From a3fc95768eed4ba93b380fcc5a4ca3f7cb5a615c Mon Sep 17 00:00:00 2001
From: cgombauld <clement.gombauld@cpexterne.org>
Date: Tue, 11 Nov 2025 08:51:39 +0100
Subject: [PATCH] feat(depWalker): do not add integrity to payload in cwd for
 workspace

---
 .changeset/calm-dingos-hunt.md            |  4 ++--
 .changeset/warm-jars-draw.md              |  5 +++++
 workspaces/scanner/src/depWalker.ts       | 10 ++++++++--
 workspaces/scanner/test/depWalker.spec.ts |  1 +
 4 files changed, 16 insertions(+), 4 deletions(-)
 create mode 100644 .changeset/warm-jars-draw.md

diff --git a/.changeset/calm-dingos-hunt.md b/.changeset/calm-dingos-hunt.md
index 6fd32c4..c4ba502 100644
--- a/.changeset/calm-dingos-hunt.md
+++ b/.changeset/calm-dingos-hunt.md
@@ -1,6 +1,6 @@
 ---
-"@nodesecure/tree-walker": major
-"@nodesecure/scanner": major
+"@nodesecure/tree-walker": minor
+"@nodesecure/scanner": minor
 ---
 
 feat(scanner): add manifest integrity of root dependency in payload
diff --git a/.changeset/warm-jars-draw.md b/.changeset/warm-jars-draw.md
new file mode 100644
index 0000000..cd4c36e
--- /dev/null
+++ b/.changeset/warm-jars-draw.md
@@ -0,0 +1,5 @@
+---
+"@nodesecure/scanner": minor
+---
+
+feat(depWalker): do not add integrity to payload in cwd for workspace
diff --git a/workspaces/scanner/src/depWalker.ts b/workspaces/scanner/src/depWalker.ts
index fc4921a..2cf08c7 100644
--- a/workspaces/scanner/src/depWalker.ts
+++ b/workspaces/scanner/src/depWalker.ts
@@ -179,8 +179,14 @@ export async function depWalker(
         dependencies.set(name, dependency);
       }
 
-      if (current.id === kRootDependencyId) {
-        payload.integrity = integrity ?? fromData(JSON.stringify(manifest), { algorithms: ["sha512"] }).toString();
+      const isRoot = current.id === kRootDependencyId;
+
+      if (isRoot && payload.integrity) {
+        payload.integrity = integrity;
+      }
+      else if (isRoot) {
+        const isWorkspace = options.location && "workspaces" in manifest;
+        payload.integrity = isWorkspace ? null : fromData(JSON.stringify(manifest), { algorithms: ["sha512"] }).toString();
       }
 
       // If the dependency is a DevDependencies we ignore it.
diff --git a/workspaces/scanner/test/depWalker.spec.ts b/workspaces/scanner/test/depWalker.spec.ts
index e2902a5..bf3d47d 100644
--- a/workspaces/scanner/test/depWalker.spec.ts
+++ b/workspaces/scanner/test/depWalker.spec.ts
@@ -263,6 +263,7 @@ describe("scanner.cwd()", () => {
     );
 
     assert.strictEqual(result.rootDependencyName, "workspace");
+    assert.strictEqual(result.integrity, null);
   });
 });