Skip to content

Feature/xray 138688 add pnpm support for jf ca#769

Open
gauriy-tech wants to merge 4 commits into
jfrog:devfrom
gauriy-tech:feature/XRAY-140503-onboard-pnpm
Open

Feature/xray 138688 add pnpm support for jf ca#769
gauriy-tech wants to merge 4 commits into
jfrog:devfrom
gauriy-tech:feature/XRAY-140503-onboard-pnpm

Conversation

@gauriy-tech
Copy link
Copy Markdown
Contributor

@gauriy-tech gauriy-tech commented May 29, 2026
edited
Loading

  • The pull request is targeting the dev branch.
  • The code has been validated to compile successfully by running go vet ./....
  • The code has been formatted properly using go fmt ./....
  • All static analysis checks passed.
  • All tests have passed. If this feature is not already covered by the tests, new tests have been added.
  • Updated the Contributing page / ReadMe page / CI Workflow files if needed.
  • All changes are detailed at the description. if not already covered at JFrog Documentation, new documentation have been added.

What: Added pnpm support to jf ca (curation audit) using lockfile-based dependency resolution
Why: jf ca can't run pnpm ls (requires node_modules) — lockfile parsing avoids any tarball downloads
How: pnpm install --lockfile-only generates/refreshes the lockfile, then pnpm-lock.yaml is parsed directly. jf audit/jf scan pnpm workflow is unchanged.
Scope: Only pnpm v10.x supported. jf audit path untouched.
Test plan: new unit tests in pnpm_test.go, pnpmlock_test.go, curationaudit_test.go

Screenshot 2026-06-02 at 12 39 43 PM

Detailed Test execution plan is here https://jfrog-int.atlassian.net/browse/XRAY-144540

gauriy-tech and others added 3 commits May 27, 2026 15:22
@gauriy-tech
XRAY-140503 - Implementing support for pnpm in jf ca
f4e3c3f
@gauriy-tech @cursoragent
XRAY-140503 - Add pnpm v10 min version check, stale lockfile refresh,…
8a6d199 
… and improved install logging

- Reject pnpm versions below 10.x with a clear error message
- Refresh pnpm-lock.yaml when package.json is newer (stale lockfile)
- Log full install command including --lockfile-only and --ignore-scripts flags
- Add unit tests for validatePnpmMinVersion

Co-authored-by: Cursor <cursoragent@cursor.com>
@gauriy-tech @cursoragent
XRAY-140503 - Polish pnpm version check, rejection message, and --run…
69b4e25 
…-native warning

- Enforce pnpm 10.x only (reject <10 and >10); add maxPnpmMajorVersion=10 const
- Align version rejection message with yarn's wording pattern
- Fix test: v11 correctly expected to be rejected
- Warn via log.Warn when --run-native is passed for pnpm (no-op, always native)

Co-authored-by: Cursor <cursoragent@cursor.com>
@gauriy-tech gauriy-tech force-pushed the feature/XRAY-140503-onboard-pnpm branch from 69b4e25 to 2e42139 Compare May 29, 2026 06:47
@gauriy-tech gauriy-tech force-pushed the feature/XRAY-140503-onboard-pnpm branch from 2e42139 to 57e880a Compare May 29, 2026 07:00
@gauriy-tech gauriy-tech force-pushed the feature/XRAY-140503-onboard-pnpm branch from 57e880a to 1dbd2fb Compare June 1, 2026 08:48
@gauriy-tech gauriy-tech force-pushed the feature/XRAY-140503-onboard-pnpm branch from 1dbd2fb to 8bee66c Compare June 2, 2026 07:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gauriy-tech