
Commit 081d3c1

Update docs and changelog
1 parent 164df47 commit 081d3c1

3 files changed

Lines changed: 16 additions & 20 deletions


Changelog.md

Lines changed: 5 additions & 1 deletion
@@ -1,9 +1,13 @@
11
# FOSSA CLI Changelog
22

3+
## 3.10.12
4+
5+
- PNPM: Initial support for lockfile version 9.0 ((#1561)[https://github.com/fossas/fossa-cli/pull/1561])
6+
37
## 3.10.11
48

59
- container scanning: fix unzipping JARs that symlink to other layers #1555 ([#1555](https://github.com/fossas/fossa-cli/pull/1555))
6-
10+
711
## 3.10.10
812

913
- go: support the `tool` directive introduced in go Feb 2025 ([#1553](https://github.com/fossas/fossa-cli/pull/1553))
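
Review bot: The link in the new 3.10.12 entry has its brackets and parentheses swapped, so `((#1561)[https://github.com/fossas/fossa-cli/pull/1561])` will not render as a Markdown link. Use the form the 3.10.10 entry in this same hunk uses: `([#1561](https://github.com/fossas/fossa-cli/pull/1561))`. The blank line between the 3.10.11 entry and the `## 3.10.10` heading is also removed and re-added, which looks like whitespace churn that could be dropped from the change.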

docs/references/strategies/languages/nodejs/pnpm.md

Lines changed: 11 additions & 18 deletions
@@ -1,6 +1,6 @@
11
# Pnpm
22

3-
[Pnpm](https://pnpm.io/) is a fast, disk space-efficient package manager.
3+
[Pnpm](https://pnpm.io/) is a fast, disk space-efficient package manager.
44
Unlike npm and yarn, pnpm uses symbolic links to create a nested structure
55
of dependencies.
66

@@ -20,8 +20,8 @@ in `pnpm-lock.yaml` to analyze the dependency graph.
2020

2121
- `packages`
2222
- `[packagesKey]`
23-
- `resolution`: infer git URL, git commit, or package source URL.
24-
- `dependencies`: list of transitive dependencies
23+
- `resolution`: infer git URL, git commit, or package source URL.
24+
- `dependencies`: list of transitive dependencies
2525
- `peerDependencies`: list of peer dependencies (will be treated like any other dependency)
2626
- `dev`: to infer if this is used dependency or not. If the value is `true` by default CLI will not include this in the final analysis.
2727

@@ -35,15 +35,15 @@ importers:
3535
specifiers:
3636
some-pkg: https://some-url/pkg.tar.gz
3737
react: '*'
38-
my-local-pkg: file:../libs/my-local-pkg
38+
my-local-pkg: file:../libs/my-local-pkg
3939
dependencies:
4040
some-pkg: '@some-url/pkg.tar.gz'
4141
my-local-pkg: file:../libs/my-local-pkg
4242
devDependencies:
4343
react: 18.1.0
4444

4545
# workspace project in packages/some-ws-pkg directory from root.
46-
packages/some-ws-pkg:
46+
packages/some-ws-pkg:
4747
specifiers:
4848
commander: 9.2.0
4949
dependencies:
@@ -104,7 +104,7 @@ FOSSA will use provided `repo` and `commit` attribute to analyze this dependency
104104
dev: false
105105
```
106106
107-
* If the dependency was resolved using tarball (`resolution` will have `tarball` attribute)
107+
* If the dependency was resolved using tarball (`resolution` will have `tarball` attribute)
108108
FOSSA will use provided URL address to download and analyze this dependency.
109109

110110
```yaml
@@ -118,11 +118,11 @@ FOSSA will use provided URL address to download and analyze this dependency.
118118
```
119119

120120
* If the dependency was resolved using the local directory (`resolution` will have the `type: directory` attribute),
121-
FOSSA will not analyze this dependency. Local dependency's transitive dependencies will be analyzed,
122-
and they will be promoted in place of local dependency.
121+
FOSSA will not analyze this dependency. Local dependency's transitive dependencies will be analyzed,
122+
and they will be promoted in place of local dependency.
123123

124124
```yaml
125-
# FOSSA will not analyze this dependency,
125+
# FOSSA will not analyze this dependency,
126126
# But FOSSA will analyze its transitive dependency (if they are not sourced from the local directory)
127127
#
128128
# FOSSA will promote loose-envify of 1.4.0 in place of unifier.
@@ -136,7 +136,7 @@ and they will be promoted in place of local dependency.
136136
dev: false
137137
```
138138

139-
* If the dependency was resolved using registry resolver, FOSSA will use the registry to analyze the dependency.
139+
* If the dependency was resolved using registry resolver, FOSSA will use the registry to analyze the dependency.
140140
CLI will infer the package name and version using `/${dependencyName}/${dependencyVersion}` scheme from the package's key.
141141

142142
```yaml
@@ -151,7 +151,7 @@ CLI will infer the package name and version using `/${dependencyName}/${dependen
151151
* Pnpm workspaces are supported.
152152
* Development dependencies (`dev: true`) are ignored by default from analysis. To include them in the analysis, execute CLI with `--include-unused` flag e.g. `fossa analyze --include-unused`.
153153
* Optional dependencies are included in the analysis by default. They can be ignored in FOSSA UI.
154-
* `fossa-cli` supports lockFileVersion: 4.x, 5.x, and 6.x.
154+
* `fossa-cli` supports lockFileVersion: 4.x, 5.x, 6.x, 7.x, 8.x, and 9.x.
155155

156156

157157
# F.A.Q
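
Review bot: The updated support line lists 7.x, 8.x and 9.x as supported without qualification, while the changelog entry in this commit describes only "Initial support for lockfile version 9.0" and mentions neither 7.x nor 8.x. Either qualify the 9.x claim here (for example "9.x (initial support)") or extend the changelog entry to cover 7.x and 8.x, so the two documents agree on what a user can rely on. Readers treat this line as the statement of which lockfiles produce a complete dependency graph, so an overstated claim here means missed dependencies go unnoticed.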
@@ -168,10 +168,3 @@ targets:
168168
only:
169169
- type: pnpm
170170
```
171-
### Are all versions of `pnpm` supported?
172-
173-
At this time, the latest version of pnpm (v9) and its associated v9 lockfiles are not correctly parsed by FOSSA. Please revert to v8 (v6 lockfile) if your dependencies are not resolved in the FOSSA UI: "FOSSA was unable to analyze this dependency. If it is behind a private registry or auth you may need to configure FOSSA's access, then rebuild this dependency." This is due to the version number being appended to the package name:
174-
175-
<img width="796" alt="image" src="https://github.com/user-attachments/assets/d1461506-d3e7-42da-b9be-2b53a87f79f1" />
176-
177-
Please [email](mailto:support@fossa.com) FOSSA support if you are affected by this limitation.
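
Review bot: Removing the whole "Are all versions of `pnpm` supported?" entry leaves users on a CLI older than 3.10.12 with no explanation for the "FOSSA was unable to analyze this dependency" symptom on v9 lockfiles. Consider replacing the entry with a short one that says v9 lockfiles need fossa-cli 3.10.12 or later, the version the changelog in this commit ties v9 support to, rather than deleting it outright.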

src/Strategy/Node/Pnpm/PnpmLock.hs

Lines changed: 0 additions & 1 deletion
@@ -285,7 +285,6 @@ analyze file = context "Analyzing Npm Lockfile (v3)" $ do
285285

286286
case lockFileVersion pnpmLockFile of
287287
PnpmLockLt4 raw -> logWarn . pretty $ "pnpm-lock file is using older lockFileVersion: " <> raw <> " of, which is not officially supported!"
288-
PnpmLockV678 raw -> logWarn . pretty $ "pnpm-lock file is using newer lockFileVersion: " <> raw <> " of, which is not officially supported!"
289288
_ -> pure ()
290289

291290
context "Building dependency graph" $ pure $ buildGraph pnpmLockFile
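
Review bot: With the `PnpmLockV678` arm deleted, the `_ -> pure ()` wildcard now covers every lockfile version other than `PnpmLockLt4`, so a version the parser does not actually understand would be analyzed without any warning if the version type has, or later gains, a constructor for it. Matching the supported constructors explicitly and keeping a `logWarn` in the fallback arm would keep an unrecognised lockfile from silently producing an incomplete graph. Two smaller points visible in the same lines: the commit message describes a docs and changelog update, but this hunk changes runtime behaviour and deserves a mention there, and the remaining warning text reads `raw <> " of, which is not officially supported!"`, where the " of," looks like a leftover, as does the "Analyzing Npm Lockfile (v3)" context label on a pnpm analyzer.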
