Gemnasium support for pnpm lockfileVersion 9.0
Proposal
The current implementation of the gemnasium pnpm lockfile parser supports lockfile versions 5.0, 6.0 and 6.1. The latest pnpm release, 9.x, also introduced a breaking lockfileVersion 9.0.
I got the parser working with the simple addition of the following regex:
```go
// Matches a v9 dependency path such as lodash@4.17.21 or '@scope/name@1.2.3'
// (Go raw string; the original single-quoted form would not compile).
var v9DepPathRegex = regexp.MustCompile(`^'?(?P<Name>@?[a-z0-9-._/]+)@(?P<Version>.+)`)
```
in https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/master/scanner/parser/pnpm/lockfile.go?ref_type=heads#L73
If possible, I would be happy to provide an MR with the v9 support and the respective tests.
Implementation plan
- Update the pnpm lockfile parser to check for `v9` in the lockfile version string.
- Add a new regex to parse the dependency path introduced in v9 lockfiles.
- Add tests for the new lockfile format in `scanner/parser/pnpm/*_test.go`.
- Update the documentation to include support for v9.
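As an added example (not gemnasium's code), the regex from the proposal applied to constructed v9-style dependency paths, covering the name/version extraction and the test inputs the plan above calls for; the `ParseV9DepPath` helper, the `Dep` type and the stripping of the trailing quote and peer-dependency suffix are assumptions about how the parser would use the match, not the analyzer's own logic.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The regex proposed in the issue, in Go raw-string quoting.
var v9DepPathRegex = regexp.MustCompile(`^'?(?P<Name>@?[a-z0-9-._/]+)@(?P<Version>.+)`)

// Dep is the (name, version) pair extracted from one v9 dependency path (assumed type).
type Dep struct {
	Name    string
	Version string
}

// ParseV9DepPath (assumed helper) applies the regex to a key as it appears in a
// lockfileVersion 9.0 pnpm-lock.yaml. A leading quote is allowed by the regex;
// a trailing quote and a peer-dependency suffix in parentheses, e.g.
// "18.2.0(react@18.2.0)", are stripped from the version. ok=false means no match.
func ParseV9DepPath(path string) (Dep, bool) {
	m := v9DepPathRegex.FindStringSubmatch(path)
	if m == nil {
		return Dep{}, false
	}
	name := m[v9DepPathRegex.SubexpIndex("Name")]
	version := strings.TrimSuffix(m[v9DepPathRegex.SubexpIndex("Version")], "'")
	if i := strings.Index(version, "("); i >= 0 {
		version = version[:i]
	}
	return Dep{Name: name, Version: version}, true
}

func main() {
	// Constructed sample keys; the last one is a v6-style path and must not match.
	for _, key := range []string{
		"lodash@4.17.21",
		"'@babel/core@7.24.0'",
		"react-dom@18.2.0(react@18.2.0)",
		"/lodash/4.17.21",
	} {
		d, ok := ParseV9DepPath(key)
		fmt.Printf("%-32s ok=%-5v name=%q version=%q\n", key, ok, d.Name, d.Version)
	}
}
```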
Edited by Oscar Tovar