snyk / nodejs-lockfile-parser

Generate a Snyk dependency tree from package-lock.json or yarn.lock file

fix: correctly index pkg lock with pkgs with similar candidates #185

Closed JamesPatrickGill closed 1 year ago

JamesPatrickGill commented 1 year ago

This addition means that we further fix indexing into the pkg lock packages option when a dependency has a number of similar candidates.

When npm resolves packages for npm-lock-v2 it uses some scoping rules to make unique entries for the packages object in the lockfile. We must then choose the correct key when we are resolving this ourselves. We were missing a case where we have two similar-length keys that did not have the entire ancestry hierarchy in them.

To fix this we are now looking for the resolution to include at least all of its parents in the ancestry of the package we are currently evaluating. This narrows it down in most scenarios.
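The key-selection problem described above, as an added illustration that is not nodejs-lockfile-parser's own code and does not reproduce this PR's exact heuristic: the `packages` object of a package-lock.json v2 keys every installed copy by its `node_modules/...` path, so a dependency name alone can match several keys. The example resolves the key the same way Node's loader finds a module (try the deepest nesting under the ancestry first, then walk up to the hoisted root), and contrasts it with an ancestor-overlap score that ties on the "two similar-length keys" case. The lockfile contents are constructed for the example; `resolveLockKey`, `candidateKeys` and `ambiguousCandidates` are names chosen here.

```typescript
// Added illustration, not the project's own code. Resolves which "packages" key in a
// package-lock.json v2 belongs to a dependency, given the ancestry it is reached through.

interface LockPackage {
  version: string;
}
type LockfilePackages = Record<string, LockPackage>;

// Constructed sample: a hoisted "c" plus two nested copies under different parents,
// so a lookup for "c" has several similar-looking candidate keys.
const samplePackages: LockfilePackages = {
  "": { version: "1.0.0" },
  "node_modules/a": { version: "1.0.0" },
  "node_modules/b": { version: "1.0.0" },
  "node_modules/c": { version: "1.0.0" },
  "node_modules/a/node_modules/b": { version: "9.0.0" },
  "node_modules/a/node_modules/c": { version: "2.0.0" },
  "node_modules/b/node_modules/c": { version: "3.0.0" },
};

// The key npm uses for `name` nested under the first `depth` entries of `ancestry`.
// Scoped names such as "@scope/pkg" already contain their slash and need no special case.
function nestedKey(ancestry: string[], depth: number, name: string): string {
  return [...ancestry.slice(0, depth), name].map((pkg) => `node_modules/${pkg}`).join("/");
}

// Candidate keys in lookup order: deepest nesting first, hoisted root last.
function candidateKeys(ancestry: string[], name: string): string[] {
  const keys: string[] = [];
  for (let depth = ancestry.length; depth >= 0; depth--) {
    keys.push(nestedKey(ancestry, depth, name));
  }
  return keys;
}

// Deterministic resolution: the first candidate present in the lockfile wins.
// Returns undefined when no copy of `name` is reachable from this ancestry.
function resolveLockKey(packages: LockfilePackages, ancestry: string[], name: string): string | undefined {
  return candidateKeys(ancestry, name).find((key) => key in packages);
}

// Split a packages key into the package names along its path, e.g.
// "node_modules/a/node_modules/c" -> ["a", "c"].
function pathSegments(key: string): string[] {
  return key
    .split("node_modules/")
    .filter((part) => part.length > 0)
    .map((part) => part.replace(/\/$/, ""));
}

// Contrast: rank every key ending in `name` by how many ancestors its path mentions and
// return all top scorers. With ancestry ["a", "b"] both nested copies of "c" score 1,
// so this heuristic returns two keys and cannot pick one.
function ambiguousCandidates(packages: LockfilePackages, ancestry: string[], name: string): string[] {
  const candidates = Object.keys(packages).filter((key) => {
    const segments = pathSegments(key);
    return segments.length > 0 && segments[segments.length - 1] === name;
  });
  if (candidates.length === 0) {
    return [];
  }
  const score = (key: string): number => {
    const parents = pathSegments(key).slice(0, -1);
    return ancestry.filter((ancestor) => parents.includes(ancestor)).length;
  };
  const best = Math.max(...candidates.map(score));
  return candidates.filter((key) => score(key) === best);
}

// Walk the sample: "c" reached via a -> b resolves to a's nested copy, since there is no
// a/b/c entry and Node would find node_modules/a/node_modules/c before the hoisted one.
console.log(resolveLockKey(samplePackages, ["a", "b"], "c")); // node_modules/a/node_modules/c
console.log(resolveLockKey(samplePackages, ["b"], "c")); // node_modules/b/node_modules/c
console.log(resolveLockKey(samplePackages, [], "c")); // node_modules/c
console.log(ambiguousCandidates(samplePackages, ["a", "b"], "c")); // two keys, tie
```

The walk-up order matters more than key length: for the ancestry `["a", "b"]` both nested copies of `c` are the same length and neither contains the whole hierarchy, which is exactly where a length- or overlap-based choice stalls, while the ordered candidate list still yields one answer.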

yurinka1 commented 1 year ago

@JamesPatrickGill Do you mind adding tests to cover the use cases?

And an example for noobies like me 🙏🏻

snyksec commented 1 year ago

:tada: This PR is included in version 1.48.2 :tada:

The release is available on:

Your semantic-release bot :package::rocket: