
fix: reconstruct transitive dependency paths from yarn.lock (#421). #576

Merged
sonukapoor merged 1 commit into OWASP:main from coder-Yash886:fix/yarn-lock-path-reconstruction-421
Jun 8, 2026

Conversation

@coder-Yash886 coder-Yash886 commented Jun 7, 2026

Contributor

Closes #421

Summary

  • Reconstruct full transitive dependency paths from yarn.lock (Classic + Berry) using a BFS graph walk, following the approach of #335 (fix: preserve multiple pnpm dependency paths for repeated package versions)
  • Preserve multiple paths per package (cap: 5 paths, depth 10)
  • Extend resolveTransitiveRemediationViaRegistry for deep chains so within-range remediation works for yarn/pnpm/bun without an npm lock graph
  • Add parser and remediation tests; fix flaky Windows temp-dir teardown via shared test-utils.ts

What this fixes

The Yarn parser previously emitted flat paths (["project", "js-cookie"]) instead of the full chain (["project", "aws-amplify", "@aws-amplify/core", "js-cookie"]). Without correct paths, the within-range resolver could not suggest yarn upgrade js-cookie.

Once this lands, PR #537 (yarn-within-range fixture) should produce the expected scan output.

Test plan
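As an added illustration of the approach described in this PR (not code from the PR or the project): a compact parser for the Yarn Classic lockfile format followed by the BFS walk that rebuilds every path from the project root, keeping at most 5 paths per package version and stopping at depth 10. SAMPLE_LOCK, the root dependency list and the function names are constructed for this example; the Berry format is not handled here.

```typescript
type Entry = { name: string; version: string; deps: [string, string][] };
const unq = (s: string) => s.replace(/^"|"$/g, "");
// Constructed Yarn Classic lockfile: aws-amplify reaches js-cookie directly and via @aws-amplify/core.
const SAMPLE_LOCK = `aws-amplify@^6.0.0:
  version "6.0.0"
  dependencies:
    "@aws-amplify/core" "^6.0.0"
    js-cookie "^3.0.0"
"@aws-amplify/core@^6.0.0":
  version "6.0.0"
  dependencies:
    js-cookie "^3.0.0"
js-cookie@^3.0.0:
  version "3.0.5"`;
// Parse entries, keyed by every "name@range" specifier that resolves to them.
export function parseYarnClassic(text: string): Map<string, Entry> {
  const bySpec = new Map<string, Entry>();
  let cur: Entry | undefined;
  for (const raw of text.split("\n")) {
    const line = raw.trim(), indent = raw.length - raw.trimStart().length;
    if (indent === 0 && line.endsWith(":")) { // entry header; may list several specifiers
      const specs = line.slice(0, -1).split(",").map((s) => unq(s.trim()));
      cur = { name: specs[0].slice(0, specs[0].lastIndexOf("@")), version: "", deps: [] };
      for (const s of specs) bySpec.set(s, cur);
    } else if (indent === 2 && line.startsWith("version ") && cur) {
      cur.version = unq(line.slice(8).trim());
    } else if (indent === 4 && cur) { // `name "range"` line under dependencies:
      const m = line.match(/^("?)([^"\s]+)\1\s+"?([^"]*)"?$/);
      if (m) cur.deps.push([m[2], m[3]]);
    }
  }
  return bySpec;
}
// BFS from the project root: at most maxPaths paths per name@version, at most maxDepth edges
// (the PR's caps are 5 and 10); a name already on the current path is a cycle and is skipped.
export function reconstructPaths(bySpec: Map<string, Entry>, rootDeps: [string, string][], maxPaths = 5, maxDepth = 10): Map<string, string[][]> {
  const paths = new Map<string, string[][]>(), queue: [Entry, string[]][] = [];
  for (const [n, r] of rootDeps) { const e = bySpec.get(`${n}@${r}`); if (e) queue.push([e, ["project", n]]); }
  while (queue.length) {
    const [e, path] = queue.shift()!;
    const key = `${e.name}@${e.version}`, seen = paths.get(key) ?? [];
    if (seen.length >= maxPaths) continue;
    paths.set(key, [...seen, path]);
    if (path.length - 1 >= maxDepth) continue;
    for (const [n, r] of e.deps) {
      const d = bySpec.get(`${n}@${r}`);
      if (d && !path.includes(n)) queue.push([d, [...path, n]]);
    }
  }
  return paths;
}
```

Because the walk is breadth-first, the shortest chain to a package is recorded first, so the path cap drops the deepest alternatives rather than the one a remediation hint most needs.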

@coder-Yash886

Contributor Author

@sonukapoor Please review the PR when you have free time.
Is there any Slack or Discord channel for project discussions where I can coordinate or ask doubts related to issues and PRs?

@sonukapoor

Collaborator

> @sonukapoor Please review the PR when you have free time. Is there any Slack or Discord channel for project discussions where I can coordinate or ask doubts related to issues and PRs?

Will take a look this week. We have a Slack channel as mentioned in our readme: https://owasp.org/slack/invite

@sonukapoor sonukapoor left a comment

Collaborator

Tested on the branch — yarn upgrade js-cookie is now correctly generated for the yarn-within-range fixture. Full test suite passes (419 tests, 1 skipped). The flat path problem is fixed. This unblocks #537.

@sonukapoor sonukapoor merged commit 9ce8081 into OWASP:main Jun 8, 2026
6 checks passed

@sonukapoor

Collaborator

Merged — thank you @coder-Yash886!

Linked issue: feat: improve Yarn parser to preserve multiple dependency paths to the same package