google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.21k stars 353 forks

Error determining version of yarn dependency with "+git" in version #574

Closed spencerschrock closed 1 year ago

spencerschrock commented 1 year ago

Saw this today running osv-scanner indirectly through Scorecard.

Failed to determine version of domino while parsing a yarn.lock - please report this!

The offending line is here, which was added recently here

"domino@https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a":
  version "2.1.6+git"
  uid f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a
  resolved "https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a"

I see the + symbol is used for build info in npm semver, but I have no idea if this is a valid yarn.lock file (similar to #142) with any version of yarn.

Not a yarn user, tried a few things and got different (valid) lockfiles. Not sure what Angular did to get theirs. Running yarn add domino@2.1.6 yields:

domino@2.1.6:
  version "2.1.6"
  resolved "https://registry.yarnpkg.com/domino/-/domino-2.1.6.tgz#fe4ace4310526e5e7b9d12c7de01b7f485a57ffe"
  integrity sha512-3VdM/SXBZX2omc9JF9nOPCtDaYQ67BGp5CoLpIQlO2KCAPETs8TcDHacF26jXadGbvUteZzRTeos2fhID5+ucQ==

And yarn add https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a produces:

"@angular/domino@https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a":
  version "2.1.6"
  resolved "https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a"

another-rex commented 1 year ago

@G-Rath Can you take a look? Thanks!

G-Rath commented 1 year ago

That is the actual version of the package: https://github.com/angular/domino/blob/main/package.json#L3

It's a valid semantic version but Yarn v1 strips out build metadata - Yarn Berry and NPM v7+ however don't

spencerschrock commented 1 year ago

Out of curiosity, does 2.1.6+git vs 2.1.6 make a difference when the call bubbles up to osv.dev?

G-Rath commented 1 year ago

It shouldn't because build metadata is meant to be ignored when comparing versions
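To make the two points in this thread concrete, here is an added example (not osv-scanner's own parser) that reads the `version` line of a yarn.lock v1 entry like the one quoted above and then strips semver build metadata before comparing, so "2.1.6+git" and "2.1.6" are treated as the same release. The function names and the embedded sample entry are this example's own constructions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// yarnVersionRe matches the indented `version "..."` line of a yarn.lock v1 entry.
var yarnVersionRe = regexp.MustCompile(`^\s+version\s+"([^"]+)"`)
// ParseYarnLockVersions maps each yarn.lock v1 entry header ("name@spec") to its version.
func ParseYarnLockVersions(lock string) map[string]string {
	versions := map[string]string{}
	current := ""
	for _, line := range strings.Split(lock, "\n") {
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, " ") {
			// Entry headers are unindented, end with ':' and may be quoted.
			current = strings.Trim(strings.TrimSuffix(line, ":"), `"`)
			continue
		}
		if m := yarnVersionRe.FindStringSubmatch(line); m != nil && current != "" {
			versions[current] = m[1]
		}
	}
	return versions
}

// StripBuildMetadata drops the semver build-metadata suffix ("+git" in "2.1.6+git");
// build metadata must not influence version precedence.
func StripBuildMetadata(v string) string {
	if i := strings.IndexByte(v, '+'); i >= 0 {
		return v[:i]
	}
	return v
}

// SameRelease reports whether two versions match once build metadata is ignored.
func SameRelease(a, b string) bool {
	return StripBuildMetadata(a) == StripBuildMetadata(b)
}
// sampleLock is the lockfile entry quoted in this issue, embedded as constructed input.
const sampleLock = "\"domino@https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a\":\n  version \"2.1.6+git\"\n  uid f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a\n  resolved \"https://github.com/angular/domino.git#f2435fe1f9f7c91ade0bd472c4723e5eacd7d19a\"\n"

func main() {
	for header, v := range ParseYarnLockVersions(sampleLock) {
		fmt.Printf("%s: %s (compares as %s)\n", header, v, StripBuildMetadata(v))
	}
}
```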