@cyclonedx/cdxgen 12.1.1 → 12.1.3

package/lib/server/server.poku.js

@@ -8,6 +8,7 @@ import {
   isAllowedWinPath,
   parseQueryString,
   parseValue,
+  validateAndRejectGitSource,
 } from "./server.js";
 
 it("parseValue tests", () => {
@@ -129,28 +130,73 @@ describe("isAllowedPath()", () => {
   });
 
   afterEach(() => {
-    process.env.CDXGEN_SERVER_ALLOWED_PATHS = originalPaths;
+    if (originalPaths === undefined) {
+      delete process.env.CDXGEN_SERVER_ALLOWED_PATHS;
+    } else {
+      process.env.CDXGEN_SERVER_ALLOWED_PATHS = originalPaths;
+    }
+  });
+
+  it("returns false for non-string inputs", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api";
+    assert.strictEqual(isAllowedPath(null), false);
+    assert.strictEqual(isAllowedPath(123), false);
+    assert.strictEqual(isAllowedPath({}), false);
+    assert.strictEqual(isAllowedPath(undefined), false);
   });
 
   it("returns true if CDXGEN_SERVER_ALLOWED_PATHS is not set", () => {
     delete process.env.CDXGEN_SERVER_ALLOWED_PATHS;
-    assert.deepStrictEqual(isAllowedPath("/any/path"), true);
+    assert.strictEqual(isAllowedPath("/any/path"), true);
   });
 
-  it("returns true for paths that start with an allowed prefix", () => {
+  it("treats an empty-string env var as unset (returns true)", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "";
+    assert.strictEqual(isAllowedPath("/anything"), true);
+  });
+
+  it("returns true for exact directory matches", () => {
     process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api,/public";
-    assert.deepStrictEqual(isAllowedPath("/api/resource"), true);
-    assert.deepStrictEqual(isAllowedPath("/public/index.html"), true);
+    assert.strictEqual(isAllowedPath("/api"), true);
+    assert.strictEqual(isAllowedPath("/public"), true);
   });
 
-  it("returns false for paths that do not match any prefix", () => {
+  it("returns true for files safely nested inside allowed directories", () => {
     process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api,/public";
-    assert.deepStrictEqual(isAllowedPath("/private/data"), false);
+    assert.strictEqual(isAllowedPath("/api/resource"), true);
+    assert.strictEqual(isAllowedPath("/public/index.html"), true);
+    assert.strictEqual(isAllowedPath("/public/assets/css/main.css"), true);
   });
 
-  it("treats an empty-string env var as unset (returns true)", () => {
-    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "";
-    assert.deepStrictEqual(isAllowedPath("/anything"), true);
+  it("returns false for completely unrelated paths", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api,/public";
+    assert.strictEqual(isAllowedPath("/private/data"), false);
+    assert.strictEqual(isAllowedPath("/etc/passwd"), false);
+  });
+
+  it("prevents directory prefix bypass (e.g., /var/www vs /var/www-secret)", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api,/var/www";
+    assert.strictEqual(isAllowedPath("/api-secret/data"), false);
+    assert.strictEqual(isAllowedPath("/api-secret"), false);
+    assert.strictEqual(isAllowedPath("/var/www-backup"), false);
+  });
+
+  it("prevents path traversal attacks using ../", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api";
+    assert.strictEqual(isAllowedPath("/api/../private"), false);
+    assert.strictEqual(isAllowedPath("/api/../../etc/passwd"), false);
+  });
+
+  it("allows paths that contain ../ but safely resolve inside the allowed directory", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api";
+    assert.strictEqual(isAllowedPath("/api/resource/../data"), true);
+  });
+
+  it("gracefully handles comma-separated lists with empty segments", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api,,/public,";
+    assert.strictEqual(isAllowedPath("/api/resource"), true);
+    assert.strictEqual(isAllowedPath("/public/index.html"), true);
+    assert.strictEqual(isAllowedPath("/private/data"), false);
   });
 });
 
@@ -385,3 +431,179 @@ describe("getQueryParams", () => {
     });
   });
 });
+describe("validateGitSource() tests", () => {
+  let originalGitAllow;
+  let originalAllowedHosts;
+
+  beforeEach(() => {
+    originalGitAllow = process.env.CDXGEN_SERVER_GIT_ALLOW_PROTOCOL;
+    originalAllowedHosts = process.env.CDXGEN_SERVER_ALLOWED_HOSTS;
+    delete process.env.CDXGEN_SERVER_GIT_ALLOW_PROTOCOL;
+    delete process.env.CDXGEN_SERVER_ALLOWED_HOSTS;
+  });
+
+  afterEach(() => {
+    if (originalGitAllow)
+      process.env.CDXGEN_SERVER_GIT_ALLOW_PROTOCOL = originalGitAllow;
+    if (originalAllowedHosts)
+      process.env.CDXGEN_SERVER_ALLOWED_HOSTS = originalAllowedHosts;
+  });
+
+  it("should reject ext:: and fd:: outright", () => {
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("ext::sh -c id").error,
+      "Invalid Protocol",
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("fd::123").error,
+      "Invalid Protocol",
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("EXT::sh -c id").error,
+      "Invalid Protocol",
+    );
+  });
+
+  it("should allow standard local paths to bypass validation", () => {
+    assert.deepStrictEqual(validateAndRejectGitSource("/tmp/local-path"), null);
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("C:\\Users\\local"),
+      null,
+    );
+  });
+
+  it("should handle ssh git@ format gracefully", () => {
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("git@github.com:foo/bar.git"),
+      null,
+    );
+  });
+
+  it("should reject malformed git URLs", () => {
+    // invalid URL format (can't parse via node's new URL object)
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("http://[:::1]/bad-ipv6").error,
+      "Invalid URL Format",
+    );
+  });
+
+  it("should enforce GIT_ALLOW_PROTOCOL default schemes", () => {
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("https://github.com/repo"),
+      null,
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("http://github.com/repo"),
+      {
+        status: 400,
+        error: "Protocol Not Allowed",
+        details: "The protocol 'http:' is not permitted by GIT_ALLOW_PROTOCOL.",
+      },
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("git://github.com/repo"),
+      null,
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("ssh://github.com/repo"),
+      null,
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("git+ssh://github.com/repo"),
+      null,
+    );
+
+    // ftp is not allowed by default
+    const res = validateAndRejectGitSource("ftp://github.com/repo");
+    assert.deepStrictEqual(res.error, "Protocol Not Allowed");
+    assert.deepStrictEqual(
+      res.details,
+      "The protocol 'ftp:' is not permitted by GIT_ALLOW_PROTOCOL.",
+    );
+  });
+
+  it("should reject protocol smuggling techniques", () => {
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("git+ext://github.com/repo").error,
+      "Protocol Not Allowed",
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("http+ext://github.com/repo").error,
+      "Protocol Not Allowed",
+    );
+  });
+
+  it("should respect custom CDXGEN_SERVER_GIT_ALLOW_PROTOCOL configs", () => {
+    process.env.CDXGEN_SERVER_GIT_ALLOW_PROTOCOL = "https:git";
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("https://github.com/repo"),
+      null,
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("git://github.com/repo"),
+      null,
+    );
+
+    // http is no longer allowed
+    const res = validateAndRejectGitSource("http://github.com/repo");
+    assert.deepStrictEqual(res.error, "Protocol Not Allowed");
+    assert.deepStrictEqual(
+      res.details,
+      "The protocol 'http:' is not permitted by GIT_ALLOW_PROTOCOL.",
+    );
+  });
+
+  it("should reject remote helper syntax (::) inside valid schemes", () => {
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("https://github.com/ext::sh -c id").error,
+      "Invalid URL Syntax",
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("git://foo::bar/repo").error,
+      "Invalid URL Format",
+    );
+  });
+
+  it("should validate allowed hosts", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_HOSTS = "github.com,gitlab.com";
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("https://github.com/repo"),
+      null,
+    );
+
+    const res = validateAndRejectGitSource("https://evil.com/repo");
+    assert.deepStrictEqual(res.error, "Host Not Allowed");
+    assert.deepStrictEqual(res.status, 403);
+  });
+});
+it("should correctly normalize and validate various git@ (SCP-like) formats", () => {
+  assert.deepStrictEqual(
+    validateAndRejectGitSource("git@gitlab.com:group/project.git"),
+    null,
+  );
+  assert.deepStrictEqual(
+    validateAndRejectGitSource("git@bitbucket.org:workspace/repo:name.git"),
+    null,
+  );
+  assert.deepStrictEqual(
+    validateAndRejectGitSource("git@github.com/user/repo.git"),
+    null,
+  );
+  assert.deepStrictEqual(
+    validateAndRejectGitSource("ssh://git@github.com/user/repo.git"),
+    null,
+  );
+  process.env.CDXGEN_SERVER_ALLOWED_HOSTS = "github.com,bitbucket.org";
+  assert.deepStrictEqual(
+    validateAndRejectGitSource("git@github.com:user/repo.git"),
+    null,
+  );
+  assert.deepStrictEqual(
+    validateAndRejectGitSource("git@bitbucket.org:workspace/repo.git"),
+    null,
+  );
+  const deniedRes = validateAndRejectGitSource("git@evil.com:foo/bar.git");
+  assert.deepStrictEqual(deniedRes.status, 403);
+  assert.deepStrictEqual(deniedRes.error, "Host Not Allowed");
+  delete process.env.CDXGEN_SERVER_ALLOWED_HOSTS;
+});

package/lib/stages/postgen/annotator.js

@@ -39,7 +39,177 @@ function cleanNames(s) {
 }
 
 function cleanTypes(s) {
-  return s?.replace(/[+-_]/g, " ");
+  return s?.replace(/[+_-]/g, " ");
+}
+
+/**
+ * Count GitHub workflow components and extract security-relevant stats
+ *
+ * @param {Array} components BOM components array
+ *
+ * @returns {Object} Statistics about GitHub workflow components
+ */
+function getGitHubWorkflowStats(components) {
+  const stats = {
+    totalActions: 0,
+    officialActions: 0,
+    verifiedActions: 0,
+    shaPinned: 0,
+    tagPinned: 0,
+    branchPinned: 0,
+    unknownPinned: 0,
+    workflowCount: 0,
+    jobCount: 0,
+    hasWritePermissions: 0,
+    hasIdTokenWrite: 0,
+    continueOnError: 0,
+    workflows: new Set(),
+    jobs: new Set(),
+    runners: new Set(),
+    environments: new Set(),
+  };
+
+  if (!components || !Array.isArray(components)) {
+    return stats;
+  }
+
+  for (const comp of components) {
+    if (comp?.scope === "excluded") {
+      continue;
+    }
+    if (comp?.purl?.startsWith("pkg:github/")) {
+      stats.totalActions++;
+      const props = comp.properties || [];
+      const propMap = {};
+      for (const prop of props) {
+        propMap[prop.name] = prop.value;
+      }
+      if (propMap["cdx:github:workflow:name"]) {
+        stats.workflows.add(propMap["cdx:github:workflow:name"]);
+      }
+      if (propMap["cdx:github:job:name"]) {
+        stats.jobs.add(propMap["cdx:github:job:name"]);
+      }
+      if (propMap["cdx:actions:isOfficial"] === "true") {
+        stats.officialActions++;
+      }
+      if (propMap["cdx:actions:isVerified"] === "true") {
+        stats.verifiedActions++;
+      }
+      const pinningType = propMap["cdx:github:action:versionPinningType"];
+      if (pinningType === "sha") {
+        stats.shaPinned++;
+      } else if (pinningType === "tag") {
+        stats.tagPinned++;
+      } else if (pinningType === "branch") {
+        stats.branchPinned++;
+      } else {
+        stats.unknownPinned++;
+      }
+      if (propMap["cdx:github:workflow:hasWritePermissions"] === "true") {
+        stats.hasWritePermissions++;
+      }
+      if (propMap["cdx:github:workflow:hasIdTokenWrite"] === "true") {
+        stats.hasIdTokenWrite++;
+      }
+      if (propMap["cdx:github:step:continueOnError"] === "true") {
+        stats.continueOnError++;
+      }
+      if (propMap["cdx:github:job:runner"]) {
+        propMap["cdx:github:job:runner"]
+          .split(",")
+          .filter((r) => r.includes("$"))
+          .forEach((r) => {
+            stats.runners.add(r.trim());
+          });
+      }
+      if (propMap["cdx:github:job:environment"]) {
+        stats.environments.add(propMap["cdx:github:job:environment"]);
+      }
+    }
+  }
+  stats.workflowCount = stats.workflows.size;
+  stats.jobCount = stats.jobs.size;
+  stats.workflows = Array.from(stats.workflows);
+  stats.jobs = Array.from(stats.jobs);
+  stats.runners = Array.from(stats.runners);
+  stats.environments = Array.from(stats.environments);
+  return stats;
+}
+
+/**
+ * Generate security assessment text based on GitHub workflow properties
+ *
+ * @param {Object} stats GitHub workflow statistics
+ *
+ * @returns {String} Security assessment text
+ */
+function generateSecurityAssessment(stats) {
+  let text = "";
+  const securityIssues = [];
+  const securityStrengths = [];
+  if (stats.branchPinned > 0) {
+    securityIssues.push(
+      `${stats.branchPinned} action(s) use branch references instead of pinned versions, which may introduce supply chain risks`,
+    );
+  }
+  if (stats.unknownPinned > 0) {
+    securityIssues.push(
+      `${stats.unknownPinned} action(s) have unknown version pinning types`,
+    );
+  }
+  if (stats.shaPinned > 0) {
+    securityStrengths.push(
+      `${stats.shaPinned} action(s) are pinned to specific commit SHAs for maximum security`,
+    );
+  }
+  if (stats.tagPinned > 0) {
+    securityStrengths.push(
+      `${stats.tagPinned} action(s) are pinned to version tags`,
+    );
+  }
+  if (stats.hasWritePermissions > 0) {
+    securityIssues.push(
+      `${stats.hasWritePermissions} workflow(s) have write permissions to repository resources`,
+    );
+  }
+  if (stats.hasIdTokenWrite > 0) {
+    securityIssues.push(
+      `${stats.hasIdTokenWrite} workflow(s) have id-token write access, enabling OIDC authentication`,
+    );
+  }
+  if (stats.officialActions > 0) {
+    securityStrengths.push(
+      `${stats.officialActions} action(s) are official GitHub Actions from github.com org`,
+    );
+  }
+  if (stats.verifiedActions > 0) {
+    securityStrengths.push(
+      `${stats.verifiedActions} action(s) are from verified creators`,
+    );
+  }
+  if (stats.continueOnError > 0) {
+    securityIssues.push(
+      `${stats.continueOnError} step(s) continue on error, which may mask failures`,
+    );
+  }
+  if (securityStrengths.length > 0) {
+    text = `${text} Security strengths: ${joinArray(securityStrengths)}.`;
+  }
+  if (securityIssues.length > 0) {
+    text = `${text} Security considerations: ${joinArray(securityIssues)}.`;
+  }
+  const totalActions = stats.totalActions || 1;
+  const securePinned = stats.shaPinned + stats.tagPinned;
+  const pinningScore = (securePinned / totalActions) * 100;
+  if (pinningScore >= 80) {
+    text = `${text} Overall, the workflow demonstrates good version pinning practices.`;
+  } else if (pinningScore >= 50) {
+    text = `${text} Overall, the workflow has moderate version pinning practices with room for improvement.`;
+  } else {
+    text = `${text} Overall, the workflow would benefit from improved version pinning practices.`;
+  }
+  return text;
 }
 
 /**
@@ -62,8 +232,22 @@ export function findBomType(bomJson) {
       c?.data?.length > 0 ||
       (c.modelCard && Object.keys(c?.modelCard).length > 0),
   ).length;
+  const githubActionCount = bomJson?.components?.filter((c) =>
+    c?.purl?.startsWith("pkg:github/"),
+  ).length;
+  const hasWorkflowProperties = bomJson?.components?.some((c) =>
+    c?.properties?.some(
+      (p) =>
+        p.name?.startsWith("cdx:github:") || p.name?.startsWith("cdx:actions:"),
+    ),
+  );
+  // Is this a GitHub Workflow BOM?
+  if (githubActionCount > 0 && hasWorkflowProperties) {
+    bomType = "SBOM";
+    description = "Software Bill-of-Materials (SBOM) including GitHub Actions";
+  }
   // Is this an OBOM?
-  if (lifecycles.filter((l) => l.phase === "operations").length > 0) {
+  else if (lifecycles.filter((l) => l.phase === "operations").length > 0) {
     bomType = "OBOM";
     description = "Operations Bill-of-Materials (OBOM)";
   } else if (cryptoAssetsCount > 0) {
@@ -110,6 +294,8 @@ export function textualMetadata(bomJson) {
   const swidCount = bomJson?.components?.filter((c) =>
     c?.purl?.startsWith("pkg:swid"),
   ).length;
+  const githubStats = getGitHubWorkflowStats(bomJson?.components);
+  const isGitHubBom = bomType === "SBOM";
   if (metadata?.timestamp) {
     text = `This ${bomTypeDescription} document was created on ${humanifyTimestamp(metadata.timestamp)}`;
   }
@@ -174,6 +360,49 @@ export function textualMetadata(bomJson) {
       text = `${text} The ${cleanTypeName} also has ${metadata.component.components.length} child modules/components.`;
     }
   }
+  if (isGitHubBom && githubStats.totalActions > 0) {
+    text = `${text} This ${bomType} contains ${githubStats.totalActions} GitHub Action references across ${githubStats.workflowCount} workflow(s) and ${githubStats.jobCount} job(s).`;
+    if (githubStats.workflows.length > 0) {
+      if (githubStats.workflows.length <= 3) {
+        text = `${text} The workflows are: ${joinArray(githubStats.workflows)}.`;
+      } else {
+        text = `${text} There are ${githubStats.workflows.length} workflows including ${joinArray(githubStats.workflows.slice(0, 3))}${githubStats.workflows.length > 3 ? " and others" : ""}.`;
+      }
+    }
+    if (githubStats.environments.length > 0) {
+      text = `${text} Jobs are deployed to ${joinArray(githubStats.environments)} environment(s).`;
+    }
+    const pinningText = [];
+    if (githubStats.shaPinned > 0) {
+      pinningText.push(`${githubStats.shaPinned} SHA-pinned`);
+    }
+    if (githubStats.tagPinned > 0) {
+      pinningText.push(`${githubStats.tagPinned} tag-pinned`);
+    }
+    if (githubStats.branchPinned > 0) {
+      pinningText.push(`${githubStats.branchPinned} branch-referenced`);
+    }
+    if (githubStats.unknownPinned > 0) {
+      pinningText.push(`${githubStats.unknownPinned} with unknown pinning`);
+    }
+    if (pinningText.length > 0) {
+      text = `${text} Version pinning breakdown: ${pinningText.join(", ")}.`;
+    }
+    if (githubStats.officialActions > 0 || githubStats.verifiedActions > 0) {
+      const trustText = [];
+      if (githubStats.officialActions > 0) {
+        trustText.push(`${githubStats.officialActions} official`);
+      }
+      if (githubStats.verifiedActions > 0) {
+        trustText.push(`${githubStats.verifiedActions} verified`);
+      }
+      text = `${text} ${joinArray(trustText)} action(s) are from trusted sources.`;
+    }
+    const securityText = generateSecurityAssessment(githubStats);
+    if (securityText) {
+      text = `${text}${securityText}`;
+    }
+  }
   let metadataProperties = metadata.properties || [];
   if (
     metadata?.component?.properties &&
@@ -237,7 +466,9 @@ export function textualMetadata(bomJson) {
     }
   }
   if (bomJson?.components?.length) {
-    text = `${text} There are ${bomJson.components.length} components.`;
+    if (!isGitHubBom) {
+      text = `${text} There are ${bomJson.components.length} components.`;
+    }
   } else {
     text = `${text} BOM file is empty without components.`;
     thoughtLog(
@@ -403,5 +634,52 @@ export function extractTags(
       }
     }
   }
+  // GitHub workflow specific tags from properties
+  if (bomType === "sbom" || bomType === "all") {
+    for (const aprop of compProps) {
+      // Security-related tags
+      if (
+        aprop.name === "cdx:github:action:isShaPinned" &&
+        aprop.value === "true"
+      ) {
+        tags.add("sha-pinned");
+        tags.add("secure-versioning");
+      }
+      if (
+        aprop.name === "cdx:github:action:versionPinningType" &&
+        aprop.value !== "sha"
+      ) {
+        tags.add(`pinning-${aprop.value}`);
+      }
+      if (aprop.name === "cdx:actions:isOfficial" && aprop.value === "true") {
+        tags.add("official-action");
+        tags.add("trusted-source");
+      }
+      if (aprop.name === "cdx:actions:isVerified" && aprop.value === "true") {
+        tags.add("verified-action");
+        tags.add("trusted-source");
+      }
+      if (
+        aprop.name === "cdx:github:workflow:hasWritePermissions" &&
+        aprop.value === "true"
+      ) {
+        tags.add("write-permissions");
+        tags.add("elevated-access");
+      }
+      if (
+        aprop.name === "cdx:github:workflow:hasIdTokenWrite" &&
+        aprop.value === "true"
+      ) {
+        tags.add("id-token-write");
+        tags.add("oidc-enabled");
+      }
+      if (
+        aprop.name === "cdx:github:step:continueOnError" &&
+        aprop.value === "true"
+      ) {
+        tags.add("continue-on-error");
+      }
+    }
+  }
   return Array.from(tags).sort();
 }

package/lib/stages/postgen/postgen.js

@@ -400,9 +400,7 @@ export function filterBom(bomJson, options) {
         for (const aprop of properties) {
           if (
             filterstr.length &&
-            aprop &&
-            aprop.value &&
-            aprop.value.toLowerCase().includes(filterstr.toLowerCase())
+            aprop?.value?.toLowerCase().includes(filterstr.toLowerCase())
           ) {
             filtered = true;
             purlfiltered = true;
@@ -454,8 +452,7 @@ export function filterBom(bomJson, options) {
     if (
       options.specVersion >= 1.5 &&
       options.autoCompositions &&
-      bomJson.metadata &&
-      bomJson.metadata.component
+      bomJson.metadata?.component
     ) {
       if (!bomJson.compositions) {
         bomJson.compositions = [];
@@ -548,10 +545,10 @@ export function annotate(bomJson, options) {
     }
     parentBomRef = bomJson.metadata.component["bom-ref"];
   }
-  if (metadataAnnotations && parentBomRef) {
+  if (metadataAnnotations) {
     bomAnnotations.push({
       "bom-ref": "metadata-annotations",
-      subjects: [parentBomRef],
+      subjects: parentBomRef ? [parentBomRef] : [bomJson.serialNumber],
       annotator: {
         component: cdxgenAnnotator[0],
       },

package/lib/third-party/arborist/lib/diff.js

@@ -271,7 +271,7 @@ const diffNode = ({
     // to get the list of nodes to move, then move them all at once, rather
     // than moving them one at a time in the first loop.
     const bd = ideal.package.bundleDependencies;
-    if (actual && bd && bd.length) {
+    if (actual && bd?.length) {
       const bundledChildren = [];
       for (const node of actual.children.values()) {
         if (node.inBundle) {

package/lib/third-party/arborist/lib/node.js

@@ -270,7 +270,7 @@ class Node {
 
   // true for packages installed directly in the global node_modules folder
   get globalTop() {
-    return this.global && this.parent && this.parent.isProjectRoot;
+    return this.global && this.parent?.isProjectRoot;
   }
 
   get workspaces() {

package/lib/third-party/arborist/lib/yarn-lock.js

@@ -188,7 +188,7 @@ class YarnLock {
         this.current[this.subkey] = {};
         continue;
       }
-      if (SUBVAL.test(line) && this.current && this.current[this.subkey]) {
+      if (SUBVAL.test(line) && this.current?.[this.subkey]) {
         const subval = this.splitQuoted(line.trimLeft(), " ");
         if (subval.length === 2) {
           this.current[this.subkey][subval[0]] = subval[1];