Error in npm sonar-scanner with pnpm catalog (sonarjs/S6957)

I’m running a code analysis with npm sonar-scanner command in a bitbucket pipeline script over a react typescript monorepo.

Since a couple of days I started having an error without any infrastructure change.

Node version: 22.14
sonarqube-scanner@4.3.4

This is the bitbucket-pipelines.yml snippet that calls sonar-scanner:

- export SONAR_TSCONFIG_PATHS=$(find apps/*/tsconfig.json packages/*/tsconfig.json 2>/dev/null | paste -sd,)

- >
  pnpm --dir . exec sonar-scanner
  -Dsonar.projectBaseDir=.
  -Dsonar.sources=$SONAR_SOURCES
  -Dsonar.tests=$SONAR_SOURCES
  -Dsonar.typescript.tsconfigPaths=$SONAR_TSCONFIG_PATHS
  -Dsonar.qualitygate.wait=true

This is the error:

16:52:33.168 INFO  Plugin version: [11.8.0.37897]
16:52:37.479 ERROR TypeError: Error while loading rule 'sonarjs/S6957': Invalid comparator: catalog:frontend
16:52:37.480 ERROR Occurred while linting /opt/atlassian/pipelines/agent/build/packages/icons/src/types.ts
16:52:37.480 ERROR     at e.parse (/opt/atlassian/pipelines/agent/build/.scannerwork/.sonartmp/bridge-bundle/package/bin/server.cjs:722:52732)
16:52:37.480 ERROR     at new e (/opt/atlassian/pipelines/agent/build/.scannerwork/.sonartmp/bridge-bundle/package/bin/server.cjs:722:52525)
16:52:37.480 ERROR     at /opt/atlassian/pipelines/agent/build/.scannerwork/.sonartmp/bridge-bundle/package/bin/server.cjs:722:48601
16:52:37.480 ERROR     at Array.map (<anonymous>)
16:52:37.480 ERROR     at e.parseRange (/opt/atlassian/pipelines/agent/build/.scannerwork/.sonartmp/bridge-bundle/package/bin/server.cjs:722:48594)
16:52:37.480 ERROR     at /opt/atlassian/pipelines/agent/build/.scannerwork/.sonartmp/bridge-bundle/package/bin/server.cjs:722:47264
16:52:37.480 ERROR     at Array.map (<anonymous>)
16:52:37.480 ERROR     at new e (/opt/atlassian/pipelines/agent/build/.scannerwork/.sonartmp/bridge-bundle/package/bin/server.cjs:722:47252)
16:52:37.480 ERROR     at lTu (/opt/atlassian/pipelines/agent/build/.scannerwork/.sonartmp/bridge-bundle/package/bin/server.cjs:722:54886)
16:52:37.480 ERROR     at e$t (/opt/atlassian/pipelines/agent/build/.scannerwork/.sonartmp/bridge-bundle/package/bin/server.cjs:2302:43215)
16:52:38.380 INFO  Found 4 tsconfig.json file(s): [/opt/atlassian/pipelines/agent/build/tooling/vitest/tsconfig.json, /opt/atlassian/pipelines/agent/build/tooling/prettier/tsconfig.json, /opt/atlassian/pipelines/agent/build/packages/icons/tsconfig.json, /opt/atlassian/pipelines/agent/build/apps/docs/tsconfig.json]
16:52:38.381 INFO  6 source files to be analyzed

From what I could see, the plugin version changed. Before it was using version 11.7.0.36965 and we did not have any errors. Now with version 11.8.0.37897 we have the issue.

Also checked the Quality profiles for our project in sonarcloud.io to see if there were any new sonar profile rules added and there was only one added on 26.Jan.2026 (“Function references should not be passed directly to iterator methods“) which is not related with ‘sonarjs/S6957’ that is referenced in the error log.

It seems to have something to do with pnpm workspace catalogs. If we change all package.json files of the monorepo to use the concrete versions (instead of catalog) we do not get the error. Anyhow, we are using catalogs for months now and we did not have this issue with sonar scanner.

Any ideas?

Thanks in advance.

Hi @riddleit,

this seems to come from semver (here), which we use to know the user’s version of react.

We don’t correctly support pnpm, so that’s indeed the reason. Can you share your package.json contents?

This should be fixable by using a semver string for react in your package.json dependencies field.

I created a ticket to not fail the analysis if semver throws.

Thanks

Hi,

thanks for your quick reply.

I our package json we depend not only on react but also other dependencies. Since we have a turbo monorepo structure, we have several package.json files and to avoid repeating the dependencies version everywhere, we use catalogs in our pnpm-workspace.yaml file.

Here is a snippet of one or the package.json file:

  "devDependencies": {
    "@types/node": "catalog:types",
    "@typescript/native-preview": "catalog:dev",
    "@vitest/coverage-v8": "catalog:test",
    "@vitest/ui": "catalog:test",
    "bumpp": "catalog:dev",
    "nyc": "catalog:test",
    "oxlint": "catalog:lint",
    "prettier": "catalog:lint",
    "taze": "catalog:dev",
    "turbo": "catalog:dev",
    "typescript": "catalog:dev",
    "vitest": "catalog:test"
  },

And a snippet of our pnpm-workspace.yaml file:

catalogs:
  dev:
    '@typescript/native-preview': ^7.0.0-dev.20250925.1
    '@vitejs/plugin-react': ^5.0.3
    taze: ^19.7.0
    tsx: ^4.20.6
    turbo: ^2.5.8
    typescript: ^5.9.2
    vite: ^7.1.11
  frontend:
    react: ^19.1.1
    react-dom: ^19.1.1
  lint:
    '@prettier/plugin-oxc': ^0.0.4
    oxlint: ^1.18.0
    prettier: ^3.6.2
  test:
    '@vitest/coverage-v8': ^3.2.4
    '@vitest/ui': ^3.2.4
    jsdom: ^27.0.0
    nyc: ^17.1.0
    vitest: ^3.2.4
  types:
    '@types/node': ^22.18.6
    '@types/react': ^19.1.13
    '@types/react-dom': ^19.1.9

We really wanted to avoid search/replace in all our package.json files just before running sonar-scanner.

Hi @riddleit,

should be fixed in sonar cloud in about 1 month. Until then I’m afraid the only way to avoid that error is to use a semver compatible string (only for react should be enough).

Cheers

Hi Victor Diez,

Thanks for your support and for the expected timeframe.

Cheers.