lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0

Replace @yarnpkg/lockfile with @yarnpkg/parsers #122

Closed naugtur closed 2 years ago

naugtur commented 2 years ago

Having replaced the parser I see it's failing a test for bad-yarn.lock because the new parser is accepting any mix of JSON and yaml apparently.
We'd need a validation step after parsing to check if the object shape is as expected.

naugtur commented 2 years ago

Also, why is the shape

 { type: 'success', object: lockfile }

leaking from yarn through to the parseSync output? It throws if it's not a success. Why not just return the object?
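An added example (not lockfile-lint's own code) of the post-parse validation step the first comment asks for, together with an unwrap of the `{ type: 'success', object }` result shape the second comment questions. It assumes the newer parser returns a plain object keyed by package descriptor (e.g. `lodash@^4.17.0`) and that berry-style `__metadata` keys may be present; the sample inputs are constructed.

```javascript
// Added example, not lockfile-lint's code. Assumes a parsed yarn.lock is a plain
// object keyed by package descriptor; keys starting with "__" (berry metadata) are skipped.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v)

// Returns a list of human-readable problems; an empty list means the shape is as expected.
function validateYarnLockShape (lock) {
  const problems = []
  if (!isPlainObject(lock)) return ['lockfile did not parse to an object']
  const entries = Object.entries(lock).filter(([key]) => !key.startsWith('__'))
  if (entries.length === 0) problems.push('lockfile contains no package entries')
  for (const [descriptor, entry] of entries) {
    // Every yarn descriptor carries an "@" between name and range ("a@^1.0.0", "@scope/a@^1.0.0")
    if (!descriptor.includes('@')) problems.push(`"${descriptor}" is not a package descriptor`)
    if (!isPlainObject(entry)) { problems.push(`"${descriptor}" entry is not an object`); continue }
    if (typeof entry.version !== 'string') problems.push(`"${descriptor}" has no string version`)
    if ('resolved' in entry && typeof entry.resolved !== 'string') problems.push(`"${descriptor}" resolved is not a string`)
    if ('integrity' in entry && typeof entry.integrity !== 'string') problems.push(`"${descriptor}" integrity is not a string`)
    if ('dependencies' in entry && !isPlainObject(entry.dependencies)) problems.push(`"${descriptor}" dependencies is not an object`)
  }
  return problems
}

// Hides the old @yarnpkg/lockfile { type, object } wrapper from callers: returns the bare
// lockfile object, throws when the parse did not succeed, and passes a bare object through.
function unwrapParseResult (result) {
  if (isPlainObject(result) && result.type === 'success' && isPlainObject(result.object)) return result.object
  if (isPlainObject(result) && typeof result.type === 'string') throw new Error(`yarn lockfile parse failed: ${result.type}`)
  return result
}

// Constructed sample: a well-formed v1-style entry (hash and integrity values are placeholders)
const GOOD_LOCK = {
  'lodash@^4.17.0': {
    version: '4.17.21',
    resolved: 'https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#PLACEHOLDER',
    integrity: 'sha512-PLACEHOLDER'
  }
}
// Constructed sample: what a lenient parser yields when fed package.json-style JSON instead of a lockfile
const BAD_LOCK = { name: 'my-app', version: '1.0.0', dependencies: { lodash: '^4.17.0' } }
```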