@openrewrite/recipes-nodejs 0.37.0-20260106-083133 → 0.37.0-20260106-170728

package/src/security/index.ts

@@ -5,5 +5,8 @@
  */
 
 export * from "./vulnerability";
+export * from "./version-utils";
+export * from "./types";
+export * from "./override-utils";
 export * from "./dependency-vulnerability-check";
 export * from "./remove-redundant-overrides";

package/src/security/npm-utils.ts

@@ -107,7 +107,7 @@ export async function fetchNpmPackageInfo(
 
         if (Array.isArray(versions)) {
             for (const v of versions) {
-                versionMap[v] = { version: v };
+                versionMap[v] = {version: v};
             }
         }
 
@@ -251,42 +251,41 @@ export interface DirectUpgradeCheckResult {
 export type DependencyScope = 'dependencies' | 'devDependencies' | 'peerDependencies' | 'optionalDependencies';
 
 /**
- * Checks if upgrading a direct dependency to a specific version fixes a transitive vulnerability.
- * Does this by running npm install in a temp directory and checking the resolved transitive version.
+ * Checks if a direct dependency at a given version, when installed alone (in isolation),
+ * brings in a safe version of a transitive dependency. This is useful when multiple
+ * direct dependencies bring in the same vulnerable transitive - we need to check each
+ * in isolation to find upgrade candidates.
  *
  * @param pm The package manager to use
- * @param directDepName The direct dependency to upgrade
- * @param directDepVersion The version to upgrade to
- * @param transitiveDepName The transitive dependency that has a vulnerability
- * @param isVulnerable Function that checks if a version is vulnerable
- * @param originalPackageJson The original package.json content
- * @param scope The dependency scope of the direct dependency
+ * @param directDepName The direct dependency name
+ * @param directDepVersion The version to test
+ * @param transitiveDepName The transitive dependency to check
+ * @param isVulnerable Function that checks if a transitive version is vulnerable
+ * @param scope The dependency scope
  * @param configFiles Optional config files (e.g., .npmrc)
- * @returns Result indicating if the upgrade fixes the vulnerability
+ * @returns Result indicating if the upgrade is safe and what transitive version it brings
  */
-export async function checkDirectUpgradeFixesTransitive(
+export async function checkDirectDepBringsSafeTransitiveInIsolation(
     pm: PackageManager,
     directDepName: string,
     directDepVersion: string,
     transitiveDepName: string,
     isVulnerable: (version: string) => boolean,
-    originalPackageJson: string,
     scope: DependencyScope,
     configFiles?: Record<string, string>
 ): Promise<DirectUpgradeCheckResult> {
     try {
-        // Parse and modify package.json with upgraded direct dependency
-        const pkgJson = JSON.parse(originalPackageJson);
-        if (!pkgJson[scope]?.[directDepName]) {
-            return {fixed: false, directDepVersion};
-        }
-
-        // Upgrade the direct dependency
-        pkgJson[scope][directDepName] = directDepVersion;
-        const modifiedPackageJson = JSON.stringify(pkgJson, null, 2);
+        // Create a minimal package.json with ONLY this direct dependency
+        const minimalPackageJson = JSON.stringify({
+            name: 'upgrade-check-isolated',
+            version: '1.0.0',
+            [scope]: {
+                [directDepName]: directDepVersion
+            }
+        }, null, 2);
 
         // Run install in temp directory
-        const result = await runInstallInTempDir(pm, modifiedPackageJson, {
+        const result = await runInstallInTempDir(pm, minimalPackageJson, {
             configFiles,
             lockOnly: true
         });
@@ -321,8 +320,9 @@ export async function checkDirectUpgradeFixesTransitive(
 }
 
 /**
- * Finds a direct dependency upgrade that fixes a transitive vulnerability.
- * Tries versions from newest to oldest within the allowed delta.
+ * Finds a direct dependency upgrade that brings in a safe transitive, checking in isolation.
+ * This differs from findDirectUpgradeThatFixesTransitive by testing the direct dep alone,
+ * not with other dependencies that might also bring in the vulnerable transitive.
  *
  * @param pm The package manager to use
  * @param directDepName The direct dependency to upgrade
@@ -330,19 +330,17 @@ export async function checkDirectUpgradeFixesTransitive(
  * @param transitiveDepName The transitive dependency that has a vulnerability
  * @param isVulnerable Function that checks if a version is vulnerable
  * @param isWithinDelta Function that checks if a version is within the allowed upgrade delta
- * @param originalPackageJson The original package.json content
- * @param scope The dependency scope of the direct dependency
+ * @param scope The dependency scope
  * @param configFiles Optional config files (e.g., .npmrc)
- * @returns The direct dependency version that fixes the transitive, or undefined if none found
+ * @returns The direct dependency version that brings in a safe transitive, or undefined
  */
-export async function findDirectUpgradeThatFixesTransitive(
+export async function findDirectUpgradeWithSafeTransitiveInIsolation(
     pm: PackageManager,
     directDepName: string,
     currentDirectVersion: string,
     transitiveDepName: string,
     isVulnerable: (version: string) => boolean,
     isWithinDelta: (fromVersion: string, toVersion: string) => boolean,
-    originalPackageJson: string,
     scope: DependencyScope,
     configFiles?: Record<string, string>
 ): Promise<string | undefined> {
@@ -355,7 +353,6 @@ export async function findDirectUpgradeThatFixesTransitive(
     const currentMajor = semver.major(currentDirectVersion);
 
     // Filter to versions newer than current and within delta
-    // Note: getAvailableVersions already filters out prereleases
     const candidateVersions = availableVersions.filter(v => {
         try {
             return semver.gt(v, currentDirectVersion) && isWithinDelta(currentDirectVersion, v);
@@ -369,30 +366,26 @@ export async function findDirectUpgradeThatFixesTransitive(
     }
 
     // Sort candidates: same major version first (descending), then other majors (descending)
-    // This prioritizes peer-compatible versions while still allowing major upgrades if needed
     candidateVersions.sort((a, b) => {
         const aMajor = semver.major(a);
         const bMajor = semver.major(b);
         const aIsSameMajor = aMajor === currentMajor;
         const bIsSameMajor = bMajor === currentMajor;
 
-        // Same major versions come first
         if (aIsSameMajor && !bIsSameMajor) return -1;
         if (!aIsSameMajor && bIsSameMajor) return 1;
 
-        // Within the same priority group, sort by version descending
         return semver.rcompare(a, b);
     });
 
     // Try candidates in order (same major first, then others)
     for (const candidate of candidateVersions) {
-        const result = await checkDirectUpgradeFixesTransitive(
+        const result = await checkDirectDepBringsSafeTransitiveInIsolation(
             pm,
             directDepName,
             candidate,
             transitiveDepName,
             isVulnerable,
-            originalPackageJson,
             scope,
             configFiles
         );
@@ -402,13 +395,155 @@ export async function findDirectUpgradeThatFixesTransitive(
         }
 
         // Only try a few candidates to avoid excessive npm installs
-        // After trying the newest same-major and newest other-major, give up
         const candidateMajor = semver.major(candidate);
         if (candidateMajor !== currentMajor) {
-            // We've tried a different major version and it didn't work, give up
             break;
         }
     }
 
     return undefined;
 }
+
+/**
+ * Verifies that applying all proposed direct dependency upgrades fixes a transitive vulnerability.
+ * This is used after finding individual upgrade candidates to confirm they work together.
+ *
+ * @param pm The package manager to use
+ * @param upgrades Array of direct dependency upgrades to apply
+ * @param transitiveDepName The transitive dependency that should be fixed
+ * @param isVulnerable Function that checks if a transitive version is vulnerable
+ * @param originalPackageJson The original package.json content
+ * @param configFiles Optional config files (e.g., .npmrc)
+ * @returns True if all upgrades together fix the transitive vulnerability
+ */
+export async function verifyAllUpgradesFixTransitive(
+    pm: PackageManager,
+    upgrades: Array<{ name: string; version: string; scope: DependencyScope }>,
+    transitiveDepName: string,
+    isVulnerable: (version: string) => boolean,
+    originalPackageJson: string,
+    configFiles?: Record<string, string>
+): Promise<boolean> {
+    try {
+        // Parse and modify package.json with all upgraded dependencies
+        const pkgJson = JSON.parse(originalPackageJson);
+
+        for (const upgrade of upgrades) {
+            if (pkgJson[upgrade.scope]?.[upgrade.name]) {
+                pkgJson[upgrade.scope][upgrade.name] = upgrade.version;
+            }
+        }
+
+        const modifiedPackageJson = JSON.stringify(pkgJson, null, 2);
+
+        // Run install in temp directory
+        const result = await runInstallInTempDir(pm, modifiedPackageJson, {
+            configFiles,
+            lockOnly: true
+        });
+
+        if (!result.success || !result.lockFileContent) {
+            return false;
+        }
+
+        // Check all copies of the transitive in the lock file
+        const allVersions = extractAllVersionsFromLockFile(
+            result.lockFileContent,
+            transitiveDepName,
+            pm
+        );
+
+        if (allVersions.length === 0) {
+            // Transitive not found - considered fixed
+            return true;
+        }
+
+        // ALL copies must be safe
+        return allVersions.every(v => !isVulnerable(v));
+    } catch {
+        return false;
+    }
+}
+
+/**
+ * Extracts ALL versions of a package from a lock file (handles multiple copies).
+ * This is important when the same package appears multiple times at different versions
+ * due to incompatible peer dependency ranges.
+ */
+export function extractAllVersionsFromLockFile(
+    lockFileContent: string,
+    packageName: string,
+    pm: PackageManager
+): string[] {
+    const versions: string[] = [];
+    try {
+        switch (pm) {
+            case PackageManager.Npm: {
+                const lockJson = JSON.parse(lockFileContent);
+                if (lockJson.packages) {
+                    for (const [key, value] of Object.entries(lockJson.packages)) {
+                        // Match both root and nested copies: node_modules/pkg or .../node_modules/pkg
+                        if (key.endsWith(`node_modules/${packageName}`)) {
+                            const version = (value as any).version;
+                            if (version && !versions.includes(version)) {
+                                versions.push(version);
+                            }
+                        }
+                    }
+                }
+                // Also check v1 format
+                if (lockJson.dependencies?.[packageName]) {
+                    const version = lockJson.dependencies[packageName].version;
+                    if (version && !versions.includes(version)) {
+                        versions.push(version);
+                    }
+                }
+                break;
+            }
+
+            case PackageManager.Pnpm: {
+                const regex = new RegExp(`['"]?${escapeRegExp(packageName)}@([\\d.]+)['"]?:`, 'g');
+                let match;
+                while ((match = regex.exec(lockFileContent)) !== null) {
+                    if (!versions.includes(match[1])) {
+                        versions.push(match[1]);
+                    }
+                }
+                break;
+            }
+
+            case PackageManager.YarnClassic:
+            case PackageManager.YarnBerry: {
+                const regex = new RegExp(`"?${escapeRegExp(packageName)}@[^":\\n]+[":]*\\s*\\n\\s*version:?\\s*"?([^"\\n]+)"?`, 'g');
+                let match;
+                while ((match = regex.exec(lockFileContent)) !== null) {
+                    const version = match[1]?.trim();
+                    if (version && !versions.includes(version)) {
+                        versions.push(version);
+                    }
+                }
+                break;
+            }
+
+            case PackageManager.Bun: {
+                const lockJson = JSON.parse(lockFileContent);
+                if (lockJson.packages) {
+                    for (const [key, value] of Object.entries(lockJson.packages)) {
+                        if (key === packageName || key.endsWith(`/${packageName}`)) {
+                            if (Array.isArray(value) && value[0]) {
+                                const version = String(value[0]);
+                                if (!versions.includes(version)) {
+                                    versions.push(version);
+                                }
+                            }
+                        }
+                    }
+                }
+                break;
+            }
+        }
+    } catch {
+        // Return empty array on parse errors
+    }
+    return versions;
+}

package/src/security/override-utils.ts

@@ -0,0 +1,253 @@
+/*
+ * Copyright 2025 the original author or authors.
+ *
+ * Moderne Proprietary. Only for use by Moderne customers under the terms of a commercial contract.
+ */
+
+import {DependencyScope, PackageManager} from "@openrewrite/rewrite/javascript";
+import {ALL_DEPENDENCY_SCOPES} from "./types";
+
+/**
+ * Finds the dependency scope where a package is declared as a direct dependency.
+ * Returns the scope name (dependencies, devDependencies, etc.) or undefined if not found.
+ */
+export function findDirectDependencyScope(
+    packageJson: Record<string, any>,
+    packageName: string
+): DependencyScope | undefined {
+    for (const scope of ALL_DEPENDENCY_SCOPES) {
+        if (packageJson[scope]?.[packageName]) {
+            return scope;
+        }
+    }
+    return undefined;
+}
+
+/**
+ * Extracts the overrides section from a package.json based on the package manager.
+ * Returns the overrides object or undefined if not present.
+ */
+export function getOverridesFromPackageJson(
+    packageJson: Record<string, any>,
+    packageManager: PackageManager
+): Record<string, string> | undefined {
+    switch (packageManager) {
+        case PackageManager.Npm:
+        case PackageManager.Bun:
+            return packageJson.overrides;
+        case PackageManager.Pnpm:
+            return packageJson.pnpm?.overrides;
+        case PackageManager.YarnClassic:
+        case PackageManager.YarnBerry:
+            return packageJson.resolutions;
+        default:
+            return undefined;
+    }
+}
+
+/**
+ * Gets the field names for overrides and comments based on package manager.
+ */
+export function getOverrideFieldNames(packageManager: PackageManager): {
+    overrideField: string;
+    commentField: string;
+} {
+    switch (packageManager) {
+        case PackageManager.Npm:
+        case PackageManager.Bun:
+            return {overrideField: 'overrides', commentField: '//overrides'};
+        case PackageManager.Pnpm:
+            return {overrideField: 'pnpm', commentField: '//pnpm.overrides'};
+        case PackageManager.YarnClassic:
+        case PackageManager.YarnBerry:
+            return {overrideField: 'resolutions', commentField: '//resolutions'};
+        default:
+            return {overrideField: 'overrides', commentField: '//overrides'};
+    }
+}
+
+/**
+ * Information about an override entry.
+ */
+export interface OverrideInfo {
+    /** The full key (e.g., "package" or "package@^1") */
+    key: string;
+    /** The base package name (without version specifier) */
+    packageName: string;
+    /** The version the override pins to */
+    version: string;
+    /** Whether this is a version-specific override (e.g., "package@^1") */
+    isVersionSpecific: boolean;
+    /** The version range specifier if version-specific (e.g., "^1") */
+    versionRange?: string;
+}
+
+/**
+ * Parses an override key to extract package name and version range.
+ * Handles both regular packages (lodash) and scoped packages (@scope/package).
+ */
+export function parseOverrideKey(key: string): {
+    packageName: string;
+    versionRange?: string;
+    isVersionSpecific: boolean;
+} {
+    const atIndex = key.lastIndexOf('@');
+    let packageName: string;
+    let versionRange: string | undefined;
+    let isVersionSpecific = false;
+
+    // Check if this is a version-specific override like "package@^1"
+    // But be careful with scoped packages like "@scope/package"
+    if (atIndex > 0 && !key.startsWith('@')) {
+        // Unscoped package with version specifier
+        packageName = key.substring(0, atIndex);
+        versionRange = key.substring(atIndex + 1);
+        isVersionSpecific = true;
+    } else if (atIndex > 0 && key.startsWith('@')) {
+        // Scoped package - check if there's another @ after the scope
+        const secondAtIndex = key.indexOf('@', 1);
+        if (secondAtIndex > 0 && secondAtIndex !== atIndex) {
+            // Has version specifier: @scope/package@^1
+            packageName = key.substring(0, secondAtIndex);
+            versionRange = key.substring(secondAtIndex + 1);
+            isVersionSpecific = true;
+        } else {
+            // Just @scope/package
+            packageName = key;
+        }
+    } else {
+        packageName = key;
+    }
+
+    return {packageName, versionRange, isVersionSpecific};
+}
+
+/**
+ * Extracts all override entries from a package.json.
+ */
+export function extractOverrides(
+    packageJson: Record<string, any>,
+    packageManager: PackageManager
+): OverrideInfo[] {
+    const overrides: OverrideInfo[] = [];
+    const overrideObj = getOverridesFromPackageJson(packageJson, packageManager);
+
+    if (!overrideObj) {
+        return overrides;
+    }
+
+    for (const [key, value] of Object.entries(overrideObj)) {
+        // Skip nested overrides (npm supports objects as values)
+        if (typeof value !== 'string') {
+            continue;
+        }
+
+        const {packageName, versionRange, isVersionSpecific} = parseOverrideKey(key);
+
+        overrides.push({
+            key,
+            packageName,
+            version: value,
+            isVersionSpecific,
+            versionRange
+        });
+    }
+
+    return overrides;
+}
+
+/**
+ * Removes a single override from the package.json object.
+ * Mutates the object in place.
+ */
+export function removeOverrideFromObject(
+    packageJson: Record<string, any>,
+    packageManager: PackageManager,
+    key: string
+): void {
+    switch (packageManager) {
+        case PackageManager.Npm:
+        case PackageManager.Bun:
+            if (packageJson.overrides) {
+                delete packageJson.overrides[key];
+                if (Object.keys(packageJson.overrides).length === 0) {
+                    delete packageJson.overrides;
+                }
+            }
+            break;
+        case PackageManager.Pnpm:
+            if (packageJson.pnpm?.overrides) {
+                delete packageJson.pnpm.overrides[key];
+                if (Object.keys(packageJson.pnpm.overrides).length === 0) {
+                    delete packageJson.pnpm.overrides;
+                }
+                if (Object.keys(packageJson.pnpm).length === 0) {
+                    delete packageJson.pnpm;
+                }
+            }
+            break;
+        case PackageManager.YarnClassic:
+        case PackageManager.YarnBerry:
+            if (packageJson.resolutions) {
+                delete packageJson.resolutions[key];
+                if (Object.keys(packageJson.resolutions).length === 0) {
+                    delete packageJson.resolutions;
+                }
+            }
+            break;
+    }
+}
+
+/**
+ * Removes multiple overrides from package.json content.
+ * Also removes associated comments.
+ * Returns the modified JSON string.
+ */
+export function removeOverridesFromContent(
+    originalContent: string,
+    packageManager: PackageManager,
+    keysToRemove: Set<string>
+): string {
+    const packageJson = JSON.parse(originalContent);
+    const {overrideField, commentField} = getOverrideFieldNames(packageManager);
+
+    // Remove overrides
+    if (packageManager === PackageManager.Pnpm) {
+        if (packageJson.pnpm?.overrides) {
+            for (const key of keysToRemove) {
+                delete packageJson.pnpm.overrides[key];
+            }
+            if (Object.keys(packageJson.pnpm.overrides).length === 0) {
+                delete packageJson.pnpm.overrides;
+            }
+            if (Object.keys(packageJson.pnpm).length === 0) {
+                delete packageJson.pnpm;
+            }
+        }
+    } else {
+        if (packageJson[overrideField]) {
+            for (const key of keysToRemove) {
+                delete packageJson[overrideField][key];
+            }
+            if (Object.keys(packageJson[overrideField]).length === 0) {
+                delete packageJson[overrideField];
+            }
+        }
+    }
+
+    // Remove associated comments
+    if (packageJson[commentField]) {
+        for (const key of keysToRemove) {
+            delete packageJson[commentField][key];
+        }
+        if (Object.keys(packageJson[commentField]).length === 0) {
+            delete packageJson[commentField];
+        }
+    }
+
+    // Preserve original indentation
+    const indentMatch = originalContent.match(/^(\s+)"/m);
+    const indent = indentMatch ? indentMatch[1].length : 2;
+
+    return JSON.stringify(packageJson, null, indent);
+}