fix: resolve yarn lock aliases to source package (#4836)

Signed-off-by: cyphercodes <cyphercodes@users.noreply.github.com>
2026-05-20 12:15:27 +02:00 · 2026-04-29 16:50:09 +03:00 · 2026-04-29 16:50:09 +03:00 · 8cb78ce40c
commit 8cb78ce40c
parent 3b046b3787
2 changed files with 20 additions and 0 deletions
--- a/syft/pkg/cataloger/javascript/parse_yarn_lock.go
+++ b/syft/pkg/cataloger/javascript/parse_yarn_lock.go
@ -25,6 +25,11 @@ import (
 )

 var (
+	// packageAliasExp matches aliased yarn dependencies and captures the
+	// underlying npm package name instead of the local alias.
+	// For example: "old-async@npm:async@0.9.2" returns "async".
+	packageAliasExp = regexp.MustCompile(`^"?(?:@\w[\w-_.]*\/)?\w[\w-_.]*@npm:((?:@\w[\w-_.]*\/)?\w[\w-_.]*)@`)
+
 	// packageNameExp matches the name of the dependency in yarn.lock
 	// including scope/namespace prefix if found.
 	// For example: "aws-sdk@2.706.0" returns "aws-sdk"
@ -305,6 +310,9 @@ func (a genericYarnLockAdapter) parseYarnLock(ctx context.Context, resolver file
 }

 func findPackageName(line string) string {
+	if matches := packageAliasExp.FindStringSubmatch(line); len(matches) >= 2 {
+		return matches[1]
+	}
 	if matches := packageNameExp.FindStringSubmatch(line); len(matches) >= 2 {
 		return matches[1]
 	}
--- a/syft/pkg/cataloger/javascript/parse_yarn_lock_test.go
+++ b/syft/pkg/cataloger/javascript/parse_yarn_lock_test.go
@ -708,6 +708,18 @@ func TestParseYarnFindPackageNames(t *testing.T) {
 			line:     `"color-convert@npm:^1.9.0":`,
 			expected: "color-convert",
 		},
+		{
+			line:     `"old-async@npm:async@0.9.2":`,
+			expected: "async",
+		},
+		{
+			line:     `"old-foo@npm:@scope/foo@1.2.3":`,
+			expected: "@scope/foo",
+		},
+		{
+			line:     `"@scope/old-foo@npm:@scope/foo@1.2.3":`,
+			expected: "@scope/foo",
+		},
 		{
 			line:     `"@npmcorp/code-frame@^7.1.0", "@npmcorp/code-frame@^7.10.4":`,
 			expected: "@npmcorp/code-frame",