Try pnpm update --depth Infinity before pnpm audit --fix

Copilot · robaiken · commit 4b777e581ce1 · 2026-04-27T14:54:13.000Z
Adds a first-tier fallback that runs pnpm update --depth Infinity &lt;dep&gt;
(with -r --include-workspace-root for workspaces) when the regular
update is a no-op. This updates transitive dependencies in the lockfile
without modifying any package.json (unlike pnpm audit --fix).

If --depth Infinity is also a no-op we fall through to the existing
audit --fix path.
diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb
@@ -167,6 +167,11 @@ def run_pnpm_update(pnpm_lock:, updated_pnpm_workspace_content: nil)
               run_pnpm_install
 
               updated_content = File.read(pnpm_lock.name)
+              if updated_content == original_content && Dependabot::Experiments.enabled?(:enable_audit_fix_fallback)
+                run_pnpm_deep_update_fallback
+                updated_content = File.read(pnpm_lock.name)
+              end
+
               if updated_content == original_content && Dependabot::Experiments.enabled?(:enable_audit_fix_fallback)
                 run_pnpm_audit_fix_fallback(pnpm_lock, original_content)
                 updated_content = File.read(pnpm_lock.name)
@@ -196,6 +201,23 @@ def run_pnpm_install
           )
         end
 
+        # Tries `pnpm update --depth Infinity <dep>` for each dependency as a
+        # first-tier fallback when the regular update is a no-op (typically
+        # transitive deps not listed in any package.json). Unlike `audit --fix`
+        # this does not write `overrides` to package.json.
+        sig { void }
+        def run_pnpm_deep_update_fallback
+          recursive = workspace_files.any?
+          dependencies.each do |dep|
+            NativeHelpers.run_pnpm_deep_update_command(dep.name, recursive: recursive)
+            dep.metadata[:deep_update_used] = true
+          end
+        rescue SharedHelpers::HelperSubprocessFailed
+          Dependabot.logger.info(
+            "pnpm update --depth Infinity failed or partially fixed — continuing with any changes made"
+          )
+        end
+
         # Runs `pnpm audit --fix` as a fallback when the primary update is a no-op.
         # `pnpm audit --fix` adds `overrides` to `package.json` — since we can
         # only return lockfile content from `run_pnpm_update`, any manifest
diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/native_helpers.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/native_helpers.rb
@@ -69,6 +69,20 @@ def self.run_pnpm_audit_fix_command
         )
       end
 
+      sig { params(dependency_name: String, recursive: T::Boolean).returns(String) }
+      def self.run_pnpm_deep_update_command(dependency_name, recursive: false)
+        # `pnpm update --depth Infinity <dep>` traverses the full dependency
+        # graph, allowing transitive dependencies to be updated in the lockfile
+        # without modifying any package.json (unlike `pnpm audit --fix`).
+        # `-r --include-workspace-root` is required for workspace repos so the
+        # update is applied across all packages.
+        flags = recursive ? "-r --include-workspace-root " : ""
+        Helpers.run_pnpm_command(
+          "#{flags}update #{dependency_name} --depth Infinity --lockfile-only",
+          fingerprint: "#{flags}update <dependency_name> --depth Infinity --lockfile-only"
+        )
+      end
+
       sig { returns(String) }
       def self.run_yarn_audit_fix_command
         # Fallback for transitive dependencies where `yarn up -R` is a no-op.
diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb
@@ -235,6 +235,11 @@ def run_pnpm_updater(path, lockfile_name)
               )
 
               updated_content = File.read(lockfile_name)
+              if updated_content == original_content && Dependabot::Experiments.enabled?(:enable_audit_fix_fallback)
+                run_pnpm_deep_update_fallback
+                updated_content = File.read(lockfile_name)
+              end
+
               if updated_content == original_content && Dependabot::Experiments.enabled?(:enable_audit_fix_fallback)
                 run_pnpm_audit_fix_fallback(lockfile_name, original_content)
                 updated_content = File.read(lockfile_name)
@@ -245,6 +250,20 @@ def run_pnpm_updater(path, lockfile_name)
           end
         end
 
+        # First-tier fallback: try `pnpm update --depth Infinity <dep>` to
+        # update transitive dependencies in the lockfile without modifying
+        # any package.json (unlike `pnpm audit --fix`).
+        sig { void }
+        def run_pnpm_deep_update_fallback
+          recursive = Dir.glob("**/pnpm-workspace.yaml").any?
+          NativeHelpers.run_pnpm_deep_update_command(dependency.name, recursive: recursive)
+          dependency.metadata[:deep_update_used] = true
+        rescue SharedHelpers::HelperSubprocessFailed
+          Dependabot.logger.info(
+            "pnpm update --depth Infinity failed or partially fixed — continuing with any changes made"
+          )
+        end
+
         # Runs `pnpm audit --fix` as a fallback when `pnpm update` is a no-op.
         # `pnpm audit --fix` adds `overrides` to `package.json`, but this method
         # only returns the lockfile. If audit-fix modifies any package.json we
diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater_spec.rb
@@ -770,6 +770,13 @@
           expect(Dependabot::NpmAndYarn::Helpers).to receive(:run_pnpm_command)
             .with("install --lockfile-only")
             .ordered
+          expect(Dependabot::NpmAndYarn::Helpers).to receive(:run_pnpm_command)
+            .with(
+              "-r --include-workspace-root update prettier --depth Infinity --lockfile-only",
+              { fingerprint: "-r --include-workspace-root update <dependency_name> --depth Infinity --lockfile-only" }
+            )
+            .ordered
+            .and_return("")
           expect(Dependabot::NpmAndYarn::Helpers).to receive(:run_pnpm_command)
             .with("audit --fix", { fingerprint: "audit --fix" })
             .ordered
diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver_spec.rb
@@ -210,6 +210,19 @@
         latest_resolvable_version
       end
 
+      it "tries pnpm update --depth Infinity before pnpm audit --fix" do
+        allow(Dependabot::NpmAndYarn::Helpers).to receive(:run_pnpm_command).and_return("")
+        allow(Dependabot::NpmAndYarn::NativeHelpers)
+          .to receive_messages(run_pnpm_deep_update_command: "", run_pnpm_audit_fix_command: "")
+
+        expect(Dependabot::NpmAndYarn::NativeHelpers)
+          .to receive(:run_pnpm_deep_update_command).once.ordered
+        expect(Dependabot::NpmAndYarn::NativeHelpers)
+          .to receive(:run_pnpm_audit_fix_command).once.ordered
+
+        latest_resolvable_version
+      end
+
       context "when pnpm audit --fix fails" do
         it "logs and continues without raising" do
           allow(Dependabot::NpmAndYarn::Helpers).to receive(:run_pnpm_command).and_return("")
