Fix Unsupported Error When Npm Version Not Detected

[kbukum1]

What are you trying to accomplish?

This change addresses the issue where the NPM version detection failed when the version is empty or set to 0. The fix ensures that the error is handled gracefully, allowing Dependabot to properly detect and work with NPM versions that were previously unsupported.

Anything you want to highlight for special attention from reviewers?

The fix specifically targets the issue where an unsupported error occurred due to the version being empty or 0. It ensures that these edge cases are handled without causing a disruption in the update process.

How will you know you've accomplished your goal?

• The issue of failing to detect NPM versions that are empty or 0 should be resolved.
• The system should now handle these cases without raising errors or affecting other functionality.
• Automated tests should pass successfully, and manual validation should show that the detection now works correctly for edge cases.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[kbukum1]

Review Tip: Simplified

[kbukum1]

Review Tip: Simplified

[kbukum1]

Review Tip: We want to be sure we return nil instead of empty when there is no detected version. Note that detected version can be string or integer.

[kbukum1]

Review Tip: Check if detected_version has value.

[kbukum1]

Fix for #11234

[bcomnes]

Can you clarify which version of npm you will default to when none is specified? Whatever npm version ships with with the current node LTS seems reasonable.

This sounds like this will fix the issue introduced last week.

Also related: #11373

Thanks for getting a fix out for this.

[kbukum1]

Can you clarify which version of npm you will default to when none is specified? Whatever npm version ships with with the current node LTS seems reasonable.

This sounds like this will fix the issue introduced last week.

Also related: #11373

Thanks for getting a fix out for this.

@bcomnes

1. Default npm Version When None is Specified:

   • If there is no lockfile or the lockfile is empty, we default to npm 10.
   • If the lockfile exists and contains a valid lockfileVersion, we determine the npm version as follows:
     • lockfileVersion >= 3 → npm 10
     • lockfileVersion == 2 → npm 8
     • lockfileVersion == 1 → npm 8
   • If a lockfile is present but cannot be parsed, we fall back to npm 8.

   Note that these versions are used for making decisions related to how the manifest and lockfile are structured. However, when running npm for operations such as install, we do not use the detected version. Instead, we explicitly run npm with NPM_VERSION=9.6.5.

Let me know if you need any further clarification!

[kbukum1]

Fixes:

• Dependabot fails to update a package.json without a lock file #11373
• NPM version detection broken #11234

[bcomnes]

Great. Works for me thank you.

[kbukum1]

@bcomnes,

The fix has been shipped. Could you check your repository to see if it's working now? You may need to rerun the process to reflect the changes, as the fix was just released.

[kbukum1]

commented review tips

[bcomnes]

Confirmed working as before. Thank you @kbukum1

[kbukum1]

Confirmed working as before. Thank you @kbukum1

Thanks for the confirmation.