feat(npm): add v3 lock file support #191
Conversation
pkg/nodejs/npm/parse.go
Outdated
|
|
||
| directDeps := map[string]string{} | ||
| for name, version := range packages[""].Dependencies { | ||
| pkgPath := filepath.Join(nodeModulesFolder, name) |
There was a problem hiding this comment.
I think we should use path.Join here because the joined path will be node_modules\\name with filepath.Join on Windows. I guess the path separator in package-lock.json is always / regardless of the platform. Otherwise, generating a lockfile results in different files, depending on the platform. But this is my guess. Please correct me if I'm wrong.
There was a problem hiding this comment.
Thanks for tip, fixed.
pkg/nodejs/npm/parse.go
Outdated
| // lock file contains path to dependency in `node_modules` folder. e.g.: | ||
| // node_modules/string-width | ||
| // node_modules/string-width/node_modules/strip-ansi | ||
| return filepath.Base(path) |
pkg/nodejs/npm/parse.go
Outdated
| // project can contain 2 different version of dependency | ||
| // we need to check that we choose version for direct dependency | ||
| // also the direct dependency version can use range | ||
| // e.g. "body-parser": "^1.18.3" | ||
| // we need to compare versions using npm comparator | ||
| match, err := matchVersion(directVersion, libVersionRange) | ||
| if err != nil { | ||
| log.Logger.Warnf("unable to compare version for %s@%s", libName, libVersionRange) | ||
| } |
There was a problem hiding this comment.
Is this really needed? I suppose direct dependencies are always located just under node_modules.
For example, there are two versions of strip-ansi, and it is marked as a direct dependency.
"": {
"name": "node_v1",
"version": "1.0.0",
"license": "ISC",
"dependencies": {
"strip-ansi": "^1.18.3"
}
},
- node_modules/strip-ansi
- node_modules/string-width/node_modules/strip-ansi
In this case, is it possible that node_modules/string-width/node_modules/strip-ansi is a direct dependency and node_modules/string-ansi is indirect as below?
- node_modules/strip-ansi (indirect)
- node_modules/string-width/node_modules/strip-ansi (direct)
I thought the direct dependency was always under node_modules.
- node_modules/strip-ansi (direct)
- node_modules/string-width/node_modules/strip-ansi (indirect)
If it is the case, we can just compare the package paths rather than the version constraint. If strip-ansi is written under dependencies, it means node_modules/strip-ansi is direct. I might be wrong.
There was a problem hiding this comment.
direct dependencies are always located just under node_modules.
You are right! i didn't think about this.
Changed this logic.
pkg/nodejs/npm/parse.go
Outdated
| // Try to resolve the version with nested dependencies first | ||
| depPath := filepath.Join(pkgPath, nodeModulesFolder, depName) | ||
| if dep, ok := packages[depPath]; ok { | ||
| depID := utils.PackageID(depName, dep.Version) | ||
| dependsOn = append(dependsOn, depID) | ||
| continue | ||
| } | ||
|
|
||
| // Try to resolve the version with dependencies same folder | ||
| depPath = filepath.Join(filepath.Dir(pkgPath), depName) | ||
| if dep, ok := packages[depPath]; ok { | ||
| depID := utils.PackageID(depName, dep.Version) | ||
| dependsOn = append(dependsOn, depID) | ||
| continue | ||
| } | ||
|
|
||
| // Try to resolve the version with the higher level dependencies | ||
| depPath = filepath.Join(nodeModulesFolder, depName) | ||
| if dep, ok := packages[depPath]; ok { | ||
| depID := utils.PackageID(depName, dep.Version) | ||
| dependsOn = append(dependsOn, depID) | ||
| continue | ||
| } |
There was a problem hiding this comment.
Isn't it possible to have more than two nests like node_modules/body-parser/node_modules/debug/node_modules/ms? Looks like it happens theoretically.
What about this code?
| // Try to resolve the version with nested dependencies first | |
| depPath := filepath.Join(pkgPath, nodeModulesFolder, depName) | |
| if dep, ok := packages[depPath]; ok { | |
| depID := utils.PackageID(depName, dep.Version) | |
| dependsOn = append(dependsOn, depID) | |
| continue | |
| } | |
| // Try to resolve the version with dependencies same folder | |
| depPath = filepath.Join(filepath.Dir(pkgPath), depName) | |
| if dep, ok := packages[depPath]; ok { | |
| depID := utils.PackageID(depName, dep.Version) | |
| dependsOn = append(dependsOn, depID) | |
| continue | |
| } | |
| // Try to resolve the version with the higher level dependencies | |
| depPath = filepath.Join(nodeModulesFolder, depName) | |
| if dep, ok := packages[depPath]; ok { | |
| depID := utils.PackageID(depName, dep.Version) | |
| dependsOn = append(dependsOn, depID) | |
| continue | |
| } | |
| depPath := path.Join(pkgPath, nodeModulesFolder) | |
| paths := strings.Split(depPath, "/") | |
| // Try to resolve the version with the nearest directory | |
| // In the case of "ms", try the following paths in order. | |
| // - "node_modules/body-parser/node_modules/debug/node_moduls/ms" | |
| // - "node_modules/body-parser/node_modules/ms" | |
| // - "node_modules/ms" | |
| for i := len(paths) - 1; i >= 0; i-- { | |
| if paths[i] != nodeModulesFolder { | |
| continue | |
| } | |
| p := path.Join(paths[:i+1]...) | |
| p = path.Join(p, depName) | |
| if dep, ok := packages[p]; ok { | |
| depID := utils.PackageID(depName, dep.Version) | |
| dependsOn = append(dependsOn, depID) | |
| continue | |
| } | |
| } |
Here is my test: https://go.dev/play/p/UPQN11T8qJ_m
There was a problem hiding this comment.
Good idea! thanks, used this.
Co-authored-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
Description
Add v3 lock file support - https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json?v=true#lockfileversion