Fix Dependency File Detection for npm, pnpm, yarn, and bun

[kbukum1]

What are you trying to accomplish?

This PR fixes an issue with detecting dependency files in workspaces when file names include parent directories or relative paths (e.g., ./../pnpm-lock.yaml). The previous logic relied solely on exact name matches (==), which caused package manager detection to fail when no lock file was found.

The updated logic uses both == and end_with? checks to improve robustness and ensure compatibility with various file naming conventions.

Anything you want to highlight for special attention from reviewers?

• Changes have been applied to methods that handle lockfiles and configuration files for npm, pnpm, yarn, and bun.
• This fix addresses edge cases where dependency files are nested or include parent directory references in their paths.
• Reviewers should check if all relevant file types are covered and ensure the changes do not introduce regressions.

How will you know you've accomplished your goal?

• Dependency files are correctly identified in all scenarios, including nested or prefixed paths.
• Tests verify correct behavior for each package manager (npm, pnpm, yarn, and bun).
• Package manager detection works without errors caused by missing or misidentified files.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[abdulapopoola]

do we want to check for case insensitivity?

[kbukum1]

I think we are good for case sensitivity. Let me check but file_fetcher is working fine by using case sensitivite namings.

[kbukum1]

Maybe we can. I can see in file fetcher we are doing following to set name. It may not be small letters.

        DependencyFile.new(
          name: Pathname.new(filename).cleanpath.to_path,
          directory: directory,
          type: type,
          content: content,
          symlink_target: symlink_target,
          support_file: in_submodule?(path)
        )

[kbukum1]

Normally we only have problem with lock files where we have following if we can't find file from the directory.

      sig { params(filename: String).returns(T.nilable(DependencyFile)) }
      def fetch_file_from_parent_directories(filename)
        (1..directory.split("/").count).each do |i|
          file = fetch_file_with_support(("../" * i) + filename)
          return file if file
        end
        nil
      end

[abdulapopoola]

can we test and see if it works with PNPM-LOCK.json for example?

[kbukum1]

Let me try.

[kbukum1]

The IDE's automatic formatter is adjusting the code indentation to a tabSize of 2 instead of 4, which deviates from our standard indentation style.

[kbukum1]

Just removed the library because it was causing the following error in go specs

       expected "go: github.com/jenkins-x/[email protected] requires\n\tk8s.io/[email protected] requires\n\tcloud.google.com/[email protected] requires\n\[email protected]: unrecognized import path \"go.opencensus.io\": https fetch: Get \"https://go.opencensus.io/?go-get=1\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-01-22T00:44:17Z is after 2025-01-21T03:43:04Z" to include "go.mod has post-v1 module path"
       Diff:
       @@ -1,4 +1,7 @@
       -go.mod has post-v1 module path
       +go: github.com/jenkins-x/[email protected] requires
       +	k8s.io/[email protected] requires
       +	cloud.google.com/[email protected] requires
       +	[email protected]: unrecognized import path "go.opencensus.io": https fetch: Get "https://go.opencensus.io/?go-get=1": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-01-22T00:44:17Z is after 2025-01-21T03:43:04Z
     # ./spec/dependabot/go_modules/file_updater/go_mod_updater_spec.rb:558:in `block (4 levels) in <top (required)>'
     # /home/dependabot/common/spec/spec_helper.rb:66:in `block (2 levels) in <top (required)>'
     # /home/dependabot/dependabot-updater/vendor/ruby/3.3.0/gems/webmock-3.24.0/lib/webmock/rspec.rb:39:in `block (2 levels) in <top (required)>'
 

[kbukum1]

Since the go_modules specs focuses on path validation for go_modules, verifying the v1 path against the v2 path is sufficient. Adding a similar check for v0 is redundant and does not provide additional value to the test. Therefore, I have updated the existing spec to focus on the v1 path check and removed the redundant spec for the v0 path check.