
Decide what to do with Yarn berry patch packages

Release notes

Problem to solve

Yarn patches are ignored by Gemnasium dependency scanning in order to avoid duplicate components in the SBOM report. These patches could offer fixes for vulnerabilities and they should not be ignored.

Proposal

Yarn berry lets the user apply a custom patch to a dependency with yarn patch. This results in a new entry in package.json and also in yarn.lock.

For example, in the following snippet from a yarn.lock file you can see both the dependency on the resolve package and the corresponding resolve@patch entry:

```yaml
"resolve@npm:^2.0.0-next.4":
  version: 2.0.0-next.4
  resolution: "resolve@npm:2.0.0-next.4"
  dependencies:
    is-core-module: ^2.9.0
    path-parse: ^1.0.7
    supports-preserve-symlinks-flag: ^1.0.0
  bin:
    resolve: bin/resolve
  checksum: c438ac9a650f2030fd074219d7f12ceb983b475da2d89ad3d6dd05fbf6b7a0a8cd37d4d10b43cb1f632bc19f22246ab7f36ebda54d84a29bfb2910a0680906d3
  languageName: node
  linkType: hard

"resolve@patch:resolve@^2.0.0-next.4#~builtin<compat/resolve>":
  version: 2.0.0-next.4
  resolution: "resolve@patch:resolve@npm%3A2.0.0-next.4#~builtin<compat/resolve>::version=2.0.0-next.4&hash=c3c19d"
  dependencies:
    is-core-module: ^2.9.0
    path-parse: ^1.0.7
    supports-preserve-symlinks-flag: ^1.0.0
  bin:
    resolve: bin/resolve
  checksum: 4bf9f4f8a458607af90518ff73c67a4bc1a38b5a23fef2bb0ccbd45e8be89820a1639b637b0ba377eb2be9eedfb1739a84cde24fe4cd670c8207d8fea922b011
  languageName: node
  linkType: hard
```

Currently we ignore package definitions in yarn.lock that do not refer to the npm protocol (@npm). This was introduced in this MR.

We should figure out how to process patch entries. Perhaps the patches can be taken into account when discovering vulnerabilities. We need to investigate whether this is possible and how to proceed.
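One way to process patch entries without either dropping them or emitting duplicate components, as an added example that is not Gemnasium's code: read the lockfile, classify each resolution by its protocol, and fold every patch: entry onto the npm component it patches, recording the patch source and hash on that component. The lockfile sample is abridged from the snippet above; the layout of the patch resolution (base locator, then # and the patch source, then :: and query parameters) is taken from that same snippet and is assumed to hold in general. The function names and the component dictionary shape are this example's own.

```python
"""Fold Yarn berry patch: lockfile entries onto the npm component they patch.
Added example, not Gemnasium's code."""
from urllib.parse import parse_qs, unquote

# Constructed sample, abridged from the two entries quoted in the issue.
SAMPLE_LOCK = '''\
# This file is generated by running "yarn install" inside your project.
"resolve@npm:^2.0.0-next.4":
  version: 2.0.0-next.4
  resolution: "resolve@npm:2.0.0-next.4"
  dependencies:
    is-core-module: ^2.9.0
  checksum: c438ac9a650f2030fd074219d7f12ceb983b475da2d89ad3d6dd05fbf6b7a0a8
  languageName: node
  linkType: hard

"resolve@patch:resolve@^2.0.0-next.4#~builtin<compat/resolve>":
  version: 2.0.0-next.4
  resolution: "resolve@patch:resolve@npm%3A2.0.0-next.4#~builtin<compat/resolve>::version=2.0.0-next.4&hash=c3c19d"
  dependencies:
    is-core-module: ^2.9.0
  checksum: 4bf9f4f8a458607af90518ff73c67a4bc1a38b5a23fef2bb0ccbd45e8be89820
  languageName: node
  linkType: hard
'''


def _unquote(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def parse_yarn_lock(text):
    """Minimal line-based reader for the YAML-like Yarn berry lockfile.
    Returns {descriptor: entry}; a top-level key listing several descriptors
    ("a@npm:^1, a@npm:^1.2") maps each descriptor to the same entry dict."""
    entries, current, block = {}, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:                       # new lockfile entry
            current, block = {}, None
            for descriptor in _unquote(line.rstrip(":")).split(", "):
                entries[descriptor] = current
        elif indent == 2:                     # scalar field or nested block
            key, _, value = line.partition(":")
            if value.strip():
                current[key], block = _unquote(value), None
            else:
                block = current.setdefault(key, {})
        elif indent >= 4 and block is not None:
            key, _, value = line.partition(":")
            block[_unquote(key)] = _unquote(value)
    return entries


def parse_resolution(resolution):
    """Split "name@protocol:reference"; names may be scoped (@scope/name),
    so the separator is the first '@' after position 0."""
    at = resolution.index("@", 1)
    name, ref = resolution[:at], resolution[at + 1:]
    protocol, _, body = ref.partition(":")
    info = {"name": name, "protocol": protocol, "reference": body}
    if protocol == "patch":
        # Assumed layout: patch:<base locator>#<patch source>::<query params>
        source, _, query = body.partition("::")
        base, _, patch_source = source.partition("#")
        params = {k: v[0] for k, v in parse_qs(query).items()}
        info.update(base=unquote(base), patch_source=unquote(patch_source), params=params)
    return info


def build_components(entries):
    """One component per resolved package. Each patch: entry is attached to
    the component whose locator it patches; a patch whose base locator is not
    in the lockfile is kept as its own component rather than being dropped."""
    seen, components, patches = set(), {}, []
    for entry in entries.values():
        res = entry.get("resolution")
        if res is None or res in seen:        # skips __metadata and duplicates
            continue
        seen.add(res)
        info = parse_resolution(res)
        record = {"name": info["name"], "version": entry["version"], "patches": []}
        if info["protocol"] == "patch":
            patches.append((info, entry, record))
        else:
            components[res] = record
    for info, entry, record in patches:
        target = components.get(info["base"])
        if target is None:
            target = components[entry["resolution"]] = record
        target["patches"].append({"source": info["patch_source"],
                                  "hash": info["params"].get("hash"),
                                  "checksum": entry.get("checksum")})
    return list(components.values())


if __name__ == "__main__":
    import json
    print(json.dumps(build_components(parse_yarn_lock(SAMPLE_LOCK)), indent=2))
```

Running the block on the sample yields a single resolve 2.0.0-next.4 component carrying one patch record (source ~builtin<compat/resolve>, hash c3c19d), which is the information a scanner would need to decide whether a patch is relevant to a finding, without the SBOM duplication that motivated ignoring these entries.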

Intended users

This feature will be used by any user of dependency scanning who has a Yarn berry project. Possible personas include a Software Engineer in Test, a Security operations engineer, a release manager, a Security analyst and a Software developer.

Feature Usage Metrics


Edited by Nick Ilieskou