
Allow Yarn v4 audit resolution #766

Open
omribz156 wants to merge 1 commit into jfrog:dev from omribz156:codex/yarn-v4-audit

Conversation

@omribz156

Contributor

Summary

  • Allow Yarn v4 projects through the Artifactory-resolution path used by jfrog aud --yarn.
  • Keep the existing Yarn v1 rejection.
  • Add focused version-support coverage for Yarn v1, v2, v3, and v4.

Fixes jfrog/jfrog-cli#3512.

Verification

  • go test ./sca/bom/buildinfo/technologies/yarn -run TestArtifactoryResolutionSupportedYarnVersions -count=1
  • go test ./sca/bom/buildinfo/technologies/yarn -run '^$' -count=1
  • rg -n "Yarn V4|Yarn v4|currently not supported for Yarn V1" sca\bom\buildinfo\technologies\yarn
  • git diff --check

Implemented with Codex assistance; I kept the patch focused and manually reviewed the final diff.

@attiasas attiasas self-requested a review June 8, 2026 06:55
@attiasas attiasas changed the base branch from main to dev June 8, 2026 06:55

@attiasas attiasas left a comment

Collaborator


Did you validate that the build dependency tree is successful running and generating data on a project with Yarn v4 without errors?

Please add integration tests in audit_test.go to validate this.

@omribz156

Contributor Author

Thanks, added this in 0df9960.

Changes:

  • added a yarn-v4 fixture with Yarn 4.5.3
  • added TestXrayAuditYarn/Yarn v4 in audit_test.go
  • added a lower-level Yarn v4 BuildDependencyTree assertion so the tree-generation path is exercised locally too

Verification:

  • yarn --version in the fixture -> 4.5.3
  • yarn install --immutable in the fixture
  • go test ./sca/bom/buildinfo/technologies/yarn -run 'TestArtifactoryResolutionSupportedYarnVersions|TestSkipBuildDepTreeWhenInstallForbidden' -count=1
  • git diff --check

I also tried go test . -run 'TestXrayAuditYarn/Yarn_v4' -count=1, but this local machine does not have the repo's integration Artifactory/Xray stack running (localhost:8083 refused connection), so the full audit subtest is left for the normal integration environment.

@omribz156

Contributor Author

Quick update after rebasing onto current dev: the follow-up is now 70420e1.

While rebasing I kept the new upstream behavior that rejects Yarn v4 for jf curation-audit Artifactory resolution; current dev now documents that jf audit / jf scan still support Yarn v4, while curation is limited to Yarn v2/v3.

The PR diff is now focused on the requested coverage:

  • TestXrayAuditYarn/Yarn v4 in audit_test.go
  • Yarn 4.5.3 fixture
  • lower-level Yarn v4 BuildDependencyTree assertion

Re-verified:

  • yarn --version in the fixture -> 4.5.3
  • yarn install --immutable in the fixture
  • go test ./sca/bom/buildinfo/technologies/yarn -run 'TestSkipBuildDepTreeWhenInstallForbidden' -count=1
  • git diff --check origin/dev...HEAD



Development

Successfully merging this pull request may close these issues.

jfrog aud --yarn fails on Yarn v4 despite v2.104.1 adding Yarn v4 support

2 participants