Merge branch 'main' into dev/rybrande/NugetJsonParse

npm_and_yarn/lib/dependabot/npm_and_yarn/helpers.rb

@@ -9,7 +9,7 @@ module Helpers
 
       def self.npm_version_numeric(lockfile)
         lockfile_content = lockfile.content
-        return 8 if JSON.parse(lockfile_content)["lockfileVersion"] >= 2
+        return 8 if JSON.parse(lockfile_content)["lockfileVersion"].to_i >= 2
 
         6
       rescue JSON::ParserError

npm_and_yarn/spec/dependabot/npm_and_yarn/file_fetcher_spec.rb

@@ -1901,6 +1901,30 @@
     end
   end
 
+  context "with lockfileVersion not in integer format" do
+    before do
+      allow(file_fetcher_instance).to receive(:commit).and_return("sha")
+
+      stub_request(:get, File.join(url, "package.json?ref=sha"))
+        .to_return(
+          status: 200,
+          body: fixture_to_response("projects/npm/lockfile_version_unparseable", "package.json"),
+          headers: json_header
+        )
+
+      stub_request(:get, File.join(url, "package-lock.json?ref=sha"))
+        .to_return(
+          status: 200,
+          body: fixture_to_response("projects/npm/lockfile_version_unparseable", "package-lock.json"),
+          headers: json_header
+        )
+    end
+
+    it "still fetches files" do
+      expect(file_fetcher_instance.files.count).to eq(2)
+    end
+  end
+
   context "with no .npmrc but package-lock.json contains a custom registry" do
     before do
       allow(file_fetcher_instance).to receive(:commit).and_return("sha")

npm_and_yarn/spec/fixtures/projects/npm/lockfile_version_unparseable/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "lockfile-version-unparseable",
+  "version": "1.0.0",
+  "main": "index.js",
+  "license": "UNLICENSED",
+  "owner": "foo",
+  "engines": {
+    "node": "^18.12.1"
+  },
+  "private": true
+}