
[SCA] yarn.lock parser fails on optional dependencies with patch protocol #11710

@cursor

Description

Problem

Supply Chain scans fail to parse valid yarn.lock entries using Yarn's patch protocol when they use optional dependency syntax. This results in reporting 0 dependencies for the NPM ecosystem.

Error Message

Failed to parse yarn.lock at 39339:1 - expected one of ['"", 'EOF']

Example Failing Entry

? "resolve@patch:resolve@npm%3A>=1.9.0#optional!builtin<compat/resolve>,
  resolve@patch:resolve@npm%3A^1.1.5#optional!builtin<compat/resolve>,
  ..."

Root Cause

The yarn.lock parser does not handle:

  1. Optional dependency syntax: ? "package@version"
  2. URL-encoded npm prefix: npm%3A (equivalent to npm:)
  3. Multi-line comma-separated patch protocol entries

Solution

Files to modify:

  • cli/src/semdep/parsers/yarn.py
  • cli/tests/default/e2e-other/parsers/test_yarn.py

Changes needed:

  1. Support optional dependency prefix in both Yarn v1 and v2/3 parsers
  2. Handle URL-encoded npm%3A in remove_npm_prefix function
  3. Add comprehensive tests for optional dependencies with patch protocol
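The three parser gaps listed under Root Cause, handled together in one small key parser. This is an added example written for this page, not semgrep's own `yarn.py` code; `SAMPLE_KEY` is a constructed lockfile key modelled on the failing entry above, and `remove_npm_prefix` / `parse_yarn_key` are illustrative names, not the project's functions.

```python
from urllib.parse import unquote

# Constructed sample: a Yarn v2/v3 lockfile entry key with the optional
# marker ("? "), a multi-line comma-separated list of patch-protocol
# locators, and a URL-encoded npm prefix (npm%3A instead of npm:).
SAMPLE_KEY = '''? "resolve@patch:resolve@npm%3A>=1.9.0#optional!builtin<compat/resolve>,
  resolve@patch:resolve@npm%3A^1.1.5#optional!builtin<compat/resolve>,
  resolve@patch:resolve@npm%3A1.17.0#optional!builtin<compat/resolve>"'''


def remove_npm_prefix(spec: str) -> str:
    """Strip a leading 'npm:' prefix whether it is literal or URL-encoded."""
    decoded = unquote(spec)  # 'npm%3A^1.1.5' -> 'npm:^1.1.5'
    return decoded[len("npm:"):] if decoded.startswith("npm:") else decoded


def parse_yarn_key(key: str) -> tuple[bool, list[tuple[str, str]]]:
    """Parse one entry key into (is_optional, [(package, version_range), ...]).

    Handles the leading '? ' optional marker, a quoted key spanning several
    lines, comma-separated alternative locators, and the patch protocol
    wrapper 'pkg@patch:pkg@npm%3A<range>#<patch-source>'.
    """
    text = key.strip()
    optional = text.startswith("?")
    if optional:
        text = text[1:].strip()
    if text.startswith('"') and text.endswith('"'):
        text = text[1:-1]
    deps: list[tuple[str, str]] = []
    for alt in (a.strip() for a in text.split(",") if a.strip()):
        # Split name from descriptor on the first '@' after position 0 so
        # scoped packages (@scope/name) keep their leading '@'.
        at = alt.index("@", 1)
        name, descriptor = alt[:at], alt[at + 1:]
        if descriptor.startswith("patch:"):
            # patch:<inner-locator>#<patch-source>: the inner locator carries
            # the real version range; everything after '#' is the patch source.
            inner = descriptor[len("patch:"):].split("#", 1)[0]
            descriptor = inner[inner.index("@", 1) + 1:]
        deps.append((name, remove_npm_prefix(descriptor)))
    return optional, deps
```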

Testing

A complete patch with fix and tests is available in branch cursor/fix-yarn-patch-protocol-parsing-8907. The patch:

  • ✅ Passes all 26 existing yarn parser tests
  • ✅ Adds 2 new tests for optional dependency scenarios
  • ✅ Successfully parses the failing entry from customer reports

Links

Impact: This affects paid customers running Supply Chain scans on Yarn-based projects that use patch protocol.
