Merge pull request #270 from snyk/feat/add-npm-yarn-alias-support

feat: add alias support

Author: aarlaud

lib/aliasesPreprocessors/npm-lock-v1.ts

@@ -0,0 +1,24 @@
+import * as cloneDeep from 'lodash.clonedeep';
+export const rewriteAliasesInNpmLockV1 = (lockfileContent: string): string => {
+  const jsonLockfile = JSON.parse(lockfileContent);
+  for (const pkg in jsonLockfile.dependencies) {
+    if (jsonLockfile.dependencies[pkg].version.startsWith('npm:')) {
+      const aliasName = jsonLockfile.dependencies[pkg].version.substring(
+        4,
+        jsonLockfile.dependencies[pkg].version.lastIndexOf('@'),
+      );
+      jsonLockfile.dependencies[aliasName] = cloneDeep(
+        jsonLockfile.dependencies[pkg],
+      );
+      jsonLockfile.dependencies[aliasName].version = jsonLockfile.dependencies[
+        pkg
+      ].version.substring(
+        jsonLockfile.dependencies[pkg].version.lastIndexOf('@') + 1,
+        jsonLockfile.dependencies[pkg].version.length,
+      );
+      delete jsonLockfile.dependencies[pkg];
+    }
+  }
+
+  return JSON.stringify(jsonLockfile);
+};

lib/aliasesPreprocessors/npm-lock-v2.ts

@@ -0,0 +1,39 @@
+import { NpmLockPkg } from '../dep-graph-builders/npm-lock-v2/extract-npm-lock-v2-pkgs';
+
+export const rewriteAliasesInNpmLockV2 = (
+  lockfilePackages: Record<string, NpmLockPkg>,
+): Record<string, NpmLockPkg> => {
+  // 1. Rewrite top level "" packages in "".dependencies
+  const rootPkg = lockfilePackages[''];
+  const lockFileToReturn: Record<string, NpmLockPkg> = lockfilePackages;
+  if (rootPkg && rootPkg.dependencies) {
+    const dependencies = rootPkg.dependencies;
+    for (const pkgName in rootPkg.dependencies) {
+      if (rootPkg.dependencies[pkgName].startsWith('npm:')) {
+        const aliasName = rootPkg.dependencies[pkgName].substring(
+          4,
+          rootPkg.dependencies[pkgName].lastIndexOf('@'),
+        );
+        const aliasVersion = rootPkg.dependencies[pkgName].substring(
+          rootPkg.dependencies[pkgName].lastIndexOf('@') + 1,
+          rootPkg.dependencies[pkgName].length,
+        );
+        dependencies[aliasName] = aliasVersion;
+      } else {
+        dependencies[pkgName] = rootPkg.dependencies[pkgName];
+      }
+    }
+    lockFileToReturn[''].dependencies = dependencies;
+  }
+
+  // 2. Rewrite alias packages
+  for (const pkgName in lockfilePackages) {
+    if (pkgName != '' && lockfilePackages[pkgName].name) {
+      lockFileToReturn[`node_modules/${lockfilePackages[pkgName].name}`] =
+        lockfilePackages[pkgName];
+      delete lockFileToReturn[pkgName];
+    }
+  }
+
+  return lockFileToReturn;
+};

lib/aliasesPreprocessors/pkgJson.ts

@@ -0,0 +1,37 @@
+import { parsePkgJson } from '../dep-graph-builders/util';
+
+export const rewriteAliasesPkgJson = (packageJsonContent: string): string => {
+  const pkgJsonPreprocessed = parsePkgJson(packageJsonContent);
+  pkgJsonPreprocessed.dependencies = rewriteAliases(
+    pkgJsonPreprocessed.dependencies,
+  );
+  pkgJsonPreprocessed.devDependencies = rewriteAliases(
+    pkgJsonPreprocessed.devDependencies,
+  );
+  pkgJsonPreprocessed.optionalDependencies = rewriteAliases(
+    pkgJsonPreprocessed.optionalDependencies,
+  );
+  pkgJsonPreprocessed.peerDependencies = rewriteAliases(
+    pkgJsonPreprocessed.peerDependencies,
+  );
+  return JSON.stringify(pkgJsonPreprocessed);
+};
+
+export const rewriteAliases = (
+  dependencies: Record<string, string> | undefined,
+): Record<string, string> | undefined => {
+  if (!dependencies) {
+    return undefined;
+  }
+  const newDependencies: Record<string, string> = {};
+  for (const key in dependencies) {
+    const value = dependencies[key];
+    if (value.startsWith('npm:')) {
+      newDependencies[value.substring(4, value.lastIndexOf('@'))] =
+        value.substring(value.lastIndexOf('@') + 1, value.length);
+    } else {
+      newDependencies[key] = value;
+    }
+  }
+  return newDependencies;
+};

lib/aliasesPreprocessors/yarn-lock-v1.ts

@@ -0,0 +1,7 @@
+export const rewriteAliasesInYarnLockV1 = (lockfileContent: string): string => {
+  const regex = /^(\s*)"(.+?@npm:)([^"]+)":/gm;
+
+  const lockfilePreprocessed = lockfileContent.replace(regex, '$1"$3":');
+
+  return lockfilePreprocessed;
+};

lib/aliasesPreprocessors/yarn-lock-v2.ts

@@ -0,0 +1,42 @@
+import { NormalisedPkgs } from '../dep-graph-builders/types';
+import * as cloneDeep from 'lodash.clonedeep';
+export const rewriteAliasesInYarnLockV2 = (
+  lockfileNormalisedPkgs: NormalisedPkgs,
+): NormalisedPkgs => {
+  const lockfileNormalisedPkgsPreprocessed: NormalisedPkgs = cloneDeep(
+    lockfileNormalisedPkgs,
+  );
+  for (const pkg in lockfileNormalisedPkgsPreprocessed) {
+    const pkgSplit = pkg.substring(0, pkg.lastIndexOf('@'));
+    const resolutionSplit =
+      lockfileNormalisedPkgsPreprocessed[pkg].resolution?.split(
+        /@npm[:%3A]/,
+      )[0];
+
+    if (
+      !pkg.startsWith('v2@workspace') &&
+      resolutionSplit &&
+      pkgSplit != resolutionSplit
+    ) {
+      const newPkg = lockfileNormalisedPkgsPreprocessed[pkg];
+      delete lockfileNormalisedPkgsPreprocessed[pkg];
+      const newKey = pkg.replace(pkgSplit, resolutionSplit);
+      lockfileNormalisedPkgsPreprocessed[newKey] = newPkg;
+    }
+    if (pkg.startsWith('v2@workspace')) {
+      const newDependencies: Record<string, string> = {};
+      for (const key in lockfileNormalisedPkgsPreprocessed[pkg].dependencies) {
+        const value = lockfileNormalisedPkgsPreprocessed[pkg].dependencies[key];
+        if (value.startsWith('npm:')) {
+          newDependencies[value.substring(4, value.lastIndexOf('@'))] =
+            value.substring(value.lastIndexOf('@') + 1, value.length);
+        } else {
+          newDependencies[key] = value;
+        }
+      }
+      lockfileNormalisedPkgsPreprocessed[pkg].dependencies = newDependencies;
+    }
+  }
+
+  return lockfileNormalisedPkgsPreprocessed;
+};

lib/dep-graph-builders/npm-lock-v2/index.ts

@@ -21,6 +21,8 @@ import * as semver from 'semver';
 import * as micromatch from 'micromatch';
 import * as pathUtil from 'path';
 import { eventLoopSpinner } from 'event-loop-spinner';
+import { rewriteAliasesPkgJson } from '../../aliasesPreprocessors/pkgJson';
+import { rewriteAliasesInNpmLockV2 } from '../../aliasesPreprocessors/npm-lock-v2';
 
 export { extractPkgsFromNpmLockV2 };
 
@@ -38,8 +40,14 @@ export const parseNpmLockV2Project = async (
     pruneNpmStrictOutOfSync,
   } = options;
 
-  const pkgJson: PackageJsonBase = parsePkgJson(pkgJsonContent);
-  const pkgs = extractPkgsFromNpmLockV2(pkgLockContent);
+  const pkgJson: PackageJsonBase = parsePkgJson(
+    options.honorAliases
+      ? rewriteAliasesPkgJson(pkgJsonContent)
+      : pkgJsonContent,
+  );
+  const pkgs = options.honorAliases
+    ? rewriteAliasesInNpmLockV2(extractPkgsFromNpmLockV2(pkgLockContent))
+    : extractPkgsFromNpmLockV2(pkgLockContent);
 
   const depgraph = await buildDepGraphNpmLockV2(pkgs, pkgJson, {
     includeDevDeps,

lib/dep-graph-builders/types.ts

@@ -24,6 +24,7 @@ export type NormalisedPkgs = Record<
   PkgIdentifier,
   {
     version: string; // This is resolved version
+    resolution?: string;
     dependencies: Record<string, string>;
     optionalDependencies: Record<string, string>;
   }
@@ -35,6 +36,7 @@ export type DepGraphBuildOptions = {
   strictOutOfSync: boolean;
   includePeerDeps?: boolean;
   pruneNpmStrictOutOfSync?: boolean;
+  honorAliases?: boolean;
 };
 
 export type LockFileParseOptions = {
@@ -57,6 +59,7 @@ export type YarnLockV2ProjectParseOptions = {
   includeOptionalDeps: boolean;
   strictOutOfSync: boolean;
   pruneWithinTopLevelDeps: boolean;
+  honorAliases?: boolean;
 };
 
 /*
@@ -73,6 +76,7 @@ export type YarnLockV1ProjectParseOptions = {
   includePeerDeps: boolean;
   strictOutOfSync: boolean;
   pruneLevel: PruneLevel;
+  honorAliases?: boolean;
 };
 
 export type Yarn1DepGraphBuildOptions = {

lib/dep-graph-builders/yarn-lock-v1/simple.ts

@@ -1,4 +1,7 @@
 import { buildDepGraphYarnLockV1Simple } from '.';
+import { rewriteAliasesPkgJson } from '../../aliasesPreprocessors/pkgJson';
+import { rewriteAliasesInYarnLockV1 } from '../../aliasesPreprocessors/yarn-lock-v1';
+
 import { PackageJsonBase, YarnLockV1ProjectParseOptions } from '../types';
 import { parsePkgJson } from '../util';
 import { buildDepGraphYarnLockV1SimpleCyclesPruned } from './build-depgraph-simple-pruned';
@@ -15,11 +18,18 @@ export const parseYarnLockV1Project = async (
     includePeerDeps,
     pruneLevel,
     strictOutOfSync,
+    honorAliases,
   } = options;
 
-  const pkgs = extractPkgsFromYarnLockV1(yarnLockContent);
+  const pkgs = extractPkgsFromYarnLockV1(
+    honorAliases
+      ? rewriteAliasesInYarnLockV1(yarnLockContent)
+      : yarnLockContent,
+  );
 
-  const pkgJson: PackageJsonBase = parsePkgJson(pkgJsonContent);
+  const pkgJson: PackageJsonBase = parsePkgJson(
+    honorAliases ? rewriteAliasesPkgJson(pkgJsonContent) : pkgJsonContent,
+  );
 
   const depGraph =
     pruneLevel === 'cycles'

lib/dep-graph-builders/yarn-lock-v2/simple.ts

@@ -7,6 +7,8 @@ import {
 } from '../types';
 import { buildDepGraphYarnLockV2Simple } from './build-depgraph-simple';
 import { DepGraph } from '@snyk/dep-graph';
+import { rewriteAliasesPkgJson } from '../../aliasesPreprocessors/pkgJson';
+import { rewriteAliasesInYarnLockV2 } from '../../aliasesPreprocessors/yarn-lock-v2';
 
 export const parseYarnLockV2Project = async (
   pkgJsonContent: string,
@@ -19,11 +21,16 @@ export const parseYarnLockV2Project = async (
     includeOptionalDeps,
     strictOutOfSync,
     pruneWithinTopLevelDeps,
+    honorAliases,
   } = options;
 
-  const pkgs = extractPkgsFromYarnLockV2(yarnLockContent);
+  const pkgs = honorAliases
+    ? rewriteAliasesInYarnLockV2(extractPkgsFromYarnLockV2(yarnLockContent))
+    : extractPkgsFromYarnLockV2(yarnLockContent);
 
-  const pkgJson: PackageJsonBase = parsePkgJson(pkgJsonContent);
+  const pkgJson: PackageJsonBase = parsePkgJson(
+    honorAliases ? rewriteAliasesPkgJson(pkgJsonContent) : pkgJsonContent,
+  );
 
   const depgraph = await buildDepGraphYarnLockV2Simple(
     pkgs,

lib/index.ts

@@ -70,6 +70,8 @@ import {
   getPnpmLockfileVersion,
   NodeLockfileVersion,
 } from './utils';
+import { rewriteAliasesInNpmLockV1 } from './aliasesPreprocessors/npm-lock-v1';
+import { rewriteAliasesPkgJson } from './aliasesPreprocessors/pkgJson';
 export {
   parseNpmLockV2Project,
   extractPkgsFromYarnLockV1,
@@ -156,6 +158,7 @@ async function buildDepTreeFromFiles(
   lockFilePath: string,
   includeDev = false,
   strictOutOfSync = true,
+  honorAliases?: boolean,
 ): Promise<PkgTree> {
   if (!root || !manifestFilePath || !lockFilePath) {
     throw new Error('Missing required parameters for buildDepTreeFromFiles()');
@@ -192,8 +195,12 @@ async function buildDepTreeFromFiles(
   }
 
   return await buildDepTree(
-    manifestFileContents,
-    lockFileContents,
+    honorAliases
+      ? rewriteAliasesPkgJson(manifestFileContents)
+      : manifestFileContents,
+    honorAliases
+      ? rewriteAliasesInNpmLockV1(lockFileContents)
+      : lockFileContents,
     includeDev,
     lockFileType,
     strictOutOfSync,