snyk / nodejs-lockfile-parser

Generate a Snyk dependency tree from package-lock.json or yarn.lock file

fix: resolve npm scoped versions #215

Closed JamesPatrickGill closed 7 months ago

JamesPatrickGill commented 7 months ago

What this does

Previously, if this parser saw a version specifier like npm:something@^1.0.0, this whole specifier was used as the version in the depgraph. This is a bit disingenuous as we should be able to resolve the version this actually gets resolved to using the lockfile. This behavior also causes downstream issues in the Snyk CLI.

Now these versions will attempt to be resolved to just the final version range in the specifier.
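The resolution described in the comment above, as an added example that is not the project's own code: it splits an npm alias specifier into the real package name and range, looks the dependency up in a constructed package-lock v2-style "packages" map to get the concrete version, and falls back to the range alone only when the lockfile has no entry. Function names and the lockfile contents are hypothetical.

```javascript
// Added example (not nodejs-lockfile-parser code): resolve "npm:<pkg>@<range>" alias
// specifiers to the concrete version recorded in the lockfile instead of reporting the
// whole specifier as the version. The lockfile object below is constructed.
const LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    '': {
      dependencies: {
        'string-width-cjs': 'npm:string-width@^4.2.0', // alias: real package is string-width
        lodash: '^4.17.21',
      },
    },
    'node_modules/string-width-cjs': { name: 'string-width', version: '4.2.3' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Split "npm:@scope/name@^1.0.0" into { name: '@scope/name', range: '^1.0.0' }.
// Splitting at the LAST '@' keeps the leading '@' of scoped names intact.
// Returns null for ordinary (non-alias) specifiers.
function parseNpmAlias(spec) {
  if (!spec.startsWith('npm:')) return null;
  const body = spec.slice(4);
  const at = body.lastIndexOf('@');
  if (at <= 0) return { name: body, range: '*' }; // "npm:foo" with no range given
  return { name: body.slice(0, at), range: body.slice(at + 1) };
}

// Find the lockfile entry node would load for `depName` from `fromPath` ('' is the
// root project), walking up through nested node_modules directories.
function findInstalled(lockfile, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const key = (base ? base + '/' : '') + 'node_modules/' + depName;
    if (lockfile.packages[key]) return lockfile.packages[key];
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Version to report in the dependency graph for one edge: the installed version when
// the lockfile has it, otherwise just the range from the alias (never the full "npm:" spec).
function resolveDependency(lockfile, fromPath, depName, spec) {
  const alias = parseNpmAlias(spec);
  const installed = findInstalled(lockfile, fromPath, depName);
  const name = (installed && installed.name) || (alias ? alias.name : depName);
  if (installed && installed.version) return { name, version: installed.version };
  return { name, version: alias ? alias.range : spec };
}
```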

snyksec commented 7 months ago

:tada: This PR is included in version 1.52.10 :tada:

The release is available on:

Your semantic-release bot :package::rocket: