code-pushup / cli

A CLI to run all kinds of code quality measurements to align your team with company goals
https://code-pushup.dev
MIT License

JS-packages plugin does not handle Yarn V2 audit output #879

Open getlarge opened 2 days ago

getlarge commented 2 days ago

What happened?

Next episode of JS-package plugin setup with Yarn v2, see #877 for the previous episode.

The yarnv2ToAuditResult function does not handle the output from yarn npm audit --json correctly.

Image

What would you expect to happen?

I would expect the plugin to parse the output of yarn audit :)

What steps did you take?

import jsPackagesPlugin from '@code-pushup/js-packages-plugin';

export default {
  persist: {
    outputDir: '.code-pushup',
    format: ['json', 'md'],
  },
  plugins: [
    // ...
    await jsPackagesPlugin({
      packageManager: 'yarn-modern',
      packageJsonPaths: ['package.json'],
    }),
  ],
};

Run code-pushup with a project containing vulnerabilities.


Later I tried to patch @code-pushup/js-packages-plugin

Running:

yarn npm audit --json --environment development

Produces:

{"value":"eslint","children":{"ID":"eslint (deprecation)","Issue":"This version is no longer supported. Please see https://eslint.org/version-support for other options.","Severity":"moderate","Vulnerable Versions":"8.57.0","Tree Versions":["8.57.0"],"Dependents":["frontend@workspace:."]}}
{"value":"fast-json-patch","children":{"ID":1096610,"Issue":"Starcounter-Jack JSON-Patch Prototype Pollution vulnerability","URL":"https://github.com/advisories/GHSA-8gh8-hqwg-xf34","Severity":"high","Vulnerable Versions":"<3.1.1","Tree Versions":["2.2.1"],"Dependents":["frontend@workspace:."]}}
# ...

Obviously, JSON.parse cannot handle this string.

Create an ugly intermediate parser like:

const opt = `[${output.trim().split('\n').join(',')}]`;

Once parsed:

[
 {
    value: 'eslint',
    children: {
      ID: 'eslint (deprecation)',
      Issue: 'This version is no longer supported. Please see https://eslint.org/version-support for other options.',
      Severity: 'moderate',
      'Vulnerable Versions': '8.57.0',
      'Tree Versions': [Array],
      Dependents: [Array]
    }
  },
  {
    value: 'fast-json-patch',
    children: {
      ID: 1096610,
      Issue: 'Starcounter-Jack JSON-Patch Prototype Pollution vulnerability',
      URL: 'https://github.com/advisories/GHSA-8gh8-hqwg-xf34',
      Severity: 'high',
      'Vulnerable Versions': '<3.1.1',
      'Tree Versions': [Array],
      Dependents: [Array]
    }
  },
//...
]

The format does not comply with the current handler, which expects advisories and metadata properties.

Should we do something like this? Did the output change with Yarn V4?

// `output` is the raw stdout of `yarn npm audit --json`, wrapped into one JSON array as above
const yarnv2Audit = JSON.parse(`[${output.trim().split('\n').join(',')}]`);

const vulnerabilities = yarnv2Audit.map(({ value: name, children }) => {
  const {
    ID: title,
    URL: url,
    Severity: severity,
    'Vulnerable Versions': versionRange,
    Issue: fixInformation,
    Dependents: dependents,
  } = children;
  // dependents should include the pattern `${packageJsonName}@workspace:.` if it's a direct dependency
  const directDep =
    dependents?.length > 0
      ? dependents.some((dep) => dep.includes('my-package-name'))
      : null;
  return {
    name,
    severity,
    title,
    url,
    versionRange,
    fixInformation,
    directDependency:
      directDep != null && directDep !== name ? directDep : true,
  };
});

Code PushUp package version

0.53.1

What operating system are you on?

Linux

Node version

22.11

Relevant log output

[ warn ] Plugins failed: 
[ warn ] Error: - Plugin JS Packages (js-packages) produced the following error:
  - TypeError: Cannot convert undefined or null to object
    at Function.values (<anonymous>)
    at Object.yarnv2ToAuditResult [as unifyResult] (file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1435:34)
    at file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1736:36
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async Promise.allSettled (index 0)
    at async processAudit (file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1724:24)
    at async executeRunner (file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1688:51)
    at async file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1763:1
SyntaxError: Unexpected non-whitespace character after JSON at position 290 (line 2 column 1)
    at JSON.parse (<anonymous>)
    at Object.yarnv2ToAuditResult [as unifyResult] (file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1434:28)
    at file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1736:36
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async Promise.allSettled (index 1)
    at async processAudit (file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1724:24)
    at async executeRunner (file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1688:51)
    at async file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1763:1
file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1745
    throw new Error(`JS Packages plugin: Running ${pm.name} audit failed.`);
          ^

Error: JS Packages plugin: Running yarn-modern audit failed.
    at processAudit (file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1745:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async executeRunner (file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1688:51)
    at async file:///home/edouard/Dev/monorepo/node_modules/@code-pushup/js-packages-plugin/bin.js:1763:1

Node.js v22.11.0

Error: Executing 1 plugin failed.
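The issue above describes yarn npm audit --json on Yarn 2+ printing one JSON object per line (NDJSON) rather than the single document with advisories and metadata properties that the npm-style handler expects. As an added example, not code from code-pushup or from the issue author, the TypeScript below parses that output line by line, validates each entry, and maps it onto a flat vulnerability list with a direct/transitive flag and a CI severity gate. The sample input is constructed: its first two lines mirror the shapes quoted in the issue, while the third line (package name, advisory ID and URL) is invented to exercise a transitive dependent. The locator format (name@npm:version, name@workspace:.), the "(deprecation)" suffix on deprecation IDs, and the names yarnAuditToVulnerabilities, parseYarnAuditNdjson, locatorName and exceedsThreshold are this example's own assumptions.

```typescript
// Added example (not code-pushup's own code): parse the NDJSON that `yarn npm audit --json`
// emits on Yarn 2+ (one JSON object per line) and map it onto a flat vulnerability list.

const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'] as const;
type Severity = (typeof SEVERITIES)[number];

// Constructed sample. Lines 1-2 mirror the shapes quoted in the issue; line 3 is invented
// (package, advisory ID and URL are not real) to exercise a transitive dependent.
const SAMPLE_YARN_AUDIT = [
  '{"value":"eslint","children":{"ID":"eslint (deprecation)","Issue":"This version is no longer supported. Please see https://eslint.org/version-support for other options.","Severity":"moderate","Vulnerable Versions":"8.57.0","Tree Versions":["8.57.0"],"Dependents":["frontend@workspace:."]}}',
  '{"value":"fast-json-patch","children":{"ID":1096610,"Issue":"Starcounter-Jack JSON-Patch Prototype Pollution vulnerability","URL":"https://github.com/advisories/GHSA-8gh8-hqwg-xf34","Severity":"high","Vulnerable Versions":"<3.1.1","Tree Versions":["2.2.1"],"Dependents":["frontend@workspace:."]}}',
  '{"value":"some-transitive-lib","children":{"ID":999999,"Issue":"Constructed example advisory","URL":"https://example.invalid/advisory","Severity":"critical","Vulnerable Versions":"<2.0.0","Tree Versions":["1.4.0"],"Dependents":["some-direct-lib@npm:1.0.0"]}}',
  '', // trailing newline, as the CLI prints
].join('\n');

// Shape of one audit line as seen in the issue; anything beyond those samples is assumed.
type YarnAuditLine = {
  value: string;
  children: {
    ID: string | number;
    Issue: string;
    URL?: string;
    Severity: string;
    'Vulnerable Versions': string;
    Dependents: string[];
  };
};

type Vulnerability = {
  name: string; severity: Severity; advisoryId: string | number; title: string;
  url?: string; versionRange: string; deprecation: boolean;
  directDependency: true | string; // true if direct, else the dependent that pulls it in
};

function isAuditLine(x: unknown): x is YarnAuditLine {
  if (typeof x !== 'object' || x === null) return false;
  const { value, children } = x as { value?: unknown; children?: unknown };
  if (typeof value !== 'string' || typeof children !== 'object' || children === null) return false;
  const c = children as Record<string, unknown>;
  return typeof c['Severity'] === 'string' && Array.isArray(c['Dependents']);
}

// NDJSON: split on newlines, skip blank lines, JSON.parse each line on its own.
// A malformed line is reported with its number rather than skipped, so a format
// change in Yarn surfaces as an error instead of as "no findings".
function parseYarnAuditNdjson(output: string): YarnAuditLine[] {
  return output
    .split('\n')
    .map(line => line.trim())
    .filter(line => line.length > 0)
    .map((line, i) => {
      let parsed: unknown;
      try { parsed = JSON.parse(line); } catch { parsed = undefined; }
      if (!isAuditLine(parsed)) throw new Error(`yarn audit line ${i + 1} is not an audit entry: ${line.slice(0, 80)}`);
      return parsed;
    });
}

// Assumed Yarn locator format: `name@npm:1.2.3`, `@scope/name@npm:1.2.3`, `name@workspace:.`.
// The package name is everything before the last `@`, so scoped names survive.
function locatorName(locator: string): string {
  const at = locator.lastIndexOf('@');
  return at > 0 ? locator.slice(0, at) : locator;
}

function toSeverity(raw: string): Severity {
  const s = raw.toLowerCase();
  if ((SEVERITIES as readonly string[]).includes(s)) return s as Severity;
  throw new Error(`unknown audit severity: ${raw}`); // fail loudly rather than mis-score
}

function yarnAuditToVulnerabilities(output: string, workspaceName: string): Vulnerability[] {
  const workspacePrefix = `${workspaceName}@workspace:`;
  return parseYarnAuditNdjson(output).map(({ value: name, children }) => {
    const { ID, Issue, URL, Severity: rawSeverity, 'Vulnerable Versions': versionRange, Dependents } = children;
    const isDirect = Dependents.some(dep => dep.startsWith(workspacePrefix));
    const first = Dependents[0];
    return {
      name,
      severity: toSeverity(rawSeverity),
      advisoryId: ID,
      title: Issue,
      url: URL,
      versionRange,
      // Assumption: deprecation notices carry a string ID ending in "(deprecation)".
      deprecation: typeof ID === 'string' && ID.endsWith('(deprecation)'),
      directDependency: isDirect ? true : first === undefined ? name : locatorName(first),
    };
  });
}

// CI gate: true if any real vulnerability (deprecations excluded) is at or above `threshold`.
function exceedsThreshold(vulns: Vulnerability[], threshold: Severity): boolean {
  const min = SEVERITIES.indexOf(threshold);
  return vulns.some(v => !v.deprecation && SEVERITIES.indexOf(v.severity) >= min);
}
```

Two design points differ from the ad-hoc wrap-into-an-array approach: a line that fails to parse or does not look like an audit entry throws with its line number instead of being silently dropped, and an npm-style document with advisories and metadata is rejected for the same reason, so a future change in Yarn's output shows up as a plugin error rather than as a clean report. Deprecation notices are kept in the list but excluded from the severity gate, since they are not advisories.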

getlarge commented 2 days ago

FYI, after my patch, js-package-plugin produced another error:

Image