Yarn Berry: run git lfs pull before running yarn

Dockerfile

@@ -16,6 +16,7 @@ RUN apt-get update \
     build-essential \
     dirmngr \
     git \
+    git-lfs \
     bzr \
     mercurial \
     gnupg2 \
@@ -316,6 +317,9 @@ RUN curl -sL $SHIM -o git-shim.tar.gz && mkdir -p ~/bin && tar -xvf git-shim.tar
 ENV PATH="$HOME/bin:$PATH"
 # Configure cargo to use git CLI so the above takes effect
 RUN mkdir -p ~/.cargo && printf "[net]\ngit-fetch-with-cli = true\n" >> ~/.cargo/config.toml
+# Disable automatic pulling of files stored with Git LFS
+# This avoids downloading large files not necessary for the dependabot scripts
+ENV GIT_LFS_SKIP_SMUDGE=1
 
 # Pin to an earlier version of Hex. This must be run as dependabot
 RUN mix hex.install 1.0.1

npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb

@@ -30,6 +30,24 @@ def self.required_files_message
         "Repo must contain a package.json."
       end
 
+      # Overridden to pull any yarn data or plugins which may be stored with Git LFS.
+      def clone_repo_contents
+        return @git_lfs_cloned_repo_contents_path if defined?(@git_lfs_cloned_repo_contents_path)
+
+        @git_lfs_cloned_repo_contents_path = super
+        begin
+          SharedHelpers.with_git_configured(credentials: credentials) do
+            Dir.chdir(@git_lfs_cloned_repo_contents_path) do
+              cache_dir = Helpers.fetch_yarnrc_yml_value("cacheFolder", "./yarn/cache")
+              SharedHelpers.run_shell_command("git lfs pull --include .yarn,#{cache_dir}")
+            end
+            @git_lfs_cloned_repo_contents_path
+          end
+        rescue StandardError
+          @git_lfs_cloned_repo_contents_path
+        end
+      end
+
       private
 
       def fetch_files

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater.rb

@@ -73,21 +73,13 @@ def updated_dependency_files
       def vendor_cache_dir
         return @vendor_cache_dir if defined?(@vendor_cache_dir)
 
-        @vendor_cache_dir = if File.exist?(".yarnrc.yml")
-                              YAML.load_file(".yarnrc.yml").fetch("cacheFolder", "./.yarn/cache")
-                            else
-                              "./.yarn/cache"
-                            end
+        @vendor_cache_dir = Helpers.fetch_yarnrc_yml_value("cacheFolder", "./.yarn/cache")
       end
 
       def install_state_path
         return @install_state_path if defined?(@install_state_path)
 
-        @install_state_path = if File.exist?(".yarnrc.yml")
-                                YAML.load_file(".yarnrc.yml").fetch("installStatePath", "./.yarn/install-state.gz")
-                              else
-                                "./.yarn/install-state.gz"
-                              end
+        @install_state_path = Helpers.fetch_yarnrc_yml_value("installStatePath", "./.yarn/install-state.gz")
       end
 
       def vendor_updater

npm_and_yarn/lib/dependabot/npm_and_yarn/helpers.rb

@@ -16,6 +16,14 @@ def self.npm_version_numeric(lockfile_content)
         6
       end
 
+      def self.fetch_yarnrc_yml_value(key, default_value)
+        if File.exist?(".yarnrc.yml") && (yarnrc = YAML.load_file(".yarnrc.yml"))
+          yarnrc.fetch(key, default_value)
+        else
+          default_value
+        end
+      end
+
       # Run any number of yarn commands while ensuring that `enableScripts` is
       # set to false. Yarn commands should _not_ be ran outside of this helper
       # to ensure that postinstall scripts are never executed, as they could

npm_and_yarn/spec/dependabot/npm_and_yarn/file_fetcher_spec.rb

@@ -62,6 +62,41 @@
     end
   end
 
+  context "with .yarn data stored in git-lfs" do
+    let(:source) do
+      Dependabot::Source.new(
+        provider: "github",
+        repo: repo,
+        directory: directory
+      )
+    end
+    let(:url) { "https://api.github.com/repos/dependabot-fixtures/dependabot-yarn-lfs-fixture/contents/" }
+    let(:repo) { "dependabot-fixtures/dependabot-yarn-lfs-fixture" }
+    let(:repo_contents_path) { Dir.mktmpdir }
+    after { FileUtils.rm_rf(repo_contents_path) }
+
+    let(:file_fetcher_instance) do
+      described_class.new(source: source, credentials: credentials, repo_contents_path: repo_contents_path)
+    end
+
+    it "pulls files from lfs after cloning" do
+      # Calling #files triggers the clone
+      expect(file_fetcher_instance.files.map(&:name)).to contain_exactly("package.json", "yarn.lock", ".yarnrc.yml")
+      expect(
+        File.read(
+          File.join(repo_contents_path, ".yarn", "releases", "yarn-3.2.4.cjs")
+        )
+      ).to start_with("#!/usr/bin/env node")
+
+      # LFS files not needed by dependabot are not pulled
+      expect(
+        File.read(
+          File.join(repo_contents_path, ".pnp.cjs")
+        )
+      ).to start_with("version https://git-lfs.github.com/spec/v1")
+    end
+  end
+
   context "with a .npmrc file" do
     before do
       stub_request(:get, url + "?ref=sha").