snyk / nodejs-lockfile-parser

Generate a Snyk dependency tree from package-lock.json or yarn.lock file

yarn 2 `resolutions` causes `OutOfSyncError` #99

Closed mhassan1 closed 3 years ago

mhassan1 commented 3 years ago

As part of the optimization of the depTree in https://github.com/snyk/nodejs-lockfile-parser/pull/93, we added the following check: https://github.com/snyk/nodejs-lockfile-parser/blob/0bd6a0a2a8a629d9929d089d13cac7e4332e5970/lib/parsers/lock-parser-base.ts#L346-L348

In the case of resolutions in the package.json in Yarn 2, this error will get thrown because of the way Yarn 2 puts custom resolutions in yarn.lock.

**Reproduction Steps**

1. Create a new Yarn 2 project with `package.json`:
   ```json
   {
     "dependencies": {
       "lodash": "4.17.19"
     },
     "resolutions": {
       "lodash": "4.17.20"
     }
   }
   ```
2. Run `yarn`, which will create a `yarn.lock`:
   ```yaml
   "lodash@npm:4.17.20":
     version: 4.17.20
     resolution: "lodash@npm:4.17.20"
     checksum: b31afa09739b7292a88ec49ffdb2fcaeb41f690def010f7a067eeedffece32da6b6847bfe4d38a77e6f41778b9b2bca75eeab91209936518173271f0b69376ea
     languageName: node
     linkType: hard

   "root-workspace-0b6124@workspace:.":
     version: 0.0.0-use.local
     resolution: "root-workspace-0b6124@workspace:."
     dependencies:
       lodash: 4.17.19
     languageName: unknown
     linkType: soft
   ```
3. Run `snyk test`
4. See error `Dependency lodash@4.17.19 was not found in undefined. Your package.json and undefined are probably out of sync. Please run "undefined" and try again.` (the `undefined` is just because `yarn2` is missing from `lib/errors/out-of-sync-error.ts`).

**Explanation**
In the above `yarn.lock`, the root workspace has a dependency on `lodash@4.17.19`, which does not appear elsewhere in the `yarn.lock` because the only actual `lodash` is `4.17.20`, caused by the resolution. This breaks the `depMap` check, above, even when `--strict-out-of-sync=false` is passed.

**Potential Solutions**
1. When `--strict-out-of-sync=false` is passed, ignore dependencies that are not in the `depMap`; this will unblock consumers who use `resolutions`, but it doesn't add full support for `resolutions`.
2. Figure out how to add full support for `resolutions`, potentially using functionality provided by `@yarnpkg/core`.
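The lookup failure described in the explanation and the first proposed fix can be reproduced without the parser itself. The following is an added example written for this page, not code from snyk/nodejs-lockfile-parser or from the issue author: it parses the subset of the Yarn 2 (berry) `yarn.lock` syntax shown in the reproduction, builds a `depMap` keyed by the comma-separated descriptors of each entry, and shows that the root workspace's declared `lodash@npm:4.17.19` has no entry while a lookup that first applies `package.json` `resolutions` lands on `4.17.20`. The lockfile and `package.json` contents are constructed from the reproduction above; the helper names (`parseBerryLock`, `buildDepMap`, `lookupNaive`, `lookupWithResolutions`, `checkWorkspace`) are this example's own and not the library's API, and the parser deliberately handles only the fields that appear in the sample.

```javascript
// Added example, not code from snyk/nodejs-lockfile-parser.
// Demonstrates why a Yarn 2 lockfile fails a naive "is the declared range in
// the lockfile" check when package.json `resolutions` rewrite a dependency,
// and how consulting `resolutions` before the lookup makes it succeed.

// Constructed sample, copied from the reproduction in the issue.
const LOCKFILE = `
"lodash@npm:4.17.20":
  version: 4.17.20
  resolution: "lodash@npm:4.17.20"
  checksum: b31afa09739b7292a88ec49ffdb2fcaeb41f690def010f7a067eeedffece32da6b6847bfe4d38a77e6f41778b9b2bca75eeab91209936518173271f0b69376ea
  languageName: node
  linkType: hard

"root-workspace-0b6124@workspace:.":
  version: 0.0.0-use.local
  resolution: "root-workspace-0b6124@workspace:."
  dependencies:
    lodash: 4.17.19
  languageName: unknown
  linkType: soft
`;

// Constructed sample package.json from the reproduction.
const PACKAGE_JSON = {
  dependencies: { lodash: '4.17.19' },
  resolutions: { lodash: '4.17.20' },
};

// Minimal parser for the subset of the berry lockfile syntax used above
// (hypothetical helper, not the library's parser). Unindented lines are
// quoted descriptor lists such as "a@npm:1, a@npm:^1"; two-space indented
// lines are scalar fields; `dependencies:` opens a four-space indented
// name -> range map.
function parseBerryLock(text) {
  const entries = {};
  let current = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.trimStart().startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0) {
      // New entry: drop the trailing ':' and the surrounding quotes.
      const key = line.replace(/:$/, '').replace(/^"(.*)"$/, '$1');
      current = { descriptors: key.split(',').map((d) => d.trim()), dependencies: {} };
      entries[key] = current;
      inDeps = false;
      continue;
    }
    const [k, ...rest] = line.split(':');
    const v = rest.join(':').trim().replace(/^"(.*)"$/, '$1');
    if (indent === 2) {
      inDeps = k === 'dependencies';
      if (!inDeps) current[k] = v;
    } else if (indent === 4 && inDeps) {
      current.dependencies[k] = v;
    }
  }
  return entries;
}

// Yarn 2 writes bare semver ranges with the npm: protocol, so the descriptor
// for `"lodash": "4.17.19"` in package.json is `lodash@npm:4.17.19`.
function toDescriptor(name, range) {
  return /^[a-z]+:/.test(range) ? `${name}@${range}` : `${name}@npm:${range}`;
}

// One map entry per descriptor, so multi-descriptor keys resolve too.
function buildDepMap(entries) {
  const depMap = new Map();
  for (const entry of Object.values(entries)) {
    for (const d of entry.descriptors) depMap.set(d, entry);
  }
  return depMap;
}

// The check that throws in the issue: look the declared range up directly.
function lookupNaive(depMap, name, range) {
  return depMap.get(toDescriptor(name, range)) || null;
}

// Resolution-aware check: a `resolutions` entry for the name replaces the
// declared range before the lookup, matching what Yarn 2 wrote to the lock.
function lookupWithResolutions(depMap, resolutions, name, range) {
  const effective = (resolutions && resolutions[name]) || range;
  return depMap.get(toDescriptor(name, effective)) || null;
}

// Walks the root workspace's dependencies and reports, per dependency,
// whether the naive and the resolution-aware lookups find a lockfile entry.
function checkWorkspace(lockText, pkg) {
  const entries = parseBerryLock(lockText);
  const depMap = buildDepMap(entries);
  const workspace = Object.values(entries).find((e) =>
    e.descriptors.some((d) => d.includes('@workspace:')));
  const report = {};
  for (const [name, range] of Object.entries(workspace.dependencies)) {
    const resolved = lookupWithResolutions(depMap, pkg.resolutions, name, range);
    report[name] = {
      declared: range,
      naiveFound: lookupNaive(depMap, name, range) !== null,
      resolvedVersion: resolved ? resolved.version : null,
    };
  }
  return report;
}

console.log(JSON.stringify(checkWorkspace(LOCKFILE, PACKAGE_JSON), null, 2));
```

Running it reports `lodash` as declared `4.17.19`, not found by the naive lookup, and resolved to `4.17.20` once `resolutions` is consulted. Note that this is the behaviour of solution 2 in spirit (the dependency graph reflects what was actually installed) rather than solution 1, which would only skip the missing entry under `--strict-out-of-sync=false`; a tool that skips rather than resolves would silently omit `lodash` from the reported tree.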
mhassan1 commented 3 years ago

Resolved by https://github.com/snyk/nodejs-lockfile-parser/pull/115