
Add yarn v4 support in Dependency Scanning

We are getting an "unsupported yarn.lock file version 8" error in Gemnasium with Yarn v4. We really hope you can add support for the new Yarn version.

NOTE: if you are a user who would also like to see this feature, please UPVOTE 👍 it and comment to help it get prioritized (so it is raised as part of our sensing mechanisms). Comments ideally should include what you want, how it would help you, what your pain point/frustration is today, and anything else that can help us focus on solving the problem.

If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information as possible (what they are trying to solve for, their setup) in addition to a Salesforce or Zendesk link.

Release notes

Problem to solve

Yarn v4 projects are not supported by our SCA features (Dependency Scanning and License Scanning). Yarn 4 release announcement: https://yarnpkg.com/blog/release/4.0

Intended users

User experience goal

Proposal

Make the existing Gemnasium Yarn parser capable of parsing lock files for yarn v4.

Implementation Plan

  1. Rename the yarnV3LockfileVersion variable to yarnV4LockfileVersion and set it to 8, the __metadata.version value that Yarn v4 writes to yarn.lock (the value reported in the error above).

Further details

The lockfile version for Yarn has been bumped twice (to 7 and then 8) since we last added support for version 6. Here are the git blames from v5 to v8.

We don't use the libc field, the conditions field, or the compression level, so those changes do not affect us. In addition, we only check for the workspace: and patch: prefixes, so the npm: prefix normalization does not impact us either.
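The change in the implementation plan is a one-constant bump, but it helps to see where that constant sits in a lock file reader. The Go program below is an added example, not Gemnasium's code: a minimal Yarn Berry yarn.lock reader that checks __metadata.version against a supported range, extracts the resolved version of each entry, skips workspace: entries and leaves npm: and patch: descriptors as they are, which is the behaviour the paragraph above describes. The names ParseYarnBerryLock, SampleLock, IsSupportedLockfileVersion, the lower bound of 4 in minSupportedLockfileVersion and the sample lock file contents are assumptions made for this example; only the Yarn 4 value of 8 comes from the issue.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Values of __metadata.version written by Yarn Berry. 8 is the Yarn 4 value the
// issue reports; the lower bound is an assumption for this example, not Gemnasium's.
const (
	minSupportedLockfileVersion = 4
	yarnV4LockfileVersion       = 8
)

// IsSupportedLockfileVersion is the check the implementation plan widens: the
// upper bound moves from the Yarn 3 value (6) to yarnV4LockfileVersion (8).
func IsSupportedLockfileVersion(v int) bool {
	return v >= minSupportedLockfileVersion && v <= yarnV4LockfileVersion
}

type Package struct{ Name, Version string } // one resolved lockfile entry

type Lockfile struct { // the subset of a Berry yarn.lock a scanner needs
	MetadataVersion int
	Packages        []Package
}

// ParseYarnBerryLock reads a Yarn Berry (v2+) lockfile with a line scanner: top-level
// keys are descriptor lists ("name@range, ..."), the two-space-indented fields below
// them hold the resolved version, and deeper indentation (dependencies:, bin:, ...)
// is skipped so a dependency literally named "version" cannot be misread.
func ParseYarnBerryLock(content string) (*Lockfile, error) {
	lf := &Lockfile{MetadataVersion: -1} // -1: no __metadata block seen
	currentName := ""                    // name of the current entry; "" means skip it
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.TrimSpace(line) == "" || strings.HasPrefix(line, "#"):
			continue
		case !strings.HasPrefix(line, " "): // top-level key
			key := strings.Trim(strings.TrimSuffix(line, ":"), `"`)
			first, _, _ := strings.Cut(key, ", ")
			name, rng := splitDescriptor(first)
			// workspace: entries are the project's own packages, not dependencies;
			// patch: keeps the patched package's name and npm: is the default protocol.
			currentName = name
			if strings.HasPrefix(rng, "workspace:") {
				currentName = ""
			}
		case strings.HasPrefix(line, "  ") && !strings.HasPrefix(line, "   "):
			field, value, ok := strings.Cut(strings.TrimSpace(line), ": ")
			if !ok || field != "version" {
				continue
			}
			value = strings.Trim(value, `"`)
			if currentName == "__metadata" {
				v, err := strconv.Atoi(value)
				if err != nil {
					return nil, fmt.Errorf("bad __metadata.version %q: %w", value, err)
				}
				lf.MetadataVersion = v
			} else if currentName != "" {
				lf.Packages = append(lf.Packages, Package{currentName, value})
			}
		}
	}
	if !IsSupportedLockfileVersion(lf.MetadataVersion) {
		return nil, fmt.Errorf("unsupported yarn.lock file version %d", lf.MetadataVersion)
	}
	return lf, nil
}

// splitDescriptor turns "@types/node@npm:^20" into ("@types/node", "npm:^20"):
// the separator is the first "@" after position 0, so scoped names survive.
func splitDescriptor(desc string) (name, rng string) {
	bare := strings.TrimPrefix(desc, "@") // step over the "@" of a scoped name
	if head, tail, ok := strings.Cut(bare, "@"); ok {
		return desc[:len(desc)-len(bare)] + head, tail
	}
	return desc, ""
}

// SampleLock returns a constructed Yarn 4 style lockfile (not taken from any real
// project) with the given __metadata.version, so the parser can be run offline.
func SampleLock(version int) string {
	return fmt.Sprintf(`__metadata:
  version: %d

"@types/node@npm:^20.0.0":
  version: 20.11.5

"lodash@npm:^4.17.20, lodash@npm:^4.17.21":
  version: 4.17.21
  resolution: "lodash@npm:4.17.21"

"my-app@workspace:.":
  version: 0.0.0-use.local
  dependencies:
    lodash: "npm:^4.17.21"
`, version)
}
```

With version 8 the sample parses to two third-party packages (@types/node 20.11.5 and lodash 4.17.21); the same file with version 9 is rejected with the exact "unsupported yarn.lock file version N" message the reporter saw, which is the behaviour a future lockfile bump will trigger again until the upper bound is raised.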

Permissions and Security

No change

Documentation

We need to update the relevant section in the documentation, saying that we do support Yarn v4.

Availability & Testing

The following items need to be processed:

  • Unit tests for both Yarn v2 and v3 lock files.
  • Integration tests using rspec for Yarn v2. If time permits, we can also add tests for Yarn v3; otherwise we can do it as part of 351841.
  • Test projects should be created for Yarn v2 and v3. These projects need to follow the test-common guidelines.

What does success look like, and how can we measure that?

Demo

What is the type of buyer?

Is this a cross-stage feature?

Links / references

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by Oscar Tovar