
[ANE-2235] Fix PNPM v9 lockfile parsing issues with package names/versions #1531


Draft
wants to merge 13 commits into base: master

Conversation

@ryanlink ryanlink (Contributor) commented Apr 11, 2025

Overview

This PR fixes issues with PNPM v9 lockfile parsing, specifically addressing problems with incorrect package name and version handling.

Acceptance criteria

  1. When analyzing a project with a PNPM v9 lockfile:
     • Locators should be correctly formatted as npm+package-name$version
     • There should be no malformed locators like [email protected]
  2. Dependencies with special formats should be correctly handled:
     • Packages with namespaced references (e.g., @pnpm/[email protected]) should appear as npm+hosted-git-info$1.0.0
     • Packages where the version string contains another package name (e.g., [email protected]) should appear as npm+safe-execa$0.1.2
  3. Link references should be properly processed:
     • Workspace links (e.g., link:../cli-meta) should not result in malformed locators
     • No errors should be thrown when processing link references
  4. The FOSSA CLI should successfully build and run all PNPM-related unit tests
  5. When analyzing the PNPM repository itself (or any large project using PNPM v9), all dependencies should be properly resolved with correctly formatted locators
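Added example, not fossa-cli's own (Haskell) code, of the name/version split the acceptance criteria above call for, written in Python: a pnpm v9 `packages:` key is split on its last `@` so a scoped name keeps its leading `@`, a peer-dependency suffix in parentheses cannot supply the separator, and a `link:` reference yields no locator at all. The key shapes and the sample keys are constructed assumptions about the v9 format, and this example keeps a scoped package's full name in the locator, which is not something the criteria above settle.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample keys (assumed v9 shape: `name@version`, scoped
# `@scope/name@version`, optional `(peer@version)` suffix, `link:` refs).
SAMPLE_KEYS = [
    "safe-execa@0.1.2",
    "@types/node@20.0.0",
    "execa@5.1.1(foo@1.0.0)",
    "link:../cli-meta",
]


@dataclass(frozen=True)
class Locator:
    name: str
    version: str

    def render(self) -> str:
        # FOSSA npm locator shape from the PR: npm+package-name$version
        return f"npm+{self.name}${self.version}"


def parse_package_key(key: str) -> Optional[Locator]:
    """Turn one lockfile package key into a Locator, or None for links."""
    # Workspace links have no registry version; emitting a locator for
    # them is exactly the malformed-locator failure the PR describes.
    if key.startswith("link:"):
        return None
    # Older lockfile versions prefix keys with "/"; tolerate that too.
    if key.startswith("/"):
        key = key[1:]
    # Strip a peer-dependency suffix such as "(foo@1.0.0)" first, otherwise
    # its "@" would be mistaken for the name/version separator.
    key = re.sub(r"\(.*\)$", "", key)
    # Split on the LAST "@": a scoped name's leading "@" stays in the name,
    # and a name like "safe-execa" is never matched against "execa".
    name, sep, version = key.rpartition("@")
    if not sep or not name or not version:
        raise ValueError(f"malformed package key: {key!r}")
    return Locator(name, version)


def locators(keys: List[str]) -> List[str]:
    """Render locators for every key that denotes a registry package."""
    parsed = (parse_package_key(k) for k in keys)
    return [loc.render() for loc in parsed if loc is not None]
```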

Testing plan

Tested with a real PNPM v9 lockfile from the PNPM repository itself, which demonstrated correct dependency resolution with properly formatted FOSSA locators.

Risks

There is one dependency safe-execa in the test v9 lockfile that we're generating a malformed locator for:

[email protected]

It should be:

[email protected].

Metrics

References

ANE-2235: Support pnpm@9 and pnpm-lockfile v9

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.

@ryanlink ryanlink requested a review from a team as a code owner April 11, 2025 04:23
@ryanlink ryanlink requested a review from spatten April 11, 2025 04:23
@ryanlink ryanlink marked this pull request as draft April 11, 2025 04:42
@ryanlink ryanlink removed the request for review from spatten April 11, 2025 04:43
@ryanlink ryanlink force-pushed the pnpm-9-lockfile-fix branch from ccc9f49 to e8d9005 April 11, 2025 14:28
@ryanlink ryanlink force-pushed the pnpm-9-lockfile-fix branch from 9ae886c to 67fd875 April 11, 2025 16:59