dependabot-npm_and_yarn 0.293.0 → 0.295.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0d548c0891264c8b407f2b673e39266b3494683e431ac1e8b9ebc899319208f5
-  data.tar.gz: b43aeb89fb1a1c1e32a9d86eee5ccc188d8fc3da548ee4cbbcfbc4c76cfd59c7
+  metadata.gz: 14edb941111a95dc07d83e6449c01bd3b0f4b92c4e3168acd19d31ce1fa96183
+  data.tar.gz: 0ec9a05bb2ebda169ad58028bfc2c0465ef0bbf192265f317570842f5aaa81b7
 SHA512:
-  metadata.gz: 95eef6390619686a8017fc949e5a5609e34f3675920fea726975fb42c55904e9901ef55b80df005ffa43bf74e87623ed00a9a287005af9446c93b78fcb0c010d
-  data.tar.gz: 9a104350702acef102f005bdc0c4649b7713288de3685992538f9e58384487802f48a1f1c6e57dd6ac244fb11e849fd89b72f2f3648355eb3115d1174846e21f
+  metadata.gz: 5822f02ef7a153c079c70f91724efe53250ea696af5c0a995cfb86537be568e155344eb9cbb1481c2f2be01c080d486a0b98300dd318aa72c6271b36bd0d906e
+  data.tar.gz: 85bf7be8bb171f92b38a67d7c0b12b6c0e68056a6cdf09a0b20d8c2054517276e614e1bc7fd01bc366a53e917ba54c032ee816c977d47ca4eb11c22afda6c2ee

data/helpers/lib/npm/vulnerability-auditor.js

@@ -97,9 +97,9 @@ async function findVulnerableDependencies(directory, advisories) {
 
     for (const group of groupedFixUpdateChains.values()) {
       const fixUpdateNode = group[0].nodes[0]
-      const groupTopLevelAncestors = group.reduce((anc, chain) => {
+      const groupTopLevelAncestors = group.reduce((ancestor, chain) => {
         const topLevelNode = chain.nodes[chain.nodes.length - 1]
-        return anc.add(topLevelNode.name)
+        return ancestor.add(topLevelNode.name)
       }, new Set())
 
       // Add group's top-level ancestors to the set of all top-level ancestors of
@@ -269,23 +269,23 @@ const maybeReadFile = file => {
 }
 
 function loadCACerts(npmConfig) {
-    if (npmConfig.ca) {
-      return npmConfig.ca
-    }
+  if (npmConfig.ca) {
+    return npmConfig.ca
+  }
 
-    if (!npmConfig.cafile) {
-      return
-    }
+  if (!npmConfig.cafile) {
+    return
+  }
 
-    const raw = maybeReadFile(npmConfig.cafile)
-    if (!raw) {
-      return
-    }
+  const raw = maybeReadFile(npmConfig.cafile)
+  if (!raw) {
+    return
+  }
 
-    const delim = '-----END CERTIFICATE-----'
-    return raw.replace(/\r\n/g, '\n').split(delim)
-      .filter(section => section.trim())
-      .map(section => section.trimStart() + delim)
+  const delim = '-----END CERTIFICATE-----'
+  return raw.replace(/\r\n/g, '\n').split(delim)
+    .filter(section => section.trim())
+    .map(section => section.trimStart() + delim)
 }
 
 module.exports = { findVulnerableDependencies }

data/helpers/lib/npm6/updater.js

@@ -113,7 +113,7 @@ function flattenAllDependencies(manifest) {
   );
 }
 
-// NOTE: Re-used in npm 7 updater
+// NOTE: Reused in npm 7 updater
 function installArgs(
   depName,
   desiredVersion,

data/lib/dependabot/npm_and_yarn/bun_package_manager.rb

@@ -39,7 +39,7 @@ module Dependabot
 
       sig { override.returns(T::Boolean) }
       def unsupported?
-        supported_versions.all? { |supported| supported > version }
+        false
       end
     end
   end

data/lib/dependabot/npm_and_yarn/constraint_helper.rb

@@ -0,0 +1,306 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module NpmAndYarn
+    module ConstraintHelper
+      extend T::Sig
+
+      INVALID = "invalid" # Invalid constraint
+      # Regex Components for Semantic Versioning
+      DIGIT = "\\d+"                             # Matches a single number (e.g., "1")
+      PRERELEASE = "(?:-[a-zA-Z0-9.-]+)?"        # Matches optional pre-release tag (e.g., "-alpha")
+      BUILD_METADATA = "(?:\\+[a-zA-Z0-9.-]+)?"  # Matches optional build metadata (e.g., "+001")
+      DOT = "\\."                                # Matches a literal dot "."
+
+      # Matches semantic versions:
+      VERSION = T.let("#{DIGIT}(?:\\.#{DIGIT}){0,2}#{PRERELEASE}#{BUILD_METADATA}".freeze, String)
+
+      VERSION_REGEX = T.let(/\A#{VERSION}\z/o, Regexp)
+
+      # SemVer regex: major.minor.patch[-prerelease][+build]
+      SEMVER_REGEX = /^(?<version>\d+\.\d+\.\d+)(?:-(?<prerelease>[a-zA-Z0-9.-]+))?(?:\+(?<build>[a-zA-Z0-9.-]+))?$/
+
+      # Constraint Types as Constants
+      CARET_CONSTRAINT_REGEX = T.let(/^\^(#{VERSION})$/, Regexp)
+      TILDE_CONSTRAINT_REGEX = T.let(/^~(#{VERSION})$/, Regexp)
+      EXACT_CONSTRAINT_REGEX = T.let(/^(#{VERSION})$/, Regexp)
+      GREATER_THAN_EQUAL_REGEX = T.let(/^>=(#{VERSION})$/, Regexp)
+      LESS_THAN_EQUAL_REGEX = T.let(/^<=(#{VERSION})$/, Regexp)
+      GREATER_THAN_REGEX = T.let(/^>(#{VERSION})$/, Regexp)
+      LESS_THAN_REGEX = T.let(/^<(#{VERSION})$/, Regexp)
+      WILDCARD_REGEX = T.let(/^\*$/, Regexp)
+
+      # Unified Regex for Valid Constraints
+      VALID_CONSTRAINT_REGEX = T.let(Regexp.union(
+        CARET_CONSTRAINT_REGEX,
+        TILDE_CONSTRAINT_REGEX,
+        EXACT_CONSTRAINT_REGEX,
+        GREATER_THAN_EQUAL_REGEX,
+        LESS_THAN_EQUAL_REGEX,
+        GREATER_THAN_REGEX,
+        LESS_THAN_REGEX,
+        WILDCARD_REGEX
+      ).freeze, Regexp)
+
+      # Validates if the provided semver constraint expression from a `package.json` is valid.
+      # A valid semver constraint expression in `package.json` can consist of multiple groups
+      # separated by logical OR (`||`). Within each group, space-separated constraints are treated
+      # as logical AND. Each individual constraint must conform to the semver rules defined in
+      # `VALID_CONSTRAINT_REGEX`.
+      #
+      # Example (valid `package.json` semver constraints):
+      #   ">=1.2.3 <2.0.0 || ~3.4.5" → Valid (space-separated constraints are AND, `||` is OR)
+      #   "^1.0.0 || >=2.0.0 <3.0.0" → Valid (caret and range constraints combined)
+      #   "1.2.3" → Valid (exact version)
+      #   "*" → Valid (wildcard allows any version)
+      #
+      # Example (invalid `package.json` semver constraints):
+      #   ">=1.2.3 && <2.0.0" → Invalid (`&&` is not valid in semver)
+      #   ">=x.y.z" → Invalid (non-numeric version parts are not valid)
+      #   "1.2.3 ||" → Invalid (trailing OR operator)
+      #
+      # @param constraint_expression [String] The semver constraint expression from `package.json` to validate.
+      # @return [T::Boolean] Returns true if the constraint expression is valid semver, false otherwise.
+      sig { params(constraint_expression: T.nilable(String)).returns(T::Boolean) }
+      def self.valid_constraint_expression?(constraint_expression)
+        normalized_constraint = constraint_expression&.strip
+
+        # Treat nil or empty input as valid (no constraints)
+        return true if normalized_constraint.nil? || normalized_constraint.empty?
+
+        # Split the expression by logical OR (`||`) into groups
+        normalized_constraint.split("||").reject(&:empty?).all? do |or_group|
+          or_group.split(/\s+/).reject(&:empty?).all? do |and_constraint|
+            and_constraint.match?(VALID_CONSTRAINT_REGEX)
+          end
+        end
+      end
+
+      # Extract unique constraints from the given constraint expression.
+      # @param constraint_expression [T.nilable(String)] The semver constraint expression.
+      # @return [T::Array[String]] The list of unique Ruby-compatible constraints.
+      sig do
+        params(
+          constraint_expression: T.nilable(String),
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(T::Array[String]))
+      end
+      def self.extract_constraints(constraint_expression, dependabot_versions = nil)
+        normalized_constraint = constraint_expression&.strip
+        return [] if normalized_constraint.nil? || normalized_constraint.empty?
+
+        parsed_constraints = parse_constraints(normalized_constraint, dependabot_versions)
+
+        return nil unless parsed_constraints
+
+        parsed_constraints.filter_map { |parsed| parsed[:constraint] }
+      end
+
+      # Find the highest version from the given constraint expression.
+      # @param constraint_expression [T.nilable(String)] The semver constraint expression.
+      # @return [T.nilable(String)] The highest version, or nil if no versions are available.
+      sig do
+        params(
+          constraint_expression: T.nilable(String),
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(String))
+      end
+      def self.find_highest_version_from_constraint_expression(constraint_expression, dependabot_versions = nil)
+        normalized_constraint = constraint_expression&.strip
+        return nil if normalized_constraint.nil? || normalized_constraint.empty?
+
+        parsed_constraints = parse_constraints(normalized_constraint, dependabot_versions)
+
+        return nil unless parsed_constraints
+
+        parsed_constraints
+          .filter_map { |parsed| parsed[:version] } # Extract all versions
+          .max_by { |version| Version.new(version) }
+      end
+
+      # Parse all constraints (split by logical OR `||`) and convert to Ruby-compatible constraints.
+      # Return:
+      #   - `nil` if the constraint expression is invalid
+      #   - `[]` if the constraint expression is valid but represents "no constraints"
+      #   - An array of hashes for valid constraints with details about the constraint and version
+      sig do
+        params(
+          constraint_expression: T.nilable(String),
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(T::Array[T::Hash[Symbol, T.nilable(String)]]))
+      end
+      def self.parse_constraints(constraint_expression, dependabot_versions = nil)
+        normalized_constraint = constraint_expression&.strip
+
+        # Return an empty array for valid "no constraints" (nil or empty input)
+        return [] if normalized_constraint.nil? || normalized_constraint.empty?
+
+        # Return nil for invalid constraints
+        return nil unless valid_constraint_expression?(normalized_constraint)
+
+        # Parse valid constraints
+        constraints = normalized_constraint.split("||").flat_map do |or_group|
+          or_group.strip.split(/\s+/).map(&:strip)
+        end.then do |normalized_constraints| # rubocop:disable Style/MultilineBlockChain
+          to_ruby_constraints_with_versions(normalized_constraints, dependabot_versions)
+        end.uniq { |parsed| parsed[:constraint] } # Ensure uniqueness based on `:constraint` # rubocop:disable Style/MultilineBlockChain
+        constraints
+      end
+
+      sig do
+        params(
+          constraints: T::Array[String],
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        ).returns(T::Array[T::Hash[Symbol, T.nilable(String)]])
+      end
+      def self.to_ruby_constraints_with_versions(constraints, dependabot_versions = [])
+        constraints.filter_map do |constraint|
+          parsed = to_ruby_constraint_with_version(constraint, dependabot_versions)
+          parsed if parsed && parsed[:constraint] # Only include valid constraints
+        end.uniq
+      end
+
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # Converts a semver constraint to a Ruby-compatible constraint and extracts the version, if available.
+      # @param constraint [String] The semver constraint to parse.
+      # @return [T.nilable(T::Hash[Symbol, T.nilable(String)])] Returns the Ruby-compatible constraint and the version,
+      # if available, or nil if the constraint is invalid.
+      #
+      # @example
+      #  to_ruby_constraint_with_version("=1.2.3") # => { constraint: "=1.2.3", version: "1.2.3" }
+      #  to_ruby_constraint_with_version("^1.2.3") # => { constraint: ">=1.2.3 <2.0.0", version: "1.2.3" }
+      #  to_ruby_constraint_with_version("*")      # => { constraint: nil, version: nil }
+      #  to_ruby_constraint_with_version("invalid") # => nil
+      sig do
+        params(
+          constraint: String,
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(T::Hash[Symbol, T.nilable(String)]))
+      end
+      def self.to_ruby_constraint_with_version(constraint, dependabot_versions = [])
+        return nil if constraint.empty?
+
+        case constraint
+        when EXACT_CONSTRAINT_REGEX # Exact version, e.g., "1.2.3-alpha"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          { constraint: "=#{full_version}", version: full_version }
+        when CARET_CONSTRAINT_REGEX # Caret constraint, e.g., "^1.2.3"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          _, major, minor = version_components(full_version)
+          return nil if major.nil?
+
+          ruby_constraint =
+            if major.to_i.zero?
+              minor.nil? ? ">=#{full_version} <1.0.0" : ">=#{full_version} <0.#{minor.to_i + 1}.0"
+            else
+              ">=#{full_version} <#{major.to_i + 1}.0.0"
+            end
+          { constraint: ruby_constraint, version: full_version }
+        when TILDE_CONSTRAINT_REGEX # Tilde constraint, e.g., "~1.2.3"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          _, major, minor = version_components(full_version)
+          ruby_constraint =
+            if minor.nil?
+              ">=#{full_version} <#{major.to_i + 1}.0.0"
+            else
+              ">=#{full_version} <#{major}.#{minor.to_i + 1}.0"
+            end
+          { constraint: ruby_constraint, version: full_version }
+        when GREATER_THAN_EQUAL_REGEX # Greater than or equal, e.g., ">=1.2.3"
+
+          return unless Regexp.last_match && Regexp.last_match(1)
+
+          found_version = highest_matching_version(
+            dependabot_versions,
+            T.must(Regexp.last_match(1))
+          ) do |version, constraint_version|
+            version >= Version.new(constraint_version)
+          end
+          { constraint: ">=#{Regexp.last_match(1)}", version: found_version&.to_s }
+        when LESS_THAN_EQUAL_REGEX # Less than or equal, e.g., "<=1.2.3"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          { constraint: "<=#{full_version}", version: full_version }
+        when GREATER_THAN_REGEX # Greater than, e.g., ">1.2.3"
+          return unless Regexp.last_match && Regexp.last_match(1)
+
+          found_version = highest_matching_version(
+            dependabot_versions,
+            T.must(Regexp.last_match(1))
+          ) do |version, constraint_version|
+            version > Version.new(constraint_version)
+          end
+          { constraint: ">#{Regexp.last_match(1)}", version: found_version&.to_s }
+        when LESS_THAN_REGEX # Less than, e.g., "<1.2.3"
+          return unless Regexp.last_match && Regexp.last_match(1)
+
+          found_version = highest_matching_version(
+            dependabot_versions,
+            T.must(Regexp.last_match(1))
+          ) do |version, constraint_version|
+            version < Version.new(constraint_version)
+          end
+          { constraint: "<#{Regexp.last_match(1)}", version: found_version&.to_s }
+        when WILDCARD_REGEX # Wildcard
+          { constraint: nil, version: dependabot_versions&.max&.to_s } # Explicitly valid but no specific constraint
+        end
+      end
+
+      sig do
+        params(
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version]),
+          constraint_version: String,
+          condition: T.proc.params(version: Dependabot::Version, constraint: Dependabot::Version).returns(T::Boolean)
+        )
+          .returns(T.nilable(Dependabot::Version))
+      end
+      def self.highest_matching_version(dependabot_versions, constraint_version, &condition)
+        return unless dependabot_versions&.any?
+
+        # Returns the highest version that satisfies the condition, or nil if none.
+        dependabot_versions
+          .sort
+          .reverse
+          .find { |version| condition.call(version, Version.new(constraint_version)) } # rubocop:disable Performance/RedundantBlockCall
+      end
+
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/CyclomaticComplexity
+
+      # Parses a semantic version string into its components as per the SemVer spec
+      # Example: "1.2.3-alpha+001" → ["1.2.3", "1", "2", "3", "alpha", "001"]
+      sig { params(full_version: T.nilable(String)).returns(T.nilable(T::Array[String])) }
+      def self.version_components(full_version)
+        return [] if full_version.nil?
+
+        match = full_version.match(SEMVER_REGEX)
+        return [] unless match
+
+        version = match[:version]
+        return [] unless version
+
+        major, minor, patch = version.split(".")
+        [version, major, minor, patch, match[:prerelease], match[:build]].compact
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -213,7 +213,7 @@ module Dependabot
 
       sig { returns(T.nilable(T.any(Integer, String))) }
       def bun_version
-        return @bun_version = nil unless Experiments.enabled?(:bun_updates)
+        return @bun_version = nil unless allow_beta_ecosystems?
 
         @bun_version ||= T.let(
           package_manager_helper.setup(BunPackageManager::NAME),
@@ -453,6 +453,15 @@ module Dependabot
 
         resolution_deps = resolution_objects.flat_map(&:to_a)
                                             .map do |path, value|
+          # skip dependencies that contain invalid values such as inline comments, null, etc.
+
+          unless value.is_a?(String)
+            Dependabot.logger.warn("File fetcher: Skipping dependency \"#{path}\" " \
+                                   "with value: \"#{value}\"")
+
+            next
+          end
+
           convert_dependency_path_to_name(path, value)
         end
 
@@ -645,8 +654,8 @@ module Dependabot
       def parsed_pnpm_workspace_yaml
         return {} unless pnpm_workspace_yaml
 
-        YAML.safe_load(T.must(T.must(pnpm_workspace_yaml).content))
-      rescue Psych::SyntaxError
+        YAML.safe_load(T.must(T.must(pnpm_workspace_yaml).content), aliases: true)
+      rescue Psych::SyntaxError, Psych::BadAlias
         raise Dependabot::DependencyFileNotParseable, T.must(pnpm_workspace_yaml).path
       end
 

data/lib/dependabot/npm_and_yarn/file_parser/bun_lock.rb

@@ -31,7 +31,6 @@ module Dependabot
             version = content["lockfileVersion"]
             raise_invalid!("expected 'lockfileVersion' to be an integer") unless version.is_a?(Integer)
             raise_invalid!("expected 'lockfileVersion' to be >= 0") unless version >= 0
-            raise_invalid!("unsupported 'lockfileVersion' = #{version}") unless version.zero?
 
             T.let(content, T.untyped)
           end

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -55,10 +55,11 @@ module Dependabot
       end
 
       sig { override.returns(T::Array[Dependency]) }
-      def parse
+      def parse # rubocop:disable Metrics/PerceivedComplexity
         dependency_set = DependencySet.new
         dependency_set += manifest_dependencies
         dependency_set += lockfile_dependencies
+        dependency_set += workspace_catalog_dependencies if enable_pnpm_workspace_catalog?
 
         dependencies = Helpers.dependencies_with_all_versions_metadata(dependency_set)
 
@@ -93,6 +94,11 @@ module Dependabot
 
       private
 
+      sig { returns(T.nilable(T::Boolean)) }
+      def enable_pnpm_workspace_catalog?
+        pnpm_workspace_yml && Dependabot::Experiments.enabled?(:enable_pnpm_workspace_catalog)
+      end
+
       sig { returns(PackageManagerHelper) }
       def package_manager_helper
         @package_manager_helper ||= T.let(
@@ -143,56 +149,63 @@ module Dependabot
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def shrinkwrap
         @shrinkwrap ||= T.let(dependency_files.find do |f|
-          f.name == NpmPackageManager::SHRINKWRAP_LOCKFILE_NAME
+          f.name.end_with?(NpmPackageManager::SHRINKWRAP_LOCKFILE_NAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def package_lock
         @package_lock ||= T.let(dependency_files.find do |f|
-          f.name == NpmPackageManager::LOCKFILE_NAME
+          f.name.end_with?(NpmPackageManager::LOCKFILE_NAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def yarn_lock
         @yarn_lock ||= T.let(dependency_files.find do |f|
-          f.name == YarnPackageManager::LOCKFILE_NAME
+          f.name.end_with?(YarnPackageManager::LOCKFILE_NAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def pnpm_lock
         @pnpm_lock ||= T.let(dependency_files.find do |f|
-          f.name == PNPMPackageManager::LOCKFILE_NAME
+          f.name.end_with?(PNPMPackageManager::LOCKFILE_NAME)
+        end, T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def pnpm_workspace_yml
+        @pnpm_workspace_yml ||= T.let(dependency_files.find do |f|
+          f.name.end_with?(PNPMPackageManager::PNPM_WS_YML_FILENAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def bun_lock
         @bun_lock ||= T.let(dependency_files.find do |f|
-          f.name == BunPackageManager::LOCKFILE_NAME
+          f.name.end_with?(BunPackageManager::LOCKFILE_NAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def npmrc
         @npmrc ||= T.let(dependency_files.find do |f|
-          f.name == NpmPackageManager::RC_FILENAME
+          f.name.end_with?(NpmPackageManager::RC_FILENAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def yarnrc
         @yarnrc ||= T.let(dependency_files.find do |f|
-          f.name == YarnPackageManager::RC_FILENAME
+          f.name.end_with?(YarnPackageManager::RC_FILENAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
       sig { returns(T.nilable(DependencyFile)) }
       def yarnrc_yml
         @yarnrc_yml ||= T.let(dependency_files.find do |f|
-          f.name == YarnPackageManager::RC_YML_FILENAME
+          f.name.end_with?(YarnPackageManager::RC_YML_FILENAME)
         end, T.nilable(Dependabot::DependencyFile))
       end
 
@@ -212,7 +225,7 @@ module Dependabot
             next unless requirement.is_a?(String)
 
             # Skip dependencies using Yarn workspace cross-references as requirements
-            next if requirement.start_with?("workspace:")
+            next if requirement.start_with?("workspace:", "catalog:")
 
             requirement = "*" if requirement == ""
             dep = build_dependency(
@@ -225,6 +238,30 @@ module Dependabot
         dependency_set
       end
 
+      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+      def workspace_catalog_dependencies
+        dependency_set = DependencySet.new
+        workspace_config = YAML.safe_load(T.must(pnpm_workspace_yml&.content), aliases: true)
+
+        workspace_config["catalog"]&.each do |name, version|
+          dep = build_dependency(
+            file: T.must(pnpm_workspace_yml), type: "dependencies", name: name, requirement: version
+          )
+          dependency_set << dep if dep
+        end
+
+        workspace_config["catalogs"]&.each do |_, group_depenencies|
+          group_depenencies.each do |name, version|
+            dep = build_dependency(
+              file: T.must(pnpm_workspace_yml), type: "dependencies", name: name, requirement: version
+            )
+            dependency_set << dep if dep
+          end
+        end
+
+        dependency_set
+      end
+
       sig { returns(LockfileParser) }
       def lockfile_parser
         @lockfile_parser ||= T.let(LockfileParser.new(

data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb

@@ -37,8 +37,13 @@ module Dependabot
         sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
 
+        # rubocop:disable Metrics/PerceivedComplexity
+
         sig { returns(T.nilable(String)) }
         def updated_package_json_content
+          # checks if we are updating single dependency in package.json
+          unique_deps_count = dependencies.map(&:name).to_a.uniq.compact.length
+
           dependencies.reduce(package_json.content.dup) do |content, dep|
             updated_requirements(dep)&.each do |new_req|
               old_req = old_requirement(dep, new_req)
@@ -50,7 +55,25 @@ module Dependabot
                 new_req: new_req
               )
 
-              raise "Expected content to change!" if content == new_content
+              if Dependabot::Experiments.enabled?(:avoid_duplicate_updates_package_json) &&
+                 (content == new_content && unique_deps_count > 1)
+
+                # (we observed that) package.json does not always contains the same dependencies compared to
+                # "dependencies" list, for example, dependencies object can contain same name dependency "dep"=> "1.0.0"
+                # and "dev" => "1.0.1" while package.json can only contain "dep" => "1.0.0",the other dependency is
+                # not present in package.json so we don't have to update it, this is most likely (as observed)
+                # a transitive dependency which only needs update in lockfile, So we avoid throwing exception and let
+                # the update continue.
+
+                Dependabot.logger.info("experiment: avoid_duplicate_updates_package_json.
+                Updating package.json for #{dep.name} ")
+
+                raise "Expected content to change!"
+              end
+
+              if !Dependabot::Experiments.enabled?(:avoid_duplicate_updates_package_json) && (content == new_content)
+                raise "Expected content to change!"
+              end
 
               content = new_content
             end
@@ -69,7 +92,7 @@ module Dependabot
             content
           end
         end
-
+        # rubocop:enable Metrics/PerceivedComplexity
         sig do
           params(
             dependency: Dependabot::Dependency,