Skip to content

Add yarn.lock support (classic v1 and berry)#16

Merged
ejntaylor merged 1 commit into
mainfrom
ejntaylor/yarn-support
May 21, 2026
Merged

Add yarn.lock support (classic v1 and berry)#16
ejntaylor merged 1 commit into
mainfrom
ejntaylor/yarn-support

Conversation

@ejntaylor
Copy link
Copy Markdown
Contributor

@ejntaylor ejntaylor commented May 19, 2026

Summary

  • Adds a zero-dep parser for yarn.lock covering both yarn classic (v1, version "x" field syntax) and yarn berry (v2+, YAML-style version: x with __metadata header and npm: protocol descriptors).
  • Handles multi-descriptor blocks ("axios@^1.6.0", "axios@~1.6.0":), quoted-comma edge cases, scoped names, and dedupes blocks that resolve to the same name@version.
  • Direct-vs-transitive marking cross-references the sibling package.json (yarn's lockfile, unlike pnpm v9's, doesn't record an importer manifest). Missing or unreadable package.json leaves entries unmarked rather than failing the scan.
  • Detection priority is now npm > pnpm > yarn > bun, matching what each package manager itself prefers when multiple lockfiles are present — important for in-progress migrations.

Stacked on pnpm PR

Based on #15 so the diff here only shows yarn changes. GitHub will auto-retarget to main when #15 merges.

Test plan

  • npm run typecheck — clean
  • npm test — 88/88 pass (21 new yarn tests; pnpm tests still green)
  • npm run build — bundles updated dist/
  • Manual: run npx @patchstack/connect scan --dry-run against a real yarn classic project (e.g. a Next.js app generated with yarn create next-app)
  • Manual: same against a yarn berry / PnP project, confirm direct deps from package.json are flagged

🤖 Generated with Claude Code

@coderbuds
Copy link
Copy Markdown

coderbuds Bot commented May 19, 2026
edited
Loading

Comprehensive yarn.lock parser added with extensive test coverage.

🎯 Quality: 86% Excellent · 📦 Size: Oversized — strongly consider breaking this down

📈 This month: Your 100th PR — above team average · Averaging Good

See how your team is trending →

@ejntaylor
Copy link
Copy Markdown
Contributor Author

ejntaylor commented May 19, 2026

/review

Base automatically changed from ejntaylor/brisbane-v1 to main May 20, 2026 08:00
@ejntaylor ejntaylor force-pushed the ejntaylor/yarn-support branch from d042e10 to a74a6f1 Compare May 21, 2026 10:41
@ejntaylor
Copy link
Copy Markdown
Contributor Author

ejntaylor commented May 21, 2026

/review

@ejntaylor @claude
Add yarn.lock parser (yarn classic v1 and berry v2+)
be0c97e 
Yarn is the last of the four major Node package managers we didn't yet
read. This adds a zero-dep parser that handles both yarn classic
(`version "x"`) and yarn berry (`version: x`, `__metadata` header, `npm:`
descriptors) by walking the shared block structure and only branching on
the value syntax.

Yarn's lockfile, unlike pnpm v9's, doesn't record an importer manifest,
so direct-vs-transitive marking is cross-referenced against the sibling
`package.json`. Absent or unreadable package.json leaves all entries
unmarked rather than failing the scan.

Detection priority is npm > pnpm > yarn > bun, so a yarn migration in
progress with multiple lockfiles still resolves deterministically and
matches what the package manager itself would prefer.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@ejntaylor ejntaylor force-pushed the ejntaylor/yarn-support branch from a74a6f1 to be0c97e Compare May 21, 2026 10:51
@ejntaylor ejntaylor merged commit 249acf2 into main May 21, 2026
4 checks passed
@ejntaylor ejntaylor deleted the ejntaylor/yarn-support branch May 21, 2026 10:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mariojgt mariojgt mariojgt approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ejntaylor @mariojgt