
Add pnpm transitive update support#14572

Closed
thavaahariharangit wants to merge 5 commits into main from harry/add-pnpm-transitive-update-support

Conversation

@thavaahariharangit
Contributor

@thavaahariharangit thavaahariharangit commented Mar 30, 2026

What are you trying to accomplish?

Enable pnpm security updates for indirect dependencies that previously failed with tool_feature_not_supported.

This change teaches the npm_and_yarn updater to create a root pnpm.overrides entry when a vulnerable transitive dependency needs to be pinned and there is no existing manifest override to update. That gives Dependabot a valid manifest change it can use to drive the lockfile update, instead of treating the run as an unsupported pnpm transitive update.

This fixes the case where pnpm security jobs can identify a vulnerable indirect dependency, but the file updater produces no manifest or lockfile changes and reports the update as unsupported rather than remediating it.

Anything you want to highlight for special attention from reviewers?

Before this change, if the vulnerable package was only pulled in transitively, Dependabot reached the update step and then failed with “updating transitive dependencies” not supported for pnpm. The practical problem was that there was no valid manifest change for Dependabot to make, so the run stopped instead of producing an update.

The fix is straightforward in concept: when pnpm needs to update an indirect dependency and there is no existing override to edit, we now let Dependabot add a root pnpm.overrides entry in package.json. That gives pnpm a concrete manifest instruction, which then allows the lockfile update to happen and the security fix to be proposed normally.

There are also a couple of guardrails around that behavior:

  • It only applies to the pnpm cases where we genuinely need a manifest-level fallback for a subdependency.
  • It avoids changing package.json in older lockfile-only scenarios that should remain lockfile-only.
  • It handles malformed override data defensively instead of crashing.

The PR changes pnpm updates from “Dependabot knows there’s a problem but gives up” to “Dependabot writes the minimal override needed and successfully creates the update.”

How will you know you've accomplished your goal?

Before this change, the workflow failed because Dependabot detected the vulnerable indirect dependency but could not apply a pnpm transitive update:
Reference: https://github.com/thavaahariharangit/pnpm-transitive-core-issue-13177/actions/runs/23739511411/job/69152739352
Summary:

Dependabot encountered '1' error(s) during execution, please check the logs for more details.
+-------------------------------------------------------------------------------------------+
|                               Dependencies failed to update                               |
+------------+----------------------------+-------------------------------------------------+
| Dependency | Error Type                 | Error Details                                   |
+------------+----------------------------+-------------------------------------------------+
| tar-fs     | tool_feature_not_supported | {                                               |
|            |                            |   "tool-name": "pnpm",                          |
|            |                            |   "tool-type": "package_manager",               |
|            |                            |   "feature": "updating transitive dependencies" |
|            |                            | }                                               |
+------------+----------------------------+-------------------------------------------------+
Failure running container 9338a5105f70dc31d3d7771682734e1582357d909c167899b6a3bd43443c091e: Error: Command failed with exit code 1: /bin/sh -c $DEPENDABOT_HOME/dependabot-updater/bin/run update_files

After this change, a local Dependabot CLI run against that same scenario completes successfully and reports a created update for tar-fs instead of an unsupported-feature error:
Summary:

updater | 2026/03/30 11:37:37 INFO Finished job processing
updater | 2026/03/30 11:37:37 INFO Results:
updater | +------------------------------------------+
updater | |   Changes to Dependabot Pull Requests    |
updater | +---------+--------------------------------+
updater | | created | tar-fs ( from 3.1.0 to 3.1.2 ) |
updater | +---------+--------------------------------+
  proxy | 2026/03/30 11:37:37 Skipping sending metrics because api endpoint is empty
  proxy | 2026/03/30 11:37:37 25/116 calls cached (21%)

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
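The manifest-level fallback described above, as an added illustration and not dependabot-core's own PnpmOverrideHelper: given a package.json document, a vulnerable transitive dependency and the target version, it adds a root `pnpm.overrides` entry only when no existing override already covers that package (exact name, `name@range`, or `parent>name` selector keys are assumed to be the pnpm override syntax) and treats a malformed `pnpm` or `pnpm.overrides` section as absent instead of raising.

```ruby
require "json"

# Example helper (constructed for this page, not project code): add a root
# `pnpm.overrides` entry so pnpm has a concrete manifest instruction for
# pinning a vulnerable transitive dependency.
module PnpmOverrideExample
  module_function

  # Package name an override selector key targets, e.g.
  # "tar-fs", "tar-fs@<3.1.2", "prebuild-install>tar-fs", "@types/node@^18".
  def override_target(key)
    segment = key.to_s.split(">").last.to_s.strip
    return segment.split("@").first.to_s unless segment.start_with?("@")

    "@" + segment[1..].to_s.split("@").first.to_s # scoped package
  end

  def existing_override?(overrides, dependency_name)
    overrides.keys.any? { |key| override_target(key) == dependency_name }
  end

  # Returns [manifest_content, changed?]. The content is returned unchanged
  # when the JSON is unparsable, when the manifest is not an object, or when
  # a human-authored override for the dependency already exists (the caller
  # should update that override instead of adding a competing one).
  def add_root_override(package_json_content, dependency_name, target_version)
    manifest = JSON.parse(package_json_content)
    return [package_json_content, false] unless manifest.is_a?(Hash)

    # Defensive handling of malformed data: a non-object `pnpm` or
    # `pnpm.overrides` value is replaced with a well-formed object.
    pnpm_section = manifest["pnpm"]
    pnpm_section = {} unless pnpm_section.is_a?(Hash)
    overrides = pnpm_section["overrides"]
    overrides = {} unless overrides.is_a?(Hash)

    return [package_json_content, false] if existing_override?(overrides, dependency_name)

    overrides[dependency_name] = target_version
    pnpm_section["overrides"] = overrides
    manifest["pnpm"] = pnpm_section
    [JSON.pretty_generate(manifest) + "\n", true]
  rescue JSON::ParserError
    [package_json_content, false]
  end
end
```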

@thavaahariharangit thavaahariharangit requested a review from a team as a code owner March 30, 2026 11:41
Copilot AI review requested due to automatic review settings March 30, 2026 11:41
Contributor

Copilot AI left a comment


Pull request overview

Enables pnpm security updates for vulnerable transitive dependencies by generating a manifest change (pnpm.overrides) when no existing resolution/override entry can be updated, preventing ToolFeatureNotSupported errors for indirect-only updates.

Changes:

  • Add PnpmOverrideHelper to inject pnpm.overrides.<dep> = <target_version> for pnpm transitive updates when no override exists yet.
  • Thread detected_package_manager into PackageJsonUpdater so pnpm-specific behavior can be enabled when appropriate.
  • Extend specs to cover the new pnpm transitive override behavior (both updater-level and package.json updater unit spec).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Summary per file:

  • npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater_spec.rb: Adds an integration-style spec asserting a pnpm override is added (and no unsupported-feature error is raised) for a sub-dependency with no existing override.
  • npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/package_json_updater_spec.rb: Adds unit coverage for adding pnpm.overrides when updating a pnpm sub-dependency with no prior override.
  • npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/package_json_updater/pnpm_override_helper.rb: Introduces a helper that adds a root pnpm.overrides entry for pnpm projects.
  • npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/package_json_updater.rb: Refactors the update flow and invokes PnpmOverrideHelper as a fallback for sub-dependency updates.
  • npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb: Ensures appropriate package.json files are considered for pnpm transitive updates and passes the detected package manager into PackageJsonUpdater.

@MattIPv4

🤔 I'm concerned that this is relying on setting a fixed override that a human maintainer will then need to later remove, as I assume Dependabot won't be able to later clean up or update those overrides. Why can't this rely on pnpm update <dep> to properly update the lockfile?

@MattIPv4

(And as an aside, if this is the direction chosen to go in [which I don't think it should be per the above maintenance burden concern], this probably needs to handle overrides being defined in pnpm-workspace.yaml as well)

@thavaahariharangit
Contributor Author

Related work: #14589

@thavaahariharangit
Contributor Author

thavaahariharangit commented Apr 1, 2026

🤔 I'm concerned that this is relying on setting a fixed override that a human maintainer will then need to later remove, as I assume Dependabot won't be able to later clean up or update those overrides. Why can't this rely on pnpm update <dep> to properly update the lockfile?

@MattIPv4

@robaiken has implemented your suggestion in this PR.

Please feel free to review and let us know your thoughts.

With this note, I am closing this PR.
