Merge branch 'main' into add-bun-file-fetcher

common/lib/dependabot/errors.rb

@@ -149,11 +149,6 @@ def self.parser_error_details(error)
         "error-type": "git_dependencies_not_reachable",
         "error-detail": { "dependency-urls": error.dependency_urls }
       }
-    when Dependabot::UnresolvableVersionError
-      {
-        "error-type": "unresolvable_version",
-        "error-detail": { dependencies: error.dependencies }
-      }
     when Dependabot::NotImplemented
       {
         "error-type": "not_implemented",
@@ -671,23 +666,6 @@ def initialize(dependencies)
     end
   end
 
-  class UnresolvableVersionError < DependabotError
-    extend T::Sig
-
-    sig { returns(T::Array[String]) }
-    attr_reader :dependencies
-
-    sig { params(dependencies: T::Array[String]).void }
-    def initialize(dependencies)
-      @dependencies = dependencies
-
-      msg = "Unable to determine semantic version from tags or commits for dependencies. " \
-            "Dependencies must have a tag or commit that references a semantic version. " \
-            "Affected dependencies: #{@dependencies.join(', ')}"
-      super(msg)
-    end
-  end
-
   class GitDependenciesNotReachable < DependabotError
     extend T::Sig
 

github_actions/lib/dependabot/github_actions/file_parser.rb

@@ -30,12 +30,6 @@ def parse
           dependency_set += workfile_file_dependencies(file)
         end
 
-        dependencies_without_version = dependency_set.dependencies.select { |dep| dep.version.nil? }
-        unless dependencies_without_version.empty?
-          raise UnresolvableVersionError,
-                dependencies_without_version.map(&:name)
-        end
-
         dependency_set.dependencies
       end
 

github_actions/spec/dependabot/github_actions/file_parser_spec.rb

@@ -560,27 +560,6 @@ def mock_service_pack_request(nwo)
         end
       end
     end
-
-    context "with an unresolvable version" do
-      let(:workflow_file_fixture_name) { "unresolved_version.yml" }
-      let(:service_pack_url) do
-        "https://github.com/taiki-e/install-action.git/info/refs" \
-          "?service=git-upload-pack"
-      end
-
-      before do
-        mock_service_pack_request("taiki-e/install-action")
-      end
-
-      it "raises an UnresolvableVersionError error" do
-        expect { parser.parse }.to raise_error(
-          Dependabot::UnresolvableVersionError,
-          "Unable to determine semantic version from tags or commits for dependencies. " \
-          "Dependencies must have a tag or commit that references a semantic version. " \
-          "Affected dependencies: taiki-e/install-action"
-        )
-      end
-    end
   end
 
   describe "#ecosystem" do

npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser/pnpm_lock.rb

@@ -26,6 +26,10 @@ def parsed
         end
 
         def dependencies
+          if Dependabot::Experiments.enabled?(:enable_fix_for_pnpm_no_change_error)
+            return dependencies_with_prioritization
+          end
+
           dependency_set = Dependabot::FileParsers::Base::DependencySet.new
 
           parsed.each do |details|
@@ -52,6 +56,49 @@ def dependencies
           dependency_set
         end
 
+        def dependencies_with_prioritization
+          dependency_set = Dependabot::FileParsers::Base::DependencySet.new
+
+          # Separate dependencies into two categories: with specifiers and without specifiers.
+          dependencies_with_specifiers = [] # Main dependencies with specifiers.
+          dependencies_without_specifiers = [] # Subdependencies without specifiers.
+
+          parsed.each do |details|
+            next if details["aliased"]
+
+            name = details["name"]
+            version = details["version"]
+
+            dependency_args = {
+              name: name,
+              version: version,
+              package_manager: "npm_and_yarn",
+              requirements: []
+            }
+
+            # Add metadata for subdependencies if marked as a dev dependency.
+            dependency_args[:subdependency_metadata] = [{ production: !details["dev"] }] if details["dev"]
+
+            specifiers = details["specifiers"]
+            if specifiers&.any?
+              dependencies_with_specifiers << dependency_args
+            else
+              dependencies_without_specifiers << dependency_args
+            end
+          end
+
+          # Add prioritized dependencies to the dependency set.
+          dependencies_with_specifiers.each do |dependency_args|
+            dependency_set << Dependency.new(**dependency_args)
+          end
+
+          dependencies_without_specifiers.each do |dependency_args|
+            dependency_set << Dependency.new(**dependency_args)
+          end
+
+          dependency_set
+        end
+
         def details(dependency_name, requirement, _manifest_name)
           details_candidates = parsed.select { |info| info["name"] == dependency_name }
 

npm_and_yarn/spec/dependabot/npm_and_yarn/file_parser_spec.rb

@@ -46,6 +46,8 @@
       .with(:enable_shared_helpers_command_timeout).and_return(true)
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:npm_v6_deprecation_warning).and_return(true)
+    allow(Dependabot::Experiments).to receive(:enabled?)
+      .with(:enable_fix_for_pnpm_no_change_error).and_return(true)
   end
 
   after do

npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater_spec.rb

@@ -72,6 +72,8 @@
       .with(:enable_corepack_for_npm_and_yarn).and_return(enable_corepack_for_npm_and_yarn)
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:enable_shared_helpers_command_timeout).and_return(true)
+    allow(Dependabot::Experiments).to receive(:enabled?)
+      .with(:enable_fix_for_pnpm_no_change_error).and_return(true)
   end
 
   after do

npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater_spec.rb

@@ -72,6 +72,8 @@
       .with(:enable_shared_helpers_command_timeout).and_return(true)
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:npm_v6_deprecation_warning).and_return(true)
+    allow(Dependabot::Experiments).to receive(:enabled?)
+      .with(:enable_fix_for_pnpm_no_change_error).and_return(true)
   end
 
   after do

npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/subdependency_version_resolver_spec.rb

@@ -45,6 +45,8 @@
       .with(:enable_shared_helpers_command_timeout).and_return(true)
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:npm_v6_deprecation_warning).and_return(true)
+    allow(Dependabot::Experiments).to receive(:enabled?)
+      .with(:enable_fix_for_pnpm_no_change_error).and_return(true)
   end
 
   after do

npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/version_resolver_spec.rb

@@ -87,6 +87,8 @@
       .with(:enable_shared_helpers_command_timeout).and_return(true)
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:npm_v6_deprecation_warning).and_return(true)
+    allow(Dependabot::Experiments).to receive(:enabled?)
+      .with(:enable_fix_for_pnpm_no_change_error).and_return(true)
   end
 
   after do