PNPM improvements: scanning does not support v6 and can result in duplicate packages #1762

kzantow · 2023-04-26T13:06:44Z

What happened:
When PR #1752 was merged, I overlooked the fact that duplicate packages can get created. This should be accounted for when adding the packages from both the dependencies and packages sections.

When attempting to add a test fixture for this, I used PNPM to make a basic React project and realized that Syft doesn't support the pnpm lockfile format v6.

What you expected to happen:
Syft scans both older (v4) and newer (v6) pnpm lock files. No duplicate packages.

Steps to reproduce the issue:
Use this modified PNPM lock file (remove the .txt extension or create a new one): pnpm-lock.yaml.txt

The text was updated successfully, but these errors were encountered:

kzantow added bug Something isn't working good-first-issue Good for newcomers labels Apr 26, 2023

kzantow self-assigned this May 3, 2023

kzantow added this to OSS May 3, 2023

kzantow moved this to In Progress in OSS May 3, 2023

kzantow mentioned this issue May 3, 2023

fix: duplicate packages, support pnpm lockfile v6 #1778

Merged

kzantow moved this from In Progress to In Review in OSS May 3, 2023

kzantow closed this as completed in #1778 May 23, 2023

github-project-automation bot moved this from In Review to Done in OSS May 23, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PNPM improvements: scanning does not support v6 and can result in duplicate packages #1762

PNPM improvements: scanning does not support v6 and can result in duplicate packages #1762

kzantow commented Apr 26, 2023

PNPM improvements: scanning does not support v6 and can result in duplicate packages #1762

PNPM improvements: scanning does not support v6 and can result in duplicate packages #1762

Comments

kzantow commented Apr 26, 2023