dependabot · deivid-rodriguez · May 11, 2023
@@ -42,7 +42,7 @@ def self.register_name_normaliser(package_manager, name_builder)
 
     def initialize(name:, requirements:, package_manager:, version: nil,
                    previous_version: nil, previous_requirements: nil,
-                   subdependency_metadata: [], removed: false, metadata: {})
+                   subdependency_metadata: [], removed: false, on_package_manager: false, metadata: {})
       @name = name
       @version = version
       @requirements = requirements.map { |req| symbolize_keys(req) }
@@ -55,6 +55,7 @@ def initialize(name:, requirements:, package_manager:, version: nil,
                                   &.map { |h| symbolize_keys(h) }
       end
       @removed = removed
+      @on_package_manager = on_package_manager
       @metadata = symbolize_keys(metadata || {})
 
       check_values
@@ -68,6 +69,10 @@ def removed?
       @removed
     end
 
+    def on_package_manager?
+      @on_package_manager
+    end
+
     def numeric_version
       @numeric_version ||= version_class.new(version) if version && version_class.correct?(version)
     end
@@ -81,7 +86,8 @@ def to_h
         "previous_requirements" => previous_requirements,
         "package_manager" => package_manager,
         "subdependency_metadata" => subdependency_metadata,
-        "removed" => removed? ? true : nil
+        "removed" => removed? ? true : nil,
+        "on_package_manager" => on_package_manager? ? true : nil
       }.compact
     end
 

@@ -184,7 +184,8 @@ def updated_dependency_with_own_req_unlock
           previous_requirements: dependency.requirements,
           package_manager: dependency.package_manager,
           metadata: dependency.metadata,
-          subdependency_metadata: dependency.subdependency_metadata
+          subdependency_metadata: dependency.subdependency_metadata,
+          on_package_manager: dependency.on_package_manager?
         )
       end
 

@@ -9,6 +9,7 @@
 require "dependabot/shared_helpers"
 require "dependabot/npm_and_yarn/helpers"
 require "dependabot/npm_and_yarn/native_helpers"
+require "dependabot/npm_and_yarn/package_manager"
 require "dependabot/npm_and_yarn/version"
 require "dependabot/npm_and_yarn/requirement"
 require "dependabot/git_metadata_fetcher"
@@ -78,9 +79,30 @@ def manifest_dependencies
           end
         end
 
+        pnpm_version = package_manager.locked_version("pnpm")
+
+        if pnpm_version
+          dependency_set << Dependency.new(
+            name: "pnpm",
+            version: pnpm_version,
+            package_manager: "npm_and_yarn",
+            requirements: [{
+              requirement: pnpm_version,
+              file: "package.json",
+              groups: ["dependencies"],
+              source: nil
+            }],
+            on_package_manager: true
+          )
+        end
+
         dependency_set
       end
 
+      def package_manager
+        @package_manager ||= PackageManager.new(parsed_root_package_file)
+      end
+
       def lockfile_parser
         @lockfile_parser ||= LockfileParser.new(
           dependency_files: dependency_files
@@ -334,6 +356,10 @@ def url_for_relevant_cred(resolved_url)
         resolved_url.gsub(/#{Regexp.quote(reg)}.*/, "") + reg
       end
 
+      def parsed_root_package_file
+        JSON.parse(root_package_file.content)
+      end
+
       def package_files
         @package_files ||=
           begin
@@ -345,12 +371,16 @@ def package_files
               .reject(&:support_file?)
 
             [
-              dependency_files.find { |f| f.name == "package.json" },
+              root_package_file,
               *sub_packages
             ].compact
           end
       end
 
+      def root_package_file
+        @root_package_file ||= dependency_files.find { |f| f.name == "package.json" }
+      end
+
       def version_class
         NpmAndYarn::Version
       end

@@ -29,7 +29,7 @@ def updated_package_json_content
 
               new_content = update_package_json_declaration(
                 package_json_content: content,
-                dependency_name: dep.name,
+                dependency: dep,
                 old_req: old_req,
                 new_req: new_req
               )
@@ -80,7 +80,23 @@ def updated_requirements(dependency)
         end
 
         def update_package_json_declaration(package_json_content:, new_req:,
-                                            dependency_name:, old_req:)
+                                            dependency:, old_req:)
+          args = {
+            package_json_content: package_json_content,
+            new_req: new_req,
+            dependency_name: dependency.name,
+            old_req: old_req
+          }
+
+          if dependency.on_package_manager?
+            update_package_manager_declaration(**args)
+          else
+            update_dependency_declaration(**args)
+          end
+        end
+
+        def update_dependency_declaration(package_json_content:, new_req:,
+                                          dependency_name:, old_req:)
           original_line = declaration_line(
             dependency_name: dependency_name,
             dependency_req: old_req,
@@ -140,6 +156,16 @@ def update_package_json_resolutions(package_json_content:, new_req:,
           content
         end
 
+        def update_package_manager_declaration(package_json_content:, new_req:,
+                                               dependency_name:, old_req:)
+          parsed_json_content = JSON.parse(package_json_content)
+          package_manager = parsed_json_content["packageManager"]
+
+          return package_json_content unless package_manager == "#{dependency_name}@#{old_req[:requirement]}"
+
+          package_json_content.sub("\"#{package_manager}\"", "\"#{dependency_name}@#{new_req[:requirement]}\"")
+        end
+
         def declaration_line(dependency_name:, dependency_req:, content:)
           git_dependency = dependency_req.dig(:source, :type) == "git"
 

@@ -42,11 +42,11 @@ def run_pnpm_update(pnpm_lock:)
             File.write(".npmrc", npmrc_content(pnpm_lock))
 
             SharedHelpers.with_git_configured(credentials: credentials) do
-              run_pnpm_updater
+              run_pnpm_updater unless dependencies.first.on_package_manager?
 
               write_final_package_json_files
 
-              run_pnpm_install
+              sync_lockfile
 
               File.read(pnpm_lock.name)
             end
@@ -64,7 +64,7 @@ def run_pnpm_updater
           )
         end
 
-        def run_pnpm_install
+        def sync_lockfile
           SharedHelpers.run_shell_command(
             "pnpm install --lockfile-only"
           )

@@ -93,7 +93,7 @@ def initialize(dependency:, credentials:, dependency_files:,
         end
 
         def latest_resolvable_version
-          return latest_allowable_version if git_dependency?(dependency)
+          return latest_allowable_version if git_dependency?(dependency) || dependency.on_package_manager?
           return if part_of_tightly_locked_monorepo?
           return if types_update_available?
           return if original_package_update_available?