John Vandenberg

Results 2000 comments of John Vandenberg

Archived repos effectively can't receive bug reports. Even more so when the owner of the repo appears to have intentionally stopped all activity here, in which case it is preferable...

That isn't useful at the moment due to https://github.com/mozilla/rust-code-analysis/issues/1083. master fails to build. Nothing can be merged/done until that is fixed.

@marco-c, rebased. Anything else I need to do?

Oh sorry, my mistake, I am looking at the "target_sw" part of the CPE, not the "language". The third last part. From the spec

> 5.3.3.8 Target_SW
> Values for...

I noticed when putting in a set of `[[PackageOverrides]]` explicitly mentioning npm packages, that I needed to remove `group = "dev"` for the license checker to whitelist them. So maybe...

We are using lock 9.0, which you added support for in https://github.com/google/osv-scanner/pull/934

It does separate prod vs dev

```yaml
importers:
  .:
    dependencies:
      '@...':
    devDependencies:
      '@...':
```

I looked again...

I am pretty confident the full dependencies tree, and the full devDependency tree of the projects in the workspace. devDependencies of the dependencies are of course omitted.

Confirmed this is still occurring for me.

Is `--anything` a valid npm registry package name? `pnpx` users then have no help available?

There have been no code commits in the last four years when the latest version was released. i.e. only docs changes have been committed. And lots of simple PRs like...