
Conversation

Contributor

Copilot AI commented Dec 9, 2025

What are you trying to accomplish?

npm supports path dependencies pointing to individual files (e.g., "foo": "file:./lib/foo.js"), but Dependabot's file fetcher treats all non-tarball paths as directories. This causes it to attempt fetching ./lib/foo.js/package.json, throwing DependencyFileNotFound and blocking all dependency updates for affected projects.

Anything you want to highlight for special attention from reviewers?

Implementation approach:

  • Detect file-based paths via regex matching common JS/TS extensions (.js, .mjs, .cjs, .ts, .tsx, .jsx, .json)
  • Skip fetching when detected—Dependabot doesn't need source files for dependency analysis
  • Alternative considered: fetch the file then check if it's a directory, but this adds unnecessary I/O and complexity

Key code change in file_fetcher.rb:

# Skip path dependencies that point to individual files (not packages)
if path.match?(/\.(js|mjs|cjs|ts|tsx|jsx|json)$/i)
  Dependabot.logger.info("Skipping file-based path dependency '#{name}' at '#{path}'")
  next
end

How will you know you've accomplished your goal?

  • Added 7 test cases covering all supported file extensions
  • Existing path dependency tests for directories and tarballs continue to pass
  • Test fixture demonstrates the fix: npm8/path_dependency_file with "foo": "file:./lib/foo.js" no longer attempts to fetch a non-existent package.json

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
Original prompt

This section details the original issue you should resolve

<issue_title>Path-based dependencies fail if they point to a file</issue_title>
<issue_description>### Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

npm 9.6.7

Language version

Node.js 18.17.0

Manifest location and content before the Dependabot update

package.json

{
  "devDependencies": {
    "foo": "file:./lib/foo.js"
  }
}

dependabot.yml content

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"

Updated dependency

No response

What you expected to see, versus what you actually saw

  • Given a valid file at ./lib/foo.js, the path-based dependency should be resolved just as npm resolves it locally.
  • However, Dependabot will fail to resolve it, and this will block updates of all other packages
  • Only if the dependency is located in its own directory (./lib/foo/index.js) with a corresponding package.json, and called as file:./lib/foo, will Dependabot resolve it properly

Native package manager behavior

npm resolves file:./lib/foo.js as expected and without errors or warnings

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response</issue_description>

Comments on the Issue (you are @copilot in this section)


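The PR description above proposes classifying a path dependency by its extension and skipping single source files instead of requesting `<path>/package.json` underneath them. The following is an added example, not Dependabot's own file_fetcher.rb code: it reproduces that decision for a whole manifest so the three cases (tarball, directory, single file) can be seen side by side, and adds one check the PR does not discuss, that the resolved path stays inside the manifest's directory. `PathDepClassifier`, `fetch_target`, `within_root?` and the sample manifest are hypothetical names and constructed input.

```ruby
# Added example (not Dependabot's code): classify npm "file:" path dependencies
# the way the PR description proposes and decide what a fetcher would read.
# All module, method and constant names here are hypothetical.
require "pathname"

module PathDepClassifier
  TARBALL_RE = /\.(tgz|tar\.gz|tar)\z/i
  # Extensions the PR treats as "a single source file, not a package".
  SOURCE_FILE_RE = /\.(js|mjs|cjs|ts|tsx|jsx|json)\z/i

  # Strip the "file:" prefix; return nil for registry (non-local) specs.
  def self.local_path(spec)
    return nil unless spec.is_a?(String)
    if spec.start_with?("file:")
      spec.sub(/\Afile:/, "")
    elsif spec.start_with?("./", "../", "/")
      spec
    end
  end

  # One of :registry, :tarball, :file, :directory. Extension-only, as in
  # the PR: a directory literally named "foo.js" would be misclassified.
  def self.kind(spec)
    path = local_path(spec)
    return :registry if path.nil?
    return :tarball if path.match?(TARBALL_RE)
    return :file if path.match?(SOURCE_FILE_RE)
    :directory
  end

  # Path, relative to the manifest's directory, that a fetcher would request.
  # nil means "nothing to fetch": registry deps and single source files.
  def self.fetch_target(spec)
    case kind(spec)
    when :tarball then local_path(spec)
    when :directory then File.join(local_path(spec), "package.json")
    end
  end

  # Assumed safety check, not part of the PR: after normalising "." and "..",
  # a local path must not escape the directory that holds the manifest.
  def self.within_root?(spec, root = "/repo")
    path = local_path(spec)
    return true if path.nil?
    resolved = Pathname.new(root).join(path).cleanpath.to_s
    resolved == root || resolved.start_with?(root + "/")
  end

  # Walk a parsed package.json; return [targets to fetch, skipped file deps].
  def self.plan(manifest)
    targets = []
    skipped = []
    %w[dependencies devDependencies optionalDependencies].each do |section|
      (manifest[section] || {}).each do |name, spec|
        target = fetch_target(spec)
        if target.nil?
          skipped << name if kind(spec) == :file
        else
          targets << target
        end
      end
    end
    [targets, skipped]
  end
end

# Constructed manifest: the issue's reproduction plus a directory, a tarball
# and a registry dependency for contrast.
SAMPLE_MANIFEST = {
  "devDependencies" => {
    "foo" => "file:./lib/foo.js",
    "bar" => "file:./lib/bar",
    "baz" => "file:./vendor/baz-1.0.0.tgz",
    "lodash" => "^4.17.21"
  }
}

if __FILE__ == $PROGRAM_NAME
  targets, skipped = PathDepClassifier.plan(SAMPLE_MANIFEST)
  puts "fetch:   #{targets.inspect}"
  puts "skipped: #{skipped.inspect}"
end
```

Run it directly and `foo` lands in the skipped list while `bar` resolves to `./lib/bar/package.json` and the tarball is fetched as-is. The limitation the PR itself mentions under "Alternative considered" is visible in `kind`: the decision is made from the extension alone, so it never touches the repository and cannot distinguish a directory named `foo.js` from a file; a fetcher that must be exact has to look at the object type instead.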

Copilot AI changed the title from "[WIP] Fix path-based dependencies resolution issue in npm" to "Fix path-based dependencies that point to individual files" on Dec 9, 2025
Copilot AI requested a review from AbhishekBhaskar on December 9, 2025 19:46
@AbhishekBhaskar force-pushed the copilot/fix-path-based-dependencies branch from b3287dd to 2f62d2b on December 10, 2025 18:34
@AbhishekBhaskar
Contributor

Closing as issue is not reproducible.

@AbhishekBhaskar AbhishekBhaskar deleted the copilot/fix-path-based-dependencies branch December 11, 2025 06:55

Development

Successfully merging this pull request may close these issues.

Path-based dependencies fail if they point to a file

2 participants