Yarn 1.x: Parse packages from yarn.lock #693
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
taylormadore
force-pushed
the
parse-yarn-lock
branch
from
047a31a to
0c6cd40
Compare
taylormadore
force-pushed
the
parse-yarn-lock
branch
from
1d5caee to
990ff46
Compare
eskultety
reviewed
Oct 24, 2024
| @@ -186,6 +187,22 @@ def _get_packages_from_lockfile(source_dir: RootedPath) -> list[YarnClassicPacka | |||
| return [_classify_pyarn_package(source_dir, package) for package in pyarn_packages] | |||
|
|
|||
|
|
|||
| def _get_main_package(source_dir: RootedPath) -> WorkspacePackage: | |||
| """Return a WorkspacePackage for the main package in package.json.""" | |||
| # TODO: Use yarn classic project files once available | |||
There was a problem hiding this comment.
I'm lacking context with this message, can you please elaborate for me?
There was a problem hiding this comment.
I pulled in the PackageJson class from the yarn module here. It should eventually be replaced by whatever the result of #705 is once merged
There was a problem hiding this comment.
Uhm, apparently github failed to include my response in this thread when submitting the review, so repeating:
I pulled in the PackageJson class from the yarn module here. It should eventually be replaced by whatever the result of #705 is once merged
Oh, but this means it's going to be super easy to forget to update this accordingly given there's already working logic. This creates a direct dependency on #705 then.
taylormadore
force-pushed
the
parse-yarn-lock
branch
from
990ff46 to
b3b350d
Compare
a-ovchinnikov
approved these changes
Oct 25, 2024
taylormadore
force-pushed
the
parse-yarn-lock
branch
3 times, most recently
from
740a843 to
5a83727
Compare
taylormadore
force-pushed
the
parse-yarn-lock
branch
from
5a83727 to
9bad602
Compare
brunoapimentel
approved these changes
Nov 12, 2024
taylormadore
force-pushed
the
parse-yarn-lock
branch
from
9bad602 to
96534da
Compare
|
nitpick: We should drop this unused piece of code: |
I think it would be better to start using it rather than dropping it 🤔 Added an additional commit for that 👍 |
slimreaper35
approved these changes
Nov 19, 2024
eskultety
approved these changes
Nov 19, 2024
Signed-off-by: Taylor Madore <[email protected]>
The workspace path globs in package.json are relative to the workspace root. Workspace paths need to be resolved relative to the workspace root (the request package path) rather than the request source dir to prevent workspaces in package subdirectories from being missed by the glob Signed-off-by: Taylor Madore <[email protected]>
Move responsibility for the prefetch and component resolution from fetch_yarn_sources to be more consistent with how other package managers are implemented Signed-off-by: Taylor Madore <[email protected]>
These correspond to the different package types that can be resolved in a Yarn 1.x yarn.lock file Signed-off-by: Taylor Madore <[email protected]>
Resolves containerbuildsystem#629 Use the pyarn library to parse yarn.lock and get the list of project dependencies. Next classify them into specific package types that can later be used to generate SBOM components with PURLs. Some of the logic used to classify the package types was inspired by or taken directly from the official yarn sources. Signed-off-by: Taylor Madore <[email protected]>
Signed-off-by: Taylor Madore <[email protected]>
Signed-off-by: Taylor Madore <[email protected]>
Verify the yarn project is not a PnP (Plug'n'play) install before resolving the project Signed-off-by: Taylor Madore <[email protected]>
eskultety
force-pushed
the
parse-yarn-lock
branch
from
6e30b72 to
a84af89
Compare
Merged
via the queue into
containerbuildsystem:main
with commit Nov 19, 2024
b9bca19
16 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR creates "Packages" for a Yarn 1.x project and all project dependencies. These "Packages" will later be resolved into SBOM Components in future PRs.
The yarn.lock file is the principal source for the fully resolved set of direct project dependencies and transitive dependencies (Yarn workspaces are an exception to this and must be parsed from package.json).
The pyarn library will be used to parse yarn.lock. There is a related PR in that repository that must be merged and released first. It adds handling for additional styles of path-based version specifiers.
Maintainers will complete the following section
Note: if the contribution is external (not from an organization member), the CI
pipeline will not run automatically. After verifying that the CI is safe to run:
/ok-to-test(as is the standard for Pipelines as Code)