dependabot-npm_and_yarn 0.350.0 → 0.351.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3c95e5a25dfbc888b7cbe14a06c8545a1dffa0223254983a4fea67b8e372a024
-  data.tar.gz: a47db5408d030fbc18d62679d22e3ace24b5f85cbb8de6ae2d153fd46a2c2c9a
+  metadata.gz: 58fb5e0f894d8303fda1c4ee5a250a5153a209047fb47b99b827a042bdedcc43
+  data.tar.gz: 4f7dbc1168c7672fa786fbdb253def7cd208064a2722ce63e94b387ab306d117
 SHA512:
-  metadata.gz: 14d440ca0f12543d02ac0b1d49b6f943c88fec8abb6f96851dfbcb26db1f6737360acc8747f5cd2ee17eefcea34fc57b3e3ef04f6c84999527ef3516c56a3d2d
-  data.tar.gz: 64b4cd22bcbe18bc9d82231bce93291cce5dc75ebf43d9c8a40d5ee28f44b9cd2a1b8784b9dd919e5e72e1243bffe5f07bd471c9405d1dda1667ad30be3b2002
+  metadata.gz: a7a6a0aeb758960adc54fca50c16142de988e0feed5b719c6b1edd34af72469e7829d906016e6f020a5190e9b50288df1eb4d2cc0745197b11bc4da8e4dca6f5
+  data.tar.gz: ae780bf718e902b6a6c46658727ac4bdd7b94271474f11014450d4288abc05613fdb927d329b3e20176fd6fb8b322453bf7fd36132ad7f62fc815f7b17264bd3

data/lib/dependabot/npm_and_yarn/constraint_helper.rb

@@ -261,9 +261,16 @@ module Dependabot
 
           full_version = Regexp.last_match(1)
 
-          # Normalize version: if full_version does not have patch version, add ".0"
+          # Normalize version: ensure it has major.minor.patch format
           version_parts = T.must(full_version).split(".")
-          full_version = "#{full_version}.0" if version_parts.length == 2
+          full_version = case version_parts.length
+                         when 1
+                           "#{full_version}.0.0" # major only -> major.0.0
+                         when 2
+                           "#{full_version}.0"   # major.minor -> major.minor.0
+                         else
+                           full_version          # already major.minor.patch
+                         end
 
           _, major, minor = version_components(full_version)
           return nil if major.nil?

data/lib/dependabot/npm_and_yarn/dependency_grapher/lockfile_generator.rb

@@ -0,0 +1,214 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/dependency_file"
+require "dependabot/shared_helpers"
+require "dependabot/npm_and_yarn/helpers"
+require "dependabot/npm_and_yarn/package_manager"
+require "dependabot/npm_and_yarn/file_updater/npmrc_builder"
+
+module Dependabot
+  module NpmAndYarn
+    class DependencyGrapher < Dependabot::DependencyGraphers::Base
+      class LockfileGenerator
+        extend T::Sig
+
+        sig do
+          params(
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            package_manager: String,
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
+        def initialize(dependency_files:, package_manager:, credentials:)
+          @dependency_files = dependency_files
+          @package_manager = package_manager
+          @credentials = credentials
+        end
+
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
+        def generate
+          SharedHelpers.in_a_temporary_directory do
+            write_temporary_files
+            run_lockfile_generation
+            read_generated_lockfile
+          end
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          handle_generation_error(e)
+          nil
+        end
+
+        private
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+
+        sig { returns(String) }
+        attr_reader :package_manager
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+
+        sig { void }
+        def write_temporary_files
+          write_package_files
+          write_npmrc
+          write_yarnrc if yarn?
+        end
+
+        sig { void }
+        def write_package_files
+          dependency_files.each do |file|
+            next unless file.name.end_with?(
+              "package.json", ".npmrc", ".yarnrc", ".yarnrc.yml", "pnpm-workspace.yaml"
+            )
+
+            path = file.name
+            FileUtils.mkdir_p(File.dirname(path))
+            File.write(path, file.content)
+          end
+        end
+
+        sig { void }
+        def write_npmrc
+          # Skip if .npmrc already exists in dependency files (already written above)
+          return if dependency_files.any? { |f| f.name.end_with?(".npmrc") }
+
+          # Use NpmrcBuilder to generate npmrc content from credentials
+          npmrc_content = FileUpdater::NpmrcBuilder.new(
+            credentials: credentials,
+            dependency_files: dependency_files
+          ).npmrc_content
+
+          return if npmrc_content.empty?
+
+          File.write(".npmrc", npmrc_content)
+        end
+
+        sig { void }
+        def write_yarnrc
+          return unless yarn_berry?
+
+          # For Yarn Berry, set up the environment properly
+          Helpers.setup_yarn_berry
+        end
+
+        sig { void }
+        def run_lockfile_generation
+          Dependabot.logger.info("Generating lockfile using #{package_manager}")
+
+          case package_manager
+          when NpmPackageManager::NAME
+            run_npm_lockfile_generation
+          when YarnPackageManager::NAME
+            run_yarn_lockfile_generation
+          when PNPMPackageManager::NAME
+            run_pnpm_lockfile_generation
+          else
+            raise "Unknown package manager: #{package_manager}"
+          end
+        end
+
+        sig { void }
+        def run_npm_lockfile_generation
+          # Use --package-lock-only to generate lockfile without installing node_modules
+          # Use --ignore-scripts to prevent running any scripts
+          # Use --force to ignore platform checks
+          # Use --dry-run false because global .npmrc may have dry-run: true set
+          command = "install --package-lock-only --ignore-scripts --force --dry-run false"
+          Helpers.run_npm_command(command, fingerprint: command)
+        end
+
+        sig { void }
+        def run_yarn_lockfile_generation
+          if yarn_berry?
+            # Yarn Berry (2+) uses different commands
+            Helpers.run_yarn_command("install --mode update-lockfile")
+          else
+            # Yarn Classic (1.x)
+            SharedHelpers.run_shell_command(
+              "yarn install --ignore-scripts --frozen-lockfile=false",
+              fingerprint: "yarn install --ignore-scripts --frozen-lockfile=false"
+            )
+          end
+        end
+
+        sig { void }
+        def run_pnpm_lockfile_generation
+          # pnpm uses --lockfile-only to generate lockfile without installing
+          command = "install --lockfile-only --ignore-scripts"
+          Helpers.run_pnpm_command(command, fingerprint: command)
+        end
+
+        sig { returns(T.nilable(Dependabot::DependencyFile)) }
+        def read_generated_lockfile
+          lockfile_name = expected_lockfile_name
+
+          unless File.exist?(lockfile_name)
+            Dependabot.logger.warn("Lockfile #{lockfile_name} was not generated")
+            return nil
+          end
+
+          content = File.read(lockfile_name)
+
+          Dependabot::DependencyFile.new(
+            name: lockfile_name,
+            content: content,
+            directory: "/"
+          )
+        end
+
+        sig { returns(String) }
+        def expected_lockfile_name
+          case package_manager
+          when NpmPackageManager::NAME
+            NpmPackageManager::LOCKFILE_NAME
+          when YarnPackageManager::NAME
+            YarnPackageManager::LOCKFILE_NAME
+          when PNPMPackageManager::NAME
+            PNPMPackageManager::LOCKFILE_NAME
+          else
+            "package-lock.json"
+          end
+        end
+
+        sig { returns(T::Boolean) }
+        def yarn?
+          package_manager == YarnPackageManager::NAME
+        end
+
+        sig { returns(T::Boolean) }
+        def yarn_berry?
+          return false unless yarn?
+
+          # Check for .yarnrc.yml which indicates Yarn Berry
+          dependency_files.any? { |f| f.name.end_with?(".yarnrc.yml") }
+        end
+
+        sig { params(error: SharedHelpers::HelperSubprocessFailed).void }
+        def handle_generation_error(error)
+          Dependabot.logger.error(
+            "Failed to generate lockfile with #{package_manager}: #{error.message}"
+          )
+
+          # Log more details for debugging
+          if error.message.include?("ERESOLVE")
+            Dependabot.logger.error(
+              "Dependency resolution failed. This may be due to conflicting peer dependencies."
+            )
+          elsif error.message.include?("ENOTFOUND") || error.message.include?("ETIMEDOUT")
+            Dependabot.logger.error(
+              "Network error while generating lockfile. Registry may be unreachable."
+            )
+          elsif error.message.include?("401") || error.message.include?("403")
+            Dependabot.logger.error(
+              "Authentication error. Check that credentials are configured correctly."
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/dependency_grapher.rb

@@ -0,0 +1,174 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/dependency_graphers"
+require "dependabot/dependency_graphers/base"
+require "dependabot/npm_and_yarn/file_parser"
+require "dependabot/npm_and_yarn/package_manager"
+require "dependabot/npm_and_yarn/helpers"
+
+module Dependabot
+  module NpmAndYarn
+    class DependencyGrapher < Dependabot::DependencyGraphers::Base
+      extend T::Sig
+
+      require_relative "dependency_grapher/lockfile_generator"
+
+      sig { override.returns(Dependabot::DependencyFile) }
+      def relevant_dependency_file
+        # Prefer lockfile if present, otherwise use package.json
+        lockfile || package_json
+      end
+
+      sig { override.void }
+      def prepare!
+        if lockfile.nil?
+          Dependabot.logger.info("No lockfile found, generating ephemeral lockfile for dependency graphing")
+          generate_ephemeral_lockfile!
+          emit_missing_lockfile_warning!
+        end
+        super
+      end
+
+      private
+
+      sig { returns(Dependabot::DependencyFile) }
+      def package_json
+        return T.must(@package_json) if defined?(@package_json)
+
+        T.must(
+          @package_json = T.let(
+            T.must(dependency_files.find { |f| f.name.end_with?(MANIFEST_FILENAME) }),
+            T.nilable(Dependabot::DependencyFile)
+          )
+        )
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def lockfile
+        return @lockfile if defined?(@lockfile)
+
+        @lockfile = T.let(
+          dependency_files.find do |f|
+            f.name.end_with?(
+              NpmPackageManager::LOCKFILE_NAME,
+              YarnPackageManager::LOCKFILE_NAME,
+              PNPMPackageManager::LOCKFILE_NAME
+            )
+          end,
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+
+      sig { returns(T::Hash[String, T.untyped]) }
+      def parsed_package_json
+        @parsed_package_json ||= T.let(
+          JSON.parse(T.must(package_json.content)),
+          T.nilable(T::Hash[String, T.untyped])
+        )
+      rescue JSON::ParserError
+        {}
+      end
+
+      sig { returns(T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]) }
+      def lockfiles_hash
+        {
+          npm: dependency_files.find { |f| f.name.end_with?(NpmPackageManager::LOCKFILE_NAME) },
+          yarn: dependency_files.find { |f| f.name.end_with?(YarnPackageManager::LOCKFILE_NAME) },
+          pnpm: dependency_files.find { |f| f.name.end_with?(PNPMPackageManager::LOCKFILE_NAME) }
+        }
+      end
+
+      sig { returns(String) }
+      def detected_package_manager
+        @detected_package_manager ||= T.let(
+          PackageManagerDetector.new(
+            lockfiles_hash,
+            parsed_package_json
+          ).detect_package_manager,
+          T.nilable(String)
+        )
+      end
+
+      sig { void }
+      def generate_ephemeral_lockfile!
+        generator = LockfileGenerator.new(
+          dependency_files: dependency_files,
+          package_manager: detected_package_manager,
+          credentials: file_parser.credentials
+        )
+
+        ephemeral_lockfile = generator.generate
+        return unless ephemeral_lockfile
+
+        # Inject the ephemeral lockfile into the dependency files
+        # so the file parser can use it
+        inject_ephemeral_lockfile(ephemeral_lockfile)
+
+        Dependabot.logger.info(
+          "Successfully generated ephemeral #{ephemeral_lockfile.name} for dependency graphing"
+        )
+      rescue StandardError => e
+        Dependabot.logger.warn(
+          "Failed to generate ephemeral lockfile: #{e.message}. " \
+          "Dependency versions may not be resolved."
+        )
+      end
+
+      sig { params(ephemeral_lockfile: Dependabot::DependencyFile).void }
+      def inject_ephemeral_lockfile(ephemeral_lockfile)
+        dependency_files << ephemeral_lockfile
+
+        # Clear our cached lockfile reference so it picks up the new one
+        @lockfile = T.let(nil, T.nilable(Dependabot::DependencyFile))
+
+        # Clear the FileParser's memoized lockfile references so it will
+        # find the newly injected lockfile when parse is called
+        file_parser.instance_variable_set(:@package_lock, nil)
+        file_parser.instance_variable_set(:@yarn_lock, nil)
+        file_parser.instance_variable_set(:@pnpm_lock, nil)
+        # Also clear the lockfile_parser which parses lockfile content
+        file_parser.instance_variable_set(:@lockfile_parser, nil)
+        # Also clear the package_manager_helper which caches lockfile info
+        file_parser.instance_variable_set(:@package_manager_helper, nil)
+      end
+
+      sig { void }
+      def emit_missing_lockfile_warning!
+        Dependabot.logger.warn(
+          "No lockfile was found in this repository. " \
+          "Dependabot generated a temporary lockfile to determine exact dependency versions.\n\n" \
+          "To ensure consistent builds and security scanning, we recommend:\n" \
+          "  - Committing your package-lock.json (npm), yarn.lock (yarn), or pnpm-lock.yaml (pnpm)\n" \
+          "  - Setting up a scheduled Dependabot graph job to periodically scan for changes\n\n" \
+          "Without a committed lockfile, resolved dependency versions may change between scans " \
+          "due to new package releases."
+        )
+      end
+
+      # Fetches subdependencies for a given dependency.
+      # For npm/yarn/pnpm, we can extract this from the lockfile parser if available.
+      sig { override.params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
+      def fetch_subdependencies(dependency)
+        # Check if the parser has attached depends_on metadata
+        dependency.metadata.fetch(:depends_on, [])
+      end
+
+      sig { override.params(_dependency: Dependabot::Dependency).returns(String) }
+      def purl_pkg_for(_dependency)
+        "npm"
+      end
+
+      # npm packages use the package name as-is for the purl
+      sig { params(dependency: Dependabot::Dependency).returns(String) }
+      def purl_name_for(dependency)
+        # Handle scoped packages: @scope/name -> %40scope/name (URL encoded @)
+        dependency.name.sub(/^@/, "%40")
+      end
+    end
+  end
+end
+
+Dependabot::DependencyGraphers.register("npm_and_yarn", Dependabot::NpmAndYarn::DependencyGrapher)

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -284,14 +284,18 @@ module Dependabot
           # TODO: Update the npm 6 updater to use these args as we currently
           # do the same in the js updater helper, we've kept it separate for
           # the npm 7 rollout
-          install_args = top_level_dependencies.map { |dependency| npm_install_args(dependency) }
 
-          run_npm_install_lockfile_only(install_args)
+          top_level_dependencies.each do |dependency|
+            install_args = [npm_install_args(dependency)]
+            is_optional = optional_dependency?(dependency)
+            run_npm_install_lockfile_only(install_args, has_optional_dependencies: is_optional)
+          end
 
           unless dependencies_in_current_package_json
             File.write(T.must(package_json).name, previous_package_json)
 
-            run_npm_install_lockfile_only
+            # Run final install without specific dependencies
+            run_npm_install_lockfile_only([], has_optional_dependencies: false)
           end
 
           { lockfile_basename => File.read(lockfile_basename) }
@@ -339,9 +343,11 @@ module Dependabot
         #   to work around an issue in npm 6, we don't want that here
         # - `--ignore-scripts` disables prepare and prepack scripts which are
         #   run when installing git dependencies
-        sig { params(install_args: T::Array[String]).returns(String) }
-        def run_npm_install_lockfile_only(install_args = [])
-          command = [
+        # - `--save-optional` when updating optional dependencies to ensure they
+        #   stay in optionalDependencies section and allow version upgrades
+        sig { params(install_args: T::Array[String], has_optional_dependencies: T::Boolean).returns(String) }
+        def run_npm_install_lockfile_only(install_args = [], has_optional_dependencies: false)
+          command_args = [
             "install",
             *install_args,
             "--force",
@@ -349,9 +355,13 @@ module Dependabot
             "false",
             "--ignore-scripts",
             "--package-lock-only"
-          ].join(" ")
+          ]
+
+          command_args << "--save-optional" if has_optional_dependencies
 
-          fingerprint = [
+          command = command_args.join(" ")
+
+          fingerprint_args = [
             "install",
             install_args.empty? ? "" : "<install_args>",
             "--force",
@@ -359,9 +369,31 @@ module Dependabot
             "false",
             "--ignore-scripts",
             "--package-lock-only"
-          ].join(" ")
+          ]
+
+          fingerprint_args << "--save-optional" if has_optional_dependencies
+
+          fingerprint = fingerprint_args.join(" ")
+
+          env = build_registry_env_variables
+
+          Helpers.run_npm_command(command, fingerprint: fingerprint, env: env)
+        end
 
-          Helpers.run_npm_command(command, fingerprint: fingerprint)
+        sig { returns(T.nilable(T::Hash[String, String])) }
+        def build_registry_env_variables
+          return nil unless Dependabot::Experiments.enabled?(:enable_private_registry_for_corepack)
+
+          registry_helper = NpmAndYarn::RegistryHelper.new(
+            {
+              npmrc: dependency_files.find { |f| f.name.end_with?(".npmrc") },
+              yarnrc: dependency_files.find { |f| f.name.end_with?(".yarnrc") && !f.name.end_with?(".yarnrc.yml") },
+              yarnrc_yml: dependency_files.find { |f| f.name.end_with?(".yarnrc.yml") }
+            },
+            credentials
+          )
+
+          registry_helper.find_corepack_env_variables
         end
 
         sig { params(dependency: Dependabot::Dependency).returns(String) }
@@ -408,6 +440,13 @@ module Dependabot
           end
         end
 
+        sig { params(dependency: Dependabot::Dependency).returns(T::Boolean) }
+        def optional_dependency?(dependency)
+          dependency.requirements.any? do |req|
+            req[:groups]&.include?("optionalDependencies")
+          end
+        end
+
         # rubocop:disable Metrics/AbcSize
         # rubocop:disable Metrics/CyclomaticComplexity
         # rubocop:disable Metrics/PerceivedComplexity

data/lib/dependabot/npm_and_yarn.rb

@@ -10,6 +10,7 @@ require "dependabot/npm_and_yarn/file_updater"
 require "dependabot/npm_and_yarn/metadata_finder"
 require "dependabot/npm_and_yarn/requirement"
 require "dependabot/npm_and_yarn/version"
+require "dependabot/npm_and_yarn/dependency_grapher"
 
 require "dependabot/pull_request_creator/labeler"
 Dependabot::PullRequestCreator::Labeler

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.350.0
+  version: 0.351.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.350.0
+        version: 0.351.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.350.0
+        version: 0.351.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -313,6 +313,8 @@ files:
 - lib/dependabot/npm_and_yarn.rb
 - lib/dependabot/npm_and_yarn/constraint_helper.rb
 - lib/dependabot/npm_and_yarn/dependency_files_filterer.rb
+- lib/dependabot/npm_and_yarn/dependency_grapher.rb
+- lib/dependabot/npm_and_yarn/dependency_grapher/lockfile_generator.rb
 - lib/dependabot/npm_and_yarn/file_fetcher.rb
 - lib/dependabot/npm_and_yarn/file_fetcher/path_dependency_builder.rb
 - lib/dependabot/npm_and_yarn/file_parser.rb
@@ -359,7 +361,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.350.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.351.0
 rdoc_options: []
 require_paths:
 - lib