Audit fix fallback (#14589)

* Audit fix  fallback for no-op updates for transitive deps

* receive -> receive_messages

* Update npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater_spec.rb

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Refactor lockfile update checks to compare original and updated content for npm and yarn

* Track audit fix usage in dependencies for improved PR naming

* added feature flag

* Better support for pnpm

* Add tests for audit fix fallback behavior in subdependency version resolver

* fixing tests

* Add --force flag to npm audit fix and fix yarn updater to reuse updated_content

Agent-Logs-Url: https://github.com/dependabot/dependabot-core/sessions/988c3f95-a729-413c-98ac-994924de2c00

Co-authored-by: robaiken <6567647+robaiken@users.noreply.github.com>

* make sure we are returning version for berry workspaces

* Revert pnpm audit fix if it modifies package.json

pnpm audit --fix adds overrides to package.json. Since run_pnpm_update
and run_pnpm_updater only return lockfile content, a manifest change
would produce inconsistent output. Snapshot package.json files before
the fallback and revert both manifest(s) and lockfile if any change is
detected.

* Try pnpm update --depth Infinity before pnpm audit --fix

Adds a first-tier fallback that runs pnpm update --depth Infinity <dep>
(with -r --include-workspace-root for workspaces) when the regular
update is a no-op. This updates transitive dependencies in the lockfile
without modifying any package.json (unlike pnpm audit --fix).

If --depth Infinity is also a no-op we fall through to the existing
audit --fix path.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <copilot@users.noreply.github.com>

Author: 4 people

common/lib/dependabot/pull_request_creator/message_builder.rb

@@ -214,6 +214,7 @@ def message
       sig { returns(String) }
       def solo_pr_name
         name = library? ? library_pr_name : application_pr_name
+        name += " (via audit fix)" if dependencies.any? { |dep| dep.metadata[:audit_fix_used] }
         "#{name}#{pr_name_directory}"
       end
 

common/spec/dependabot/pull_request_creator/message_builder_spec.rb

@@ -239,6 +239,12 @@ def commits_details(base:, head:)
           it { is_expected.to start_with("[Security] Bump business") }
         end
 
+        context "when a dependency has audit_fix_used metadata" do
+          let(:metadata) { { audit_fix_used: true } }
+
+          it { is_expected.to eq("Bump business from 1.4.0 to 1.5.0 (via audit fix)") }
+        end
+
         context "with two dependencies" do
           let(:dependency2) do
             Dependabot::Dependency.new(
@@ -717,6 +723,15 @@ def commits_details(base:, head:)
           it { is_expected.to start_with("[Security] Update business") }
         end
 
+        context "when a dependency has audit_fix_used metadata" do
+          let(:metadata) { { audit_fix_used: true } }
+
+          it "appends (via audit fix) to the PR name" do
+            expect(pr_name)
+              .to eq("Update business requirement from ~> 1.4.0 to ~> 1.5.0 (via audit fix)")
+          end
+        end
+
         context "with two dependencies" do
           let(:dependency2) do
             Dependabot::Dependency.new(

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -79,21 +79,9 @@ def handle_pnpm_support_file_no_change!(updated_files)
         return unless original_pnpm_locks.any?
         return unless updated_files.none? || updated_files.all?(&:support_file?)
 
-        raise_tool_not_supported_for_pnpm_if_transitive
         raise_miss_configured_tooling_if_pnpm_subdirectory
       end
 
-      sig { void }
-      def raise_tool_not_supported_for_pnpm_if_transitive
-        return if dependencies.empty? || dependencies.any?(&:top_level?)
-
-        raise ToolFeatureNotSupported.new(
-          tool_name: "pnpm",
-          tool_type: "package_manager",
-          feature: "updating transitive dependencies"
-        )
-      end
-
       # rubocop:disable Metrics/PerceivedComplexity
       sig { void }
       def raise_miss_configured_tooling_if_pnpm_subdirectory

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -332,8 +332,27 @@ def run_npm_subdependency_updater(sub_dependencies:)
         sig { params(sub_dependencies: T::Array[Dependabot::Dependency]).returns(T::Hash[String, String]) }
         def run_npm8_subdependency_updater(sub_dependencies:)
           dependency_names = sub_dependencies.map(&:name)
+          original_content = File.read(lockfile_basename)
+
           NativeHelpers.run_npm8_subdependency_update_command(dependency_names)
-          { lockfile_basename => File.read(lockfile_basename) }
+
+          updated_content = File.read(lockfile_basename)
+          if updated_content == original_content && Dependabot::Experiments.enabled?(:enable_audit_fix_fallback)
+            # `npm update` is a no-op for transitive dependencies not listed in
+            # any package.json (common in workspace repos). Fall back to
+            # `npm audit fix` which can update these in the lockfile.
+            # npm audit fix exits non-zero when vulnerabilities remain, so we
+            # rescue and use whatever lockfile changes it managed to make.
+            begin
+              NativeHelpers.run_npm_audit_fix_command
+              sub_dependencies.each { |dep| dep.metadata[:audit_fix_used] = true }
+            rescue SharedHelpers::HelperSubprocessFailed
+              Dependabot.logger.info("npm audit fix failed or partially fixed — continuing with any changes made")
+            end
+            updated_content = File.read(lockfile_basename)
+          end
+
+          { lockfile_basename => updated_content }
         end
 
         sig { params(dependency: Dependabot::Dependency).returns(T.nilable(String)) }

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -155,6 +155,8 @@ def run_pnpm_update(pnpm_lock:, updated_pnpm_workspace_content: nil)
             File.write(".npmrc", npmrc_content(pnpm_lock))
 
             SharedHelpers.with_git_configured(credentials: credentials) do
+              original_content = File.read(pnpm_lock.name)
+
               if updated_pnpm_workspace_content
                 File.write("pnpm-workspace.yaml", updated_pnpm_workspace_content["pnpm-workspace.yaml"])
               else
@@ -164,7 +166,18 @@ def run_pnpm_update(pnpm_lock:, updated_pnpm_workspace_content: nil)
 
               run_pnpm_install
 
-              File.read(pnpm_lock.name)
+              updated_content = File.read(pnpm_lock.name)
+              if updated_content == original_content && Dependabot::Experiments.enabled?(:enable_audit_fix_fallback)
+                run_pnpm_deep_update_fallback
+                updated_content = File.read(pnpm_lock.name)
+              end
+
+              if updated_content == original_content && Dependabot::Experiments.enabled?(:enable_audit_fix_fallback)
+                run_pnpm_audit_fix_fallback(pnpm_lock, original_content)
+                updated_content = File.read(pnpm_lock.name)
+              end
+
+              updated_content
             end
           end
         end
@@ -188,6 +201,54 @@ def run_pnpm_install
           )
         end
 
+        # Tries `pnpm update --depth Infinity <dep>` for each dependency as a
+        # first-tier fallback when the regular update is a no-op (typically
+        # transitive deps not listed in any package.json). Unlike `audit --fix`
+        # this does not write `overrides` to package.json.
+        sig { void }
+        def run_pnpm_deep_update_fallback
+          recursive = workspace_files.any?
+          dependencies.each do |dep|
+            NativeHelpers.run_pnpm_deep_update_command(dep.name, recursive: recursive)
+            dep.metadata[:deep_update_used] = true
+          end
+        rescue SharedHelpers::HelperSubprocessFailed
+          Dependabot.logger.info(
+            "pnpm update --depth Infinity failed or partially fixed — continuing with any changes made"
+          )
+        end
+
+        # Runs `pnpm audit --fix` as a fallback when the primary update is a no-op.
+        # `pnpm audit --fix` adds `overrides` to `package.json` — since we can
+        # only return lockfile content from `run_pnpm_update`, any manifest
+        # changes would produce inconsistent output. If audit-fix modifies a
+        # package.json we revert both the manifest(s) and lockfile so the
+        # overall operation behaves as a no-op.
+        sig { params(pnpm_lock: Dependabot::DependencyFile, original_content: String).void }
+        def run_pnpm_audit_fix_fallback(pnpm_lock, original_content)
+          package_json_snapshots = Dir.glob("**/package.json").to_h { |f| [f, File.read(f)] }
+
+          begin
+            NativeHelpers.run_pnpm_audit_fix_command
+            run_pnpm_install
+
+            manifest_changed = package_json_snapshots.any? { |f, c| File.read(f) != c }
+            if manifest_changed
+              Dependabot.logger.info(
+                "pnpm audit --fix modified package.json (overrides) — reverting fallback"
+              )
+              package_json_snapshots.each { |f, c| File.write(f, c) }
+              File.write(pnpm_lock.name, original_content)
+            else
+              dependencies.each { |dep| dep.metadata[:audit_fix_used] = true }
+            end
+          rescue SharedHelpers::HelperSubprocessFailed
+            Dependabot.logger.info(
+              "pnpm audit --fix failed or partially fixed — continuing with any changes made"
+            )
+          end
+        end
+
         sig { returns(T::Array[Dependabot::DependencyFile]) }
         def workspace_files
           @workspace_files ||= T.let(

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -254,8 +254,23 @@ def run_yarn_berry_subdependency_updater(yarn_lock:)
             ["remove #{dep.name} #{yarn_berry_args}".strip, "remove <dep_name> #{yarn_berry_args}".strip]
           ]
 
+          original_content = File.read(yarn_lock.name)
           Helpers.run_yarn_commands(*commands)
-          { yarn_lock.name => File.read(yarn_lock.name) }
+
+          updated_content = File.read(yarn_lock.name)
+          if updated_content == original_content && Dependabot::Experiments.enabled?(:enable_audit_fix_fallback)
+            begin
+              NativeHelpers.run_yarn_audit_fix_command
+              dep.metadata[:audit_fix_used] = true
+            rescue SharedHelpers::HelperSubprocessFailed
+              Dependabot.logger.info(
+                "yarn npm audit --fix failed or partially fixed — continuing with any changes made"
+              )
+            end
+            updated_content = File.read(yarn_lock.name)
+          end
+
+          { yarn_lock.name => updated_content }
         end
 
         sig { returns(String) }

npm_and_yarn/lib/dependabot/npm_and_yarn/native_helpers.rb

@@ -45,6 +45,53 @@ def self.run_npm8_subdependency_update_command(dependency_names)
 
         Helpers.run_npm_command(command, fingerprint: fingerprint)
       end
+
+      sig { returns(String) }
+      def self.run_npm_audit_fix_command
+        # Fallback for transitive dependencies in workspace repos where
+        # `npm update` is a no-op because the package isn't in package.json.
+        # `npm audit fix` updates all fixable vulnerabilities in the lockfile.
+        # `--force` ignores checks for platform (os, cpu) and engines,
+        # matching the flags used by run_npm8_subdependency_update_command.
+        command = "audit fix --force --package-lock-only --ignore-scripts"
+        fingerprint = "audit fix --force --package-lock-only --ignore-scripts"
+
+        Helpers.run_npm_command(command, fingerprint: fingerprint)
+      end
+
+      sig { returns(String) }
+      def self.run_pnpm_audit_fix_command
+        # Fallback for transitive dependencies where `pnpm update` is a no-op.
+        # `pnpm audit --fix` adds overrides to the manifest for vulnerable deps.
+        Helpers.run_pnpm_command(
+          "audit --fix",
+          fingerprint: "audit --fix"
+        )
+      end
+
+      sig { params(dependency_name: String, recursive: T::Boolean).returns(String) }
+      def self.run_pnpm_deep_update_command(dependency_name, recursive: false)
+        # `pnpm update --depth Infinity <dep>` traverses the full dependency
+        # graph, allowing transitive dependencies to be updated in the lockfile
+        # without modifying any package.json (unlike `pnpm audit --fix`).
+        # `-r --include-workspace-root` is required for workspace repos so the
+        # update is applied across all packages.
+        flags = recursive ? "-r --include-workspace-root " : ""
+        Helpers.run_pnpm_command(
+          "#{flags}update #{dependency_name} --depth Infinity --lockfile-only",
+          fingerprint: "#{flags}update <dependency_name> --depth Infinity --lockfile-only"
+        )
+      end
+
+      sig { returns(String) }
+      def self.run_yarn_audit_fix_command
+        # Fallback for transitive dependencies where `yarn up -R` is a no-op.
+        # `yarn npm audit --fix` updates vulnerable deps in the lockfile.
+        Helpers.run_yarn_command(
+          "npm audit --fix --mode update-lockfile",
+          fingerprint: "npm audit --fix --mode update-lockfile"
+        )
+      end
     end
   end
 end