dependabot-npm_and_yarn 0.294.0 → 0.296.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 72e338772b3c3aac3cf86538fc2d70dbbc45f5f7cb854cd7fd74913b140fe056
-  data.tar.gz: 1856c138b871ebe80e5cc6faa5984ba80c10b342aa8bf0822e325e5a31a3f815
+  metadata.gz: 40c0445c84d264374459bc6e6d333d051a116ec598ae0e208536123242a2a56b
+  data.tar.gz: 208a49c91628dda0ada48108de1ef09b07b8ca7b4f12df008906689e5ad173f9
 SHA512:
-  metadata.gz: 0e3267d0aafcf35e345505c87a23b2b783cfc36377e46f5f10875a4bd8b0c4fe201b6dea0dbed75463b75dccba175014af850451cfc52b39c0a2a410a5c5ab34
-  data.tar.gz: a1c6be5ccbebcf43a76a51d7871a37743428f052c734a985a48fc90d4b1e2944679a8b6eb17910a8ef7e14c69dbe46d9761319b28d6a57d7dcbac7e94fbb9c09
+  metadata.gz: c1a2bc9cfa98144e171f653efedd490ccf0eb02176c29496a5ee288d83a54b83f8390e3a7d67b98fa544ef3f5e4074080101d8115414fdc34cb4c3ec075a2f25
+  data.tar.gz: da594bed80a0ad0c2e0fef360bb026f176020c0edc1c665e4e4823f882edd72e85e07a52b5a2036c78620f0889a0e050d0342462b21f6671a8d6daaa5976cbb3

data/lib/dependabot/npm_and_yarn/constraint_helper.rb

@@ -0,0 +1,359 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+module Dependabot
+  module NpmAndYarn
+    module ConstraintHelper
+      extend T::Sig
+
+      # Regex Components for Semantic Versioning
+      DIGIT = "\\d+"                             # Matches a single number (e.g., "1")
+      PRERELEASE = "(?:-[a-zA-Z0-9.-]+)?"        # Matches optional pre-release tag (e.g., "-alpha")
+      BUILD_METADATA = "(?:\\+[a-zA-Z0-9.-]+)?"  # Matches optional build metadata (e.g., "+001")
+
+      # Matches semantic versions:
+      VERSION = T.let("#{DIGIT}(?:\\.#{DIGIT}){0,2}#{PRERELEASE}#{BUILD_METADATA}".freeze, String)
+
+      VERSION_REGEX = T.let(/^#{VERSION}$/, Regexp)
+
+      # Base regex for SemVer (major.minor.patch[-prerelease][+build])
+      # This pattern extracts valid semantic versioning strings based on the SemVer 2.0 specification.
+      SEMVER_REGEX = T.let(/
+        (?<version>\d+\.\d+\.\d+)               # Match major.minor.patch (e.g., 1.2.3)
+        (?:-(?<prerelease>[a-zA-Z0-9.-]+))?     # Optional prerelease (e.g., -alpha.1, -rc.1, -beta.5)
+        (?:\+(?<build>[a-zA-Z0-9.-]+))?         # Optional build metadata (e.g., +build.20231101, +exp.sha.5114f85)
+      /x, Regexp)
+
+      # Full SemVer validation regex (ensures the entire string is a valid SemVer)
+      # This ensures the entire input strictly follows SemVer, without extra characters before/after.
+      SEMVER_VALIDATION_REGEX = T.let(/^#{SEMVER_REGEX}$/, Regexp)
+
+      # SemVer constraint regex (supports package.json version constraints)
+      # This pattern ensures proper parsing of SemVer versions with optional operators.
+      SEMVER_CONSTRAINT_REGEX = T.let(/
+        (?: (>=|<=|>|<|=|~|\^)\s*)?  # Make operators optional (e.g., >=, ^, ~)
+        (\d+\.\d+\.\d+(?:-[a-zA-Z0-9.-]+)?(?:\+[a-zA-Z0-9.-]+)?)  # Match full SemVer versions
+        | (\*|latest) # Match wildcard (*) or 'latest'
+      /x, Regexp)
+
+      # /(>=|<=|>|<|=|~|\^)\s*(\d+\.\d+\.\d+(?:-[a-zA-Z0-9.-]+)?(?:\+[a-zA-Z0-9.-]+)?)|(\*|latest)/
+
+      SEMVER_OPERATOR_REGEX = /^(>=|<=|>|<|~|\^|=)$/
+
+      # Constraint Types as Constants
+      CARET_CONSTRAINT_REGEX = T.let(/^\^\s*(#{VERSION})$/, Regexp)
+      TILDE_CONSTRAINT_REGEX = T.let(/^~\s*(#{VERSION})$/, Regexp)
+      EXACT_CONSTRAINT_REGEX = T.let(/^\s*(#{VERSION})$/, Regexp)
+      GREATER_THAN_EQUAL_REGEX = T.let(/^>=\s*(#{VERSION})$/, Regexp)
+      LESS_THAN_EQUAL_REGEX = T.let(/^<=\s*(#{VERSION})$/, Regexp)
+      GREATER_THAN_REGEX = T.let(/^>\s*(#{VERSION})$/, Regexp)
+      LESS_THAN_REGEX = T.let(/^<\s*(#{VERSION})$/, Regexp)
+      WILDCARD_REGEX = T.let(/^\*$/, Regexp)
+      LATEST_REGEX = T.let(/^latest$/, Regexp)
+      SEMVER_CONSTANTS = ["*", "latest"].freeze
+
+      # Unified Regex for Valid Constraints
+      VALID_CONSTRAINT_REGEX = T.let(Regexp.union(
+        CARET_CONSTRAINT_REGEX,
+        TILDE_CONSTRAINT_REGEX,
+        EXACT_CONSTRAINT_REGEX,
+        GREATER_THAN_EQUAL_REGEX,
+        LESS_THAN_EQUAL_REGEX,
+        GREATER_THAN_REGEX,
+        LESS_THAN_REGEX,
+        WILDCARD_REGEX,
+        LATEST_REGEX
+      ).freeze, Regexp)
+
+      # Extract unique constraints from the given constraint expression.
+      # @param constraint_expression [T.nilable(String)] The semver constraint expression.
+      # @return [T::Array[String]] The list of unique Ruby-compatible constraints.
+      sig do
+        params(
+          constraint_expression: T.nilable(String),
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(T::Array[String]))
+      end
+      def self.extract_ruby_constraints(constraint_expression, dependabot_versions = nil)
+        parsed_constraints = parse_constraints(constraint_expression, dependabot_versions)
+
+        return nil unless parsed_constraints
+
+        parsed_constraints.filter_map { |parsed| parsed[:constraint] }
+      end
+
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/PerceivedComplexity
+      sig do
+        params(constraint_expression: T.nilable(String))
+          .returns(T.nilable(T::Array[String]))
+      end
+      def self.split_constraints(constraint_expression)
+        normalized_constraint = constraint_expression&.strip
+        return [] if normalized_constraint.nil? || normalized_constraint.empty?
+
+        # Split constraints by logical OR (`||`)
+        constraint_groups = normalized_constraint.split("||")
+
+        # Split constraints by logical AND (`,`)
+        constraint_groups = constraint_groups.map do |or_constraint|
+          or_constraint.split(",").map(&:strip)
+        end.flatten
+
+        constraint_groups = constraint_groups.map do |constraint|
+          tokens = constraint.split(/\s+/).map(&:strip)
+
+          and_constraints = []
+
+          previous = T.let(nil, T.nilable(String))
+          operator = T.let(false, T.nilable(T::Boolean))
+          wildcard = T.let(false, T::Boolean)
+
+          tokens.each do |token|
+            token = token.strip
+            next if token.empty?
+
+            # Invalid constraint if wildcard and anything else
+            return nil if wildcard
+
+            # If token is one of the operators (>=, <=, >, <, ~, ^, =)
+            if token.match?(SEMVER_OPERATOR_REGEX)
+              wildcard = false
+              operator = true
+            # If token is wildcard or latest
+            elsif token.match?(/(\*|latest)/)
+              and_constraints << token
+              wildcard = true
+              operator = false
+            # If token is exact version (e.g., "1.2.3")
+            elsif token.match(VERSION_REGEX)
+              and_constraints << if operator
+                                   "#{previous}#{token}"
+                                 else
+                                   token
+                                 end
+              wildcard = false
+              operator = false
+            # If token is a valid constraint (e.g., ">=1.2.3", "<=2.0.0")
+            elsif token.match(VALID_CONSTRAINT_REGEX)
+              return nil if operator
+
+              and_constraints << token
+
+              wildcard = false
+              operator = false
+            else
+              # invalid constraint
+              return nil
+            end
+            previous = token
+          end
+          and_constraints.uniq
+        end.flatten
+        constraint_groups if constraint_groups.any?
+      end
+
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/CyclomaticComplexity
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/PerceivedComplexity
+
+      # Find the highest version from the given constraint expression.
+      # @param constraint_expression [T.nilable(String)] The semver constraint expression.
+      # @return [T.nilable(String)] The highest version, or nil if no versions are available.
+      sig do
+        params(
+          constraint_expression: T.nilable(String),
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(String))
+      end
+      def self.find_highest_version_from_constraint_expression(constraint_expression, dependabot_versions = nil)
+        parsed_constraints = parse_constraints(constraint_expression, dependabot_versions)
+
+        return nil unless parsed_constraints
+
+        parsed_constraints
+          .filter_map { |parsed| parsed[:version] } # Extract all versions
+          .max_by { |version| Version.new(version) }
+      end
+
+      # Parse all constraints (split by logical OR `||`) and convert to Ruby-compatible constraints.
+      # Return:
+      #   - `nil` if the constraint expression is invalid
+      #   - `[]` if the constraint expression is valid but represents "no constraints"
+      #   - An array of hashes for valid constraints with details about the constraint and version
+      sig do
+        params(
+          constraint_expression: T.nilable(String),
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(T::Array[T::Hash[Symbol, T.nilable(String)]]))
+      end
+      def self.parse_constraints(constraint_expression, dependabot_versions = nil)
+        splitted_constraints = split_constraints(constraint_expression)
+
+        return unless splitted_constraints
+
+        constraints = to_ruby_constraints_with_versions(splitted_constraints, dependabot_versions)
+        constraints
+      end
+
+      sig do
+        params(
+          constraints: T::Array[String],
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        ).returns(T::Array[T::Hash[Symbol, T.nilable(String)]])
+      end
+      def self.to_ruby_constraints_with_versions(constraints, dependabot_versions = [])
+        constraints.filter_map do |constraint|
+          parsed = to_ruby_constraint_with_version(constraint, dependabot_versions)
+          parsed if parsed
+        end.uniq
+      end
+
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/PerceivedComplexity
+      # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/CyclomaticComplexity
+      # Converts a semver constraint to a Ruby-compatible constraint and extracts the version, if available.
+      # @param constraint [String] The semver constraint to parse.
+      # @return [T.nilable(T::Hash[Symbol, T.nilable(String)])] Returns the Ruby-compatible constraint and the version,
+      # if available, or nil if the constraint is invalid.
+      #
+      # @example
+      #  to_ruby_constraint_with_version("=1.2.3") # => { constraint: "=1.2.3", version: "1.2.3" }
+      #  to_ruby_constraint_with_version("^1.2.3") # => { constraint: ">=1.2.3 <2.0.0", version: "1.2.3" }
+      #  to_ruby_constraint_with_version("*")      # => { constraint: nil, version: nil }
+      #  to_ruby_constraint_with_version("invalid") # => nil
+      sig do
+        params(
+          constraint: String,
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version])
+        )
+          .returns(T.nilable(T::Hash[Symbol, T.nilable(String)]))
+      end
+      def self.to_ruby_constraint_with_version(constraint, dependabot_versions = [])
+        return nil if constraint.empty?
+
+        case constraint
+        when EXACT_CONSTRAINT_REGEX # Exact version, e.g., "1.2.3-alpha"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          { constraint: "=#{full_version}", version: full_version }
+        when CARET_CONSTRAINT_REGEX # Caret constraint, e.g., "^1.2.3"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          _, major, minor = version_components(full_version)
+          return nil if major.nil?
+
+          ruby_constraint =
+            if major.to_i.zero?
+              minor.nil? ? ">=#{full_version} <1.0.0" : ">=#{full_version} <0.#{minor.to_i + 1}.0"
+            else
+              ">=#{full_version} <#{major.to_i + 1}.0.0"
+            end
+          { constraint: ruby_constraint, version: full_version }
+        when TILDE_CONSTRAINT_REGEX # Tilde constraint, e.g., "~1.2.3"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          _, major, minor = version_components(full_version)
+          ruby_constraint =
+            if minor.nil?
+              ">=#{full_version} <#{major.to_i + 1}.0.0"
+            else
+              ">=#{full_version} <#{major}.#{minor.to_i + 1}.0"
+            end
+          { constraint: ruby_constraint, version: full_version }
+        when GREATER_THAN_EQUAL_REGEX # Greater than or equal, e.g., ">=1.2.3"
+
+          return unless Regexp.last_match && Regexp.last_match(1)
+
+          found_version = highest_matching_version(
+            dependabot_versions,
+            T.must(Regexp.last_match(1))
+          ) do |version, constraint_version|
+            version >= Version.new(constraint_version)
+          end
+          { constraint: ">=#{Regexp.last_match(1)}", version: found_version&.to_s }
+        when LESS_THAN_EQUAL_REGEX # Less than or equal, e.g., "<=1.2.3"
+          return unless Regexp.last_match
+
+          full_version = Regexp.last_match(1)
+          { constraint: "<=#{full_version}", version: full_version }
+        when GREATER_THAN_REGEX # Greater than, e.g., ">1.2.3"
+          return unless Regexp.last_match && Regexp.last_match(1)
+
+          found_version = highest_matching_version(
+            dependabot_versions,
+            T.must(Regexp.last_match(1))
+          ) do |version, constraint_version|
+            version > Version.new(constraint_version)
+          end
+          { constraint: ">#{Regexp.last_match(1)}", version: found_version&.to_s }
+        when LESS_THAN_REGEX # Less than, e.g., "<1.2.3"
+          return unless Regexp.last_match && Regexp.last_match(1)
+
+          found_version = highest_matching_version(
+            dependabot_versions,
+            T.must(Regexp.last_match(1))
+          ) do |version, constraint_version|
+            version < Version.new(constraint_version)
+          end
+          { constraint: "<#{Regexp.last_match(1)}", version: found_version&.to_s }
+        when WILDCARD_REGEX # No specific constraint, resolves to the highest available version
+          { constraint: nil, version: dependabot_versions&.max&.to_s }
+        when LATEST_REGEX
+          { constraint: nil, version: dependabot_versions&.max&.to_s } # Resolves to the latest available version
+        end
+      end
+
+      sig do
+        params(
+          dependabot_versions: T.nilable(T::Array[Dependabot::Version]),
+          constraint_version: String,
+          condition: T.proc.params(version: Dependabot::Version, constraint: Dependabot::Version).returns(T::Boolean)
+        )
+          .returns(T.nilable(Dependabot::Version))
+      end
+      def self.highest_matching_version(dependabot_versions, constraint_version, &condition)
+        return unless dependabot_versions&.any?
+
+        # Returns the highest version that satisfies the condition, or nil if none.
+        dependabot_versions
+          .sort
+          .reverse
+          .find { |version| condition.call(version, Version.new(constraint_version)) } # rubocop:disable Performance/RedundantBlockCall
+      end
+
+      # rubocop:enable Metrics/MethodLength
+      # rubocop:enable Metrics/PerceivedComplexity
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/CyclomaticComplexity
+
+      # Parses a semantic version string into its components as per the SemVer spec
+      # Example: "1.2.3-alpha+001" → ["1.2.3", "1", "2", "3", "alpha", "001"]
+      sig { params(full_version: T.nilable(String)).returns(T.nilable(T::Array[String])) }
+      def self.version_components(full_version)
+        return [] if full_version.nil?
+
+        match = full_version.match(SEMVER_VALIDATION_REGEX)
+        return [] unless match
+
+        version = match[:version]
+        return [] unless version
+
+        major, minor, patch = version.split(".")
+        [version, major, minor, patch, match[:prerelease], match[:build]].compact
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -342,6 +342,11 @@ module Dependabot
           fetch_support_file(PNPMPackageManager::PNPM_WS_YML_FILENAME),
           T.nilable(DependencyFile)
         )
+
+        # Only fetch from parent directories if the file wasn't found initially
+        @pnpm_workspace_yaml ||= fetch_file_from_parent_directories(PNPMPackageManager::PNPM_WS_YML_FILENAME)
+
+        @pnpm_workspace_yaml
       end
 
       sig { returns(T.nilable(DependencyFile)) }

data/lib/dependabot/npm_and_yarn/file_parser/bun_lock.rb

@@ -31,7 +31,6 @@ module Dependabot
             version = content["lockfileVersion"]
             raise_invalid!("expected 'lockfileVersion' to be an integer") unless version.is_a?(Integer)
             raise_invalid!("expected 'lockfileVersion' to be >= 0") unless version >= 0
-            raise_invalid!("unsupported 'lockfileVersion' = #{version}") unless version.zero?
 
             T.let(content, T.untyped)
           end

data/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -55,10 +55,11 @@ module Dependabot
       end
 
       sig { override.returns(T::Array[Dependency]) }
-      def parse
+      def parse # rubocop:disable Metrics/PerceivedComplexity
         dependency_set = DependencySet.new
         dependency_set += manifest_dependencies
         dependency_set += lockfile_dependencies
+        dependency_set += workspace_catalog_dependencies if pnpm_workspace_yml
 
         dependencies = Helpers.dependencies_with_all_versions_metadata(dependency_set)
 
@@ -168,6 +169,13 @@ module Dependabot
         end, T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def pnpm_workspace_yml
+        @pnpm_workspace_yml ||= T.let(dependency_files.find do |f|
+          f.name.end_with?(PNPMPackageManager::PNPM_WS_YML_FILENAME)
+        end, T.nilable(Dependabot::DependencyFile))
+      end
+
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def bun_lock
         @bun_lock ||= T.let(dependency_files.find do |f|
@@ -225,6 +233,30 @@ module Dependabot
         dependency_set
       end
 
+      sig { returns(Dependabot::FileParsers::Base::DependencySet) }
+      def workspace_catalog_dependencies
+        dependency_set = DependencySet.new
+        workspace_config = YAML.safe_load(T.must(pnpm_workspace_yml&.content), aliases: true)
+
+        workspace_config["catalog"]&.each do |name, version|
+          dep = build_dependency(
+            file: T.must(pnpm_workspace_yml), type: "dependencies", name: name, requirement: version
+          )
+          dependency_set << dep if dep
+        end
+
+        workspace_config["catalogs"]&.each do |_, group_depenencies|
+          group_depenencies.each do |name, version|
+            dep = build_dependency(
+              file: T.must(pnpm_workspace_yml), type: "dependencies", name: name, requirement: version
+            )
+            dependency_set << dep if dep
+          end
+        end
+
+        dependency_set
+      end
+
       sig { returns(LockfileParser) }
       def lockfile_parser
         @lockfile_parser ||= T.let(LockfileParser.new(

data/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb

@@ -11,11 +11,15 @@ module Dependabot
       class PackageJsonUpdater
         extend T::Sig
 
+        LOCAL_PACKAGE = T.let([/portal:/, /file:/].freeze, T::Array[Regexp])
+
+        PATCH_PACKAGE = T.let([/patch:/].freeze, T::Array[Regexp])
+
         sig do
           params(
             package_json: Dependabot::DependencyFile,
             dependencies: T::Array[Dependabot::Dependency]
-          ) .void
+          ).void
         end
         def initialize(package_json:, dependencies:)
           @package_json = package_json
@@ -37,8 +41,13 @@ module Dependabot
         sig { returns(T::Array[Dependabot::Dependency]) }
         attr_reader :dependencies
 
+        # rubocop:disable Metrics/PerceivedComplexity
+
         sig { returns(T.nilable(String)) }
         def updated_package_json_content
+          # checks if we are updating single dependency in package.json
+          unique_deps_count = dependencies.map(&:name).to_a.uniq.compact.length
+
           dependencies.reduce(package_json.content.dup) do |content, dep|
             updated_requirements(dep)&.each do |new_req|
               old_req = old_requirement(dep, new_req)
@@ -50,7 +59,25 @@ module Dependabot
                 new_req: new_req
               )
 
-              raise "Expected content to change!" if content == new_content
+              if Dependabot::Experiments.enabled?(:avoid_duplicate_updates_package_json) &&
+                 (content == new_content && unique_deps_count > 1)
+
+                # (we observed that) package.json does not always contains the same dependencies compared to
+                # "dependencies" list, for example, dependencies object can contain same name dependency "dep"=> "1.0.0"
+                # and "dev" => "1.0.1" while package.json can only contain "dep" => "1.0.0",the other dependency is
+                # not present in package.json so we don't have to update it, this is most likely (as observed)
+                # a transitive dependency which only needs update in lockfile, So we avoid throwing exception and let
+                # the update continue.
+
+                Dependabot.logger.info("experiment: avoid_duplicate_updates_package_json.
+                Updating package.json for #{dep.name} ")
+
+                raise "Expected content to change!"
+              end
+
+              if !Dependabot::Experiments.enabled?(:avoid_duplicate_updates_package_json) && (content == new_content)
+                raise "Expected content to change!"
+              end
 
               content = new_content
             end
@@ -69,7 +96,7 @@ module Dependabot
             content
           end
         end
-
+        # rubocop:enable Metrics/PerceivedComplexity
         sig do
           params(
             dependency: Dependabot::Dependency,
@@ -92,6 +119,8 @@ module Dependabot
         def updated_requirements(dependency)
           return unless dependency.previous_requirements
 
+          preliminary_check_for_update(dependency)
+
           updated_requirement_pairs =
             dependency.requirements.zip(T.must(dependency.previous_requirements))
                       .reject do |new_req, old_req|
@@ -318,6 +347,31 @@ module Dependabot
 
           0
         end
+
+        sig { params(dependency: Dependabot::Dependency).void }
+        def preliminary_check_for_update(dependency)
+          T.must(dependency.previous_requirements).each do |req, _dep|
+            next if req.fetch(:requirement).nil?
+
+            # some deps are patched with local patches, we don't need to update them
+            if req.fetch(:requirement).match?(Regexp.union(PATCH_PACKAGE))
+              Dependabot.logger.info("Func: updated_requirements. dependency patched #{dependency.name}," \
+                                     " Requirement: '#{req.fetch(:requirement)}'")
+
+              raise DependencyFileNotResolvable,
+                    "Dependency is patched locally, Update not required."
+            end
+
+            # some deps are added as local packages, we don't need to update them as they are referred to a local path
+            next unless req.fetch(:requirement).match?(Regexp.union(LOCAL_PACKAGE))
+
+            Dependabot.logger.info("Func: updated_requirements. local package #{dependency.name}," \
+                                   " Requirement: '#{req.fetch(:requirement)}'")
+
+            raise DependencyFileNotResolvable,
+                  "Local package, Update not required."
+          end
+        end
       end
     end
   end

data/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -24,11 +24,14 @@ module Dependabot
           )
         end
 
-        def updated_pnpm_lock_content(pnpm_lock)
+        def updated_pnpm_lock_content(pnpm_lock, updated_pnpm_workspace_content: nil)
           @updated_pnpm_lock_content ||= {}
           return @updated_pnpm_lock_content[pnpm_lock.name] if @updated_pnpm_lock_content[pnpm_lock.name]
 
-          new_content = run_pnpm_update(pnpm_lock: pnpm_lock)
+          new_content = run_pnpm_update(
+            pnpm_lock: pnpm_lock,
+            updated_pnpm_workspace_content: updated_pnpm_workspace_content
+          )
           @updated_pnpm_lock_content[pnpm_lock.name] = new_content
         rescue SharedHelpers::HelperSubprocessFailed => e
           handle_pnpm_lock_updater_error(e, pnpm_lock)
@@ -100,14 +103,17 @@ module Dependabot
         # Peer dependencies configuration error
         ERR_PNPM_PEER_DEP_ISSUES = /ERR_PNPM_PEER_DEP_ISSUES/
 
-        def run_pnpm_update(pnpm_lock:)
+        def run_pnpm_update(pnpm_lock:, updated_pnpm_workspace_content: nil)
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
             File.write(".npmrc", npmrc_content(pnpm_lock))
 
             SharedHelpers.with_git_configured(credentials: credentials) do
-              run_pnpm_update_packages
-
-              write_final_package_json_files
+              if updated_pnpm_workspace_content
+                File.write("pnpm-workspace.yaml", updated_pnpm_workspace_content["pnpm-workspace.yaml"])
+              else
+                run_pnpm_update_packages
+                write_final_package_json_files
+              end
 
               run_pnpm_install
 
@@ -140,11 +146,15 @@ module Dependabot
           )
         end
 
+        def workspace_files
+          @workspace_files ||= dependency_files.select { |f| f.name.end_with?("pnpm-workspace.yaml") }
+        end
+
         def lockfile_dependencies(lockfile)
           @lockfile_dependencies ||= {}
           @lockfile_dependencies[lockfile.name] ||=
             NpmAndYarn::FileParser.new(
-              dependency_files: [lockfile, *package_files],
+              dependency_files: [lockfile, *package_files, *workspace_files],
               source: nil,
               credentials: credentials
             ).parse