RubyGems - dependabot-npm_and_yarn - Versions diffs - 0.378.0 → 0.379.0 - Mend

dependabot-npm_and_yarn 0.378.0 → 0.379.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc8f0275a798e00313419810c19e4111046b82ff368f0b80e4b6565ce78a4242
-  data.tar.gz: 7a9410b39a02e0c8a2a63ed961828c5df1cf7cc478d0ceb1214c5da523242e1b
+  metadata.gz: bd08cdfb4fa9a2d7702785f8f1613bc691569c1cbde17dc45be2c540a7bb6de3
+  data.tar.gz: ed5b6525cb039e5dadbd06709f0a95a47c6c16236ec79a2c8ecbc555bcf1ddd8
 SHA512:
-  metadata.gz: 6795bb05b732633241bef5d4d5d7a31f105eb49297de001a7f754d8b99295f414c902387ee8d22c3cb54d53916a74982786d7a6aed4cebfeb4951c41a81ad56d
-  data.tar.gz: 79b1035a89c6cb3787776325b326f206a660d9da1e4882dc530f1eef3a0b3394e5d6c80a389e88626195fa498b94b0b439a2de55fc928549a637d8f5b727c0db
+  metadata.gz: af2f7366ea66b328b4ab910b54bff68773df0b76156e988b8bc1590e8fa97097b4b736f890699718df31b6e001191e0c86e7362e306fd91030df9625e1625923
+  data.tar.gz: 49955bd7ee30d88d916ff83ec7ded75784f5d53efc4aeab927e756fde987b4eddaa1788360f8b5f7f13314075908b4a14e7937394ff9b8b16edcbd7b8037707a

data/lib/dependabot/npm_and_yarn/dependency_grapher/lockfile_generator.rb CHANGED Viewed

@@ -4,6 +4,7 @@
 require "sorbet-runtime"
 require "dependabot/dependency_file"
+require "dependabot/errors"
 require "dependabot/shared_helpers"
 require "dependabot/npm_and_yarn/helpers"
 require "dependabot/npm_and_yarn/package_manager"
@@ -15,6 +16,12 @@ module Dependabot
       class LockfileGenerator
         extend T::Sig
+        # URL extraction patterns
+        GENERIC_URL_REGEX = T.let(%r{(https?://[^\s"']+)}, Regexp)
+        NETWORK_ERROR_HOST_REGEX = T.let(/E(?:NOTFOUND|TIMEDOUT)\s+(\S+)/i, Regexp)
+        FALLBACK_SOURCE = "a private registry"
         sig do
           params(
             dependency_files: T::Array[Dependabot::DependencyFile],
@@ -202,21 +209,49 @@ module Dependabot
             "Failed to generate lockfile with #{package_manager}: #{error.message}"
           )
-          # Log more details for debugging
           if error.message.include?("ERESOLVE")
             Dependabot.logger.error(
               "Dependency resolution failed. This may be due to conflicting peer dependencies."
             )
+            raise Dependabot::DependencyFileNotResolvable,
+                  "Could not resolve dependencies. This may be due to conflicting peer dependencies."
           elsif error.message.include?("ENOTFOUND") || error.message.include?("ETIMEDOUT")
             Dependabot.logger.error(
               "Network error while generating lockfile. Registry may be unreachable."
             )
-          elsif error.message.include?("401") || error.message.include?("403")
+            raise Dependabot::PrivateSourceTimedOut, extract_network_error_host(error.message)
+          elsif authentication_error?(error.message)
             Dependabot.logger.error(
               "Authentication error. Check that credentials are configured correctly."
             )
+            raise Dependabot::PrivateSourceAuthenticationFailure, extract_url(error.message)
           end
         end
+        sig { params(message: String).returns(T::Boolean) }
+        def authentication_error?(message)
+          message.include?("401") ||
+            message.include?("403") ||
+            message.include?(NpmAndYarn::AUTHENTICATION_TOKEN_NOT_PROVIDED) ||
+            message.include?(NpmAndYarn::AUTHENTICATION_IS_NOT_CONFIGURED) ||
+            message.include?(NpmAndYarn::AUTHENTICATION_HEADER_NOT_PROVIDED) ||
+            message.match?(NpmAndYarn::AUTH_REQUIRED_ERROR)
+        end
+        sig { params(message: String).returns(String) }
+        def extract_url(message)
+          match = message.match(GENERIC_URL_REGEX)
+          match ? T.must(match[1]).chomp(":") : FALLBACK_SOURCE
+        end
+        sig { params(message: String).returns(String) }
+        def extract_network_error_host(message)
+          match = message.match(NETWORK_ERROR_HOST_REGEX)
+          return T.must(match[1]) if match
+          match = message.match(GENERIC_URL_REGEX)
+          match ? T.must(match[1]) : FALLBACK_SOURCE
+        end
       end
     end
   end

data/lib/dependabot/npm_and_yarn/dependency_grapher/npm_relationship_resolver.rb ADDED Viewed

@@ -0,0 +1,134 @@
+# typed: strict
+# frozen_string_literal: true
+require "json"
+require "sorbet-runtime"
+module Dependabot
+  module NpmAndYarn
+    class DependencyGrapher < Dependabot::DependencyGraphers::Base
+      class NpmRelationshipResolver
+        extend T::Sig
+        sig { params(lockfile: Dependabot::DependencyFile).void }
+        def initialize(lockfile)
+          @lockfile = lockfile
+        end
+        sig { returns(T::Hash[String, T::Array[String]]) }
+        def relationships
+          parsed = JSON.parse(T.must(@lockfile.content))
+          packages = parsed.fetch("packages", {})
+          # v3/v2 lockfiles use a flat "packages" section
+          return build_v3_relationships(packages) if packages.is_a?(Hash) && !packages.empty?
+          # if packages isn't present, attempt a v1 fallback
+          build_v1_relationships(parsed)
+        end
+        private
+        sig { params(packages: T::Hash[String, T.untyped]).returns(T::Hash[String, T::Array[String]]) }
+        def build_v3_relationships(packages)
+          packages.each_with_object({}) do |(path, details), rels|
+            next if path.empty? # skip root package entry
+            next unless details.is_a?(Hash)
+            children = details.fetch("dependencies", {}).keys
+            next if children.empty?
+            package_name = details["name"] || path.split("node_modules/").last
+            version = details["version"]
+            next if version.nil? || version.to_s.empty?
+            resolved = resolve_v3_children(packages, path, children)
+            rels["#{package_name}@#{version}"] = resolved unless resolved.empty?
+          end
+        end
+        sig do
+          params(
+            packages: T::Hash[String, T.untyped],
+            parent_path: String,
+            children: T::Array[String]
+          ).returns(T::Array[String])
+        end
+        def resolve_v3_children(packages, parent_path, children)
+          children.filter_map do |child_name|
+            child_details = resolve_child(packages, parent_path, child_name)
+            next unless child_details
+            child_version = child_details["version"]
+            next if child_version.nil? || child_version.to_s.empty?
+            # Use the "name" field for aliased packages (real name vs path alias)
+            real_name = child_details["name"] || child_name
+            "#{real_name}@#{child_version}"
+          end
+        end
+        # Walks up the node_modules tree to resolve a child dependency,
+        # matching Node.js module resolution behavior.
+        sig do
+          params(
+            packages: T::Hash[String, T.untyped],
+            parent_path: String,
+            child_name: String
+          ).returns(T.nilable(T::Hash[String, T.untyped]))
+        end
+        def resolve_child(packages, parent_path, child_name)
+          # First check directly nested under parent
+          candidate = "#{parent_path}/node_modules/#{child_name}"
+          return packages[candidate] if packages.key?(candidate)
+          # Walk up the tree: strip trailing node_modules/pkg segments
+          segments = parent_path.split("node_modules/")
+          segments.pop # remove the current package segment
+          while segments.any?
+            candidate = "#{segments.join('node_modules/')}node_modules/#{child_name}"
+            return packages[candidate] if packages.key?(candidate)
+            segments.pop
+          end
+          # Top-level fallback
+          packages["node_modules/#{child_name}"]
+        end
+        sig { params(parsed: T::Hash[String, T.untyped]).returns(T::Hash[String, T::Array[String]]) }
+        def build_v1_relationships(parsed)
+          dependencies = parsed.fetch("dependencies", {})
+          return {} unless dependencies.is_a?(Hash)
+          dependencies.each_with_object({}) do |(name, details), rels|
+            next unless details.is_a?(Hash)
+            nested = details.fetch("dependencies", nil)
+            next unless nested.is_a?(Hash)
+            version = details["version"]
+            next if version.nil? || version.to_s.empty?
+            children = resolve_v1_children(nested)
+            rels["#{name}@#{version}"] = children unless children.empty?
+            rels.merge!(build_v1_relationships(details))
+          end
+        end
+        sig { params(nested: T::Hash[String, T.untyped]).returns(T::Array[String]) }
+        def resolve_v1_children(nested)
+          nested.filter_map do |child_name, child_details|
+            next unless child_details.is_a?(Hash)
+            child_version = child_details["version"]
+            next if child_version.nil? || child_version.to_s.empty?
+            "#{child_name}@#{child_version}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/dependency_grapher/pnpm_relationship_resolver.rb ADDED Viewed

@@ -0,0 +1,53 @@
+# typed: strict
+# frozen_string_literal: true
+require "yaml"
+require "sorbet-runtime"
+module Dependabot
+  module NpmAndYarn
+    class DependencyGrapher < Dependabot::DependencyGraphers::Base
+      class PnpmRelationshipResolver
+        extend T::Sig
+        sig { params(lockfile: Dependabot::DependencyFile).void }
+        def initialize(lockfile)
+          @lockfile = lockfile
+        end
+        sig { returns(T::Hash[String, T::Array[String]]) }
+        def relationships
+          parsed = YAML.safe_load(T.must(@lockfile.content)) || {}
+          # v9+ uses "snapshots" for resolved dependency details; v6 uses "packages"
+          entries = parsed.fetch("snapshots", nil) || parsed.fetch("packages", {})
+          entries.each_with_object({}) do |(key, details), rels|
+            next unless details.is_a?(Hash)
+            # Keys are "/name@version" (v6) or "name@version" (v9)
+            name_version = key.sub(%r{^/}, "")
+            children = details.fetch("dependencies", {})
+            next if children.nil? || children.empty?
+            # Strip any pnpm suffix metadata (e.g., parenthesized peer dep info)
+            name_version = name_version.sub(/\(.*\)$/, "")
+            # pnpm dependencies are already resolved: {"name": "version"}
+            # Strip any peer metadata suffixes like "7.49.0(react@18.2.0)"
+            resolved_children = children.filter_map do |child_name, child_version|
+              clean_version = child_version.to_s.sub(/\(.*\)$/, "")
+              next if clean_version.empty?
+              "#{child_name}@#{clean_version}"
+            end
+            rels[name_version] ||= []
+            rels[name_version].concat(resolved_children).uniq!
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/dependency_grapher/yarn_relationship_resolver.rb ADDED Viewed

@@ -0,0 +1,68 @@
+# typed: strict
+# frozen_string_literal: true
+require "sorbet-runtime"
+require "dependabot/npm_and_yarn/file_parser/yarn_lock"
+module Dependabot
+  module NpmAndYarn
+    class DependencyGrapher < Dependabot::DependencyGraphers::Base
+      class YarnRelationshipResolver
+        extend T::Sig
+        sig { params(lockfile: Dependabot::DependencyFile).void }
+        def initialize(lockfile)
+          @lockfile = lockfile
+        end
+        sig { returns(T::Hash[String, T::Array[String]]) }
+        def relationships
+          parsed = FileParser::YarnLock.new(@lockfile).parsed
+          parsed.each_with_object({}) do |(req, details), rels|
+            next unless details.is_a?(Hash)
+            version = details["version"]
+            parent_name = T.must(req.split(/(?<=\w)\@/).first)
+            children = details.fetch("dependencies", {})
+            next if children.nil? || children.empty?
+            key = "#{parent_name}@#{version}"
+            resolved_children = resolve_children(children, parsed)
+            rels[key] ||= []
+            rels[key].concat(resolved_children).uniq!
+          end
+        end
+        private
+        sig { params(children: T::Hash[String, String], parsed: T::Hash[String, T.untyped]).returns(T::Array[String]) }
+        def resolve_children(children, parsed)
+          children.filter_map do |child_name, child_req|
+            version = resolve_child_version(child_name, child_req, parsed)
+            "#{child_name}@#{version}" if version
+          end
+        end
+        sig { params(child_name: String, child_req: String, parsed: T::Hash[String, T.untyped]).returns(T.nilable(String)) }
+        def resolve_child_version(child_name, child_req, parsed)
+          # Try exact key first
+          child_entry = parsed["#{child_name}@#{child_req}"]
+          return child_entry["version"] if child_entry && child_entry["version"]
+          # Yarn groups multiple requirements into single keys like "foo@^1.0.0, foo@^1.2.0"
+          target_req = "#{child_name}@#{child_req}"
+          grouped_match = parsed.find { |k, _| k.split(", ").include?(target_req) }
+          return grouped_match.last["version"] if grouped_match && grouped_match.last["version"]
+          # Fallback: find by name only if there's exactly one candidate
+          candidates = parsed.select { |k, _| k.split(/(?<=\w)\@/).first == child_name }
+          candidate = candidates.first
+          candidate.last["version"] if candidates.size == 1 && candidate
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/npm_and_yarn/dependency_grapher.rb CHANGED Viewed

@@ -2,7 +2,6 @@
 # frozen_string_literal: true
 require "json"
-require "yaml"
 require "sorbet-runtime"
 require "dependabot/dependency_graphers"
@@ -17,6 +16,9 @@ module Dependabot
       extend T::Sig
       require_relative "dependency_grapher/lockfile_generator"
+      require_relative "dependency_grapher/npm_relationship_resolver"
+      require_relative "dependency_grapher/yarn_relationship_resolver"
+      require_relative "dependency_grapher/pnpm_relationship_resolver"
       sig { override.returns(Dependabot::DependencyFile) }
       def relevant_dependency_file
@@ -27,8 +29,37 @@ module Dependabot
         lockfile || package_json
       end
+      # Override to expand multi-version dependencies into separate resolved
+      # dependency entries. When the same package exists at multiple versions
+      # (e.g., is-number@6.0.0 direct + is-number@7.0.0 transitive), each
+      # version gets its own entry with correct subdependency edges.
+      sig { override.returns(T::Hash[String, Dependabot::DependencyGraphers::ResolvedDependency]) }
+      def resolved_dependencies
+        prepare! unless prepared
+        @dependencies.each_with_object({}) do |dep, resolved|
+          all_versions = dep.metadata[:all_versions] || [dep]
+          all_versions.each do |version_dep|
+            purl = build_purl(version_dep)
+            next if resolved.key?(purl)
+            resolved[purl] = Dependabot::DependencyGraphers::ResolvedDependency.new(
+              package_url: purl,
+              direct: version_dep.top_level? || !version_dep.metadata[:alias].nil?,
+              runtime: version_dep.production?,
+              dependencies: subdependency_purls_for(version_dep)
+            )
+          end
+        end
+      end
       sig { override.void }
       def prepare!
+        # Enable alias extraction for graph jobs so aliased packages appear
+        # in the dependency graph for security scanning.
+        file_parser.dealias_packages!
         if lockfile.nil?
           Dependabot.logger.info("No lockfile found, generating ephemeral lockfile for dependency graphing")
           generate_ephemeral_lockfile!
@@ -79,11 +110,14 @@ module Dependabot
       sig { returns(T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]) }
       def lockfiles_hash
-        {
-          npm: dependency_files.find { |f| f.name.end_with?(NpmPackageManager::LOCKFILE_NAME) },
-          yarn: dependency_files.find { |f| f.name.end_with?(YarnPackageManager::LOCKFILE_NAME) },
-          pnpm: dependency_files.find { |f| f.name.end_with?(PNPMPackageManager::LOCKFILE_NAME) }
-        }
+        @lockfiles_hash ||= T.let(
+          {
+            npm: dependency_files.find { |f| f.name.end_with?(NpmPackageManager::LOCKFILE_NAME) },
+            yarn: dependency_files.find { |f| f.name.end_with?(YarnPackageManager::LOCKFILE_NAME) },
+            pnpm: dependency_files.find { |f| f.name.end_with?(PNPMPackageManager::LOCKFILE_NAME) }
+          },
+          T.nilable(T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)])
+        )
       end
       sig { returns(String) }
@@ -130,6 +164,7 @@ module Dependabot
         # Clear our cached lockfile reference so it picks up the new one
         remove_instance_variable(:@lockfile) if instance_variable_defined?(:@lockfile)
+        remove_instance_variable(:@lockfiles_hash) if instance_variable_defined?(:@lockfiles_hash)
         # Clear the FileParser's memoized lockfile references so it will
         # find the newly injected lockfile when parse is called
@@ -156,7 +191,48 @@ module Dependabot
       sig { override.params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
       def fetch_subdependencies(dependency)
-        package_relationships.fetch(dependency.name, [])
+        key = "#{dependency.name}@#{dependency.version}"
+        package_relationships.fetch(key, [])
+      end
+      # Builds purl strings for subdependencies directly from the name@version
+      # entries in package_relationships, without going through dependencies_by_name
+      # which only holds one combined dep per package name.
+      sig { params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
+      def subdependency_purls_for(dependency)
+        return [] if errored_fetching_subdependencies
+        key = "#{dependency.name}@#{dependency.version}"
+        children = package_relationships.fetch(key, [])
+        children.filter_map do |child_key|
+          child_name, child_version = split_name_version(child_key)
+          next unless child_name && child_version
+          purl_name = child_name.sub(/^@/, "%40")
+          format(PURL_TEMPLATE, type: "npm", name: purl_name, version: "@#{child_version}")
+        end
+      rescue StandardError => e
+        errored_fetching_subdependencies!
+        @subdependency_error = T.let(e, T.nilable(StandardError))
+        Dependabot.logger.error("Error fetching subdependencies: #{e.message}")
+        []
+      end
+      # Splits a "name@version" string, handling scoped packages like "@scope/pkg@1.0.0"
+      sig { params(name_version: String).returns([T.nilable(String), T.nilable(String)]) }
+      def split_name_version(name_version)
+        # For scoped packages (@scope/name@version), find the second @
+        at_index = if name_version.start_with?("@")
+                     name_version.index("@", 1)
+                   else
+                     name_version.index("@")
+                   end
+        return [name_version, nil] unless at_index
+        version = name_version[(at_index + 1)..]
+        version = nil if version.nil? || version.empty?
+        [name_version[0...at_index], version]
       end
       sig { returns(T::Hash[String, T::Array[String]]) }
@@ -165,129 +241,27 @@ module Dependabot
           fetch_package_relationships,
           T.nilable(T::Hash[String, T::Array[String]])
         )
+      rescue StandardError => e
+        errored_fetching_subdependencies!
+        @subdependency_error = T.let(e, T.nilable(StandardError))
+        Dependabot.logger.error("Error fetching subdependencies: #{e.message}")
+        @package_relationships = {}
       end
       sig { returns(T::Hash[String, T::Array[String]]) }
       def fetch_package_relationships
         case detected_package_manager
         when NpmPackageManager::NAME
-          fetch_npm_lock_relationships
+          NpmRelationshipResolver.new(T.must(lockfiles_hash[:npm])).relationships
         when YarnPackageManager::NAME
-          fetch_yarn_lock_relationships
+          YarnRelationshipResolver.new(T.must(lockfiles_hash[:yarn])).relationships
         when PNPMPackageManager::NAME
-          fetch_pnpm_lock_relationships
+          PnpmRelationshipResolver.new(T.must(lockfiles_hash[:pnpm])).relationships
         else
           {}
         end
       end
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def npm_lockfile
-        return @npm_lockfile if defined?(@npm_lockfile)
-        @npm_lockfile = T.let(
-          dependency_files.find { |f| f.name.end_with?(NpmPackageManager::LOCKFILE_NAME) },
-          T.nilable(Dependabot::DependencyFile)
-        )
-      end
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def yarn_lockfile
-        return @yarn_lockfile if defined?(@yarn_lockfile)
-        @yarn_lockfile = T.let(
-          dependency_files.find { |f| f.name.end_with?(YarnPackageManager::LOCKFILE_NAME) },
-          T.nilable(Dependabot::DependencyFile)
-        )
-      end
-      sig { returns(T.nilable(Dependabot::DependencyFile)) }
-      def pnpm_lockfile
-        return @pnpm_lockfile if defined?(@pnpm_lockfile)
-        @pnpm_lockfile = T.let(
-          dependency_files.find { |f| f.name.end_with?(PNPMPackageManager::LOCKFILE_NAME) },
-          T.nilable(Dependabot::DependencyFile)
-        )
-      end
-      sig { returns(T::Hash[String, T::Array[String]]) }
-      def fetch_npm_lock_relationships
-        parsed = JSON.parse(T.must(T.must(npm_lockfile).content))
-        packages = parsed.fetch("packages", {})
-        # v3/v2 lockfiles use a flat "packages" section
-        if packages.is_a?(Hash) && !packages.empty?
-          return packages.each_with_object({}) do |(path, details), rels|
-            next if path.empty? # skip root package entry
-            next unless details.is_a?(Hash)
-            children = details.fetch("dependencies", {}).keys
-            next if children.empty?
-            rels[path.split("node_modules/").last] = children
-          end
-        end
-        # if packages isn't present, attempt a v1 fallback
-        fetch_npm_v1_lock_relationships(parsed)
-      end
-      sig { params(parsed: T::Hash[String, T.untyped]).returns(T::Hash[String, T::Array[String]]) }
-      def fetch_npm_v1_lock_relationships(parsed)
-        dependencies = parsed.fetch("dependencies", {})
-        return {} unless dependencies.is_a?(Hash)
-        dependencies.each_with_object({}) do |(name, details), rels|
-          next unless details.is_a?(Hash)
-          nested = details.fetch("dependencies", nil)
-          next unless nested.is_a?(Hash)
-          children = nested.keys
-          rels[name] = children unless children.empty?
-          rels.merge!(fetch_npm_v1_lock_relationships(details))
-        end
-      end
-      sig { returns(T::Hash[String, T::Array[String]]) }
-      def fetch_yarn_lock_relationships
-        parsed = FileParser::YarnLock.new(T.must(yarn_lockfile)).parsed
-        parsed.each_with_object({}) do |(req, details), rels|
-          next unless details.is_a?(Hash)
-          parent_name = T.must(req.split(/(?<=\w)\@/).first)
-          children = details.fetch("dependencies", {})&.keys || []
-          next if children.empty?
-          rels[parent_name] ||= []
-          rels[parent_name].concat(children).uniq!
-        end
-      end
-      sig { returns(T::Hash[String, T::Array[String]]) }
-      def fetch_pnpm_lock_relationships
-        parsed = YAML.safe_load(T.must(T.must(pnpm_lockfile).content)) || {}
-        # v9+ uses "snapshots" for resolved dependency details; v6 uses "packages"
-        entries = parsed.fetch("snapshots", nil) || parsed.fetch("packages", {})
-        entries.each_with_object({}) do |(key, details), rels|
-          next unless details.is_a?(Hash)
-          # Keys are "/name@version" (v6) or "name@version" (v9)
-          parent_name = key.sub(%r{^/}, "").split(/(?<=\w)\@/).first
-          children = details.fetch("dependencies", {})&.keys || []
-          next if children.empty?
-          rels[parent_name] ||= []
-          rels[parent_name].concat(children).uniq!
-        end
-      end
       sig { override.params(_dependency: Dependabot::Dependency).returns(String) }
       def purl_pkg_for(_dependency)
         "npm"

data/lib/dependabot/npm_and_yarn/file_parser/json_lock.rb CHANGED Viewed

@@ -12,9 +12,10 @@ module Dependabot
       class JsonLock
         extend T::Sig
-        sig { params(dependency_file: DependencyFile).void }
-        def initialize(dependency_file)
+        sig { params(dependency_file: DependencyFile, dealias_packages: T::Boolean).void }
+        def initialize(dependency_file, dealias_packages: false)
           @dependency_file = dependency_file
+          @dealias_packages = dealias_packages
         end
         sig { returns(T::Hash[String, T.untyped]) }
@@ -64,7 +65,7 @@ module Dependabot
             version = Version.semver_for(details["version"])
             next unless version
-            package_name = name.split("node_modules/").last
+            package_name = package_name_for(name, details)
             version = version.to_s
             dependency_args = {
@@ -74,6 +75,11 @@ module Dependabot
               requirements: []
             }
+            if aliased_package?(name, details)
+              alias_name = name.split("node_modules/").last
+              dependency_args[:metadata] = { alias: alias_name }
+            end
             if details["bundled"]
               dependency_args[:subdependency_metadata] =
                 [{ npm_bundled: details["bundled"] }]
@@ -91,6 +97,29 @@ module Dependabot
           dependency_set
         end
+        sig { params(package_path: String, details: T::Hash[String, T.untyped]).returns(String) }
+        def package_name_for(package_path, details)
+          package_name = T.must(package_path.split("node_modules/").last)
+          return package_name unless dealias_packages?
+          real_package_name = details["name"]
+          return package_name unless real_package_name.is_a?(String)
+          return package_name if real_package_name == package_name
+          real_package_name
+        end
+        sig { params(package_path: String, details: T::Hash[String, T.untyped]).returns(T::Boolean) }
+        def aliased_package?(package_path, details)
+          return false unless dealias_packages?
+          real_package_name = details["name"]
+          return false unless real_package_name.is_a?(String)
+          package_name = T.must(package_path.split("node_modules/").last)
+          real_package_name != package_name
+        end
         sig { params(manifest_name: String, dependency_name: String).returns(String) }
         def node_modules_path(manifest_name, dependency_name)
           return "node_modules/#{dependency_name}" if manifest_name == "package.json"
@@ -98,6 +127,11 @@ module Dependabot
           workspace_path = manifest_name.gsub("/package.json", "")
           File.join(workspace_path, "node_modules", dependency_name)
         end
+        sig { returns(T::Boolean) }
+        def dealias_packages?
+          @dealias_packages
+        end
       end
     end
   end