snyk / nodejs-lockfile-parser

Generate a Snyk dependency tree from package-lock.json or yarn.lock file

fix: apply array type check for workspace configs #160

Closed xzhou-snyk closed 1 year ago

xzhou-snyk commented 1 year ago

In our old logic, we assume that the workspaces section in the package.json file would be one of the following:

{
  "workspaces": ["packageA/**", "packageB/**"]
}

{
  "workspaces": {
    "packages": ["packageA/**", "packageB/**"]
  }
}

But there could be situations where this assumption doesn't hold, in which case our code fails because we can't iterate on a non-array object. For example, it is possible that one declares only information about nohoist, e.g.

{
  "workspaces":
    {
      "nohoist": ["packageA/**", "packageB/**"]
    }
}

This PR strengthens the array type check on workspaces and workspaces.packages to make sure no error is thrown.
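
The shape check the PR describes, as an added example that is not the project's own code: a naive reader that assumes only the two shapes listed above, beside a hardened reader that accepts any shape of the "workspaces" field, both run over constructed package.json objects. The function and sample names (workspaceGlobsNaive, workspaceGlobs, SAMPLES, runSamples) are hypothetical and do not correspond to identifiers in nodejs-lockfile-parser.

```typescript
// Added example, not code from nodejs-lockfile-parser. Function names are
// hypothetical. Shows why iterating the "workspaces" field without an
// array check throws, and what a hardened reader does instead.

type WorkspaceField =
  | string[]
  | { packages?: string[]; nohoist?: string[] }
  | undefined;

interface PackageJson {
  name?: string;
  workspaces?: WorkspaceField;
}

// Naive reader: assumes the field is an array, or an object whose
// "packages" key is an array. For a nohoist-only object `ws.packages` is
// undefined, and `for...of undefined` throws a TypeError at runtime; a
// missing field throws when `.packages` is read from undefined.
function workspaceGlobsNaive(pkg: PackageJson): string[] {
  const ws = pkg.workspaces as any;
  const list = Array.isArray(ws) ? ws : ws.packages;
  const out: string[] = [];
  for (const glob of list) {
    out.push(glob);
  }
  return out;
}

// Hardened reader: only ever iterates a value that Array.isArray accepts,
// and only keeps string entries, so any other shape yields an empty list
// instead of an exception.
function workspaceGlobs(pkg: PackageJson): string[] {
  const ws: unknown = pkg.workspaces;
  let candidate: unknown;
  if (Array.isArray(ws)) {
    candidate = ws;
  } else if (ws !== null && typeof ws === 'object') {
    candidate = (ws as { packages?: unknown }).packages;
  }
  if (!Array.isArray(candidate)) {
    return []; // nohoist-only object, string, null, or missing field
  }
  return candidate.filter((g): g is string => typeof g === 'string');
}

// Constructed inputs (not taken from any real repository): the three shapes
// from the PR description plus a missing field and a non-string entry.
const SAMPLES: Record<string, PackageJson> = {
  arrayForm: { workspaces: ['packageA/**', 'packageB/**'] },
  packagesForm: { workspaces: { packages: ['packageA/**', 'packageB/**'] } },
  nohoistOnly: { workspaces: { nohoist: ['packageA/**', 'packageB/**'] } },
  missing: { name: 'root' },
  nonString: { workspaces: ['packageA/**', 42] } as unknown as PackageJson,
};

interface Outcome {
  naive: string[] | 'TypeError';
  hardened: string[];
}

// Runs both readers over every sample, recording a thrown TypeError from
// the naive reader as the string 'TypeError' rather than letting it escape.
function runSamples(): Record<string, Outcome> {
  const results: Record<string, Outcome> = {};
  for (const name of Object.keys(SAMPLES)) {
    const pkg = SAMPLES[name];
    let naive: string[] | 'TypeError';
    try {
      naive = workspaceGlobsNaive(pkg);
    } catch (e) {
      if (!(e instanceof TypeError)) throw e;
      naive = 'TypeError';
    }
    results[name] = { naive, hardened: workspaceGlobs(pkg) };
  }
  return results;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

The hardened reader deliberately ignores a "nohoist" list: in Yarn that key configures which dependencies are not hoisted and is not a list of workspace locations, so a nohoist-only object correctly yields no workspace globs rather than an error.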

snyksec commented 1 year ago

:tada: This PR is included in version 1.43.1 :tada:

The release is available on:

Your semantic-release bot :package::rocket: