
Node package dependencies ending up as related dependency of the wrong version of the package #5477

Closed
aikebah opened this issue Feb 19, 2023 · 1 comment · Fixed by #5479
aikebah commented Feb 19, 2023

Describe the bug
While trying to get some clarity on the dependency-merging concurrency issue I spotted strange behaviour with respect to conflicting dependency versions. The conflicting versions appear to be mitigated by npm by installing the conflicting version as a child module of the module requiring it, but DependencyCheck is failing to properly account for it.

Version of dependency-check used
The problem occurs using version 8.1.0 of the gradle plugin (likely others as well)

To Reproduce
Steps to reproduce the behavior:

  1. Create a gradle project with a package.json containing
    {
      "name": "app1",
      "version": "1.0.0",
      "dependencies": {
        "@angular/core": "^15.1.5",
        "rxjs": "^6.6.7",
        "zone.js": "^0.11.8"
      }
    }
  2. Run npm install on the project (gradle npmInstall)
  3. Observe that @angular/core pulled in tslib version 2.5.0 which gets installed as a child of the root node_modules and rxjs pulled in tslib version 1.14.1, which gets installed as a child of node_modules/rxjs/node_modules
  4. Run DependencyCheck on the project (gradle dependencyCheckAnalyze)
  5. Open the report and scroll down to the tslib 1.14.1 entry. Observe that File Path: <projectlocation>/package-lock.json?rxjs:6.6.7/tslib:^1.9.0 is nowhere to be found in the related dependencies of this entry
  6. Scroll to the tslib 2.5.0 entry and observe that File Path: <projectlocation>/package-lock.json?rxjs:6.6.7/tslib:^1.9.0 is found in the entries despite the fact that version 2.5.0 does not satisfy the version-range constraint (^1.9.0) of the dependency.

Expected behavior
File Path: <projectlocation>/package-lock.json?rxjs:6.6.7/tslib:^1.9.0 is accounted for in the relatedDependencies of tslib 1.14.1

Additional context
npm version 8.19.3
node version 16.18.1
gradle version 7.6

@aikebah aikebah added the bug label Feb 19, 2023
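The resolution the report is expected to perform, as an added example that is not DependencyCheck's own code: given the `packages` map of a v2/v3 package-lock.json (keyed by node_modules path), walk up from the requiring package the way Node's module resolution does (nearest `node_modules` first, then each ancestor), attribute the `parent:version/name:range` label to the copy that is actually found, and flag any case where the found copy does not satisfy the declared range. The lockfile fragment is constructed to mirror the layout described in the issue; the tslib ranges on @angular/core and zone.js (`^2.3.0`) and the label format are assumptions, and the range matcher only handles exact pins and caret ranges without prerelease tags.

```javascript
// Constructed package-lock.json v2 fragment mirroring the issue's layout.
// Only the fields this example reads are included; the "^2.3.0" ranges are assumed.
const lock = {
  name: "app1",
  version: "1.0.0",
  lockfileVersion: 2,
  packages: {
    "": { version: "1.0.0", dependencies: { "@angular/core": "^15.1.5", rxjs: "^6.6.7", "zone.js": "^0.11.8" } },
    "node_modules/@angular/core": { version: "15.1.5", dependencies: { tslib: "^2.3.0" } },
    "node_modules/tslib": { version: "2.5.0" },
    "node_modules/rxjs": { version: "6.6.7", dependencies: { tslib: "^1.9.0" } },
    "node_modules/rxjs/node_modules/tslib": { version: "1.14.1" },
    "node_modules/zone.js": { version: "0.11.8", dependencies: { tslib: "^2.3.0" } },
  },
};

// Minimal semver subset: "MAJOR.MINOR.PATCH" only, no prerelease/build metadata.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error("unsupported version string: " + v);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Supports exact pins ("1.2.3") and caret ranges ("^1.9.0", "^0.11.8").
// Caret keeps the leftmost non-zero component fixed: ^1.9.0 => >=1.9.0 <2.0.0,
// ^0.11.8 => >=0.11.8 <0.12.0.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!range.startsWith("^")) return compareVersions(v, parseVersion(range)) === 0;
  const lo = parseVersion(range.slice(1));
  const idx = lo[0] ? 0 : lo[1] ? 1 : 2;
  const hi = lo.slice();
  hi[idx] += 1;
  for (let i = idx + 1; i < 3; i++) hi[i] = 0;
  return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
}

// Node-style lookup: try <fromPath>/node_modules/<name>, then the same under
// each ancestor package directory, ending at the root node_modules.
function resolveDependency(lock, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (dir === "") return null;
    const i = dir.lastIndexOf("node_modules/");
    dir = i > 0 ? dir.slice(0, i - 1) : "";
  }
}

// Package name is the part of the lock path after the last "node_modules/"
// (handles scoped names such as @angular/core); the root entry is the project.
function packageName(lock, path) {
  if (path === "") return lock.name;
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Groups "parent:version/name:range" labels (assumed to match the report's
// File Path suffix) under the installed copy they actually resolve to, and
// lists any resolution whose installed version does not satisfy the range.
function relatedDependencies(lock) {
  const byInstalled = {};
  const mismatches = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    const parent = packageName(lock, path);
    for (const [dep, range] of Object.entries(pkg.dependencies || {})) {
      const label = `${parent}:${pkg.version}/${dep}:${range}`;
      const resolved = resolveDependency(lock, path, dep);
      if (!resolved) { mismatches.push(label + " -> not installed"); continue; }
      const installed = lock.packages[resolved].version;
      const key = `${dep}@${installed}`;
      (byInstalled[key] = byInstalled[key] || []).push(label);
      if (!satisfies(installed, range)) mismatches.push(label + " -> " + installed);
    }
  }
  return { byInstalled, mismatches };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(relatedDependencies(lock), null, 2));
}
```

Run with `node resolve-related.js`: the `^1.9.0` requirement from rxjs lands under `tslib@1.14.1`, the two `^2.3.0` requirements under `tslib@2.5.0`, and `mismatches` is empty. Attributing a label to a copy without the walk-up step (for example by always taking the root `node_modules/tslib`) is exactly what produces a non-empty `mismatches` list, which is a cheap sanity check to keep in any lockfile analyzer.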

aikebah commented Feb 19, 2023

In the case of a package-lock version 1 (npm 6.14.18) tslib 1.14.1 is absent and only rxjs is accounted for (wrongly) in the related dependencies for tslib 2.5.0
