Skip to content

fix(javascript): strip peer-dep suffix from deno.lock npm keys#5055

Open
Synvoya wants to merge 1 commit into
anchore:mainfrom
Synvoya:fix/deno-lock-npm-peer-deps
Open

fix(javascript): strip peer-dep suffix from deno.lock npm keys#5055
Synvoya wants to merge 1 commit into
anchore:mainfrom
Synvoya:fix/deno-lock-npm-peer-deps

Conversation

@Synvoya

@Synvoya Synvoya commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Description

deno.lock npm keys append resolved peer dependencies after the version, separated by _ — e.g. typedoc@0.28.19_typescript@6.0.3, or the scoped @algolia/autocomplete-preset-algolia@1.17.9_@algolia+client-search@5.50.0 (a peer's scope @// is re-encoded as +).

parseDenoNpmNameVersion split on the last @, so it captured a peer dependency's @:

  • typedoc@0.28.19_typescript@6.0.3 → name typedoc@0.28.19_typescript, version 6.0.3
  • the scoped example → name @algolia/autocomplete-preset-algolia@1.17.9_@algolia+client-search, version 5.50.0

Both produce a garbage package name, the wrong (peer's) version, and a corrupt PURL — which breaks vulnerability matching. These suffixed keys are common: in denoland/fresh 222 of 808 npm keys carry one.

Fix

Strip the peer suffix — the first _ after the version's @ — before splitting name@version. A semver version never contains _, so the split point is unambiguous, and this correctly handles package names that themselves contain _.

Test

Added two peer-dep keys (unscoped + scoped) to test-fixtures/deno/deno.lock with the expected packages in parse_deno_lock_test.go. go test ./syft/pkg/cataloger/javascript/ passes; reverting only the parser change fails the test (names/PURLs regress to the garbage forms above).

deno.lock npm keys append resolved peer dependencies after the version,
separated by "_" (e.g. "typedoc@0.28.19_typescript@6.0.3" or the scoped
"@scope/name@1.2.3_@scope+peer@4.5.6"). parseDenoNpmNameVersion split on the
last "@", capturing a peer's "@" and producing a garbage package name plus
the peer's version (and a corrupt PURL that breaks vulnerability matching).

Strip the peer suffix (the first "_" after the version "@") before splitting
name@version; a semver version never contains "_".

Signed-off-by: Synvoya <16019863+Synvoya@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant