PNPM improvements: scanning does not support v6 and can result in duplicate packages #1762

kzantow · 2023-04-26T13:06:44Z

What happened:
When PR #1752 was merged, I overlooked the fact that duplicate packages can get created. This should be accounted for when adding the packages from both the dependencies and packages sections.

When attempting to add a test fixture for this, I used PNPM to make a basic React project and realized that Syft doesn't support the pnpm lockfile format v6.

What you expected to happen:
Syft scans both older (v4) and newer (v6) pnpm lock files. No duplicate packages.

Steps to reproduce the issue:
Use this modified PNPM lock file (remove the .txt extension or create a new one): pnpm-lock.yaml.txt

The text was updated successfully, but these errors were encountered:

kzantow added bug Something isn't working good-first-issue Good for newcomers labels Apr 26, 2023

kzantow self-assigned this May 3, 2023

kzantow mentioned this issue May 3, 2023

fix: duplicate packages, support pnpm lockfile v6 #1778

Merged

kzantow closed this as completed in #1778 May 23, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PNPM improvements: scanning does not support v6 and can result in duplicate packages #1762

PNPM improvements: scanning does not support v6 and can result in duplicate packages #1762

kzantow commented Apr 26, 2023

PNPM improvements: scanning does not support v6 and can result in duplicate packages #1762

PNPM improvements: scanning does not support v6 and can result in duplicate packages #1762

Comments

kzantow commented Apr 26, 2023