Conversation
1. Handle package keys without leading slash in v9 format
2. Add support for catalog versions (workspace:*) in v9 format
3. Improve version normalization and handling
4. Add more test cases and documentation
- Add catalogs field to PnpmLockfile type
- Create CatalogMap and CatalogEntry types for parsing catalog data
- Add getPackageVersion helper to resolve catalog versions
- Update version parsing to properly handle v7-v9 lockfiles
- Track dev dependencies from importers section
- Consider both importers and packages sections when determining dev status
- Pass dev dependency status through dependency resolution chain
- Update toDependency to combine isDev flags from both sources
- Rename version field in CatalogEntry to catalogVersion to avoid collision with ProjectMapDepMetadata
- Use parseJSON instead of undefined parseCatalogEntry
- Use fully qualified Yaml.parseJSON to fix compilation error
- Add KeyMap import
- Convert Object to Map Text using KeyMap.toMap
Reverting commits from Jan 31 - Feb 3 to restore the branch to how csasarak left it on Jan 3rd (d78d81b)
spatten approved these changes on Jul 8, 2025
spatten (Contributor) left a comment:
Looks good! I had a few comments and questions, but nothing blocking.
| type SnapShotDepRev = Text | ||
| -- | Lockfile versions > 9 use snapshots to represent the dependency graph. |
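Review bot: the comment on this line says lockfile versions > 9 use snapshots, yet the PR overview describes adding support for version 9 itself; if v9 is the first format that carries a snapshots section, the bound should read >= 9 (or "version 9 and later"), otherwise the comment reads as excluding the version being added. The bare alias SnapShotDepRev = Text would also benefit from a one-line comment giving the shape of a value, which would answer the request for a lockfile snippet.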
Contributor comment:
Can you add an example of what this looks like? Just a snippet of the lockfile so that we can see the structure
| pure $ PnpmLockfile refinedImporters packages rawLockFileVersion | ||
| pure $ PnpmLockfile{importers = refinedImporters, packages = packages, lockFileVersion = rawLockFileVersion, lockFileSnapshots = snapshots} | ||
| where | ||
| getVersion (TextLike ver) = case (listToMaybe . toString $ ver) of |
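Review bot: getVersion keeps only the first character of the version text (listToMaybe . toString $ ver), so '9.0' correctly yields '9' but any two-digit major such as '10.0' would be reduced to '1' and matched against the wrong branch; splitting on '.' and comparing the whole major component would be safer. The switch from the positional constructor to record syntax for PnpmLockfile is welcome, since it makes the new lockFileSnapshots field explicit at the construction site.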
Contributor comment:
I'm a bit confused about how TextLike deals with a version like '9.0', like we see here. Does that get parsed as an int and then turned into a string of '9'?
Author (Contributor) reply:
Good call out, this was tricky and took me a bit of time to figure out. It turns out listToMaybe either returns Nothing for an empty list or the first element of the list in Just for a non-empty one.
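The reviewer's request for a snippet showing the v9 structure, and the exchange about how a version like '9.0' is normalised, are easier to follow with a concrete walk through the format. The following Python is an added example, not code from fossa-cli or from this PR. The lockfile it embeds is a constructed v9-style snippet (placeholder integrity hashes, a made-up package set), written out as the objects a YAML loader would return so that no YAML library is needed, and the helper names (major_version, split_package_key, resolve_catalog, direct_dependencies, production_packages) are mine, not the PR's. It covers the points listed in the commit messages: package keys without the leading slash, catalog: specifiers resolved through the top-level catalogs section, dev status combined across importers, and the snapshots section as the resolved graph. Treating a package as dev only when every importer that uses it lists it under devDependencies is my assumption about how the isDev flags should be combined; the PR also consults the packages section, which this example does not.

```python
from typing import Dict, Iterable, List, Set, Tuple, Union

# Constructed v9-style pnpm-lock.yaml, shown as the objects yaml.safe_load
# would return. Package set and integrity hashes are placeholders.
LOCKFILE_V9 = {
    "lockfileVersion": "9.0",  # quoted string in v6+; a plain number (5.4) in v5
    "catalogs": {
        "default": {"react": {"specifier": "^18.2.0", "version": "18.3.1"}},
    },
    "importers": {
        ".": {
            "dependencies": {"react": {"specifier": "catalog:", "version": "18.3.1"}},
            "devDependencies": {"typescript": {"specifier": "^5.0.0", "version": "5.4.5"}},
        },
        "packages/app": {
            "dependencies": {"typescript": {"specifier": "^5.0.0", "version": "5.4.5"}},
            "devDependencies": {"vitest": {"specifier": "^1.0.0", "version": "1.6.0"}},
        },
    },
    # v9 keys carry no leading slash (v6 wrote "/react@18.3.1").
    "packages": {
        "react@18.3.1": {"resolution": {"integrity": "sha512-PLACEHOLDER"}},
        "loose-envify@1.4.0": {"resolution": {"integrity": "sha512-PLACEHOLDER"}},
        "typescript@5.4.5": {"resolution": {"integrity": "sha512-PLACEHOLDER"}, "hasBin": True},
        "vitest@1.6.0": {"resolution": {"integrity": "sha512-PLACEHOLDER"}, "hasBin": True},
    },
    # snapshots: the resolved dependency graph, one entry per package key.
    "snapshots": {
        "react@18.3.1": {"dependencies": {"loose-envify": "1.4.0"}},
        "loose-envify@1.4.0": {},
        "typescript@5.4.5": {},
        "vitest@1.6.0": {},
    },
}


def major_version(raw: Union[str, float, int]) -> int:
    """Normalise lockfileVersion (5.4, '6.0', '9.0', '10.0') to its major number.

    Splitting on '.' rather than taking the first character keeps a
    two-digit major intact.
    """
    return int(str(raw).split(".", 1)[0])


def split_package_key(key: str) -> Tuple[str, str]:
    """'react@18.3.1' or '@scope/pkg@1.0.0' -> (name, version).

    Accepts the v6 leading slash and drops a trailing '(peer@ver)' suffix;
    the last '@' separates name from version so scoped names survive.
    """
    key = key.lstrip("/").split("(", 1)[0]
    name, _, version = key.rpartition("@")
    return name, version


def resolve_catalog(lock: dict, name: str, specifier: str) -> str:
    """Resolve 'catalog:' (default) or 'catalog:<name>' to a concrete version."""
    catalog_name = specifier[len("catalog:"):] or "default"
    entry = lock.get("catalogs", {}).get(catalog_name, {}).get(name)
    if entry is None:
        raise KeyError(f"{name} not found in catalog {catalog_name!r}")
    return entry["version"]


def direct_dependencies(lock: dict) -> Dict[str, Tuple[str, bool]]:
    """Map name -> (version, is_dev) across every importer.

    Assumption: a package is dev only if all importers using it list it
    under devDependencies; one production use anywhere wins.
    """
    result: Dict[str, Tuple[str, bool]] = {}
    for importer in lock.get("importers", {}).values():
        for section, is_dev in (("dependencies", False), ("devDependencies", True)):
            for name, meta in importer.get(section, {}).items():
                spec = meta.get("specifier", "")
                version = (resolve_catalog(lock, name, spec)
                           if spec.startswith("catalog:") else meta["version"])
                prev = result.get(name)
                result[name] = (version, is_dev if prev is None else prev[1] and is_dev)
    return result


def transitive_closure(lock: dict, roots: Iterable[str]) -> Set[str]:
    """Walk the snapshots graph from 'name@version' roots."""
    seen: Set[str] = set()
    stack = list(roots)
    while stack:
        key = stack.pop()
        if key in seen:
            continue
        seen.add(key)
        for dep, ver in lock.get("snapshots", {}).get(key, {}).get("dependencies", {}).items():
            stack.append(f"{dep}@{ver}")
    return seen


def production_packages(lock: dict) -> List[str]:
    """Sorted 'name@version' keys reachable from the non-dev direct dependencies."""
    roots = [f"{n}@{v}" for n, (v, dev) in direct_dependencies(lock).items() if not dev]
    return sorted(transitive_closure(lock, roots))


if __name__ == "__main__":
    print("lockfile major:", major_version(LOCKFILE_V9["lockfileVersion"]))
    print("production set:", production_packages(LOCKFILE_V9))
```

production_packages is the set an SCA tool would want to scan: vitest (dev-only) drops out, while typescript stays because a second importer uses it in production, which is why the dev flag has to be combined across importers rather than taken from the first occurrence. A missed catalog resolution would leave react without a concrete version, so resolve_catalog raises instead of silently returning the bare specifier.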
Co-authored-by: Scott Patten <scott@fossa.com>
Overview
This PR attempts to add some support for version 9 of PNPM's lockfile.
Acceptance criteria
pnpm-workspace.yaml file is now supported.
Testing plan
I used both pnpm's own repo and the vuejs core repo to verify. I made sure that dev dependencies were not included in the output and verified that dependencies from multiple sub-modules were included properly.
Additionally, there are integration tests testing both the workspace case and the non-workspace case.
Risks
There isn't really a very detailed spec for the lockfile, so some of this I had to develop empirically rather than to spec. I would expect we'll get some bug reports for the functionality in this PR.
Additionally, the PNPM strategy probably should be refactored into several sub-parsers which each support some lockfile range. As it is now, a lot of the code for different versions is intermingled and just works by conditional branching and/or combining fields from different versions which is a smell IMO. I did not have time to do this refactor myself though so it's left for a future time, or Ficus. Overall, I think this PR is a bit gross but an improvement on the status quo.
References
ANE-2235
Checklist
- docs/.
- docs/README.md and gave consideration to how discoverable or not my documentation is.
- Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
- .fossa.yml or fossa-deps.{json,yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
- docs/references/subcommands/<subcommand>.md.