snyk / nodejs-lockfile-parser

Generate a Snyk dependency tree from package-lock.json or yarn.lock file

bug: no OutOfSyncError on github revision mismatch #123

Closed milahu closed 3 months ago

milahu commented 2 years ago

Steps to reproduce

# Reproduction: install a git dependency pinned to one commit, then change the
# pinned commit in package.json only, so package-lock.json still records the old one.
cd $(mktemp -d)
npm init -y
npm i snyk-nodejs-lockfile-parser
# Git dependency pinned to commit e180d6a5...; this revision is what the
# lockfile resolves and what the parser output below still reports.
npm i "github:milahu/postcss-nodegui-autoprefixer#e180d6a5f2f313d634f73637a285c129de90d530"

# Rewrite only package.json to point at a different commit (f4311b3c...).
# For a git dependency the commit hash is the only pin, so a manifest/lockfile
# revision mismatch is exactly the drift strictOutOfSync is expected to reject.
# (GNU sed syntax; BSD/macOS sed would need `-i ''`.)
sed -i 's/e180d6a5f2f313d634f73637a285c129de90d530/f4311b3ce656395d469e9a7df0b940bdc184a757/' package.json
# now package.json and package-lock.json are out of sync

# Assemble a one-line node script in a shell string and run it with `node -e`.
# `read` loads a file as UTF-8 text so both manifest and lockfile contents are
# passed to the parser as strings.
src="const read = path => require('fs').readFileSync(path, 'utf8');"
src+="async function main() { console.dir(await require('snyk-nodejs-lockfile-parser')."
# call buildDepTree
# last argument: strictOutOfSync = true
# NOTE: the third argument (true) and fourth ('npm') are presumed to be includeDev and
# the lockfile type -- confirm against the library's buildDepTree signature.
src+="buildDepTree(read('package.json'), read('package-lock.json'), true, 'npm', true)"
src+="); }; main()"
# Expected: the call rejects with OutOfSyncError. Observed: it resolves, and the
# returned tree still carries the stale lockfile revision e180d6a5... for the package.
node -e "$src"

Expected result: `buildDepTree` should throw `OutOfSyncError`, because the git revision in package.json no longer matches the one recorded in package-lock.json.

Actual result: no error is thrown; the returned tree still reports the old lockfile revision for the package.

{
  dependencies: {
    'postcss-nodegui-autoprefixer': {
      labels: [Object],
      name: 'postcss-nodegui-autoprefixer',
      version: 'git+ssh://git@github.com/milahu/postcss-nodegui-autoprefixer.git#e180d6a5f2f313d634f73637a285c129de90d530',
      dependencies: [Object]
    },
    'snyk-nodejs-lockfile-parser': {
      labels: [Object],
      name: 'snyk-nodejs-lockfile-parser',
      version: '1.37.0',
      dependencies: [Object]
    }
  },
  hasDevDependencies: false,
  name: 'tmp.ibogyemwlr',
  size: 300,
  version: '1.0.0',
  meta: { lockfileVersion: 2, packageManager: 'npm' }
}