fix(ci): parse quoted pnpm snapshot keys

2026-05-06 16:30:57 +00:00 · 2026-04-14 21:15:43 -04:00
parent da43277cc9
commit 4c52731051
2 changed files with 67 additions and 1 deletions
--- a/scripts/pre-commit/pnpm-audit-prod.mjs
+++ b/scripts/pre-commit/pnpm-audit-prod.mjs
@@ -170,8 +170,45 @@ function parseInlineYamlMap(rawValue) {
  return result;
 }

+function findYamlMappingSeparator(line) {
+  let quote = null;
+  let depth = 0;
+
+  for (let index = 0; index < line.length; index += 1) {
+    const character = line[index];
+    if (quote) {
+      if (character === quote) {
+        quote = null;
+      }
+      continue;
+    }
+    if (character === "'" || character === '"') {
+      quote = character;
+      continue;
+    }
+    if (character === "{" || character === "[" || character === "(") {
+      depth += 1;
+      continue;
+    }
+    if (character === "}" || character === "]" || character === ")") {
+      depth = Math.max(0, depth - 1);
+      continue;
+    }
+    if (character !== ":" || depth !== 0) {
+      continue;
+    }
+
+    const nextCharacter = line[index + 1];
+    if (nextCharacter === undefined || /\s/u.test(nextCharacter)) {
+      return index;
+    }
+  }
+
+  return -1;
+}
+
 function parseYamlMappingLine(line) {
-  const separatorIndex = line.indexOf(":");
+  const separatorIndex = findYamlMappingSeparator(line);
  if (separatorIndex === -1) {
    return null;
  }
--- a/test/scripts/pnpm-audit-prod.test.ts
+++ b/test/scripts/pnpm-audit-prod.test.ts
@@ -105,6 +105,35 @@ snapshots:
    });
  });

+  it("resolves quoted snapshot keys that contain tarball URLs", () => {
+    const lockfile = `lockfileVersion: '9.0'
+
+importers:
+  .:
+    dependencies:
+      wrapper:
+        version: 1.0.0
+
+snapshots:
+  wrapper@1.0.0:
+    dependencies:
+      libsignal: '@whiskeysockets/libsignal-node@https://codeload.github.com/whiskeysockets/libsignal-node/tar.gz/abc123'
+  '@whiskeysockets/libsignal-node@https://codeload.github.com/whiskeysockets/libsignal-node/tar.gz/abc123':
+    dependencies:
+      curve25519-js: 0.0.4
+  curve25519-js@0.0.4: {}
+`;
+
+    const payload = createBulkAdvisoryPayload(collectProdResolvedPackagesFromLockfile(lockfile));
+    expect(payload).toEqual({
+      "@whiskeysockets/libsignal-node": [
+        "https://codeload.github.com/whiskeysockets/libsignal-node/tar.gz/abc123",
+      ],
+      "curve25519-js": ["0.0.4"],
+      wrapper: ["1.0.0"],
+    });
+  });
+
  it("filters advisory findings by minimum severity", () => {
    const findings = filterFindingsBySeverity(
      {