NPM: fix npmrc generation for v3 package-locks

npm_and_yarn/lib/dependabot/npm_and_yarn/file_updater/npmrc_builder.rb

@@ -81,7 +81,9 @@ def global_registry # rubocop:disable Metrics/PerceivedComplexity
               next false if CENTRAL_REGISTRIES.include?(cred["registry"])
 
               # If all the URLs include this registry, it's global
-              next true if dependency_urls.all? { |url| url.include?(cred["registry"]) }
+              next true if dependency_urls.size.positive? && dependency_urls.all? do |url|
+                             url.include?(cred["registry"])
+                           end
 
               # Check if this registry has already been defined in .npmrc as a scoped registry
               next false if npmrc_scoped_registries.any? { |sr| sr.include?(cred["registry"]) }
@@ -133,8 +135,8 @@ def dependency_urls
           @dependency_urls = []
           if package_lock
             @dependency_urls +=
-              parsed_package_lock.fetch("dependencies", {}).
-              filter_map { |_, details| details["resolved"] }.
+              package_lock.content.scan(/"resolved"\s*:\s*"(.*)"/).
+              flatten.
               select { |url| url.is_a?(String) }.
               reject { |url| url.start_with?("git") }
           end
@@ -267,7 +269,7 @@ def registry_scopes(registry)
 
           scopes = affected_urls.map do |url|
             url.split(/\%40|@/)[1]&.split(%r{\%2[fF]|/})&.first
-          end
+          end.uniq
 
           # Registry used for unscoped packages
           return if scopes.include?(nil)

npm_and_yarn/spec/dependabot/npm_and_yarn/file_updater/npmrc_builder_spec.rb

@@ -852,6 +852,30 @@
         end
       end
 
+      context "v3 - when no packages resolve to the private registry" do
+        let(:dependency_files) do
+          project_dependency_files("npm9/simple")
+        end
+
+        it "adds only the token auth details" do
+          expect(npmrc_content).to eql("//npm.pkg.github.com/:_authToken=my_token")
+        end
+      end
+
+      context "v3 - when a public package of a different scope appears with an npmrc" do
+        let(:dependency_files) do
+          project_dependency_files("npm9/private-public")
+        end
+
+        it "adds only the token auth details" do
+          expect(npmrc_content).to eql(<<~NPMRC.chomp)
+            @dependabot:registry=https://npm.pkg.github.com
+
+            //npm.pkg.github.com/:_authToken=my_token
+          NPMRC
+        end
+      end
+
       context "when there are only packages that resolve to the private registry" do
         let(:dependency_files) do
           project_dependency_files("npm8/private_registry_ghpr_only")

npm_and_yarn/spec/fixtures/projects/npm9/private-public/.npmrc

@@ -0,0 +1 @@
+@dependabot:registry=https://npm.pkg.github.com

npm_and_yarn/spec/fixtures/projects/npm9/private-public/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "npm-public-private",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "@sentry/react": "7.37.1"
+  }
+}

npm_and_yarn/spec/fixtures/projects/npm9/simple/package.json

@@ -0,0 +1,26 @@
+{
+    "name": "{{ name }}",
+    "version": "1.0.0",
+    "description": "",
+    "main": "index.js",
+    "scripts": {
+        "test": "echo \"Error: no\\ test\\ specified\" && exit 1",
+        "prettify": "prettier --write \"{{packages/*/src,examples,cypress,scripts}/**/,}*.{js,jsx,ts,tsx,css,md}\""
+    },
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/waltfy/PROTO_TEST.git"
+    },
+    "author": "",
+    "license": "ISC",
+    "bugs": {
+        "url": "https://github.com/waltfy/PROTO_TEST/issues"
+    },
+    "homepage": "https://github.com/waltfy/PROTO_TEST#readme",
+    "dependencies": {
+      "fetch-factory": "^0.0.1"
+    },
+    "devDependencies": {
+      "etag" : "^1.0.0"
+    }
+}