Skip to content

Commit

Permalink
fix(nodejs): fix infinite loop when package link from `package-lock.j…
Browse files Browse the repository at this point in the history
…son` file is broken [backport: release/v0.52] (#6888)

Co-authored-by: DmitriyLewen <[email protected]>
  • Loading branch information
aqua-bot and DmitriyLewen authored Jun 10, 2024
1 parent f186d22 commit 01dbb42
Show file tree
Hide file tree
Showing 3 changed files with 43 additions and 3 deletions.
16 changes: 13 additions & 3 deletions pkg/dependency/parser/nodejs/npm/parse.go
Original file line number Diff line number Diff line change
Expand Up @@ -194,8 +194,16 @@ func (p *Parser) parseV2(packages map[string]Package) ([]ftypes.Package, []ftype
// node_modules/func1 -> link to target
// see `package-lock_v3_with_workspace.json` to better understanding
func (p *Parser) resolveLinks(packages map[string]Package) {
links := lo.PickBy(packages, func(_ string, pkg Package) bool {
return pkg.Link
links := lo.PickBy(packages, func(pkgPath string, pkg Package) bool {
if !pkg.Link {
return false
}
if pkg.Resolved == "" {
p.logger.Warn("`package-lock.json` contains broken link with empty `resolved` field. This package will be skipped to avoid receiving an empty package", log.String("pkg", pkgPath))
delete(packages, pkgPath)
return false
}
return true
})
// Early return
if len(links) == 0 {
Expand All @@ -208,7 +216,9 @@ func (p *Parser) resolveLinks(packages map[string]Package) {
}

workspaces := rootPkg.Workspaces
for pkgPath, pkg := range packages {
// Changing the map during the map iteration causes unexpected behavior,
// so we need to iterate over the cloned `packages` map, but change the original `packages` map.
for pkgPath, pkg := range maps.Clone(packages) {
for linkPath, link := range links {
if !strings.HasPrefix(pkgPath, link.Resolved) {
continue
Expand Down
6 changes: 6 additions & 0 deletions pkg/dependency/parser/nodejs/npm/parse_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,12 @@ func TestParse(t *testing.T) {
want: npmV3WithoutRootDepsField,
wantDeps: npmV3WithoutRootDepsFieldDeps,
},
{
name: "lock version v3 with broken link",
file: "testdata/package-lock_v3_broken_link.json",
want: nil,
wantDeps: nil,
},
}

for _, tt := range tests {
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{
"name": "node_v3_without_direct_deps",
"version": "1.0.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "node_v3_without_direct_deps",
"version": "1.0.0",
"license": "ISC"
},
"functions/func1": {
"version": "1.0.0",
"license": "ISC",
"dependencies": {
"debug": "^2.6.9"
}
},
"node_modules/func1": {
"resolved": "",
"link": true
}
}
}

0 comments on commit 01dbb42

Please sign in to comment.