tina-junold changed the title from "Unexpected error while analyis of yarn.lock created by bun" to "Unexpected error while analysis of yarn.lock created by bun" on Sep 28, 2023
All the YarnAuditAnalyzer does is to run yarn audit if it detects a yarn.lock. It doesn't actually parse the lock file directly.
If you have yarn available, but yarn itself cannot understand bun-created lock files, then ODC can't do much about that. If you do not have yarn available then I guess you'd expect this to fail, although maybe not as gracefully as would be useful.
FWIW, right now ODC's YarnAuditAnalyzer doesn't work with Yarn Berry (v2+) anyway (#4215 & #4894) and you get a similar error, so it may be related - especially if bun is generating yarn v2+ format lockfiles that would only work with Yarn Berry.
Describe the bug
When using bun instead of yarn to generate a lock file, the format does not match the expectations of the analyzer.
Version of dependency-check used
latest docker version, using the script in the description on docker hub
Log file
https://gist.github.com/tburschka/377fb54eaa196271fd6dda44a1944c6c
To Reproduce
Expected behavior
The analysis of the yarn.lock should not fail
Additional context
alternative: support for the bun.lockb (binary) lockfile ;-)
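The two failure conditions raised in the thread (no usable yarn binary, or a Yarn Berry format lockfile) can be checked before the scan runs. This is an added example, not code from dependency-check or from the issue's participants; the function names and sample lockfiles are constructed for illustration, and the header markers are assumed from the Yarn classic (`# yarn lockfile v1`) and Berry (`__metadata:`) lockfile formats.

```python
import re
import shutil

# Assumed markers: Yarn classic writes a "# yarn lockfile v1" comment header,
# Yarn Berry (v2+) writes a YAML document with a top-level "__metadata:" key.
CLASSIC_MARKER = re.compile(r"^# yarn lockfile v1\s*$", re.MULTILINE)
BERRY_MARKER = re.compile(r"^__metadata:\s*$", re.MULTILINE)

# Constructed sample lockfiles (not taken from the issue or its gist).
CLASSIC_SAMPLE = (
    "# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.\n"
    "# yarn lockfile v1\n\n\n"
    'left-pad@^1.3.0:\n  version "1.3.0"\n'
)
BERRY_SAMPLE = (
    "# This file is generated by running \"yarn install\" inside your project.\n\n"
    "__metadata:\n  version: 6\n\n"
    '"left-pad@npm:^1.3.0":\n  version: 1.3.0\n'
)


def classify_yarn_lock(text):
    """Return 'classic', 'berry' or 'unknown' for the contents of a yarn.lock."""
    if BERRY_MARKER.search(text):
        return "berry"
    if CLASSIC_MARKER.search(text):
        return "classic"
    return "unknown"


def preflight(text, yarn_available=None):
    """Return (ok, reason): whether running `yarn audit` on this lockfile is worth trying."""
    if yarn_available is None:
        # Default: look for a yarn executable on PATH.
        yarn_available = shutil.which("yarn") is not None
    if not yarn_available:
        return False, "yarn not found on PATH; the analyzer has nothing to run"
    kind = classify_yarn_lock(text)
    if kind == "berry":
        return False, "Yarn Berry (v2+) lockfile; reported as unsupported in #4215 and #4894"
    if kind == "unknown":
        return False, "no recognised yarn.lock header; generator may not be yarn"
    return True, "Yarn classic (v1) lockfile and yarn is available"


if __name__ == "__main__":
    for name, sample in (("classic", CLASSIC_SAMPLE), ("berry", BERRY_SAMPLE)):
        print(name, preflight(sample, yarn_available=True))
```

A failed preflight is a signal to fix the toolchain or lockfile first, so that a broken audit step is not mistaken for a clean dependency scan.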