Skip to content

Fixes nested dependency detection in NpmLockfile3Detector and applies the engines array fix that was missing from PR #1400. #1606

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
gzproger wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Fixes nested dependency detection in NpmLockfile3Detector and applies the engines array fix that was missing from PR #1400. #1606

gzproger wants to merge 2 commits into from
+883 −85

Conversation

@gzproger
Copy link

@gzproger gzproger commented Jan 8, 2026

Changes

  • Rewrote ProcessLockfile to iterate ALL packages directly (matching npm's actual behavior)
  • Applied PackageJsonEnginesConverter to PackageLockV3Package.Engines (PR don't throw if engines property is a string array #1400 only fixed NpmComponentDetector, not NpmLockfile3Detector)
  • Fixed devOptional classification for packages that are both dev and optional dependencies of non-dev packages
  • Added node-style module resolution for building dependency graph edges

Testing

  • All unit tests pass (11/11)
  • Tested on 3 real-world repos with correct component counts

@jiewenz
Fix NpmLockfile3 nested dependency detection and devOptional classifi…
a703d5a 
…cation

- Rewrite ProcessLockfile to iterate ALL packages directly instead of tree traversal
- Add node-style module resolution for dependency graph edges
- Fix devOptional and peer+dev dependencies to be classified as dev dependencies
- Skip link packages (symbolic links) and bundled dependencies
- Handle engines field as JsonElement to support both object and array formats
- Add tests for devOptional, peer-only, and engines-as-array scenarios

Fixes issue microsoft#1380

## Test Results

Tested against multiple real-world repositories with npm lockfile v3:
- Main branch crashes when engines field is array format instead of object
- This PR correctly handles both object and array formats for engines
- This PR detects all packages from lockfile including nested dependencies
- NpmLockfile3 now finds the complete transitive dependency tree
@gzproger gzproger requested a review from a team as a code owner January 8, 2026 21:00
@gzproger gzproger requested review from AMaini503 and Copilot January 8, 2026 21:00
@codecov
Copy link

codecov bot commented Jan 8, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 95.59939% with 29 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.2%. Comparing base (601ebcd) to head (4b9e0d0).

Files with missing lines Patch % Lines
...entDetection.Detectors/npm/NpmLockfile3Detector.cs 80.0% 12 Missing and 9 partials ⚠️
...onentDetection.Detectors.Tests/NpmTestUtilities.cs 90.2% 0 Missing and 8 partials ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##            main   #1606     +/-   ##
=======================================
+ Coverage   90.0%   90.2%   +0.1%     
=======================================
  Files        437     437             
  Lines      37181   37777    +596     
  Branches    2306    2332     +26     
=======================================
+ Hits       33499   34082    +583     
+ Misses      3210    3208      -2     
- Partials     472     487     +15

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Copilot AI reviewed Jan 8, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes nested dependency detection in NpmLockfile3Detector and applies the missing engines array converter fix from PR #1400. The core change rewrites the ProcessLockfile method from a queue-based traversal to a cleaner three-pass approach that processes all packages directly, then registers components, and finally builds dependency edges using node-style module resolution.

Key changes:

  • Replaces complex queue-based dependency traversal with direct iteration over all packages in lockfile
  • Implements node-style module resolution for dependency graph construction, walking up the directory tree to find dependencies
  • Fixes devOptional classification to correctly mark peer dependencies that are also dev dependencies

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
src/Microsoft.ComponentDetection.Detectors/npm/NpmLockfile3Detector.cs Complete rewrite of ProcessLockfile to use three-pass approach with node-style resolution; removes queue-based traversal
src/Microsoft.ComponentDetection.Detectors/npm/NpmLockfileDetectorBase.cs Adds new RecordComponent overload for registering components with explicit reference flag
src/Microsoft.ComponentDetection.Detectors/npm/Contracts/PackageLockV3Package.cs Applies PackageJsonEnginesConverter to Engines property to handle array format
test/Microsoft.ComponentDetection.Detectors.Tests/NpmLockfile3DetectorTests.cs Adds three new tests for devOptional, peer, and engines array handling
test/Microsoft.ComponentDetection.Detectors.Tests/NpmTestUtilities.cs Adds helper methods for generating test lockfiles with devOptional and peer dependencies

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@AMaini503 AMaini503 Awaiting requested review from AMaini503 AMaini503 is a code owner automatically assigned from microsoft/ose-component-detection-maintainers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gzproger @jiewenz