osv-scanner icon indicating copy to clipboard operation
osv-scanner copied to clipboard

Published 20 hours ago verified publisher icon google

Ignoring group "dev" deps not working for pnpm

Open jayvdb opened this issue 1 year ago • 9 comments

I have the following config

[[PackageOverrides]]
group = "dev"
license.ignore = true

When I run osv-scanner --experimental-licenses-summary pnpm-lock.yaml , the summary contains the same list as when I run it without that config.

And when running with --experimental-licenses MIT,ISC,Apache-2.0,.. I see failures in dev dependencies.

jayvdb avatar Oct 05 '24 22:10 jayvdb

I noticed when putting in a set of [[PackageOverrides]] explicitly mentioning npm packages, that I needed to remove group = "dev" for the license checker to whitelist them. So maybe this a generic npm "dev" problem, or user error/understanding.

jayvdb avatar Oct 06 '24 00:10 jayvdb

I assume you're using the latest pnpm whose lockfile version no longer marks dev dependencies as such, so currently the scanner has to assume all dependencies are in no groups.

The main path to improving this is supporting extracting information from supporting files (which in this case would be package.json), whichll hopefully be worked on soon after the upcoming V2.

There's an issue open for that if you search (I'm on mobile and can't remember the number off hand 😅)

G-Rath avatar Oct 06 '24 00:10 G-Rath

We are using lock 9.0 , which you added support for in https://github.com/google/osv-scanner/pull/934

It does separate prod vs dev


importers:

  .:
    dependencies:
      '@...':
    devDependencies:
      '@...':

I looked again and didnt find any issues or PRs about it.

jayvdb avatar Oct 06 '24 01:10 jayvdb

It does separate prod vs dev

I'm 98% sure that only holds direct dependencies, which is why I didn't try implementing support for it (and eluded to that in my pr) - afaik the lockfile does not provide enough information on its own about the dependency tree to be able to accurately construct "grouped" trees.

I believe this is the sort of thing we might be able to use e.g. deps.dev to look up but given the average number of packages in a npm project I don't think we're structured in a way for that to be efficient in v1.

(Frankly though I think this will still be a problem after we support including package.json, for that underlying reason, but being able to support that will represent an important underlying API change that should make it easier to do other stuff like talk with APIs...)

(After looking back over my paper notes & the pnpm codebase, looks like it might be possible to rebuild the tree manually using all the info in the lockfile, but I mean all the info including parsing the dependency qualifiers - I really wish they'd publish a proper spec or kept the dev field 😵‍💫)

G-Rath avatar Oct 06 '24 02:10 G-Rath

You want #416 & #654

G-Rath avatar Oct 06 '24 02:10 G-Rath

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

github-actions[bot] avatar Dec 05 '24 03:12 github-actions[bot]

I am pretty confident the full dependencies tree , and the full devDependency tree of the projects in the workspace. devDependencies of the dependencies are of course omitted.

jayvdb avatar Dec 05 '24 03:12 jayvdb

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

github-actions[bot] avatar Feb 03 '25 05:02 github-actions[bot]

Confirmed this is still occurring for me.

jayvdb avatar Sep 08 '25 03:09 jayvdb