npm workspaces are not supported properly
Env: Node.js 16.x + npm 8.x. The repository is a monorepo with multiple npm projects. The root npm project is configured to use workspaces, so only the root project has a package-lock.json file; the sub-projects have only package.json files. Due to the workspaces feature, some dependencies are installed into the root node_modules and others into the sub-projects' node_modules.
After running fossa analyze, the result is mixed. It reports some deep dependencies as direct dependencies, and some deep dependencies are not reported at all.
Based on the report, the deep dependencies of the sub-projects are not properly analyzed. The sub-projects have only a package.json and 1-2 modules in their node_modules; all other dependencies are installed in the root and reported in the root package-lock.json.
Hi @zenonhun, we recently added a few fixes for scanning npm projects that touched on how we handle workspaces as well. Can you try rescanning this project with the latest version of the FOSSA CLI and let us know if the issue you see persists?
Hi @zlav, it is improved, but there is still an issue. Now I had time to create a minimalistic setup:
In this example there is a root project and a sub-project, and the result changes depending on whether the root project has a devDependency.
In this example the "winston" dependency has a deep dependency called "kuler", and it is found or not found depending on the root project's devDependencies.
So issuing the command "fossa analyze --output | grep kuler" gives a different result, although it shouldn't.
And it is not the only missing dependency, just an example.
Using node 16.15.0, npm 8.5.5. Fossa 3.2.15.
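The following is an added example, not FOSSA code and not from the issue author. It builds the dependency set a scanner should report for one workspace from a lockfile v2/v3 "packages" map, resolving each name the way Node does (the package's own node_modules first, then each parent directory's node_modules), so packages hoisted into the root node_modules are still credited to the workspace that pulls them in, and the result does not depend on the root's devDependencies. The lockfile is constructed inline; the winston -> @dabh/diagnostics -> kuler chain mirrors the issue, and all versions and the nested safe-stable-stringify conflict are illustrative.

```javascript
"use strict";

// Constructed lockfile (not a real one) for a root with a single workspace.
const LOCKFILE = {
  name: "root",
  lockfileVersion: 2,
  packages: {
    "": { name: "root", workspaces: ["packages/*"], devDependencies: { jest: "^29.0.0" } },
    "node_modules/sub": { resolved: "packages/sub", link: true }, // workspace symlink
    "packages/sub": {
      name: "sub", version: "1.0.0",
      dependencies: { winston: "^3.8.0", "safe-stable-stringify": "^1.0.0" },
    },
    // hoisted into the root node_modules by npm workspaces
    "node_modules/winston": { version: "3.8.2", dependencies: { "@dabh/diagnostics": "^2.0.2", "safe-stable-stringify": "^2.3.1" } },
    "node_modules/@dabh/diagnostics": { version: "2.0.3", dependencies: { colorspace: "1.1.x", kuler: "^2.0.0" } },
    "node_modules/colorspace": { version: "1.1.4" },
    "node_modules/kuler": { version: "2.0.0" },
    "node_modules/safe-stable-stringify": { version: "2.4.3" },
    // version conflict: the workspace wants 1.x, so its own copy is nested
    "packages/sub/node_modules/safe-stable-stringify": { version: "1.1.1" },
    "node_modules/jest": { version: "29.7.0", dev: true },
  },
};

// Node-style lookup: <dir>/node_modules/<name>, then walk toward the root.
function resolveFrom(packages, fromDir, name) {
  let dir = fromDir;
  for (;;) {
    const candidate = (dir === "" ? "" : dir + "/") + "node_modules/" + name;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (dir === "") return null;
    const cut = dir.lastIndexOf("/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Breadth-first walk over dependencies and optionalDependencies. devDependencies
// are followed only for the starting package itself, and only when requested.
function transitiveDeps(lockfile, startDir, { includeDev = false } = {}) {
  const packages = lockfile.packages;
  const found = [];
  const seen = new Set([startDir]);
  const queue = [{ dir: startDir, depth: 0 }];
  while (queue.length > 0) {
    const { dir, depth } = queue.shift();
    const entry = packages[dir] || {};
    const specs = {
      ...(entry.dependencies || {}),
      ...(entry.optionalDependencies || {}),
      ...(depth === 0 && includeDev ? entry.devDependencies || {} : {}),
    };
    for (const name of Object.keys(specs).sort()) {
      let path = resolveFrom(packages, dir, name);
      if (path === null) {
        found.push({ name, version: null, path: null, direct: depth === 0 });
        continue;
      }
      if (packages[path].link) path = packages[path].resolved; // follow workspace link
      if (seen.has(path)) continue;
      seen.add(path);
      found.push({ name, version: packages[path].version || null, path, direct: depth === 0 });
      queue.push({ dir: path, depth: depth + 1 });
    }
  }
  return found;
}

// Sorted "name@version" lines, suitable for diffing against a scanner's report.
function expectedSpecs(lockfile, startDir, opts) {
  return transitiveDeps(lockfile, startDir, opts).map((d) => `${d.name}@${d.version}`).sort();
}

// Same lockfile with the root's devDependencies stripped; the workspace's
// expected set must be identical with or without them.
function withoutRootDev(lockfile) {
  const copy = JSON.parse(JSON.stringify(lockfile));
  delete copy.packages[""].devDependencies;
  delete copy.packages["node_modules/jest"];
  return copy;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(expectedSpecs(LOCKFILE, "packages/sub").join("\n"));
}
```

Run it with `node` to print the six name@version lines the workspace should yield; any line missing from `fossa analyze --output` for that target, or any deep entry such as kuler listed as direct, is the discrepancy the issue describes. Feeding the real root package-lock.json into `transitiveDeps` instead of the constructed one gives the expected list for a live repository.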
I am seeing the same issue. I cannot get fossa list-targets to pick up all the workspaces, and if I target them directly the yarn.lock file will be missing and it will fail. Is there a workaround for this?
node: v16 fossa-cli: 3.6.4
@zlav can you confirm this is fixed or should be closed?