Yarn parser collects BOM with wrong versions
I have noticed that when collecting BOM components from yarn.lock files - the versions are off. Here are the steps to reproduce this bug:

- Clone https://github.com/treosh/lighthouse-ci-action
- cd & collect bom: `cdxgen --type javascript -o bom.json`
- BOM is collected from yarn.lock - remove yarn.lock & collect BOM from node_modules: `rm yarn.lock && cdxgen --type javascript -o bom-modules.json`
- Examine the two files. E.g. let's take lodash as an example.
bom.json - collected from yarn.lock:

```
/tmp/light/lighthouse-ci-action main*
❯ cat bom.json | jq '.components[] | select(.name=="lodash")'
{
  "group": "",
  "name": "lodash",
  "version": "4.3.2",
  "description": "Lodash modular utilities.",
  "scope": "required",
  "hashes": [
    {
      "alg": "SHA-1",
      "content": "d8757b1da807dde24816b0d6a84bea1a76230b23"
    }
  ],
  "licenses": [
    {
      "license": {
        "id": "MIT",
        "url": "https://opensource.org/licenses/MIT"
      }
    }
  ],
  "purl": "pkg:npm/lodash@4.3.2",
  "externalReferences": [
    {
      "type": "website",
      "url": "https://lodash.com/"
    },
    {
      "type": "vcs",
      "url": "git+https://github.com/lodash/lodash.git"
    }
  ],
  "type": "library",
  "bom-ref": "pkg:npm/lodash@4.3.2"
}
```
Here we see that lodash is identified as version 4.3.2.

Now let's take the BOM generated from the node_modules dir - bom-modules.json:
```
❯ cat bom-modules.json | jq '.components[] | select(.name=="lodash")'
{
  "group": "",
  "name": "lodash",
  "version": "4.17.21",
  "description": "Lodash modular utilities.",
  "scope": "required",
  "licenses": [
    {
      "license": {
        "id": "MIT",
        "url": "https://opensource.org/licenses/MIT"
      }
    }
  ],
  "purl": "pkg:npm/lodash@4.17.21",
  "externalReferences": [
    {
      "type": "website",
      "url": "https://lodash.com/"
    },
    {
      "type": "vcs",
      "url": "git+https://github.com/lodash/lodash.git"
    }
  ],
  "type": "library",
  "bom-ref": "pkg:npm/lodash@4.17.21"
}
```
Here we see that lodash is identified as version 4.17.21 (which is correct).

Also inside the package.json the lodash version is 4.17.21:
```
/tmp/light/lighthouse-ci-action main*
❯ grep lodash package.json
    "lodash": "^4.17.21"
    "@types/lodash": "^4.14.177",
```
And in yarn.lock lodash is identified as 4.17.12 & 4.17.21:
```
❯ grep lodash yarn.lock
"@types/lodash@^4.14.177":
resolved "https://registry.yarnpkg.com/@types/lodash/-/lodash-4.14.178.tgz#341f6d2247db528d4a13ddbb374bcdc80406f4f8"
lodash "^4.17.12"
lodash.clonedeep "^4.5.0"
lodash.get "^4.4.2"
lodash.isequal "^4.5.0"
lodash.set "^4.3.2"
lodash.clonedeep@^4.5.0:
resolved "https://registry.yarnpkg.com/lodash.clonedeep/-/lodash.clonedeep-4.5.0.tgz#e23f3f9c4f8fbdde872529c1071857a086e5ccef"
lodash.get@^4.4.2:
resolved "https://registry.yarnpkg.com/lodash.get/-/lodash.get-4.4.2.tgz#2d177f652fa31e939b4438d5341499dfa3825e99"
lodash.isequal@^4.5.0:
resolved "https://registry.yarnpkg.com/lodash.isequal/-/lodash.isequal-4.5.0.tgz#415c4478f2bcc30120c22ce10ed3226f7d3e18e0"
lodash.set@^4.3.2:
resolved "https://registry.yarnpkg.com/lodash.set/-/lodash.set-4.3.2.tgz#d8757b1da807dde24816b0d6a84bea1a76230b23"
lodash@^4.17.12, lodash@^4.17.21:
resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
```
In reality - it's the 4.17.21 version that's being used, not the 4.17.12 or 4.3.2 (which I don't understand where this number comes from).

When generating BOM from other lockfiles (such as pnpm-lock.yaml) this problem doesn't exist and versions are identified correctly.

Cheers
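As an added illustration (example code written for this page, not cdxgen's own implementation) of how a yarn.lock v1 read should behave, the parser below ties each column-0 `name@range` header only to the `version`/`resolved` lines of its own entry, skips the 4-space-indented `dependencies:` lines such as `lodash "^4.17.12"`, and a cross-check flags any BOM component whose version or SHA-1 does not match a lockfile entry of the same name, which is how a `lodash@4.3.2` entry carrying lodash.set's hash, as in the report above, gets caught. The lockfile fragment is constructed from the grep output above and `example-parent` is a hypothetical package.

```javascript
// Parse a yarn.lock v1 file into {name, version, sha1} records.  An entry starts at
// column 0 with comma-separated "name@range" keys and ':'; its body is indented 2 spaces.
// Lines under "dependencies:" are indented 4 spaces and must not be mistaken for entries.
function parseYarnLockV1(text) {
  const entries = [];
  let cur = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      const keys = line.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      // Scoped names contain a second '@', so the name ends at the LAST '@'.
      const names = new Set(keys.map((k) => k.slice(0, k.lastIndexOf("@"))));
      if (names.size !== 1) throw new Error(`mixed names in entry: ${line}`);
      entries.push((cur = { name: [...names][0], version: null, sha1: null }));
      continue;
    }
    const m = cur && line.match(/^  (version|resolved) "([^"]*)"$/);
    if (!m) continue;
    if (m[1] === "version") cur.version = m[2];
    else cur.sha1 = (m[2].split("#")[1] || "").match(/^[0-9a-f]{40}$/)?.[0] ?? null;
  }
  return entries;
}

// Cross-check BOM components against the lockfile: version (and SHA-1, when the
// BOM carries one) must match an entry of the SAME name; returns the mismatches.
function findBomMismatches(lockEntries, components) {
  const byName = new Map();
  for (const e of lockEntries) byName.set(e.name, [...(byName.get(e.name) || []), e]);
  const problems = [];
  for (const c of components) {
    const locked = byName.get(c.name);
    if (!locked) continue;
    const sha1 = (c.hashes || []).find((h) => h.alg === "SHA-1")?.content;
    if (!locked.some((e) => e.version === c.version && (!sha1 || e.sha1 === sha1)))
      problems.push({ name: c.name, bom: c.version, lock: locked.map((e) => e.version) });
  }
  return problems;
}

// Constructed yarn.lock fragment; "example-parent" is a hypothetical dependent package.
const SAMPLE_LOCK = `
example-parent@^1.0.0:
  version "1.0.0"
  dependencies:
    lodash "^4.17.12"
    lodash.set "^4.3.2"
lodash.set@^4.3.2:
  version "4.3.2"
  resolved "https://registry.yarnpkg.com/lodash.set/-/lodash.set-4.3.2.tgz#d8757b1da807dde24816b0d6a84bea1a76230b23"
lodash@^4.17.12, lodash@^4.17.21:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
`;
```

Running `findBomMismatches(parseYarnLockV1(SAMPLE_LOCK), components)` over the components of a generated BOM gives an empty list when every version and hash agrees with the lockfile.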
Top GitHub Comments
Sure thing, I will take a look
Ahh, funny bug. I’m glad it’s fixed, thanks again!