From 1cafe6e4bf6e8a32dea9e264d2dbfc9e8922a0f4 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 1 Feb 2024 15:27:30 +0600 Subject: [PATCH 1/2] fix(pnpm): use `Name` and `Version` fields if present --- pkg/nodejs/pnpm/parse.go | 9 ++++----- pkg/nodejs/pnpm/parse_testcase.go | 13 +++++++++++++ .../pnpm/testdata/pnpm-lock_archives.yaml | 17 ++++++++++++++++- 3 files changed, 33 insertions(+), 6 deletions(-) diff --git a/pkg/nodejs/pnpm/parse.go b/pkg/nodejs/pnpm/parse.go index e9180d82..cdf9a33b 100644 --- a/pkg/nodejs/pnpm/parse.go +++ b/pkg/nodejs/pnpm/parse.go @@ -71,14 +71,13 @@ func (p *Parser) parse(lockVer float64, lockFile LockFile) ([]types.Library, []t continue } - // Packages from tarball have `name` and `version` fields. - // cf. https://github.com/pnpm/spec/blob/ad27a225f81d9215becadfa540ef05fa4ad6dd60/lockfile/5.2.md#packagesdependencypathname + // There is cases when `depPath` doesn't contain name ad version of dependency + // e.g. packages installed from local directory or tarball + // cf. https://github.com/pnpm/spec/blob/274ff02de23376ad59773a9f25ecfedd03a41f64/lockfile/6.0.md#packagesdependencypathname name := info.Name version := info.Version - // Other packages don't have these fields. - // Parse `dependencyPath` to determine name and version. - if info.Resolution.Tarball == "" { + if name == "" { name, version = parsePackage(depPath, lockVer) } pkgID := p.ID(name, version) diff --git a/pkg/nodejs/pnpm/parse_testcase.go b/pkg/nodejs/pnpm/parse_testcase.go index b8c3bf5f..b8aa4d5d 100644 --- a/pkg/nodejs/pnpm/parse_testcase.go +++ b/pkg/nodejs/pnpm/parse_testcase.go @@ -147,16 +147,25 @@ var ( // npm pack // mkdir -p /app/foo/bar && cd /app // cp /temp/node_modules/lodash/lodash-4.17.21.tgz /app/foo/bar/lodash.tgz + // npm init -y // npm install ./foo/bar/lodash.tgz + // mkdir package1 && cd package1 + // npm init -y + // npm install asynckit@0.4.0 + // cd .. + // npm install ./package1 // pnpm update // pnpm add https://github.com/debug-js/debug/tarball/4.3.4 // pnpm add https://codeload.github.com/zkochan/is-negative/tar.gz/2fa0531ab04e300a24ef4fd7fb3a280eccb7ccc5 // pnpm list --prod --depth 10 | grep -E -o "\S+\s+[0-9]+(\.[0-9]+)+$" | awk '{printf("{ID: \""$1"@"$2"\", Name: \""$1"\", Version: \""$2"\", Indirect: false},\n")}' | sort -u + // manually update `Indirect` fields pnpmArchives = []types.Library{ + {ID: "asynckit@0.4.0", Name: "asynckit", Version: "0.4.0", Indirect: true}, {ID: "debug@4.3.4", Name: "debug", Version: "4.3.4", Indirect: false}, {ID: "is-negative@2.0.1", Name: "is-negative", Version: "2.0.1", Indirect: false}, {ID: "lodash@4.17.21", Name: "lodash", Version: "4.17.21", Indirect: false}, {ID: "ms@2.1.2", Name: "ms", Version: "2.1.2", Indirect: true}, + {ID: "package1@1.0.0", Name: "package1", Version: "1.0.0", Indirect: false}, } pnpmArchivesDeps = []types.Dependency{ @@ -164,6 +173,10 @@ var ( ID: "debug@4.3.4", DependsOn: []string{"ms@2.1.2"}, }, + { + ID: "package1@1.0.0", + DependsOn: []string{"asynckit@0.4.0"}, + }, } // docker run --name node --rm -it node@sha256:710a2c192ca426e03e4f3ec1869e5c29db855eb6969b74e6c50fd270ffccd3f1 sh diff --git a/pkg/nodejs/pnpm/testdata/pnpm-lock_archives.yaml b/pkg/nodejs/pnpm/testdata/pnpm-lock_archives.yaml index 3dc79c79..7d7ae2fc 100644 --- a/pkg/nodejs/pnpm/testdata/pnpm-lock_archives.yaml +++ b/pkg/nodejs/pnpm/testdata/pnpm-lock_archives.yaml @@ -10,9 +10,16 @@ dependencies: lodash: specifier: file:foo/bar/lodash.tgz version: file:foo/bar/lodash.tgz + package1: + specifier: file:package1 + version: file:package1 packages: + /asynckit@0.4.0: + resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==} + dev: false + /ms@2.1.2: resolution: {integrity: sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==} dev: false @@ -42,4 +49,12 @@ packages: resolution: {integrity: sha512-fPftOkGbplay6FszUHWPJ8wV7liS+n2gB/UVN0Wv4G71KJWx+8trhGYsbekWqz6TTzkKur67bAdSIIccmKIyLA==, tarball: file:foo/bar/lodash.tgz} name: lodash version: 4.17.21 - dev: false \ No newline at end of file + dev: false + + file:package1: + resolution: {directory: package1, type: directory} + name: package1 + version: 1.0.0 + dependencies: + asynckit: 0.4.0 + dev: false From bf6b8c42e5f81aa398f61e671654423eabc1e2f9 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Thu, 1 Feb 2024 15:49:03 +0600 Subject: [PATCH 2/2] refactor: update comments --- pkg/nodejs/pnpm/parse.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/nodejs/pnpm/parse.go b/pkg/nodejs/pnpm/parse.go index cdf9a33b..59a386c6 100644 --- a/pkg/nodejs/pnpm/parse.go +++ b/pkg/nodejs/pnpm/parse.go @@ -71,7 +71,7 @@ func (p *Parser) parse(lockVer float64, lockFile LockFile) ([]types.Library, []t continue } - // There is cases when `depPath` doesn't contain name ad version of dependency + // Dependency name may be present in dependencyPath or Name field. Same for Version. // e.g. packages installed from local directory or tarball // cf. https://github.com/pnpm/spec/blob/274ff02de23376ad59773a9f25ecfedd03a41f64/lockfile/6.0.md#packagesdependencypathname name := info.Name