Add no-change diagnostics for npm/yarn/pnpm lockfile updates

[robaiken]

What are you trying to accomplish?

Make NoChangeError debuggable for npm/yarn/pnpm. Today it surfaces as unknown_error with no detail on which native command ran, whether the fallback was tried, or what the package manager printed.

This PR adds:

• A new CommandTrace that wraps every native npm/yarn/pnpm invocation and records timing, success, and truncated stdout/stderr.
• Per-command traces on NoChangeError#error_context, plus reason, commands_succeeded, fallback_attempted, fallback_succeeded.
• A new updater.no_change metric (tagged by package manager + the four fields above) and a structured no_change_error error-type sent to the backend.
• A one-line summary per command in the job log (truncated stdout/stderr at debug level).

Anything you want to highlight for special attention from reviewers?

• The NoChangeError → no_change_error mapping lives in ErrorHandler#no_change_error_details, not in common/, so common/ stays ecosystem-agnostic. It matches by class-name suffix, which also picks up the existing Dependabot::Bun::FileUpdater::NoChangeError.
• Stdout/stderr are capped at 4 KiB and error messages at 2 KiB to bound the payload.
• Metric tags are all low-cardinality strings (no dep names, versions, or repo info).
• NoChangeError's raise behavior and sentry_context are unchanged.

How will you know you've accomplished your goal?

• New + existing specs pass (command_trace_spec, error_handler_spec, npm/yarn lockfile no-op specs), srb tc and rubocop clean.
• Post-deploy: updater.no_change metric appears in dashboards broken down by reason/fallback, and no-change jobs get a No-change diagnostics: block in their logs.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[Copilot]

Pull request overview

Adds structured diagnostics for npm/yarn/pnpm “no change” lockfile update failures so they’re observable (backend error details + metric + logs) instead of surfacing as an unhelpful unknown_error.

Changes:

• Introduces Dependabot::SharedHelpers::CommandTrace and wraps native helper invocations to record timing/success and truncated output.
• Enhances npm_and_yarn NoChangeError#error_context with command traces and fallback metadata.
• Updates the updater ErrorHandler to map NoChangeError to no_change_error, emit a new updater.no_change metric, and log a diagnostics block.

Show a summary per file

File	Description
updater/spec/dependabot/updater/error_handler_spec.rb	Adds coverage for NoChangeError → no_change_error mapping, metric emission, and logging.
updater/lib/dependabot/updater/error_handler.rb	Maps ecosystem NoChangeError to structured payload, emits updater.no_change, logs trace summaries.
npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater_spec.rb	Asserts yarn updater collects traces across primary + fallback flows.
npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater_spec.rb	Asserts npm updater collects traces and records content_changed_after for fallback.
npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb	Wraps yarn commands with CommandTrace.record and annotates content_changed_after.
npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb	Wraps pnpm commands/fallbacks with CommandTrace.record and annotates content_changed_after.
npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npm_lockfile_updater.rb	Wraps npm install/update/audit commands with CommandTrace.record and annotates content_changed_after.
npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb	Adds CommandTrace alias and enriches NoChangeError context with traces + fallback state.
common/spec/dependabot/shared_helpers/command_trace_spec.rb	Adds unit tests for trace recording, truncation, and summaries.
common/lib/dependabot/shared_helpers/command_trace.rb	New shared helper class implementing trace capture/truncation and serialization.

Copilot's findings

Comments suppressed due to low confidence (1)

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb:8

• PnpmLockfileUpdater reopens Dependabot::NpmAndYarn::FileUpdater but doesn’t require "dependabot/npm_and_yarn/file_updater" first (unlike the npm/yarn lockfile updaters). This can create load-order issues and can lead to superclass-mismatch/partial-class problems if this file is required directly. Align with the established helper pattern by requiring the main file first (and rely on it to provide the CommandTrace alias).

# typed: strict
# frozen_string_literal: true

require "dependabot/shared_helpers/command_trace"
require "dependabot/npm_and_yarn/helpers"
require "dependabot/npm_and_yarn/package/registry_finder"
require "dependabot/npm_and_yarn/registry_parser"
require "dependabot/shared_helpers"

• Files reviewed: 10/10 changed files
• Comments generated: 5

[markhallen]

This is really cool. Nice work