@cyclonedx/cdxgen 12.1.3 → 12.1.5

package/lib/helpers/utils.js

@@ -57,6 +57,7 @@ import { IriValidationStrategy, validateIri } from "../parsers/iri.js";
 import Arborist from "../third-party/arborist/lib/index.js";
 import { extractPackageInfoFromHintPath } from "./dotnetutils.js";
 import { thoughtLog, traceLog } from "./logger.js";
+import { get_python_command_from_env, getVenvMetadata } from "./pythonutils.js";
 
 let url = import.meta?.url;
 if (url && !url.startsWith("file://")) {
@@ -175,6 +176,40 @@ export function safeSpawnSync(command, args, options) {
       );
     }
   }
+  let isPyPackageInstall = false;
+  if (command.includes("pip") && args?.includes("install")) {
+    isPyPackageInstall = true;
+  } else if (
+    command.includes("python") &&
+    args?.includes("pip") &&
+    args?.includes("install")
+  ) {
+    isPyPackageInstall = true;
+  } else if (
+    command.includes("uv") &&
+    args?.includes("pip") &&
+    args?.includes("install")
+  ) {
+    isPyPackageInstall = true;
+  }
+  if (isPyPackageInstall) {
+    const hasOnlyBinary = args?.some(
+      (arg) => arg === "--only-binary" || arg.startsWith("--only-binary="),
+    );
+    if (!hasOnlyBinary) {
+      if (isSecureMode) {
+        console.warn(
+          "\x1b[1;31mSecurity Alert: pip/uv install invoked without '--only-binary' argument in secure mode. This is a bug in cdxgen and introduces Arbitrary Code Execution (ACE) risks. Please report with an example repo here https://github.com/cdxgen/cdxgen/issues.\x1b[0m",
+        );
+      } else if (process.env?.CDXGEN_IN_CONTAINER === "true") {
+        console.log("Running pip/uv install without '--only-binary' argument.");
+      } else {
+        console.warn(
+          "\x1b[1;35mNotice: pip/uv install invoked without '--only-binary'. This allows executing untrusted setup.py scripts. Only run cdxgen in trusted directories.\x1b",
+        );
+      }
+    }
+  }
   traceLog("spawn", { command, args, ...options });
   commandsExecuted.add(command);
   // Fix for DEP0190 warning
@@ -471,7 +506,11 @@ export const PROJECT_TYPE_ALIASES = {
     "poetry",
     "uv",
     "pdm",
+    "rye",
     "hatch",
+    "conda",
+    "miniconda",
+    "pyenv",
   ],
   go: ["go", "golang", "gomod", "gopkg"],
   rust: ["rust", "rust-lang", "cargo"],
@@ -1462,6 +1501,40 @@ export async function parsePkgLock(pkgLockFile, options = {}) {
           value: "true",
         });
       }
+      // Detect version spoofing by comparing the version in the lockfile with the version in package.json
+      if (node.path && safeExistsSync(join(node.path, "package.json"))) {
+        try {
+          const diskPkgStr = readFileSync(
+            join(node.path, "package.json"),
+            "utf8",
+          );
+          const diskPkg = JSON.parse(diskPkgStr);
+          if (!diskPkg.name || diskPkg.name !== node.packageName) {
+            console.warn(
+              `\x1b[1;35mWARNING: Package name spoofing detected for ${node.packageName}! Lockfile says ${node.packageName}, but disk says ${diskPkg.name}.\x1b[0m`,
+            );
+            if (diskPkg.name) {
+              pkg.properties.push({
+                name: "cdx:npm:nameMismatchError",
+                value: `${diskPkg.name} used instead of ${node.packageName}`,
+              });
+            }
+          }
+          if (!diskPkg.version || diskPkg.version !== node.version) {
+            console.warn(
+              `\x1b[1;35mWARNING: Package version spoofing detected for ${node.packageName}! Lockfile says ${node.version}, but disk says ${diskPkg.version}.\x1b[0m`,
+            );
+            if (diskPkg.version) {
+              pkg.properties.push({
+                name: "cdx:npm:versionMismatchError",
+                value: `${diskPkg.version} used instead of ${node.version}`,
+              });
+            }
+          }
+        } catch (_err) {
+          // ignore
+        }
+      }
       if (node?.inBundle) {
         pkg.properties.push({
           name: "cdx:npm:inBundle",
@@ -2796,7 +2869,7 @@ export function findPnpmPackagePath(baseDir, packageName, version) {
  * @returns {Array} Enhanced package list
  */
 export async function pnpmMetadata(pkgList, lockFilePath) {
-  if (!pkgList || !pkgList.length || !lockFilePath) {
+  if (!pkgList?.length || !lockFilePath) {
     return pkgList;
   }
 
@@ -5062,7 +5135,7 @@ export async function getMvnMetadata(
   const ANDROID_MAVEN_URL =
     process.env.ANDROID_MAVEN_URL || "https://maven.google.com/";
   const cdepList = [];
-  if (!pkgList || !pkgList.length) {
+  if (!pkgList?.length) {
     return pkgList;
   }
   if (DEBUG_MODE && shouldFetchLicense()) {
@@ -5356,7 +5429,7 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
   const PYPI_URL = process.env.PYPI_URL || "https://pypi.org/pypi/";
   const cdepList = [];
   for (const p of pkgList) {
-    if (!p || !p.name) {
+    if (!p?.name) {
       continue;
     }
     try {
@@ -5440,7 +5513,7 @@ export async function getPyMetadata(pkgList, fetchDepsInfo) {
         }
       }
       // Use the latest version if none specified
-      if (!p.version || !p.version.trim().length) {
+      if (!p.version?.trim().length) {
         let versionSpecifiers;
         if (p.properties?.length) {
           for (const pprop of p.properties) {
@@ -5595,6 +5668,9 @@ export function parseBdistMetadata(mDataFile, rawMetadata = undefined) {
     externalReferences: [],
     properties: [],
   };
+  if (mDataFile) {
+    pkg.properties.push({ name: "SrcFile", value: mDataFile });
+  }
   const lines = mData.replace(/\r\n/g, "\n").replace(/\r/g, "\n").split("\n");
   let isBody = false;
   for (const line of lines) {
@@ -6433,7 +6509,8 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
         },
       }
     : undefined;
-  const lines = reqData.replace(/\r/g, "").replace(/\\$/gm, "").split("\n");
+  const normalizedData = reqData.replace(/\r/g, "").replace(/\\\n/g, " ");
+  const lines = normalizedData.split("\n");
   for (const line of lines) {
     let l = line.trim();
     if (l.includes("# Basic requirements")) {
@@ -6461,7 +6538,25 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
           },
         ]
       : [];
-
+    const hashes = [];
+    const hashRegex = /--hash=([a-zA-Z0-9\-]+):([a-fA-F0-9]+)/g;
+    let hashMatch;
+    while ((hashMatch = hashRegex.exec(l)) !== null) {
+      let alg = hashMatch[1].toUpperCase();
+      if (alg === "SHA256") alg = "SHA-256";
+      else if (alg === "SHA384") alg = "SHA-384";
+      else if (alg === "SHA512") alg = "SHA-512";
+      else if (alg === "SHA1") alg = "SHA-1";
+      hashes.push({
+        alg: alg,
+        content: hashMatch[2],
+      });
+    }
+    // Strip the hash flags and any residual backslashes
+    l = l
+      .replace(/--hash=[a-zA-Z0-9\-]+:[a-fA-F0-9]+/g, "")
+      .replace(/\\/g, "")
+      .trim();
     // Handle markers
     let markers = null;
     let structuredMarkers = null;
@@ -6501,6 +6596,9 @@ async function parseReqData(reqFile, reqData = null, fetchDepsInfo = false) {
         scope: compScope,
         evidence,
       };
+      if (hashes.length > 0) {
+        apkg.hashes = hashes;
+      }
       if (comment) {
         apkg.licenses = comment
           .split("/")
@@ -10492,10 +10590,7 @@ export function parseConanLockData(conanLockData) {
   }
 
   const lockFile = JSON.parse(conanLockData);
-  if (
-    (!lockFile || !lockFile.graph_lock || !lockFile.graph_lock.nodes) &&
-    !lockFile.requires
-  ) {
+  if (!lockFile?.graph_lock?.nodes && !lockFile.requires) {
     return { pkgList, dependencies, parentComponentDependencies };
   }
 
@@ -11878,7 +11973,7 @@ export function parseCsPkgLockData(csLockData, pkgLockFile) {
     };
   }
   const assetData = JSON.parse(csLockData);
-  if (!assetData || !assetData.dependencies) {
+  if (!assetData?.dependencies) {
     return {
       pkgList,
       dependenciesList,
@@ -12181,7 +12276,7 @@ export function parseComposerLock(pkgLockFile, rootRequires) {
         for (const i in packages[compScope]) {
           const pkg = packages[compScope][i];
           // Be extra cautious. Potential fix for #236
-          if (!pkg || !pkg.name || !pkg.version) {
+          if (!pkg?.name || !pkg.version) {
             continue;
           }
 
@@ -12279,7 +12374,7 @@ export function parseComposerLock(pkgLockFile, rootRequires) {
       for (const compScope in packages) {
         for (const i in packages[compScope]) {
           const pkg = packages[compScope][i];
-          if (!pkg || !pkg.name || !pkg.version) {
+          if (!pkg?.name || !pkg.version) {
             continue;
           }
           if (!pkg.require || !Object.keys(pkg.require).length) {
@@ -15232,36 +15327,6 @@ function flattenDeps(dependenciesMap, pkgList, reqOrSetupFile, t) {
     .sort();
 }
 
-function get_python_command_from_env(env) {
-  // Virtual environments needs special treatment to use the correct python executable
-  // Without this step, the default python is always used resulting in false positives
-  const python_exe_name = isWin ? "python.exe" : "python";
-  const python3_exe_name = isWin ? "python3.exe" : "python3";
-  let python_cmd_to_use = PYTHON_CMD;
-  if (env.VIRTUAL_ENV) {
-    const bin_dir = isWin ? "Scripts" : "bin";
-    if (safeExistsSync(join(env.VIRTUAL_ENV, bin_dir, python_exe_name))) {
-      python_cmd_to_use = join(env.VIRTUAL_ENV, bin_dir, python_exe_name);
-    } else if (
-      safeExistsSync(join(env.VIRTUAL_ENV, bin_dir, python3_exe_name))
-    ) {
-      python_cmd_to_use = join(env.VIRTUAL_ENV, bin_dir, python3_exe_name);
-    }
-  } else if (env.CONDA_PREFIX) {
-    const bin_dir = isWin ? "" : "bin";
-    if (safeExistsSync(join(env.CONDA_PREFIX, bin_dir, python_exe_name))) {
-      python_cmd_to_use = join(env.CONDA_PREFIX, bin_dir, python_exe_name);
-    } else if (
-      safeExistsSync(join(env.CONDA_PREFIX, bin_dir, python3_exe_name))
-    ) {
-      python_cmd_to_use = join(env.CONDA_PREFIX, bin_dir, python3_exe_name);
-    }
-  } else if (env.CONDA_PYTHON_EXE) {
-    python_cmd_to_use = env.CONDA_PYTHON_EXE;
-  }
-  return python_cmd_to_use;
-}
-
 /**
  * Create uv.lock file with uv sync command.
  *
@@ -15344,14 +15409,12 @@ export async function getPipFrozenTree(
     ...process.env,
   };
 
-  // FIX: Create a set of explicit dependencies from requirements.txt to identify root packages.
   const explicitDeps = new Set();
   if (reqOrSetupFile?.endsWith(".txt") && safeExistsSync(reqOrSetupFile)) {
     // We only need the package names, so we pass `false` to avoid fetching full metadata.
     const tempPkgList = await parseReqFile(reqOrSetupFile, null, false);
     for (const pkg of tempPkgList) {
       if (pkg.name) {
-        // Normalize the name (lowercase, hyphenated) for accurate lookups.
         explicitDeps.add(pkg.name.replace(/_/g, "-").toLowerCase());
       }
     }
@@ -15407,17 +15470,26 @@ export async function getPipFrozenTree(
       }
     }
   }
-  /**
-   * We now have a virtual environment so we can attempt to install the project and perform
-   * pip freeze to collect the packages that got installed.
-   * Note that we did not create a virtual environment for poetry because poetry will do this when we run the install.
-   * This step is accurate but not reproducible since the resulting list could differ based on various factors
-   * such as the version of python, pip, os, pypi.org availability (and weather?)
-   */
-  // Bug #388. Perform pip install in all virtualenv to make the experience consistent
+  const venvMeta = getVenvMetadata(env);
+  const python_cmd_for_tree = get_python_command_from_env(env);
+  // Check if pyproject.toml is actually a uv-configured workspace
+  let hasToolUv = false;
+  let hasToolPoetry = false;
+  if (
+    reqOrSetupFile?.endsWith("pyproject.toml") &&
+    safeExistsSync(reqOrSetupFile)
+  ) {
+    try {
+      const content = readFileSync(reqOrSetupFile, "utf-8");
+      hasToolUv = content.includes("[tool.uv]");
+      hasToolPoetry = content.includes('build-backend = "poetry.core');
+    } catch (_err) {
+      // Ignore read error
+    }
+  }
   if (reqOrSetupFile) {
     // We have a poetry.lock file
-    if (reqOrSetupFile.endsWith("poetry.lock")) {
+    if (reqOrSetupFile.endsWith("poetry.lock") || hasToolPoetry) {
       const poetryConfigArgs = [
         "-m",
         "poetry",
@@ -15504,20 +15576,78 @@ export async function getPipFrozenTree(
           )}${_delimiter}${process.env.PATH || ""}`;
         }
       }
+    } else if (reqOrSetupFile.endsWith("pdm.lock") || venvMeta.type === "pdm") {
+      thoughtLog("Performing pdm install");
+      result = safeSpawnSync("pdm", ["install"], {
+        cwd: basePath,
+        shell: isWin,
+        env,
+      });
+      if (result.status !== 0 || result.error) {
+        frozen = false;
+      }
+    } else if (
+      reqOrSetupFile.endsWith("pixi.lock") ||
+      venvMeta.type === "pixi"
+    ) {
+      thoughtLog("Performing pixi install");
+      result = safeSpawnSync("pixi", ["install"], {
+        cwd: basePath,
+        shell: isWin,
+        env,
+      });
+      if (result.status !== 0 || result.error) {
+        frozen = false;
+      }
+    } else if (
+      reqOrSetupFile.endsWith("uv.lock") ||
+      (venvMeta.type === "uv" && hasToolUv)
+    ) {
+      thoughtLog("Performing uv sync");
+      result = safeSpawnSync("uv", ["sync"], {
+        cwd: basePath,
+        shell: isWin,
+        env,
+      });
+      if (result.status !== 0 || result.error) {
+        frozen = false;
+      }
+    } else if (
+      venvMeta.type === "rye" ||
+      reqOrSetupFile.endsWith("requirements.lock")
+    ) {
+      thoughtLog("Performing rye sync");
+      result = safeSpawnSync("rye", ["sync"], {
+        cwd: basePath,
+        shell: isWin,
+        env,
+      });
+      if (result.status !== 0 || result.error) {
+        frozen = false;
+      }
     } else {
-      // We are about to do a pip install with the right python command from the virtual environment
-      // This step can fail if the correct OS packages and development libraries are not installed
-      const python_cmd_for_tree = get_python_command_from_env(env);
-      let pipInstallArgs = [
-        "-m",
-        "pip",
-        "install",
-        "--disable-pip-version-check",
-      ];
-      if (isSecureMode) {
-        pipInstallArgs.unshift("-S");
+      // General package installation (Handling pip, or uv pip)
+      let installCmd = python_cmd_for_tree;
+      let pipInstallArgs = [];
+      if (venvMeta.type === "uv") {
+        installCmd = "uv";
+        pipInstallArgs = ["pip", "install"];
+        if (isSecureMode) {
+          pipInstallArgs.push("--only-binary");
+          pipInstallArgs.push(":all:");
+        }
+      } else {
+        pipInstallArgs = [
+          "-m",
+          "pip",
+          "install",
+          "--disable-pip-version-check",
+        ];
+        if (isSecureMode) {
+          pipInstallArgs.push("--only-binary=:all:");
+          pipInstallArgs.unshift("-S");
+        }
       }
-      // Requirements.txt could be called with any name so best to check for not setup.py and not pyproject.toml
       if (
         !reqOrSetupFile.endsWith("setup.py") &&
         !reqOrSetupFile.endsWith("pyproject.toml")
@@ -15532,20 +15662,17 @@ export async function getPipFrozenTree(
       } else {
         pipInstallArgs.push(resolve(basePath));
       }
-      // Support for passing additional arguments to pip
-      // Eg: --python-version 3.10 --ignore-requires-python --no-warn-conflicts --only-binary=:all:
       if (process?.env?.PIP_INSTALL_ARGS) {
         const addArgs = process.env.PIP_INSTALL_ARGS.split(" ");
         pipInstallArgs = pipInstallArgs.concat(addArgs);
       }
       thoughtLog(
-        `**PIP**: Trying pip install using the arguments ${pipInstallArgs.join(" ")}`,
+        `**INSTALL**: Trying package install using the arguments: ${installCmd} ${pipInstallArgs.join(" ")}`,
       );
       if (DEBUG_MODE) {
-        console.log("Executing", python_cmd_for_tree);
+        console.log("Executing", installCmd);
       }
-      // Attempt to perform pip install
-      result = safeSpawnSync(python_cmd_for_tree, pipInstallArgs, {
+      result = safeSpawnSync(installCmd, pipInstallArgs, {
         cwd: basePath,
         shell: isWin,
         env,
@@ -15570,6 +15697,10 @@ export async function getPipFrozenTree(
             );
           }
           console.log(result.stderr);
+        } else if (result?.stderr?.includes("No module named pip")) {
+          console.log(
+            "Using uv? Ensure 'uv' is in your PATH to allow cdxgen to use `uv pip install` automatically.",
+          );
         } else if (
           process.env.PIP_INSTALL_ARGS &&
           result.stderr?.includes("Cannot set --home and --prefix together")
@@ -15700,18 +15831,42 @@ export async function getPipFrozenTree(
   }
   // Bug #375. Attempt pip freeze on existing and new virtual environments
   if (env.VIRTUAL_ENV?.length || env.CONDA_PREFIX?.length) {
-    /**
-     * At this point, the previous attempt to do a pip install might have failed and we might have an unclean virtual environment with an incomplete list
-     * The position taken by cdxgen is "Some SBOM is better than no SBOM", so we proceed to collecting the dependencies that got installed with pip freeze
-     */
-    if (DEBUG_MODE) {
-      if (reqOrSetupFile) {
-        console.log(
-          `About to construct the pip dependency tree based on ${reqOrSetupFile}. Please wait ...`,
-        );
+    const venvRoot = env.VIRTUAL_ENV || env.CONDA_PREFIX;
+    const binDir = platform() === "win32" ? "Scripts" : "bin";
+    const pipExe = join(
+      venvRoot,
+      binDir,
+      platform() === "win32" ? "pip.exe" : "pip",
+    );
+    if (!safeExistsSync(pipExe)) {
+      thoughtLog(
+        "The 'pip' module is missing in this environment. Bootstrapping it to support piptree extraction.",
+      );
+      if (venvMeta.type === "uv") {
+        safeSpawnSync("uv", ["pip", "install", "pip"], {
+          cwd: basePath,
+          shell: isWin,
+          env,
+        });
+      } else if (venvMeta.type === "rye") {
+        safeSpawnSync("rye", ["run", "pip", "install", "pip"], {
+          cwd: basePath,
+          shell: isWin,
+          env,
+        });
+      } else {
+        safeSpawnSync(python_cmd_for_tree, ["-m", "ensurepip", "--upgrade"], {
+          cwd: basePath,
+          shell: isWin,
+          env,
+        });
       }
     }
-    const python_cmd_for_tree = get_python_command_from_env(env);
+    if (DEBUG_MODE && reqOrSetupFile) {
+      console.log(
+        `About to construct the dependency tree based on ${reqOrSetupFile}. Please wait ...`,
+      );
+    }
     // This is a slow step that ideally needs to be invoked only once per venv
     const tree = getTreeWithPlugin(env, python_cmd_for_tree, basePath);
     if (DEBUG_MODE && !tree.length) {
@@ -15862,10 +16017,23 @@ export function getPipTreeForPackages(
       env.PYTHONPATH = undefined;
     }
   }
+  const venvMeta = getVenvMetadata(env);
   const python_cmd_for_tree = get_python_command_from_env(env);
-  let pipInstallArgs = ["-m", "pip", "install", "--disable-pip-version-check"];
-  if (isSecureMode) {
-    pipInstallArgs.unshift("-S");
+  let installCmd = python_cmd_for_tree;
+  let pipInstallArgs = [];
+  if (venvMeta.type === "uv") {
+    installCmd = "uv";
+    pipInstallArgs = ["pip", "install"];
+    if (isSecureMode) {
+      pipInstallArgs.push("--only-binary");
+      pipInstallArgs.push(":all:");
+    }
+  } else {
+    pipInstallArgs = ["-m", "pip", "install", "--disable-pip-version-check"];
+    if (isSecureMode) {
+      pipInstallArgs.push("--only-binary=:all:");
+      pipInstallArgs.unshift("-S");
+    }
   }
   // Support for passing additional arguments to pip
   // Eg: --python-version 3.10 --ignore-requires-python --no-warn-conflicts
@@ -15873,19 +16041,23 @@ export function getPipTreeForPackages(
     const addArgs = process.env.PIP_INSTALL_ARGS.split(" ");
     pipInstallArgs = pipInstallArgs.concat(addArgs);
   } else {
-    pipInstallArgs = pipInstallArgs.concat([
-      "--ignore-requires-python",
-      "--no-compile",
-      "--no-warn-script-location",
-      "--no-warn-conflicts",
-    ]);
+    if (venvMeta.type !== "uv") {
+      pipInstallArgs = pipInstallArgs.concat([
+        "--ignore-requires-python",
+        "--no-compile",
+        "--no-warn-script-location",
+        "--no-warn-conflicts",
+      ]);
+    } else {
+      pipInstallArgs.push("--no-compile");
+    }
   }
   if (DEBUG_MODE) {
     console.log(
       "Installing",
       pkgList.length,
       "packages using the command",
-      python_cmd_for_tree,
+      installCmd,
       pipInstallArgs.join(" "),
     );
   }
@@ -15915,7 +16087,7 @@ export function getPipTreeForPackages(
     }
     // Attempt to perform pip install for pkgSpecifier
     const result = safeSpawnSync(
-      python_cmd_for_tree,
+      installCmd,
       [...pipInstallArgs, pkgSpecifier],
       {
         cwd: basePath,
@@ -15932,6 +16104,30 @@ export function getPipTreeForPackages(
   }
   // Did any package get installed successfully?
   if (failedPkgList.length < pkgList.length) {
+    const venvRoot = env.VIRTUAL_ENV || env.CONDA_PREFIX;
+    if (venvRoot) {
+      const binDir = platform() === "win32" ? "Scripts" : "bin";
+      const pipExe = join(
+        venvRoot,
+        binDir,
+        platform() === "win32" ? "pip.exe" : "pip",
+      );
+      if (!safeExistsSync(pipExe)) {
+        if (venvMeta.type === "uv") {
+          safeSpawnSync("uv", ["pip", "install", "pip"], {
+            cwd: basePath,
+            shell: isWin,
+            env,
+          });
+        } else {
+          safeSpawnSync(python_cmd_for_tree, ["-m", "ensurepip", "--upgrade"], {
+            cwd: basePath,
+            shell: isWin,
+            env,
+          });
+        }
+      }
+    }
     const dependenciesMap = {};
     const tree = getTreeWithPlugin(env, python_cmd_for_tree, basePath);
     for (const t of tree) {
@@ -16048,6 +16244,7 @@ export async function addEvidenceForImports(
     const aliases = group?.length
       ? [name, `${group}/${name}`, `@${group}/${name}`]
       : [name];
+    let isImported = false;
     for (const alias of aliases) {
       const all_includes = impPkgs.filter(
         (find_pkg) =>
@@ -16096,6 +16293,7 @@ export async function addEvidenceForImports(
       }
       // Identify all the imported modules of a component
       if (impPkgs.includes(alias) || all_includes.length) {
+        isImported = true;
         let importedModules = new Set();
         pkg.scope = "required";
         for (const subevidence of all_includes) {
@@ -16133,6 +16331,16 @@ export async function addEvidenceForImports(
         }
         break;
       }
+      if (
+        impPkgs?.length > 0 &&
+        !isImported &&
+        DEBUG_MODE &&
+        pkg?.scope !== "optional"
+      ) {
+        console.debug(
+          `\x1b[1;35mNotice: Package ${pkg.name} has no usage in code. Check if it is needed.\x1b[0m`,
+        );
+      }
       // Capture metadata such as description from local node_modules in deep mode
       if (deep && !pkg.description && pkg.properties) {
         let localNodeModulesPath;
@@ -16719,7 +16927,7 @@ export function getCppModules(src, options, osPkgsList, epkgList) {
     // Normalize windows separator
     afile = afile.replace("..\\", "").replace(/\\/g, "/");
     const fileName = basename(afile);
-    if (!fileName || !fileName.length) {
+    if (!fileName?.length) {
       continue;
     }
     const extn = extname(fileName);
@@ -16956,7 +17164,7 @@ async function queryNuget(p, NUGET_URL) {
     { responseType: "json" },
   );
   const items = res.body.items;
-  if (!items || !items[0]) {
+  if (!items?.[0]) {
     return [np, newBody, body];
   }
   if (items[0] && !items[0].items) {