From 7f6879780b0455f24f5c063eaa70732957e21fb0 Mon Sep 17 00:00:00 2001 From: Maxwell Date: Tue, 26 Sep 2023 05:08:07 +0300 Subject: [PATCH 1/3] Write .npmrc contents with credentials when updating pnpm --- .../npm_and_yarn/file_updater/pnpm_lockfile_updater.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb index 919bff911b0..bdf50bac447 100644 --- a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb +++ b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb @@ -9,6 +9,7 @@ module Dependabot module NpmAndYarn class FileUpdater class PnpmLockfileUpdater + require_relative "npmrc_builder" require_relative "package_json_updater" def initialize(dependencies:, dependency_files:, repo_contents_path:, credentials:) @@ -38,6 +39,8 @@ def updated_pnpm_lock_content(pnpm_lock) def run_pnpm_update(pnpm_lock:) SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do + File.write(".npmrc", npmrc_content) + SharedHelpers.with_git_configured(credentials: credentials) do run_pnpm_updater @@ -120,6 +123,13 @@ def write_final_package_json_files end end + def npmrc_content + NpmrcBuilder.new( + credentials: credentials, + dependency_files: dependency_files + ).npmrc_content + end + def updated_package_json_content(file) @updated_package_json_content ||= {} @updated_package_json_content[file.name] ||= From c4e29f9ccb91d508e1304119e57a3f0c6dbe1c97 Mon Sep 17 00:00:00 2001 
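Review bot: `File.write(".npmrc", npmrc_content)` at the top of `run_pnpm_update` places registry credentials on disk in the checkout pnpm runs in (the `NpmrcBuilder` spec shows `_authToken` and `_auth` lines in that content), and nothing in these hunks removes the file again, so please confirm that the temporary repo directory is discarded and that an untracked `.npmrc` cannot be picked up when updated files are collected — both happen outside the hunk. Writing it with a restrictive mode, `File.write(".npmrc", npmrc_content, perm: 0o600)`, limits exposure if the directory outlives the run (note `perm:` only applies when the file is created, so a repo-provided `.npmrc` keeps its existing mode). Overwriting a repo-provided `.npmrc` is fine here, since the builder's spec shows it preserves that file's content and appends to it. The new `npmrc_content` method would benefit from a comment such as `# Contents for the temporary checkout's .npmrc: the repo's own file (if any) plus credential lines; must never be part of the returned updated files.`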
From: David Rodriguez Date: Tue, 26 Sep 2023 18:38:48 +0200 Subject: [PATCH 2/3] Simplify some npmrc building specs In these cases, the presence of a lockfile is irrelevant, so we can refactor the specs and make them independent of the package manager. --- .../file_updater/npmrc_builder_spec.rb | 181 +++++++----- .../{yarn => generic}/npmrc_auth_token/.npmrc | 0 .../npmrc_auth_token/package.json | 0 .../{yarn => generic}/npmrc_env_auth/.npmrc | 0 .../npmrc_env_auth/package.json | 0 .../npmrc_env_auth_token/.npmrc | 0 .../npmrc_env_auth_token/package.json | 0 .../projects/generic/simple/package.json | 25 +++ .../projects/yarn/npmrc_auth_token/yarn.lock | 56 ------ .../projects/yarn/npmrc_env_auth/yarn.lock | 56 ------ .../yarn/npmrc_env_auth_token/yarn.lock | 56 ------ 11 files changed, 89 insertions(+), 285 deletions(-) rename npm_and_yarn/spec/fixtures/projects/{yarn => generic}/npmrc_auth_token/.npmrc (100%) rename npm_and_yarn/spec/fixtures/projects/{yarn => generic}/npmrc_auth_token/package.json (100%) rename npm_and_yarn/spec/fixtures/projects/{yarn => generic}/npmrc_env_auth/.npmrc (100%) rename npm_and_yarn/spec/fixtures/projects/{yarn => generic}/npmrc_env_auth/package.json (100%) rename npm_and_yarn/spec/fixtures/projects/{yarn => generic}/npmrc_env_auth_token/.npmrc (100%) rename npm_and_yarn/spec/fixtures/projects/{yarn => generic}/npmrc_env_auth_token/package.json (100%) create mode 100644 npm_and_yarn/spec/fixtures/projects/generic/simple/package.json delete mode 100644 npm_and_yarn/spec/fixtures/projects/yarn/npmrc_auth_token/yarn.lock delete mode 100644 npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth/yarn.lock delete mode 100644 npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth_token/yarn.lock diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npmrc_builder_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npmrc_builder_spec.rb index 58ef9d92279..b0f33eee51b 100644
--- a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npmrc_builder_spec.rb
+++ b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npmrc_builder_spec.rb
@@ -25,53 +25,51 @@ describe "#npmrc_content" do subject(:npmrc_content) { npmrc_builder.npmrc_content } - context "with a yarn.lock" do - context "with no private sources and no credentials" do - let(:dependency_files) { project_dependency_files("yarn/simple") } - - it { is_expected.to eq("") } - - context "and an npmrc file" do - let(:dependency_files) { project_dependency_files("yarn/npmrc_auth_token") } + context "with an npmrc file" do + let(:dependency_files) { project_dependency_files("generic/npmrc_auth_token") } - it "returns the npmrc file unaltered" do - expect(npmrc_content) - .to eq(fixture("projects", "yarn", "npmrc_auth_token", ".npmrc")) - end - - context "that needs an authToken sanitizing" do - let(:dependency_files) { project_dependency_files("yarn/npmrc_env_auth_token") } - - it "removes the env variable use" do - expect(npmrc_content) - .to eq("@dependabot:registry=https://npm.fury.io/dependabot/\n") - end - end + it "returns the npmrc file unaltered" do + expect(npmrc_content) + .to eq(fixture("projects", "generic", "npmrc_auth_token", ".npmrc")) + end - context "that needs an auth sanitizing" do - let(:dependency_files) { project_dependency_files("yarn/npmrc_env_auth") } + context "that needs an authToken sanitizing" do + let(:dependency_files) { project_dependency_files("generic/npmrc_env_auth_token") } - it "removes the env variable use" do - expect(npmrc_content) - .to eq("@dependabot:registry=https://npm.fury.io/dependabot/\n") - end - end + it "removes the env variable use" do + expect(npmrc_content) + .to eq("@dependabot:registry=https://npm.fury.io/dependabot/\n") end + end - context "and a yarnrc file" do - let(:dependency_files) { project_dependency_files("yarn/yarnrc_global_registry") } + context "that needs an auth sanitizing" do + let(:dependency_files) { project_dependency_files("generic/npmrc_env_auth") } - it "uses the yarnrc file registry" do - expect(npmrc_content).to eq( - "registry = 
https://npm-proxy.fury.io/password/dependabot/\n" - ) - end + it "removes the env variable use" do + expect(npmrc_content) + .to eq("@dependabot:registry=https://npm.fury.io/dependabot/\n") end end + end - context "with no private sources and some credentials" do - let(:dependency_files) { project_dependency_files("yarn/simple") } + context "with no private sources and some credentials" do + let(:dependency_files) { project_dependency_files("generic/simple") } + + let(:credentials) do + [{ + "type" => "git_source", + "host" => "github.com", + "username" => "x-access-token", + "password" => "token" + }, { + "type" => "npm_registry", + "registry" => "registry.npmjs.org", + "token" => "my_token" + }] + end + it { is_expected.to eq("//registry.npmjs.org/:_authToken=my_token") } + context "and using basic auth" do let(:credentials) do [{ "type" => "git_source", 
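Review bot: The relocated `with an npmrc file` and `with no private sources and some credentials` contexts now load `generic/*` fixtures that contain no lockfile, so they exercise only the branch where `build_npmrc_content_from_lockfile` exits at its `return unless yarn_lock || package_lock` guard (visible as context in the later `npmrc_builder.rb` hunk), whereas the removed `yarn/` and `npm6/` variants covered the lockfile-backed branch. The commit message says the lockfile is irrelevant here, but that is a property of the implementation these tests no longer check; a shared example group run under both a `generic/` fixture and a lockfile-bearing one would keep it verified. `with an npmrc file` also silently relies on the spec-level default `credentials`, which this hunk does not show; a comment such as `# uses the spec-level default credentials, which must not add registry lines` would make the precondition for `returns the npmrc file unaltered` explicit. The same coverage point applies to the `package-lock.json` contexts deleted in the third hunk of this file.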
@@ -81,39 +79,41 @@ }, { "type" => "npm_registry", "registry" => "registry.npmjs.org", - "token" => "my_token" + "token" => "my:token" }] end - it { is_expected.to eq("//registry.npmjs.org/:_authToken=my_token") } + it "includes Basic auth details" do + expect(npmrc_content).to eq( + "always-auth = true\n//registry.npmjs.org/:_auth=bXk6dG9rZW4=" + ) + end + end - context "that uses basic auth" do - let(:credentials) do - [{ - "type" => "git_source", - "host" => "github.com", - "username" => "x-access-token", - "password" => "token" - }, { - "type" => "npm_registry", - "registry" => "registry.npmjs.org", - "token" => "my:token" - }] - end - it "includes Basic auth details" do - expect(npmrc_content).to eq( - "always-auth = true\n//registry.npmjs.org/:_auth=bXk6dG9rZW4=" - ) - end + context "and an npmrc file" do + let(:dependency_files) { project_dependency_files("generic/npmrc_auth_token") } + + it "appends to the npmrc file" do + expect(npmrc_content) + .to include(fixture("projects", "generic", "npmrc_auth_token", ".npmrc")) + expect(npmrc_content) + .to end_with("\n\n//registry.npmjs.org/:_authToken=my_token") end + end + end - context "and an npmrc file" do - let(:dependency_files) { project_dependency_files("yarn/npmrc_auth_token") } + context "with a yarn.lock" do + context "with no private sources and no credentials" do + let(:dependency_files) { project_dependency_files("yarn/simple") } - it "appends to the npmrc file" do - expect(npmrc_content) - .to include(fixture("projects", "yarn", "npmrc_auth_token", ".npmrc")) - expect(npmrc_content) - .to end_with("\n\n//registry.npmjs.org/:_authToken=my_token") + it { is_expected.to eq("") } + + context "and a yarnrc file" do + let(:dependency_files) { project_dependency_files("yarn/yarnrc_global_registry") } + + it "uses the yarnrc file registry" do + expect(npmrc_content).to eq( + "registry = https://npm-proxy.fury.io/password/dependabot/\n" + ) end end end 
@@ -459,59 +459,6 @@ end context "with a package-lock.json" do - context "with no private sources and no credentials" do - let(:dependency_files) { project_dependency_files("npm6/simple") } - - it { is_expected.to eq("") } - - context "and an npmrc file" do - let(:dependency_files) { project_dependency_files("npm6/npmrc_auth_token") } - - it "returns the npmrc file unaltered" do - expect(npmrc_content) - .to eq(fixture("projects", "npm6", "npmrc_auth_token", ".npmrc")) - end - - context "that need sanitizing" do - let(:dependency_files) { project_dependency_files("npm6/npmrc_env_auth_token") } - - it "removes the env variable use" do - expect(npmrc_content) - .to eq("@dependabot:registry=https://npm.fury.io/dependabot/\n") - end - end - end - end - - context "with no private sources and some credentials" do - let(:dependency_files) { project_dependency_files("npm6/simple") } - - let(:credentials) do - [{ - "type" => "git_source", - "host" => "github.com", - "username" => "x-access-token", - "password" => "token" - }, { - "type" => "npm_registry", - "registry" => "registry.npmjs.org", - "token" => "my_token" - }] - end - it { is_expected.to eq("//registry.npmjs.org/:_authToken=my_token") } - - context "and an npmrc file" do - let(:dependency_files) { project_dependency_files("npm6/npmrc_auth_token") } - - it "appends to the npmrc file" do - expect(npmrc_content) - .to include(fixture("projects", "npm6", "npmrc_auth_token", ".npmrc")) - expect(npmrc_content) - .to end_with("\n\n//registry.npmjs.org/:_authToken=my_token") - end - end - end - context "with no private sources and credentials cleared" do let(:dependency_files) { project_dependency_files("npm6/private_source") } 
diff --git a/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_auth_token/.npmrc b/npm_and_yarn/spec/fixtures/projects/generic/npmrc_auth_token/.npmrc
similarity index 100%
rename from npm_and_yarn/spec/fixtures/projects/yarn/npmrc_auth_token/.npmrc
rename to npm_and_yarn/spec/fixtures/projects/generic/npmrc_auth_token/.npmrc
diff --git a/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_auth_token/package.json b/npm_and_yarn/spec/fixtures/projects/generic/npmrc_auth_token/package.json
similarity index 100%
rename from npm_and_yarn/spec/fixtures/projects/yarn/npmrc_auth_token/package.json
rename to npm_and_yarn/spec/fixtures/projects/generic/npmrc_auth_token/package.json
diff --git a/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth/.npmrc b/npm_and_yarn/spec/fixtures/projects/generic/npmrc_env_auth/.npmrc
similarity index 100%
rename from npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth/.npmrc
rename to npm_and_yarn/spec/fixtures/projects/generic/npmrc_env_auth/.npmrc
diff --git a/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth/package.json b/npm_and_yarn/spec/fixtures/projects/generic/npmrc_env_auth/package.json
similarity index 100%
rename from npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth/package.json
rename to npm_and_yarn/spec/fixtures/projects/generic/npmrc_env_auth/package.json
diff --git a/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth_token/.npmrc b/npm_and_yarn/spec/fixtures/projects/generic/npmrc_env_auth_token/.npmrc
similarity index 100%
rename from npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth_token/.npmrc
rename to npm_and_yarn/spec/fixtures/projects/generic/npmrc_env_auth_token/.npmrc
diff --git a/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth_token/package.json b/npm_and_yarn/spec/fixtures/projects/generic/npmrc_env_auth_token/package.json
similarity index 100%
rename from npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth_token/package.json
rename to npm_and_yarn/spec/fixtures/projects/generic/npmrc_env_auth_token/package.json
diff --git a/npm_and_yarn/spec/fixtures/projects/generic/simple/package.json b/npm_and_yarn/spec/fixtures/projects/generic/simple/package.json
new file mode 100644
index 00000000000..88a3adff6e2
--- /dev/null
+++ b/npm_and_yarn/spec/fixtures/projects/generic/simple/package.json
@@ -0,0 +1,25 @@
+{
+ "name": "{{ name }}",
+ "version": "1.0.0",
+ "description": "",
+ "main": "index.js",
+ "scripts": {
+ "test": "echo \"Error: no\\ test\ specified\" && exit 1",
+ "prettify": "prettier --write \"{{packages/*/src,examples,cypress,scripts}/**/,}*.{js,jsx,ts,tsx,css,md}\""
+ },
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/waltfy/PROTO_TEST.git"
+ },
+ "author": "",
+ "license": "ISC",
+ "bugs": {
+ "url": "https://github.com/waltfy/PROTO_TEST/issues"
+ },
+ "homepage": "https://github.com/waltfy/PROTO_TEST#readme",
+ "dependencies": {
+ "fetch-factory": "^0.0.1"
+ },
+ "devDependencies": {
+ "etag" : "^1.0.0"
+ }}
diff --git a/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_auth_token/yarn.lock b/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_auth_token/yarn.lock
deleted file mode 100644
index 47ab0f33f04..00000000000
--- a/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_auth_token/yarn.lock
+++ /dev/null
@@ -1,56 +0,0 @@ -# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. -# yarn lockfile v1 - - -encoding@^0.1.11: - version "0.1.12" - resolved "https://registry.yarnpkg.com/encoding/-/encoding-0.1.12.tgz#538b66f3ee62cd1ab51ec323829d1f9480c74beb" - dependencies: - iconv-lite "~0.4.13" - -es6-promise@^3.0.2: - version "3.3.1" - resolved "https://registry.yarnpkg.com/es6-promise/-/es6-promise-3.3.1.tgz#a08cdde84ccdbf34d027a1451bc91d4bcd28a613" - -etag@^1.0.0: - version "1.7.0" - resolved "https://registry.yarnpkg.com/etag/-/etag-1.7.0.tgz#03d30b5f67dd6e632d2945d30d6652731a34d5d8" - -fetch-factory@^0.0.1: - version "0.0.1" - resolved "https://registry.yarnpkg.com/fetch-factory/-/fetch-factory-0.0.1.tgz#e0076059bdb31e3147c75b3b8c04133ba8c7e071" - dependencies: - es6-promise "^3.0.2" - isomorphic-fetch "^2.1.1" - lodash "^3.10.1" - -iconv-lite@~0.4.13: - version "0.4.15" - resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.15.tgz#fe265a218ac6a57cfe854927e9d04c19825eddeb" - -is-stream@^1.0.1: - version "1.1.0" - resolved "https://registry.yarnpkg.com/is-stream/-/is-stream-1.1.0.tgz#12d4a3dd4e68e0b79ceb8dbc84173ae80d91ca44" - -isomorphic-fetch@^2.1.1: - version "2.2.1" - resolved "https://registry.yarnpkg.com/isomorphic-fetch/-/isomorphic-fetch-2.2.1.tgz#611ae1acf14f5e81f729507472819fe9733558a9" - dependencies: - node-fetch "^1.0.1" - whatwg-fetch ">=0.10.0" - -lodash@^3.10.1: - version "3.10.1" - resolved "https://registry.yarnpkg.com/lodash/-/lodash-3.10.1.tgz#5bf45e8e49ba4189e17d482789dfd15bd140b7b6" - -node-fetch@^1.0.1: - version "1.6.3" - resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-1.6.3.tgz#dc234edd6489982d58e8f0db4f695029abcd8c04" - dependencies: - encoding "^0.1.11" - is-stream "^1.0.1" - -whatwg-fetch@>=0.10.0: - version "2.0.2" - resolved "https://registry.yarnpkg.com/whatwg-fetch/-/whatwg-fetch-2.0.2.tgz#fe294d1d89e36c5be8b3195057f2e4bc74fc980e" - 
diff --git a/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth/yarn.lock b/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth/yarn.lock
deleted file mode 100644
index 47ab0f33f04..00000000000
--- a/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth/yarn.lock
+++ /dev/null
@@ -1,56 +0,0 @@ -# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. -# yarn lockfile v1 - - -encoding@^0.1.11: - version "0.1.12" - resolved "https://registry.yarnpkg.com/encoding/-/encoding-0.1.12.tgz#538b66f3ee62cd1ab51ec323829d1f9480c74beb" - dependencies: - iconv-lite "~0.4.13" - -es6-promise@^3.0.2: - version "3.3.1" - resolved "https://registry.yarnpkg.com/es6-promise/-/es6-promise-3.3.1.tgz#a08cdde84ccdbf34d027a1451bc91d4bcd28a613" - -etag@^1.0.0: - version "1.7.0" - resolved "https://registry.yarnpkg.com/etag/-/etag-1.7.0.tgz#03d30b5f67dd6e632d2945d30d6652731a34d5d8" - -fetch-factory@^0.0.1: - version "0.0.1" - resolved "https://registry.yarnpkg.com/fetch-factory/-/fetch-factory-0.0.1.tgz#e0076059bdb31e3147c75b3b8c04133ba8c7e071" - dependencies: - es6-promise "^3.0.2" - isomorphic-fetch "^2.1.1" - lodash "^3.10.1" - -iconv-lite@~0.4.13: - version "0.4.15" - resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.15.tgz#fe265a218ac6a57cfe854927e9d04c19825eddeb" - -is-stream@^1.0.1: - version "1.1.0" - resolved "https://registry.yarnpkg.com/is-stream/-/is-stream-1.1.0.tgz#12d4a3dd4e68e0b79ceb8dbc84173ae80d91ca44" - -isomorphic-fetch@^2.1.1: - version "2.2.1" - resolved "https://registry.yarnpkg.com/isomorphic-fetch/-/isomorphic-fetch-2.2.1.tgz#611ae1acf14f5e81f729507472819fe9733558a9" - dependencies: - node-fetch "^1.0.1" - whatwg-fetch ">=0.10.0" - -lodash@^3.10.1: - version "3.10.1" - resolved "https://registry.yarnpkg.com/lodash/-/lodash-3.10.1.tgz#5bf45e8e49ba4189e17d482789dfd15bd140b7b6" - -node-fetch@^1.0.1: - version "1.6.3" - resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-1.6.3.tgz#dc234edd6489982d58e8f0db4f695029abcd8c04" - dependencies: - encoding "^0.1.11" - is-stream "^1.0.1" - -whatwg-fetch@>=0.10.0: - version "2.0.2" - resolved "https://registry.yarnpkg.com/whatwg-fetch/-/whatwg-fetch-2.0.2.tgz#fe294d1d89e36c5be8b3195057f2e4bc74fc980e" - 
diff --git a/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth_token/yarn.lock b/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth_token/yarn.lock
deleted file mode 100644
index 47ab0f33f04..00000000000
--- a/npm_and_yarn/spec/fixtures/projects/yarn/npmrc_env_auth_token/yarn.lock
+++ /dev/null
@@ -1,56 +0,0 @@ -# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. -# yarn lockfile v1 - - -encoding@^0.1.11: - version "0.1.12" - resolved "https://registry.yarnpkg.com/encoding/-/encoding-0.1.12.tgz#538b66f3ee62cd1ab51ec323829d1f9480c74beb" - dependencies: - iconv-lite "~0.4.13" - -es6-promise@^3.0.2: - version "3.3.1" - resolved "https://registry.yarnpkg.com/es6-promise/-/es6-promise-3.3.1.tgz#a08cdde84ccdbf34d027a1451bc91d4bcd28a613" - -etag@^1.0.0: - version "1.7.0" - resolved "https://registry.yarnpkg.com/etag/-/etag-1.7.0.tgz#03d30b5f67dd6e632d2945d30d6652731a34d5d8" - -fetch-factory@^0.0.1: - version "0.0.1" - resolved "https://registry.yarnpkg.com/fetch-factory/-/fetch-factory-0.0.1.tgz#e0076059bdb31e3147c75b3b8c04133ba8c7e071" - dependencies: - es6-promise "^3.0.2" - isomorphic-fetch "^2.1.1" - lodash "^3.10.1" - -iconv-lite@~0.4.13: - version "0.4.15" - resolved "https://registry.yarnpkg.com/iconv-lite/-/iconv-lite-0.4.15.tgz#fe265a218ac6a57cfe854927e9d04c19825eddeb" - -is-stream@^1.0.1: - version "1.1.0" - resolved "https://registry.yarnpkg.com/is-stream/-/is-stream-1.1.0.tgz#12d4a3dd4e68e0b79ceb8dbc84173ae80d91ca44" - -isomorphic-fetch@^2.1.1: - version "2.2.1" - resolved "https://registry.yarnpkg.com/isomorphic-fetch/-/isomorphic-fetch-2.2.1.tgz#611ae1acf14f5e81f729507472819fe9733558a9" - dependencies: - node-fetch "^1.0.1" - whatwg-fetch ">=0.10.0" - -lodash@^3.10.1: - version "3.10.1" - resolved "https://registry.yarnpkg.com/lodash/-/lodash-3.10.1.tgz#5bf45e8e49ba4189e17d482789dfd15bd140b7b6" - -node-fetch@^1.0.1: - version "1.6.3" - resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-1.6.3.tgz#dc234edd6489982d58e8f0db4f695029abcd8c04" - dependencies: - encoding "^0.1.11" - is-stream "^1.0.1" - -whatwg-fetch@>=0.10.0: - version "2.0.2" - resolved "https://registry.yarnpkg.com/whatwg-fetch/-/whatwg-fetch-2.0.2.tgz#fe294d1d89e36c5be8b3195057f2e4bc74fc980e" - 
From 7bd8b2c24c456e70a76311e7ae0806d4c47fbfc0 Mon Sep 17 00:00:00 2001 From: David Rodriguez Date: Tue, 26 Sep 2023 11:18:49 +0200 Subject: [PATCH 3/3] Reuse RegistryFinder when inferring npmrc for PNPM --- .../file_updater/npmrc_builder.rb | 16 ++++++- .../file_updater/pnpm_lockfile_updater.rb | 7 ++-- .../file_updater/npmrc_builder_spec.rb | 42 ++++++++++++++++++- .../projects/pnpm/private_source/package.json | 23 ++++++++++ .../pnpm/private_source/pnpm-lock.yaml | 38 +++++++++++++++++ 5 files changed, 120 insertions(+), 6 deletions(-) create mode 100644 npm_and_yarn/spec/fixtures/projects/pnpm/private_source/package.json create mode 100644 npm_and_yarn/spec/fixtures/projects/pnpm/private_source/pnpm-lock.yaml diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb index d3a67655520..a8a8a90827d 100644 --- a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb +++ b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb @@ -17,9 +17,10 @@ class NpmrcBuilder SCOPED_REGISTRY = /^\s*@(?\S+):registry\s*=\s*(?\S+)/ - def initialize(dependency_files:, credentials:) + def initialize(dependency_files:, credentials:, dependencies: []) @dependency_files = dependency_files @credentials = credentials + @dependencies = dependencies end # PROXY WORK @@ -52,7 +53,7 @@ def yarnrc_content private - attr_reader :dependency_files, :credentials + attr_reader :dependency_files, :credentials, :dependencies def build_npmrc_content_from_lockfile return unless yarn_lock || package_lock 
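Review bot: The new `dependencies: []` keyword on `NpmrcBuilder#initialize` is undocumented, and its effect (in the `dependency_urls` hunk further down, a non-empty list bypasses the lockfile scan in favour of per-dependency `UpdateChecker::RegistryFinder` lookups) is a behavioural switch a caller needs to know about. A YARD line at the constructor would do: `# @param dependencies [Array<Dependabot::Dependency>] when non-empty, registry URLs are resolved per dependency via RegistryFinder instead of being scanned from the lockfile`. The `[]` default is safe — Ruby evaluates default arguments on every call, so no mutable state is shared between instances.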
@@ -134,6 +135,17 @@ def dependency_urls return @dependency_urls if defined?(@dependency_urls) @dependency_urls = [] + + if dependencies.any? + @dependency_urls = dependencies.map do |dependency| + UpdateChecker::RegistryFinder.new( + dependency: dependency, + credentials: credentials + ).dependency_url + end + return @dependency_urls + end + if package_lock @dependency_urls += package_lock.content.scan(/"resolved"\s*:\s*"(.*)"/) diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb index bdf50bac447..ab0d71dd16e 100644 --- a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb +++ b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/pnpm_lockfile_updater.rb @@ -39,7 +39,7 @@ def updated_pnpm_lock_content(pnpm_lock) def run_pnpm_update(pnpm_lock:) SharedHelpers.in_a_temporary_repo_directory(base_dir, repo_contents_path) do - File.write(".npmrc", npmrc_content) + File.write(".npmrc", npmrc_content(pnpm_lock)) SharedHelpers.with_git_configured(credentials: credentials) do run_pnpm_updater @@ -123,10 +123,11 @@ def write_final_package_json_files end end - def npmrc_content + def npmrc_content(pnpm_lock) NpmrcBuilder.new( credentials: credentials, - dependency_files: dependency_files + dependency_files: dependency_files, + dependencies: lockfile_dependencies(pnpm_lock) ).npmrc_content end diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npmrc_builder_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npmrc_builder_spec.rb index b0f33eee51b..d21e0f5b896 100644 --- a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npmrc_builder_spec.rb +++ b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npmrc_builder_spec.rb 
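Review bot: In `dependency_urls`, the new early `return @dependency_urls` is gated on `dependencies.any?` rather than on the lockfile type, so a caller that passes `dependencies:` alongside a `package-lock.json` or `yarn.lock` silently loses the lockfile-derived URLs the rest of the method collects; if the branch is meant only for pnpm, a comment should say so, e.g. `# Caller-supplied dependencies (pnpm: no lockfile scan here) are resolved via RegistryFinder instead.` The spec in this series stubs an authenticated GET per dependency, so this branch also turns `.npmrc` generation into network I/O that presents the registry token once per dependency, which deserves a second comment so nobody calls it repeatedly. Whether `dependency_url` can return nil I cannot tell from here; if it can, the mapped array needs a `.compact` before the URLs are consumed. `dependency_urls` continues past the hunk, as does `run_pnpm_update` in the `pnpm_lockfile_updater.rb` hunk that now calls `npmrc_content(pnpm_lock)` through the non-visible `lockfile_dependencies`.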
@@ -9,7 +9,8 @@ let(:npmrc_builder) do described_class.new( dependency_files: dependency_files, - credentials: credentials + credentials: credentials, + dependencies: dependencies ) end @@ -22,6 +23,10 @@ }] end + let(:dependencies) do + [] + end + describe "#npmrc_content" do subject(:npmrc_content) { npmrc_builder.npmrc_content } @@ -777,6 +782,41 @@ end end + context "with a pnpm-lock.yaml" do + let(:dependency_files) { project_dependency_files("pnpm/private_source") } + let(:dependencies) do + [ + Dependabot::Dependency.new(name: "@dependabot/etag", version: "1.8.1", package_manager: "npm_and_yarn", + requirements: []), + Dependabot::Dependency.new(name: "semver", version: "7.5.4", package_manager: "npm_and_yarn", + requirements: []) + ] + end + + context "and a private registry configured that lists a specific dependency" do + let(:credentials) do + [{ + "type" => "npm_registry", + "registry" => "pkgs.dev.azure.com/dependabot/my-project/_packaging/my-feed/npm/registry/", + "token" => "my_token" + }] + end + + before do + stub_request(:get, "https://pkgs.dev.azure.com/dependabot/my-project/_packaging/my-feed/npm/registry/@dependabot%2Fetag") + .with(headers: { "Authorization" => "Bearer my_token" }) + .to_return(status: 200, body: "{}") + stub_request(:get, "https://pkgs.dev.azure.com/dependabot/my-project/_packaging/my-feed/npm/registry/semver") + .with(headers: { "Authorization" => "Bearer my_token" }) + .to_return(status: 404) + end + + it "adds a scoped registry for the dependency" do + expect(npmrc_content).to include("@dependabot:registry=https://pkgs.dev.azure.com/dependabot/my-project/_packaging/my-feed/npm/registry/") + end + end + end + context "registry scope generation" do let(:credentials) do [{ diff --git a/npm_and_yarn/spec/fixtures/projects/pnpm/private_source/package.json b/npm_and_yarn/spec/fixtures/projects/pnpm/private_source/package.json new file mode 100644 index 00000000000..85f6822bea2 --- /dev/null 
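Review bot: The new `adds a scoped registry for the dependency` example asserts only `include(...)` for the `@dependabot` scope line, so it would still pass if the credential line for the private feed were missing or if the unscoped `semver` lookup (stubbed to 404) wrongly rewrote the default registry. Pin both: `expect(npmrc_content).to include("//pkgs.dev.azure.com/dependabot/my-project/_packaging/my-feed/npm/registry/:_authToken=my_token")`, following the `_authToken` format the other examples in this spec assert, and `expect(npmrc_content).not_to match(/^registry\s*=/)` — confirm the exact line format against `NpmrcBuilder` first, since I am inferring it. The `.with(headers: { "Authorization" => "Bearer my_token" })` constraints usefully pin that the token goes only to the configured feed, which holds only if WebMock is rejecting unstubbed requests in this suite, something I cannot see from here.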
+++ b/npm_and_yarn/spec/fixtures/projects/pnpm/private_source/package.json @@ -0,0 +1,23 @@ +{ + "name": "test", + "version": "1.0.0", + "description": "testing out private registry usage", + "main": "index.js", + "scripts": { + "test": "echo \"Error: no test specified\" && exit 1" + }, + "repository": { + "type": "git", + "url": "git+https://github.com/waltfy/PROTO_TEST.git" + }, + "author": "", + "license": "ISC", + "bugs": { + "url": "https://github.com/waltfy/PROTO_TEST/issues" + }, + "homepage": "https://github.com/waltfy/PROTO_TEST#readme", + "dependencies": { + "@dependabot/etag": "^1.8.0", + "semver": "^7.5.4" + } +} diff --git a/npm_and_yarn/spec/fixtures/projects/pnpm/private_source/pnpm-lock.yaml b/npm_and_yarn/spec/fixtures/projects/pnpm/private_source/pnpm-lock.yaml new file mode 100644 index 00000000000..5f7c7210d6b --- /dev/null +++ b/npm_and_yarn/spec/fixtures/projects/pnpm/private_source/pnpm-lock.yaml @@ -0,0 +1,38 @@ +lockfileVersion: '6.0' + +settings: + autoInstallPeers: true + excludeLinksFromLockfile: false + +dependencies: + '@dependabot/etag': + specifier: ^1.8.0 + version: 1.8.0 + semver: + specifier: ^7.5.4 + version: 7.5.4 + +packages: + + /@dependabot/etag@1.8.0: + resolution: {integrity: sha1-/HizFb1hVT38sBYgsMHMF2qMbC8=} + dev: false + + /lru-cache@6.0.0: + resolution: {integrity: sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==} + engines: {node: '>=10'} + dependencies: + yallist: 4.0.0 + dev: false + + /semver@7.5.4: + resolution: {integrity: sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==} + engines: {node: '>=10'} + hasBin: true + dependencies: + lru-cache: 6.0.0 + dev: false + + /yallist@4.0.0: + resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==} + dev: false