
Support yarn v3 in Dependency Scanning

Note to wider-community, sales, support and customer success

As always, we welcome contributions, so feel free to ask the PM of Composition Analysis questions if you are unsure about what needs to be done here and want to contribute the fix yourself!

NOTE: if you are a user who would also like to see this feature, please UPVOTE 👍 it and comment to help it get prioritized (so it is raised as part of our sensing mechanisms). Comments should ideally include what you want, how it would help you, what your pain point/frustration is today, and anything else that can help us focus on solving the problem.

If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information as possible (what they are trying to solve for, their setup) in addition to a Salesforce or Zendesk link.


NOTE: if you are a user who is also seeing this bug, please UPVOTE 👍 it and comment to help it get prioritized (so it is raised as part of our sensing mechanisms). Comments should ideally include whether you are on SaaS (gitlab.com) or self-hosted (and what version you are on) and any additional steps to reproduce that you can share.

Proposal

We are currently working on adding support for Yarn v2 in #263358 (closed). One benefit of supporting Yarn v2 lock files is that we also gain support for Yarn v3, due to the similar structure of their lock files. The goal of the Yarn v2 support issue is to enhance the existing Gemnasium Yarn parser so that it can parse lock files for both Yarn v2 and v3. This will require the parser to distinguish between Yarn Classic and Berry, and treat the lock files accordingly. It's important to note that Yarn berry refers to Yarn versions greater than or equal to 2.
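The distinction the proposal relies on can be made from the head of the lock file alone: a Classic lock file carries the `# yarn lockfile v1` header comment, while a Berry (v2/v3) lock file opens with a top-level `__metadata:` block whose `version:` field gives the lockfile format version. The following Go snippet is an added illustration of that check, not Gemnasium's own parser code; the function name and the constructed sample lock files are assumptions.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

// LockFormat is the yarn.lock dialect a parser must pick before reading entries.
type LockFormat int

const (
	Unknown LockFormat = iota
	Classic            // Yarn v1: header comment "# yarn lockfile v1"
	Berry              // Yarn >= 2 (v2 and v3): top-level "__metadata:" block
)

// DetectYarnLockFormat reads the leading lines of a yarn.lock and returns the
// dialect and, for Berry files, the lockfile version from the __metadata block.
func DetectYarnLockFormat(content string) (LockFormat, int) {
	sc := bufio.NewScanner(strings.NewReader(content))
	inMetadata, version := false, 0
	for sc.Scan() {
		line := sc.Text()
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == "# yarn lockfile v1":
			return Classic, 0
		case trimmed == "__metadata:":
			inMetadata = true
		case inMetadata && strings.HasPrefix(line, " ") && strings.HasPrefix(trimmed, "version:"):
			version, _ = strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(trimmed, "version:")))
		case inMetadata && trimmed != "" && !strings.HasPrefix(line, " "):
			return Berry, version // first package entry ends the metadata block
		}
	}
	if inMetadata {
		return Berry, version
	}
	return Unknown, 0
}

// Constructed sample lock files (hypothetical, not taken from any real project).
const sampleClassic = "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.\n" +
	"# yarn lockfile v1\n\n\nlodash@^4.17.21:\n  version \"4.17.21\"\n"

const sampleBerry = "# This file is generated by running \"yarn install\" inside your project.\n" +
	"# Manual changes might be corrupted.\n\n__metadata:\n  version: 6\n  cacheKey: 8\n\n" +
	"\"lodash@npm:^4.17.21\":\n  version: 4.17.21\n  resolution: \"lodash@npm:4.17.21\"\n"
```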

Implementation Plan

Since the Yarn v2 support issue will extend the Gemnasium Yarn parser to parse Yarn v3 lock files, with this issue we need to make sure we have everything in place for our first iteration. Keep in mind that initially we will not be supporting:

  • workspaces: workspaces will not show up in the generated report
  • dependency paths: we will not be creating a dependency graph, so information such as dependency paths cannot be shown in the UI
  • remediation for Berry lock files: remediation will be disabled for Berry lock files regardless of the DS_REMEDIATE environment variable

Tasks:

  • Create a Yarn v3 test project. The test project should have vulnerabilities and it should follow the test-common guidelines.
  • Add integration tests for Yarn v3
  • Update documentation (will be done as part of 263358)

Future work

We can add more features to the Gemnasium Yarn v2 support. In order to work in iterations we have extracted the following follow-up issues:

Further details

For more details, see the relevant section in the Yarn v2 support issue.

Documentation

We need to update the relevant section in the documentation. This will be done as part of the Yarn v2 support issue.

EDIT: Support for Yarn v2 and v3 was introduced in GitLab 15.11; however, this feature is also available to versions of GitLab >= 15.0.

Availability & Testing

The following items need to be processed:

  • Unit tests for Yarn v3 lock files.
  • Integration tests using rspec for Yarn v3.
  • A test project should be created for Yarn v3. The project needs to follow the test-common guidelines. We should also investigate whether we can add these test repos for Yarn v2 and v3 to the e2e test suite.


Edited by Nick Ilieskou