Audit fix fallback for no-op updates for transitive deps

Author: robaiken

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -79,21 +79,9 @@ def handle_pnpm_support_file_no_change!(updated_files)
         return unless original_pnpm_locks.any?
         return unless updated_files.none? || updated_files.all?(&:support_file?)
 
-        raise_tool_not_supported_for_pnpm_if_transitive
         raise_miss_configured_tooling_if_pnpm_subdirectory
       end
 
-      sig { void }
-      def raise_tool_not_supported_for_pnpm_if_transitive
-        return if dependencies.empty? || dependencies.any?(&:top_level?)
-
-        raise ToolFeatureNotSupported.new(
-          tool_name: "pnpm",
-          tool_type: "package_manager",
-          feature: "updating transitive dependencies"
-        )
-      end
-
       # rubocop:disable Metrics/PerceivedComplexity
       sig { void }
       def raise_miss_configured_tooling_if_pnpm_subdirectory

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb

@@ -323,7 +323,42 @@ def run_npm_subdependency_updater(sub_dependencies:)
         def run_npm8_subdependency_updater(sub_dependencies:)
           dependency_names = sub_dependencies.map(&:name)
           NativeHelpers.run_npm8_subdependency_update_command(dependency_names)
-          { lockfile_basename => File.read(lockfile_basename) }
+
+          updated_content = File.read(lockfile_basename)
+          if lockfile_content_unchanged?(updated_content, sub_dependencies)
+            # `npm update` is a no-op for transitive dependencies not listed in
+            # any package.json (common in workspace repos). Fall back to
+            # `npm audit fix` which can update these in the lockfile.
+            # npm audit fix exits non-zero when vulnerabilities remain, so we
+            # rescue and use whatever lockfile changes it managed to make.
+            begin
+              NativeHelpers.run_npm_audit_fix_command
+            rescue SharedHelpers::HelperSubprocessFailed
+              Dependabot.logger.info("npm audit fix failed or partially fixed — continuing with any changes made")
+            end
+            updated_content = File.read(lockfile_basename)
+          end
+
+          { lockfile_basename => updated_content }
+        end
+
+        sig do
+          params(
+            updated_content: String,
+            sub_dependencies: T::Array[Dependabot::Dependency]
+          ).returns(T::Boolean)
+        end
+        def lockfile_content_unchanged?(updated_content, sub_dependencies)
+          parsed = JSON.parse(updated_content)
+          packages = parsed.fetch("packages", {})
+
+          sub_dependencies.any? do |dep|
+            packages.any? do |path, details|
+              next false unless path.end_with?("/#{dep.name}") || path == "node_modules/#{dep.name}"
+
+              details["version"] == dep.previous_version
+            end
+          end
         end
 
         sig { params(dependency: Dependabot::Dependency).returns(T.nilable(String)) }

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -255,6 +255,19 @@ def run_yarn_berry_subdependency_updater(yarn_lock:)
           ]
 
           Helpers.run_yarn_commands(*commands)
+
+          updated_content = File.read(yarn_lock.name)
+          if updated_content.include?("#{dep.name}@") &&
+             updated_content.include?("version: #{dep.previous_version}")
+            begin
+              NativeHelpers.run_yarn_audit_fix_command
+            rescue SharedHelpers::HelperSubprocessFailed
+              Dependabot.logger.info(
+                "yarn npm audit --fix failed or partially fixed — continuing with any changes made"
+              )
+            end
+          end
+
           { yarn_lock.name => File.read(yarn_lock.name) }
         end
 

npm_and_yarn/lib/dependabot/npm_and_yarn/native_helpers.rb

@@ -45,6 +45,37 @@ def self.run_npm8_subdependency_update_command(dependency_names)
 
         Helpers.run_npm_command(command, fingerprint: fingerprint)
       end
+
+      sig { returns(String) }
+      def self.run_npm_audit_fix_command
+        # Fallback for transitive dependencies in workspace repos where
+        # `npm update` is a no-op because the package isn't in package.json.
+        # `npm audit fix` updates all fixable vulnerabilities in the lockfile.
+        command = "audit fix --package-lock-only --ignore-scripts"
+        fingerprint = "audit fix --package-lock-only --ignore-scripts"
+
+        Helpers.run_npm_command(command, fingerprint: fingerprint)
+      end
+
+      sig { returns(String) }
+      def self.run_pnpm_audit_fix_command
+        # Fallback for transitive dependencies where `pnpm update` is a no-op.
+        # `pnpm audit --fix` adds overrides to the manifest for vulnerable deps.
+        Helpers.run_pnpm_command(
+          "audit --fix",
+          fingerprint: "audit --fix"
+        )
+      end
+
+      sig { returns(String) }
+      def self.run_yarn_audit_fix_command
+        # Fallback for transitive dependencies where `yarn up -R` is a no-op.
+        # `yarn npm audit --fix` updates vulnerable deps in the lockfile.
+        Helpers.run_yarn_command(
+          "npm audit --fix --mode update-lockfile",
+          fingerprint: "npm audit --fix --mode update-lockfile"
+        )
+      end
     end
   end
 end

npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver.rb

@@ -164,7 +164,20 @@ def run_yarn_berry_updater(path, lockfile_name)
                 "up -R #{dependency.name} #{Helpers.yarn_berry_args}".strip,
                 fingerprint: "up -R <dependency_name> #{Helpers.yarn_berry_args}".strip
               )
-              { lockfile_name => File.read(lockfile_name) }
+
+              updated_content = File.read(lockfile_name)
+              if yarn_update_was_noop?(updated_content)
+                begin
+                  NativeHelpers.run_yarn_audit_fix_command
+                rescue SharedHelpers::HelperSubprocessFailed
+                  Dependabot.logger.info(
+                    "yarn npm audit --fix failed or partially fixed — continuing with any changes made"
+                  )
+                end
+                updated_content = File.read(lockfile_name)
+              end
+
+              { lockfile_name => updated_content }
             end
           end
         end
@@ -177,7 +190,24 @@ def run_pnpm_updater(path, lockfile_name)
                 "update #{dependency.name} --lockfile-only",
                 fingerprint: "update <dependency_name> --lockfile-only"
               )
-              { lockfile_name => File.read(lockfile_name) }
+
+              updated_content = File.read(lockfile_name)
+              if pnpm_update_was_noop?(updated_content)
+                begin
+                  NativeHelpers.run_pnpm_audit_fix_command
+                  Helpers.run_pnpm_command(
+                    "install --lockfile-only",
+                    fingerprint: "install --lockfile-only"
+                  )
+                rescue SharedHelpers::HelperSubprocessFailed
+                  Dependabot.logger.info(
+                    "pnpm audit --fix failed or partially fixed — continuing with any changes made"
+                  )
+                end
+                updated_content = File.read(lockfile_name)
+              end
+
+              { lockfile_name => updated_content }
             end
           end
         end
@@ -188,11 +218,51 @@ def run_npm_updater(path, lockfile_name)
             Dir.chdir(path) do
               NativeHelpers.run_npm8_subdependency_update_command([dependency.name])
 
-              { lockfile_name => File.read(lockfile_name) }
+              updated_content = File.read(lockfile_name)
+              if npm_update_was_noop?(updated_content)
+                # `npm update` is a no-op for transitive dependencies not in
+                # any package.json (common in workspace repos). Fall back to
+                # `npm audit fix` which can resolve these in the lockfile.
+                # npm audit fix exits non-zero when vulnerabilities remain, so
+                # we rescue and use whatever lockfile changes it managed to make.
+                begin
+                  NativeHelpers.run_npm_audit_fix_command
+                rescue SharedHelpers::HelperSubprocessFailed
+                  Dependabot.logger.info("npm audit fix failed or partially fixed — continuing with any changes made")
+                end
+                updated_content = File.read(lockfile_name)
+              end
+
+              { lockfile_name => updated_content }
             end
           end
         end
 
+        sig { params(updated_content: String).returns(T::Boolean) }
+        def npm_update_was_noop?(updated_content)
+          parsed = JSON.parse(updated_content)
+          packages = parsed.fetch("packages", {})
+
+          packages.any? do |path, details|
+            next false unless path.end_with?("/#{dependency.name}") ||
+                              path == "node_modules/#{dependency.name}"
+
+            details["version"] == dependency.version
+          end
+        end
+
+        sig { params(updated_content: String).returns(T::Boolean) }
+        def yarn_update_was_noop?(updated_content)
+          updated_content.include?("\"#{dependency.name}@") &&
+            updated_content.include?("version: #{dependency.version}")
+        end
+
+        sig { params(updated_content: String).returns(T::Boolean) }
+        def pnpm_update_was_noop?(updated_content)
+          updated_content.include?("'#{dependency.name}@#{dependency.version}'") ||
+            updated_content.include?("/#{dependency.name}@#{dependency.version}")
+        end
+
         sig { params(path: String, lockfile_name: String).returns(T::Hash[String, String]) }
         def run_npm6_updater(path, lockfile_name)
           SharedHelpers.with_git_configured(credentials: credentials) do

npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater_spec.rb

@@ -384,6 +384,29 @@
         expect(updated_npm_lock_content).to eq(expected_updated_npm_lock_content)
       end
     end
+
+    context "when updating a subdependency in a workspace repo" do
+      let(:files) { project_dependency_files("npm8/workspace_subdependency_update") }
+
+      let(:dependency_name) { "lodash" }
+      let(:version) { "3.10.2" }
+      let(:previous_version) { "3.10.1" }
+      let(:requirements) { [] }
+      let(:previous_requirements) { [] }
+
+      it "falls back to npm audit fix when npm update is a no-op" do
+        # Simulate npm update being a no-op (transitive dep not in package.json)
+        allow(Dependabot::NpmAndYarn::NativeHelpers)
+          .to receive(:run_npm8_subdependency_update_command).and_return("")
+        allow(Dependabot::NpmAndYarn::NativeHelpers)
+          .to receive(:run_npm_audit_fix_command).and_return("")
+
+        expect(Dependabot::NpmAndYarn::NativeHelpers)
+          .to receive(:run_npm_audit_fix_command).once
+
+        updated_npm_lock_content
+      end
+    end
   end
 
   describe "npm errors" do

npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater_spec.rb

@@ -364,4 +364,33 @@
         .to include("https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3")
     end
   end
+
+  context "when updating a yarn berry sub-dependency and normal update is a no-op" do
+    let(:files) { project_dependency_files("yarn_berry/workspace_subdependency_update") }
+
+    let(:dependency_name) { "lodash" }
+    let(:version) { "3.10.2" }
+    let(:previous_version) { "3.10.1" }
+    let(:requirements) { [] }
+    let(:previous_requirements) { [] }
+
+    before do
+      # Stub run_yarn_commands to simulate a no-op (lockfile still has previous_version)
+      allow(Dependabot::NpmAndYarn::Helpers).to receive(:run_yarn_commands)
+      allow(Dependabot::NpmAndYarn::NativeHelpers)
+        .to receive(:run_yarn_audit_fix_command).and_return("")
+    end
+
+    it "falls back to yarn npm audit --fix when lockfile still has previous version" do
+      expect(Dependabot::NpmAndYarn::NativeHelpers)
+        .to receive(:run_yarn_audit_fix_command).once
+
+      Dir.mktmpdir do |tmp_dir|
+        File.write(File.join(tmp_dir, yarn_lock.name), yarn_lock.content)
+        Dir.chdir(tmp_dir) do
+          updater.send(:run_yarn_berry_subdependency_updater, yarn_lock: yarn_lock)
+        end
+      end
+    end
+  end
 end

npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver_spec.rb

@@ -106,6 +106,32 @@
       it { is_expected.to eq(Gem::Version.new("5.7.4")) }
     end
 
+    context "with a yarn berry workspace subdependency" do
+      let(:dependency_files) { project_dependency_files("yarn_berry/workspace_subdependency_update") }
+
+      let(:dependency) do
+        Dependabot::Dependency.new(
+          name: "lodash",
+          version: "3.10.1",
+          requirements: [],
+          package_manager: "npm_and_yarn"
+        )
+      end
+      let(:latest_allowable_version) { "3.10.2" }
+
+      it "falls back to yarn npm audit --fix when yarn up -R is a no-op" do
+        # Stub yarn up -R to be a no-op (returns unchanged lockfile)
+        allow(Dependabot::NpmAndYarn::Helpers).to receive(:run_yarn_command).and_return("")
+        allow(Dependabot::NpmAndYarn::NativeHelpers)
+          .to receive(:run_yarn_audit_fix_command).and_return("")
+
+        expect(Dependabot::NpmAndYarn::NativeHelpers)
+          .to receive(:run_yarn_audit_fix_command).once
+
+        latest_resolvable_version
+      end
+    end
+
     context "with a pnpm-lock.yaml" do
       let(:dependency_files) { project_dependency_files("pnpm/no_lockfile_change") }
 
@@ -124,6 +150,32 @@
       it { is_expected.to eq(Gem::Version.new("5.7.4")) }
     end
 
+    context "with a pnpm workspace subdependency" do
+      let(:dependency_files) { project_dependency_files("pnpm/workspace_subdependency_update") }
+
+      let(:dependency) do
+        Dependabot::Dependency.new(
+          name: "lodash",
+          version: "3.10.1",
+          requirements: [],
+          package_manager: "npm_and_yarn"
+        )
+      end
+      let(:latest_allowable_version) { "3.10.2" }
+
+      it "falls back to pnpm audit --fix when pnpm update is a no-op" do
+        # Stub pnpm update to be a no-op (returns unchanged lockfile)
+        allow(Dependabot::NpmAndYarn::Helpers).to receive(:run_pnpm_command).and_return("")
+        allow(Dependabot::NpmAndYarn::NativeHelpers)
+          .to receive(:run_pnpm_audit_fix_command).and_return("")
+
+        expect(Dependabot::NpmAndYarn::NativeHelpers)
+          .to receive(:run_pnpm_audit_fix_command).once
+
+        latest_resolvable_version
+      end
+    end
+
     context "with a npm8 package-lock.json" do
       let(:dependency_files) { project_dependency_files("npm8/subdependency_update") }