Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NPM aliased packages are not handled correctly #588

Closed
michaelkedar opened this issue Oct 13, 2023 · 1 comment · Fixed by #610 or #615
Closed

NPM aliased packages are not handled correctly #588

michaelkedar opened this issue Oct 13, 2023 · 1 comment · Fixed by #610 or #615
Assignees
@cuixq
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@michaelkedar
Copy link
Member

michaelkedar commented Oct 13, 2023
edited
Loading

In NPM, you can install packages under a different name e.g. from @isaacs/cliui:

"dependencies": {
  "string-width": "^5.1.2",
  "string-width-cjs": "npm:string-width@^4.2.0",
  "strip-ansi": "^7.0.1",
  "strip-ansi-cjs": "npm:strip-ansi@^6.0.1",
  "wrap-ansi": "^8.1.0",
  "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0"
},

Which seems to show up in the package-lock.json as

"node_modules/string-width-cjs": {
  "name": "string-width",
  "version": "4.2.3",
  "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
  ...
},

(not sure what it looks like in the v1 format) Edit: seems like it shows up in the old format as

"string-width-cjs": {
  "version": "npm:[email protected]",
  "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
  ...
},

(but I don't think version of npm that only use this format actually allows aliases...)

I believe osv-scanner will use the aliased name when looking for vulnerabilities, which can potentially cause false negatives (or false positives maybe, if the alias is a vulnerable package?)

We should also look into if other ecosystems have a similar issue.
@michaelkedar michaelkedar added the bug Something isn't working label Oct 13, 2023
@oliverchang oliverchang added the good first issue Good for newcomers label Oct 13, 2023
@oliverchang
Copy link
Collaborator

@cuixq this is a simple first issue if you're looking for a smaller code task to tackle.

@cuixq cuixq self-assigned this Oct 16, 2023
@cuixq cuixq mentioned this issue Oct 25, 2023
Merged
cuixq added a commit that referenced this issue Oct 26, 2023
@cuixq
handle npm aliased packages (#610)
f1e0e5b 
Fixes #588
@G-Rath G-Rath mentioned this issue Oct 29, 2023
Merged
another-rex pushed a commit that referenced this issue Oct 30, 2023
@G-Rath
fix: handle yarn aliased packages (#615)
419a945 
Resolves #588
Follows up #610

Because of how PNPM structures its lockfile, aliases are already
supported there
@Porkepix Porkepix mentioned this issue Nov 2, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cuixq cuixq

Labels
bug Something isn't working good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

handle npm aliased packages cuixq/osv-scanner
fix: handle yarn aliased packages
3 participants
@oliverchang @michaelkedar @cuixq