diff --git a/lib/lock-parser/build-dep-graph.ts b/lib/lock-parser/build-dep-graph.ts
index 28254dd..9c7e3cb 100644
--- a/lib/lock-parser/build-dep-graph.ts
+++ b/lib/lock-parser/build-dep-graph.ts
@@ -41,7 +41,7 @@ export async function buildDepGraph(
     lockFileContents,
     {
       includeDevDeps: options.includeDevDeps,
-      includeOptionalDeps: options.includeOptionalDeps,
+      includeOptionalDeps: options.includeOptionalDeps || true,
       pruneWithinTopLevelDeps: true,
       strictOutOfSync: options.strictOutOfSync,
     },
diff --git a/lib/workspaces/pnpm-workspaces-parser.ts b/lib/workspaces/pnpm-workspaces-parser.ts
index 6b477e8..f3f9207 100644
--- a/lib/workspaces/pnpm-workspaces-parser.ts
+++ b/lib/workspaces/pnpm-workspaces-parser.ts
@@ -36,7 +36,7 @@ function computeProjectVersionMaps(root: string, targetFiles) {
       const projectVersion = parsedPkgJson.version;
       projectsVersionMap[
         normalizeFilePath(pathUtil.relative(root, directory))
-      ] = projectVersion;
+      ] = projectVersion || 'undefined';
     } catch (err: any) {
       debug(
         `Error getting version for project: ${packageJsonFileName}. ERROR: ${err}`,
@@ -132,7 +132,7 @@ export async function processPnpmWorkspaces(
       pnpmLock.content,
       {
         includeDevDeps: settings.dev || false,
-        includeOptionalDeps: settings.optional || false,
+        includeOptionalDeps: settings.optional || true,
         pruneWithinTopLevelDeps: true,
         strictOutOfSync:
           settings.strictOutOfSync === undefined
diff --git a/package.json b/package.json
index 3dd28de..8043f1b 100644
--- a/package.json
+++ b/package.json
@@ -42,7 +42,7 @@
     "lodash.isempty": "^4.4.0",
     "lodash.sortby": "^4.7.0",
     "micromatch": "4.0.2",
-    "snyk-nodejs-lockfile-parser": "^1.53.1",
+    "snyk-nodejs-lockfile-parser": "^1.53.2",
     "snyk-resolve-deps": "4.8.0"
   },
   "devDependencies": {
diff --git a/test/fixtures/pnpm/lock-v5/undefined-package-version/package.json b/test/fixtures/pnpm/lock-v5/undefined-package-version/package.json
new file mode 100644
index 0000000..f0c60b8
--- /dev/null
+++ b/test/fixtures/pnpm/lock-v5/undefined-package-version/package.json
@@ -0,0 +1,13 @@
+{
+  "name": "pnpm-shallow-goof",
+  "version": "0.0.1",
+  "description": "A vulnerable demo application",
+  "homepage": "https://snyk.io/",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/snyk-fixtures/pnpm-shallow-goof"
+  },
+  "dependencies": {
+    "a": "workspace:*"
+  }
+}
diff --git a/test/fixtures/pnpm/lock-v5/undefined-package-version/packages/pkg-a/package.json b/test/fixtures/pnpm/lock-v5/undefined-package-version/packages/pkg-a/package.json
new file mode 100644
index 0000000..83c7712
--- /dev/null
+++ b/test/fixtures/pnpm/lock-v5/undefined-package-version/packages/pkg-a/package.json
@@ -0,0 +1,16 @@
+{
+  "name": "a",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "node-uuid": "1.4.0",
+    "qs": "0.0.6"
+  }
+ }
+ 
\ No newline at end of file
diff --git a/test/fixtures/pnpm/lock-v5/undefined-package-version/pnpm-lock.yaml b/test/fixtures/pnpm/lock-v5/undefined-package-version/pnpm-lock.yaml
new file mode 100644
index 0000000..57c7d4a
--- /dev/null
+++ b/test/fixtures/pnpm/lock-v5/undefined-package-version/pnpm-lock.yaml
@@ -0,0 +1,28 @@
+lockfileVersion: 5.4
+
+importers:
+
+  .:
+    specifiers:
+      a: workspace:*
+    dependencies:
+      a: link:packages/pkg-a
+
+  packages/pkg-a:
+    specifiers:
+      node-uuid: 1.4.0
+      qs: 0.0.6
+    dependencies:
+      node-uuid: 1.4.0
+      qs: 0.0.6
+
+packages:
+
+  /node-uuid/1.4.0:
+    resolution: {integrity: sha512-Vns3Mj1WBYNwPchf2T/pt9q2GUpM97JvLekAkAwWYX1H2kIxYQ+jUb3GWmaNRboP5XoS3p3nxptIv00I+cOtLg==}
+    deprecated: Use uuid module instead
+    dev: false
+
+  /qs/0.0.6:
+    resolution: {integrity: sha512-1i8kQcg7L3IYwt9uLfTfAGucLE+wrp7hB+xEGbM0yFp0tbsykoXmSyi+AWn0qdglKMdPzIrzS6w5Ack0ZvkfqQ==}
+    dev: false
diff --git a/test/fixtures/pnpm/lock-v5/undefined-package-version/pnpm-workspace.yaml b/test/fixtures/pnpm/lock-v5/undefined-package-version/pnpm-workspace.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/test/fixtures/pnpm/lock-v6/undefined-package-version/package.json b/test/fixtures/pnpm/lock-v6/undefined-package-version/package.json
new file mode 100644
index 0000000..f0c60b8
--- /dev/null
+++ b/test/fixtures/pnpm/lock-v6/undefined-package-version/package.json
@@ -0,0 +1,13 @@
+{
+  "name": "pnpm-shallow-goof",
+  "version": "0.0.1",
+  "description": "A vulnerable demo application",
+  "homepage": "https://snyk.io/",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/snyk-fixtures/pnpm-shallow-goof"
+  },
+  "dependencies": {
+    "a": "workspace:*"
+  }
+}
diff --git a/test/fixtures/pnpm/lock-v6/undefined-package-version/packages/pkg-a/package.json b/test/fixtures/pnpm/lock-v6/undefined-package-version/packages/pkg-a/package.json
new file mode 100644
index 0000000..83c7712
--- /dev/null
+++ b/test/fixtures/pnpm/lock-v6/undefined-package-version/packages/pkg-a/package.json
@@ -0,0 +1,16 @@
+{
+  "name": "a",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "node-uuid": "1.4.0",
+    "qs": "0.0.6"
+  }
+ }
+ 
\ No newline at end of file
diff --git a/test/fixtures/pnpm/lock-v6/undefined-package-version/pnpm-lock.yaml b/test/fixtures/pnpm/lock-v6/undefined-package-version/pnpm-lock.yaml
new file mode 100644
index 0000000..35c5b0f
--- /dev/null
+++ b/test/fixtures/pnpm/lock-v6/undefined-package-version/pnpm-lock.yaml
@@ -0,0 +1,33 @@
+lockfileVersion: '6.0'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false
+
+importers:
+
+  .:
+    dependencies:
+      a:
+        specifier: workspace:*
+        version: link:packages/pkg-a
+
+  packages/pkg-a:
+    dependencies:
+      node-uuid:
+        specifier: 1.4.0
+        version: 1.4.0
+      qs:
+        specifier: 0.0.6
+        version: 0.0.6
+
+packages:
+
+  /node-uuid@1.4.0:
+    resolution: {integrity: sha512-Vns3Mj1WBYNwPchf2T/pt9q2GUpM97JvLekAkAwWYX1H2kIxYQ+jUb3GWmaNRboP5XoS3p3nxptIv00I+cOtLg==}
+    deprecated: Use uuid module instead
+    dev: false
+
+  /qs@0.0.6:
+    resolution: {integrity: sha512-1i8kQcg7L3IYwt9uLfTfAGucLE+wrp7hB+xEGbM0yFp0tbsykoXmSyi+AWn0qdglKMdPzIrzS6w5Ack0ZvkfqQ==}
+    dev: false
diff --git a/test/fixtures/pnpm/lock-v6/undefined-package-version/pnpm-workspace.yaml b/test/fixtures/pnpm/lock-v6/undefined-package-version/pnpm-workspace.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/test/workspaces/pnpm-workspaces-parser.spec.ts b/test/workspaces/pnpm-workspaces-parser.spec.ts
index 4ee0097..833a51b 100644
--- a/test/workspaces/pnpm-workspaces-parser.spec.ts
+++ b/test/workspaces/pnpm-workspaces-parser.spec.ts
@@ -14,35 +14,91 @@ describe('process pnpm workspaces', () => {
       packageManager: 'pnpm',
       lockFileVersion: '5',
       fixture: 'workspace-with-isolated-pkgs',
+      projects: 3,
+      targetFiles: [
+        'pnpm-lock.yaml',
+        'packages/pkg-a/package.json',
+        'packages/pkg-b/package.json',
+      ],
     },
     {
       packageManager: 'pnpm',
       lockFileVersion: '6',
       fixture: 'workspace-with-isolated-pkgs',
+      projects: 3,
+      targetFiles: [
+        'pnpm-lock.yaml',
+        'packages/pkg-a/package.json',
+        'packages/pkg-b/package.json',
+      ],
     },
     {
       packageManager: 'pnpm',
       lockFileVersion: '5',
       fixture: 'workspace-with-cross-ref',
+      projects: 3,
+      targetFiles: [
+        'pnpm-lock.yaml',
+        'packages/pkg-a/package.json',
+        'packages/pkg-b/package.json',
+      ],
     },
     {
       packageManager: 'pnpm',
       lockFileVersion: '6',
       fixture: 'workspace-with-cross-ref',
+      projects: 3,
+      targetFiles: [
+        'pnpm-lock.yaml',
+        'packages/pkg-a/package.json',
+        'packages/pkg-b/package.json',
+      ],
     },
     {
       packageManager: 'pnpm',
       lockFileVersion: '5',
       fixture: 'workspace-empty-config-file',
+      projects: 3,
+      targetFiles: [
+        'pnpm-lock.yaml',
+        'packages/pkg-a/package.json',
+        'packages/pkg-b/package.json',
+      ],
     },
     {
       packageManager: 'pnpm',
       lockFileVersion: '6',
       fixture: 'workspace-with-cross-ref',
+      projects: 3,
+      targetFiles: [
+        'pnpm-lock.yaml',
+        'packages/pkg-a/package.json',
+        'packages/pkg-b/package.json',
+      ],
+    },
+    {
+      packageManager: 'pnpm',
+      lockFileVersion: '5',
+      fixture: 'undefined-package-version',
+      projects: 2,
+      targetFiles: ['pnpm-lock.yaml', 'packages/pkg-a/package.json'],
+    },
+    {
+      packageManager: 'pnpm',
+      lockFileVersion: '6',
+      fixture: 'undefined-package-version',
+      projects: 2,
+      targetFiles: ['pnpm-lock.yaml', 'packages/pkg-a/package.json'],
     },
   ])(
     'should build valid dep graph for $packageManager, lockfile version = $lockFileVersion',
-    async ({ packageManager, lockFileVersion, fixture }) => {
+    async ({
+      packageManager,
+      lockFileVersion,
+      fixture,
+      projects,
+      targetFiles,
+    }) => {
       const fixturePath = path.resolve(
         __dirname,
         '..',
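Review bot: `options.includeOptionalDeps || true` on the added line in build-dep-graph.ts evaluates to `true` for every input, including an explicit `false`, so the option is read but can no longer switch optional dependencies off. If the intent is "include optional dependencies unless the caller says otherwise", the default operator is `??`: `includeOptionalDeps: options.includeOptionalDeps ?? true,`. The same pattern is introduced in lib/workspaces/pnpm-workspaces-parser.ts in the `@@ -132` hunk, where `settings.optional || true` replaces `settings.optional || false` and likewise pins the value to `true`; `settings.optional ?? true` keeps the setting meaningful there as well. If always scanning optional dependencies is in fact the intent, dropping the option from the call (and documenting the change in scan scope) is clearer than an expression that silently ignores it. buildDepGraph's body starts and ends outside the hunk.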
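Review bot: `projectVersion || 'undefined'` in computeProjectVersionMaps stores the literal string `'undefined'` as a version, which downstream consumers of projectsVersionMap cannot distinguish from a package.json that genuinely declares `"version": "undefined"`, and it applies equally to an empty-string version. Nothing in the hunk says what consumes this sentinel or why a string is required rather than leaving the key unset, so a why-comment is needed, e.g. `// presumably the lockfile parser requires a string version for every workspace project — TODO confirm` placed above the assignment. Giving the sentinel a named module-level constant instead of an inline literal would also make the contract with the consumer greppable. computeProjectVersionMaps starts and ends outside the hunk.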
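Review bot: The sixth table entry pairs `lockFileVersion: '6'` with `fixture: 'workspace-with-cross-ref'`, which the fourth entry already covers, while the v5 entry directly above it uses `'workspace-empty-config-file'`; this looks like a copy-paste slip carried into the new table, and if so the lock-v6 `workspace-empty-config-file` fixture is never exercised. Because the test title interpolates only `$packageManager` and `$lockFileVersion`, duplicate and missing fixtures are invisible in the report; `'should build valid dep graph for $fixture, $packageManager, lockfile version = $lockFileVersion'` would surface them. The identical `projects: 3` plus three-entry `targetFiles` block is repeated six times and could be hoisted into one shared constant spread into each entry. The `describe` callback and the `it.each` table start outside the hunk.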
@@ -54,13 +110,17 @@ describe('process pnpm workspaces', () => { process.chdir(fixturePath); const currentDir = process.cwd(); - const result = await processPnpmWorkspaces(currentDir, {}, [ - `${currentDir}/pnpm-lock.yaml`, - `${currentDir}/packages/pkg-a/package.json`, - `${currentDir}/packages/pkg-b/package.json`, - ]); + const resolvedTargetFiles = targetFiles.map( + (file) => `${currentDir}/${file}`, + ); + + const result = await processPnpmWorkspaces( + currentDir, + {}, + resolvedTargetFiles, + ); expect(result.plugin.name).toEqual('snyk-nodejs-pnpm-workspaces'); - expect(result.scannedProjects.length).toEqual(3); + expect(result.scannedProjects.length).toEqual(projects); expect(result.scannedProjects[0].depGraph?.toJSON()).not.toEqual({}); }, );
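Review bot: The unchanged assertion `expect(result.scannedProjects[0].depGraph?.toJSON()).not.toEqual({})` inspects only the first scanned project, so for the new two-project `undefined-package-version` fixtures the workspace package that actually lacks a version (pkg-a, presumably not the first entry) is never checked — the case the fixtures were added for. Iterating over every project, `for (const project of result.scannedProjects) { expect(project.depGraph?.toJSON()).not.toEqual({}); }`, covers it, and an expectation on pkg-a's node in the graph would pin whatever version string the parser is expected to emit for a package with no `version` field. The optional chaining also lets a missing `depGraph` pass, since `undefined` is not equal to `{}`; asserting `toBeDefined()` on `depGraph` first makes that failure explicit. The test callback starts outside the hunk.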