Correctly identify transitive dev deps in V3 package-lock files#1570

Closed
nficca wants to merge 2 commits into
masterfrom
ane1997
Closed

Correctly identify transitive dev deps in V3 package-lock files#1570
nficca wants to merge 2 commits into
masterfrom
ane1997

Conversation

@nficca nficca commented Jul 30, 2025

Contributor

Overview

In V3 package-lock files, fossa-cli is not filtering out transitive dev dependencies. This is because it is failing to recognize that transitive deps of dev dependencies are also dev dependencies.

Acceptance criteria

Transitive dev deps are correctly identified as dev deps and are filtered out of a project's dependencies list.

Testing plan

  1. Download the package.json file attached to ANE-1997.
  2. Run npm install in the directory with the package.json to build the project.
  3. Run the current production copy of fossa-cli on the directory
  4. Observe in the FOSSA UI that transitive dev deps like @angular-devkit/build-angular are listed
  5. Run this version of fossa-cli on the directory
  6. Observe in the FOSSA UI that transitive dev deps like @angular-devkit/build-angular are NOT listed

Risks

Could miscategorize dependencies if there is a bug in this logic.

References

  • ANE-1997: In NPM projects, some transitive dev dependencies are being shown as direct dependencies

Checklist

  • I added tests for this PR's change (or explained in the PR description why tests don't make sense).
  • If this PR introduced a user-visible change, I added documentation into docs/.
  • If this PR added docs, I added links as appropriate to the user manual's ToC in docs/README.ms and gave consideration to how discoverable or not my documentation is.
  • If this change is externally visible, I updated Changelog.md. If this PR did not mark a release, I added my changes into an ## Unreleased section at the top.
  • If I made changes to .fossa.yml or fossa-deps.{json.yml}, I updated docs/references/files/*.schema.json AND I have updated example files used by fossa init command. You may also need to update these if you have added/removed new dependency type (e.g. pip) or analysis target type (e.g. poetry).
  • If I made changes to a subcommand's options, I updated docs/references/subcommands/<subcommand>.md.
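The Overview above describes the classification problem in general terms: in a lockfileVersion 3 package-lock, a package pulled in only through a devDependency is itself a dev dependency, so marking only the root's direct devDependencies as "dev" leaves every transitive dev dep looking like production code. The following is an added illustration written for this page, not the PR's own change or fossa-cli code. It parses a small constructed package-lock (the package names are invented), walks only the production edges from the root using npm's node_modules lookup rules, and treats everything not reached that way as dev-only. A naive classifier that looks only at the root's devDependencies is included beside it to show exactly which packages the bug described above would misreport.

```python
import json
from collections import deque

# Constructed lockfileVersion 3 package-lock, not taken from any real project.
# "" is the root project; every other key is a path under node_modules.
# @tools/build-tool is a devDependency; its transitive deps (ts-helper and its
# nested tslib@1) are dev-only. Top-level tslib@2 is reached from the prod dep
# web-lib, so it must stay production even though build-tool also wants tslib.
SAMPLE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"web-lib": "^1.0.0"},
            "devDependencies": {"@tools/build-tool": "^2.0.0"},
        },
        "node_modules/web-lib": {"version": "1.0.0", "dependencies": {"tslib": "^2.0.0"}},
        "node_modules/tslib": {"version": "2.6.0"},
        "node_modules/@tools/build-tool": {
            "version": "2.0.0", "dev": True,
            "dependencies": {"ts-helper": "^1.0.0", "tslib": "^1.0.0"},
        },
        "node_modules/@tools/build-tool/node_modules/tslib": {"version": "1.14.0", "dev": True},
        "node_modules/ts-helper": {"version": "1.0.0", "dev": True},
    },
})


def resolve(packages, from_path, name):
    """Find the lockfile entry that `name` resolves to when required from
    `from_path`, mimicking Node's lookup: nearest nested node_modules first,
    then walk up to the top-level node_modules. Returns None if absent."""
    prefix = from_path
    while True:
        cand = f"{prefix}/node_modules/{name}" if prefix else f"node_modules/{name}"
        if cand in packages:
            return cand
        if not prefix:
            return None
        head, sep, _ = prefix.rpartition("/node_modules/")
        prefix = head if sep else ""


def production_closure(packages):
    """Every package path reachable from the root via `dependencies` edges only.
    The root's devDependencies are deliberately not followed."""
    seen = set()
    queue = deque([""])
    while queue:
        path = queue.popleft()
        for name in packages.get(path, {}).get("dependencies", {}):
            target = resolve(packages, path, name)
            if target is not None and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def classify(lock_text):
    """Return (production, dev_only) as sorted lists of package paths."""
    packages = json.loads(lock_text)["packages"]
    prod = production_closure(packages)
    every = {p for p in packages if p != ""}
    return sorted(prod), sorted(every - prod)


def naive_dev_only(lock_text):
    """The flawed approach the PR description warns about: only the root's
    direct devDependencies count as dev, so transitive dev deps are missed."""
    packages = json.loads(lock_text)["packages"]
    direct = packages[""].get("devDependencies", {})
    return sorted(p for name in direct if (p := resolve(packages, "", name)))


def flag_mismatches(lock_text):
    """Cross-check the computed dev-only set against the lockfile's own
    `"dev": true` flags; any disagreement is a sign of a classification bug."""
    packages = json.loads(lock_text)["packages"]
    _, dev_only = classify(lock_text)
    dev_set = set(dev_only)
    return sorted(p for p in packages if p != "" and bool(packages[p].get("dev")) != (p in dev_set))


if __name__ == "__main__":
    prod, dev = classify(SAMPLE_LOCK)
    print("production:", prod)
    print("dev-only:  ", dev)
    print("naive dev: ", naive_dev_only(SAMPLE_LOCK))
    print("mismatches:", flag_mismatches(SAMPLE_LOCK))
```

Run against the constructed lockfile, the closure walk reports ts-helper and the nested tslib@1 as dev-only while the naive classifier reports only @tools/build-tool, which is precisely the gap the ticket describes. The `flag_mismatches` check is the useful self-test when running this over a real project: npm already records `"dev": true` per entry in v3 lockfiles, so a reachability-based classifier should agree with those flags, and any disagreement points at either a resolution error in the walker or an unusual entry (links, workspaces, optional-only paths) the simple walk above does not model.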

Comment thread shell.nix

Contributor Author


These changes aren't relevant to the ticket. I just noticed we had a nix shell env and wanted to try it. It needed some updating to work on my mac, so these are that.

nficca commented Aug 6, 2025

Contributor Author

Closing this. I investigated the issue in https://fossa.atlassian.net/browse/ANE-1997 further and found that this is not the correct solution. See my comment here: https://fossa.atlassian.net/browse/ANE-1997?focusedCommentId=25189.

@nficca nficca closed this Aug 6, 2025