Fix package-lock.json lockfile parsing failures (#1467)

This fixes an issue where the lockfile parser for JavaScript's `package-lock.json` was too restrictive and would fail parsing valid lockfiles. As a solution all packages without explicit `resolved` field are now ignored, since these are the only packages we're capable of analyzing anyway.
phylum-dev · Jul 8, 2024 · b8373c8 · b8373c8
1 parent 1239431
commit b8373c8
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## Unreleased
 
+### Fixed
+
+- `package-lock.json` parsing failing for dependencies without `resolved` field
+
 ## 6.6.4 - 2024-06-27
 
 ### Fixed

diff --git a/lockfile/src/javascript.rs b/lockfile/src/javascript.rs
@@ -12,6 +12,7 @@ use lockfile_generator::pnpm::Pnpm as PnpmGenerator;
 use lockfile_generator::yarn::Yarn as YarnGenerator;
 #[cfg(feature = "generator")]
 use lockfile_generator::Generator;
+use log::debug;
 use nom::error::convert_error;
 use nom::Finish;
 use phylum_types::types::package::PackageType;
@@ -67,19 +68,15 @@ impl Parse for PackageLock {
                     None => continue,
                 };
 
-                // Ignore bundled dependencies.
-                if keys.get("inBundle").is_some() {
-                    continue;
-                }
-
-                // Ignore extraneous dependencies.
-                if keys.get("extraneous").is_some() {
-                    continue;
-                }
-
                 // Get dependency type.
-                let resolved = get_field(keys, "resolved")
-                    .ok_or_else(|| anyhow!("Dependency '{name}' is missing \"resolved\" key"))?;
+                let resolved = match get_field(keys, "resolved") {
+                    Some(resolved) => resolved,
+                    // Ignore packages without clear resolution details.
+                    None => {
+                        debug!("ignoring package without `resolved` field: {name}");
+                        continue;
+                    },
+                };
 
                 // Handle aliased dependencies.
                 let name = get_field(keys, "name").unwrap_or_else(|| name.into());

diff --git a/tests/fixtures/package-lock.json b/tests/fixtures/package-lock.json