Open awoodobvio opened 2 years ago
Thanks for taking the time @awoodobvio to report this. I can confirm this is not working as documented, and we'll look into getting a fix for this.
This issue is caused by the mechanism being used to enumerate NPM packages. Currently, the plugin utilises list-installed, which looks at all packages installed in the node_modules directory (i.e. you also need to have run npm i before we detect any components). This method means we have no understanding as to whether the package was installed due to a dependency or a devDependency.
We likely need to gather our thoughts on NPM package parsing here - we used to read the lock files (only) in the past - but that also is not a guaranteed complete answer either (lock files do indicate whether the dependency is dev or not!).
FYI @maurycupitt
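Added example, not code from the extension or from list-installed, of the lockfile-based answer the comment above refers to: it walks a lockfileVersion 2/3 "packages" map from the root's dependencies only, so transitive dependencies of a devDependency are excluded, and cross-checks the result against npm's own "dev": true marker. The lockfile contents (package names, versions, nesting) are constructed for the example.

```javascript
// Added example (not from the extension or list-installed): works on a lockfileVersion 2/3 "packages" map.

// Resolve `name`, required by the package at `from`, the way Node does:
// nearest node_modules/<name>, walking up the nesting chain to the root.
function resolveDep(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not in the lockfile (e.g. unmet optional dep)
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Transitive closure starting only from the root's `dependencies`.
// Anything not reached is dev-only, however deep it sits in the tree.
function prodClosure(lock) {
  const packages = lock.packages;
  const seen = new Set();
  const queue = Object.keys(packages[''].dependencies || {})
    .map((n) => resolveDep(packages, '', n)).filter(Boolean);
  while (queue.length) {
    const p = queue.pop();
    if (seen.has(p)) continue;
    seen.add(p);
    for (const n of Object.keys(packages[p].dependencies || {})) {
      const r = resolveDep(packages, p, n);
      if (r) queue.push(r);
    }
  }
  return seen;
}

// Packages npm itself flagged dev-only in the lockfile ("dev": true); a scan
// that matches prodClosure() here agrees with npm's own view of the tree.
function devFlagged(lock) {
  return new Set(Object.keys(lock.packages).filter((p) => p && lock.packages[p].dev));
}

// Constructed lockfile: jest (devDependency) drags in chalk and a nested
// semver@6; only hello-world-npm and the hoisted semver@7 are production.
const LOCK = { lockfileVersion: 3, packages: {
  '': { dependencies: { 'hello-world-npm': '^1.0.0' }, devDependencies: { jest: '^29.0.0' } },
  'node_modules/hello-world-npm': { version: '1.1.1', dependencies: { semver: '^7.0.0' } },
  'node_modules/semver': { version: '7.5.4' },
  'node_modules/jest': { version: '29.7.0', dev: true, dependencies: { chalk: '^4.0.0', semver: '^6.0.0' } },
  'node_modules/chalk': { version: '4.1.2', dev: true },
  'node_modules/jest/node_modules/semver': { version: '6.3.1', dev: true },
} };
```

Listing node_modules (what list-installed sees) would report all five packages; the walk reports only the two production ones, and every installed package lands in exactly one of the two sets.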
Removed bug as our docs specifically state we do what I stated above. However - we will consider this for enhancement!
Author of list-installed here. Open to extending it to help out here.
E.g. shipped https://github.com/voxpelli/list-installed/issues/23 now, which can simplify some of the code in this extension + e.g. also shipped proper support for aliased npm dependencies in 4.0.0 of that module.
If you want to jump on a call or such I'm open to that as well, currently freelancing on my own projects so I'm flexible.
Describe the bug When the "Include Dev" option is disabled, the expectation is that devDependencies are ignored. However, it appears that only direct devDependencies are ignored and any dependencies that are included by them are not. That makes the scan not line up with the expectation.
To Reproduce Steps to reproduce the behavior:
Expected behavior Only hello-world-npm should be present in the scan.
Additional context n/a
cc @bhamail / @DarthHater