jfrog / frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
https://docs.jfrog-applications.jfrog.io/
Apache License 2.0

Support for yarn3 workspaces? #674

Closed Feinminen closed 2 months ago

Feinminen commented 2 months ago

I'm encountering an issue while setting up frogbot in my project that utilizes yarn 3.6.1 with workspaces. It seems that the installation command provided in the frogbot configuration is not executing correctly.

Context:

Monorepo Structure:

image

frogbot-config.yml content:

- params:
    scan:
      projects:
        - installCommand: yarn # also tried: yarn install
          workingDirs:
            - packages/lib

Issue:

I'm encountering the following error: image

It seems that frogbot is attempting to install dependencies with 'npm' despite specifying 'yarn' as the installation command in the configuration file.

Question:

Could it be that frogbot lacks support for yarn3 workspaces, or am I potentially setting up frogbot incorrectly?

I appreciate any insights or assistance you can provide on this matter. Thank you in advance for your help!

orz25 commented 2 months ago

Hi @Feinminen, Frogbot indeed lacks support for yarn workspaces. In addition, there is another problem in the way you configured your frogbot-config.yml: you set the workingDirs param to packages/lib, which is not a yarn sub-project, but an npm project. If you want this sub-folder to be scanned as a yarn project, it should contain a yarn file. Otherwise, frogbot will detect this sub-project as npm. Another solution for you is to scan the entire project, and frogbot will use the yarn.lock file that already exists in your root directory.
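A pre-flight check for the situation orz25 describes, added here as an example; it is not part of the thread and not Frogbot code. It reports how each directory you intend to list under workingDirs would be classified, assuming "a yarn file" means a yarn.lock in that directory; the function names and the sample layout are constructed.

```shell
#!/bin/sh
# Added example, not Frogbot's own detection code.
# Assumption: a directory counts as a yarn project only if it holds
# package.json AND yarn.lock; package.json alone is treated as npm.

# classify_dir DIR -> prints yarn | npm | none
classify_dir() {
    dir=$1
    if [ ! -f "$dir/package.json" ]; then
        echo none            # no package descriptor at all
    elif [ -f "$dir/yarn.lock" ]; then
        echo yarn
    else
        echo npm             # descriptor present, lockfile lives elsewhere
    fi
}

# check_working_dirs ROOT DIR... -> prints "DIR: kind" per entry and
# returns 1 if any entry would not be scanned as yarn.
check_working_dirs() {
    root=$1; shift
    rc=0
    for wd in "$@"; do
        kind=$(classify_dir "$root/$wd")
        echo "$wd: $kind"
        [ "$kind" = yarn ] || rc=1
    done
    return $rc
}

# Constructed sample layout mirroring the issue: a workspace root with
# the only yarn.lock, and packages/lib holding just a package.json.
make_sample_repo() {
    repo=$(mktemp -d)
    mkdir -p "$repo/packages/lib"
    echo '{"private":true,"workspaces":["packages/*"]}' > "$repo/package.json"
    : > "$repo/yarn.lock"
    echo '{"name":"lib"}' > "$repo/packages/lib/package.json"
    echo "$repo"
}

# Run with --demo to see the sample repo classified.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_repo)
    check_working_dirs "$demo" packages/lib . || echo "fix workingDirs before scanning"
    rm -rf "$demo"
fi
```

A non-zero result for a workspace member means the dependency scan for that entry would not be driven by the root yarn.lock, so pointing workingDirs at the repository root is the safer configuration.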

Feinminen commented 2 months ago

Thanks for the clarification! I'm closing the question :)