Errors reading a yarn.lock file

[waynebeaton]

It appears that the yarn.lock file format has evolved somewhat since we created our implementation. AFAICT, our implementation takes care of versions 1 and 2, there is at least a version 8 now (which is YAML).

IMHO, it's not in our best interests to try and keep current with these file formats.

Rather, we should depend on the package managers themselves to give us a list of dependencies, manipulate that list into a form that we can manage, and send that to the tool.

e.g.,

$ yarn info -R --name-only | grep -P "(\S+)@npm:(\S+)" | sed -E -e 's|..\s(\S+)@npm:(\S+)|\1@\2|g' | java -jar org.eclipse.dash.licenses-<version>.jar -

That is:

1. Use the yarn info command to get a list of dependencies
2. Filter the ones that match the pattern
3. Coerce what's left into a format that the Eclipse Dash License Tool can handle.

We need to mark the yarn.lock functionality as deprecated.

FYI @mtdelgadoa

[waynebeaton]

FYI @gomes89

[gomes89]

@waynebeaton thanks for the heads up. In principle I agree with your view, but for tools such as the IP Analysis, it can get tricky because original developers don't typically run them. Instead, they're often run on a variety of repositories simultaneously, which means one of two things:

• Having several package managers installed in the environment
• Additional development work on the tool's side

I'll give it some thought and work out a solution that doesn't create constraints for deprecating this functionality. This might be another good reason for people to run it through Docker.

[adharsh0713]

I agree that continuously adapting to evolving lockfile formats (without stable specifications) is likely unsustainable.

Moving toward an SBOM-first approach (e.g., CycloneDX/SPDX), where ecosystem-specific parsing is handled externally and Dash consumes a standardized dependency representation, seems like it would reduce long-term maintenance burden and improve extensibility.

Is SBOM input considered the intended long-term direction for dependency ingestion?

If so, I’d be interested in exploring incremental steps in that direction.

[waynebeaton]

Our goal is to provide as much flexibility as possible for committers who leverage this tool. So we will continue to support the use of a variety of dependency managers (Yarn, NPM, Cargo, Maven, etc.).

Supporting SBOMs as input is something that we need to add. See #191

[adharsh0713]

Thank you
I’ll take a look at #191 to better understand the current discussion around SBOM input and how it might fit into the existing architecture.