This PR adds support for parsing yarn.lock instead of npm-shrinkwrap.json.
It was pretty trivial as yarn has a module to parse the file to json format, which seems to be pretty much compatible with shrinkwrap.
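As an added illustration of the conversion the PR description refers to (example code, not code from this PR or from yarn's own lockfile module), a minimal yarn.lock v1 parser that maps entries into the shrinkwrap dependency tree shape. The sample lockfile and package.json are constructed, and `parseYarnLock`/`toShrinkwrap` are names chosen here.

```javascript
// Added example, not the PR's code: parse yarn.lock (v1 text format) into an npm-shrinkwrap-style tree.
const unquote = s => (s[0] === '"' && s.endsWith('"') ? s.slice(1, -1) : s);
function splitKV(line) {            // "key value" or "\"quoted key\" value" -> [key, value]
  const m = line.match(/^("[^"]*"|\S+)\s+(.*)$/);
  return m ? [unquote(m[1]), unquote(m[2])] : [unquote(line), null];
}
// Map every "name@range" spec to its entry { version, resolved, dependencies }.
function parseYarnLock(text) {
  const lock = {}; let entry = null, nested = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim(); if (!line || line[0] === '#') continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) {            // "a@^1, a@~1.2:" share one entry object
      entry = {}; nested = null;
      line.replace(/:$/, '').split(',').forEach(k => { lock[unquote(k.trim())] = entry; });
    } else if (indent === 2) {
      if (line.endsWith(':')) nested = entry[line.slice(0, -1)] = {};
      else { const [k, v] = splitKV(line); entry[k] = v; nested = null; }
    } else if (indent === 4 && nested) {
      const [k, v] = splitKV(line); nested[k] = v;
    }
  }
  return lock;
}
// Shrinkwrap shape: { name, version, dependencies: { pkg: { version, from, resolved, dependencies } } }
function toShrinkwrap(pkg, lock) {
  const walk = (deps, path) => { const out = {};
    for (const [name, range] of Object.entries(deps || {})) {
      const spec = `${name}@${range}`, e = lock[spec];
      if (!e) throw new Error(`yarn.lock has no entry for ${spec}`);
      const node = { version: e.version, from: spec, resolved: e.resolved };
      if (!path.has(spec)) node.dependencies = walk(e.dependencies, new Set(path).add(spec)); // cycle guard
      out[name] = node;
    }
    return out;
  };
  return { name: pkg.name, version: pkg.version, dependencies: walk(pkg.dependencies, new Set()) };
}
// Constructed sample lockfile and package.json for the demo (not a real project's).
const SAMPLE_LOCK = `# yarn lockfile v1
"@scope/util@^1.0.0":
  version "1.2.0"
  resolved "https://registry.yarnpkg.com/@scope/util/-/util-1.2.0.tgz#abc"
lodash@^4.17.4, lodash@^4.17.5:
  version "4.17.11"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.11.tgz#def"
  dependencies:
    "@scope/util" "^1.0.0"
`;
const SAMPLE_PKG = { name: 'demo-app', version: '1.0.0', dependencies: { lodash: '^4.17.5' } };
```

Running `toShrinkwrap(SAMPLE_PKG, parseYarnLock(SAMPLE_LOCK))` yields the nested `dependencies` tree that a shrinkwrap consumer expects, with each node carrying the version and resolved URL the lockfile pinned.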
Update shrinkwrap for yarn
Use lib-legacy as we need ES5 compatible module
It turns out yarn is not babelifying their modules. I will need to figure out another way to pull its parser in, do you have any ideas how to do that properly? None of mine seems ideal.
Added PR to yarn to support es5, let's keep fingers crossed they can accept it: yarnpkg/yarn#2275
Use fork of yarn to get es5 lib
Assign name from package.json when using yarn.lock online mode
Do not pass yarnlock option to api
Fix eslint errors
So it turns out they won't be able to accept that PR adding ES5 support. Do you think we can use my yarn fork for now?
I wonder if it's worth supporting node < v4, as v4 is the lowest supported version of node now? I'm sure the node security team has some thoughts on that and maybe they're not ready to drop support for node versions less than 4. Maybe a new, major version of nsp?
Anyone who cares about security wouldn't use an unsupported platform, or so one would hope.
PS. I know that "in theory, theory and practice are the same. In practice, they are not.", but still, most people who would use nsp would care at least enough to stay on a supported version.
@methyl what would this PR look like with node >= v4 support? Looks like the PR is still using your fork
Use official yarn instead of es5-compatible fork
This is how it would look. @nlf any comments on that?
We've just migrated over to yarn, and this has caused our nodesecurity scans to fail. Following with keen interest!
Has there been a decision on node <= v4 support?
(P.S. @evilpacket & @jlamendo good to meet you guys at DEFCON a couple of years back - didn't see you last year)
@frenchi 👋 - @nlf will officially comment but I know that yarn support is on our list however we do have to make some API tweaks to make it officially go and have a few things in the queue in front of it.
this is a great start for offline mode 👍
we do need to decide if we're officially dropping support for node < 4 before i merge it, however. for right now, i'm going to keep this open. i do want to say THANK YOU for doing this and including tests and everything. it's super appreciated!