Commit b0554a99 authored by Rhys Arkins's avatar Rhys Arkins

fix: don’t consider parent devDependencies for transitive remediation

parent cce29e39
......@@ -40,32 +40,6 @@ describe(getName(__filename), () => {
await findFirstParentVersion('express', '4.0.0', 'send', '0.11.1')
).toEqual('4.11.1');
});
it('finds indirect devDependency', async () => {
httpMock
.scope('https://registry.npmjs.org')
.get('/cookie-parser')
.reply(200, {
name: 'cookie-parser',
repository: {},
versions: {
'1.0.1': {},
'1.0.2': {},
},
'dist-tags': { latest: '1.0.2' },
});
httpMock
.scope('https://registry.npmjs.org')
.get('/express')
.reply(200, expressJson);
expect(
await findFirstParentVersion(
'express',
'4.0.0',
'cookie-parser',
'1.0.2'
)
).toEqual('4.3.0');
});
it('finds removed dependencies', async () => {
httpMock
.scope('https://registry.npmjs.org')
......@@ -47,11 +47,9 @@ export async function findFirstParentVersion(
.sort((v1, v2) => semver.sortVersions(v1, v2));
// iterate through parentVersions in sorted order
for (const parentVersion of parentVersions) {
const { dependencies, devDependencies } = parentDep.releases.find(
const constraint = parentDep.releases.find(
(release) => release.version === parentVersion
);
const constraint =
dependencies[targetDepName] || devDependencies[targetDepName];
).dependencies?.[targetDepName];
if (!constraint) {
logger.debug(
`${targetDepName} has been removed from ${parentName}@${parentVersion}`
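Review bot: The new `const constraint` lookup on the added lines guards a missing `dependencies` field with `?.` but not a missing release: if `parentVersions` can contain a version that is absent from `parentDep.releases`, `.find()` returns undefined and the `.dependencies` access throws a TypeError instead of reaching the `!constraint` branch below. Presumably `parentVersions` is derived from the same `releases` list (the `.sort` on the first context line suggests so), in which case that path is unreachable, but `)?.dependencies?.[targetDepName];` would make the lookup uniformly tolerant at no cost. The reason the `devDependencies` fallback was dropped is visible only in the commit title; a one-line comment above the lookup such as `// only "dependencies" constrain a transitive install; a parent's devDependencies are never installed by its consumers` would keep that intent from being re-added later. The enclosing findFirstParentVersion body starts and ends outside the hunk.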