Track dev and peer dependencies as optional. Include dev dependencies…

… in the dependency tree for pnpm Signed-off-by: Prabhu Subramanian <[email protected]>
CycloneDX · Jan 20, 2025 · e5d74db · e5d74db
1 parent a1122d7
commit e5d74db
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 10 deletions.
diff --git a/lib/helpers/utils.js b/lib/helpers/utils.js
@@ -2105,6 +2105,10 @@ export async function parsePnpmLock(
         lockfileVersion >= 6
           ? yamlObj.importers["."]?.optionalDependencies || {}
           : {};
+      const rootPeerDeps =
+        lockfileVersion >= 6
+          ? yamlObj.importers["."]?.peerDependencies || {}
+          : {};
       const ddeplist = new Set();
       // Find the root optional dependencies
       for (const rdk of Object.keys(rootDevDeps)) {
@@ -2119,7 +2123,7 @@ export async function parsePnpmLock(
         ).toString();
         possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
       }
-      for (const rdk of Object.keys(rootOptionalDeps)) {
+      for (const rdk of Object.keys({ ...rootOptionalDeps, ...rootPeerDeps })) {
         const version = await getVersionNumPnpm(rootOptionalDeps[rdk]);
         const dpurl = new PackageURL(
           "npm",
@@ -2161,6 +2165,8 @@ export async function parsePnpmLock(
         const componentOptionalDeps =
           yamlObj?.importers[importedComponentName]["optionalDependencies"] ||
           {};
+        const componentPeerDeps =
+          yamlObj?.importers[importedComponentName]["peerDependencies"] || {};
         let compPurl = undefined;
         let pkgSrcFile = undefined;
         let fallbackMode = true;
@@ -2262,6 +2268,7 @@ export async function parsePnpmLock(
             null,
           ).toString();
           const depRef = decodeURIComponent(dpurl);
+          // This is a definite dependency of this component
           comDepList.add(depRef);
           possibleOptionalDeps[depRef] = false;
           // Track the package.json files
@@ -2272,10 +2279,6 @@ export async function parsePnpmLock(
             srcFilesMap[depRef].push(pkgSrcFile);
           }
         }
-        dependenciesList.push({
-          ref: decodeURIComponent(compPurl),
-          dependsOn: [...comDepList].sort(),
-        });
         for (const cdk of Object.keys(componentDevDeps)) {
           const version = await getVersionNumPnpm(componentDevDeps[cdk]);
           const dpurl = new PackageURL(
@@ -2286,9 +2289,15 @@ export async function parsePnpmLock(
             null,
             null,
           ).toString();
-          possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
-        }
-        for (const cdk of Object.keys(componentOptionalDeps)) {
+          const devDpRef = decodeURIComponent(dpurl);
+          possibleOptionalDeps[devDpRef] = true;
+          // This is also a dependency of this component
+          comDepList.add(devDpRef);
+        }
+        for (const cdk of Object.keys({
+          ...componentOptionalDeps,
+          ...componentPeerDeps,
+        })) {
           const version = await getVersionNumPnpm(componentOptionalDeps[cdk]);
           const dpurl = new PackageURL(
             "npm",
@@ -2300,6 +2309,10 @@ export async function parsePnpmLock(
           ).toString();
           possibleOptionalDeps[decodeURIComponent(dpurl)] = true;
         }
+        dependenciesList.push({
+          ref: decodeURIComponent(compPurl),
+          dependsOn: [...comDepList].sort(),
+        });
       }
       dependenciesList.push({
         ref: decodeURIComponent(ppurl),
@@ -2567,6 +2580,10 @@ export async function parsePnpmLock(
               depsWorkspaceRefs[purlString] ||
               [],
           )) {
+            // This cycle shouldn't happen, but we can't be sure
+            if (wref === purlString) {
+              continue;
+            }
             properties.push({
               name: "internal:workspaceRef",
               value: wref,
@@ -2582,7 +2599,7 @@ export async function parsePnpmLock(
               if (!depsWorkspaceRefs[dref]) {
                 depsWorkspaceRefs[dref] = [];
               }
-              depsWorkspaceRefs[dref].push(dref);
+              depsWorkspaceRefs[dref].push(wref);
             }
           }
           const thePkg = {
@@ -2666,6 +2683,10 @@ export async function parsePnpmLock(
       );
       if (!wsprops.length) {
         for (const wref of depsWorkspaceRefs[apkg["bom-ref"]]) {
+          // Such a cycle should never happen, but we can't sure
+          if (wref === apkg["bom-ref"]) {
+            continue;
+          }
           apkg.properties.push({
             name: "internal:workspaceRef",
             value: wref,

diff --git a/types/lib/helpers/utils.d.ts.map b/types/lib/helpers/utils.d.ts.map