If the same package version is installed multiple times under different groups in a package-lock.json file (i.e. in both dev and prod), osv-scanner scan behaves inconsistently in showing which groups the package belongs to.
Ok this has been an interesting one - I think I've boiled it down to the question of "should packages be merged based on their group?"
i.e. if I have `a@1` that is "optional" and `a@1` that is "dev", should that be `a@1, groups: optional` and `a@1, groups: dev`, or should it be `a@1, groups: optional,dev`?
I've got PRs for both and they're probably both alright, but for the first one it's a bit weird then that we have "groups" when they'll only ever have one item, and in the second it means an empty group denotes "production" and that we want to only include groups that all packages of the same name+version are in.
e.g. with this package-lock.json (from package.json), the output is randomly:
or
Because `ajv@5.5.2` is installed twice, once as a prod dependency and once as a dev dependency:
Presumably, this would also affect groups in other lockfiles that can support the same package being installed multiple times.
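As an added illustration, not osv-scanner's own code nor anything posted in this issue, the Go program below shows the second strategy from the discussion: entries with the same name+version are collapsed into one record carrying every group they appear under, production is the empty group, and the group list is sorted so the result does not depend on map iteration order. The lockfile is a constructed sample, `MergeGroups` and `sampleLock` are hypothetical names, and only the `dev` flag is handled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample, not the issue's lockfile: ajv@5.5.2 once as prod, once nested under dev dependency eslint.
const sampleLock = `{"packages": {
  "node_modules/ajv": {"version": "5.5.2"},
  "node_modules/eslint": {"version": "4.0.0", "dev": true},
  "node_modules/eslint/node_modules/ajv": {"version": "5.5.2", "dev": true}
}}`

// MergeGroups reads the "packages" map of a v2/v3 package-lock.json and returns one
// entry per name@version with the sorted, deduplicated groups it appears in. An entry
// without "dev" is production and contributes the empty group. Hypothetical helper, not osv-scanner code.
func MergeGroups(lockfile string) (map[string][]string, error) {
	// Only "version" and "dev" are needed; encoding/json matches field names case-insensitively.
	var lock struct{ Packages map[string]struct{ Version string; Dev bool } `json:"packages"` }
	if err := json.Unmarshal([]byte(lockfile), &lock); err != nil {
		return nil, err
	}
	seen := map[[2]string]bool{} // {name@version, group} pairs, deduplicated
	for path, e := range lock.Packages {
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 {
			continue // the root "" entry is the project itself, not a dependency
		}
		name := path[i+len("node_modules/"):] // package name is the text after the last node_modules/
		group := "" // production unless the entry is flagged dev
		if e.Dev {
			group = "dev"
		}
		seen[[2]string{name + "@" + e.Version, group}] = true
	}
	out := map[string][]string{}
	for kg := range seen {
		out[kg[0]] = append(out[kg[0]], kg[1])
	}
	for key := range out {
		sort.Strings(out[key]) // Go map iteration is randomised; sort so the output is stable
	}
	return out, nil
}

func main() { fmt.Println(MergeGroups(sampleLock)) } // prints map[ajv@5.5.2:[ dev] eslint@4.0.0:[dev]] <nil>
```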