Closed kylewillmon closed 11 months ago
The `package-lock.json` parser seems to misinterpret renamed dependencies.

For example, see this entry in `@isaacs/cliui`'s `package.json`:

```json
"strip-ansi-cjs": "npm:strip-ansi@^6.0.1",
```

That causes a section in `package-lock.json` like this:

```json
"node_modules/strip-ansi-cjs": {
  "name": "strip-ansi",
  "version": "6.0.1",
  "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
  "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
  "dependencies": {
    "ansi-regex": "^5.0.1"
  },
  "engines": {
    "node": ">=8"
  }
},
```

The package name here is `strip-ansi`. It has just been locally renamed to `strip-ansi-cjs`. Unfortunately, `phylum parse` is fooled:

```
> phylum parse | jq '.[] | select(.name=="strip-ansi-cjs")'
{
  "name": "strip-ansi-cjs",
  "version": "6.0.1",
  "type": "npm",
  "lockfile": "package-lock.json"
}
```

Instead, `phylum parse` should detect this as a package named `strip-ansi`.
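The point the issue makes is that in the `packages` map of a lockfile v2/v3 `package-lock.json`, the map key only tells you where a package was installed (`node_modules/strip-ansi-cjs`), while the optional `name` field on the entry tells you which registry package actually lives there. A parser that derives the package name from the key alone will report the alias, and any vulnerability or policy lookup keyed on that name will miss the real package. The following Python is an added example, not kylewillmon's code and not part of the phylum code base, showing a lockfile reader that resolves the real name, with the alias kept alongside it for reporting. The lockfile text is constructed for the example and only borrows the `strip-ansi-cjs` entry from the issue; the function names are the example's own.

```python
import json

# Constructed lockfile (not the real @isaacs/cliui lock). It contains the
# aliased entry from the issue plus an unaliased strip-ansi, a scoped
# package, and a nested node_modules entry, to exercise name derivation.
SAMPLE_LOCKFILE = r'''
{
  "name": "demo",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "demo", "version": "1.0.0" },
    "node_modules/strip-ansi": {
      "version": "7.1.0",
      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz"
    },
    "node_modules/strip-ansi-cjs": {
      "name": "strip-ansi",
      "version": "6.0.1",
      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
      "dependencies": { "ansi-regex": "^5.0.1" }
    },
    "node_modules/@isaacs/cliui": {
      "version": "8.0.2"
    },
    "node_modules/@isaacs/cliui/node_modules/ansi-regex": {
      "version": "5.0.1"
    }
  }
}
'''


def name_from_path(path: str) -> str:
    """Derive the *install* name from a packages key: everything after the
    last 'node_modules/' segment, which keeps an '@scope/' prefix intact and
    handles nested installs such as 'node_modules/a/node_modules/b'."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    if idx == -1:
        raise ValueError(f"not a node_modules path: {path!r}")
    return path[idx + len(marker):]


def parse_packages(lockfile_text: str) -> list:
    """Return one record per installed registry package.

    'name' is the real package name: the entry's own "name" field when npm
    wrote one (an aliased dependency), otherwise the name taken from the
    path. 'alias' records the install name when the two differ, so a report
    can still say where the package sits in node_modules."""
    data = json.loads(lockfile_text)
    if data.get("lockfileVersion", 1) < 2:
        raise ValueError("this example handles the 'packages' map of lockfile v2/v3")
    records = []
    for path, entry in data.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # root project or workspace symlink, not a registry package
        install_name = name_from_path(path)
        real_name = entry.get("name", install_name)
        records.append({
            "name": real_name,
            "version": entry["version"],
            "alias": install_name if real_name != install_name else None,
        })
    return records


def find_by_name(records: list, name: str) -> list:
    """Look up packages by their real registry name, the way a policy or
    vulnerability check should."""
    return [r for r in records if r["name"] == name]


if __name__ == "__main__":
    for rec in parse_packages(SAMPLE_LOCKFILE):
        suffix = f" (installed as {rec['alias']})" if rec["alias"] else ""
        print(f"{rec['name']}@{rec['version']}{suffix}")
```

With the sample lockfile, `find_by_name(records, "strip-ansi")` returns both the 7.1.0 and the aliased 6.0.1 install, and no record carries the name `strip-ansi-cjs`; dropping the `entry.get("name", ...)` lookup reproduces the behaviour the issue reports.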