fix: Preserve file: protocol entries in pruned yarn v1 lockfile (#12064)

## Summary

- Fixes `turbo prune` dropping `file:` protocol dependencies from the
pruned `yarn.lock`, causing `yarn install --frozen-lockfile` to fail on
pruned output
- Adds a `yarn1-file-dep` check-lockfiles fixture that reproduces the
bug

## Problem

Yarn v1 creates lockfile entries for `file:` protocol dependencies (e.g.
`"@repo/eslint-config@file:./packages/eslint-config"`). During pruning,
the dependency splitter correctly classifies these as internal workspace
dependencies — but that means they never get added to the set of
lockfile keys passed to `Yarn1Lockfile::subgraph()`. The pruned lockfile
is then missing these entries entirely, which breaks frozen installs.

## Fix

`Yarn1Lockfile::subgraph` now scans the original lockfile for `file:`
protocol entries whose paths match included workspace packages, and
includes them in the pruned output. This is scoped to `subgraph` rather
than changing the dependency splitter because the classification as
"internal" is correct for the package graph — it's only the lockfile
serialization that needs the extra entries.

## Testing

To verify the fix manually on the new fixture:

```sh
cargo build --bin turbo
cd lockfile-tests/fixtures/yarn1-file-dep
git init && git add . && git commit -m init
turbo prune web
grep "file:" out/yarn.lock  # should show the @repo/eslint-config entry
cd out && yarn install --frozen-lockfile --ignore-scripts  # should succeed
```

Closes #4105

Author: anthonyshew

crates/turborepo-lockfiles/src/yarn1/mod.rs

@@ -94,7 +94,7 @@ impl Lockfile for Yarn1Lockfile {
 
     fn subgraph(
         &self,
-        _workspace_packages: &[String],
+        workspace_packages: &[String],
         packages: &[String],
     ) -> Result<Box<dyn Lockfile>, super::Error> {
         let mut inner = Map::new();
@@ -106,6 +106,23 @@ impl Lockfile for Yarn1Lockfile {
             inner.insert(key.clone(), entry.clone());
         }
 
+        // Yarn v1 creates lockfile entries for `file:` protocol dependencies
+        // that point to workspace packages. These are classified as internal
+        // by the dependency splitter and therefore not included in `packages`,
+        // but they must be present in the pruned lockfile for
+        // `yarn install --frozen-lockfile` to succeed.
+        for (key, entry) in &self.inner {
+            if let Some(file_path) = extract_file_path(key) {
+                let normalized = file_path.strip_prefix("./").unwrap_or(file_path);
+                if workspace_packages
+                    .iter()
+                    .any(|wp| normalized == wp || normalized.ends_with(&format!("/{wp}")))
+                {
+                    inner.insert(key.clone(), entry.clone());
+                }
+            }
+        }
+
         Ok(Box::new(Self { inner }))
     }
 
@@ -158,6 +175,17 @@ impl Entry {
 
 const PROTOCOLS: &[&str] = ["", "npm:", "file:", "workspace:", "yarn:"].as_slice();
 
+/// Extracts the file path from a yarn1 lockfile key like
+/// `@scope/pkg@file:./packages/foo`. Returns `None` if the key doesn't use
+/// the `file:` protocol.
+fn extract_file_path(key: &str) -> Option<&str> {
+    // Keys look like `name@file:path` or `name@npm:version`.
+    // The name may be scoped (`@scope/pkg@file:path`) so we find `@file:`
+    // anywhere after the first character.
+    let idx = key[1..].find("@file:")? + 1;
+    Some(&key[idx + "@file:".len()..])
+}
+
 fn possible_keys<'a>(name: &'a str, version: &'a str) -> impl Iterator<Item = String> + 'a {
     PROTOCOLS
         .iter()
@@ -169,6 +197,64 @@ fn possible_keys<'a>(name: &'a str, version: &'a str) -> impl Iterator<Item = St
 mod test {
     use super::*;
 
+    #[test]
+    fn test_extract_file_path() {
+        assert_eq!(
+            extract_file_path("@hardfin/eslint-config@file:./packages/eslint-config"),
+            Some("./packages/eslint-config")
+        );
+        assert_eq!(
+            extract_file_path("my-pkg@file:packages/foo"),
+            Some("packages/foo")
+        );
+        assert_eq!(extract_file_path("lodash@^4.17.21"), None);
+        assert_eq!(extract_file_path("@scope/pkg@npm:1.0.0"), None);
+    }
+
+    #[test]
+    fn test_subgraph_includes_file_deps_for_workspaces() {
+        // Reproduces https://github.com/vercel/turborepo/issues/4105
+        // file: dependencies pointing to workspace packages must appear in
+        // the pruned lockfile even though they are classified as internal.
+        let lockfile_content = r#"# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+"@repo/eslint-config@file:./packages/eslint-config":
+  version "0.0.0"
+  dependencies:
+    eslint-config-prettier "8.6.0"
+
+eslint-config-prettier@8.6.0:
+  version "8.6.0"
+  resolved "https://registry.yarnpkg.com/eslint-config-prettier/-/eslint-config-prettier-8.6.0.tgz"
+  integrity sha512-abc
+
+is-odd@^3.0.1:
+  version "3.0.1"
+  resolved "https://registry.yarnpkg.com/is-odd/-/is-odd-3.0.1.tgz"
+  integrity sha512-def
+"#;
+        let lockfile = Yarn1Lockfile::from_str(lockfile_content).unwrap();
+
+        // The transitive closure only contains the normal package — the file:
+        // dep was classified as internal so it won't be in `packages`.
+        let packages = vec!["is-odd@^3.0.1".to_string()];
+        let workspace_packages = vec!["packages/eslint-config".to_string()];
+
+        let pruned = lockfile.subgraph(&workspace_packages, &packages).unwrap();
+        let encoded = String::from_utf8(pruned.encode().unwrap()).unwrap();
+
+        assert!(
+            encoded.contains("@repo/eslint-config@file:./packages/eslint-config"),
+            "pruned lockfile must include file: entry for workspace package"
+        );
+        assert!(
+            encoded.contains("is-odd@^3.0.1"),
+            "pruned lockfile must include normal packages"
+        );
+    }
+
     #[test]
     fn test_turbo_version_rejects_non_semver() {
         // Malicious version strings that could be used for RCE via npx should be

lockfile-tests/check-lockfiles.ts

@@ -64,7 +64,7 @@ function parseArgs(): CliArgs {
       args.fixture = next;
       i++;
     } else if (arg === "--pm" && next) {
-      const valid: PackageManagerType[] = ["npm", "pnpm", "yarn-berry", "bun"];
+      const valid: PackageManagerType[] = ["npm", "pnpm", "yarn", "yarn-berry", "bun"];
       if (!valid.includes(next as PackageManagerType)) {
         console.error(
           `Invalid --pm: ${next}. Must be one of: ${valid.join(", ")}`

lockfile-tests/fixtures/yarn1-file-dep/apps/web/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "web",
+  "version": "1.0.0",
+  "private": true,
+  "dependencies": {
+    "@repo/eslint-config": "*",
+    "is-odd": "^3.0.1"
+  }
+}

lockfile-tests/fixtures/yarn1-file-dep/meta.json

@@ -0,0 +1,6 @@
+{
+  "packageManager": "yarn",
+  "packageManagerVersion": "yarn@1.22.22",
+  "lockfileName": "yarn.lock",
+  "frozenInstallCommand": ["yarn", "install", "--frozen-lockfile", "--ignore-scripts"]
+}

lockfile-tests/fixtures/yarn1-file-dep/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "yarn1-file-dep",
+  "private": true,
+  "workspaces": [
+    "apps/*",
+    "packages/*"
+  ],
+  "packageManager": "yarn@1.22.22",
+  "dependencies": {
+    "@repo/eslint-config": "file:./packages/eslint-config"
+  }
+}

lockfile-tests/fixtures/yarn1-file-dep/packages/eslint-config/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "@repo/eslint-config",
+  "version": "0.0.0",
+  "private": true,
+  "dependencies": {
+    "is-number": "^7.0.0"
+  }
+}

lockfile-tests/fixtures/yarn1-file-dep/turbo.json

@@ -0,0 +1 @@
+{ "tasks": { "build": {} } }

lockfile-tests/fixtures/yarn1-file-dep/yarn.lock

@@ -0,0 +1,25 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+"@repo/eslint-config@file:./packages/eslint-config":
+  version "0.0.0"
+  dependencies:
+    is-number "^7.0.0"
+
+is-number@^6.0.0:
+  version "6.0.0"
+  resolved "https://registry.yarnpkg.com/is-number/-/is-number-6.0.0.tgz#e6d15ad31fc262887cccf217ae5f9316f81b1995"
+  integrity sha512-Wu1VHeILBK8KAWJUAiSZQX94GmOE45Rg6/538fKwiloUu21KncEkYGPqob2oSZ5mUT73vLGrHQjKw3KMPwfDzg==
+
+is-number@^7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/is-number/-/is-number-7.0.0.tgz#7535345b896734d5f80c4d06c50955527a14f12b"
+  integrity sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==
+
+is-odd@^3.0.1:
+  version "3.0.1"
+  resolved "https://registry.yarnpkg.com/is-odd/-/is-odd-3.0.1.tgz#65101baf3727d728b66fa62f50cda7f2d3989601"
+  integrity sha512-CQpnWPrDwmP1+SMHXZhtLtJv90yiyVfluGsX5iNCVkrhQtU3TQHsUWPG9wkdk9Lgd5yNpAg9jQEo90CBaXgWMA==
+  dependencies:
+    is-number "^6.0.0"

lockfile-tests/types.ts

@@ -1,4 +1,4 @@
-export type PackageManagerType = "npm" | "pnpm" | "yarn-berry" | "bun";
+export type PackageManagerType = "npm" | "pnpm" | "yarn" | "yarn-berry" | "bun";
 
 export interface TestCase {
   fixture: {