feat(npm): treat peerDependencies as dependencies #7988

Closed
knqyf263 opened this issue Nov 25, 2024 · 0 comments · Fixed by #7989
Description

In some cases, peer dependencies are listed in package-lock.json, and then Trivy detects the vulnerabilities for those packages, but Trivy doesn't include them in the dependency tree.

cat package.json
{
  "name": "myapp",
  "version": "1.1.1",
  "description": "try",
  "dependencies": {
    "winston-mail": "^2.0.0"
  }
}

winston-mail has a peer dependency winston.
https://github.com/wavded/winston-mail/blob/19e80d757996a305739536de66ecf3a939360cc4/package.json#L29-L31

npm v3-v6 (tested with v6.14.18)

  • npm install doesn't install peer dependencies
  • npm install doesn't record peer dependencies in package-lock.json
  • npm list --all doesn't show the details of peer dependencies in the tree if they are not found.
  • npm list --all shows peer dependencies separately in the tree if they are found locally.

When winston is not found

$ npm --version
6.14.18
$ npm install
/node_v3_with_peer # npm list --all
[email protected] /node_v3_with_peer
+-- UNMET PEER DEPENDENCY winston@>=0.5.0
`-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | `-- [email protected]
  |   +-- [email protected]
  |   +-- [email protected]
  |   `-- [email protected]
  `-- [email protected]

When winston is found

$ npm install winston // manually install
$ npm list --all
[email protected] /app
+-- [email protected]
| +-- @colors/[email protected]
...(deducted)...
`-- [email protected]
  +-- [email protected]
  | +-- [email protected]
  | `-- [email protected]
  |   +-- [email protected]
  |   +-- [email protected]
  |   `-- [email protected]
  `-- [email protected]

winston is displayed next to winston-mail, not under winston-mail.

npm v7+ (tested with v10.9.1) and v1-3(?)

  • npm install installs peer dependencies
  • npm install records peer dependencies in package-lock.json
  • npm list --all shows peer dependencies under the parent in the tree

winston is displayed under winston-mail.

Yarn (tested with v1.2.22)

  • yarn install doesn't install peer dependencies
  • yarn install doesn't record peer dependencies in package-lock.json
  • yarn list --all doesn't show peer dependencies in the tree

$ yarn list --all
yarn list v1.22.19
Done in 0.17s.

They all work differently.

Ideas

There are two ideas:

  1. Always exclude peer dependencies
  2. Follow the package manager's implementations

Suggestion

Peer dependencies are not strictly project-dependent packages. Therefore, peer dependencies are not installed in npm v6 and are shown separately in the dependency tree, I guess. However, in newer npm versions (v7+), peer dependencies are installed and displayed in the tree like normal dependencies. If Trivy does not show peer dependencies, we expect to receive inquiries from users. To avoid confusion, we would like to opt for the second approach.

If peer dependencies are recorded in the lock file, treat them as normal dependencies, like npm v7+, even though it's not technically accurate.

References

https://nodejs.org/en/blog/npm/peer-dependencies
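The following Go program is an added illustration of the second approach (follow the package manager), not Trivy's own parser and not code from the issue. It reads a lockfileVersion 2/3 package-lock.json, resolves each package's `dependencies` with npm's nested-then-ancestor `node_modules` lookup, and, when asked to, attaches `peerDependencies` the same way but only if the peer is actually recorded in the lock file (an unmet peer, as npm v6 would report it, is skipped rather than invented). The lock file content and all version numbers in it are constructed for the example; the type and function names are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// lockPackage holds the fields of one "packages" entry that matter for
// building the dependency tree.
type lockPackage struct {
	Version          string            `json:"version"`
	Dependencies     map[string]string `json:"dependencies"`
	PeerDependencies map[string]string `json:"peerDependencies"`
}

type lockFile struct {
	LockfileVersion int                    `json:"lockfileVersion"`
	Packages        map[string]lockPackage `json:"packages"`
}

// Package is one resolved node: name@version plus the IDs it depends on.
type Package struct {
	ID        string
	DependsOn []string
}

// sampleLock is a constructed lockfileVersion 3 file (versions are made up).
// winston-mail declares winston as a peer and npm v7+ recorded winston in
// node_modules; winston declares a peer that was never installed.
const sampleLock = `{
  "name": "myapp",
  "version": "1.1.1",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "myapp", "version": "1.1.1", "dependencies": { "winston-mail": "^2.0.0" } },
    "node_modules/winston-mail": {
      "version": "2.0.0",
      "dependencies": { "emailjs": "^2.0.0" },
      "peerDependencies": { "winston": ">=0.5.0" }
    },
    "node_modules/emailjs": { "version": "2.0.0" },
    "node_modules/winston": {
      "version": "3.0.0",
      "peerDependencies": { "unmet-peer-example": "^1.0.0" }
    }
  }
}`

// pkgName strips every leading "node_modules/" segment from a lock path.
func pkgName(path string) string {
	i := strings.LastIndex(path, "node_modules/")
	return path[i+len("node_modules/"):]
}

// findDep mimics Node's module lookup: the package's own nested node_modules
// first, then each ancestor's node_modules up to the project root.
func findDep(pkgs map[string]lockPackage, fromPath, name string) (string, bool) {
	dir := fromPath
	for {
		candidate := dir + "/node_modules/" + name
		if dir == "" {
			candidate = "node_modules/" + name
		}
		if _, ok := pkgs[candidate]; ok {
			return candidate, true
		}
		if dir == "" {
			return "", false
		}
		if i := strings.LastIndex(dir, "/node_modules/"); i >= 0 {
			dir = dir[:i] // step out to the enclosing package
		} else {
			dir = "" // next stop is the project-level node_modules
		}
	}
}

// resolveDeps returns every installed package keyed by name@version. With
// includePeers set, recorded peers are attached like regular dependencies;
// peers absent from the lock file are skipped, never fabricated.
func resolveDeps(lock []byte, includePeers bool) (map[string]Package, error) {
	var lf lockFile
	if err := json.Unmarshal(lock, &lf); err != nil {
		return nil, err
	}
	if lf.LockfileVersion < 2 {
		return nil, fmt.Errorf("lockfileVersion %d has no packages map", lf.LockfileVersion)
	}
	out := make(map[string]Package)
	for path, p := range lf.Packages {
		if !strings.HasPrefix(path, "node_modules/") {
			continue // the "" root entry is the project itself
		}
		id := pkgName(path) + "@" + p.Version
		var deps []string
		attach := func(names map[string]string) {
			for name := range names {
				if depPath, ok := findDep(lf.Packages, path, name); ok {
					deps = append(deps, pkgName(depPath)+"@"+lf.Packages[depPath].Version)
				}
			}
		}
		attach(p.Dependencies)
		if includePeers {
			attach(p.PeerDependencies)
		}
		sort.Strings(deps)
		out[id] = Package{ID: id, DependsOn: deps}
	}
	return out, nil
}

func main() {
	pkgs, err := resolveDeps([]byte(sampleLock), true)
	if err != nil {
		panic(err)
	}
	ids := make([]string, 0, len(pkgs))
	for id := range pkgs {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		fmt.Printf("%s -> %v\n", id, pkgs[id].DependsOn)
	}
}
```

With `includePeers` true, winston-mail's edges become `emailjs` and `winston`, which is the npm v7+ picture; with it false you get the npm v6 picture where winston is a sibling with no edge from winston-mail. Either way the unmet peer on winston produces no edge, so the tree never references a package the lock file does not contain.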

@knqyf263 knqyf263 added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 25, 2024
@knqyf263 knqyf263 added this to the v0.59.0 milestone Nov 25, 2024
@knqyf263 knqyf263 self-assigned this Nov 25, 2024