Yarn Berry: Prevent sub-package dependencies being added to root workspace

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/yarn_lockfile_updater.rb

@@ -154,18 +154,27 @@ def yarn_berry?(yarn_lock)
         end
 
         def run_yarn_berry_top_level_updater(top_level_dependency_updates:, yarn_lock:)
-          updates = top_level_dependency_updates.collect do |dep|
-            # when there are multiple requirements, we're dealing with a
-            # workspace-like setup, where there are multiple package.json files
-            # that pull in the same dependency. It appears that these are always
-            # updated to a single new version, so we just pick the first one.
-            "#{dep[:name]}@#{dep[:requirements].first[:requirement]}"
-          end
-          command = "yarn add #{updates.join(' ')} --mode=update-lockfile"
+          # If the requirements have changed, it means we've updated the
+          # package.json file(s), and we can just run yarn install to get the
+          # lockfile in the right state. Otherwise we'll need to manually update
+          # the lockfile.
+          command = if top_level_dependency_updates.all? { |dep| requirements_changed?(dep[:name]) }
+                      "yarn install --mode=update-lockfile"
+                    else
+                      updates = top_level_dependency_updates.collect do |dep|
+                        dep[:requirements].map { |req| "#{dep[:name]}@#{req[:requirement]}" }.join(" ")
+                      end
+                      "yarn up #{updates.join(' ')} --mode=update-lockfile"
+                    end
           Helpers.run_yarn_commands(command)
           { yarn_lock.name => File.read(yarn_lock.name) }
         end
 
+        def requirements_changed?(dependency_name)
+          dep = top_level_dependencies.first { |d| d.name == dependency_name }
+          dep.requirements != dep.previous_requirements
+        end
+
         def run_yarn_berry_subdependency_updater(yarn_lock:)
           dep = sub_dependencies.first
           update = "#{dep.name}@#{dep.version}"

npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater_spec.rb

@@ -3004,6 +3004,32 @@
         end
       end
 
+      context "when updating only the lockfile" do
+        let(:files) { project_dependency_files("yarn_berry/lockfile_only_change") }
+
+        let(:dependency_name) { "babel-jest" }
+        let(:version) { "22.4.4" }
+        let(:previous_version) { "22.0.4" }
+        let(:requirements) do
+          [{
+            file: "package.json",
+            requirement: "^22.0.4",
+            groups: ["dependencies"],
+            source: nil
+          }]
+        end
+        let(:previous_requirements) { requirements }
+
+        it "has details of the updated item, but doesn't update everything" do
+          parsed_lockfile = YAML.safe_load(updated_yarn_lock.content)
+          # Updates the desired dependency
+          expect(parsed_lockfile["babel-jest@npm:^22.0.4"]["version"]).to eq("22.4.4")
+
+          # Doesn't update unrelated dependencies
+          expect(parsed_lockfile["eslint@npm:^4.14.0"]["version"]).to eq("4.14.0")
+        end
+      end
+
       context "with workspaces" do
         let(:files) { project_dependency_files("yarn_berry/workspaces") }
 
@@ -3096,6 +3122,12 @@
             expect(lockfile.content).to include("chalk@npm:0.4.0")
             expect(lockfile.content).to_not include("workspace-aggregator")
           end
+
+          it "does not add the dependency to the top-level workspace" do
+            lockfile = updated_files.find { |f| f.name == "yarn.lock" }
+            parsed_lockfile = YAML.safe_load(lockfile.content)
+            expect(parsed_lockfile.dig("bump-test@workspace:.", "dependencies").keys).not_to include("chalk")
+          end
         end
       end
 

npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json

@@ -0,0 +1,97 @@
+{
+  "name": "js-devbox",
+  "version": "5.1.0",
+  "description": "Some standard devDependencies we use",
+  "main": "lib/index.js",
+  "scripts": {
+    "build": "yarn run clean && yarn babel src/ -d lib/",
+    "clean": "rm -rf lib",
+    "flow": "flow",
+    "lint": "eslint src",
+    "precommit": "lint-staged && yarn test",
+    "prepack": "yarn build",
+    "prepare": "yarn build",
+    "prepublishOnly": "yarn test",
+    "preversion": "yarn test",
+    "test": "yarn lint && yarn run flow && yarn build && yarn test-only",
+    "test-only": "jest",
+    "contrib": "./scripts/contrib.sh",
+    "tidy-ci": "yarn contrib"
+  },
+  "bin": {
+    "github-changes": "./scripts/null-github-changes.sh",
+    "pushver": "./scripts/pushver.sh"
+  },
+  "engines": {
+    "node": ">=6.0.0",
+    "yarn": "^1.3.2"
+  },
+  "keywords": [
+    "KEYWORDS"
+  ],
+  "lint-staged": {
+    "src/**/*.{js,jsx}": [
+      "prettier --parser flow --write",
+      "git add"
+    ],
+    "**/*.{json,md}": [
+      "prettier --write",
+      "git add"
+    ]
+  },
+  "homepage": "https://github.com/holvonix-open/js-devbox#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/holvonix-open/js-devbox.git"
+  },
+  "author": "Holvonix LLC and the js-devbox AUTHORS <sourcecode@holvonix.com> (https://github.com/holvonix-open/js-devbox)",
+  "contributors": [
+    "See AUTHORS file",
+    "See CONTRIBUTORS file"
+  ],
+  "files": [
+    "lib/",
+    "scripts/null-github-changes.sh",
+    "CHANGELOG.md",
+    "package.json",
+    "LICENSE",
+    "AUTHORS",
+    "NOTICE",
+    "README.md",
+    "CONTRIBUTORS",
+    ".flowconfig",
+    ".babelrc",
+    ".eslintrc.json",
+    ".npmignore",
+    ".gitignore",
+    ".travis.yml",
+    "yarn.lock"
+  ],
+  "license": "Apache-2.0",
+  "dependencies": {
+    "babel-cli": "^6.26.0",
+    "babel-core": "6.26.0",
+    "babel-eslint": "^8.1.2",
+    "babel-jest": "^22.0.4",
+    "babel-preset-flow": "^6.23.0",
+    "eslint": "^4.14.0",
+    "eslint-config-airbnb-base": "^12.1.0",
+    "eslint-config-prettier": "^2.9.0",
+    "eslint-plugin-flowtype": "^2.40.0",
+    "eslint-plugin-import": "^2.8.0",
+    "eslint-plugin-jest": "^21.5.0",
+    "eslint-plugin-prettier": "^2.4.0",
+    "flow-bin": "^0.61.0",
+    "git-contributors": "^0.2.3",
+    "husky": "^0.14.3",
+    "jest-cli": "^22.0.4",
+    "lint-staged": "^6.0.0",
+    "prettier": "^1.9.1",
+    "semver": "^5.4.1"
+  },
+  "jest": {
+    "testEnvironment": "node",
+    "collectCoverage": true,
+    "coverageDirectory": "./coverage/"
+  }
+}