Merge pull request #15099 from dependabot/brrygrdn/dg-11931-capture-multi-version-graphs

[Graph] Fix handling of multiple version resolution

Author: brrygrdn

npm_and_yarn/lib/dependabot/npm_and_yarn/dependency_grapher.rb

@@ -27,6 +27,31 @@ def relevant_dependency_file
         lockfile || package_json
       end
 
+      # Override to expand multi-version dependencies into separate resolved
+      # dependency entries. When the same package exists at multiple versions
+      # (e.g., is-number@6.0.0 direct + is-number@7.0.0 transitive), each
+      # version gets its own entry with correct subdependency edges.
+      sig { override.returns(T::Hash[String, Dependabot::DependencyGraphers::ResolvedDependency]) }
+      def resolved_dependencies
+        prepare! unless prepared
+
+        @dependencies.each_with_object({}) do |dep, resolved|
+          all_versions = dep.metadata[:all_versions] || [dep]
+
+          all_versions.each do |version_dep|
+            purl = build_purl(version_dep)
+            next if resolved.key?(purl)
+
+            resolved[purl] = Dependabot::DependencyGraphers::ResolvedDependency.new(
+              package_url: purl,
+              direct: version_dep.top_level?,
+              runtime: version_dep.production?,
+              dependencies: subdependency_purls_for(version_dep)
+            )
+          end
+        end
+      end
+
       sig { override.void }
       def prepare!
         if lockfile.nil?
@@ -156,7 +181,48 @@ def emit_missing_lockfile_warning!
 
       sig { override.params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
       def fetch_subdependencies(dependency)
-        package_relationships.fetch(dependency.name, [])
+        key = "#{dependency.name}@#{dependency.version}"
+        package_relationships.fetch(key, [])
+      end
+
+      # Builds purl strings for subdependencies directly from the name@version
+      # entries in package_relationships, without going through dependencies_by_name
+      # which only holds one combined dep per package name.
+      sig { params(dependency: Dependabot::Dependency).returns(T::Array[String]) }
+      def subdependency_purls_for(dependency)
+        return [] if errored_fetching_subdependencies
+
+        key = "#{dependency.name}@#{dependency.version}"
+        children = package_relationships.fetch(key, [])
+
+        children.filter_map do |child_key|
+          child_name, child_version = split_name_version(child_key)
+          next unless child_name && child_version
+
+          purl_name = child_name.sub(/^@/, "%40")
+          format(PURL_TEMPLATE, type: "npm", name: purl_name, version: "@#{child_version}")
+        end
+      rescue StandardError => e
+        errored_fetching_subdependencies!
+        @subdependency_error = T.let(e, T.nilable(StandardError))
+        Dependabot.logger.error("Error fetching subdependencies: #{e.message}")
+        []
+      end
+
+      # Splits a "name@version" string, handling scoped packages like "@scope/pkg@1.0.0"
+      sig { params(name_version: String).returns([T.nilable(String), T.nilable(String)]) }
+      def split_name_version(name_version)
+        # For scoped packages (@scope/name@version), find the second @
+        at_index = if name_version.start_with?("@")
+                     name_version.index("@", 1)
+                   else
+                     name_version.index("@")
+                   end
+        return [name_version, nil] unless at_index
+
+        version = name_version[(at_index + 1)..]
+        version = nil if version.nil? || version.empty?
+        [name_version[0...at_index], version]
       end
 
       sig { returns(T::Hash[String, T::Array[String]]) }
@@ -225,14 +291,67 @@ def fetch_npm_lock_relationships
             children = details.fetch("dependencies", {}).keys
             next if children.empty?
 
-            rels[path.split("node_modules/").last] = children
+            package_name = path.split("node_modules/").last
+            version = details["version"]
+            next if version.nil? || version.to_s.empty?
+
+            resolved = resolve_npm_v3_children(packages, path, children)
+            rels["#{package_name}@#{version}"] = resolved unless resolved.empty?
           end
         end
 
         # if packages isn't present, attempt a v1 fallback
         fetch_npm_v1_lock_relationships(parsed)
       end
 
+      sig do
+        params(
+          packages: T::Hash[String, T.untyped],
+          parent_path: String,
+          children: T::Array[String]
+        ).returns(T::Array[String])
+      end
+      def resolve_npm_v3_children(packages, parent_path, children)
+        children.filter_map do |child_name|
+          child_details = resolve_npm_child(packages, parent_path, child_name)
+          next unless child_details
+
+          child_version = child_details["version"]
+          next if child_version.nil? || child_version.to_s.empty?
+
+          "#{child_name}@#{child_version}"
+        end
+      end
+
+      # Walks up the node_modules tree to resolve a child dependency,
+      # matching Node.js module resolution behavior.
+      sig do
+        params(
+          packages: T::Hash[String, T.untyped],
+          parent_path: String,
+          child_name: String
+        ).returns(T.nilable(T::Hash[String, T.untyped]))
+      end
+      def resolve_npm_child(packages, parent_path, child_name)
+        # First check directly nested under parent
+        candidate = "#{parent_path}/node_modules/#{child_name}"
+        return packages[candidate] if packages.key?(candidate)
+
+        # Walk up the tree: strip trailing node_modules/pkg segments
+        segments = parent_path.split("node_modules/")
+        segments.pop # remove the current package segment
+
+        while segments.any?
+          candidate = "#{segments.join('node_modules/')}node_modules/#{child_name}"
+          return packages[candidate] if packages.key?(candidate)
+
+          segments.pop
+        end
+
+        # Top-level fallback
+        packages["node_modules/#{child_name}"]
+      end
+
       sig { params(parsed: T::Hash[String, T.untyped]).returns(T::Hash[String, T::Array[String]]) }
       def fetch_npm_v1_lock_relationships(parsed)
         dependencies = parsed.fetch("dependencies", {})
@@ -244,29 +363,73 @@ def fetch_npm_v1_lock_relationships(parsed)
           nested = details.fetch("dependencies", nil)
           next unless nested.is_a?(Hash)
 
-          children = nested.keys
-          rels[name] = children unless children.empty?
+          version = details["version"]
+          next if version.nil? || version.to_s.empty?
+
+          children = resolve_npm_v1_children(nested)
+          rels["#{name}@#{version}"] = children unless children.empty?
           rels.merge!(fetch_npm_v1_lock_relationships(details))
         end
       end
 
+      sig { params(nested: T::Hash[String, T.untyped]).returns(T::Array[String]) }
+      def resolve_npm_v1_children(nested)
+        nested.filter_map do |child_name, child_details|
+          next unless child_details.is_a?(Hash)
+
+          child_version = child_details["version"]
+          next if child_version.nil? || child_version.to_s.empty?
+
+          "#{child_name}@#{child_version}"
+        end
+      end
+
       sig { returns(T::Hash[String, T::Array[String]]) }
       def fetch_yarn_lock_relationships
         parsed = FileParser::YarnLock.new(T.must(yarn_lockfile)).parsed
 
         parsed.each_with_object({}) do |(req, details), rels|
           next unless details.is_a?(Hash)
 
+          version = details["version"]
           parent_name = T.must(req.split(/(?<=\w)\@/).first)
-          children = details.fetch("dependencies", {})&.keys || []
+          children = details.fetch("dependencies", {})
+
+          next if children.nil? || children.empty?
+
+          key = "#{parent_name}@#{version}"
+          resolved_children = resolve_yarn_children(children, parsed)
 
-          next if children.empty?
+          rels[key] ||= []
+          rels[key].concat(resolved_children).uniq!
+        end
+      end
 
-          rels[parent_name] ||= []
-          rels[parent_name].concat(children).uniq!
+      sig { params(children: T::Hash[String, String], parsed: T::Hash[String, T.untyped]).returns(T::Array[String]) }
+      def resolve_yarn_children(children, parsed)
+        children.filter_map do |child_name, child_req|
+          version = resolve_yarn_child_version(child_name, child_req, parsed)
+          "#{child_name}@#{version}" if version
         end
       end
 
+      sig { params(child_name: String, child_req: String, parsed: T::Hash[String, T.untyped]).returns(T.nilable(String)) }
+      def resolve_yarn_child_version(child_name, child_req, parsed)
+        # Try exact key first
+        child_entry = parsed["#{child_name}@#{child_req}"]
+        return child_entry["version"] if child_entry && child_entry["version"]
+
+        # Yarn groups multiple requirements into single keys like "foo@^1.0.0, foo@^1.2.0"
+        target_req = "#{child_name}@#{child_req}"
+        grouped_match = parsed.find { |k, _| k.split(", ").include?(target_req) }
+        return grouped_match.last["version"] if grouped_match && grouped_match.last["version"]
+
+        # Fallback: find by name only if there's exactly one candidate
+        candidates = parsed.select { |k, _| k.split(/(?<=\w)\@/).first == child_name }
+        candidate = candidates.first
+        candidate.last["version"] if candidates.size == 1 && candidate
+      end
+
       sig { returns(T::Hash[String, T::Array[String]]) }
       def fetch_pnpm_lock_relationships
         parsed = YAML.safe_load(T.must(T.must(pnpm_lockfile).content)) || {}
@@ -278,13 +441,25 @@ def fetch_pnpm_lock_relationships
           next unless details.is_a?(Hash)
 
           # Keys are "/name@version" (v6) or "name@version" (v9)
-          parent_name = key.sub(%r{^/}, "").split(/(?<=\w)\@/).first
-          children = details.fetch("dependencies", {})&.keys || []
+          name_version = key.sub(%r{^/}, "")
+          children = details.fetch("dependencies", {})
+
+          next if children.nil? || children.empty?
+
+          # Strip any pnpm suffix metadata (e.g., parenthesized peer dep info)
+          name_version = name_version.sub(/\(.*\)$/, "")
 
-          next if children.empty?
+          # pnpm dependencies are already resolved: {"name": "version"}
+          # Strip any peer metadata suffixes like "7.49.0(react@18.2.0)"
+          resolved_children = children.filter_map do |child_name, child_version|
+            clean_version = child_version.to_s.sub(/\(.*\)$/, "")
+            next if clean_version.empty?
+
+            "#{child_name}@#{clean_version}"
+          end
 
-          rels[parent_name] ||= []
-          rels[parent_name].concat(children).uniq!
+          rels[name_version] ||= []
+          rels[name_version].concat(resolved_children).uniq!
         end
       end