Overview

When a package-lock.json has the following structure (simplified for clarity), we were not reporting the edge between js-yaml and argparse 2.0.1:

This was causing argparse 2.0.1 to not be reported, since it was then pruned in the SourceUnit conversion (it was an orphan node in the graph without that edge).

To resolve this, we carry the parent into the recursive dep analysis, and add an edge when analyzing the child.

When implementing, another oversight was revealed: when adding edges from packages under the requires key, we try to detect the package's version from the top-level deps. Now, we look at the local dependencies block first (at the same level of the requires that we're currently working on), before falling back to the top-level dependencies package list.

Acceptance criteria

- js-yaml and argparse 2.0.1 in the example above. This causes pruneUnreachable to not delete argparse 2.0.1, which would otherwise be an orphan node.

Testing plan
Unit testing should be sufficient
References
Fixes fossas/team-analysis#874
Checklist
- If this PR introduced a user-visible change, I added documentation into docs/.
- Changelog.md if this change is externally facing. If this PR did not mark a release, I added my changes into an # Unreleased section at the top.
- I updated *schema.json if I have made changes for .fossa.yml, fossa-deps.{json, yaml, yml}. You may also need to update these if you have added/removed new dependency (e.g. pip) or analysis target type (e.g. poetry).
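The two fixes described in the overview (carrying the parent into the recursion so nested entries get an edge, and resolving requires against the sibling dependencies block before the top-level one), as an added worked example that is not fossa-cli's code. It builds a graph from a constructed lockfileVersion 1 package-lock.json in which js-yaml pins a nested argparse 2.0.1 while the top level holds argparse 1.0.10, runs both the old and the fixed behaviour, and then prunes nodes unreachable from the direct dependencies the way the PR describes pruneUnreachable doing. The nodeId, buildGraph, pruneUnreachable and analyze names and the sample lockfile are all assumptions made for this example; the fixed mode also generalizes slightly beyond the PR text by consulting every enclosing dependencies block on the way up, which matches how Node resolves nested node_modules. From a supply-chain standpoint, the point is that the old behaviour silently drops a real transitive dependency from the inventory, so nothing downstream (license or vulnerability matching) ever sees argparse 2.0.1.

```javascript
// Added example, not fossa-cli's implementation.
// Constructed sample lockfileVersion 1 package-lock.json (not from the PR):
// js-yaml requires argparse ^2, satisfied by a nested argparse 2.0.1,
// while the top level pins argparse 1.0.10 for some other consumer.
const LOCK = {
  lockfileVersion: 1,
  dependencies: {
    argparse: { version: "1.0.10", requires: { "sprintf-js": "~1.0.2" } },
    "sprintf-js": { version: "1.0.3" },
    "js-yaml": {
      version: "4.1.0",
      requires: { argparse: "^2.0.1" },
      dependencies: { argparse: { version: "2.0.1" } },
    },
  },
};

// Hypothetical node id scheme: name@version.
function nodeId(name, version) {
  return `${name}@${version}`;
}

// Build the dependency graph. `fixed` selects the corrected behaviour:
//  - fix 1: nested entries get an edge from the enclosing package;
//  - fix 2: `requires` are resolved against the sibling `dependencies`
//    block (then enclosing blocks) before the top-level block.
// With `fixed` false, nested entries get no parent edge and `requires`
// are resolved against the top level only (the old behaviour).
function buildGraph(lock, { fixed }) {
  const top = lock.dependencies || {};
  const nodes = new Set();
  const direct = new Set(); // top-level entries, the roots for pruning
  const edges = [];
  const edgeKeys = new Set();

  const addEdge = (from, to) => {
    const key = `${from} -> ${to}`;
    if (!edgeKeys.has(key)) {
      edgeKeys.add(key);
      edges.push({ from, to });
    }
  };

  // Resolve a `requires` name by checking each scope in order.
  const resolve = (name, scopes) => {
    for (const scope of scopes) {
      if (Object.prototype.hasOwnProperty.call(scope, name)) {
        return nodeId(name, scope[name].version);
      }
    }
    return null;
  };

  function walk(deps, parentId, enclosingScopes, isTop) {
    for (const [name, entry] of Object.entries(deps)) {
      const id = nodeId(name, entry.version);
      nodes.add(id);
      if (isTop) direct.add(id);
      if (parentId) addEdge(parentId, id);

      const local = entry.dependencies || {};
      const scopes = fixed ? [local, ...enclosingScopes] : [top];
      for (const req of Object.keys(entry.requires || {})) {
        const target = resolve(req, scopes);
        if (target) {
          nodes.add(target);
          addEdge(id, target);
        }
      }
      // Old code recursed without a parent, so nested entries were orphans.
      walk(local, fixed ? id : null, [local, ...enclosingScopes], false);
    }
  }

  walk(top, null, [top], true);
  return { nodes, direct, edges };
}

// Keep only nodes reachable from the direct dependencies (DFS over edges).
function pruneUnreachable(graph) {
  const out = new Map();
  for (const { from, to } of graph.edges) {
    if (!out.has(from)) out.set(from, []);
    out.get(from).push(to);
  }
  const reachable = new Set();
  const stack = [...graph.direct];
  while (stack.length > 0) {
    const n = stack.pop();
    if (reachable.has(n)) continue;
    reachable.add(n);
    for (const m of out.get(n) || []) stack.push(m);
  }
  return reachable;
}

// Summarize one run: sorted edge strings, kept nodes, and dropped nodes.
function analyze(lock, fixed) {
  const graph = buildGraph(lock, { fixed });
  const kept = pruneUnreachable(graph);
  return {
    edges: graph.edges.map((e) => `${e.from} -> ${e.to}`).sort(),
    kept: [...kept].sort(),
    dropped: [...graph.nodes].filter((n) => !kept.has(n)).sort(),
  };
}

for (const fixed of [false, true]) {
  console.log(fixed ? "fixed behaviour:" : "old behaviour:", analyze(LOCK, fixed));
}
```

With the old behaviour the js-yaml requires entry resolves to argparse@1.0.10 (a wrong edge) and argparse@2.0.1 is dropped as an orphan; with both fixes applied the edge js-yaml@4.1.0 -> argparse@2.0.1 exists and nothing is pruned.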