Generating package-lock or yarn.lock

[vasuneet]

Hi ,

We migrated to pnpm from yarn package manager. At the last moment we stuck with SCA Agent scanning which supports only yarn.lock /package-lock and not pnpm-lock.yaml file.

We liked pnpm and dont want to revert back to yarn. So just need to maintain the yarn.lock file to make our SCA scanning functionality.

Do we have any way to do that. I know we can generate package-lock from installed node modules but here is my doubt
does npm install -package-lock-only will work on node modules folder which is generated by pnpm ?

Or you can suggest any better way to do that.

[zkochan]

I don't know about ways to generate npm or yarn lockfile from pnpm lockfile. You need either support for pnpm's lockfile or switch back to yarn.

[zkochan]

Although generating a yarn lockfile might be possible to implement.

[vasuneet]

i actuallly need to generate yarn.lock file from pnpm-lock. if that can be done that would be awesome and in that way i will not be blocked to be with pnpm.

[fasterinnerlooper]

You can use npm install --package-lock-only to generate a package-lock.json file, and that should be picked up by any scanning agent.

[vasuneet]

I agree but that is not working if we have node modules generated from pnpm in place. Also in that way generating a new lock file is not recommended way to scan. If we have different dependencies hierarchy and scanning vulnerabilities with other lock file which might not in sync with original pnpm one which we are actually using does not seem right.

[fasterinnerlooper]

You're asking about the dependency graph differences between the two package managers. I think whatever packages are installed during dependency management with either pnpm or npm would have to be the same or at least very similar. We're running into a similar issue with Snyk and the route we're taking is to generate a package-lock.json file so that Snyk can complete its scan.
The alternative is to see if the scanning tool you're using has a way of generating a dependency graph arbitrarily which can be fed directly into the scanning tool via an API. Again, this is something we tried with Snyk but it's all not ready for production, so this is why we're falling back to the method mentioned above.

Hope that helps.

[vasuneet]

but npm install --package-lock-only will not work when we have node_modules generated from pnpm.

npm ERR! Cannot read properties of null (reading 'matches')

npm ERR! A complete log of this run can be found in:
npm ERR! /Users/va030e/.npm/_logs/2023-01-13T15_18_43_199Z-debug-0.log

and in logs i am seeing this issue :

7753 timing idealTree Completed in 1991768ms
7754 timing command:install Completed in 1991786ms
7755 verbose stack TypeError: Cannot read properties of null (reading 'matches')
7755 verbose stack at Link.matches (/Users/va030e/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/node.js:1107:41)
7755 verbose stack at Link.canDedupe (/Users/va030e/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/node.js:1061:15)
7755 verbose stack at PlaceDep.pruneDedupable (/Users/va030e/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/place-dep.js:468:14)
7755 verbose stack at PlaceDep.placeInTree (/Users/va030e/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/place-dep.js:329:14)
7755 verbose stack at PlaceDep.place (/Users/va030e/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/place-dep.js:216:10)
7755 verbose stack at new PlaceDep (/Users/va030e/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/place-dep.js:73:10)
7755 verbose stack at PlaceDep.placeInTree (/Users/va030e/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/place-dep.js:365:26)
7755 verbose stack at PlaceDep.place (/Users/va030e/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/place-dep.js:216:10)
7755 verbose stack at new PlaceDep (/Users/va030e/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/place-dep.js:73:10)
7755 verbose stack at /Users/va030e/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:990:31
7755 verbose stack at Array.map ()
7755 verbose stack at Arborist.[buildDepStep] (/Users/va030e/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:990:8)

[fasterinnerlooper]

So you're actually facing the same issue we're facing, in that if you run any command via npx during the installation process, npm throws errors during install. We're going to get around this issue by generating the npm lock file first, and then running the pnpm installation process as normal.

[vasuneet]

hmm okay. but kind of having different graph might create a security issues

[fasterinnerlooper]

Yes, I agree. The error is on the npm side so I think it's up to the npm guys to fix it, and geneating a package-lock file has been talked about a lot in this repo already and it doesn't sound like it's something that they're going to implement, so our options are limited here.
Good luck with whatever you decide.

[vasuneet]

Thanks. I am hoping confirmation from zkochan](https://github.com/zkochan if they can provide feature to genearte yarn.lock from pnpm-lock as he agreed on feasibility to do that.

[vasuneet]

@zkochan , if you can provide the mapping fields of pnpm to yarn . I can write script to generate yarn.lock. Here I am not seeing resolved field information we need in yarn.lock file

[vasuneet]

dont know how much working it might be but worth to do try

https://github.com/cvent/pnpm-lock-export

[fasterinnerlooper]

I know it's not ideal but we were able to get a package-lock.json file generated using the following command:
npm install --package-lock-only --ignore-scripts
You'll be able to run this at any time and not get the crashing errors, but it does still mean that you're using two different dependency resolution algorithms, so your point about different packages still holds true even with this approach.