Fix issue #13972: Ensure 'Sourced from' links format correctly for scoped packages (#14833)

When scoped package names (@scope/pkg) appear in markdown links, they were
being processed incorrectly:
1. Added guard to skip team-mention-shaped text already inside links
2. For team mentions inside links: insert zero-width space (prevents notifications)
   without replacing the text node (preserves link formatting)
3. For team mentions outside links: use normal code-wrapped node replacement

This fixes both the formatting issue (#13972) and prevents unwanted team
notifications for scoped package names in 'Sourced from' release notes links.

Co-authored-by: v-HaripriyaC <v-haripriyac@microsoft.com>

Author: v-HaripriyaC

common/lib/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer.rb

@@ -106,23 +106,25 @@ def sanitize_mentions(doc)
           end
         end
 
-        # When we come across something that looks like a team mention (e.g. @dependabot/reviewers),
-        # we replace it with a text node.
-        # This is because there are ecosystems that have packages that follow the same pattern
-        # (e.g. @angular/angular-cli), and we don't want to create an invalid link, since
-        # team mentions link to `https://github.com/org/:organization_name/teams/:team_name`.
+        # Sanitize team mentions (e.g. @org/team) to prevent notifications; must run before sanitize_mentions.
         sig { params(doc: Commonmarker::Node).void }
         def sanitize_team_mentions(doc)
           doc.walk do |node|
             if node.type == :text &&
                node.string_content.match?(TEAM_MENTION_REGEX)
+              if parent_node_link?(node)
+                # Preserve text node formatting while preventing notifications with zero-width space
+                node.string_content = node.string_content.gsub(TEAM_MENTION_REGEX) do |match|
+                  insert_zero_width_space_in_mention(match)
+                end
+              else
+                nodes = build_team_mention_nodes(node.string_content)
 
-              nodes = build_team_mention_nodes(node.string_content)
-
-              nodes.each do |n|
-                node.insert_before(n)
+                nodes.each do |n|
+                  node.insert_before(n)
+                end
+                node.delete
               end
-              node.delete
             end
           end
         end

common/spec/dependabot/pull_request_creator/message_builder/link_and_mention_sanitizer_spec.rb

@@ -233,6 +233,36 @@
           )
         end
       end
+
+      context "when a scoped package name is inside a link" do
+        let(:text) { "Sourced from [@adamlui/minify.js](https://npmjs.com/package/@adamlui/minify.js)" }
+
+        it "preserves the link without partial code formatting" do
+          expect(sanitize_links_and_mentions).to eq(
+            "<p>Sourced from <a href=\"https://npmjs.com/package/@adamlui/minify.js\">" \
+            "@\u200Badamlui/minify.js</a></p>\n"
+          )
+        end
+      end
+
+      context "when a scoped package name without extension is inside a link" do
+        let(:text) { "Sourced from [@angular/cli](https://npmjs.com/package/@angular/cli)" }
+
+        it "preserves the link without code formatting" do
+          expect(sanitize_links_and_mentions).to eq(
+            "<p>Sourced from <a href=\"https://npmjs.com/package/@angular/cli\">" \
+            "@\u200Bangular/cli</a></p>\n"
+          )
+        end
+      end
+
+      context "when a team mention is inside a link" do
+        let(:text) { "Reviewed by [@dependabot/reviewers](https://github.com/orgs/dependabot/teams/reviewers)" }
+
+        it "inserts zero-width space to prevent notifications" do
+          expect(sanitize_links_and_mentions).to include("@\u200Bdependabot/reviewers")
+        end
+      end
     end
 
     context "with empty text" do