Merge pull request #290 from snyk/fix/yarn-handle-resolutions-aliases

james-snyk · web-flow · commit 208dcf5abad7 · 2025-10-21T15:15:25.000+01:00
fix: handle npm aliases in resolutions field (yarn)
diff --git a/lib/aliasesPreprocessors/pkgJson.ts b/lib/aliasesPreprocessors/pkgJson.ts
@@ -66,6 +66,13 @@ export const rewriteAliasesPkgJson = (packageJsonContent: string): string => {
       pkgJsonPreprocessed.overrides,
     );
   }
+  // Process resolutions field to extract aliases (yarn)
+  if (pkgJsonPreprocessed.resolutions) {
+    rewriteAliasesInOverrides(
+      pkgJsonPreprocessed,
+      pkgJsonPreprocessed.resolutions,
+    );
+  }
   return JSON.stringify(pkgJsonPreprocessed);
 };
 
diff --git a/lib/dep-graph-builders/util.ts b/lib/dep-graph-builders/util.ts
@@ -4,6 +4,7 @@ import { InvalidUserInputError } from '../errors';
 import { NormalisedPkgs } from './types';
 import { OutOfSyncError } from '../errors';
 import { LockfileType } from '../parsers';
+import { parseNpmAlias } from '../aliasesPreprocessors/pkgJson';
 
 export type Dependencies = Record<
   string,
@@ -87,10 +88,13 @@ export const getTopLevelDeps = (
 
   if (pkgJson.aliases) {
     for (const alias of Object.keys(pkgJson.aliases)) {
-      deps[alias] = {
-        ...deps[alias],
-        ...{ alias: { ...pkgJson.aliases[alias] } },
-      };
+      // Only add alias metadata to dependencies that are actually in deps
+      if (deps[alias]) {
+        deps[alias] = {
+          ...deps[alias],
+          ...{ alias: { ...pkgJson.aliases[alias] } },
+        };
+      }
     }
   }
 
@@ -170,29 +174,60 @@ export const getChildNode = (
   const childNodeKey = `${name}@${depInfo.version}`;
   let childNode: PkgNode;
 
+  // Check if this lockfile entry is for an aliased package
+  // by looking for a corresponding npm: entry in the lockfile
+  let aliasInfo = depInfo.alias;
+  if (!aliasInfo && pkgs[childNodeKey]) {
+    // Look for any key in pkgs that matches the pattern: name@npm:*
+    // and has the same version as our current entry
+    for (const key in pkgs) {
+      if (key.startsWith(`${name}@npm:`)) {
+        const pkgEntry = pkgs[key];
+        if (pkgEntry.version === pkgs[childNodeKey].version) {
+          // Extract the npm: portion and parse it using the shared helper
+          const npmPortion = key.substring(name.length + 1); // Remove "name@" prefix
+          const parsed = parseNpmAlias(npmPortion);
+          if (parsed) {
+            const targetPkgName = parsed.packageName;
+            // Only add alias info if the alias name is different from the target name
+            if (targetPkgName !== name) {
+              aliasInfo = {
+                aliasName: name,
+                aliasTargetDepName: targetPkgName,
+                semver: parsed.version,
+                version: parsed.version,
+              };
+            }
+            break;
+          }
+        }
+      }
+    }
+  }
+
   if (!pkgs[childNodeKey]) {
     // Handle optional dependencies that don't have separate package entries
     if (depInfo.isOptional) {
       childNode = {
         id: childNodeKey,
-        name: depInfo.alias?.aliasTargetDepName ?? name,
+        name: aliasInfo?.aliasTargetDepName ?? name,
         version: depInfo.version,
         dependencies: {},
         isDev: depInfo.isDev,
         missingLockFileEntry: true,
-        alias: depInfo.alias,
+        alias: aliasInfo,
       };
     } else if (strictOutOfSync && !/^file:/.test(depInfo.version)) {
       throw new OutOfSyncError(childNodeKey, LockfileType.yarn);
     } else {
       childNode = {
         id: childNodeKey,
-        name: depInfo.alias?.aliasTargetDepName ?? name,
+        name: aliasInfo?.aliasTargetDepName ?? name,
         version: depInfo.version,
         dependencies: {},
         isDev: depInfo.isDev,
         missingLockFileEntry: true,
-        alias: depInfo.alias,
+        alias: aliasInfo,
       };
     }
   } else {
@@ -208,11 +243,11 @@ export const getChildNode = (
       : {};
     childNode = {
       id: `${name}@${depData.version}`,
-      name: depInfo.alias?.aliasTargetDepName ?? name,
+      name: aliasInfo?.aliasTargetDepName ?? name,
       version: depData.version,
       dependencies: { ...dependencies, ...optionalDependencies },
       isDev: depInfo.isDev,
-      alias: depInfo.alias,
+      alias: aliasInfo,
     };
   }
 
diff --git a/test/jest/dep-graph-builders/aliases.test.ts b/test/jest/dep-graph-builders/aliases.test.ts
@@ -563,6 +563,46 @@ describe('Testing aliases for npm', () => {
     // Verify the alias metadata is present
     expect(depGraphJson).toContain('"alias":"elliptic=>dry-uninstall@0.3.0"');
   });
+
+  it('match aliased package in resolutions field - yarn-lock-v1', async () => {
+    const pkgJsonContent = readFileSync(
+      join(
+        __dirname,
+        `./fixtures/aliases/yarn-lock-v1-with-resolutions/package.json`,
+      ),
+      'utf8',
+    );
+    const yarnLockContent = readFileSync(
+      join(
+        __dirname,
+        `./fixtures/aliases/yarn-lock-v1-with-resolutions/yarn.lock`,
+      ),
+      'utf8',
+    );
+
+    const newDepGraph = await parseYarnLockV1Project(
+      pkgJsonContent,
+      yarnLockContent,
+      {
+        includeDevDeps: false,
+        includeOptionalDeps: false,
+        includePeerDeps: false,
+        pruneLevel: 'cycles',
+        strictOutOfSync: false,
+        honorAliases: true,
+      },
+    );
+
+    expect(newDepGraph).toBeDefined();
+    expect(() => JSON.parse(JSON.stringify(newDepGraph))).not.toThrow();
+
+    // ms should be aliased to dry-uninstall via resolutions
+    const depGraphJson = JSON.stringify(newDepGraph);
+    expect(depGraphJson).toContain('dry-uninstall');
+
+    // Verify the alias metadata is present (version will be from lockfile)
+    expect(depGraphJson).toContain('"alias":"ms=>dry-uninstall');
+  });
 });
 
 describe.each(['pnpm-lock-v5', 'pnpm-lock-v6', 'pnpm-lock-v9'])(
diff --git a/test/jest/dep-graph-builders/fixtures/aliases/yarn-lock-v1-with-resolutions/package.json b/test/jest/dep-graph-builders/fixtures/aliases/yarn-lock-v1-with-resolutions/package.json
@@ -0,0 +1,10 @@
+{
+  "name": "yarn-with-resolutions",
+  "version": "1.0.0",
+  "dependencies": {
+    "debug": "4.3.1"
+  },
+  "resolutions": {
+    "ms": "npm:dry-uninstall@0.3.0"
+  }
+}
diff --git a/test/jest/dep-graph-builders/fixtures/aliases/yarn-lock-v1-with-resolutions/yarn.lock b/test/jest/dep-graph-builders/fixtures/aliases/yarn-lock-v1-with-resolutions/yarn.lock
@@ -0,0 +1,15 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+debug@4.3.1:
+  version "4.3.1"
+  resolved "https://registry.yarnpkg.com/debug/-/debug-4.3.1.tgz#f0d229c505e0c6d8c49ac553d1b13dc183f6b2ee"
+  integrity sha512-doEwdvm4PCeK4K3RQN2ZC2BYUBaxwLARCqZmMjtF8a51J2Rb0xpVloFRnCODwqjpwnAoao4pelN8l3RJdv3gRQ==
+  dependencies:
+    ms "2.1.2"
+
+ms@2.1.2, "ms@npm:dry-uninstall@0.3.0":
+  version "0.3.0"
+  resolved "https://registry.yarnpkg.com/dry-uninstall/-/dry-uninstall-0.3.0.tgz#29847a27ed3b3bb94e6212547a677e37f4427011"
+  integrity sha512-b8h94RVpETWkVV59x62NsY++79bM7Si6Dxq7a4iVxRcJU3ZJJ4vaiC7wUZwM8WDK0ySRL+i+T/1SMAzbJLejYA==
