Progress towards better Yarn coverage

Signed-off-by: Quinn Turner <quinnturnertech@gmail.com>

lib/audit.ts

@@ -2,9 +2,9 @@ import { yellow } from "./colors.js";
 import { ReportConfig } from "./common.js";
 import type { AuditCiFullConfig } from "./config.js";
 import type { Summary } from "./model.js";
-import * as npmAuditer from "./npm-auditer.js";
-import * as pnpmAuditer from "./pnpm-auditer.js";
-import * as yarnAuditer from "./yarn-auditer.js";
+import * as npmAuditor from "./npm-auditor";
+import * as pnpmAuditor from "./pnpm-auditor";
+import * as yarnAuditor from "./yarn-auditor";
 
 const PARTIAL_RETRY_ERROR_MSG = {
   // The three ENOAUDIT error messages for NPM are:
@@ -19,17 +19,17 @@ const PARTIAL_RETRY_ERROR_MSG = {
 } as const;
 
 function getAuditor(
-  packageManager: "npm" | "yarn" | "pnpm",
-): typeof yarnAuditer | typeof npmAuditer | typeof pnpmAuditer {
+  packageManager: "npm" | "yarn" | "pnpm"
+): typeof yarnAuditor | typeof npmAuditor | typeof pnpmAuditor {
   switch (packageManager) {
     case "yarn": {
-      return yarnAuditer;
+      return yarnAuditor;
     }
     case "npm": {
-      return npmAuditer;
+      return npmAuditor;
     }
     case "pnpm": {
-      return pnpmAuditer;
+      return pnpmAuditor;
     }
     default: {
       throw new Error(`Invalid package manager: ${packageManager}`);

lib/index.ts

@@ -12,6 +12,6 @@ export {
   type VulnerabilityLevels,
 } from "./map-vulnerability.js";
 export type { Summary } from "./model.js";
-export { audit as npmAudit } from "./npm-auditer.js";
-export { audit as pnpmAudit } from "./pnpm-auditer.js";
-export { audit as yarnAudit } from "./yarn-auditer.js";
+export { audit as npmAudit } from "./npm-auditor.js";
+export { audit as pnpmAudit } from "./pnpm-auditor.js";
+export { audit as yarnAudit } from "./yarn-auditor.js";

lib/yarn-auditer.ts → lib/yarn-auditor.ts

@@ -1,6 +1,4 @@
 import type { YarnAudit, YarnBerryAuditReport } from "audit-types";
-import { execSync } from "child_process";
-import * as semver from "semver";
 import { blue, red, yellow } from "./colors.js";
 import { reportAudit, runProgram } from "./common.js";
 import {
@@ -9,38 +7,14 @@ import {
   type AuditCiFullConfig,
 } from "./config.js";
 import Model, { type Summary } from "./model.js";
-
-const MINIMUM_YARN_CLASSIC_VERSION = "1.12.3";
-const MINIMUM_YARN_BERRY_VERSION = "2.4.0";
-/**
- * Change this to the appropriate version when
- * yarn audit --registry is supported:
- * @see https://github.com/yarnpkg/yarn/issues/7012
- */
-const MINIMUM_YARN_AUDIT_REGISTRY_VERSION = "99.99.99";
-
-function getYarnVersion(cwd?: string) {
-  const version = execSync("yarn -v", { cwd }).toString().replace("\n", "");
-  return version;
-}
-
-function yarnSupportsClassicAudit(yarnVersion: string | semver.SemVer) {
-  return semver.satisfies(yarnVersion, `^${MINIMUM_YARN_CLASSIC_VERSION}`);
-}
-
-function yarnSupportsBerryAudit(yarnVersion: string | semver.SemVer) {
-  return semver.gte(yarnVersion, MINIMUM_YARN_BERRY_VERSION);
-}
-
-function yarnSupportsAudit(yarnVersion: string | semver.SemVer) {
-  return (
-    yarnSupportsClassicAudit(yarnVersion) || yarnSupportsBerryAudit(yarnVersion)
-  );
-}
-
-function yarnAuditSupportsRegistry(yarnVersion: string | semver.SemVer) {
-  return semver.gte(yarnVersion, MINIMUM_YARN_AUDIT_REGISTRY_VERSION);
-}
+import {
+  MINIMUM_YARN_BERRY_VERSION,
+  MINIMUM_YARN_CLASSIC_VERSION,
+  getYarnVersion,
+  yarnAuditSupportsRegistry,
+  yarnSupportsAudit,
+  yarnSupportsClassicAudit,
+} from "./yarn-version.js";
 
 const printJson = (data: unknown) => {
   console.log(JSON.stringify(data, undefined, 2));
@@ -83,7 +57,7 @@ export async function auditWithFullConfig(
   let missingLockFile = false;
   const model = new Model(config);
 
-  const yarnVersion = getYarnVersion(directory);
+  const yarnVersion = getYarnVersion(yarnExec, directory);
   const isYarnVersionSupported = yarnSupportsAudit(yarnVersion);
   if (!isYarnVersionSupported) {
     throw new Error(

lib/yarn-version.ts

@@ -0,0 +1,39 @@
+import { execSync } from "child_process";
+import semver from "semver";
+
+export const MINIMUM_YARN_CLASSIC_VERSION = "1.12.3";
+export const MINIMUM_YARN_BERRY_VERSION = "2.4.0";
+/**
+ * Change this to the appropriate version when
+ * yarn audit --registry is supported:
+ * @see https://github.com/yarnpkg/yarn/issues/7012
+ */
+const MINIMUM_YARN_AUDIT_REGISTRY_VERSION = "99.99.99";
+
+export function yarnSupportsClassicAudit(yarnVersion: string | semver.SemVer) {
+  return semver.satisfies(yarnVersion, `^${MINIMUM_YARN_CLASSIC_VERSION}`);
+}
+
+export function yarnSupportsBerryAudit(yarnVersion: string | semver.SemVer) {
+  return semver.gte(yarnVersion, MINIMUM_YARN_BERRY_VERSION);
+}
+
+export function yarnSupportsAudit(yarnVersion: string | semver.SemVer) {
+  return (
+    yarnSupportsClassicAudit(yarnVersion) || yarnSupportsBerryAudit(yarnVersion)
+  );
+}
+
+export function yarnAuditSupportsRegistry(yarnVersion: string | semver.SemVer) {
+  return semver.gte(yarnVersion, MINIMUM_YARN_AUDIT_REGISTRY_VERSION);
+}
+
+const versionMap = new Map<string, string>();
+export function getYarnVersion(yarnExec = "yarn", cwd?: string) {
+  const key = `${yarnExec}:${cwd}`;
+  let version = versionMap.get(key);
+  if (version) return version;
+  version = execSync(`${yarnExec} -v`, { cwd }).toString().replace("\n", "");
+  versionMap.set(key, version);
+  return version;
+}

test/npm-auditer.spec.ts → test/npm-auditor.spec.ts

@@ -1,7 +1,7 @@
 import { NPMAuditReportV1 } from "audit-types";
 import { describe, expect, it } from "vitest";
 import Allowlist from "../lib/allowlist.js";
-import { auditWithFullConfig, report } from "../lib/npm-auditer.js";
+import { auditWithFullConfig, report } from "../lib/npm-auditor.js";
 import {
   config as baseConfig,
   summaryWithDefault,
@@ -36,7 +36,7 @@ function config(
 
 // To modify what slow times are, need to use
 // function() {} instead of () => {}
-describe("npm-auditer", () => {
+describe("npm-auditor", () => {
   it("prints full report with critical severity", () => {
     const summary = report(
       reportNpmCritical,

test/npm7-auditer.spec.ts → test/npm7-auditor.spec.ts

@@ -2,7 +2,7 @@ import { NPMAuditReportV2 } from "audit-types";
 import semver from "semver";
 import { describe, expect, it } from "vitest";
 import Allowlist from "../lib/allowlist.js";
-import { auditWithFullConfig, report } from "../lib/npm-auditer.js";
+import { auditWithFullConfig, report } from "../lib/npm-auditor.js";
 import {
   config as baseConfig,
   summaryWithDefault,
@@ -38,7 +38,7 @@ function config(
   return baseConfig({ ...additions, "package-manager": "npm" });
 }
 
-describe("npm7-auditer", () => {
+describe("npm7-auditor", () => {
   it("prints full report with critical severity", () => {
     const summary = report(
       reportNpmCritical,

test/pnpm-auditer.spec.ts → test/pnpm-auditor.spec.ts

@@ -1,6 +1,6 @@
 import { describe, expect, it } from "vitest";
 import Allowlist from "../lib/allowlist.js";
-import { report } from "../lib/pnpm-auditer.js";
+import { report } from "../lib/pnpm-auditor.js";
 import {
   config as baseConfig,
   summaryWithDefault,
@@ -23,7 +23,7 @@ function config(
 
 // To modify what slow times are, need to use
 // function() {} instead of () => {}
-describe("pnpm-auditer", () => {
+describe("pnpm-auditor", () => {
   it("prints full report with critical severity", () => {
     const summary = report(
       reportPnpmCritical,

test/yarn-1-auditor.spec.ts

@@ -0,0 +1,12 @@
+import path from "path";
+import { SemVer } from "semver";
+import { performAuditTests } from "./yarn-auditor";
+
+const version = "1.22.19";
+
+const yarnAbsolutePath = path.resolve(__dirname, `./yarn-${version}.cjs`);
+
+performAuditTests({
+  yarnAbsolutePath,
+  yarnVersion: new SemVer(version),
+});

test/yarn-1-config-file/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-critical/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-critical/package.json → test/yarn-1-critical/package.json

@@ -1,5 +1,5 @@
 {
-  "name": "audit-ci-yarn-critical-vulnerability",
+  "name": "audit-ci-yarn-1-critical-vulnerability",
   "description": "Test package.json with critical vulnerability",
   "dependencies": {
     "open": "0.0.5"

test/yarn-1-duplicate-paths/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-high/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-low/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-moderate/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-none/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-skip-dev/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-workspace-empty/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-workspace/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-2-auditor.spec.ts

@@ -0,0 +1,12 @@
+import path from "path";
+import { SemVer } from "semver";
+import { performAuditTests } from "./yarn-auditor";
+
+const version = "2.4.0";
+
+const yarnAbsolutePath = path.resolve(__dirname, `./yarn-${version}.cjs`);
+
+performAuditTests({
+  yarnAbsolutePath,
+  yarnVersion: new SemVer(version),
+});

test/yarn-2-critical/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-2.4.0.cjs"

test/yarn-2-critical/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "audit-ci-yarn-2-critical-vulnerability",
+  "description": "Test package.json with critical vulnerability",
+  "dependencies": {
+    "open": "0.0.5"
+  }
+}

test/yarn-2-critical/yarn.lock

@@ -0,0 +1,21 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 4
+  cacheKey: 7
+
+"audit-ci-yarn-2-critical-vulnerability@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "audit-ci-yarn-2-critical-vulnerability@workspace:."
+  dependencies:
+    open: 0.0.5
+  languageName: unknown
+  linkType: soft
+
+"open@npm:0.0.5":
+  version: 0.0.5
+  resolution: "open@npm:0.0.5"
+  checksum: 5c974432a245cad8ecf3c10529fc1bce29118ee73cb71dd89bbe1dc89b453b944edd4a5e42aa56915a27d5419c7b29bfb4782f1fc336a863452d8051ec3e00af
+  languageName: node
+  linkType: hard

test/yarn-2-high/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-2.4.0.cjs"

test/yarn-2-high/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "audit-ci-yarn-2-high-vulnerability",
+  "description": "Test package.json with high vulnerability",
+  "dependencies": {
+    "cryo": "0.0.6"
+  }
+}

test/yarn-2-high/yarn.lock

@@ -0,0 +1,21 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 4
+  cacheKey: 7
+
+"audit-ci-yarn-2-high-vulnerability@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "audit-ci-yarn-2-high-vulnerability@workspace:."
+  dependencies:
+    cryo: 0.0.6
+  languageName: unknown
+  linkType: soft
+
+"cryo@npm:0.0.6":
+  version: 0.0.6
+  resolution: "cryo@npm:0.0.6"
+  checksum: d4faaa6bcbc68c60d940aa546d292fe37aec3ec55760113e9da662a265ccd84173b269419e1a6bb789349732432a45f414ddcee379a03b2d63a9c0a584fb68a4
+  languageName: node
+  linkType: hard

test/yarn-3-auditor.spec.ts

@@ -0,0 +1,12 @@
+import path from "path";
+import { SemVer } from "semver";
+import { performAuditTests } from "./yarn-auditor";
+
+const version = "3.3.1";
+
+const yarnAbsolutePath = path.resolve(__dirname, `./yarn-${version}.cjs`);
+
+performAuditTests({
+  yarnAbsolutePath,
+  yarnVersion: new SemVer(version),
+});

test/yarn-3-critical/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-3.3.1.cjs"

test/yarn-3-critical/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "audit-ci-yarn-3-critical-vulnerability",
+  "description": "Test package.json with critical vulnerability",
+  "dependencies": {
+    "open": "0.0.5"
+  }
+}

test/yarn-3-critical/yarn.lock

@@ -0,0 +1,21 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 6
+  cacheKey: 8
+
+"audit-ci-yarn-3-critical-vulnerability@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "audit-ci-yarn-3-critical-vulnerability@workspace:."
+  dependencies:
+    open: 0.0.5
+  languageName: unknown
+  linkType: soft
+
+"open@npm:0.0.5":
+  version: 0.0.5
+  resolution: "open@npm:0.0.5"
+  checksum: 2a1a5a0accea9a361a8ba8cf298f7d330f5197a98a0752105084c4a3442a3a174700f661d2f8d5b62eaefe52d192f89492774be32da4541b080eba1c8196951e
+  languageName: node
+  linkType: hard

test/yarn-3-high/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-3.3.1.cjs"

test/yarn-3-high/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "audit-ci-yarn-3-high-vulnerability",
+  "description": "Test package.json with high vulnerability",
+  "dependencies": {
+    "cryo": "0.0.6"
+  }
+}

test/yarn-3-high/yarn.lock

@@ -0,0 +1,21 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 6
+  cacheKey: 8
+
+"audit-ci-yarn-3-high-vulnerability@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "audit-ci-yarn-3-high-vulnerability@workspace:."
+  dependencies:
+    cryo: 0.0.6
+  languageName: unknown
+  linkType: soft
+
+"cryo@npm:0.0.6":
+  version: 0.0.6
+  resolution: "cryo@npm:0.0.6"
+  checksum: 8ff3a0355e60301cd9ca1ac19ba0637813e3cfe0f145a115e0ab1fe8a1b13b84e131ad3c10a4ec27c9e7a1f4f1a259f74d5d9f05f0c16967bdef5fe26fa3e479
+  languageName: node
+  linkType: hard