Fossa-cli can't handle npm aliases
We need to scan an npm project containing a transient aliased dependency. The relevant part of the yarn.lock file looks like this:
monaco-languageclient@^2.1.0:
  version "2.1.0"
  resolved "https://registry.yarnpkg.com/monaco-languageclient/-/monaco-languageclient-2.1.0.tgz#4c69eeafb31003c9a2a5a5a0481e8cdae4a1c591"
  integrity sha512-Ps+G97MH8p/T7dk7NqJnDgub6x2+SiAmFR6rjUyJ2qdSGUNgg310bPD521rEPUTNKGfP7VwBggFjcnoGGCi0vg==
  dependencies:
    glob-to-regexp "0.4.1"
    vscode "npm:@codingame/monaco-vscode-api@~1.67.20"
    vscode-jsonrpc "8.0.2"
    vscode-languageclient "8.0.2"
    vscode-languageserver-textdocument "1.0.5"
    vscode-uri "3.0.3"
Note the @codingame/monaco-vscode-api package is aliased to vscode according to NPM docs.
The output from fossa analyze -o /path/to/app/src contains the following element in the projects[0].graph.deps array:
{
  "locations": [
    "https://registry.yarnpkg.com/@codingame/monaco-vscode-api/-/monaco-vscode-api-1.67.20.tgz"
  ],
  "name": "vscode",
  "tags": {},
  "type": "NodeJSType",
  "version": {
    "type": "EQUAL",
    "value": "1.67.20"
  }
}
This is obviously wrong (see the "name" attribute) and the dependency could not be parsed on fossa server:

The expected outcome from the fossa-cli should look like:
{
  "tags": {},
  "name": "@codingame/monaco-vscode-api",
  "type": "NodeJSType",
  "locations": [
    "https://registry.yarnpkg.com/@codingame/monaco-vscode-api/-/monaco-vscode-api-1.67.20.tgz"
  ],
  "version": {
    "type": "EQUAL",
    "value": "1.67.20"
  }
}
Checked with the latest fossa-cli 3.4.7.
Thank you for reporting this defect. I have been able to reproduce it and have added it as a work item in our internal backlog.
Reference: https://fossa.atlassian.net/browse/ANE-616
I or someone from the team will update this thread once the patch lands.
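The alias resolution the report asks for, as an added JavaScript example (not part of the original thread and not fossa-cli's code): it maps a yarn.lock dependency entry with an `npm:` alias to the package actually fetched and cross-checks a reported name against the tarball URL. The function names and the `<registry>/<name>/-/<file>.tgz` URL layout are assumptions drawn from the excerpt in the report.

```javascript
// Constructed sample, taken from the yarn.lock excerpt in the report.
const SAMPLE = [
  { key: "glob-to-regexp", value: "0.4.1" },
  { key: "vscode", value: "npm:@codingame/monaco-vscode-api@~1.67.20" },
];
const SAMPLE_LOCATION =
  "https://registry.yarnpkg.com/@codingame/monaco-vscode-api/-/monaco-vscode-api-1.67.20.tgz";

// Split "name@range"; a leading "@" belongs to the scope, not the range.
function splitNameAndRange(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) return { name: spec, range: null }; // no range given
  return { name: spec.slice(0, at), range: spec.slice(at + 1) };
}

// Map a lockfile dependency entry to the package actually fetched.
// `alias` keeps the local name so the aliasing stays visible in the report.
function resolveDependency(key, value) {
  if (!value.startsWith("npm:")) return { name: key, range: value, alias: null };
  const { name, range } = splitNameAndRange(value.slice("npm:".length));
  if (!name) throw new Error(`empty alias target for "${key}"`);
  return { name, range, alias: key };
}

function resolveAll(entries) {
  return entries.map((e) => resolveDependency(e.key, e.value));
}

// Package name as encoded in a registry tarball URL of the assumed form
// <registry>/<name>/-/<file>.tgz (the layout of the URLs in the report).
function nameFromTarballUrl(url) {
  const path = new URL(url).pathname;
  const cut = path.indexOf("/-/");
  if (cut < 0) return null; // not a registry tarball URL of this form
  return decodeURIComponent(path.slice(1, cut));
}

// Cross-check: does the name about to be reported match the tarball location?
function nameMatchesLocation(reportedName, url) {
  return nameFromTarballUrl(url) === reportedName;
}
```

Run against the sample, the alias key `vscode` fails the location cross-check while the resolved name `@codingame/monaco-vscode-api` passes, which is the mismatch visible in the reported output.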