phylum-dev / cli

Command line interface for the Phylum API
https://phylum.io
GNU General Public License v3.0
103 stars 11 forks

Incorrect parsing for renamed npm packages #1285

Closed kylewillmon closed 11 months ago

kylewillmon commented 11 months ago

The package-lock.json parser seems to misinterpret renamed dependencies.

For example, see this entry in @isaacs/cliui's package.json:

    "strip-ansi-cjs": "npm:strip-ansi@^6.0.1",

That causes a section in package-lock.json like this:

    "node_modules/strip-ansi-cjs": {
      "name": "strip-ansi",
      "version": "6.0.1",
      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
      "dependencies": {
        "ansi-regex": "^5.0.1"
      },
      "engines": {
        "node": ">=8"
      }
    },

The package name here is strip-ansi. It has just been locally renamed to strip-ansi-cjs. Unfortunately, phylum parse is fooled:

> phylum parse | jq '.[] | select(.name=="strip-ansi-cjs")'
{
  "name": "strip-ansi-cjs",
  "version": "6.0.1",
  "type": "npm",
  "lockfile": "package-lock.json"
}

Instead, phylum parse should detect this as a package named strip-ansi.
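For readers who want to see what a lockfile parser has to do to avoid this mistake, here is an added example (not the Phylum CLI's own code, which is written in Rust; this is a stand-alone Python sketch) that walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`. It takes the real package name from the entry's `name` field when npm wrote one (which it does for `npm:` aliases such as `"strip-ansi-cjs": "npm:strip-ansi@^6.0.1"`), and otherwise derives the name from the last `node_modules/` segment of the path, which keeps scoped names intact. The lockfile text is constructed for the example and only reuses the `strip-ansi` entry quoted in the issue; the nested and scoped entries are assumptions added to exercise the path logic. It also reports which entries are aliases, since an alias is exactly the case where keying analysis on the install path would report the wrong package.

```python
import json

# Constructed sample: a minimal lockfileVersion 3 package-lock.json containing the
# aliased entry from the issue, a scoped package, and a nested (deduped) package.
SAMPLE_LOCKFILE = """
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "example-app", "version": "1.0.0" },
    "node_modules/strip-ansi-cjs": {
      "name": "strip-ansi",
      "version": "6.0.1",
      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz"
    },
    "node_modules/@isaacs/cliui": { "version": "8.0.2" },
    "node_modules/foo": { "version": "1.2.3" },
    "node_modules/foo/node_modules/strip-ansi": { "version": "7.1.0" }
  }
}
"""


def name_from_path(path):
    """Derive a package name from a 'packages' key such as
    node_modules/foo/node_modules/@scope/pkg: everything after the last
    'node_modules/' segment, so scoped names keep their '@scope/' prefix."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    if idx == -1:
        return None
    return path[idx + len(marker):]


def parse_package_lock(text):
    """Return a list of {name, version, alias} dicts for every installed package.

    The install path is only where npm placed the package; when the entry carries
    an explicit "name" field (as it does for npm: aliases) that field is the real
    registry name and must win over the path segment."""
    lock = json.loads(text)
    packages = lock.get("packages")
    if packages is None:
        # lockfileVersion 1 uses a nested "dependencies" tree instead; out of scope here.
        raise ValueError("only the lockfileVersion 2/3 'packages' layout is handled")

    deps = []
    for path, entry in packages.items():
        if path == "":
            continue  # the root project itself, not a dependency
        if entry.get("link"):
            continue  # workspace symlink; the target has its own entry
        path_name = name_from_path(path)
        real_name = entry.get("name") or path_name
        deps.append({
            "name": real_name,
            "version": entry.get("version"),
            # Record the local alias only when it differs from the real name.
            "alias": path_name if path_name != real_name else None,
        })
    return deps


def find_aliases(deps):
    """List (alias, real_name) pairs: packages that appear under a different name
    in node_modules than the one they were fetched from the registry as."""
    return [(d["alias"], d["name"]) for d in deps if d["alias"] is not None]


if __name__ == "__main__":
    parsed = parse_package_lock(SAMPLE_LOCKFILE)
    for d in parsed:
        print(d)
    print("aliases:", find_aliases(parsed))
```

Run against the sample, the `strip-ansi-cjs` entry is reported as `strip-ansi@6.0.1` with alias `strip-ansi-cjs`, which is the result the issue asks `phylum parse` to produce; the nested copy under `foo` is reported as a second `strip-ansi` at 7.1.0 rather than as `foo`.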