package packagehandlers
import (
"errors"
"fmt"
biUtils "github.com/jfrog/build-info-go/build/utils"
"github.com/jfrog/frogbot/v2/utils"
"github.com/jfrog/gofrog/version"
"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
"github.com/jfrog/jfrog-client-go/utils/log"
)
// Yarn CLI knobs used by YarnPackageHandler.
const (
	// yarnV2Version is the boundary between Yarn classic (1.x) and Yarn 2+;
	// the detected executable version is compared against it in isYarnV1Project.
	yarnV2Version = "2.0.0"
	// yarnV1PackageUpdateCmd and yarnV2PackageUpdateCmd are the sub-commands that
	// bump a direct dependency in each major line of Yarn.
	yarnV1PackageUpdateCmd = "upgrade"
	yarnV2PackageUpdateCmd = "up"
	// modulesFolderFlag redirects Yarn 1's node_modules output; the target
	// directory is appended at call time.
	modulesFolderFlag = "--modules-folder="
)
// YarnPackageHandler fixes vulnerable dependencies in projects managed by Yarn.
// It embeds CommonPackageHandler and only adds the Yarn-specific choice of
// update command (Yarn 1 vs Yarn 2+) on top of it.
type YarnPackageHandler struct {
	CommonPackageHandler
}
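// UpdateDependency applies the suggested fix for vulnDetails.
//
// Only direct dependencies can be bumped through the yarn CLI; for an indirect
// dependency an *utils.ErrUnsupportedFix carrying
// utils.IndirectDependencyFixNotSupported is returned so the caller can report
// the limitation instead of attempting a fix.
func (yarn *YarnPackageHandler) UpdateDependency(vulnDetails *utils.VulnerabilityDetails) error {
	// Guard clause keeps the happy path unindented; no else after a return.
	if !vulnDetails.IsDirectDependency {
		return &utils.ErrUnsupportedFix{
			PackageName:  vulnDetails.ImpactedDependencyName,
			FixedVersion: vulnDetails.SuggestedFixedVersion,
			ErrorType:    utils.IndirectDependencyFixNotSupported,
		}
	}
	return yarn.updateDirectDependency(vulnDetails)
}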
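// updateDirectDependency bumps a direct dependency with the yarn executable
// found on the runner, choosing the sub-command by that executable's major
// version ("upgrade" for Yarn 1, "up" for Yarn 2+).
//
// For Yarn 1 the command is pointed at a throw-away --modules-folder so the
// node_modules tree produced during the upgrade never lands in the working
// tree (and thus never in the fix PR); the folder is removed before returning
// and any removal error is joined onto the returned error.
//
// A failure of the underlying command is wrapped with %w (so callers can still
// inspect the cause with errors.Is/As) together with the yarn version that was
// used, because a runner/project Yarn major-version mismatch is the usual cause.
func (yarn *YarnPackageHandler) updateDirectDependency(vulnDetails *utils.VulnerabilityDetails) (err error) {
	isYarn1, executableYarnVersion, err := isYarnV1Project()
	if err != nil {
		return
	}
	installationCommand := yarnV2PackageUpdateCmd
	var extraArgs []string
	if isYarn1 {
		installationCommand = yarnV1PackageUpdateCmd
		// Yarn 1 writes node_modules while upgrading; keep them in a temp dir
		// that is deleted below and never pushed into the PR.
		var tmpNodeModulesDir string
		tmpNodeModulesDir, err = fileutils.CreateTempDir()
		if err != nil {
			return
		}
		// Registered only after CreateTempDir succeeded, so a failed creation
		// does not try to remove an empty/unknown path on the way out.
		defer func() {
			err = errors.Join(err, fileutils.RemoveTempDir(tmpNodeModulesDir))
		}()
		extraArgs = append(extraArgs, modulesFolderFlag+tmpNodeModulesDir)
	}
	err = yarn.CommonPackageHandler.UpdateDependency(vulnDetails, installationCommand, extraArgs...)
	if err != nil {
		// %w keeps the cause in the chain; the rendered text is unchanged.
		err = fmt.Errorf("running 'yarn %s for '%s' failed:\n%w\nHint: The Yarn version that was used is: %s. If your project was built with a different major version of Yarn, please configure your CI runner to include it",
			installationCommand,
			vulnDetails.ImpactedDependencyName,
			err,
			executableYarnVersion)
	}
	return
}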
// isYarnV1Project gets the current executed yarn version and returns whether the current yarn version is V1 or not.
//
// The version is read from the yarn executable resolved by biUtils.GetVersion,
// not from the project's own configuration, so the answer reflects the runner's
// environment (see the NOTICE below). executableYarnVersion is also returned so
// callers can surface it in error messages.
func isYarnV1Project() (isYarn1 bool, executableYarnVersion string, err error) {
	// NOTICE: in case your global yarn version is 1.x this function will always return true even if the project is originally in higher yarn version
	executableYarnVersion, err = biUtils.GetVersion("yarn", "")
	if err != nil {
		return
	}
	log.Info("Using Yarn version: ", executableYarnVersion)
	// NOTE(review): this relies on gofrog's Version.Compare returning a positive
	// result when its argument (yarnV2Version) is newer than the receiver, i.e.
	// "> 0" means executable < 2.0.0 — confirm against the gofrog version in go.mod
	// before touching this line.
	isYarn1 = version.NewVersion(executableYarnVersion).Compare(yarnV2Version) > 0
	return
}