What does this PR do?
enables support for yarn workspace projects
How should this be manually tested?
Any background context you want to provide?
Previously, yarn workspace projects were not being tested successfully because the script would naively attempt `npm install` on any `package.json` file in a directory with no corresponding `package-lock.json` or `node_modules/` folder. Instead, the script now checks if we are in a workspace with `yarn workspaces list`.

In order to scan `package.json` files in sub-packages within the workspace individually, the way snyk-bulk needs to, while still using the locked dependencies from the `yarn.lock` file in the workspace root directory for accuracy, a bit of trickery is used for the snyk CLI to link the workspace `yarn.lock` file to the sub-package's `package.json` file. Because using `--file` loses the scope of the workspace, we can simply link the workspace `yarn.lock` file in each sub-package directory so that when `snyk test` runs it resolves the transitive dependencies and versions from the `yarn.lock` for those direct dependencies listed in each `package.json`. After the files are linked to each sub-package directory, the script can run as normal and scan each project accordingly.

What are the relevant tickets?
https://snyksec.atlassian.net/browse/CS-9
Screenshots
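The workspace handling described in the background section, written out as an added POSIX shell example. This is not the snyk-bulk script and not code from the PR; it assumes Yarn 2+ ("berry"), whose `yarn workspaces list --json` prints one JSON object per line with a `location` field relative to the workspace root, and it assumes `snyk test` run inside a sub-package directory picks up the `yarn.lock` sitting beside that package's `package.json`.

```shell
#!/bin/sh
# Added example (not the snyk-bulk script): detect a yarn workspace, link the
# root yarn.lock into each sub-package, scan each sub-package, then clean up.
# Assumption: `yarn workspaces list --json` (Yarn 2+) emits lines such as
#   {"location":"packages/a","name":"@example/a"}
set -eu

# A workspace root has a package.json declaring "workspaces" and a yarn.lock
# beside it. The lockfile is what the sub-package scans must resolve against.
is_yarn_workspace_root() {
  root=$1
  [ -f "$root/package.json" ] && [ -f "$root/yarn.lock" ] \
    && grep -q '"workspaces"' "$root/package.json"
}

# Pull the "location" field out of each `yarn workspaces list --json` line.
# sed is used instead of jq so the example runs where jq is not installed.
workspace_locations() {
  sed -n 's/.*"location":"\([^"]*\)".*/\1/p'
}

# Read workspace locations from stdin (one per line) and symlink the root
# yarn.lock into each sub-package directory. The root itself is skipped, as is
# any package that already has a yarn.lock of its own. Prints each directory
# that received a link so the caller knows what to scan.
link_workspace_lockfile() {
  root=$1
  lockfile="$root/yarn.lock"
  while IFS= read -r location; do
    case $location in ''|.) continue ;; esac
    pkgdir="$root/$location"
    if [ ! -f "$pkgdir/package.json" ]; then
      continue
    fi
    if [ -e "$pkgdir/yarn.lock" ]; then
      continue  # real lockfile present: leave it alone
    fi
    ln -s "$lockfile" "$pkgdir/yarn.lock"
    printf '%s\n' "$pkgdir"
  done
}

# Remove only symlinked yarn.lock files (real lockfiles are regular files and
# are untouched), so the scan leaves no stray links in the checkout.
unlink_workspace_lockfiles() {
  root=$1
  find "$root" -type l -name yarn.lock ! -path '*/node_modules/*' -exec rm -f {} +
}

# End-to-end flow for a real checkout. Not exercised by the tests below, since
# neither yarn nor snyk is assumed to be installed where this runs.
scan_yarn_workspace() {
  root=$1
  if ! is_yarn_workspace_root "$root"; then
    echo "not a yarn workspace root: $root" >&2
    return 1
  fi
  (cd "$root" && yarn workspaces list --json) | workspace_locations \
    | link_workspace_lockfile "$root" \
    | while IFS= read -r pkgdir; do
        # Running in the sub-package directory lets snyk pair that package.json
        # with the linked root yarn.lock, instead of passing --file.
        (cd "$pkgdir" && snyk test) || true
      done
  unlink_workspace_lockfiles "$root"
}

# Usage: ./scan_workspace.sh /path/to/workspace-root
if [ $# -gt 0 ]; then
  scan_yarn_workspace "$1"
fi
```

The link step and the cleanup step are kept separate so that a failing `snyk test` on one sub-package does not leave the others unscanned, and so that the symlinks can always be removed afterwards regardless of how the scan ended.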