fix: handle aliased packages in lockfiles for npm and yarn (#233)

* fix: handle aliased packages using NPM * test: add aliased cases for pnpm * fix: handle aliased packages using yarn
G-Rath · Nov 9, 2023 · 4f305b9 · 4f305b9
1 parent 962af1d
commit 4f305b9
Show file tree

Hide file tree

Showing 13 changed files with 403 additions and 16 deletions.
diff --git a/pkg/lockfile/fixtures/npm/with-aliases.v1.json b/pkg/lockfile/fixtures/npm/with-aliases.v1.json
@@ -0,0 +1,21 @@
+{
+  "requires": true,
+  "lockfileVersion": 1,
+  "dependencies": {
+    "ansi-regex": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz",
+      "integrity": "sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA=="
+    },
+    "ansi-regex-cjs": {
+      "version": "npm:[email protected]",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="
+    },
+    "babel-hvi": {
+      "version": "npm:@babel/[email protected]",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.20.tgz",
+      "integrity": "sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A=="
+    }
+  }
+}
diff --git a/pkg/lockfile/fixtures/npm/with-aliases.v2.json b/pkg/lockfile/fixtures/npm/with-aliases.v2.json
@@ -0,0 +1,45 @@
+{
+  "name": "my-library",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "my-library",
+      "dependencies": {
+        "ansi-regex": "^6.0.0",
+        "ansi-regex-cjs": "npm:ansi-regex@^5.0.0",
+        "babel-hvi": "npm:@babel/helper-validator-identifier@^7.0.0"
+      }
+    },
+    "node_modules/ansi-regex": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz",
+      "integrity": "sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA==",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-regex?sponsor=1"
+      }
+    },
+    "node_modules/ansi-regex-cjs": {
+      "name": "ansi-regex",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/babel-hvi": {
+      "name": "@babel/helper-validator-identifier",
+      "version": "7.22.20",
+      "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.20.tgz",
+      "integrity": "sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    }
+  },
+  "dependencies": {}
+}
diff --git a/pkg/lockfile/fixtures/pnpm/with-aliases-v6.yaml b/pkg/lockfile/fixtures/pnpm/with-aliases-v6.yaml
@@ -0,0 +1,33 @@
+lockfileVersion: '6.0'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false
+
+dependencies:
+  ansi-regex:
+    specifier: ^6.0.0
+    version: 6.0.1
+  ansi-regex-cjs:
+    specifier: npm:ansi-regex@^5.0.0
+    version: /[email protected]
+  babel-hvi:
+    specifier: npm:@babel/helper-validator-identifier@^7.0.0
+    version: /@babel/[email protected]
+
+packages:
+
+  /@babel/[email protected]:
+    resolution: {integrity: sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==}
+    engines: {node: '>=6.9.0'}
+    dev: false
+
+  /[email protected]:
+    resolution: {integrity: sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==}
+    engines: {node: '>=8'}
+    dev: false
+
+  /[email protected]:
+    resolution: {integrity: sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA==}
+    engines: {node: '>=12'}
+    dev: false
diff --git a/pkg/lockfile/fixtures/pnpm/with-aliases.yaml b/pkg/lockfile/fixtures/pnpm/with-aliases.yaml
@@ -0,0 +1,28 @@
+dependencies:
+  ansi-regex: 6.0.1
+  ansi-regex-cjs: /ansi-regex/5.0.1
+  babel-hvi: /@babel/helper-validator-identifier/7.22.20
+lockfileVersion: 5.2
+packages:
+  /@babel/helper-validator-identifier/7.22.20:
+    dev: false
+    engines:
+      node: '>=6.9.0'
+    resolution:
+      integrity: sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==
+  /ansi-regex/5.0.1:
+    dev: false
+    engines:
+      node: '>=8'
+    resolution:
+      integrity: sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==
+  /ansi-regex/6.0.1:
+    dev: false
+    engines:
+      node: '>=12'
+    resolution:
+      integrity: sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA==
+specifiers:
+  ansi-regex: ^6.0.0
+  ansi-regex-cjs: npm:ansi-regex@^5.0.0
+  babel-hvi: npm:@babel/helper-validator-identifier@^7.0.0
diff --git a/pkg/lockfile/fixtures/yarn/with-aliases.v1.lock b/pkg/lockfile/fixtures/yarn/with-aliases.v1.lock
@@ -0,0 +1,18 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+"ansi-regex-cjs@npm:ansi-regex@^5.0.0":
+  version "5.0.1"
+  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-5.0.1.tgz#082cb2c89c9fe8659a311a53bd6a4dc5301db304"
+  integrity sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==
+
+ansi-regex@^6.0.0:
+  version "6.0.1"
+  resolved "https://registry.yarnpkg.com/ansi-regex/-/ansi-regex-6.0.1.tgz#3183e38fae9a65d7cb5e53945cd5897d0260a06a"
+  integrity sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA==
+
+"babel-hvi@npm:@babel/helper-validator-identifier@^7.0.0":
+  version "7.22.20"
+  resolved "https://registry.yarnpkg.com/@babel/helper-validator-identifier/-/helper-validator-identifier-7.22.20.tgz#c4ae002c61d2879e724581d96665583dbc1dc0e0"
+  integrity sha512-Y4OZ+ytlatR8AI+8KZfKuL5urKp7qey08ha31L8b3BwewJAoJamTzyvxPR/5D+KkdJCGPq/+8TukHBlY10FX9A==
diff --git a/pkg/lockfile/fixtures/yarn/with-aliases.v2.lock b/pkg/lockfile/fixtures/yarn/with-aliases.v2.lock
@@ -0,0 +1,37 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 8
+  cacheKey: 10c0
+
+"ansi-regex-cjs@npm:ansi-regex@^5.0.0":
+  version: 5.0.1
+  resolution: "ansi-regex@npm:5.0.1"
+  checksum: 9a64bb8627b434ba9327b60c027742e5d17ac69277960d041898596271d992d4d52ba7267a63ca10232e29f6107fc8a835f6ce8d719b88c5f8493f8254813737
+  languageName: node
+  linkType: hard
+
+"ansi-regex@npm:^6.0.0":
+  version: 6.0.1
+  resolution: "ansi-regex@npm:6.0.1"
+  checksum: cbe16dbd2c6b2735d1df7976a7070dd277326434f0212f43abf6d87674095d247968209babdaad31bb00882fa68807256ba9be340eec2f1004de14ca75f52a08
+  languageName: node
+  linkType: hard
+
+"babel-hvi@npm:@babel/helper-validator-identifier@^7.0.0":
+  version: 7.22.20
+  resolution: "@babel/helper-validator-identifier@npm:7.22.20"
+  checksum: dcad63db345fb110e032de46c3688384b0008a42a4845180ce7cd62b1a9c0507a1bed727c4d1060ed1a03ae57b4d918570259f81724aaac1a5b776056f37504e
+  languageName: node
+  linkType: hard
+
+"mine@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "mine@workspace:."
+  dependencies:
+    ansi-regex: "npm:^6.0.0"
+    ansi-regex-cjs: "npm:ansi-regex@^5.0.0"
+    babel-hvi: "npm:@babel/helper-validator-identifier@^7.0.0"
+  languageName: unknown
+  linkType: soft
diff --git a/pkg/lockfile/parse-npm-lock-v1_test.go b/pkg/lockfile/parse-npm-lock-v1_test.go
@@ -347,3 +347,34 @@ func TestParseNpmLock_v1_Files(t *testing.T) {
 		},
 	})
 }
+
+func TestParseNpmLock_v1_WithAliases(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseNpmLock("fixtures/npm/with-aliases.v1.json")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		{
+			Name:      "@babel/helper-validator-identifier",
+			Version:   "7.22.20",
+			Ecosystem: lockfile.NpmEcosystem,
+			CompareAs: lockfile.NpmEcosystem,
+		},
+		{
+			Name:      "ansi-regex",
+			Version:   "6.0.1",
+			Ecosystem: lockfile.NpmEcosystem,
+			CompareAs: lockfile.NpmEcosystem,
+		},
+		{
+			Name:      "ansi-regex",
+			Version:   "5.0.1",
+			Ecosystem: lockfile.NpmEcosystem,
+			CompareAs: lockfile.NpmEcosystem,
+		},
+	})
+}
diff --git a/pkg/lockfile/parse-npm-lock-v2_test.go b/pkg/lockfile/parse-npm-lock-v2_test.go
@@ -336,3 +336,34 @@ func TestParseNpmLock_v2_Files(t *testing.T) {
 		},
 	})
 }
+
+func TestParseNpmLock_v2_WithAliases(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseNpmLock("fixtures/npm/with-aliases.v2.json")
+
+	if err != nil {
+		t.Errorf("Got unexpected error: %v", err)
+	}
+
+	expectPackages(t, packages, []lockfile.PackageDetails{
+		{
+			Name:      "@babel/helper-validator-identifier",
+			Version:   "7.22.20",
+			Ecosystem: lockfile.NpmEcosystem,
+			CompareAs: lockfile.NpmEcosystem,
+		},
+		{
+			Name:      "ansi-regex",
+			Version:   "6.0.1",
+			Ecosystem: lockfile.NpmEcosystem,
+			CompareAs: lockfile.NpmEcosystem,
+		},
+		{
+			Name:      "ansi-regex",
+			Version:   "5.0.1",
+			Ecosystem: lockfile.NpmEcosystem,
+			CompareAs: lockfile.NpmEcosystem,
+		},
+	})
+}
diff --git a/pkg/lockfile/parse-npm-lock.go b/pkg/lockfile/parse-npm-lock.go
@@ -14,6 +14,7 @@ type NpmLockDependency struct {
 }
 
 type NpmLockPackage struct {
+	Name         string            `json:"name"`
 	Version      string            `json:"version"`
 	Resolved     string            `json:"resolved"`
 	Dependencies map[string]string `json:"dependencies"`
@@ -69,6 +70,13 @@ func parseNpmLockDependencies(dependencies map[string]NpmLockDependency) map[str
 		if strings.HasPrefix(detail.Version, "file:") {
 			finalVersion = ""
 		} else {
+			// use the name of the underlying package rather than the alias
+			if strings.HasPrefix(detail.Version, "npm:") {
+				i := strings.LastIndex(detail.Version, "@")
+				name = detail.Version[4:i]
+				finalVersion = detail.Version[i+1:]
+			}
+
 			commit = tryExtractCommit(detail.Version)
 
 			// if there is a commit, we want to deduplicate based on that rather than
@@ -111,7 +119,12 @@ func parseNpmLockPackages(packages map[string]NpmLockPackage) map[string]Package
 		if namePath == "" {
 			continue
 		}
-		finalName := extractNpmPackageName(namePath)
+
+		finalName := detail.Name
+		if finalName == "" {
+			finalName = extractNpmPackageName(namePath)
+		}
+
 		finalVersion := detail.Version
 
 		commit := tryExtractCommit(detail.Resolved)