feat: enhance package.json finder (#1286)

implements #1284

For assets loaded from a subdirectory of `node_modules`, it will pick
the first `package.json` that actually has `name` and `version`
attributes.
Added a testcase for this, which verifies this functionality for the
`luxon` and `libphonenumber-js` packages.
The `package.json` for `libphonenumber-js/max` [misses a version
number](https://unpkg.com/browse/libphonenumber-js@1.11.3/max/package.json)
while for `luxon` [the name is
missing](https://unpkg.com/browse/luxon@3.4.4/src/package.json).

The snapshot has quite a lot of changes:
- For some reason the `purl` entries are no longer url encoded.
- The `@apollo/client/*` entries have been merged into a single
`@apollo/client` entry
- The `@babel/runtime` was added as dependency

---------

Signed-off-by: Tristan Bastian <tristan.bastian@softwareag.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com>

HISTORY.md

@@ -6,6 +6,12 @@ All notable changes to this project will be documented in this file.
 
 <!-- unreleased changes go here -->
 
+* Changed
+  * Improved package detection ([#1284] via [#1286])
+
+[#1284]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/issues/1284
+[#1286]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1286
+
 ## 3.11.0 - 2024-05-08
 
 * Added

package.json

@@ -40,6 +40,10 @@
     {
       "name": "Jan Kowalleck",
       "email": "jan.kowalleck@gmail.com"
+    },
+    {
+      "name": "Tristan Bastian",
+      "url": "https://github.com/reey"
     }
   ],
   "type": "commonjs",

src/_helpers.ts

@@ -18,36 +18,56 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 import { existsSync, readFileSync } from 'fs'
-import { dirname, isAbsolute, join } from 'path'
+import { dirname, isAbsolute, join, sep } from 'path'
 
 export interface PackageDescription {
   path: string
   packageJson: any
 }
 
 export function getPackageDescription (path: string): PackageDescription | undefined {
+  const isSubDirOfNodeModules = isSubDirectoryOfNodeModulesFolder(path)
+
   while (isAbsolute(path)) {
-    const packageJson = join(path, 'package.json')
-    if (existsSync(packageJson)) {
+    const pathToPackageJson = join(path, 'package.json')
+    if (existsSync(pathToPackageJson)) {
       try {
-        return {
-          path: packageJson,
-          packageJson: loadJsonFile(packageJson) ?? {}
+        const contentOfPackageJson = loadJsonFile(pathToPackageJson) ?? {}
+        // only look for valid candidate if we are in a node_modules subdirectory
+        if (!isSubDirOfNodeModules || isValidPackageJSON(contentOfPackageJson)) {
+          return {
+            path: pathToPackageJson,
+            packageJson: loadJsonFile(pathToPackageJson) ?? {}
+          }
         }
       } catch {
         return undefined
       }
     }
 
     const nextPath = dirname(path)
-    if (nextPath === path) {
+    if (nextPath === path || isNodeModulesFolder(nextPath)) {
       return undefined
     }
     path = nextPath
   }
   return undefined
 }
 
+function isNodeModulesFolder (path: string): boolean {
+  return path.endsWith(`${sep}node_modules`)
+}
+
+function isSubDirectoryOfNodeModulesFolder (path: string): boolean {
+  return path.includes(`${sep}node_modules${sep}`)
+}
+
+export function isValidPackageJSON (pkg: any): boolean {
+  // checking for the existence of name and version properties
+  // both are required for a valid package.json according to https://docs.npmjs.com/cli/v10/configuring-npm/package-json
+  return typeof pkg.name === 'string' && typeof pkg.version === 'string'
+}
+
 export function loadJsonFile (path: string): any {
   return JSON.parse(readFileSync(path, 'utf8'))
   // may be replaced by `require(f, { with: { type: "json" } })`