cli
[🐛] Yarn Berry (v3) yarn.lock v2 parsing error
node: v16 LTS, yarn: 3.1.1, Snyk Gitlab Integration

Issue: Migration from Yarn Classic (v1) to Yarn Berry (v3.1.1) with nodeLinker node-modules does not work because Snyk has problems parsing yarn.lock v2. Security and license checks for the project fail. External Snyk Gitlab steps (license/snyk and security/snyk) are canceled. Snyk Web View shows the error reason: "Failed to process package.json and yarn.lock"

Expected behavior: Security and license checks do not fail because yarn.lock v2 can be parsed correctly.

Actual behavior: yarn.lock cannot be parsed because Snyk expects Yarn 1 (Classic) content instead of YAML content for Yarn Berry yarn.lock files.

Steps to reproduce: Push yarn.lock v2 to Gitlab in order to get the Snyk Gitlab integration triggered.
Hey @doppelmutzi, by chance did you check vulert.com? It works the same way except you don't need to install anything, so no more of these kinds of errors.
No, Snyk is the tool for security in this project. But it is unsatisfactory that there is not even an answer if and when this problem will be solved. Yarn Berry has been on the market for 3 years now. That's where support wouldn't be too much to ask for.
Also, it works with the Snyk CLI, why is there no solution for Snyk Gitlab?
I believe that's because they do not support Yarn3, only Yarn1 and Yarn2.
I do not think there was a lot of difference https://docs.snyk.io/products/snyk-open-source/language-and-package-manager-support/snyk-for-javascript#yarn
That is sad. In addition, it does not make any sense because Yarn 2 is Yarn Berry and Yarn 3 is just the current major release. I would expect that the major JS package managers are supported: npm, pnpm, Yarn Classic (<v2) and Yarn Berry (>=v2).
The situation is strange because people say it would work with Snyk CLI.
Still an issue today, also in the case of the GitHub integration.
Someone needs to update the title to avoid confusing people as there is nothing specific to gitlab.
Sadly that is also the day I remove snyk from one of our repos which is using yarn v2 (berry).
@ssbarnea I've updated the title to reflect that Snyk does not work with Yarn Berry at all.
I've also been blocked by this.
There was a question about when yarn v3 will be supported, on the yarn v2 issue, but it hasn't received any replies yet: https://github.com/snyk/cli/issues/1518#issuecomment-906221282
Looks like this might've been the PR that had added yarn v2 support: https://github.com/snyk/nodejs-lockfile-parser/pull/57
It does seem strange that the CLI apparently supports yarn v3, but the Github / Gitlab integrations do not. I didn't think there were significant changes to the lockfile structure, and the yarn v3 changelog doesn't even seem to mention it as a breaking change: https://github.com/yarnpkg/berry/blob/master/CHANGELOG.md#300
I've tried opening multiple support tickets with Snyk, and have been told Yarn 3 is not on the roadmap for this year (2022).
It's unfortunate that the latest version of one of the major package managers isn't supported yet, especially since yarn v3 is already almost 1 year old.
> Migration from Yarn Classic (v1) to Yarn Berry (v3.1.1) with nodeLinker node-modules does not work because Snyk has problems parsing yarn.lock v2.
@doppelmutzi without nodeLinker (using PnP) works?
Hi @christian-hawk, nothing worked for me. But I do not care anymore, because the team decided to go with another package manager. And I'm no longer in the project that is using Snyk.
Facing the same issue here. Unfortunately we're dependent on nodeLinker: node-modules in our React Native project so disabling it is not an option. Not sure if that was expected to work anyway? @christian-hawk
Same here: https://github.com/snyk/cli/issues/1518#issuecomment-974822508
Yarn 2+ (Berry) is widely supported by dependency tools, including Dependabot (https://github.com/dependabot/dependabot-core/issues/1297) and Renovate (https://github.com/renovatebot/renovate/issues/5230).
I had to disable Snyk for projects updated to Yarn Berry. Examples:
- kachkaev/njt 🐸 (using PnP)
- gicentre/prettier-plugin-elm (using node_modules)
It'd be great to re-enable Snyk before I forget about its existence 😅
We're facing a similar issue where the CLI is killed with an out of memory error (https://github.com/backstage/backstage/issues/14131). Reached out to Snyk support and this is apparently due to it not being supported. Would be great to get security scanning back in business 🙏