PNPM analyses

[ivanmjartan]

Hello guys I am trying to run fossa scan on our public repository and I am preforming scan only on top of pnpm-lock.yaml file. We are using RUSH as monorep tool.

So I have setting in my repo .fosss.yml

Problem is that part of my monorepo is also tooling library and tooling dependency occurred in attribution file.

Is there way how to exclude some packages from scan if I am performing scan only on top of pnpm lock file ?

for example in my lock file is this tool package https://github.com/gooddata/gooddata-ui-sdk/blob/master/common/config/rush/pnpm-lock.yaml#L5893C3-L5893C22

How can I set it into .fossa.yml

this part of code is not working and scan contain still all dep from pnpm-lock.yaml

version: 3
project:
  id: gooddata-ui-sdk

telemetry:
  scope: 'off'

targets:
  only:
    - type: pnpm
      path: common/config/rush
  exclude:
    - type: bundler
      path: ../../tools/applink # or tools/applink etc ...

Thanks very much for hints

[github-actions]

Thank you @ivanmjartan for creating this issue. If this is in regards to a defect, product question or feature request: you should use our support portal at https://support.fossa.com to file a request, as you would receive more immediate support.

[ryanlink]

Hi @ivanmjartan - did you get support for this? Using targets.only should negate the need for targets.exclude.

The current implementation for lock file scanning (such as with pnpm) does not allow you to filter out a subset of dependencies. The exclusion rules work more naturally when you’re excluding entire directories or files that are scanned separately rather than elements parsed from a consolidated lock file.

You can always remove the dependency from the project in the FOSSA UI: https://docs.fossa.com/docs/editing-a-dependency