@openrewrite/rewrite 8.69.0-20251210-164937 → 8.69.0-20251210-194227

package/src/javascript/dependency-manager.ts

@@ -0,0 +1,292 @@
+/*
+ * Copyright 2025 the original author or authors.
+ * <p>
+ * Licensed under the Moderne Source Available License (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * https://docs.moderne.io/licensing/moderne-source-available-license
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {PackageManager} from "./node-resolution-result";
+
+/**
+ * Parsed dependency path for scoped overrides.
+ * Segments represent the chain of dependencies, e.g., "express>accepts" becomes
+ * [{name: "express"}, {name: "accepts"}]
+ */
+export interface DependencyPathSegment {
+    name: string;
+    version?: string;
+}
+
+/**
+ * Parses a dependency path string into segments.
+ * Accepts both '>' (pnpm style) and '/' (yarn style) as separators.
+ * Examples:
+ *   "express>accepts" -> [{name: "express"}, {name: "accepts"}]
+ *   "express@4.0.0>accepts" -> [{name: "express", version: "4.0.0"}, {name: "accepts"}]
+ *   "@scope/pkg>dep" -> [{name: "@scope/pkg"}, {name: "dep"}]
+ */
+export function parseDependencyPath(path: string): DependencyPathSegment[] {
+    // We can't just replace all '/' with '>' because scoped packages contain '/'
+    // Strategy: Split on '>' first, then for each part that contains '/' and doesn't
+    // start with '@', treat it as a '/'-separated path (yarn style)
+    const segments: DependencyPathSegment[] = [];
+
+    // Split on '>' (pnpm style separator)
+    const gtParts = path.split('>');
+
+    for (const gtPart of gtParts) {
+        // Check if this part needs further splitting by '/'
+        // Only split if it contains '/' AND either:
+        // - doesn't start with '@' (not a scoped package), OR
+        // - contains multiple '/' (e.g., "@scope/pkg/dep" is yarn-style path)
+        if (gtPart.includes('/')) {
+            if (gtPart.startsWith('@')) {
+                // Scoped package: @scope/pkg or @scope/pkg@version or @scope/pkg/dep (yarn path)
+                // Find the first '/' which is part of the scope
+                const firstSlash = gtPart.indexOf('/');
+                const afterFirstSlash = gtPart.substring(firstSlash + 1);
+
+                // Check if there's another '/' after the scope (yarn-style nesting)
+                const secondSlash = afterFirstSlash.indexOf('/');
+                if (secondSlash !== -1) {
+                    // yarn-style: @scope/pkg/dep - split further
+                    // First get the scoped package part
+                    const scopedPart = gtPart.substring(0, firstSlash + 1 + secondSlash);
+                    segments.push(parseSegment(scopedPart));
+
+                    // Then handle the rest as separate segments
+                    const rest = afterFirstSlash.substring(secondSlash + 1);
+                    for (const subPart of rest.split('/')) {
+                        if (subPart) {
+                            segments.push(parseSegment(subPart));
+                        }
+                    }
+                } else {
+                    // Simple scoped package: @scope/pkg or @scope/pkg@version
+                    segments.push(parseSegment(gtPart));
+                }
+            } else {
+                // Non-scoped with '/': yarn-style path like "express/accepts"
+                for (const slashPart of gtPart.split('/')) {
+                    if (slashPart) {
+                        segments.push(parseSegment(slashPart));
+                    }
+                }
+            }
+        } else {
+            // No '/', just parse the segment directly
+            segments.push(parseSegment(gtPart));
+        }
+    }
+
+    return segments;
+}
+
+/**
+ * Parses a single segment (package name, possibly with version).
+ */
+function parseSegment(part: string): DependencyPathSegment {
+    // Handle scoped packages: @scope/name or @scope/name@version
+    if (part.startsWith('@')) {
+        // Find the version separator (last @ that's not the scope prefix)
+        const slashIndex = part.indexOf('/');
+        if (slashIndex === -1) {
+            return {name: part};
+        }
+        const afterSlash = part.substring(slashIndex + 1);
+        const atIndex = afterSlash.lastIndexOf('@');
+        if (atIndex > 0) {
+            return {
+                name: part.substring(0, slashIndex + 1 + atIndex),
+                version: afterSlash.substring(atIndex + 1)
+            };
+        }
+        return {name: part};
+    }
+
+    // Non-scoped package: name or name@version
+    const atIndex = part.lastIndexOf('@');
+    if (atIndex > 0) {
+        return {
+            name: part.substring(0, atIndex),
+            version: part.substring(atIndex + 1)
+        };
+    }
+    return {name: part};
+}
+
+/**
+ * Generates an npm-style override entry (nested objects).
+ * npm uses nested objects for scoped overrides:
+ *   { "express": { "accepts": "^2.0.0" } }
+ * or for global overrides:
+ *   { "lodash": "^4.17.21" }
+ */
+function generateNpmOverride(
+    packageName: string,
+    newVersion: string,
+    pathSegments?: DependencyPathSegment[]
+): Record<string, any> {
+    if (!pathSegments || pathSegments.length === 0) {
+        // Global override
+        return {[packageName]: newVersion};
+    }
+
+    // Build nested structure from outside in
+    let result: Record<string, any> = {[packageName]: newVersion};
+    for (let i = pathSegments.length - 1; i >= 0; i--) {
+        const segment = pathSegments[i];
+        const key = segment.version ? `${segment.name}@${segment.version}` : segment.name;
+        result = {[key]: result};
+    }
+    return result;
+}
+
+/**
+ * Generates a Yarn-style resolution entry (path with / separator).
+ * Yarn uses a flat object with path keys:
+ *   { "express/accepts": "^2.0.0" }
+ * or for global:
+ *   { "lodash": "^4.17.21" }
+ */
+function generateYarnResolution(
+    packageName: string,
+    newVersion: string,
+    pathSegments?: DependencyPathSegment[]
+): Record<string, string> {
+    if (!pathSegments || pathSegments.length === 0) {
+        // Global resolution
+        return {[packageName]: newVersion};
+    }
+
+    // Yarn uses / separator: "express/accepts"
+    // Note: Yarn only supports one level of nesting, so we use the last segment
+    const parentSegment = pathSegments[pathSegments.length - 1];
+    const parentKey = parentSegment.version
+        ? `${parentSegment.name}@${parentSegment.version}`
+        : parentSegment.name;
+    const key = `${parentKey}/${packageName}`;
+    return {[key]: newVersion};
+}
+
+/**
+ * Generates a pnpm-style override entry (path with > separator).
+ * pnpm uses a flat object with > path keys:
+ *   { "express>accepts": "^2.0.0" }
+ * or for global:
+ *   { "lodash": "^4.17.21" }
+ */
+function generatePnpmOverride(
+    packageName: string,
+    newVersion: string,
+    pathSegments?: DependencyPathSegment[]
+): Record<string, string> {
+    if (!pathSegments || pathSegments.length === 0) {
+        // Global override
+        return {[packageName]: newVersion};
+    }
+
+    // pnpm uses > separator: "express@1>accepts"
+    const pathParts = pathSegments.map(seg =>
+        seg.version ? `${seg.name}@${seg.version}` : seg.name
+    );
+    const key = `${pathParts.join('>')}>${packageName}`;
+    return {[key]: newVersion};
+}
+
+/**
+ * Merges a new override entry into an existing overrides object.
+ * Handles npm's nested structure by deep merging.
+ */
+function mergeNpmOverride(
+    existing: Record<string, any>,
+    newOverride: Record<string, any>
+): Record<string, any> {
+    const result = {...existing};
+
+    for (const [key, value] of Object.entries(newOverride)) {
+        if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
+            // Deep merge for nested objects
+            if (typeof result[key] === 'object' && result[key] !== null) {
+                result[key] = mergeNpmOverride(result[key], value);
+            } else {
+                result[key] = value;
+            }
+        } else {
+            // Simple value, just overwrite
+            result[key] = value;
+        }
+    }
+
+    return result;
+}
+
+/**
+ * Merges a new resolution/override entry into an existing flat object.
+ * Used for Yarn resolutions and pnpm overrides.
+ */
+function mergeFlatOverride(
+    existing: Record<string, string>,
+    newOverride: Record<string, string>
+): Record<string, string> {
+    return {...existing, ...newOverride};
+}
+
+/**
+ * Applies an override to a package.json object based on the package manager.
+ *
+ * @param packageJson The parsed package.json object
+ * @param packageManager The package manager in use
+ * @param packageName The target package to override
+ * @param newVersion The version to set
+ * @param pathSegments Optional path segments for scoped override
+ * @returns The modified package.json object
+ */
+export function applyOverrideToPackageJson(
+    packageJson: Record<string, any>,
+    packageManager: PackageManager,
+    packageName: string,
+    newVersion: string,
+    pathSegments?: DependencyPathSegment[]
+): Record<string, any> {
+    const result = {...packageJson};
+
+    switch (packageManager) {
+        case PackageManager.Npm:
+        case PackageManager.Bun: {
+            // npm and Bun use "overrides" with nested objects
+            const newOverride = generateNpmOverride(packageName, newVersion, pathSegments);
+            result.overrides = mergeNpmOverride(result.overrides || {}, newOverride);
+            break;
+        }
+
+        case PackageManager.YarnClassic:
+        case PackageManager.YarnBerry: {
+            // Yarn uses "resolutions" with flat path keys
+            const newResolution = generateYarnResolution(packageName, newVersion, pathSegments);
+            result.resolutions = mergeFlatOverride(result.resolutions || {}, newResolution);
+            break;
+        }
+
+        case PackageManager.Pnpm: {
+            // pnpm uses "pnpm.overrides" with > path keys
+            const newOverride = generatePnpmOverride(packageName, newVersion, pathSegments);
+            if (!result.pnpm) {
+                result.pnpm = {};
+            }
+            result.pnpm.overrides = mergeFlatOverride(result.pnpm?.overrides || {}, newOverride);
+            break;
+        }
+    }
+
+    return result;
+}

package/src/javascript/index.ts

@@ -22,6 +22,7 @@ export * from "./markers";
 export * from "./node-resolution-result";
 export * from "./package-json-parser";
 export * from "./package-manager";
+export * from "./dependency-manager";
 export * from "./preconditions";
 export * from "./templating/index";
 export * from "./method-matcher";

package/src/javascript/package-manager.ts

@@ -16,7 +16,9 @@
 
 import {PackageManager} from "./node-resolution-result";
 import * as fs from "fs";
+import * as fsp from "fs/promises";
 import * as path from "path";
+import * as os from "os";
 import {spawnSync} from "child_process";
 
 /**
@@ -426,3 +428,112 @@ export function getPackageManagerDisplayName(pm: PackageManager): string {
             return 'Bun';
     }
 }
+
+/**
+ * Result of running install in a temporary directory.
+ */
+export interface TempInstallResult {
+    /** Whether the install succeeded */
+    success: boolean;
+    /** The updated lock file content (if successful and lock file exists) */
+    lockFileContent?: string;
+    /** Error message (if failed) */
+    error?: string;
+}
+
+/**
+ * Options for running install in a temporary directory.
+ */
+export interface TempInstallOptions {
+    /** Timeout in milliseconds (default: 120000 = 2 minutes) */
+    timeout?: number;
+    /**
+     * If true, only update the lock file without installing node_modules.
+     * If false, perform a full install which creates node_modules in the temp dir.
+     * Default: true (lock-only is faster and sufficient for most cases)
+     */
+    lockOnly?: boolean;
+}
+
+/**
+ * Runs package manager install in a temporary directory.
+ *
+ * This function:
+ * 1. Creates a temp directory
+ * 2. Writes the provided package.json content
+ * 3. Copies the existing lock file (if present)
+ * 4. Copies config files (.npmrc, .yarnrc, etc.)
+ * 5. Runs the package manager install
+ * 6. Returns the updated lock file content
+ * 7. Cleans up the temp directory
+ *
+ * @param projectDir The original project directory (for copying lock file and configs)
+ * @param pm The package manager to use
+ * @param modifiedPackageJson The modified package.json content to use
+ * @param options Optional settings for timeout and lock-only mode
+ * @returns Result containing success status and lock file content or error
+ */
+export async function runInstallInTempDir(
+    projectDir: string,
+    pm: PackageManager,
+    modifiedPackageJson: string,
+    options: TempInstallOptions = {}
+): Promise<TempInstallResult> {
+    const {timeout = 120000, lockOnly = true} = options;
+    const lockFileName = getLockFileName(pm);
+    const tempDir = await fsp.mkdtemp(path.join(os.tmpdir(), 'openrewrite-pm-'));
+
+    try {
+        // Write modified package.json to temp directory
+        await fsp.writeFile(path.join(tempDir, 'package.json'), modifiedPackageJson);
+
+        // Copy existing lock file if present
+        const originalLockPath = path.join(projectDir, lockFileName);
+        if (fs.existsSync(originalLockPath)) {
+            await fsp.copyFile(originalLockPath, path.join(tempDir, lockFileName));
+        }
+
+        // Copy config files if present (for registry configuration and workspace setup)
+        const configFiles = ['.npmrc', '.yarnrc', '.yarnrc.yml', '.pnpmfile.cjs', 'pnpm-workspace.yaml'];
+        for (const configFile of configFiles) {
+            const configPath = path.join(projectDir, configFile);
+            if (fs.existsSync(configPath)) {
+                await fsp.copyFile(configPath, path.join(tempDir, configFile));
+            }
+        }
+
+        // Run package manager install
+        const result = runInstall(pm, {
+            cwd: tempDir,
+            lockOnly,
+            timeout
+        });
+
+        if (!result.success) {
+            return {
+                success: false,
+                error: result.error || result.stderr || 'Unknown error'
+            };
+        }
+
+        // Read back the updated lock file
+        const updatedLockPath = path.join(tempDir, lockFileName);
+        let lockFileContent: string | undefined;
+        if (fs.existsSync(updatedLockPath)) {
+            lockFileContent = await fsp.readFile(updatedLockPath, 'utf-8');
+        }
+
+        return {
+            success: true,
+            lockFileContent
+        };
+
+    } finally {
+        // Cleanup temp directory
+        try {
+            await fsp.rm(tempDir, {recursive: true, force: true});
+        } catch {
+            // Ignore cleanup errors
+        }
+    }
+}

package/src/javascript/recipes/index.ts

@@ -17,5 +17,6 @@
 export * from "./async-callback-in-sync-array-method";
 export * from "./auto-format";
 export * from "./upgrade-dependency-version";
+export * from "./upgrade-transitive-dependency-version";
 export * from "./order-imports";
 export * from "./change-import";

package/src/javascript/recipes/upgrade-dependency-version.ts

@@ -26,18 +26,11 @@ import {
     PackageManager,
     readNpmrcConfigs
 } from "../node-resolution-result";
-import * as fs from "fs";
-import * as fsp from "fs/promises";
 import * as path from "path";
-import * as os from "os";
 import * as semver from "semver";
 import {markupWarn, replaceMarkerByKind} from "../../markers";
 import {TreePrinters} from "../../print";
-import {
-    getAllLockFileNames,
-    getLockFileName,
-    runInstall
-} from "../package-manager";
+import {getAllLockFileNames, getLockFileName, runInstallInTempDir} from "../package-manager";
 
 /**
  * Represents a dependency scope in package.json
@@ -90,7 +83,7 @@ interface Accumulator {
 }
 
 /**
- * Upgrades the version of a dependency in package.json and updates the lock file.
+ * Upgrades the version of a direct dependency in package.json and updates the lock file.
  *
  * This recipe:
  * 1. Finds package.json files containing the specified dependency
@@ -98,15 +91,15 @@ interface Accumulator {
  * 3. Runs the package manager to update the lock file
  * 4. Updates the NodeResolutionResult marker with new dependency info
  *
- * TODO: Consider adding a `resolveToLatestMatching` option that would use `npm install <pkg>@<version>`
- * to let the package manager resolve the constraint to the latest matching version.
- * For example, `^22.0.0` would become `^22.19.1` (the latest version satisfying ^22.0.0).
- * This would be similar to how Maven's UpgradeDependencyVersion works with version selectors.
+ * For upgrading transitive dependencies (those pulled in indirectly by your direct
+ * dependencies), use `UpgradeTransitiveDependencyVersion` instead.
+ *
+ * @see UpgradeTransitiveDependencyVersion for transitive dependencies
  */
 export class UpgradeDependencyVersion extends ScanningRecipe<Accumulator> {
     readonly name = "org.openrewrite.javascript.dependencies.upgrade-dependency-version";
     readonly displayName = "Upgrade npm dependency version";
-    readonly description = "Upgrades the version of a dependency in `package.json` and updates the lock file by running the package manager.";
+    readonly description = "Upgrades the version of a direct dependency in `package.json` and updates the lock file by running the package manager.";
 
     @Option({
         displayName: "Package name",
@@ -169,7 +162,7 @@ export class UpgradeDependencyVersion extends ScanningRecipe<Accumulator> {
         const recipe = this;
 
         return new class extends JsonVisitor<ExecutionContext> {
-            protected async visitDocument(doc: Json.Document, ctx: ExecutionContext): Promise<Json | undefined> {
+            protected async visitDocument(doc: Json.Document, _ctx: ExecutionContext): Promise<Json | undefined> {
                 // Only process package.json files
                 if (!doc.sourcePath.endsWith('package.json')) {
                     return doc;
@@ -180,48 +173,54 @@ export class UpgradeDependencyVersion extends ScanningRecipe<Accumulator> {
                     return doc;
                 }
 
+                // Get the project directory and package manager
+                const projectDir = path.dirname(path.resolve(doc.sourcePath));
+                const pm = marker.packageManager ?? PackageManager.Npm;
+
                 // Check each dependency scope for the target package
                 const scopes: DependencyScope[] = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];
+                let foundScope: DependencyScope | undefined;
+                let currentVersion: string | undefined;
 
                 for (const scope of scopes) {
                     const deps = marker[scope];
                     const dep = deps?.find(d => d.name === recipe.packageName);
 
                     if (dep) {
-                        const currentVersion = dep.versionConstraint;
-
-                        // Check if version needs updating using semver comparison
-                        // Only upgrade if the new version is strictly newer than current
-                        if (recipe.shouldUpgrade(currentVersion, recipe.newVersion)) {
-                            // Get the project directory from the marker path
-                            const projectDir = path.dirname(path.resolve(doc.sourcePath));
-
-                            // Use package manager from marker (set during parsing), default to npm
-                            const pm = marker.packageManager ?? PackageManager.Npm;
-
-                            // Check if the resolved version already satisfies the new constraint.
-                            // If so, we can skip running the package manager entirely.
-                            const resolvedDep = marker.resolvedDependencies?.find(
-                                rd => rd.name === recipe.packageName
-                            );
-                            const skipInstall = resolvedDep !== undefined &&
-                                semver.satisfies(resolvedDep.version, recipe.newVersion);
-
-                            acc.projectsToUpdate.set(doc.sourcePath, {
-                                projectDir,
-                                packageJsonPath: doc.sourcePath,
-                                originalPackageJson: await this.printDocument(doc),
-                                dependencyScope: scope,
-                                currentVersion,
-                                newVersion: recipe.newVersion,
-                                packageManager: pm,
-                                skipInstall
-                            });
-                        }
-                        break; // Found the dependency, no need to check other scopes
+                        foundScope = scope;
+                        currentVersion = dep.versionConstraint;
+                        break;
                     }
                 }
 
+                if (!foundScope || !currentVersion) {
+                    return doc; // Dependency not found in any scope
+                }
+
+                // Check if upgrade is needed
+                if (!recipe.shouldUpgrade(currentVersion, recipe.newVersion)) {
+                    return doc; // Already at target version or newer
+                }
+
+                // Check if we can skip running the package manager
+                // (resolved version already satisfies the new constraint)
+                const resolvedDep = marker.resolvedDependencies?.find(
+                    rd => rd.name === recipe.packageName
+                );
+                const skipInstall = resolvedDep !== undefined &&
+                    semver.satisfies(resolvedDep.version, recipe.newVersion);
+
+                acc.projectsToUpdate.set(doc.sourcePath, {
+                    projectDir,
+                    packageJsonPath: doc.sourcePath,
+                    originalPackageJson: await this.printDocument(doc),
+                    dependencyScope: foundScope,
+                    currentVersion,
+                    newVersion: recipe.newVersion,
+                    packageManager: pm,
+                    skipInstall
+                });
+
                 return doc;
             }
 
@@ -331,69 +330,32 @@ export class UpgradeDependencyVersion extends ScanningRecipe<Accumulator> {
         updateInfo: ProjectUpdateInfo,
         _ctx: ExecutionContext
     ): Promise<void> {
-        const pm = updateInfo.packageManager;
-        const lockFileName = getLockFileName(pm);
-
-        // Create temp directory
-        const tempDir = await fsp.mkdtemp(path.join(os.tmpdir(), 'openrewrite-pm-'));
-
-        try {
-            // Create modified package.json with the new version constraint
-            const modifiedPackageJson = this.createModifiedPackageJson(
-                updateInfo.originalPackageJson,
-                updateInfo.dependencyScope,
-                updateInfo.newVersion
-            );
-
-            // Write modified package.json to temp directory
-            await fsp.writeFile(path.join(tempDir, 'package.json'), modifiedPackageJson);
-
-            // Copy existing lock file if present
-            const originalLockPath = path.join(updateInfo.projectDir, lockFileName);
-            if (fs.existsSync(originalLockPath)) {
-                await fsp.copyFile(originalLockPath, path.join(tempDir, lockFileName));
-            }
-
-            // Copy config files if present (for registry configuration and workspace setup)
-            const configFiles = ['.npmrc', '.yarnrc', '.yarnrc.yml', '.pnpmfile.cjs', 'pnpm-workspace.yaml'];
-            for (const configFile of configFiles) {
-                const configPath = path.join(updateInfo.projectDir, configFile);
-                if (fs.existsSync(configPath)) {
-                    await fsp.copyFile(configPath, path.join(tempDir, configFile));
-                }
-            }
-
-            // Run package manager install to validate the version and update lock file
-            const result = runInstall(pm, {
-                cwd: tempDir,
-                lockOnly: true,
-                timeout: 120000 // 2 minute timeout
-            });
+        // Create modified package.json with the new version constraint
+        const modifiedPackageJson = this.createModifiedPackageJson(
+            updateInfo.originalPackageJson,
+            updateInfo.dependencyScope,
+            updateInfo.newVersion
+        );
 
-            if (result.success) {
-                // Store the modified package.json (we'll use our visitor for actual output)
-                acc.updatedPackageJsons.set(updateInfo.packageJsonPath, modifiedPackageJson);
+        const result = await runInstallInTempDir(
+            updateInfo.projectDir,
+            updateInfo.packageManager,
+            modifiedPackageJson
+        );
 
-                // Read back the updated lock file
-                const updatedLockPath = path.join(tempDir, lockFileName);
-                if (fs.existsSync(updatedLockPath)) {
-                    const updatedLockContent = await fsp.readFile(updatedLockPath, 'utf-8');
-                    const lockFilePath = updateInfo.packageJsonPath.replace('package.json', lockFileName);
-                    acc.updatedLockFiles.set(lockFilePath, updatedLockContent);
-                }
-            } else {
-                // Track the failure - don't update package.json, the version likely doesn't exist
-                const errorMessage = result.error || result.stderr || 'Unknown error';
-                acc.failedProjects.set(updateInfo.packageJsonPath, errorMessage);
-            }
+        if (result.success) {
+            // Store the modified package.json (we'll use our visitor for actual output)
+            acc.updatedPackageJsons.set(updateInfo.packageJsonPath, modifiedPackageJson);
 
-        } finally {
-            // Cleanup temp directory
-            try {
-                await fsp.rm(tempDir, {recursive: true, force: true});
-            } catch {
-                // Ignore cleanup errors
+            // Store the updated lock file content
+            if (result.lockFileContent) {
+                const lockFileName = getLockFileName(updateInfo.packageManager);
+                const lockFilePath = updateInfo.packageJsonPath.replace('package.json', lockFileName);
+                acc.updatedLockFiles.set(lockFilePath, result.lockFileContent);
             }
+        } else {
+            // Track the failure - don't update package.json, the version likely doesn't exist
+            acc.failedProjects.set(updateInfo.packageJsonPath, result.error || 'Unknown error');
         }
     }