Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[npm] fix to preserve all_versions metadata from the lockfile #5846

Merged
merged 2 commits into from
Oct 10, 2022
Merged

[npm] fix to preserve all_versions metadata from the lockfile #5846

merged 2 commits into from
Oct 10, 2022

Conversation

mctofu
Copy link
Contributor

@mctofu mctofu commented Oct 7, 2022
edited
Loading

Minor follow up to #5801

In testing I saw that https://github.com/dsp-testing/npm-multiple-versions/ was still reporting the dependency was no longer vulnerable. It seems that in some cases when a dependency exists in both package.json and package-lock.json we weren't preserving all the versions. This turned out to be because when parsing dependencies from package-lock.json we converted the DependencySet to a list of dependencies and back to a DependencySet which loses a bit of the version tracking state. Rather than try to preserve everything in the conversion I found it easier to just skip the unnecessary conversion.

@mctofu mctofu force-pushed the mctofu/multi-version-fix branch from f66d8e2 to 30239b8 Compare October 7, 2022 21:47
@mctofu mctofu marked this pull request as ready for review October 7, 2022 21:55
@mctofu mctofu requested a review from a team as a code owner October 7, 2022 21:55
bdragon
bdragon approved these changes Oct 10, 2022
View reviewed changes
Copy link
Contributor

@bdragon bdragon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch!

@mctofu mctofu force-pushed the mctofu/multi-version-fix branch from 30239b8 to 1d6c772 Compare October 10, 2022 18:37
@mctofu mctofu merged commit 1ee602f into main Oct 10, 2022
@mctofu mctofu deleted the mctofu/multi-version-fix branch October 10, 2022 19:11
@jeffwidman jeffwidman mentioned this pull request Oct 10, 2022
Closed
@pavera pavera mentioned this pull request Oct 31, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bdragon bdragon bdragon approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mctofu @bdragon