Fix Npm Transitive Dependency Calculation #1617
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1617 +/- ##
======================================
Coverage 90.1% 90.1%
======================================
Files 435 435
Lines 37375 37556 +181
Branches 2310 2311 +1
======================================
+ Hits 33682 33863 +181
- Misses 3217 3219 +2
+ Partials 476 474 -2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
Improves npm lockfile v3 dependency-graph recording so shared components under multiple parents (and cycles) are captured more accurately, aligning behavior more closely with npm CLI.
Changes:
- Update
NpmLockfile3Detectortraversal de-duplication to track (component, parent) pairs rather than only component IDs. - Add unit tests covering multi-parent dependency paths and circular dependencies.
- Add a minimal
package.jsonfixture.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/Microsoft.ComponentDetection.Detectors/npm/NpmLockfile3Detector.cs | Adjusts traversal bookkeeping to record repeated components under different parents and avoid infinite loops. |
| test/Microsoft.ComponentDetection.Detectors.Tests/NpmLockfile3DetectorTests.cs | Adds tests for multi-parent dependency edges and circular dependency handling. |
| npm-test/package.json | Adds an npm fixture package.json (currently placed at repo root). |
| componentRecorder.IsDependencyOfExplicitlyReferencedComponents<NpmComponent>( | ||
| componentBId, | ||
| parentComponent => parentComponent.Name == componentA.Name); | ||
|
|
||
| componentRecorder.IsDependencyOfExplicitlyReferencedComponents<NpmComponent>( | ||
| componentCId, | ||
| parentComponent => parentComponent.Name == componentA.Name || parentComponent.Name == componentB.Name); |
There was a problem hiding this comment.
These calls return a bool but the result isn’t asserted, so the test will pass even if the expected dependency relationships are not recorded. Please assert the return value (e.g., with .Should().BeTrue()) or use an assertion helper that throws on failure.
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback
|
@RushabhBhansali I've opened a new pull request, #1618, to work on those changes. Once the pull request is ready, I'll request review from you. |
src/Microsoft.ComponentDetection.Detectors/npm/NpmLockfile3Detector.cs
Outdated
Show resolved
Hide resolved
|
👋 Hi! It looks like you modified some files in the
If none of the above scenarios apply, feel free to ignore this comment 🙂 |
…alls (#1618) * Initial plan * Add assertions to IsDependencyOfExplicitlyReferencedComponents calls in circular dependency test Co-authored-by: RushabhBhansali <24465841+RushabhBhansali@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: RushabhBhansali <24465841+RushabhBhansali@users.noreply.github.com> Co-authored-by: Rushabh <rbhansali@microsoft.com>
|
snapshot verification failure is expected. |
RushabhBhansali
deleted the
users/rbhansali/fix-npm-transitive-dependency
branch
Summary:
This pull request improves the handling of dependency relationships in the
NpmLockfile3Detector. It updates the logic to accurately record cases where the same component appears under multiple parents and ensures that circular dependencies are processed without causing infinite loops. This closely matches the npm cli behaviorDependency graph handling improvements:
NpmLockfile3Detector.csto track component-parent pairs instead of just component IDs, ensuring that the same component appearing under different parents is recorded for each unique relationship. This prevents missing dependencies in cases where a component is shared across multiple parents or involved in circular references. [1] [2]Test coverage enhancements:
NpmLockfile3DetectorTests.cs:c) as a dependency of multiple parents (e.g., bothaandb), ensuring both paths are captured in the dependency graph.a→b→c→a) are handled gracefully without causing infinite loops or crashes, and all relationships are properly recorded.This addresses the bug #1602