NPM package-lock.json version 3
What would you like to be added:
Add support for parsing package-lock.json version 3.
Why is this needed: There is an incompatible change from versions 1 and 2 which Syft should support.
Additional context: Version 1 has a structure like:

```json
"dependencies": {
  "@types/prop-types": {
    "version": "15.7.5",
    "resolved": "https://registry.npmjs.org/@types/prop-types/-/prop-types-15.7.5.tgz",
    "integrity": "sha1-XxnSuFqY6VWANvajysyIGUIPBc8="
  },
```
Version 2 added a duplication of data under the `packages` field, and version 3 removes the `dependencies` field altogether, with a structure like:

```json
"packages": {
  "node_modules/@types/prop-types": {
    "version": "15.7.5",
    "resolved": "https://registry.npmjs.org/@types/prop-types/-/prop-types-15.7.5.tgz",
    "integrity": "sha1-XxnSuFqY6VWANvajysyIGUIPBc8=",
    "license": "MIT"
  },
```
See the NPM docs here: https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json
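A parser that handles both layouts, as an added example and not Syft's own code: v1/v2 `dependencies` keys are package names with nesting as a sub-tree, while v2/v3 `packages` keys are install paths with nesting encoded in the path, so the package name must be taken from after the last `node_modules/`. The sample lockfiles and package names below are constructed for the example.

```python
import json
from typing import Iterator

# Constructed sample lockfiles (not from the issue or Syft's test data): the same
# three packages expressed as a v1 "dependencies" tree and as a v3 "packages" map.
V1_LOCK = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "@types/prop-types": {"version": "15.7.5", "integrity": "sha1-XxnSuFqY6VWANvajysyIGUIPBc8="},
        "a": {"version": "1.0.0", "dependencies": {"b": {"version": "2.0.0"}}},
    },
})
V3_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "0.1.0"},
        "node_modules/@types/prop-types": {"version": "15.7.5", "license": "MIT",
                                           "integrity": "sha1-XxnSuFqY6VWANvajysyIGUIPBc8="},
        "node_modules/a": {"version": "1.0.0"},
        "node_modules/a/node_modules/b": {"version": "2.0.0"},
    },
})

def _record(name: str, meta: dict) -> dict:
    return {"name": name, "version": meta.get("version"),
            "resolved": meta.get("resolved"), "integrity": meta.get("integrity")}

def _walk_dependencies(deps: dict) -> Iterator[dict]:
    """v1/v2 'dependencies': keys are package names; nesting is a sub-tree."""
    for name, meta in deps.items():
        yield _record(name, meta)
        yield from _walk_dependencies(meta.get("dependencies", {}))

def _walk_packages(pkgs: dict) -> Iterator[dict]:
    """v2/v3 'packages': keys are install paths; nesting is encoded in the path."""
    for path, meta in pkgs.items():
        if path == "" or meta.get("link"):
            continue  # "" is the root project itself; link entries point at workspaces
        # Name is whatever follows the last "node_modules/", so scoped names survive.
        yield _record(path.rpartition("node_modules/")[2], meta)

def parse_package_lock(text: str) -> list[dict]:
    """Return one record per installed package, whichever lockfile version was given."""
    lock = json.loads(text)
    version = lock.get("lockfileVersion", 1)
    if version >= 2 and "packages" in lock:     # v3 has only this field; v2 has both
        records = _walk_packages(lock["packages"])
    elif "dependencies" in lock:               # v1, or a v2 file read the old way
        records = _walk_dependencies(lock["dependencies"])
    else:
        raise ValueError(f"package-lock.json v{version} has neither 'packages' nor 'dependencies'")
    return sorted(records, key=lambda r: (r["name"], r["version"] or ""))
```

Both samples yield the same (name, version) list, which is the property a v3-aware cataloger should preserve relative to the v1 parser.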