Describe the bug
While trying to get some clarity on the dependency-merging concurrency issue I spotted strange behaviour with respect to conflicting dependency versions. The conflicting versions appear to be mitigated by npm by installing the conflicting version as a child module of the module requiring it, but DependencyCheck is failing to properly account for it.
Version of dependency-check used
The problem occurs using version 8.1.0 of the gradle plugin (likely others as well)
To Reproduce
Steps to reproduce the behavior:
Create a gradle project with a package.json containing
Run npm install on the project (gradle npmInstall)
Observe that @angular/core pulled in tslib version 2.5.0 which gets installed as a child of the root node_modules and rxjs pulled in tslib version 1.14.1, which gets installed as a child of node_modules/rxjs/node_modules
Run DependencyCheck on the project (gradle dependencyCheckAnalyze)
Open the report and scroll down to the tslib 1.14.1 entry. Observe that File Path: <projectlocation>/package-lock.json?rxjs:6.6.7/tslib:^1.9.0 is nowhere to be found in the related dependencies of this entry
Scroll to the tslib 2.5.0 entry and observe that File Path: <projectlocation>/package-lock.json?rxjs:6.6.7/tslib:^1.9.0 is found in the entries despite the fact that version 2.5.0 does not satisfy the version-range constraint (^1.9.0) of the dependency.
Expected behavior
File Path: <projectlocation>/package-lock.json?rxjs:6.6.7/tslib:^1.9.0 is accounted for in the relatedDependencies of tslib 1.14.1
Additional context
npm version 8.19.3
node version 16.18.1
gradle version 7.6
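To illustrate the resolution the report expects, here is an added example (not part of the issue or of DependencyCheck) that walks a lockfileVersion 2 "packages" map the way Node resolves nested node_modules and checks each dependent's declared range against the copy it actually loads. The lockfile contents, the package versions other than those named in the issue, and the minimal caret-only range check are constructed assumptions.

```javascript
// Constructed package-lock.json (lockfileVersion 2 "packages" map) modelled on the
// layout the issue describes: tslib 2.5.0 at the root, tslib 1.14.1 nested under rxjs.
const lock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "@angular/core": "^15.0.0", rxjs: "^6.6.7" } },
    "node_modules/@angular/core": { version: "15.2.0", dependencies: { tslib: "^2.3.0" } },
    "node_modules/tslib": { version: "2.5.0" },
    "node_modules/rxjs": { version: "6.6.7", dependencies: { tslib: "^1.9.0" } },
    "node_modules/rxjs/node_modules/tslib": { version: "1.14.1" },
  },
};

// Node's lookup: the requiring package's own node_modules first, then each enclosing
// package's node_modules up to the project root (scoped names handled).
function resolveDependency(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return { path: candidate, version: packages[candidate].version };
    if (dir === "") return null;
    dir = dir.replace(/(^|\/)node_modules\/(@[^/]+\/)?[^/]+$/, "");
  }
}

// Minimal "^" range semantics only (assumption: not a full semver implementation).
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error("only ^ ranges supported here");
  const parse = (s) => s.split(".").map(Number);
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  const lo = parse(range.slice(1)), v = parse(version);
  if (cmp(v, lo) < 0) return false;
  // caret pins the left-most non-zero component
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : lo[1] > 0 ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
  return cmp(v, hi) < 0;
}

// For every package that depends on `name`, report the copy it resolves to and whether
// that copy satisfies the declared range (what relatedDependencies should reflect).
function relatedDependencies(packages, name) {
  const out = [];
  for (const [path, pkg] of Object.entries(packages)) {
    const range = pkg.dependencies && pkg.dependencies[name];
    if (!range) continue;
    const r = resolveDependency(packages, path, name);
    out.push({ dependent: path || "<root>", range, resolvedPath: r && r.path,
      resolvedVersion: r && r.version, satisfied: r ? satisfiesCaret(r.version, range) : false });
  }
  return out;
}

console.table(relatedDependencies(lock.packages, "tslib"));
```

Run with node; the rxjs row resolves to the nested 1.14.1 copy, which is the entry the report should list it under.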
In the case of a package-lock version 1 (npm 6.14.18) tslib 1.14.1 is absent and only rxjs is accounted for (wrongly) in the related dependencies for tslib 2.5.0