Incorrect parsing for renamed npm packages
Closed this issue · 0 comments
kylewillmon commented
The package-lock.json parser seems to misinterpret renamed dependencies. For example, see this entry in @isaacs/cliui's package.json:

```json
"strip-ansi-cjs": "npm:strip-ansi@^6.0.1",
```

That causes a section in package-lock.json like this:

```json
"node_modules/strip-ansi-cjs": {
  "name": "strip-ansi",
  "version": "6.0.1",
  "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
  "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
  "dependencies": {
    "ansi-regex": "^5.0.1"
  },
  "engines": {
    "node": ">=8"
  }
},
```

The package name here is strip-ansi. It has just been locally renamed to strip-ansi-cjs. Unfortunately, phylum parse is fooled:

```shell
> phylum parse | jq '.[] | select(.name=="strip-ansi-cjs")'
{
  "name": "strip-ansi-cjs",
  "version": "6.0.1",
  "type": "npm",
  "lockfile": "package-lock.json"
}
```

Instead, phylum parse should detect this as a package named strip-ansi.
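As an added illustration of the point raised in the issue (example code, not phylum's parser and not from the reporter), here is a small walk over the packages map of a lockfileVersion 2/3 package-lock.json that takes the registry name from the entry's explicit name field and falls back to the install path only when that field is absent. The sample lockfile is constructed to mirror the quoted entry, with extra scoped and nested entries to show the path fallback.

```javascript
// Added example (not phylum's code): derive the real registry name for each
// node_modules entry of a lockfileVersion 2/3 package-lock.json. An aliased
// dependency ("strip-ansi-cjs": "npm:strip-ansi@^6.0.1") carries an explicit
// "name" field in its lock entry; that field, not the path segment, is the name.

// Constructed sample lockfile modelled on the entry quoted in the issue.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/strip-ansi-cjs": {
      name: "strip-ansi",
      version: "6.0.1",
      resolved: "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
      dependencies: { "ansi-regex": "^5.0.1" },
    },
    "node_modules/ansi-regex": { version: "5.0.1" },
    "node_modules/@scope/pkg": { version: "2.0.0" },
    "node_modules/a/node_modules/b": { version: "1.2.3" },
  },
};

// Name implied by the install path: everything after the last "node_modules/",
// which keeps a scope prefix such as "@scope/pkg" intact.
function nameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Return one record per installed package; "aliased" flags locally renamed ones.
function parsePackages(lock) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project or workspace symlink
    const installedAs = nameFromPath(path);
    const name = entry.name || installedAs; // explicit "name" wins over the path
    out.push({ installedAs, name, version: entry.version, aliased: name !== installedAs });
  }
  return out;
}

console.log(parsePackages(SAMPLE_LOCK));
```

Matching the resulting name and version against the registry (rather than the alias from the path) is what lets a supply-chain scanner attach the right advisories to a renamed package.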