fix: parse child peerDependencies in package-lock.json #121

milahu · 2021-09-17T19:46:48Z

child peerDependencies should be parsed

part of the dependency tree

svelte-nodegui-starter
+ webpack@5.53.0
+ + acorn@8.5.0
+ + acorn-import-assertions@1.7.6

acorn-import-assertions peerDependencies -> acorn

this is also visible in package-lock.json

    "node_modules/acorn-import-assertions": {
      "version": "1.7.6",
      "resolved": "...",
      "integrity": "...",
      "dev": true,
      "peerDependencies": {
        "acorn": "^8"
      }
    },

but in the snyk-nodejs-lockfile-parser deptree, the peerDependencies field is missing

{
  labels: { scope: 'dev' },
  name: 'acorn-import-assertions',
  version: '1.7.6',
  resolved: '...',
  integrity: '...',
  nameVersion: 'acorn-import-assertions@1.7.6'
}

related #104

details: peerDependencies are NOT listed in yarn.lock

acorn-import-assertions@^1.7.6:
  version "1.7.6"
  resolved "..."
  integrity ...

webpack@^5.53.0:
  version "5.53.0"
  resolved "..."
  integrity ...
  dependencies:
    ...
    acorn "^8.4.1"
    acorn-import-assertions "^1.7.6"

details: peerDependencies in pnpm-lock.yaml

  /webpack/5.52.1_webpack-cli@4.8.0:
    ...
    dependencies:
      ...
      acorn: 8.5.0
      acorn-import-assertions: 1.7.6_acorn@8.5.0

  /acorn-import-assertions/1.7.6_acorn@8.5.0:
    ...
    peerDependencies:
      acorn: ^8
    dependencies:
      acorn: 8.5.0
    dev: true

details: when are peerDependencies installed?

npm versions 1, 2, and 7 will automatically install peerDependencies if they are not explicitly depended upon higher in the dependency tree. For npm versions 3 through 6, you will receive a warning that the peerDependency is not installed instead.

https://nodejs.org/en/blog/npm/peer-dependencies/

As of npm v7, peerDependencies are installed by default.

https://docs.npmjs.com/cli/v7/configuring-npm/package-json#peerdependencies

... except its marked "optional" in peerDependenciesMeta

The text was updated successfully, but these errors were encountered:

louis-bompart · 2021-10-05T17:47:43Z

I encountered the same issue, and created a minimum reproducible example here: louis-bompart/upgraded-garbanzo.

OS: Windows10, Node: 16.10.0, NPM: 7.24.0

fix: support optional peerDependencies with npm7 For each peerDependency, check if peerDependencyMeta[depName].optional is true. If so, do not include the peerDependency in the tree, else include it. Modified the fixtures for the npm7 peer-deps tests by adding another peerDependency and marking it as optionnal using peerDependencyMeta See https://docs.npmjs.com/cli/v7/configuring-npm/package-json#peerdependenciesmeta fix snyk#121

snyksec · 2021-11-24T15:53:50Z

🎉 This issue has been resolved in version 1.37.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

milahu changed the title ~~fix: resolve child peerDependencies~~ fix: parse child peerDependencies in package-lock.json Sep 17, 2021

louis-bompart mentioned this issue Oct 7, 2021

fix: support optional peerDependencies with npm7 #128

Merged

5 tasks

JamesPatrickGill closed this as completed in f88455b Nov 24, 2021

snyksec added the released label Nov 24, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: parse child peerDependencies in package-lock.json #121

fix: parse child peerDependencies in package-lock.json #121

milahu commented Sep 17, 2021 •

edited

Loading

louis-bompart commented Oct 5, 2021 •

edited

Loading

snyksec commented Nov 24, 2021

fix: parse child peerDependencies in package-lock.json #121

fix: parse child peerDependencies in package-lock.json #121

Comments

milahu commented Sep 17, 2021 • edited Loading

louis-bompart commented Oct 5, 2021 • edited Loading

snyksec commented Nov 24, 2021

milahu commented Sep 17, 2021 •

edited

Loading

louis-bompart commented Oct 5, 2021 •

edited

Loading