
Add yarn as option for package.json dependency manager detection

What does this MR do?

This MR adds yarn as an option for the package.json dependency manager detection. Currently, when viewing a package.json, this message is always shown to the user, even if the repository uses yarn as its dependency manager (as gitlab-org/gitlab does). That is confusing when the project actually uses yarn to manage its node dependencies but GitLab states that the project uses npm.

This project manages its dependencies using npm. Learn more


Because there is no characteristic difference between yarn package.jsons and npm package.jsons, the dependency manager detection change in this MR checks whether the `engines` property has a `yarn` entry:

// Example package.json
{
  "name": "module-name",
  "version": "10.3.1",
  "engines": {
    "yarn": "^2.4.0"
  }
}
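The heuristic above, written out as a small added example (this is not GitLab's own detection code; the function name `detect_package_manager`, the symbols `:yarn`/`:npm` and the sample manifests are all constructed for illustration). It parses a package.json string and reports yarn only when the `engines` object carries a `yarn` key, falling back to npm otherwise; malformed JSON or a manifest that is not an object is treated as unknown rather than raising, which is the behaviour a blob-viewer helper would want.

```ruby
require 'json'

# Added example, not GitLab's code: pick the dependency manager for a
# package.json following the MR's rule. A "yarn" key under "engines"
# means yarn; anything else is reported as npm. Unparseable input or a
# manifest whose top level is not an object yields nil (unknown).
def detect_package_manager(package_json_content)
  manifest = JSON.parse(package_json_content)
  return nil unless manifest.is_a?(Hash)

  engines = manifest['engines']
  return :yarn if engines.is_a?(Hash) && engines.key?('yarn')

  :npm
rescue JSON::ParserError
  nil
end

# Constructed sample manifests (not from any real project).
YARN_MANIFEST = <<~PKG
  {
    "name": "module-name",
    "version": "10.3.1",
    "engines": { "yarn": "^2.4.0" }
  }
PKG

NPM_MANIFEST = <<~PKG
  {
    "name": "module-name",
    "version": "10.3.1",
    "engines": { "node": ">=14" }
  }
PKG

# Odd but valid shapes the detector should not trip over.
ENGINES_NOT_OBJECT = '{ "name": "x", "engines": "yarn" }'
TOP_LEVEL_ARRAY    = '[ { "engines": { "yarn": "1" } } ]'

if $PROGRAM_NAME == __FILE__
  { 'yarn manifest' => YARN_MANIFEST,
    'npm manifest' => NPM_MANIFEST,
    'engines is a string' => ENGINES_NOT_OBJECT,
    'top-level array' => TOP_LEVEL_ARRAY,
    'broken json' => '{ not json' }.each do |label, content|
    puts "#{label}: #{detect_package_manager(content).inspect}"
  end
end
```

Only the `engines` object is consulted; a `packageManager` field or lock files are not considered, matching the scope of the change in this MR.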

The change should not introduce any false positives, because projects that have a yarn engine version configured are unlikely to use npm or another package manager in parallel: yarn itself discourages it (see the source of yarn):

warning package-lock.json found. Your project contains lock files generated by tools other than Yarn. It is advised not to mix package managers in order to avoid resolution inconsistencies caused by unsynchronized lock files. To clear this warning, remove package-lock.json.

Screenshots (strongly suggested)


Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team
Edited by Kev
