Progress towards better Yarn coverage

Signed-off-by: Quinn Turner <quinnturnertech@gmail.com>

lib/yarn-auditor.ts

@@ -1,6 +1,4 @@
 import type { YarnAudit, YarnBerryAuditReport } from "audit-types";
-import { execSync } from "child_process";
-import * as semver from "semver";
 import { blue, red, yellow } from "./colors.js";
 import { reportAudit, runProgram } from "./common.js";
 import {
@@ -9,38 +7,14 @@ import {
   type AuditCiFullConfig,
 } from "./config.js";
 import Model, { type Summary } from "./model.js";
-
-const MINIMUM_YARN_CLASSIC_VERSION = "1.12.3";
-const MINIMUM_YARN_BERRY_VERSION = "2.4.0";
-/**
- * Change this to the appropriate version when
- * yarn audit --registry is supported:
- * @see https://github.com/yarnpkg/yarn/issues/7012
- */
-const MINIMUM_YARN_AUDIT_REGISTRY_VERSION = "99.99.99";
-
-function getYarnVersion(cwd?: string) {
-  const version = execSync("yarn -v", { cwd }).toString().replace("\n", "");
-  return version;
-}
-
-function yarnSupportsClassicAudit(yarnVersion: string | semver.SemVer) {
-  return semver.satisfies(yarnVersion, `^${MINIMUM_YARN_CLASSIC_VERSION}`);
-}
-
-function yarnSupportsBerryAudit(yarnVersion: string | semver.SemVer) {
-  return semver.gte(yarnVersion, MINIMUM_YARN_BERRY_VERSION);
-}
-
-function yarnSupportsAudit(yarnVersion: string | semver.SemVer) {
-  return (
-    yarnSupportsClassicAudit(yarnVersion) || yarnSupportsBerryAudit(yarnVersion)
-  );
-}
-
-function yarnAuditSupportsRegistry(yarnVersion: string | semver.SemVer) {
-  return semver.gte(yarnVersion, MINIMUM_YARN_AUDIT_REGISTRY_VERSION);
-}
+import {
+  MINIMUM_YARN_BERRY_VERSION,
+  MINIMUM_YARN_CLASSIC_VERSION,
+  getYarnVersion,
+  yarnAuditSupportsRegistry,
+  yarnSupportsAudit,
+  yarnSupportsClassicAudit,
+} from "./yarn-version.js";
 
 const printJson = (data: unknown) => {
   console.log(JSON.stringify(data, undefined, 2));
@@ -83,7 +57,7 @@ export async function auditWithFullConfig(
   let missingLockFile = false;
   const model = new Model(config);
 
-  const yarnVersion = getYarnVersion(directory);
+  const yarnVersion = getYarnVersion(yarnExec, directory);
   const isYarnVersionSupported = yarnSupportsAudit(yarnVersion);
   if (!isYarnVersionSupported) {
     throw new Error(

lib/yarn-version.ts

@@ -0,0 +1,39 @@
+import { execSync } from "child_process";
+import semver from "semver";
+
+export const MINIMUM_YARN_CLASSIC_VERSION = "1.12.3";
+export const MINIMUM_YARN_BERRY_VERSION = "2.4.0";
+/**
+ * Change this to the appropriate version when
+ * yarn audit --registry is supported:
+ * @see https://github.com/yarnpkg/yarn/issues/7012
+ */
+const MINIMUM_YARN_AUDIT_REGISTRY_VERSION = "99.99.99";
+
+export function yarnSupportsClassicAudit(yarnVersion: string | semver.SemVer) {
+  return semver.satisfies(yarnVersion, `^${MINIMUM_YARN_CLASSIC_VERSION}`);
+}
+
+export function yarnSupportsBerryAudit(yarnVersion: string | semver.SemVer) {
+  return semver.gte(yarnVersion, MINIMUM_YARN_BERRY_VERSION);
+}
+
+export function yarnSupportsAudit(yarnVersion: string | semver.SemVer) {
+  return (
+    yarnSupportsClassicAudit(yarnVersion) || yarnSupportsBerryAudit(yarnVersion)
+  );
+}
+
+export function yarnAuditSupportsRegistry(yarnVersion: string | semver.SemVer) {
+  return semver.gte(yarnVersion, MINIMUM_YARN_AUDIT_REGISTRY_VERSION);
+}
+
+const versionMap = new Map<string, string>();
+export function getYarnVersion(yarnExec = "yarn", cwd?: string) {
+  const key = `${yarnExec}:${cwd}`;
+  let version = versionMap.get(key);
+  if (version) return version;
+  version = execSync(`${yarnExec} -v`, { cwd }).toString().replace("\n", "");
+  versionMap.set(key, version);
+  return version;
+}

test/yarn-1-auditor.spec.ts

@@ -0,0 +1,12 @@
+import path from "path";
+import { SemVer } from "semver";
+import { performAuditTests } from "./yarn-auditor";
+
+const version = "1.22.19";
+
+const yarnAbsolutePath = path.resolve(__dirname, `./yarn-${version}.cjs`);
+
+performAuditTests({
+  yarnAbsolutePath,
+  yarnVersion: new SemVer(version),
+});

test/yarn-1-config-file/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-critical/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-critical/package.json → test/yarn-1-critical/package.json

@@ -1,5 +1,5 @@
 {
-  "name": "audit-ci-yarn-critical-vulnerability",
+  "name": "audit-ci-yarn-1-critical-vulnerability",
   "description": "Test package.json with critical vulnerability",
   "dependencies": {
     "open": "0.0.5"

test/yarn-1-duplicate-paths/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-high/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-low/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-moderate/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-none/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-skip-dev/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-workspace-empty/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-1-workspace/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-1.22.19.cjs"

test/yarn-2-auditor.spec.ts

@@ -0,0 +1,12 @@
+import path from "path";
+import { SemVer } from "semver";
+import { performAuditTests } from "./yarn-auditor";
+
+const version = "2.4.0";
+
+const yarnAbsolutePath = path.resolve(__dirname, `./yarn-${version}.cjs`);
+
+performAuditTests({
+  yarnAbsolutePath,
+  yarnVersion: new SemVer(version),
+});

test/yarn-2-critical/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-2.4.0.cjs"

test/yarn-2-critical/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "audit-ci-yarn-2-critical-vulnerability",
+  "description": "Test package.json with critical vulnerability",
+  "dependencies": {
+    "open": "0.0.5"
+  }
+}

test/yarn-2-critical/yarn.lock

@@ -0,0 +1,21 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 4
+  cacheKey: 7
+
+"audit-ci-yarn-2-critical-vulnerability@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "audit-ci-yarn-2-critical-vulnerability@workspace:."
+  dependencies:
+    open: 0.0.5
+  languageName: unknown
+  linkType: soft
+
+"open@npm:0.0.5":
+  version: 0.0.5
+  resolution: "open@npm:0.0.5"
+  checksum: 5c974432a245cad8ecf3c10529fc1bce29118ee73cb71dd89bbe1dc89b453b944edd4a5e42aa56915a27d5419c7b29bfb4782f1fc336a863452d8051ec3e00af
+  languageName: node
+  linkType: hard

test/yarn-2-high/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-2.4.0.cjs"

test/yarn-2-high/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "audit-ci-yarn-2-high-vulnerability",
+  "description": "Test package.json with high vulnerability",
+  "dependencies": {
+    "cryo": "0.0.6"
+  }
+}

test/yarn-2-high/yarn.lock

@@ -0,0 +1,21 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 4
+  cacheKey: 7
+
+"audit-ci-yarn-2-high-vulnerability@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "audit-ci-yarn-2-high-vulnerability@workspace:."
+  dependencies:
+    cryo: 0.0.6
+  languageName: unknown
+  linkType: soft
+
+"cryo@npm:0.0.6":
+  version: 0.0.6
+  resolution: "cryo@npm:0.0.6"
+  checksum: d4faaa6bcbc68c60d940aa546d292fe37aec3ec55760113e9da662a265ccd84173b269419e1a6bb789349732432a45f414ddcee379a03b2d63a9c0a584fb68a4
+  languageName: node
+  linkType: hard

test/yarn-3-auditor.spec.ts

@@ -0,0 +1,12 @@
+import path from "path";
+import { SemVer } from "semver";
+import { performAuditTests } from "./yarn-auditor";
+
+const version = "3.3.1";
+
+const yarnAbsolutePath = path.resolve(__dirname, `./yarn-${version}.cjs`);
+
+performAuditTests({
+  yarnAbsolutePath,
+  yarnVersion: new SemVer(version),
+});

test/yarn-3-critical/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-3.3.1.cjs"

test/yarn-3-critical/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "audit-ci-yarn-3-critical-vulnerability",
+  "description": "Test package.json with critical vulnerability",
+  "dependencies": {
+    "open": "0.0.5"
+  }
+}

test/yarn-3-critical/yarn.lock

@@ -0,0 +1,21 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 6
+  cacheKey: 8
+
+"audit-ci-yarn-3-critical-vulnerability@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "audit-ci-yarn-3-critical-vulnerability@workspace:."
+  dependencies:
+    open: 0.0.5
+  languageName: unknown
+  linkType: soft
+
+"open@npm:0.0.5":
+  version: 0.0.5
+  resolution: "open@npm:0.0.5"
+  checksum: 2a1a5a0accea9a361a8ba8cf298f7d330f5197a98a0752105084c4a3442a3a174700f661d2f8d5b62eaefe52d192f89492774be32da4541b080eba1c8196951e
+  languageName: node
+  linkType: hard

test/yarn-3-high/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-3.3.1.cjs"

test/yarn-3-high/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "audit-ci-yarn-3-high-vulnerability",
+  "description": "Test package.json with high vulnerability",
+  "dependencies": {
+    "cryo": "0.0.6"
+  }
+}

test/yarn-3-high/yarn.lock

@@ -0,0 +1,21 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 6
+  cacheKey: 8
+
+"audit-ci-yarn-3-high-vulnerability@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "audit-ci-yarn-3-high-vulnerability@workspace:."
+  dependencies:
+    cryo: 0.0.6
+  languageName: unknown
+  linkType: soft
+
+"cryo@npm:0.0.6":
+  version: 0.0.6
+  resolution: "cryo@npm:0.0.6"
+  checksum: 8ff3a0355e60301cd9ca1ac19ba0637813e3cfe0f145a115e0ab1fe8a1b13b84e131ad3c10a4ec27c9e7a1f4f1a259f74d5d9f05f0c16967bdef5fe26fa3e479
+  languageName: node
+  linkType: hard

test/yarn-4-auditor.spec.ts

@@ -0,0 +1,12 @@
+import path from "path";
+import { SemVer } from "semver";
+import { performAuditTests } from "./yarn-auditor";
+
+const version = "4.0.0-rc.35";
+
+const yarnAbsolutePath = path.resolve(__dirname, `./yarn-${version}.cjs`);
+
+performAuditTests({
+  yarnAbsolutePath,
+  yarnVersion: new SemVer(version),
+});

test/yarn-4-critical/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-4.0.0-rc.35.cjs"

test/yarn-4-critical/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "audit-ci-yarn-4-critical-vulnerability",
+  "description": "Test package.json with critical vulnerability",
+  "dependencies": {
+    "open": "0.0.5"
+  }
+}

test/yarn-4-critical/yarn.lock

@@ -0,0 +1,21 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 7
+  cacheKey: 9
+
+"audit-ci-yarn-4-critical-vulnerability@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "audit-ci-yarn-4-critical-vulnerability@workspace:."
+  dependencies:
+    open: "npm:0.0.5"
+  languageName: unknown
+  linkType: soft
+
+"open@npm:0.0.5":
+  version: 0.0.5
+  resolution: "open@npm:0.0.5"
+  checksum: 0eb72096c395ef9a8f9540cf83d120f87920ba67c7c7efebe1e581f740bf43e27b16d7ab922379fc7afa5662ea941ee9ee7cbb51a459dc8092eec9f3949b057d
+  languageName: node
+  linkType: hard

test/yarn-4-high/.yarnrc.yml

@@ -0,0 +1 @@
+yarnPath: "../yarn-4.0.0-rc.35.cjs"

test/yarn-4-high/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "audit-ci-yarn-4-high-vulnerability",
+  "description": "Test package.json with high vulnerability",
+  "dependencies": {
+    "cryo": "0.0.6"
+  }
+}

test/yarn-4-high/yarn.lock

@@ -0,0 +1,21 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 7
+  cacheKey: 9
+
+"audit-ci-yarn-4-high-vulnerability@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "audit-ci-yarn-4-high-vulnerability@workspace:."
+  dependencies:
+    cryo: "npm:0.0.6"
+  languageName: unknown
+  linkType: soft
+
+"cryo@npm:0.0.6":
+  version: 0.0.6
+  resolution: "cryo@npm:0.0.6"
+  checksum: d6bea1dcad60fc06d2c52d0ba061036e24af675299285fc0705c2623a19fedd7d9e0a2d5d04f4730d8eb75be6d321aeca954f3389c9e93bec83ef777c06b4a91
+  languageName: node
+  linkType: hard