Decide what to do with Yarn berry patch packages
Release notes
Problem to solve
Yarn patches are ignored by Gemnasium dependency scanning in order to avoid duplicate components in the SBOM report: a patched package shows up in yarn.lock twice, once under its npm locator and once under its patch locator, and emitting both would list the same name and version twice. These patches can carry fixes for vulnerabilities, so they should not be ignored.
Proposal
Yarn berry lets the user apply a custom patch to a dependency with yarn patch (the edited copy is then recorded with yarn patch-commit). The result is a new entry in package.json and also in yarn.lock.
For example, in the following snippet from a yarn.lock file you can see both the entry for the resolve package and the resolve@patch entry that wraps it. The patch source in this particular entry, ~builtin<compat/resolve>, is a compatibility patch that Yarn applies on its own; a patch created by the user with yarn patch produces an entry of the same shape, except that the part after the # is the path of the patch file under .yarn/patches.
"resolve@npm:^2.0.0-next.4":
  version: 2.0.0-next.4
  resolution: "resolve@npm:2.0.0-next.4"
  dependencies:
    is-core-module: ^2.9.0
    path-parse: ^1.0.7
    supports-preserve-symlinks-flag: ^1.0.0
  bin:
    resolve: bin/resolve
  checksum: c438ac9a650f2030fd074219d7f12ceb983b475da2d89ad3d6dd05fbf6b7a0a8cd37d4d10b43cb1f632bc19f22246ab7f36ebda54d84a29bfb2910a0680906d3
  languageName: node
  linkType: hard

"resolve@patch:resolve@^2.0.0-next.4#~builtin<compat/resolve>":
  version: 2.0.0-next.4
  resolution: "resolve@patch:resolve@npm%3A2.0.0-next.4#~builtin<compat/resolve>::version=2.0.0-next.4&hash=c3c19d"
  dependencies:
    is-core-module: ^2.9.0
    path-parse: ^1.0.7
    supports-preserve-symlinks-flag: ^1.0.0
  bin:
    resolve: bin/resolve
  checksum: 4bf9f4f8a458607af90518ff73c67a4bc1a38b5a23fef2bb0ccbd45e8be89820a1639b637b0ba377eb2be9eedfb1739a84cde24fe4cd670c8207d8fea922b011
  languageName: node
  linkType: hard
Currently we ignore package definitions in yarn.lock whose locator does not use the npm protocol (that is, entries that do not contain @npm:), which is what drops the patch entries. This was introduced in this MR.
We should figure out how to process patch entries. Note that the resolution of a patch entry still contains the locator of the package it patches (resolve@npm%3A2.0.0-next.4 in the snippet above, percent-encoded), so a patch entry can be tied back to the component it modifies rather than reported as a second component with the same name and version. Perhaps we can then take the patch into account when discovering vulnerabilities. We need to investigate whether this is possible and how to proceed.
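As an added illustration (not Gemnasium code, and not a decision this issue has taken), the Go program below parses the lockfile fragment above and folds the patch entry into the component it patches, keeping the patch source on that single component together with the checksum of the unpatched package. The join is possible because the patch entry's resolution carries the wrapped locator percent-encoded (resolve@npm%3A2.0.0-next.4). The type and function names are my own; the embedded lockfile text is the fragment from this issue with its indentation restored and the dependency list dropped.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// LockEntry holds the scalar fields of one top-level yarn.lock (Yarn berry, v2+) block.
type LockEntry struct{ Version, Resolution, Checksum string }

// Component is one SBOM component per name@version; PatchSource is set when a patch entry was folded into it.
type Component struct{ Name, Version, Checksum, PatchSource string }

// ParseYarnLock keeps each block's two-space-indented scalar fields; nested maps (dependencies, bin) are skipped.
func ParseYarnLock(content string) []LockEntry {
	var entries []LockEntry
	for _, line := range strings.Split(content, "\n") {
		field, value, ok := strings.Cut(strings.TrimSpace(line), ": ")
		switch {
		case strings.TrimSpace(line) == "" || strings.HasPrefix(line, "#"): // blank or comment line
		case !strings.HasPrefix(line, " "): // unindented `"descriptor":` opens a new block
			entries = append(entries, LockEntry{})
		case ok && len(entries) > 0 && strings.HasPrefix(line, "  ") && !strings.HasPrefix(line, "   "):
			cur := &entries[len(entries)-1] // scalar field of the current block
			fields := map[string]*string{"version": &cur.Version, "resolution": &cur.Resolution, "checksum": &cur.Checksum}
			if p := fields[field]; p != nil {
				*p = strings.Trim(value, `"`)
			}
		}
	}
	return entries
}

// splitLocator parses `name@protocol:reference`; a scoped name keeps its leading @ and only the next @ counts.
func splitLocator(loc string) (name, protocol, reference string) {
	rest := strings.TrimPrefix(loc, "@")
	i := strings.Index(rest, "@")
	if i < 0 {
		return loc, "", ""
	}
	protocol, reference, _ = strings.Cut(rest[i+1:], ":")
	return loc[:len(loc)-len(rest)+i], protocol, reference
}

// UnwrapPatch follows a patch locator down to the non-patch locator it wraps; non-patch locators pass through.
func UnwrapPatch(locator string) (base, source string, err error) {
	_, protocol, reference := splitLocator(locator)
	if protocol != "patch" {
		return locator, "", nil
	}
	spec, _, _ := strings.Cut(reference, "::") // drop the ::version=...&hash=... parameters
	inner, src, ok := strings.Cut(spec, "#")   // <wrapped locator>#<patch source>
	if !ok {
		return "", "", fmt.Errorf("malformed patch locator %q", locator)
	}
	if inner, err = url.PathUnescape(inner); err != nil { // yarn.lock writes npm%3A for npm:
		return "", "", err
	}
	base, source, err = UnwrapPatch(inner) // a patch may itself wrap a patch
	return base, strings.TrimSuffix(src+", "+source, ", "), err
}

// Components folds lock entries into SBOM components keyed by name@version.
func Components(entries []LockEntry) ([]Component, error) {
	out, index := []Component{}, map[string]int{}
	get := func(name, version string) *Component { // find-or-create
		k := name + "@" + version
		if _, seen := index[k]; !seen {
			index[k], out = len(out), append(out, Component{Name: name, Version: version})
		}
		return &out[index[k]]
	}
	for _, e := range entries {
		base, source, err := UnwrapPatch(e.Resolution)
		name, protocol, _ := splitLocator(base)
		switch {
		case err != nil:
			return nil, err
		case protocol == "": // the __metadata block, or an unparsable resolution
		case source != "":
			get(name, e.Version).PatchSource = source
		default:
			get(name, e.Version).Checksum = e.Checksum
		}
	}
	return out, nil
}

// sampleLock is the fragment quoted in this issue (indentation restored, dependency list dropped).
const sampleLock = `"resolve@npm:^2.0.0-next.4":
  version: 2.0.0-next.4
  resolution: "resolve@npm:2.0.0-next.4"
  checksum: c438ac9a650f2030fd074219d7f12ceb983b475da2d89ad3d6dd05fbf6b7a0a8cd37d4d10b43cb1f632bc19f22246ab7f36ebda54d84a29bfb2910a0680906d3

"resolve@patch:resolve@^2.0.0-next.4#~builtin<compat/resolve>":
  version: 2.0.0-next.4
  resolution: "resolve@patch:resolve@npm%3A2.0.0-next.4#~builtin<compat/resolve>::version=2.0.0-next.4&hash=c3c19d"
  checksum: 4bf9f4f8a458607af90518ff73c67a4bc1a38b5a23fef2bb0ccbd45e8be89820a1639b637b0ba377eb2be9eedfb1739a84cde24fe4cd670c8207d8fea922b011
`

func main() {
	comps, err := Components(ParseYarnLock(sampleLock))
	fmt.Printf("%+v %v\n", comps, err)
}
```

Run as is, the program reports a single resolve@2.0.0-next.4 component whose PatchSource is ~builtin<compat/resolve>. A user patch made with yarn patch is handled the same way, with the patch file path as the source, and the __metadata block at the top of a real yarn.lock is skipped because it has no resolution. Whether the SBOM should carry the patch as a property of the component is exactly the open question above; the program only shows that the information needed for that is recoverable from yarn.lock.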
Intended users
This feature will be used by any user of dependency scanning who has a Yarn berry project. Possible personas include a Software Engineer in Test, a Security Operations Engineer, a Release Manager, a Security Analyst and a Software Developer.
Feature Usage Metrics
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.