20 changes: 13 additions & 7 deletions dep_checker/dependencies.py
Expand Up @@ -43,7 +43,6 @@ def get_cpe(self, repo_path: Path) -> Optional[str]:
"acorn",
"brotli",
"c-ares",
"CJS Module Lexer",
"corepack",
"HdrHistogram",
"ICU",
Expand All @@ -58,15 +57,17 @@ def get_cpe(self, repo_path: Path) -> Optional[str]:
]

# Define branch-specific dependencies
main_specific = ["simdutf"]
v22_specific = ["simdutf"]
v20_specific = ["simdutf"]
main_specific = ["merve"]
v25_specific = ["merve"]
v24_specific = ["merve"]
v22_specific = ["CJS Module Lexer", "simdutf"]
v20_specific = ["CJS Module Lexer", "simdutf"]

# Combine common dependencies with branch-specific ones
dependencies_per_branch: dict[str, list[str]] = {
"main": common_dependencies, # No simdutf in main
"v24.x": common_dependencies, # No simdutf in v24.x
"v23.x": common_dependencies, # No simdutf in v23.x
"main": common_dependencies + main_specific,
"v25.x": common_dependencies + v25_specific,
"v24.x": common_dependencies + v24_specific,
"v22.x": common_dependencies + v22_specific,
"v20.x": common_dependencies + v20_specific,
}
Expand Down Expand Up @@ -118,6 +119,11 @@ def get_cpe(self, repo_path: Path) -> Optional[str]:
version_parser=vp.get_nghttp2_version,
cpe=CPE(vendor="nghttp2", product="nghttp2"),
),
"merve": Dependency(
version_parser=vp.get_merve_version,
cpe=None,
@nodejs/security-wg Is this correct? I based this on the "CJS Module Lexer" mapping, which also has cpe=None.

keyword="merve",
),
"llhttp": Dependency(
version_parser=vp.get_llhttp_version,
cpe=CPE(vendor="llhttp", product="llhttp"),
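Review bot: The three identical `["merve"]` lists at L39–L41 and the two identical `["CJS Module Lexer", "simdutf"]` lists at L42–L43 give no hint why the split falls where it does, so a later maintainer may read the duplication as accidental and "fix" it by merging the lists. Since the same commit drops "CJS Module Lexer" from `common_dependencies` and introduces merve only on the newer release lines, it looks like merve replaces the lexer from v24.x onward; that deserves a comment above the lists, e.g. `# merve replaces the CJS Module Lexer on main/v25.x/v24.x; v22.x and v20.x still vendor the lexer` (confirm against the branches before wording it as fact). Removing the `"v23.x"` key also silently stops scanning that release line; if that is deliberate (end of life), a short `# v23.x is EOL and no longer scanned` next to the dict would keep it from being mistaken for an oversight. The enclosing definition starts outside the hunk (the `@@` context names `get_cpe`, but these read as module-level lists), so indentation and scope cannot be checked from here.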
8 changes: 8 additions & 0 deletions dep_checker/versions_parser.py
Expand Up @@ -80,6 +80,14 @@ def get_llhttp_version(repo_path: Path) -> str:
return f"{versions['major']}.{versions['minor']}.{versions['patch']}"


def get_merve_version(repo_path: Path) -> str:
with open(repo_path / "deps/merve/merve.h", "r") as f:
matches = re.search('#define MERVE_VERSION "(?P<version>.*)"', f.read())
if matches is None:
raise RuntimeError("Error extracting version number for merve")
return matches.groupdict()["version"]


def get_nghttp2_version(repo_path: Path) -> str:
with open(repo_path / "deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h", "r") as f:
matches = re.search('#define NGHTTP2_VERSION "(?P<version>.*)"', f.read())
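Review bot: `get_merve_version` (L85–L90, complete within the hunk) captures the version with a greedy `.*` between quotes, so anything after the closing quote on that `#define` line — a trailing comment or a second string literal — ends up in the returned version, which is then used as the basis for the vulnerability lookup; `[^"]+` pins the capture to the quoted token and also turns an empty `MERVE_VERSION ""` into the existing `RuntimeError` instead of returning `""`. The file is opened without an explicit encoding, so decoding depends on the host locale. I would write `with open(repo_path / "deps/merve/merve.h", "r", encoding="utf-8") as f:` and `matches = re.search(r'#define MERVE_VERSION "(?P<version>[^"]+)"', f.read())`. A branch that is listed for merve but does not vendor `deps/merve/merve.h` yet will abort with a bare `FileNotFoundError` rather than the descriptive `RuntimeError` used for a parse failure; catching that and re-raising the `RuntimeError` with the path would keep the failure reporting consistent. The sibling `get_nghttp2_version` below follows the same shape, so any tightening here should be mirrored there rather than leaving the parsers diverging.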