
NPM lockfile 3 ignores optional dependencies

Open · melotic opened this issue 2 years ago · 1 comment

Given a lock file entry like this:

"node_modules/minipass-fetch": {
  "version": "1.4.1",
  "resolved": "https://registry.npmjs.org/minipass-fetch/-/minipass-fetch-1.4.1.tgz",
  "integrity": "sha512-CGH1eblLq26Y15+Azk7ey4xh0J/XfJfrCox5LDJiKqI2Q2iwOLOKrlmIaODiSQS8d18jalF6y2K2ePUm0CmShw==",
  "optional": true,
  "dependencies": {
    "minipass": "^3.1.0",
    "minipass-sized": "^1.0.3",
    "minizlib": "^2.0.0"
  },
  "engines": {
    "node": ">=8"
  },
  "optionalDependencies": {
    "encoding": "^0.1.12"
  }
}

The lock file v3 detector will not traverse into optionalDependencies and recursively detect those components.

For instance, encoding has a dependency on iconv-lite:

"node_modules/encoding": {
  "version": "0.1.13",
  "resolved": "https://registry.npmjs.org/encoding/-/encoding-0.1.13.tgz",
  "integrity": "sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==",
  "optional": true,
  "dependencies": {
    "iconv-lite": "^0.6.2"
  }
}

and these are not recorded, as proved by detector experiments:

{
  "AddedIds": [],
  "RemovedIds": [
    "encoding 0.1.13 - Npm",
    "component-detection 0.0.0 - Npm",
    "iconv-lite 0.6.3 - Npm"
  ],
  "DevelopmentDependencyChanges": [],
  "AddedRootIds": {},
  "RemovedRootIds": {}
}

melotic avatar May 08 '23 16:05 melotic
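To make the missed-edge behaviour concrete, here is an added JavaScript walker over a lockfileVersion 3 `packages` map. It is not code from the issue or from component-detection (which is written in C#); the lockfile below is constructed for the example and is modelled on the minipass-fetch / encoding / iconv-lite entries above, with iconv-lite nested under encoding so that the npm "nearest enclosing node_modules" lookup is exercised. The function names `resolveDep`, `collectComponents` and `missedByIgnoringOptional` are the example's own. Running `collectComponents` with and without `optionalDependencies` edges and diffing the two sets reproduces the kind of "RemovedIds" list the detector experiment reported.

```javascript
// Constructed package-lock.json v3 fragment (not a real lockfile). In v3 the
// graph lives in "packages", keyed by install path; "" is the project root.
const sampleLock = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "0.0.0", dependencies: { "minipass-fetch": "^1.4.1" } },
    "node_modules/minipass-fetch": {
      version: "1.4.1",
      dependencies: { minipass: "^3.1.0" },
      optionalDependencies: { encoding: "^0.1.12" }, // the edge the detector skipped
    },
    "node_modules/minipass": { version: "3.3.6", dependencies: { yallist: "^4.0.0" } },
    "node_modules/yallist": { version: "4.0.0" },
    "node_modules/encoding": { version: "0.1.13", optional: true, dependencies: { "iconv-lite": "^0.6.2" } },
    // nested install: only reachable from encoding, so the resolver must look here first
    "node_modules/encoding/node_modules/iconv-lite": {
      version: "0.6.3", optional: true, dependencies: { "safer-buffer": ">= 2.1.2 < 3.0.0" },
    },
    "node_modules/safer-buffer": { version: "2.1.2", optional: true },
  },
};

// Package name is everything after the last "node_modules/" (keeps "@scope/name" intact).
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// npm resolution: try <fromPath>/node_modules/<dep>, then walk up one
// node_modules level at a time until the top-level node_modules is reached.
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Walk the graph from the root. With includeOptional=false this mirrors the
// detector behaviour described in the issue: "optionalDependencies" edges are
// never followed, so anything only reachable through them is never recorded.
function collectComponents(lock, { includeOptional }) {
  const packages = lock.packages;
  const seen = new Set([""]);
  const unresolved = [];
  const stack = [""];
  while (stack.length > 0) {
    const path = stack.pop();
    const entry = packages[path];
    const edges = Object.keys(entry.dependencies || {});
    if (includeOptional) edges.push(...Object.keys(entry.optionalDependencies || {}));
    for (const depName of edges) {
      const target = resolveDep(packages, path, depName);
      if (target === null) {
        // A lockfile normally records optional deps even when they are not
        // installed; record the gap instead of throwing so the walk continues.
        unresolved.push(`${depName} (from ${path || "<root>"})`);
        continue;
      }
      if (!seen.has(target)) {
        seen.add(target);
        stack.push(target);
      }
    }
  }
  const components = [...seen]
    .filter((p) => p !== "")
    .map((p) => `${nameFromPath(p)} ${packages[p].version}`)
    .sort();
  return { components, unresolved };
}

// Components that a walker ignoring optionalDependencies silently drops.
function missedByIgnoringOptional(lock) {
  const full = collectComponents(lock, { includeOptional: true }).components;
  const partial = new Set(collectComponents(lock, { includeOptional: false }).components);
  return full.filter((id) => !partial.has(id));
}
```

On the constructed lockfile, `missedByIgnoringOptional(sampleLock)` returns encoding 0.1.13, iconv-lite 0.6.3 and safer-buffer 2.1.2: the whole optional subtree, not only the directly optional package, which is why the transitive iconv-lite shows up in the detector's RemovedIds alongside encoding. Note that an entry's own `"optional": true` flag is a property of the node, while the missing traversal is a property of the edge; a fix has to follow the `optionalDependencies` map, not just read the flag.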

This issue is also valid for the lockfile 2 detector (NpmDetectorWithRoots).

RushabhBhansali avatar Mar 13 '24 20:03 RushabhBhansali

Closed with merging of #1030

cobya avatar May 15 '24 18:05 cobya