Ensure Corepack Usage for npm, pnpm, and yarn Command Execution

[kbukum1]

What are you trying to accomplish?

This PR ensures that corepack is explicitly invoked when running npm, pnpm, and yarn commands. By calling corepack directly, we can guarantee that the correct package manager versions (installed via Corepack) are used for each command. This change helps prevent version mismatches and enhances consistency across different environments.

This change resolves inconsistencies in package manager versions used in different environments and addresses potential issues caused by mismatched versions.

Anything you want to highlight for special attention from reviewers?

The key change here is the addition of corepack to the npm, pnpm, and yarn command execution. This ensures that the commands run with the versions installed by Corepack. If there were multiple approaches to achieve this, I selected this one to make the execution explicit and straightforward.

How will you know you've accomplished your goal?

• To confirm these changes, tests were run to verify that each package manager command executes correctly with Corepack and maintains version consistency.
• This PR includes updates to run_npm_command, run_pnpm_command, and run_single_yarn_command to prepend corepack to each command, ensuring the correct version usage.
• The implementation was verified by running the package manager commands and confirming the expected behavior.

Checklist

• I have run the complete test suite to ensure all tests and linters pass.
• I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
• I have written clear and descriptive commit messages.
• I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
• I have ensured that the code is well-documented and easy to understand.

[kbukum1]

moved from PackageManagerHelper into Helpers.

[Nishnha]

we should check to see if we have run the setup command already and skip it if we have

[Nishnha]

also, since most of the codebase uses #run_single_yarn_command, should we update that method instead?

[kbukum1]

Thanks for the feedback. I will check if we can run the run_single_yarn_command and make changes accordingly.

[kbukum1]

I went over the code. I think we are already doing install in file_fetcher phase. So we don't need to re-run setup for that. Just we need to be sure that we are running commands through corepack. And in the following change we are running all command by using corepack. Also in setup_yarn_berry we are running multiple yarn commands with different conditions so I think this method is doing things with conditions and it is calling run_single_yarn_command which is expected to be right call.

https://github.com/dependabot/dependabot-core/pull/10944/files#diff-85ec3865f2fdb48045a2536b37b847156ed3bd3960afdc8bd900ae568de9acd7R295

[kbukum1]

If you’re suggesting that we configure setup_yarn_berry once and avoid re-running these commands, I can work on that. However, I think it would be better suited to a separate PR, as our priority is first ensuring everything runs smoothly with Corepack.

[Nishnha]

The direction of this PR makes sense to me. Do you have any data showing the inconsistent runs? We could use that to verify that this change makes them consistent again

[kbukum1]

The direction of this PR makes sense to me. Do you have any data showing the inconsistent runs? We could use that to verify that this change makes them consistent again.

@Nishnha
I've checked the metrics, and they indicate that we’re always using the default package manager versions in our images. When I manually tried to retrieve the package manager versions within the image using corepack npm -v, corepack pnpm -v, and corepack yarn -v, I found that only the default installed versions are being used rather than the versions installed after detection.

After investigating further, I discovered that once a package manager is installed with corepack, it also needs to be activated. To ensure we’re using the correct installed version, we should activate it and then run commands using corepack #{name} #{command}.

Here are the details for the deployed and reverted changes for further reference: https://github.com/github/dependabot-updates/issues/7325
Dashboard link for metrics: Dependabot Ecosystem Metrics

[kbukum1]

Duplicate!

[kbukum1]

We want to install npm, and yarn versions as well. We removed the condition that only install for pnpm when version is guessed.

[kbukum1]

Fix Sorbet Issue:

Dependabot::Sorbet::Runtime::InformationalError
Parameter 'name': Expected type T.nilable(String), got type Hash with value {"npm"=>Dependabot::NpmAndY...pmAndYarn::PNPMPackageManager}
Caller: /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb:221
Definition: /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb:282 (Dependabot::NpmAndYarn::PackageManagerHelper#package_manager_by_name)

[kbukum1]

Fix Sorbet Issue:

Dependabot::Sorbet::Runtime::InformationalError
Parameter 'name': Expected type T.nilable(String), got type Hash with value {"npm"=>Dependabot::NpmAndY...pmAndYarn::PNPMPackageManager}
Caller: /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb:221
Definition: /home/dependabot/npm_and_yarn/lib/dependabot/npm_and_yarn/package_manager.rb:282 (Dependabot::NpmAndYarn::PackageManagerHelper#package_manager_by_name)

[kbukum1]

This else is going to be removed in clean-up process of enable_corepack_for_npm_and_yarn feature flag after all checks.

[broksonic21]

Flagging this ticket, which is blocking us on a number of our repositories today, and likely is related to this PR: #10982