Skip to content

feat: Add support for 'npm-shrinkwrap.json' #747

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat: Add support for 'npm-shrinkwrap.json' #747

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
56c70f2
Add support for 'npm-shrinkwrap.json'
AlexLaroche May 14, 2025
8953b0f
skips package-lock.json extraction if there's also an npm-shrinkwrap.…
AlexLaroche May 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion docs/supported_inventory_types.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ SCALIBR supports extracting software package information from a variety of OS an
* Lockfiles: pom.xml, gradle.lockfile, verification-metadata.xml
* Javascript
* Installed NPM packages (package.json)
* Lockfiles: package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lock
* Lockfiles: package-lock.json, npm-shrinkwrap.json, yarn.lock, pnpm-lock.yaml, bun.lock
* ObjectiveC
* Podfile.lock
* PHP:
Expand Down
12 changes: 11 additions & 1 deletion extractor/filesystem/language/javascript/packagelockjson/packagelockjson.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -237,7 +237,7 @@ func (e Extractor) Requirements() *plugin.Capabilities {
// FileRequired returns true if the specified file matches npm lockfile patterns.
func (e Extractor) FileRequired(api filesystem.FileAPI) bool {
path := api.Path()
if filepath.Base(path) != "package-lock.json" {
if !slices.Contains([]string{"package-lock.json", "npm-shrinkwrap.json"}, filepath.Base(path)) {
return false
}
// Skip lockfiles inside node_modules directories since the packages they list aren't
Expand Down Expand Up @@ -274,6 +274,16 @@ func (e Extractor) reportFileRequired(path string, fileSizeBytes int64, result s

// Extract extracts packages from package-lock.json files passed through the scan input.
func (e Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) (inventory.Inventory, error) {
// If both package-lock.json and npm-shrinkwrap.json are present in the root of a project,
// npm-shrinkwrap.json will take precedence and package-lock.json will be ignored.
if filepath.Base(input.Path) == "package-lock.json" {
npmShrinkwrapPath := strings.TrimSuffix(input.Path, "package-lock.json") + "npm-shrinkwrap.json"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's use path.Dir instead of strings.TrimSuffix - https://pkg.go.dev/path#Dir

_, err := input.FS.Open(npmShrinkwrapPath)
if err == nil {
return inventory.Inventory{}, nil
}
}

packages, err := e.extractPkgLock(ctx, input)

if e.stats != nil {
Expand Down
27 changes: 27 additions & 0 deletions extractor/filesystem/language/javascript/packagelockjson/packagelockjson_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,33 @@ func TestExtractor_FileRequired(t *testing.T) {
wantRequired: true,
wantResultMetric: stats.FileRequiredResultOK,
},
{
name: "npm-shrinkwrap.json",
path: filepath.FromSlash("npm-shrinkwrap.json"),
wantRequired: true,
wantResultMetric: stats.FileRequiredResultOK,
},
{
name: "npm-shrinkwrap.json at the end of a path",
path: filepath.FromSlash("path/to/my/npm-shrinkwrap.json"),
wantRequired: true,
wantResultMetric: stats.FileRequiredResultOK,
},
{
name: "npm-shrinkwrap.json as path segment",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also add tests for extraction working properly with some example npm.shrinkwrap.json files? See packagelockjson-v1_test.go. You can create a similar file called shrinkwrap_test.go

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder how useful this is considering that the files are identical and only the name changes.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be helpful if we can support this behavior but for the moment, I don't see a clean way to do so.

If both package-lock.json and npm-shrinkwrap.json are present in the root of a project, npm-shrinkwrap.json will take precedence and package-lock.json will be ignored.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that the precedence behavior was added let's add a test for it too

path: filepath.FromSlash("path/to/my/npm-shrinkwrap.json/file"),
wantRequired: false,
},
{
name: "npm-shrinkwrap.json.file (wrong extension)",
path: filepath.FromSlash("path/to/my/npm-shrinkwrap.json.file"),
wantRequired: false,
},
{
name: "path.to.my.npm-shrinkwrap.json",
path: filepath.FromSlash("path.to.my.npm-shrinkwrap.json"),
wantRequired: false,
},
}

for _, tt := range tests {
Expand Down
Loading