feat: add support for yarn.lock files (#308)

Author: sdn4z

README.md

@@ -114,6 +114,7 @@ The following dependency file formats are supported:
 - `poetry.lock`
 - `uv.lock`
 - `package-lock.json` (v1, v2, v3)
+- `yarn.lock` (v1, v2)
 
 ### Check dependencies introduced through the CLI
 

pyproject.toml

@@ -19,6 +19,7 @@ dependencies = [
     "tomlkit<0.14.0,>=0.11.6",
     "tomli<3.0.0,>=2.2.1; python_version < \"3.13\"",
     "pydantic>=2.11.7,<3.0.0",
+    "pyyaml>=6.0.2",
 ]
 name = "twyn"
 description = "Security tool against dependency typosquatting attacks"
@@ -47,6 +48,7 @@ dev = [
     "types-requests<3.0.0.0,>=2.32.4.20250611",
     "types-python-dateutil>=2.9.0.20250809",
     "freezegun>=1.5.5",
+    "types-pyyaml>=6.0.12.20250822",
 ]
 local = ["ipdb<1.0.0,>=0.13.9", "commitizen<5.0,>=2.38", "pdbpp<1.0.0,>=0.11.6"]
 

src/twyn/base/constants.py

@@ -25,6 +25,7 @@
     "poetry.lock": dependency_parser.PoetryLockParser,
     "uv.lock": dependency_parser.UvLockParser,
     "package-lock.json": dependency_parser.PackageLockJsonParser,
+    "yarn.lock": dependency_parser.YarnLockParser,
 }
 
 

src/twyn/dependency_managers/__init__.py

@@ -0,0 +1,15 @@
+from twyn.dependency_managers.managers.npm_dependency_manager import NpmDependencyManager
+from twyn.dependency_managers.managers.pypi_dependency_manager import PypiDependencyManager
+from twyn.dependency_managers.utils import (
+    PACKAGE_ECOSYSTEMS,
+    get_dependency_manager_from_file,
+    get_dependency_manager_from_name,
+)
+
+__all__ = [
+    "NpmDependencyManager",
+    "PypiDependencyManager",
+    "get_dependency_manager_from_file",
+    "get_dependency_manager_from_name",
+    "PACKAGE_ECOSYSTEMS",
+]

src/twyn/dependency_managers/managers/__init__.py

@@ -0,0 +1,24 @@
+from dataclasses import dataclass
+from pathlib import Path
+
+from twyn.trusted_packages.references.base import AbstractPackageReference
+
+
+@dataclass
+class BaseDependencyManager:
+    """Base class for all `DependencyManagers`.
+
+    It acts as a repository, linking programming languages with trusted packages sources and dependency file names.
+    """
+
+    name: str
+    trusted_packages_source: type[AbstractPackageReference]
+    dependency_files: set[str]
+
+    @classmethod
+    def matches_dependency_file(cls, dependency_file: str) -> bool:
+        return Path(dependency_file).name in cls.dependency_files
+
+    @classmethod
+    def matches_language_name(cls, name: str) -> bool:
+        return cls.name == Path(name).name.lower()

src/twyn/dependency_managers/managers/base.py

@@ -0,0 +1,12 @@
+from dataclasses import dataclass
+
+from twyn.dependency_managers.managers.base import BaseDependencyManager
+from twyn.dependency_parser.parsers.constants import PACKAGE_LOCK_JSON, YARN_LOCK
+from twyn.trusted_packages import TopNpmReference
+
+
+@dataclass
+class NpmDependencyManager(BaseDependencyManager):
+    name = "npm"
+    trusted_packages_source = TopNpmReference
+    dependency_files = {PACKAGE_LOCK_JSON, YARN_LOCK}

src/twyn/dependency_managers/managers/npm_dependency_manager.py

@@ -0,0 +1,12 @@
+from dataclasses import dataclass
+
+from twyn.dependency_managers.managers.base import BaseDependencyManager
+from twyn.dependency_parser.parsers.constants import POETRY_LOCK, REQUIREMENTS_TXT, UV_LOCK
+from twyn.trusted_packages import TopPyPiReference
+
+
+@dataclass
+class PypiDependencyManager(BaseDependencyManager):
+    name = "pypi"
+    trusted_packages_source = TopPyPiReference
+    dependency_files = {UV_LOCK, POETRY_LOCK, REQUIREMENTS_TXT}

src/twyn/dependency_managers/managers/pypi_dependency_manager.py

@@ -0,0 +1,25 @@
+from twyn.dependency_managers.exceptions import NoMatchingDependencyManagerError
+from twyn.dependency_managers.managers.base import BaseDependencyManager
+from twyn.dependency_managers.managers.npm_dependency_manager import NpmDependencyManager
+from twyn.dependency_managers.managers.pypi_dependency_manager import PypiDependencyManager
+
+
+def get_dependency_manager_from_file(dependency_file: str) -> type[BaseDependencyManager]:
+    for manager in DEPENDENCY_MANAGERS:
+        if manager.matches_dependency_file(dependency_file):
+            return manager
+    raise NoMatchingDependencyManagerError
+
+
+def get_dependency_manager_from_name(name: str) -> type[BaseDependencyManager]:
+    for manager in DEPENDENCY_MANAGERS:
+        if manager.matches_language_name(name):
+            return manager
+    raise NoMatchingDependencyManagerError
+
+
+DEPENDENCY_MANAGERS: list[type[BaseDependencyManager]] = [
+    PypiDependencyManager,
+    NpmDependencyManager,
+]
+PACKAGE_ECOSYSTEMS = {x.name for x in DEPENDENCY_MANAGERS}

src/twyn/dependency_managers/utils.py

@@ -3,5 +3,6 @@
 from twyn.dependency_parser.parsers.lock_parser import PoetryLockParser, UvLockParser
 from twyn.dependency_parser.parsers.package_lock_json import PackageLockJsonParser
 from twyn.dependency_parser.parsers.requirements_txt_parser import RequirementsTxtParser
+from twyn.dependency_parser.parsers.yarn_lock_parser import YarnLockParser
 
-__all__ = ["RequirementsTxtParser", "PoetryLockParser", "UvLockParser", "PackageLockJsonParser"]
+__all__ = ["RequirementsTxtParser", "PoetryLockParser", "UvLockParser", "PackageLockJsonParser", "YarnLockParser"]