Description
I just learnt about some weirdness in NPM's "access control" model (or lack thereof), which leads to pathological inputs:

- A "phantom dependency" occurs when a project uses a package that is not defined in its `package.json` file. This is possible when you import a module which is a transitive dependency (via your own dependencies or even your own devDependencies), but not part of your dependencies. I believe this should "just work" with how we currently do indexing (we run `npm install` and let the compiler handle things for us), but it would be good to have dedicated tests to make sure that we are indexing these as well.

  As a future idea, it may be potentially interesting to even surface these phantom dependencies somehow. E.g. if you're looking at the `package.json` file in the Sourcegraph UI, and we have detected some phantom dependencies (say by comparing the deps used by the index vs the deps defined in the `package.json`), we could show that as a:

  > Alert: This package additionally depends on m1, m2, m3 which are not shown in the `dependencies` here.

  That said, I have no idea how much work it would take to implement something like that.
- Doppelgangers: You can have multiple copies of `pkg@version` in the same `node_modules`; these are called "doppelgangers". Again, I think this should "just work" with our current solution; we should be emitting identical symbols since the package and version name are the same, so references will be automatically deduplicated. However, it would be good to have some test cases for this as well.