Filter yarn deps to direct deps for main package #1623
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When creating the dependency list for the main package in yarn.lock parsing, filter to only include direct dependencies from package.json. This ensures the dependency graph accurately represents direct vs transitive dependencies. Previously all dependencies were being added as direct dependencies for the main package, which was incorrect. Now we read package.json to determine which dependencies are actually direct dependencies. Signed-off-by: Sahil Seth <sseth@atlassian.com> Signed-off-by: sseth <sseth@atlassian.com>
|
Please let me know your thoughts on this and we can also make minor adjustments to the code, if required. |
|
@prabhu could you please take a look at this since this is kinda blocking us due to the extra dependencies? |
|
Sorry. I had my head buried in the last few weeks. Please take my email to avoid delays in the future (prabhu at appthreat dot dev). |
|
Could you kindly run |
prabhu
reviewed
Feb 13, 2025
| @@ -2873,9 +2873,15 @@ export async function createNodejsBom(path, options) { | |||
| } | |||
| const rdeplist = []; | |||
| if (parsedList.dependenciesList && parsedList.dependenciesList) { | |||
| // copyright (c) 2025 Atlassian US, Inc. | |||
There was a problem hiding this comment.
Can you remove this copyright comment?
prabhu
reviewed
Feb 13, 2025
| @@ -2873,9 +2873,15 @@ export async function createNodejsBom(path, options) { | |||
| } | |||
| const rdeplist = []; | |||
| if (parsedList.dependenciesList && parsedList.dependenciesList) { | |||
| // copyright (c) 2025 Atlassian US, Inc. | |||
| // First read package.json to get direct dependencies | |||
| const pkgData = JSON.parse(readFileSync(packageJsonF, "utf8")); | |||
There was a problem hiding this comment.
Should we move this logic to outside the for loop? Also how would this work in monorepos with multiple package.json and yarn.lock files?
|
@sahil-seth we need to test this with monorepos etc. We are not there yet I'm afraid. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is related to #1085
Context:
yarn list --depth=0which is also incorrect and has been acknowledged hereChanges:
package.jsonfiledependenciesListand only adding direct ones to the main packageSigned-off-by: Sahil Seth sseth@atlassian.com