Add pnpm support? #111
Comments
|
I would like to work on this. |
|
I'm sorry to ping you directly @lirantal but the issue was open 12 days ago and I'm still waiting on an answer |
|
Again I'm sorry and notifying random contributors but can you have a look at this issue @lili2311 ? |
|
hi @GermainBergeron apologies for slow response I am not longer directly involved in this plugin, I have however shared this with the relevant team. Is the ask here that you would like to collaborate on the support for the pnpm lockfile? |
|
Hi @GermainBergeron, I am Steph and I am a Product Manager at Snyk. Thank you for your request! Whilst we think this would be a good addition to our current offering due to other priorities we won't be able to work on this anytime soon, sorry about that. I have noted your request down and I will make sure to keep you posted If anything changes. Kind Regards, |
|
If I or @abdulhannanali manage to get it working in this repository, would it be something that you would consider @steph-herd-snyk-pm? Is there any other big piece missing to integrate it in the Snyk CLI? Thanks |
|
👋 hi @GermainBergeron @abdulhannanali while we do welcome contributions, in this particular case adding So even if you were to raise the changes needed and they are merged the team would need to complete all the backend work first before the parser is even called for a new project type Could you help us gather some more requirements on this as well while we have you here:
I also wanted to share a current Github action we have that was a great contribution snyk-tech-services/github-actions-pnpm-snyk it can convert the |
|
Hey @lili2311, thanks for your response! This is why I asked, I figured it could be a lot more complex than just adding the parser in here. To answer your questions:
I'll have a look at the Github action, it's probably better than our current workaround 🙏 |
|
Thanks, @lili2311! |
|
We have a custom script based on the previously mentioned Github action but it's not working currently since we are in a workspace and the package-lock doesn't match the package.json at the root of our workspace (0 dependencies detected). We're thinking about different improvements but they all seem hackish:
|
|
Hi @GermainBergeron, I am Mathilde, I am working with @lili2311 on this issue. I have a question on your project. So you have a pnpm-lock, a package.json and a pnpm-workspace.yaml at the base of the project, is that right? |
|
Hey Mathilde, We have a single pnpm-lock.yaml at the root folder along with a pnpm-workspace.yaml and a package.json. Our different packages all have a package.json but no pnpm-lock.yaml. It looks like this: |
|
Ok thank you. |
|
Hi @GermainBergeron, We should be releasing a solution supporting workspaces in the next couple of days. The solution we have at the moment doesn't use the CLI but the API, we will release a tool to that use the nodejs-parser to produce a depTree convert it into a depGraph and send it to the API. Thank you, |
|
An update on pnpm parser: We will also release a GitHub action later on. If you wan to try the snyk-pnpm-depTree-api-tool you can install it using : npm i -g snyk-pnpm-depTree-api-tool Then to run it with npm snyk-pnpm-deptree-api-tool -—root ‘yourProjectPath’ —-orgId ‘yourOrganisation’ —-snykToken ‘yoursnykToken’ —-includeDev ‘false’ https://www.npmjs.com/package/snyk-pnpm-deptree-api-tool Thank you |
|
hi, Here is the github action: https://github.com/snyk-tech-services/snyk-pnpm-github-action Thank you |
|
Thanks a lot @mathild3r, We'll have a look as soon as possible, it seems to fit our use case quite well 🎉 |
|
Hello @GermainBergeron, Did you had a chance to try the tool? Thank you |
|
I have a few issues with the tool, I tested it in two different packages: Here's the stack trace for the first repository when I use the full path to the repository: The repository doesn't seem that big to me, so I'm a bit confused about why it would break. If I change the The second one is a private repository which is a bit more complex (we have packages inside a Side notes:
|
|
Hi Germain, Thank you for your email. I will have a look at the issues shortly. For the second repo, is look like it's a workspace project, would you be able to share the pnpm-workspace.yaml? the tool probably haven't found one of the files. The tool is not open source at the moment, I am sorry, but I will discuss it with the team. Thank you, |
|
For the root option I tried multiple things, but I got the call stack size exceeded with The pnpm-workspace.yaml look like this for the second repository: packages:
- 'build/*'
- 'packages/*'
- 'core/*'
- 'packages/package-a/cypress/'
- 'packages/package-b/cypress/'
|
|
Hi Germain, Apologies for the late answer, I had to look at something else. I look at your issue a bit closer today and it looks like we are stuck in a loop: I will let you know when I have a fix. Thank you |
|
Hi Germain, Apologies for the delay. Let me know, Thank you, |
|
Hey Mathilde, I tried running the tool with different configurations of my repository but I always get Since the repository is open source, can you try to run the tool on it? |
|
Hi, yes I will and let you know mid next week. Thank you |
|
Hi Germain, I would like to apologies for the delay to resolve your problems. it would find the ones linked that are under packages (ie: demo linked to vapor) but if vapor linked to helpers/enzym-redux it not capable of finding it. I am working on a solution and will update you before the end of the week. Thank you, |
|
Thank you for your implementation @karlhorky! I had to make sure to include |
|
@maxonary oh right, forgot about that. Updated my post above, thanks! |
|
Any update on pnpm support in snyk? This is a blocker for us |
Same here |
same here |
|
Any updates?? my workaround is to push a yarn lock but now dependabot shows 2 sets of alerts for yarn and pnpm lock files. pnpm is quite popular now, why is it taking over 2 year to add this. |
I don't understand why anything needs to change on the backend for this. Do we not just send a list of dependencies? It seems like we just need this parser to support pnpm-lock.yml. My current workaround is a script I wrote that creates a new temporary package and installs all the same dependency versions using npm before running snyk. I guess I am missing some of the features, like auto-upgrade PRs from the bot, but I'm not sure how that's better than running |
|
The issue with generating a lock file from another package manager is you aren't guaranteed all the right transitive dependencies. Since it's not 1:1 it's hard for that to be considered a work around at scale. To the Snyk team: My company uses PNPM workspaces in a monorepo with 70 first party libraries. We have a single lock file with all dependencies and their versions. |
|
What do you guys use as an alternative to snyk? Also having the same problem here, and it seems it will not be solved soon |
I am using Gymnasium [1] to generate a SBOM file and then upload the SBOM file to the service. So any Snyk alternative that supports uploading a SBOM file (e.g. [2]) would work. For example [3] provided by Snyk [1] https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium |
|
We currently use blackduck as that supports pnpm. We were hoping to move to snyk, however this is blocking us |
|
You could use https://snyk.io/code-checker/sbom-security/ |
|
Probably at some point I'm going to get annoyed enough with the broken PRs to create the GitHub Actions workaround I described above (if someone else doesn't do it first) In my experience, it's probably about 1 hour of work to get this set up, having done similar things before for Renovate bot running To be clear, this GitHub Actions workflow would enable Snyk with pnpm, by performing the following steps (only on Snyk PRs):
|
|
Personally or at work I don't use Snyk but I have made a draft PR for someone to finish off, for parsing pnpm lock files, the problem I don't understand how to create the dep graph. The lock file is parsed and normalised so if someone has time to finish off this part: https://github.com/snyk/nodejs-lockfile-parser/pull/217/files#diff-2b8fbea4e000278df793e423c85702460e4a17ed9b161d84d05a95f30de13400R39 I think we would be good to go.... Or someone can sponsor (paid in cash or free books) me to do the rest of the development . |
100%. I don't like doing it this way. But our company forced us to hook snyk scanning up in every repo. I'm honestly not sure what value it provides that we don't get for free from |
Thee main value is diff blocking of bad dependencies that are unsafe. Running All of this is definitely best effort |
|
Try the new package with pnpm support |
|
Which one are you referring to?
…On Apr 11, 2024 at 15:50 -0700, Weyert de Boer ***@***.***>, wrote:
Try the new package with pnpm support
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
|
|
@weyert Does this mean snyk now supports pnpm? Or is this some separate tool? |
|
@gemaxim I think we can close this ticket as the pnpm lock file reading/parsing has been added with your PR |
|
@gemaxim has Has anyone tested this to be working in a demo repo successfully? Would be good to have some proof in this issue before it is closed. |
|
Hello @karlhorky this hasn't been integrated in fix prs yet. For the moment, the newly added pnpm functionality will be shortly integrated in the Snyk CLI through a newly open sourced plugin - see snyk/snyk-nodejs-plugin#2. This will include testing and monitoring, but we'll use a rolling out strategy for pnpm. The Snyk SCM pnpm functionality in the Snyk UI is still part of a bigger effort so in the near future importing and scanning pnpm projects in the UI won't be possible. |
|
Thank you!
Is there a place that we can subscribe to updates on this? |
|
Thank you very much, but we decided to stop using snyk because of this issue. Maybe we will evaluate using it again in the future. Thanks to everyone who tried to help |
|
Received a PR just now from Snyk in one of our projects that does not update the pnpm lockfile ( So maybe as per @gemaxim's comments above, this fix is still pending some additional work:
|
and others
We recently switched our package manager from npm to pnpm since it reduce our install time by multiple minutes in our monorepo. Since then our Snyk scans are failing, as we should have expected. We hacked something to generate a package-lock from the pnpm-lock.yaml but we'd like to have a more robust solution.
Can we start working on a PR to add pnpm support? I saw that you already have a parser for yarn that uses yaml and I think we could reuse some logic.
Thanks!
The text was updated successfully, but these errors were encountered: