javascript extractors' handling of workspaces (and local dependencies?) · Issue #808 · google/osv-scalibr · GitHub
javascript extractors' handling of workspaces (and local dependencies?) #808
Open
@michaelkedar

Description

Some context: google/osv-scanner#1861

Currently, I don't believe javascript workspaces are being intentionally handled by our extractors (we don't have any test cases explicitly testing for these).

In yarn.lock, we seem to be extracting workspace dependencies as their declared name (in their package.json) with version 0.0.0-use.local (which is indistinguishable from an upstream package with the same name/version).

In package-lock.json, it seems to use the declared name with an empty version string.

I haven't looked into bun.lock or pnpm-lock.yaml.

I'm not entirely sure what our desired behaviour is for these cases, but they should at least be consistent with one another.
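The two lockfile shapes described above (yarn.lock with `0.0.0-use.local` workspace entries, package-lock.json with a `link: true` symlink entry that carries no version) as a small added Go example; this is not osv-scalibr code and does not use its extractor API. It parses constructed samples of both formats and tags workspace members with a `Local` flag so that a consumer can exclude them from vulnerability matching instead of treating `shared-utils@0.0.0-use.local` or `shared-utils@` as an upstream package. The yarn.lock parser assumes the Yarn Berry (v2+) layout; the package-lock.json parser assumes lockfileVersion 2 or 3.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Package is a minimal inventory record. Local marks a workspace member so a
// consumer can skip vulnerability lookups for it rather than match it against
// an upstream package that happens to share the same name and version.
type Package struct {
	Name, Version string
	Local         bool
}

// Constructed lockfileVersion 3 package-lock.json: one workspace member
// (packages/shared-utils, symlinked into node_modules) and one registry package.
const samplePackageLock = `{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "root", "workspaces": ["packages/*"]},
    "packages/shared-utils": {"name": "shared-utils", "version": "1.2.0"},
    "node_modules/shared-utils": {"resolved": "packages/shared-utils", "link": true},
    "node_modules/lodash": {"version": "4.17.21", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"}
  }
}`

// ParsePackageLock walks the "packages" map. The symlink entry (link: true) has
// no version of its own, which is what produces an empty version string if it
// is emitted as-is; the workspace directory entry carries the real name/version
// and is the one reported, flagged Local. Output is sorted by name.
func ParsePackageLock(data []byte) ([]Package, error) {
	var lock struct {
		Packages map[string]struct {
			Name    string `json:"name"`
			Version string `json:"version"`
			Link    bool   `json:"link"`
		} `json:"packages"`
	}
	if err := json.Unmarshal(data, &lock); err != nil {
		return nil, err
	}
	var out []Package
	for path, e := range lock.Packages {
		if path == "" || e.Link { // root project and symlink stubs carry no inventory
			continue
		}
		name := e.Name
		if name == "" { // installed packages are named by their node_modules path
			name = path[strings.LastIndex(path, "node_modules/")+len("node_modules/"):]
		}
		local := !strings.HasPrefix(path, "node_modules/") && !strings.Contains(path, "/node_modules/")
		out = append(out, Package{Name: name, Version: e.Version, Local: local})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

// Constructed Yarn Berry yarn.lock with one registry package and one workspace.
const sampleYarnLock = `# This file is generated by running "yarn install" inside your project.
__metadata:
  version: 8

"lodash@npm:^4.17.21":
  version: 4.17.21
  resolution: "lodash@npm:4.17.21"
  languageName: node
  linkType: hard

"shared-utils@workspace:packages/shared-utils":
  version: 0.0.0-use.local
  resolution: "shared-utils@workspace:packages/shared-utils"
  languageName: unknown
  linkType: soft
`

// ParseYarnLock does a line-oriented parse of the Berry format: an unindented
// line opens an entry, indented "key: value" lines fill it. Workspace members
// are recognised by the "@workspace:" protocol in the resolution field rather
// than by the 0.0.0-use.local version, which an upstream package could reuse.
func ParseYarnLock(data string) []Package {
	var out []Package
	var cur *Package
	flush := func() {
		if cur != nil && cur.Name != "" {
			out = append(out, *cur)
		}
		cur = nil
	}
	for _, line := range strings.Split(data, "\n") {
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue
		case !strings.HasPrefix(line, " "):
			flush()
			if !strings.HasPrefix(line, "__metadata") {
				cur = &Package{}
			}
		case cur != nil:
			key, val, ok := strings.Cut(strings.TrimSpace(line), ": ")
			if !ok {
				continue
			}
			val = strings.Trim(val, `"`)
			if key == "version" {
				cur.Version = val
			} else if key == "resolution" {
				cur.Name, cur.Local = nameFromResolution(val)
			}
		}
	}
	flush()
	return out
}

// nameFromResolution splits "name@protocol:ref"; the search starts at index 1
// so scoped names like "@scope/pkg" keep their leading "@".
func nameFromResolution(res string) (string, bool) {
	if len(res) < 2 {
		return res, false
	}
	i := strings.Index(res[1:], "@")
	if i < 0 {
		return res, false
	}
	return res[:i+1], strings.HasPrefix(res[i+1:], "@workspace:")
}

func main() {
	pkgs, _ := ParsePackageLock([]byte(samplePackageLock))
	fmt.Println("package-lock.json:", pkgs)
	fmt.Println("yarn.lock:        ", ParseYarnLock(sampleYarnLock))
}
```

With both parsers agreeing on the same `Package` shape, the two lockfiles yield the same answer for the workspace member (name `shared-utils`, `Local: true`) instead of one reporting `0.0.0-use.local` and the other an empty string, which is the consistency the issue asks for.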
