Copilot AI commented Dec 11, 2025

What are you trying to accomplish?

npm8's npm update <dependency> command won't update a subdependency if the current version already satisfies the parent's semver range, even when a newer in-range version exists. For example, updating follow-redirects from 1.15.2 to 1.15.6 when axios specifies ^1.15.0 fails despite both versions being valid.

This blocks security updates for subdependencies when the vulnerability is patched within the existing semver range.

Anything you want to highlight for special attention from reviewers?

Approach: Implemented npm8 subdependency updater following the existing npm6 pattern:

  1. Remove subdependency entries from package-lock.json packages object
  2. Run npm install --package-lock-only to regenerate with latest compatible version

Key implementation details:

  • removeDependenciesFromLockfile() removes package entries but preserves dependency references in parent packages (npm resolves these during regeneration)
  • Uses detect-indent for formatting consistency with npm6 helper
  • Error handling restores original lockfile on npm install failure
  • Proper Sorbet type casting in Ruby integration

Changes:

  • New: npm_and_yarn/helpers/lib/npm8/subdependency-updater.js - Core lockfile manipulation and regeneration logic
  • Modified: SubdependencyVersionResolver#run_npm_updater - Calls new helper via SharedHelpers.run_helper_subprocess
  • Modified: NpmLockfileUpdater#run_npm8_subdependency_updater - Calls new helper instead of command-line npm update

How will you know you've accomplished your goal?

Unit tests verify lockfile manipulation correctly removes subdependencies while preserving parent references. Integration tests with axios/follow-redirects fixture demonstrate the fix resolves the reported scenario.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.
Original prompt

This section details the original issue you should resolve

<issue_title>Dependabot unable to generate package-lock with subdependency even with existing dependency range allows it</issue_title>
<issue_description>

Package ecosystem

npm

Package manager version

npm 8

Language version

node 17.3

Manifest location and content prior to update

/package-lock.json: https://github.com/HealthScreening/HealthScreeningBot/blob/35a156e093798083409723908a62c8dbde485bb7/package-lock.json
dependabot.yml content
https://github.com/HealthScreening/HealthScreeningBot/blob/35a156e093798083409723908a62c8dbde485bb7/.github/dependabot.yml

Updated dependency

axios --> follow-redirects

What you expected to see, versus what you actually saw

Follow-redirects has a vulnerability, so it should get updated to the latest version. However, dependabot security is unable to make the upgrade because it is required by a subdependency, axios. Axios has the dependency at ^1.14.4, and I am trying to upgrade to 1.14.7, so it is in-range.

Native package manager behavior

It correctly overwrites the subdependency.

Images of the diff or a link to the PR, issue or logs

🕹 Bonus points: Smallest manifest that reproduces the issue

</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI changed the title from "[WIP] Fix Dependabot unable to generate package-lock with subdependency" to "Fix npm8 subdependency updates when version is in-range" on Dec 11, 2025
Copilot AI and others added 6 commits December 11, 2025 12:29
- Updated axios from 1.0.0/1.6.0 to 1.7.4 (patched version)
- Updated follow-redirects dependency range to ^1.15.6
- All test fixtures now use versions without known vulnerabilities

Co-authored-by: AbhishekBhaskar <[email protected]>
@AbhishekBhaskar AbhishekBhaskar force-pushed the copilot/fix-dependabot-package-lock branch from 38760b5 to 74c2cfe Compare December 11, 2025 18:29


Development

Successfully merging this pull request may close these issues.

Dependabot unable to generate package-lock with subdependency even with existing dependency range allows it
