From 0bf7323f6f3606b248a3a3374ce455c4a5ce0b29 Mon Sep 17 00:00:00 2001
From: coder-Yash886
Date: Wed, 3 Jun 2026 18:23:30 +0530
Subject: [PATCH] feat: add yarn-within-range lockfile fixture (#5)
---
 examples/readme.md | 2 ++
 examples/yarn-within-range/package.json | 10 ++++++++++
 examples/yarn-within-range/yarn.lock | 18 ++++++++++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 examples/yarn-within-range/package.json
 create mode 100644 examples/yarn-within-range/yarn.lock
diff --git a/examples/readme.md b/examples/readme.md
index ca9ec18..e2f0f52 100644
--- a/examples/readme.md
+++ b/examples/readme.md
@@ -18,6 +18,7 @@ Small curated projects committed to the repository. Clone the repo and scan imme
 | `workspace` | npm (workspace) | npm workspace hoisting and multi-package scanning. |
 | `yarn-berry` | Yarn Berry (v2+) | Yarn Berry lockfile format parsing (`__metadata:` block). |
 | `yarn-classic` | Yarn Classic (v1) | Yarn v1 lockfile format with direct and transitive vulnerabilities. |
+| `yarn-within-range` | Yarn Classic (v1) | Deep transitive chain where the parent's range already covers the fix; suggests `yarn upgrade `. |
 | `bun-simple` | Bun | Minimal Bun lockfile with a direct and transitive vulnerability. |
 | `bun-workspace` | Bun (workspace) | Bun workspace monorepo with workspace-scoped fix commands. |
 | `pnpm-simple` | pnpm | Minimal pnpm v9 lockfile with a single direct vulnerability. |
@@ -140,6 +141,7 @@ node dist/index.js examples/direct-and-transitive --verbose
 node dist/index.js examples/workspace --verbose
 node dist/index.js examples/yarn-berry --verbose
 node dist/index.js examples/yarn-classic --verbose
+node dist/index.js examples/yarn-within-range --verbose
 node dist/index.js examples/bun-simple --verbose
 node dist/index.js examples/bun-workspace --verbose
 node dist/index.js examples/pnpm-simple --verbose
diff --git a/examples/yarn-within-range/package.json b/examples/yarn-within-range/package.json
new file mode 100644
index 0000000..2a33952
--- /dev/null
+++ b/examples/yarn-within-range/package.json
@@ -0,0 +1,10 @@
+{
+ "name": "yarn-within-range",
+ "version": "1.0.0",
+ "private": true,
+ "description": "Minimal Yarn Classic fixture: deep transitive within-range remediation should suggest yarn upgrade js-cookie.",
+ "license": "ISC",
+ "devDependencies": {
+ "aws-amplify": "6.16.3"
+ }
+}
diff --git a/examples/yarn-within-range/yarn.lock b/examples/yarn-within-range/yarn.lock
new file mode 100644
index 0000000..c4ad131
--- /dev/null
+++ b/examples/yarn-within-range/yarn.lock
@@ -0,0 +1,18 @@
+# yarn lockfile v1
+
+
+aws-amplify@6.16.3:
+ version "6.16.3"
+ resolved "https://registry.npmjs.org/aws-amplify/-/aws-amplify-6.16.3.tgz"
+ dependencies:
+ "@aws-amplify/core" "6.16.1"
+
+"@aws-amplify/core@6.16.1":
+ version "6.16.1"
+ resolved "https://registry.npmjs.org/@aws-amplify/core/-/core-6.16.1.tgz"
+ dependencies:
+ js-cookie "^3.0.5"
+
+js-cookie@^3.0.5:
+ version "3.0.6"
+ resolved "https://registry.npmjs.org/js-cookie/-/js-cookie-3.0.6.tgz"
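Review bot: The expected result of this fixture, `yarn upgrade js-cookie`, is recorded only in the `description` string of examples/yarn-within-range/package.json; the diffstat lists three files and none of them is a test, so nothing in this patch would fail if the within-range suggestion regressed. If the project has a fixture-driven test suite outside this patch, a case for `examples/yarn-within-range` that asserts the suggested command belongs with this change. `aws-amplify` is also declared under `devDependencies`, so a scan mode that skips development dependencies (if the tool has one) would report nothing for this example; `"dependencies": { "aws-amplify": "6.16.3" }` avoids that unless the dev scope is deliberate, in which case the description should say so.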