Handle dealiasing of manifests

brrygrdn · brrygrdn · commit 6cb976f62b29 · 2026-05-19T17:09:02.000+01:00
diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb
@@ -240,6 +240,9 @@ def manifest_dependencies
             next if requirement.start_with?("workspace:", "catalog:")
 
             requirement = "*" if requirement == ""
+
+            name, requirement = dealias_package(name, requirement) if dealias_packages?
+
             dep = build_dependency(
               file: file, type: type, name: name, requirement: requirement
             )
@@ -388,6 +391,64 @@ def aliased_package_name?(name)
         name.include?("@#{NpmPackageManager::NAME}:")
       end
 
+      sig { returns(T::Boolean) }
+      def dealias_packages?
+        options.fetch(:dealias_packages, false) == true
+      end
+
+      # Resolves an aliased manifest entry to its real package name and requirement.
+      # Yarn-style: "my-fetch-factory@npm:fetch-factory": "0.0.2"
+      # npm-style: "my-fetch-factory": "npm:fetch-factory@0.0.2"
+      sig { params(name: String, requirement: String).returns([String, String]) }
+      def dealias_package(name, requirement)
+        if aliased_package_name?(name)
+          real_name = extract_real_name_from_alias_key(name)
+          name = real_name if real_name
+        elsif alias_package?(requirement)
+          parsed = parse_alias_package_requirement(requirement)
+          if parsed
+            name = T.must(parsed[:name])
+            requirement = T.must(parsed[:requirement])
+          end
+        end
+
+        [name, requirement]
+      end
+
+      # npm-style: "npm:fetch-factory@0.0.2" → { name: "fetch-factory", requirement: "0.0.2" }
+      # npm-style: "npm:@scope/pkg@^1.0.0" → { name: "@scope/pkg", requirement: "^1.0.0" }
+      sig { params(requirement: String).returns(T.nilable(T::Hash[Symbol, String])) }
+      def parse_alias_package_requirement(requirement)
+        return nil unless requirement.start_with?("#{NpmPackageManager::NAME}:")
+
+        rest = requirement.delete_prefix("#{NpmPackageManager::NAME}:")
+
+        if rest.start_with?("@")
+          second_at = rest.index("@", 1)
+          if second_at
+            { name: rest[0...second_at], requirement: rest[(second_at + 1)..] }
+          else
+            { name: rest, requirement: "*" }
+          end
+        else
+          at_index = rest.index("@")
+          if at_index
+            { name: rest[0...at_index], requirement: rest[(at_index + 1)..] }
+          else
+            { name: rest, requirement: "*" }
+          end
+        end
+      end
+
+      # Yarn-style: "my-fetch-factory@npm:fetch-factory" → "fetch-factory"
+      sig { params(name: String).returns(T.nilable(String)) }
+      def extract_real_name_from_alias_key(name)
+        match = name.match(/@#{NpmPackageManager::NAME}:(.+)$/o)
+        return nil unless match
+
+        match[1]
+      end
+
       sig { returns(T::Array[String]) }
       def workspace_package_names
         @workspace_package_names ||= T.let(
diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_parser_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_parser_spec.rb
@@ -1152,6 +1152,26 @@
           end
         end
 
+        context "with an npm aliased dependency" do
+          let(:files) { project_dependency_files("grapher/npm_with_alias") }
+
+          it "doesn't include the aliased dependency" do
+            expect(top_level_dependencies.map(&:name)).to include("etag")
+            expect(top_level_dependencies.map(&:name)).not_to include("is-number")
+            expect(top_level_dependencies.map(&:name)).not_to include("my-is-number")
+          end
+        end
+
+        context "with a pnpm aliased dependency" do
+          let(:files) { project_dependency_files("pnpm/aliased_dependency") }
+
+          it "doesn't include the aliased dependency" do
+            expect(top_level_dependencies.map(&:name)).to include("etag")
+            expect(top_level_dependencies.map(&:name)).not_to include("fetch-factory")
+            expect(top_level_dependencies.map(&:name)).not_to include("my-fetch-factory")
+          end
+        end
+
         context "with an aliased dependency name (only supported by yarn)" do
           let(:files) { project_dependency_files("yarn/aliased_dependency_name") }
 
@@ -1196,6 +1216,64 @@
           end
         end
 
+        context "with an npm aliased dependency and dealias_packages enabled" do
+          let(:files) { project_dependency_files("grapher/npm_with_alias") }
+          let(:parser) do
+            described_class.new(
+              dependency_files: files,
+              source: source,
+              credentials: credentials,
+              options: { dealias_packages: true }
+            )
+          end
+
+          it "includes the real aliased package (is-number)" do
+            expect(top_level_dependencies.map(&:name)).to include("is-number")
+            expect(top_level_dependencies.map(&:name)).to include("etag")
+            expect(top_level_dependencies.map(&:name)).not_to include("my-is-number")
+          end
+        end
+
+        context "with a pnpm aliased dependency and dealias_packages enabled" do
+          let(:files) { project_dependency_files("pnpm/aliased_dependency") }
+          let(:parser) do
+            described_class.new(
+              dependency_files: files,
+              source: source,
+              credentials: credentials,
+              options: { dealias_packages: true }
+            )
+          end
+
+          it "includes the real aliased package (fetch-factory)" do
+            expect(top_level_dependencies.map(&:name)).to include("fetch-factory")
+            expect(top_level_dependencies.map(&:name)).not_to include("my-fetch-factory")
+          end
+        end
+
+        context "with an aliased dependency, dealias_packages enabled, and no lockfile" do
+          let(:files) { project_dependency_files("npm8/aliased_dependency_no_lockfile") }
+          let(:parser) do
+            described_class.new(
+              dependency_files: files,
+              source: source,
+              credentials: credentials,
+              options: { dealias_packages: true }
+            )
+          end
+
+          it "includes the real aliased package with the requirement as version" do
+            dep = top_level_dependencies.find { |d| d.name == "is-number" }
+            expect(dep).to_not be_nil
+            expect(dep.version).to be_nil
+            expect(dep.requirements.first[:requirement]).to eq("^7.0.0")
+          end
+
+          it "still includes non-aliased packages" do
+            expect(top_level_dependencies.map(&:name)).to include("etag")
+          end
+        end
+
         context "with a git dependency" do
           let(:files) { project_dependency_files("npm6_and_yarn/git_dependency") }
 
diff --git a/npm_and_yarn/spec/fixtures/projects/npm8/aliased_dependency_no_lockfile/package.json b/npm_and_yarn/spec/fixtures/projects/npm8/aliased_dependency_no_lockfile/package.json
@@ -0,0 +1,8 @@
+{
+  "name": "alias-no-lockfile-test",
+  "version": "1.0.0",
+  "dependencies": {
+    "my-is-number": "npm:is-number@^7.0.0",
+    "etag": "^1.8.1"
+  }
+}
