
+                            run_npm6_updater(path, lockfile_name)
                           else
                             run_npm_updater(path, lockfile_name)
                           end
@@ -143,7 +143,7 @@ module Dependabot
           end
         end
 
-        def run_npm8_updater(path, lockfile_name)
+        def run_npm_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               NativeHelpers.run_npm8_subdependency_update_command([dependency.name])
@@ -153,7 +153,7 @@ module Dependabot
           end
         end
 
-        def run_npm_updater(path, lockfile_name)
+        def run_npm6_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               SharedHelpers.run_helper_subprocess(

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.288.0
+  version: 0.289.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-11-21 00:00:00.000000000 Z
+date: 2024-12-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.288.0
+        version: 0.289.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.288.0
+        version: 0.289.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -346,7 +346,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.288.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.289.0
 post_install_message: 
 rdoc_options: []
 require_paths: