dependabot-npm_and_yarn 0.294.0 → 0.295.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 72e338772b3c3aac3cf86538fc2d70dbbc45f5f7cb854cd7fd74913b140fe056
-  data.tar.gz: 1856c138b871ebe80e5cc6faa5984ba80c10b342aa8bf0822e325e5a31a3f815
+  metadata.gz: 14edb941111a95dc07d83e6449c01bd3b0f4b92c4e3168acd19d31ce1fa96183
+  data.tar.gz: 0ec9a05bb2ebda169ad58028bfc2c0465ef0bbf192265f317570842f5aaa81b7
 SHA512:
-  metadata.gz: 0e3267d0aafcf35e345505c87a23b2b783cfc36377e46f5f10875a4bd8b0c4fe201b6dea0dbed75463b75dccba175014af850451cfc52b39c0a2a410a5c5ab34
-  data.tar.gz: a1c6be5ccbebcf43a76a51d7871a37743428f052c734a985a48fc90d4b1e2944679a8b6eb17910a8ef7e14c69dbe46d9761319b28d6a57d7dcbac7e94fbb9c09
+  metadata.gz: 5822f02ef7a153c079c70f91724efe53250ea696af5c0a995cfb86537be568e155344eb9cbb1481c2f2be01c080d486a0b98300dd318aa72c6271b36bd0d906e
+  data.tar.gz: 85bf7be8bb171f92b38a67d7c0b12b6c0e68056a6cdf09a0b20d8c2054517276e614e1bc7fd01bc366a53e917ba54c032ee816c977d47ca4eb11c22afda6c2ee

data/lib/dependabot/npm_and_yarn/constraint_helper.rb

@@ -0,0 +1,306 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module NpmAndYarn
+    module ConstraintHelper
+      extend T::Sig
+
+      INVALID = "invalid" # Invalid constraint
+      # Regex Components for Semantic Versioning
+      DIGIT = "\\d+"                             # Matches a single number (e.g., "1")
+      PRERELEASE = "(?:-[a-zA-Z0-9.-]+)?"        # Matches optional pre-release tag (e.g., "-alpha")
+      BUILD_METADATA = "(?:\\+[a-zA-Z0-9.-]+)?"  # Matches optional build metadata (e.g., "+001")
+      DOT = "\\."                                # Matches a literal dot "."
+
+      # Matches semantic versions:
+      VERSION = T.let("#{DIGIT}(?:\\.#{DIGIT}){0,2}#{PRERELEASE}#{BUILD_METADATA}".freeze, String)
+
+      VERSION_REGEX = T.let(/\A#{VERSION}\z/o, Regexp)
+
+      # SemVer regex: major.minor.patch[-prerelease][+build]
+      SEMVER_REGEX = /^(?<version>\d+\.\d+\.\d+)(?:-(?<prerelease>[a-zA-Z0-9.-]+))?(?:\+(?<build>[a-zA-Z0-9.-]+))?$/
+
+      # Constraint Types as Constants
+      CARET_CONSTRAINT_REGEX = T.let(/^\^(#{VERSION})$/, Regexp)
+      TILDE_CONSTRAINT_REGEX = T.let(/^~(#{VERSION})$/, Regexp)
+      EXACT_CONSTRAINT_REGEX = T.let(/^(#{VERSION})$/, Regexp)
+      GREATER_THAN_EQUAL_REGEX = T.let(/^>=(#{VERSION})$/, Regexp)
+      LESS_THAN_EQUAL_REGEX = T.let(/^<=(#{VERSION})$/, Regexp)
+      GREATER_THAN_REGEX = T.let(/^>(#{VERSION})$/, Regexp)
+      LESS_THAN_REGEX = T.let(/^<(#{VERSION})$/, Regexp)
+      WILDCARD_REGEX = T.let(/^\*$/, Regexp)
+
+      # Unified Regex for Valid Constraints
+      VALID_CONSTRAINT_REGEX = T.let(Regexp.union(
+        CARET_CONSTRAINT_REGEX,
+        TILDE_CONSTRAINT_REGEX,
+        EXACT_CONSTRAINT_REGEX,
+        GREATER_THAN_EQUAL_REGEX,
+        LESS_THAN_EQUAL_REGEX,
+        GREATER_THAN_REGEX,
+        LESS_THAN_REGEX,
+        WILDCARD_REGEX
+      ).freeze, Regexp)
+
+      # Validates if the provided semver constraint expression from a `package.json` is valid.
+      # A valid semver constraint expression in `package.json` can consist of multiple groups
+      # separated by logical OR (`||`). Within each group, space-separated constraints are treated
+      # as logical AND. Each individual constraint must conform to the semver rules defined in
+      # `VALID_CONSTRAINT_REGEX`.
+      #
+      # Example (valid `package.json` semver constraints):
+      #   ">=1.2.3 <2.0.0 || ~3.4.5" → Valid (space-separated constraints are AND, `||` is OR)
+      #   "^1.0.0 || >=2.0.0 <3.0.0" → Valid (caret and range constraints combined)
+      #   "1.2.3" → Valid (exact version)
+      #   "*" → Valid (wildcard allows any version)
+      #
+      # Example (invalid `package.json` semver constraints):
+      #   ">=1.2.3 && <2.0.0" → Invalid (`&&` is not valid in semver)
+      #   ">=x.y.z" → Invalid (non-numeric version parts are not valid)
+      #   "1.2.3 ||" → Invalid (trailing OR operator)
+      #
+      # @param constraint_expression [String] The semver constraint expression from `package.json` to validate.
+      # @return [T::Boolean] Returns true if the constraint expression is valid semver, false otherwise.
+      sig { params(constraint_expression: T.nilable(String)).returns(T::Boolean) }
+      def self.valid_constraint_expression?(constraint_expression)
+        normalized_constraint = constraint_expression&.strip
+
+        # Treat nil or empty input as valid (no constraints)
+        return true if normalized_constraint.nil? || normalized_constraint.empty?
+
+        # Split the expression by logical OR (`||`) into groups
+        normalized_constraint.split("||").reject(&:empty?).all? do |or_group|
+          or_group.split(/\s+/).reject(&:empty?).all? do |and_constraint|
+            and_constraint.match?(VALID_CONSTRAINT_REGEX)
+          end
+        end
+      end
+
+      # Extract unique constraints from the given constraint expression.
+      # @param constraint_expression [T.nilable(String)] The semver constraint expression.
+      # @return [T::Array[String]] The list of unique Ruby-compatible constraints.
+      sig do
+        params(
+          constraint_expression: T.nilable(String),
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(T::Array[String]))
+      end
+      def self.extract_constraints(constraint_expression, dependabot_versions = nil)
+        normalized_constraint = constraint_expression&.strip
+        return [] if normalized_constraint.nil? || normalized_constraint.empty?
+
+        parsed_constraints = parse_constraints(normalized_constraint, dependabot_versions)
+
+        return nil unless parsed_constraints
+
+        parsed_constraints.filter_map { |parsed| parsed[:constraint] }
+      end
+
+      # Find the highest version from the given constraint expression.
+      # @param constraint_expression [T.nilable(String)] The semver constraint expression.
+      # @return [T.nilable(String)] The highest version, or nil if no versions are available.
+      sig do
+        params(
+          constraint_expression: T.nilable(String),
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(String))
+      end
+      def self.find_highest_version_from_constraint_expression(constraint_expression, dependabot_versions = nil)
+        normalized_constraint = constraint_expression&.strip
+        return nil if normalized_constraint.nil? || normalized_constraint.empty?
+
+        parsed_constraints = parse_constraints(normalized_constraint, dependabot_versions)
+
+        return nil unless parsed_constraints
+
+        parsed_constraints
+          .filter_map { |parsed| parsed[:version] } # Extract all versions
+          .max_by { |version| Version.new(version) }
+      end
+
+      # Parse all constraints (split by logical OR `||`) and convert to Ruby-compatible constraints.
+      # Return:
+      #   - `nil` if the constraint expression is invalid
+      #   - `[]` if the constraint expression is valid but represents "no constraints"
+      #   - An array of hashes for valid constraints with details about the constraint and version
+      sig do
+        params(
+          constraint_expression: T.nilable(String),
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(T::Array[T::Hash[Symbol, T.nilable(String)]]))
+      end
+      def self.parse_constraints(constraint_expression, dependabot_versions = nil)
+        normalized_constraint = constraint_expression&.strip
+
+        # Return an empty array for valid "no constraints" (nil or empty input)
+        return [] if normalized_constraint.nil? || normalized_constraint.empty?
+
+        # Return nil for invalid constraints
+        return nil unless valid_constraint_expression?(normalized_constraint)
+
+        # Parse valid constraints
+        constraints = normalized_constraint.split("||").flat_map do |or_group|
+          or_group.strip.split(/\s+/).map(&:strip)
+        end.then do |normalized_constraints| # rubocop:disable Style/MultilineBlockChain
+          to_ruby_constraints_with_versions(normalized_constraints, dependabot_versions)
+        end.uniq { |parsed| parsed[:constraint] } # Ensure uniqueness based on `:constraint` # rubocop:disable Style/MultilineBlockChain
+        constraints
+      end
+
+      sig do
+        params(
+          constraints: T::Array[String],
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        ).returns(T::Array[T::Hash[Symbol, T.nilable(String)]])
+      end
+      def self.to_ruby_constraints_with_versions(constraints, dependabot_versions = [])
+        constraints.filter_map do |constraint|
+          parsed = to_ruby_constraint_with_version(constraint, dependabot_versions)
+          parsed if parsed && parsed[:constraint] # Only include valid constraints
+        end.uniq
+      end
+
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # Converts a semver constraint to a Ruby-compatible constraint and extracts the version, if available.
+      # @param constraint [String] The semver constraint to parse.
+      # @return [T.nilable(T::Hash[Symbol, T.nilable(String)])] Returns the Ruby-compatible constraint and the version,
+      # if available, or nil if the constraint is invalid.
+      #
+      # @example
+      #  to_ruby_constraint_with_version("=1.2.3") # => { constraint: "=1.2.3", version: "1.2.3" }
+      #  to_ruby_constraint_with_version("^1.2.3") # => { constraint: ">=1.2.3 <2.0.0", version: "1.2.3" }
+      #  to_ruby_constraint_with_version("*")      # => { constraint: nil, version: nil }
+      #  to_ruby_constraint_with_version("invalid") # => nil
+      sig do
+        params(
+          constraint: String,
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(T::Hash[Symbol, T.nilable(String)]))
+      end
+      def self.to_ruby_constraint_with_version(constraint, dependabot_versions = [])
+        return nil if constraint.empty?
+
+        case constraint
+        when EXACT_CONSTRAINT_REGEX # Exact version, e.g., "1.2.3-alpha"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          { constraint: "=#{full_version}", version: full_version }
+        when CARET_CONSTRAINT_REGEX # Caret constraint, e.g., "^1.2.3"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          _, major, minor = version_components(full_version)
+          return nil if major.nil?
+
+          ruby_constraint =
+            if major.to_i.zero?
+              minor.nil? ? ">=#{full_version} <1.0.0" : ">=#{full_version} <0.#{minor.to_i + 1}.0"
+            else
+              ">=#{full_version} <#{major.to_i + 1}.0.0"
+            end
+          { constraint: ruby_constraint, version: full_version }
+        when TILDE_CONSTRAINT_REGEX # Tilde constraint, e.g., "~1.2.3"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          _, major, minor = version_components(full_version)
+          ruby_constraint =
+            if minor.nil?
+              ">=#{full_version} <#{major.to_i + 1}.0.0"
+            else
+              ">=#{full_version} <#{major}.#{minor.to_i + 1}.0"
+            end
+          { constraint: ruby_constraint, version: full_version }
+        when GREATER_THAN_EQUAL_REGEX # Greater than or equal, e.g., ">=1.2.3"
+
+          return unless Regexp.last_match && Regexp.last_match(1)
+
+          found_version = highest_matching_version(
+            dependabot_versions,
+            T.must(Regexp.last_match(1))
+          ) do |version, constraint_version|
+            version >= Version.new(constraint_version)
+          end
+          { constraint: ">=#{Regexp.last_match(1)}", version: found_version&.to_s }
+        when LESS_THAN_EQUAL_REGEX # Less than or equal, e.g., "<=1.2.3"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          { constraint: "<=#{full_version}", version: full_version }
+        when GREATER_THAN_REGEX # Greater than, e.g., ">1.2.3"
+          return unless Regexp.last_match && Regexp.last_match(1)
+
+          found_version = highest_matching_version(
+            dependabot_versions,
+            T.must(Regexp.last_match(1))
+          ) do |version, constraint_version|
+            version > Version.new(constraint_version)
+          end
+          { constraint: ">#{Regexp.last_match(1)}", version: found_version&.to_s }
+        when LESS_THAN_REGEX # Less than, e.g., "<1.2.3"
+          return unless Regexp.last_match && Regexp.last_match(1)
+
+          found_version = highest_matching_version(
+            dependabot_versions,
+            T.must(Regexp.last_match(1))
+          ) do |version, constraint_version|
+            version < Version.new(constraint_version)
+          end
+          { constraint: "<#{Regexp.last_match(1)}", version: found_version&.to_s }
+        when WILDCARD_REGEX # Wildcard
+          { constraint: nil, version: dependabot_versions&.max&.to_s } # Explicitly valid but no specific constraint
+        end
+      end
+
+      sig do
+        params(
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version]),
+          constraint_version: String,
+          condition: T.proc.params(version: Dependabot::Version, constraint: Dependabot::Version).returns(T::Boolean)
+        )
+          .returns(T.nilable(Dependabot::Version))
+      end
+      def self.highest_matching_version(dependabot_versions, constraint_version, &condition)
+        return unless dependabot_versions&.any?
+
+        # Returns the highest version that satisfies the condition, or nil if none.
+        dependabot_versions
+          .sort
+          .reverse
+          .find { |version| condition.call(version, Version.new(constraint_version)) } # rubocop:disable Performance/RedundantBlockCall
+      end
+
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/CyclomaticComplexity
+
+      # Parses a semantic version string into its components as per the SemVer spec
+      # Example: "1.2.3-alpha+001" → ["1.2.3", "1", "2", "3", "alpha", "001"]
+      sig { params(full_version: T.nilable(String)).returns(T.nilable(T::Array[String])) }
+      def self.version_components(full_version)
+        return [] if full_version.nil?
+
+        match = full_version.match(SEMVER_REGEX)
+        return [] unless match
+
+        version = match[:version]
+        return [] unless version
+
+        major, minor, patch = version.split(".")
+        [version, major, minor, patch, match[:prerelease], match[:build]].compact
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_parser/bun_lock.rb

@@ -31,7 +31,6 @@ module Dependabot
             version = content["lockfileVersion"]
             raise_invalid!("expected 'lockfileVersion' to be an integer") unless version.is_a?(Integer)
             raise_invalid!("expected 'lockfileVersion' to be >= 0") unless version >= 0
-            raise_invalid!("unsupported 'lockfileVersion' = #{version}") unless version.zero?
 
             T.let(content, T.untyped)
           end

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -55,10 +55,11 @@ module Dependabot
       end
 
       sig { override.returns(T::Array[Dependency]) }
-      def parse
+      def parse # rubocop:disable Metrics/PerceivedComplexity
         dependency_set = DependencySet.new
         dependency_set += manifest_dependencies
         dependency_set += lockfile_dependencies
+        dependency_set += workspace_catalog_dependencies if enable_pnpm_workspace_catalog?
 
         dependencies = Helpers.dependencies_with_all_versions_metadata(dependency_set)
 
@@ -93,6 +94,11 @@ module Dependabot
 
       private
 
+      sig { returns(T.nilable(T::Boolean)) }
+      def enable_pnpm_workspace_catalog?
+        pnpm_workspace_yml && Dependabot::Experiments.enabled?(:enable_pnpm_workspace_catalog)
+      end
+
       sig { returns(PackageManagerHelper) }
       def package_manager_helper
         @package_manager_helper ||= T.let(
@@ -168,6 +174,13 @@ module Dependabot
         end, T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def pnpm_workspace_yml
+        @pnpm_workspace_yml ||= T.let(dependency_files.find do |f|
+          f.name.end_with?(PNPMPackageManager::PNPM_WS_YML_FILENAME)
+        end, T.nilable(Dependabot::DependencyFile))
+      end
+
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def bun_lock
         @bun_lock ||= T.let(dependency_files.find do |f|
@@ -225,6 +238,30 @@ module Dependabot
         dependency_set
       end
 
+      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+      def workspace_catalog_dependencies
+        dependency_set = DependencySet.new
+        workspace_config = YAML.safe_load(T.must(pnpm_workspace_yml&.content), aliases: true)
+
+        workspace_config["catalog"]&.each do |name, version|
+          dep = build_dependency(
+            file: T.must(pnpm_workspace_yml), type: "dependencies", name: name, requirement: version
+          )
+          dependency_set << dep if dep
+        end
+
+        workspace_config["catalogs"]&.each do |_, group_depenencies|
+          group_depenencies.each do |name, version|
+            dep = build_dependency(
+              file: T.must(pnpm_workspace_yml), type: "dependencies", name: name, requirement: version
+            )
+            dependency_set << dep if dep
+          end
+        end
+
+        dependency_set
+      end
+
       sig { returns(LockfileParser) }
       def lockfile_parser
         @lockfile_parser ||= T.let(LockfileParser.new(

data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb

@@ -37,8 +37,13 @@ module Dependabot
         sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
 
+        # rubocop:disable Metrics/PerceivedComplexity
+
         sig { returns(T.nilable(String)) }
         def updated_package_json_content
+          # checks if we are updating single dependency in package.json
+          unique_deps_count = dependencies.map(&:name).to_a.uniq.compact.length
+
           dependencies.reduce(package_json.content.dup) do |content, dep|
             updated_requirements(dep)&.each do |new_req|
               old_req = old_requirement(dep, new_req)
@@ -50,7 +55,25 @@ module Dependabot
                 new_req: new_req
               )
 
-              raise "Expected content to change!" if content == new_content
+              if Dependabot::Experiments.enabled?(:avoid_duplicate_updates_package_json) &&
+                 (content == new_content && unique_deps_count > 1)
+
+                # (we observed that) package.json does not always contains the same dependencies compared to
+                # "dependencies" list, for example, dependencies object can contain same name dependency "dep"=> "1.0.0"
+                # and "dev" => "1.0.1" while package.json can only contain "dep" => "1.0.0",the other dependency is
+                # not present in package.json so we don't have to update it, this is most likely (as observed)
+                # a transitive dependency which only needs update in lockfile, So we avoid throwing exception and let
+                # the update continue.
+
+                Dependabot.logger.info("experiment: avoid_duplicate_updates_package_json.
+                Updating package.json for #{dep.name} ")
+
+                raise "Expected content to change!"
+              end
+
+              if !Dependabot::Experiments.enabled?(:avoid_duplicate_updates_package_json) && (content == new_content)
+                raise "Expected content to change!"
+              end
 
               content = new_content
             end
@@ -69,7 +92,7 @@ module Dependabot
             content
           end
         end
-
+        # rubocop:enable Metrics/PerceivedComplexity
         sig do
           params(
             dependency: Dependabot::Dependency,

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_workspace_updater.rb

@@ -0,0 +1,140 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "dependabot/npm_and_yarn/helpers"
+require "dependabot/npm_and_yarn/update_checker/registry_finder"
+require "dependabot/npm_and_yarn/registry_parser"
+require "dependabot/shared_helpers"
+
+class DependencyRequirement < T::Struct
+  const :file, String
+  const :requirement, String
+  const :groups, T::Array[String]
+  const :source, T.nilable(String)
+end
+
+module Dependabot
+  module NpmAndYarn
+    class FileUpdater
+      class PnpmWorkspaceUpdater
+        extend T::Sig
+
+        sig do
+          params(
+            workspace_file: Dependabot::DependencyFile,
+            dependencies: T::Array[Dependabot::Dependency]
+          ) .void
+        end
+        def initialize(workspace_file:, dependencies:)
+          @dependencies = dependencies
+          @workspace_file = workspace_file
+        end
+
+        sig { returns(Dependabot::DependencyFile) }
+        def updated_pnpm_workspace
+          updated_file = workspace_file.dup
+          updated_file.content = updated_pnpm_workspace_content
+          updated_file
+        end
+
+        private
+
+        sig { returns(Dependabot::DependencyFile) }
+        attr_reader :workspace_file
+
+        sig { returns(T::Array[Dependabot::Dependency]) }
+        attr_reader :dependencies
+
+        sig { returns(T.nilable(String)) }
+        def updated_pnpm_workspace_content
+          content = workspace_file.content.dup
+          dependencies.each do |dependency|
+            content = update_dependency_versions(T.must(content), dependency)
+          end
+
+          content
+        end
+
+        sig { params(content: String, dependency: Dependabot::Dependency).returns(String) }
+        def update_dependency_versions(content, dependency)
+          new_requirements(dependency).each do |requirement|
+            content = replace_version_in_content(
+              content: content,
+              dependency: dependency,
+              old_requirement: T.must(old_requirement(dependency, requirement)),
+              new_requirement: requirement
+            )
+          end
+
+          content
+        end
+
+        sig do
+          params(
+            content: String,
+            dependency: Dependabot::Dependency,
+            old_requirement: DependencyRequirement,
+            new_requirement: DependencyRequirement
+          ).returns(String)
+        end
+        def replace_version_in_content(content:, dependency:, old_requirement:, new_requirement:)
+          old_version = old_requirement.requirement
+          new_version = new_requirement.requirement
+
+          pattern = build_replacement_pattern(
+            dependency_name: dependency.name,
+            version: old_version
+          )
+
+          replacement = build_replacement_string(
+            dependency_name: dependency.name,
+            version: new_version
+          )
+
+          content.gsub(pattern, replacement)
+        end
+
+        sig { params(dependency_name: String, version: String).returns(Regexp) }
+        def build_replacement_pattern(dependency_name:, version:)
+          /(["']?)#{dependency_name}\1:\s*(["']?)#{Regexp.escape(version)}\2/
+        end
+
+        sig { params(dependency_name: String, version: String).returns(String) }
+        def build_replacement_string(dependency_name:, version:)
+          "\\1#{dependency_name}\\1: \\2#{version}\\2"
+        end
+
+        sig { params(dependency: Dependabot::Dependency).returns(T::Array[DependencyRequirement]) }
+        def new_requirements(dependency)
+          dependency.requirements
+                    .select { |r| r[:file] == workspace_file.name }
+                    .map do |r|
+            DependencyRequirement.new(
+              file: r[:file],
+              requirement: r[:requirement],
+              groups: r[:groups],
+              source: r[:source]
+            )
+          end
+        end
+
+        sig do
+          params(dependency: Dependabot::Dependency,
+                 new_requirement: DependencyRequirement).returns(T.nilable(DependencyRequirement))
+        end
+        def old_requirement(dependency, new_requirement)
+          matching_req = T.must(dependency.previous_requirements).find { |r| r[:groups] == new_requirement.groups }
+
+          return nil if matching_req.nil?
+
+          DependencyRequirement.new(
+            file: matching_req[:file],
+            requirement: matching_req[:requirement],
+            groups: matching_req[:groups],
+            source: matching_req[:source]
+          )
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -11,7 +11,7 @@ require "sorbet-runtime"
 
 module Dependabot
   module NpmAndYarn
-    class FileUpdater < Dependabot::FileUpdaters::Base
+    class FileUpdater < Dependabot::FileUpdaters::Base # rubocop:disable Metrics/ClassLength
       extend T::Sig
 
       require_relative "file_updater/package_json_updater"
@@ -19,6 +19,7 @@ module Dependabot
       require_relative "file_updater/yarn_lockfile_updater"
       require_relative "file_updater/pnpm_lockfile_updater"
       require_relative "file_updater/bun_lockfile_updater"
+      require_relative "file_updater/pnpm_workspace_updater"
 
       class NoChangeError < StandardError
         extend T::Sig
@@ -43,6 +44,7 @@ module Dependabot
           %r{^(?:.*/)?npm-shrinkwrap\.json$},
           %r{^(?:.*/)?yarn\.lock$},
           %r{^(?:.*/)?pnpm-lock\.yaml$},
+          %r{^(?:.*/)?pnpm-workspace\.yaml$},
           %r{^(?:.*/)?\.yarn/.*}, # Matches any file within the .yarn/ directory
           %r{^(?:.*/)?\.pnp\.(?:js|cjs)$} # Matches .pnp.js or .pnp.cjs files
         ]
@@ -54,6 +56,9 @@ module Dependabot
         updated_files = T.let([], T::Array[DependencyFile])
 
         updated_files += updated_manifest_files
+        if Dependabot::Experiments.enabled?(:enable_pnpm_workspace_catalog)
+          updated_files += updated_pnpm_workspace_files
+        end
         updated_files += updated_lockfiles
 
         if updated_files.none?
@@ -208,6 +213,15 @@ module Dependabot
         )
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def pnpm_workspace
+        @pnpm_workspace ||= T.let(
+          filtered_dependency_files
+          .select { |f| f.name.end_with?("pnpm-workspace.yaml") },
+          T.nilable(T::Array[Dependabot::DependencyFile])
+        )
+      end
+
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def bun_locks
         @bun_locks ||= T.let(
@@ -270,6 +284,16 @@ module Dependabot
         end
       end
 
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def updated_pnpm_workspace_files
+        pnpm_workspace.filter_map do |file|
+          updated_content = updated_pnpm_workspace_content(file)
+          next if updated_content == file.content
+
+          updated_file(file: file, content: T.must(updated_content))
+        end
+      end
+
       # rubocop:disable Metrics/MethodLength
       # rubocop:disable Metrics/PerceivedComplexity
       sig { returns(T::Array[Dependabot::DependencyFile]) }
@@ -407,6 +431,19 @@ module Dependabot
             dependencies: dependencies
           ).updated_package_json.content
       end
+
+      sig do
+        params(file: Dependabot::DependencyFile)
+          .returns(T.nilable(String))
+      end
+      def updated_pnpm_workspace_content(file)
+        @updated_pnpm_workspace_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
+        @updated_pnpm_workspace_content[file.name] ||=
+          PnpmWorkspaceUpdater.new(
+            workspace_file: file,
+            dependencies: dependencies
+          ).updated_pnpm_workspace.content
+      end
     end
   end
 end

data/lib/dependabot/npm_and_yarn/npm_package_manager.rb

@@ -38,8 +38,8 @@ module Dependabot
       def initialize(detected_version: nil, raw_version: nil, requirement: nil)
         super(
           name: NAME,
-          detected_version: detected_version ? Version.new(detected_version) : nil,
-          version: raw_version ? Version.new(raw_version) : nil,
+          detected_version: detected_version && !detected_version.empty? ? Version.new(detected_version) : nil,
+          version: raw_version && !raw_version.empty? ? Version.new(raw_version) : nil,
           deprecated_versions: DEPRECATED_VERSIONS,
           supported_versions: SUPPORTED_VERSIONS,
           requirement: requirement
@@ -48,22 +48,16 @@ module Dependabot
 
       sig { override.returns(T::Boolean) }
       def deprecated?
-        return false unless detected_version
-
-        return false if unsupported?
-
         return false unless Dependabot::Experiments.enabled?(:npm_v6_deprecation_warning)
 
-        deprecated_versions.include?(detected_version)
+        super
       end
 
       sig { override.returns(T::Boolean) }
       def unsupported?
-        return false unless detected_version
-
         return false unless Dependabot::Experiments.enabled?(:npm_v6_unsupported_error)
 
-        supported_versions.all? { |supported| supported > detected_version }
+        super
       end
     end
   end

data/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -11,6 +11,7 @@ require "dependabot/npm_and_yarn/yarn_package_manager"
 require "dependabot/npm_and_yarn/pnpm_package_manager"
 require "dependabot/npm_and_yarn/bun_package_manager"
 require "dependabot/npm_and_yarn/language"
+require "dependabot/npm_and_yarn/constraint_helper"
 
 module Dependabot
   module NpmAndYarn
@@ -189,7 +190,7 @@ module Dependabot
       end
 
       sig { params(name: String).returns(T.nilable(Requirement)) }
-      def find_engine_constraints_as_requirement(name)
+      def find_engine_constraints_as_requirement(name) # rubocop:disable Metrics/PerceivedComplexity
         Dependabot.logger.info("Processing engine constraints for #{name}")
 
         return nil unless @engines.is_a?(Hash) && @engines[name]
@@ -197,19 +198,31 @@ module Dependabot
         raw_constraint = @engines[name].to_s.strip
         return nil if raw_constraint.empty?
 
-        raw_constraints = raw_constraint.split
-        constraints = raw_constraints.map do |constraint|
-          case constraint
-          when /^\d+$/
-            ">=#{constraint}.0.0 <#{constraint.to_i + 1}.0.0"
-          when /^\d+\.\d+$/
-            ">=#{constraint} <#{constraint.split('.').first.to_i + 1}.0.0"
-          when /^\d+\.\d+\.\d+$/
-            "=#{constraint}"
-          else
-            Dependabot.logger.warn("Unrecognized constraint format for #{name}: #{constraint}")
-            constraint
+        if Dependabot::Experiments.enabled?(:enable_engine_version_detection)
+          constraints = ConstraintHelper.extract_constraints(raw_constraint)
+
+          # When constraints are invalid we return constraints array nil
+          if constraints.nil?
+            Dependabot.logger.warn(
+              "Unrecognized constraint format for #{name}: #{raw_constraint}"
+            )
           end
+        else
+          raw_constraints = raw_constraint.split
+          constraints = raw_constraints.map do |constraint|
+            case constraint
+            when /^\d+$/
+              ">=#{constraint}.0.0 <#{constraint.to_i + 1}.0.0"
+            when /^\d+\.\d+$/
+              ">=#{constraint} <#{constraint.split('.').first.to_i + 1}.0.0"
+            when /^\d+\.\d+\.\d+$/
+              "=#{constraint}"
+            else
+              Dependabot.logger.warn("Unrecognized constraint format for #{name}: #{constraint}")
+              constraint
+            end
+          end
+
         end
 
         Dependabot.logger.info("Parsed constraints for #{name}: #{constraints.join(', ')}")
@@ -289,19 +302,24 @@ module Dependabot
 
       sig { params(name: String).returns(T.nilable(String)) }
       def detect_version(name)
-        # we prioritize version mentioned in "packageManager" instead of "engines"
+        # Prioritize version mentioned in "packageManager" instead of "engines"
         if @manifest_package_manager&.start_with?("#{name}@")
           detected_version = @manifest_package_manager.split("@").last.to_s
         end
 
-        # if "packageManager" have no version specified, we check if we can extract "engines" information
-        detected_version = check_engine_version(name) if !detected_version || detected_version.empty?
+        # If "packageManager" has no version specified, check if we can extract "engines" information
+        detected_version ||= check_engine_version(name) if detected_version.to_s.empty?
 
-        # if "packageManager" and "engines" both are not present, we check if we can infer the version
-        # from the manifest file lockfileVersion
-        detected_version = guessed_version(name) if !detected_version || detected_version.empty?
+        # If neither "packageManager" nor "engines" have versions, infer version from lockfileVersion
+        detected_version ||= guessed_version(name) if detected_version.to_s.empty?
 
-        detected_version&.to_s
+        # Strip and validate version format
+        detected_version_string = detected_version.to_s.strip
+
+        # Ensure detected_version is neither "0" nor invalid format
+        return if detected_version_string == "0" || !detected_version_string.match?(ConstraintHelper::VERSION_REGEX)
+
+        detected_version_string
       end
 
       sig { params(name: T.nilable(String)).returns(Ecosystem::VersionManager) }
@@ -332,7 +350,7 @@ module Dependabot
         end
 
         package_manager_class.new(
-          detected_version: detected_version.to_s,
+          detected_version: detected_version,
           raw_version: installed_version,
           requirement: package_manager_requirement
         )
@@ -434,7 +452,8 @@ module Dependabot
         return if @package_json.nil?
 
         version_selector = VersionSelector.new
-        engine_versions = version_selector.setup(@package_json, name)
+
+        engine_versions = version_selector.setup(@package_json, name, dependabot_versions(name))
 
         return if engine_versions.empty?
 
@@ -442,6 +461,20 @@ module Dependabot
         Dependabot.logger.info("Returned (#{MANIFEST_ENGINES_KEY}) info \"#{name}\" : \"#{version}\"")
         version
       end
+
+      sig { params(name: String).returns(T.nilable(T::Array[Dependabot::Version])) }
+      def dependabot_versions(name)
+        case name
+        when "npm"
+          NpmPackageManager::SUPPORTED_VERSIONS
+        when "yarn"
+          YarnPackageManager::SUPPORTED_VERSIONS
+        when "bun"
+          BunPackageManager::SUPPORTED_VERSIONS
+        when "pnpm"
+          PNPMPackageManager::SUPPORTED_VERSIONS
+        end
+      end
     end
   end
 end

data/lib/dependabot/npm_and_yarn/version_selector.rb

@@ -2,6 +2,7 @@
 # frozen_string_literal: true
 
 require "dependabot/shared_helpers"
+require "dependabot/npm_and_yarn/constraint_helper"
 
 module Dependabot
   module NpmAndYarn
@@ -13,18 +14,42 @@ module Dependabot
       # such as "20.8.7", "8.1.2", "8.21.2",
       NODE_ENGINE_SUPPORTED_REGEX = /^\d+(?:\.\d+)*$/
 
-      sig { params(manifest_json: T::Hash[String, T.untyped], name: String).returns(T::Hash[Symbol, T.untyped]) }
-      def setup(manifest_json, name)
+      # Sets up engine versions from the given manifest JSON.
+      #
+      # @param manifest_json [Hash] The manifest JSON containing version information.
+      # @param name [String] The engine name to match.
+      # @return [Hash] A hash with selected versions, if found.
+      sig do
+        params(
+          manifest_json: T::Hash[String, T.untyped],
+          name: String,
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T::Hash[Symbol, T.untyped])
+      end
+      def setup(manifest_json, name, dependabot_versions = nil)
         engine_versions = manifest_json["engines"]
 
+        # Return an empty hash if no engine versions are specified
         return {} if engine_versions.nil?
 
-        # Only keep matching specs versions i.e. "20.21.2", "7.1.2",
-        # Additional specs can be added later
-        engine_versions.delete_if { |_key, value| !valid_extracted_version?(value) }
-        version = engine_versions.select { |engine, _value| engine.to_s.match(name) }
+        versions = {}
+
+        if Dependabot::Experiments.enabled?(:enable_engine_version_detection)
+          engine_versions.each do |engine, value|
+            next unless engine.to_s.match(name)
+
+            versions[name] = ConstraintHelper.find_highest_version_from_constraint_expression(
+              value, dependabot_versions
+            )
+          end
+        else
+          versions = engine_versions.select do |engine, value|
+            engine.to_s.match(name) && valid_extracted_version?(value)
+          end
+        end
 
-        version
+        versions
       end
 
       sig { params(version: String).returns(T::Boolean) }

data/lib/dependabot/npm_and_yarn.rb

@@ -146,6 +146,10 @@ module Dependabot
     # if not package found with specified version
     YARN_PACKAGE_NOT_FOUND = /MessageError: Couldn't find any versions for "(?<pkg>.*?)" that matches "(?<ver>.*?)"/
 
+    YN0001_DEPS_RESOLUTION_FAILED = T.let({
+      DEPS_INCORRECT_MET: /peer dependencies are incorrectly met/
+    }.freeze, T::Hash[String, Regexp])
+
     YN0001_FILE_NOT_RESOLVED_CODES = T.let({
       FIND_PACKAGE_LOCATION: /YN0001:(.*?)UsageError: Couldn't find the (?<pkg>.*) state file/,
       NO_CANDIDATE_FOUND: /YN0001:(.*?)Error: (?<pkg>.*): No candidates found/,
@@ -165,6 +169,8 @@ module Dependabot
       REQUIREMENT_NOT_PROVIDED: /(?<dep>.*)(.*?)doesn't provide (?<pkg>.*)(.*?), requested by (?<parent>.*)/
     }.freeze, T::Hash[String, Regexp])
 
+    YN0086_DEPS_RESOLUTION_FAILED = /peer dependencies are incorrectly met/
+
     # registry returns malformed response
     REGISTRY_NOT_REACHABLE = /Received malformed response from registry for "(?<ver>.*)". The registry may be down./
 
@@ -227,6 +233,12 @@ module Dependabot
             end
           end
 
+          YN0001_DEPS_RESOLUTION_FAILED.each do |(_yn0001_key, yn0001_regex)|
+            if (msg = message.match(yn0001_regex))
+              return Dependabot::DependencyFileNotResolvable.new(msg)
+            end
+          end
+
           Dependabot::DependabotError.new(message)
         }
       },
@@ -351,6 +363,13 @@ module Dependabot
             Dependabot::DependencyNotFound.new(message)
           end
         }
+      },
+      "YN0086" => {
+        message: "deps resolution failed",
+        handler: lambda { |message, _error, _params|
+          msg = message.match(YN0086_DEPS_RESOLUTION_FAILED)
+          Dependabot::DependencyFileNotResolvable.new(msg || message)
+        }
       }
     }.freeze, T::Hash[String, {
       message: T.any(String, NilClass),

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.294.0
+  version: 0.295.0
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-01-23 00:00:00.000000000 Z
+date: 2025-01-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.294.0
+        version: 0.295.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.294.0
+        version: 0.295.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -307,6 +307,7 @@ files:
 - helpers/test/yarn/updater.test.js
 - lib/dependabot/npm_and_yarn.rb
 - lib/dependabot/npm_and_yarn/bun_package_manager.rb
+- lib/dependabot/npm_and_yarn/constraint_helper.rb
 - lib/dependabot/npm_and_yarn/dependency_files_filterer.rb
 - lib/dependabot/npm_and_yarn/file_fetcher.rb
 - lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb
@@ -323,6 +324,7 @@ files:
 - lib/dependabot/npm_and_yarn/file_updater/package_json_preparer.rb
 - lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb
+- lib/dependabot/npm_and_yarn/file_updater/pnpm_workspace_updater.rb
 - lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb
 - lib/dependabot/npm_and_yarn/helpers.rb
 - lib/dependabot/npm_and_yarn/language.rb
@@ -354,7 +356,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.294.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.295.0
 post_install_message:
 rdoc_options: []
 require_paths: