add support to pnpm-lock.yaml file

[lapa182]

This pull request adds support to the pnpm-lock.yaml files.

I've updated the tests to also support this change, please let me know if there's anything further to apply this change to chromatic-cli!

Relates to issue #785

[tevanoff]

Thanks for the PR @lapa182! We'll take a look at this ASAP.

[Obi-Dann]

I am trying these changes in our setup. I don't think it will work because snyk-nodejs-lockfile-parser does not support pnpm. It will likely report an error from

chromatic-cli/node-src/lib/getDependencies.ts

Line 28 in 602d90c

const headTree = await buildDepTreeFromFiles(rootPath, manifestPath, lockfilePath, includeDev);

Unknown lockfile pnpm-lock.yaml. Please provide either package-lock.json or yarn.lock.

snyk/nodejs-lockfile-parser#111

[lapa182]

@Obi-Dann do you think you could create a specific condition just for PNPM and use https://www.npmjs.com/package/@pnpm/lockfile-file to parse the lock file just for pnpm? 🤔

[tevanoff]

Thanks @Obi-Dann! You're right, this won't change the current behavior since it won't be able to parse the pnpm lock file. It will fall back to looking at package.json which is what happens currently when it can't find the lock file at all.

@lapa182 that pnpm library looks promising, but we haven't yet dug into it enough to know if it will give us what we need. We have a ticket on our end to take a closer look, but I can't say for sure when that will be prioritized. I'll see if I can get some traction on that. Thanks!

[kevinlandsberg]

Having the same issue...please fix this! ❤️

[milahu]

const headTree = await buildDepTreeFromFiles(rootPath, manifestPath, lockfilePath, includeDev);

related: my parse-package-lock is a generic lockfile parser for npm, yarn, pnpm
to provide a generic interface to @npmcli/arborist, @yarnpkg/parsers, @pnpm/lockfile-file

but it does not return a tree of dependencies
its a stream parser that calls

eventHandlers.enterPackage(packageData);
// recurse into dependencies of this package
eventHandlers.leavePackage(packageData);

i started this 2 years ago because i was not happy with snyk-nodejs-lockfile-parser
also because it does not return the resolved and integrity values of the locked packages

downsides: not used, not tested, abandoned project
i just found this again via my pnpm-install-only
which is a generic package installer for npm, yarn, (not yet pnpm)
using the filesystem layout of pnpm to create a deep tree

edit: https://github.com/antongolub/lockfile is more mature, but has no pnpm support

[jwir3]

This is out of sync with the main branch, and hasn't been updated in almost a year. Please re-open after rebasing if you still want to merge this.