lirantal/npq

Wrong version is used against Snyk API

yoavain opened this issue · 3 comments

Running npq install with an explicit version checks against Snyk using the latest version, which can result in misleading information.

Expected Behavior

Call to getSnykVulnInfo() should use explicit version.

Current Behavior

The call to getSnykVulnInfo() is using the latest version.
The installed version is the one requested.

Steps to Reproduce (for bugs)

  1. Run npq i lodash@3.10.1

Your Environment

  • Version used: 2.0.7
  • Environment name and version (e.g. Chrome 39, Node.js 5.4): NodeJS 14.16.1
  • Operating System and version (desktop or mobile): Windows 10

So I debugged a little and found out that you remove the version received from the CLI in the getInstallCommand() handler:

if (argv && argv.package) {
  for (let i = 0; i < argv.package.length; i++) {
    // eslint-disable-next-line security/detect-object-injection
    argv.package[i] = npa(argv.package[i]).name
  }
}

Then it's missing in createPackageVersionMaps(), so you add 'latest'.

If I understand correctly, the purpose of the handler was to validate input.
If there's a parsing error in npa() it will throw.
So I guess you can then either keep the input as is and just call npa (ignoring its output), or concatenate the name and fetchSpec fields:

const parsedPackage = npa(argv.package[i])
// eslint-disable-next-line security/detect-object-injection
argv.package[i] = `${parsedPackage.name}@${parsedPackage.fetchSpec}`
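The bug and the fix described above, as an added example that is not npq's own code: parsePackageArg() is a hypothetical stand-in for npm-package-arg's name/fetchSpec split (bare names, name@spec and @scope/name@spec only), createPackageVersionMaps() mimics the 'latest' fallback the comment describes, and the two normalize functions are the buggy and fixed handlers side by side.

```javascript
// Minimal stand-in for npa(): validates the argument and splits it into
// { name, fetchSpec }. A bare name gets fetchSpec 'latest', as npa does.
// This is an illustrative parser, not the real npm-package-arg.
function parsePackageArg(arg) {
  if (typeof arg !== 'string' || arg.trim() === '') {
    throw new TypeError(`invalid package argument: ${JSON.stringify(arg)}`)
  }
  // The leading "@" of a scoped package is not a version separator, so
  // search from index 1 (handles @scope/name@1.2.3 as well as lodash@3.10.1).
  const at = arg.indexOf('@', 1)
  const name = at === -1 ? arg : arg.slice(0, at)
  const fetchSpec = at === -1 ? 'latest' : arg.slice(at + 1)
  if (!/^(@[a-z0-9~-][a-z0-9._~-]*\/)?[a-z0-9~-][a-z0-9._~-]*$/.test(name)) {
    throw new Error(`invalid package name: ${name}`)
  }
  if (fetchSpec === '') {
    throw new Error(`empty version spec in: ${arg}`)
  }
  return { name, fetchSpec }
}

// Mimics the fallback the issue describes: whatever reaches this step
// without an explicit spec is checked against 'latest'.
function createPackageVersionMaps(packages) {
  return packages.map((pkg) => {
    const { name, fetchSpec } = parsePackageArg(pkg)
    return { packageName: name, packageVersion: fetchSpec }
  })
}

// Buggy handler from the report: keeps only .name, so "lodash@3.10.1"
// becomes "lodash" and the Snyk lookup silently runs against 'latest'.
function normalizePackagesBuggy(packages) {
  return packages.map((pkg) => parsePackageArg(pkg).name)
}

// Fixed handler: the parser still validates the input, but name and
// fetchSpec are re-joined so the requested version survives.
function normalizePackagesFixed(packages) {
  return packages.map((pkg) => {
    const parsed = parsePackageArg(pkg)
    return `${parsed.name}@${parsed.fetchSpec}`
  })
}
```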

Good catch, thanks!

Fixed with PR.