[ANE-2235] Fix PNPM v9 lockfile parsing issues with package names/versions #1531
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ryanlink
force-pushed
the
pnpm-9-lockfile-fix
branch
from
ccc9f49 to
e8d9005
Compare
…ce unsafe head, fix formatting
…ndefined with invalidDependency
ryanlink
force-pushed
the
pnpm-9-lockfile-fix
branch
from
9ae886c to
67fd875
Compare
… for both real-world pnpm repo and test dependencies lockfiles
… unused imports, fix name shadowing warnings, update v6 lockfile test to expect correct dependencies, fixed formatting
ryanlink
force-pushed
the
pnpm-9-lockfile-fix
branch
from
67975e7 to
6202d62
Compare
…s (383 total, 43 direct, 340 assocs)
…key handling, version cleanup, error handling, and docs; unify graph logic; polish v9 support
…rld lockfile structure and parser behavior. Mark non-representative tests as pending.
ryanlink
force-pushed
the
pnpm-9-lockfile-fix
branch
from
9c5d12f to
ffbfa47
Compare
…nit, last) in PnpmLock.hs. Use safe alternatives (listToMaybe, take, drop) for all list indexing and manipulation. Also, replace run . evalGrapher with runIdentity . evalGrapher for legacy pnpm lockfile parsing. Code is now hlint clean and fourmolu formatted.
ryanlink
force-pushed
the
pnpm-9-lockfile-fix
branch
from
82c517e to
965c4c5
Compare
…ts, and shadowed/unused bindings in PnpmLock.hs; fix guard syntax; ensure fourmolu and hlint clean.
…(resolveDependencySnapshots, getPkgNameVersionForV9Snapshots, shouldApplySymConstraint). Fixes build errors from previous cleanup.
csasarak
requested changes
May 15, 2025
There was a problem hiding this comment.
I've left some comments. In general:
- You spent a lot of time understanding the lockfile format, we don't want to lose that information so I need you to add commentary relating the code to the parts of the file. This is especially critical since as far as I know there isn't a spec for PNPM lock files. We don't want to throw away understanding.
- This PR seems to remove a lot of commentary on the pnpm lock format without any replacement. Please go through and explain why it was removed or bring them back to the relevant spots. A previous dev spent a lot of time understanding and writing that stuff so future devs wouldn't have to - throwing it away is unacceptable.
- I'd strongly recommend writing a half-page to a page of prose describing the format you're trying to match and what makes it different from previous versions of pnpm. I think it might clarify a lot of this or you may identify areas where pre-existing code would be able to do the job.
- When I was looking into this issue, it seemed like it would likely be simple to implement but the hard part of the job would be understanding what the right solution is. Based on this PR, I still have no idea what the right solution is and we need to prove that we do understand it.
- With the commentary that does exist in this PR, a lot of it I'm not clear on how it's supposed to help me. In particular, I wouldn't reference previous versions of the code in commentary unless it's to describe how the current implementation might be surprising. Also, don't compare things to
mastersince ideally this PR will someday be onmaster!
Please don't try to submit code changes to this PR in response to my review. Let's go through all the comments and discuss next steps for each of them together with @zlav and myself.
Changelog.md
Outdated
| @@ -1,5 +1,9 @@ | |||
| # FOSSA CLI Changelog | |||
|
|
|||
| ## Unreleased | |||
There was a problem hiding this comment.
This warrants a release. Make it 3.10.9.
| <img width="796" alt="image" src="https://github.com/user-attachments/assets/d1461506-d3e7-42da-b9be-2b53a87f79f1" /> | ||
|
|
||
| Please [email](mailto:[email protected]) FOSSA support if you are affected by this limitation. | ||
| As of [PR #1531](https://github.com/fossas/fossa-cli/pull/1531), pnpm v9 and v10 and their associated v9 lockfiles are supported by FOSSA CLI. If you encounter any issues, please [email](mailto:[email protected]) FOSSA support. |
There was a problem hiding this comment.
I think we typically recommend support.fossa.com. Is there a reason to use the email here?
I would say "as of version" rather than "as of PR." PR isn't going to mean anything to some of our customers.
Also, I would just focus on the lockfile versions we support. If pnpm 10 uses lockfile v9 then the pnpm 10 detail isn't really relevant IMO. It will also come to imply in the future that we don't support pnpm > 11 which may not be true if they also use pnpm v9.
spectrometer.cabal
Outdated
| @@ -736,6 +738,7 @@ test-suite unit-tests | |||
| , hspec-hedgehog ^>=0.1 | |||
| , hspec-megaparsec ^>=2.2 | |||
| , HUnit ^>=1.6.0 | |||
| , QuickCheck ^>=2.15.0.1 | |||
There was a problem hiding this comment.
We use hedgehog for property based testing in this repo, not QuickCheck. Please alter this PR to use QuickCheck or justify why we should use both systems.
There was a problem hiding this comment.
I must have tried this transiently in PnpmLockSpec.hs, but it's no longer being used. Removing
| @@ -194,7 +215,7 @@ instance FromJSON ProjectMapDepMetadata where | |||
|
|
|||
| data PackageData = PackageData | |||
| { isDev :: Bool | |||
| , name :: Maybe Text -- only provided when non-registry resolver is used | |||
| , name :: Maybe Text | |||
There was a problem hiding this comment.
Can you explain why this comment is no longer relevant? No need to include it in code, an explanation here is fine.
There was a problem hiding this comment.
Not sure why that was removed, can reinstate.
A more accurate, albeit slightly less concise, comment might be:
-- | The canonical package name. More consistently present for non-registry resolved dependencies (git, file), but can appear for registry ones too.
Or, if we want to keep it very brief:
-- | Optional: The canonical package name, especially for non-registry packages.
src/Strategy/Node/Pnpm/PnpmLock.hs
Outdated
| let finalIsDev = maybe isCtxDev isDev maybePkgData | ||
| pure $ createDepSimple NodeJSType canonicalDepName (Just versionFromSnapKey) finalIsDev | ||
|
|
||
| -- Define processImporterEntries here, after resolveSnapshotDependency |
src/Strategy/Node/Pnpm/PnpmLock.hs
Outdated
| pure $ createDepSimple NodeJSType canonicalDepName (Just versionFromSnapKey) finalIsDev | ||
|
|
||
| -- Define processImporterEntries here, after resolveSnapshotDependency | ||
| let processImporterEntries entries isDepDevFlag = |
There was a problem hiding this comment.
Above here you explicitly write a type for a function but here you do not. In general we do like to add explicit types even for local definitions. At the very least, try to make code close together consistent.
Hint: If you wrote processImporterEntries :: _ on its own line above the function head the language server should help you.
There was a problem hiding this comment.
Adding type signature
src/Strategy/Node/Pnpm/PnpmLock.hs
Outdated
| -- Define processImporterEntries here, after resolveSnapshotDependency | ||
| let processImporterEntries entries isDepDevFlag = | ||
| for_ entries $ \(canonicalName, ProjectMapDepMetadata{depVersion = resolvedRefStr}) -> do | ||
| if "catalog:" `Text.isPrefixOf` resolvedRefStr |
There was a problem hiding this comment.
I would strongly recommend using parser combinators from MegaParsec throughout here. It's much easier to read and keep track of. At minimum, some more commentary clarifying which branches match to which patterns in the lockfile format would be really helpful.
As it is, this code is complex enough that there's a strong likelihood a reviewer (me) will miss something without the additional information.
This may be a "me" thing, but when I start seeing lots of nesting like this it's usually a strong indication that there's something wrong with the way I've chosen to organize the code.
There was a problem hiding this comment.
refactored this whole section
src/Strategy/Node/Pnpm/PnpmLock.hs
Outdated
| withoutSymConstraint = fst . Text.breakOn "_" | ||
| removePrefixes v | ||
| | "@" `Text.isInfixOf` v && Text.count "@" v > 1 = | ||
| let parts = Text.splitOn "@" v |
There was a problem hiding this comment.
Couldn't you just splitOn and pattern match to know if its infix or there are more than 1 "@"?
| checkGraphLegacy pnpmLockV6WithWorkspace pnpmLockV6WithWorkspaceGraphSpec | ||
| checkGraphLegacy pnpmLockV6 pnpmLockV6GraphSpec | ||
|
|
||
| -- v9 format - START V9 CHANGES |
There was a problem hiding this comment.
Suggested change
| -- v9 format - START V9 CHANGES | |
| -- v9 format |
|
@csasarak Thanks for the thorough review. I'm actually revamping the parser again as I realized the few unresolved deps I mentioned led me to a bunch of deps we didn't parse from the lockfile; there are many package names in the lockfile containing the string I definitely didn't intend to remove commentary. That appears to be a consequence of vibe-coding without a specific instruction to retain it, which is unfortunate. I'll restore as much as I can and add comments where needed on new logic. I'm going to address your comments individually and propose changes in-comment before making any changes to the code, but I will likely push a new commit by tomorrow that will address the missing dependencies. cc @zlav hope that's OK! |
|
I suspect that this PR is more complicated than it needs to be - in particular AIs seem to like reinventing rather than integrating with what already exists. I'd like to strongly reiterate my suggestion to write a short prose document explaining what's wrong with the current parser (outside this PR) and what the new one needs to do. The reason I recommend waiting on adding new code is because I'm not confident that this PR will be incrementally improvable to get to a solution we'll accept. |
|
Agreed. I'll re-approach it with more attention to using pre-existing code, retaining commentary, and adding only appropriate comments. I don't know why I didn't think of this before, but I can reverse-engineer https://github.com/pnpm/pnpm/blob/main/lockfile/fs/src/lockfileFormatConverters.ts and https://github.com/pnpm/pnpm/blob/main/lockfile/fs/src/write.ts to make this code a lot cleaner. Here's a prose-and-bullets doc explaining what we know about changes to the v9 lockfile format from v6. @csasarak I respect your request not to make edits without individually reviewing them with you and @zlav, but I believe that, given your helpful and specific comments, I can do a much better job on this before submitting for review again. Do you mind if I take what you've written and run with it, with the goal of retaining as much pre-existing code and commentary as possible? |
I would be careful with this, as a direct translation won't always result in code that's a good use of the target language. It's not a bad approach to understanding the problem though. Cards on the table: a lot of my comments and initial thoughts are aimed at finding out what your level of understanding is about the changes you're doing here and how PNPM lockfile v9 works. This isn't meant to be condescending: a huge amount of the work any SE does is understanding problems even if it ultimately gets distilled down into code. Some of this may just be my bias, but one concern I have with LLMs is that it seems easy to get something that appears right behaviorally, but skip over the parts of the process that actually demonstrate that the solution is the correct one in a logical sense. That last bit can seem extraneous, but it's critical when we have to fix a bug or make enhancements later. When I took my first stab at this a while back and then decided to write it up as a ticket for later, it wasn't because I was expecting to have to write a ton of code and that's time consuming. It's because I knew that it would take me time to learn enough that I could be comfortable releasing what I'd written and calling it PNPM v9 support.
My goal here was to make sure you understood each comment and got some guidance on how to address each one so you don't waste your time. I want to stress that this is just the first round of review: addressing what I've written here (either by doing it or by explaining why you won't) is necessary but not sufficient to get this merged. If you think that you have what you need to move forward and that's the most effective way to proceed then that's fine - I didn't mean to lay down a hard injunction.
Retaining the old code/commentary isn't necessarily the goal. Feel free to change it if it makes sense - the real goal should be for these new changes to be as understandable as the old version. If you need something more from me or I can offer more support, please let me know! |
…arious helper functions, renamed graph building functions: main dispatcher is now 'dispatchPnpmGraphBuilder', legacy logic is 'buildGraph'; added/reinstated commentary, removed unused QuickCheck dependency. TODO: resolve test build errors under fused-effects
…t key parsing, full recursive snapshot walk, and correct transitive dependency resolution. Cleans up imports, unifies traversal logic, adds warnings for missing keys, and ensures output matches expected dependency counts. Passes hlint and fourmolu.
…pliance; refactored getGraphIO in test/Pnpm/PnpmLockSpec.hs to use expectationFailure instead of error, improving test safety and hlint compliance; ensured all formatting and linting checks pass for both test and lockfile modules; staged src/Strategy/Node/Pnpm/PnpmLock.hs as part of the relevant PNPM lockfile/test improvements.
…notation, update comments, and remove outdated TODOs. Restore v3 deprecation note. No functional changes.
CI Feedback 🧐(Feedback updated until commit 83e2774)A test triggered by this PR failed. Here is an AI-generated analysis of the failure:
|
…legacy helpers for clarity, update comments, and ensure all formatting/linting/tests pass. No functional changes.
ryanlink
force-pushed
the
pnpm-9-lockfile-fix
branch
3 times, most recently
from
484f47f to
4857360
Compare
…actor legacy logic; ensure correct name/version assignment
ryanlink
force-pushed
the
pnpm-9-lockfile-fix
branch
from
4857360 to
83e2774
Compare
…linking Improves pnpm lockfile parsing to support v9+ formats, which introduce a 'snapshots' section for the dependency graph. This change adds logic to correctly resolve local workspace packages referenced via 'link:', normalizing paths to ensure consistent lookups in the 'packages' and 'snapshots' maps. Extensive diagnostic logging has been included to aid in debugging complex resolution scenarios. The legacy v5/v6 parsing logic has been preserved and now operates alongside the new v9+ parser, dispatched based on the 'lockFileVersion'.
…riants, alias/@@ handling, npm: prefix stripping, better logging. Highlights:\n• generateCandidateSnapshotKeysV9: expand normalization rules (npm:, @@ alias, peer suffix combinations).\n• lookupSnapshotV9 warns on missing snapshot but no longer fails.\n• No behavioural changes for pre-v9 lockfiles.\n• Keeps synthetic workspace root logic intact.
…ck & mixed dep tests Changes:\n• PnpmLockSpec.hs: added buildGraphFrom helper.\n• Added inline v9 fixture with link dependency and registry dep to validate UserType fallback and direct promotion.\n• Subset assertions switched to shouldSatisfy.\nAll unit tests green (1200 examples, 0 failures).
Changes:\n• PnpmLockSpec.hs: repl. head/last split with Text.breakOnEnd and safe fallback, clearing -Wpartial.\n• Fourmolu + hlint run; no production code touched.\nAll unit tests pass (1202 examples).
…shotKey; update spec comment
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR fixes issues with PNPM v9 lockfile parsing, specifically addressing problems with incorrect package name and version handling.
Acceptance criteria
When analyzing a project with a PNPM v9 lockfile:
npm+package-name$version[email protected]Dependencies with special formats should be correctly handled:
@pnpm/[email protected]) should appear asnpm+hosted-git-info$1.0.0[email protected]) should appear asnpm+safe-execa$0.1.2Link references should be properly processed:
link:../cli-meta) should not result in malformed locatorsThe FOSSA CLI should successfully build and run all PNPM-related unit tests
When analyzing the PNPM repository itself (or any large project using PNPM v9), all dependencies should be properly resolved with correctly formatted locators
Testing plan
Tested with a real PNPM v9 lockfile from the PNPM repository itself, which demonstrated correct dependency resolution with properly formatted FOSSA locators. Also tested against a v9 lockfile @vishal-thenge provided from a prospect.
Risks
Observation
While testing the new PNPM-v9 lock-file parser I ran FOSSA analysis on the full
pnpmrepo.Analysis succeeded, but the CLI emitted warnings such as:
Similar warnings appear for
@pnpm/config,@pnpm/logger, and other internal workspace links.Why this happens
link:protocol.packages:map of the lockfile, so our parser can’t pull the usual version/integrity metadata.link:but find no metadata block, we currently log a warning.Impact
package.jsonon disk), so license analysis succeeds.Proposed follow-ups (post-merge)
Enhance
generateCandidateSnapshotKeysV9to treatlink:refs as first-class nodes:• Use the on-disk
package.jsonforname/version.• Synthesize a pseudo snapshot key (e.g.,
link:@pnpm/logger@workspace).Downgrade the current warning to
DEBUGonce we have a resolution path, to avoid noise.This isn’t a blocker for merging—overall parsing logic works—but we should track the enhancement so that SBOMs include internal workspace dependencies with accurate version pins.
Metrics
References
ANE-2235: Support pnpm@9 and pnpm-lockfile v9
Checklist
docs/.docs/README.msand gave consideration to how discoverable or not my documentation is.Changelog.md. If this PR did not mark a release, I added my changes into an## Unreleasedsection at the top..fossa.ymlorfossa-deps.{json.yml}, I updateddocs/references/files/*.schema.jsonAND I have updated example files used byfossa initcommand. You may also need to update these if you have added/removed new dependency type (e.g.pip) or analysis target type (e.g.poetry).docs/references/subcommands/<subcommand>.md.