snyk / nodejs-lockfile-parser

Generate a Snyk dependency tree from package-lock.json or yarn.lock file

fix: stop hard failures on npm dist-tags #216

Closed JamesPatrickGill closed 5 months ago

JamesPatrickGill commented 5 months ago

What this does

Previously (v1.52.1), npm projects using lockfile v2 and above that had dependencies that use the "npm dist-tags" feature were able to be scanned by this library.

Since then the npm lockfile v2 parsing code has been iterated upon, fixing a number of bugs. Unfortunately, one of these bugs was masking the fact that we did not support dist-tags, as it was just choosing a version that matched the name. Once semver checks were added, these dist-tag versions started to fail to be found, which caused parsing to error out.

To fix this, I have skipped just the semver part of the resolution algorithm if the version provided is not valid semver, i.e. if it is a dist-tag. The algorithm then continues to look through potential parents to find a node that would satisfy it - note that in complicated dep trees there may be some ambiguity as to which node should be used for the tag - but this is more desirable than failure in the larger case.
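
The resolution walk described in the PR, as an added example that is not code from snyk/nodejs-lockfile-parser or from the PR author. It models a lockfile v2 `packages` map, walks from the dependent package's `node_modules` up through each ancestor's `node_modules` to the root, and applies the semver check only when the declared range parses as semver. The lockfile is constructed by hand, the function names (`resolveDependency`, `resolveTree`, `candidatePaths`) are invented for this illustration, and the range grammar (exact, `^`, `~`, `*`) is a deliberately small subset of what npm accepts. The `skipSemverForDistTags` flag lets the same walk reproduce both the failure before the fix and the behaviour after it, including the nearest-match ambiguity the description mentions.

```typescript
// Added example modelling the lockfile-v2 parent walk described in the PR.
// Not project code: the lockfile below is constructed by hand, the function
// names are invented, and the range grammar is a small subset of npm's.

type LockPackage = { version: string; dependencies?: Record<string, string> };
type LockfileV2 = { lockfileVersion: number; packages: Record<string, LockPackage> };
type ResolveOptions = { skipSemverForDistTags: boolean };
type Resolved = { path: string; version: string };
type Edge = { from: string; name: string; range: string; resolved: string };

function parseVersion(v: string): [number, number, number] | null {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True for "1.2.3", "^1.2.3", "~1.2.3" and "*". Dist-tags such as "latest",
// "next" or "beta" are plain words and therefore fail this test.
function isValidRange(range: string): boolean {
  return range === '*' || parseVersion(range.replace(/^[\^~]/, '')) !== null;
}

function satisfies(version: string, range: string): boolean {
  if (range === '*') return true;
  const v = parseVersion(version);
  const base = parseVersion(range.replace(/^[\^~]/, ''));
  if (!v || !base) return false;
  const cmp = v[0] - base[0] || v[1] - base[1] || v[2] - base[2];
  const op = range.charAt(0);
  // ^ pins the major (or the minor when major is 0; ^0.0.x is simplified here),
  // ~ pins major.minor, a bare version must match exactly.
  if (op === '^' && base[0] !== 0) return v[0] === base[0] && cmp >= 0;
  if (op === '^' || op === '~') return v[0] === base[0] && v[1] === base[1] && cmp >= 0;
  return cmp === 0;
}

// Install locations for `name` as seen from `fromPath`, nearest first:
// <fromPath>/node_modules/<name>, each ancestor's node_modules, then the root's.
function candidatePaths(fromPath: string, name: string): string[] {
  const out: string[] = [];
  let cur = fromPath;
  for (;;) {
    out.push(cur === '' ? `node_modules/${name}` : `${cur}/node_modules/${name}`);
    if (cur === '') break;
    const idx = cur.lastIndexOf('/node_modules/');
    cur = idx === -1 ? '' : cur.slice(0, idx);
  }
  return out;
}

function resolveDependency(
  lock: LockfileV2, fromPath: string, name: string, range: string, opts: ResolveOptions,
): Resolved {
  // Before the fix every candidate was semver-checked, so a dist-tag never
  // matched anything. After it, a non-semver range accepts the nearest node.
  const checkSemver = !opts.skipSemverForDistTags || isValidRange(range);
  for (const path of candidatePaths(fromPath, name)) {
    const pkg = lock.packages[path];
    if (!pkg) continue;
    if (checkSemver && !satisfies(pkg.version, range)) continue;
    return { path, version: pkg.version };
  }
  throw new Error(`could not resolve ${name}@${range} from "${fromPath || '<root>'}"`);
}

// Resolve every declared dependency edge in the lockfile.
function resolveTree(lock: LockfileV2, opts: ResolveOptions): Edge[] {
  const edges: Edge[] = [];
  for (const from of Object.keys(lock.packages)) {
    const deps = lock.packages[from].dependencies || {};
    for (const name of Object.keys(deps)) {
      const range = deps[name];
      edges.push({ from, name, range, resolved: resolveDependency(lock, from, name, range, opts).path });
    }
  }
  return edges;
}

// Constructed sample: the root pins b to the dist-tag "next", and a pins c to
// "latest"; b is installed twice (nested 2.1.0 under a, 3.0.0 at the root).
const sampleLock: LockfileV2 = {
  lockfileVersion: 2,
  packages: {
    '': { version: '1.0.0', dependencies: { a: '^1.0.0', b: 'next' } },
    'node_modules/a': { version: '1.2.0', dependencies: { b: '^2.0.0', c: 'latest' } },
    'node_modules/a/node_modules/b': { version: '2.1.0' },
    'node_modules/b': { version: '3.0.0' },
    'node_modules/c': { version: '4.5.6' },
  },
};
```

Running `resolveTree(sampleLock, { skipSemverForDistTags: false })` throws on the root's `b@next`, which is the hard failure the PR removes; with the flag on, all four edges resolve. The ambiguity the description warns about is visible by resolving `b@latest` from `node_modules/a`: the walk stops at the nested 2.1.0 copy even though the root holds 3.0.0, because without a semver range there is nothing to prefer one over the other.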

snyksec commented 5 months ago

:tada: This PR is included in version 1.52.11 :tada:

The release is available on:

Your semantic-release bot :package::rocket: