SCIO scan_package pipeline does not analyze yarn.lock file #1570
I ran the scan_package pipeline on a yarn.lock file to get the list of packages, but SCIO returned only 1 Resource record for the file itself.
The header of the yarn.lock file says: (yarn lockfile v1).
The pipeline was run on SCIO v34.93 (SCTK v32.3.1).

Comments

@mjherzog if the only thing we have is a yarn.lock, then there are no files we can attach to it beyond the file itself. The files would be attached to an actual package designated by a package.json instead.

So what do you run in SCIO to analyze a package manifest on its own? Does SCTK handle it?

@mjherzog and @pombredanne I tested a scan of Michael's yarn.lock file and it did show that it read and interpreted the file in the scan results, but all of the download URLs were to a secured private repo requiring credentials, so it did not provide any additional information about those packages.

@DennisClark Thank you for the research - that makes sense. Did you test the scan_package pipeline with a yarn.lock file that has public download URLs? I recall that you did and the results were better. Please document here for posterity.

@mjherzog yes, I ran a successful scan on a yarn.lock file containing public download URLs.