dependabot · Copilot · Mar 4, 2026 · Mar 4, 2026 · Mar 5, 2026 · Mar 5, 2026
@@ -297,21 +297,13 @@ def self.run_yarn_commands(*commands)
       end
       def self.run_npm_command(command, fingerprint: command, env: nil)
         merged_env = merge_corepack_env(env)
-        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
-          package_manager_run_command(
-            NpmPackageManager::NAME,
-            command,
-            fingerprint: fingerprint,
-            output_observer: ->(output) { command_observer(output) },
-            env: merged_env
-          )
-        else
-          Dependabot::SharedHelpers.run_shell_command(
-            "npm #{command}",
-            fingerprint: "npm #{fingerprint}",
-            output_observer: ->(output) { command_observer(output) }
-          )
-        end
+        package_manager_run_command(
+          NpmPackageManager::NAME,
+          command,
+          fingerprint: fingerprint,
+          output_observer: ->(output) { command_observer(output) },
+          env: merged_env
+        )
       end
 
       sig do
@@ -369,27 +361,13 @@ def self.run_yarn_command(command, fingerprint: nil)
       # Run single pnpm command returning stdout/stderr
       sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
       def self.run_pnpm_command(command, fingerprint: nil)
-        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
-          package_manager_run_command(PNPMPackageManager::NAME, command, fingerprint: fingerprint)
-        else
-          Dependabot::SharedHelpers.run_shell_command(
-            "pnpm #{command}",
-            fingerprint: "pnpm #{fingerprint || command}"
-          )
-        end
+        package_manager_run_command(PNPMPackageManager::NAME, command, fingerprint: fingerprint)
       end
 
       # Run single yarn command returning stdout/stderr
       sig { params(command: String, fingerprint: T.nilable(String)).returns(String) }
       def self.run_single_yarn_command(command, fingerprint: nil)
-        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
-          package_manager_run_command(YarnPackageManager::NAME, command, fingerprint: fingerprint)
-        else
-          Dependabot::SharedHelpers.run_shell_command(
-            "yarn #{command}",
-            fingerprint: "yarn #{fingerprint || command}"
-          )
-        end
+        package_manager_run_command(YarnPackageManager::NAME, command, fingerprint: fingerprint)
       end
 
       # Activate the package manager for specified version by using corepack

@@ -216,9 +216,7 @@ def find_engine_constraints_as_requirement(name)
       end
 
       # rubocop:disable Metrics/CyclomaticComplexity
-      # rubocop:disable Metrics/AbcSize
       # rubocop:disable Metrics/PerceivedComplexity
-      # rubocop:disable Metrics/MethodLength
       sig { params(name: String).returns(T.nilable(T.any(Integer, String))) }
       def setup(name)
         # we prioritize version mentioned in "packageManager" instead of "engines"
@@ -252,36 +250,16 @@ def setup(name)
           )
         end
 
-        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
-          version ||= requested_version(name) || guessed_version(name)
+        version ||= requested_version(name) || guessed_version(name)
 
-          if version
-            raise_if_unsupported!(name, version.to_s)
-            install(name, version.to_s)
-          end
-        else
-          version ||= requested_version(name)
-
-          if version
-            raise_if_unsupported!(name, version.to_s)
-
-            install(name, version)
-          else
-            version = guessed_version(name)
-
-            if version
-              raise_if_unsupported!(name, version.to_s)
-
-              install(name, version.to_s) if name == PNPMPackageManager::NAME
-            end
-          end
+        if version
+          raise_if_unsupported!(name, version.to_s)
+          install(name, version.to_s)
         end
         version
       end
       # rubocop:enable Metrics/CyclomaticComplexity
-      # rubocop:enable Metrics/AbcSize
       # rubocop:enable Metrics/PerceivedComplexity
-      # rubocop:enable Metrics/MethodLength
 
       sig { params(name: String).returns(T.nilable(String)) }
       def detect_version(name)
@@ -384,26 +362,12 @@ def raise_if_unsupported!(name, version)
 
       sig { params(name: String, version: T.nilable(String)).void }
       def install(name, version)
-        if Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
-          env = {}
-          if Dependabot::Experiments.enabled?(:enable_private_registry_for_corepack)
-            env = @registry_helper.find_corepack_env_variables
-          end
-          # Use the Helpers.install method to install the package manager
-          return Helpers.install(name, version.to_s, env: env)
-        end
-
-        Dependabot.logger.info("Installing \"#{name}@#{version}\"")
-
-        begin
-          SharedHelpers.run_shell_command(
-            "corepack install #{name}@#{version} --global --cache-only",
-            fingerprint: "corepack install <name>@<version> --global --cache-only"
-          )
-        rescue SharedHelpers::HelperSubprocessFailed => e
-          Dependabot.logger.error("Error installing #{name}@#{version}: #{e.message}")
-          Helpers.fallback_to_local_version(name)
+        env = {}
+        if Dependabot::Experiments.enabled?(:enable_private_registry_for_corepack)
+          env = @registry_helper.find_corepack_env_variables
         end
+        # Use the Helpers.install method to install the package manager
+        Helpers.install(name, version.to_s, env: env)
       end
 
       sig { params(name: T.nilable(String)).returns(String) }

@@ -929,8 +929,6 @@ def run_npm8_checker(version:)
 
         sig { returns(T.nilable(T::Hash[String, String])) }
         def corepack_registry_override_env
-          return nil unless Dependabot::Experiments.enabled?(:enable_corepack_for_npm_and_yarn)
-
           replaces_base_cred = credentials.find { |cred| cred["type"] == "npm_registry" && cred.replaces_base? }
           registry_url = replaces_base_cred&.[]("registry")
           return nil unless registry_url

@@ -28,8 +28,7 @@
   end
 
   before do
-    allow(Dependabot::Experiments).to receive(:enabled?)
-      .with(:enable_corepack_for_npm_and_yarn).and_return(true)
+    allow(Dependabot::Experiments).to receive(:enabled?).and_call_original
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:enable_private_registry_for_corepack).and_return(true)
   end

@@ -44,8 +44,7 @@
   end
 
   before do
-    allow(Dependabot::Experiments).to receive(:enabled?)
-      .with(:enable_corepack_for_npm_and_yarn).and_return(true)
+    allow(Dependabot::Experiments).to receive(:enabled?).and_call_original
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:enable_private_registry_for_corepack).and_return(true)
   end

@@ -33,12 +33,8 @@
     )
   end
 
-  # Variable to control the enabling feature flag for the corepack fix
-  let(:enable_corepack_for_npm_and_yarn) { true }
-
   before do
-    allow(Dependabot::Experiments).to receive(:enabled?)
-      .with(:enable_corepack_for_npm_and_yarn).and_return(enable_corepack_for_npm_and_yarn)
+    allow(Dependabot::Experiments).to receive(:enabled?).and_call_original
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:enable_private_registry_for_corepack).and_return(true)
   end

@@ -62,13 +62,9 @@
 
   let(:tmp_path) { Dependabot::Utils::BUMP_TMP_DIR_PATH }
 
-  # Variable to control the enabling feature flag for the corepack fix
-  let(:enable_corepack_for_npm_and_yarn) { true }
-
   before do
     FileUtils.mkdir_p(tmp_path)
-    allow(Dependabot::Experiments).to receive(:enabled?)
-      .with(:enable_corepack_for_npm_and_yarn).and_return(enable_corepack_for_npm_and_yarn)
+    allow(Dependabot::Experiments).to receive(:enabled?).and_call_original
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:enable_private_registry_for_corepack).and_return(true)
     allow(Dependabot::Experiments).to receive(:enabled?)

@@ -67,13 +67,9 @@
 
   let(:repo_contents_path) { build_tmp_repo(project_name, path: "projects") }
 
-  # Variable to control the enabling feature flag for the corepack fix
-  let(:enable_corepack_for_npm_and_yarn) { true }
-
   before do
     FileUtils.mkdir_p(tmp_path)
-    allow(Dependabot::Experiments).to receive(:enabled?)
-      .with(:enable_corepack_for_npm_and_yarn).and_return(enable_corepack_for_npm_and_yarn)
+    allow(Dependabot::Experiments).to receive(:enabled?).and_call_original
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:enable_private_registry_for_corepack).and_return(true)
   end

@@ -60,13 +60,9 @@
 
   let(:tmp_path) { Dependabot::Utils::BUMP_TMP_DIR_PATH }
 
-  # Variable to control the enabling feature flag for the corepack fix
-  let(:enable_corepack_for_npm_and_yarn) { true }
-
   before do
     FileUtils.mkdir_p(tmp_path)
-    allow(Dependabot::Experiments).to receive(:enabled?)
-      .with(:enable_corepack_for_npm_and_yarn).and_return(enable_corepack_for_npm_and_yarn)
+    allow(Dependabot::Experiments).to receive(:enabled?).and_call_original
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:enable_private_registry_for_corepack).and_return(true)
     allow(Dependabot::Experiments).to receive(:enabled?)

@@ -59,13 +59,9 @@
     )
   end
 
-  # Variable to control the enabling feature flag for the corepack fix
-  let(:enable_corepack_for_npm_and_yarn) { true }
-
   before do
     FileUtils.mkdir_p(tmp_path)
-    allow(Dependabot::Experiments).to receive(:enabled?)
-      .with(:enable_corepack_for_npm_and_yarn).and_return(enable_corepack_for_npm_and_yarn)
+    allow(Dependabot::Experiments).to receive(:enabled?).and_call_original
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:enable_private_registry_for_corepack).and_return(true)
     allow(Dependabot::Experiments).to receive(:enabled?)

@@ -354,56 +354,24 @@
     let(:empty_lockfile) { Dependabot::DependencyFile.new(name: "package-lock.json", content: "") }
     let(:nil_lockfile) { nil }
 
-    context "when the feature flag :enable_corepack_for_npm_and_yarn is enabled" do
-      before do
-        allow(Dependabot::Experiments).to receive(:enabled?).with(:enable_corepack_for_npm_and_yarn).and_return(true)
-      end
-
-      it "returns true if lockfileVersion is 3 or higher" do
-        expect(described_class.parse_npm8?(lockfile_with_v3)).to be true
-      end
-
-      it "returns true if lockfileVersion is 2" do
-        expect(described_class.parse_npm8?(lockfile_with_v2)).to be true
-      end
-
-      it "returns true if lockfileVersion is 1" do
-        expect(described_class.parse_npm8?(lockfile_with_v1)).to be false
-      end
-
-      it "returns true if lockfile is empty" do
-        expect(described_class.parse_npm8?(empty_lockfile)).to be true
-      end
-
-      it "returns true if lockfile is nil" do
-        expect(described_class.parse_npm8?(nil_lockfile)).to be true
-      end
+    it "returns true if lockfileVersion is 3 or higher" do
+      expect(described_class.parse_npm8?(lockfile_with_v3)).to be true
     end
 
-    context "when the feature flag :enable_corepack_for_npm_and_yarn is disabled" do
-      before do
-        allow(Dependabot::Experiments).to receive(:enabled?).with(:enable_corepack_for_npm_and_yarn).and_return(false)
-      end
-
-      it "returns true if 3=< lockfileVersion" do
-        expect(described_class.parse_npm8?(lockfile_with_v3)).to be true
-      end
-
-      it "returns true if 2=< lockfileVersion <3" do
-        expect(described_class.parse_npm8?(lockfile_with_v2)).to be true
-      end
+    it "returns true if lockfileVersion is 2" do
+      expect(described_class.parse_npm8?(lockfile_with_v2)).to be true
+    end
 
-      it "returns false if 1=< lockfileVersion <2" do
-        expect(described_class.parse_npm8?(lockfile_with_v1)).to be false
-      end
+    it "returns true if lockfileVersion is 1" do
+      expect(described_class.parse_npm8?(lockfile_with_v1)).to be false
+    end
 
-      it "returns true if lockfile is empty" do
-        expect(described_class.parse_npm8?(empty_lockfile)).to be true
-      end
+    it "returns true if lockfile is empty" do
+      expect(described_class.parse_npm8?(empty_lockfile)).to be true
+    end
 
-      it "returns true if lockfile is nil" do
-        expect(described_class.parse_npm8?(nil_lockfile)).to be true
-      end
+    it "returns true if lockfile is nil" do
+      expect(described_class.parse_npm8?(nil_lockfile)).to be true
     end
   end
 
@@ -506,10 +474,9 @@
     before do
       described_class.dependency_files = dependency_files
       described_class.credentials = credentials
+      allow(Dependabot::Experiments).to receive(:enabled?).and_call_original
       allow(Dependabot::Experiments).to receive(:enabled?)
         .with(:enable_private_registry_for_corepack).and_return(true)
-      allow(Dependabot::Experiments).to receive(:enabled?)
-        .with(:enable_corepack_for_npm_and_yarn).and_return(true)
     end
 
     after do

@@ -32,12 +32,8 @@
   end
   let(:ignored_versions) { [] }
 
-  # Variable to control the enabling feature flag for the corepack fix
-  let(:enable_corepack_for_npm_and_yarn) { true }
-
   before do
-    allow(Dependabot::Experiments).to receive(:enabled?)
-      .with(:enable_corepack_for_npm_and_yarn).and_return(enable_corepack_for_npm_and_yarn)
+    allow(Dependabot::Experiments).to receive(:enabled?).and_call_original
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:enable_private_registry_for_corepack).and_return(true)
   end

@@ -62,9 +62,6 @@
     fixture("npm_responses", "opentelemetry-context-async-hooks.json")
   end
 
-  # Variable to control the enabling feature flag for the corepack fix
-  let(:enable_corepack_for_npm_and_yarn) { true }
-
   before do
     stub_request(:get, react_dom_registry_listing_url)
       .to_return(status: 200, body: react_dom_registry_response)
@@ -78,8 +75,7 @@
       .to_return(status: 200, body: opentelemetry_api_registry_response)
     stub_request(:get, opentelemetry_context_async_hooks_registry_listing_url)
       .to_return(status: 200, body: opentelemetry_context_async_hooks_registry_response)
-    allow(Dependabot::Experiments).to receive(:enabled?)
-      .with(:enable_corepack_for_npm_and_yarn).and_return(enable_corepack_for_npm_and_yarn)
+    allow(Dependabot::Experiments).to receive(:enabled?).and_call_original
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:enable_private_registry_for_corepack).and_return(true)
   end
@@ -2301,7 +2297,6 @@
         }]
       )
     end
-    let(:enable_corepack_for_npm_and_yarn) { true }
 
     before do
       allow(Dependabot::SharedHelpers).to receive(:run_shell_command).and_return("npm install successful")

@@ -58,16 +58,12 @@
   let(:registry_listing_url) { "#{registry_base}/#{escaped_dependency_name}" }
   let(:registry_base) { "https://registry.npmjs.org" }
 
-  # Variable to control the enabling feature flag for the corepack fix
-  let(:enable_corepack_for_npm_and_yarn) { true }
-
   before do
     stub_request(:get, registry_listing_url)
       .to_return(status: 200, body: registry_response)
     stub_request(:head, "#{registry_base}/#{dependency_name}/-/#{unscoped_dependency_name}-#{target_version}.tgz")
       .to_return(status: 200)
-    allow(Dependabot::Experiments).to receive(:enabled?)
-      .with(:enable_corepack_for_npm_and_yarn).and_return(enable_corepack_for_npm_and_yarn)
+    allow(Dependabot::Experiments).to receive(:enabled?).and_call_original
     allow(Dependabot::Experiments).to receive(:enabled?)
       .with(:enable_private_registry_for_corepack).and_return(true)
   end