Scan groups are inconsistent when there are duplicate packages in npm #924
Comments
@cuixq can you please take a look?
@oliverchang I was actually thinking this one could be something I pick up if you want @cuixq to focus on other things, but up to you 🙂
@G-Rath feel free to take it! I am working on another issue at the moment. :)
Ok this has been an interesting one - I think I've boiled it down to the question of "should packages be merged based on their group?" i.e. if I have I've got PRs for both and they're probably both alright, but for the first one it's a bit weird then that we have "groups" when they'll only ever have one item, and in the second it means an empty group denotes "production" and that we want to only include groups that all packages of the same name+version are in.
If the same package version is installed multiple times under different groups in a package-lock.json file (i.e. in both dev and prod), osv-scanner scan behaves inconsistently in showing which groups the package belongs to. E.g. with this package-lock.json (from package.json), the output is randomly:
or
Because ajv@5.5.2 is installed twice, once as a prod dependency, and once as a dev dependency:
Presumably, this would also affect groups in other lockfiles that can support the same package being installed multiple times.
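One way to make the reported groups deterministic is to merge all installed copies of a name@version and keep only the groups every copy shares, so a package that is both a prod and a dev dependency is reported as production. This is an added example written for this issue, not osv-scanner's own code; it parses a constructed lockfileVersion 3 "packages" map and treats only the npm "dev" flag as a group.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Constructed lockfile (v3 "packages" layout): ajv@5.5.2 is installed twice,
// once as a prod dependency and once nested under the dev dependency eslint.
const sampleLock = `{"packages": {
  "": {"name": "example"},
  "node_modules/ajv": {"version": "5.5.2"},
  "node_modules/eslint": {"version": "4.19.1", "dev": true},
  "node_modules/eslint/node_modules/ajv": {"version": "5.5.2", "dev": true}
}}`
// MergeGroups returns one entry per name@version with the groups shared by every
// installed copy: ["dev"] if all copies are dev, else [] meaning production.
func MergeGroups(data []byte) (map[string][]string, error) {
	var lf struct {
		Packages map[string]struct {
			Version string `json:"version"`
			Dev     bool   `json:"dev"`
		} `json:"packages"`
	}
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	copies, devCopies := map[string]int{}, map[string]int{} // per name@version
	for path, e := range lf.Packages {
		// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root "" entry is skipped.
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 || e.Version == "" {
			continue
		}
		key := path[i+len("node_modules/"):] + "@" + e.Version
		copies[key]++
		if e.Dev {
			devCopies[key]++
		}
	}
	out := map[string][]string{}
	for key, n := range copies {
		groups := []string{} // empty means production
		if devCopies[key] == n {
			groups = append(groups, "dev")
		}
		out[key] = groups
	}
	return out, nil
}
```

Because the result depends only on the set of copies and not on the order the "packages" map is iterated, repeated scans of the same lockfile report the same groups.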