Add deno lockfile support (#15153)

* Add Deno helpers module for invoking the CLI

* Add Deno LockfileUpdater for regenerating deno.lock

* Emit updated deno.lock from Deno file updater

* Refresh Deno README implementation status

* Refactor Deno lockfile updater: extract ManifestUpdater and tighten error handling

* Truncate large deno install error output

* Drift-proof Deno lockfile specs and document test requirements

* Fix Sorbet strict-mode complaints in Deno helpers and manifest updater

* CI feedback: SharedHelpers subprocess and stronger Sorbet sigils

Author: sbs44

deno/README.md

@@ -15,24 +15,45 @@ Deno support for [`dependabot-core`][core-repo].
   [dependabot-core-dev] ~ $ cd deno && rspec
   ```
 
+  The lockfile-regeneration specs (`spec/dependabot/deno/file_updater/lockfile_updater_spec.rb`) shell out
+  to a real `deno install` and hit the JSR/npm registries. They expect the `deno` binary on `PATH` and
+  network access — both are provided by the `bin/docker-dev-shell deno` image, but local runs outside
+  the container need them too.
+
 [core-repo]: https://github.com/dependabot/dependabot-core
 
 ### Implementation Status
 
-This ecosystem is currently under development. See [NEW_ECOSYSTEMS.md](../NEW_ECOSYSTEMS.md) for implementation guidelines.
-
 #### Required Classes
-- [ ] FileFetcher
-- [ ] FileParser
-- [ ] UpdateChecker
-- [ ] FileUpdater
+- [x] FileFetcher
+- [x] FileParser
+- [x] UpdateChecker
+- [x] FileUpdater (manifest + `deno.lock` regeneration)
 
 #### Optional Classes
-- [ ] MetadataFinder
-- [ ] Version
-- [ ] Requirement
+- [x] MetadataFinder (npm sources; jsr returns nil)
+- [x] Version
+- [x] Requirement
 
 #### Supporting Infrastructure
-- [ ] Comprehensive unit tests
-- [ ] CI/CD integration
-- [ ] Documentation
+- [x] Comprehensive unit tests
+- [x] CI/CD integration
+- [x] Documentation
+
+### Supported
+
+- `deno.json` and `deno.jsonc` import maps
+- `jsr:` and `npm:` specifiers (scoped, unscoped, versionless, sub-path)
+- `deno.lock` regeneration when the manifest changes
+- Cooldown for direct dependencies
+
+### Not yet supported (planned)
+
+- HTTPS imports (`https://deno.land/x/...`)
+- `scopes` field overrides
+- `vendor/` directory regeneration
+- Workspaces (nested `deno.json`)
+- `links` field (local package overrides)
+- `DENO_AUTH_TOKENS` / private registries
+- Frozen-lockfile UX (we pass `--frozen=false` and may overwrite a frozen lockfile)
+- Custom lockfile path (`"lock": { "path": "..." }`)

deno/lib/dependabot/deno.rb

@@ -9,6 +9,7 @@
 require "dependabot/deno/file_updater"
 require "dependabot/deno/metadata_finder"
 require "dependabot/deno/package/package_details_fetcher"
+require "dependabot/deno/helpers"
 require "dependabot/deno/version"
 require "dependabot/deno/requirement"
 

deno/lib/dependabot/deno/file_updater.rb

@@ -1,4 +1,4 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
 require "dependabot/file_updaters"
@@ -9,6 +9,9 @@ module Deno
     class FileUpdater < Dependabot::FileUpdaters::Base
       extend T::Sig
 
+      require_relative "file_updater/manifest_updater"
+      require_relative "file_updater/lockfile_updater"
+
       MANIFEST_FILENAMES = T.let(%w(deno.json deno.jsonc).freeze, T::Array[String])
 
       sig { override.returns(T::Array[Dependabot::DependencyFile]) }
@@ -24,6 +27,13 @@ def updated_dependency_files
           updated_files << updated_file(file: file, content: new_content)
         end
 
+        if lockfile
+          updated_files << updated_file(
+            file: T.must(lockfile),
+            content: lockfile_updater.updated_lockfile_content
+          )
+        end
+
         updated_files
       end
 
@@ -36,28 +46,29 @@ def check_required_files
         raise "No deno.json or deno.jsonc found!"
       end
 
-      sig { params(file: Dependabot::DependencyFile).returns(String) }
-      def update_manifest_content(file)
-        content = T.must(file.content)
-
-        dependencies.each do |dep|
-          prev_reqs = dep.previous_requirements&.select { |r| r[:file] == file.name } || []
-          new_reqs = dep.requirements.select { |r| r[:file] == file.name }
-
-          prev_reqs.zip(new_reqs).each do |prev_req, new_req|
-            source_type = prev_req[:source][:type]
-            prev_req_str = prev_req[:requirement]
-            new_req_str = T.must(new_req)[:requirement]
-
-            base = "#{source_type}:#{dep.name}"
-            old_specifier = prev_req_str ? "#{base}@#{prev_req_str}" : base
-            new_specifier = "#{base}@#{new_req_str}"
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def lockfile
+        @lockfile ||= T.let(
+          dependency_files.find { |f| f.name == "deno.lock" },
+          T.nilable(Dependabot::DependencyFile)
+        )
+      end
 
-            content = content.gsub(%r{#{Regexp.escape(old_specifier)}(?=["/])}, new_specifier)
-          end
-        end
+      sig { returns(LockfileUpdater) }
+      def lockfile_updater
+        @lockfile_updater ||= T.let(
+          LockfileUpdater.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files,
+            credentials: credentials
+          ),
+          T.nilable(LockfileUpdater)
+        )
+      end
 
-        content
+      sig { params(file: Dependabot::DependencyFile).returns(String) }
+      def update_manifest_content(file)
+        ManifestUpdater.new(dependencies: dependencies, manifest: file).updated_manifest_content
       end
     end
   end

deno/lib/dependabot/deno/file_updater/lockfile_updater.rb

@@ -0,0 +1,119 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "json"
+require "sorbet-runtime"
+
+require "dependabot/dependency"
+require "dependabot/dependency_file"
+require "dependabot/errors"
+require "dependabot/shared_helpers"
+require "dependabot/deno/file_updater"
+require "dependabot/deno/file_updater/manifest_updater"
+require "dependabot/deno/helpers"
+
+module Dependabot
+  module Deno
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      class LockfileUpdater
+        extend T::Sig
+
+        LOCKFILE_FILENAME = T.let("deno.lock", String)
+
+        sig do
+          params(
+            dependencies: T::Array[Dependabot::Dependency],
+            dependency_files: T::Array[Dependabot::DependencyFile],
+            credentials: T::Array[Dependabot::Credential]
+          ).void
+        end
+        def initialize(dependencies:, dependency_files:, credentials:)
+          @dependencies = dependencies
+          @dependency_files = dependency_files
+          # Reserved for DENO_AUTH_TOKENS / private registry support — accepted now
+          # so callers don't need a signature change when that lands.
+          @credentials = credentials
+        end
+
+        sig { returns(String) }
+        def updated_lockfile_content
+          @updated_lockfile_content ||= T.let(
+            regenerate_lockfile,
+            T.nilable(String)
+          )
+        end
+
+        private
+
+        sig { returns(T::Array[Dependabot::Dependency]) }
+        attr_reader :dependencies
+
+        sig { returns(T::Array[Dependabot::DependencyFile]) }
+        attr_reader :dependency_files
+
+        sig { returns(T::Array[Dependabot::Credential]) }
+        attr_reader :credentials
+
+        sig { returns(String) }
+        def regenerate_lockfile
+          # Deno rewrites `deno.lock` holistically (not surgically) when its
+          # input manifest references newer constraints. Don't try to
+          # preserve unrelated entries here — that's deno install's job.
+          #
+          # Note on error detection: `deno install` exits 0 even when a
+          # specifier can't be resolved (missing package, unsatisfiable
+          # constraint) — it just silently leaves the lockfile unchanged.
+          # The byte-equal check below is the primary defense; the rescue
+          # wraps the rare-but-real cases where deno does exit non-zero
+          # (malformed config, binary missing, filesystem errors).
+          original_lockfile_content = T.must(lockfile.content)
+
+          new_content =
+            begin
+              SharedHelpers.in_a_temporary_directory do |dir|
+                write_temporary_files(dir.to_s)
+                Helpers.run_deno_command("install", "--frozen=false", dir: dir.to_s)
+                File.read(File.join(dir.to_s, LOCKFILE_FILENAME))
+              end
+            rescue SharedHelpers::HelperSubprocessFailed, Errno::ENOENT => e
+              raise Dependabot::DependencyFileNotResolvable, e.message
+            end
+
+          if new_content == original_lockfile_content
+            raise Dependabot::DependencyFileNotResolvable,
+                  "deno install did not change #{LOCKFILE_FILENAME}; manifest bump did not take effect"
+          end
+
+          new_content
+        end
+
+        sig { params(dir: String).void }
+        def write_temporary_files(dir)
+          File.write(File.join(dir, manifest.name), updated_manifest_content)
+          File.write(File.join(dir, LOCKFILE_FILENAME), T.must(lockfile.content))
+        end
+
+        sig { returns(String) }
+        def updated_manifest_content
+          ManifestUpdater.new(dependencies: dependencies, manifest: manifest).updated_manifest_content
+        end
+
+        sig { returns(Dependabot::DependencyFile) }
+        def manifest
+          @manifest ||= T.let(
+            T.must(dependency_files.find { |f| FileUpdater::MANIFEST_FILENAMES.include?(f.name) }),
+            T.nilable(Dependabot::DependencyFile)
+          )
+        end
+
+        sig { returns(Dependabot::DependencyFile) }
+        def lockfile
+          @lockfile ||= T.let(
+            T.must(dependency_files.find { |f| f.name == LOCKFILE_FILENAME }),
+            T.nilable(Dependabot::DependencyFile)
+          )
+        end
+      end
+    end
+  end
+end

deno/lib/dependabot/deno/file_updater/manifest_updater.rb

@@ -0,0 +1,73 @@
+# typed: strict
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/dependency"
+require "dependabot/dependency_file"
+require "dependabot/deno/file_updater"
+
+module Dependabot
+  module Deno
+    class FileUpdater
+      class ManifestUpdater
+        extend T::Sig
+
+        sig do
+          params(
+            dependencies: T::Array[Dependabot::Dependency],
+            manifest: Dependabot::DependencyFile
+          ).void
+        end
+        def initialize(dependencies:, manifest:)
+          @dependencies = dependencies
+          @manifest = manifest
+        end
+
+        sig { returns(String) }
+        def updated_manifest_content
+          content = T.must(manifest.content).dup
+
+          dependencies.each do |dep|
+            prev_reqs = (dep.previous_requirements || []).select { |r| r[:file] == manifest.name }
+            new_reqs = dep.requirements.select { |r| r[:file] == manifest.name }
+
+            prev_reqs.zip(new_reqs).each do |prev_req, new_req|
+              content = apply_substitution(content, dep, prev_req, T.must(new_req))
+            end
+          end
+
+          content
+        end
+
+        private
+
+        sig { returns(T::Array[Dependabot::Dependency]) }
+        attr_reader :dependencies
+
+        sig { returns(Dependabot::DependencyFile) }
+        attr_reader :manifest
+
+        sig do
+          params(
+            content: String,
+            dep: Dependabot::Dependency,
+            prev_req: T::Hash[Symbol, T.untyped],
+            new_req: T::Hash[Symbol, T.untyped]
+          ).returns(String)
+        end
+        def apply_substitution(content, dep, prev_req, new_req)
+          source_type = prev_req[:source][:type]
+          prev_req_str = prev_req[:requirement]
+          new_req_str = new_req[:requirement]
+
+          base = "#{source_type}:#{dep.name}"
+          old_specifier = prev_req_str ? "#{base}@#{prev_req_str}" : base
+          new_specifier = "#{base}@#{new_req_str}"
+
+          content.gsub(%r{#{Regexp.escape(old_specifier)}(?=["/])}, new_specifier)
+        end
+      end
+    end
+  end
+end

deno/lib/dependabot/deno/helpers.rb

@@ -0,0 +1,33 @@
+# typed: strong
+# frozen_string_literal: true
+
+require "sorbet-runtime"
+
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Deno
+    module Helpers
+      extend T::Sig
+
+      # Wraps `deno <args>` via Dependabot's standard subprocess helper, so
+      # failures surface as Dependabot::SharedHelpers::HelperSubprocessFailed
+      # (consistent with cargo / bun / npm_and_yarn). DENO_DIR is scoped to
+      # the working directory so concurrent jobs don't trample each other's
+      # module cache.
+      sig do
+        params(
+          args: String,
+          dir: String
+        ).returns(String)
+      end
+      def self.run_deno_command(*args, dir:)
+        Dependabot::SharedHelpers.run_shell_command(
+          "deno #{args.join(' ')}",
+          cwd: dir,
+          env: { "DENO_DIR" => File.join(dir, ".deno_cache") }
+        )
+      end
+    end
+  end
+end