From fbc6dabca03d5a61784ef4120f455307ba28dd91 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Sun, 12 Apr 2026 16:15:12 +0800
Subject: [PATCH 1/2] test: make yarn tests agnostic of corepack defaults

The tests will fail currently if ones default corepack-yarn version is not Yarn Classic (v1). Setting the package manager makes this explicit; although the tests still rely on having a corepack-based yarn installation.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .../owasp/dependencycheck/analyzer/YarnAuditAnalyzerIT.java | 1 -
 .../yarn/yarn-classic-audit-bad-berry-lockfile/package.json | 3 ++-
 core/src/test/resources/yarn/yarn-classic-audit/package.json | 3 ++-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerIT.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerIT.java
index 32b1c1a6439..c3474e96086 100644
--- a/core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerIT.java
+++ b/core/src/test/java/org/owasp/dependencycheck/analyzer/YarnAuditAnalyzerIT.java
@@ -63,7 +63,6 @@ void testAnalyzePackageYarnClassic() throws Exception { testAnalyzeForUglifyJs("yarn/yarn-classic-audit/yarn.lock"); } - @Disabled("broken test case on my local machine - needs further investigation") @Test void testAnalyzePackageYarnClassicOnYarnBerryLockfile() { AnalysisException exception = assertThrows(AnalysisException.class, () -> testAnalyzeForUglifyJs("yarn/yarn-classic-audit-bad-berry-lockfile/yarn.lock"));
diff --git a/core/src/test/resources/yarn/yarn-classic-audit-bad-berry-lockfile/package.json b/core/src/test/resources/yarn/yarn-classic-audit-bad-berry-lockfile/package.json
index d46b8308f70..ccf5d0997d4 100644
--- a/core/src/test/resources/yarn/yarn-classic-audit-bad-berry-lockfile/package.json
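Review bot: The re-enabled test only checks `assertThrows(AnalysisException.class, …)`, so if the analyzer reports a missing or non-corepack yarn through that same exception type, a machine without the tooling the commit message says is required passes this test for the wrong reason instead of skipping it. Consider gating it with a JUnit assumption on yarn availability, e.g. `Assumptions.assumeTrue(yarnIsAvailable(), "corepack-managed yarn required");` (adapted to however the analyzer already locates the yarn binary), and asserting on the exception's message or cause so that only the lockfile mismatch passes. The assertion on `exception` continues outside this hunk, so the second part may already be covered there. Dropping `@Disabled` without a note also loses the reason the test was flaky; a one-line comment on the test such as `// Requires a corepack-managed yarn; the fixture pins it via package.json#packageManager` would preserve it.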
+++ b/core/src/test/resources/yarn/yarn-classic-audit-bad-berry-lockfile/package.json
@@ -14,5 +14,6 @@
 "precommit": "grunt precommit"
 },
 "repository": "https://github.com/OWASP/NodejsGoat",
- "license": "Apache 2.0"
+ "license": "Apache 2.0",
+ "packageManager": "yarn@1.22.22"
 }
diff --git a/core/src/test/resources/yarn/yarn-classic-audit/package.json b/core/src/test/resources/yarn/yarn-classic-audit/package.json
index b2fc8eaf8f0..ba0bfadbfed 100644
--- a/core/src/test/resources/yarn/yarn-classic-audit/package.json
+++ b/core/src/test/resources/yarn/yarn-classic-audit/package.json
@@ -57,5 +57,6 @@
 "zaproxy": "^0.2.0"
 },
 "repository": "https://github.com/OWASP/NodejsGoat",
- "license": "Apache 2.0"
+ "license": "Apache 2.0",
+ "packageManager": "yarn@1.22.22"
 }

From ae177eb56e4a9d62a5bf067c8dc5b648882d7c16 Mon Sep 17 00:00:00 2001
From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
Date: Sun, 3 May 2026 21:02:35 +0800
Subject: [PATCH 2/2] test: correct test to use non-existent dependency

Ensure that the dependency that needs to be resolved cannot already be cached by Yarn, and thus the lockfile must be consulted; even in offline mode.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
---
 .../yarn/yarn-classic-audit-bad-berry-lockfile/package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/src/test/resources/yarn/yarn-classic-audit-bad-berry-lockfile/package.json b/core/src/test/resources/yarn/yarn-classic-audit-bad-berry-lockfile/package.json
index ccf5d0997d4..fb923d5d14d 100644
--- a/core/src/test/resources/yarn/yarn-classic-audit-bad-berry-lockfile/package.json
+++ b/core/src/test/resources/yarn/yarn-classic-audit-bad-berry-lockfile/package.json
@@ -5,7 +5,7 @@
 "description": "A tool to learn OWASP Top 10 for node.js developers",
 "main": "server.js",
 "dependencies": {
- "mime-db": "^1.52.0"
+ "does-not-exist": "file:../does-not-exist"
 },
 "scripts": {
 "start": "node server.js",
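Review bot: The added `"packageManager": "yarn@1.22.22"` pins the version but not the artifact, so corepack will run whichever tarball the registry serves for 1.22.22, with only corepack's own download checks between the test JVM and a substituted package manager. The field accepts an integrity suffix that corepack verifies before executing the package manager, and `corepack use yarn@1.22.22` writes it for you: `"packageManager": "yarn@1.22.22+sha224.<hash>"`. The same applies to the identical line added to core/src/test/resources/yarn/yarn-classic-audit/package.json in this patch, and to the bad-berry fixture after PATCH 2/2, which keeps the unhashed pin. JSON has no comment syntax, so the reason for the pin (the tests assume a corepack-managed yarn, per the commit message) belongs in a comment on YarnAuditAnalyzerIT or a README beside the fixtures.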
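Review bot: `file:../does-not-exist` resolves one directory above the fixture, into core/src/test/resources/yarn/, so the property this commit wants — a dependency that can never be satisfied from a cache — quietly disappears if anyone later adds a directory of that name there. Keeping the path inside the fixture, e.g. `"does-not-exist": "file:./does-not-exist"`, keeps the invariant local to the test data. Note too that with a `file:` specifier Yarn Classic may fail on the missing path before it ever reads the Berry-format yarn.lock; the assertion in testAnalyzePackageYarnClassicOnYarnBerryLockfile (outside this hunk) should pin the exception's message or cause so the test proves a lockfile mismatch and not merely that yarn failed.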