
Add support for pnpm lockfile v6

Open annaowens opened this issue 1 year ago • 12 comments

pnpm version 8 includes an upgrade to lockfile version 6, but we currently only support up to pnpm lockfile v5.

Since we are unable to accurately parse the lockfile v6, we are not correctly detecting development dependencies for pnpm v8.

We need to update our pnpm detector to handle the new v6 lockfile. At the time of writing this issue, there isn't documentation on the lockfile v6 format: https://github.com/pnpm/spec/issues/4.

This is a similar issue to #476 -- we've already seen the same problem with NPM lockfile v3.

AB#2121069

annaowens avatar Apr 11 '23 17:04 annaowens
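The issue above is about the lockfile key format changing between pnpm lockfile v5 and v6, and the `dev` flag on each entry under `packages:` being what tells a detector whether a component is a development dependency. The following is an added, stand-alone illustration (not code from component-detection or from pnpm) of how those two versions differ when a detector splits a package key into name, version and peer-dependency suffix. It assumes the v5 shape `/name/version[_peers]` and the v6 shape `/name@version[(peers)]` as described in the pnpm spec linked in this thread; the lockfile excerpt and the integrity values in it are constructed placeholders, and only a line-oriented subset of YAML is handled so that the example needs no third-party parser.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed excerpt of a pnpm lockfile v6 (placeholder integrity hashes).
# Not taken from any real project; the shape follows the v6 spec.
LOCKFILE_V6 = """\
lockfileVersion: '6.0'

dependencies:
  lodash:
    specifier: ^4.17.21
    version: 4.17.21

devDependencies:
  '@types/node':
    specifier: ^18.0.0
    version: 18.0.0
  typescript:
    specifier: ^5.0.0
    version: 5.0.4

packages:

  /@types/node@18.0.0:
    resolution: {integrity: sha512-PLACEHOLDER}
    dev: true

  /lodash@4.17.21:
    resolution: {integrity: sha512-PLACEHOLDER}
    dev: false

  /typescript@5.0.4:
    resolution: {integrity: sha512-PLACEHOLDER}
    dev: true
"""

_VERSION_RE = re.compile(r"^lockfileVersion:\s*'?([\d.]+)'?\s*$", re.M)
_PKG_KEY_RE = re.compile(r"^  (/\S+):\s*$")        # two-space indented key under packages:
_DEV_RE = re.compile(r"^    dev:\s*(true|false)\s*$")  # four-space indented dev flag


def lockfile_version(text: str) -> float:
    """Return the numeric lockfileVersion (v5 writes 5.4 unquoted, v6 writes '6.0' quoted)."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("lockfileVersion not found")
    return float(match.group(1))


def split_package_key(key: str, version: float) -> Tuple[str, str, Optional[str]]:
    """Split a packages: key into (name, version, peer_suffix) for v5 or v6 layouts."""
    body = key[1:] if key.startswith("/") else key
    peers: Optional[str] = None
    if version >= 6:
        # v6: /name@version(peerA@1.0.0)(peerB@2.0.0); scoped names also contain '@'
        if body.endswith(")"):
            idx = body.index("(")
            body, peers = body[:idx], body[idx:]
        name, _, pkg_version = body.rpartition("@")
        return name, pkg_version, peers
    # v5: /name/version_peerA@1.0.0; split on the last '/' so scoped names survive
    name, _, pkg_version = body.rpartition("/")
    if "_" in pkg_version:
        pkg_version, _, peers = pkg_version.partition("_")
    return name, pkg_version, peers


def classify(text: str) -> Dict[str, Tuple[str, bool]]:
    """Map package name -> (version, is_dev) using the dev flag of each packages: entry."""
    version = lockfile_version(text)
    result: Dict[str, Tuple[str, bool]] = {}
    current: Optional[str] = None
    in_packages = False
    for line in text.splitlines():
        if line.startswith("packages:"):
            in_packages = True
            continue
        if not in_packages:
            continue
        key_match = _PKG_KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            name, pkg_version, _ = split_package_key(current, version)
            result[name] = (pkg_version, False)  # missing dev flag means production
            continue
        dev_match = _DEV_RE.match(line)
        if dev_match and current is not None:
            name, pkg_version, _ = split_package_key(current, version)
            result[name] = (pkg_version, dev_match.group(1) == "true")
    return result


if __name__ == "__main__":
    for name, (ver, is_dev) in classify(LOCKFILE_V6).items():
        print(f"{name}@{ver}  dev={is_dev}")
```

Running the block prints `@types/node@18.0.0 dev=True`, `lodash@4.17.21 dev=False` and `typescript@5.0.4 dev=True`. The failure mode the issue describes follows directly from `split_package_key`: applying the v5 rule to a v6 key such as `/lodash@4.17.21` yields no `/` to split on, so the name comes back empty and the dev flag is attached to nothing, which is why a v5-only detector misreports development dependencies.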

Hey, the lockfile v6 format is available now.

https://github.com/pnpm/spec/blob/master/lockfile/6.0.md

wterpstra avatar Nov 06 '23 09:11 wterpstra

Just came to upvote this. Would be happy to contribute, if someone would be open to some onboarding support...

dwelch2344 avatar Nov 21 '23 22:11 dwelch2344

Just came to upvote this too. It would be great to have support for the latest lockfile formats.

vhuseinova-msft avatar Jan 19 '24 16:01 vhuseinova-msft

I looked at the relevant code and it doesn't seem too hard. I'm going to make an attempt at fixing this during the hackathon next week.

CraigMacomber avatar Mar 05 '24 23:03 CraigMacomber

Pnpm 9 (currently in alpha) moves to lock file format v7: that's going to be an issue soon even if v6 support is added.

CraigMacomber avatar Mar 07 '24 21:03 CraigMacomber

My work in progress for this lives in the branch https://github.com/CraigMacomber/component-detection/tree/pnpmv6

I have it working as far as I can tell. It manages to parse the included test lock file with v6 as well as a much larger test using the lock file from FluidFramework (which actually uses the shared shrinkwrap mode, file references, peer deps etc).

I still need to add unit tests for v6, but otherwise I think it's almost ready for review. I hope to have a PR up for review tomorrow.

CraigMacomber avatar Mar 12 '24 00:03 CraigMacomber

https://github.com/microsoft/component-detection/pull/1028 fixes this and is currently awaiting review.

CraigMacomber avatar Mar 25 '24 22:03 CraigMacomber

@CraigMacomber Pinged the team to see if we can get some traction on the PR review. Otherwise I'll plan to take a look next week.

annaowens avatar Mar 26 '24 15:03 annaowens

> @CraigMacomber Pinged the team to see if we can get some traction on the PR review. Otherwise I'll plan to take a look next week.

"Next week" happened. Any update?

CraigMacomber avatar Apr 09 '24 16:04 CraigMacomber

@annaowens The PR addressing this issue has been waiting for review or a response from maintainers for over a month.

Pnpm currently only provides security patches for the last two major versions. Given that pnpm 9 has been publishing release candidates for a while, I'm concerned it might come out soon, and they might drop support for pnpm 7 soon after. Since component-detection users are blocked from updating to pnpm 8 by this issue, that could force users of pnpm to choose between an unsupported package manager version, breaking component-detection, and porting to a different package manager. This seems like it could be a bad situation, and we should try to make progress on this to avoid it.

CraigMacomber avatar Apr 16 '24 02:04 CraigMacomber

My above noted fear has happened: according to https://github.com/pnpm/pnpm/security all versions of pnpm supported by component-detection are no longer getting security patches.

CraigMacomber avatar Apr 22 '24 18:04 CraigMacomber

I was able to get in contact with the maintainers via their listed contact email. They have been very busy with other things, but they are aware of this issue and will be prioritizing it when they can.

CraigMacomber avatar Apr 26 '24 21:04 CraigMacomber

#1110 should resolve this here soon, apologies for the delay in this.

cobya avatar May 15 '24 17:05 cobya