fix(yarn2): Capture transitive dependencies of packages with peer deps

mnonnenmacher · mnonnenmacher · commit e33568d17134 · 2026-04-25T16:19:04.000+02:00
When a package has peer dependencies, Yarn2+ creates a virtual package
for it that is used also in the output of `yarn info`. This virtual
package only contains the peer dependencies, while only the non-virtual
package contains the transitive dependencies.

Fix the issue that transitive dependencies of such packages are ignored
by mapping locators that point to virtual packages to locators that
point to the non-virtual packages.

Signed-off-by: Martin Nonnenmacher &lt;martin.nonnenmacher@bosch.com&gt;
diff --git a/plugins/package-managers/node/src/funTest/assets/projects/synthetic/yarn2/project-with-lockfile-expected-output.yml b/plugins/package-managers/node/src/funTest/assets/projects/synthetic/yarn2/project-with-lockfile-expected-output.yml
@@ -77,6 +77,9 @@ project:
       dependencies:
       - id: "NPM::asap:2.0.6"
     - id: "NPM:@csstools:css-color-parser:3.0.8"
+      dependencies:
+      - id: "NPM:@csstools:color-helpers:5.1.0"
+      - id: "NPM:@csstools:css-calc:2.1.4"
   - name: "devDependencies"
     dependencies:
     - id: "NPM::cson:4.1.0"
@@ -1266,6 +1269,62 @@ packages:
     url: "https://github.com/TooTallNate/util-deprecate.git"
     revision: "475fb6857cd23fafff20c1be846c1350abf8e6d4"
     path: ""
+- id: "NPM:@csstools:color-helpers:5.1.0"
+  purl: "pkg:npm/%40csstools/color-helpers@5.1.0"
+  declared_licenses:
+  - "MIT-0"
+  declared_licenses_processed:
+    spdx_expression: "MIT-0"
+  description: "Color helpers to ease transformation between formats, gamut, etc"
+  homepage_url: "https://github.com/csstools/postcss-plugins/tree/main/packages/color-helpers#readme"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "https://registry.npmjs.org/@csstools/color-helpers/-/color-helpers-5.1.0.tgz"
+    hash:
+      value: "106c54c808cabfd1ab4c602d8505ee584c2996ef"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "git+https://github.com/csstools/postcss-plugins.git"
+    revision: "132530a36b9f711a886602ce4bf1e95de95f2a5b"
+    path: "packages/color-helpers"
+  vcs_processed:
+    type: "Git"
+    url: "https://github.com/csstools/postcss-plugins.git"
+    revision: "132530a36b9f711a886602ce4bf1e95de95f2a5b"
+    path: "packages/color-helpers"
+- id: "NPM:@csstools:css-calc:2.1.4"
+  purl: "pkg:npm/%40csstools/css-calc@2.1.4"
+  declared_licenses:
+  - "MIT"
+  declared_licenses_processed:
+    spdx_expression: "MIT"
+  description: "Solve CSS math expressions"
+  homepage_url: "https://github.com/csstools/postcss-plugins/tree/main/packages/css-calc#readme"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "https://registry.npmjs.org/@csstools/css-calc/-/css-calc-2.1.4.tgz"
+    hash:
+      value: "8473f63e2fcd6e459838dd412401d5948f224c65"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "git+https://github.com/csstools/postcss-plugins.git"
+    revision: "7a21bdf28305a0915af8e002b98ba82bc25a1573"
+    path: "packages/css-calc"
+  vcs_processed:
+    type: "Git"
+    url: "https://github.com/csstools/postcss-plugins.git"
+    revision: "7a21bdf28305a0915af8e002b98ba82bc25a1573"
+    path: "packages/css-calc"
 - id: "NPM:@csstools:css-color-parser:3.0.8"
   purl: "pkg:npm/%40csstools/css-color-parser@3.0.8"
   declared_licenses:
diff --git a/plugins/package-managers/node/src/funTest/assets/projects/synthetic/yarn2/project-with-lockfile-skip-excluded-scopes-expected-output.yml b/plugins/package-managers/node/src/funTest/assets/projects/synthetic/yarn2/project-with-lockfile-skip-excluded-scopes-expected-output.yml
@@ -77,6 +77,9 @@ project:
       dependencies:
       - id: "NPM::asap:2.0.6"
     - id: "NPM:@csstools:css-color-parser:3.0.8"
+      dependencies:
+      - id: "NPM:@csstools:color-helpers:5.1.0"
+      - id: "NPM:@csstools:css-calc:2.1.4"
 packages:
 - id: "NPM::asap:2.0.6"
   purl: "pkg:npm/asap@2.0.6"
@@ -851,6 +854,62 @@ packages:
     url: "https://github.com/TooTallNate/util-deprecate.git"
     revision: "475fb6857cd23fafff20c1be846c1350abf8e6d4"
     path: ""
+- id: "NPM:@csstools:color-helpers:5.1.0"
+  purl: "pkg:npm/%40csstools/color-helpers@5.1.0"
+  declared_licenses:
+  - "MIT-0"
+  declared_licenses_processed:
+    spdx_expression: "MIT-0"
+  description: "Color helpers to ease transformation between formats, gamut, etc"
+  homepage_url: "https://github.com/csstools/postcss-plugins/tree/main/packages/color-helpers#readme"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "https://registry.npmjs.org/@csstools/color-helpers/-/color-helpers-5.1.0.tgz"
+    hash:
+      value: "106c54c808cabfd1ab4c602d8505ee584c2996ef"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "git+https://github.com/csstools/postcss-plugins.git"
+    revision: "132530a36b9f711a886602ce4bf1e95de95f2a5b"
+    path: "packages/color-helpers"
+  vcs_processed:
+    type: "Git"
+    url: "https://github.com/csstools/postcss-plugins.git"
+    revision: "132530a36b9f711a886602ce4bf1e95de95f2a5b"
+    path: "packages/color-helpers"
+- id: "NPM:@csstools:css-calc:2.1.4"
+  purl: "pkg:npm/%40csstools/css-calc@2.1.4"
+  declared_licenses:
+  - "MIT"
+  declared_licenses_processed:
+    spdx_expression: "MIT"
+  description: "Solve CSS math expressions"
+  homepage_url: "https://github.com/csstools/postcss-plugins/tree/main/packages/css-calc#readme"
+  binary_artifact:
+    url: ""
+    hash:
+      value: ""
+      algorithm: ""
+  source_artifact:
+    url: "https://registry.npmjs.org/@csstools/css-calc/-/css-calc-2.1.4.tgz"
+    hash:
+      value: "8473f63e2fcd6e459838dd412401d5948f224c65"
+      algorithm: "SHA-1"
+  vcs:
+    type: "Git"
+    url: "git+https://github.com/csstools/postcss-plugins.git"
+    revision: "7a21bdf28305a0915af8e002b98ba82bc25a1573"
+    path: "packages/css-calc"
+  vcs_processed:
+    type: "Git"
+    url: "https://github.com/csstools/postcss-plugins.git"
+    revision: "7a21bdf28305a0915af8e002b98ba82bc25a1573"
+    path: "packages/css-calc"
 - id: "NPM:@csstools:css-color-parser:3.0.8"
   purl: "pkg:npm/%40csstools/css-color-parser@3.0.8"
   declared_licenses:
diff --git a/plugins/package-managers/node/src/main/kotlin/yarn2/Yarn2.kt b/plugins/package-managers/node/src/main/kotlin/yarn2/Yarn2.kt
@@ -56,6 +56,7 @@ import org.ossreviewtoolkit.utils.ort.runBlocking
  * The amount of package details to query at once with `yarn npm info`.
  */
 private const val YARN_NPM_INFO_CHUNK_SIZE = 1000
+private val virtualPackageRegex = Regex("""^(@[^@]+)@.*#npm:([0-9]+\.[0-9]+\.[0-9]+)""")
 
 data class Yarn2Config(
     /**
@@ -169,7 +170,15 @@ class Yarn2(override val descriptor: PluginDescriptor = Yarn2Factory.descriptor,
             scopes.forEach { scope ->
                 val dependencyNames = packageJson.getDependenciesForScope(scope)
                 val dependencies = packageInfo.children.dependencies
-                    .map { packageInfoForLocator.getValue(it.locator) }
+                    .map { dependency ->
+                        // Map virtual package locators to their corresponding real package locators as only their
+                        // package infos contain the transitive dependencies.
+                        val locator = virtualPackageRegex.find(dependency.locator)?.let {
+                            "${it.groupValues[1]}@npm:${it.groupValues[2]}"
+                        } ?: dependency.locator
+
+                        packageInfoForLocator.getValue(locator)
+                    }
                     .filter { it.moduleName in dependencyNames }
 
                 graphBuilder.addDependencies(project.id, scope.descriptor, dependencies)
