fix(npm): use lockfileVersion from npm-shrinkwrap (#26726)

renovatebot · Jan 19, 2024 · 5fdf4fc · 5fdf4fc
1 parent faa1618
commit 5fdf4fc
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 3 deletions.
diff --git a/lib/modules/manager/npm/post-update/npm.spec.ts b/lib/modules/manager/npm/post-update/npm.spec.ts
@@ -199,7 +199,7 @@ describe('modules/manager/npm/post-update/npm', () => {
     ]);
   });
 
-  it('deduplicates dependencies after installation with npm <= 6', async () => {
+  it('deduplicates package-lock.json dependencies after installation with npm <= 6', async () => {
     const execSnapshots = mockExecAll();
     // package.json
     fs.readLocalFile.mockResolvedValueOnce('{}');
@@ -234,6 +234,45 @@ describe('modules/manager/npm/post-update/npm', () => {
     ]);
   });
 
+  it('deduplicates npm-shrinkwrap.json dependencies after installation with npm <= 6', async () => {
+    const execSnapshots = mockExecAll();
+    // package.json
+    fs.readLocalFile.mockResolvedValueOnce('{}');
+    const packageLockContents = JSON.stringify({
+      dependencies: {},
+      lockfileVersion: 1,
+    });
+    fs.readLocalFile.mockResolvedValueOnce(packageLockContents);
+    fs.readLocalFile.mockResolvedValueOnce(packageLockContents);
+    const postUpdateOptions = ['npmDedupe'];
+    const updates = [
+      { packageName: 'some-dep', newVersion: '1.0.1', isLockfileUpdate: false },
+    ];
+    const res = await npmHelper.generateLockFile(
+      'some-dir',
+      {},
+      'npm-shrinkwrap.json',
+      { postUpdateOptions },
+      updates,
+    );
+    expect(fs.readLocalFile).toHaveBeenCalledTimes(3);
+    expect(fs.readLocalFile).toHaveBeenCalledWith(
+      'some-dir/npm-shrinkwrap.json',
+      'utf8',
+    );
+    expect(res.error).toBeFalse();
+    expect(res.lockFile).toBe(packageLockContents);
+    expect(execSnapshots).toHaveLength(2);
+    expect(execSnapshots).toMatchObject([
+      {
+        cmd: 'npm install --no-audit --ignore-scripts',
+      },
+      {
+        cmd: 'npm dedupe',
+      },
+    ]);
+  });
+
   it('runs twice if remediating', async () => {
     const execSnapshots = mockExecAll();
     fs.readLocalFile.mockResolvedValueOnce('package-lock-contents');

diff --git a/lib/modules/manager/npm/post-update/npm.ts b/lib/modules/manager/npm/post-update/npm.ts
@@ -32,8 +32,9 @@ import { getPackageManagerVersion, lazyLoadPackageJson } from './utils';
 
 async function getNpmConstraintFromPackageLock(
   lockFileDir: string,
+  filename: string,
 ): Promise<string | null> {
-  const packageLockFileName = upath.join(lockFileDir, 'package-lock.json');
+  const packageLockFileName = upath.join(lockFileDir, filename);
   const packageLockContents = await readLocalFile(packageLockFileName, 'utf8');
   const packageLockJson = Result.parse(
     packageLockContents,
@@ -79,7 +80,7 @@ export async function generateLockFile(
       constraint:
         config.constraints?.npm ??
         getPackageManagerVersion('npm', await lazyPkgJson.getValue()) ??
-        (await getNpmConstraintFromPackageLock(lockFileDir)) ??
+        (await getNpmConstraintFromPackageLock(lockFileDir, filename)) ??
         null,
     };
     const supportsPreferDedupeFlag =