syft fails to resolve npm package aliases #1314
Comments
Thanks @EricHripko -- we definitely can figure out a way to handle these aliases (I haven't ever encountered them before!). Do you happen to know if this is specific to

Thank you for a prompt response, @kzantow 👍 I similarly didn't know about aliases until encountering this SBOM quirk; from what I can tell,

Thank you for fixing this up - really appreciate it 🙌
Please provide a set of steps on how to reproduce the issue

`package.json` with the following contents:
`package-lock.json` by running `npm install --package-lock-only`
`syft .`

What happened:

Running `syft` on such a project generates an incorrect SBOM because the dependency uses a package alias:

What you expected to happen:

I expected `syft` to correctly resolve the npm package alias (from `@vue/vue-loader-v15` to `vue-loader@15.10.0`) and recognise that my project has a dependency on `vue-loader@15.10.0`.

Anything else we need to know?:

Environment:

`syft version`:
`cat /etc/os-release` or similar):
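
The alias resolution the report asks for, as an added example (not syft's own code and not part of the original issue). It assumes the usual npm lockfile encoding: a `name` field on the aliased `packages` entry in lockfileVersion 2/3, and an `npm:<name>@<version>` value in `version` in lockfileVersion 1. Both sample lockfiles are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample lockfiles (not from the issue): one alias in lockfileVersion 3 and 1.
const sampleV3 = `{"lockfileVersion":3,"packages":{"":{"name":"demo"},
 "node_modules/@vue/vue-loader-v15":{"name":"vue-loader","version":"15.10.0"},
 "node_modules/lodash":{"version":"4.17.21"}}}`
const sampleV1 = `{"lockfileVersion":1,"dependencies":{"lodash":{"version":"4.17.21"},
 "@vue/vue-loader-v15":{"version":"npm:vue-loader@15.10.0"}}}`

// entry holds the two fields that reveal an alias; JSON keys match case-insensitively.
type entry struct{ Name, Version string }

// ResolveLock maps each top-level lockfile key to "real-name@version".
func ResolveLock(data []byte) (map[string]string, error) {
	var lf struct{ Packages, Dependencies map[string]entry }
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	out := map[string]string{}
	for key, e := range lf.Dependencies { // lockfileVersion 1 layout
		name, ver := key, e.Version
		if i := strings.LastIndex(ver, "@"); strings.HasPrefix(ver, "npm:") && i > 4 {
			name, ver = ver[4:i], ver[i+1:] // alias: take the real name and version
		}
		out[key] = name + "@" + ver
	}
	for path, e := range lf.Packages { // lockfileVersion 2/3 layout
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 {
			continue // root project ("") or a workspace folder
		}
		name := path[i+len("node_modules/"):]
		if e.Name != "" {
			name = e.Name // alias: the real package name overrides the install path
		}
		out[path] = name + "@" + e.Version
	}
	return out, nil
}

func main() {
	fmt.Println(ResolveLock([]byte(sampleV3)))
	fmt.Println(ResolveLock([]byte(sampleV1)))
}
```

An SBOM that records the install-path name instead of the resolved name will not match the real package in a vulnerability database, which is why the alias has to be undone before the component is emitted.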