fix(npm_and_yarn): handle engines OR constraints and split caret-expanded bounds

[thavaahariharangit]

What are you trying to accomplish?

fix(npm_and_yarn): handle engines OR constraints and split caret-expanded bounds

• parse engines constraints by OR groups instead of flattening into one AND list
• split compound comparator strings (for example ">=22.0.0 <23.0.0") into separate requirements before Requirement.new
• select the OR branch that matches current runtime version when available, with fallback to first branch
• add regression tests for "^22 || >=24", including fallback behavior when node version is unavailable

Anything you want to highlight for special attention from reviewers?

How will you know you've accomplished your goal?

Testing against the workflow: https://github.com/thavaahariharangit/dependabot-caret-engines-repro-FR-13667/actions/runs/26219192273/job/77149420577

before:

updater | 2026/05/21 10:01:42 INFO <job_1377883513> Command executed successfully: node -v
updater | 2026/05/21 10:01:42 INFO <job_1377883513> Processing engine constraints for node
updater | 2026/05/21 10:01:42 INFO <job_1377883513> Parsed constraints for node: >=22.0.0 <23.0.0, >=24
updater | 2026/05/21 10:01:42 ERROR <job_1377883513> Error processing constraints for node: Illformed requirement [">=22.0.0 <23.0.0"]
  proxy | 2026/05/21 10:01:42 [012] POST /update_jobs/1377883513/update_dependency_list
  proxy | 2026/05/21 10:01:42 [012] 204 /update_jobs/1377883513/update_dependency_list
  proxy | 2026/05/21 10:01:42 [014] POST /update_jobs/1377883513/increment_metric
  proxy | 2026/05/21 10:01:42 [014] 204 /update_jobs/1377883513/increment_metric
updater | 2026/05/21 10:01:42 INFO <job_1377883513> Starting update job for thavaahariharangit/dependabot-caret-engines-repro-FR-13667
2026/05/21 10:01:42 INFO <job_1377883513> Checking all dependencies for version updates...
updater | 2026/05/21 10:01:42 INFO <job_1377883513> Checking if lodash 4.17.21 needs updating

After:

updater | 2026/05/26 11:47:40 INFO Command executed successfully: node -v
updater | 2026/05/26 11:47:40 INFO Processing engine constraints for node
updater | 2026/05/26 11:47:40 INFO Parsed constraints for node: >=22.0.0 <23.0.0 || >=24
updater | 2026/05/26 11:47:40 INFO Running node command: node -v
updater | 2026/05/26 11:47:40 INFO Started process PID: 4784 with command: {} node -v {}
updater | 2026/05/26 11:47:40 INFO Process PID: 4784 completed with status: pid 4784 exit 0
updater | 2026/05/26 11:47:40 INFO Total execution time: 0.01 seconds
updater | 2026/05/26 11:47:40 INFO Command executed successfully: node -v
  proxy | 2026/05/26 11:47:40 [010] POST http://host.docker.internal:41121/update_jobs/cli/update_dependency_list
{"data":{"dependencies":[{"name":"lodash","requirements":[{"file":"package.json","groups":["dependencies"],"requirement":"^4.17.21","source":{"type":"registry","url":"https://registry.npmjs.org"}}],"version":"4.17.21"}],"dependency_files":["/package.json","/package-lock.json"]},"type":"update_dependency_list"}
  proxy | 2026/05/26 11:47:40 [010] 200 http://host.docker.internal:41121/update_jobs/cli/update_dependency_list
  proxy | 2026/05/26 11:47:40 [011] POST http://host.docker.internal:41121/update_jobs/cli/increment_metric
{"data":{"metric":"updater.started","tags":{"operation":"group_update_all_versions"}},"type":"increment_metric"}
  proxy | 2026/05/26 11:47:40 [011] 200 http://host.docker.internal:41121/update_jobs/cli/increment_metric
updater | 2026/05/26 11:47:40 INFO Starting update job for thavaahariharangit/dependabot-caret-engines-repro-FR-13667
updater | 2026/05/26 11:47:40 INFO Checking all dependencies for version updates...
updater | 2026/05/26 11:47:40 INFO Checking if lodash 4.17.21 needs updating

confirmation of things working as expected: updater | 2026/05/26 11:47:40 INFO Command executed successfully: node -v

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Copilot's findings

• Files reviewed: 2/2 changed files
• Comments generated: 2

[Copilot]

Copilot's findings

• Files reviewed: 2/2 changed files
• Comments generated: 1

[robaiken]

@thavaahariharangit I can see this fixes the issue, but I'm not sure what the side effects of this PR are. I'm guessing we're using these versions for corepack, so what version are we actually pulling in? #15115 (comment)

[thavaahariharangit]

@thavaahariharangit I can see this fixes the issue, but I'm not sure what the side effects of this PR are. I'm guessing we're using these versions for corepack, so what version are we actually pulling in? #15115 (comment)

@robaiken
These are the versions

This is where it's picks up the versions

2026/05/26 14:43:22 INFO Resolving package manager for: npm
2026/05/26 14:43:22 INFO Guessed version info "npm" : "11"
2026/05/26 14:43:22 INFO Fetching version for package manager: npm
2026/05/26 14:43:22 INFO Started process PID: 5017 with command: {} corepack npm -v {}
2026/05/26 14:43:23 INFO Process PID: 5017 completed with status: pid 5017 exit 0
2026/05/26 14:43:23 INFO Total execution time: 0.23 seconds
2026/05/26 14:43:23 INFO Installed version of npm: 11.8.0
2026/05/26 14:43:23 INFO Installed version for npm: 11.8.0
2026/05/26 14:43:23 INFO Processing engine constraints for npm
2026/05/26 14:43:23 INFO No version requirement found for npm
2026/05/26 14:43:23 INFO Running node command: node -v
2026/05/26 14:43:23 INFO Started process PID: 5029 with command: {} node -v {}
2026/05/26 14:43:23 INFO Process PID: 5029 completed with status: pid 5029 exit 0
2026/05/26 14:43:23 INFO Total execution time: 0.01 seconds
2026/05/26 14:43:23 INFO Command executed successfully: node -v
2026/05/26 14:43:23 INFO Processing engine constraints for node
2026/05/26 14:43:23 INFO Parsed constraints for node: >=22.0.0 <23.0.0 || >=24
2026/05/26 14:43:23 INFO Running node command: node -v
2026/05/26 14:43:23 INFO Started process PID: 5031 with command: {} node -v {}
2026/05/26 14:43:23 INFO Process PID: 5031 completed with status: pid 5031 exit 0
2026/05/26 14:43:23 INFO Total execution time: 0.01 seconds
2026/05/26 14:43:23 INFO Command executed successfully: node -v

Does this answer your question?

[robaiken]

@thavaahariharangit Looks like we are pulling in the highest version, which is good. Can we log it to the user?

2026/05/26 14:43:23 INFO Parsed constraints for node: >=22.0.0 <23.0.0 || >=24
2026/05/26 14:43:23 INFO Running node command: node -v
2026/05/26 14:43:23 INFO Started process PID: 5031 with command: {} node -v {}

We are running node -v, we should display what version we are using to run to the end user. This might help users debug issues later. Also, have you checked what happens if the lower version is on the right side? Are we always going to pull the highest version?

[thavaahariharangit]

@thavaahariharangit Looks like we are pulling in the highest version, which is good. Can we log it to the user?

2026/05/26 14:43:23 INFO Parsed constraints for node: >=22.0.0 <23.0.0 || >=24
2026/05/26 14:43:23 INFO Running node command: node -v
2026/05/26 14:43:23 INFO Started process PID: 5031 with command: {} node -v {}

We are running node -v, we should display what version we are using to run to the end user. This might help users debug issues later. Also, have you checked what happens if the lower version is on the right side? Are we always going to pull the highest version?

@robaiken

Now both versions are being displayed in the logs:

updater | 2026/05/26 15:27:37 INFO Detected package manager: npm
updater | 2026/05/26 15:27:37 INFO Resolving package manager for: npm
updater | 2026/05/26 15:27:37 INFO Guessed version info "npm" : "11"
updater | 2026/05/26 15:27:37 INFO Fetching version for package manager: npm
updater | 2026/05/26 15:27:37 INFO Started process PID: 4771 with command: {} corepack npm -v {}
updater | 2026/05/26 15:27:38 INFO Process PID: 4771 completed with status: pid 4771 exit 0
updater | 2026/05/26 15:27:38 INFO Total execution time: 0.28 seconds
updater | 2026/05/26 15:27:38 INFO Installed version of npm: 11.8.0
updater | 2026/05/26 15:27:38 INFO Installed version for npm: 11.8.0
updater | 2026/05/26 15:27:38 INFO Processing engine constraints for npm
updater | 2026/05/26 15:27:38 INFO No version requirement found for npm
updater | 2026/05/26 15:27:38 INFO Running node command: node -v
updater | 2026/05/26 15:27:38 INFO Started process PID: 4783 with command: {} node -v {}
updater | 2026/05/26 15:27:38 INFO Process PID: 4783 completed with status: pid 4783 exit 0
updater | 2026/05/26 15:27:38 INFO Total execution time: 0.02 seconds
updater | 2026/05/26 15:27:38 INFO Command executed successfully: node -v
updater | 2026/05/26 15:27:38 INFO Using node version: 24.15.0
updater | 2026/05/26 15:27:38 INFO Processing engine constraints for node
updater | 2026/05/26 15:27:38 INFO Parsed constraints for node: >=22.0.0 <23.0.0 || >=24
updater | 2026/05/26 15:27:38 INFO Running node command: node -v
updater | 2026/05/26 15:27:38 INFO Started process PID: 4785 with command: {} node -v {}
updater | 2026/05/26 15:27:38 INFO Process PID: 4785 completed with status: pid 4785 exit 0
updater | 2026/05/26 15:27:38 INFO Total execution time: 0.02 seconds
updater | 2026/05/26 15:27:38 INFO Command executed successfully: node -v
updater | 2026/05/26 15:27:38 INFO Using node version: 24.15.0

And I have added test for lower version on the right side: 1e52ee5