NPM: The returned `ProjectAnalyzerResult` may contain `Packages` not assigned to any `Scope`
When analyzing a `package.json` with a dependency entry for `NPM::node:14.15.2`, `npm ci` or rather `npm install` leads to:

```
cat node_modules/node/package.json
{
  "name": "node",
  "version": "14.15.2",
  ...
  "dependencies": {
    "node-bin-setup": "^1.0.0"
  },
  ...
```

e.g. the "node" package only depends on "node-bin-setup". While the installed dependencies for "node" are just

```
ls -l node_modules/node/node_modules/
total 4
drwxrwxr-x 5 root root 4096 Jun 1 10:04 node-linux-x64
```

So, the result contains a package, `node-linux-x64`, which is not assigned to any scope.
As a consequence, such packages cannot be excluded.
In this case it seems to make sense to assign the package to its "physical" parent, e.g. the parent according to directory structure. Since, at least for Yarn, symlinks to module dirs may be involved, it may not be that straightforward to determine that "physical" parent.
Note: `npm list` doesn't list `node-linux-x64`.
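
The situation reported above, reproduced as an added example (not ORT's code and not part of the issue thread): it compares what is physically installed under `node_modules` with what is reachable from the root manifest through declared dependencies and Node-style lookup, and reports the remainder together with its directory parent. The function names, the `demo` root package and the reduced manifests are constructed assumptions; scoped packages, peer dependencies and symlinked layouts are left out.

```javascript
const fs = require('fs'), os = require('os'), path = require('path');
const readManifest = dir => JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8'));
const isPackage = dir => fs.existsSync(path.join(dir, 'package.json'));

// Every package directory physically present below pkgDir, nested node_modules included.
function installedPackages(pkgDir) {
  const nm = path.join(pkgDir, 'node_modules');
  if (!fs.existsSync(nm)) return [];
  return fs.readdirSync(nm).map(e => path.join(nm, e)).filter(isPackage)
    .flatMap(dir => [dir, ...installedPackages(dir)]);
}

// Node-style lookup: nearest node_modules/<name>, walking up from fromDir to root.
function resolveDep(name, fromDir, root) {
  for (let dir = fromDir; ; dir = path.dirname(dir)) {
    const hit = path.join(dir, 'node_modules', name);
    if (isPackage(hit)) return hit;
    if (dir === root || dir === path.dirname(dir)) return null;
  }
}

// Packages reachable from the root manifest by following declared dependencies only.
function declaredClosure(dir, root, seen = new Set()) {
  const m = readManifest(dir);
  const deps = { ...m.dependencies, ...m.optionalDependencies, ...(dir === root ? m.devDependencies : {}) };
  for (const name of Object.keys(deps)) {
    const hit = resolveDep(name, dir, root);
    if (hit && !seen.has(hit)) declaredClosure(hit, root, seen.add(hit));
  }
  return seen;
}

// Installed packages that no declared dependency leads to, with their directory parent.
function unassignedPackages(rootDir) {
  const root = fs.realpathSync(rootDir), seen = declaredClosure(root, root);
  return installedPackages(root).filter(d => !seen.has(d)).map(d => ({
    name: readManifest(d).name, physicalParent: readManifest(path.resolve(d, '..', '..')).name }));
}

// Constructed sample mirroring the layout in the report (manifests reduced to the fields used).
function buildSample() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'ort-scope-'));
  const put = (rel, m) => { fs.mkdirSync(path.join(root, rel), { recursive: true });
    fs.writeFileSync(path.join(root, rel, 'package.json'), JSON.stringify(m)); };
  put('.', { name: 'demo', dependencies: { node: '14.15.2' } });
  put('node_modules/node', { name: 'node', dependencies: { 'node-bin-setup': '^1.0.0' } });
  put('node_modules/node-bin-setup', { name: 'node-bin-setup' });
  put('node_modules/node/node_modules/node-linux-x64', { name: 'node-linux-x64' });
  return root;
}
console.log(unassignedPackages(buildSample()));
```
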
Is in this case `node-bin-setup` just a (non-platform-specific) alias for a platform-specific package (`node-linux-x64` in your case)?

> Is in this case `node-bin-setup` just a (non-platform-specific) alias for a platform-specific package (`node-linux-x64` in your case)?

Ping @fviernau!
And is this still valid after all the dependency graph changes?

> And is this still valid after all the dependency graph changes?

Haven't checked it.
@fviernau, do we want to keep this open for investigation at some point in time, or should we close it and only reopen if we come across the issue again?
Let's re-open when we come across the issue again.