Enable CorePack Installing Package Managers from Private Registries

npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -207,7 +207,9 @@ def package_manager_helper
         @package_manager_helper ||= T.let(
           PackageManagerHelper.new(
             parsed_package_json,
-            lockfiles: lockfiles
+            lockfiles,
+            registry_config_files,
+            credentials
           ), T.nilable(PackageManagerHelper)
         )
       end
@@ -221,6 +223,17 @@ def lockfiles
         }
       end
 
+      # Returns the .npmrc, and .yarnrc files for the repository.
+      # @return [Hash{Symbol => Dependabot::DependencyFile}]
+      sig { returns(T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]) }
+      def registry_config_files
+        {
+          npmrc: npmrc,
+          yarnrc: yarnrc,
+          yarnrc_yml: yarnrc_yml
+        }
+      end
+
       sig { returns(DependencyFile) }
       def package_json
         @package_json ||= T.let(fetch_file_from_host(MANIFEST_FILENAME), T.nilable(DependencyFile))

npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser.rb

@@ -98,7 +98,9 @@ def package_manager_helper
         @package_manager_helper ||= T.let(
           PackageManagerHelper.new(
             parsed_package_json,
-            lockfiles: lockfiles
+            lockfiles,
+            registry_config_files,
+            credentials
           ), T.nilable(PackageManagerHelper)
         )
       end
@@ -112,6 +114,15 @@ def lockfiles
         }
       end
 
+      sig { returns(T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]) }
+      def registry_config_files
+        {
+          npmrc: npmrc,
+          yarnrc: yarnrc,
+          yarnrc_yml: yarnrc_yml
+        }
+      end
+
       sig { returns(T.untyped) }
       def parsed_package_json
         JSON.parse(T.must(package_json.content))
@@ -156,6 +167,27 @@ def pnpm_lock
         end, T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def npmrc
+        @npmrc ||= T.let(dependency_files.find do |f|
+          f.name == NpmPackageManager::RC_FILENAME
+        end, T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def yarnrc
+        @yarnrc ||= T.let(dependency_files.find do |f|
+          f.name == YarnPackageManager::RC_FILENAME
+        end, T.nilable(Dependabot::DependencyFile))
+      end
+
+      sig { returns(T.nilable(DependencyFile)) }
+      def yarnrc_yml
+        @yarnrc_yml ||= T.let(dependency_files.find do |f|
+          f.name == YarnPackageManager::RC_YML_FILENAME
+        end, T.nilable(Dependabot::DependencyFile))
+      end
+
       sig { returns(Dependabot::FileParsers::Base::DependencySet) }
       def manifest_dependencies
         dependency_set = DependencySet.new

npm_and_yarn/lib/dependabot/npm_and_yarn/helpers.rb

@@ -388,17 +388,28 @@ def self.run_single_yarn_command(command, fingerprint: nil)
       end
 
       # Install the package manager for specified version by using corepack
-      sig { params(name: String, version: String).returns(String) }
-      def self.install(name, version)
+      sig do
+        params(
+          name: String,
+          version: String,
+          env: T.nilable(T::Hash[String, String])
+        )
+          .returns(String)
+      end
+      def self.install(name, version, env: {})
         Dependabot.logger.info("Installing \"#{name}@#{version}\"")
 
         begin
           # Try to install the specified version
-          output = package_manager_install(name, version)
+          output = package_manager_install(name, version, env: env)
 
           # Confirm success based on the output
           if output.match?(/Adding #{name}@.* to the cache/)
             Dependabot.logger.info("#{name}@#{version} successfully installed.")
+
+            Dependabot.logger.info("Activating currently installed version of #{name}: #{version}")
+            package_manager_activate(name, version)
+
           else
             Dependabot.logger.error("Corepack installation output unexpected: #{output}")
             fallback_to_local_version(name)
@@ -428,11 +439,19 @@ def self.fallback_to_local_version(name)
       end
 
       # Install the package manager for specified version by using corepack
-      sig { params(name: String, version: String).returns(String) }
-      def self.package_manager_install(name, version)
+      sig do
+        params(
+          name: String,
+          version: String,
+          env: T.nilable(T::Hash[String, String])
+        )
+          .returns(String)
+      end
+      def self.package_manager_install(name, version, env: {})
         Dependabot::SharedHelpers.run_shell_command(
           "corepack install #{name}@#{version} --global --cache-only",
-          fingerprint: "corepack install <name>@<version> --global --cache-only"
+          fingerprint: "corepack install <name>@<version> --global --cache-only",
+          env: env
         ).strip
       end
 

npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb

@@ -5,6 +5,7 @@
 require "dependabot/ecosystem"
 require "dependabot/npm_and_yarn/requirement"
 require "dependabot/npm_and_yarn/version_selector"
+require "dependabot/npm_and_yarn/registry_helper"
 
 module Dependabot
   module NpmAndYarn
@@ -311,17 +312,24 @@ class PackageManagerHelper
       sig do
         params(
           package_json: T.nilable(T::Hash[String, T.untyped]),
-          lockfiles: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)]
+          lockfiles: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
+          registry_config_files: T::Hash[Symbol, T.nilable(Dependabot::DependencyFile)],
+          credentials: T.nilable(T::Array[Dependabot::Credential])
         ).void
       end
-      def initialize(package_json, lockfiles:)
+      def initialize(package_json, lockfiles, registry_config_files, credentials)
         @package_json = package_json
         @lockfiles = lockfiles
+        @registry_helper = T.let(
+          RegistryHelper.new(registry_config_files, credentials),
+          Dependabot::NpmAndYarn::RegistryHelper
+        )
         @package_manager_detector = T.let(PackageManagerDetector.new(lockfiles, package_json), PackageManagerDetector)
         @manifest_package_manager = T.let(package_json&.fetch(MANIFEST_PACKAGE_MANAGER_KEY, nil), T.nilable(String))
         @engines = T.let(package_json&.fetch(MANIFEST_ENGINES_KEY, nil), T.nilable(T::Hash[String, T.untyped]))
 
         @installed_versions = T.let({}, T::Hash[String, String])
+        @registries = T.let({}, T::Hash[String, String])
 
         @language = T.let(nil, T.nilable(Ecosystem::VersionManager))
         @language_requirement = T.let(nil, T.nilable(Requirement))
@@ -379,8 +387,8 @@ def find_engine_constraints_as_requirement(name)
       end
 
       # rubocop:disable Metrics/CyclomaticComplexity
-      # rubocop:disable Metrics/PerceivedComplexity
       # rubocop:disable Metrics/AbcSize
+      # rubocop:disable Metrics/PerceivedComplexity
       sig { params(name: String).returns(T.nilable(T.any(Integer, String))) }
       def setup(name)
         # we prioritize version mentioned in "packageManager" instead of "engines"
@@ -438,6 +446,9 @@ def setup(name)
         end
         version
       end
+      # rubocop:enable Metrics/CyclomaticComplexity
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/PerceivedComplexity
 
       sig { params(name: T.nilable(String)).returns(Ecosystem::VersionManager) }
       def package_manager_by_name(name)
@@ -456,21 +467,15 @@ def package_manager_by_name(name)
           Dependabot.logger.info("No version requirement found for #{name}")
         end
 
-        package_manager_instance = package_manager_class.new(
+        package_manager_class.new(
           installed_version,
           requirement: package_manager_requirement
         )
-
-        Dependabot.logger.info("Package manager resolved for #{name}: #{package_manager_instance}")
-        package_manager_instance
       rescue StandardError => e
         Dependabot.logger.error("Error resolving package manager for #{name || 'default'}: #{e.message}")
         raise
       end
 
-      # rubocop:enable Metrics/CyclomaticComplexity
-      # rubocop:enable Metrics/PerceivedComplexity
-      # rubocop:enable Metrics/AbcSize
       # Retrieve the installed version of the package manager by executing
       # the "corepack <name> -v" command and using the output.
       # If the output does not match the expected version format (PACKAGE_MANAGER_VERSION_REGEX),
@@ -510,7 +515,12 @@ def raise_if_unsupported!(name, version)
       sig { params(name: String, version: T.nilable(String)).void }
       def install(name, version)
         if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
-          return Helpers.install(name, version.to_s)
+          env = {}
+          if Dependabot::Experiments.enabled?(:enable_private_registry_for_corepack)
+            env = @registry_helper.find_corepack_env_variables
+          end
+          # Use the Helpers.install method to install the package manager
+          return Helpers.install(name, version.to_s, env: env)
         end
 
         Dependabot.logger.info("Installing \"#{name}@#{version}\"")