Skip to content

fix(yarn2): Avoid failing on ambiguously resolved locators#12145

Open
Juli0q wants to merge 1 commit into
oss-review-toolkit:mainfrom
boschglobal:fix/yarn2-compat-patch-multiversion
Open

fix(yarn2): Avoid failing on ambiguously resolved locators#12145
Juli0q wants to merge 1 commit into
oss-review-toolkit:mainfrom
boschglobal:fix/yarn2-compat-patch-multiversion

Conversation

@Juli0q

@Juli0q Juli0q commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Previously, ORT aborted the analysis of a definition file with an IllegalStateException when a dependency could not be resolved to a single installed package. This happens for valid Yarn Berry trees that install several versions of the same module, for example a package that exists both as a plain npm package and as a compat-patched variant added by @yarnpkg/plugin-compat.

The fallback that looks up installed packages by module name now prefers candidates of the same patch or non-patch type as the locator, and reads the npm version range embedded in patch descriptors. If more than one candidate remains, the highest version is picked and a warning is recorded on the project instead of failing the analysis.

Fixes #12008.

@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 76.00000% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 58.64%. Comparing base (ac7e276) to head (84ac07b).
⚠️ Report is 7 commits behind head on main.

Files with missing lines Patch % Lines
...de/src/main/kotlin/yarn2/Yarn2DependencyHandler.kt 76.19% 4 Missing and 6 partials ⚠️
...ckage-managers/node/src/main/kotlin/yarn2/Yarn2.kt 75.00% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##               main   #12145      +/-   ##
============================================
+ Coverage     58.60%   58.64%   +0.03%     
- Complexity     1825     1840      +15     
============================================
  Files           361      361              
  Lines         13578    13632      +54     
  Branches       1404     1411       +7     
============================================
+ Hits           7958     7994      +36     
- Misses         5114     5129      +15     
- Partials        506      509       +3     
Flag Coverage Δ
funTest-external-tools 14.68% <28.00%> (+0.08%) ⬆️
funTest-no-external-tools 30.10% <0.00%> (-0.04%) ⬇️
test-windows-2025 42.27% <64.00%> (+0.05%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Juli0q Juli0q marked this pull request as ready for review July 13, 2026 14:11
@Juli0q Juli0q requested a review from a team as a code owner July 13, 2026 14:11

@oheger-bosch oheger-bosch left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sophisticated stuff! I have some questions.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates ORT’s Yarn 2+ analyzer to tolerate valid Yarn Berry installs where multiple installed locators exist for the same module (e.g., npm vs. @yarnpkg/plugin-compat patched variants), avoiding hard failures by selecting a best candidate and surfacing a warning instead.

Changes:

  • Add locator “patch vs. non-patch” awareness and improved semver-range extraction for patch descriptors during fallback resolution.
  • When ambiguity remains, pick the highest semantic version and record/report a WARNING issue instead of throwing.
  • Extend test coverage to validate patch detection, ambiguity handling, warning draining, and semantic version ordering.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
plugins/package-managers/node/src/test/kotlin/yarn2/Yarn2DependencyHandlerTest.kt Adds tests for patch detection and for ambiguity resolution now producing WARNINGs while selecting the highest version.
plugins/package-managers/node/src/main/kotlin/yarn2/Yarn2DependencyHandler.kt Implements ambiguity-tolerant resolution with patch-type preference, semver-range parsing for patch descriptors, and warning recording/draining.
plugins/package-managers/node/src/main/kotlin/yarn2/Yarn2.kt Includes drained ambiguity warnings in the per-project analyzer result issues.

Comment thread plugins/package-managers/node/src/main/kotlin/yarn2/Yarn2DependencyHandler.kt Outdated
Previously, ORT aborted the analysis of a definition file with an
`IllegalStateException` when a dependency could not be resolved to a
single installed package. This happens for valid Yarn Berry trees that
install several versions of the same module, for example a package that
exists both as a plain npm package and as a compat-patched variant added
by `@yarnpkg/plugin-compat`.

The fallback that looks up installed packages by module name now prefers
candidates of the same patch or non-patch type as the locator, and reads
the npm version range embedded in patch descriptors. If more than one
candidate remains, the highest version is picked and a warning is
recorded on the project instead of failing the analysis.

Fixes oss-review-toolkit#12008.

Signed-off-by: Julian Olderdissen <julian.olderdissen@bosch.com>
@Juli0q Juli0q force-pushed the fix/yarn2-compat-patch-multiversion branch from 5c37856 to 84ac07b Compare July 14, 2026 13:24
@Juli0q Juli0q requested review from Copilot and oheger-bosch July 14, 2026 13:37

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Yarn2 analyzer: "Could not unambiguously resolve locator" on valid multi-version / compat-patch lockfiles

3 participants