feat: npm lock v2 and v3 support

package.json

@@ -119,7 +119,7 @@
     "snyk-gradle-plugin": "3.26.0",
     "snyk-module": "3.1.0",
     "snyk-mvn-plugin": "2.32.2",
-    "snyk-nodejs-lockfile-parser": "1.45.1",
+    "snyk-nodejs-lockfile-parser": "1.47.5",
     "snyk-nuget-plugin": "1.23.5",
     "snyk-php-plugin": "1.9.2",
     "snyk-policy": "^1.25.0",

src/lib/plugins/nodejs-plugin/index.ts

@@ -5,7 +5,13 @@ import * as analytics from '../../analytics';
 import { MissingTargetFileError } from '../../errors/missing-targetfile-error';
 import { MultiProjectResult } from '@snyk/cli-interface/legacy/plugin';
 import { DepGraph } from '@snyk/dep-graph';
-import { PkgTree } from 'snyk-nodejs-lockfile-parser';
+import {
+  PkgTree,
+  getLockfileVersionFromFile,
+  NodeLockfileVersion,
+} from 'snyk-nodejs-lockfile-parser';
+
+import * as path from 'path';
 
 export async function inspect(
   root: string,
@@ -26,17 +32,31 @@ export async function inspect(
 
   let scannedProjects: any[] = [];
   if (isResDepGraph(depRes)) {
-    if (depRes.pkgManager.version) {
-      analytics.add('lockfileVersion', depRes.pkgManager.version);
-    }
     scannedProjects = [{ depGraph: depRes }];
   } else {
-    if (depRes.meta?.lockfileVersion) {
-      analytics.add('lockfileVersion', depRes.meta.lockfileVersion);
-    }
     scannedProjects = [{ depTree: depRes }];
   }
 
+  if (isLockFileBased) {
+    const lockFileFullPath = path.resolve(root, targetFile);
+    const lockfileVersion = getLockfileVersionFromFile(lockFileFullPath);
+    switch (lockfileVersion) {
+      case NodeLockfileVersion.NpmLockV1:
+      case NodeLockfileVersion.YarnLockV1:
+        analytics.add('lockfileVersion', 1);
+        break;
+      case NodeLockfileVersion.NpmLockV2:
+      case NodeLockfileVersion.YarnLockV2:
+        analytics.add('lockfileVersion', 2);
+        break;
+      case NodeLockfileVersion.NpmLockV3:
+        analytics.add('lockfileVersion', 3);
+        break;
+      default:
+        break;
+    }
+  }
+
   return {
     plugin: {
       name: 'snyk-nodejs-lockfile-parser',

src/lib/plugins/nodejs-plugin/npm-lock-parser.ts

@@ -60,7 +60,9 @@ export async function parse(
   );
   if (
     lockfileVersion === NodeLockfileVersion.YarnLockV1 ||
-    lockfileVersion === NodeLockfileVersion.YarnLockV2
+    lockfileVersion === NodeLockfileVersion.YarnLockV2 ||
+    lockfileVersion === NodeLockfileVersion.NpmLockV2 ||
+    lockfileVersion === NodeLockfileVersion.NpmLockV3
   ) {
     return await buildDepGraph(
       root,
@@ -128,6 +130,13 @@ async function buildDepGraph(
         lockFileContents,
         options,
       );
+    case NodeLockfileVersion.NpmLockV2:
+    case NodeLockfileVersion.NpmLockV3:
+      return lockFileParser.parseNpmLockV2Project(
+        manifestFileContents,
+        lockFileContents,
+        options,
+      );
   }
   throw new Error('Failed to build dep graph from current project');
 }

test/acceptance/workspaces/npm-package-lockfile-v2/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "npm-package-lockfile-v2",
+  "version": "1.0.0",
+  "description": "Simple NPM package",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "snyk",
+  "license": "ISC",
+  "dependencies": {
+    "debug": "2.2.0"
+  },
+  "devDependencies": {
+    "object-assign": "4.1.1"
+  }
+}

test/acceptance/workspaces/npm-package-lockfile-v3/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "npm-package-lockfile-v3",
+  "version": "1.0.0",
+  "description": "Simple NPM package",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "snyk",
+  "license": "ISC",
+  "dependencies": {
+    "debug": "2.2.0"
+  },
+  "devDependencies": {
+    "object-assign": "4.1.1"
+  }
+}

test/tap/cli-test/cli-test.npm.spec.ts

@@ -21,6 +21,30 @@ export const NpmTests: AcceptanceTests = {
       t.match(req.body.targetFile, undefined, 'target is undefined');
     },
 
+    '`test npm-package with lockfile v2`': (params, utils) => async (t) => {
+      utils.chdirWorkspaces();
+      await params.cli.test('npm-package-lockfile-v2');
+      const req = params.server.popRequest();
+      const depGraph = req.body.depGraph;
+      t.same(
+        depGraph.pkgs.map((p) => p.id).sort(),
+        ['npm-package-lockfile-v2@1.0.0', 'ms@0.7.1', 'debug@2.2.0'].sort(),
+        'depGraph looks fine',
+      );
+    },
+
+    '`test npm-package with lockfile v3`': (params, utils) => async (t) => {
+      utils.chdirWorkspaces();
+      await params.cli.test('npm-package-lockfile-v3');
+      const req = params.server.popRequest();
+      const depGraph = req.body.depGraph;
+      t.same(
+        depGraph.pkgs.map((p) => p.id).sort(),
+        ['npm-package-lockfile-v3@1.0.0', 'ms@0.7.1', 'debug@2.2.0'].sort(),
+        'depGraph looks fine',
+      );
+    },
+
     'test npm-package remoteUrl': (params, utils) => async (t) => {
       utils.chdirWorkspaces();
       process.env.GIT_DIR = 'npm-package/gitdir';