fix(ci): update IOC scanner to use pnpm-lock.yaml instead of yarn.lock

Also fix remaining yarn→pnpm references in e2e start script,
and add @octokit/types as direct api devDependency (was only
resolved via hoisting, broke CI's stricter resolution).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JeromeBu

api/package.json

@@ -44,6 +44,7 @@
     "keywords": [],
     "homepage": "https://github.com/codegouvfr/sill",
     "devDependencies": {
+        "@octokit/types": "^16.0.0",
         "@types/compression": "^1.7.2",
         "@types/cookie-parser": "^1.4.9",
         "@types/cors": "^2.8.12",
@@ -67,8 +68,8 @@
         "run-exclusive": "^2.2.19",
         "superjson": "^1.12.2",
         "ts-node": "^10.9.1",
-        "typescript": "^5.7.3",
         "tsx": "^4.19.0",
+        "typescript": "^5.7.3",
         "vitest": "^1.2.2"
     },
     "dependencies": {

e2e/scripts/start-e2e.ts

@@ -160,7 +160,7 @@ const main = async () => {
 
     console.log("Starting containers and building API in parallel...");
 
-    const apiBuildPromise = execCommand("yarn", ["build"], { cwd: API_DIR });
+    const apiBuildPromise = execCommand("pnpm", ["build"], { cwd: API_DIR });
 
     const pgPromise = new PostgreSqlContainer("postgres:16-alpine").start();
 
@@ -202,7 +202,7 @@ const main = async () => {
 
     try {
         console.log("Running migrations...");
-        await execCommand("yarn", ["migrate", "latest"], { cwd: API_DIR, env: apiEnv });
+        await execCommand("pnpm", ["migrate", "latest"], { cwd: API_DIR, env: apiEnv });
 
         console.log("Seeding database...");
         await execCommand("node", ["dist/scripts/seed.js"], { cwd: API_DIR, env: apiEnv });

pnpm-lock.yaml

@@ -1,16 +1,16 @@
 #!/usr/bin/env node
 
 /**
- * Shai-Hulud 2.0 IOC Scanner for Yarn projects
- * Scans package.json and yarn.lock against DataDog's consolidated IOC list
+ * Shai-Hulud 2.0 IOC Scanner
+ * Scans package.json and pnpm-lock.yaml against DataDog's consolidated IOC list
  */
 
 const fs = require("fs");
 const path = require("path");
 
 const IOC_FILE = "iocs.csv";
 const PACKAGE_JSON_PATHS = ["package.json", "api/package.json", "web/package.json"];
-const YARN_LOCK_PATH = "yarn.lock";
+const PNPM_LOCK_PATH = "pnpm-lock.yaml";
 
 /**
  * Parse IOC CSV file
@@ -63,10 +63,11 @@ function extractDependencies(packageJsonPath) {
 }
 
 /**
- * Parse yarn.lock to get resolved versions
- * Simplified parser - extracts package@version pairs
+ * Parse pnpm-lock.yaml to get resolved versions
+ * Extracts package@version pairs from the packages: section
+ * Format: '  @scope/name@1.2.3:' or '  name@1.2.3:'
  */
-function parseYarnLock(lockPath) {
+function parsePnpmLock(lockPath) {
     if (!fs.existsSync(lockPath)) {
         console.error(`ERROR: ${lockPath} not found`);
         process.exit(1);
@@ -76,31 +77,26 @@ function parseYarnLock(lockPath) {
     const lines = content.split("\n");
     const packages = [];
 
-    let currentPackage = null;
-    let currentVersion = null;
+    let inPackagesSection = false;
 
     for (const line of lines) {
-        // Package declaration line (e.g., "package-name@^1.0.0:")
-        if (line.match(/^[^ ].*:$/)) {
-            const pkgLine = line.slice(0, -1); // Remove trailing :
-            // Extract package name (before @)
-            const atIndex = pkgLine.lastIndexOf("@");
-            if (atIndex > 0) {
-                currentPackage = pkgLine.substring(0, atIndex);
-            }
+        if (line === "packages:") {
+            inPackagesSection = true;
+            continue;
         }
-        // Version line (e.g., "  version "1.2.3"")
-        else if (line.trim().startsWith('version "')) {
-            const versionMatch = line.match(/version "([^"]+)"/);
-            if (versionMatch && currentPackage) {
-                currentVersion = versionMatch[1];
-                packages.push({
-                    name: currentPackage,
-                    version: currentVersion
-                });
-                currentPackage = null;
-                currentVersion = null;
-            }
+
+        if (inPackagesSection && line.length > 0 && !line.startsWith(" ")) {
+            break;
+        }
+
+        if (!inPackagesSection) continue;
+
+        const match = line.match(/^\s{2}'?(@?[^@']+)@([^':]+)'?:/);
+        if (match) {
+            packages.push({
+                name: match[1],
+                version: match[2]
+            });
         }
     }
 
@@ -153,9 +149,9 @@ function scanDependencies() {
         }
     }
 
-    // Parse yarn.lock for resolved versions
-    const resolvedDeps = parseYarnLock(YARN_LOCK_PATH);
-    console.log(`✓ Scanned ${YARN_LOCK_PATH}: ${resolvedDeps.length} resolved packages\n`);
+    // Parse pnpm-lock.yaml for resolved versions
+    const resolvedDeps = parsePnpmLock(PNPM_LOCK_PATH);
+    console.log(`✓ Scanned ${PNPM_LOCK_PATH}: ${resolvedDeps.length} resolved packages\n`);
 
     // Check for matches
     const matches = [];
@@ -167,7 +163,7 @@ function scanDependencies() {
                 matches.push({
                     package: pkg.name,
                     version: pkg.version,
-                    source: "yarn.lock",
+                    source: "pnpm-lock.yaml",
                     ioc: ioc
                 });
             }