fix(javascript): strip peer-dep suffix from deno.lock npm keys#5055
Open
Synvoya wants to merge 1 commit into
Open
fix(javascript): strip peer-dep suffix from deno.lock npm keys#5055Synvoya wants to merge 1 commit into
Synvoya wants to merge 1 commit into
Conversation
deno.lock npm keys append resolved peer dependencies after the version, separated by "_" (e.g. "typedoc@0.28.19_typescript@6.0.3" or the scoped "@scope/name@1.2.3_@scope+peer@4.5.6"). parseDenoNpmNameVersion split on the last "@", capturing a peer's "@" and producing a garbage package name plus the peer's version (and a corrupt PURL that breaks vulnerability matching). Strip the peer suffix (the first "_" after the version "@") before splitting name@version; a semver version never contains "_". Signed-off-by: Synvoya <16019863+Synvoya@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
deno.locknpm keys append resolved peer dependencies after the version, separated by_— e.g.typedoc@0.28.19_typescript@6.0.3, or the scoped@algolia/autocomplete-preset-algolia@1.17.9_@algolia+client-search@5.50.0(a peer's scope@//is re-encoded as+).parseDenoNpmNameVersionsplit on the last@, so it captured a peer dependency's@:typedoc@0.28.19_typescript@6.0.3→ nametypedoc@0.28.19_typescript, version6.0.3@algolia/autocomplete-preset-algolia@1.17.9_@algolia+client-search, version5.50.0Both produce a garbage package name, the wrong (peer's) version, and a corrupt PURL — which breaks vulnerability matching. These suffixed keys are common: in
denoland/fresh222 of 808 npm keys carry one.Fix
Strip the peer suffix — the first
_after the version's@— before splittingname@version. A semver version never contains_, so the split point is unambiguous, and this correctly handles package names that themselves contain_.Test
Added two peer-dep keys (unscoped + scoped) to
test-fixtures/deno/deno.lockwith the expected packages inparse_deno_lock_test.go.go test ./syft/pkg/cataloger/javascript/passes; reverting only the parser change fails the test (names/PURLs regress to the garbage forms above).