Merge pull request #252 from snyk/fix/fix-empty-lockfile

fix: handle pnpm empty lockfiles

lib/dep-graph-builders/pnpm/lockfile-parser/index.ts

@@ -8,10 +8,16 @@ import { OpenSourceEcosystems } from '@snyk/error-catalog-nodejs-public';
 import { NodeLockfileVersion } from '../../../utils';
 
 export function getPnpmLockfileParser(
-  pnpmLockContent: string,
+  pnpmLockContent: string | undefined,
   lockfileVersion?: NodeLockfileVersion,
   workspaceArgs?: PnpmWorkspaceArgs,
 ): PnpmLockfileParser {
+  // In case of no dependencies, pnpm@7 (lokfile version 5)
+  // does not create a lockfile at `pnpm install`
+  // so if there is no lockfile content, default to lockfile version 5
+  if (!pnpmLockContent) {
+    return new LockfileV5Parser(pnpmLockContent, workspaceArgs);
+  }
   const rawPnpmLock = load(pnpmLockContent, {
     json: true,
     schema: FAILSAFE_SCHEMA,

lib/dep-graph-builders/pnpm/lockfile-parser/lockfile-v5.ts

@@ -5,6 +5,13 @@ import { PnpmWorkspaceArgs } from '../../types';
 
 export class LockfileV5Parser extends PnpmLockfileParser {
   public constructor(rawPnpmLock: any, workspaceArgs?: PnpmWorkspaceArgs) {
+    // In case of no dependencies, pnpm@7 (lokfile version 5)
+    // does not create a lockfile at `pnpm install`
+    if (!rawPnpmLock) {
+      rawPnpmLock = {
+        lockfileVersion: '5',
+      };
+    }
     super(rawPnpmLock, workspaceArgs);
   }
 

lib/dep-graph-builders/pnpm/lockfile-parser/lockfile-v9.ts

@@ -16,7 +16,8 @@ export class LockfileV9Parser extends LockfileV6Parser {
     super(rawPnpmLock, workspaceArgs);
     this.settings = rawPnpmLock.settings;
     this.packages = {};
-    Object.entries(rawPnpmLock.snapshots).forEach(
+    this.snapshots = rawPnpmLock.snapshots || {};
+    Object.entries(this.snapshots).forEach(
       ([depPath, versionData]: [string, any]) => {
         const normalizedDepPath = this.excludeTransPeerDepsVersions(depPath);
         this.packages[normalizedDepPath] = {

lib/dep-graph-builders/pnpm/parse-project.ts

@@ -7,7 +7,7 @@ import { NodeLockfileVersion } from '../../utils';
 
 export const parsePnpmProject = async (
   pkgJsonContent: string,
-  pnpmLockContent: string,
+  pnpmLockContent: string | undefined,
   options: PnpmProjectParseOptions,
   lockfileVersion?: NodeLockfileVersion,
 ): Promise<DepGraph> => {

test/jest/dep-graph-builders/fixtures/pnpm-lock-v5/empty-project/expected.json

@@ -0,0 +1,25 @@
+{
+  "schemaVersion": "1.3.0",
+  "pkgManager": {
+    "name": "pnpm"
+  },
+  "pkgs": [
+    {
+      "id": "[email protected]",
+      "info": {
+        "name": "empty-project",
+        "version": "1.0.0"
+      }
+    }
+  ],
+  "graph": {
+    "rootNodeId": "root-node",
+    "nodes": [
+      {
+        "nodeId": "root-node",
+        "pkgId": "[email protected]",
+        "deps": []
+      }
+    ]
+  }
+}

test/jest/dep-graph-builders/fixtures/pnpm-lock-v5/empty-project/package.json

@@ -0,0 +1,4 @@
+{
+  "name": "empty-project",
+  "version": "1.0.0"
+}

test/jest/dep-graph-builders/fixtures/pnpm-lock-v6/empty-project/expected.json

@@ -0,0 +1,25 @@
+{
+  "schemaVersion": "1.3.0",
+  "pkgManager": {
+    "name": "pnpm"
+  },
+  "pkgs": [
+    {
+      "id": "[email protected]",
+      "info": {
+        "name": "empty-project",
+        "version": "1.0.0"
+      }
+    }
+  ],
+  "graph": {
+    "rootNodeId": "root-node",
+    "nodes": [
+      {
+        "nodeId": "root-node",
+        "pkgId": "[email protected]",
+        "deps": []
+      }
+    ]
+  }
+}

test/jest/dep-graph-builders/fixtures/pnpm-lock-v6/empty-project/package.json

@@ -0,0 +1,4 @@
+{
+  "name": "empty-project",
+  "version": "1.0.0"
+}

test/jest/dep-graph-builders/fixtures/pnpm-lock-v9/empty-project/expected.json

@@ -0,0 +1,25 @@
+{
+  "schemaVersion": "1.3.0",
+  "pkgManager": {
+    "name": "pnpm"
+  },
+  "pkgs": [
+    {
+      "id": "[email protected]",
+      "info": {
+        "name": "empty-project",
+        "version": "1.0.0"
+      }
+    }
+  ],
+  "graph": {
+    "rootNodeId": "root-node",
+    "nodes": [
+      {
+        "nodeId": "root-node",
+        "pkgId": "[email protected]",
+        "deps": []
+      }
+    ]
+  }
+}

test/jest/dep-graph-builders/fixtures/pnpm-lock-v9/empty-project/package.json

@@ -0,0 +1,4 @@
+{
+  "name": "empty-project",
+  "version": "1.0.0"
+}

test/jest/dep-graph-builders/pnpm-lock.test.ts

@@ -1,5 +1,5 @@
 import { join } from 'path';
-import { readFileSync } from 'fs';
+import { existsSync, readFileSync } from 'fs';
 import { parsePnpmProject } from '../../../lib/dep-graph-builders';
 import { OpenSourceEcosystems } from '@snyk/error-catalog-nodejs-public';
 import { InvalidUserInputError } from '../../../lib';
@@ -24,6 +24,7 @@ describe.each(['pnpm-lock-v5', 'pnpm-lock-v6', 'pnpm-lock-v9'])(
           'npm-protocol',
           'scoped-override',
           'alias-sub-dependency',
+          'empty-project',
         ])('[simple tests] project: %s ', (fixtureName) => {
           jest.setTimeout(50 * 1000);
           it('matches expected', async () => {
@@ -34,13 +35,14 @@ describe.each(['pnpm-lock-v5', 'pnpm-lock-v6', 'pnpm-lock-v9'])(
               ),
               'utf8',
             );
-            const pkgLockContent = readFileSync(
-              join(
-                __dirname,
-                `./fixtures/${lockFileVersionPath}/${fixtureName}/pnpm-lock.yaml`,
-              ),
-              'utf8',
+            const lockfilePath = join(
+              __dirname,
+              `./fixtures/${lockFileVersionPath}/${fixtureName}/pnpm-lock.yaml`,
             );
+            let pkgLockContent: string | undefined = undefined;
+            if (existsSync(lockfilePath)) {
+              pkgLockContent = readFileSync(lockfilePath, 'utf8');
+            }
 
             const newDepGraph = await parsePnpmProject(
               pkgJsonContent,