dependabot-npm_and_yarn 0.91.0

data/lib/dependabot/npm_and_yarn/update_checker/requirements_updater.rb

@@ -0,0 +1,193 @@
+# frozen_string_literal: true
+
+################################################################################
+# For more details on npm version constraints, see:                            #
+# https://docs.npmjs.com/misc/semver                                           #
+################################################################################
+
+require "dependabot/npm_and_yarn/update_checker"
+require "dependabot/npm_and_yarn/version"
+require "dependabot/npm_and_yarn/requirement"
+
+module Dependabot
+  module NpmAndYarn
+    class UpdateChecker
+      class RequirementsUpdater
+        VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/.freeze
+        SEPARATOR = /(?<=[a-zA-Z0-9*])[\s|]+(?![\s|-])/.freeze
+        ALLOWED_UPDATE_STRATEGIES =
+          %i(widen_ranges bump_versions bump_versions_if_necessary).freeze
+
+        def initialize(requirements:, updated_source:, update_strategy:,
+                       latest_version:, latest_resolvable_version:)
+          @requirements = requirements
+          @updated_source = updated_source
+          @update_strategy = update_strategy
+
+          check_update_strategy
+
+          @latest_version = version_class.new(latest_version) if latest_version
+          return unless latest_resolvable_version
+
+          @latest_resolvable_version =
+            version_class.new(latest_resolvable_version)
+        end
+
+        def updated_requirements
+          requirements.map do |req|
+            req = req.merge(source: updated_source)
+            next req unless latest_resolvable_version
+            next initial_req_after_source_change(req) unless req[:requirement]
+            next req if req[:requirement].match?(/^([A-Za-uw-z]|v[^\d])/)
+
+            case update_strategy
+            when :widen_ranges then widen_requirement(req)
+            when :bump_versions then update_version_requirement(req)
+            when :bump_versions_if_necessary
+              update_version_requirement_if_needed(req)
+            else raise "Unexpected update strategy: #{update_strategy}"
+            end
+          end
+        end
+
+        private
+
+        attr_reader :requirements, :updated_source, :update_strategy,
+                    :latest_version, :latest_resolvable_version
+
+        def check_update_strategy
+          return if ALLOWED_UPDATE_STRATEGIES.include?(update_strategy)
+
+          raise "Unknown update strategy: #{update_strategy}"
+        end
+
+        def updating_from_git_to_npm?
+          return false unless updated_source.nil?
+
+          original_source = requirements.map { |r| r[:source] }.compact.first
+          original_source&.fetch(:type) == "git"
+        end
+
+        def initial_req_after_source_change(req)
+          return req unless updating_from_git_to_npm?
+          return req unless req[:requirement].nil?
+
+          req.merge(requirement: "^#{latest_resolvable_version}")
+        end
+
+        def update_version_requirement(req)
+          current_requirement = req[:requirement]
+
+          if current_requirement.match?(/(<|-\s)/i)
+            ruby_req = ruby_requirements(current_requirement).first
+            return req if ruby_req.satisfied_by?(latest_resolvable_version)
+
+            updated_req = update_range_requirement(current_requirement)
+            return req.merge(requirement: updated_req)
+          end
+
+          reqs = current_requirement.strip.split(SEPARATOR).map(&:strip)
+          req.merge(requirement: update_version_string(reqs.first))
+        end
+
+        def update_version_requirement_if_needed(req)
+          current_requirement = req[:requirement]
+          version = latest_resolvable_version
+          return req if current_requirement.strip == ""
+
+          ruby_reqs = ruby_requirements(current_requirement)
+          return req if ruby_reqs.any? { |r| r.satisfied_by?(version) }
+
+          update_version_requirement(req)
+        end
+
+        def widen_requirement(req)
+          current_requirement = req[:requirement]
+          version = latest_resolvable_version
+          return req if current_requirement.strip == ""
+
+          ruby_reqs = ruby_requirements(current_requirement)
+          return req if ruby_reqs.any? { |r| r.satisfied_by?(version) }
+
+          reqs = current_requirement.strip.split(SEPARATOR).map(&:strip)
+
+          updated_requirement =
+            if reqs.any? { |r| r.match?(/(<|-\s)/i) }
+              update_range_requirement(current_requirement)
+            elsif current_requirement.strip.split(SEPARATOR).count == 1
+              update_version_string(current_requirement)
+            else
+              current_requirement
+            end
+
+          req.merge(requirement: updated_requirement)
+        end
+
+        def ruby_requirements(requirement_string)
+          NpmAndYarn::Requirement.
+            requirements_array(requirement_string)
+        end
+
+        def update_range_requirement(req_string)
+          range_requirements =
+            req_string.split(SEPARATOR).select { |r| r.match?(/<|(\s+-\s+)/) }
+
+          if range_requirements.count == 1
+            range_requirement = range_requirements.first
+            versions = range_requirement.scan(VERSION_REGEX)
+            upper_bound = versions.map { |v| version_class.new(v) }.max
+            new_upper_bound = update_greatest_version(
+              upper_bound,
+              latest_resolvable_version
+            )
+
+            req_string.sub(
+              upper_bound.to_s,
+              new_upper_bound.to_s
+            )
+          else
+            req_string + " || ^#{latest_resolvable_version}"
+          end
+        end
+
+        def update_version_string(req_string)
+          req_string.
+            sub(VERSION_REGEX) do |old_version|
+              if old_version.match?(/\d-/) ||
+                 latest_resolvable_version.to_s.match?(/\d-/)
+                latest_resolvable_version.to_s
+              else
+                old_parts = old_version.split(".")
+                new_parts = latest_resolvable_version.to_s.split(".").
+                            first(old_parts.count)
+                new_parts.map.with_index do |part, i|
+                  old_parts[i].match?(/^x\b/) ? "x" : part
+                end.join(".")
+              end
+            end
+        end
+
+        def update_greatest_version(old_version, version_to_be_permitted)
+          version = version_class.new(old_version)
+          version = version.release if version.prerelease?
+
+          index_to_update =
+            version.segments.map.with_index { |seg, i| seg.zero? ? 0 : i }.max
+
+          version.segments.map.with_index do |_, index|
+            if index < index_to_update
+              version_to_be_permitted.segments[index]
+            elsif index == index_to_update
+              version_to_be_permitted.segments[index] + 1
+            else 0
+            end
+          end.join(".")
+        end
+
+        def version_class
+          NpmAndYarn::Version
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -0,0 +1,223 @@
+# frozen_string_literal: true
+
+require "dependabot/npm_and_yarn/update_checker"
+require "dependabot/npm_and_yarn/file_parser"
+require "dependabot/npm_and_yarn/version"
+require "dependabot/npm_and_yarn/native_helpers"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+require "dependabot/npm_and_yarn/file_updater/npmrc_builder"
+require "dependabot/npm_and_yarn/file_updater/package_json_preparer"
+
+module Dependabot
+  module NpmAndYarn
+    class UpdateChecker
+      class SubdependencyVersionResolver
+        def initialize(dependency:, credentials:, dependency_files:,
+                       ignored_versions:)
+          @dependency       = dependency
+          @credentials      = credentials
+          @dependency_files = dependency_files
+          @ignored_versions = ignored_versions
+        end
+
+        def latest_resolvable_version
+          raise "Not a subdependency!" if dependency.requirements.any?
+
+          lockfiles = [*package_locks, *shrinkwraps, *yarn_locks]
+          updated_lockfiles = lockfiles.map do |lockfile|
+            updated_content = update_subdependency_in_lockfile(lockfile)
+            updated_lockfile = lockfile.dup
+            updated_lockfile.content = updated_content
+            updated_lockfile
+          end
+
+          version_from_updated_lockfiles(updated_lockfiles)
+        rescue SharedHelpers::HelperSubprocessFailed
+          # TODO: Move error handling logic from the FileUpdater to this class
+
+          # Return nil (no update possible) if an unknown error occurred
+          nil
+        end
+
+        private
+
+        attr_reader :dependency, :credentials, :dependency_files,
+                    :ignored_versions
+
+        def update_subdependency_in_lockfile(lockfile)
+          SharedHelpers.in_a_temporary_directory do
+            write_temporary_dependency_files
+            lockfile_name = Pathname.new(lockfile.name).basename.to_s
+            path = Pathname.new(lockfile.name).dirname.to_s
+
+            updated_files = if lockfile.name.end_with?("yarn.lock")
+                              run_yarn_updater(path, lockfile_name)
+                            else
+                              run_npm_updater(path, lockfile_name)
+                            end
+
+            updated_files.fetch(lockfile_name)
+          end
+        end
+
+        def version_from_updated_lockfiles(updated_lockfiles)
+          updated_files = dependency_files -
+                          yarn_locks -
+                          package_locks -
+                          shrinkwraps +
+                          updated_lockfiles
+
+          updated_version = NpmAndYarn::FileParser.new(
+            dependency_files: updated_files,
+            source: nil,
+            credentials: credentials
+          ).parse.find { |d| d.name == dependency.name }&.version
+          return unless updated_version
+
+          version_class.new(updated_version)
+        end
+
+        # rubocop:disable Metrics/CyclomaticComplexity
+        # rubocop:disable Metrics/PerceivedComplexity
+        def run_yarn_updater(path, lockfile_name)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              SharedHelpers.run_helper_subprocess(
+                command: "node #{yarn_helper_path}",
+                function: "updateSubdependency",
+                args: [Dir.pwd, lockfile_name]
+              )
+            end
+          end
+        rescue SharedHelpers::HelperSubprocessFailed => error
+          unfindable_str = "find package \"#{dependency.name}"
+          raise unless error.message.include?("The registry may be down") ||
+                       error.message.include?("ETIMEDOUT") ||
+                       error.message.include?("ENOBUFS") ||
+                       error.message.include?(unfindable_str)
+
+          retry_count ||= 0
+          retry_count += 1
+          raise if retry_count > 2
+
+          sleep(rand(3.0..10.0)) && retry
+        end
+        # rubocop:enable Metrics/CyclomaticComplexity
+        # rubocop:enable Metrics/PerceivedComplexity
+
+        def run_npm_updater(path, lockfile_name)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              SharedHelpers.run_helper_subprocess(
+                command: "node #{npm_helper_path}",
+                function: "updateSubdependency",
+                args: [Dir.pwd, lockfile_name]
+              )
+            end
+          end
+        end
+
+        def write_temporary_dependency_files
+          write_lock_files
+
+          File.write(".npmrc", npmrc_content)
+
+          package_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(file.name, prepared_package_json_content(file))
+          end
+        end
+
+        def write_lock_files
+          yarn_locks.each do |f|
+            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
+            File.write(f.name, prepared_yarn_lockfile_content(f.content))
+          end
+
+          [*package_locks, *shrinkwraps].each do |f|
+            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
+            File.write(f.name, prepared_npm_lockfile_content(f.content))
+          end
+        end
+
+        # Duplicated in NpmLockfileUpdater
+        # Remove the dependency we want to update from the lockfile and let
+        # yarn find the latest resolvable version and fix the lockfile
+        def prepared_yarn_lockfile_content(content)
+          content.gsub(/^#{Regexp.quote(dependency.name)}\@.*?\n\n/m, "")
+        end
+
+        def prepared_npm_lockfile_content(content)
+          JSON.dump(
+            remove_dependency_from_npm_lockfile(JSON.parse(content))
+          )
+        end
+
+        # Duplicated in NpmLockfileUpdater
+        # Remove the dependency we want to update from the lockfile and let
+        # npm find the latest resolvable version and fix the lockfile
+        def remove_dependency_from_npm_lockfile(npm_lockfile)
+          return npm_lockfile unless npm_lockfile.key?("dependencies")
+
+          dependencies =
+            npm_lockfile["dependencies"].
+            reject { |key, _| key == dependency.name }.
+            map { |k, v| [k, remove_dependency_from_npm_lockfile(v)] }.
+            to_h
+          npm_lockfile.merge("dependencies" => dependencies)
+        end
+
+        def prepared_package_json_content(file)
+          NpmAndYarn::FileUpdater::PackageJsonPreparer.new(
+            package_json_content: file.content
+          ).prepared_content
+        end
+
+        def npmrc_content
+          NpmAndYarn::FileUpdater::NpmrcBuilder.new(
+            credentials: credentials,
+            dependency_files: dependency_files
+          ).npmrc_content
+        end
+
+        def version_class
+          NpmAndYarn::Version
+        end
+
+        def package_locks
+          @package_locks ||=
+            dependency_files.
+            select { |f| f.name.end_with?("package-lock.json") }
+        end
+
+        def yarn_locks
+          @yarn_locks ||=
+            dependency_files.
+            select { |f| f.name.end_with?("yarn.lock") }
+        end
+
+        def shrinkwraps
+          @shrinkwraps ||=
+            dependency_files.
+            select { |f| f.name.end_with?("npm-shrinkwrap.json") }
+        end
+
+        def package_files
+          @package_files ||=
+            dependency_files.
+            select { |f| f.name.end_with?("package.json") }
+        end
+
+        def yarn_helper_path
+          NativeHelpers.yarn_helper_path
+        end
+
+        def npm_helper_path
+          NativeHelpers.npm_helper_path
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/update_checker/version_resolver.rb

@@ -0,0 +1,495 @@
+# frozen_string_literal: true
+
+require "dependabot/git_commit_checker"
+require "dependabot/npm_and_yarn/update_checker"
+require "dependabot/npm_and_yarn/file_parser"
+require "dependabot/npm_and_yarn/version"
+require "dependabot/npm_and_yarn/requirement"
+require "dependabot/npm_and_yarn/native_helpers"
+require "dependabot/shared_helpers"
+require "dependabot/errors"
+require "dependabot/npm_and_yarn/file_updater/npmrc_builder"
+require "dependabot/npm_and_yarn/file_updater/package_json_preparer"
+
+# rubocop:disable Metrics/ClassLength
+module Dependabot
+  module NpmAndYarn
+    class UpdateChecker
+      class VersionResolver
+        require_relative "latest_version_finder"
+
+        TIGHTLY_COUPLED_MONOREPOS = {
+          "vue" => %w(vue vue-template-compiler)
+        }.freeze
+
+        # Error message from yarn add:
+        # " > @reach/router@1.2.1" has incorrect \
+        # peer dependency "react@15.x || 16.x || 16.4.0-alpha.0911da3"
+        # " > react-burger-menu@1.9.9" has unmet \
+        # peer dependency "react@>=0.14.0 <16.0.0".
+        YARN_PEER_DEP_ERROR_REGEX =
+          /
+            "\s>\s(?<requiring_dep>[^"]+)"\s
+            has\s(incorrect|unmet)\speer\sdependency\s
+            "(?<required_dep>[^"]+)"
+          /x.freeze
+
+        # Error message from npm install:
+        # react-dom@15.2.0 requires a peer of react@^15.2.0 \
+        # but none is installed. You must install peer dependencies yourself.
+        NPM_PEER_DEP_ERROR_REGEX =
+          /
+            (?<requiring_dep>[^\s]+)\s
+            requires\sa\speer\sof\s
+            (?<required_dep>.+?)\sbut\snone\sis\sinstalled.
+          /x.freeze
+
+        def initialize(dependency:, credentials:, dependency_files:,
+                       latest_allowable_version:, latest_version_finder:)
+          @dependency               = dependency
+          @credentials              = credentials
+          @dependency_files         = dependency_files
+          @latest_allowable_version = latest_allowable_version
+
+          @latest_version_finder = {}
+          @latest_version_finder[dependency] = latest_version_finder
+        end
+
+        def latest_resolvable_version
+          return latest_allowable_version if git_dependency?(dependency)
+          return if part_of_tightly_locked_monorepo?
+
+          unless relevant_unmet_peer_dependencies.any?
+            return latest_allowable_version
+          end
+
+          satisfying_versions.first
+        end
+
+        def latest_version_resolvable_with_full_unlock?
+          return false if dependency_updates_from_full_unlock.nil?
+
+          true
+        end
+
+        def dependency_updates_from_full_unlock
+          return if git_dependency?(dependency)
+          if part_of_tightly_locked_monorepo?
+            return updated_monorepo_dependencies
+          end
+          return if newly_broken_peer_reqs_from_dep.any?
+
+          updates =
+            [{ dependency: dependency, version: latest_allowable_version }]
+          newly_broken_peer_reqs_on_dep.each do |peer_req|
+            dep_name = peer_req.fetch(:requiring_dep_name)
+            dep = top_level_dependencies.find { |d| d.name == dep_name }
+
+            # Can't handle reqs from sub-deps or git source deps (yet)
+            return nil if dep.nil?
+            return nil if git_dependency?(dep)
+
+            updated_version =
+              latest_version_of_dep_with_satisfied_peer_reqs(dep)
+            return nil unless updated_version
+
+            updates << { dependency: dep, version: updated_version }
+          end
+
+          updates
+        end
+
+        private
+
+        attr_reader :dependency, :credentials, :dependency_files,
+                    :latest_allowable_version
+
+        def latest_version_finder(dep)
+          @latest_version_finder[dep] ||=
+            LatestVersionFinder.new(
+              dependency: dep,
+              credentials: credentials,
+              dependency_files: dependency_files,
+              ignored_versions: []
+            )
+        end
+
+        def part_of_tightly_locked_monorepo?
+          monorepo_dep_names =
+            TIGHTLY_COUPLED_MONOREPOS.values.
+            find { |deps| deps.include?(dependency.name) }
+          return false unless monorepo_dep_names
+
+          deps_to_update =
+            top_level_dependencies.
+            select { |d| monorepo_dep_names.include?(d.name) }
+
+          deps_to_update.count > 1
+        end
+
+        def updated_monorepo_dependencies
+          monorepo_dep_names =
+            TIGHTLY_COUPLED_MONOREPOS.values.
+            find { |deps| deps.include?(dependency.name) }
+
+          deps_to_update =
+            top_level_dependencies.
+            select { |d| monorepo_dep_names.include?(d.name) }
+
+          updates = []
+          deps_to_update.each do |dep|
+            next if git_dependency?(dep)
+            next if dep.version &&
+                    version_class.new(dep.version) >= latest_allowable_version
+
+            updated_version =
+              latest_version_finder(dep).
+              possible_versions.
+              find { |v| v == latest_allowable_version }
+            next unless updated_version
+
+            updates << { dependency: dep, version: updated_version }
+          end
+
+          updates
+        end
+
+        def peer_dependency_errors
+          return @peer_dependency_errors if @peer_dependency_errors_checked
+
+          @peer_dependency_errors_checked = true
+
+          @peer_dependency_errors =
+            fetch_peer_dependency_errors(version: latest_allowable_version)
+        end
+
+        def old_peer_dependency_errors
+          if @old_peer_dependency_errors_checked
+            return @old_peer_dependency_errors
+          end
+
+          @old_peer_dependency_errors_checked = true
+
+          @old_peer_dependency_errors =
+            fetch_peer_dependency_errors(version: dependency.version)
+        end
+
+        def fetch_peer_dependency_errors(version:)
+          # TODO: Add all of the error handling that the FileUpdater does
+          # here (since problematic repos will be resolved here before they're
+          # seen by the FileUpdater)
+          SharedHelpers.in_a_temporary_directory do
+            write_temporary_dependency_files
+
+            package_files.flat_map do |file|
+              path = Pathname.new(file.name).dirname
+              run_checker(path: path, version: version)
+            rescue SharedHelpers::HelperSubprocessFailed => error
+              errors = []
+              if error.message.match?(NPM_PEER_DEP_ERROR_REGEX)
+                error.message.scan(NPM_PEER_DEP_ERROR_REGEX) do
+                  errors << Regexp.last_match.named_captures
+                end
+              elsif error.message.match?(YARN_PEER_DEP_ERROR_REGEX)
+                error.message.scan(YARN_PEER_DEP_ERROR_REGEX) do
+                  errors << Regexp.last_match.named_captures
+                end
+              else raise
+              end
+              errors
+            end.compact
+          end
+        rescue SharedHelpers::HelperSubprocessFailed
+          # Fall back to allowing the version through. Whatever error
+          # occurred should be properly handled by the FileUpdater. We
+          # can slowly migrate error handling to this class over time.
+          []
+        end
+
+        def unmet_peer_dependencies
+          peer_dependency_errors.
+            map { |captures| error_details_from_captures(captures) }
+        end
+
+        def old_unmet_peer_dependencies
+          old_peer_dependency_errors.
+            map { |captures| error_details_from_captures(captures) }
+        end
+
+        def error_details_from_captures(captures)
+          {
+            requirement_name:
+              captures.fetch("required_dep").sub(/@[^@]+$/, ""),
+            requirement_version:
+              captures.fetch("required_dep").split("@").last,
+            requiring_dep_name:
+              captures.fetch("requiring_dep").sub(/@[^@]+$/, "")
+          }
+        end
+
+        def relevant_unmet_peer_dependencies
+          relevant_unmet_peer_dependencies =
+            unmet_peer_dependencies.select do |dep|
+              dep[:requirement_name] == dependency.name ||
+                dep[:requiring_dep_name] == dependency.name
+            end
+
+          return [] if relevant_unmet_peer_dependencies.empty?
+
+          # Prune out any pre-existing warnings
+          relevant_unmet_peer_dependencies.reject do |issue|
+            old_unmet_peer_dependencies.any? do |old_issue|
+              old_issue.slice(:requirement_name, :requiring_dep_name) ==
+                issue.slice(:requirement_name, :requiring_dep_name)
+            end
+          end
+        end
+
+        def satisfying_versions
+          latest_version_finder(dependency).
+            possible_versions_with_details.
+            select do |version, details|
+              next false unless satisfies_peer_reqs_on_dep?(version)
+              next true unless details["peerDependencies"]
+
+              details["peerDependencies"].all? do |dep, req|
+                dep = top_level_dependencies.find { |d| d.name == dep }
+                next false unless dep
+                next git_dependency?(dep) if req.include?("/")
+
+                reqs = requirement_class.requirements_array(req)
+                next false unless version_for_dependency(dep)
+
+                reqs.any? { |r| r.satisfied_by?(version_for_dependency(dep)) }
+              rescue Gem::Requirement::BadRequirementError
+                false
+              end
+            end.
+            map(&:first)
+        end
+
+        def satisfies_peer_reqs_on_dep?(version)
+          newly_broken_peer_reqs_on_dep.all? do |peer_req|
+            req = peer_req.fetch(:requirement_version)
+
+            # Git requirements can't be satisfied by a version
+            next false if req.include?("/")
+
+            reqs = requirement_class.requirements_array(req)
+            reqs.any? { |r| r.satisfied_by?(version) }
+          end
+        end
+
+        def latest_version_of_dep_with_satisfied_peer_reqs(dep)
+          latest_version_finder(dep).
+            possible_versions_with_details.
+            find do |version, details|
+              next false unless version > version_class.new(dep.version)
+              next true unless details["peerDependencies"]
+
+              details["peerDependencies"].all? do |peer_dep_name, req|
+                # Can't handle multiple peer dependencies
+                next false unless peer_dep_name == dependency.name
+                next git_dependency?(dependency) if req.include?("/")
+
+                reqs = requirement_class.requirements_array(req)
+
+                reqs.any? { |r| r.satisfied_by?(latest_allowable_version) }
+              end
+            end&.
+            first
+        end
+
+        def git_dependency?(dep)
+          GitCommitChecker.
+            new(dependency: dep, credentials: credentials).
+            git_dependency?
+        end
+
+        def newly_broken_peer_reqs_on_dep
+          relevant_unmet_peer_dependencies.
+            select { |dep| dep[:requirement_name] == dependency.name }
+        end
+
+        def newly_broken_peer_reqs_from_dep
+          relevant_unmet_peer_dependencies.
+            select { |dep| dep[:requiring_dep_name] == dependency.name }
+        end
+
+        def run_checker(path:, version:)
+          if [*package_locks, *shrinkwraps].any?
+            run_npm_checker(path: path, version: version)
+          end
+
+          run_yarn_checker(path: path, version: version) if yarn_locks.any?
+          run_yarn_checker(path: path, version: version) if lockfiles.none?
+        end
+
+        def run_yarn_checker(path:, version:)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              SharedHelpers.run_helper_subprocess(
+                command: "node #{yarn_helper_path}",
+                function: "checkPeerDependencies",
+                args: [
+                  Dir.pwd,
+                  dependency.name,
+                  version,
+                  requirements_for_path(dependency.requirements, path)
+                ]
+              )
+            end
+          end
+        end
+
+        def run_npm_checker(path:, version:)
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(path) do
+              SharedHelpers.run_helper_subprocess(
+                command: "node #{npm_helper_path}",
+                function: "checkPeerDependencies",
+                args: [
+                  Dir.pwd,
+                  dependency.name,
+                  version,
+                  requirements_for_path(dependency.requirements, path),
+                  top_level_dependencies.map(&:to_h)
+                ]
+              )
+            end
+          end
+        end
+
+        def requirements_for_path(requirements, path)
+          return requirements if path.to_s == "."
+
+          requirements.map do |r|
+            next unless r[:file].start_with?("#{path}/")
+
+            r.merge(file: r[:file].gsub(/^#{Regexp.quote("#{path}/")}/, ""))
+          end.compact
+        end
+
+        def write_temporary_dependency_files
+          write_lock_files
+
+          File.write(".npmrc", npmrc_content)
+
+          package_files.each do |file|
+            path = file.name
+            FileUtils.mkdir_p(Pathname.new(path).dirname)
+            File.write(file.name, prepared_package_json_content(file))
+          end
+        end
+
+        def write_lock_files
+          yarn_locks.each do |f|
+            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
+            File.write(f.name, prepared_yarn_lockfile_content(f.content))
+          end
+
+          package_locks.each do |f|
+            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
+            File.write(f.name, f.content)
+          end
+
+          shrinkwraps.each do |f|
+            FileUtils.mkdir_p(Pathname.new(f.name).dirname)
+            File.write(f.name, f.content)
+          end
+        end
+
+        def prepared_yarn_lockfile_content(content)
+          content.gsub(/^#{Regexp.quote(dependency.name)}\@.*?\n\n/m, "")
+        end
+
+        def prepared_package_json_content(file)
+          NpmAndYarn::FileUpdater::PackageJsonPreparer.new(
+            package_json_content: file.content
+          ).prepared_content
+        end
+
+        def npmrc_content
+          NpmAndYarn::FileUpdater::NpmrcBuilder.new(
+            credentials: credentials,
+            dependency_files: dependency_files
+          ).npmrc_content
+        end
+
+        # Top level dependecies are required in the peer dep checker
+        # to fetch the manifests for all top level deps which may contain
+        # "peerDependency" requirements
+        def top_level_dependencies
+          @top_level_dependencies ||= NpmAndYarn::FileParser.new(
+            dependency_files: dependency_files,
+            source: nil,
+            credentials: credentials
+          ).parse.select(&:top_level?)
+        end
+
+        def lockfiles
+          [*yarn_locks, *package_locks, *shrinkwraps]
+        end
+
+        def package_locks
+          @package_locks ||=
+            dependency_files.
+            select { |f| f.name.end_with?("package-lock.json") }
+        end
+
+        def yarn_locks
+          @yarn_locks ||=
+            dependency_files.
+            select { |f| f.name.end_with?("yarn.lock") }
+        end
+
+        def shrinkwraps
+          @shrinkwraps ||=
+            dependency_files.
+            select { |f| f.name.end_with?("npm-shrinkwrap.json") }
+        end
+
+        def package_files
+          @package_files ||=
+            dependency_files.
+            select { |f| f.name.end_with?("package.json") }
+        end
+
+        def yarn_helper_path
+          NativeHelpers.yarn_helper_path
+        end
+
+        def npm_helper_path
+          NativeHelpers.npm_helper_path
+        end
+
+        def version_for_dependency(dep)
+          if dep.version && version_class.correct?(dep.version)
+            return version_class.new(dep.version)
+          end
+
+          dep.requirements.map { |r| r[:requirement] }.compact.
+            reject { |req_string| req_string.start_with?("<") }.
+            select { |req_string| req_string.match?(version_regex) }.
+            map { |req_string| req_string.match(version_regex) }.
+            select { |version| version_class.correct?(version.to_s) }.
+            map { |version| version_class.new(version.to_s) }.
+            max
+        end
+
+        def version_class
+          NpmAndYarn::Version
+        end
+
+        def requirement_class
+          NpmAndYarn::Requirement
+        end
+
+        def version_regex
+          version_class::VERSION_PATTERN
+        end
+      end
+    end
+  end
+end
+# rubocop:enable Metrics/ClassLength