Support yarn v3 in Dependency Scanning
Note to wider-community, sales, support and customer success
As always, we welcome contributions, so feel free to ask the PM of Composition Analysis if you are unsure about what needs to be done here and want to contribute the fix yourself!
NOTE if you are a user who also would like to see this feature, please UPVOTE
If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!) Please remember to upvote and include as much information (what they are trying to solve for, their setup) as possible in addition to a salesforce or zendesk link.
Proposal
We are currently working on adding support for Yarn v2 in #263358 (closed). One benefit of supporting Yarn v2 lock files is that we also gain support for Yarn v3, because the two versions share the same lock file structure. The goal of the Yarn v2 support issue is to extend the existing Gemnasium Yarn parser so that it can parse lock files for both Yarn v2 and v3. This requires the parser to distinguish between Yarn Classic and Yarn Berry lock files and treat each accordingly: a Classic lock file carries a "# yarn lockfile v1" header comment, whereas a Berry lock file is YAML with a top-level __metadata block whose version field identifies the lock file format. Note that Yarn Berry refers to Yarn versions 2 and later.
Implementation Plan
Since the Yarn v2 support issue will extend the Gemnasium Yarn parser to handle Yarn v3 lock files, this issue is about making sure everything else we need for a first iteration is in place. Keep in mind that initially we will not be supporting:
- workspaces: workspace packages will not show up in the generated report
- dependency paths: we will not build a dependency graph, so the UI cannot show information such as dependency paths
- remediation for Berry lock files: remediation will be disabled for Berry lock files regardless of the DS_REMEDIATE environment variable
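The lock file distinction described in the proposal and the first-iteration rules listed above, as an added example that is not Gemnasium's parser or any GitLab code: it tells a Classic lock file apart from a Berry one by their headers, parses a Berry lock file line by line (no YAML library, since the fields a scanner needs sit at a fixed indent), and sets workspace entries and patch packages aside rather than reporting them. The lock file contents are constructed for the example; the function names and the report layout are this example's own.

```python
# Added example, not Gemnasium's parser: detect Yarn Classic vs Berry lock
# files, list what a Berry lock pins, and apply the first-iteration rules.
import re

# Constructed sample of a Yarn Berry (v3) lock file: a scoped npm package,
# a package pinned by two ranges, the root workspace and a patched package.
BERRY_LOCK = """\
# This file is generated by running "yarn install" inside your project.
__metadata:
  version: 6

"@babel/core@npm:^7.20.0":
  version: 7.21.4
  resolution: "@babel/core@npm:7.21.4"

"lodash@npm:^4.17.20, lodash@npm:^4.17.21":
  version: 4.17.21
  resolution: "lodash@npm:4.17.21"

"my-app@workspace:.":
  version: 0.0.0-use.local
  resolution: "my-app@workspace:."
  dependencies:
    "@babel/core": ^7.20.0
    lodash: ^4.17.21

"resolve@patch:resolve@npm%3A1.22.1#~builtin<compat/resolve>::version=1.22.1&hash=07638b":
  version: 1.22.1
  resolution: "resolve@patch:resolve@npm%3A1.22.1#~builtin<compat/resolve>::version=1.22.1&hash=07638b"
"""

# Constructed sample of a Yarn Classic (v1) lock file.
CLASSIC_LOCK = """\
# yarn lockfile v1
lodash@^4.17.21:
  version "4.17.21"
"""

# Top-level key ("quoted descriptors" or a bare word) followed by a colon.
ENTRY_RE = re.compile(r'^(?:"(?P<q>[^"]*)"|(?P<u>[^\s"#][^:]*)):\s*$')
# Two-space-indented scalar field; nested maps such as dependencies sit deeper.
FIELD_RE = re.compile(r'^  (?P<field>[A-Za-z]+): (?P<value>.+)$')


def lockfile_flavor(text):
    """Return 'classic', 'berry' or 'unknown' for the contents of a yarn.lock."""
    if re.search(r"^# yarn lockfile v1\s*$", text, re.MULTILINE):
        return "classic"
    if re.search(r"^__metadata:\s*$", text, re.MULTILINE):
        return "berry"
    return "unknown"


def split_resolution(resolution):
    """'@scope/name@protocol:...' -> (name, protocol); scoped names keep the '@'."""
    at = resolution.index("@", 1)
    return resolution[:at], resolution[at + 1:].split(":", 1)[0]


def parse_berry(text):
    """Line-based parse of a Berry lock file into metadata and package records."""
    metadata, packages, current = {}, [], None
    for line in text.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            key = entry.group("q") if entry.group("q") is not None else entry.group("u")
            current = metadata if key == "__metadata" else {"descriptors": key}
            if current is not metadata:
                packages.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field.group("field")] = field.group("value").strip('"')
    for pkg in packages:
        pkg["name"], pkg["protocol"] = split_resolution(pkg["resolution"])
    return {"metadata": metadata, "packages": packages}


def berry_report(text):
    """First-iteration view of a Berry lock: report registry packages, set
    workspace entries and patch packages aside instead of guessing versions."""
    if lockfile_flavor(text) != "berry":
        raise ValueError("not a Yarn Berry lock file")
    report = {"packages": [], "skipped_workspaces": [], "patch_packages": []}
    for pkg in parse_berry(text)["packages"]:
        if pkg["protocol"] == "workspace":
            report["skipped_workspaces"].append(pkg["name"])
        elif pkg["protocol"] == "patch":
            report["patch_packages"].append(pkg["name"])
        else:
            report["packages"].append((pkg["name"], pkg["version"]))
    return report
```

Taking the package name from the resolution field rather than from the descriptor key matters for the edge cases above: a key can hold several comma-separated ranges, and a patch descriptor embeds a second "@" inside its URL-like payload, so splitting the key on "@" would misname the package. The metadata version is what a parser should check before trusting the layout, since Berry has bumped it across releases.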
Tasks:
- Create a Yarn v3 test project. The test project should contain known vulnerabilities and follow the test-common guidelines.
- Add integration tests for Yarn v3.
- Update documentation (will be done as part of #263358).
Future work
We can add more features to the Gemnasium Yarn v2 support. In order to work in iterations we have extracted the following follow-up issues:
- Perform dependency remediation for Yarn Berry
- Add support for workspaces in Yarn Berry Dependency Scanning
- Add support for Yarn Berry dependency paths
- Decide what to do with Yarn Berry patch packages
Further details
For more details, see the relevant section in the Yarn v2 support issue.
Documentation
We need to update the relevant section in the documentation. This will be done as part of the Yarn v2 support issue.
EDIT: Support for Yarn v2 and v3 lock files was introduced in GitLab 15.11; the feature is also available on earlier GitLab versions from 15.0 onwards.
Availability & Testing
The following items need to be processed:
- Unit tests for Yarn v3 lock files.
- Integration tests using rspec for Yarn v3
- A test project should be created for Yarn v3. The project needs to follow the test-common guidelines. We should also investigate whether the Yarn v2 and v3 test repos can be added to the e2e test suite.
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.