Skip to content

Added support for package-lock.json to parse additional features #3988

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

Added support for package-lock.json to parse additional features #3988

wants to merge 3 commits into from

Conversation

VarshaUN
Copy link

Fixes #3493

Tasks

  • Reviewed contribution guidelines
  • PR is descriptively titled 📑 and links the original issue above 🔗
  • Commits are in uniquely-named feature branch and has no merge conflicts 📁

Signed-off-by: Varsha U N varshaun58@gmail.com

@VarshaUN VarshaUN force-pushed the support-package-lock.json branch from 381909f to 71453ba Compare November 16, 2024 08:25
AyanSinhaMahapatra
AyanSinhaMahapatra reviewed Nov 29, 2024
View reviewed changes
Copy link
Member

@AyanSinhaMahapatra AyanSinhaMahapatra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@VarshaUN are you sure what you are doing is correct?

  1. You are making changes to the package.json parser here, and not package-lock.json which was the target of issue Ensure we can collect the latest package-lock.json including file indirections for versions #3493
  2. Please add tests for each of the new functionality added so we can easily verify whether the code actually works and produces any useful data, use the github search with paths to look for useful examples.

@AyanSinhaMahapatra
Copy link
Member

Gentle ping @VarshaUN

@VarshaUN VarshaUN force-pushed the support-package-lock.json branch from ff330fc to 7f1b0de Compare January 15, 2025 12:48
@VarshaUN
added support for package-lock.json Signed-off-by:VarshaUN <varshaun5…
f88e557 
…8@gmail.com>

Signed-off-by: Varsha U N <varshamaddur2006@gmail.com>
@VarshaUN
add support for package-lock.json
8dbf752 
Signed-off-by: Varsha U N <varshamaddur2006@gmail.com>
@VarshaUN
Add support to package-lock.json
0632016 
Signed-off-by: Varsha U N <varshamaddur2006@gmail.com>
@VarshaUN VarshaUN force-pushed the support-package-lock.json branch from 59db77f to 0632016 Compare January 17, 2025 13:07
AyanSinhaMahapatra
AyanSinhaMahapatra reviewed Apr 7, 2025
View reviewed changes
Copy link
Member

@AyanSinhaMahapatra AyanSinhaMahapatra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@VarshaUN thanks for the PR, but I don't think this achieves anything at all.
Please see my comments on that, and also my comment at #3981 (review) which details how to fix the related issue.

src/packagedcode/npm.py

def handle_http_source(self, pkg_path, pkg_data):
""" Handle HTTP tarball sources. """
logging.info(f'Handling HTTP source for {pkg_path}')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think these functions are doing anything at all except logging?
Not sure I understand the use of this or how this is related to the issue.

src/packagedcode/npm.py
@@ -804,6 +804,46 @@ class NpmPackageLockJsonHandler(BaseNpmLockHandler):
description = 'npm package-lock.json lockfile'
documentation_url = 'https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json'

def parse(self, location):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you need to define another parse() function here and do nothing except logging? we already have one defined above.

tests/packagedcode/test_npm.py
handler.parse(test_file)
with open(expected_file) as f:
expected_data = json.load(f)
assert handler.packages == expected_data
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please see how tests are written for parsing package manifests below, you need to follow the same structure. check_packages_data does all the checking for you, you just need to specify the input/output and parsing function.

AyanSinhaMahapatra
AyanSinhaMahapatra reviewed Apr 7, 2025
View reviewed changes
tests/packagedcode/test_npm.py
return NpmPackageLockJsonHandler()

def test_npm_package_lock_json_parse(handler):
test_file = 'npm/package-lock-v1/package-lock.json'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test already exists at

scancode-toolkit/tests/packagedcode/test_npm.py

Line 254 in 0632016

test_file = self.get_test_loc('npm/package-lock-v1/package-lock.json')
😅

@VarshaUN
Copy link
Author

VarshaUN commented Apr 7, 2025

Hey @AyanSinhaMahapatra I have decided to open a new PR on this as I had some technical issues with this PR . I see that I follow your reviews . Thanks!

@VarshaUN VarshaUN closed this Apr 8, 2025
@VarshaUN VarshaUN deleted the support-package-lock.json branch April 17, 2025 13:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AyanSinhaMahapatra AyanSinhaMahapatra AyanSinhaMahapatra left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Ensure we can collect the latest package-lock.json including file indirections for versions
2 participants
@VarshaUN @AyanSinhaMahapatra