licensed 3.2.3 → 3.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1e2043fe7541ca6458302eab4e81fabdc22d874d5e80498eaac0f1551d7796e8
-  data.tar.gz: abe1b03af0e02be363661d357e82cac6b53a127a6fd01cfef2c7ba2b6c174116
+  metadata.gz: 1a241c3ec016e1b2f49cc7a4ed53c53ee07a45fb5dc5f1b6655e6c4e5acf2d6d
+  data.tar.gz: 26e55577302098d09128c87d422856307841fa85dd95c181a7fe9280713ee644
 SHA512:
-  metadata.gz: 8555b427c46ab7e0198cf4ac71ed02fae65a230576057bd6d2cbf38e5d26491479444cfc4ed6ec78549e615c5b8cf6d71ce762b31552bf7bfd1d348e228b1055
-  data.tar.gz: 30da66cc1abb37677768dab09d79f93c17df25a7d0a73e06dbfdcb51ce7bb3ea66af5962e97631a019a8119498f4b0ebdeaca46667cb8b2b3d3fe0a2bb63c254
+  metadata.gz: 4358bc3c0f238d569beb172ded8589088336a64ccac81f55f2f669e7619c59c5590fdda1b88c5d3812cc8f554af2381ec1f74f40798634a547a6e8884d33c10e
+  data.tar.gz: 751818fb0934e5cf80629971267373117d1649d6ec65f8ae35477f53153307a4fee7893d9182f9b112fe622d8554656ca4892717084793b31577cb1b86557fad

data/CHANGELOG.md

@@ -6,6 +6,56 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## 3.4.1
+
+2022-01-07
+
+### Fixed
+
+- Malformed package.json files will no longer crash yarn dependency detection (https://github.com/github/licensed/pull/431)
+
+## 3.4.0
+
+2021-12-14
+
+### Added
+
+- New Yarn enumerator with support for berry versions (https://github.com/github/licensed/pull/423)
+
+### Fixed
+
+- Error handling cases return correct values in the Yarn enumerator (https://github.com/github/licensed/pull/425)
+- Fixed link in command documentation (:tada: @chibicco https://github.com/github/licensed/pull/416)
+- Fixed minor backwards compatibility issue for Ruby 2.3 support (:tada: @dzunk https://github.com/github/licensed/pull/414)
+
+### Changed
+
+- Licensed's own dependencies are cached in the repository and kept up to date with GitHub Actions (https://github.com/github/licensed/pull/421)
+
+## 3.3.1
+
+2021-10-07
+
+### Fixed
+
+- Fix evaluation of peer dependencies with npm 7 (:tada: @manuelpuyol https://github.com/github/licensed/pull/411)
+
+### Changed
+
+- Manifest source evaluation performance improvements (https://github.com/github/licensed/pull/407)
+
+## 3.3.0
+
+2021-09-18
+
+### Added
+
+- New cargo source enumerates rust dependencies (https://github.com/github/licensed/pull/404)
+
+### Changed
+
+- Removed non-functional files from gem builds (https://github.com/github/licensed/pull/405)
+
 ## 3.2.3
 
 2021-09-14
@@ -497,4 +547,4 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Initial release :tada:
 
-[Unreleased]: https://github.com/github/licensed/compare/3.2.3...HEAD
+[Unreleased]: https://github.com/github/licensed/compare/3.4.1...HEAD

data/Rakefile

@@ -2,13 +2,16 @@
 require "bundler/gem_tasks"
 require "rake/testtask"
 require "rubocop/rake_task"
+require "licensed"
 
 desc "Run source setup scripts"
 task :setup, [:arguments] do |task, args|
   arguments = args[:arguments].to_s.split
   force = arguments.include?("-f") ? "-f" : ""
 
-  Dir["script/source-setup/*"].each do |script|
+  Dir["script/source-setup/**/*"].each do |script|
+    next if File.directory?(script)
+
     # green
     puts "\033[32mRunning #{script}.\e[0m"
 
@@ -27,8 +30,7 @@ task :setup, [:arguments] do |task, args|
   end
 end
 
-sources_search = File.expand_path("lib/licensed/sources/*.rb", __dir__)
-sources = Dir[sources_search].map { |f| File.basename(f, ".*") }
+sources = Licensed::Sources::Source.sources.map { |source| source.full_type }
 
 namespace :test do
   sources.each do |source|

data/docs/adding_a_new_source.md

@@ -13,8 +13,37 @@ Dependency enumerators inherit and override the [`Licensed::Sources::Source`](..
 
 ### Optional method overrides
 
-1. `Licensed::Sources::Source.type`
-   - Returns the name of the current dependency enumerator as it is found in a licensed configuration file.
+1. `Licensed::Sources::Source.type_and_version`
+   - Returns the name, and optionally a version, of the current dependency enumerator as it is found in a licensed configuration file.  See [the method description](../lib/licensed/sources/source.rb#L38-L41) for more details
+
+### Implementing an enumerator for a new version of an existing source
+
+If a package manager introduces breaking changes, it can be easier to build a new implementation rather than making a single class work for all cases.  To enable seamless migration between source versions, the implementation for each version of the source enumerator should return the same `.type` and determine whether the version implementation should run in `#enabled?`.
+
+The sections below describe what was done when adding a new version for the `yarn` source.  Following these steps will make sure that the new version implementation follows the expected patterns for local development and test scenarios.
+
+#### Migrating the file structure for a single source enumerator to enable multiple source enumerator versions
+
+The following steps will migrate the source to the pattern expected for multi-version source enumerators.  
+
+The enumerators source code file is likely named to closely match the source enumerator, e.g. `lib/licensed/sources/yarn.rb`
+
+1. Create a new directory matching the name of the source and move the existing enumerator into the new folder with a version descriptive name, e.g. `lib/licensed/sources/yarn/v1.rb`
+1. Update the source enumerator class name to include a version identifier, e.g. `Licensed::Sources::Yarn::V1`
+1. Make similar changes for the source's [unit test fixtures](../test/fixtures), [unit test file](../test/sources) and [setup script](../scripts/source-setup), moving these files into subfolders and renaming the files to match the change in (1)
+   - Also be sure to update any references to old paths or class names
+1. If needed, update the source's `#type_and_version` to include a version value as a second array value
+   - If this isn't already set, the default implementation will return the type and version as the last two part names of the class name, snake cased and with a `/` delimeter,  e.g. `yarn/v1`
+1. Update the source's `#enabled?` method, adding a version check to ensure that the source only runs in the expected scenario
+1. Add a new generic source file in `lib/licensed/sources` that `require`s the new file, e.g. `lib/licensed/sources/yarn.rb`
+   - This is also an ideal spot to put shared code in a module that can be included in one or more versions of the source enumerator
+1. Update any references to the source in scripting and GitHub Actions automation to use the new versioned identifier, e.g. `yarn/v1` instead of the unversioned identifier.
+
+#### Adding a new implementation for the new version of the source
+
+1. Add the new implementation to the source's `lib/licensed/sources` subfolder.
+1. If there is shared code that can be reused between multiple source enumerator versions, put it in a module in the source's base file, e.g. `lib/licensed/sources/yarn.rb`.  Include the module in the version implementations.
+1. Ensure that the new version implementation checks for the expected source enumerator version in `#enabled?`
 
 ## Determining if dependencies should be enumerated
 
@@ -24,7 +53,7 @@ whether `Licensed::Source::Sources#enumerate_dependencies` should be called on t
 Determining whether dependencies should be enumerated depends on whether all the tools or files needed to find dependencies are present.
 For example, to enumerate `npm` dependencies the `npm` CLI tool must be found with `Licensed::Shell.tool_available?` and a `package.json` file needs to exist in the licensed app's configured [`source_path`](./configuration.md#configuration-paths).
 
-### Gating functionality when required tools are not available.
+### Gating functionality when required tools are not available
 
 When adding new dependency sources, ensure that `script/bootstrap` scripting and tests are only run if the required tooling is available on the development machine.
 

data/docs/commands/README.md

@@ -8,7 +8,7 @@ Run `licensed -h` to see help content for running licensed commands.
 - [migrate](migrate.md)
 - [notices](notices.md)
 - [status](status.md)
-- [version](verison.md)
+- [version](version.md)
 
 Most commands accept a `-c`/`--config` option to specify a path to a configuration file or directory. If a directory is specified, `licensed` will look in that directory for a file named (in order of preference):
 

data/docs/commands/status.md

@@ -39,30 +39,34 @@ The following data is reported for each dependency when the YAML or JSON report
 
 ### cached dependency record not found
 
-**Cause:** A dependency was found while running `licensed status` that does not have a corresponding cached metadata file
-**Resolution:** Run `licensed cache` to update the metadata cache and create the missing metadata file
+*Cause:* A dependency was found while running `licensed status` that does not have a corresponding cached metadata file
+
+*Resolution:* Run `licensed cache` to update the metadata cache and create the missing metadata file
 
 ### cached dependency record out of date
 
-**Cause:** A dependency was found while running `licensed status` with a different version than is contained in the dependency's cached metadata file
-**Resolution:** Run `licensed cache` to update the out-of-date metadata files
+*Cause:* A dependency was found while running `licensed status` with a different version than is contained in the dependency's cached metadata file
+
+*Resolution:* Run `licensed cache` to update the out-of-date metadata files
 
 ### missing license text
 
-**Cause:** A license determination was made, e.g. from package metadata, but no license text was found.
-**Resolution:** Manually verify whether the dependency includes a file containing license text.  If the dependency code that was downloaded locally does not contain the license text, please check the dependency source at the version listed in the dependency's cached metadata file to see if there is license text that can be used.
+*Cause:* A license determination was made, e.g. from package metadata, but no license text was found.
+
+*Resolution:* Manually verify whether the dependency includes a file containing license text.  If the dependency code that was downloaded locally does not contain the license text, please check the dependency source at the version listed in the dependency's cached metadata file to see if there is license text that can be used.
 
 If the dependency does not include license text but does specify that it uses a specific license, please copy the standard license text from a [well known source](https://opensource.org/licenses).
 
 ### license text has changed and needs re-review. if the new text is ok, remove the `review_changed_license` flag from the cached record
 
-**Cause:** A dependency that is set as [reviewed] in the licensed configuration file has substantially changed and should be re-reviewed.
-**Resolution:** Review the changes to the license text and classification, along with other metadata contained in the cached file for the dependency.  If the dependency is still allowable for use in your project, remove the `review_changed_license` key from the cached record file.
+*Cause:* A dependency that is set as [reviewed] in the licensed configuration file has substantially changed and should be re-reviewed.
+
+*Resolution:* Review the changes to the license text and classification, along with other metadata contained in the cached file for the dependency.  If the dependency is still allowable for use in your project, remove the `review_changed_license` key from the cached record file.
 
 ### license needs review
 
-**Cause:** A dependency is using a license that is not in the configured [allowed list of licenses][allowed], and the dependency has not been marked [ignored] or [reviewed].
-**Resolution:** Review the dependency's usage and specified license with someone familiar with OSS licensing and compliance rules to determine whether the dependency is allowable.  Some common resolutions:
+*Cause:* A dependency is using a license that is not in the configured [allowed list of licenses][allowed], and the dependency has not been marked [ignored] or [reviewed].
+*Resolution:* Review the dependency's usage and specified license with someone familiar with OSS licensing and compliance rules to determine whether the dependency is allowable.  Some common resolutions:
 
 1. The dependency's specified license text differed enough from the standard license text that it was not recognized and classified as `other`.  If, with human review, the license text is recognizable then update the `license: other` value in the cached metadata file to the correct license.
    - An updated classification will persist through version upgrades until the detected license contents have changed.  The determination is made by [licensee/licensee](https://github.com/licensee/licensee), the library which this tool uses to detect and classify license contents.

data/docs/sources/cargo.md

@@ -0,0 +1,19 @@
+# Cargo
+
+The cargo source will detect dependencies when `Cargo.toml` is found at an apps `source_path`.  The source uses the `cargo metadata` CLI and reports on all dependencies that are listed in the output in `resolve.nodes`, excluding packages that are listed in `workspace_members`.
+
+## Metadata CLI options
+
+Licensed by default runs `cargo metadata --format-version=1`.  You can specify additional CLI options by specifying them in your licensed configuration file under `cargo.metadata_options`.  The configuration can be set as a string, or as an array of strings for multiple options.
+
+```yml
+cargo:
+  metadata_options: '--all-features'
+```
+
+```yml
+cargo:
+  metadata_options:
+    - '--all-features'
+    - '--filter-platform x86_64-pc-windows-msvc'
+```

data/docs/sources/yarn.md

@@ -2,13 +2,14 @@
 
 The yarn source will detect dependencies when `package.json` and `yarn.lock` are found at an app's `source_path`.
 
-It uses `yarn list` to enumerate dependencies and `yarn info` to get metadata on each package.
+It uses the `yarn` CLI commands to enumerate dependencies and gather metadata on each package.
 
-### Including development dependencies
+## Including development dependencies
 
-Yarn versions < 1.3.0 will always include non-production dependencies due to a bug in those yarn versions.
+**Note** Yarn versions < 1.3.0 will always include non-production dependencies due to a bug in those versions of yarn.
+**Note** Yarn versions > 2.0 will always include non-production dependencies due to lack of filtering of production vs non-production dependencies in the yarn CLI.
 
-Starting with yarn version >= 1.3.0, the yarn source excludes non-production dependencies by default.  To include development and test dependencies, set `production_only: false` in `.licensed.yml`.
+For yarn versions between 1.3.0 and 2.0, the yarn source excludes non-production dependencies by default.  To include development and test dependencies in these versions, set `production_only: false` in `.licensed.yml`.
 
 ```yml
 yarn:

data/lib/licensed/reporters/status_reporter.rb

@@ -49,7 +49,7 @@ module Licensed
         errored_reports = all_reports.select { |r| r.errors.any? }.to_a
 
         dependency_count = all_reports.count { |r| r.target.is_a?(Licensed::Dependency) }
-        error_count = errored_reports.sum { |r| r.errors.size }
+        error_count = errored_reports.reduce(0) { |count, r| count + r.errors.size }
 
         if error_count > 0
           shell.newline

data/lib/licensed/sources/cargo.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Licensed
+  module Sources
+    class Cargo < Source
+      # Source is enabled when the cargo tool and Cargo.toml manifest file are available
+      def enabled?
+        return false unless Licensed::Shell.tool_available?("cargo")
+        config.pwd.join("Cargo.toml").exist?
+      end
+
+      def enumerate_dependencies
+        packages.map do |package|
+          Dependency.new(
+            name: "#{package["name"]}-#{package["version"]}",
+            version: package["version"],
+            path: File.dirname(package["manifest_path"]),
+            metadata: {
+              "name" => package["name"],
+              "type" => Cargo.type,
+              "summary" => package["description"],
+              "homepage" => package["homepage"]
+            }
+          )
+        end
+      end
+
+      # Returns the package data for all dependencies used to build the current package
+      def packages
+        cargo_metadata_resolved_node_ids.map { |id| cargo_metadata_packages[id] }
+      end
+
+      # Returns the ids of all resolved nodes used to build the current package
+      def cargo_metadata_resolved_node_ids
+        cargo_metadata.dig("resolve", "nodes")
+                      .map { |node| node["id"] }
+                      .reject { |id| cargo_metadata_workspace_members.include?(id) }
+
+      end
+
+      # Returns a hash of id => package pairs sourced from the "packages" cargo metadata property
+      def cargo_metadata_packages
+        @cargo_metadata_packages ||= cargo_metadata["packages"].each_with_object({}) do |package, hsh|
+          hsh[package["id"]] = package
+        end
+      end
+
+      # Returns a set of the ids of packages in the current workspace
+      def cargo_metadata_workspace_members
+        @cargo_metadata_workspace_members ||= Set.new(Array(cargo_metadata["workspace_members"]))
+      end
+
+      # Returns parsed JSON metadata returned from the cargo CLI
+      def cargo_metadata
+        @cargo_metadata ||= JSON.parse(cargo_metadata_command)
+      rescue JSON::ParserError => e
+        message = "Licensed was unable to parse the output from 'cargo metadata'. JSON Error: #{e.message}"
+        raise Licensed::Sources::Source::Error, message
+      end
+
+      # Runs a command to get cargo metadata for the current package
+      def cargo_metadata_command
+        options = Array(config.dig("cargo", "metadata_options")).flat_map(&:split)
+        Licensed::Shell.execute("cargo", "metadata", "--format-version=1", *options)
+      end
+    end
+  end
+end

data/lib/licensed/sources/manifest.rb

@@ -61,7 +61,7 @@ module Licensed
         manifest.each_with_object({}) do |(src, package_name), hsh|
           next if src.nil? || src.empty?
           hsh[package_name] ||= []
-          hsh[package_name] << File.join(config.root, src)
+          hsh[package_name] << File.absolute_path(src, config.root)
         end
       end
 
@@ -130,19 +130,17 @@ module Licensed
         @configured_dependencies ||= begin
           dependencies = config.dig("manifest", "dependencies")&.dup || {}
 
-          dependencies.each do |name, patterns|
+          dependencies.each_with_object({}) do |(name, patterns), hsh|
             # map glob pattern(s) listed for the dependency to a listing
             # of files that match the patterns and are not excluded
-            dependencies[name] = files_from_pattern_list(patterns) & included_files
+            hsh[name] = files_from_pattern_list(patterns) & included_files
           end
-
-          dependencies
         end
       end
 
       # Returns the set of project files that are included in dependency evaluation
       def included_files
-        @sources ||= all_files - files_from_pattern_list(config.dig("manifest", "exclude"))
+        @included_files ||= tracked_files - files_from_pattern_list(config.dig("manifest", "exclude"))
       end
 
       # Finds and returns all files in the project that match
@@ -151,26 +149,23 @@ module Licensed
         return Set.new if patterns.nil? || patterns.empty?
 
         # evaluate all patterns from the project root
-        Dir.chdir config.root do
-          Array(patterns).reduce(Set.new) do |files, pattern|
-            if pattern.start_with?("!")
-              # if the pattern is an exclusion, remove all matching files
-              # from the result
-              files - Dir.glob(pattern[1..-1], File::FNM_DOTMATCH)
-            else
-              # if the pattern is an inclusion, add all matching files
-              # to the result
-              files + Dir.glob(pattern, File::FNM_DOTMATCH)
-            end
+        Array(patterns).each_with_object(Set.new) do |pattern, files|
+          if pattern.start_with?("!")
+            # if the pattern is an exclusion, remove all matching files
+            # from the result
+            files.subtract(Dir.glob(pattern[1..-1], File::FNM_DOTMATCH, base: config.root))
+          else
+            # if the pattern is an inclusion, add all matching files
+            # to the result
+            files.merge(Dir.glob(pattern, File::FNM_DOTMATCH, base: config.root))
           end
         end
       end
 
-      # Returns all tracked files in the project
-      def all_files
-        # remove files if they are tracked but don't exist on the file system
-        @all_files ||= Set.new(Licensed::Git.files || [])
-                          .delete_if { |f| !File.exist?(File.join(Licensed::Git.repository_root, f)) }
+      # Returns all tracked files in the project as the intersection of what git tracks and the files in the project
+      def tracked_files
+        @tracked_files ||= Set.new(Array(Licensed::Git.files)) &
+                           Set.new(Dir.glob("**/*", File::FNM_DOTMATCH, base: config.root))
       end
 
       class Dependency < Licensed::Dependency

data/lib/licensed/sources/npm.rb

@@ -23,10 +23,6 @@ module Licensed
         end
       end
 
-      def self.type
-        "npm"
-      end
-
       def enabled?
         Licensed::Shell.tool_available?("npm") && File.exist?(config.pwd.join("package.json"))
       end
@@ -66,15 +62,17 @@ module Licensed
 
       # Recursively parse dependency JSON data.  Returns a hash mapping the
       # package name to it's metadata
-      def recursive_dependencies(dependencies, result = {})
+      def recursive_dependencies(dependencies, result = {}, parent = nil)
         dependencies.each do |name, dependency|
-          next if dependency["peerMissing"]
+          next if missing_peer?(parent, dependency, name)
           next if yarn_lock_present && dependency["missing"]
           next if dependency["extraneous"] && dependency["missing"]
 
           dependency["name"] = name
+          dependency["version"] ||= extract_version(parent, name) if dependency["missing"]
+
           (result[name] ||= []) << dependency
-          recursive_dependencies(dependency["dependencies"] || {}, result)
+          recursive_dependencies(dependency["dependencies"] || {}, result, dependency)
         end
         result
       end
@@ -135,6 +133,18 @@ module Licensed
       def include_non_production?
         config.dig("npm", "production_only") == false
       end
+
+      def missing_peer?(parent, dependency, name)
+        dependency["peerMissing"] || (dependency["missing"] && peer_dependency(parent, name))
+      end
+
+      def peer_dependency(parent, name)
+        parent&.dig("peerDependencies", name)
+      end
+
+      def extract_version(parent, name)
+        parent&.dig("_dependencies", name) || peer_dependency(parent, name)
+      end
     end
   end
 end

data/lib/licensed/sources/nuget.rb

@@ -7,8 +7,8 @@ module Licensed
     # Only supports ProjectReference (project.assets.json) style restore used in .NET Core.
     # Does not currently support packages.config style restore.
     class NuGet < Source
-      def self.type
-        "nuget"
+      def self.type_and_version
+        ["nuget"]
       end
 
       class NuGetDependency < Licensed::Dependency

data/lib/licensed/sources/source.rb

@@ -19,13 +19,32 @@ module Licensed
           (@sources ||= []) << klass
         end
 
-        # Returns the source name as the snake cased class name
+        # Returns the source name as the first snake cased class or module name
+        # following "Licensed::Sources::".  This is the type that is included
+        # in metadata files and cache paths.
+        # e.g. for `Licensed::Sources::Yarn::V1`, this returns "yarn"
         def type
-          self.name.split(/::/)
-                   .last
+          type_and_version[0]
+        end
+
+        # Returns the source name as a "/" delimited string of all the module and
+        # class names following "Licensed::Sources::".  This is the type that is
+        # used to distinguish multiple versions of a sources from each other.
+        # e.g. for `Licensed::Sources::Yarn::V1`, this returns `yarn/v1`
+        def full_type
+          type_and_version.join("/")
+        end
+
+        # Returns an array that includes the source's type name at the first index, and
+        # optionally a version string for the source as the second index.
+        # Callers should override this function and not `type` or `full_type` when
+        # needing to adjust the default type and version parsing logic
+        def type_and_version
+          self.name.gsub("#{Licensed::Sources.name}::", "")
                    .gsub(/([A-Z\d]+)([A-Z][a-z])/, "\\1_\\2".freeze)
                    .gsub(/([a-z\d])([A-Z])/, "\\1_\\2".freeze)
                    .downcase
+                   .split("::")
         end
       end
 

data/lib/licensed/sources/yarn/berry.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+require "json"
+
+module Licensed
+  module Sources
+    class Yarn::Berry < Source
+      include Licensed::Sources::Yarn
+
+      def self.version_requirement
+        Gem::Requirement.new(">= 2.0")
+      end
+
+      def enumerate_dependencies
+        packages.map do |name, package|
+          Dependency.new(
+            name: name,
+            version: package["version"],
+            path: package["path"],
+            metadata: {
+              "type"     => self.class.type,
+              "name"     => package["name"],
+              "homepage" => package["homepage"]
+            }
+          )
+        end
+      end
+
+      # Finds packages that the current project relies on based on the output from `yarn info`
+      def packages
+        # parse all lines of output to json and find one that is "type": "tree"
+        yarn_info = JSON.parse("[#{yarn_info_command.lines.join(",")}]")
+        mapped_packages = yarn_info.reduce({}) do |accum, package|
+          name, _ = package["value"].rpartition("@")
+          version = package.dig("children", "Version")
+          id = "#{name}-#{version}"
+
+          accum[name] ||= []
+          accum[name] << {
+            "id" => id,
+            "name" => name,
+            "version" => version,
+            "homepage" => package.dig("children", "Manifest", "Homepage"),
+            "path" => dependency_paths[id]
+          }
+          accum
+        end
+
+        mapped_packages.each_with_object({}) do |(name, results), hsh|
+          results.uniq! { |package| package["version"] }
+          if results.size == 1
+            # if there is only one package for a name, reference it by name
+            hsh[name] = results[0]
+          else
+            # if there is more than one package for a name, reference each by id
+            results.each do |package|
+              hsh[package["id"]] = package
+            end
+          end
+        end
+      end
+
+      # Returns a hash that maps all dependency names to their location on disk
+      # by parsing every package.json file under node_modules.
+      def dependency_paths
+        @dependency_paths ||= Dir.glob(config.pwd.join("node_modules/**/package.json")).each_with_object({}) do |file, hsh|
+          begin
+            dirname = File.dirname(file)
+            json = JSON.parse(File.read(file))
+            hsh["#{json["name"]}-#{json["version"]}"] = dirname
+          rescue JSON::ParserError
+            # don't crash execution if there is a problem parsing a package.json file
+            # if the bad package.json file relates to a package that licensed should be reporting on
+            # then this will still result in an error about a missing package
+          end
+        end
+      end
+
+      # Returns the output from running `yarn list` to get project dependencies
+      def yarn_info_command
+        args = %w(--json --manifest --recursive --all)
+        Licensed::Shell.execute("yarn", "info", *args)
+      end
+    end
+  end
+end