Open pombredanne opened 4 years ago
Revisiting this, the npms in a package-lock.json are resolved by construction and by definition.
With the caveat that the lockfile listed here uses tilde ranges (https://github.com/npm/node-semver#tilde-ranges-123-12-1), which is problematic as this means not resolved. So IMHO the right way is to mark as resolved IFF the version in an npm is NOT a semver range at all. Consider using the univers library for this.
Description
I have this (simplified) package-lock.json file: package-lock.json.txt
I scan this with develop and `scancode -p --json-pp p.txt package-lock.json`: p.txt

and I get this dependencies section:

These are NOT resolved and we should instead have this:
Furthermore the value returned with Python 3.8 is:
"purl": "pkg:npm/safe-buffer@~5.1.0",
instead of
"purl": "pkg:npm/safe-buffer@%7E5.1.0",
The tilde is not escaped and should be per the Package URL spec. This is likely either a 3.8 bug OR a Package URL library bug.

System configuration
Linux, latest develop branch, Python 2
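The two points raised in this issue, resolved-only-if-not-a-range and a percent-encoded `~` in the purl version, as an added example that is not scancode's or packageurl-python's own code. It walks a constructed lockfileVersion 1 `package-lock.json`, treats a version as resolved only when it is an exact semver (no `~`, `^`, `>=` or similar operators), and encodes `~` as `%7E` explicitly, since `urllib.parse.quote` on Python 3.7 and later treats `~` as unreserved and leaves it bare. The helper names and the sample lockfile are assumptions for the example.

```python
import json
import re
from urllib.parse import quote

# Constructed sample lockfile (lockfileVersion 1 layout), not the attachment from the issue.
SAMPLE_LOCK = json.dumps({
    "name": "p", "lockfileVersion": 1,
    "dependencies": {
        "safe-buffer": {"version": "5.1.2", "requires": {}},
        "string_decoder": {"version": "1.1.1", "requires": {"safe-buffer": "~5.1.0"}},
    },
})

# An exact semver version: MAJOR.MINOR.PATCH, optional prerelease and build metadata,
# and no range operators or whitespace anywhere.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def is_resolved(version):
    """True iff `version` is a single pinned version, not a range such as ~5.1.0 or ^1.0.0."""
    return bool(EXACT_SEMVER.match(version.strip()))


def encode_purl_version(version):
    """Percent-encode a purl version segment; '~' always becomes %7E.
    quote() leaves '~' bare on Python 3.7+, so it is replaced explicitly afterwards."""
    return quote(version, safe="").replace("~", "%7E")


def npm_purl(name, version):
    """Build a pkg:npm purl; a scoped '@scope/pkg' becomes namespace '%40scope' and name 'pkg'."""
    parts = [quote(part, safe="") for part in name.split("/", 1)]
    return f"pkg:npm/{'/'.join(parts)}@{encode_purl_version(version)}"


def dependencies_from_lock(lock_text):
    """Return dependency records: installed entries carry the pinned version and are resolved;
    'requires' entries keep the declared range and count as resolved only when it is exact."""
    lock = json.loads(lock_text)
    records = []
    for name, entry in lock.get("dependencies", {}).items():
        installed = entry["version"]
        records.append({"purl": npm_purl(name, installed), "is_resolved": is_resolved(installed)})
        for req_name, req_range in entry.get("requires", {}).items():
            records.append({"purl": npm_purl(req_name, req_range), "is_resolved": is_resolved(req_range)})
    return records
```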