Merge pull request #5839 from dependabot/jurre/yarn-berry-multiple-reqs

Yarn Berry: Ensure multiple requirements are parsed correctly
dependabot · Oct 6, 2022 · 97ae98c · 97ae98c
2 parents 96cbb6c + 95f118e
commit 97ae98c
Show file tree

Hide file tree

Showing 5 changed files with 1,753 additions and 1 deletion.
diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_parser/lockfile_parser.rb
@@ -77,7 +77,7 @@ def yarn_lockfile_details(lockfile, dependency_name, requirement, _manifest_name
             details_candidates.first.last
           else
             details_candidates.find do |k, _|
-              k.split(/(?<=\w)\@/)[1..-1].join("@") == requirement
+              k.scan(/(?<=\w)\@(?:npm:)?([^\s,]+)/).flatten.include?(requirement)
             end&.last
           end
         end

diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_parser/lockfile_parser_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_parser/lockfile_parser_spec.rb
@@ -218,6 +218,24 @@
           it { is_expected.to eq(nil) }
         end
       end
+
+      context "that have multiple requirements" do
+        let(:dependency_files) { project_dependency_files("yarn_berry/multiple_requirements") }
+        let(:dependency_name) { "postcss" }
+        let(:requirement) { "^8.4.17" }
+
+        it "finds the one matching the requirement" do
+          expect(lockfile_details).to eq(
+            "version" => "8.4.17",
+            "resolution" => "postcss@npm:8.4.17",
+            "dependencies" => { "nanoid" => "^3.3.4", "picocolors" => "^1.0.0", "source-map-js" => "^1.0.2" },
+            "checksum" => "a6d9096dd711e17f7b1d18ff5dcb4fdedf3941d5a3dc8b0e4ea" \
+                          "873b8f31972d57f73d6da9a8aed7ff389eb52190ed34f6a94f299a7f5ddc68b08a24a48f77eb9",
+            "languageName" => "node",
+            "linkType" => "hard"
+          )
+        end
+      end
     end
 
     context "for npm lockfiles" do

diff --git a/npm_and_yarn/spec/fixtures/projects/yarn_berry/multiple_requirements/.yarn/install-state.gz b/npm_and_yarn/spec/fixtures/projects/yarn_berry/multiple_requirements/.yarn/install-state.gz
diff --git a/npm_and_yarn/spec/fixtures/projects/yarn_berry/multiple_requirements/package.json b/npm_and_yarn/spec/fixtures/projects/yarn_berry/multiple_requirements/package.json
@@ -0,0 +1,11 @@
+{
+  "name": "{{ name }}",
+  "dependencies": {
+    "next": "^12.3.1"
+  },
+  "devDependencies": {
+    "eslint-plugin-tailwindcss": "^3.6.2",
+    "postcss": "^8.4.17"
+  },
+  "packageManager": "[email protected]"
+}