Error determining version of yarn dependency with "+git" in version #574

Closed
spencerschrock opened this issue Oct 5, 2023 · 4 comments · Fixed by #576
Labels: bug (Something isn't working)

Comments

@spencerschrock
Contributor

spencerschrock commented Oct 5, 2023

Saw this today running osv-scanner indirectly through Scorecard.

Failed to determine version of domino while parsing a yarn.lock - please report this!

The offending line is here, which was added recently here

"domino@https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a":
  version "2.1.6+git"
  uid f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a
  resolved "https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a"

I see the + symbol is used for build info in npm semver, but I have no idea if this is a valid yarn.lock file (similar to #142) with any version of yarn.

Not a yarn user, tried a few things and got different (valid) lockfiles. Not sure what Angular did to get theirs. Running yarn add domino@2.1.6 yields:

domino@2.1.6:
  version "2.1.6"
  resolved "https://registry.yarnpkg.com/domino/-/domino-2.1.6.tgz#fe4ace4310526e5e7b9d12c7de01b7f485a57ffe"
  integrity sha512-3VdM/SXBZX2omc9JF9nOPCtDaYQ67BGp5CoLpIQlO2KCAPETs8TcDHacF26jXadGbvUteZzRTeos2fhID5+ucQ==

And yarn add https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a produces:

"@angular/domino@https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a":
  version "2.1.6"
  resolved "https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a"

@spencerschrock spencerschrock changed the title Error determining yarn.lock with "+git" in version Error determining version of yarn dependency with "+git" in version Oct 5, 2023
@another-rex
Collaborator

@G-Rath Can you take a look? Thanks!

@another-rex another-rex added the bug Something isn't working label Oct 6, 2023
@G-Rath G-Rath self-assigned this Oct 6, 2023
@G-Rath
Collaborator

G-Rath commented Oct 6, 2023

That is the actual version of the package: https://github.com/angular/domino/blob/main/package.json#L3

It's a valid semantic version but Yarn v1 strips out build metadata - Yarn Berry and NPM v7+ however don't

@spencerschrock
Contributor Author

Out of curiosity, does 2.1.6+git vs 2.1.6 make a difference when the call bubbles up to osv.dev?

@G-Rath
Collaborator

G-Rath commented Oct 6, 2023

It shouldn't because build metadata is meant to be ignored when comparing versions
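The thread's conclusion is that `2.1.6+git` is a valid semantic version whose `+git` suffix is build metadata, and that build metadata must not change how the version is compared. The Go program below is an added example illustrating that point; it is not osv-scanner's own lockfile parser nor the fix from #576. It parses the two yarn.lock v1 entries quoted in the issue (embedded as a constructed sample), validates each `version` field against the SemVer 2.0.0 grammar, separates the build metadata from the comparable part, and shows that `2.1.6+git` and `2.1.6` have the same precedence. The function and type names (`ParseYarnLock`, `SplitBuildMetadata`, `SamePrecedence`, `Package`) are this example's own, not osv-scanner identifiers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: the two yarn.lock v1 entries quoted in the issue.
const sampleYarnLock = `"domino@https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a":
  version "2.1.6+git"
  uid f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a
  resolved "https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a"

domino@2.1.6:
  version "2.1.6"
  resolved "https://registry.yarnpkg.com/domino/-/domino-2.1.6.tgz#fe4ace4310526e5e7b9d12c7de01b7f485a57ffe"
  integrity sha512-3VdM/SXBZX2omc9JF9nOPCtDaYQ67BGp5CoLpIQlO2KCAPETs8TcDHacF26jXadGbvUteZzRTeos2fhID5+ucQ==
`

// SemVer 2.0.0 grammar (semver.org). Group 4 is the pre-release, group 5 the
// build metadata that Yarn v1 strips and Yarn Berry / npm v7+ keep in the lockfile.
var semverRe = regexp.MustCompile(
	`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)` +
		`(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` +
		`(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

// Package is one resolved entry from a yarn.lock v1 file (example type, not osv-scanner's).
type Package struct {
	Name    string // package name derived from the entry key
	Raw     string // version string exactly as written in the lockfile
	Version string // Raw with any "+build" metadata removed
	Build   string // build metadata such as "git", or "" when absent
}

// SplitBuildMetadata validates v as a semantic version and returns the
// comparable part (core plus pre-release) and the build metadata separately.
func SplitBuildMetadata(v string) (version, build string, err error) {
	m := semverRe.FindStringSubmatch(v)
	if m == nil {
		return "", "", fmt.Errorf("%q is not a valid semantic version", v)
	}
	version = m[1] + "." + m[2] + "." + m[3]
	if m[4] != "" {
		version += "-" + m[4]
	}
	return version, m[5], nil
}

// SamePrecedence reports whether a and b denote the same version. Per the
// spec, build metadata is ignored when determining precedence.
func SamePrecedence(a, b string) (bool, error) {
	va, _, err := SplitBuildMetadata(a)
	if err != nil {
		return false, err
	}
	vb, _, err := SplitBuildMetadata(b)
	if err != nil {
		return false, err
	}
	return va == vb, nil
}

// nameFromKey reduces an entry key such as "domino@https://...", domino@2.1.6 or
// "@scope/pkg@^1.0.0, @scope/pkg@^1.2.0" to the bare package name. Scoped names
// begin with '@', so the separator is the first '@' after position 0.
func nameFromKey(key string) string {
	key = strings.Trim(strings.TrimSuffix(key, ":"), `"`)
	if i := strings.Index(key, ","); i >= 0 {
		key = key[:i]
	}
	if key == "" {
		return ""
	}
	if i := strings.Index(key[1:], "@"); i >= 0 {
		return key[:i+1]
	}
	return key
}

// ParseYarnLock walks a yarn.lock v1 document: an entry key is an unindented
// line ending in ':' and its fields are indented. Only "version" is extracted.
func ParseYarnLock(doc string) ([]Package, error) {
	var pkgs []Package
	var cur *Package
	for _, line := range strings.Split(doc, "\n") {
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == "" || strings.HasPrefix(line, "#"):
			continue
		case !strings.HasPrefix(line, " ") && strings.HasSuffix(line, ":"):
			pkgs = append(pkgs, Package{Name: nameFromKey(line)})
			cur = &pkgs[len(pkgs)-1]
		case cur != nil && strings.HasPrefix(trimmed, "version "):
			raw := strings.Trim(strings.TrimPrefix(trimmed, "version "), `"`)
			ver, build, err := SplitBuildMetadata(raw)
			if err != nil {
				return nil, fmt.Errorf("package %s: %w", cur.Name, err)
			}
			cur.Raw, cur.Version, cur.Build = raw, ver, build
		}
	}
	return pkgs, nil
}

func main() {
	pkgs, err := ParseYarnLock(sampleYarnLock)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, p := range pkgs {
		fmt.Printf("%-8s raw=%-12q version=%s build=%q\n", p.Name, p.Raw, p.Version, p.Build)
	}
	same, _ := SamePrecedence("2.1.6+git", "2.1.6")
	fmt.Println("2.1.6+git has the same precedence as 2.1.6:", same)
}
```

A scanner that treats the whole `version` string as the lookup key would either reject `2.1.6+git` outright (the error reported above) or query a version that no advisory database knows; splitting off the build metadata before matching avoids both failure modes while still rejecting strings that are not semver at all.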
