From 0092efa086a1fa3af2354e81abcf329891f6a70a Mon Sep 17 00:00:00 2001
From: Frank Viernau
Date: Fri, 4 Oct 2024 12:16:25 +0200
Subject: [PATCH] fix(Npm): Stop creating dangling packages for non-workspace projects According to the code comment directly above, adding the packages is necessary only for projects using workspaces, see also [1]. Executing the logic is not necessary for non-workspace projects and may lead to non-referenced packages in the result, for example when scope excludes are used. Fix that by executing the code only conditionally. Note: The workspaces support for Pnpm and Yarn currently represents workspace submodules as non-referenced packages. This change is a preparation for fixing the workspace submodule representation. Fixes #9195. [1]: https://github.com/oss-review-toolkit/ort/pull/4034/files#diff-28d89c724dd945fe93dec5700d61d4dcdaab02f492e09613c8fee6ac5c76cbe6R363-R366 Signed-off-by: Frank Viernau
---
 ...p-skip-excluded-scopes-expected-output.yml | 394 ------------------
 .../node/src/main/kotlin/Npm.kt | 7 +-
 2 files changed, 5 insertions(+), 396 deletions(-)
diff --git a/plugins/package-managers/node/src/funTest/assets/projects/synthetic/npm/shrinkwrap-skip-excluded-scopes-expected-output.yml b/plugins/package-managers/node/src/funTest/assets/projects/synthetic/npm/shrinkwrap-skip-excluded-scopes-expected-output.yml
index 775383bc6ee06..f1061d8adae53 100644
--- a/plugins/package-managers/node/src/funTest/assets/projects/synthetic/npm/shrinkwrap-skip-excluded-scopes-expected-output.yml
+++ b/plugins/package-managers/node/src/funTest/assets/projects/synthetic/npm/shrinkwrap-skip-excluded-scopes-expected-output.yml
@@ -164,97 +164,6 @@ packages: url: "https://github.com/cheeriojs/cheerio.git" revision: "f21ffef971826d1ba64ccbdf96adbc44964d30c5" path: "" -- id: "NPM::coffee-script:1.12.7" - purl: "pkg:npm/coffee-script@1.12.7" - authors: - - "Jeremy Ashkenas" - declared_licenses: - - "MIT" - declared_licenses_processed: - spdx_expression: "MIT" - description: "Unfancy JavaScript" - homepage_url: "http://coffeescript.org" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/coffee-script/-/coffee-script-1.12.7.tgz" - hash: - value: "c05dae0cb79591d05b3070a8433a98c9a89ccc53" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "git://github.com/jashkenas/coffeescript.git" - revision: "492111ccfb9b703b49a443c1aa68fb41dc8a2271" - path: "" - vcs_processed: - type: "Git" - url: "https://github.com/jashkenas/coffeescript.git" - revision: "492111ccfb9b703b49a443c1aa68fb41dc8a2271" - path: "" -- id: "NPM::cson:4.1.0" - purl: "pkg:npm/cson@4.1.0" - authors: - - "2012+ Bevry Pty Ltd" - declared_licenses: - - "MIT" - declared_licenses_processed: - spdx_expression: "MIT" - description: "CoffeeScript-Object-Notation Parser. Same as JSON but for CoffeeScript\ - \ objects." 
- homepage_url: "https://github.com/bevry/cson" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/cson/-/cson-4.1.0.tgz" - hash: - value: "b1075344fa9d9fe5cf88d80f21d9366296b865c7" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "https://github.com/bevry/cson.git" - revision: "0e913a90be66b2f29d2d75433b06ed52e83ba810" - path: "" - vcs_processed: - type: "Git" - url: "https://github.com/bevry/cson.git" - revision: "0e913a90be66b2f29d2d75433b06ed52e83ba810" - path: "" -- id: "NPM::cson-parser:1.3.5" - purl: "pkg:npm/cson-parser@1.3.5" - authors: - - "Groupon" - declared_licenses: - - "BSD-3-Clause" - declared_licenses_processed: - spdx_expression: "BSD-3-Clause" - description: "Safe parsing of CSON files" - homepage_url: "https://github.com/groupon/cson-parser" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/cson-parser/-/cson-parser-1.3.5.tgz" - hash: - value: "7ec675e039145533bf2a6a856073f1599d9c2d24" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "git+ssh://git@github.com/groupon/cson-parser" - revision: "fa37e04bc6c516eb76ef01df2d105a413c0253a0" - path: "" - vcs_processed: - type: "Git" - url: "ssh://git@github.com/groupon/cson-parser.git" - revision: "fa37e04bc6c516eb76ef01df2d105a413c0253a0" - path: "" - id: "NPM::css-select:1.2.0" purl: "pkg:npm/css-select@1.2.0" authors: 
@@ -435,100 +344,6 @@ packages: url: "https://github.com/FB55/domutils.git" revision: "7d4bd16cd36ffce62362ef91616806ea27e30d95" path: "" -- id: "NPM::eachr:3.2.0" - purl: "pkg:npm/eachr@3.2.0" - authors: - - "2011+ Bevry Pty Ltd" - declared_licenses: - - "MIT" - declared_licenses_processed: - spdx_expression: "MIT" - description: "Give eachr an item to iterate (array, object or map) and an iterator,\ - \ then in return eachr gives iterator the value and key of each item, and will\ - \ stop if the iterator returned false." - homepage_url: "https://github.com/bevry/eachr" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/eachr/-/eachr-3.2.0.tgz" - hash: - value: "2c35e43ea086516f7997cf80b7aa64d55a4a4484" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "http://github.com/bevry/eachr.git" - revision: "57ef794d001c16fd906b2558137e8ea51c1f6330" - path: "" - vcs_processed: - type: "Git" - url: "https://github.com/bevry/eachr.git" - revision: "57ef794d001c16fd906b2558137e8ea51c1f6330" - path: "" -- id: "NPM::editions:1.3.4" - purl: "pkg:npm/editions@1.3.4" - authors: - - "2016+ Bevry Pty Ltd" - declared_licenses: - - "MIT" - declared_licenses_processed: - spdx_expression: "MIT" - description: "Publish multiple editions for your JavaScript packages consistently\ - \ and easily (e.g. 
source edition, esnext edition, es2015 edition)" - homepage_url: "https://github.com/bevry/editions" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/editions/-/editions-1.3.4.tgz" - hash: - value: "3662cb592347c3168eb8e498a0ff73271d67f50b" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "https://github.com/bevry/editions.git" - revision: "5580800dc3935e988b7aa2cf8d571f3e9fa2d8f9" - path: "" - vcs_processed: - type: "Git" - url: "https://github.com/bevry/editions.git" - revision: "5580800dc3935e988b7aa2cf8d571f3e9fa2d8f9" - path: "" -- id: "NPM::editions:2.1.3" - purl: "pkg:npm/editions@2.1.3" - authors: - - "2016+ Bevry Pty Ltd" - declared_licenses: - - "MIT" - declared_licenses_processed: - spdx_expression: "MIT" - description: "Publish multiple editions for your JavaScript packages consistently\ - \ and easily (e.g. source edition, esnext edition, es2015 edition)" - homepage_url: "https://github.com/bevry/editions" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/editions/-/editions-2.1.3.tgz" - hash: - value: "727ccf3ec2c7b12dcc652c71000f16c4824d6f7d" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "https://github.com/bevry/editions.git" - revision: "84f536320f7eff6385e867d9f5c1de0dfb92fa88" - path: "" - vcs_processed: - type: "Git" - url: "https://github.com/bevry/editions.git" - revision: "84f536320f7eff6385e867d9f5c1de0dfb92fa88" - path: "" - id: "NPM::entities:1.1.2" purl: "pkg:npm/entities@1.1.2" authors: 
@@ -559,95 +374,6 @@ packages: url: "https://github.com/fb55/entities.git" revision: "54a5717d85d886c4aafa2ac5ff83d8d3d730337c" path: "" -- id: "NPM::errlop:1.1.1" - purl: "pkg:npm/errlop@1.1.1" - authors: - - "2018+ Benjamin Lupton" - declared_licenses: - - "MIT" - declared_licenses_processed: - spdx_expression: "MIT" - description: "An extended Error class that envelops a parent error, such that the\ - \ stack trace contains the causation" - homepage_url: "https://github.com/bevry/errlop" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/errlop/-/errlop-1.1.1.tgz" - hash: - value: "d9ae4c76c3e64956c5d79e6e035d6343bfd62250" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "https://github.com/bevry/errlop.git" - revision: "ca13727bd3a227cd937d104b3217d1cd778cc99b" - path: "" - vcs_processed: - type: "Git" - url: "https://github.com/bevry/errlop.git" - revision: "ca13727bd3a227cd937d104b3217d1cd778cc99b" - path: "" -- id: "NPM::extract-opts:3.3.1" - purl: "pkg:npm/extract-opts@3.3.1" - authors: - - "2013+ Bevry Pty Ltd" - declared_licenses: - - "MIT" - declared_licenses_processed: - spdx_expression: "MIT" - description: "Extract the options and callback from a function's arguments easily" - homepage_url: "https://github.com/bevry/extract-opts" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/extract-opts/-/extract-opts-3.3.1.tgz" - hash: - value: "5abbedc98c0d5202e3278727f9192d7e086c6be1" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "http://github.com/bevry/extract-opts.git" - revision: "87e349bbf92a6f95d1ecc8b064a1631def105dc8" - path: "" - vcs_processed: - type: "Git" - url: "https://github.com/bevry/extract-opts.git" - revision: "87e349bbf92a6f95d1ecc8b064a1631def105dc8" - path: "" -- id: "NPM::graceful-fs:4.2.0" - purl: "pkg:npm/graceful-fs@4.2.0" - declared_licenses: - - "ISC" - declared_licenses_processed: - 
spdx_expression: "ISC" - description: "A drop-in replacement for fs, making various improvements." - homepage_url: "https://github.com/isaacs/node-graceful-fs#readme" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.0.tgz" - hash: - value: "8d8fdc73977cb04104721cb53666c1ca64cd328b" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "https://github.com/isaacs/node-graceful-fs" - revision: "585df780323740a2b562677caa08a80de1f56c62" - path: "" - vcs_processed: - type: "Git" - url: "https://github.com/isaacs/node-graceful-fs.git" - revision: "585df780323740a2b562677caa08a80de1f56c62" - path: "" - id: "NPM::htmlparser2:3.10.1" purl: "pkg:npm/htmlparser2@3.10.1" authors: @@ -886,36 +612,6 @@ packages: url: "https://github.com/nodejs/readable-stream.git" revision: "4ba93f84cf8812ca2af793c7304a5c16de72088a" path: "" -- id: "NPM::requirefresh:2.2.0" - purl: "pkg:npm/requirefresh@2.2.0" - authors: - - "2013+ Bevry Pty Ltd" - declared_licenses: - - "MIT" - declared_licenses_processed: - spdx_expression: "MIT" - description: "Require a file without adding it into the require cache" - homepage_url: "https://github.com/bevry/requirefresh" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/requirefresh/-/requirefresh-2.2.0.tgz" - hash: - value: "68298ae66af9da3d6843375adf8351dd29d73789" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "https://github.com/bevry/requirefresh.git" - revision: "f389cbc33b5891468bde8db479bc0f129b0fcc57" - path: "" - vcs_processed: - type: "Git" - url: "https://github.com/bevry/requirefresh.git" - revision: "f389cbc33b5891468bde8db479bc0f129b0fcc57" - path: "" - id: "NPM::safe-buffer:5.1.2" purl: "pkg:npm/safe-buffer@5.1.2" authors: 
@@ -946,65 +642,6 @@ packages: url: "https://github.com/feross/safe-buffer.git" revision: "649435cc8e2d1f3ecdc7caf323f1cb1187307a16" path: "" -- id: "NPM::safefs:4.1.0" - purl: "pkg:npm/safefs@4.1.0" - authors: - - "2013+ Bevry Pty Ltd" - declared_licenses: - - "MIT" - declared_licenses_processed: - spdx_expression: "MIT" - description: "Stop getting EMFILE errors! Open only as many files as the operating\ - \ system supports." - homepage_url: "https://github.com/bevry/safefs" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/safefs/-/safefs-4.1.0.tgz" - hash: - value: "f82aeb4bdd7ae51f653eb20f6728b3058c8d6445" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "http://github.com/bevry/safefs.git" - revision: "51d15eaa03e53aaedd3002dc67814355073e8a55" - path: "" - vcs_processed: - type: "Git" - url: "https://github.com/bevry/safefs.git" - revision: "51d15eaa03e53aaedd3002dc67814355073e8a55" - path: "" -- id: "NPM::semver:5.7.0" - purl: "pkg:npm/semver@5.7.0" - declared_licenses: - - "ISC" - declared_licenses_processed: - spdx_expression: "ISC" - description: "The semantic version parser used by npm." - homepage_url: "https://github.com/npm/node-semver#readme" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/semver/-/semver-5.7.0.tgz" - hash: - value: "790a7cf6fea5459bac96110b29b60412dc8ff96b" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "https://github.com/npm/node-semver" - revision: "8055dda0aee91372e3bfc47754a62f40e8a63b98" - path: "" - vcs_processed: - type: "Git" - url: "https://github.com/npm/node-semver.git" - revision: "8055dda0aee91372e3bfc47754a62f40e8a63b98" - path: "" - id: "NPM::string_decoder:1.2.0" purl: "pkg:npm/string_decoder@1.2.0" declared_licenses: 
@@ -1033,37 +670,6 @@ packages: url: "https://github.com/nodejs/string_decoder.git" revision: "6e0a9286ed4497badebd4ec6a9a7a4d37793aae8" path: "" -- id: "NPM::typechecker:4.7.0" - purl: "pkg:npm/typechecker@4.7.0" - authors: - - "2013+ Bevry Pty Ltd" - declared_licenses: - - "MIT" - declared_licenses_processed: - spdx_expression: "MIT" - description: "Utilities to get and check variable types (isString, isPlainObject,\ - \ isRegExp, etc)" - homepage_url: "https://github.com/bevry/typechecker" - binary_artifact: - url: "" - hash: - value: "" - algorithm: "" - source_artifact: - url: "https://registry.npmjs.org/typechecker/-/typechecker-4.7.0.tgz" - hash: - value: "5249f427358f45b7250c4924fd4d01ed9ba435e9" - algorithm: "SHA-1" - vcs: - type: "Git" - url: "https://github.com/bevry/typechecker.git" - revision: "69008d42927749d7e21cfe9816e478dd8d15ab88" - path: "" - vcs_processed: - type: "Git" - url: "https://github.com/bevry/typechecker.git" - revision: "69008d42927749d7e21cfe9816e478dd8d15ab88" - path: "" - id: "NPM::util-deprecate:1.0.2" purl: "pkg:npm/util-deprecate@1.0.2" authors:
diff --git a/plugins/package-managers/node/src/main/kotlin/Npm.kt b/plugins/package-managers/node/src/main/kotlin/Npm.kt
index 783ccf076207d..e90feb6748e5e 100644
--- a/plugins/package-managers/node/src/main/kotlin/Npm.kt
+++ b/plugins/package-managers/node/src/main/kotlin/Npm.kt
@@ -198,8 +198,11 @@ open class Npm(
 // Create packages for all modules found in the workspace and add them to the graph builder. They are
 // reused when they are referenced by scope dependencies.
- val packages = parseInstalledModules(workingDir)
- graphBuilder.addPackages(packages)
+ val isWorkspacesProject = (findWorkspaceSubmodules(workingDir) - workingDir).isNotEmpty()
+ if (isWorkspacesProject) {
+ val packages = parseInstalledModules(workingDir)
+ graphBuilder.addPackages(packages)
+ }
 val scopeNames = setOfNotNull(
 // Optional dependencies are just like regular dependencies except that NPM ignores failures when
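Review bot: The `isWorkspacesProject` line decides by `File` equality: assuming the elements are `File`s, `findWorkspaceSubmodules(workingDir) - workingDir` only drops the project directory if the returned entry is spelled exactly like `workingDir`, since `java.io.File` compares path strings and not resolved locations. `findWorkspaceSubmodules` is defined outside this hunk, so I cannot tell whether that holds; if it can return a relative, non-normalized or symlink-resolved form, the result stays non-empty and every project is again treated as a workspace project, quietly undoing the fix. If the invariant is not guaranteed, comparing resolved paths is safer, e.g. `val isWorkspacesProject = findWorkspaceSubmodules(workingDir).any { it.canonicalFile != workingDir.canonicalFile }`. The comment above the guard could also say why it exists, e.g. `// Only needed for workspace projects; otherwise packages that no scope references could end up in the result.` The enclosing function starts and ends outside the hunk.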