feat: add alias support for npm v1 v2 and v3

Author: aarlaud

lib/aliasesPreprocessors/npm-lock-v1.ts

@@ -0,0 +1,24 @@
+import * as cloneDeep from 'lodash.clonedeep';
+export const rewriteAliasesInNpmLockV1 = (lockfileContent: string): string => {
+  const jsonLockfile = JSON.parse(lockfileContent);
+  for (const pkg in jsonLockfile.dependencies) {
+    if (jsonLockfile.dependencies[pkg].version.startsWith('npm:')) {
+      const aliasName = jsonLockfile.dependencies[pkg].version.substring(
+        4,
+        jsonLockfile.dependencies[pkg].version.lastIndexOf('@'),
+      );
+      jsonLockfile.dependencies[aliasName] = cloneDeep(
+        jsonLockfile.dependencies[pkg],
+      );
+      jsonLockfile.dependencies[aliasName].version = jsonLockfile.dependencies[
+        pkg
+      ].version.substring(
+        jsonLockfile.dependencies[pkg].version.lastIndexOf('@') + 1,
+        jsonLockfile.dependencies[pkg].version.length,
+      );
+      delete jsonLockfile.dependencies[pkg];
+    }
+  }
+
+  return JSON.stringify(jsonLockfile);
+};

lib/aliasesPreprocessors/npm-lock-v2.ts

@@ -0,0 +1,41 @@
+import { NpmLockPkg } from '../dep-graph-builders/npm-lock-v2/extract-npm-lock-v2-pkgs';
+
+export const rewriteAliasesInNpmLockV2 = (
+  lockfilePackages: Record<string, NpmLockPkg>,
+): Record<string, NpmLockPkg> => {
+  // 1. Rewrite top level "" packages in "".dependencies
+  const rootPkg = lockfilePackages[''];
+  const lockFileToReturn: Record<string, NpmLockPkg> = lockfilePackages;
+  if (rootPkg && rootPkg.dependencies) {
+    const dependencies = rootPkg.dependencies;
+    for (const pkgName in rootPkg.dependencies) {
+      if (!rootPkg.dependencies[pkgName].startsWith('npm:')) {
+        const aliasName = rootPkg.dependencies.dependencies[pkgName].substring(
+          4,
+          rootPkg.dependencies.dependencies[pkgName].lastIndexOf('@'),
+        );
+        const aliasVersion = rootPkg.dependencies.dependencies[
+          pkgName
+        ].substring(
+          rootPkg.dependencies.dependencies[pkgName].lastIndexOf('@') + 1,
+          rootPkg.dependencies.dependencies[pkgName].length,
+        );
+        dependencies[aliasName] = aliasVersion;
+      } else {
+        dependencies[pkgName] = rootPkg.dependencies[pkgName];
+      }
+    }
+    lockFileToReturn[''].dependencies = dependencies;
+  }
+
+  // 2. Rewrite alias packages
+  for (const pkgName in lockfilePackages) {
+    if (pkgName != '' && lockfilePackages[pkgName].name) {
+      lockFileToReturn[`node_modules/${lockfilePackages[pkgName].name}`] =
+        lockfilePackages[pkgName];
+      delete lockFileToReturn[pkgName];
+    }
+  }
+
+  return lockFileToReturn;
+};

lib/aliasesPreprocessors/yarn-lock-v1.ts

@@ -1,4 +1,4 @@
-export const rewriteAliasesInLockV1 = (lockfileContent: string): string => {
+export const rewriteAliasesInYarnLockV1 = (lockfileContent: string): string => {
   const regex = /^(\s*)"(.+?@npm:)([^"]+)":/gm;
 
   const lockfilePreprocessed = lockfileContent.replace(regex, '$1"$3":');

lib/aliasesPreprocessors/yarn-lock-v2.ts

@@ -1,6 +1,6 @@
 import { NormalisedPkgs } from '../dep-graph-builders/types';
 import * as cloneDeep from 'lodash.clonedeep';
-export const rewriteAliasesInLockV2 = (
+export const rewriteAliasesInYarnLockV2 = (
   lockfileNormalisedPkgs: NormalisedPkgs,
 ): NormalisedPkgs => {
   const lockfileNormalisedPkgsPreprocessed: NormalisedPkgs = cloneDeep(

lib/dep-graph-builders/npm-lock-v2/index.ts

@@ -21,6 +21,8 @@ import * as semver from 'semver';
 import * as micromatch from 'micromatch';
 import * as pathUtil from 'path';
 import { eventLoopSpinner } from 'event-loop-spinner';
+import { rewriteAliasesPkgJson } from '../../aliasesPreprocessors/pkgJson';
+import { rewriteAliasesInNpmLockV2 } from '../../aliasesPreprocessors/npm-lock-v2';
 
 export { extractPkgsFromNpmLockV2 };
 
@@ -36,8 +38,14 @@ export const parseNpmLockV2Project = async (
     pruneNpmStrictOutOfSync,
   } = options;
 
-  const pkgJson: PackageJsonBase = parsePkgJson(pkgJsonContent);
-  const pkgs = extractPkgsFromNpmLockV2(pkgLockContent);
+  const pkgJson: PackageJsonBase = parsePkgJson(
+    options.honorAliases
+      ? rewriteAliasesPkgJson(pkgJsonContent)
+      : pkgJsonContent,
+  );
+  const pkgs = options.honorAliases
+    ? rewriteAliasesInNpmLockV2(extractPkgsFromNpmLockV2(pkgLockContent))
+    : extractPkgsFromNpmLockV2(pkgLockContent);
 
   const depgraph = await buildDepGraphNpmLockV2(pkgs, pkgJson, {
     includeDevDeps,

lib/dep-graph-builders/yarn-lock-v1/simple.ts

@@ -1,6 +1,6 @@
 import { buildDepGraphYarnLockV1Simple } from '.';
 import { rewriteAliasesPkgJson } from '../../aliasesPreprocessors/pkgJson';
-import { rewriteAliasesInLockV1 } from '../../aliasesPreprocessors/yarn-lock-v1';
+import { rewriteAliasesInYarnLockV1 } from '../../aliasesPreprocessors/yarn-lock-v1';
 
 import { PackageJsonBase, YarnLockV1ProjectParseOptions } from '../types';
 import { parsePkgJson } from '../util';
@@ -22,7 +22,9 @@ export const parseYarnLockV1Project = async (
   } = options;
 
   const pkgs = extractPkgsFromYarnLockV1(
-    honorAliases ? rewriteAliasesInLockV1(yarnLockContent) : yarnLockContent,
+    honorAliases
+      ? rewriteAliasesInYarnLockV1(yarnLockContent)
+      : yarnLockContent,
   );
 
   const pkgJson: PackageJsonBase = parsePkgJson(

lib/dep-graph-builders/yarn-lock-v2/simple.ts

@@ -8,7 +8,7 @@ import {
 import { buildDepGraphYarnLockV2Simple } from './build-depgraph-simple';
 import { DepGraph } from '@snyk/dep-graph';
 import { rewriteAliasesPkgJson } from '../../aliasesPreprocessors/pkgJson';
-import { rewriteAliasesInLockV2 } from '../../aliasesPreprocessors/yarn-lock-v2';
+import { rewriteAliasesInYarnLockV2 } from '../../aliasesPreprocessors/yarn-lock-v2';
 
 export const parseYarnLockV2Project = async (
   pkgJsonContent: string,
@@ -25,7 +25,7 @@ export const parseYarnLockV2Project = async (
   } = options;
 
   const pkgs = honorAliases
-    ? rewriteAliasesInLockV2(extractPkgsFromYarnLockV2(yarnLockContent))
+    ? rewriteAliasesInYarnLockV2(extractPkgsFromYarnLockV2(yarnLockContent))
     : extractPkgsFromYarnLockV2(yarnLockContent);
 
   const pkgJson: PackageJsonBase = parsePkgJson(

lib/index.ts

@@ -70,6 +70,8 @@ import {
   getPnpmLockfileVersion,
   NodeLockfileVersion,
 } from './utils';
+import { rewriteAliasesInNpmLockV1 } from './aliasesPreprocessors/npm-lock-v1';
+import { rewriteAliasesPkgJson } from './aliasesPreprocessors/pkgJson';
 export {
   parseNpmLockV2Project,
   extractPkgsFromYarnLockV1,
@@ -156,6 +158,7 @@ async function buildDepTreeFromFiles(
   lockFilePath: string,
   includeDev = false,
   strictOutOfSync = true,
+  honorAliases?: boolean,
 ): Promise<PkgTree> {
   if (!root || !manifestFilePath || !lockFilePath) {
     throw new Error('Missing required parameters for buildDepTreeFromFiles()');
@@ -192,8 +195,12 @@ async function buildDepTreeFromFiles(
   }
 
   return await buildDepTree(
-    manifestFileContents,
-    lockFileContents,
+    honorAliases
+      ? rewriteAliasesPkgJson(manifestFileContents)
+      : manifestFileContents,
+    honorAliases
+      ? rewriteAliasesInNpmLockV1(lockFileContents)
+      : lockFileContents,
     includeDev,
     lockFileType,
     strictOutOfSync,

test/jest/dep-graph-builders/aliases.test.ts

@@ -1,12 +1,13 @@
 import { join } from 'path';
 import { readFileSync } from 'fs';
 import {
+  buildDepTreeFromFiles,
   parseNpmLockV2Project,
   parseYarnLockV1Project,
   parseYarnLockV2Project,
 } from '../../../lib/';
 
-describe('Testing aliases', () => {
+describe('Testing aliases for yarn', () => {
   it('match aliased package - yarn-lock-v1', async () => {
     const pkgJsonContent = readFileSync(
       join(__dirname, `./fixtures/aliases/yarn-lock-v1/package.json`),
@@ -57,37 +58,82 @@ describe('Testing aliases', () => {
         honorAliases: true,
       },
     );
-    console.log(JSON.stringify(newDepGraph));
     expect(newDepGraph).toBeDefined;
 
     expect(JSON.stringify(newDepGraph)).toContain('@yao-pkg/pkg');
     expect(JSON.stringify(newDepGraph)).not.toContain("'pkg@");
   });
+});
+describe('Testing aliases for npm', () => {
+  it('match aliased package - npm-lock-v1', async () => {
+    const rootPath = join(__dirname, './fixtures/aliases/npm-lock-v1');
 
-  // it('match aliased package - npm-lock-v2', async () => {
-  //   const pkgJsonContent = readFileSync(
-  //     join(__dirname, `./fixtures/aliases/package.json`),
-  //     'utf8',
-  //   );
-  //   const pkgLockContent = readFileSync(
-  //     join(__dirname, `./fixtures/aliases/package-lock.json`),
-  //     'utf8',
-  //   );
+    const newDepGraph = await buildDepTreeFromFiles(
+      rootPath,
+      join(__dirname, `./fixtures/aliases/npm-lock-v1/package.json`),
+      join(__dirname, `./fixtures/aliases/npm-lock-v1/package-lock.json`),
+      true,
+      true,
+      true,
+    );
 
-  //   const newDepGraph = await parseNpmLockV2Project(
-  //     pkgJsonContent,
-  //     pkgLockContent,
-  //     {
-  //       includeDevDeps: false,
-  //       includeOptionalDeps: true,
-  //       pruneCycles: true,
-  //       strictOutOfSync: true,
-  //     },
-  //   );
+    expect(newDepGraph).toBeDefined;
+    expect(() => JSON.parse(JSON.stringify(newDepGraph))).not.toThrow();
+    expect(JSON.stringify(newDepGraph)).toContain('@yao-pkg/pkg');
+    expect(JSON.stringify(newDepGraph)).not.toContain('"pkg"');
+  });
+  it('match aliased package - npm-lock-v2', async () => {
+    const pkgJsonContent = readFileSync(
+      join(__dirname, `./fixtures/aliases/npm-lock-v2/package.json`),
+      'utf8',
+    );
+    const pkgLockContent = readFileSync(
+      join(__dirname, `./fixtures/aliases/npm-lock-v2/package-lock.json`),
+      'utf8',
+    );
 
-  //   expect(newDepGraph).toBeDefined;
+    const newDepGraph = await parseNpmLockV2Project(
+      pkgJsonContent,
+      pkgLockContent,
+      {
+        includeDevDeps: true,
+        includeOptionalDeps: true,
+        pruneCycles: true,
+        strictOutOfSync: true,
+        honorAliases: true,
+      },
+    );
 
-  //   expect(JSON.stringify(newDepGraph)).toContain('@yao-pkg/pkg');
-  //   expect(JSON.stringify(newDepGraph)).not.toContain("'pkg'");
-  // });
+    expect(newDepGraph).toBeDefined;
+    expect(() => JSON.parse(JSON.stringify(newDepGraph))).not.toThrow();
+    expect(JSON.stringify(newDepGraph)).toContain('@yao-pkg/pkg');
+    expect(JSON.stringify(newDepGraph)).not.toContain('"pkg"');
+  });
+  it('match aliased package - npm-lock-v3', async () => {
+    const pkgJsonContent = readFileSync(
+      join(__dirname, `./fixtures/aliases/npm-lock-v3/package.json`),
+      'utf8',
+    );
+    const pkgLockContent = readFileSync(
+      join(__dirname, `./fixtures/aliases/npm-lock-v3/package-lock.json`),
+      'utf8',
+    );
+
+    const newDepGraph = await parseNpmLockV2Project(
+      pkgJsonContent,
+      pkgLockContent,
+      {
+        includeDevDeps: true,
+        includeOptionalDeps: true,
+        pruneCycles: true,
+        strictOutOfSync: true,
+        honorAliases: true,
+      },
+    );
+
+    expect(newDepGraph).toBeDefined;
+    expect(() => JSON.parse(JSON.stringify(newDepGraph))).not.toThrow();
+    expect(JSON.stringify(newDepGraph)).toContain('@yao-pkg/pkg');
+    expect(JSON.stringify(newDepGraph)).not.toContain('"pkg"');
+  });
 });