From 2c8ca11a7474376feeb61d862fed62f804a7d8a9 Mon Sep 17 00:00:00 2001
From: Jon Ruskin
Date: Sat, 15 Jan 2022 22:09:15 -0700
Subject: [PATCH] improve glob when finding dependency package.json suggested by ljharb as an improvement by ignoring package.json files that don't represent installed packages this also moves the dependency_paths method to the shared class to consolidate the functionality across both source versions
---
 lib/licensed/sources/yarn.rb | 16 ++++++++++++++++
 lib/licensed/sources/yarn/berry.rb | 18 +-----------------
 lib/licensed/sources/yarn/v1.rb | 16 ----------------
 test/sources/yarn/berry_test.rb | 2 +-
 4 files changed, 18 insertions(+), 34 deletions(-)
diff --git a/lib/licensed/sources/yarn.rb b/lib/licensed/sources/yarn.rb
index b94084f..86ca18f 100644
--- a/lib/licensed/sources/yarn.rb
+++ b/lib/licensed/sources/yarn.rb
@@ -23,6 +23,22 @@ module Licensed
 def yarn_version
 Gem::Version.new(Licensed::Shell.execute("yarn", "-v"))
 end
+
+ # Returns a hash that maps all dependency names to their location on disk
+ # by parsing every package.json file under node_modules.
+ def dependency_paths
+ @dependency_paths ||= Dir.glob(config.pwd.join("**/node_modules/*/package.json")).each_with_object({}) do |file, hsh|
+ begin
+ dirname = File.dirname(file)
+ json = JSON.parse(File.read(file))
+ hsh["#{json["name"]}@#{json["version"]}"] = dirname
+ rescue JSON::ParserError
+ # don't crash execution if there is a problem parsing a package.json file
+ # if the bad package.json file relates to a package that licensed should be reporting on
+ # then this will still result in an error about a missing package
+ end
+ end
+ end
 end
 end
 end
diff --git a/lib/licensed/sources/yarn/berry.rb b/lib/licensed/sources/yarn/berry.rb
index 7379e57..79c4a6f 100644
--- a/lib/licensed/sources/yarn/berry.rb
+++ b/lib/licensed/sources/yarn/berry.rb
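Review bot: The new glob `**/node_modules/*/package.json` in `dependency_paths` matches exactly one directory below `node_modules`, so scoped packages, which are installed at `node_modules/@scope/name/package.json`, are no longer indexed; the removed `node_modules/**/package.json` pattern did reach them. Going by the rescue comment, a dependency missing from this map surfaces as a missing-package error, so scoped dependencies would presumably stop resolving and drop out of the license inventory. I would pass both patterns, `Dir.glob([config.pwd.join("**/node_modules/*/package.json"), config.pwd.join("**/node_modules/@*/*/package.json")].map(&:to_s))`, and add a fixture with a scoped dependency to the yarn source tests. Separately, only `JSON::ParserError` is rescued, so a manifest that parses to a non-object (for example a top-level array) or a file that cannot be read still aborts the whole scan; rescuing `TypeError` and `SystemCallError` alongside it would keep the best-effort behaviour the comment describes.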
@@ -32,7 +32,7 @@ module Licensed mapped_packages = yarn_info.reduce({}) do |accum, package| name, _ = package["value"].rpartition("@") version = package.dig("children", "Version") - id = "#{name}-#{version}" + id = "#{name}@#{version}" accum[name] ||= [] accum[name] << { @@ -59,22 +59,6 @@ module Licensed end end - # Returns a hash that maps all dependency names to their location on disk - # by parsing every package.json file under node_modules. - def dependency_paths - @dependency_paths ||= Dir.glob(config.pwd.join("node_modules/**/package.json")).each_with_object({}) do |file, hsh| - begin - dirname = File.dirname(file) - json = JSON.parse(File.read(file)) - hsh["#{json["name"]}-#{json["version"]}"] = dirname - rescue JSON::ParserError - # don't crash execution if there is a problem parsing a package.json file - # if the bad package.json file relates to a package that licensed should be reporting on - # then this will still result in an error about a missing package - end - end - end - # Returns the output from running `yarn list` to get project dependencies def yarn_info_command args = %w(--json --manifest --recursive --all) diff --git a/lib/licensed/sources/yarn/v1.rb b/lib/licensed/sources/yarn/v1.rb index e0ba017..3062854 100644 --- a/lib/licensed/sources/yarn/v1.rb +++ b/lib/licensed/sources/yarn/v1.rb 
@@ -73,22 +73,6 @@ module Licensed result end - # Returns a hash that maps all dependency names to their location on disk - # by parsing every package.json file under node_modules. - def dependency_paths - @dependency_paths ||= Dir.glob(config.pwd.join("node_modules/**/package.json")).each_with_object({}) do |file, hsh| - begin - dirname = File.dirname(file) - json = JSON.parse(File.read(file)) - hsh["#{json["name"]}@#{json["version"]}"] = dirname - rescue JSON::ParserError - # don't crash execution if there is a problem parsing a package.json file - # if the bad package.json file relates to a package that licensed should be reporting on - # then this will still result in an error about a missing package - end - end - end - # Finds and returns the yarn package tree listing from `yarn list` output def yarn_package_tree return @yarn_package_tree if defined?(@yarn_package_tree) diff --git a/test/sources/yarn/berry_test.rb b/test/sources/yarn/berry_test.rb index d891ae9..a7ff564 100644 --- a/test/sources/yarn/berry_test.rb +++ b/test/sources/yarn/berry_test.rb @@ -84,7 +84,7 @@ if Licensed::Shell.tool_available?("yarn") graceful_fs_dependencies = source.dependencies.select { |dep| dep.name =~ /graceful-fs/ } assert_equal 2, graceful_fs_dependencies.size graceful_fs_dependencies.each do |dependency| - assert_equal "#{dependency.record["name"]}-#{dependency.version}", dependency.name + assert_equal "#{dependency.record["name"]}@#{dependency.version}", dependency.name assert dependency.exist? end end