Skip to content

fix(pnpm): select correct workspace member from pnpm ls array#484

Open
Strum355 wants to merge 3 commits intoguacsec:mainfrom
Strum355:TC-4180
Open

fix(pnpm): select correct workspace member from pnpm ls array#484
Strum355 wants to merge 3 commits intoguacsec:mainfrom
Strum355:TC-4180

Conversation

@Strum355
Copy link
Copy Markdown
Member

@Strum355 Strum355 commented Apr 22, 2026
edited by atlassian Bot
Loading

Summary

  • Fix pnpm workspace member dependency resolution returning 0 dependencies for both component and stack analysis
  • When pnpm ls --json runs from the workspace root, it returns an array with one entry per workspace package — the override now finds the entry matching the manifest name instead of blindly taking tree[0]
  • Add workspace member test fixtures with golden SBOMs for both stack and component analysis

Implements TC-4180

Test plan

  • pnpm workspace member stack analysis returns correct transitive dependencies
  • pnpm workspace member component analysis returns correct direct dependencies
  • All 47 existing javascript provider tests continue to pass
  • ESLint clean

🤖 Generated with Claude Code

Strum355 and others added 3 commits April 22, 2026 13:17
@Strum355
fix(pnpm): select correct workspace member from pnpm ls array
b146b38 
When pnpm ls --json runs from a workspace root, it returns an array
with one entry per workspace package. Previously, _buildDependencyTree
always selected tree[0], which is typically the workspace root — not
the member being analyzed. This caused both component and stack
analysis to return 0 dependencies for workspace members.

Now finds the array element matching the manifest name before falling
back to tree[0].

Implements TC-4180

Assisted-by: Claude Code
@Strum355 @claude
docs: add explanatory comment to pnpm workspace member fix
90aaf05 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Strum355 @claude
fix(pnpm): add -r flag and regenerate listings from real CLI output
4be4adf 
pnpm ls without -r only returns the workspace root entry, omitting
workspace members entirely. Adding -r includes all workspace packages
in the output array.

Test fixtures regenerated from actual pnpm ls output (follow-redirects
resolved to 1.16.0).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@Strum355 Strum355 requested a review from ruromero April 22, 2026 16:16
ruromero
ruromero approved these changes Apr 22, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@ruromero ruromero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ruromero ruromero ruromero approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Strum355 @ruromero