Fix yarn package updater #1045
Open
Fix yarn package updater #1045
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add comprehensive Yarn support (Classic v1 and Berry v2+)
- Detect Yarn version by lockfile header (__metadata: for Berry)
- Use correct commands per version:
- Yarn 1: yarn install --ignore-scripts --frozen-lockfile=false
- Yarn 2+: yarn install --mode update-lockfile
- Support resolutions section (Yarn-specific)
- Simplified env vars (CI=true only, flags handle the rest)
- Extract shared Node.js utilities to nodepackageupdaterutils.go
- UpdatePackageJsonDependency: JSON manipulation with sjson/gjson
- GetDescriptorsToFixFromVulnerability: Derive package.json from lockfiles
- UpdatePackageAndRegenerateLock: Orchestration with rollback
- Shared by npm, Yarn (and future pnpm)
- Refactor npm handler to use shared utilities
- Reduce code duplication
- Maintain all existing functionality
- All tests pass
- Delete old buggy yarnpackagehandler.go
- Had critical bug: checked global Yarn version instead of project version
- Replaced with lockfile-based detection
- Add comprehensive test coverage
- 383 lines of Yarn-specific tests
- Tests for version detection, JSON updates, resolutions, env isolation
- All npm tests updated and passing
Net: -282 lines deleted, +671 lines added (new functionality)
- Test GetPackageJsonPathsFromLockfilePaths: path derivation, file checks, edge cases - Test UpdatePackageInDescriptor: file updates, backup creation, error handling - Test RegenerateLockfile: success, rollback on failure, rollback failure handling - Test UpdatePackageAndRegenerateLock: full orchestration, git tracking logic Total: 366 lines, 12 test cases covering critical rollback logic
- Only GetDescriptorsToFixFromVulnerability and UpdatePackageAndRegenerateLock are exported (called by npm/Yarn) - All other functions are now internal (lowercase): getPackageJsonPathsFromLockfilePaths, updatePackageInDescriptor, regenerateLockfile, updatePackageJsonDependency, escapeJsonPathKey - Revert scanrepository_test.go import ordering to match upstream/v3_er - All tests passing
- Upgraded from v1.24.2 to v1.26.0 - Also upgraded related dependencies: - build-info-go - jfrog-cli-core/v2 - jfrog-cli-artifactory - jfrog-client-go - All tests passing
- Primary: Look for package.json in component locations (Yarn/newer scans) - Fallback: Look for lockfile and derive package.json path (npm/older scans) - Verify lockfile exists in same directory before accepting descriptor - Fixes 'no location evidence found' error for Yarn projects - All tests passing
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adds Yarn package handler with proper version detection and refactors Node.js utilities for code reuse across npm/Yarn/pnpm.