Support yarn.lock #142

Open

@methyl
methyl commented Dec 16, 2016

This PR adds support for parsing yarn.lock instead of npm-shrinkwrap.json.

It was pretty trivial, as yarn has a module to parse the file to JSON format, which seems to be pretty much compatible with shrinkwrap.
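As an added illustration (not code from this PR and not yarn's own parser module): a simplified reader for the yarn.lock v1 layout that reduces the lockfile to the name and version pairs a dependency audit compares against advisories. The lockfile text is a constructed sample, `lockedVersions` is a hypothetical helper name, and the reader assumes ranges contain no commas.

```javascript
// Constructed sample in yarn.lock v1 layout (not taken from the PR).
const SAMPLE_LOCK = `# yarn lockfile v1

"@types/node@^6.0.0":
  version "6.0.52"

lodash@^4.0.0, lodash@^4.17.2:
  version "4.17.2"
  dependencies:
    left-pad "^1.1.0"

lodash@^3.10.0:
  version "3.10.1"

left-pad@^1.1.0:
  version "1.1.3"
`;

// Strip one pair of surrounding double quotes, if present.
const unquote = (s) => s.replace(/^"(.*)"$/, '$1');

// Hypothetical helper: returns { name: [locked versions] } for the whole file.
function lockedVersions(lockText) {
  const out = Object.create(null); // no prototype, so odd package names are safe keys
  let names = null; // package names covered by the entry being read
  for (const raw of lockText.split(/\r?\n/)) {
    if (raw.trim() === '' || raw.trim().startsWith('#')) continue;
    if (!/^\s/.test(raw)) {
      // Entry header: comma-separated "name@range" patterns ending in ":".
      if (!raw.endsWith(':')) throw new Error('bad entry header: ' + raw);
      names = new Set(raw.slice(0, -1).split(',').map((p) => {
        const pattern = unquote(p.trim());
        const at = pattern.indexOf('@', 1); // skip the leading "@" of a scope
        if (at < 0) throw new Error('bad pattern: ' + pattern);
        return pattern.slice(0, at);
      }));
      continue;
    }
    // Only the entry's own two-space "version" field is needed; nested
    // "dependencies:" lines carry ranges, not resolved versions.
    const m = /^ {2}version\s+(.+)$/.exec(raw);
    if (!m || names === null) continue;
    const version = unquote(m[1].trim());
    for (const name of names) {
      const list = (out[name] = out[name] || []);
      if (!list.includes(version)) list.push(version);
    }
  }
  return out;
}
```

Unlike a shrinkwrap tree, the result is flat: a package locked at two versions, such as `lodash` in the sample, shows up as one key with two entries, and each must be checked.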

@methyl methyl referenced this pull request Dec 16, 2016
Open

Offline support for yarn #136

@methyl
methyl commented Dec 16, 2016

It turns out yarn is not babelifying their modules. I will need to figure out another way to pull its parser in. Do you have any ideas how to do that properly? None of mine seem ideal.

@methyl methyl referenced this pull request in yarnpkg/yarn Dec 16, 2016
Closed

Build es5-compatible lib #2275

@methyl
methyl commented Dec 16, 2016

Added PR to yarn to support es5, let's keep fingers crossed they can accept it: yarnpkg/yarn#2275

@methyl
methyl commented Dec 17, 2016

So it turns out they won't be able to accept that PR adding ES5 support. Do you think we can use my yarn fork for now?

@mike-engel

I wonder if it's worth supporting node < v4, as v4 is the lowest supported version of node now? I'm sure the node security team has some thoughts on that and maybe they're not ready to drop support for node versions less than 4. Maybe a new, major version of nsp?

@omeid
omeid commented Jan 11, 2017

Anyone who cares about security wouldn't use an unsupported platform, or so one would hope.

PS. I know that "in theory, theory and practice are the same. In practice, they are not.", but still, most people who would use nsp would care at least enough to stay on a supported version.

@mike-engel

@methyl what would this PR look like with node >= v4 support? Looks like the PR is still using your fork

@methyl
methyl commented Jan 11, 2017
@methyl
methyl commented Jan 12, 2017

This is what it would look like. @nlf any comments on that?

@frenchi
frenchi commented Jan 23, 2017

We've just migrated over to yarn, and this has caused our nodesecurity scans to fail. Following with keen interest!

Has there been a decision on node <= v4 support?

(P.S. @evilpacket & @jlamendo good to meet you guys at DEFCON a couple of years back - didn't see you last year)

@evilpacket
Member

@frenchi 👋 - @nlf will officially comment but I know that yarn support is on our list however we do have to make some API tweaks to make it officially go and have a few things in the queue in front of it.

@nlf
Member
nlf commented Feb 1, 2017

this is a great start for offline mode 👍

we do need to decide if we're officially dropping support for node < 4 before i merge it, however. for right now, i'm going to keep this open. i do want to say THANK YOU for doing this and including tests and everything. it's super appreciated!
