Yarn2 PackageManager tries to fetch Metadata for Workspace packages

[flash-me]

Describe the bug

TL;DR:
ort tries to fetch metadata with yarn npm info for packages maintained in the same yarn workspace and fails, because they are not published

Rough idea of Our Setup: Yarn2+ (right now its 4.9.1) Monorepo with bunch of workspace-only packages.

-- mainapp
── plugins
   ├── aut
   ├── jum
   ├── meg
   ├── per
   ├── pro
   ├── REA
   └── sca

Where every subfolder below plugins represents packages used by the mainapp.

These packages are not publicly available. Some of them are not published at all.
The packagemanagers plugin detects correctly packages being part of the workspace and skips.

Sample output (original paths redacted)

19:02:45.848 [main] INFO  org.ossreviewtoolkit.plugins.packagemanagers.node.NodePackageManagerDetection - Skipping '/home/runner/work/plugins/..../package.json' as it is part of a workspace implicitly handled by [YARN2].
19:02:45.849 [main] INFO  org.ossreviewtoolkit.plugins.packagemanagers.node.NodePackageManagerDetection - Skipping '/home/runner/work/plugins/..../package.json' as it is part of a workspace implicitly handled by [YARN2].
19:02:45.849 [main] INFO  org.ossreviewtoolkit.plugins.packagemanagers.node.NodePackageManagerDetection - Skipping '/home/runner/work/plugins/..../package.json' as it is part of a workspace implicitly handled by [YARN2].
19:02:45.849 [main] INFO  org.ossreviewtoolkit.plugins.packagemanagers.node.NodePackageManagerDetection - Skipping '/home/runner/work/plugins/..../package.json' as it is part of a workspace implicitly handled by [YARN2].
19:02:45.849 [main] INFO  org.ossreviewtoolkit.plugins.packagemanagers.node.NodePackageManagerDetection - Skipping '/home/runner/work/plugins/..../package.json' as it is part of a workspace implicitly handled by [YARN2].
19:02:45.849 [main] INFO  org.ossreviewtoolkit.plugins.packagemanagers.node.NodePackageManagerDetection - Skipping '/home/runner/work/plugins/..../package.json' as it is part of a workspace implicitly handled by [YARN2].
19:02:45.849 [main] INFO  org.ossreviewtoolkit.plugins.packagemanagers.node.NodePackageManagerDetection - Skipping '/home/runner/work/plugins/..../package.json' as it is part of a workspace implicitly handled by [YARN2].

Where it starts to fail

Right after, the Analyzer starts doing its job, in particular this log snippet:

19:02:45.911 [main] INFO  org.ossreviewtoolkit.analyzer.Analyzer - Calling before resolution hooks for 1 manager(s).
19:02:45.939 [main] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'yarn --version' in '/home/runner/work/foo/bar'...
19:02:46.340 [main] INFO  org.ossreviewtoolkit.analyzer.PackageManagerRunner - Starting Yarn 2+ analysis.
19:02:46.353 [DefaultDispatcher-worker-1] INFO  org.ossreviewtoolkit.analyzer.PackageManager - Using Yarn 2+ to resolve dependencies for path 'package.json'...
19:02:46.358 [DefaultDispatcher-worker-1] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'yarn install' in '/home/runner/work/foo/bar'...
19:04:14.084 [DefaultDispatcher-worker-1] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'yarn workspaces list --json' in '/home/runner/work/foo/bar'...
19:04:14.740 [DefaultDispatcher-worker-1] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'yarn info --all --recursive --manifest --virtuals --json' in '/home/runner/work/foo/bar'...
19:05:23.008 [DefaultDispatcher-worker-3] INFO  org.ossreviewtoolkit.utils.common.ProcessCapture - Running 'yarn npm info --json @types/request@2.48.13 @types/resolve@1.20.2 @types/retry@0.12.2 @types/semver@7.5.8 @types/send@0.17.5 @types/serve-index@1.9.4 @types/serve-static@1.15.8 @types/set-cookie-parser@2.4.10 @types/sockjs@0.3.36 @types/ssh2-streams@0.1.12 @types/ssh2@0.5.52 @types/ssh2@1.15.5 @types/stack-utils@2.0.3 @types/styled-jsx@2.2.9 

Especially the last two lines are my pain points. First, details about the workspace are listed with

yarn info --all --recursive --manifest --virtuals --json

⚠️⚠️⚠️⚠️ followed by the crashing step that fetches the Metadata of all packages. ⚠️⚠️⚠️⚠️

For this, every entry in the yarn.lock is processed.

Even the workspace-only packages (mentioned above) are passed to yarn npm info --json

which obviously crashes with

{"type":"error","name":35,"displayName":"YN0035","indent":"","data":"  \u001b[38;5;111mResponse Code\u001b[39m: \u001b[38;5;220m404\u001b[39m (Not Found)"}
{"type":"error","name":35,"displayName":"YN0035","indent":"","data":"  \u001b[38;5;111mRequest Method\u001b[39m: GET"}
{"type":"error","name":35,"displayName":"YN0035","indent":"","data":"  \u001b[38;5;111mRequest URL\u001b[39m: \u001b[38;5;170m[https://registry.yarnpkg.com/@foo%2fbar\u001b[39m](https://registry.yarnpkg.com/@foo%2fbar/u001b[39m)"}

To Reproduce

Steps to reproduce the behavior:

Try to scan any up2date yarn repo? like backstage

Expected behavior

I would clearly expect that packages from the same yarn workspace are also skipped by the analyzer, as they are in the previous step.

Environment

Output of the ort requirements command (ensure to remove any sensitive information manually):

• ORT version: 69.0.0
• Java version: 21
• OS: Linux (GitHub Runner ubuntu-24.04)

I know since two days what ORT even is, I can't tell which information might be relevant, but here an excerpt of the config file

ort:
  deniedProcessEnvironmentVariablesSubstrings:
    - 'key'
    - 'pass'
    - 'pwd'
  enableRepositoryPackageConfigurations: true
  enableRepositoryPackageCurations: true
  forceOverwrite: false
  packageConfigurationProviders:
    - type: 'DefaultDir'
      id: 'DefaultDir'
      enabled: true
      options: {}
  packageCurationProviders:
    - type: 'DefaultDir'
      id: 'DefaultDir'
      enabled: true
      options: {}
    - type: 'DefaultFile'
      id: 'DefaultFile'
      enabled: true
      options: {}
  severeIssueThreshold: 'ERROR'
  severeRuleViolationThreshold: 'ERROR'

  scanner:
    skip_excluded: true
    scanners:
      SCANOSS:
        options:
          apiUrl: '<REDACTED>'
          writeToStorage: false
          enablePathObfuscation: false
        secrets:
          apiKey: '<REDACTED>'

analyzer:
  skip_excluded: true
  allow_dynamic_versions: false

advisor:
  skip_excluded: true

downloader:
  allowMovingRevisions: false
  includedLicenseCategories: []
  skipExcluded: false
  sourceCodeOrigins:
    - 'VCS'
    - 'ARTIFACT'

Additional context

I also looked into Yarn2.kt code.
It really seems like that the workspace packages are not excluded from the list that is passed to yarn npm info....

[fviernau]

@flash-me could you provide a minimal reproducer for this?
We do have a test dedicated to workspaces in Yarn2FunTest.
Could you provide a minimal enhancement for the test project [1], so that the test reproduces the issue?

[1] https://github.com/oss-review-toolkit/ort/tree/main/plugins/package-managers/node/src/funTest/assets/projects/synthetic/yarn2/workspaces

[flash-me]

Hey @fviernau I had a look into the test project and I was not able to reproduce our case, which I provided you with a more comprehensive setup.

We are using https://backstage.io/ and have quite a large yarn.lock file (~34k lines)

[flash-me]

@fviernau I was able to narrow it down to single packages and reconstruct the case.

This is the project setup:

├── package.json
├── packages
│   ├── app
│   │   └── package.json
│   └── spark
│       └── package.json
└── yarn.lock

Here is the yarn workspace: ort_failing_yarn2.zip

This is the output log:

Hoplite is configured to infer which sealed type to choose by inspecting the config values at runtime. This behaviour is now deprecated in favour of explicitly specifying the type through a discriminator field. In 3.0 this new behavior will become the default. To enable this behavior now (and disable this warning), invoke withExplicitSealedTypes() on the ConfigLoaderBuilder.
WARNING: A restricted method in java.lang.System has been called
WARNING: java.lang.System::load has been called by com.sun.jna.Native in an unnamed module (file:/workspaces/ort/ort-70.1.0/lib/jna-5.17.0.jar)
WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for callers in this module
WARNING: Restricted methods will be blocked in a future release unless native access is enabled

 ______________________________
/        \_______   \__    ___/ The OSS Review Toolkit, version 70.1.0,
|    |   | |       _/ |    |    built with JDK 21.0.8+9-LTS, running under Java 25.
|    |   | |    |   \ |    |    Executing 'analyze' as 'root' on Linux
\________/ |____|___/ |____|    with 14 CPUs and a maximum of 6000 MiB of memory.

Environment variables:
HOME = /root
TERM = xterm
JAVA_HOME = /usr/local/sdkman/candidates/java/current

Looking for ORT configuration in the following file:
        /root/.ort/config/config.yml (does not exist)

Looking for analyzer-specific configuration in the following files and directories:
        /workspaces/sample/.ort.yml (does not exist)
        /root/.ort/config/resolutions.yml (does not exist)
The following 26 package manager(s) are enabled:
        Bazel, Bower, Bundler, Cargo, Carthage, CocoaPods, Composer, Conan, GoMod, Gradle Inspector, Maven, NPM, NuGet, PIP, Pipenv, PNPM, Poetry, Pub, SBT, SpdxDocumentFile, Stack, Swift Package Manager, Tycho, Unmanaged, Yarn, Yarn 2+
The following 2 package curation provider(s) are enabled:
        DefaultDir, DefaultFile
Analyzing project path:
        /workspaces/sample
WARNING: A terminally deprecated method in sun.misc.Unsafe has been called
WARNING: sun.misc.Unsafe::staticFieldBase has been called by com.google.inject.internal.aop.HiddenClassDefiner (file:/workspaces/ort/ort-70.1.0/lib/guice-5.1.0-classes.jar)
WARNING: Please consider reporting this to the maintainers of class com.google.inject.internal.aop.HiddenClassDefiner
WARNING: sun.misc.Unsafe::staticFieldBase will be removed in a future release
Found 1 Yarn2 definition file(s) at:
        package.json
Found in total 1 definition file(s) from the following 1 package manager(s):
        Yarn2
18:18:47.431 [DefaultDispatcher-worker-1] ERROR org.ossreviewtoolkit.analyzer.PackageManager - Yarn 2+ failed to resolve dependencies for path 'package.json': IOException: Running 'yarn npm info --json @failing/package-with-lightningcss@0.6.0-next.1 detect-libc@2.1.2 lightningcss-android-arm64@1.30.2 lightningcss-darwin-arm64@1.30.2 lightningcss-darwin-x64@1.30.2lightningcss-freebsd-x64@1.30.2 lightningcss-linux-arm-gnueabihf@1.30.2 lightningcss-linux-arm64-gnu@1.30.2 lightningcss-linux-arm64-musl@1.30.2 lightningcss-linux-x64-gnu@1.30.2 lightningcss-linux-x64-musl@1.30.2 lightningcss-win32-arm64-msvc@1.30.2 lightningcss-win32-x64-msvc@1.30.2 lightningcss@1.30.2' in '/workspaces/sample' failed with exit code 1:
{"type":"error","name":35,"displayName":"YN0035","indent":"","data":"Package not found"}
{"type":"error","name":35,"displayName":"YN0035","indent":"","data":"  Response Code: 404 (Not Found)"}
{"type":"error","name":35,"displayName":"YN0035","indent":"","data":"  Request Method: GET"}
{"type":"error","name":35,"displayName":"YN0035","indent":"","data":"  Request URL: https://registry.yarnpkg.com/@failing%2fpackage-with-lightningcss"}

Wrote analyzer result to '/tmp/output/analyzer-result.yml' (0.00 MiB) in 208.018542ms.
The analysis took 2.311465917s.
Found 1 project(s) and 0 package(s) in total (not counting excluded ones).
Applied 0 curation(s) from 0 of 2 provider(s).

Any package that includes somehow the library lightningcss causes ORT to fail?

cheers
flash ⚡_****_