davglass / license-checker

Check NPM package licenses

Dependencies are scanned incorrectly #91

Open rus0000 opened 7 years ago

rus0000 commented 7 years ago

https://github.com/davglass/license-checker/blob/master/lib/index.js#L45 Here, to avoid traversing circular dependencies, we also avoid scanning the same package version twice.

The read-installed module returns package dependencies as they are resolved by Node's module loading mechanism. This mechanism allows the same package version to be loaded with a different dependency tree. That means we should analyze the same package version again, even if it was already processed.

Steps to reproduce

$ npm init -y
$ npm i -S jscs@3.0.7 nsp@2.6.3
$ npm ls ansi-regex
├─┬ jscs@3.0.7
│ └─┬ chalk@1.1.3
│   └─┬ has-ansi@2.0.0
│     └── ansi-regex@2.1.1 
└─┬ nsp@2.6.3
  └─┬ chalk@1.1.3
    ├─┬ has-ansi@2.0.0
    │ └── ansi-regex@2.0.0 
    └─┬ strip-ansi@3.0.1
      └── ansi-regex@2.0.0
$ license-checker | grep ansi-regex
├─ ansi-regex@2.1.1
│  ├─ repository: https://github.com/chalk/ansi-regex
│  └─ licenseFile: /home/ruslan/Projects/verify/t1/node_modules/ansi-regex/licens

ansi-regex@2.0.0 is missing from the license-checker output, because chalk@1.1.3 is not processed twice.

davglass commented 7 years ago

Thanks for the issue, I'll have to think on this one. This was added because it can cause an infinite loop if there are circular dependencies. The issue here is that the nsp package has an npm-shrinkwrap.json file that prohibits it from using the updated version of ansi-regex.

I'll have to look into seeing how I can trap the infinite loop so that I can remove this.
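The two points in this thread, a global "already seen" check dropping ansi-regex@2.0.0 and the need for some other guard against circular dependencies, can be shown side by side in a small Node script. This is an added example, not license-checker's code and not posted by either participant. The tree fixture is constructed to mirror the npm ls output above (two chalk@1.1.3 nodes that resolve ansi-regex differently); the function names buildTree, buildCyclicTree, collectGlobalDedup and collectPathDedup are assumptions for this example.

```javascript
// Added example: comparing "skip any package@version seen anywhere" against
// "skip only a package@version already on the current ancestor path".
// Fixtures are constructed; shapes imitate a read-installed style tree.

function pkg(name, version, dependencies = []) {
  return { name, version, dependencies };
}

const id = (p) => `${p.name}@${p.version}`;

// Constructed fixture mirroring the issue's `npm ls ansi-regex` output:
// jscs's chalk@1.1.3 resolves to ansi-regex@2.1.1, while nsp's chalk@1.1.3
// (pinned by nsp's npm-shrinkwrap.json) resolves to ansi-regex@2.0.0.
function buildTree() {
  const ansi211 = pkg('ansi-regex', '2.1.1');
  const ansi200 = pkg('ansi-regex', '2.0.0');
  const jscsChalk = pkg('chalk', '1.1.3', [pkg('has-ansi', '2.0.0', [ansi211])]);
  const nspChalk = pkg('chalk', '1.1.3', [
    pkg('has-ansi', '2.0.0', [ansi200]),
    pkg('strip-ansi', '3.0.1', [ansi200]),
  ]);
  return pkg('t1', '1.0.0', [
    pkg('jscs', '3.0.7', [jscsChalk]),
    pkg('nsp', '2.6.3', [nspChalk]),
  ]);
}

// Constructed cyclic fixture: a -> b -> a. A naive walk never terminates here.
function buildCyclicTree() {
  const a = pkg('a', '1.0.0');
  const b = pkg('b', '1.0.0', [a]);
  a.dependencies.push(b);
  return pkg('root', '1.0.0', [a]);
}

// Strategy 1: one global visited set keyed by name@version. Terminates on
// cycles, but the second chalk@1.1.3 subtree is never entered, so the
// ansi-regex@2.0.0 it resolves is never reported.
function collectGlobalDedup(root) {
  const seen = new Set();
  (function walk(p) {
    const key = id(p);
    if (seen.has(key)) return;
    seen.add(key);
    p.dependencies.forEach(walk);
  })(root);
  return seen;
}

// Strategy 2: the visited set holds only the ancestors of the current node.
// A package@version reached through a different subtree is walked again,
// while a package already on the path is a cycle and is cut off.
function collectPathDedup(root) {
  const found = new Set();
  (function walk(p, path) {
    const key = id(p);
    if (path.has(key)) return; // cycle: this node is its own ancestor
    found.add(key);
    path.add(key);
    for (const dep of p.dependencies) walk(dep, path);
    path.delete(key); // backtrack so siblings may revisit the same version
  })(root, new Set());
  return found;
}

function ansiVersions(set) {
  return [...set].filter((k) => k.startsWith('ansi-regex@')).sort();
}

console.log('global dedup:', ansiVersions(collectGlobalDedup(buildTree())));
console.log('path dedup:  ', ansiVersions(collectPathDedup(buildTree())));
console.log('cyclic tree: ', [...collectPathDedup(buildCyclicTree())]);
```

Path-based dedup revisits shared subtrees, so on a large tree with heavy sharing it does more work than the global set; if that matters, memoize on the resolved subtree (for example the node's real path under node_modules) rather than on name@version alone, which keeps both properties: every distinct resolution is reported and cycles still terminate.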