pnpm: make dependency resolution more robust and configurable #10771
Conversation
Improve the PNPM package manager integration to better handle unexpected output and large workspaces. * Add defensive parsing for `pnpm list` and `pnpm info` JSON results. Instead of failing with exceptions, skip invalid entries and log warnings to aid debugging. * Use `pnpm list --only-projects --recursive` to determine workspace module directories, avoiding reliance on `node_modules` heuristics. * Support the environment variable `ORT_PNPM_DEPTH` to configure the depth passed to `pnpm list`. Defaults to "Infinity" if unset. * Ensure `pnpm install` is run with `--prod` unless dev dependencies are required, reducing unnecessary installs in CI. * Improve logging to clarify which scope or project failed resolution and why, making analyzer runs easier to debug. This makes ORT’s PNPM support more resilient in CI environments where pnpm output may vary between versions or where large monorepos cause performance and stability issues. Returning partial results instead of failing fast allows analysis to complete while still surfacing warnings. Signed-off-by: kumar10 <[email protected]>
akshay1410
force-pushed
the
pnpm-defensive-fixes
branch
from
46b225d to
56848a2
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
detekt found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
| import org.semver4j.range.RangeList | ||
| import org.semver4j.range.RangeListFactory | ||
| // pnpm-local ModuleInfo (file is plugins/package-managers/node/src/main/kotlin/pnpm/ModuleInfo.kt) | ||
| import org.ossreviewtoolkit.plugins.packagemanagers.node.pnpm.ModuleInfo |
Check warning
Code scanning / QDJVMC
Unused import directive Warning
| // ModuleInfoResolver lives in plugins/package-managers/node/src/main/kotlin/ModuleInfoResolver.kt | ||
| import org.ossreviewtoolkit.plugins.packagemanagers.node.ModuleInfoResolver | ||
|
|
||
| private val logger = LogManager.getLogger("Pnpm") |
Check warning
Code scanning / QDJVMC
Unused symbol Warning
|
|
||
| // Expecting an array of project objects; fall back gracefully if not. | ||
| val dirs = mutableSetOf<File>() | ||
| if (root is ArrayNode) { |
Check warning
Code scanning / QDJVMC
Unreachable code Warning
| // Expecting an array of project objects; fall back gracefully if not. | ||
| val dirs = mutableSetOf<File>() | ||
| if (root is ArrayNode) { | ||
| root.forEach { node -> |
Check warning
Code scanning / QDJVMC
Unreachable code Warning
| val dirs = mutableSetOf<File>() | ||
| if (root is ArrayNode) { | ||
| root.forEach { node -> | ||
| val pathNode = node.get("path") |
Check notice
Code scanning / QDJVMC
Explicit 'get' or 'set' call Note
| else logger.debug { "Skipping non-object element from pnpm list in $pkgDir (scope=$scope): ${elem?.toString()?.take(200)}" } | ||
| } | ||
| } | ||
| else -> if (node.isObject) consolidated.add(node) else logger.debug { "Skipping non-object pnpm list root for $pkgDir (scope=$scope): ${node.toString().take(200)}" } |
Check warning
Code scanning / QDJVMC
Unreachable code Warning
| else logger.debug { "Skipping non-object element from pnpm list in $pkgDir (scope=$scope): ${elem?.toString()?.take(200)}" } | ||
| } | ||
| } | ||
| else -> if (node.isObject) consolidated.add(node) else logger.debug { "Skipping non-object pnpm list root for $pkgDir (scope=$scope): ${node.toString().take(200)}" } |
Check warning
Code scanning / QDJVMC
Unreachable code Warning
| else logger.debug { "Skipping non-object element from pnpm list in $pkgDir (scope=$scope): ${elem?.toString()?.take(200)}" } | ||
| } | ||
| } | ||
| else -> if (node.isObject) consolidated.add(node) else logger.debug { "Skipping non-object pnpm list root for $pkgDir (scope=$scope): ${node.toString().take(200)}" } |
Check warning
Code scanning / QDJVMC
Unreachable code Warning
| try { | ||
| val name = jsonNode.get("name")?.asText().orEmpty() | ||
| val path = jsonNode.get("path")?.asText().orEmpty() | ||
| val version = jsonNode.get("version")?.asText().orEmpty() |
Check warning
Code scanning / QDJVMC
Unused variable Warning
| } | ||
| } | ||
|
|
||
| if (moduleInfos.isEmpty()) { |
Check warning
Code scanning / QDJVMC
Constant conditions Warning
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #10771 +/- ##
============================================
- Coverage 57.38% 56.98% -0.41%
+ Complexity 1671 1670 -1
============================================
Files 346 346
Lines 12759 12832 +73
Branches 1209 1228 +19
============================================
- Hits 7322 7312 -10
- Misses 4972 5056 +84
+ Partials 465 464 -1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Improve the PNPM package manager integration to better handle unexpected output and large workspaces.
Add defensive parsing for
pnpm listandpnpm infoJSON results. Instead of failing with exceptions, skip invalid entries and log warnings to aid debugging.Use
pnpm list --only-projects --recursiveto determine workspace module directories, avoiding reliance onnode_modulesheuristics.Support the environment variable
ORT_PNPM_DEPTHto configure the depth passed topnpm list. Defaults to "Infinity" if unset.Ensure
pnpm installis run with--produnless dev dependencies are required, reducing unnecessary installs in CI.Improve logging to clarify which scope or project failed resolution and why, making analyzer runs easier to debug.
This makes ORT’s PNPM support more resilient in CI environments where pnpm output may vary between versions or where large monorepos cause performance and stability issues. Returning partial results instead of failing fast allows analysis to complete while still surfacing warnings.
Please ensure that your pull request adheres to our contribution guidelines. Thank you!