Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(nodejs): support yarn workspaces #4664

Merged
merged 8 commits into from
Jun 30, 2023

Conversation

nikpivkin
Copy link
Contributor

@nikpivkin nikpivkin commented Jun 19, 2023

Description

When using workspaces, yarn creates yarn.lock only in the root of the monorepository. And since the package.json of the monorepository does not contain information about dependencies in workspaces, they are skipped. So we have to get all the dependencies from the package.json of workspaces.

go-dep-parser refers to this commit.

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@nikpivkin nikpivkin changed the title feat(nodejs): add the workspaces field to the package feat(nodejs): support yarn workspaces Jun 19, 2023
@nikpivkin nikpivkin marked this pull request as ready for review June 21, 2023 14:41
@nikpivkin nikpivkin requested a review from knqyf263 as a code owner June 21, 2023 14:41
@knqyf263 knqyf263 requested a review from DmitriyLewen June 22, 2023 07:38
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left some comments, @nikpivkin please check them out.

@DmitriyLewen
Copy link
Contributor

LGTM.
Thanks for your work!

@DmitriyLewen
Copy link
Contributor

@nikpivkin can you resolve conflicts, please?

pkg/fanal/analyzer/language/nodejs/yarn/yarn.go Outdated Show resolved Hide resolved
var pkgs []packagejson.Package

required := func(path string, _ fs.DirEntry) bool {
return filepath.Base(path) == types.NpmPkg
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where is node_modules created? Only root?

  • monorepo
    • package.json
    • node_modules <- only root?
    • c
      • package.json
      • node_modules <- ?
    • packages
      • package1
        • package.json
        • node_modules <- ?
      • package2
        • package.json
        • node_modules <- ?

Should we skip package.json under node_modules just in case?

Suggested change
return filepath.Base(path) == types.NpmPkg
// Skip package.json files under node_modules
if slices.Contains(strings.Split(path, "/"), "node_modules") {
return false
}
return filepath.Base(path) == types.NpmPkg

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

node_modules is created only at the root

Copy link
Collaborator

@knqyf263 knqyf263 Jun 29, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is ok if you're sure irrelevant package.json files must not be present in workspace projects. Since we use WalkDir, all package.json files will be parsed under the workspace paths. That is my concern.

if err := fsutils.WalkDir(fsys, match, required, walkDirFunc); err != nil {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can extract the names of all the packages of the monorepository from yarn.lock and then check them so as not to capture an extra package.json. But as far as I know, at the moment go-dep-parser does not include local packages from workspaces in the list of dependencies.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK. I might be too concerned. If we see any issue, we can fix it.

@knqyf263 knqyf263 added this pull request to the merge queue Jun 29, 2023
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to a conflict with the base branch Jun 29, 2023
@knqyf263 knqyf263 added this pull request to the merge queue Jun 30, 2023
Merged via the queue into aquasecurity:main with commit 73734ea Jun 30, 2023
@nikpivkin nikpivkin deleted the feat/yarn-workspaces branch July 20, 2023 16:06
AnaisUrlichs pushed a commit to AnaisUrlichs/trivy that referenced this pull request Aug 10, 2023
* feat(nodejs): add the workspaces field to the package

* fix go.mod

* update go.mod

* compare workspaces by length
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Trivy is not working properly with yarn workspaces
3 participants