
Conversation

bernardoamc

Description

Allow pnpm v9 lockfiles to be parsed by Syft. This version has a different structure compared to previous lockfiles, nesting fields like dependencies and devDependencies within the concept of an importer. In order to keep backwards compatibility the code has been refactored to:

  1. Create a shared interface for parsing pnpm files while attempting to keep most of the functionality consolidated across common functions
  2. We have also optimized our logic to check for duplicated packages by utilizing a map rather than repeatedly iterating through a slice.

Fixes: #3927

Type of change

  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

@bernardoamc
Author

We are only parsing the packages key while leaving the option to parse the remaining fields. I think this covers the current functionality since packages should contain every package listed within every other field.
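As an added example (not code from this PR or from Syft itself), here is a Go sketch of the two layouts the description contrasts and of the refactor it describes: a shared parser interface with one implementation per lockfile layout, selection by `lockfileVersion`, and duplicate detection through a map keyed on the package rather than a slice scan. It also exposes a `directDeps()` view over the top-level dependency fields (v6) and the `importers` nesting (v9), so a consumer can verify the assumption in the comment above that `packages` already lists everything the other fields reference. Every type and function name here is this example's own, the sample lockfiles are constructed, and they are written as JSON (which is valid YAML) only because the Go standard library has no YAML decoder; v5 lockfiles are rejected rather than parsed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// pnpmPackage is one resolved dependency; pnpmDep is a direct-dependency entry (its "specifier" is not needed here).
type pnpmPackage struct{ Name, Version string }
type pnpmDep struct{ Version string `json:"version"` }
// pnpmLockfileParser is the shared interface both layouts implement (the names here are this example's, not Syft's).
type pnpmLockfileParser interface {
	packages() []pnpmPackage   // every entry under the top-level "packages" key, de-duplicated
	directDeps() []pnpmPackage // dependencies + devDependencies, wherever the layout nests them
}

// pnpmProject is the dependency block of one project: v6 has a single one at the top level, v9 one per importer.
type pnpmProject struct {
	Dependencies    map[string]pnpmDep `json:"dependencies"`
	DevDependencies map[string]pnpmDep `json:"devDependencies"`
}

func (p pnpmProject) directDeps() (out []pnpmPackage) {
	for _, m := range []map[string]pnpmDep{p.Dependencies, p.DevDependencies} {
		for name, d := range m {
			v, _, _ := strings.Cut(d.Version, "(") // a resolved "18.2.0(react@18.2.0)" carries the peer suffix too
			out = append(out, pnpmPackage{Name: name, Version: v})
		}
	}
	return out
}

// lockfileV6 is one project plus "packages" keyed "/name@version"; directDeps() is promoted from pnpmProject.
type lockfileV6 struct {
	pnpmProject
	Packages map[string]json.RawMessage `json:"packages"`
}

func (l *lockfileV6) packages() []pnpmPackage { return packagesFrom(l.Packages) }
// lockfileV9 nests every project under "importers" (the root is ".") and keys "packages" as "name@version".
type lockfileV9 struct {
	Importers map[string]pnpmProject     `json:"importers"`
	Packages  map[string]json.RawMessage `json:"packages"`
}

func (l *lockfileV9) packages() []pnpmPackage { return packagesFrom(l.Packages) }
func (l *lockfileV9) directDeps() (out []pnpmPackage) {
	for _, imp := range l.Importers {
		out = append(out, imp.directDeps()...)
	}
	return out
}

// newPnpmLockfileParser sniffs lockfileVersion, then decodes the document into the matching layout. JSON is valid YAML, so a YAML decoder accepts the same text; encoding/json is used only because the standard library has none.
func newPnpmLockfileParser(src string) (pnpmLockfileParser, error) {
	var head struct{ LockfileVersion any `json:"lockfileVersion"` }
	if err := json.Unmarshal([]byte(src), &head); err != nil {
		return nil, err
	}
	var l pnpmLockfileParser
	switch s, _ := head.LockfileVersion.(string); { // v6 onwards write the version as a string; v5 wrote a number
	case strings.HasPrefix(s, "9."):
		l = &lockfileV9{}
	case strings.HasPrefix(s, "6."):
		l = &lockfileV6{}
	default:
		return nil, fmt.Errorf("unsupported pnpm lockfileVersion %v", head.LockfileVersion)
	}
	if err := json.Unmarshal([]byte(src), l); err != nil {
		return nil, err
	}
	return l, nil
}

// packagesFrom de-duplicates through a set keyed on the package (the PR's map-instead-of-slice-scan change); duplicates are real in v6, which lists one name@version once per peer-dependency combination.
func packagesFrom(raw map[string]json.RawMessage) (out []pnpmPackage) {
	seen := make(map[pnpmPackage]bool, len(raw))
	for key := range raw {
		key, _, _ = strings.Cut(strings.TrimPrefix(key, "/"), "(") // drop v6's leading slash and any "(peer@ver)" suffix
		if i := strings.LastIndex(key, "@"); i > 0 && i < len(key)-1 { // scoped names start with "@": split on the last one
			if p := (pnpmPackage{Name: key[:i], Version: key[i+1:]}); !seen[p] {
				seen[p] = true
				out = append(out, p)
			}
		}
	}
	return out
}

// Constructed sample lockfiles (not real project data), written as JSON so encoding/json can decode them.
const sampleV6 = `{"lockfileVersion": "6.0",
  "dependencies": {"lodash": {"specifier": "^4.17.21", "version": "4.17.21"}}, "devDependencies": {"react-dom": {"specifier": "^18.2.0", "version": "18.2.0(react@18.2.0)"}},
  "packages": {"/lodash@4.17.21": {}, "/react@18.2.0": {}, "/react@18.3.1": {},
    "/react-dom@18.2.0(react@18.2.0)": {}, "/react-dom@18.2.0(react@18.3.1)": {}}}`
const sampleV9 = `{"lockfileVersion": "9.0",
  "importers": {
    ".": {"dependencies": {"lodash": {"specifier": "^4.17.21", "version": "4.17.21"}}, "devDependencies": {"@types/node": {"specifier": "^20.0.0", "version": "20.11.0"}}},
    "packages/web": {"dependencies": {"react-dom": {"specifier": "^18.2.0", "version": "18.2.0(react@18.2.0)"}}}},
  "packages": {"lodash@4.17.21": {}, "@types/node@20.11.0": {}, "react@18.2.0": {}, "react-dom@18.2.0": {}}}`
```

Feeding `sampleV6` and `sampleV9` to `newPnpmLockfileParser` yields four unique packages each; the v6 sample lists `react-dom@18.2.0` twice with different peer suffixes, which is the duplicate the map collapses. Building a set from `packages()` and checking every entry of `directDeps()` against it comes back empty for both samples, which is the check behind reading only `packages` for the SBOM; the same check is what would flag a lockfile where the assumption does not hold.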

@bernardoamc bernardoamc force-pushed the bc-parse-v9-lockfiles branch from fc04d5f to b49e6f7 Compare October 6, 2025 15:12
@bernardoamc
Author

Adjusted the code so newPnpmLockfileParser doesn't get exported.

@spiffcs spiffcs self-requested a review October 6, 2025 15:29
Signed-off-by: bernardoamc <bernardo.amc@gmail.com>
@bernardoamc bernardoamc force-pushed the bc-parse-v9-lockfiles branch from b49e6f7 to a2e777e Compare October 6, 2025 15:56
@bernardoamc
Author

For some reason my local environment did not catch these exported warnings. I've also made the interface private.

@bernardoamc
Author

Thanks for the review @spiffcs, I appreciate it! Hopefully this build will be a green one. 😄

@bernardoamc
Author

Glad the export-check was the only blocker. 😄


Successfully merging this pull request may close these issues.

PNPM latest lockfile (version 9.0)