dependabot-npm_and_yarn 0.373.0 → 0.374.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d0c7fd9ad9edbc848ecc61bacd020254d35d569f4b1cea212522b993af8644e4
-  data.tar.gz: d2c20af4468b35af219b1f515f9be0f03d5d1a33d4a8c3bc999b9eeb07e08cb7
+  metadata.gz: 6d73a3111c08214ea172fa372dc8a3170c06e320ff7584da2b3bbf874de01b53
+  data.tar.gz: 64dde7b56d164827bd2a9ad46665b52bd97ffa93cfa35032ef03f0b827f344dc
 SHA512:
-  metadata.gz: f0088c2492c6d9c1c4719dd3ce080cf56ef29e0a71d5b0e68f6a1994323d6ce267576a1a9e1f2ea3f89481fa9519df63968a455f9b5a68b72d76d9664ab1befd
-  data.tar.gz: 7dcaf7008726c174dd201f7316f56454a9f251a3418d9c15494c584f90156042e9fad1634be2b9510502022e5563c05b9e26cb1ade420989832e82bc8e628544
+  metadata.gz: dd062f7ceca3feef8ac45235c5063c45a990347cd31c6702d4fbe377a932398ee556cf94124ca0db27bcdaea9f01ec55b1cdf16d6fb498c158c66fb8735c84ce
+  data.tar.gz: d84403b98bf265e074e087a386441929bfd66fdf01a5339503e8c93977107577f2b84b00330f6a049b7c594da104bc3367be36f4c44ff542704e415dfed3a125

data/helpers/lib/npm/vulnerability-auditor.ts

@@ -222,7 +222,7 @@ export async function findVulnerableDependencies(
         return left.localeCompare(right);
       });
     const remainingVulnerableTargets = vulnLocations
-      .map((loc) => lookupChildLocation(fixTree, loc)?.version)
+      .map((loc) => resolveNodeFromLocation(fixTree, loc)?.version)
       .filter((version): version is string => typeof version === "string");
 
     // If any originally vulnerable location still exists after applying the
@@ -233,7 +233,7 @@ export async function findVulnerableDependencies(
       remainingVulnerableTargets[0] ?? fixTree.children.get(name)?.version;
 
     for (const update of response.fix_updates) {
-      update.target_version = lookupChildLocation(
+      update.target_version = resolveNodeFromLocation(
         fixTree,
         update.dependency_location!
       )?.version;
@@ -358,12 +358,17 @@ function groupBy<T>(
 }
 
 /**
- * Look up the child node at the given location in the tree rooted at `root`.
- * `root` is an ArboristNode, and `location` is a string containing the normalized
- * path to the child node, relative to the root. This string can be taken from
- * ArboristNode.location and will be of the form "node_modules/foo/node_modules/bar".
+ * Resolve the node at the given location in the tree rooted at `root`, returning
+ * null if the location is invalid or doesn't exist in the tree. The location is a
+ * string containing the normalized path to the node, relative to the root, and can
+ * be taken from ArboristNode.location. It will be of the form "node_modules/foo/node_modules/bar".
+ *
+ * If the exact package location does not exist in the tree, the function will use
+ * Arborist's resolve method to attempt to resolve the target package from the furthest
+ * existing ancestor location. This allows us to handle cases where the fixed package
+ * is hoisted to a higher level in the tree than the vulnerable package was originally located.
  */
-function lookupChildLocation(
+function resolveNodeFromLocation(
   root: Arborist.Node,
   location: string
 ): Arborist.Node | Arborist.Link | null {
@@ -374,14 +379,20 @@ function lookupChildLocation(
   const parts = location
     .substring("node_modules/".length)
     .split("/node_modules/");
-  let current: Arborist.Node | Arborist.Link | undefined = root;
-  for (const part of parts) {
-    if (!current) {
-      return null;
+  const target = parts[parts.length - 1];
+  let current: Arborist.Node | Arborist.Link = root;
+  for (const pkgName of parts) {
+    const next: Arborist.Node | Arborist.Link | undefined =
+      current.children.get(pkgName);
+    if (!next) {
+      // This is the furthest we can resolve down the tree based on the given location.
+      // Ask the tree to resolve the target node.
+      return current.resolve(target) as Arborist.Node | null;
     }
-    current = current.children.get(part);
+    current = next;
   }
-  return current ?? null;
+  // We've resolved the entire location successfully.
+  return current;
 }
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any

data/helpers/test/npm/fixtures/vulnerability-auditor/fix-hoists-package/package-lock.json

@@ -0,0 +1,37 @@
+{
+  "name": "test-vulnerability-auditor-fix-hoists-package",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "test-vulnerability-auditor-fix-hoists-package",
+      "version": "1.0.0",
+      "dependencies": {
+        "@dependabot-fixtures/npm-parent-dependency-with-more-versions": "1.0.0",
+        "@dependabot-fixtures/npm-transitive-dependency-with-more-versions": "1.0.0"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-parent-dependency-with-more-versions": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-parent-dependency-with-more-versions/-/npm-parent-dependency-with-more-versions-1.0.0.tgz",
+      "integrity": "sha512-Ys1u0synVJwqj1+bgo6g0uWMMDg3v55IG8O6qEM2WKP0Y9lmxSoN2egArdfBZcKuut+1EBcWmtM89g6P40EFJw==",
+      "license": "ISC",
+      "dependencies": {
+        "@dependabot-fixtures/npm-transitive-dependency-with-more-versions": "^1.0.0"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-parent-dependency-with-more-versions/node_modules/@dependabot-fixtures/npm-transitive-dependency-with-more-versions": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-transitive-dependency-with-more-versions/-/npm-transitive-dependency-with-more-versions-1.0.1.tgz",
+      "integrity": "sha512-L25+LUfJNPO3T+/RdhG62Hv2gIwiZLWR05qqqV1mzqD9goLy31/oc5rcF8/0pjOF45Zv/JqZm2whi4qhXa9plw==",
+      "license": "ISC"
+    },
+    "node_modules/@dependabot-fixtures/npm-transitive-dependency-with-more-versions": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-transitive-dependency-with-more-versions/-/npm-transitive-dependency-with-more-versions-1.0.0.tgz",
+      "integrity": "sha512-IHtKNrRBm6bDrL2Jf1w+ZMg/4MmAb6MMHmP8CVebKnfn6Za7h39L7hG/ozA0vKI1ZZpGSfkRshvCd9EFFAc8IA==",
+      "license": "ISC"
+    }
+  }
+}

data/helpers/test/npm/fixtures/vulnerability-auditor/fix-hoists-package/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "test-vulnerability-auditor-fix-hoists-package",
+  "version": "1.0.0",
+  "private": true,
+  "description": "",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "@dependabot-fixtures/npm-parent-dependency-with-more-versions": "1.0.0",
+    "@dependabot-fixtures/npm-transitive-dependency-with-more-versions": "1.0.0"
+  }
+}

data/helpers/test/npm/fixtures/vulnerability-auditor/fix-removes-package/package-lock.json

@@ -0,0 +1,30 @@
+{
+  "name": "test-vulnerability-auditor-fix-removes-package",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "test-vulnerability-auditor-fix-removes-package",
+      "version": "1.0.0",
+      "dependencies": {
+        "@dependabot-fixtures/npm-remove-dependency": "^10.0.0"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-remove-dependency": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-remove-dependency/-/npm-remove-dependency-10.0.0.tgz",
+      "integrity": "sha512-QMgb6isjtNCnql6Nn+/h2v759qIW4f1ZDER8IbUJaIuyppDq3BqABbiwTFNenynu39yQZ1YAUFbWuNGeECNLyw==",
+      "license": "ISC",
+      "dependencies": {
+        "@dependabot-fixtures/npm-transitive-dependency": "1.0.0"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-transitive-dependency": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-transitive-dependency/-/npm-transitive-dependency-1.0.0.tgz",
+      "integrity": "sha512-nFbzQH0TRgdzSA2/FH6MPnxZDpD+5Bgz00aD5Edgbc1wY/k8VC9s7lnk22dBTgJLwoY7MgbrnAf9rAvN08hHVg==",
+      "license": "ISC"
+    }
+  }
+}

data/helpers/test/npm/fixtures/vulnerability-auditor/fix-removes-package/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "test-vulnerability-auditor-fix-removes-package",
+  "version": "1.0.0",
+  "private": true,
+  "description": "",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "dependencies": {
+    "@dependabot-fixtures/npm-remove-dependency": "^10.0.0"
+  }
+}

data/helpers/test/npm/fixtures/vulnerability-auditor/outdated-package-lock/package-lock.json

@@ -0,0 +1,37 @@
+{
+  "name": "locked-transitive-dependency-outdated",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "locked-transitive-dependency-outdated",
+      "version": "1.0.0",
+      "license": "ISC",
+      "dependencies": {
+        "@dependabot-fixtures/npm-parent-dependency": "2.0.0"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-intermediate-dependency": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-intermediate-dependency/-/npm-intermediate-dependency-0.0.1.tgz",
+      "integrity": "sha512-/N77Dzpfg8BIfFgpJrMk86ueUYTVhmpc4RobuHpIpKSc3GZr4Ltu4au92brnUGk66UkzgrMmtgqRXO8OrOspKQ==",
+      "dependencies": {
+        "@dependabot-fixtures/npm-transitive-dependency": "1.0.0"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-parent-dependency": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-parent-dependency/-/npm-parent-dependency-2.0.0.tgz",
+      "integrity": "sha512-5LtLEL1yzO2TdkNX3R9cvr+nKmhw5h4xM0wkFTJeK14wxlI9d8gEYA+I2hUi+IP96ucBSztAnOgZVwoJHEZb6A==",
+      "dependencies": {
+        "@dependabot-fixtures/npm-intermediate-dependency": "0.0.1"
+      }
+    },
+    "node_modules/@dependabot-fixtures/npm-transitive-dependency": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@dependabot-fixtures/npm-transitive-dependency/-/npm-transitive-dependency-1.0.0.tgz",
+      "integrity": "sha512-nFbzQH0TRgdzSA2/FH6MPnxZDpD+5Bgz00aD5Edgbc1wY/k8VC9s7lnk22dBTgJLwoY7MgbrnAf9rAvN08hHVg=="
+    }
+  }
+}

data/helpers/test/npm/fixtures/vulnerability-auditor/outdated-package-lock/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "locked-transitive-dependency-outdated",
+  "version": "1.0.0",
+  "description": "test fixture where the lockfile contains a vulnerability but it's not in sync with this file",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {}
+}

data/helpers/test/npm/vulnerability-auditor.test.ts

@@ -52,28 +52,34 @@ describe("findVulnerableDependencies", () => {
       },
     ];
     const actual = await findVulnerableDependencies(tempDir, advisories);
-    const expected = {
-      dependency_name: "@msgpack/msgpack",
-      fix_updates: [
+
+    expect(actual.dependency_name).toBe("@msgpack/msgpack");
+    expect(actual.current_version).toBe("2.7.2");
+    expect(actual.fix_available).toBe(true);
+    expect(actual.target_version).toBe("2.8.0");
+
+    expect(actual.top_level_ancestors).toHaveLength(2);
+    expect(actual.top_level_ancestors).toEqual(
+      expect.arrayContaining(["@msgpack/msgpack", "wireql-client"])
+    );
+
+    expect(actual.fix_updates).toHaveLength(2);
+    expect(actual.fix_updates).toEqual(
+      expect.arrayContaining([
         {
           dependency_name: "@msgpack/msgpack",
           current_version: "2.7.2",
-          top_level_ancestors: [],
           target_version: "2.8.0",
+          top_level_ancestors: [],
         },
         {
           dependency_name: "@msgpack/msgpack",
           current_version: "3.0.0",
-          top_level_ancestors: ["wireql-client"],
           target_version: "3.1.3",
+          top_level_ancestors: ["wireql-client"],
         },
-      ],
-      top_level_ancestors: ["@msgpack/msgpack", "wireql-client"],
-      current_version: "2.7.2",
-      fix_available: true,
-      target_version: "2.8.0",
-    };
-    expect(actual).toEqual(expected);
+      ])
+    );
   });
 
   it("finds vulnerable dependencies through workspace link nodes", async () => {
@@ -95,15 +101,130 @@ describe("findVulnerableDependencies", () => {
     // chains and the dependency would appear to have no top-level ancestors.
     // Note: the ancestor name comes from the Link target's directory ("app"),
     // not its package.json name ("@test/app").
+    expect(actual.dependency_name).toBe(
+      "@dependabot-fixtures/npm-parent-dependency"
+    );
+    expect(actual.current_version).toBe("2.0.0");
     expect(actual.fix_available).toBe(true);
+    expect(actual.target_version).toBe("2.0.2");
+
     expect(actual.top_level_ancestors).toEqual(["app"]);
+
     expect(actual.fix_updates).toEqual([
       {
         dependency_name: "@dependabot-fixtures/npm-parent-dependency",
         current_version: "2.0.0",
-        top_level_ancestors: ["app"],
         target_version: "2.0.2",
+        top_level_ancestors: ["app"],
       },
     ]);
   });
+
+  it("returns empty fix updates when package-lock.json is outdated", async () => {
+    helpers.copyDependencies(
+      "vulnerability-auditor/outdated-package-lock",
+      tempDir
+    );
+
+    const advisories = [
+      {
+        dependency_name: "@dependabot-fixtures/npm-transitive-dependency",
+        affected_versions: [">= 0, < 1.0.1"],
+      },
+    ];
+    const actual = await findVulnerableDependencies(tempDir, advisories);
+    const expected = {
+      current_version: "1.0.0",
+      dependency_name: "@dependabot-fixtures/npm-transitive-dependency",
+      fix_available: true,
+      fix_updates: [],
+      target_version: undefined,
+      top_level_ancestors: [],
+    };
+    expect(actual).toEqual(expected);
+  });
+
+  it("has undefined target_version when a vulnerable package is removed", async () => {
+    helpers.copyDependencies(
+      "vulnerability-auditor/fix-removes-package",
+      tempDir
+    );
+
+    const advisories = [
+      {
+        dependency_name: "@dependabot-fixtures/npm-transitive-dependency",
+        affected_versions: [">= 0, < 1.0.1"],
+      },
+    ];
+    const actual = await findVulnerableDependencies(tempDir, advisories);
+    const expected = {
+      current_version: "1.0.0",
+      dependency_name: "@dependabot-fixtures/npm-transitive-dependency",
+      fix_available: true,
+      fix_updates: [
+        {
+          current_version: "10.0.0",
+          dependency_name: "@dependabot-fixtures/npm-remove-dependency",
+          target_version: "10.0.1",
+          top_level_ancestors: [],
+        },
+      ],
+      target_version: undefined,
+      top_level_ancestors: ["@dependabot-fixtures/npm-remove-dependency"],
+    };
+    expect(actual).toEqual(expected);
+  });
+
+  it("has defined target_versions in fix_updates when a vulnerable package is hoisted", async () => {
+    helpers.copyDependencies(
+      "vulnerability-auditor/fix-hoists-package",
+      tempDir
+    );
+
+    const advisories = [
+      {
+        dependency_name:
+          "@dependabot-fixtures/npm-transitive-dependency-with-more-versions",
+        affected_versions: [">= 0, < 1.0.2"],
+      },
+    ];
+    const actual = await findVulnerableDependencies(tempDir, advisories);
+
+    expect(actual.dependency_name).toBe(
+      "@dependabot-fixtures/npm-transitive-dependency-with-more-versions"
+    );
+    expect(actual.current_version).toBe("1.0.0");
+    expect(actual.fix_available).toBe(true);
+    expect(actual.target_version).toBe("1.0.2");
+
+    expect(actual.top_level_ancestors).toHaveLength(2);
+    expect(actual.top_level_ancestors).toEqual(
+      expect.arrayContaining([
+        "@dependabot-fixtures/npm-parent-dependency-with-more-versions",
+        "@dependabot-fixtures/npm-transitive-dependency-with-more-versions",
+      ])
+    );
+
+    expect(actual.fix_updates).toHaveLength(2);
+    expect(actual.fix_updates).toEqual(
+      expect.arrayContaining([
+        {
+          dependency_name:
+            "@dependabot-fixtures/npm-transitive-dependency-with-more-versions",
+          current_version: "1.0.1",
+          target_version: "1.0.2",
+          top_level_ancestors: [
+            "@dependabot-fixtures/npm-parent-dependency-with-more-versions",
+          ],
+        },
+        {
+          dependency_name:
+            "@dependabot-fixtures/npm-transitive-dependency-with-more-versions",
+          current_version: "1.0.0",
+          target_version: "1.0.2",
+          top_level_ancestors: [],
+        },
+      ])
+    );
+  });
 });

data/lib/dependabot/npm_and_yarn/dependency_grapher.rb

@@ -1,6 +1,8 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "json"
+require "yaml"
 require "sorbet-runtime"
 
 require "dependabot/dependency_graphers"
@@ -152,12 +154,138 @@ module Dependabot
         )
       end
 
-      # Fetches subdependencies for a given dependency.
-      # For npm/yarn/pnpm, we can extract this from the lockfile parser if available.
       sig { override.params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
       def fetch_subdependencies(dependency)
-        # Check if the parser has attached depends_on metadata
-        dependency.metadata.fetch(:depends_on, [])
+        package_relationships.fetch(dependency.name, [])
+      end
+
+      sig { returns(T::Hash[String, T::Array[String]]) }
+      def package_relationships
+        @package_relationships ||= T.let(
+          fetch_package_relationships,
+          T.nilable(T::Hash[String, T::Array[String]])
+        )
+      end
+
+      sig { returns(T::Hash[String, T::Array[String]]) }
+      def fetch_package_relationships
+        case detected_package_manager
+        when NpmPackageManager::NAME
+          fetch_npm_lock_relationships
+        when YarnPackageManager::NAME
+          fetch_yarn_lock_relationships
+        when PNPMPackageManager::NAME
+          fetch_pnpm_lock_relationships
+        else
+          {}
+        end
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def npm_lockfile
+        return @npm_lockfile if defined?(@npm_lockfile)
+
+        @npm_lockfile = T.let(
+          dependency_files.find { |f| f.name.end_with?(NpmPackageManager::LOCKFILE_NAME) },
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def yarn_lockfile
+        return @yarn_lockfile if defined?(@yarn_lockfile)
+
+        @yarn_lockfile = T.let(
+          dependency_files.find { |f| f.name.end_with?(YarnPackageManager::LOCKFILE_NAME) },
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def pnpm_lockfile
+        return @pnpm_lockfile if defined?(@pnpm_lockfile)
+
+        @pnpm_lockfile = T.let(
+          dependency_files.find { |f| f.name.end_with?(PNPMPackageManager::LOCKFILE_NAME) },
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
+
+      sig { returns(T::Hash[String, T::Array[String]]) }
+      def fetch_npm_lock_relationships
+        parsed = JSON.parse(T.must(T.must(npm_lockfile).content))
+        packages = parsed.fetch("packages", {})
+
+        # v3/v2 lockfiles use a flat "packages" section
+        if packages.is_a?(Hash) && !packages.empty?
+          return packages.each_with_object({}) do |(path, details), rels|
+            next if path.empty? # skip root package entry
+            next unless details.is_a?(Hash)
+
+            children = details.fetch("dependencies", {}).keys
+            next if children.empty?
+
+            rels[path.split("node_modules/").last] = children
+          end
+        end
+
+        # if packages isn't present, attempt a v1 fallback
+        fetch_npm_v1_lock_relationships(parsed)
+      end
+
+      sig { params(parsed: T::Hash[String, T.untyped]).returns(T::Hash[String, T::Array[String]]) }
+      def fetch_npm_v1_lock_relationships(parsed)
+        dependencies = parsed.fetch("dependencies", {})
+        return {} unless dependencies.is_a?(Hash)
+
+        dependencies.each_with_object({}) do |(name, details), rels|
+          next unless details.is_a?(Hash)
+
+          nested = details.fetch("dependencies", nil)
+          next unless nested.is_a?(Hash)
+
+          children = nested.keys
+          rels[name] = children unless children.empty?
+          rels.merge!(fetch_npm_v1_lock_relationships(details))
+        end
+      end
+
+      sig { returns(T::Hash[String, T::Array[String]]) }
+      def fetch_yarn_lock_relationships
+        parsed = FileParser::YarnLock.new(T.must(yarn_lockfile)).parsed
+
+        parsed.each_with_object({}) do |(req, details), rels|
+          next unless details.is_a?(Hash)
+
+          parent_name = T.must(req.split(/(?<=\w)\@/).first)
+          children = details.fetch("dependencies", {})&.keys || []
+
+          next if children.empty?
+
+          rels[parent_name] ||= []
+          rels[parent_name].concat(children).uniq!
+        end
+      end
+
+      sig { returns(T::Hash[String, T::Array[String]]) }
+      def fetch_pnpm_lock_relationships
+        parsed = YAML.safe_load(T.must(T.must(pnpm_lockfile).content)) || {}
+
+        # v9+ uses "snapshots" for resolved dependency details; v6 uses "packages"
+        entries = parsed.fetch("snapshots", nil) || parsed.fetch("packages", {})
+
+        entries.each_with_object({}) do |(key, details), rels|
+          next unless details.is_a?(Hash)
+
+          # Keys are "/name@version" (v6) or "name@version" (v9)
+          parent_name = key.sub(%r{^/}, "").split(/(?<=\w)\@/).first
+          children = details.fetch("dependencies", {})&.keys || []
+
+          next if children.empty?
+
+          rels[parent_name] ||= []
+          rels[parent_name].concat(children).uniq!
+        end
       end
 
       sig { override.params(_dependency: Dependabot::Dependency).returns(String) }

data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb

@@ -71,10 +71,7 @@ module Dependabot
               name: package_name,
               version: version,
               package_manager: "npm_and_yarn",
-              requirements: [],
-              metadata: {
-                depends_on: details&.fetch("dependencies", {})&.keys || []
-              }
+              requirements: []
             }
 
             if details["bundled"]

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-npm_and_yarn
 version: !ruby/object:Gem::Version
-  version: 0.373.0
+  version: 0.374.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.373.0
+        version: 0.374.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.373.0
+        version: 0.374.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -271,6 +271,12 @@ files:
 - helpers/package.json
 - helpers/patches/npm++pacote+9.5.12.patch
 - helpers/run.ts
+- helpers/test/npm/fixtures/vulnerability-auditor/fix-hoists-package/package-lock.json
+- helpers/test/npm/fixtures/vulnerability-auditor/fix-hoists-package/package.json
+- helpers/test/npm/fixtures/vulnerability-auditor/fix-removes-package/package-lock.json
+- helpers/test/npm/fixtures/vulnerability-auditor/fix-removes-package/package.json
+- helpers/test/npm/fixtures/vulnerability-auditor/outdated-package-lock/package-lock.json
+- helpers/test/npm/fixtures/vulnerability-auditor/outdated-package-lock/package.json
 - helpers/test/npm/fixtures/vulnerability-auditor/simple/package-lock.json
 - helpers/test/npm/fixtures/vulnerability-auditor/simple/package.json
 - helpers/test/npm/fixtures/vulnerability-auditor/update-needed-across-two-versions/package-lock.json
@@ -364,7 +370,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.373.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.374.0
 rdoc_options: []
 require_paths:
 - lib