Update enhance-vulnerability-list.cjs

.github/helpers/npm-audit/enhance-vulnerability-list.cjs

@@ -1,8 +1,8 @@
-const getLatestDependencyInfo = require('./get-latest-dep-info.cjs');
-const isFixAvailable = require('./is-fix-available.cjs');
-const findDirectDependencies = require('./find-direct-dependencies.cjs');
-const path = require('path');
-const fs = require('fs');
+const getLatestDependencyInfo = require("./get-latest-dep-info.cjs");
+const isFixAvailable = require("./is-fix-available.cjs");
+const findDirectDependencies = require("./find-direct-dependencies.cjs");
+const path = require("path");
+const fs = require("fs");
 
 /**
  * Enhance vulnerabilities with latest version info and formatted parent dependencies.
@@ -12,7 +12,12 @@ const enhanceVulnerabilityList = async (auditResult, directoryPath) => {
   try {
     const { vulnerabilities } = auditResult;
 
-    const packageJson = JSON.parse(fs.readFileSync(path.resolve(__dirname, `../../../${directoryPath}/package.json`), 'utf-8'));
+    const packageJson = JSON.parse(
+      fs.readFileSync(
+        path.resolve(__dirname, `../../../${directoryPath}/package.json`),
+        "utf-8"
+      )
+    );
 
     const enhancedVulnerabilities = await Promise.all(
       vulnerabilities.map(async (vuln) => {
@@ -23,41 +28,54 @@ const enhanceVulnerabilityList = async (auditResult, directoryPath) => {
 
           // Transform parentDependencies into object array with fixAvailable and version properties
           const parentDependencies = await Promise.all(
-            (vuln.parentDependencies || []).map(async (dep) => {
-              const parentInfo = await getLatestDependencyInfo(dep);
-              const childVersion = parentInfo.childDependencies[vuln.name];
-              const fixAvailable = isFixAvailable(latestVersion, vuln.range, childVersion);
-              const directDependenciesList = findDirectDependencies(dep).directDependencies;
+            (vuln.parentDependencies || []).map(async (parentDep) => {
+              const parentInfo = await getLatestDependencyInfo(parentDep);
+              const childVersion = Object(
+                parentInfo?.childDependencies
+              ).hasOwnProperty(vuln.name)
+                ? parentInfo?.childDependencies[vuln.name]
+                : false;
+              const fixAvailableIncludesParentDep =
+                vuln.fixAvailable.name === parentDep;
+              const fixAvailable = childVersion
+                ? isFixAvailable(latestVersion, vuln.range, childVersion)
+                : false;
+              const directDependenciesList = findDirectDependencies(
+                parentDep,
+                directoryPath
+              ).directDependencies;
 
               const directDependenciesObjs = await Promise.all(
-                directDependenciesList.map(async (dep) => {
-                  const details = await getLatestDependencyInfo(dep);
+                directDependenciesList.map(async (directDep) => {
+                  const details = await getLatestDependencyInfo(directDep);
                   const currentVersion =
-                    packageJson.dependencies[dep] ?? packageJson.devDependencies[dep];
+                    packageJson.dependencies[directDep] ??
+                    packageJson.devDependencies[directDep];
 
                   // There can only be a possibility of a fix available if the original parent dep has
                   // a fix available, and the latestVersion is greater than the current version.
                   const possibleFixAvailable =
                     fixAvailable && details.latestVersion !== currentVersion;
 
                   return {
-                    name: dep,
+                    name: directDep,
                     latestVersion: details.latestVersion,
                     currentVersion,
                     possibleFixAvailable,
                   };
-                }),
+                })
               );
 
               return {
-                name: dep,
-                isDirect: findDirectDependencies(dep).isDirect,
-                fixAvailable,
+                name: parentDep,
+                isDirect: findDirectDependencies(parentDep, directoryPath)
+                  .isDirect,
+                fixAvailable: fixAvailableIncludesParentDep || fixAvailable,
                 latestVersion: parentInfo.latestVersion,
                 childVersion: childVersion,
                 directDependencies: directDependenciesObjs,
               };
-            }),
+            })
           );
 
           return {
@@ -66,18 +84,21 @@ const enhanceVulnerabilityList = async (auditResult, directoryPath) => {
             parentDependencies,
           };
         } catch (error) {
-          console.error(`Error enhancing vulnerability for ${vuln.name}:`, error);
+          console.error(
+            `Error enhancing vulnerability for ${vuln.name}:`,
+            error
+          );
           return vuln; // Return original vulnerability if there's an error
         }
-      }),
+      })
     );
 
     return {
       ...auditResult,
       vulnerabilities: enhancedVulnerabilities,
     };
   } catch (error) {
-    console.error('Error enhancing vulnerabilities:', error);
+    console.error("Error enhancing vulnerabilities:", error);
     throw error;
   }
 };