Support yarn.lock #142

wants to merge 8 commits into



methyl commented Dec 16, 2016

This PR adds support for parsing yarn.lock instead of npm-shrinkwrap.json.

It was pretty trivial, as yarn has a module to parse the file to JSON format, which seems to be pretty much compatible with shrinkwrap.

@methyl methyl referenced this pull request Dec 16, 2016

Offline support for yarn #136

methyl commented Dec 16, 2016

It turns out yarn is not babelifying their modules. I will need to figure out another way to pull its parser in. Do you have any ideas how to do that properly? None of mine seems ideal.

@methyl methyl referenced this pull request in yarnpkg/yarn Dec 16, 2016

Build es5-compatible lib #2275

methyl commented Dec 16, 2016

Added PR to yarn to support es5, let's keep fingers crossed they can accept it: yarnpkg/yarn#2275

methyl commented Dec 17, 2016

So it turns out they won't be able to accept that PR adding ES5 support. Do you think we can use my yarn fork for now?


I wonder if it's worth supporting node < v4, as v4 is the lowest supported version of node now? I'm sure the node security team has some thoughts on that and maybe they're not ready to drop support for node versions less than 4. Maybe a new, major version of nsp?

omeid commented Jan 11, 2017

Anyone who cares about security wouldn't use an unsupported platform, or so one would hope.

PS. I know that "in theory, theory and practice are the same. In practice, they are not.", but still, most people who would use nsp would care at least enough to stay on a supported version.


@methyl what would this PR look like with node >= v4 support? Looks like the PR is still using your fork

methyl commented Jan 11, 2017
methyl commented Jan 12, 2017

This is what it would look like. @nlf any comments on that?

frenchi commented Jan 23, 2017

We've just migrated over to yarn, and this has caused our nodesecurity scans to fail. Following with keen interest!

Has there been a decision on node <= v4 support?

(P.S. @evilpacket & @jlamendo good to meet you guys at DEFCON a couple of years back - didn't see you last year)


@frenchi 👋 - @nlf will officially comment, but I know that yarn support is on our list; however, we do have to make some API tweaks to make it officially go and have a few things in the queue in front of it.

nlf commented Feb 1, 2017

this is a great start for offline mode 👍

we do need to decide if we're officially dropping support for node < 4 before i merge it, however. for right now, i'm going to keep this open. i do want to say THANK YOU for doing this and including tests and everything. it's super appreciated!
