naugtur / npm-audit-resolver


Add support for yarn 3

fargito opened this issue · comments

Hello! Thanks for this awesome project!

I have a small problem using it with yarn3. It comes from the fact that yarn changed its audit command to npm audit so that it is now necessary to run yarn npm audit instead of just yarn audit. (See this doc).

The issue comes from this line.

I was trying to propose a PR to add support for yarn 3, but I was wondering what the best method would be. Either we could add a new implementation called yarn3 and run the command with yarn check-audit --yarn3 or edit the current yarn implementation to add a v3 flag and run it with yarn check-audit --yarn --v3.

What do you think? I would personally prefer the first option, as yarn v3 changed a lot in terms of APIs.

Cheers!

It'd be nice if --yarn detected which version you have and use it, but I'm not sure if yarn2 was doable. If you want to go with version detection, I might try to pressure you into supporting both :D
Making --yarn default to v1 and --yarn1 --yarn2 --yarn3 would also work for me. These versions are pretty much totally unrelated software.

Whichever ends up happening, please be aware I'm getting ready to merge the npm7+ support branch breaking changes (v3+) and that's where you need to branch out.

Thanks for reaching out before putting in the work. Good idea. I can help you get started.

Thanks for your feedback! I should have some time to look into it in the next days, I'll try and submit a PR.

Note - I'm not a maintainer of yarn or this project, just giving some advice

The yarn maintainers refer to v1 as 'classic' and v2+ as 'modern' (e.g their discord channel names), so maybe --yarn-modern makes sense here for this new flag. It would avoid you having to update the name of the flag for every major yarn release.

Alternatively, you might be able to use the packageManager field in package.json to determine if a modern version of yarn is in use.

There's not much different between yarn 2 and 3, - I'd argue you only need to support yarn 1 and latest modern.

@fargito @athayes so if we're choosing between --yarn-berry and --yarn-modern which is more likely to not make us cringe in the future?
Is yarn4 still called berry? Is there going to be an even more modern yarn before this kind of tooling becomes obsolete?

I'd go with --yarn-modern because who knows what berry means? But I wonder how many severe enough modernizations are ahead.

Ready to release a new tag next as soon as we figure that out :D

For now both are equally meaningful, but I'd argue that "berry" is unlikely to be reused in the future, and therefore it may prevent painful breaking changes here in some time.

But honestly, either one is good for me!

Ok, I'll publish it in a RC now and worry when I get to v3.0.0 :D

I wanted to add a test before the release and tried with yarn 2

Are you sure it should be yarn npm audit --json and not yarn audit --json ?

or is this supposed to only work on v3?

I no longer know what's the appropriate way to install yarn

Ok, got it.
yarn works, yarn npm audit returns vulnerabilities when I added them, but audit-resolver doesn't see any.

@fargito something doesn't work. I'll not publish today.

From my testing it looks like the output from yarn npm audit on berry is totally different from original yarn output and the code copied from pkgmanagers/yarn.js has no chance of working. I may have to undo the merge.

Can you share how you tested it?

Ah! This is annoying, I'll look into it. I thought it worked, but I probably messed up in my tests...

You can unmerge it for now, I'll change the specific logic in pkgmanagers/yarnBerry.js

If you can engage right now, I'm fine keeping it unreleased in the branch. Please open a new PR with changes.
Try setting up an end2end test. There's a test.sh you can use to switch yarn to berry and do all the necessary prep before running the test. I know bash is ugly, but it's much more flexible for exactly this kind of complicated setup.