docs/references/strategies/languages/nodejs/pnpm.md
11 additions & 18 deletions
@@ -1,6 +1,6 @@
1
1
# Pnpm
2
2
3
-
[Pnpm](https://pnpm.io/) is a fast, disk space-efficient package manager.
3
+
[Pnpm](https://pnpm.io/) is a fast, disk space-efficient package manager.
4
4
Unlike npm and yarn, pnpm uses symbolic links to create a nested structure
5
5
of dependencies.
6
6
@@ -20,8 +20,8 @@ in `pnpm-lock.yaml` to analyze the dependency graph.
20
20
21
21
-`packages`
22
22
-`[packagesKey]`
23
-
-`resolution`: infer git URL, git commit, or package source URL.
24
-
-`dependencies`: list of transitive dependencies
23
+
-`resolution`: infer git URL, git commit, or package source URL.
24
+
-`dependencies`: list of transitive dependencies
25
25
-`peerDependencies`: list of peer dependencies (will be treated like any other dependency)
26
26
-`dev`: to infer if this is used dependency or not. If the value is `true` by default CLI will not include this in the final analysis.
27
27
@@ -35,15 +35,15 @@ importers:
35
35
specifiers:
36
36
some-pkg: https://some-url/pkg.tar.gz
37
37
react: '*'
38
-
my-local-pkg: file:../libs/my-local-pkg
38
+
my-local-pkg: file:../libs/my-local-pkg
39
39
dependencies:
40
40
some-pkg: '@some-url/pkg.tar.gz'
41
41
my-local-pkg: file:../libs/my-local-pkg
42
42
devDependencies:
43
43
react: 18.1.0
44
44
45
45
# workspace project in packages/some-ws-pkg directory from root.
46
-
packages/some-ws-pkg:
46
+
packages/some-ws-pkg:
47
47
specifiers:
48
48
commander: 9.2.0
49
49
dependencies:
@@ -104,7 +104,7 @@ FOSSA will use provided `repo` and `commit` attribute to analyze this dependency
104
104
dev: false
105
105
```
106
106
107
-
* If the dependency was resolved using tarball (`resolution` will have `tarball` attribute)
107
+
* If the dependency was resolved using tarball (`resolution` will have `tarball` attribute)
108
108
FOSSA will use provided URL address to download and analyze this dependency.
109
109
110
110
```yaml
@@ -118,11 +118,11 @@ FOSSA will use provided URL address to download and analyze this dependency.
118
118
```
119
119
120
120
* If the dependency was resolved using the local directory (`resolution` will have the `type: directory` attribute),
121
-
FOSSA will not analyze this dependency. Local dependency's transitive dependencies will be analyzed,
122
-
and they will be promoted in place of local dependency.
121
+
FOSSA will not analyze this dependency. Local dependency's transitive dependencies will be analyzed,
122
+
and they will be promoted in place of local dependency.
123
123
124
124
```yaml
125
-
# FOSSA will not analyze this dependency,
125
+
# FOSSA will not analyze this dependency,
126
126
# But FOSSA will analyze its transitive dependency (if they are not sourced from the local directory)
127
127
#
128
128
# FOSSA will promote loose-envify of 1.4.0 in place of unifier.
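Review bot: at new lines 121-122 and 125 the removed and added text is identical as displayed, so this reads as a trailing-whitespace cleanup, and in Markdown two trailing spaces force a hard line break. Please confirm that the bullet at line 120 and its continuation lines ("FOSSA will not analyze this dependency. ..." and "and they will be promoted in place of local dependency.") still render as intended once the whitespace is gone. If the cleanup is deliberate, saying so in the commit message would help, since it is easy to miss the one hunk in this diff that changes wording.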
@@ -136,7 +136,7 @@ and they will be promoted in place of local dependency.
136
136
dev: false
137
137
```
138
138
139
-
* If the dependency was resolved using registry resolver, FOSSA will use the registry to analyze the dependency.
139
+
* If the dependency was resolved using registry resolver, FOSSA will use the registry to analyze the dependency.
140
140
CLI will infer the package name and version using `/${dependencyName}/${dependencyVersion}` scheme from the package's key.
141
141
142
142
```yaml
@@ -151,7 +151,7 @@ CLI will infer the package name and version using `/${dependencyName}/${dependen
151
151
* Pnpm workspaces are supported.
152
152
* Development dependencies (`dev: true`) are ignored by default from analysis. To include them in the analysis, execute CLI with `--include-unused` flag e.g. `fossa analyze --include-unused`.
153
153
* Optional dependencies are included in the analysis by default. They can be ignored in FOSSA UI.
154
-
* `fossa-cli` supports lockFileVersion: 4.x, 5.x, and 6.x.
At this time, the latest version of pnpm (v9) and its associated v9 lockfiles are not correctly parsed by FOSSA. Please revert to v8 (v6 lockfile) if your dependencies are not resolved in the FOSSA UI: "FOSSA was unable to analyze this dependency. If it is behind a private registry or auth you may need to configure FOSSA's access, then rebuild this dependency."This is due to the version number being appended to the package name:
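Review bot: the deletion of the `lockFileVersion: 4.x, 5.x, and 6.x` bullet at old line 154 has no visible replacement in this hunk, so the page would no longer state which lockfile versions `fossa-cli` parses. Please keep a supported-versions bullet, updated if support has changed, because the pnpm v9 paragraph beneath it describes dependencies going unresolved in the FOSSA UI and readers need the version list to know whether their lockfile is covered. That paragraph also ends on a colon ("... appended to the package name:") with nothing after it and runs `dependency."This` together without a space; either include the example it introduces or close the sentence, and add the missing space.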