npm - ohrisk - Versions diffs - 0.127.1 → 0.128.0 - Mend

ohrisk 0.127.1 → 0.128.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,19 @@
 # Changelog
+## 0.128.0 - 2026-06-20
+### Added
+- Yarn Berry `yarn.lock` files are now parsed alongside Yarn classic lockfiles,
+  including `npm:` protocol descriptors, patched npm packages, and workspace
+  package roots.
+### Fixed
+- Real-world Yarn workspace scans now ignore local `workspace:` packages as npm
+  package evidence while still scanning each workspace package manifest as a
+  dependency root.
 ## 0.127.1 - 2026-06-20
 ### Fixed

package/README.md CHANGED Viewed

@@ -62,18 +62,18 @@ Ohrisk is distributed as an npm package, and the packaged CLI runs on Node.js
 `>=20.0.0`. Bun is used for Ohrisk development, tests, and packaging, but users
 do not need Bun installed to run the published CLI.
-Ohrisk scans Bun, npm package-lock/shrinkwrap, pnpm, Deno npm, and Yarn v1
+Ohrisk scans Bun, npm package-lock/shrinkwrap, pnpm, Deno npm, and Yarn
 lockfiles regardless of which package manager you use to install the CLI.
 ## Current Scope
 The current implementation is the first npm-style vertical slice:
-- Bun `bun.lock`, npm `package-lock.json`, npm `npm-shrinkwrap.json`, pnpm `pnpm-lock.yaml`, Deno `deno.lock`, and Yarn v1 `yarn.lock` project discovery
+- Bun `bun.lock`, npm `package-lock.json`, npm `npm-shrinkwrap.json`, pnpm `pnpm-lock.yaml`, Deno `deno.lock`, and Yarn classic/Berry `yarn.lock` project discovery
 - Node-compatible packaged CLI entrypoint for npm, pnpm, Yarn, npx, pnpm dlx, and yarn dlx users
 - explicit lockfile selection with `--lockfile <path>` for projects that contain more than one supported lockfile
 - direct and transitive dependency graph extraction
-- Bun, npm, pnpm, and Yarn v1 workspace projects are scanned from every workspace/importer package root
+- Bun, npm, pnpm, and Yarn classic/Berry workspace projects are scanned from every workspace/importer package root
 - Deno `deno.lock` projects are scanned for npm package dependencies recorded in `npm:` specifiers; remote URL imports and JSR packages are not scanned yet
 - npm alias dependency resolution, including pnpm alias package keys, with alias context preserved in dependency paths
 - production, development, optional, and peer dependency classification
@@ -159,7 +159,7 @@ Supported lockfiles:
 - `npm-shrinkwrap.json` with the same package-lock parser support
 - `pnpm-lock.yaml` with `importers`, `packages`, and `snapshots` sections
 - `deno.lock` npm package entries from Deno v3/v4-style lockfiles
-- Yarn v1 `yarn.lock` with root and workspace dependency sets from `package.json` manifests
+- Yarn classic/Berry `yarn.lock` with root and workspace dependency sets from `package.json` manifests
 Select a specific lockfile when a project contains more than one supported lockfile:

package/dist/cli.js CHANGED Viewed

@@ -15175,7 +15175,7 @@ function parseDiffArgs(argv) {
 }
 // src/cli/version.ts
-var OHRISK_VERSION = "0.127.1";
+var OHRISK_VERSION = "0.128.0";
 // src/diff/compare.ts
 function diffRiskFindings(input) {
@@ -17266,6 +17266,17 @@ function resolveNpmDependencyReference(requestedName, range) {
       aliased: alias.name !== requestedName
     };
   }
+  if (range.startsWith("npm:")) {
+    const bareRange = range.slice("npm:".length);
+    if (bareRange !== "") {
+      return {
+        requestedName,
+        lookupName: requestedName,
+        lookupRange: bareRange,
+        aliased: false
+      };
+    }
+  }
   return {
     requestedName,
     lookupName: requestedName,
@@ -19141,17 +19152,20 @@ function readPackageName2(packageJson) {
   return typeof packageJson.name === "string" && packageJson.name !== "" ? packageJson.name : undefined;
 }
 function parseLockfile(input, lockfilePath) {
+  if (hasMergeConflictMarkers(input)) {
+    return err(createError({
+      code: "YARN_LOCK_PARSE_FAILED",
+      category: "unsupported_input",
+      message: "Failed to parse yarn.lock because it contains unresolved merge conflicts.",
+      details: {
+        lockfilePath
+      }
+    }));
+  }
+  if (isYarnBerryLockfile(input)) {
+    return parseBerryLockfile(input, lockfilePath);
+  }
   try {
-    if (hasMergeConflictMarkers(input)) {
-      return err(createError({
-        code: "YARN_LOCK_PARSE_FAILED",
-        category: "unsupported_input",
-        message: "Failed to parse yarn.lock because it contains unresolved merge conflicts.",
-        details: {
-          lockfilePath
-        }
-      }));
-    }
     const parsed = yarnLockfile.parse(input);
     if (parsed.type === "conflict") {
       return err(createError({
@@ -19163,12 +19177,47 @@ function parseLockfile(input, lockfilePath) {
         }
       }));
     }
-    return ok(parsed.object);
+    return ok({
+      format: "classic",
+      entries: parsed.object
+    });
+  } catch (cause) {
+    return err(createError({
+      code: "YARN_LOCK_PARSE_FAILED",
+      category: "unsupported_input",
+      message: "Failed to parse yarn.lock. Ohrisk expects a Yarn classic or Berry lockfile.",
+      details: {
+        lockfilePath,
+        cause: cause instanceof Error ? cause.message : String(cause)
+      }
+    }));
+  }
+}
+function isYarnBerryLockfile(input) {
+  return /^__metadata:\s*$/m.test(input);
+}
+function parseBerryLockfile(input, lockfilePath) {
+  try {
+    const parsed = $parse(input);
+    if (!isObjectRecord8(parsed)) {
+      throw new Error("Expected a YAML mapping at the document root.");
+    }
+    const entries = {};
+    for (const [key, value] of Object.entries(parsed)) {
+      if (key === "__metadata" || !isObjectRecord8(value)) {
+        continue;
+      }
+      entries[key] = value;
+    }
+    return ok({
+      format: "berry",
+      entries
+    });
   } catch (cause) {
     return err(createError({
       code: "YARN_LOCK_PARSE_FAILED",
       category: "unsupported_input",
-      message: "Failed to parse yarn.lock. Ohrisk currently supports Yarn v1 lockfiles.",
+      message: "Failed to parse Yarn Berry lockfile.",
       details: {
         lockfilePath,
         cause: cause instanceof Error ? cause.message : String(cause)
@@ -19181,12 +19230,12 @@ function hasMergeConflictMarkers(input) {
 }
 function parsePackageRecords4(lockfile) {
   const records = [];
-  for (const [key, entry] of Object.entries(lockfile)) {
+  for (const [key, entry] of Object.entries(lockfile.entries)) {
     if (typeof entry.version !== "string" || entry.version === "") {
       continue;
     }
     const descriptors = splitDescriptorKey(key);
-    const identity2 = descriptors.map(parseDescriptor).find(Boolean);
+    const identity2 = lockfile.format === "berry" ? readBerryPackageIdentity({ key, entry }) : descriptors.map(parseDescriptor).find(Boolean);
     if (!identity2) {
       continue;
     }
@@ -19194,7 +19243,10 @@ function parsePackageRecords4(lockfile) {
     const integrity = typeof entry.integrity === "string" && entry.integrity !== "" ? entry.integrity : undefined;
     records.push({
       key,
-      descriptors,
+      descriptors: descriptorIndexKeys({
+        descriptors,
+        format: lockfile.format
+      }),
       name: identity2.name,
       version: entry.version,
       id: `${identity2.name}@${entry.version}`,
@@ -19208,8 +19260,26 @@ function parsePackageRecords4(lockfile) {
 function splitDescriptorKey(key) {
   return key.split(/,\s*/).map((descriptor) => descriptor.trim()).filter(Boolean);
 }
+function descriptorIndexKeys(input) {
+  const keys = new Set;
+  for (const descriptor of input.descriptors) {
+    const unquoted = unquoteDescriptor(descriptor);
+    keys.add(unquoted);
+    const parsed = input.format === "berry" ? parseBerryDescriptor(unquoted) : parseDescriptor(unquoted);
+    if (!parsed) {
+      continue;
+    }
+    keys.add(`${parsed.name}@${parsed.range}`);
+    keys.add(`${parsed.name}@npm:${parsed.range}`);
+  }
+  return [...keys];
+}
 function parseDescriptor(descriptor) {
-  const unquoted = descriptor.replace(/^"|"$/g, "");
+  const unquoted = unquoteDescriptor(descriptor);
+  const berryDescriptor = parseBerryDescriptor(unquoted);
+  if (berryDescriptor) {
+    return berryDescriptor;
+  }
   const aliasMarker = "@npm:";
   const aliasIndex = unquoted.indexOf(aliasMarker);
   if (aliasIndex > 0) {
@@ -19225,6 +19295,89 @@ function parseDescriptor(descriptor) {
   }
   return { name: parsed.name, range: parsed.reference };
 }
+function parseBerryDescriptor(descriptor) {
+  const npmLocator = parseBerryNpmLocator(descriptor);
+  if (npmLocator) {
+    const alias = parseNpmPackageReference(`npm:${npmLocator.reference}`);
+    return alias ? { name: alias.name, range: alias.reference } : { name: npmLocator.name, range: npmLocator.reference };
+  }
+  const patchLocator = parseBerryPatchLocator(descriptor);
+  if (patchLocator) {
+    return patchLocator;
+  }
+  return;
+}
+function readBerryPackageIdentity(input) {
+  const resolution = typeof input.entry.resolution === "string" ? input.entry.resolution : undefined;
+  const parsedResolution = resolution ? parseBerryResolution(resolution) : undefined;
+  if (parsedResolution) {
+    return parsedResolution;
+  }
+  const descriptorIdentity = splitDescriptorKey(input.key).map((descriptor) => parseBerryDescriptor(unquoteDescriptor(descriptor))).find(Boolean);
+  return descriptorIdentity ? { name: descriptorIdentity.name, version: descriptorIdentity.range } : undefined;
+}
+function parseBerryResolution(value) {
+  const unquoted = unquoteDescriptor(value);
+  const npmLocator = parseBerryNpmLocator(unquoted);
+  if (npmLocator) {
+    return {
+      name: npmLocator.name,
+      version: npmLocator.reference
+    };
+  }
+  const patchLocator = parseBerryPatchLocator(unquoted);
+  if (patchLocator) {
+    return {
+      name: patchLocator.name,
+      version: patchLocator.range
+    };
+  }
+  return;
+}
+function parseBerryNpmLocator(value) {
+  const marker = "@npm:";
+  const index = value.indexOf(marker);
+  if (index <= 0) {
+    return;
+  }
+  const name = value.slice(0, index);
+  const reference = value.slice(index + marker.length);
+  if (!isValidNpmPackageName(name) || reference === "") {
+    return;
+  }
+  return { name, reference };
+}
+function parseBerryPatchLocator(value) {
+  const marker = "@patch:";
+  const index = value.indexOf(marker);
+  if (index <= 0) {
+    return;
+  }
+  const patchedLocator = value.slice(index + marker.length).split("#")[0]?.split("::")[0];
+  if (!patchedLocator) {
+    return;
+  }
+  const decodedLocator = safeDecodeURIComponent(patchedLocator);
+  const npmLocator = parseBerryNpmLocator(decodedLocator);
+  if (!npmLocator) {
+    return;
+  }
+  const alias = parseNpmPackageReference(`npm:${npmLocator.reference}`);
+  return alias ? { name: alias.name, range: alias.reference } : { name: npmLocator.name, range: npmLocator.reference };
+}
+function safeDecodeURIComponent(value) {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+}
+function unquoteDescriptor(value) {
+  return value.replace(/^"|"$/g, "");
+}
+function isValidNpmPackageName(value) {
+  return /^(?:@[^/]+\/)?[^/@][^@]*$/.test(value);
+}
 function collectRootDependencies5(packageJson) {
   return [
     ...dependencyEntries4(packageJson.dependencies, "production"),
@@ -19277,10 +19430,28 @@ function indexPackagesByName3(records) {
   return index;
 }
 function resolvePackageRecord4(input) {
-  const descriptor = `${input.name}@${input.range}`;
   const reference = resolveNpmDependencyReference(input.name, input.range);
   const candidates = input.nameIndex.get(reference.lookupName) ?? [];
-  return input.descriptorIndex.get(descriptor) ?? (candidates.length === 1 ? candidates[0] : undefined) ?? candidates.find((candidate) => candidate.version === reference.lookupRange) ?? undefined;
+  return dependencyDescriptorCandidates({
+    name: input.name,
+    range: input.range,
+    reference
+  }).map((descriptor) => input.descriptorIndex.get(descriptor)).find((record) => record !== undefined) ?? (candidates.length === 1 ? candidates[0] : undefined) ?? candidates.find((candidate) => candidate.version === reference.lookupRange) ?? undefined;
+}
+function dependencyDescriptorCandidates(input) {
+  const candidates = new Set;
+  candidates.add(`${input.name}@${input.range}`);
+  candidates.add(`${input.reference.lookupName}@${input.reference.lookupRange}`);
+  candidates.add(`${input.name}@npm:${input.range}`);
+  candidates.add(`${input.reference.lookupName}@npm:${input.reference.lookupRange}`);
+  if (input.range.startsWith("npm:")) {
+    const bareRange = input.range.slice("npm:".length);
+    candidates.add(`${input.name}@${bareRange}`);
+    candidates.add(`${input.name}@npm:${bareRange}`);
+    candidates.add(`${input.reference.lookupName}@${bareRange}`);
+    candidates.add(`${input.reference.lookupName}@npm:${bareRange}`);
+  }
+  return [...candidates].filter((candidate) => !candidate.endsWith("@"));
 }
 function walkDependency5(input) {
   if (input.seen.has(input.record.key)) {
@@ -21200,7 +21371,7 @@ var KNOWN_PROJECT_MANIFESTS = [
   "deno.json",
   "deno.jsonc"
 ];
-var SUPPORTED_LOCKFILE_MESSAGE = "Ohrisk currently supports bun.lock, package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, deno.lock, and Yarn v1 yarn.lock.";
+var SUPPORTED_LOCKFILE_MESSAGE = "Ohrisk currently supports bun.lock, package-lock.json, npm-shrinkwrap.json, pnpm-lock.yaml, deno.lock, and Yarn classic/Berry yarn.lock.";
 function discoverProject(options = {}) {
   const startDir = path12.resolve(options.cwd ?? process.cwd());
   try {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ohrisk",
-  "version": "0.127.1",
+  "version": "0.128.0",
   "description": "Catch open-source license risk before your PR ships.",
   "license": "MIT",
   "type": "module",