fix(nodejs): check all importers to detect dev deps from pnpm-lock.yaml file (#7387)

DmitriyLewen · web-flow · commit fd9ed3a330bc · 2024-09-02T07:19:01.000Z
diff --git a/pkg/dependency/parser/nodejs/pnpm/parse.go b/pkg/dependency/parser/nodejs/pnpm/parse.go
@@ -37,15 +37,11 @@ type LockFile struct {
 	Packages        map[string]PackageInfo `yaml:"packages,omitempty"`
 
 	// V9
-	Importers Importer            `yaml:"importers,omitempty"`
+	Importers map[string]Importer `yaml:"importers,omitempty"`
 	Snapshots map[string]Snapshot `yaml:"snapshots,omitempty"`
 }
 
 type Importer struct {
-	Root RootImporter `yaml:".,omitempty"`
-}
-
-type RootImporter struct {
 	Dependencies    map[string]ImporterDepVersion `yaml:"dependencies,omitempty"`
 	DevDependencies map[string]ImporterDepVersion `yaml:"devDependencies,omitempty"`
 }
@@ -167,6 +163,18 @@ func (p *Parser) parseV9(lockFile LockFile) ([]ftypes.Package, []ftypes.Dependen
 
 	}
 
+	// Parse `Importers` to find all direct dependencies
+	devDeps := make(map[string]string)
+	deps := make(map[string]string)
+	for _, importer := range lockFile.Importers {
+		for n, v := range importer.DevDependencies {
+			devDeps[n] = v.Version
+		}
+		for n, v := range importer.Dependencies {
+			deps[n] = v.Version
+		}
+	}
+
 	for depPath, pkgInfo := range lockFile.Packages {
 		name, ver, ref := p.parseDepPath(depPath, lockVer)
 		parsedVer := p.parseVersion(depPath, ver, lockVer)
@@ -179,10 +187,10 @@ func (p *Parser) parseV9(lockFile LockFile) ([]ftypes.Package, []ftypes.Dependen
 		// We will update `Dev` field later.
 		dev := true
 		relationship := ftypes.RelationshipIndirect
-		if dep, ok := lockFile.Importers.Root.DevDependencies[name]; ok && dep.Version == ver {
+		if v, ok := devDeps[name]; ok && p.trimPeerDeps(v, lockVer) == ver {
 			relationship = ftypes.RelationshipDirect
 		}
-		if dep, ok := lockFile.Importers.Root.Dependencies[name]; ok && p.trimPeerDeps(dep.Version, lockVer) == ver {
+		if v, ok := deps[name]; ok && p.trimPeerDeps(v, lockVer) == ver {
 			relationship = ftypes.RelationshipDirect
 			dev = false // mark root direct deps to update `dev` field of their child deps.
 		}
diff --git a/pkg/dependency/parser/nodejs/pnpm/parse_test.go b/pkg/dependency/parser/nodejs/pnpm/parse_test.go
@@ -59,12 +59,6 @@ func TestParse(t *testing.T) {
 			want:     pnpmV9,
 			wantDeps: pnpmV9Deps,
 		},
-		{
-			name:     "v9",
-			file:     "testdata/pnpm-lock_v9.yaml",
-			want:     pnpmV9,
-			wantDeps: pnpmV9Deps,
-		},
 		{
 			name:     "v9 with cyclic dependencies import",
 			file:     "testdata/pnpm-lock_v9_cyclic_import.yaml",
diff --git a/pkg/dependency/parser/nodejs/pnpm/parse_testcase.go b/pkg/dependency/parser/nodejs/pnpm/parse_testcase.go
@@ -752,6 +752,13 @@ var (
 			Version:      "0.4.0",
 			Relationship: ftypes.RelationshipIndirect,
 		},
+		{
+			ID:           "await-sleep@0.0.1",
+			Name:         "await-sleep",
+			Version:      "0.0.1",
+			Dev:          true,
+			Relationship: ftypes.RelationshipDirect,
+		},
 		{
 			ID:           "debug@4.3.4",
 			Name:         "debug",
@@ -843,6 +850,12 @@ var (
 			Version:      "8.1.0",
 			Relationship: ftypes.RelationshipDirect,
 		},
+		{
+			ID:           "sleep-utils@1.0.3",
+			Name:         "sleep-utils",
+			Version:      "1.0.3",
+			Relationship: ftypes.RelationshipDirect,
+		},
 		{
 			ID:           "statuses@1.4.0",
 			Name:         "statuses",
diff --git a/pkg/dependency/parser/nodejs/pnpm/testdata/pnpm-lock_v9.yaml b/pkg/dependency/parser/nodejs/pnpm/testdata/pnpm-lock_v9.yaml
@@ -40,6 +40,17 @@ importers:
         specifier: 2.0.0
         version: 2.0.0
 
+  subdir:
+    dependencies:
+      sleep-utils:
+        specifier: 1.0.3
+        version: 1.0.3
+
+    devDependencies:
+      await-sleep:
+        specifier: ^0.0.1
+        version: 0.0.1
+
 packages:
 
   '@babel/helper-string-parser@7.24.1':
@@ -52,6 +63,9 @@ packages:
   asynckit@0.4.0:
     resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
 
+  await-sleep@0.0.1:
+    resolution: {integrity: sha512-H3X3eAxwGpeNIk/yvFOs8g7500Q1YvzrxjSC9TNgLGtjrMFxPwhDdcT34QNs2iGWpZ+5WKkMJdjDoYs+Sw+TaA==}
+
   debug@4.3.4:
     resolution: {integrity: sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==}
     engines: {node: '>=6.0'}
@@ -117,6 +131,9 @@ packages:
   promise@8.1.0:
     resolution: {integrity: sha512-W04AqnILOL/sPRXziNicCjSNRruLAuIHEOVBazepu0545DDNGYHz7ar9ZgZ1fMU8/MA4mVxp5rkBWRi6OXIy3Q==}
 
+  sleep-utils@1.0.3:
+    resolution: {integrity: sha512-uJW7WDHISE1zJIdvoIewcdmis3pBvJhM30rni2gH7fHhV1NkTWLKw3J6CPRFdg3h+rFChFHzAgbkCKUErd4s8Q==}
+
   statuses@1.4.0:
     resolution: {integrity: sha512-zhSCtt8v2NDrRlPQpCNtw/heZLtfUDqxBM1udqikb/Hbk52LK4nQSwr10u77iopCW5LsyHpuXS0GnEc48mLeew==}
     engines: {node: '>= 0.6'}
@@ -134,6 +151,8 @@ snapshots:
 
   asynckit@0.4.0: {}
 
+  await-sleep@0.0.1: {}
+
   debug@4.3.4(supports-color@8.1.1):
     dependencies:
       ms: 2.0.0
@@ -186,6 +205,8 @@ snapshots:
     optionalDependencies:
       asap: 2.0.6
 
+  sleep-utils@1.0.3: {}
+
   statuses@1.4.0: {}
 
   unpipe@1.0.0: {}
