Fix: Correctly parse v3 lockfiles

.changeset/kind-llamas-cough.md

@@ -0,0 +1,5 @@
+---
+"modular-scripts": patch
+---
+
+Correctly parse v3 lockfiles for `modular analyze`

packages/modular-scripts/package.json

@@ -31,6 +31,8 @@
     "@svgr/webpack": "5.5.0",
     "@types/micromatch": "4.0.2",
     "@types/semver-regex": "3.1.0",
+    "@types/yarnpkg__lockfile": "^1.1.5",
+    "@yarnpkg/lockfile": "^1.1.0",
     "address": "1.2.0",
     "babel-jest": "26.6.3",
     "babel-preset-react-app": "10.0.1",
@@ -104,7 +106,6 @@
     "semver": "7.3.7",
     "semver-regex": "3.1.3",
     "shell-quote": "1.7.3",
-    "snyk-nodejs-lockfile-parser": "^1.38.0",
     "source-map-support": "0.5.21",
     "strip-ansi": "6.0.0",
     "style-loader": "3.3.1",

packages/modular-scripts/src/utils/getPackageDependencies.ts

@@ -1,14 +1,17 @@
 import * as path from 'path';
 import * as fs from 'fs-extra';
 import { Project } from 'ts-morph';
-import { buildDepTree, LockfileType } from 'snyk-nodejs-lockfile-parser';
+import * as lockfile from '@yarnpkg/lockfile';
+import * as yaml from 'js-yaml';
+
 import type { CoreProperties, Dependency } from '@schemastore/package';
 import getModularRoot from './getModularRoot';
 import getLocation from './getLocation';
 import getWorkspaceInfo from './getWorkspaceInfo';
 import * as logger from './logger';
 
 type DependencyManifest = NonNullable<CoreProperties['dependencies']>;
+type LockFileEntries = Record<string, { version: string }>;
 
 const npmPackageMatcher =
   /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*/;
@@ -42,9 +45,8 @@ function getDependenciesFromSource(workspaceLocation: string) {
 export async function getPackageDependencies(
   target: string,
 ): Promise<{ manifest: DependencyManifest; resolutions: DependencyManifest }> {
-  /* This function is based on the assumption that nested package are not supported, so dependencies can be either declared in the
-   * target's package.json or hoisted up to the workspace root.
-   */
+  // This function is based on the assumption that nested package are not supported, so dependencies can be either declared in the
+  // target's package.json or hoisted up to the workspace root.
   const targetLocation = await getLocation(target);
   const workspaceInfo = getWorkspaceInfo();
 
@@ -69,26 +71,7 @@ export async function getPackageDependencies(
     targetManifest.dependencies,
   ) as Dependency;
 
-  const lockDeps = await buildDepTree(
-    // Build a dependency tree from the lockfile, using target dependencies and root dependencies in order of specificity
-    JSON.stringify(
-      Object.assign(Object.create(null), targetManifest, {
-        dependencies: Object.assign(
-          Object.create(null),
-          rootManifest.dependencies,
-          targetManifest.dependencies,
-        ) as Dependency,
-        devDependencies: Object.assign(
-          Object.create(null),
-          rootManifest.devDependencies,
-          targetManifest.devDependencies,
-        ) as Dependency,
-      }),
-    ),
-    lockFile,
-    true,
-    LockfileType.yarn,
-  );
+  const lockDeps = parseYarnLock(lockFile, deps);
 
   /* Get dependencies from package.json (regular), root package.json (hoisted) or pinned version in lockfile (resolution)
    * Exclude workspace dependencies. Warn if a dependency is imported in the source code
@@ -104,7 +87,7 @@ export async function getPackageDependencies(
             `Package ${depName} imported in ${target} source but not found in package dependencies or hoisted dependencies - this will prevent you from successfully build, start or move esm-views and will cause an error in the next release of modular`,
           );
         }
-        const resolutionVersion = lockDeps.dependencies[depName].version;
+        const resolutionVersion = lockDeps[depName];
         if (!resolutionVersion) {
           logger.error(
             `Package ${depName} imported in ${target} source but not found in lockfile - this will prevent you from successfully build, start or move esm-views and will cause an error in the next release of modular. Have you installed your dependencies?`,
@@ -120,3 +103,46 @@ export async function getPackageDependencies(
     );
   return { manifest, resolutions };
 }
+
+function parseYarnLock(lockFile: string, deps: Dependency): Dependency {
+  return parseYarnLockV1(lockFile, deps) || parseYarnLockV3(lockFile, deps);
+}
+
+function parseYarnLockV1(
+  lockFile: string,
+  deps: Dependency,
+): Dependency | null {
+  try {
+    const parsedLockfile = lockfile.parse(lockFile);
+    return Object.entries(deps).reduce<Record<string, string>>(
+      (acc, [name, version]) => {
+        acc[name] = (parsedLockfile.object as LockFileEntries)[
+          `${name}@${version}`
+        ].version;
+        return acc;
+      },
+      {},
+    );
+  } catch (e) {
+    return null;
+  }
+}
+
+function parseYarnLockV3(lockFile: string, deps: Dependency): Dependency {
+  const dependencyArray = Object.entries(deps);
+  // This function loops over all the dependency ranges listed in the lockfile and tries to match the given dependencies with an exact version.
+  return Object.entries(
+    yaml.load(lockFile) as LockFileEntries,
+  ).reduce<Dependency>((acc, [name, { version }]) => {
+    // Yarn v3 lockfile comes with keys like "'yargs@npm:^15.0.2, yargs@npm:^15.1.0, yargs@npm:^15.3.1, yargs@npm:^15.4.1'" - split them
+    const entryDependencies = name.split(', ');
+    for (const [dependencyName, dependencyVersion] of dependencyArray) {
+      if (
+        entryDependencies.includes(`${dependencyName}@npm:${dependencyVersion}`)
+      ) {
+        acc[dependencyName] = version;
+      }
+    }
+    return acc;
+  }, {});
+}