Remove avoid_duplicate_updates_package_json FF from dependabot-core

[Copilot]

What are you trying to accomplish?

Remove the avoid_duplicate_updates_package_json feature flag, making its "enabled" behavior the permanent code path.

The flag guarded logic that avoids raising "Expected content to change!" when a dependency in the update batch is not present in package.json (e.g., a transitive dep only needing a lockfile update). With the flag removed, the check content == new_content && unique_deps_count > 1 is now unconditional.

Anything you want to highlight for special attention from reviewers?

Production code (npm_and_yarn and bun PackageJsonUpdater):

• Two flag-gated conditionals collapsed into one modifier-style raise: raises only when multiple unique deps are being updated and content didn't change
• When unique_deps_count == 1 (same dep name appearing multiple times, e.g. in both dependencies and devDependencies), unchanged content is silently allowed — this is the duplicate/transitive dep case the flag was protecting
• Removed the now-unnecessary rubocop:disable/enable Metrics/PerceivedComplexity directives since the simplified code no longer triggers the cop
• Updated inline comments in both npm_and_yarn and bun PackageJsonUpdater to accurately describe the raise behavior: no-op updates are tolerated for a single unique dependency name, but treated as unexpected when multiple unique deps are being updated

Test code (6 spec files):

• Removed allow(Experiments).to receive(:enabled?).with(:avoid_duplicate_updates_package_json) stubs from file_updater_spec, yarn_lockfile_updater_spec, npm_lockfile_updater_spec, and bun/file_updater_spec
• Removed Experiments.register/reset! blocks that were gating the package_json_updater_spec test — the test now exercises the behavior directly without experiment setup
• Updated yarn_lockfile_updater_spec test for misconfigured .yarnrc.yml to expect Dependabot::MisconfiguredTooling instead of "Expected content to change!" — with the FF removed, single-dep scenarios no longer early-exit with the generic error and instead correctly surface the real misconfiguration error from yarn
• Removed redundant enable_private_registry_for_corepack experiment stubs in file_updater_spec and npm_lockfile_updater_spec where the flag was stubbed true then immediately overridden to false

How will you know you've accomplished your goal?

Existing test suite passes, including the "when updating multiple dependencies that results in 'package.json' update only once" spec which validates the preserved behavior, and the "with a missing double quotes token value in the .yarnrc.yml" spec which now validates the correct MisconfiguredTooling error is raised.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

---

📍 Connect Copilot coding agent with Jira, Azure Boards or Linear to delegate work to Copilot in one click without leaving your project management tool.

[pavera]

@copilot please fix the failing npm_and_yarn ci test and the lint errors.

[Copilot]

@copilot please fix the failing npm_and_yarn ci test and the lint errors.

Fixed in e8ed038:

• Lint: Removed unnecessary rubocop:disable/enable Metrics/PerceivedComplexity and converted if block to modifier style per Style/IfUnlessModifier (all 4 offenses resolved).
• Test: Updated yarn_lockfile_updater_spec.rb:143 to expect Dependabot::MisconfiguredTooling instead of "Expected content to change!". With the FF removed (keeping the "enabled" behavior), single-dep scenarios no longer early-exit with that generic error — the yarn updater now proceeds and correctly detects the misconfigured .yarnrc.yml.

[Copilot]

Pull request overview

Removes the avoid_duplicate_updates_package_json experiment flag and makes the previously “enabled” behavior the default for PackageJsonUpdater logic in the npm_and_yarn and bun ecosystems, along with corresponding spec cleanups/expectation updates.

Changes:

• Collapses feature-flag-gated package.json no-op detection into a single unconditional guard (raise only when updating >1 unique dep name and content didn’t change).
• Removes experiment stubbing/registration related to avoid_duplicate_updates_package_json across affected specs.
• Updates a Yarn lockfile updater spec to expect Dependabot::MisconfiguredTooling for a misconfigured .yarnrc.yml case.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb	Removes experiment gating and simplifies the no-op content guard logic.
bun/lib/dependabot/bun/file_updater/package_json_updater.rb	Mirrors the same experiment removal and simplified guard logic as npm/yarn.
npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater_spec.rb	Removes stubbing for the removed experiment flag.
npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater_spec.rb	Removes stubbing for the removed experiment flag.
npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater_spec.rb	Removes stubbing for the removed experiment flag and updates expected error type for .yarnrc.yml misconfiguration.
npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/package_json_updater_spec.rb	Removes experiment register/unregister scaffolding around the multi-dependency behavior spec.
bun/spec/dependabot/bun/file_updater_spec.rb	Removes stubbing/resetting related to the removed experiment flag.

[Copilot]

The comment claims we “avoid throwing an exception and let the update continue”, but the code still raises when content == new_content and unique_deps_count > 1. Please adjust the comment to reflect the actual behavior (no-op updates are only allowed when the update batch contains a single unique dependency name).

Suggested change

	# most likely a transitive dependency which only needs an update in the lockfile. We avoid
	# throwing an exception and let the update continue.
	# most likely a transitive dependency which only needs an update in the lockfile. We allow this
	# kind of no-op update only when updating a single unique dependency name; otherwise we raise.

[Copilot]

In this before block, Dependabot::Experiments.enabled?(:enable_private_registry_for_corepack) is stubbed twice (first true, then false). The second stub overrides the first, so the true stub is dead code and makes the setup harder to reason about. Please remove the redundant stub or replace with a single stub that returns the intended value(s).

See below for a potential fix:

      .with(:enable_private_registry_for_corepack).and_return(false)
  end

  after do

  after do

[Copilot]

Dependabot::Experiments.enabled?(:enable_private_registry_for_corepack) is stubbed twice back-to-back (to true and then false). The second stub overrides the first, so the true stub is ineffective and confusing. Consider removing the redundant stub or using a single stub with the intended return value(s).

See below for a potential fix:

[pavera]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Applied all three review comments in 74bb777:

1. Updated the comment in bun/PackageJsonUpdater to accurately describe the raise behavior (now matches the npm_and_yarn version)
2. Removed redundant enable_private_registry_for_corepack stub in file_updater_spec.rb (was stubbed true then immediately overridden to false)
3. Removed same redundant stub in npm_lockfile_updater_spec.rb