dependabot-npm_and_yarn 0.293.0 → 0.295.0

data/lib/dependabot/npm_and_yarn/version_selector.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "dependabot/shared_helpers"
+require "dependabot/npm_and_yarn/constraint_helper"
 
 module Dependabot
   module NpmAndYarn
@@ -13,18 +14,42 @@ module Dependabot
       # such as "20.8.7", "8.1.2", "8.21.2",
       NODE_ENGINE_SUPPORTED_REGEX = /^\d+(?:\.\d+)*$/
 
-      sig { params(manifest_json: T::Hash[String, T.untyped], name: String).returns(T::Hash[Symbol, T.untyped]) }
-      def setup(manifest_json, name)
+      # Sets up engine versions from the given manifest JSON.
+      #
+      # @param manifest_json [Hash] The manifest JSON containing version information.
+      # @param name [String] The engine name to match.
+      # @return [Hash] A hash with selected versions, if found.
+      sig do
+        params(
+          manifest_json: T::Hash[String, T.untyped],
+          name: String,
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T::Hash[Symbol, T.untyped])
+      end
+      def setup(manifest_json, name, dependabot_versions = nil)
         engine_versions = manifest_json["engines"]
 
+        # Return an empty hash if no engine versions are specified
         return {} if engine_versions.nil?
 
-        # Only keep matching specs versions i.e. "20.21.2", "7.1.2",
-        # Additional specs can be added later
-        engine_versions.delete_if { |_key, value| !valid_extracted_version?(value) }
-        version = engine_versions.select { |engine, _value| engine.to_s.match(name) }
+        versions = {}
+
+        if Dependabot::Experiments.enabled?(:enable_engine_version_detection)
+          engine_versions.each do |engine, value|
+            next unless engine.to_s.match(name)
+
+            versions[name] = ConstraintHelper.find_highest_version_from_constraint_expression(
+              value, dependabot_versions
+            )
+          end
+        else
+          versions = engine_versions.select do |engine, value|
+            engine.to_s.match(name) && valid_extracted_version?(value)
+          end
+        end
 
-        version
+        versions
       end
 
       sig { params(version: String).returns(T::Boolean) }

data/lib/dependabot/npm_and_yarn.rb

@@ -146,6 +146,10 @@ module Dependabot
     # if not package found with specified version
     YARN_PACKAGE_NOT_FOUND = /MessageError: Couldn't find any versions for "(?<pkg>.*?)" that matches "(?<ver>.*?)"/
 
+    YN0001_DEPS_RESOLUTION_FAILED = T.let({
+      DEPS_INCORRECT_MET: /peer dependencies are incorrectly met/
+    }.freeze, T::Hash[String, Regexp])
+
     YN0001_FILE_NOT_RESOLVED_CODES = T.let({
       FIND_PACKAGE_LOCATION: /YN0001:(.*?)UsageError: Couldn't find the (?<pkg>.*) state file/,
       NO_CANDIDATE_FOUND: /YN0001:(.*?)Error: (?<pkg>.*): No candidates found/,
@@ -165,6 +169,8 @@ module Dependabot
       REQUIREMENT_NOT_PROVIDED: /(?<dep>.*)(.*?)doesn't provide (?<pkg>.*)(.*?), requested by (?<parent>.*)/
     }.freeze, T::Hash[String, Regexp])
 
+    YN0086_DEPS_RESOLUTION_FAILED = /peer dependencies are incorrectly met/
+
     # registry returns malformed response
     REGISTRY_NOT_REACHABLE = /Received malformed response from registry for "(?<ver>.*)". The registry may be down./
 
@@ -227,6 +233,12 @@ module Dependabot
             end
           end
 
+          YN0001_DEPS_RESOLUTION_FAILED.each do |(_yn0001_key, yn0001_regex)|
+            if (msg = message.match(yn0001_regex))
+              return Dependabot::DependencyFileNotResolvable.new(msg)
+            end
+          end
+
           Dependabot::DependabotError.new(message)
         }
       },
@@ -351,6 +363,13 @@ module Dependabot
             Dependabot::DependencyNotFound.new(message)
           end
         }
+      },
+      "YN0086" => {
+        message: "deps resolution failed",
+        handler: lambda { |message, _error, _params|
+          msg = message.match(YN0086_DEPS_RESOLUTION_FAILED)
+          Dependabot::DependencyFileNotResolvable.new(msg || message)
+        }
       }
     }.freeze, T::Hash[String, {
       message: T.any(String, NilClass),

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.293.0
+  version: 0.295.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-01-16 00:00:00.000000000 Z
+date: 2025-01-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.293.0
+        version: 0.295.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.293.0
+        version: 0.295.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -307,6 +307,7 @@ files:
 - helpers/test/yarn/updater.test.js
 - lib/dependabot/npm_and_yarn.rb
 - lib/dependabot/npm_and_yarn/bun_package_manager.rb
+- lib/dependabot/npm_and_yarn/constraint_helper.rb
 - lib/dependabot/npm_and_yarn/dependency_files_filterer.rb
 - lib/dependabot/npm_and_yarn/file_fetcher.rb
 - lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb
@@ -323,6 +324,7 @@ files:
 - lib/dependabot/npm_and_yarn/file_updater/package_json_preparer.rb
 - lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb
+- lib/dependabot/npm_and_yarn/file_updater/pnpm_workspace_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/helpers.rb
 - lib/dependabot/npm_and_yarn/language.rb
@@ -354,7 +356,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.293.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.295.0
 post_install_message:
 rdoc_options: []
 require_paths: