Fix PNPM v5 version parsing

This fixes an issue with the lockfile parser of PNPM v5 lockfiles which would incorrectly include metadata in the package version. Closes #1538.
phylum-dev · Nov 22, 2024 · 6ae64a8 · 6ae64a8
1 parent 69413fc
commit 6ae64a8
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 11 deletions.
diff --git a/lockfile/src/javascript.rs b/lockfile/src/javascript.rs
@@ -344,9 +344,9 @@ impl PnpmLock {
     ///
     /// This parses the combined name and version used as an index for the
     /// `packages` map.
-    fn parse_key(mut key: &str, version: PnpmVersion) -> anyhow::Result<(String, String)> {
+    fn parse_key(mut key: &str, pnpm_version: PnpmVersion) -> anyhow::Result<(String, String)> {
         // Strip prefix from `version < 9` lockfiles.
-        if version < PnpmVersion::V9 {
+        if pnpm_version < PnpmVersion::V9 {
             key = key
                 .strip_prefix('/')
                 .ok_or_else(|| anyhow!("Dependency '{key}' is missing '/' prefix"))?;
@@ -356,16 +356,23 @@ impl PnpmLock {
         let name = key.split_once('(').map(|(name, _)| name).unwrap_or(key);
 
         // Get version separator based on PNPM version.
-        let version_separator = match version {
+        let version_separator = match pnpm_version {
             PnpmVersion::V6 | PnpmVersion::V9 => '@',
             PnpmVersion::V5 => '/',
         };
 
         // Separate name and version.
-        match name.rsplit_once(version_separator) {
-            Some((name, version)) => Ok((name.into(), version.into())),
+        let (name, mut version) = match name.rsplit_once(version_separator) {
+            Some((name, version)) => Ok((name, version)),
             None => Err(anyhow!("Dependency '{name}' is missing a version")),
+        }?;
+
+        // Remove dependency information from V5 versions.
+        if pnpm_version == PnpmVersion::V5 {
+            version = version.split_once('_').map_or(version, |(version, _)| version);
         }
+
+        Ok((name.into(), version.into()))
     }
 
     /// Parse a first-party registry package.
@@ -682,7 +689,7 @@ mod tests {
     fn pnpm() {
         let pkgs = Pnpm.parse(include_str!("../../tests/fixtures/pnpm-lock.yaml")).unwrap();
 
-        assert_eq!(pkgs.len(), 65);
+        assert_eq!(pkgs.len(), 66);
 
         let expected_pkgs = [
             Package {
@@ -725,6 +732,11 @@ mod tests {
                 version: PackageVersion::Path(Some("projects/workspace_member".into())),
                 package_type: PackageType::Npm,
             },
+            Package {
+                name: "@emotion/use-insertion-effect-with-fallbacks".into(),
+                version: PackageVersion::FirstParty("1.1.0".into()),
+                package_type: PackageType::Npm,
+            },
         ];
 
         for expected_pkg in expected_pkgs {
@@ -774,10 +786,28 @@ mod tests {
     fn pnpm_v5() {
         let pkgs = Pnpm.parse(include_str!("../../tests/fixtures/pnpm-lock-v5.yaml")).unwrap();
 
-        assert_eq!(pkgs, vec![Package {
-            name: "lodash".into(),
-            version: PackageVersion::FirstParty("4.17.21".into()),
-            package_type: PackageType::Npm,
-        }]);
+        assert_eq!(pkgs.len(), 3);
+
+        let expected_pkgs = [
+            Package {
+                name: "use-sync-external-store".into(),
+                version: PackageVersion::FirstParty("1.2.2".into()),
+                package_type: PackageType::Npm,
+            },
+            Package {
+                name: "@types/eslint__js".into(),
+                version: PackageVersion::FirstParty("8.42.3".into()),
+                package_type: PackageType::Npm,
+            },
+            Package {
+                name: "lodash".into(),
+                version: PackageVersion::FirstParty("4.17.21".into()),
+                package_type: PackageType::Npm,
+            },
+        ];
+
+        for expected_pkg in expected_pkgs {
+            assert!(pkgs.contains(&expected_pkg), "missing package {expected_pkg:?}");
+        }
     }
 }
diff --git a/tests/fixtures/pnpm-lock-v5.yaml b/tests/fixtures/pnpm-lock-v5.yaml
@@ -6,5 +6,18 @@ packages:
     dev: false
     resolution:
       integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
+
+  /use-sync-external-store/1.2.2_react@18.3.1:
+    resolution: {integrity: sha512-PElTlVMwpblvbNqQ82d2n6RjStvdSoNe9FG28kNfz3WiXilJm4DdNkEzRhCZuIDwY8U08WVihhGR5iRqAwfDiw==}
+    peerDependencies:
+      react: ^16.8.0 || ^17.0.0 || ^18.0.0
+    dependencies:
+      react: 18.3.1
+
+  /@types/eslint__js/8.42.3:
+    resolution: {integrity: sha512-alfG737uhmPdnvkrLdZLcEKJ/B8s9Y4hrZ+YAdzUeoArBlSUERA2E87ROfOaS4jd/C45fzOoZzidLc1IPwLqOw==}
+    dependencies:
+      '@types/eslint': 9.6.1
+    dev: true
 specifiers:
   lodash: ^4.17.21
diff --git a/tests/fixtures/pnpm-lock.yaml b/tests/fixtures/pnpm-lock.yaml