dependabot-npm_and_yarn 0.288.0 → 0.290.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ef19e7ca0938baa0bee66d3db0500574f6d3b42b181fef8fe38d36396587a2f4
-  data.tar.gz: 4905508434d0e5ac9ef7cbe1b71dcc10d466c5932291b8c9abb4473d53d854b1
+  metadata.gz: a8a094096ac6049e60970f2435585ab4cde21182030752133351f3b211f83d2b
+  data.tar.gz: 78e3e5f474091fa12526c005a4309a65d71420cbfd64d6a835cae7a1d387f031
 SHA512:
-  metadata.gz: 9981d5b93d3b36479e9500d54fcfcc2d0de8aed94ac5d382a84b7189d570277348e5d421e77f0fc8fee9d20c18511352a60ce855cdc95c178e74ff94640fc175
-  data.tar.gz: c8015a50c6732baf3435b7be9ebef4393f312c20d154bf15c516bcad80f8dc39d1fd093c09df6aeb70a59feabe02385dcf9ae15e4b46f3eb6a61916736f04f6a
+  metadata.gz: a264a72f6140fae85f8f5d03519381060c44093838cf8828130d30b8489bfe334790106fcf874d2805d62edfe295d2cc7963118e768806da61d879df5ff9863d
+  data.tar.gz: 82d5056fa18f3f7592a0471e4ce29d9feebb68108f5793f7e07b7603d63f6bba1294912ad1b56ba8bbfbc3e676ad74adfbda3d5a8446533e63463f88988569d8

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -107,6 +107,7 @@ module Dependabot
         fetched_yarn_files << yarn_lock if yarn_lock
         fetched_yarn_files << yarnrc if yarnrc
         fetched_yarn_files << yarnrc_yml if yarnrc_yml
+        create_yarn_cache
         fetched_yarn_files
       end
 
@@ -206,7 +207,9 @@ module Dependabot
         @package_manager_helper ||= T.let(
           PackageManagerHelper.new(
             parsed_package_json,
-            lockfiles: lockfiles
+            lockfiles,
+            registry_config_files,
+            credentials
           ), T.nilable(PackageManagerHelper)
         )
       end
@@ -220,6 +223,17 @@ module Dependabot
         }
       end
 
+      # Returns the .npmrc, and .yarnrc files for the repository.
+      # @return [Hash{Symbol => Dependabot::DependencyFile}]
+      sig { returns(T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]) }
+      def registry_config_files
+        {
+          npmrc: npmrc,
+          yarnrc: yarnrc,
+          yarnrc_yml: yarnrc_yml
+        }
+      end
+
       sig { returns(DependencyFile) }
       def package_json
         @package_json ||= T.let(fetch_file_from_host(MANIFEST_FILENAME), T.nilable(DependencyFile))
@@ -244,6 +258,20 @@ module Dependabot
         return @pnpm_lock if defined?(@pnpm_lock)
 
         @pnpm_lock ||= T.let(fetch_file_if_present(PNPMPackageManager::LOCKFILE_NAME), T.nilable(DependencyFile))
+
+        return @pnpm_lock if @pnpm_lock || directory == "/"
+
+        # Loop through parent directories looking for a pnpm-lock
+        (1..directory.split("/").count).each do |i|
+          @pnpm_lock = fetch_file_from_host(("../" * i) + PNPMPackageManager::LOCKFILE_NAME)
+                       .tap { |f| f.support_file = true }
+          break if @pnpm_lock
+        rescue Dependabot::DependencyFileNotFound
+          # Ignore errors (pnpm_lock.yaml may not be present)
+          nil
+        end
+
+        @pnpm_lock
       end
 
       sig { returns(T.nilable(DependencyFile)) }
@@ -655,6 +683,19 @@ module Dependabot
       rescue JSON::ParserError
         raise Dependabot::DependencyFileNotParseable, T.must(lerna_json).path
       end
+
+      sig { void }
+      def create_yarn_cache
+        if repo_contents_path.nil?
+          Dependabot.logger.info("Repository contents path is nil")
+        elsif Dir.exist?(T.must(repo_contents_path))
+          Dir.chdir(T.must(repo_contents_path)) do
+            FileUtils.mkdir_p(".yarn/cache")
+          end
+        else
+          Dependabot.logger.info("Repository contents path does not exist")
+        end
+      end
     end
   end
 end

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -11,6 +11,7 @@ require "dependabot/npm_and_yarn/helpers"
 require "dependabot/npm_and_yarn/native_helpers"
 require "dependabot/npm_and_yarn/version"
 require "dependabot/npm_and_yarn/requirement"
+require "dependabot/npm_and_yarn/package_manager"
 require "dependabot/npm_and_yarn/registry_parser"
 require "dependabot/git_metadata_fetcher"
 require "dependabot/git_commit_checker"
@@ -83,7 +84,8 @@ module Dependabot
         @ecosystem ||= T.let(
           Ecosystem.new(
             name: ECOSYSTEM,
-            package_manager: package_manager_helper.package_manager
+            package_manager: package_manager_helper.package_manager,
+            language: package_manager_helper.language
           ),
           T.nilable(Ecosystem)
         )
@@ -96,7 +98,9 @@ module Dependabot
         @package_manager_helper ||= T.let(
           PackageManagerHelper.new(
             parsed_package_json,
-            lockfiles: lockfiles
+            lockfiles,
+            registry_config_files,
+            credentials
           ), T.nilable(PackageManagerHelper)
         )
       end
@@ -110,6 +114,15 @@ module Dependabot
         }
       end
 
+      sig { returns(T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]) }
+      def registry_config_files
+        {
+          npmrc: npmrc,
+          yarnrc: yarnrc,
+          yarnrc_yml: yarnrc_yml
+        }
+      end
+
       sig { returns(T.untyped) }
       def parsed_package_json
         JSON.parse(T.must(package_json.content))
@@ -154,6 +167,27 @@ module Dependabot
         end, T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def npmrc
+        @npmrc ||= T.let(dependency_files.find do |f|
+          f.name == NpmPackageManager::RC_FILENAME
+        end, T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def yarnrc
+        @yarnrc ||= T.let(dependency_files.find do |f|
+          f.name == YarnPackageManager::RC_FILENAME
+        end, T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T.nilable(DependencyFile)) }
+      def yarnrc_yml
+        @yarnrc_yml ||= T.let(dependency_files.find do |f|
+          f.name == YarnPackageManager::RC_YML_FILENAME
+        end, T.nilable(Dependabot::DependencyFile))
+      end
+
       sig { returns(Dependabot::FileParsers::Base::DependencySet) }
       def manifest_dependencies
         dependency_set = DependencySet.new
@@ -477,4 +511,4 @@ module Dependabot
 end
 
 Dependabot::FileParsers
-  .register("npm_and_yarn", Dependabot::NpmAndYarn::FileParser)
+  .register(Dependabot::NpmAndYarn::ECOSYSTEM, Dependabot::NpmAndYarn::FileParser)

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -9,13 +9,14 @@ require "sorbet-runtime"
 
 module Dependabot
   module NpmAndYarn
-    module Helpers
+    module Helpers # rubocop:disable Metrics/ModuleLength
       extend T::Sig
 
       YARN_PATH_NOT_FOUND =
         /^.*(?<error>The "yarn-path" option has been set \(in [^)]+\), but the specified location doesn't exist)/
 
       # NPM Version Constants
+      NPM_V10 = 10
       NPM_V8 = 8
       NPM_V6 = 6
       NPM_DEFAULT_VERSION = NPM_V8
@@ -40,6 +41,10 @@ module Dependabot
       # Otherwise, we are going to use old versionining npm 6
       sig { params(lockfile: T.nilable(DependencyFile)).returns(Integer) }
       def self.npm_version_numeric(lockfile)
+        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
+          return npm_version_numeric_latest(lockfile)
+        end
+
         fallback_version_npm8 = Dependabot::Experiments.enabled?(:npm_fallback_version_above_v6)
 
         return npm_version_numeric_npm8_or_higher(lockfile) if fallback_version_npm8
@@ -91,6 +96,36 @@ module Dependabot
         NPM_DEFAULT_VERSION # Fallback to default npm version if parsing fails
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(lockfile: T.nilable(DependencyFile)).returns(Integer) }
+      def self.npm_version_numeric_latest(lockfile)
+        lockfile_content = lockfile&.content
+
+        # Return npm 10 as the default if the lockfile is missing or empty
+        return NPM_V10 if lockfile_content.nil? || lockfile_content.strip.empty?
+
+        # Parse the lockfile content to extract the `lockfileVersion`
+        parsed_lockfile = JSON.parse(lockfile_content)
+        lockfile_version = parsed_lockfile["lockfileVersion"]&.to_i
+
+        # Determine the appropriate npm version based on `lockfileVersion`
+        if lockfile_version.nil?
+          NPM_V10 # Use npm 10 if `lockfileVersion` is missing or nil
+        elsif lockfile_version >= 3
+          NPM_V10 # Use npm 10 for lockfileVersion 3 or higher
+        elsif lockfile_version >= 2
+          NPM_V8 # Use npm 8 for lockfileVersion 2
+        elsif lockfile_version >= 1
+          # Use npm 8 if the fallback version flag is enabled, otherwise use npm 6
+          Dependabot::Experiments.enabled?(:npm_fallback_version_above_v6) ? NPM_V8 : NPM_V6
+        else
+          NPM_V10 # Default to npm 10 for unexpected or unsupported versions
+        end
+      rescue JSON::ParserError
+        NPM_V8 # Fallback to npm 8 if the lockfile content cannot be parsed
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+
       sig { params(yarn_lock: T.nilable(DependencyFile)).returns(Integer) }
       def self.yarn_version_numeric(yarn_lock)
         lockfile_content = yarn_lock&.content
@@ -139,6 +174,10 @@ module Dependabot
       def self.npm8?(package_lock)
         return true unless package_lock&.content
 
+        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
+          return npm_version_numeric_latest(package_lock) >= NPM_V8
+        end
+
         npm_version_numeric(package_lock) == NPM_V8
       end
 
@@ -284,6 +323,37 @@ module Dependabot
         end
       end
 
+      sig { returns(T.nilable(String)) }
+      def self.node_version
+        version = run_node_command("-v", fingerprint: "-v").strip
+
+        # Validate the output format (e.g., "v20.18.1" or "20.18.1")
+        if version.match?(/^v?\d+(\.\d+){2}$/)
+          version.strip.delete_prefix("v") # Remove the "v" prefix if present
+        end
+      rescue StandardError => e
+        Dependabot.logger.error("Error retrieving Node.js version: #{e.message}")
+        nil
+      end
+
+      sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
+      def self.run_node_command(command, fingerprint: nil)
+        full_command = "node #{command}"
+
+        Dependabot.logger.info("Running node command: #{full_command}")
+
+        result = Dependabot::SharedHelpers.run_shell_command(
+          full_command,
+          fingerprint: "node #{fingerprint || command}"
+        )
+
+        Dependabot.logger.info("Command executed successfully: #{full_command}")
+        result
+      rescue StandardError => e
+        Dependabot.logger.error("Error running node command: #{full_command}, Error: #{e.message}")
+        raise
+      end
+
       # Setup yarn and run a single yarn command returning stdout/stderr
       sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
       def self.run_yarn_command(command, fingerprint: nil)
@@ -318,42 +388,105 @@ module Dependabot
       end
 
       # Install the package manager for specified version by using corepack
-      # and prepare it for use by using corepack
-      sig { params(name: String, version: String).returns(String) }
-      def self.install(name, version)
+      sig do
+        params(
+          name: String,
+          version: String,
+          env: T.nilable(T::Hash[String, String])
+        )
+          .returns(String)
+      end
+      def self.install(name, version, env: {})
         Dependabot.logger.info("Installing \"#{name}@#{version}\"")
 
-        package_manager_install(name, version)
-        package_manager_activate(name, version)
-        installed_version = package_manager_version(name)
+        begin
+          # Try to install the specified version
+          output = package_manager_install(name, version, env: env)
+
+          # Confirm success based on the output
+          if output.match?(/Adding #{name}@.* to the cache/)
+            Dependabot.logger.info("#{name}@#{version} successfully installed.")
 
-        Dependabot.logger.info("Installed version of #{name}: #{installed_version}")
+            Dependabot.logger.info("Activating currently installed version of #{name}: #{version}")
+            package_manager_activate(name, version)
+
+          else
+            Dependabot.logger.error("Corepack installation output unexpected: #{output}")
+            fallback_to_local_version(name)
+          end
+        rescue StandardError => e
+          Dependabot.logger.error("Error installing #{name}@#{version}: #{e.message}")
+          fallback_to_local_version(name)
+        end
+
+        # Verify the installed version
+        installed_version = package_manager_version(name)
 
         installed_version
       end
 
+      # Attempt to activate the local version of the package manager
+      sig { params(name: String).void }
+      def self.fallback_to_local_version(name)
+        Dependabot.logger.info("Falling back to activate the currently installed version of #{name}.")
+
+        # Fetch the currently installed version directly from the environment
+        current_version = local_package_manager_version(name)
+        Dependabot.logger.info("Activating currently installed version of #{name}: #{current_version}")
+
+        # Prepare the existing version
+        package_manager_activate(name, current_version)
+      end
+
       # Install the package manager for specified version by using corepack
-      sig { params(name: String, version: String).void }
-      def self.package_manager_install(name, version)
+      sig do
+        params(
+          name: String,
+          version: String,
+          env: T.nilable(T::Hash[String, String])
+        )
+          .returns(String)
+      end
+      def self.package_manager_install(name, version, env: {})
         Dependabot::SharedHelpers.run_shell_command(
           "corepack install #{name}@#{version} --global --cache-only",
-          fingerprint: "corepack install <name>@<version> --global --cache-only"
+          fingerprint: "corepack install <name>@<version> --global --cache-only",
+          env: env
         ).strip
       end
 
       # Prepare the package manager for use by using corepack
-      sig { params(name: String, version: String).void }
+      sig { params(name: String, version: String).returns(String) }
       def self.package_manager_activate(name, version)
         Dependabot::SharedHelpers.run_shell_command(
           "corepack prepare #{name}@#{version} --activate",
-          fingerprint: "corepack prepare --activate"
+          fingerprint: "corepack prepare <name>@<version> --activate"
+        ).strip
+      end
+
+      # Fetch the currently installed version of the package manager directly
+      # from the system without involving Corepack
+      sig { params(name: String).returns(String) }
+      def self.local_package_manager_version(name)
+        Dependabot::SharedHelpers.run_shell_command(
+          "#{name} -v",
+          fingerprint: "#{name} -v"
         ).strip
       end
 
       # Get the version of the package manager by using corepack
       sig { params(name: String).returns(String) }
       def self.package_manager_version(name)
-        package_manager_run_command(name, "-v")
+        Dependabot.logger.info("Fetching version for package manager: #{name}")
+
+        version = package_manager_run_command(name, "-v").strip
+
+        Dependabot.logger.info("Installed version of #{name}: #{version}")
+
+        version
+      rescue StandardError => e
+        Dependabot.logger.error("Error fetching version for package manager #{name}: #{e.message}")
+        raise
       end
 
       # Run single command on package manager returning stdout/stderr
@@ -365,11 +498,19 @@ module Dependabot
         ).returns(String)
       end
       def self.package_manager_run_command(name, command, fingerprint: nil)
-        Dependabot::SharedHelpers.run_shell_command(
-          "corepack #{name} #{command}",
+        full_command = "corepack #{name} #{command}"
+
+        result = Dependabot::SharedHelpers.run_shell_command(
+          full_command,
           fingerprint: "corepack #{name} #{fingerprint || command}"
         ).strip
+
+        result
+      rescue StandardError => e
+        Dependabot.logger.error("Error running package manager command: #{full_command}, Error: #{e.message}")
+        raise
       end
+
       private_class_method :run_single_yarn_command
 
       sig { params(pnpm_lock: DependencyFile).returns(T.nilable(String)) }

data/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -3,14 +3,46 @@
 
 require "dependabot/shared_helpers"
 require "dependabot/ecosystem"
+require "dependabot/npm_and_yarn/requirement"
 require "dependabot/npm_and_yarn/version_selector"
+require "dependabot/npm_and_yarn/registry_helper"
 
 module Dependabot
   module NpmAndYarn
     ECOSYSTEM = "npm_and_yarn"
     MANIFEST_FILENAME = "package.json"
     LERNA_JSON_FILENAME = "lerna.json"
-    PACKAGE_MANAGER_VERSION_REGEX = /^(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)(?:-(?<pre_release>[a-zA-Z0-9.]+))?(?:\+(?<build>[a-zA-Z0-9.]+))?$/ # rubocop:disable Layout/LineLength
+    PACKAGE_MANAGER_VERSION_REGEX = /
+      ^                        # Start of string
+      (?<major>\d+)            # Major version (required, numeric)
+      \.                       # Separator between major and minor versions
+      (?<minor>\d+)            # Minor version (required, numeric)
+      \.                       # Separator between minor and patch versions
+      (?<patch>\d+)            # Patch version (required, numeric)
+      (                        # Start pre-release section
+        -(?<pre_release>[a-zA-Z0-9.]+) # Pre-release label (optional, alphanumeric or dot-separated)
+      )?
+      (                        # Start build metadata section
+        \+(?<build>[a-zA-Z0-9.]+) # Build metadata (optional, alphanumeric or dot-separated)
+      )?
+      $                        # End of string
+    /x # Extended mode for readability
+
+    VALID_REQUIREMENT_CONSTRAINT = /
+      ^                        # Start of string
+      (?<operator>=|>|>=|<|<=|~>|\\^) # Allowed operators
+      \s*                      # Optional whitespace
+      (?<major>\d+)            # Major version (required)
+      (\.(?<minor>\d+))?       # Minor version (optional)
+      (\.(?<patch>\d+))?       # Patch version (optional)
+      (                        # Start pre-release section
+        -(?<pre_release>[a-zA-Z0-9.]+) # Pre-release label (optional)
+      )?
+      (                        # Start build metadata section
+        \+(?<build>[a-zA-Z0-9.]+) # Build metadata (optional)
+      )?
+      $                        # End of string
+    /x # Extended mode for readability
 
     MANIFEST_PACKAGE_MANAGER_KEY = "packageManager"
     MANIFEST_ENGINES_KEY = "engines"
@@ -26,24 +58,32 @@ module Dependabot
       NPM_V7 = "7"
       NPM_V8 = "8"
       NPM_V9 = "9"
+      NPM_V10 = "10"
 
       # Keep versions in ascending order
       SUPPORTED_VERSIONS = T.let([
         Version.new(NPM_V6),
         Version.new(NPM_V7),
         Version.new(NPM_V8),
-        Version.new(NPM_V9)
+        Version.new(NPM_V9),
+        Version.new(NPM_V10)
       ].freeze, T::Array[Dependabot::Version])
 
       DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
 
-      sig { params(raw_version: String).void }
-      def initialize(raw_version)
+      sig do
+        params(
+          raw_version: String,
+          requirement: T.nilable(Dependabot::NpmAndYarn::Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement: nil)
         super(
           NAME,
           Version.new(raw_version),
           DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS
+          SUPPORTED_VERSIONS,
+          requirement
         )
       end
 
@@ -77,13 +117,19 @@ module Dependabot
 
       DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
 
-      sig { params(raw_version: String).void }
-      def initialize(raw_version)
+      sig do
+        params(
+          raw_version: String,
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement: nil)
         super(
           NAME,
           Version.new(raw_version),
           DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS
+          SUPPORTED_VERSIONS,
+          requirement
         )
       end
 
@@ -116,13 +162,19 @@ module Dependabot
 
       DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
 
-      sig { params(raw_version: String).void }
-      def initialize(raw_version)
+      sig do
+        params(
+          raw_version: String,
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement: nil)
         super(
           NAME,
           Version.new(raw_version),
           DEPRECATED_VERSIONS,
-          SUPPORTED_VERSIONS
+          SUPPORTED_VERSIONS,
+          requirement
         )
       end
 
@@ -175,7 +227,20 @@ module Dependabot
       # Defaults to npm if no package manager is detected
       sig { returns(String) }
       def detect_package_manager
-        name_from_lockfiles || name_from_package_manager_attr || name_from_engines || DEFAULT_PACKAGE_MANAGER
+        package_manager = name_from_lockfiles ||
+                          name_from_package_manager_attr ||
+                          name_from_engines
+
+        if package_manager
+          Dependabot.logger.info("Detected package manager: #{package_manager}")
+        else
+          package_manager = DEFAULT_PACKAGE_MANAGER
+          Dependabot.logger.info("Default package manager used: #{package_manager}")
+        end
+        package_manager
+      rescue StandardError => e
+        Dependabot.logger.error("Error detecting package manager: #{e.message}")
+        DEFAULT_PACKAGE_MANAGER
       end
 
       private
@@ -205,6 +270,41 @@ module Dependabot
       end
     end
 
+    class Language < Ecosystem::VersionManager
+      extend T::Sig
+      NAME = "node"
+
+      SUPPORTED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+      DEPRECATED_VERSIONS = T.let([].freeze, T::Array[Dependabot::Version])
+
+      sig do
+        params(
+          raw_version: T.nilable(String),
+          requirement: T.nilable(Requirement)
+        ).void
+      end
+      def initialize(raw_version, requirement: nil)
+        super(
+          NAME,
+          Version.new(raw_version),
+          DEPRECATED_VERSIONS,
+          SUPPORTED_VERSIONS,
+          requirement
+        )
+      end
+
+      sig { override.returns(T::Boolean) }
+      def deprecated?
+        false
+      end
+
+      sig { override.returns(T::Boolean) }
+      def unsupported?
+        false
+      end
+    end
+
     class PackageManagerHelper
       extend T::Sig
       extend T::Helpers
@@ -212,17 +312,27 @@ module Dependabot
       sig do
         params(
           package_json: T.nilable(T::Hash[String, T.untyped]),
-          lockfiles: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]
+          lockfiles: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
+          registry_config_files: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
+          credentials: T.nilable(T::Array[Dependabot::Credential])
         ).void
       end
-      def initialize(package_json, lockfiles:)
+      def initialize(package_json, lockfiles, registry_config_files, credentials)
         @package_json = package_json
         @lockfiles = lockfiles
+        @registry_helper = T.let(
+          RegistryHelper.new(registry_config_files, credentials),
+          Dependabot::NpmAndYarn::RegistryHelper
+        )
         @package_manager_detector = T.let(PackageManagerDetector.new(lockfiles, package_json), PackageManagerDetector)
         @manifest_package_manager = T.let(package_json&.fetch(MANIFEST_PACKAGE_MANAGER_KEY, nil), T.nilable(String))
         @engines = T.let(package_json&.fetch(MANIFEST_ENGINES_KEY, nil), T.nilable(T::Hash[String, T.untyped]))
 
         @installed_versions = T.let({}, T::Hash[String, String])
+        @registries = T.let({}, T::Hash[String, String])
+
+        @language = T.let(nil, T.nilable(Ecosystem::VersionManager))
+        @language_requirement = T.let(nil, T.nilable(Requirement))
       end
 
       sig { returns(Ecosystem::VersionManager) }
@@ -232,9 +342,53 @@ module Dependabot
         )
       end
 
+      sig { returns(Ecosystem::VersionManager) }
+      def language
+        @language ||= Language.new(
+          Helpers.node_version,
+          requirement: language_requirement
+        )
+      end
+
+      sig { returns(T.nilable(Requirement)) }
+      def language_requirement
+        @language_requirement ||= find_engine_constraints_as_requirement(Language::NAME)
+      end
+
+      sig { params(name: String).returns(T.nilable(Requirement)) }
+      def find_engine_constraints_as_requirement(name)
+        Dependabot.logger.info("Processing engine constraints for #{name}")
+
+        return nil unless @engines.is_a?(Hash) && @engines[name]
+
+        raw_constraint = @engines[name].to_s.strip
+        return nil if raw_constraint.empty?
+
+        raw_constraints = raw_constraint.split
+        constraints = raw_constraints.map do |constraint|
+          case constraint
+          when /^\d+$/
+            ">=#{constraint}.0.0 <#{constraint.to_i + 1}.0.0"
+          when /^\d+\.\d+$/
+            ">=#{constraint} <#{constraint.split('.').first.to_i + 1}.0.0"
+          when /^\d+\.\d+\.\d+$/
+            "=#{constraint}"
+          else
+            Dependabot.logger.warn("Unrecognized constraint format for #{name}: #{constraint}")
+            constraint
+          end
+        end
+
+        Dependabot.logger.info("Parsed constraints for #{name}: #{constraints.join(', ')}")
+        Requirement.new(constraints)
+      rescue StandardError => e
+        Dependabot.logger.error("Error processing constraints for #{name}: #{e.message}")
+        nil
+      end
+
       # rubocop:disable Metrics/CyclomaticComplexity
-      # rubocop:disable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/PerceivedComplexity
       sig { params(name: String).returns(T.nilable(T.any(Integer, String))) }
       def setup(name)
         # we prioritize version mentioned in "packageManager" instead of "engines"
@@ -292,21 +446,36 @@ module Dependabot
         end
         version
       end
+      # rubocop:enable Metrics/CyclomaticComplexity
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/PerceivedComplexity
 
       sig { params(name: T.nilable(String)).returns(Ecosystem::VersionManager) }
       def package_manager_by_name(name)
-        name = ensure_valid_package_manager(name)
+        Dependabot.logger.info("Resolving package manager for: #{name || 'default'}")
 
+        name = ensure_valid_package_manager(name)
         package_manager_class = T.must(PACKAGE_MANAGER_CLASSES[name])
 
         installed_version = installed_version(name)
+        Dependabot.logger.info("Installed version for #{name}: #{installed_version}")
 
-        package_manager_class.new(installed_version)
+        package_manager_requirement = find_engine_constraints_as_requirement(name)
+        if package_manager_requirement
+          Dependabot.logger.info("Version requirement for #{name}: #{package_manager_requirement}")
+        else
+          Dependabot.logger.info("No version requirement found for #{name}")
+        end
+
+        package_manager_class.new(
+          installed_version,
+          requirement: package_manager_requirement
+        )
+      rescue StandardError => e
+        Dependabot.logger.error("Error resolving package manager for #{name || 'default'}: #{e.message}")
+        raise
       end
 
-      # rubocop:enable Metrics/CyclomaticComplexity
-      # rubocop:enable Metrics/PerceivedComplexity
-      # rubocop:enable Metrics/AbcSize
       # Retrieve the installed version of the package manager by executing
       # the "corepack <name> -v" command and using the output.
       # If the output does not match the expected version format (PACKAGE_MANAGER_VERSION_REGEX),
@@ -346,7 +515,12 @@ module Dependabot
       sig { params(name: String, version: T.nilable(String)).void }
       def install(name, version)
         if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
-          return Helpers.install(name, version.to_s)
+          env = {}
+          if Dependabot::Experiments.enabled?(:enable_private_registry_for_corepack)
+            env = @registry_helper.find_corepack_env_variables
+          end
+          # Use the Helpers.install method to install the package manager
+          return Helpers.install(name, version.to_s, env: env)
         end
 
         Dependabot.logger.info("Installing \"#{name}@#{version}\"")

data/lib/dependabot/npm_and_yarn/registry_helper.rb

@@ -0,0 +1,188 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "yaml"
+require "dependabot/dependency_file"
+require "sorbet-runtime"
+
+module Dependabot
+  module NpmAndYarn
+    class RegistryHelper
+      extend T::Sig
+
+      # Keys for configurations
+      REGISTRY_KEY = "registry"
+      AUTH_KEY = "authToken"
+
+      # Yarn-specific keys
+      NPM_AUTH_TOKEN_KEY_FOR_YARN = "npmAuthToken"
+      NPM_SCOPE_KEY_FOR_YARN = "npmScopes"
+      NPM_REGISTER_KEY_FOR_YARN = "npmRegistryServer"
+
+      # Environment variable keys
+      COREPACK_NPM_REGISTRY_ENV = "COREPACK_NPM_REGISTRY"
+      COREPACK_NPM_TOKEN_ENV = "COREPACK_NPM_TOKEN"
+
+      sig do
+        params(
+          registry_config_files: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
+          credentials: T.nilable(T::Array[Dependabot::Credential])
+        ).void
+      end
+      def initialize(registry_config_files, credentials)
+        @registry_config_files = T.let(registry_config_files, T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)])
+        @credentials = T.let(credentials, T.nilable(T::Array[Dependabot::Credential]))
+      end
+
+      sig { returns(T::Hash[String, String]) }
+      def find_corepack_env_variables
+        registry_info = find_registry_and_token
+
+        env_variables = {}
+        env_variables[COREPACK_NPM_REGISTRY_ENV] = registry_info[:registry] if registry_info[:registry]
+        env_variables[COREPACK_NPM_TOKEN_ENV] = registry_info[:auth_token] if registry_info[:auth_token]
+
+        env_variables
+      end
+
+      private
+
+      sig { returns(T::Hash[Symbol, T.nilable(String)]) }
+      def find_registry_and_token
+        # Step 1: Check dependabot.yml configuration
+        dependabot_config = config_npm_registry_and_token
+        return dependabot_config if dependabot_config[:registry]
+
+        # Step 2: Check .npmrc
+        npmrc_config = @registry_config_files[:npmrc]
+        npmrc_result = parse_registry_from_npmrc_yarnrc(npmrc_config, "=", "npm")
+
+        return npmrc_result if npmrc_result[:registry]
+
+        # Step 3: Check .yarnrc
+        yarnrc_config = @registry_config_files[:yarnrc]
+        yarnrc_result = parse_registry_from_npmrc_yarnrc(yarnrc_config, " ", "npm")
+        return yarnrc_result if yarnrc_result[:registry]
+
+        # Step 4: Check yarnrc.yml
+        yarnrc_yml_config = @registry_config_files[:yarnrc_yml]
+        yarnrc_yml_result = parse_npm_from_yarnrc_yml(yarnrc_yml_config)
+        return yarnrc_yml_result if yarnrc_yml_result[:registry]
+
+        # Default values if no registry is found
+        {}
+      end
+
+      sig { returns(T::Hash[Symbol, T.nilable(String)]) }
+      def config_npm_registry_and_token
+        registries = {}
+
+        return registries unless @credentials&.any?
+
+        @credentials.each do |cred|
+          next unless cred["type"] == "npm_registry" # Skip if not an npm registry
+          next unless cred["replaces-base"] # Skip if not a reverse-proxy registry
+
+          # Set the registry if it's not already set
+          registries[:registry] ||= cred["registry"]
+
+          # Set the token if it's not already set
+          registries[:auth_token] ||= cred["token"]
+        end
+        registries
+      end
+
+      # Find registry and token in .npmrc or .yarnrc file
+      sig do
+        params(
+          file: T.nilable(Dependabot::DependencyFile),
+          separator: String
+        ).returns(T::Hash[Symbol, T.nilable(String)])
+      end
+      def parse_npm_from_npm_or_yarn_rc(file, separator = "=")
+        parse_registry_from_npmrc_yarnrc(file, separator, NpmPackageManager::NAME)
+      end
+
+      # Find registry and token in .npmrc or .yarnrc file
+      sig do
+        params(
+          file: T.nilable(Dependabot::DependencyFile),
+          separator: String,
+          scope: T.nilable(String)
+        ).returns(T::Hash[Symbol, T.nilable(String)])
+      end
+      def parse_registry_from_npmrc_yarnrc(file, separator = "=", scope = nil)
+        content = file&.content
+        return { registry: nil, auth_token: nil } unless content
+
+        global_registry = T.let(nil, T.nilable(String))
+        scoped_registry = T.let(nil, T.nilable(String))
+        auth_token = T.let(nil, T.nilable(String))
+
+        content.split("\n").each do |line|
+          # Split using the provided separator
+          key, value = line.strip.split(separator, 2)
+          next unless key && value
+
+          # Remove surrounding quotes from keys and values
+          cleaned_key = key.strip.gsub(/\A["']|["']\z/, "")
+          cleaned_value = value.strip.gsub(/\A["']|["']\z/, "")
+
+          case cleaned_key
+          when "registry"
+            # Case 1: Found a global registry
+            global_registry = cleaned_value
+          when "_authToken"
+            # Case 2: Found an auth token
+            auth_token = cleaned_value
+          else
+            # Handle scoped registry if a scope is provided
+            scoped_registry = cleaned_value if scope && cleaned_key == "@#{scope}:registry"
+          end
+        end
+
+        # Determine the registry to return (global first, fallback to scoped)
+        registry = global_registry || scoped_registry
+
+        { registry: registry, auth_token: auth_token }
+      end
+
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig { params(file: T.nilable(Dependabot::DependencyFile)).returns(T::Hash[Symbol, T.nilable(String)]) }
+      def parse_npm_from_yarnrc_yml(file)
+        content = file&.content
+        return { registry: nil, auth_token: nil } unless content
+
+        result = {}
+        yaml_data = safe_load_yaml(content)
+
+        # Step 1: Extract global registry and auth token
+        result[:registry] = yaml_data[NPM_REGISTER_KEY_FOR_YARN] if yaml_data.key?(NPM_REGISTER_KEY_FOR_YARN)
+        result[:auth_token] = yaml_data[NPM_AUTH_TOKEN_KEY_FOR_YARN] if yaml_data.key?(NPM_AUTH_TOKEN_KEY_FOR_YARN)
+
+        # Step 2: Fallback to any scoped registry and auth token if global is missing
+        if result[:registry].nil? && yaml_data.key?(NPM_SCOPE_KEY_FOR_YARN)
+          yaml_data[NPM_SCOPE_KEY_FOR_YARN].each do |_current_scope, config|
+            next unless config.is_a?(Hash)
+
+            result[:registry] ||= config[NPM_REGISTER_KEY_FOR_YARN]
+            result[:auth_token] ||= config[NPM_AUTH_TOKEN_KEY_FOR_YARN]
+          end
+        end
+
+        result
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+
+      # Safely loads the YAML content and logs any parsing errors
+      sig { params(content: String).returns(T::Hash[String, T.untyped]) }
+      def safe_load_yaml(content)
+        YAML.safe_load(content, permitted_classes: [Symbol, String]) || {}
+      rescue Psych::SyntaxError => e
+        # Log the error instead of raising it
+        Dependabot.logger.error("YAML parsing error: #{e.message}")
+        {}
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -70,8 +70,8 @@ module Dependabot
                             run_yarn_updater(path, lockfile_name)
                           elsif lockfile.name.end_with?("pnpm-lock.yaml")
                             run_pnpm_updater(path, lockfile_name)
-                          elsif Helpers.npm8?(lockfile)
-                            run_npm8_updater(path, lockfile_name)
+                          elsif !Helpers.npm8?(lockfile)
+                            run_npm6_updater(path, lockfile_name)
                           else
                             run_npm_updater(path, lockfile_name)
                           end
@@ -143,7 +143,7 @@ module Dependabot
           end
         end
 
-        def run_npm8_updater(path, lockfile_name)
+        def run_npm_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               NativeHelpers.run_npm8_subdependency_update_command([dependency.name])
@@ -153,7 +153,7 @@ module Dependabot
           end
         end
 
-        def run_npm_updater(path, lockfile_name)
+        def run_npm6_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do
             Dir.chdir(path) do
               SharedHelpers.run_helper_subprocess(

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.288.0
+  version: 0.290.0
 platform: ruby
 authors:
 - Dependabot
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-21 00:00:00.000000000 Z
+date: 2024-12-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.288.0
+        version: 0.290.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.288.0
+        version: 0.290.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -326,6 +326,7 @@ files:
 - lib/dependabot/npm_and_yarn/native_helpers.rb
 - lib/dependabot/npm_and_yarn/package_manager.rb
 - lib/dependabot/npm_and_yarn/package_name.rb
+- lib/dependabot/npm_and_yarn/registry_helper.rb
 - lib/dependabot/npm_and_yarn/registry_parser.rb
 - lib/dependabot/npm_and_yarn/requirement.rb
 - lib/dependabot/npm_and_yarn/sub_dependency_files_filterer.rb
@@ -346,8 +347,8 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.288.0
-post_install_message: 
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.290.0
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -363,7 +364,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 3.1.0
 requirements: []
 rubygems_version: 3.5.9
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Provides Dependabot support for Javascript (npm and yarn)
 test_files: []