@openrewrite/recipes-nodejs 0.37.0-20260103-170432 → 0.37.0-20260106-082310

package/src/security/remove-redundant-overrides.ts

@@ -0,0 +1,515 @@
+/*
+ * Copyright 2025 the original author or authors.
+ *
+ * Moderne Proprietary. Only for use by Moderne customers under the terms of a commercial contract.
+ */
+
+import {
+    ExecutionContext,
+    Option,
+    ScanningRecipe,
+    Tree,
+    TreePrinters,
+    TreeVisitor
+} from "@openrewrite/rewrite";
+import {isJson, Json, JsonParser, JsonVisitor} from "@openrewrite/rewrite/json";
+import {
+    findNodeResolutionResult,
+    NpmrcScope,
+    PackageManager,
+    runInstallInTempDir
+} from "@openrewrite/rewrite/javascript";
+import * as semver from "semver";
+import {extractVersionFromLockFile} from "./npm-utils";
+
+/**
+ * Information about an override that might be redundant.
+ */
+interface OverrideInfo {
+    /** The package name (or version-specific key like "package@^1") */
+    key: string;
+    /** The base package name (without version specifier) */
+    packageName: string;
+    /** The version the override pins to */
+    version: string;
+    /** Whether this is a version-specific override (e.g., "package@^1") */
+    isVersionSpecific: boolean;
+    /** The version range specifier if version-specific (e.g., "^1") */
+    versionRange?: string;
+}
+
+/**
+ * Project information for override analysis.
+ */
+interface ProjectInfo {
+    /** Path to package.json */
+    packageJsonPath: string;
+    /** Original package.json content */
+    originalPackageJson: string;
+    /** Package manager used */
+    packageManager: PackageManager;
+    /** List of overrides found */
+    overrides: OverrideInfo[];
+    /** Config files (.npmrc, etc.) */
+    configFiles?: Record<string, string>;
+}
+
+/**
+ * Accumulator for the recipe.
+ */
+interface Accumulator {
+    /** Projects to analyze */
+    projects: Map<string, ProjectInfo>;
+    /** Overrides confirmed as redundant (project path -> set of override keys) */
+    redundantOverrides: Map<string, Set<string>>;
+    /** Whether redundant override analysis has been completed */
+    analysisComplete: boolean;
+}
+
+/**
+ * Removes overrides from package.json that are redundant because the dependency tree
+ * already resolves to the overridden version (or higher) without the override.
+ *
+ * This recipe is useful for cleaning up package.json after dependency upgrades that
+ * may have made previously-necessary overrides redundant.
+ *
+ * For each override, the recipe:
+ * 1. Temporarily removes the override from package.json
+ * 2. Runs `npm install --package-lock-only` (or equivalent)
+ * 3. Checks if the resolved version satisfies the override constraint
+ * 4. If yes, marks the override as redundant and removes it
+ *
+ * Also removes associated comments (e.g., from `//overrides`).
+ */
+export class RemoveRedundantOverrides extends ScanningRecipe<Accumulator> {
+    readonly name = "org.openrewrite.node.security.remove-redundant-overrides";
+    readonly displayName = "Remove redundant dependency overrides";
+    readonly description = "Removes overrides/resolutions from package.json that are redundant " +
+        "because the dependency tree already resolves to the overridden version or higher.";
+
+    @Option({
+        displayName: "Dry run",
+        description: "If true, only report which overrides are redundant without removing them.",
+        required: false,
+        example: "true"
+    })
+    dryRun?: boolean;
+
+    constructor(options?: { dryRun?: boolean }) {
+        super();
+        this.dryRun = options?.dryRun ?? false;
+    }
+
+    initialValue(_ctx: ExecutionContext): Accumulator {
+        return {
+            projects: new Map(),
+            redundantOverrides: new Map(),
+            analysisComplete: false
+        };
+    }
+
+    async scanner(acc: Accumulator): Promise<TreeVisitor<any, ExecutionContext>> {
+        const recipe = this;
+
+        return new class extends TreeVisitor<Tree, ExecutionContext> {
+            protected async accept(tree: Tree, _ctx: ExecutionContext): Promise<Tree | undefined> {
+                if (!isJson(tree) || tree.kind !== Json.Kind.Document) {
+                    return tree;
+                }
+
+                const doc = tree as Json.Document;
+                if (!doc.sourcePath.endsWith('package.json')) {
+                    return doc;
+                }
+
+                const marker = findNodeResolutionResult(doc);
+                if (!marker) {
+                    return doc;
+                }
+
+                const pm = marker.packageManager ?? PackageManager.Npm;
+                const content = await TreePrinters.print(doc);
+                let packageJson: Record<string, any>;
+
+                try {
+                    packageJson = JSON.parse(content);
+                } catch {
+                    return doc;
+                }
+
+                // Extract overrides based on package manager
+                const overrides = recipe.extractOverrides(packageJson, pm);
+                if (overrides.length === 0) {
+                    return doc;
+                }
+
+                // Extract config files
+                const configFiles: Record<string, string> = {};
+                const projectNpmrc = marker.npmrcConfigs?.find(c => c.scope === NpmrcScope.Project);
+                if (projectNpmrc) {
+                    const lines = Object.entries(projectNpmrc.properties)
+                        .map(([key, value]) => `${key}=${value}`);
+                    configFiles['.npmrc'] = lines.join('\n');
+                }
+
+                acc.projects.set(doc.sourcePath, {
+                    packageJsonPath: doc.sourcePath,
+                    originalPackageJson: content,
+                    packageManager: pm,
+                    overrides,
+                    configFiles: Object.keys(configFiles).length > 0 ? configFiles : undefined
+                });
+
+                return doc;
+            }
+        };
+    }
+
+    async editorWithData(acc: Accumulator): Promise<TreeVisitor<any, ExecutionContext>> {
+        const recipe = this;
+
+        // Only run the expensive analysis once (editorWithData is called per source file)
+        if (!acc.analysisComplete) {
+            for (const [projectPath, project] of acc.projects) {
+                const redundant = await recipe.findRedundantOverrides(project);
+                if (redundant.size > 0) {
+                    acc.redundantOverrides.set(projectPath, redundant);
+                }
+            }
+            acc.analysisComplete = true;
+        }
+
+        // If dry run, don't modify files
+        if (recipe.dryRun) {
+            return new class extends TreeVisitor<Tree, ExecutionContext> {
+                protected async accept(tree: Tree, _ctx: ExecutionContext): Promise<Tree | undefined> {
+                    return tree;
+                }
+            };
+        }
+
+        return new class extends JsonVisitor<ExecutionContext> {
+            protected async visitDocument(doc: Json.Document, _ctx: ExecutionContext): Promise<Json | undefined> {
+                if (!doc.sourcePath.endsWith('package.json')) {
+                    return doc;
+                }
+
+                const redundant = acc.redundantOverrides.get(doc.sourcePath);
+                if (!redundant || redundant.size === 0) {
+                    return doc;
+                }
+
+                const project = acc.projects.get(doc.sourcePath);
+                if (!project) {
+                    return doc;
+                }
+
+                // Remove redundant overrides
+                const modifiedContent = recipe.removeOverrides(
+                    project.originalPackageJson,
+                    project.packageManager,
+                    redundant
+                );
+
+                // Re-parse the modified content
+                const parsed = await new JsonParser({}).parseOne({
+                    text: modifiedContent,
+                    sourcePath: doc.sourcePath
+                }) as Json.Document;
+
+                return {
+                    ...doc,
+                    value: parsed.value,
+                    eof: parsed.eof
+                } as Json.Document;
+            }
+        };
+    }
+
+    /**
+     * Extracts override information from package.json.
+     */
+    private extractOverrides(
+        packageJson: Record<string, any>,
+        pm: PackageManager
+    ): OverrideInfo[] {
+        const overrides: OverrideInfo[] = [];
+
+        let overrideObj: Record<string, any> | undefined;
+
+        switch (pm) {
+            case PackageManager.Npm:
+            case PackageManager.Bun:
+                overrideObj = packageJson.overrides;
+                break;
+            case PackageManager.Pnpm:
+                overrideObj = packageJson.pnpm?.overrides;
+                break;
+            case PackageManager.YarnClassic:
+            case PackageManager.YarnBerry:
+                overrideObj = packageJson.resolutions;
+                break;
+        }
+
+        if (!overrideObj) {
+            return overrides;
+        }
+
+        for (const [key, value] of Object.entries(overrideObj)) {
+            // Skip nested overrides (npm supports objects as values)
+            if (typeof value !== 'string') {
+                continue;
+            }
+
+            // Parse the key to extract package name and version range
+            const atIndex = key.lastIndexOf('@');
+            let packageName: string;
+            let versionRange: string | undefined;
+            let isVersionSpecific = false;
+
+            // Check if this is a version-specific override like "package@^1"
+            // But be careful with scoped packages like "@scope/package"
+            if (atIndex > 0 && !key.startsWith('@')) {
+                // Unscoped package with version specifier
+                packageName = key.substring(0, atIndex);
+                versionRange = key.substring(atIndex + 1);
+                isVersionSpecific = true;
+            } else if (atIndex > 0 && key.startsWith('@')) {
+                // Scoped package - check if there's another @ after the scope
+                const secondAtIndex = key.indexOf('@', 1);
+                if (secondAtIndex > 0 && secondAtIndex !== atIndex) {
+                    // Has version specifier: @scope/package@^1
+                    packageName = key.substring(0, secondAtIndex);
+                    versionRange = key.substring(secondAtIndex + 1);
+                    isVersionSpecific = true;
+                } else {
+                    // Just @scope/package
+                    packageName = key;
+                }
+            } else {
+                packageName = key;
+            }
+
+            overrides.push({
+                key,
+                packageName,
+                version: value,
+                isVersionSpecific,
+                versionRange
+            });
+        }
+
+        return overrides;
+    }
+
+    /**
+     * Tests each override to see if it's redundant.
+     *
+     * Optimization: Instead of running N installs (one per override), we run ONE install
+     * with all overrides removed and check each override against that single result.
+     * This is much faster for projects with multiple overrides.
+     */
+    private async findRedundantOverrides(project: ProjectInfo): Promise<Set<string>> {
+        const redundant = new Set<string>();
+
+        if (project.overrides.length === 0) {
+            return redundant;
+        }
+
+        try {
+            // Create package.json with ALL overrides removed
+            const packageJson = JSON.parse(project.originalPackageJson);
+            for (const override of project.overrides) {
+                this.removeOverrideFromObject(packageJson, project.packageManager, override.key);
+            }
+            const modifiedPackageJson = JSON.stringify(packageJson, null, 2);
+
+            // Run ONE install to see what versions get resolved without any overrides
+            const result = await runInstallInTempDir(
+                project.packageManager,
+                modifiedPackageJson,
+                {
+                    configFiles: project.configFiles,
+                    lockOnly: true
+                }
+            );
+
+            if (!result.success || !result.lockFileContent) {
+                // Can't determine - keep all overrides
+                return redundant;
+            }
+
+            // Check each override against the resolved versions
+            for (const override of project.overrides) {
+                const isRedundant = this.isOverrideRedundantForLockFile(
+                    override,
+                    result.lockFileContent,
+                    project.packageManager
+                );
+                if (isRedundant) {
+                    redundant.add(override.key);
+                }
+            }
+        } catch {
+            // Error during check - keep all overrides
+        }
+
+        return redundant;
+    }
+
+    /**
+     * Checks if a single override is redundant given a lock file without any overrides.
+     */
+    private isOverrideRedundantForLockFile(
+        override: OverrideInfo,
+        lockFileContent: string,
+        packageManager: PackageManager
+    ): boolean {
+        // Find the resolved version
+        const resolvedVersion = extractVersionFromLockFile(
+            lockFileContent,
+            override.packageName,
+            packageManager
+        );
+
+        if (!resolvedVersion) {
+            // Package not found in lock file - might no longer be a dependency
+            // This override is definitely redundant
+            return true;
+        }
+
+        // Check if resolved version satisfies the override
+        // The override is redundant if the natural resolution is >= the override version
+        try {
+            if (semver.gte(resolvedVersion, override.version)) {
+                return true;
+            }
+
+            // Also check if resolved version satisfies the override as a range
+            if (semver.satisfies(resolvedVersion, `>=${override.version}`)) {
+                return true;
+            }
+        } catch {
+            // Invalid version comparison - keep the override
+            return false;
+        }
+
+        return false;
+    }
+
+    /**
+     * Removes a single override from the package.json object.
+     */
+    private removeOverrideFromObject(
+        packageJson: Record<string, any>,
+        pm: PackageManager,
+        key: string
+    ): void {
+        switch (pm) {
+            case PackageManager.Npm:
+            case PackageManager.Bun:
+                if (packageJson.overrides) {
+                    delete packageJson.overrides[key];
+                    if (Object.keys(packageJson.overrides).length === 0) {
+                        delete packageJson.overrides;
+                    }
+                }
+                break;
+            case PackageManager.Pnpm:
+                if (packageJson.pnpm?.overrides) {
+                    delete packageJson.pnpm.overrides[key];
+                    if (Object.keys(packageJson.pnpm.overrides).length === 0) {
+                        delete packageJson.pnpm.overrides;
+                    }
+                    if (Object.keys(packageJson.pnpm).length === 0) {
+                        delete packageJson.pnpm;
+                    }
+                }
+                break;
+            case PackageManager.YarnClassic:
+            case PackageManager.YarnBerry:
+                if (packageJson.resolutions) {
+                    delete packageJson.resolutions[key];
+                    if (Object.keys(packageJson.resolutions).length === 0) {
+                        delete packageJson.resolutions;
+                    }
+                }
+                break;
+        }
+    }
+
+    /**
+     * Removes the specified overrides from package.json content.
+     * Also removes associated comments.
+     */
+    private removeOverrides(
+        originalContent: string,
+        pm: PackageManager,
+        keysToRemove: Set<string>
+    ): string {
+        const packageJson = JSON.parse(originalContent);
+
+        // Determine field names
+        let overrideField: string;
+        let commentField: string;
+
+        switch (pm) {
+            case PackageManager.Npm:
+            case PackageManager.Bun:
+                overrideField = 'overrides';
+                commentField = '//overrides';
+                break;
+            case PackageManager.Pnpm:
+                overrideField = 'pnpm';
+                commentField = '//pnpm.overrides';
+                break;
+            case PackageManager.YarnClassic:
+            case PackageManager.YarnBerry:
+                overrideField = 'resolutions';
+                commentField = '//resolutions';
+                break;
+            default:
+                return originalContent;
+        }
+
+        // Remove overrides
+        if (pm === PackageManager.Pnpm) {
+            if (packageJson.pnpm?.overrides) {
+                for (const key of keysToRemove) {
+                    delete packageJson.pnpm.overrides[key];
+                }
+                if (Object.keys(packageJson.pnpm.overrides).length === 0) {
+                    delete packageJson.pnpm.overrides;
+                }
+                if (Object.keys(packageJson.pnpm).length === 0) {
+                    delete packageJson.pnpm;
+                }
+            }
+        } else {
+            if (packageJson[overrideField]) {
+                for (const key of keysToRemove) {
+                    delete packageJson[overrideField][key];
+                }
+                if (Object.keys(packageJson[overrideField]).length === 0) {
+                    delete packageJson[overrideField];
+                }
+            }
+        }
+
+        // Remove associated comments
+        if (packageJson[commentField]) {
+            for (const key of keysToRemove) {
+                delete packageJson[commentField][key];
+            }
+            if (Object.keys(packageJson[commentField]).length === 0) {
+                delete packageJson[commentField];
+            }
+        }
+
+        // Preserve original indentation
+        const indentMatch = originalContent.match(/^(\s+)"/m);
+        const indent = indentMatch ? indentMatch[1].length : 2;
+
+        return JSON.stringify(packageJson, null, indent);
+    }
+}