fixing pnpm catalogs being removed from lockfile during update (#11471)

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -107,20 +107,20 @@ def should_update_pnpm_workspace?
       sig { returns(T::Array[Dependabot::DependencyFile]) }
       def update_pnpm_workspace_and_locks
         workspace_updates = updated_pnpm_workspace_files
-        lock_updates = update_pnpm_locks(is_catalog: true)
+        lock_updates = update_pnpm_locks
 
         workspace_updates + lock_updates
       end
 
-      sig { params(is_catalog: T::Boolean).returns(T::Array[Dependabot::DependencyFile]) }
-      def update_pnpm_locks(is_catalog: false)
+      sig { returns(T::Array[Dependabot::DependencyFile]) }
+      def update_pnpm_locks
         updated_files = []
         pnpm_locks.each do |pnpm_lock|
-          next unless pnpm_lock_changed?(pnpm_lock, is_catalog: is_catalog)
+          next unless pnpm_lock_changed?(pnpm_lock)
 
           updated_files << updated_file(
             file: pnpm_lock,
-            content: updated_pnpm_lock_content(pnpm_lock, is_catalog: is_catalog)
+            content: updated_pnpm_lock_content(pnpm_lock)
           )
         end
         updated_files
@@ -282,9 +282,9 @@ def yarn_lock_changed?(yarn_lock)
         yarn_lock.content != updated_yarn_lock_content(yarn_lock)
       end
 
-      sig { params(pnpm_lock: Dependabot::DependencyFile, is_catalog: T::Boolean).returns(T::Boolean) }
-      def pnpm_lock_changed?(pnpm_lock, is_catalog: false)
-        pnpm_lock.content != updated_pnpm_lock_content(pnpm_lock, is_catalog: is_catalog)
+      sig { params(pnpm_lock: Dependabot::DependencyFile).returns(T::Boolean) }
+      def pnpm_lock_changed?(pnpm_lock)
+        pnpm_lock.content != updated_pnpm_lock_content(pnpm_lock)
       end
 
       sig { params(bun_lock: Dependabot::DependencyFile).returns(T::Boolean) }
@@ -373,16 +373,14 @@ def updated_yarn_lock_content(yarn_lock)
           yarn_lockfile_updater.updated_yarn_lock_content(yarn_lock)
       end
 
-      sig do
-        params(
-          pnpm_lock: Dependabot::DependencyFile,
-          is_catalog: T::Boolean
-        ).returns(String)
-      end
-      def updated_pnpm_lock_content(pnpm_lock, is_catalog: false)
+      sig { params(pnpm_lock: Dependabot::DependencyFile).returns(String) }
+      def updated_pnpm_lock_content(pnpm_lock)
         @updated_pnpm_lock_content ||= T.let({}, T.nilable(T::Hash[String, T.nilable(String)]))
         @updated_pnpm_lock_content[pnpm_lock.name] ||=
-          pnpm_lockfile_updater.updated_pnpm_lock_content(pnpm_lock, is_catalog)
+          pnpm_lockfile_updater.updated_pnpm_lock_content(
+            pnpm_lock,
+            updated_pnpm_workspace_content: @updated_pnpm_workspace_content
+          )
       end
 
       sig { params(bun_lock: Dependabot::DependencyFile).returns(String) }

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb

@@ -24,11 +24,14 @@ def initialize(dependencies:, dependency_files:, repo_contents_path:, credential
           )
         end
 
-        def updated_pnpm_lock_content(pnpm_lock, is_catalog)
+        def updated_pnpm_lock_content(pnpm_lock, updated_pnpm_workspace_content: nil)
           @updated_pnpm_lock_content ||= {}
           return @updated_pnpm_lock_content[pnpm_lock.name] if @updated_pnpm_lock_content[pnpm_lock.name]
 
-          new_content = run_pnpm_update(pnpm_lock: pnpm_lock, is_catalog: is_catalog)
+          new_content = run_pnpm_update(
+            pnpm_lock: pnpm_lock,
+            updated_pnpm_workspace_content: updated_pnpm_workspace_content
+          )
           @updated_pnpm_lock_content[pnpm_lock.name] = new_content
         rescue SharedHelpers::HelperSubprocessFailed => e
           handle_pnpm_lock_updater_error(e, pnpm_lock)
@@ -100,12 +103,14 @@ def updated_pnpm_lock_content(pnpm_lock, is_catalog)
         # Peer dependencies configuration error
         ERR_PNPM_PEER_DEP_ISSUES = /ERR_PNPM_PEER_DEP_ISSUES/
 
-        def run_pnpm_update(pnpm_lock:, is_catalog:)
+        def run_pnpm_update(pnpm_lock:, updated_pnpm_workspace_content: nil)
           SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do
             File.write(".npmrc", npmrc_content(pnpm_lock))
 
             SharedHelpers.with_git_configured(credentials: credentials) do
-              unless is_catalog
+              if updated_pnpm_workspace_content
+                File.write("pnpm-workspace.yaml", updated_pnpm_workspace_content["pnpm-workspace.yaml"])
+              else
                 run_pnpm_update_packages
                 write_final_package_json_files
               end

npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater_spec.rb

@@ -5,9 +5,11 @@
 require "dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater"
 
 RSpec.describe Dependabot::NpmAndYarn::FileUpdater::PnpmLockfileUpdater do
-  subject(:updated_pnpm_lock_content) { updater.updated_pnpm_lock_content(pnpm_lock, is_catalog) }
+  subject(:updated_pnpm_lock_content) do
+    updater.updated_pnpm_lock_content(pnpm_lock, updated_pnpm_workspace_content: workspace_files)
+  end
 
-  let(:is_catalog) { false }
+  let(:workspace_files) { nil }
   let(:updater) do
     described_class.new(
       dependency_files: files,
@@ -716,7 +718,11 @@
       end
 
       context "when pnpm updates followed by install for non catalog dependencies" do
-        let(:is_catalog) { true }
+        let(:workspace_files) do
+          {
+            "pnpm-workspace.yaml" => "catalogs:\n    prettier:\n    version: 3.3.3\n"
+          }
+        end
 
         it "uses pnpm update followed by install" do
           expect(Dependabot::NpmAndYarn::Helpers).not_to receive(:run_pnpm_command)
@@ -733,8 +739,6 @@
       end
 
       context "when updating a regular package dependency" do
-        let(:is_catalog) { false }
-
         it "uses pnpm update followed by install" do
           expect(Dependabot::NpmAndYarn::Helpers).to receive(:run_pnpm_command)
             .with(

npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater_spec.rb

@@ -4144,23 +4144,25 @@
 
       describe "pnpm catalog protocol" do
         context "when individual dependency needs updating" do
-          let(:project_name) { "pnpm/catalog_prettier" }
+          let(:project_name) { "pnpm/catalog_monorepo" }
           let(:dependency_name) { "prettier" }
           let(:dependencies) do
             [
               create_dependency(
                 file: "pnpm-workspace.yaml",
                 name: "prettier",
                 version: "3.3.3",
-                required_version: "^3.3.3",
-                previous_required_version: "^3.3.0"
+                required_version: "^3.4.2",
+                previous_required_version: "^3.3.3"
               )
             ]
           end
 
           it "updates the workspace" do
-            expect(updated_files.map(&:name)).to eq(%w(pnpm-workspace.yaml))
-            expect(updated_pnpm_workspace.content).to include("prettier: ^3.3.3")
+            expect(updated_files.map(&:name)).to eq(%w(pnpm-workspace.yaml pnpm-lock.yaml))
+            expect(updated_pnpm_workspace.content).to include("prettier: ^3.4.2")
+            expect(updated_pnpm_lock.content).to include("specifier: ^3.4.2")
+            expect(updated_pnpm_lock.content).to include("prettier:\n      specifier: ^3.4.2\n      version: 3.4.2")
           end
         end
 

npm_and_yarn/spec/fixtures/projects/pnpm/catalog_monorepo/apps/auth-proxy/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@acme/auth-proxy",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "build": "nitro build",
+    "clean": "git clean -xdf .cache .nitro .output .turbo .vercel node_modules",
+    "lint": "eslint",
+    "format": "prettier --check . --ignore-path ../../.gitignore",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@auth/core": "0.37.2"
+  },
+  "devDependencies": {
+    "@types/node": "^20.17.7",
+    "eslint": "catalog:",
+    "h3": "^1.13.0",
+    "nitropack": "^2.10.4",
+    "prettier": "catalog:",
+    "typescript": "catalog:"
+  },
+  "prettier": "@acme/prettier-config"
+}

npm_and_yarn/spec/fixtures/projects/pnpm/catalog_monorepo/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "create-t3-turbo",
+  "private": true,
+  "engines": {
+    "node": ">=20.18.1",
+    "pnpm": "^9.14.2"
+  },
+  "packageManager": "[email protected]",
+  "scripts": {
+    "build": "turbo run build",
+    "clean": "git clean -xdf node_modules",
+    "clean:workspaces": "turbo run clean",
+    "db:push": "turbo -F @acme/db push",
+    "db:studio": "turbo -F @acme/db studio",
+    "dev": "turbo watch dev --continue",
+    "dev:next": "turbo watch dev -F @acme/nextjs...",
+    "format": "turbo run format --continue -- --cache --cache-location .cache/.prettiercache",
+    "format:fix": "turbo run format --continue -- --write --cache --cache-location .cache/.prettiercache",
+    "lint": "turbo run lint --continue -- --cache --cache-location .cache/.eslintcache",
+    "lint:fix": "turbo run lint --continue -- --fix --cache --cache-location .cache/.eslintcache",
+    "lint:ws": "pnpm dlx sherif@latest",
+    "postinstall": "pnpm lint:ws",
+    "typecheck": "turbo run typecheck",
+    "ui-add": "turbo run ui-add"
+  },
+  "devDependencies": {
+    "@turbo/gen": "^2.3.3",
+    "prettier": "catalog:",
+    "turbo": "^2.3.3",
+    "typescript": "catalog:"
+  },
+  "prettier": "@acme/prettier-config"
+}