@eyalk007
Collaborator

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.
  • Update documentation about new features / new supported technologies

- Add comprehensive Yarn support (Classic v1 and Berry v2+)
  - Detect Yarn version by lockfile header (__metadata: for Berry)
  - Use correct commands per version:
    - Yarn 1: yarn install --ignore-scripts --frozen-lockfile=false
    - Yarn 2+: yarn install --mode update-lockfile
  - Support resolutions section (Yarn-specific)
  - Simplified env vars (CI=true only, flags handle the rest)

- Extract shared Node.js utilities to nodepackageupdaterutils.go
  - UpdatePackageJsonDependency: JSON manipulation with sjson/gjson
  - GetDescriptorsToFixFromVulnerability: Derive package.json from lockfiles
  - UpdatePackageAndRegenerateLock: Orchestration with rollback
  - Shared by npm, Yarn (and future pnpm)

- Refactor npm handler to use shared utilities
  - Reduce code duplication
  - Maintain all existing functionality
  - All tests pass

- Delete old buggy yarnpackagehandler.go
  - Had critical bug: checked global Yarn version instead of project version
  - Replaced with lockfile-based detection

- Add comprehensive test coverage
  - 383 lines of Yarn-specific tests
  - Tests for version detection, JSON updates, resolutions, env isolation
  - All npm tests updated and passing

Net: -282 lines deleted, +671 lines added (new functionality)
@eyalk007 eyalk007 added the improvement Automatically generated release notes label Jan 26, 2026
@eyalk007 eyalk007 self-assigned this Jan 26, 2026
@eyalk007 eyalk007 merged commit f792435 into jfrog:v3_er Jan 27, 2026
15 of 16 checks passed
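
The lockfile-based version detection and per-version install commands listed in the description can be sketched as follows. This is an added example, not the project's code: `YarnFlavor`, `DetectYarnFlavor` and `InstallArgs` are hypothetical names, and the sample lockfile text is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// YarnFlavor is a hypothetical type for this example, not the project's own.
type YarnFlavor int

const (
	YarnUnknown YarnFlavor = iota
	YarnClassic            // v1: "# yarn lockfile v1" comment header
	YarnBerry              // v2+: top-level "__metadata:" YAML key
)

// DetectYarnFlavor inspects the project's yarn.lock text, not the global yarn binary.
func DetectYarnFlavor(lock string) YarnFlavor {
	sc := bufio.NewScanner(strings.NewReader(lock))
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), " \r")
		switch {
		case line == "__metadata:":
			return YarnBerry
		case strings.HasPrefix(line, "# yarn lockfile v1"):
			return YarnClassic
		case line != "" && !strings.HasPrefix(line, "#"):
			return YarnUnknown // first real entry reached without a marker
		}
	}
	return YarnUnknown
}

// InstallArgs returns the per-version arguments quoted in the PR description.
func InstallArgs(f YarnFlavor) ([]string, error) {
	switch f {
	case YarnClassic:
		return []string{"install", "--ignore-scripts", "--frozen-lockfile=false"}, nil
	case YarnBerry:
		return []string{"install", "--mode", "update-lockfile"}, nil
	}
	return nil, fmt.Errorf("unrecognized yarn.lock header; refusing to guess")
}

func main() {
	berry := "# generated by yarn install\n\n__metadata:\n  version: 8\n" // constructed sample
	fmt.Println(InstallArgs(DetectYarnFlavor(berry)))
}
```

Returning an error for an unrecognized header keeps an automated fixer from running an install with flags chosen for the wrong Yarn generation.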