RetireJS / retire.js

Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

[BUG] Filename match doesn't work on windows #437

Closed stephen-carter-at-sf closed 4 weeks ago

stephen-carter-at-sf commented 4 weeks ago

Retire.js version: (retire --version): 5.0.0

node version: (node --version): v21.7.1

Description: I'm a lead developer at Salesforce working on the next generation Salesforce Code Analyzer. We use retire.js inside of one of our engines, but I am finding that our tests are failing on windows. Specifically I see the following diff in my actual vs expected output on windows regarding the retire vulnerability findings:

    -         "detection": "filename",
    +         "detection": "filecontent",

That is, on linux environments, it is picking up most vulnerabilities first from just seeing the file name. But on windows, it never picks up the file name. It can only pick up vulnerabilities based on file contents.

I believe the issue is on line 171 of https://github.com/RetireJS/retire.js/blob/7231dfb9707ceb0ed09f4465201f5c1751d06d22/node/lib/retire.js#L171C49-L171C65

where it creates a match function using var result = scan(fileName, 'filename', repo, splitAndMatchAll('/'));

but that forward slash is specific to unix machines. Should path.sep be used instead of '/'?

Expected behaviour:

Running retire on windows platforms should detect vulnerabilities based on filename.

eoftedal commented 4 weeks ago

Thanks for reporting this. The only problem is that matcher is also used for URL which uses forward slashes also on Windows. But I suppose it would not hurt to split on both, or filenames usually don't contain any of those characters (at least not the files retire.js is looking for).
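The behaviour described in the report and the maintainer's reply, as an added illustration that is not retire.js's own code: a simplified "split the path, match each component" matcher with a constructed pattern repository, showing why a POSIX-only separator leaves a Windows path as one unmatched component, why `path.sep` alone would break URL matching on Windows, and how splitting on both separators covers all three inputs. The patterns, paths and URL below are constructed for the example and are assumed to be anchored to a whole path component.

```javascript
// Constructed stand-in for the vulnerability repository: one filename
// pattern per library, anchored to a whole path component and capturing
// the version. The real retire.js repository is larger and differs.
const REPO = {
  jquery: /^jquery-(\d+(?:\.\d+)*)(?:\.min)?\.js$/,
  angular: /^angular-(\d+(?:\.\d+)*)(?:\.min)?\.js$/,
};

// Run every repository pattern against a single path component.
function matchComponent(component) {
  const findings = [];
  for (const [lib, re] of Object.entries(REPO)) {
    const m = re.exec(component);
    if (m) findings.push({ component: lib, version: m[1], detection: 'filename' });
  }
  return findings;
}

// Build a matcher that splits its input on `separator` and matches each
// piece; the shape mirrors the splitAndMatchAll('/') call quoted above.
function splitAndMatchAll(separator) {
  return (input) => input.split(separator).flatMap(matchComponent);
}

// The reported bug: a POSIX-only separator never splits a Windows path,
// so the anchored pattern sees the whole path and nothing matches.
const matchPosixOnly = splitAndMatchAll('/');

// The suggested path.sep on Windows would be '\\', which breaks URLs
// (always '/'), the concern raised in the maintainer's reply.
const matchWindowsSepOnly = splitAndMatchAll('\\');

// Splitting on both separators handles Windows paths, POSIX paths and URLs.
const matchBoth = splitAndMatchAll(/[\/\\]/);

// Constructed sample inputs for the three cases.
const WIN_PATH = 'C:\\proj\\static\\jquery-1.8.3.min.js';
const POSIX_PATH = '/srv/app/static/jquery-1.8.3.min.js';
const URL = 'https://cdn.example.test/libs/jquery-1.8.3.min.js';

function demo() {
  return {
    posixOnlyOnWindows: matchPosixOnly(WIN_PATH).length,    // 0: the bug
    windowsSepOnlyOnUrl: matchWindowsSepOnly(URL).length,   // 0: path.sep alone is not enough
    bothOnWindows: matchBoth(WIN_PATH).length,              // 1
    bothOnPosix: matchBoth(POSIX_PATH).length,              // 1
    bothOnUrl: matchBoth(URL).length,                       // 1
  };
}
```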

eoftedal commented 4 weeks ago

Fix coming to 5.0.1 which is currently in the release pipeline (ready in a few minutes)

stephen-carter-at-sf commented 4 weeks ago

Thank you.

eoftedal commented 4 weeks ago

https://www.npmjs.com/package/retire/v/5.0.1

stephen-carter-at-sf commented 4 weeks ago

Excellent. I already applied your fix to our code and now my tests are passing. Thank you very much for the super fast turnaround!