dependabot-npm_and_yarn 0.293.0 → 0.295.0

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -18,6 +18,10 @@ module Dependabot
           @dependency_files = dependency_files
           @repo_contents_path = repo_contents_path
           @credentials = credentials
+          @error_handler = PnpmErrorHandler.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files
+          )
         end
 
         def updated_pnpm_lock_content(pnpm_lock)
@@ -36,6 +40,7 @@ module Dependabot
         attr_reader :dependency_files
         attr_reader :repo_contents_path
         attr_reader :credentials
+        attr_reader :error_handler
 
         IRRESOLVABLE_PACKAGE = "ERR_PNPM_NO_MATCHING_VERSION"
         INVALID_REQUIREMENT = "ERR_PNPM_SPEC_NOT_SUPPORTED_BY_ANY_RESOLVER"
@@ -46,12 +51,12 @@ module Dependabot
         UNAUTHORIZED_PACKAGE = /ERR_PNPM_FETCH_401[ [^:print:]]+GET (?<dependency_url>.*): Unauthorized - 401/
 
         # ERR_PNPM_FETCH ERROR CODES
-        ERR_PNPM_FETCH_401 = /ERR_PNPM_FETCH_401.*GET (?<dependency_url>.*):  - 401/
-        ERR_PNPM_FETCH_403 = /ERR_PNPM_FETCH_403.*GET (?<dependency_url>.*):  - 403/
-        ERR_PNPM_FETCH_404 = /ERR_PNPM_FETCH_404.*GET (?<dependency_url>.*):  - 404/
-        ERR_PNPM_FETCH_500 = /ERR_PNPM_FETCH_500.*GET (?<dependency_url>.*):  - 500/
-        ERR_PNPM_FETCH_502 = /ERR_PNPM_FETCH_502.*GET (?<dependency_url>.*):  - 502/
-        ERR_PNPM_FETCH_503 = /ERR_PNPM_FETCH_503.*GET (?<dependency_url>.*):  - 503/
+        ERR_PNPM_FETCH_401 = /ERR_PNPM_FETCH_401.*GET (?<dependency_url>.*):/
+        ERR_PNPM_FETCH_403 = /ERR_PNPM_FETCH_403.*GET (?<dependency_url>.*):/
+        ERR_PNPM_FETCH_404 = /ERR_PNPM_FETCH_404.*GET (?<dependency_url>.*):/
+        ERR_PNPM_FETCH_500 = /ERR_PNPM_FETCH_500.*GET (?<dependency_url>.*):/
+        ERR_PNPM_FETCH_502 = /ERR_PNPM_FETCH_502.*GET (?<dependency_url>.*):/
+        ERR_PNPM_FETCH_503 = /ERR_PNPM_FETCH_503.*GET (?<dependency_url>.*):/
 
         # ERR_PNPM_UNSUPPORTED_ENGINE
         ERR_PNPM_UNSUPPORTED_ENGINE = /ERR_PNPM_UNSUPPORTED_ENGINE/
@@ -100,7 +105,7 @@ module Dependabot
             File.write(".npmrc", npmrc_content(pnpm_lock))
 
             SharedHelpers.with_git_configured(credentials: credentials) do
-              run_pnpm_updater
+              run_pnpm_update_packages
 
               write_final_package_json_files
 
@@ -111,15 +116,22 @@ module Dependabot
           end
         end
 
-        def run_pnpm_updater
+        def run_pnpm_update_packages
           dependency_updates = dependencies.map do |d|
             "#{d.name}@#{d.version}"
           end.join(" ")
 
-          Helpers.run_pnpm_command(
-            "install #{dependency_updates} --lockfile-only --ignore-workspace-root-check",
-            fingerprint: "install <dependency_updates> --lockfile-only --ignore-workspace-root-check"
-          )
+          if Dependabot::Experiments.enabled?(:enable_fix_for_pnpm_no_change_error)
+            Helpers.run_pnpm_command(
+              "update #{dependency_updates}  --lockfile-only --no-save -r",
+              fingerprint: "update <dependency_updates>  --lockfile-only --no-save -r"
+            )
+          else
+            Helpers.run_pnpm_command(
+              "install #{dependency_updates} --lockfile-only --ignore-workspace-root-check",
+              fingerprint: "install <dependency_updates> --lockfile-only --ignore-workspace-root-check"
+            )
+          end
         end
 
         def run_pnpm_install
@@ -251,6 +263,8 @@ module Dependabot
                                              pnpm_lock)
           end
 
+          error_handler.handle_pnpm_error(error)
+
           raise
         end
         # rubocop:enable Metrics/AbcSize
@@ -360,5 +374,60 @@ module Dependabot
         end
       end
     end
+
+    class PnpmErrorHandler
+      extend T::Sig
+
+      # remote connection closed
+      ECONNRESET_ERROR = /ECONNRESET/
+
+      # socket hang up error code
+      SOCKET_HANG_UP = /socket hang up/
+
+      # ERR_PNPM_CATALOG_ENTRY_NOT_FOUND_FOR_SPEC error
+      ERR_PNPM_CATALOG_ENTRY_NOT_FOUND_FOR_SPEC = /ERR_PNPM_CATALOG_ENTRY_NOT_FOUND_FOR_SPEC/
+
+      # duplicate package error code
+      DUPLICATE_PACKAGE = /Found duplicates/
+
+      ERR_PNPM_NO_VERSIONS = /ERR_PNPM_NO_VERSIONS/
+
+      # Initializes the YarnErrorHandler with dependencies and dependency files
+      sig do
+        params(
+          dependencies: T::Array[Dependabot::Dependency],
+          dependency_files: T::Array[Dependabot::DependencyFile]
+        ).void
+      end
+      def initialize(dependencies:, dependency_files:)
+        @dependencies = dependencies
+        @dependency_files = dependency_files
+      end
+
+      private
+
+      sig { returns(T::Array[Dependabot::Dependency]) }
+      attr_reader :dependencies
+
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      attr_reader :dependency_files
+
+      public
+
+      # Handles errors with specific to yarn error codes
+      sig { params(error: SharedHelpers::HelperSubprocessFailed).void }
+      def handle_pnpm_error(error)
+        if error.message.match?(DUPLICATE_PACKAGE) || error.message.match?(ERR_PNPM_NO_VERSIONS) ||
+           error.message.match?(ERR_PNPM_CATALOG_ENTRY_NOT_FOUND_FOR_SPEC)
+
+          raise DependencyFileNotResolvable, "Error resolving dependency"
+        end
+
+        ## Clean error message from ANSI escape codes
+        return unless error.message.match?(ECONNRESET_ERROR) || error.message.match?(SOCKET_HANG_UP)
+
+        raise InconsistentRegistryResponse, "Inconsistent registry response while resolving dependency"
+      end
+    end
   end
 end

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_workspace_updater.rb

@@ -0,0 +1,140 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/npm_and_yarn/helpers"
+require "dependabot/npm_and_yarn/update_checker/registry_finder"
+require "dependabot/npm_and_yarn/registry_parser"
+require "dependabot/shared_helpers"
+
+class DependencyRequirement < T::Struct
+  const :file, String
+  const :requirement, String
+  const :groups, T::Array[String]
+  const :source, T.nilable(String)
+end
+
+module Dependabot
+  module NpmAndYarn
+    class FileUpdater
+      class PnpmWorkspaceUpdater
+        extend T::Sig
+
+        sig do
+          params(
+            workspace_file: Dependabot::DependencyFile,
+            dependencies: T::Array[Dependabot::Dependency]
+          ) .void
+        end
+        def initialize(workspace_file:, dependencies:)
+          @dependencies = dependencies
+          @workspace_file = workspace_file
+        end
+
+        sig { returns(Dependabot::DependencyFile) }
+        def updated_pnpm_workspace
+          updated_file = workspace_file.dup
+          updated_file.content = updated_pnpm_workspace_content
+          updated_file
+        end
+
+        private
+
+        sig { returns(Dependabot::DependencyFile) }
+        attr_reader :workspace_file
+
+        sig { returns(T::Array[Dependabot::Dependency]) }
+        attr_reader :dependencies
+
+        sig { returns(T.nilable(String)) }
+        def updated_pnpm_workspace_content
+          content = workspace_file.content.dup
+          dependencies.each do |dependency|
+            content = update_dependency_versions(T.must(content), dependency)
+          end
+
+          content
+        end
+
+        sig { params(content: String, dependency: Dependabot::Dependency).returns(String) }
+        def update_dependency_versions(content, dependency)
+          new_requirements(dependency).each do |requirement|
+            content = replace_version_in_content(
+              content: content,
+              dependency: dependency,
+              old_requirement: T.must(old_requirement(dependency, requirement)),
+              new_requirement: requirement
+            )
+          end
+
+          content
+        end
+
+        sig do
+          params(
+            content: String,
+            dependency: Dependabot::Dependency,
+            old_requirement: DependencyRequirement,
+            new_requirement: DependencyRequirement
+          ).returns(String)
+        end
+        def replace_version_in_content(content:, dependency:, old_requirement:, new_requirement:)
+          old_version = old_requirement.requirement
+          new_version = new_requirement.requirement
+
+          pattern = build_replacement_pattern(
+            dependency_name: dependency.name,
+            version: old_version
+          )
+
+          replacement = build_replacement_string(
+            dependency_name: dependency.name,
+            version: new_version
+          )
+
+          content.gsub(pattern, replacement)
+        end
+
+        sig { params(dependency_name: String, version: String).returns(Regexp) }
+        def build_replacement_pattern(dependency_name:, version:)
+          /(["']?)#{dependency_name}\1:\s*(["']?)#{Regexp.escape(version)}\2/
+        end
+
+        sig { params(dependency_name: String, version: String).returns(String) }
+        def build_replacement_string(dependency_name:, version:)
+          "\\1#{dependency_name}\\1: \\2#{version}\\2"
+        end
+
+        sig { params(dependency: Dependabot::Dependency).returns(T::Array[DependencyRequirement]) }
+        def new_requirements(dependency)
+          dependency.requirements
+                    .select { |r| r[:file] == workspace_file.name }
+                    .map do |r|
+            DependencyRequirement.new(
+              file: r[:file],
+              requirement: r[:requirement],
+              groups: r[:groups],
+              source: r[:source]
+            )
+          end
+        end
+
+        sig do
+          params(dependency: Dependabot::Dependency,
+                 new_requirement: DependencyRequirement).returns(T.nilable(DependencyRequirement))
+        end
+        def old_requirement(dependency, new_requirement)
+          matching_req = T.must(dependency.previous_requirements).find { |r| r[:groups] == new_requirement.groups }
+
+          return nil if matching_req.nil?
+
+          DependencyRequirement.new(
+            file: matching_req[:file],
+            requirement: matching_req[:requirement],
+            groups: matching_req[:groups],
+            source: matching_req[:source]
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -11,7 +11,7 @@ require "sorbet-runtime"
 
 module Dependabot
   module NpmAndYarn
-    class FileUpdater < Dependabot::FileUpdaters::Base
+    class FileUpdater < Dependabot::FileUpdaters::Base # rubocop:disable Metrics/ClassLength
       extend T::Sig
 
       require_relative "file_updater/package_json_updater"
@@ -19,6 +19,7 @@ module Dependabot
       require_relative "file_updater/yarn_lockfile_updater"
       require_relative "file_updater/pnpm_lockfile_updater"
       require_relative "file_updater/bun_lockfile_updater"
+      require_relative "file_updater/pnpm_workspace_updater"
 
       class NoChangeError < StandardError
         extend T::Sig
@@ -43,19 +44,40 @@ module Dependabot
           %r{^(?:.*/)?npm-shrinkwrap\.json$},
           %r{^(?:.*/)?yarn\.lock$},
           %r{^(?:.*/)?pnpm-lock\.yaml$},
+          %r{^(?:.*/)?pnpm-workspace\.yaml$},
           %r{^(?:.*/)?\.yarn/.*}, # Matches any file within the .yarn/ directory
           %r{^(?:.*/)?\.pnp\.(?:js|cjs)$} # Matches .pnp.js or .pnp.cjs files
         ]
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
       sig { override.returns(T::Array[DependencyFile]) }
       def updated_dependency_files
         updated_files = T.let([], T::Array[DependencyFile])
 
         updated_files += updated_manifest_files
+        if Dependabot::Experiments.enabled?(:enable_pnpm_workspace_catalog)
+          updated_files += updated_pnpm_workspace_files
+        end
         updated_files += updated_lockfiles
 
         if updated_files.none?
+
+          if Dependabot::Experiments.enabled?(:enable_fix_for_pnpm_no_change_error)
+            # when all dependencies are transitive
+            all_transitive = dependencies.none?(&:top_level?)
+            # when there is no update in package.json
+            no_package_json_update = package_files.empty?
+            # handle the no change error for transitive dependency updates
+            if pnpm_locks.any? && dependencies.length.positive? && all_transitive && no_package_json_update
+              raise ToolFeatureNotSupported.new(
+                tool_name: "pnpm",
+                tool_type: "package_manager",
+                feature: "updating transitive dependencies"
+              )
+            end
+          end
+
           raise NoChangeError.new(
             message: "No files were updated!",
             error_context: error_context(updated_files: updated_files)
@@ -72,6 +94,7 @@ module Dependabot
 
         vendor_updated_files(updated_files)
       end
+      # rubocop:enable Metrics/PerceivedComplexity
 
       private
 
@@ -190,6 +213,15 @@ module Dependabot
         )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def pnpm_workspace
+        @pnpm_workspace ||= T.let(
+          filtered_dependency_files
+          .select { |f| f.name.end_with?("pnpm-workspace.yaml") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def bun_locks
         @bun_locks ||= T.let(
@@ -252,6 +284,16 @@ module Dependabot
         end
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def updated_pnpm_workspace_files
+        pnpm_workspace.filter_map do |file|
+          updated_content = updated_pnpm_workspace_content(file)
+          next if updated_content == file.content
+
+          updated_file(file: file, content: T.must(updated_content))
+        end
+      end
+
       # rubocop:disable Metrics/MethodLength
       # rubocop:disable Metrics/PerceivedComplexity
       sig { returns(T::Array[Dependabot::DependencyFile]) }
@@ -389,6 +431,19 @@ module Dependabot
             dependencies: dependencies
           ).updated_package_json.content
       end
+
+      sig do
+        params(file: Dependabot::DependencyFile)
+          .returns(T.nilable(String))
+      end
+      def updated_pnpm_workspace_content(file)
+        @updated_pnpm_workspace_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
+        @updated_pnpm_workspace_content[file.name] ||=
+          PnpmWorkspaceUpdater.new(
+            workspace_file: file,
+            dependencies: dependencies
+          ).updated_pnpm_workspace.content
+      end
     end
   end
 end

data/lib/dependabot/npm_and_yarn/helpers.rb

@@ -40,6 +40,9 @@ module Dependabot
       YARN_DEFAULT_VERSION = YARN_V3
       YARN_FALLBACK_VERSION = YARN_V1
 
+      # corepack supported package managers
+      SUPPORTED_COREPACK_PACKAGE_MANAGERS = %w(npm yarn pnpm).freeze
+
       # Determines the npm version depends to the feature flag
       # If the feature flag is enabled, we are going to use the minimum version npm 8
       # Otherwise, we are going to use old versionining npm 6
@@ -324,8 +327,8 @@ module Dependabot
           package_manager_run_command(NpmPackageManager::NAME, command, fingerprint: fingerprint)
         else
           Dependabot::SharedHelpers.run_shell_command(
-            "corepack npm #{command}",
-            fingerprint: "corepack npm #{fingerprint}"
+            "npm #{command}",
+            fingerprint: "npm #{fingerprint}"
           )
         end
       end
@@ -484,6 +487,8 @@ module Dependabot
           .returns(String)
       end
       def self.package_manager_install(name, version, env: {})
+        return "Corepack does not support #{name}" unless corepack_supported_package_manager?(name)
+
         Dependabot::SharedHelpers.run_shell_command(
           "corepack install #{name}@#{version} --global --cache-only",
           fingerprint: "corepack install <name>@<version> --global --cache-only",
@@ -494,6 +499,8 @@ module Dependabot
       # Prepare the package manager for use by using corepack
       sig { params(name: String, version: String).returns(String) }
       def self.package_manager_activate(name, version)
+        return "Corepack does not support #{name}" unless corepack_supported_package_manager?(name)
+
         Dependabot::SharedHelpers.run_shell_command(
           "corepack prepare #{name}@#{version} --activate",
           fingerprint: "corepack prepare <name>@<version> --activate"
@@ -566,6 +573,11 @@ module Dependabot
           dependency
         end
       end
+
+      sig { params(name: String).returns(T::Boolean) }
+      def self.corepack_supported_package_manager?(name)
+        SUPPORTED_COREPACK_PACKAGE_MANAGERS.include?(name)
+      end
     end
   end
 end

data/lib/dependabot/npm_and_yarn/npm_package_manager.rb

@@ -38,8 +38,8 @@ module Dependabot
       def initialize(detected_version: nil, raw_version: nil, requirement: nil)
         super(
           name: NAME,
-          detected_version: detected_version ? Version.new(detected_version) : nil,
-          version: raw_version ? Version.new(raw_version) : nil,
+          detected_version: detected_version && !detected_version.empty? ? Version.new(detected_version) : nil,
+          version: raw_version && !raw_version.empty? ? Version.new(raw_version) : nil,
           deprecated_versions: DEPRECATED_VERSIONS,
           supported_versions: SUPPORTED_VERSIONS,
           requirement: requirement
@@ -48,22 +48,16 @@ module Dependabot
 
       sig { override.returns(T::Boolean) }
       def deprecated?
-        return false unless detected_version
-
-        return false if unsupported?
-
         return false unless Dependabot::Experiments.enabled?(:npm_v6_deprecation_warning)
 
-        deprecated_versions.include?(detected_version)
+        super
       end
 
       sig { override.returns(T::Boolean) }
       def unsupported?
-        return false unless detected_version
-
         return false unless Dependabot::Experiments.enabled?(:npm_v6_unsupported_error)
 
-        supported_versions.all? { |supported| supported > detected_version }
+        super
       end
     end
   end

data/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -11,6 +11,7 @@ require "dependabot/npm_and_yarn/yarn_package_manager"
 require "dependabot/npm_and_yarn/pnpm_package_manager"
 require "dependabot/npm_and_yarn/bun_package_manager"
 require "dependabot/npm_and_yarn/language"
+require "dependabot/npm_and_yarn/constraint_helper"
 
 module Dependabot
   module NpmAndYarn
@@ -59,14 +60,16 @@ module Dependabot
       T.any(
         T.class_of(Dependabot::NpmAndYarn::NpmPackageManager),
         T.class_of(Dependabot::NpmAndYarn::YarnPackageManager),
-        T.class_of(Dependabot::NpmAndYarn::PNPMPackageManager)
+        T.class_of(Dependabot::NpmAndYarn::PNPMPackageManager),
+        T.class_of(Dependabot::NpmAndYarn::BunPackageManager)
       )
     end
 
     PACKAGE_MANAGER_CLASSES = T.let({
       NpmPackageManager::NAME => NpmPackageManager,
       YarnPackageManager::NAME => YarnPackageManager,
-      PNPMPackageManager::NAME => PNPMPackageManager
+      PNPMPackageManager::NAME => PNPMPackageManager,
+      BunPackageManager::NAME => BunPackageManager
     }.freeze, T::Hash[String, NpmAndYarnPackageManagerClassType])
 
     # Error malformed version number string
@@ -187,7 +190,7 @@ module Dependabot
       end
 
       sig { params(name: String).returns(T.nilable(Requirement)) }
-      def find_engine_constraints_as_requirement(name)
+      def find_engine_constraints_as_requirement(name) # rubocop:disable Metrics/PerceivedComplexity
         Dependabot.logger.info("Processing engine constraints for #{name}")
 
         return nil unless @engines.is_a?(Hash) && @engines[name]
@@ -195,19 +198,31 @@ module Dependabot
         raw_constraint = @engines[name].to_s.strip
         return nil if raw_constraint.empty?
 
-        raw_constraints = raw_constraint.split
-        constraints = raw_constraints.map do |constraint|
-          case constraint
-          when /^\d+$/
-            ">=#{constraint}.0.0 <#{constraint.to_i + 1}.0.0"
-          when /^\d+\.\d+$/
-            ">=#{constraint} <#{constraint.split('.').first.to_i + 1}.0.0"
-          when /^\d+\.\d+\.\d+$/
-            "=#{constraint}"
-          else
-            Dependabot.logger.warn("Unrecognized constraint format for #{name}: #{constraint}")
-            constraint
+        if Dependabot::Experiments.enabled?(:enable_engine_version_detection)
+          constraints = ConstraintHelper.extract_constraints(raw_constraint)
+
+          # When constraints are invalid we return constraints array nil
+          if constraints.nil?
+            Dependabot.logger.warn(
+              "Unrecognized constraint format for #{name}: #{raw_constraint}"
+            )
           end
+        else
+          raw_constraints = raw_constraint.split
+          constraints = raw_constraints.map do |constraint|
+            case constraint
+            when /^\d+$/
+              ">=#{constraint}.0.0 <#{constraint.to_i + 1}.0.0"
+            when /^\d+\.\d+$/
+              ">=#{constraint} <#{constraint.split('.').first.to_i + 1}.0.0"
+            when /^\d+\.\d+\.\d+$/
+              "=#{constraint}"
+            else
+              Dependabot.logger.warn("Unrecognized constraint format for #{name}: #{constraint}")
+              constraint
+            end
+          end
+
         end
 
         Dependabot.logger.info("Parsed constraints for #{name}: #{constraints.join(', ')}")
@@ -287,19 +302,24 @@ module Dependabot
 
       sig { params(name: String).returns(T.nilable(String)) }
       def detect_version(name)
-        # we prioritize version mentioned in "packageManager" instead of "engines"
+        # Prioritize version mentioned in "packageManager" instead of "engines"
         if @manifest_package_manager&.start_with?("#{name}@")
           detected_version = @manifest_package_manager.split("@").last.to_s
         end
 
-        # if "packageManager" have no version specified, we check if we can extract "engines" information
-        detected_version = check_engine_version(name) if !detected_version || detected_version.empty?
+        # If "packageManager" has no version specified, check if we can extract "engines" information
+        detected_version ||= check_engine_version(name) if detected_version.to_s.empty?
 
-        # if "packageManager" and "engines" both are not present, we check if we can infer the version
-        # from the manifest file lockfileVersion
-        detected_version = guessed_version(name) if !detected_version || detected_version.empty?
+        # If neither "packageManager" nor "engines" have versions, infer version from lockfileVersion
+        detected_version ||= guessed_version(name) if detected_version.to_s.empty?
 
-        detected_version&.to_s
+        # Strip and validate version format
+        detected_version_string = detected_version.to_s.strip
+
+        # Ensure detected_version is neither "0" nor invalid format
+        return if detected_version_string == "0" || !detected_version_string.match?(ConstraintHelper::VERSION_REGEX)
+
+        detected_version_string
       end
 
       sig { params(name: T.nilable(String)).returns(Ecosystem::VersionManager) }
@@ -330,7 +350,7 @@ module Dependabot
         end
 
         package_manager_class.new(
-          detected_version: detected_version.to_s,
+          detected_version: detected_version,
           raw_version: installed_version,
           requirement: package_manager_requirement
         )
@@ -432,7 +452,8 @@ module Dependabot
         return if @package_json.nil?
 
         version_selector = VersionSelector.new
-        engine_versions = version_selector.setup(@package_json, name)
+
+        engine_versions = version_selector.setup(@package_json, name, dependabot_versions(name))
 
         return if engine_versions.empty?
 
@@ -440,6 +461,20 @@ module Dependabot
         Dependabot.logger.info("Returned (#{MANIFEST_ENGINES_KEY}) info \"#{name}\" : \"#{version}\"")
         version
       end
+
+      sig { params(name: String).returns(T.nilable(T::Array[Dependabot::Version])) }
+      def dependabot_versions(name)
+        case name
+        when "npm"
+          NpmPackageManager::SUPPORTED_VERSIONS
+        when "yarn"
+          YarnPackageManager::SUPPORTED_VERSIONS
+        when "bun"
+          BunPackageManager::SUPPORTED_VERSIONS
+        when "pnpm"
+          PNPMPackageManager::SUPPORTED_VERSIONS
+        end
+      end
     end
   end
 end

data/lib/dependabot/npm_and_yarn/version.rb

@@ -80,6 +80,10 @@ module Dependabot
           # Matches @ followed by x.y.z (digits separated by dots)
           if (match = version.match(/@(\d+\.\d+\.\d+)/))
             version = match[1] # Just "4.5.3"
+
+          # Extract version in case the output contains Corepack verbose data
+          elsif version.include?("Corepack")
+            version = T.must(T.must(version.tr("\n", " ").match(/(\d+\.\d+\.\d+)/))[-1])
           end
           version = version&.gsub(/^v/, "")
         end