* Basic support for pnpm 9 lockfiles.
* Fix non-exhaustive patterns.
* fix: improve pnpm v9 lockfile parsing
1. Handle package keys without leading slash in v9 format
2. Add support for catalog versions (workspace:*) in v9 format
3. Improve version normalization and handling
4. Add more test cases and documentation
* [ANE-2235] Add support for PNPM v9 catalog versions
- Add catalogs field to PnpmLockfile type
- Create CatalogMap and CatalogEntry types for parsing catalog data
- Add getPackageVersion helper to resolve catalog versions
- Update version parsing to properly handle v7-v9 lockfiles
* [ANE-2235] Fix dev dependency handling in PNPM v9 lockfiles
- Track dev dependencies from importers section
- Consider both importers and packages sections when determining dev status
- Pass dev dependency status through dependency resolution chain
- Update toDependency to combine isDev flags from both sources
* [ANE-2235] Fix name collision with version field
- Rename version field in CatalogEntry to catalogVersion to avoid collision with ProjectMapDepMetadata
* [ANE-2235] Fix CatalogMap parsing
- Use parseJSON instead of undefined parseCatalogEntry
* [ANE-2235] Fix CatalogMap parsing
- Use fully qualified Yaml.parseJSON to fix compilation error
* [ANE-2235] Fix CatalogMap parsing type error
- Add KeyMap import
- Convert Object to Map Text using KeyMap.toMap
* [ANE-2235] Revert commits to restore pnpm-9 branch to d78d81b
Reverting commits from Jan 31 - Feb 3 to restore the branch to how
csasarak left it on Jan 3rd (d78d81b)
* Process pnpm lockfile v9 workspaces
* Read dependency graph from lockfile snapshots where necessary.
* Fix snapshots parsing.
* Glob negation.
* Fix snapshots parsing again
* Dev deps for pnpm 9 projects.
* Tests for pnpm9 lockfile and workspace project.
* Fix compilation error.
* Update docs and changelog
* Apply suggestions from code review
Co-authored-by: Scott Patten <scott@fossa.com>
* Address PR feedback.
---------
Co-authored-by: ryanlink <ryanlink@gmail.com>
Co-authored-by: Ryan Link <47920994+ryanlink@users.noreply.github.com>
Co-authored-by: Scott Patten <scott@fossa.com>
docs/references/strategies/languages/nodejs/pnpm.md (11 additions & 18 deletions)
@@ -1,6 +1,6 @@
1
1
# Pnpm
2
2
3
-
[Pnpm](https://pnpm.io/) is a fast, disk space-efficient package manager.
3
+
[Pnpm](https://pnpm.io/) is a fast, disk space-efficient package manager.
4
4
Unlike npm and yarn, pnpm uses symbolic links to create a nested structure
5
5
of dependencies.
6
6
@@ -20,8 +20,8 @@ in `pnpm-lock.yaml` to analyze the dependency graph.
20
20
21
21
-`packages`
22
22
-`[packagesKey]`
23
-
-`resolution`: infer git URL, git commit, or package source URL.
24
-
-`dependencies`: list of transitive dependencies
23
+
-`resolution`: infer git URL, git commit, or package source URL.
24
+
-`dependencies`: list of transitive dependencies
25
25
-`peerDependencies`: list of peer dependencies (will be treated like any other dependency)
26
26
-`dev`: to infer if this is used dependency or not. If the value is `true` by default CLI will not include this in the final analysis.
27
27
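Review bot: the `dev` bullet on context line 26 still describes dev status purely as the per-package `dev` flag and reads "to infer if this is used dependency or not"; the commit message says dev status is now also tracked from the importers section for v9 lockfiles, so reword this bullet to say that dev status is taken from both the importers and packages sections, and fix the grammar to "whether this is a used dependency". The removed and re-added `resolution` and `dependencies` lines are identical in this view, so the rest of the hunk is an indentation change only.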
@@ -35,15 +35,15 @@ importers:
35
35
specifiers:
36
36
some-pkg: https://some-url/pkg.tar.gz
37
37
react: '*'
38
-
my-local-pkg: file:../libs/my-local-pkg
38
+
my-local-pkg: file:../libs/my-local-pkg
39
39
dependencies:
40
40
some-pkg: '@some-url/pkg.tar.gz'
41
41
my-local-pkg: file:../libs/my-local-pkg
42
42
devDependencies:
43
43
react: 18.1.0
44
44
45
45
# workspace project in packages/some-ws-pkg directory from root.
46
-
packages/some-ws-pkg:
46
+
packages/some-ws-pkg:
47
47
specifiers:
48
48
commander: 9.2.0
49
49
dependencies:
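Review bot: the removed and re-added lines 38 (`my-local-pkg: file:../libs/my-local-pkg`) and 46 (`packages/some-ws-pkg:`) are identical in the rendered view, so this hunk changes indentation only. Because this is a YAML example, indentation carries meaning: confirm that `my-local-pkg` still sits under `specifiers:` at the same depth as `react: '*'`, and that `packages/some-ws-pkg:` is at the same depth as the root importer key, otherwise the example no longer parses as shown.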
@@ -104,7 +104,7 @@ FOSSA will use provided `repo` and `commit` attribute to analyze this dependency
104
104
dev: false
105
105
```
106
106
107
-
* If the dependency was resolved using tarball (`resolution` will have `tarball` attribute)
107
+
* If the dependency was resolved using tarball (`resolution` will have `tarball` attribute)
108
108
FOSSA will use provided URL address to download and analyze this dependency.
109
109
110
110
```yaml
@@ -118,11 +118,11 @@ FOSSA will use provided URL address to download and analyze this dependency.
118
118
```
119
119
120
120
* If the dependency was resolved using the local directory (`resolution` will have the `type: directory` attribute),
121
-
FOSSA will not analyze this dependency. Local dependency's transitive dependencies will be analyzed,
122
-
and they will be promoted in place of local dependency.
121
+
FOSSA will not analyze this dependency. Local dependency's transitive dependencies will be analyzed,
122
+
and they will be promoted in place of local dependency.
123
123
124
124
```yaml
125
-
# FOSSA will not analyze this dependency,
125
+
# FOSSA will not analyze this dependency,
126
126
# But FOSSA will analyze its transitive dependency (if they are not sourced from the local directory)
127
127
#
128
128
# FOSSA will promote loose-envify of 1.4.0 in place of unifier.
@@ -136,7 +136,7 @@ and they will be promoted in place of local dependency.
136
136
dev: false
137
137
```
138
138
139
-
* If the dependency was resolved using registry resolver, FOSSA will use the registry to analyze the dependency.
139
+
* If the dependency was resolved using registry resolver, FOSSA will use the registry to analyze the dependency.
140
140
CLI will infer the package name and version using `/${dependencyName}/${dependencyVersion}` scheme from the package's key.
141
141
142
142
```yaml
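Review bot: context line 140 still states that the CLI infers the package name and version from the package key using the `/${dependencyName}/${dependencyVersion}` scheme. The commit message says v9 package keys have no leading slash, and the note being removed at the end of this file says the version is appended to the package name in v9, so this sentence is now wrong for v9 lockfiles; add a sentence describing the v9 key form next to the pre-v9 form so readers know which one applies to their lockfile.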
@@ -151,7 +151,7 @@ CLI will infer the package name and version using `/${dependencyName}/${dependen
151
151
* Pnpm workspaces are supported.
152
152
* Development dependencies (`dev: true`) are ignored by default from analysis. To include them in the analysis, execute CLI with `--include-unused` flag e.g. `fossa analyze --include-unused`.
153
153
* Optional dependencies are included in the analysis by default. They can be ignored in FOSSA UI.
154
-
* `fossa-cli` supports lockFileVersion: 4.x, 5.x, and 6.x.
At this time, the latest version of pnpm (v9) and its associated v9 lockfiles are not correctly parsed by FOSSA. Please revert to v8 (v6 lockfile) if your dependencies are not resolved in the FOSSA UI: "FOSSA was unable to analyze this dependency. If it is behind a private registry or auth you may need to configure FOSSA's access, then rebuild this dependency."This is due to the version number being appended to the package name:
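Review bot: this deletion drops the supported lockFileVersion list (4.x, 5.x, and 6.x) together with the v9 caveat, and no replacement line is visible in this view. Keep a supported-versions bullet and extend it to include the v9 lockfile, since the commit title is "Basic support for pnpm 9 lockfiles" and readers use this list to tell whether their lockfile will be parsed; also confirm the quoted UI error text is removed rather than moved elsewhere, as the workaround it describes no longer applies.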