Inedo / pgscan

Dependency scanner for ProGet.
MIT License

Support for npm lockfileVersion 3 #33

Closed crotondo-dap closed 1 year ago

crotondo-dap commented 1 year ago

Hi,

We noticed that pgscan isn't showing any dependencies for one of our npm projects. After debugging into it and comparing it with other npm projects, we noticed that there is a difference in the lockfileVersion of the package-lock.json files. The "problem project" has lockfileVersion 3 while the others have lockfileVersion 2. pgscan tries to read the dependencies from the property "dependencies", which is a legacy property from lockfileVersion 1. lockfileVersion 2 was backward compatible, but lockfileVersion 3 (used by npm v9) is not. The newest package-lock.json no longer has the property "dependencies" and all dependencies are part of the "packages" property. Here is the official documentation about it: https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json/#lockfileversion

Have you already noticed this breaking change in the package-lock.json files? Supporting lockfileVersion 3 would be very useful.
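As an added example (not pgscan's own code) of the format difference described in the report: a small reader that takes the flat "packages" map when present (lockfileVersion 2 and 3) and only falls back to the legacy nested "dependencies" tree for lockfileVersion 1. The two sample lockfiles are constructed and trimmed to the fields that matter here.

```javascript
// Added example, not pgscan code: list the installed packages from a
// package-lock.json regardless of lockfileVersion.
//   v1:    nested "dependencies" tree keyed by package name
//   v2:    both "packages" and the legacy "dependencies" tree
//   v3:    only the flat "packages" map keyed by install path
const NM = "node_modules/";

function collectFromPackages(packages) {
  const deps = new Map();
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || entry.link) continue; // root project / workspace symlink
    // Name is whatever follows the last "node_modules/", which handles nested
    // installs ("node_modules/a/node_modules/b") and scoped names ("@s/n").
    const idx = path.lastIndexOf(NM);
    const name = idx === -1 ? path : path.slice(idx + NM.length);
    if (entry.version) {
      deps.set(`${name}@${entry.version}`, { name, version: entry.version, dev: !!entry.dev });
    }
  }
  return deps;
}

function collectFromDependencies(dependencies, deps = new Map()) {
  for (const [name, entry] of Object.entries(dependencies || {})) {
    deps.set(`${name}@${entry.version}`, { name, version: entry.version, dev: !!entry.dev });
    if (entry.dependencies) collectFromDependencies(entry.dependencies, deps); // nested
  }
  return deps;
}

function readLockfileDependencies(lock) {
  const version = lock.lockfileVersion || 1;
  if (lock.packages) return collectFromPackages(lock.packages); // v2 and v3
  if (version >= 3) throw new Error(`lockfileVersion ${version} without "packages"`);
  return collectFromDependencies(lock.dependencies); // v1 only
}

// Constructed sample lockfiles (not taken from the issue).
const lockV1 = {
  lockfileVersion: 1,
  dependencies: {
    "left-pad": { version: "1.3.0" },
    express: { version: "4.18.2", dependencies: { cookie: { version: "0.5.0" } } },
  },
};
const lockV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/express/node_modules/cookie": { version: "0.5.0" },
    "node_modules/@types/node": { version: "18.11.9", dev: true },
  },
};
```

A scanner that only reads "dependencies" returns an empty list for lockV3; the reader above returns the same three packages from either format.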

whatatripp commented 1 year ago

Conversation moved to https://forums.inedo.com/topic/3877 (where we can track it much more easily).