Filter yarn deps to direct deps for main package #1623

Open
wants to merge 1 commit into base: master
15 changes: 12 additions & 3 deletions lib/cli/index.js
Expand Up @@ -2873,9 +2873,15 @@ export async function createNodejsBom(path, options) {
}
const rdeplist = [];
if (parsedList.dependenciesList && parsedList.dependenciesList) {
// copyright (c) 2025 Atlassian US, Inc.
Collaborator: Can you remove this copyright comment?

// First read package.json to get direct dependencies
const pkgData = JSON.parse(readFileSync(packageJsonF, "utf8"));
Collaborator: Should we move this logic to outside the for loop? Also how would this work in monorepos with multiple package.json and yarn.lock files?

const directDeps = {
...(pkgData.dependencies || {}),
...(pkgData.devDependencies || {}),
};
// Inject parent component to the dependency tree to make it complete
// In case of yarn, yarn list command lists every root package as a direct dependency
// The same logic is matched with this for loop although this is incorrect since even dev dependencies would get included here
// Add only direct dependencies to the dependency tree of the parent component
for (const dobj of parsedList.dependenciesList) {
rdeplist.push(dobj.ref);
}
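Review bot: the filter built at `const directDeps = { ...(pkgData.dependencies || {}), ...(pkgData.devDependencies || {}) }` still includes devDependencies, which is exactly the case the surrounding comment describes as incorrect, and it omits optionalDependencies and peerDependencies, so a package declared only in one of those sections will be dropped from the parent component's dependsOn. Decide which package.json sections count as "direct" and make the comment `// Add only direct dependencies to the dependency tree of the parent component` say which. Independently of that, `JSON.parse(readFileSync(packageJsonF, "utf8"))` runs on every pass through the enclosing loop and has no error handling; read and parse the file once before the loop and guard it (try/catch, or an existence check) so a missing or malformed package.json degrades to the previous behaviour instead of aborting BOM generation. The unchanged condition `if (parsedList.dependenciesList && parsedList.dependenciesList)` also tests the same expression twice and is worth fixing while this block is being touched.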
Expand All @@ -2892,7 +2898,10 @@ export async function createNodejsBom(path, options) {
).toString();
parsedList.dependenciesList.push({
ref: decodeURIComponent(ppurl),
dependsOn: [...new Set(rdeplist)].sort(),
dependsOn: rdeplist.filter(ref => {
const pkgName = ref.split('/')[1].split('@')[0];
return directDeps.hasOwnProperty(pkgName);
}).sort(),
});
}
dependencies = mergeDependencies(
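Review bot: `ref.split('/')[1].split('@')[0]` mis-parses scoped packages, so every scoped direct dependency is silently dropped from the parent's dependsOn. For a percent-encoded purl such as `pkg:npm/%40scope/name@1.0.0` the second segment is `%40scope`, and for an unencoded `pkg:npm/@scope/name@1.0.0` the result is the empty string; neither can ever match a `directDeps` key of the form `@scope/name`. Strip the `pkg:npm/` prefix, decode it, and split the version off at the last `@` instead. Three smaller points in the same lines: replacing `[...new Set(rdeplist)].sort()` with `rdeplist.filter(ref => { ... }).sort()` drops the deduplication the old line provided; matching on the bare name keeps every version of a directly declared package, so a second, transitive version of the same name also passes the filter and is reported as direct; and `directDeps.hasOwnProperty(pkgName)` should be `Object.hasOwn(directDeps, pkgName)` because `directDeps` is a plain object spread from package.json keys, where a dependency literally named `hasOwnProperty` would shadow the method.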