feat: add yarn-within-range lockfile fixture (#5)#537

Open
coder-Yash886 wants to merge 4 commits into
OWASP:mainfrom
coder-Yash886:fixture/yarn-within-range

Conversation

@coder-Yash886 coder-Yash886 commented Jun 3, 2026

Contributor

Closes #528 (fixture #5)

Fixture: yarn-within-range

What this tests

Yarn equivalent of the wrong-parent scenario — when the immediate parent's
version range already covers the patched version, the scanner should emit
yarn upgrade <pkg> rather than bumping the parent.

Fixture structure

examples/yarn-within-range/
├── package.json
└── yarn.lock

Vulnerable package : js-cookie@3.0.6
Fix available at : 3.0.7
Parent range : ^3.0.5 (covers the fix — no parent bump needed)

Scan output

node dist/index.js examples/yarn-within-range --verbose

Parsed 3 packages from yarn-lock (yarn.lock)

✗ Found 1 package (1 CVE) with known OSV matches from yarn-lock

┌──────────┬──────┬────────┬─────┬─────────┐
│ Critical │ High │ Medium │ Low │ Unknown │
├──────────┼──────┼────────┼─────┼─────────┤
│ 0 │ 1 │ 0 │ 0 │ 0 │
└──────────┴──────┴────────┴─────┴─────────┘

Quick take

  • 0 vulnerable packages look directly fixable in this project.
  • 1 issue come through other dependencies.
  • 1 CVE matched overall.
  • 1 package include a fixed-version hint from OSV.

🛠 Fix Commands
Detected package manager: yarn (yarn.lock)

High severity parent updates within range
┌───────────┬─────────┬────────────────────┬───────┬──────────────────────────────────┐
│ Package │ Current │ Recommended target │ Usage │ Context │
├───────────┼─────────┼────────────────────┼───────┼──────────────────────────────────┤
│ js-cookie │ 3.0.6 │ lockfile refresh │ n/a │ js-cookie@3.0.6 can be refreshed │
│ │ │ │ │ to 3.0.8+ — no parent upgrade │
│ │ │ │ │ needed. │
└───────────┴─────────┴────────────────────┴───────┴──────────────────────────────────┘

yarn upgrade js-cookie

┌───────────┬─────────┬──────────┬────────────┬───────┬───────┬─────────────────────┐
│ Package │ Version │ Severity │ Type │ Usage │ Fixed │ IDs │
├───────────┼─────────┼──────────┼────────────┼───────┼───────┼─────────────────────┤
│ js-cookie │ 3.0.6 │ high │ transitive │ n/a │ 3.0.7 │
└───────────┴─────────┴──────────┴────────────┴───────┴───────┴─────────────────────┘

Verification

  • ✅ Scanner correctly detects js-cookie@3.0.6 as vulnerable
  • ✅ Emits yarn upgrade js-cookie — not a parent bump
  • ✅ Category shown as "parent updates within range" — correct path fired
  • ✅ "no parent upgrade needed" confirmed in context column
  • ✅ Package manager auto-detected as yarn (yarn.lock)

coder-Yash886 commented Jun 3, 2026

Contributor Author

@sonukapoor please review the PR when you have free time

While working on this fixture I also made some improvements
to the yarn-lock parser (src/parsers/yarn-lock.ts) and added related tests.
Should I include these changes in this PR or open a separate one?

@sonukapoor sonukapoor left a comment

Collaborator

The fixture itself is exactly right — same aws-amplify → @aws-amplify/core → js-cookie chain as wrong-parent, Yarn edition. Scan output confirms yarn upgrade js-cookie fires correctly, no wrong parent bump. Five green verification points — well done.

One issue before this can merge: the PR includes changes from your --create-pr branch (src/cli/args.ts, src/index.ts, src/utils/create-pr.ts, related tests) which belong to PR #518, which still has open change requests. This branch was cut from your feature branch rather than main.

Please rebase against main to isolate the fixture — the examples/yarn-within-range/ files and the examples/readme.md update are all that should be here. Once rebased, this is ready to merge.

@coder-Yash886 coder-Yash886 force-pushed the fixture/yarn-within-range branch 2 times, most recently from 754d5c9 to 0bf7323 on June 3, 2026 13:25
@coder-Yash886

Contributor Author

@sonukapoor please review the PR when you have free time

@sonukapoor

Collaborator

The fixture itself is correctly constructed — the dependency chain (aws-amplify → @aws-amplify/core → js-cookie@3.0.6) is right and the vulnerability is real. However the scanner currently produces no fix command for this fixture because the Yarn Classic parser outputs flat paths (["project", "js-cookie"]) rather than reconstructing the transitive chain (["project", "aws-amplify", "@aws-amplify/core", "js-cookie"]). Without the correct path, the within-range resolver can't find @aws-amplify/core's ^3.0.5 range to suggest yarn upgrade js-cookie.

This is tracked as issue #421 — improving Yarn parser path reconstruction. The createNpmLockGraphFromYarnLock implementation you added in PR #518 is actually the fix for #421. Would you be willing to extract that work from #518 into its own PR against #421? Once that lands, this fixture will work correctly and can merge.

@coder-Yash886

Contributor Author

@sonukapoor please review the PR when you have free time

@sonukapoor

Collaborator

Thanks for the fixture @coder-Yash886 - the lockfile and dependency chain are correctly constructed.

I tested this against the current build and the scanner shows js-cookie@3.0.6 with a (skipped) indicator rather than generating yarn upgrade js-cookie. This is because the Yarn Classic parser currently outputs flat paths (["project", "js-cookie"]) rather than the full transitive chain (["project", "aws-amplify", "@aws-amplify/core", "js-cookie"]). Without the correct path, the within-range resolver can't identify that @aws-amplify/core's ^3.0.5 range already covers the fix.

This is tracked in issue #421. Would you be interested in opening a PR for #421 to fix the Yarn parser path reconstruction? Once that lands, this fixture will produce the correct yarn upgrade js-cookie output and can merge. The pnpm fix in #335 is a good reference for the approach.
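The within-range decision described in the PR body, and the path-reconstruction point raised in the review comments above, as one added example (not the project's code; the function names, and the `^6.0.0` ranges on aws-amplify and @aws-amplify/core, are assumptions; only the js-cookie `^3.0.5` range comes from the fixture):

```typescript
// Added example (not the project's code): a model of the within-range decision.
// Walk a small dependency graph, constructed here to mirror the fixture's chain,
// from the project root to the vulnerable package, read the immediate parent's
// declared range, and emit `yarn upgrade <pkg>` only if it covers the fix.
type Semver = [number, number, number];
type DepGraph = Record<string, Record<string, string>>; // parent -> dep -> range
const FIXTURE_GRAPH: DepGraph = {
  project: { 'aws-amplify': '^6.0.0' },             // range assumed
  'aws-amplify': { '@aws-amplify/core': '^6.0.0' }, // range assumed
  '@aws-amplify/core': { 'js-cookie': '^3.0.5' },   // range from the fixture
};

function parseVersion(v: string): Semver {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [+m[1], +m[2], +m[3]];
}
// Order-preserving key for x.y.z comparison (components assumed < 1000).
const key = (v: Semver): number => v[0] * 1e6 + v[1] * 1e3 + v[2];

// Caret semantics: the left-most non-zero component may not change. Only
// caret ranges are handled; anything else is conservatively "not covered".
function satisfiesCaret(range: string, version: string): boolean {
  if (!range.startsWith('^')) return false;
  const base = parseVersion(range.slice(1));
  const [maj, min, pat] = base;
  const upper: Semver = maj > 0 ? [maj + 1, 0, 0] : min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
  const v = key(parseVersion(version));
  return v >= key(base) && v < key(upper);
}

// Depth-first search from `from` to `target`; returns the full chain or null.
function findPath(g: DepGraph, from: string, target: string, seen = new Set<string>()): string[] | null {
  if (from === target) return [from];
  if (seen.has(from)) return null;
  seen.add(from);
  for (const dep of Object.keys(g[from] ?? {})) {
    const rest = findPath(g, dep, target, seen);
    if (rest) return [from, ...rest];
  }
  return null;
}

function recommendFix(g: DepGraph, pkg: string, fixedVersion: string): string {
  const path = findPath(g, 'project', pkg);
  if (!path || path.length < 2) return `(skipped) no dependency path to ${pkg}`;
  const parent = path[path.length - 2];
  return satisfiesCaret(g[parent][pkg], fixedVersion)
    ? `yarn upgrade ${pkg}` : `bump ${parent} so its range for ${pkg} includes ${fixedVersion}`;
}
```

With the flat path `["project", "js-cookie"]` the parent lookup lands on `project`, which has no range for js-cookie, so the within-range branch can never fire; the full chain is what makes `@aws-amplify/core`'s `^3.0.5` visible.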

@sonukapoor

Collaborator

PR #576 (Yarn path reconstruction fix for #421) has just merged into main. Could you rebase this branch against main? Once rebased, examples/yarn-within-range should produce yarn upgrade js-cookie as expected and this is ready to merge.

@coder-Yash886 coder-Yash886 force-pushed the fixture/yarn-within-range branch from 57da84d to a64ab9b on June 8, 2026 13:23
@coder-Yash886

Contributor Author

@sonukapoor Please review the PR

@sonukapoor

Collaborator

Please join our slack channel https://owasp.slack.com/archives/C0B0T4BH2MR/p1780661811942929

@coder-Yash886

coder-Yash886 commented Jun 9, 2026 via email
