snyk / nodejs-lockfile-parser

Generate a Snyk dependency tree from package-lock.json or yarn.lock file

feat: add support for resolutions in yarn2 #115

Closed JamesPatrickGill closed 3 years ago

JamesPatrickGill commented 3 years ago

What this does

This allows Snyk to scan yarn2 projects that use resolutions.

Note

Resolutions behave interestingly and there is not much documentation available for how yarn2 resolutions work (all I could find was this section of a bigger doc). As such, the reasoning of the code may seem weird at first. To help with this, I also want to outline the key points of how resolutions work in yarn2.

Glob patterns in resolutions are gone:

Resolutions now only allow one level of specificity. This means you can either just use a package name, or a package and its parent, to specify a resolution, as such:

{
    "debug": "4.0.0", // good
    "express/debug": "4.0.0", // good
    "express/**/debug": "4.0.0" // bad
}

This means this ticket does not need to worry about globs.

Order matters (...really):

Inside the resolutions object, the type of key used to specify a resolution does not give it priority over another if there are multiple matches; it is whichever comes first, i.e.:

{
    "debug": "4.0.0",
    "express/debug": "3.0.0"
}

will result in only debug@4.0.0 being used whereas:

{
    "express/debug": "3.0.0",
    "debug": "4.0.0"
}

will result in both debug@4.0.0 and debug@3.0.0, as 3.0.0 will be used for direct dependents of express only.

Qualifiers can be used in resolutions

This is where you can specify to only apply a resolution if the parent of the resolution is being used at a certain version. This looks like this:

{
   "@babel/core@npm:7.0.0/@babel/generator": "7.3.4"
}

This is why this weird check exists: https://github.com/snyk/nodejs-lockfile-parser/blob/feat/resolutions-for-yarn2/lib/parsers/yarn2-lock-parser.ts#L128-L131

Please let me know if you would like to go through this with me.
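The three rules described in the PR above (no globs, first match wins, optional version qualifier on the parent) can be captured in a small model of resolution matching. The following is an added example written for this page; it is not code from snyk/nodejs-lockfile-parser, and the names `parseResolutionKey`, `resolveVersion`, `DependencyEdge` and `ResolutionKey` are assumptions made here, not the parser's own API. It also assumes the version qualifier must match the parent's resolved version exactly, which is how the PR text reads but is not stated in so many words.

```typescript
// Added example, not the project's code: a model of how yarn2 applies the
// `resolutions` field, following the rules laid out in the PR description.

interface ResolutionKey {
  parent?: string;        // e.g. "express" or "@babel/core"; undefined = any parent
  parentVersion?: string; // qualifier after "@npm:", e.g. "7.0.0" (assumed exact match)
  name: string;           // the package whose version is being forced
}

interface DependencyEdge {
  parentName: string;     // "" for the workspace root
  parentVersion: string;
  depName: string;
  requestedRange: string; // what the parent's package.json asked for
}

// Splits "a/b" style keys into package descriptors while keeping scoped
// names ("@scope/name") together: a segment starting with "@" is a scope
// and is rejoined with the segment that follows it.
function splitDescriptors(key: string): string[] {
  const raw = key.split('/');
  const out: string[] = [];
  for (let i = 0; i < raw.length; i++) {
    const seg = raw[i];
    if (seg.startsWith('@') && i + 1 < raw.length) {
      out.push(`${seg}/${raw[i + 1]}`);
      i++;
    } else {
      out.push(seg);
    }
  }
  return out;
}

// Accepts the three key shapes the PR describes and rejects everything else:
//   "debug"                                  -> name only
//   "express/debug"                          -> parent/name
//   "@babel/core@npm:7.0.0/@babel/generator" -> parent@npm:version/name
function parseResolutionKey(key: string): ResolutionKey {
  if (key.includes('*')) {
    throw new Error(`glob patterns are not supported in yarn2 resolutions: ${key}`);
  }
  const parts = splitDescriptors(key);
  if (parts.length === 1) {
    return { name: parts[0] };
  }
  if (parts.length !== 2) {
    throw new Error(`only one level of specificity is allowed: ${key}`);
  }
  const [parentDesc, name] = parts;
  // "@npm:" is searched for explicitly so the leading "@" of a scope is not
  // mistaken for the version separator.
  const idx = parentDesc.indexOf('@npm:');
  if (idx < 0) {
    return { parent: parentDesc, name };
  }
  return {
    parent: parentDesc.slice(0, idx),
    parentVersion: parentDesc.slice(idx + '@npm:'.length),
    name,
  };
}

// Walks the resolutions object in insertion order (which Object.entries
// preserves for string keys) and returns the first matching override, or the
// originally requested range if no entry matches. Key "type" never outranks
// position: a plain "debug" entry listed first shadows "express/debug".
function resolveVersion(resolutions: Record<string, string>, edge: DependencyEdge): string {
  for (const [key, version] of Object.entries(resolutions)) {
    const r = parseResolutionKey(key);
    if (r.name !== edge.depName) continue;
    if (r.parent !== undefined && r.parent !== edge.parentName) continue;
    if (r.parentVersion !== undefined && r.parentVersion !== edge.parentVersion) continue;
    return version; // first match wins
  }
  return edge.requestedRange;
}

// Constructed sample edges mirroring the PR's examples.
const expressToDebug: DependencyEdge = { parentName: 'express', parentVersion: '4.17.1', depName: 'debug', requestedRange: '^2.0.0' };
const rootToDebug: DependencyEdge = { parentName: '', parentVersion: '1.0.0', depName: 'debug', requestedRange: '^2.0.0' };

const genericFirst = { debug: '4.0.0', 'express/debug': '3.0.0' };
const specificFirst = { 'express/debug': '3.0.0', debug: '4.0.0' };

console.log(resolveVersion(genericFirst, expressToDebug));  // 4.0.0: "debug" is listed first
console.log(resolveVersion(specificFirst, expressToDebug)); // 3.0.0: "express/debug" is listed first
console.log(resolveVersion(specificFirst, rootToDebug));    // 4.0.0: root is not express
```

Running the block with `genericFirst` and `specificFirst` reproduces the two orderings from the PR: the same two entries yield one debug version or two depending purely on which key is listed first. A qualified key such as `@babel/core@npm:7.0.0/@babel/generator` only fires when the edge's `parentVersion` equals `7.0.0`, which is the condition the PR's linked check in the yarn2 lock parser is guarding.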

snyksec commented 3 years ago

:tada: This PR is included in version 1.35.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket: