Skip to content

fix(npm_and_yarn): split compound engine constraints before Requirement parsing#15115

Closed
thavaahariharangit wants to merge 6 commits into
mainfrom
harry/npm-node-engine-compound-engine-constraints-parser
Closed

fix(npm_and_yarn): split compound engine constraints before Requirement parsing#15115
thavaahariharangit wants to merge 6 commits into
mainfrom
harry/npm-node-engine-compound-engine-constraints-parser

Conversation

@thavaahariharangit
Copy link
Copy Markdown
Contributor

@thavaahariharangit thavaahariharangit commented May 22, 2026
edited
Loading

What are you trying to accomplish?

This change makes Dependabot more robust when interpreting Node engine constraints so updates do not fail on valid npm-style range expressions.

Why:
Some projects specify Node support with compound and alternative ranges (for example, a bounded major range plus a newer-major fallback). Those constraints are valid in the ecosystem, but the updater could pass a combined range fragment into requirement parsing in a shape that triggered an Illformed requirement error. That caused update jobs to fail even though the manifest constraints were legitimate.

What changed at a high level:
The updater now normalizes parsed engine constraints into parser-safe comparator tokens before building the requirement object. In other words, compound ranges are preserved semantically, but represented in the granular form expected by the requirement parser.

Approach:
The fix is intentionally narrow and low-risk:

  • Normalize constraint tokens at the handoff point between constraint extraction and requirement construction.
  • Preserve existing behavior for already-valid single-token constraints.
  • Add regression coverage for the Node engine pattern that previously failed, to prevent reintroduction.

Result:
Valid Node engine expressions that include compound ranges and alternatives are now handled correctly, eliminating this failure mode and improving updater reliability for real-world package manifests.

Anything you want to highlight for special attention from reviewers?

Error reproduced in this workflow: https://github.com/thavaahariharangit/dependabot-caret-engines-repro-FR-13667/actions/runs/26219192273/job/77149420577

How will you know you've accomplished your goal?

Before this update:

updater | 2026/05/21 10:01:42 INFO <job_1377883513> Command executed successfully: node -v
updater | 2026/05/21 10:01:42 INFO <job_1377883513> Processing engine constraints for node
updater | 2026/05/21 10:01:42 INFO <job_1377883513> Parsed constraints for node: >=22.0.0 <23.0.0, >=24
updater | 2026/05/21 10:01:42 ERROR <job_1377883513> Error processing constraints for node: Illformed requirement [">=22.0.0 <23.0.0"]

After this update:

updater | 2026/05/22 13:21:06 INFO Command executed successfully: node -v
updater | 2026/05/22 13:21:06 INFO Processing engine constraints for node
updater | 2026/05/22 13:21:06 INFO Parsed constraints for node: >=22.0.0, <23.0.0, >=24
  proxy | 2026/05/22 13:21:06 [010] POST http://host.docker.internal:33751/update_jobs/cli/update_dependency_list

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@thavaahariharangit thavaahariharangit requested a review from a team as a code owner May 22, 2026 13:29
Copilot AI review requested due to automatic review settings May 22, 2026 13:29
github-advanced-security[bot]
github-advanced-security AI found potential problems May 22, 2026
View reviewed changes
Comment thread npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb Fixed
Copilot AI reviewed May 22, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Improves npm_and_yarn engine constraint handling so valid npm-style Node engine ranges (including compound ranges produced by caret/tilde expansion and alternative ranges) don’t crash requirement parsing.

Changes:

  • Normalize extracted engine constraints by splitting compound comparator strings into individual comparator tokens before building a Dependabot::NpmAndYarn::Requirement.
  • Update logging to reflect the normalized constraint list passed to Requirement.new.
  • Add a regression spec for a Node engines expression like ^22.0.0 || >=24 that previously triggered an “Illformed requirement” error.
Show a summary per file
File Description
npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb Splits compound engine constraint strings into parser-safe tokens before constructing Requirement.
npm_and_yarn/spec/dependabot/npm_and_yarn/package_manager_helper_spec.rb Adds regression coverage for compound + alternative Node engine constraints.

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 1

Comment thread npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb Outdated
@robaiken
Copy link
Copy Markdown
Contributor

robaiken commented May 22, 2026

@thavaahariharangit is >=22.0.0 <23.0.0, >=24 an illformed requirement

@thavaahariharangit
Copy link
Copy Markdown
Contributor Author

thavaahariharangit commented May 22, 2026
edited
Loading

@thavaahariharangit is >=22.0.0 <23.0.0, >=24 an illformed requirement

@robaiken

This is the package.json

{
  "name": "dependabot-caret-engines-repro",
  "version": "0.0.1",
  "private": true,
  "engines": {
    "node": "^22  || >=24"
  },
  "dependencies": {
    "lodash": "^4.17.21"
  }
}

Ref: https://github.com/thavaahariharangit/dependabot-caret-engines-repro-FR-13667/blob/main/package.json

"^22 || >=24" should be valid

But dependabot is saying Illformed requirement

@robaiken
Copy link
Copy Markdown
Contributor

robaiken commented May 22, 2026

Valid Node engine expressions that include compound ranges and alternatives are now handled correctly, eliminating this failure mode and improving updater reliability for real-world package manifests.

@thavaahariharangit I can see this fixes the issue, but I'm not sure what the side effects of this PR are. I'm guessing we're using these versions for corepack, so what version are we actually pulling in?

@markhallen markhallen self-requested a review May 22, 2026 15:29
@thavaahariharangit
Copy link
Copy Markdown
Contributor Author

thavaahariharangit commented May 26, 2026

covered here: #15144

@robaiken robaiken mentioned this pull request May 26, 2026
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@markhallen markhallen Awaiting requested review from markhallen

+1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

L: javascript

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@thavaahariharangit @robaiken @markhallen @github-advanced-security