dependabot-npm_and_yarn 0.133.0 → 0.133.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 389ca43068e415bb536606c04350940eeebf285929a7a770edc9ca7a72b0c6ca
-  data.tar.gz: d9fd8268110e8eb0c25f368a54effb141e09bab5bebe8e7ec6c80b341d0af8b1
+  metadata.gz: 92e7aae218d62d0f572d1707a8a77cab9d5b23808300ffe4e2f85adf71729667
+  data.tar.gz: 0cf412aa358d3438218f00cfe0a06acd1fc18139a49634b2b91626833c18e99f
 SHA512:
-  metadata.gz: b54f5aaf854e4b7fb7148d6778f4c782baee6ad18b4e9238777e70a052cfdad950722b0bf83fb9b3dc918f26d16437f5c8ba2ffab910bb4369307cacc7ee859a
-  data.tar.gz: 315f19cb352c7be0508a9a75616e5c6cbe503a2c0ffb2632a7f87337864377b17bc65b7c33f64591434b9ec2d35b99f8f432342e95eab3c5e884a8edfdc7b34b
+  metadata.gz: 0f70b817f202208c29aa894f942551144a78a0659ffb5e9f89797973b010da11b0e86f901e7b5fe0bedabe651fd2b2febb0af5a0d5c4bac71e5961bb74565c95
+  data.tar.gz: 47b091546f71e3b7b6429faf57c6b5147db9ed71cd4b99a89edaed68b4c95fe81b74eb505de34be12e59751cc911e442c73a7e52d6c227e5a81313bd7d0e9d21

data/helpers/package.json

@@ -10,7 +10,7 @@
   },
   "dependencies": {
     "@dependabot/yarn-lib": "^1.21.1",
-    "@npmcli/arborist": "^2.2.0",
+    "@npmcli/arborist": "^2.2.1",
     "detect-indent": "^6.0.0",
     "npm6": "npm:npm@6.14.11",
     "npm7": "npm:npm@7.4.0",

data/helpers/yarn.lock

@@ -543,18 +543,18 @@
     "@types/yargs" "^15.0.0"
     chalk "^4.0.0"
 
-"@npmcli/arborist@^2.0.0", "@npmcli/arborist@^2.0.3", "@npmcli/arborist@^2.2.0":
-  version "2.2.0"
-  resolved "https://registry.yarnpkg.com/@npmcli/arborist/-/arborist-2.2.0.tgz#4cd64abd0d6993382631c4064a8bef2c6c680232"
-  integrity sha512-bnQccUyKUz6Id7GgMnQiTA4E4U6LK5FolkWtVahk29JXiJYXWrRDItnjvcBbzjGAG9mAEK3LxsO3oWDvGVjw0A==
+"@npmcli/arborist@^2.0.0", "@npmcli/arborist@^2.0.3", "@npmcli/arborist@^2.2.1":
+  version "2.2.1"
+  resolved "https://registry.yarnpkg.com/@npmcli/arborist/-/arborist-2.2.1.tgz#5fbf3b697f3315be124e3477c17793ad9a68828a"
+  integrity sha512-J76nY+TYhxNLFAnWy1HqfjszC6dHy5zxHHFt1LJ2pgBDcb00ipNAbTX0qtyv6FPTF67hPErmPKePaKtFr5KvEA==
   dependencies:
-    "@npmcli/installed-package-contents" "^1.0.5"
-    "@npmcli/map-workspaces" "^1.0.1"
+    "@npmcli/installed-package-contents" "^1.0.6"
+    "@npmcli/map-workspaces" "^1.0.2"
     "@npmcli/metavuln-calculator" "^1.0.1"
     "@npmcli/move-file" "^1.1.0"
     "@npmcli/name-from-folder" "^1.0.1"
     "@npmcli/node-gyp" "^1.0.1"
-    "@npmcli/run-script" "^1.8.1"
+    "@npmcli/run-script" "^1.8.2"
     bin-links "^2.2.1"
     cacache "^15.0.3"
     common-ancestor-path "^1.0.1"
@@ -565,11 +565,11 @@
     npm-package-arg "^8.1.0"
     npm-pick-manifest "^6.1.0"
     npm-registry-fetch "^9.0.0"
-    pacote "^11.2.5"
+    pacote "^11.2.6"
     parse-conflict-json "^1.1.1"
     promise-all-reject-late "^1.0.0"
     promise-call-limit "^1.0.1"
-    read-package-json-fast "^1.2.1"
+    read-package-json-fast "^2.0.1"
     readdir-scoped-modules "^1.1.0"
     semver "^7.3.4"
     tar "^6.1.0"
@@ -607,25 +607,25 @@
     unique-filename "^1.1.1"
     which "^2.0.2"
 
-"@npmcli/installed-package-contents@^1.0.5":
-  version "1.0.5"
-  resolved "https://registry.yarnpkg.com/@npmcli/installed-package-contents/-/installed-package-contents-1.0.5.tgz#cc78565e55d9f14d46acf46a96f70934e516fa3d"
-  integrity sha512-aKIwguaaqb6ViwSOFytniGvLPb9SMCUm39TgM3SfUo7n0TxUMbwoXfpwyvQ4blm10lzbAwTsvjr7QZ85LvTi4A==
+"@npmcli/installed-package-contents@^1.0.6":
+  version "1.0.6"
+  resolved "https://registry.yarnpkg.com/@npmcli/installed-package-contents/-/installed-package-contents-1.0.6.tgz#c8e4e18d16b51f70d1bcdeeca816074ca60a8bdd"
+  integrity sha512-mpAxU8XZbhyqD1N9/fw1vS5wpKTWREDpUrTPdyQUJOT1PRXIM+DsK3Tpiftvvfi1lmvrRD2HusE2ohgGKvo3UA==
   dependencies:
     npm-bundled "^1.1.1"
     npm-normalize-package-bin "^1.0.1"
-    read-package-json-fast "^1.1.1"
+    read-package-json-fast "^2.0.1"
     readdir-scoped-modules "^1.1.0"
 
-"@npmcli/map-workspaces@^1.0.1":
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/@npmcli/map-workspaces/-/map-workspaces-1.0.1.tgz#fbbb7d7dfa650f04b8842df94bbdae26041b60fa"
-  integrity sha512-w6mVyJ2ngWV7O7f9zPjLrQzRDv7leFmNLVnewNuhouV1MYxXz61DXn2ja3AQj6xlnIp9Z/0GdV0/Ut14eVT8Vw==
+"@npmcli/map-workspaces@^1.0.2":
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/@npmcli/map-workspaces/-/map-workspaces-1.0.2.tgz#77f2400470cdc1d61731ba34a85c577ade1616b9"
+  integrity sha512-12nBSZ0EI/jRtCCjjQXF+1Twvj+ecxtBXFRomrTXR0xWn8oppc/OM53aPpPG5EnQWrKAAnOS/hEIATm6kxKz/A==
   dependencies:
     "@npmcli/name-from-folder" "^1.0.1"
     glob "^7.1.6"
     minimatch "^3.0.4"
-    read-package-json-fast "^1.2.1"
+    read-package-json-fast "^2.0.1"
 
 "@npmcli/metavuln-calculator@^1.0.1":
   version "1.0.2"
@@ -649,29 +649,29 @@
   resolved "https://registry.yarnpkg.com/@npmcli/name-from-folder/-/name-from-folder-1.0.1.tgz#77ecd0a4fcb772ba6fe927e2e2e155fbec2e6b1a"
   integrity sha512-qq3oEfcLFwNfEYOQ8HLimRGKlD8WSeGEdtUa7hmzpR8Sa7haL1KVQrvgO6wqMjhWFFVjgtrh1gIxDz+P8sjUaA==
 
-"@npmcli/node-gyp@^1.0.0", "@npmcli/node-gyp@^1.0.1":
+"@npmcli/node-gyp@^1.0.1":
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/@npmcli/node-gyp/-/node-gyp-1.0.1.tgz#dedc4ea9b3c6ef207081ebcd82c053ef60edc478"
   integrity sha512-pBqoKPWmuk9iaEcXlLBVRIA6I1kG9JiICU+sG0NuD6NAR461F+02elHJS4WkQxHW2W5rnsfvP/ClKwmsZ9RaaA==
 
-"@npmcli/promise-spawn@^1.1.0", "@npmcli/promise-spawn@^1.2.0", "@npmcli/promise-spawn@^1.3.0":
+"@npmcli/promise-spawn@^1.1.0", "@npmcli/promise-spawn@^1.2.0", "@npmcli/promise-spawn@^1.3.2":
   version "1.3.2"
   resolved "https://registry.yarnpkg.com/@npmcli/promise-spawn/-/promise-spawn-1.3.2.tgz#42d4e56a8e9274fba180dabc0aea6e38f29274f5"
   integrity sha512-QyAGYo/Fbj4MXeGdJcFzZ+FkDkomfRBrPM+9QYJSg+PxgAUL+LU3FneQk37rKR2/zjqkCV1BLHccX98wRXG3Sg==
   dependencies:
     infer-owner "^1.0.4"
 
-"@npmcli/run-script@^1.2.1", "@npmcli/run-script@^1.3.0", "@npmcli/run-script@^1.8.1":
-  version "1.8.1"
-  resolved "https://registry.yarnpkg.com/@npmcli/run-script/-/run-script-1.8.1.tgz#729c5ac7293f250b654504d263952703af6da39c"
-  integrity sha512-G8c86g9cQHyRINosIcpovzv0BkXQc3urhL1ORf3KTe4TS4UBsg2O4Z2feca/W3pfzdHEJzc83ETBW4aKbb3SaA==
+"@npmcli/run-script@^1.2.1", "@npmcli/run-script@^1.3.0", "@npmcli/run-script@^1.8.1", "@npmcli/run-script@^1.8.2":
+  version "1.8.2"
+  resolved "https://registry.yarnpkg.com/@npmcli/run-script/-/run-script-1.8.2.tgz#528627e24da72a94e3156fb78056bca995a828a0"
+  integrity sha512-iwKq152Q62zG2rz/zRqT/OLDKcF1nBGTGmFdHRkTV8JRte6bUt18vPG4vOr/uoECecrIuJe1SSyvuUF32yt5BA==
   dependencies:
-    "@npmcli/node-gyp" "^1.0.0"
-    "@npmcli/promise-spawn" "^1.3.0"
+    "@npmcli/node-gyp" "^1.0.1"
+    "@npmcli/promise-spawn" "^1.3.2"
     infer-owner "^1.0.4"
     node-gyp "^7.1.0"
     puka "^1.0.1"
-    read-package-json-fast "^1.1.3"
+    read-package-json-fast "^2.0.1"
 
 "@sinonjs/commons@^1.7.0":
   version "1.8.2"
@@ -2183,6 +2183,11 @@ err-code@^1.0.0:
   resolved "https://registry.yarnpkg.com/err-code/-/err-code-1.1.2.tgz#06e0116d3028f6aef4806849eb0ea6a748ae6960"
   integrity sha1-BuARbTAo9q70gGhJ6w6mp0iuaWA=
 
+err-code@^2.0.2:
+  version "2.0.3"
+  resolved "https://registry.yarnpkg.com/err-code/-/err-code-2.0.3.tgz#23c2f3b756ffdfc608d30e27c9a941024807e7f9"
+  integrity sha512-2bmlRpNKBxT/CRmPOlyISQpNj+qSeYvcym/uT0Jx2bMOlKLtSy1ZmLuVxSEKKyor/N5yhvp/ZiG1oE3DEYMSFA==
+
 errno@~0.1.7:
   version "0.1.8"
   resolved "https://registry.yarnpkg.com/errno/-/errno-0.1.8.tgz#8bb3e9c7d463be4976ff888f76b4809ebc2e811f"
@@ -5820,15 +5825,15 @@ package-json@^4.0.0:
     registry-url "^3.0.3"
     semver "^5.1.0"
 
-pacote@^11.1.11, pacote@^11.1.14, pacote@^11.1.4, pacote@^11.2.5:
-  version "11.2.5"
-  resolved "https://registry.yarnpkg.com/pacote/-/pacote-11.2.5.tgz#7a1ecc7ac78237b54dcbc99f42ae6cc215d6e64e"
-  integrity sha512-KgVY3Rh3xJnhnRCirmsXW8kIdbslrFTnYeTtdzyvObPgj/Tc5VqdmazxsvdXGdIgRB/Km92mBKfuWcGGqgu7UQ==
+pacote@^11.1.11, pacote@^11.1.14, pacote@^11.1.4, pacote@^11.2.6:
+  version "11.2.6"
+  resolved "https://registry.yarnpkg.com/pacote/-/pacote-11.2.6.tgz#c0426e5d5c8d33aeea3461a75e1390f1ba78f953"
+  integrity sha512-xCl++Hb3aBC7LaWMimbO4xUqZVsEbKDVc6KKDIIyAeBYrmMwY1yJC2nES/lsGd8sdQLUosgBxQyuVNncZ2Ru0w==
   dependencies:
     "@npmcli/git" "^2.0.1"
-    "@npmcli/installed-package-contents" "^1.0.5"
+    "@npmcli/installed-package-contents" "^1.0.6"
     "@npmcli/promise-spawn" "^1.2.0"
-    "@npmcli/run-script" "^1.3.0"
+    "@npmcli/run-script" "^1.8.2"
     cacache "^15.0.5"
     chownr "^2.0.0"
     fs-minipass "^2.1.0"
@@ -5839,10 +5844,10 @@ pacote@^11.1.11, pacote@^11.1.14, pacote@^11.1.4, pacote@^11.2.5:
     npm-packlist "^2.1.4"
     npm-pick-manifest "^6.0.0"
     npm-registry-fetch "^9.0.0"
-    promise-retry "^1.1.1"
-    read-package-json-fast "^1.1.3"
+    promise-retry "^2.0.1"
+    read-package-json-fast "^2.0.1"
     rimraf "^3.0.2"
-    ssri "^8.0.0"
+    ssri "^8.0.1"
     tar "^6.1.0"
 
 pacote@^9.1.0, pacote@^9.5.12, pacote@^9.5.3:
@@ -6123,6 +6128,14 @@ promise-retry@^1.1.1:
     err-code "^1.0.0"
     retry "^0.10.0"
 
+promise-retry@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/promise-retry/-/promise-retry-2.0.1.tgz#ff747a13620ab57ba688f5fc67855410c370da22"
+  integrity sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==
+  dependencies:
+    err-code "^2.0.2"
+    retry "^0.12.0"
+
 prompts@^2.0.1:
   version "2.4.0"
   resolved "https://registry.yarnpkg.com/prompts/-/prompts-2.4.0.tgz#4aa5de0723a231d1ee9121c40fdf663df73f61d7"
@@ -6299,7 +6312,7 @@ read-installed@~4.0.3:
   optionalDependencies:
     graceful-fs "^4.1.2"
 
-read-package-json-fast@^1.1.1, read-package-json-fast@^1.1.3, read-package-json-fast@^1.2.1:
+read-package-json-fast@^1.2.1:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/read-package-json-fast/-/read-package-json-fast-1.2.1.tgz#e8518d6f37c99eb3afc26704c5cbb50d7ead82dd"
   integrity sha512-OFbpwnHcv74Oa5YN5WvbOBfLw6yPmPcwvyJJw/tj9cWFBF7juQUDLDSZiOjEcgzfweWeeROOmbPpNN1qm4hcRg==
@@ -6307,6 +6320,14 @@ read-package-json-fast@^1.1.1, read-package-json-fast@^1.1.3, read-package-json-
     json-parse-even-better-errors "^2.3.0"
     npm-normalize-package-bin "^1.0.1"
 
+read-package-json-fast@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/read-package-json-fast/-/read-package-json-fast-2.0.1.tgz#c767f6c634873ffb6bb73788191b65559734f555"
+  integrity sha512-bp6z0tdgLy9KzdfENDIw/53HWAolOVoQTRWXv7PUiqAo3YvvoUVeLr7RWPWq+mu7KUOu9kiT4DvxhUgNUBsvug==
+  dependencies:
+    json-parse-even-better-errors "^2.3.0"
+    npm-normalize-package-bin "^1.0.1"
+
 "read-package-json@1 || 2", read-package-json@^2.0.0, read-package-json@^2.0.13, read-package-json@^2.1.1:
   version "2.1.2"
   resolved "https://registry.yarnpkg.com/read-package-json/-/read-package-json-2.1.2.tgz#6992b2b66c7177259feb8eaac73c3acd28b9222a"
@@ -7002,7 +7023,7 @@ ssri@^6.0.0, ssri@^6.0.1:
   dependencies:
     figgy-pudding "^3.5.1"
 
-ssri@^8.0.0:
+ssri@^8.0.0, ssri@^8.0.1:
   version "8.0.1"
   resolved "https://registry.yarnpkg.com/ssri/-/ssri-8.0.1.tgz#638e4e439e2ffbd2cd289776d5ca457c4f51a2af"
   integrity sha512-97qShzy1AiyxvPNIkLWoGua7xoQzzPjQ0HAH4B0rWKo7SZ6USuPcrUiAFrws0UH8RrbWmgq3LMTObhPIHbbBeQ==

data/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb

@@ -2,6 +2,7 @@
 
 require "dependabot/dependency_file"
 require "dependabot/npm_and_yarn/file_parser"
+require "dependabot/npm_and_yarn/helpers"
 
 module Dependabot
   module NpmAndYarn
@@ -23,23 +24,9 @@ module Dependabot
           potential_lockfiles_for_manifest(manifest_name).each do |lockfile|
             details =
               if [*package_locks, *shrinkwraps].include?(lockfile)
-                parsed_lockfile = parse_package_lock(lockfile)
-                parsed_lockfile.dig("dependencies", dependency_name)
+                npm_lockfile_details(lockfile, dependency_name, manifest_name)
               else
-                parsed_yarn_lock = parse_yarn_lock(lockfile)
-                details_candidates =
-                  parsed_yarn_lock.
-                  select { |k, _| k.split(/(?<=\w)\@/)[0] == dependency_name }
-
-                # If there's only one entry for this dependency, use it, even if
-                # the requirement in the lockfile doesn't match
-                if details_candidates.one?
-                  details_candidates.first.last
-                else
-                  details_candidates.find do |k, _|
-                    k.split(/(?<=\w)\@/)[1..-1].join("@") == requirement
-                  end&.last
-                end
+                yarn_lockfile_details(lockfile, dependency_name, requirement, manifest_name)
               end
 
             return details if details
@@ -65,6 +52,43 @@ module Dependabot
             compact
         end
 
+        def npm_lockfile_details(lockfile, dependency_name, manifest_name)
+          parsed_lockfile = parse_package_lock(lockfile)
+
+          if Helpers.npm_version(lockfile.content) == "npm7"
+            parsed_lockfile.dig(
+              "packages",
+              node_modules_path(manifest_name, dependency_name)
+            )&.slice("version", "resolved", "integrity", "dev")
+          else
+            parsed_lockfile.dig("dependencies", dependency_name)
+          end
+        end
+
+        def yarn_lockfile_details(lockfile, dependency_name, requirement, _manifest_name)
+          parsed_yarn_lock = parse_yarn_lock(lockfile)
+          details_candidates =
+            parsed_yarn_lock.
+            select { |k, _| k.split(/(?<=\w)\@/)[0] == dependency_name }
+
+          # If there's only one entry for this dependency, use it, even if
+          # the requirement in the lockfile doesn't match
+          if details_candidates.one?
+            details_candidates.first.last
+          else
+            details_candidates.find do |k, _|
+              k.split(/(?<=\w)\@/)[1..-1].join("@") == requirement
+            end&.last
+          end
+        end
+
+        def node_modules_path(manifest_name, dependency_name)
+          return "node_modules/#{dependency_name}" if manifest_name == "package.json"
+
+          workspace_path = manifest_name.gsub("/package.json", "")
+          File.join(workspace_path, "node_modules", dependency_name)
+        end
+
         def yarn_lock_dependencies
           dependency_set = Dependabot::NpmAndYarn::FileParser::DependencySet.new
 

data/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -117,11 +117,11 @@ module Dependabot
       end
 
       def package_lock_changed?(package_lock)
-        package_lock.content != updated_package_lock_content(package_lock)
+        package_lock.content != updated_lockfile_content(package_lock)
       end
 
       def shrinkwrap_changed?(shrinkwrap)
-        shrinkwrap.content != updated_package_lock_content(shrinkwrap)
+        shrinkwrap.content != updated_lockfile_content(shrinkwrap)
       end
 
       def updated_manifest_files
@@ -150,7 +150,7 @@ module Dependabot
 
           updated_files << updated_file(
             file: package_lock,
-            content: updated_package_lock_content(package_lock)
+            content: updated_lockfile_content(package_lock)
           )
         end
 
@@ -159,7 +159,7 @@ module Dependabot
 
           updated_files << updated_file(
             file: shrinkwrap,
-            content: updated_shrinkwrap_content(shrinkwrap)
+            content: updated_lockfile_content(shrinkwrap)
           )
         end
 
@@ -181,25 +181,15 @@ module Dependabot
           )
       end
 
-      def updated_package_lock_content(package_lock)
-        @updated_package_lock_content ||= {}
-        @updated_package_lock_content[package_lock.name] ||=
-          npm_lockfile_updater.updated_lockfile_content(package_lock)
-      end
-
-      def updated_shrinkwrap_content(shrinkwrap)
-        @updated_shrinkwrap_content ||= {}
-        @updated_shrinkwrap_content[shrinkwrap.name] ||=
-          npm_lockfile_updater.updated_lockfile_content(shrinkwrap)
-      end
-
-      def npm_lockfile_updater
-        @npm_lockfile_updater ||=
+      def updated_lockfile_content(file)
+        @updated_lockfile_content ||= {}
+        @updated_lockfile_content[file.name] ||=
           NpmLockfileUpdater.new(
+            lockfile: file,
             dependencies: dependencies,
             dependency_files: dependency_files,
             credentials: credentials
-          )
+          ).updated_lockfile.content
       end
 
       def updated_package_json_content(file)

data/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -17,35 +17,22 @@ module Dependabot
         require_relative "npmrc_builder"
         require_relative "package_json_updater"
 
-        def initialize(dependencies:, dependency_files:, credentials:)
+        def initialize(lockfile:, dependencies:, dependency_files:, credentials:)
+          @lockfile = lockfile
           @dependencies = dependencies
           @dependency_files = dependency_files
           @credentials = credentials
         end
 
-        def updated_lockfile_content(lockfile)
-          return lockfile.content if npmrc_disables_lockfile?
-          return lockfile.content if updatable_dependencies(lockfile).empty?
-
-          @updated_lockfile_content ||= {}
-          @updated_lockfile_content[lockfile.name] ||=
-            SharedHelpers.in_a_temporary_directory do
-              path = Pathname.new(lockfile.name).dirname.to_s
-              lockfile_name = Pathname.new(lockfile.name).basename.to_s
-              write_temporary_dependency_files(lockfile.name)
-              updated_files = Dir.chdir(path) do
-                run_current_npm_update(lockfile_name: lockfile_name, lockfile_content: lockfile.content)
-              end
-              updated_content = updated_files.fetch(lockfile_name)
-              post_process_npm_lockfile(lockfile.content, updated_content, lockfile.name)
-            end
-        rescue SharedHelpers::HelperSubprocessFailed => e
-          handle_npm_updater_error(e, lockfile)
+        def updated_lockfile
+          updated_file = lockfile.dup
+          updated_file.content = updated_lockfile_content
+          updated_file
         end
 
         private
 
-        attr_reader :dependencies, :dependency_files, :credentials
+        attr_reader :lockfile, :dependencies, :dependency_files, :credentials
 
         UNREACHABLE_GIT = /fatal: repository '(?<url>.*)' not found/.freeze
         FORBIDDEN_GIT = /fatal: Authentication failed for '(?<url>.*)'/.freeze
@@ -63,6 +50,21 @@ module Dependabot
         NPM7_MISSING_GIT_REF = /already exists and is not an empty directory/.freeze
         NPM6_MISSING_GIT_REF = /did not match any file\(s\) known to git/.freeze
 
+        def updated_lockfile_content
+          return lockfile.content if npmrc_disables_lockfile?
+          return lockfile.content unless updatable_dependencies.any?
+
+          @updated_lockfile_content ||=
+            SharedHelpers.in_a_temporary_directory do
+              write_temporary_dependency_files
+              updated_files = Dir.chdir(lockfile_directory) { run_current_npm_update }
+              updated_lockfile_content = updated_files.fetch(lockfile_basename)
+              post_process_npm_lockfile(updated_lockfile_content)
+            end
+        rescue SharedHelpers::HelperSubprocessFailed => e
+          handle_npm_updater_error(e)
+        end
+
         def top_level_dependencies
           dependencies.select(&:top_level?)
         end
@@ -71,16 +73,14 @@ module Dependabot
           dependencies.reject(&:top_level?)
         end
 
-        def updatable_dependencies(lockfile)
+        def updatable_dependencies
           dependencies.reject do |dependency|
-            dependency_up_to_date?(lockfile, dependency) ||
-              top_level_dependency_update_not_required?(dependency, lockfile)
+            dependency_up_to_date?(dependency) || top_level_dependency_update_not_required?(dependency)
           end
         end
 
-        def lockfile_dependencies(lockfile)
-          @lockfile_dependencies ||= {}
-          @lockfile_dependencies[lockfile.name] ||=
+        def lockfile_dependencies
+          @lockfile_dependencies ||=
             NpmAndYarn::FileParser.new(
               dependency_files: [lockfile, *package_files],
               source: nil,
@@ -88,9 +88,8 @@ module Dependabot
             ).parse
         end
 
-        def dependency_up_to_date?(lockfile, dependency)
-          existing_dep = lockfile_dependencies(lockfile).
-                         find { |dep| dep.name == dependency.name }
+        def dependency_up_to_date?(dependency)
+          existing_dep = lockfile_dependencies.find { |dep| dep.name == dependency.name }
 
           # If the dependency is missing but top level it should be treated as
           # not up to date
@@ -106,93 +105,81 @@ module Dependabot
         # proj). npm 7 introduces workspace support so we explitly want to
         # update the root lockfile and check if the dependency is in the
         # lockfile
-        def top_level_dependency_update_not_required?(dependency, lockfile)
-          lockfile_dir = Pathname.new(lockfile.name).dirname.to_s
-
-          requirements_for_path = dependency.requirements.select do |req|
-            req_dir = Pathname.new(req[:file]).dirname.to_s
-            req_dir == lockfile_dir
-          end
-
-          dependency_in_lockfile = lockfile_dependencies(lockfile).any? do |dep|
-            dep.name == dependency.name
-          end
-
-          dependency.top_level? && requirements_for_path.empty? && !dependency_in_lockfile
+        def top_level_dependency_update_not_required?(dependency)
+          dependency.top_level? &&
+            !dependency_in_package_json?(dependency) &&
+            !dependency_in_lockfile?(dependency)
         end
 
-        def run_current_npm_update(lockfile_name:, lockfile_content:)
-          top_level_dependency_updates = top_level_dependencies.map do |d|
-            { name: d.name, version: d.version, requirements: d.requirements }
-          end
-
-          run_npm_updater(
-            lockfile_name: lockfile_name,
-            top_level_dependency_updates: top_level_dependency_updates,
-            lockfile_content: lockfile_content
-          )
+        def run_current_npm_update
+          run_npm_updater(top_level_dependencies: top_level_dependencies)
         end
 
-        def run_previous_npm_update(lockfile_name:, lockfile_content:)
+        def run_previous_npm_update
           previous_top_level_dependencies = top_level_dependencies.map do |d|
-            {
+            Dependabot::Dependency.new(
               name: d.name,
+              package_manager: d.package_manager,
               version: d.previous_version,
-              requirements: d.previous_requirements
-            }
+              previous_version: d.previous_version,
+              requirements: d.previous_requirements,
+              previous_requirements: d.previous_requirements
+            )
           end
 
-          run_npm_updater(
-            lockfile_name: lockfile_name,
-            top_level_dependency_updates: previous_top_level_dependencies,
-            lockfile_content: lockfile_content
-          )
+          run_npm_updater(top_level_dependencies: previous_top_level_dependencies)
         end
 
-        def run_npm_updater(lockfile_name:, top_level_dependency_updates:, lockfile_content:)
+        def run_npm_updater(top_level_dependencies:)
           SharedHelpers.with_git_configured(credentials: credentials) do
-            if top_level_dependency_updates.any?
-              run_npm_top_level_updater(
-                lockfile_name: lockfile_name,
-                top_level_dependency_updates: top_level_dependency_updates,
-                lockfile_content: lockfile_content
-              )
+            if top_level_dependencies.any?
+              run_npm_top_level_updater(top_level_dependencies: top_level_dependencies)
             else
-              run_npm_subdependency_updater(lockfile_name: lockfile_name, lockfile_content: lockfile_content)
+              run_npm_subdependency_updater
             end
           end
         end
 
-        def run_npm_top_level_updater(lockfile_name:, top_level_dependency_updates:, lockfile_content:)
-          if npm7?(lockfile_content)
-            run_npm_7_top_level_updater(
-              lockfile_name: lockfile_name,
-              top_level_dependency_updates: top_level_dependency_updates
-            )
+        def run_npm_top_level_updater(top_level_dependencies:)
+          if npm7?
+            run_npm_7_top_level_updater(top_level_dependencies: top_level_dependencies)
           else
             SharedHelpers.run_helper_subprocess(
               command: NativeHelpers.helper_path,
               function: "npm6:update",
               args: [
                 Dir.pwd,
-                lockfile_name,
-                top_level_dependency_updates
+                lockfile_basename,
+                top_level_dependencies.map(&:to_h)
               ]
             )
           end
         end
 
-        def run_npm_7_top_level_updater(lockfile_name:, top_level_dependency_updates:)
-          # - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to
-          #   work around an issue in npm 6, we don't want that here
+        def run_npm_7_top_level_updater(top_level_dependencies:)
+          dependencies_in_current_package_json = top_level_dependencies.any? do |dependency|
+            dependency_in_package_json?(dependency)
+          end
+
+          # NOTE: When updating a dependency in a nested workspace project we
+          # need to run `npm install` without any arguments to update the root
+          # level lockfile after having updated the nested packages package.json
+          # requirement, otherwise npm will add the dependency as a new
+          # top-level dependency to the root lockfile.
+          install_args = ""
+          if dependencies_in_current_package_json
+            # TODO: Update the npm 6 updater to use these args as we currently
+            # do the same in the js updater helper, we've kept it seperate for
+            # the npm 7 rollout
+            install_args = top_level_dependencies.map { |dependency| npm_install_args(dependency) }
+          end
+
+          # NOTE: npm options
           # - `--force` ignores checks for platform (os, cpu) and engines
-          # - `--ignore-scripts` disables prepare and prepack scripts which are run
-          #   when installing git dependencies
-          flattenend_manifest_dependencies = flattenend_manifest_dependencies_for_lockfile_name(lockfile_name)
-          install_args = npm_top_level_updater_args(
-            top_level_dependency_updates: top_level_dependency_updates,
-            flattenend_manifest_dependencies: flattenend_manifest_dependencies
-          )
+          # - `--dry-run=false` the updater sets a global .npmrc with dry-run:
+          #   true to work around an issue in npm 6, we don't want that here
+          # - `--ignore-scripts` disables prepare and prepack scripts which are
+          #   run when installing git dependencies
           command = [
             "npm",
             "install",
@@ -204,26 +191,27 @@ module Dependabot
             "--package-lock-only"
           ].join(" ")
           SharedHelpers.run_shell_command(command)
-          { lockfile_name => File.read(lockfile_name) }
+          { lockfile_basename => File.read(lockfile_basename) }
         end
 
-        def run_npm_subdependency_updater(lockfile_name:, lockfile_content:)
-          if npm7?(lockfile_content)
-            run_npm_7_subdependency_updater(lockfile_name: lockfile_name)
+        def run_npm_subdependency_updater
+          if npm7?
+            run_npm_7_subdependency_updater
           else
             SharedHelpers.run_helper_subprocess(
               command: NativeHelpers.helper_path,
               function: "npm6:updateSubdependency",
-              args: [Dir.pwd, lockfile_name, sub_dependencies.map(&:to_h)]
+              args: [Dir.pwd, lockfile_basename, sub_dependencies.map(&:to_h)]
             )
           end
         end
 
-        def run_npm_7_subdependency_updater(lockfile_name:)
+        def run_npm_7_subdependency_updater
           dependency_names = sub_dependencies.map(&:name)
+          # NOTE: npm options
+          # - `--force` ignores checks for platform (os, cpu) and engines
           # - `--dry-run=false` the updater sets a global .npmrc with dry-run: true to
           #   work around an issue in npm 6, we don't want that here
-          # - `--force` ignores checks for platform (os, cpu) and engines
           # - `--ignore-scripts` disables prepare and prepack scripts which are run
           #   when installing git dependencies
           command = [
@@ -237,59 +225,64 @@ module Dependabot
             "--package-lock-only"
           ].join(" ")
           SharedHelpers.run_shell_command(command)
-          { lockfile_name => File.read(lockfile_name) }
+          { lockfile_basename => File.read(lockfile_basename) }
         end
 
-        # TODO: Update the npm 6 updater to use these args as we currently do
-        # the same in the js updater helper, we've kept it seperate for the npm
-        # 7 rollout
-        def npm_top_level_updater_args(top_level_dependency_updates:, flattenend_manifest_dependencies:)
-          top_level_dependency_updates.map do |dependency|
-            # NOTE: For git dependencies we loose some information about the
-            # requirement that's only available in the package.json, e.g. when
-            # specifying a semver tag:
-            # `dependabot/depeendabot-core#semver:^0.1` - this is required to
-            # pass the correct install argument to `npm install`
-            existing_version_requirement = flattenend_manifest_dependencies[dependency.fetch(:name)]
-            npm_install_args(
-              dependency.fetch(:name),
-              dependency.fetch(:version),
-              dependency.fetch(:requirements),
-              existing_version_requirement
-            )
-          end
+        def updated_version_requirement_for_dependency(dependency)
+          flattenend_manifest_dependencies[dependency.name]
         end
 
-        def flattenend_manifest_dependencies_for_lockfile_name(lockfile_name)
-          package_json_content = updated_package_json_content_for_lockfile_name(lockfile_name)
-          return {} unless package_json_content
+        # TODO: Add the raw updated requirement to the Dependency instance
+        # instead of fishing it out of the updated package json, we need to do
+        # this because we don't store the same requirement in
+        # Dependency#requirements for git dependencies - see PackageJsonUpdater
+        def flattenend_manifest_dependencies
+          return @flattenend_manifest_dependencies if defined?(@flattenend_manifest_dependencies)
 
-          parsed_package = JSON.parse(package_json_content)
-          NpmAndYarn::FileParser::DEPENDENCY_TYPES.inject({}) do |deps, type|
-            deps.merge(parsed_package[type] || {})
-          end
+          @flattenend_manifest_dependencies =
+            NpmAndYarn::FileParser::DEPENDENCY_TYPES.inject({}) do |deps, type|
+              deps.merge(parsed_package_json[type] || {})
+            end
         end
 
-        def npm_install_args(dep_name, desired_version, requirements, existing_version_requirement)
-          git_requirement = requirements.find { |req| req[:source] && req[:source][:type] == "git" }
+        def npm_install_args(dependency)
+          git_requirement = dependency.requirements.find { |req| req[:source] && req[:source][:type] == "git" }
 
           if git_requirement
-            existing_version_requirement ||= git_requirement[:source][:url]
+            # NOTE: For git dependencies we loose some information about the
+            # requirement that's only available in the package.json, e.g. when
+            # specifying a semver tag:
+            # `dependabot/depeendabot-core#semver:^0.1` - this is required to
+            # pass the correct install argument to `npm install`
+            updated_version_requirement = updated_version_requirement_for_dependency(dependency)
+            updated_version_requirement ||= git_requirement[:source][:url]
 
             # NOTE: Git is configured to auth over https while updating
-            existing_version_requirement = existing_version_requirement.gsub(
+            updated_version_requirement = updated_version_requirement.gsub(
               %r{git\+ssh://git@(.*?)[:/]}, 'https://\1/'
             )
 
             # NOTE: Keep any semver range that has already been updated by the
             # PackageJsonUpdater when installing the new version
-            if existing_version_requirement.include?(desired_version)
-              "#{dep_name}@#{existing_version_requirement}"
+            if updated_version_requirement.include?(dependency.version)
+              "#{dependency.name}@#{updated_version_requirement}"
             else
-              "#{dep_name}@#{existing_version_requirement.sub(/#.*/, '')}##{desired_version}"
+              "#{dependency.name}@#{updated_version_requirement.sub(/#.*/, '')}##{dependency.version}"
             end
           else
-            "#{dep_name}@#{desired_version}"
+            "#{dependency.name}@#{dependency.version}"
+          end
+        end
+
+        def dependency_in_package_json?(dependency)
+          dependency.requirements.any? do |req|
+            req[:file] == package_json.name
+          end
+        end
+
+        def dependency_in_lockfile?(dependency)
+          lockfile_dependencies.any? do |dep|
+            dep.name == dependency.name
           end
         end
 
@@ -297,14 +290,14 @@ module Dependabot
         # rubocop:disable Metrics/CyclomaticComplexity
         # rubocop:disable Metrics/PerceivedComplexity
         # rubocop:disable Metrics/MethodLength
-        def handle_npm_updater_error(error, lockfile)
+        def handle_npm_updater_error(error)
           error_message = error.message
           if error_message.match?(MISSING_PACKAGE)
             package_name = error_message.match(MISSING_PACKAGE).
                            named_captures["package_req"]
             sanitized_name = sanitize_package_name(package_name)
             sanitized_error = error_message.gsub(package_name, sanitized_name)
-            handle_missing_package(sanitized_name, sanitized_error, lockfile)
+            handle_missing_package(sanitized_name, sanitized_error)
           end
 
           # Invalid package: When the package.json doesn't include a name or
@@ -316,7 +309,7 @@ module Dependabot
           if error_message.match?(INVALID_PACKAGE) ||
              error_message.include?("Invalid package name") ||
              error_message.include?(sub_dep_local_path_error)
-            raise_resolvability_error(error_message, lockfile)
+            raise_resolvability_error(error_message)
           end
 
           # TODO: Move this logic to the version resolver and check if a new
@@ -340,7 +333,7 @@ module Dependabot
           # queries
           if error_message.include?("No matching vers") &&
              dependencies_in_error_message?(error_message) &&
-             resolvable_before_update?(lockfile)
+             resolvable_before_update?
 
             # Raise a bespoke error so we can capture and ignore it if
             # we're trying to create a new PR (which will be created
@@ -353,7 +346,7 @@ module Dependabot
                            named_captures["package_req"]
             sanitized_name = sanitize_package_name(package_name)
             sanitized_error = error_message.gsub(package_name, sanitized_name)
-            handle_missing_package(sanitized_name, sanitized_error, lockfile)
+            handle_missing_package(sanitized_name, sanitized_error)
           end
 
           # Some private registries return a 403 when the user is readonly
@@ -362,7 +355,7 @@ module Dependabot
                            named_captures["package_req"]
             sanitized_name = sanitize_package_name(package_name)
             sanitized_error = error_message.gsub(package_name, sanitized_name)
-            handle_missing_package(sanitized_name, sanitized_error, lockfile)
+            handle_missing_package(sanitized_name, sanitized_error)
           end
 
           if (git_error = error_message.match(UNREACHABLE_GIT) || error_message.match(FORBIDDEN_GIT))
@@ -379,9 +372,8 @@ module Dependabot
           # people to re-generate their lockfiles (Future feature idea: add a
           # way to click-to-fix the lockfile from the issue)
           if error_message.include?("Cannot read property 'match' of ") &&
-             !resolvable_before_update?(lockfile)
-            raise_missing_lockfile_version_resolvability_error(error_message,
-                                                               lockfile)
+             !resolvable_before_update?
+            raise_missing_lockfile_version_resolvability_error(error_message)
           end
 
           if (error_message.include?("No matching vers") ||
@@ -390,8 +382,8 @@ module Dependabot
              error_message.include?("Invalid tag name") ||
              error_message.match?(NPM6_MISSING_GIT_REF) ||
              error_message.match?(NPM7_MISSING_GIT_REF)) &&
-             !resolvable_before_update?(lockfile)
-            raise_resolvability_error(error_message, lockfile)
+             !resolvable_before_update?
+            raise_resolvability_error(error_message)
           end
 
           # NOTE: This check was introduced in npm7/arborist
@@ -407,17 +399,15 @@ module Dependabot
         # rubocop:enable Metrics/PerceivedComplexity
         # rubocop:enable Metrics/MethodLength
 
-        def raise_resolvability_error(error_message, lockfile)
+        def raise_resolvability_error(error_message)
           dependency_names = dependencies.map(&:name).join(", ")
           msg = "Error whilst updating #{dependency_names} in "\
                 "#{lockfile.path}:\n#{error_message}"
           raise Dependabot::DependencyFileNotResolvable, msg
         end
 
-        def raise_missing_lockfile_version_resolvability_error(error_message,
-                                                               lockfile)
-          lockfile_dir = Pathname.new(lockfile.name).dirname
-          modules_path = lockfile_dir.join("node_modules")
+        def raise_missing_lockfile_version_resolvability_error(error_message)
+          modules_path = File.join(lockfile_directory, "node_modules")
           # NOTE: don't include the dependency names to prevent opening
           # multiple issues for each dependency that fails because we unique
           # issues on the error message (issue detail) on the backend
@@ -432,11 +422,10 @@ module Dependabot
           raise Dependabot::DependencyFileNotResolvable, msg
         end
 
-        def handle_missing_package(package_name, error_message, lockfile)
-          missing_dep = lockfile_dependencies(lockfile).
-                        find { |dep| dep.name == package_name }
+        def handle_missing_package(package_name, error_message)
+          missing_dep = lockfile_dependencies.find { |dep| dep.name == package_name }
 
-          raise_resolvability_error(error_message, lockfile) unless missing_dep
+          raise_resolvability_error(error_message) unless missing_dep
 
           reg = NpmAndYarn::UpdateChecker::RegistryFinder.new(
             dependency: missing_dep,
@@ -458,23 +447,14 @@ module Dependabot
           end
         end
 
-        def resolvable_before_update?(lockfile)
-          @resolvable_before_update ||= {}
-          return @resolvable_before_update[lockfile.name] if @resolvable_before_update.key?(lockfile.name)
+        def resolvable_before_update?
+          return @resolvable_before_update if defined?(@resolvable_before_update)
 
-          @resolvable_before_update[lockfile.name] =
+          @resolvable_before_update =
             begin
               SharedHelpers.in_a_temporary_directory do
-                write_temporary_dependency_files(
-                  lockfile.name,
-                  update_package_json: false
-                )
-
-                lockfile_name = Pathname.new(lockfile.name).basename.to_s
-                path = Pathname.new(lockfile.name).dirname.to_s
-                Dir.chdir(path) do
-                  run_previous_npm_update(lockfile_name: lockfile_name, lockfile_content: lockfile.content)
-                end
+                write_temporary_dependency_files(update_package_json: false)
+                Dir.chdir(lockfile_directory) { run_previous_npm_update }
               end
 
               true
@@ -492,12 +472,10 @@ module Dependabot
           end
         end
 
-        def write_temporary_dependency_files(lockfile_name,
-                                             update_package_json: true)
-          write_lockfiles(lockfile_name)
+        def write_temporary_dependency_files(update_package_json: true)
+          write_lockfiles
 
-          dir = Pathname.new(lockfile_name).dirname
-          File.write(File.join(dir, ".npmrc"), npmrc_content)
+          File.write(File.join(lockfile_directory, ".npmrc"), npmrc_content)
 
           package_files.each do |file|
             path = file.name
@@ -524,9 +502,9 @@ module Dependabot
           end
         end
 
-        def write_lockfiles(lockfile_name)
+        def write_lockfiles
           excluded_lock =
-            case lockfile_name
+            case lockfile.name
             when "package-lock.json" then "npm-shrinkwrap.json"
             when "npm-shrinkwrap.json" then "package-lock.json"
             end
@@ -627,22 +605,86 @@ module Dependabot
           @git_ssh_requirements_to_swap
         end
 
-        def post_process_npm_lockfile(original_content, updated_content, lockfile_name)
-          updated_content = replace_project_metadata(updated_content, original_content)
-
+        def post_process_npm_lockfile(updated_lockfile_content)
           # Switch SSH requirements back for git dependencies
-          updated_content = replace_swapped_git_ssh_requirements(updated_content)
+          updated_lockfile_content = replace_swapped_git_ssh_requirements(updated_lockfile_content)
 
           # Switch from details back for git dependencies (they will have
           # changed because we locked them)
-          updated_content = replace_locked_git_dependencies(updated_content)
+          updated_lockfile_content = replace_locked_git_dependencies(updated_lockfile_content)
+
+          parsed_updated_lockfile_content = JSON.parse(updated_lockfile_content)
+
+          # Restore lockfile name attribute from the original lockfile
+          updated_lockfile_content = replace_project_name(updated_lockfile_content, parsed_updated_lockfile_content)
+
+          # Restore npm 7 "packages" "name" entry from package.json if previously set
+          updated_lockfile_content = restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
 
           # Switch back npm 7 lockfile "pacakages" requirements from the package.json
-          updated_content = restore_locked_package_dependencies(lockfile_name, updated_content)
+          updated_lockfile_content = restore_locked_package_dependencies(
+            updated_lockfile_content, parsed_updated_lockfile_content
+          )
 
           # Switch back the protocol of tarball resolutions if they've changed
           # (fixes an npm bug, which appears to be applied inconsistently)
-          replace_tarball_urls(updated_content)
+          replace_tarball_urls(updated_lockfile_content)
+        end
+
+        def replace_project_name(updated_lockfile_content, parsed_updated_lockfile_content)
+          current_name = parsed_updated_lockfile_content["name"]
+          original_name = parsed_lockfile["name"]
+          if original_name
+            updated_lockfile_content = replace_lockfile_name_attribute(
+              current_name, original_name, updated_lockfile_content
+            )
+          end
+          updated_lockfile_content
+        end
+
+        def restore_packages_name(updated_lockfile_content, parsed_updated_lockfile_content)
+          return updated_lockfile_content unless npm7?
+
+          current_name = parsed_updated_lockfile_content.dig("packages", "", "name")
+          original_name = parsed_lockfile.dig("packages", "", "name")
+
+          # TODO: Submit a patch to npm fixing this issue making `npm install`
+          # consistent with `npm install --package-lock-only`
+          #
+          # NOTE: This is a workaround for npm adding a `name` attribute to the
+          # packages section in the lockfile because we install using
+          # `--package-lock-only`
+          if !original_name
+            updated_lockfile_content = remove_lockfile_packages_name_attribute(
+              current_name, updated_lockfile_content
+            )
+          elsif original_name && original_name != current_name
+            updated_lockfile_content = replace_lockfile_packages_name_attribute(
+              current_name, original_name, updated_lockfile_content
+            )
+          end
+
+          updated_lockfile_content
+        end
+
+        def replace_lockfile_name_attribute(current_name, original_name, updated_lockfile_content)
+          updated_lockfile_content.sub(
+            /"name":\s"#{current_name}"/,
+            "\"name\": \"#{original_name}\""
+          )
+        end
+
+        def replace_lockfile_packages_name_attribute(current_name, original_name, updated_lockfile_content)
+          packages_key_line = '"": {'
+          updated_lockfile_content.sub(
+            /(#{packages_key_line}[\n\s]+"name":\s)"#{current_name}"/,
+            '\1"' + original_name + '"'
+          )
+        end
+
+        def remove_lockfile_packages_name_attribute(current_name, updated_lockfile_content)
+          packages_key_line = '"": {'
+          updated_lockfile_content.gsub(/(#{packages_key_line})[\n\s]+"name":\s"#{current_name}",/, '\1')
         end
 
         # NOTE: This is a workaround to "sync" what's in package.json
@@ -654,43 +696,38 @@ module Dependabot
         # `package.json` requirement for eslint at `^1.0.0`, in which case we
         # need to copy this from the manifest to the lockfile after the update
         # has finished.
-        def restore_locked_package_dependencies(lockfile_name, lockfile_content)
-          return lockfile_content unless npm7?(lockfile_content)
-
-          original_package = updated_package_json_content_for_lockfile_name(lockfile_name)
-          return lockfile_content unless original_package
+        def restore_locked_package_dependencies(updated_lockfile_content, parsed_updated_lockfile_content)
+          return updated_lockfile_content unless npm7?
 
-          parsed_package = JSON.parse(original_package)
-          parsed_lockfile = JSON.parse(lockfile_content)
           dependency_names_to_restore = (dependencies.map(&:name) + git_dependencies_to_lock.keys).uniq
 
           NpmAndYarn::FileParser::DEPENDENCY_TYPES.each do |type|
-            parsed_package.fetch(type, {}).each do |dependency_name, original_requirement|
+            parsed_package_json.fetch(type, {}).each do |dependency_name, original_requirement|
               next unless dependency_names_to_restore.include?(dependency_name)
 
-              locked_requirement = parsed_lockfile.dig("packages", "", type, dependency_name)
+              locked_requirement = parsed_updated_lockfile_content.dig("packages", "", type, dependency_name)
               next unless locked_requirement
 
               locked_req = %("#{dependency_name}": "#{locked_requirement}")
               original_req = %("#{dependency_name}": "#{original_requirement}")
-              lockfile_content = lockfile_content.gsub(locked_req, original_req)
+              updated_lockfile_content = updated_lockfile_content.gsub(locked_req, original_req)
             end
           end
 
-          lockfile_content
+          updated_lockfile_content
         end
 
-        def replace_swapped_git_ssh_requirements(lockfile_content)
+        def replace_swapped_git_ssh_requirements(updated_lockfile_content)
           git_ssh_requirements_to_swap.each do |req|
             new_r = req.gsub(%r{git\+ssh://git@(.*?)[:/]}, 'git+https://\1/')
             old_r = req.gsub(%r{git@(.*?)[:/]}, 'git@\1/')
-            lockfile_content = lockfile_content.gsub(new_r, old_r)
+            updated_lockfile_content = updated_lockfile_content.gsub(new_r, old_r)
           end
 
-          lockfile_content
+          updated_lockfile_content
         end
 
-        def replace_locked_git_dependencies(lockfile_content)
+        def replace_locked_git_dependencies(updated_lockfile_content)
           # Switch from details back for git dependencies (they will have
           # changed because we locked them)
           git_dependencies_to_lock.each do |dependency_name, details|
@@ -701,44 +738,33 @@ module Dependabot
             # updates the lockfile "from" field to the new git commit when we
             # run npm install
             original_from = %("from": "#{details[:from]}")
-            if npm7?(lockfile_content)
+            if npm7?
               # NOTE: The `from` syntax has changed in npm 7 to inclued the dependency name
               npm7_locked_from = %("from": "#{dependency_name}@#{details[:version]}")
-              lockfile_content = lockfile_content.gsub(npm7_locked_from, original_from)
+              updated_lockfile_content = updated_lockfile_content.gsub(npm7_locked_from, original_from)
             else
               npm6_locked_from = %("from": "#{details[:version]}")
-              lockfile_content = lockfile_content.gsub(npm6_locked_from, original_from)
+              updated_lockfile_content = updated_lockfile_content.gsub(npm6_locked_from, original_from)
             end
           end
 
-          lockfile_content
+          updated_lockfile_content
         end
 
-        def replace_tarball_urls(lockfile_content)
+        def replace_tarball_urls(updated_lockfile_content)
           tarball_urls.each do |url|
             trimmed_url = url.gsub(/(\d+\.)*tgz$/, "")
             incorrect_url = if url.start_with?("https")
                               trimmed_url.gsub(/^https:/, "http:")
                             else trimmed_url.gsub(/^http:/, "https:")
                             end
-            lockfile_content = lockfile_content.gsub(
+            updated_lockfile_content = updated_lockfile_content.gsub(
               /#{Regexp.quote(incorrect_url)}(?=(\d+\.)*tgz")/,
               trimmed_url
             )
           end
 
-          lockfile_content
-        end
-
-        def replace_project_metadata(new_content, old_content)
-          old_name = old_content.match(/(?<="name": ").*(?=",)/)&.to_s
-
-          if old_name
-            new_content = new_content.
-                          sub(/(?<="name": ").*(?=",)/, old_name)
-          end
-
-          new_content
+          updated_lockfile_content
         end
 
         def tarball_urls
@@ -765,15 +791,6 @@ module Dependabot
           ).npmrc_content
         end
 
-        def updated_package_json_content_for_lockfile_name(lockfile_name)
-          lockfile_basename = Pathname.new(lockfile_name).basename.to_s
-          package_name = lockfile_name.sub(lockfile_basename, "package.json")
-          package_json = package_files.find { |f| f.name == package_name }
-          return unless package_json
-
-          updated_package_json_content(package_json)
-        end
-
         def updated_package_json_content(file)
           @updated_package_json_content ||= {}
           @updated_package_json_content[file.name] ||=
@@ -787,8 +804,10 @@ module Dependabot
           npmrc_content.match?(/^package-lock\s*=\s*false/)
         end
 
-        def npm7?(lockfile_content)
-          Dependabot::NpmAndYarn::Helpers.npm_version(lockfile_content) == "npm7"
+        def npm7?
+          return @npm7 if defined?(@npm7)
+
+          @npm7 = Dependabot::NpmAndYarn::Helpers.npm_version(lockfile.content) == "npm7"
         end
 
         def sanitized_package_json_content(content)
@@ -802,6 +821,30 @@ module Dependabot
           package_name.gsub("%2f", "/").gsub("%2F", "/")
         end
 
+        def lockfile_directory
+          Pathname.new(lockfile.name).dirname.to_s
+        end
+
+        def lockfile_basename
+          Pathname.new(lockfile.name).basename.to_s
+        end
+
+        def parsed_lockfile
+          @parsed_lockfile ||= JSON.parse(lockfile.content)
+        end
+
+        def parsed_package_json
+          return {} unless package_json
+          return @parsed_package_json if defined?(@parsed_package_json)
+
+          @parsed_package_json = JSON.parse(updated_package_json_content(package_json))
+        end
+
+        def package_json
+          package_name = lockfile.name.sub(lockfile_basename, "package.json")
+          package_files.find { |f| f.name == package_name }
+        end
+
         def package_locks
           @package_locks ||=
             dependency_files.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.133.0
+  version: 0.133.1
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-09 00:00:00.000000000 Z
+date: 2021-02-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.133.0
+        version: 0.133.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.133.0
+        version: 0.133.1
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement