From fd9ed3a330bc66e229bcbdc262dc296a3bf01f54 Mon Sep 17 00:00:00 2001 From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Date: Mon, 2 Sep 2024 13:19:01 +0600 Subject: [PATCH] fix(nodejs): check all `importers` to detect dev deps from pnpm-lock.yaml file (#7387) --- pkg/dependency/parser/nodejs/pnpm/parse.go | 22 +++++++++++++------ .../parser/nodejs/pnpm/parse_test.go | 6 ----- .../parser/nodejs/pnpm/parse_testcase.go | 13 +++++++++++ .../nodejs/pnpm/testdata/pnpm-lock_v9.yaml | 21 ++++++++++++++++++ 4 files changed, 49 insertions(+), 13 deletions(-) diff --git a/pkg/dependency/parser/nodejs/pnpm/parse.go b/pkg/dependency/parser/nodejs/pnpm/parse.go index 8ccf9de0ae9a..6f85411f40d0 100644 --- a/pkg/dependency/parser/nodejs/pnpm/parse.go +++ b/pkg/dependency/parser/nodejs/pnpm/parse.go @@ -37,15 +37,11 @@ type LockFile struct { Packages map[string]PackageInfo `yaml:"packages,omitempty"` // V9 - Importers Importer `yaml:"importers,omitempty"` + Importers map[string]Importer `yaml:"importers,omitempty"` Snapshots map[string]Snapshot `yaml:"snapshots,omitempty"` } type Importer struct { - Root RootImporter `yaml:".,omitempty"` -} - -type RootImporter struct { Dependencies map[string]ImporterDepVersion `yaml:"dependencies,omitempty"` DevDependencies map[string]ImporterDepVersion `yaml:"devDependencies,omitempty"` } @@ -167,6 +163,18 @@ func (p *Parser) parseV9(lockFile LockFile) ([]ftypes.Package, []ftypes.Dependen } + // Parse `Importers` to find all direct dependencies + devDeps := make(map[string]string) + deps := make(map[string]string) + for _, importer := range lockFile.Importers { + for n, v := range importer.DevDependencies { + devDeps[n] = v.Version + } + for n, v := range importer.Dependencies { + deps[n] = v.Version + } + } + for depPath, pkgInfo := range lockFile.Packages { name, ver, ref := p.parseDepPath(depPath, lockVer) parsedVer := p.parseVersion(depPath, ver, lockVer) 
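Review bot: The new `Importers` field and the `Importer` type carry no doc comment, even though the map key now drives how the parser classifies direct dependencies. A field comment such as `// Importers maps each importer path (the root package is "."; workspace packages use their directory, e.g. "subdir") to its direct and dev dependencies.` would record what the key means; the "." value is taken from the removed `yaml:".,omitempty"` tag and "subdir" from the updated testdata, so confirm both against the pnpm lockfile format before committing to the wording. The enclosing `LockFile` struct starts outside the hunk.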
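Review bot: `devDeps[n] = v.Version` and `deps[n] = v.Version` keep only the last version seen for a name, so when two importers pin different versions of the same package (a normal workspace situation) only one of them matches as direct in the later hunk of this file (`@@ -179,10 +187,10`), and because `lockFile.Importers` is a map the winner changes between runs; the loser keeps `dev = true`, which can hide a production dependency from a scan that excludes dev packages. Collecting every version per name as below, and comparing with `if slices.Contains(devDeps[name], ver) {` and `if slices.Contains(deps[name], ver) {` in that later hunk, makes the classification complete and deterministic (`slices` is Go 1.21+ and needs importing if the file does not already). Trimming peer-dependency suffixes once at collection time is equivalent to the existing `p.trimPeerDeps(v, lockVer) == ver` comparison and drops the repeated calls inside the package loop. `parseV9` begins and ends outside the hunk.
```go
	// Parse `Importers` to find all direct dependencies.
	// Different importers may pin different versions of one package, so keep
	// every version per name; the iteration order of the map must not matter.
	devDeps := make(map[string][]string)
	deps := make(map[string][]string)
	for _, importer := range lockFile.Importers {
		for n, v := range importer.DevDependencies {
			devDeps[n] = append(devDeps[n], p.trimPeerDeps(v.Version, lockVer))
		}
		for n, v := range importer.Dependencies {
			deps[n] = append(deps[n], p.trimPeerDeps(v.Version, lockVer))
		}
	}
	// … unchanged: loop over lockFile.Packages …
```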
@@ -179,10 +187,10 @@ func (p *Parser) parseV9(lockFile LockFile) ([]ftypes.Package, []ftypes.Dependen // We will update `Dev` field later. dev := true relationship := ftypes.RelationshipIndirect - if dep, ok := lockFile.Importers.Root.DevDependencies[name]; ok && dep.Version == ver { + if v, ok := devDeps[name]; ok && p.trimPeerDeps(v, lockVer) == ver { relationship = ftypes.RelationshipDirect } - if dep, ok := lockFile.Importers.Root.Dependencies[name]; ok && p.trimPeerDeps(dep.Version, lockVer) == ver { + if v, ok := deps[name]; ok && p.trimPeerDeps(v, lockVer) == ver { relationship = ftypes.RelationshipDirect dev = false // mark root direct deps to update `dev` field of their child deps. } diff --git a/pkg/dependency/parser/nodejs/pnpm/parse_test.go b/pkg/dependency/parser/nodejs/pnpm/parse_test.go index ec869d6ff492..ebdfe0e2442f 100644 --- a/pkg/dependency/parser/nodejs/pnpm/parse_test.go +++ b/pkg/dependency/parser/nodejs/pnpm/parse_test.go @@ -59,12 +59,6 @@ func TestParse(t *testing.T) { want: pnpmV9, wantDeps: pnpmV9Deps, }, - { - name: "v9", - file: "testdata/pnpm-lock_v9.yaml", - want: pnpmV9, - wantDeps: pnpmV9Deps, - }, { name: "v9 with cyclic dependencies import", file: "testdata/pnpm-lock_v9_cyclic_import.yaml", diff --git a/pkg/dependency/parser/nodejs/pnpm/parse_testcase.go b/pkg/dependency/parser/nodejs/pnpm/parse_testcase.go index 3c9383bd1e25..5649a9325559 100644 --- a/pkg/dependency/parser/nodejs/pnpm/parse_testcase.go +++ b/pkg/dependency/parser/nodejs/pnpm/parse_testcase.go @@ -752,6 +752,13 @@ var ( Version: "0.4.0", Relationship: ftypes.RelationshipIndirect, }, + { + ID: "await-sleep@0.0.1", + Name: "await-sleep", + Version: "0.0.1", + Dev: true, + Relationship: ftypes.RelationshipDirect, + }, { ID: "debug@4.3.4", Name: "debug", 
@@ -843,6 +850,12 @@ var ( Version: "8.1.0", Relationship: ftypes.RelationshipDirect, }, + { + ID: "sleep-utils@1.0.3", + Name: "sleep-utils", + Version: "1.0.3", + Relationship: ftypes.RelationshipDirect, + }, { ID: "statuses@1.4.0", Name: "statuses", diff --git a/pkg/dependency/parser/nodejs/pnpm/testdata/pnpm-lock_v9.yaml b/pkg/dependency/parser/nodejs/pnpm/testdata/pnpm-lock_v9.yaml index 12a61f02b79a..ef8a229a3c88 100644 --- a/pkg/dependency/parser/nodejs/pnpm/testdata/pnpm-lock_v9.yaml +++ b/pkg/dependency/parser/nodejs/pnpm/testdata/pnpm-lock_v9.yaml @@ -40,6 +40,17 @@ importers: specifier: 2.0.0 version: 2.0.0 + subdir: + dependencies: + sleep-utils: + specifier: 1.0.3 + version: 1.0.3 + + devDependencies: + await-sleep: + specifier: ^0.0.1 + version: 0.0.1 + packages: '@babel/helper-string-parser@7.24.1': @@ -52,6 +63,9 @@ packages: asynckit@0.4.0: resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==} + await-sleep@0.0.1: + resolution: {integrity: sha512-H3X3eAxwGpeNIk/yvFOs8g7500Q1YvzrxjSC9TNgLGtjrMFxPwhDdcT34QNs2iGWpZ+5WKkMJdjDoYs+Sw+TaA==} + debug@4.3.4: resolution: {integrity: sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==} engines: {node: '>=6.0'} @@ -117,6 +131,9 @@ packages: promise@8.1.0: resolution: {integrity: sha512-W04AqnILOL/sPRXziNicCjSNRruLAuIHEOVBazepu0545DDNGYHz7ar9ZgZ1fMU8/MA4mVxp5rkBWRi6OXIy3Q==} + sleep-utils@1.0.3: + resolution: {integrity: sha512-uJW7WDHISE1zJIdvoIewcdmis3pBvJhM30rni2gH7fHhV1NkTWLKw3J6CPRFdg3h+rFChFHzAgbkCKUErd4s8Q==} + statuses@1.4.0: resolution: {integrity: sha512-zhSCtt8v2NDrRlPQpCNtw/heZLtfUDqxBM1udqikb/Hbk52LK4nQSwr10u77iopCW5LsyHpuXS0GnEc48mLeew==} engines: {node: '>= 0.6'} @@ -134,6 +151,8 @@ snapshots: asynckit@0.4.0: {} + await-sleep@0.0.1: {} + debug@4.3.4(supports-color@8.1.1): dependencies: ms: 2.0.0 
@@ -186,6 +205,8 @@ snapshots: optionalDependencies: asap: 2.0.6 + sleep-utils@1.0.3: {} + statuses@1.4.0: {} unpipe@1.0.0: {}