feat: add support for package-lock.json files #305
Merged
Conversation
sdn4z
commented
Sep 8, 2025
| if dependency_parser().file_exists() | ||
| ] | ||
| self._raise_for_selected_parsers(parsers) | ||
| self.dependency_file = parsers[0]().file_path |
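Review bot: `self.dependency_file = parsers[0]().file_path` takes whichever detected parser comes first in the list, so when more than one lock file is present the ecosystem that ends up being checked depends on list order; if `_raise_for_selected_parsers(parsers)` does not already reject multiple matches, state that in its docstring or error message, since the comment below says the detected file is later used to infer the manager.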
Collaborator
Author
We need to save it now, as we rely on the detected lock file to infer which manager to use when the file was auto-detected.
https://github.com/elementsinteractive/twyn/pull/305/files#diff-814dedefc2eb7e589119510f15db759d203e36192b41cbb5751ffad17253fcaaR136
scastlara
reviewed
Sep 8, 2025
| DEFAULT_USE_CACHE = True | ||
| PackageManagers: TypeAlias = Literal["pypi", "npm"] |
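Review bot: `Literal["pypi", "npm"]` constrains the alias only for type checkers; a value read from the config file is a plain string at runtime, so the config loader should validate it against the same two values (for example via `typing.get_args(PackageManagers)`) instead of relying on the annotation. Naming aside (see the thread), keeping the list in one place stops the alias and the runtime validation from drifting apart as more ecosystems are added.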
Collaborator
Hmm, not package manager, it's a repository or a source. Maybe we can look at how other systems call it, like Renovate and Dependabot, and then name them the same way.
Collaborator
Author
Oh yeah, I rushed too much and thought of npm's package manager.
I've renamed it to `PackageEcosystem`.
c01237e to 6701b80
scastlara
approved these changes
Sep 8, 2025
closes #96

This PR introduces the support for `package-lock.json` files, making `twyn` able to check not only against Python dependencies, but also JavaScript. In order to do so, a new `PackageReference` was introduced, so that the trusted packages can be downloaded, together with a `package-lock.json` file parser, supporting v1, v2 and v3.

Some refactoring took place in this PR, and `DependencyManager`s were introduced. These are in charge of linking programming languages with their corresponding lock files as well as with their `PackageReference`-related classes.

I've manually tested it with v1, v2 and v3 `package-lock.json` files, and it works! For v1 and v2, at least for the lockfiles that I've used, it returns way more results than it does for Python lockfiles and for v3. This is probably because v1 and v2 files are old and have old dependencies that are not used anymore. Something to keep in mind.

In the `ConfigHandler` class, `pypi_reference` was renamed to `source`, making it a breaking change.

BREAKING CHANGE
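One way to pull the dependency names out of all three lock-file versions, as an added example that is not twyn's code from this PR. The helper names, the constructed sample lock files, and the handling of aliased and workspace entries are my own assumptions about the npm format, not something taken from the PR diff. The point a typosquatting check cares about is the set of names that will be fetched from the registry, including names nested several levels deep and names hidden behind an alias:

```python
"""Collect dependency names from package-lock.json v1, v2 and v3.

Added example for this thread, not twyn's own parser. A typosquatting check
only needs the set of package names, so that is all this extracts.
"""
import json
from typing import Any, Iterator

NODE_MODULES = "node_modules/"


def _v1_names(deps: dict[str, Any]) -> Iterator[str]:
    """v1 layout (kept in v2 for older npm clients): a tree keyed by package
    name, with nested copies under each entry's own "dependencies"."""
    for name, entry in deps.items():
        yield name
        yield from _v1_names(entry.get("dependencies") or {})


def _packages_names(packages: dict[str, Any]) -> Iterator[str]:
    """v2/v3 layout: a flat map keyed by install path; "" is the project itself."""
    for path, entry in packages.items():
        if path == "" or entry.get("link"):
            continue  # the root project, or a symlink to a workspace package
        idx = path.rfind(NODE_MODULES)
        if idx == -1:
            continue  # a workspace source dir such as "packages/foo", not fetched from a registry
        # "node_modules/a/node_modules/@s/b" -> "@s/b"; scoped names keep their "@scope/" prefix
        name = path[idx + len(NODE_MODULES):]
        # npm writes "name" only when it differs from the path, i.e. for aliases
        # ("alias": "npm:real-name@^1"); the package actually fetched is "name"
        yield entry.get("name", name)


def lockfile_version(text: str) -> int:
    """npm 5/6 wrote v1; npm 7/8 wrote v2 (both sections); npm 9+ writes v3."""
    return int(json.loads(text).get("lockfileVersion", 1))


def parse_package_lock(text: str) -> set[str]:
    """Return every package name the lock file pins, at any nesting depth."""
    data = json.loads(text)
    version = int(data.get("lockfileVersion", 1))
    if version >= 2 and isinstance(data.get("packages"), dict):
        return set(_packages_names(data["packages"]))
    if isinstance(data.get("dependencies"), dict):  # v1, or a v2 file missing "packages"
        return set(_v1_names(data["dependencies"]))
    raise ValueError(f"lockfileVersion {version}: no 'packages' or 'dependencies' section")


# Constructed sample lock files (assumed shapes, trimmed of "integrity"/"resolved" noise).
LOCK_V1 = """{
  "name": "app", "version": "1.0.0", "lockfileVersion": 1, "requires": true,
  "dependencies": {
    "lodash": {"version": "4.17.21"},
    "request": {"version": "2.88.2", "requires": {"tough-cookie": "~2.5.0"},
                "dependencies": {"tough-cookie": {"version": "2.5.0"}}}
  }
}"""

LOCK_V2 = """{
  "name": "app", "version": "1.0.0", "lockfileVersion": 2, "requires": true,
  "packages": {
    "": {"name": "app", "version": "1.0.0", "dependencies": {"left-pad": "^1.3.0"}},
    "node_modules/left-pad": {"version": "1.3.0"}
  },
  "dependencies": {"left-pad": {"version": "1.3.0"}}
}"""

LOCK_V3 = """{
  "name": "app", "version": "1.0.0", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": {"name": "app", "version": "1.0.0",
         "dependencies": {"@types/node": "^20", "lodash": "^4",
                          "string-width-cjs": "npm:string-width@^4", "pkg-a": "*"}},
    "node_modules/@types/node": {"version": "20.11.0"},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/lodash/node_modules/semver": {"version": "5.7.2"},
    "node_modules/string-width-cjs": {"name": "string-width", "version": "4.2.3"},
    "node_modules/pkg-a": {"resolved": "packages/pkg-a", "link": true},
    "packages/pkg-a": {"name": "pkg-a", "version": "0.0.1"}
  }
}"""

if __name__ == "__main__":
    for label, text in (("v1", LOCK_V1), ("v2", LOCK_V2), ("v3", LOCK_V3)):
        print(label, lockfile_version(text), sorted(parse_package_lock(text)))
```

A v2 file carries both sections; the example reads `packages` whenever it is present so that aliases (which only the flat map records, under `name`) and workspace links are handled the same way as in v3, and falls back to the v1 tree otherwise. Whichever section is read, every nested copy is included, since a typosquatted name can sit anywhere in the tree, not just among the direct dependencies.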